import express from 'express'; import cors from 'cors'; import path from 'path'; import './db/schema'; // initialize DB + bootstrap admin import { UPLOAD_PATH } from './db/schema'; import { requireAuth } from './middleware/auth'; import authRouter from './routes/auth'; import projectsRouter from './routes/projects'; import toolsRouter from './routes/tools'; import uploadsRouter from './routes/uploads'; import settingsRouter from './routes/settings'; import usersRouter from './routes/users'; const app = express(); const PORT = Number(process.env.PORT || 3000); app.use(cors()); app.use(express.json({ limit: '10mb' })); // Public — auth endpoints app.use('/api/auth', authRouter); // Public — serve uploaded files as static assets. // tags and markdown renderers can't send Authorization headers, // so file reads must be unauthenticated. POST/DELETE in uploadsRouter // are still protected by requireAuth inside the router. app.use('/api/uploads', express.static(UPLOAD_PATH)); // Protected — all other API routes require a valid JWT app.use('/api/projects', requireAuth, projectsRouter); app.use('/api/tools', requireAuth, toolsRouter); app.use('/api/uploads', requireAuth, uploadsRouter); // handles POST + DELETE only app.use('/api/settings', settingsRouter); // GET is public (branding on login page); PUT/POST require admin (per-method in router) app.use('/api/users', usersRouter); // requireAdmin applied inside router // Serve built React client in production const clientDist = path.join(__dirname, '../../client/dist'); app.use(express.static(clientDist)); app.get(/^(?!\/api).*/, (_req, res) => { res.sendFile(path.join(clientDist, 'index.html')); }); app.listen(PORT, '0.0.0.0', () => { console.log(`[CODEDUMP] Running on port ${PORT}`); console.log(`[CODEDUMP] Data directory: ${process.env.DATA_DIR || 'data/'}`); });