faral/pokerface
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pokerface/backend/src/index.js
Jan Willem Mannaerts fdd9ba8d56 Initial commit: Pokerface sprint planning poker for Jira 
Full-stack app with Express/Socket.io backend, React frontend,
NATS JetStream for state, and Atlassian Jira OAuth integration.

Includes security hardening: NATS auth support, KV bucket TTL
enforcement, CAS retry for race conditions, error message
sanitization, and OAuth state stored in NATS KV.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 21:38:37 +01:00

294 lines
8.9 KiB
JavaScript
Raw Blame History

import path from 'path';
import { fileURLToPath } from 'url';
import { createServer } from 'http';
import express from 'express';
import cors from 'cors';
import cookieParser from 'cookie-parser';
import dotenv from 'dotenv';
import { Server } from 'socket.io';
import natsAdapter from '@mickl/socket.io-nats-adapter';
const { createAdapter } = natsAdapter;
import { connectNats, getNatsConnection } from './lib/nats.js';
import pokerRoutes from './routes/poker.js';
import jiraRoutes from './routes/jira.js';
import roomRoutes from './routes/rooms.js';
import {
canAccessSession,
getSessionSnapshot,
isSessionParticipant,
joinSession,
leaveSession,
revealIfComplete,
saveScopedEstimate,
submitVote
} from './services/pokerService.js';
import { updateIssueEstimate } from './services/jiraService.js';
import { getSocketUser } from './middleware/auth.js';
import { safeError } from './lib/errors.js';
dotenv.config();
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
const isProd = process.env.NODE_ENV === 'production';
const app = express();
const httpServer = createServer(app);
const port = Number(process.env.PORT || 4010);
if (isProd && !process.env.FRONTEND_URL) {
throw new Error('FRONTEND_URL must be set in production.');
}
const frontendUrl = process.env.FRONTEND_URL || 'http://localhost:5174';
const corsOptions = { origin: frontendUrl, credentials: true };
function isAllowedOrigin(origin) {
if (!origin) return !isProd;
return origin === frontendUrl;
}
app.disable('x-powered-by');
app.use((_req, res, next) => {
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('Referrer-Policy', 'no-referrer');
res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
if (isProd) {
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
}
next();
});
app.use(cors(corsOptions));
app.use(cookieParser());
app.use(express.json({ limit: '1mb' }));
app.get('/api/health', (_req, res) => {
res.json({ status: 'ok' });
});
app.use('/api/poker', pokerRoutes);
app.use('/api/jira', jiraRoutes);
app.use('/api/poker/rooms', roomRoutes);
if (isProd) {
const distPath = path.resolve(__dirname, '../../frontend/dist');
app.use(express.static(distPath));
app.get('*', (req, res) => {
if (req.path.startsWith('/api/')) return res.status(404).json({ error: 'Not found' });
res.sendFile(path.join(distPath, 'index.html'));
});
}
const io = new Server(httpServer, {
cors: corsOptions,
allowRequest: (req, callback) => {
if (isAllowedOrigin(req.headers.origin)) {
callback(null, true);
return;
}
callback('Origin not allowed', false);
}
});
async function emitSessionState(sessionId) {
const snapshot = await getSessionSnapshot(sessionId);
if (!snapshot) return;
io.to(`poker:${sessionId}`).emit('poker:participants', {
sessionId,
participants: snapshot.participants,
votedUserKeys: snapshot.votedUserKeys,
voteCount: snapshot.voteCount,
participantCount: snapshot.participantCount
});
io.to(`poker:${sessionId}`).emit('poker:vote-update', {
sessionId,
voteCount: snapshot.voteCount,
participantCount: snapshot.participantCount,
votedUserKeys: snapshot.votedUserKeys,
allVoted: snapshot.voteCount > 0 && snapshot.voteCount === snapshot.participantCount
});
if (snapshot.session.state === 'REVEALED' || snapshot.session.state === 'SAVED') {
io.to(`poker:${sessionId}`).emit('poker:revealed', {
sessionId,
votes: snapshot.votesByUser,
average: snapshot.session.averageEstimate,
suggestedEstimate: snapshot.session.suggestedEstimate,
savedEstimate: snapshot.session.savedEstimate
});
}
}
io.on('connection', (socket) => {
const user = getSocketUser(socket);
if (!user || !user.jiraCloudId) {
socket.emit('poker:error', { error: 'Not authenticated' });
socket.disconnect(true);
return;
}
socket.user = user;
socket.on('poker:join', async ({ sessionId }) => {
try {
if (!sessionId) {
socket.emit('poker:error', { error: 'sessionId is required.' });
return;
}
if (!await canAccessSession(sessionId, socket.user.jiraCloudId)) {
socket.emit('poker:error', { error: 'Session not found.' });
return;
}
socket.join(`poker:${sessionId}`);
const snapshot = await joinSession({
sessionId,
tenantCloudId: socket.user.jiraCloudId,
userKey: socket.user.jiraAccountId,
userName: socket.user.displayName,
avatarUrl: socket.user.avatarUrl || null
});
if (!snapshot) {
socket.emit('poker:error', { error: 'Session not found.' });
return;
}
await emitSessionState(sessionId);
} catch (error) {
console.error('[socket] poker:join failed:', error);
socket.emit('poker:error', { error: safeError(error) });
}
});
socket.on('poker:vote', async ({ sessionId, vote }) => {
try {
if (!sessionId) {
socket.emit('poker:error', { error: 'sessionId is required.' });
return;
}
if (!await canAccessSession(sessionId, socket.user.jiraCloudId)) {
socket.emit('poker:error', { error: 'Session not found.' });
return;
}
if (!await isSessionParticipant(sessionId, socket.user.jiraAccountId)) {
socket.emit('poker:error', { error: 'Join the session before voting.' });
return;
}
const voteResult = await submitVote({
sessionId,
tenantCloudId: socket.user.jiraCloudId,
userKey: socket.user.jiraAccountId,
vote
});
if (!voteResult) {
socket.emit('poker:error', { error: 'Unable to submit vote for this session.' });
return;
}
const reveal = await revealIfComplete(sessionId);
await emitSessionState(sessionId);
if (reveal?.allVoted) {
io.to(`poker:${sessionId}`).emit('poker:revealed', {
sessionId,
votes: reveal.votesByUser,
average: reveal.average,
suggestedEstimate: reveal.suggestedEstimate
});
}
} catch (error) {
console.error('[socket] poker:vote failed:', error);
socket.emit('poker:error', { error: safeError(error) });
}
});
socket.on('poker:save', async ({ sessionId, estimate }) => {
try {
if (!sessionId) {
socket.emit('poker:error', { error: 'sessionId is required.' });
return;
}
if (!await canAccessSession(sessionId, socket.user.jiraCloudId)) {
socket.emit('poker:error', { error: 'Session not found.' });
return;
}
if (!await isSessionParticipant(sessionId, socket.user.jiraAccountId)) {
socket.emit('poker:error', { error: 'Join the session before saving.' });
return;
}
const numericEstimate = Number(estimate);
if (!Number.isFinite(numericEstimate)) {
socket.emit('poker:error', { error: 'estimate must be a number.' });
return;
}
const saved = await saveScopedEstimate({
sessionId,
estimate: numericEstimate,
tenantCloudId: socket.user.jiraCloudId,
userKey: socket.user.jiraAccountId
});
if (!saved) {
socket.emit('poker:error', { error: 'Unable to save estimate for this session.' });
return;
}
const issueRef = saved.session.issueId || saved.session.issueKey;
try {
await updateIssueEstimate(socket.user.jiraAccountId, issueRef, numericEstimate, saved.session.boardId);
} catch (_jiraError) {
// Jira update is best-effort so poker flow continues even when Jira is unavailable.
}
io.to(`poker:${sessionId}`).emit('poker:saved', {
sessionId,
estimate: numericEstimate,
issueKey: saved.session.issueKey
});
io.to(`poker:${sessionId}`).emit('poker:ended', { sessionId });
} catch (error) {
console.error('[socket] poker:save failed:', error);
socket.emit('poker:error', { error: safeError(error) });
}
});
socket.on('poker:leave', async ({ sessionId }) => {
try {
if (!sessionId) return;
if (!await canAccessSession(sessionId, socket.user.jiraCloudId)) return;
await leaveSession({
sessionId,
tenantCloudId: socket.user.jiraCloudId,
userKey: socket.user.jiraAccountId
});
socket.leave(`poker:${sessionId}`);
await emitSessionState(sessionId);
} catch (error) {
console.error('[socket] poker:leave failed:', error);
socket.emit('poker:error', { error: safeError(error) });
}
});
});
async function start() {
const nc = await connectNats();
io.adapter(createAdapter(nc));
httpServer.listen(port, () => {
// eslint-disable-next-line no-console
console.log(`Pokerface backend listening on :${port}`);
});
}
start().catch((error) => {
// eslint-disable-next-line no-console
console.error('Failed to start server:', error);
process.exit(1);
});
Reference in a new issue View git blame Copy permalink