const arrayRemove = require('unordered-array-remove') const escapeHtml = require('escape-html') const http = require('http') const mime = require('mime') const pump = require('pump') const rangeParser = require('range-parser') function Server (torrent, opts = {}) { const server = http.createServer() if (!opts.origin) opts.origin = '*' // allow all origins by default const sockets = [] const pendingReady = [] let closed = false const _listen = server.listen const _close = server.close server.listen = (...args) => { closed = false server.on('connection', onConnection) server.on('request', onRequest) return _listen.apply(server, args) } server.close = cb => { closed = true server.removeListener('connection', onConnection) server.removeListener('request', onRequest) while (pendingReady.length) { const onReady = pendingReady.pop() torrent.removeListener('ready', onReady) } _close.call(server, cb) } server.destroy = cb => { sockets.forEach(socket => { socket.destroy() }) // Only call `server.close` if user has not called it already if (!cb) cb = () => {} if (closed) process.nextTick(cb) else server.close(cb) torrent = null } function isOriginAllowed (req) { // When `origin` option is `false`, deny all cross-origin requests if (opts.origin === false) return false // Requests without an 'Origin' header are not actually cross-origin, so just // deny them if (req.headers.origin == null) return false // The user allowed all origins if (opts.origin === '*') return true // Allow requests where the 'Origin' header matches the `opts.origin` setting return req.headers.origin === opts.origin } function onConnection (socket) { socket.setTimeout(36000000) sockets.push(socket) socket.once('close', () => { arrayRemove(sockets, sockets.indexOf(socket)) }) } function onRequest (req, res) { // If a 'hostname' string is specified, deny requests with a 'Host' // header that does not match the origin of the torrent server to prevent // DNS rebinding attacks. if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) { return req.destroy() } const pathname = new URL(req.url, 'http://example.com').pathname // Allow cross-origin requests (CORS) if (isOriginAllowed(req)) { res.setHeader('Access-Control-Allow-Origin', req.headers.origin) } // Prevent browser mime-type sniffing res.setHeader('X-Content-Type-Options', 'nosniff') // Defense-in-depth: Set a strict Content Security Policy to mitigate XSS res.setHeader('Content-Security-Policy', "base-uri 'none'; default-src 'none'; frame-ancestors 'none'; form-action 'none';") if (pathname === '/favicon.ico') { return serve404Page() } // Allow CORS requests to specify arbitrary headers, e.g. 'Range', // by responding to the OPTIONS preflight request with the specified // origin and requested headers. if (req.method === 'OPTIONS') { if (isOriginAllowed(req)) return serveOptionsRequest() else return serveMethodNotAllowed() } if (req.method === 'GET' || req.method === 'HEAD') { if (torrent.ready) { handleRequest() } else { pendingReady.push(onReady) torrent.once('ready', onReady) } return } return serveMethodNotAllowed() function serveOptionsRequest () { res.statusCode = 204 // no content res.setHeader('Access-Control-Max-Age', '600') res.setHeader('Access-Control-Allow-Methods', 'GET,HEAD') if (req.headers['access-control-request-headers']) { res.setHeader( 'Access-Control-Allow-Headers', req.headers['access-control-request-headers'] ) } res.end() } function onReady () { arrayRemove(pendingReady, pendingReady.indexOf(onReady)) handleRequest() } function handleRequest () { if (pathname === '/') { return serveIndexPage() } const index = Number(pathname.split('/')[1]) if (Number.isNaN(index) || index >= torrent.files.length) { return serve404Page() } const file = torrent.files[index] serveFile(file) } function serveIndexPage () { res.statusCode = 200 res.setHeader('Content-Type', 'text/html') const listHtml = torrent.files .map((file, i) => ( `