fix: resolve server bugs and unify app-name handling

Bug fixes: - bbb.js: replace undefined t('defaultWelcome') call that threw a ReferenceError when a room had an empty welcome message, breaking meeting creation. Default welcome and the guest-invite hint are now localised via the i18n system (new "bbb" namespace in de/en). - auth.js: app name was read from the never-written 'branding' settings key, so custom names never appeared in verification emails or the TOTP issuer. Now resolved through a shared getAppName() helper. - auth.js: lowercase the email in the registration duplicate check so case-variant duplicates return a clean 409 instead of a 500 (UNIQUE violation). - federation.js: select the user's "language" column so federation invite emails respect the recipient's language instead of always defaulting to English. - calendar.js: a set reminder could not be cleared. COALESCE treated an explicit reminder_minutes: null as "keep existing"; use a direct assignment that distinguishes "omitted" (keep) from "null" (clear). - index.js / analytics.js: exclude the BBB learning-analytics callback from the global 100kb body limit and give it its own 5mb limit, since analytics payloads for large meetings can be several MB. Cleanup: - Add server/config/appName.js as the single source of truth for the app name (admin setting -> APP_NAME env -> 'Redlight') and use it in auth, admin, rooms, calendar and federation, replacing the previous mix of wrong DB key, direct app_name reads and bare process.env reads. - Localise the BBB default welcome message in the room owner's language. - Remove two unused safeAppName variables in mailer.js.
2026-06-02 09:19:21 +02:00
parent 9fc51bdfc5
commit 4aea069295
12 changed files with 74 additions and 39 deletions
@@ -0,0 +1,20 @@
 import { getDb } from './database.js';
 /**
 * Resolve the configured application name.
 * Resolution order: admin-set 'app_name' setting → APP_NAME env var → 'Redlight'.
 *
 * The app name is stored in the settings table under the key 'app_name'
 * (see routes/branding.js). This helper is the single source of truth so the
 * configured name is used consistently across emails, the 2FA issuer, etc.
 */
 export async function getAppName() {
  try {
    const db = getDb();
    const row = await db.get("SELECT value FROM settings WHERE key = 'app_name'");
    if (row?.value) return row.value;
  } catch {
    // fall through to env/default if the DB is unavailable
  }
  return process.env.APP_NAME || 'Redlight';
 }
@@ -1,6 +1,7 @@
 import crypto from 'crypto';
 import xml2js from 'xml2js';
 import { log, fmtDuration, fmtStatus, fmtMethod, fmtReturncode, sanitizeBBBParams } from './logger.js';
 import { t } from './emaili18n.js';
 const BBB_URL = process.env.BBB_URL || 'https://your-bbb-server.com/bigbluebutton/api/';
 const BBB_SECRET = process.env.BBB_SECRET || '';
@@ -73,15 +74,15 @@ function getRoomPasswords(uid) {
  return { moderatorPW: modPw, attendeePW: attPw };
 }
-export async function createMeeting(room, logoutURL, loginURL = null, presentationUrl = null, analyticsCallbackURL = null) {
+export async function createMeeting(room, logoutURL, loginURL = null, presentationUrl = null, analyticsCallbackURL = null, lang = 'en') {
  const { moderatorPW, attendeePW } = getRoomPasswords(room.uid);
  // Build welcome message with guest invite link
  // HTML-escape user-controlled content to prevent stored XSS via BBB
-  let welcome = room.welcome_message ? escapeHtml(room.welcome_message) : t('defaultWelcome');
+  let welcome = room.welcome_message ? escapeHtml(room.welcome_message) : escapeHtml(t(lang, 'bbb.defaultWelcome'));
  if (logoutURL) {
    const guestLink = `${logoutURL}/join/${room.uid}`;
-    welcome += `<br><br>To invite other participants, share this link:<br><a href="${escapeHtml(guestLink)}">${escapeHtml(guestLink)}</a>`;
+    welcome += `<br><br>${escapeHtml(t(lang, 'bbb.inviteHint'))}<br><a href="${escapeHtml(guestLink)}">${escapeHtml(guestLink)}</a>`;
    // Access code is intentionally NOT shown in the welcome message to prevent
    // leaking it to all meeting participants.
  }
@@ -64,7 +64,6 @@ export async function sendVerificationEmail(to, name, verifyUrl, appName = 'Redl
  const from = process.env.SMTP_FROM || process.env.SMTP_USER;
  const headerAppName = sanitizeHeaderValue(appName);
  const safeName = escapeHtml(name);
  const safeAppName = escapeHtml(appName);
  await transporter.sendMail({
    from: `"${headerAppName}" <${from}>`,
@@ -112,7 +111,6 @@ export async function sendFederationInviteEmail(to, name, fromUser, roomName, me
  const safeFromUser = escapeHtml(fromUser);
  const safeRoomName = escapeHtml(roomName);
  const safeMessage = message ? escapeHtml(message) : null;
  const safeAppName = escapeHtml(appName);
  const introHtml = t(lang, 'email.federationInvite.intro')
    .replace('{fromUser}', `<strong style="color:#cdd6f4;">${safeFromUser}</strong>`);
@@ -42,5 +42,9 @@
      "note": "Der Termin wurde automatisch aus deinem Kalender entfernt.",
      "footer": "Diese Nachricht wurde automatisch von {appName} versendet."
    }
  },
  "bbb": {
    "defaultWelcome": "Willkommen im Meeting!",
    "inviteHint": "Lade weitere Teilnehmer ein, indem du diesen Link teilst:"
  }
 }
@@ -42,5 +42,9 @@
      "note": "The event has been automatically removed from your calendar.",
      "footer": "This message was sent automatically by {appName}."
    }
  },
  "bbb": {
    "defaultWelcome": "Welcome to the meeting!",
    "inviteHint": "To invite other participants, share this link:"
  }
 }
@@ -51,7 +51,14 @@ const corsOptions = process.env.APP_URL
  ? { origin: process.env.APP_URL, credentials: true }
  : { origin: false };
 app.use(cors(corsOptions));
-app.use(express.json({ limit: '100kb' }));
+// Global JSON body limit kept tight as a hardening measure. The BBB learning
 // analytics callback can send much larger payloads, so it is excluded here and
 // gets its own, more generous limit on the route itself (see routes/analytics.js).
 const jsonParser = express.json({ limit: '100kb' });
 app.use((req, res, next) => {
  if (req.path.startsWith('/api/analytics/callback/')) return next();
  return jsonParser(req, res, next);
 });
 // Request/Response logging (filters sensitive fields)
 app.use(requestResponseLogger);
@@ -4,6 +4,7 @@ import { v4 as uuidv4 } from 'uuid';
 import { getDb } from '../config/database.js';
 import { authenticateToken, requireAdmin, getBaseUrl } from '../middleware/auth.js';
 import { isMailerConfigured, sendInviteEmail } from '../config/mailer.js';
 import { getAppName } from '../config/appName.js';
 import { log } from '../config/logger.js';
 import {
  getOAuthConfig,
@@ -217,9 +218,8 @@ router.post('/invites', authenticateToken, requireAdmin, async (req, res) => {
    const baseUrl = getBaseUrl(req);
    const inviteUrl = `${baseUrl}/register?invite=${token}`;
-    // Load app name
+    // Load configured app name (admin setting → env → default)
-    const brandingSetting = await db.get("SELECT value FROM settings WHERE key = 'app_name'");
+    const appName = await getAppName();
    const appName = brandingSetting?.value || 'Redlight';
    if (isMailerConfigured()) {
      try {
@@ -1,4 +1,4 @@
-import { Router } from 'express';
+import { Router, json } from 'express';
 import crypto from 'crypto';
 import ExcelJS from 'exceljs';
 import PDFDocument from 'pdfkit';
@@ -10,7 +10,9 @@ import { getAnalyticsToken } from '../config/bbb.js';
 const router = Router();
 // POST /api/analytics/callback/:uid?token=... - BBB Learning Analytics callback (token-secured)
-router.post('/callback/:uid', async (req, res) => {
+// Excluded from the global 100kb body limit (see index.js): learning analytics
 // payloads for large meetings can be several MB.
 router.post('/callback/:uid', json({ limit: '5mb' }), async (req, res) => {
  try {
    const { token } = req.query;
    const expectedToken = getAnalyticsToken(req.params.uid);
@@ -13,6 +13,7 @@ import redis from '../config/redis.js';
 import { authenticateToken, generateToken, getBaseUrl } from '../middleware/auth.js';
 import { isMailerConfigured, sendVerificationEmail } from '../config/mailer.js';
 import { getOAuthConfig, discoverOIDC } from '../config/oauth.js';
 import { getAppName } from '../config/appName.js';
 import { log } from '../config/logger.js';
 if (!process.env.JWT_SECRET) {
@@ -179,7 +180,8 @@ router.post('/register', registerLimiter, async (req, res) => {
      return res.status(400).json({ error: `Password must not exceed ${MAX_PASSWORD_LENGTH} characters` });
    }
-    const existing = await db.get('SELECT id FROM users WHERE email = ?', [email]);
+    // Emails are stored lowercased, so compare lowercased to catch case-variant duplicates
    const existing = await db.get('SELECT id FROM users WHERE email = ?', [email.toLowerCase()]);
    if (existing) {
      return res.status(409).json({ error: 'Email is already in use' });
    }
@@ -213,12 +215,8 @@ router.post('/register', registerLimiter, async (req, res) => {
      const baseUrl = getBaseUrl(req);
      const verifyUrl = `${baseUrl}/verify-email?token=${verificationToken}`;
-      // Load app name from branding settings
+      // Load configured app name (admin setting → env → default)
-      const brandingSetting = await db.get("SELECT value FROM settings WHERE key = 'branding'");
+      const appName = await getAppName();
      let appName = 'Redlight';
      if (brandingSetting?.value) {
        try { appName = JSON.parse(brandingSetting.value).appName || appName; } catch {}
      }
      try {
        await sendVerificationEmail(email.toLowerCase(), display_name, verifyUrl, appName, 'en');
@@ -327,11 +325,7 @@ router.post('/resend-verification', resendVerificationLimiter, async (req, res)
    const baseUrl = getBaseUrl(req);
    const verifyUrl = `${baseUrl}/verify-email?token=${verificationToken}`;
-    const brandingSetting = await db.get("SELECT value FROM settings WHERE key = 'branding'");
+    const appName = await getAppName();
    let appName = 'Redlight';
    if (brandingSetting?.value) {
      try { appName = JSON.parse(brandingSetting.value).appName || appName; } catch {}
    }
    try {
      await sendVerificationEmail(email.toLowerCase(), user.display_name || user.name, verifyUrl, appName, user.language || 'en');
@@ -774,12 +768,8 @@ router.post('/2fa/setup', authenticateToken, twoFaLimiter, async (req, res) => {
    const secret = new OTPAuth.Secret({ size: 20 });
-    // Load app name from branding settings
+    // Use the configured app name as the TOTP issuer (admin setting → env → default)
-    const brandingSetting = await db.get("SELECT value FROM settings WHERE key = 'branding'");
+    const issuer = await getAppName();
    let issuer = 'Redlight';
    if (brandingSetting?.value) {
      try { issuer = JSON.parse(brandingSetting.value).appName || issuer; } catch {}
    }
    const totp = new OTPAuth.TOTP({
      issuer,
@@ -4,6 +4,7 @@ import { getDb } from '../config/database.js';
 import { authenticateToken, getBaseUrl } from '../middleware/auth.js';
 import { log } from '../config/logger.js';
 import { sendCalendarInviteEmail } from '../config/mailer.js';
 import { getAppName } from '../config/appName.js';
 import {
  isFederationEnabled,
  getFederationDomain,
@@ -219,7 +220,7 @@ router.put('/events/:id', authenticateToken, async (req, res) => {
        end_time = COALESCE(?, end_time),
        room_uid = ?,
        color = COALESCE(?, color),
-        reminder_minutes = COALESCE(?, reminder_minutes),
+        reminder_minutes = ?,
        reminder_sent_at = ${resetReminder ? 'NULL' : 'reminder_sent_at'},
        updated_at = CURRENT_TIMESTAMP
      WHERE id = ?
@@ -230,7 +231,9 @@ router.put('/events/:id', authenticateToken, async (req, res) => {
      end_time || null,
      room_uid !== undefined ? (room_uid || null) : event.room_uid,
      color || null,
-      validReminder !== undefined ? validReminder : null,
+      // Not in payload → keep existing; present (incl. null) → set/clear directly.
      // COALESCE can't be used here: it would treat an explicit null as "keep".
      validReminder !== undefined ? validReminder : event.reminder_minutes,
      req.params.id,
    ]);
@@ -323,7 +326,7 @@ router.post('/events/:id/share', authenticateToken, async (req, res) => {
    if (targetUser?.email) {
      const appUrl = getBaseUrl(req);
      const inboxUrl = `${appUrl}/federation/inbox`;
-      const appName = process.env.APP_NAME || 'Redlight';
+      const appName = await getAppName();
      const senderUser = await db.get('SELECT name, display_name FROM users WHERE id = ?', [req.user.id]);
      const fromDisplay = (senderUser?.display_name && senderUser.display_name !== '') ? senderUser.display_name : (senderUser?.name || req.user.name);
      sendCalendarInviteEmail(
@@ -645,7 +648,7 @@ router.post(['/receive-event', '/calendar-event'], calendarFederationLimiter, as
    if (targetUser.email) {
      const appUrl = getBaseUrl(req);
      const inboxUrl = `${appUrl}/federation/inbox`;
-      const appName = process.env.APP_NAME || 'Redlight';
+      const appName = await getAppName();
      sendCalendarInviteEmail(
        targetUser.email, targetUser.name, from_user,
        title, start_time, end_time, description || null,
@@ -6,6 +6,7 @@ import { authenticateToken, getBaseUrl } from '../middleware/auth.js';
 import { sendFederationInviteEmail, sendCalendarEventDeletedEmail } from '../config/mailer.js';
 import { log } from '../config/logger.js';
 import { createNotification } from '../config/notifications.js';
 import { getAppName } from '../config/appName.js';
 // M13: rate limit the unauthenticated federation receive endpoint
 const federationReceiveLimiter = rateLimit({
@@ -198,7 +199,7 @@ router.post('/receive', federationReceiveLimiter, async (req, res) => {
        // Look up user by name (case-insensitive)
        const targetUser = await db.get(
-            'SELECT id, name, email FROM users WHERE LOWER(name) = LOWER(?)',
+            'SELECT id, name, email, language FROM users WHERE LOWER(name) = LOWER(?)',
            [username]
        );
@@ -238,7 +239,7 @@ router.post('/receive', federationReceiveLimiter, async (req, res) => {
        if (targetUser.email) {
            const appUrl = getBaseUrl(req);
            const inboxUrl = `${appUrl}/federation/inbox`;
-            const appName = process.env.APP_NAME || 'Redlight';
+            const appName = await getAppName();
            sendFederationInviteEmail(
                targetUser.email, targetUser.name, from_user,
                room_name, message || null, inboxUrl, appName, targetUser.language || 'en'
@@ -627,7 +628,7 @@ router.post('/calendar-event-deleted', federationReceiveLimiter, async (req, res
        // Notify affected users by email (fire-and-forget)
        if (affectedUsers.length > 0) {
-            const appName = process.env.APP_NAME || 'Redlight';
+            const appName = await getAppName();
            for (const u of affectedUsers) {
                sendCalendarEventDeletedEmail(u.email, u.name, u.from_user, u.title, appName, u.language || 'en')
                    .catch(mailErr => {
@@ -9,6 +9,7 @@ import { authenticateToken, getBaseUrl } from '../middleware/auth.js';
 import { log } from '../config/logger.js';
 import { createNotification } from '../config/notifications.js';
 import { sendGuestInviteEmail } from '../config/mailer.js';
 import { getAppName } from '../config/appName.js';
 import {
  createMeeting,
  joinMeeting,
@@ -513,7 +514,9 @@ router.post('/:uid/start', authenticateToken, async (req, res) => {
    const analyticsCallbackURL = room.learning_analytics
      ? `${baseUrl}/api/analytics/callback/${room.uid}?token=${getAnalyticsToken(room.uid)}`
      : null;
-    await createMeeting(room, baseUrl, loginURL, presentationUrl, analyticsCallbackURL);
+    // Localise BBB's default welcome message in the room owner's language
    const owner = await db.get('SELECT language FROM users WHERE id = ?', [room.user_id]);
    await createMeeting(room, baseUrl, loginURL, presentationUrl, analyticsCallbackURL, owner?.language || 'en');
    const avatarURL = getUserAvatarURL(req, req.user);
    const displayName = req.user.display_name || req.user.name;
    const joinUrl = await joinMeeting(room.uid, displayName, true, avatarURL);
@@ -662,7 +665,9 @@ router.post('/:uid/guest-join', guestJoinLimiter, async (req, res) => {
      const analyticsCallbackURL = room.learning_analytics
        ? `${baseUrl}/api/analytics/callback/${room.uid}?token=${getAnalyticsToken(room.uid)}`
        : null;
-      await createMeeting(room, baseUrl, loginURL, null, analyticsCallbackURL);
+      // Localise BBB's default welcome message in the room owner's language
      const owner = await db.get('SELECT language FROM users WHERE id = ?', [room.user_id]);
      await createMeeting(room, baseUrl, loginURL, null, analyticsCallbackURL, owner?.language || 'en');
    }
    // Check moderator code
@@ -908,7 +913,7 @@ router.post('/invite-email', authenticateToken, async (req, res) => {
      ? `${baseUrl}/join/${room.uid}?ac=${encodeURIComponent(room.access_code)}`
      : `${baseUrl}/join/${room.uid}`;
-    const appName = process.env.APP_NAME || 'Redlight';
+    const appName = await getAppName();
    const fromUser = req.user.display_name || req.user.name;
    const lang = req.user.language || 'en';