update copyright years to 2019

[akkoma] / lib / pleroma / web / endpoint.ex

diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index 1a012c1b416a05c5e6743cf2f0792af0045042e4..0b4ce9cc495622c27e0b56cb00c7e83d4fc73087 100644 (file)
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@@ -1,23 +1,31 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
 defmodule Pleroma.Web.Endpoint do
   use Phoenix.Endpoint, otp_app: :pleroma
 
-  if Application.get_env(:pleroma, :chat) |> Keyword.get(:enabled) do
-    socket("/socket", Pleroma.Web.UserSocket)
-  end
-
-  socket("/api/v1", Pleroma.Web.MastodonAPI.MastodonSocket)
+  socket("/socket", Pleroma.Web.UserSocket)
 
   # Serve at "/" the static files from "priv/static" directory.
   #
   # You should set gzip to true if you are running phoenix.digest
   # when deploying your static files in production.
-  plug(Plug.Static, at: "/media", from: Pleroma.Upload.upload_path(), gzip: false)
+  plug(CORSPlug)
+  plug(Pleroma.Plugs.HTTPSecurityPlug)
+
+  plug(Pleroma.Plugs.UploadedMedia)
+
+  # InstanceStatic needs to be before Plug.Static to be able to override shipped-static files
+  # If you're adding new paths to `only:` you'll need to configure them in InstanceStatic as well
+  plug(Pleroma.Plugs.InstanceStatic, at: "/")
 
   plug(
     Plug.Static,
     at: "/",
     from: :pleroma,
-    only: ~w(index.html static finmoji emoji packs sounds images instance sw.js favicon.png)
+    only:
+      ~w(index.html static finmoji emoji packs sounds images instance sw.js favicon.png schemas doc)
   )
 
   # Code reloading can be explicitly enabled under the
@@ -35,20 +43,30 @@ defmodule Pleroma.Web.Endpoint do
     parsers: [:urlencoded, :multipart, :json],
     pass: ["*/*"],
     json_decoder: Jason,
-    length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit)
+    length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit),
+    body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
   )
 
   plug(Plug.MethodOverride)
   plug(Plug.Head)
 
+  cookie_name =
+    if Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
+      do: "__Host-pleroma_key",
+      else: "pleroma_key"
+
   # The session will be stored in the cookie and signed,
   # this means its contents can be read but not tampered with.
   # Set :encryption_salt if you would also like to encrypt it.
   plug(
     Plug.Session,
     store: :cookie,
-    key: "_pleroma_key",
-    signing_salt: "CqaoopA2"
+    key: cookie_name,
+    signing_salt: {Pleroma.Config, :get, [[__MODULE__, :signing_salt], "CqaoopA2"]},
+    http_only: true,
+    secure:
+      Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
+    extra: "SameSite=Strict"
   )
 
   plug(Pleroma.Web.Router)