import express from 'express' import cors from 'cors' import helmet from 'helmet' import morgan from 'morgan' import http from 'http' import { Server as SocketIOServer } from 'socket.io' import cron from 'node-cron' import jwt from 'jsonwebtoken' import { z } from 'zod' import { redis } from './lib/redis' import { prisma } from './lib/prisma' import { authLimiter, apiLimiter, publicLimiter, adminLimiter } from './middleware/rateLimiter' // ─── Routes ─────────────────────────────────────────────────── import webhookRouter from './routes/webhooks' import companyAuthRouter from './routes/auth.company' import employeeAuthRouter from './routes/auth.employee' import renterAuthRouter from './routes/auth.renter' import vehiclesRouter from './routes/vehicles' import reservationsRouter from './routes/reservations' import teamRouter from './routes/team' import customersRouter from './routes/customers' import offersRouter from './routes/offers' import analyticsRouter from './routes/analytics' import notificationsRouter from './routes/notifications' import marketplaceRouter from './routes/marketplace' import adminRouter from './routes/admin' import companiesRouter from './routes/companies' import subscriptionsRouter from './routes/subscriptions' import siteRouter from './routes/site' import paymentsRouter from './routes/payments' const app = express() const server = http.createServer(app) // Trust the first hop from a reverse proxy so req.ip and rate-limiting // use the real client IP (from X-Forwarded-For) rather than the proxy's IP. if (process.env.NODE_ENV === 'production') { app.set('trust proxy', 1) } const v1 = '/api/v1' const defaultCorsOrigins = [ 'http://localhost:3000', 'http://localhost:3001', 'http://localhost:3002', 'http://localhost:3003', 'http://127.0.0.1:3000', 'http://127.0.0.1:3001', 'http://127.0.0.1:3002', 'http://127.0.0.1:3003', ] const corsOrigins = process.env.CORS_ORIGINS ? process.env.CORS_ORIGINS.split(',').map((origin) => origin.trim()).filter(Boolean) : defaultCorsOrigins const routeDocs = [ { method: 'GET', path: '/health', description: 'Health check' }, { method: 'GET', path: `${v1}/docs`, description: 'Machine-readable API index' }, { method: 'GET', path: `${v1}/auth/renter/me`, description: 'Current renter profile' }, { method: 'GET', path: `${v1}/vehicles`, description: 'List company vehicles' }, { method: 'POST', path: `${v1}/vehicles`, description: 'Create vehicle' }, { method: 'GET', path: `${v1}/reservations`, description: 'List reservations' }, { method: 'POST', path: `${v1}/reservations`, description: 'Create reservation' }, { method: 'GET', path: `${v1}/customers`, description: 'List customers' }, { method: 'POST', path: `${v1}/customers`, description: 'Create customer' }, { method: 'GET', path: `${v1}/offers`, description: 'List offers' }, { method: 'GET', path: `${v1}/analytics/dashboard`, description: 'Dashboard analytics' }, { method: 'GET', path: `${v1}/analytics/report`, description: 'Analytics report' }, { method: 'GET', path: `${v1}/notifications/company`, description: 'Company notifications' }, { method: 'GET', path: `${v1}/marketplace/cities`, description: 'Marketplace cities' }, { method: 'GET', path: `${v1}/marketplace/search`, description: 'Marketplace search' }, { method: 'GET', path: `${v1}/site/:slug/brand`, description: 'Public site brand config' }, { method: 'GET', path: `${v1}/companies/me`, description: 'Current company profile' }, { method: 'GET', path: `${v1}/subscriptions/plans`, description: 'Subscription plans' }, { method: 'POST', path: `${v1}/admin/auth/login`, description: 'Admin login' }, ] // ─── Socket.io ──────────────────────────────────────────────── const io = new SocketIOServer(server, { cors: { origin: corsOrigins, credentials: true, methods: ['GET', 'POST'] }, }) const redisMessageSchema = z.object({ type: z.string(), payload: z.unknown(), }) // Authenticate socket connections via JWT before joining user rooms io.use((socket, next) => { const token = socket.handshake.auth?.token as string | undefined if (!token) return next() // unauthenticated connections allowed; they just don't join rooms try { const payload = jwt.verify(token, process.env.JWT_SECRET!) as { sub: string; type: string } ;(socket as any).authenticatedUserId = payload.sub next() } catch { next(new Error('invalid_token')) } }) io.on('connection', (socket) => { const userId = (socket as any).authenticatedUserId as string | undefined if (userId) { socket.join(`user:${userId}`) } }) // Redis pub/sub → broadcast to connected clients const subscriber = redis.duplicate() subscriber.psubscribe('notifications:*', (err) => { if (err) console.error('[Redis] Subscribe error:', err) }) subscriber.on('pmessage', (_pattern, channel, message) => { try { const parsed = JSON.parse(message) const validated = redisMessageSchema.parse(parsed) const userId = channel.replace('notifications:', '') io.to(`user:${userId}`).emit('notification', validated) } catch (err) { console.error('[Redis] Invalid notification message:', err) } }) // ─── Middleware ──────────────────────────────────────────────── // Serve local file storage app.use('/storage', express.static(require('path').resolve(__dirname, 'lib/storage'))) // Webhook must use raw body BEFORE express.json() app.use('/api/v1/webhooks', express.raw({ type: 'application/json' }), webhookRouter) app.use(helmet()) app.use(cors({ origin: corsOrigins, credentials: true })) app.use(morgan('combined')) app.use(express.json({ limit: '10mb' })) // ─── API Routes ─────────────────────────────────────────────── // Auth routes: strict brute-force protection app.use(`${v1}/auth/renter`, authLimiter, renterAuthRouter) app.use(`${v1}/auth/company`, authLimiter, companyAuthRouter) app.use(`${v1}/auth/employee`, authLimiter, employeeAuthRouter) // Admin routes: dedicated limit app.use(`${v1}/admin`, adminLimiter, adminRouter) // Public unauthenticated routes app.use(`${v1}/marketplace`, publicLimiter, marketplaceRouter) app.use(`${v1}/site`, publicLimiter, siteRouter) // Authenticated company/renter routes app.use(`${v1}/vehicles`, apiLimiter, vehiclesRouter) app.use(`${v1}/reservations`, apiLimiter, reservationsRouter) app.use(`${v1}/team`, apiLimiter, teamRouter) app.use(`${v1}/customers`, apiLimiter, customersRouter) app.use(`${v1}/offers`, apiLimiter, offersRouter) app.use(`${v1}/analytics`, apiLimiter, analyticsRouter) app.use(`${v1}/notifications`, apiLimiter, notificationsRouter) app.use(`${v1}/companies`, apiLimiter, companiesRouter) app.use(`${v1}/subscriptions`, apiLimiter, subscriptionsRouter) app.use(`${v1}/payments`, apiLimiter, paymentsRouter) // ─── Health check ───────────────────────────────────────────── app.get('/health', (_req, res) => { res.json({ status: 'ok', version: '1.0.0', timestamp: new Date().toISOString() }) }) app.get(`${v1}/docs`, (_req, res) => { res.json({ name: 'rentaldrivego-api', version: '1.0.0', baseUrl: v1, docsUrl: '/docs', routes: routeDocs, }) }) app.get('/docs', (_req, res) => { const rows = routeDocs .map( (route) => `
${route.path}| Method | Path | Description |
|---|