import { NestFactory } from '@nestjs/core'; import { ValidationPipe } from '@nestjs/common'; import { SwaggerModule, DocumentBuilder } from '@nestjs/swagger'; import helmet from 'helmet'; import { AppModule } from './app.module'; import { ShutdownService } from './common/services/shutdown.service'; import * as dotenv from 'dotenv'; import * as fs from 'fs'; import * as path from 'path'; // Configuration loading order (later sources do NOT override earlier ones): // 1. Process env (Docker, shell, systemd) — highest priority // 2. .env (project-level overrides committed/managed by the user) // 3. data/.env.generated (Dashboard-managed config; created on first run) // // Rationale: explicit env vars from the host/orchestrator must always win // so that operators can override the Dashboard-saved config without having // to edit data/.env.generated by hand. const generatedEnvPath = path.resolve(process.cwd(), 'data', '.env.generated'); const userEnvPath = path.resolve(process.cwd(), '.env'); // Ensure data directory exists const dataDir = path.dirname(generatedEnvPath); if (!fs.existsSync(dataDir)) { fs.mkdirSync(dataDir, { recursive: true }); } // 2. User-managed .env (does not override real process env) if (fs.existsSync(userEnvPath)) { console.log('[Bootstrap] Loading .env from:', userEnvPath); dotenv.config({ path: userEnvPath, override: false }); } // 3. Dashboard-saved config (does not override .env or process env) if (fs.existsSync(generatedEnvPath)) { console.log('[Bootstrap] Loading saved configuration from:', generatedEnvPath); dotenv.config({ path: generatedEnvPath, override: false }); } else { console.log('[Bootstrap] First run detected, creating default configuration...'); // Create minimal .env.generated with sensible defaults const minimalConfig = `# OpenWA Configuration # Generated automatically on first run # Edit via Dashboard > Infrastructure or modify this file directly. # Note: values in process env or project .env take precedence over this file. # Database (SQLite - no external service required) DATABASE_TYPE=sqlite POSTGRES_BUILTIN=false # Redis & Queue (disabled by default) REDIS_ENABLED=false REDIS_BUILTIN=false QUEUE_ENABLED=false # Storage (Local filesystem) STORAGE_TYPE=local MINIO_BUILTIN=false STORAGE_PATH=./data/media # Docker Profiles: none (minimal setup) `; fs.writeFileSync(generatedEnvPath, minimalConfig); console.log('[Bootstrap] Created default configuration at:', generatedEnvPath); dotenv.config({ path: generatedEnvPath, override: false }); } async function bootstrap() { const app = await NestFactory.create(AppModule); // Enable shutdown hooks for graceful shutdown app.enableShutdownHooks(); // Wire up graceful shutdown service const shutdownService = app.get(ShutdownService); shutdownService.setShutdownCallback(async () => { await app.close(); }); // Enhanced Security Headers (Phase 3 Security Audit) app.use( helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"], scriptSrc: ["'self'"], imgSrc: ["'self'", 'data:', 'https:'], connectSrc: ["'self'"], fontSrc: ["'self'"], objectSrc: ["'none'"], upgradeInsecureRequests: process.env.NODE_ENV === 'production' ? [] : null, }, }, hsts: { maxAge: 31536000, includeSubDomains: true, preload: true, }, noSniff: true, referrerPolicy: { policy: 'strict-origin-when-cross-origin' }, // Disable for API usage crossOriginResourcePolicy: { policy: 'cross-origin' }, }), ); // CORS Configuration (Phase 3 Security Audit) const allowedOrigins = process.env.CORS_ORIGINS?.split(',').map(o => o.trim()) || ['*']; app.enableCors({ origin: (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => { // Allow requests with no origin (mobile apps, Postman, server-to-server) if (!origin) return callback(null, true); // Check if wildcard or origin matches if (allowedOrigins.includes('*') || allowedOrigins.includes(origin)) { callback(null, true); } else { callback(new Error('Not allowed by CORS')); } }, credentials: true, methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'], allowedHeaders: ['Content-Type', 'X-API-Key', 'Authorization', 'X-Request-ID'], exposedHeaders: ['X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-RateLimit-Reset'], maxAge: 86400, // 24 hours }); // Global prefix app.setGlobalPrefix('api'); // Enhanced Validation pipe with security options app.useGlobalPipes( new ValidationPipe({ whitelist: true, // Strip properties not in DTO forbidNonWhitelisted: true, // Throw error on unknown properties transform: true, transformOptions: { enableImplicitConversion: true, }, disableErrorMessages: process.env.NODE_ENV === 'production', // Hide details in prod }), ); // Swagger documentation const config = new DocumentBuilder() .setTitle('OpenWA API') .setDescription('Open Source WhatsApp API Gateway - Free, Self-Hosted HTTP API') .setVersion('0.1.6') .addApiKey({ type: 'apiKey', name: 'X-API-Key', in: 'header' }, 'X-API-Key') .addTag('sessions', 'WhatsApp session management') .addTag('messages', 'Send and manage messages') .addTag('webhooks', 'Webhook configuration') .addTag('contacts', 'Contact management') .addTag('groups', 'Group management') .addTag('labels', 'Label management (WhatsApp Business)') .addTag('channels', 'Channel/Newsletter management') .addTag('health', 'Health check endpoints') .build(); const document = SwaggerModule.createDocument(app, config); SwaggerModule.setup('api/docs', app, document); const port = process.env.PORT || 2785; await app.listen(port); console.log(`🚀 OpenWA is running on: http://localhost:${port}`); console.log(`📚 Swagger docs: http://localhost:${port}/api/docs`); } void bootstrap();