OpenClaw
825c6562ba
Some checks failed
Build & Deploy to Staging / Build & Deploy to Staging (push) Has been cancelled
- Create src/swagger.ts config module for swagger-jsdoc
- Add GET /openapi.json dynamic route (generated from @openapi annotations)
- Delete static public/openapi.json (was drifting from code)
- Add @openapi annotation for deprecated /v1/signup/free in index.ts
- Import swaggerSpec into index.ts
- All 12 endpoints now code-driven: demo/html, demo/markdown, convert/html,
convert/markdown, convert/url, templates, templates/{id}/render,
recover, recover/verify, billing/checkout, signup/free, health
359 lines
13 KiB
JavaScript
359 lines
13 KiB
JavaScript
import { Router } from "express";
|
|
import { renderPdf, renderUrlPdf } from "../services/browser.js";
|
|
import { markdownToHtml, wrapHtml } from "../services/markdown.js";
|
|
import dns from "node:dns/promises";
|
|
import logger from "../services/logger.js";
|
|
import net from "node:net";
|
|
function isPrivateIP(ip) {
|
|
// IPv6 loopback/unspecified
|
|
if (ip === "::1" || ip === "::")
|
|
return true;
|
|
// IPv6 link-local (fe80::/10)
|
|
if (ip.toLowerCase().startsWith("fe8") || ip.toLowerCase().startsWith("fe9") ||
|
|
ip.toLowerCase().startsWith("fea") || ip.toLowerCase().startsWith("feb"))
|
|
return true;
|
|
// IPv6 unique local (fc00::/7)
|
|
const lower = ip.toLowerCase();
|
|
if (lower.startsWith("fc") || lower.startsWith("fd"))
|
|
return true;
|
|
// IPv4-mapped IPv6
|
|
if (ip.startsWith("::ffff:"))
|
|
ip = ip.slice(7);
|
|
if (!net.isIPv4(ip))
|
|
return false;
|
|
const parts = ip.split(".").map(Number);
|
|
if (parts[0] === 0)
|
|
return true; // 0.0.0.0/8
|
|
if (parts[0] === 10)
|
|
return true; // 10.0.0.0/8
|
|
if (parts[0] === 127)
|
|
return true; // 127.0.0.0/8
|
|
if (parts[0] === 169 && parts[1] === 254)
|
|
return true; // 169.254.0.0/16
|
|
if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31)
|
|
return true; // 172.16.0.0/12
|
|
if (parts[0] === 192 && parts[1] === 168)
|
|
return true; // 192.168.0.0/16
|
|
return false;
|
|
}
|
|
function sanitizeFilename(name) {
|
|
// Strip characters dangerous in Content-Disposition headers
|
|
return name.replace(/[\x00-\x1f"\\\r\n]/g, "").trim() || "document.pdf";
|
|
}
|
|
export const convertRouter = Router();
|
|
/**
|
|
* @openapi
|
|
* /v1/convert/html:
|
|
* post:
|
|
* tags: [Conversion]
|
|
* summary: Convert HTML to PDF
|
|
* description: Converts HTML content to a PDF document. Bare HTML fragments are automatically wrapped in a full HTML document.
|
|
* security:
|
|
* - BearerAuth: []
|
|
* - ApiKeyHeader: []
|
|
* requestBody:
|
|
* required: true
|
|
* content:
|
|
* application/json:
|
|
* schema:
|
|
* allOf:
|
|
* - type: object
|
|
* required: [html]
|
|
* properties:
|
|
* html:
|
|
* type: string
|
|
* description: HTML content to convert. Can be a full document or a fragment.
|
|
* example: '<h1>Hello World</h1><p>My first PDF</p>'
|
|
* css:
|
|
* type: string
|
|
* description: Optional CSS to inject (only used when html is a fragment, not a full document)
|
|
* example: 'body { font-family: sans-serif; padding: 40px; }'
|
|
* - $ref: '#/components/schemas/PdfOptions'
|
|
* responses:
|
|
* 200:
|
|
* description: PDF document
|
|
* content:
|
|
* application/pdf:
|
|
* schema:
|
|
* type: string
|
|
* format: binary
|
|
* 400:
|
|
* description: Missing html field
|
|
* 401:
|
|
* description: Missing API key
|
|
* 403:
|
|
* description: Invalid API key
|
|
* 415:
|
|
* description: Unsupported Content-Type (must be application/json)
|
|
* 429:
|
|
* description: Rate limit or usage limit exceeded
|
|
* 500:
|
|
* description: PDF generation failed
|
|
*/
|
|
convertRouter.post("/html", async (req, res) => {
|
|
let slotAcquired = false;
|
|
try {
|
|
// Reject non-JSON content types
|
|
const ct = req.headers["content-type"] || "";
|
|
if (!ct.includes("application/json")) {
|
|
res.status(415).json({ error: "Unsupported Content-Type. Use application/json." });
|
|
return;
|
|
}
|
|
const body = typeof req.body === "string" ? { html: req.body } : req.body;
|
|
if (!body.html) {
|
|
res.status(400).json({ error: "Missing 'html' field" });
|
|
return;
|
|
}
|
|
// Acquire concurrency slot
|
|
if (req.acquirePdfSlot) {
|
|
await req.acquirePdfSlot();
|
|
slotAcquired = true;
|
|
}
|
|
// Wrap bare HTML fragments
|
|
const fullHtml = body.html.includes("<html")
|
|
? body.html
|
|
: wrapHtml(body.html, body.css);
|
|
const pdf = await renderPdf(fullHtml, {
|
|
format: body.format,
|
|
landscape: body.landscape,
|
|
margin: body.margin,
|
|
printBackground: body.printBackground,
|
|
});
|
|
const filename = sanitizeFilename(body.filename || "document.pdf");
|
|
res.setHeader("Content-Type", "application/pdf");
|
|
res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
|
|
res.send(pdf);
|
|
}
|
|
catch (err) {
|
|
logger.error({ err }, "Convert HTML error");
|
|
if (err.message === "QUEUE_FULL") {
|
|
res.status(429).json({ error: "Server busy - too many concurrent PDF generations. Please try again in a few seconds." });
|
|
return;
|
|
}
|
|
res.status(500).json({ error: `PDF generation failed: ${err.message}` });
|
|
}
|
|
finally {
|
|
if (slotAcquired && req.releasePdfSlot) {
|
|
req.releasePdfSlot();
|
|
}
|
|
}
|
|
});
|
|
/**
|
|
* @openapi
|
|
* /v1/convert/markdown:
|
|
* post:
|
|
* tags: [Conversion]
|
|
* summary: Convert Markdown to PDF
|
|
* description: Converts Markdown content to HTML and then to a PDF document.
|
|
* security:
|
|
* - BearerAuth: []
|
|
* - ApiKeyHeader: []
|
|
* requestBody:
|
|
* required: true
|
|
* content:
|
|
* application/json:
|
|
* schema:
|
|
* allOf:
|
|
* - type: object
|
|
* required: [markdown]
|
|
* properties:
|
|
* markdown:
|
|
* type: string
|
|
* description: Markdown content to convert
|
|
* example: '# Hello World\n\nThis is **bold** and *italic*.'
|
|
* css:
|
|
* type: string
|
|
* description: Optional CSS to inject into the rendered HTML
|
|
* - $ref: '#/components/schemas/PdfOptions'
|
|
* responses:
|
|
* 200:
|
|
* description: PDF document
|
|
* content:
|
|
* application/pdf:
|
|
* schema:
|
|
* type: string
|
|
* format: binary
|
|
* 400:
|
|
* description: Missing markdown field
|
|
* 401:
|
|
* description: Missing API key
|
|
* 403:
|
|
* description: Invalid API key
|
|
* 415:
|
|
* description: Unsupported Content-Type
|
|
* 429:
|
|
* description: Rate limit or usage limit exceeded
|
|
* 500:
|
|
* description: PDF generation failed
|
|
*/
|
|
convertRouter.post("/markdown", async (req, res) => {
|
|
let slotAcquired = false;
|
|
try {
|
|
// Reject non-JSON content types
|
|
const ct = req.headers["content-type"] || "";
|
|
if (!ct.includes("application/json")) {
|
|
res.status(415).json({ error: "Unsupported Content-Type. Use application/json." });
|
|
return;
|
|
}
|
|
const body = typeof req.body === "string" ? { markdown: req.body } : req.body;
|
|
if (!body.markdown) {
|
|
res.status(400).json({ error: "Missing 'markdown' field" });
|
|
return;
|
|
}
|
|
// Acquire concurrency slot
|
|
if (req.acquirePdfSlot) {
|
|
await req.acquirePdfSlot();
|
|
slotAcquired = true;
|
|
}
|
|
const html = markdownToHtml(body.markdown, body.css);
|
|
const pdf = await renderPdf(html, {
|
|
format: body.format,
|
|
landscape: body.landscape,
|
|
margin: body.margin,
|
|
printBackground: body.printBackground,
|
|
});
|
|
const filename = sanitizeFilename(body.filename || "document.pdf");
|
|
res.setHeader("Content-Type", "application/pdf");
|
|
res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
|
|
res.send(pdf);
|
|
}
|
|
catch (err) {
|
|
logger.error({ err }, "Convert MD error");
|
|
if (err.message === "QUEUE_FULL") {
|
|
res.status(429).json({ error: "Server busy - too many concurrent PDF generations. Please try again in a few seconds." });
|
|
return;
|
|
}
|
|
res.status(500).json({ error: `PDF generation failed: ${err.message}` });
|
|
}
|
|
finally {
|
|
if (slotAcquired && req.releasePdfSlot) {
|
|
req.releasePdfSlot();
|
|
}
|
|
}
|
|
});
|
|
/**
|
|
* @openapi
|
|
* /v1/convert/url:
|
|
* post:
|
|
* tags: [Conversion]
|
|
* summary: Convert URL to PDF
|
|
* description: |
|
|
* Fetches a URL and converts the rendered page to PDF. JavaScript is disabled for security.
|
|
* Private/internal IP addresses are blocked (SSRF protection). DNS is pinned to prevent rebinding.
|
|
* security:
|
|
* - BearerAuth: []
|
|
* - ApiKeyHeader: []
|
|
* requestBody:
|
|
* required: true
|
|
* content:
|
|
* application/json:
|
|
* schema:
|
|
* allOf:
|
|
* - type: object
|
|
* required: [url]
|
|
* properties:
|
|
* url:
|
|
* type: string
|
|
* format: uri
|
|
* description: URL to convert (http or https only)
|
|
* example: 'https://example.com'
|
|
* waitUntil:
|
|
* type: string
|
|
* enum: [load, domcontentloaded, networkidle0, networkidle2]
|
|
* default: domcontentloaded
|
|
* description: When to consider navigation finished
|
|
* - $ref: '#/components/schemas/PdfOptions'
|
|
* responses:
|
|
* 200:
|
|
* description: PDF document
|
|
* content:
|
|
* application/pdf:
|
|
* schema:
|
|
* type: string
|
|
* format: binary
|
|
* 400:
|
|
* description: Missing/invalid URL or URL resolves to private IP
|
|
* 401:
|
|
* description: Missing API key
|
|
* 403:
|
|
* description: Invalid API key
|
|
* 415:
|
|
* description: Unsupported Content-Type
|
|
* 429:
|
|
* description: Rate limit or usage limit exceeded
|
|
* 500:
|
|
* description: PDF generation failed
|
|
*/
|
|
convertRouter.post("/url", async (req, res) => {
|
|
let slotAcquired = false;
|
|
try {
|
|
// Reject non-JSON content types
|
|
const ct = req.headers["content-type"] || "";
|
|
if (!ct.includes("application/json")) {
|
|
res.status(415).json({ error: "Unsupported Content-Type. Use application/json." });
|
|
return;
|
|
}
|
|
const body = req.body;
|
|
if (!body.url) {
|
|
res.status(400).json({ error: "Missing 'url' field" });
|
|
return;
|
|
}
|
|
// URL validation + SSRF protection
|
|
let parsed;
|
|
try {
|
|
parsed = new URL(body.url);
|
|
if (!["http:", "https:"].includes(parsed.protocol)) {
|
|
res.status(400).json({ error: "Only http/https URLs are supported" });
|
|
return;
|
|
}
|
|
}
|
|
catch {
|
|
res.status(400).json({ error: "Invalid URL" });
|
|
return;
|
|
}
|
|
// DNS lookup to block private/reserved IPs + pin resolution to prevent DNS rebinding
|
|
let resolvedAddress;
|
|
try {
|
|
const { address } = await dns.lookup(parsed.hostname);
|
|
if (isPrivateIP(address)) {
|
|
res.status(400).json({ error: "URL resolves to a private/internal IP address" });
|
|
return;
|
|
}
|
|
resolvedAddress = address;
|
|
}
|
|
catch {
|
|
res.status(400).json({ error: "DNS lookup failed for URL hostname" });
|
|
return;
|
|
}
|
|
// Acquire concurrency slot
|
|
if (req.acquirePdfSlot) {
|
|
await req.acquirePdfSlot();
|
|
slotAcquired = true;
|
|
}
|
|
const pdf = await renderUrlPdf(body.url, {
|
|
format: body.format,
|
|
landscape: body.landscape,
|
|
margin: body.margin,
|
|
printBackground: body.printBackground,
|
|
waitUntil: body.waitUntil,
|
|
hostResolverRules: `MAP ${parsed.hostname} ${resolvedAddress}`,
|
|
});
|
|
const filename = sanitizeFilename(body.filename || "page.pdf");
|
|
res.setHeader("Content-Type", "application/pdf");
|
|
res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
|
|
res.send(pdf);
|
|
}
|
|
catch (err) {
|
|
logger.error({ err }, "Convert URL error");
|
|
if (err.message === "QUEUE_FULL") {
|
|
res.status(429).json({ error: "Server busy - too many concurrent PDF generations. Please try again in a few seconds." });
|
|
return;
|
|
}
|
|
res.status(500).json({ error: `PDF generation failed: ${err.message}` });
|
|
}
|
|
finally {
|
|
if (slotAcquired && req.releasePdfSlot) {
|
|
req.releasePdfSlot();
|
|
}
|
|
}
|
|
});
|