feat: client and server logic to manage announcements (#3)

### Explanation

_No response_

### Issue

_No response_

### Attestations

- [x] I have read and agree to the [Code of Conduct](https://docs.nhcarrigan.com/community/coc/)
- [x] I have read and agree to the [Community Guidelines](https://docs.nhcarrigan.com/community/guide/).
- [x] My contribution complies with the [Contributor Covenant](https://docs.nhcarrigan.com/dev/covenant/).

### Dependencies

- [x] I have pinned the dependencies to a specific patch version.

### Style

- [x] I have run the linter and resolved any errors.
- [x] My pull request uses an appropriate title, matching the conventional commit standards.
- [x] My scope of feat/fix/chore/etc. correctly matches the nature of changes in my pull request.

### Tests

- [ ] My contribution adds new code, and I have added tests to cover it.
- [ ] My contribution modifies existing code, and I have updated the tests to reflect these changes.
- [ ] All new and existing tests pass locally with my changes.
- [ ] Code coverage remains at or above the configured threshold.

### Documentation

_No response_

### Versioning

_No response_

Reviewed-on: #3
Co-authored-by: Naomi Carrigan <commits@nhcarrigan.com>
Co-committed-by: Naomi Carrigan <commits@nhcarrigan.com>

server/src/cache/blockedIps.ts

@@ -0,0 +1,7 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+export const blockedIps: Array<{ ip: string; ttl: Date }> = [];

server/src/config/routesWithoutCors.ts

@@ -0,0 +1,15 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+/**
+ * If you want a route to allow any origin for CORS, add
+ * the full path to this array.
+ */
+export const routesWithoutCors = [
+  "/",
+  "/announcement",
+  "/health",
+];

server/src/db/database.ts

@@ -0,0 +1,24 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+import { PrismaClient } from "@prisma/client";
+
+class Database {
+  private readonly instance: PrismaClient;
+
+  public constructor() {
+    this.instance = new PrismaClient();
+    void this.instance.$connect();
+  }
+
+  public getInstance(): PrismaClient {
+    return this.instance;
+  }
+}
+
+const database = new Database();
+
+export { database };

server/src/hooks/cors.ts

@@ -0,0 +1,42 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+import { routesWithoutCors } from "../config/routesWithoutCors.js";
+import type { onRequestHookHandler } from "fastify";
+
+const isValidOrigin = (origin: string | undefined): boolean => {
+  if (origin === undefined) {
+    // We do not allow server-to-server requests.
+    return false;
+  }
+  if (process.env.NODE_ENV === "dev" && origin === "http://localhost:4200") {
+    // We allow the client to access the server when both are running locally.
+    return true;
+  }
+  // Otherwise, we only allow requests from our web application.
+  return origin === "https://hikari.nhcarrigan.com";
+};
+
+/**
+ * Ensures that form submissions only come from our web application.
+ * @param request - The request payload from the server.
+ * @param response - The reply handler from Fastify.
+ * @returns A Fastify reply if the request is invalid, otherwise undefined.
+ */
+// eslint-disable-next-line @typescript-eslint/no-misused-promises -- For reasons I cannot comprehend, Fastify seems to require us to return a request?
+export const corsHook: onRequestHookHandler = async(request, response) => {
+  if (routesWithoutCors.includes(request.url)) {
+    return undefined;
+  }
+  if (!isValidOrigin(request.headers.origin)) {
+    return await response.status(403).send({
+      error:
+        // eslint-disable-next-line stylistic/max-len -- This is a long error message.
+        "This route is only accessible from our dashboard at https://hikari.nhcarrigan.com.",
+    });
+  }
+  return undefined;
+};

server/src/hooks/ips.ts

@@ -0,0 +1,36 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+import { blockedIps } from "../cache/blockedIps.js";
+import { getIpFromRequest } from "../modules/getIpFromRequest.js";
+import type { onRequestHookHandler } from "fastify";
+
+/**
+ * Ensures that form submissions only come from our web application.
+ * @param request - The request payload from the server.
+ * @param response - The reply handler from Fastify.
+ * @returns A Fastify reply if the request is invalid, otherwise undefined.
+ */
+// eslint-disable-next-line @typescript-eslint/no-misused-promises -- For reasons I cannot comprehend, Fastify seems to require us to return a request?
+export const ipHook: onRequestHookHandler = async(request, response) => {
+  const ip = getIpFromRequest(request);
+  const ipRecord = blockedIps.find(
+    (record) => {
+      return record.ip === ip && record.ttl > new Date();
+    },
+  );
+  if (ipRecord && ipRecord.ttl > new Date()) {
+    return await response.
+      status(403).
+      send({
+        error: `Your IP address (${ipRecord.ip}) has been blocked until ${ipRecord.ttl.toISOString()}, to protect our API against brute-force attacks.`,
+      });
+  }
+  if (ipRecord && ipRecord.ttl <= new Date()) {
+    blockedIps.splice(blockedIps.indexOf(ipRecord), 1);
+  }
+  return undefined;
+};

server/src/index.ts

@@ -4,25 +4,41 @@
  * @author Naomi Carrigan
  */
 
+import cors from "@fastify/cors";
 import fastify from "fastify";
+import { corsHook } from "./hooks/cors.js";
+import { ipHook } from "./hooks/ips.js";
+import { announcementRoutes } from "./routes/announcement.js";
+import { baseRoutes } from "./routes/base.js";
 import { logger } from "./utils/logger.js";
 
 const server = fastify({
   logger: false,
 });
 
-server.get("/", async(_request, reply) => {
-  reply.redirect("https://hikari.nhcarrigan.com");
+/**
+ * This needs to be first, to ensure all requests have CORS configured.
+ * Our CORS settings allow for any origin, because we have a custom hook
+ * that guards specific routes from CORS requests.
+ * This is to allow our uptime monitor to access the health check route, for example.
+ * @see routesWithoutCors.ts
+ */
+server.register(cors, {
+  origin: "*",
 });
 
-server.get("/health", async(_request, reply) => {
-  reply.status(200).send("OK~!");
-});
+server.addHook("preHandler", corsHook);
+server.addHook("preHandler", ipHook);
+
+server.register(baseRoutes);
+server.register(announcementRoutes);
 
 server.listen({ port: 20_000 }, (error) => {
   if (error) {
     void logger.error("instantiate server", error);
     return;
   }
-  void logger.log("debug", "Server listening on port 20000.");
+  if (process.env.NODE_ENV !== "dev") {
+    void logger.log("debug", "Server listening on port 20000.");
+  }
 });

server/src/modules/announceOnDiscord.ts

@@ -0,0 +1,65 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+/* eslint-disable @typescript-eslint/naming-convention -- we are making raw API calls. */
+
+const channelIds = {
+  community: "1386105484313886820",
+  products:  "1386105452881776661",
+} as const;
+const roleIds = {
+  community: "1386107941224054895",
+  products:  "1386107909699666121",
+} as const;
+
+/**
+ * Forwards an announcement to our Discord server.
+ * @param title - The title of the announcement.
+ * @param content - The main body of the announcement.
+ * @param type - Whether the announcement is for a product or community.
+ * @returns A message indicating the success or failure of the operation.
+ */
+export const announceOnDiscord = async(
+  title: string,
+  content: string,
+  type: "products" | "community",
+): Promise<string> => {
+  const messageRequest = await fetch(
+    `https://discord.com/api/v10/channels/${channelIds[type]}/messages`,
+    {
+      body: JSON.stringify({
+        allowed_mentions: { parse: [ "users", "roles" ] },
+        content:          `# ${title}\n\n${content}\n-# <@&${roleIds[type]}>`,
+      }),
+      headers: {
+        "Authorization": `Bot ${process.env.DISCORD_TOKEN ?? ""}`,
+        "Content-Type":  "application/json",
+      },
+      method: "POST",
+    },
+  );
+  if (messageRequest.status !== 200) {
+    return "Failed to send message to Discord.";
+  }
+  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- fetch does not accept generics.
+  const message = await messageRequest.json() as { id?: string };
+  if (message.id === undefined) {
+    return "Failed to parse message ID, cannot crosspost.";
+  }
+  const crosspostRequest = await fetch(
+    `https://discord.com/api/v10/channels/${channelIds[type]}/messages/${message.id}/crosspost`,
+    {
+      headers: {
+        "Authorization": `Bot ${process.env.DISCORD_TOKEN ?? ""}`,
+        "Content-Type":  "application/json",
+      },
+      method: "POST",
+    },
+  );
+  if (!crosspostRequest.ok) {
+    return "Failed to crosspost message to Discord.";
+  }
+  return "Successfully sent and published message to Discord.";
+};

server/src/modules/announceOnForum.ts

@@ -0,0 +1,40 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+/* eslint-disable @typescript-eslint/naming-convention -- we are making raw API calls. */
+/**
+ * Forwards an announcement to our Discord server.
+ * @param title - The title of the announcement.
+ * @param content - The main body of the announcement.
+ * @param type - Whether the announcement is for a product or community.
+ * @returns A message indicating the success or failure of the operation.
+ */
+export const announceOnForum = async(
+  title: string,
+  content: string,
+  type: "products" | "community",
+): Promise<string> => {
+  const forumRequest = await fetch(
+    `https://forum.nhcarrigan.com/posts.json`,
+    {
+      body: JSON.stringify({
+        category: 14,
+        raw:      content,
+        tags:     [ type ],
+        title:    title,
+      }),
+      headers: {
+        "Api-Key":      process.env.FORUM_API_KEY ?? "",
+        "Api-Username": "Hikari",
+        "Content-Type": "application/json",
+      },
+      method: "POST",
+    },
+  );
+  if (forumRequest.status !== 200) {
+    return "Failed to send message to forum.";
+  }
+  return "Successfully sent message to forum.";
+};

server/src/modules/getIpFromRequest.ts

@@ -0,0 +1,25 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+import type { FastifyRequest } from "fastify";
+
+/**
+ * Parses an IP address from a request, first looking for the
+ * Cloudflare headers, then falling back to the request IP.
+ * @param request - The Fastify request object.
+ * @returns The IP address as a string.
+ */
+export const getIpFromRequest = (request: FastifyRequest): string => {
+  const header
+    = request.headers["X-Forwarded-For"] ?? request.headers["Cf-Connecting-IP"];
+  if (typeof header === "string") {
+    return header;
+  }
+  if (Array.isArray(header)) {
+    return header[0] ?? header.join(", ");
+  }
+  return request.ip;
+};

server/src/routes/announcement.ts

@@ -0,0 +1,110 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+import { blockedIps } from "../cache/blockedIps.js";
+import { database } from "../db/database.js";
+import { announceOnDiscord } from "../modules/announceOnDiscord.js";
+import { announceOnForum } from "../modules/announceOnForum.js";
+import { getIpFromRequest } from "../modules/getIpFromRequest.js";
+import type { FastifyPluginAsync } from "fastify";
+
+const oneDay = 24 * 60 * 60 * 1000;
+
+/**
+ * Mounts the entry routes for the application. These routes
+ * should not require CORS, as they are used by external services
+ * such as our uptime monitor.
+ * @param server - The Fastify server instance.
+ */
+export const announcementRoutes: FastifyPluginAsync = async(server) => {
+  server.get("/announcements", async(_request, reply) => {
+    const announcements = await database.getInstance().announcements.findMany({
+      orderBy: {
+        createdAt: "desc",
+      },
+      take: 10,
+    });
+    return await reply.status(200).type("application/json").
+      send(announcements.map((announcement) => {
+        return {
+          content:   announcement.content,
+          createdAt: announcement.createdAt,
+          title:     announcement.title,
+          type:      announcement.type,
+        };
+      }));
+  });
+
+  // eslint-disable-next-line @typescript-eslint/naming-convention -- Fastify requires Body instead of body.
+  server.post<{ Body: { title: string; content: string; type: string } }>(
+    "/announcement",
+    // eslint-disable-next-line complexity -- This is a complex route, but it is necessary to validate the announcement.
+    async(request, reply) => {
+      const token = request.headers.authorization;
+      if (token === undefined || token !== process.env.ANNOUNCEMENT_TOKEN) {
+        blockedIps.push({
+          ip:  getIpFromRequest(request),
+          ttl: new Date(Date.now() + oneDay),
+        });
+        return await reply.status(401).send({
+          error:
+            // eslint-disable-next-line stylistic/max-len -- Big boi string.
+            "This endpoint requires a special auth token. If you believe you should have access, please contact Naomi. To protect our services, your IP has been blocked from all routes for 24 hours.",
+        });
+      }
+
+      const { title, content, type } = request.body;
+      if (
+        typeof title !== "string"
+        || typeof content !== "string"
+        || typeof type !== "string"
+        || title.length === 0
+        || content.length === 0
+        || type.length === 0
+      ) {
+        return await reply.status(400).send({
+          error: "Missing required fields.",
+        });
+      }
+
+      if (title.length < 20) {
+        return await reply.status(400).send({
+          error:
+            // eslint-disable-next-line stylistic/max-len -- Big boi string.
+            "Title must be at least 20 characters long so that it may be posted on our forum.",
+        });
+      }
+
+      if (content.length < 50) {
+        return await reply.status(400).send({
+          error:
+            // eslint-disable-next-line stylistic/max-len -- Big boi string.
+            "Content must be at least 50 characters long so that it may be posted on our forum.",
+        });
+      }
+
+      if (type !== "products" && type !== "community") {
+        return await reply.status(400).send({
+          error: "Invalid announcement type.",
+        });
+      }
+
+      await database.getInstance().announcements.create({
+        data: {
+          content,
+          title,
+          type,
+        },
+      });
+
+      const discord = await announceOnDiscord(title, content, type);
+      const forum = await announceOnForum(title, content, type);
+      return await reply.status(201).send({
+        message: `Announcement processed. Discord: ${discord}, Forum: ${forum}`,
+      });
+    },
+  );
+};

server/src/routes/base.ts

@@ -0,0 +1,23 @@
+/**
+ * @copyright nhcarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+import type { FastifyPluginAsync } from "fastify";
+
+/**
+ * Mounts the entry routes for the application. These routes
+ * should not require CORS, as they are used by external services
+ * such as our uptime monitor.
+ * @param server - The Fastify server instance.
+ */
+export const baseRoutes: FastifyPluginAsync = async(server) => {
+  server.get("/", async(_request, reply) => {
+    return await reply.redirect("https://hikari.nhcarrigan.com");
+  });
+
+  server.get("/health", async(_request, reply) => {
+    return await reply.status(200).send("OK~!");
+  });
+};