20 files changed, 767 insertions, 0 deletions

diff --git a/lib/web/auth/dropbox/index.js b/lib/web/auth/dropbox/index.js
new file mode 100644
index 00000000..c03fbc57
--- /dev/null
+++ b/lib/web/auth/dropbox/index.js
@@ -0,0 +1,29 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const DropboxStrategy = require('passport-dropbox-oauth2').Strategy
+const config = require('../../../config')
+const {setReturnToFromReferer, passportGeneralCallback} = require('../utils')
+
+let dropboxAuth = module.exports = Router()
+
+passport.use(new DropboxStrategy({
+  apiVersion: '2',
+  clientID: config.dropbox.clientID,
+  clientSecret: config.dropbox.clientSecret,
+  callbackURL: config.serverurl + '/auth/dropbox/callback'
+}, passportGeneralCallback))
+
+dropboxAuth.get('/auth/dropbox', function (req, res, next) {
+  setReturnToFromReferer(req)
+  passport.authenticate('dropbox-oauth2')(req, res, next)
+})
+
+// dropbox auth callback
+dropboxAuth.get('/auth/dropbox/callback',
+  passport.authenticate('dropbox-oauth2', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
diff --git a/lib/web/auth/email/index.js b/lib/web/auth/email/index.js
new file mode 100644
index 00000000..760075f8
--- /dev/null
+++ b/lib/web/auth/email/index.js
@@ -0,0 +1,74 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const validator = require('validator')
+const LocalStrategy = require('passport-local').Strategy
+const config = require('../../../config')
+const models = require('../../../models')
+const logger = require('../../../logger')
+const {setReturnToFromReferer} = require('../utils')
+const {urlencodedParser} = require('../../utils')
+const response = require('../../../response')
+
+let emailAuth = module.exports = Router()
+
+passport.use(new LocalStrategy({
+  usernameField: 'email'
+}, function (email, password, done) {
+  if (!validator.isEmail(email)) return done(null, false)
+  models.User.findOne({
+    where: {
+      email: email
+    }
+  }).then(function (user) {
+    if (!user) return done(null, false)
+    if (!user.verifyPassword(password)) return done(null, false)
+    return done(null, user)
+  }).catch(function (err) {
+    logger.error(err)
+    return done(err)
+  })
+}))
+
+if (config.allowemailregister) {
+  emailAuth.post('/register', urlencodedParser, function (req, res, next) {
+    if (!req.body.email || !req.body.password) return response.errorBadRequest(res)
+    if (!validator.isEmail(req.body.email)) return response.errorBadRequest(res)
+    models.User.findOrCreate({
+      where: {
+        email: req.body.email
+      },
+      defaults: {
+        password: req.body.password
+      }
+    }).spread(function (user, created) {
+      if (user) {
+        if (created) {
+          logger.debug('user registered: ' + user.id)
+          req.flash('info', "You've successfully registered, please signin.")
+        } else {
+          logger.debug('user found: ' + user.id)
+          req.flash('error', 'This email has been used, please try another one.')
+        }
+        return res.redirect(config.serverurl + '/')
+      }
+      req.flash('error', 'Failed to register your account, please try again.')
+      return res.redirect(config.serverurl + '/')
+    }).catch(function (err) {
+      logger.error('auth callback failed: ' + err)
+      return response.errorInternalError(res)
+    })
+  })
+}
+
+emailAuth.post('/login', urlencodedParser, function (req, res, next) {
+  if (!req.body.email || !req.body.password) return response.errorBadRequest(res)
+  if (!validator.isEmail(req.body.email)) return response.errorBadRequest(res)
+  setReturnToFromReferer(req)
+  passport.authenticate('local', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/',
+    failureFlash: 'Invalid email or password.'
+  })(req, res, next)
+})
diff --git a/lib/web/auth/facebook/index.js b/lib/web/auth/facebook/index.js
new file mode 100644
index 00000000..0e5474d8
--- /dev/null
+++ b/lib/web/auth/facebook/index.js
@@ -0,0 +1,29 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const FacebookStrategy = require('passport-facebook').Strategy
+
+const config = require('../../../config')
+const {setReturnToFromReferer, passportGeneralCallback} = require('../utils')
+
+let facebookAuth = module.exports = Router()
+
+passport.use(new FacebookStrategy({
+  clientID: config.facebook.clientID,
+  clientSecret: config.facebook.clientSecret,
+  callbackURL: config.serverurl + '/auth/facebook/callback'
+}, passportGeneralCallback))
+
+facebookAuth.get('/auth/facebook', function (req, res, next) {
+  setReturnToFromReferer(req)
+  passport.authenticate('facebook')(req, res, next)
+})
+
+// facebook auth callback
+facebookAuth.get('/auth/facebook/callback',
+  passport.authenticate('facebook', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
diff --git a/lib/web/auth/github/index.js b/lib/web/auth/github/index.js
new file mode 100644
index 00000000..2a26669c
--- /dev/null
+++ b/lib/web/auth/github/index.js
@@ -0,0 +1,28 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const GithubStrategy = require('passport-github').Strategy
+const config = require('../../../config')
+const {setReturnToFromReferer, passportGeneralCallback} = require('../utils')
+
+let githubAuth = module.exports = Router()
+
+passport.use(new GithubStrategy({
+  clientID: config.github.clientID,
+  clientSecret: config.github.clientSecret,
+  callbackURL: config.serverurl + '/auth/github/callback'
+}, passportGeneralCallback))
+
+githubAuth.get('/auth/github', function (req, res, next) {
+  setReturnToFromReferer(req)
+  passport.authenticate('github')(req, res, next)
+})
+
+// github auth callback
+githubAuth.get('/auth/github/callback',
+  passport.authenticate('github', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
diff --git a/lib/web/auth/gitlab/index.js b/lib/web/auth/gitlab/index.js
new file mode 100644
index 00000000..51de1602
--- /dev/null
+++ b/lib/web/auth/gitlab/index.js
@@ -0,0 +1,36 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const GitlabStrategy = require('passport-gitlab2').Strategy
+const config = require('../../../config')
+const response = require('../../../response')
+const {setReturnToFromReferer, passportGeneralCallback} = require('../utils')
+
+let gitlabAuth = module.exports = Router()
+
+passport.use(new GitlabStrategy({
+  baseURL: config.gitlab.baseURL,
+  clientID: config.gitlab.clientID,
+  clientSecret: config.gitlab.clientSecret,
+  scope: config.gitlab.scope,
+  callbackURL: config.serverurl + '/auth/gitlab/callback'
+}, passportGeneralCallback))
+
+gitlabAuth.get('/auth/gitlab', function (req, res, next) {
+  setReturnToFromReferer(req)
+  passport.authenticate('gitlab')(req, res, next)
+})
+
+// gitlab auth callback
+gitlabAuth.get('/auth/gitlab/callback',
+  passport.authenticate('gitlab', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
+
+if (!config.gitlab.scope || config.gitlab.scope === 'api') {
+  // gitlab callback actions
+  gitlabAuth.get('/auth/gitlab/callback/:noteId/:action', response.gitlabActions)
+}
diff --git a/lib/web/auth/google/index.js b/lib/web/auth/google/index.js
new file mode 100644
index 00000000..bf2a260f
--- /dev/null
+++ b/lib/web/auth/google/index.js
@@ -0,0 +1,27 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+var GoogleStrategy = require('passport-google-oauth20').Strategy
+const config = require('../../../config')
+const {setReturnToFromReferer, passportGeneralCallback} = require('../utils')
+
+let facebookAuth = module.exports = Router()
+
+passport.use(new GoogleStrategy({
+  clientID: config.google.clientID,
+  clientSecret: config.google.clientSecret,
+  callbackURL: config.serverurl + '/auth/google/callback'
+}, passportGeneralCallback))
+
+facebookAuth.get('/auth/google', function (req, res, next) {
+  setReturnToFromReferer(req)
+  passport.authenticate('google', { scope: ['profile'] })(req, res, next)
+})
+  // google auth callback
+facebookAuth.get('/auth/google/callback',
+  passport.authenticate('google', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
diff --git a/lib/web/auth/index.js b/lib/web/auth/index.js
new file mode 100644
index 00000000..b5ca8434
--- /dev/null
+++ b/lib/web/auth/index.js
@@ -0,0 +1,48 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+
+const config = require('../../config')
+const logger = require('../../logger')
+const models = require('../../models')
+
+const authRouter = module.exports = Router()
+
+// serialize and deserialize
+passport.serializeUser(function (user, done) {
+  logger.info('serializeUser: ' + user.id)
+  return done(null, user.id)
+})
+
+passport.deserializeUser(function (id, done) {
+  models.User.findOne({
+    where: {
+      id: id
+    }
+  }).then(function (user) {
+    logger.info('deserializeUser: ' + user.id)
+    return done(null, user)
+  }).catch(function (err) {
+    logger.error(err)
+    return done(err, null)
+  })
+})
+
+if (config.isFacebookEnable) authRouter.use(require('./facebook'))
+if (config.isTwitterEnable) authRouter.use(require('./twitter'))
+if (config.isGitHubEnable) authRouter.use(require('./github'))
+if (config.isGitLabEnable) authRouter.use(require('./gitlab'))
+if (config.isDropboxEnable) authRouter.use(require('./dropbox'))
+if (config.isGoogleEnable) authRouter.use(require('./google'))
+if (config.isLDAPEnable) authRouter.use(require('./ldap'))
+if (config.isEmailEnable) authRouter.use(require('./email'))
+
+// logout
+authRouter.get('/logout', function (req, res) {
+  if (config.debug && req.isAuthenticated()) {
+    logger.debug('user logout: ' + req.user.id)
+  }
+  req.logout()
+  res.redirect(config.serverurl + '/')
+})
diff --git a/lib/web/auth/ldap/index.js b/lib/web/auth/ldap/index.js
new file mode 100644
index 00000000..766c5cbc
--- /dev/null
+++ b/lib/web/auth/ldap/index.js
@@ -0,0 +1,74 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const LDAPStrategy = require('passport-ldapauth')
+const config = require('../../../config')
+const models = require('../../../models')
+const logger = require('../../../logger')
+const {setReturnToFromReferer} = require('../utils')
+const {urlencodedParser} = require('../../utils')
+const response = require('../../../response')
+
+let ldapAuth = module.exports = Router()
+
+passport.use(new LDAPStrategy({
+  server: {
+    url: config.ldap.url || null,
+    bindDn: config.ldap.bindDn || null,
+    bindCredentials: config.ldap.bindCredentials || null,
+    searchBase: config.ldap.searchBase || null,
+    searchFilter: config.ldap.searchFilter || null,
+    searchAttributes: config.ldap.searchAttributes || null,
+    tlsOptions: config.ldap.tlsOptions || null
+  }
+}, function (user, done) {
+  var profile = {
+    id: 'LDAP-' + user.uidNumber,
+    username: user.uid,
+    displayName: user.displayName,
+    emails: user.mail ? [user.mail] : [],
+    avatarUrl: null,
+    profileUrl: null,
+    provider: 'ldap'
+  }
+  var stringifiedProfile = JSON.stringify(profile)
+  models.User.findOrCreate({
+    where: {
+      profileid: profile.id.toString()
+    },
+    defaults: {
+      profile: stringifiedProfile
+    }
+  }).spread(function (user, created) {
+    if (user) {
+      var needSave = false
+      if (user.profile !== stringifiedProfile) {
+        user.profile = stringifiedProfile
+        needSave = true
+      }
+      if (needSave) {
+        user.save().then(function () {
+          if (config.debug) { logger.debug('user login: ' + user.id) }
+          return done(null, user)
+        })
+      } else {
+        if (config.debug) { logger.debug('user login: ' + user.id) }
+        return done(null, user)
+      }
+    }
+  }).catch(function (err) {
+    logger.error('ldap auth failed: ' + err)
+    return done(err, null)
+  })
+}))
+
+ldapAuth.post('/auth/ldap', urlencodedParser, function (req, res, next) {
+  if (!req.body.username || !req.body.password) return response.errorBadRequest(res)
+  setReturnToFromReferer(req)
+  passport.authenticate('ldapauth', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/',
+    failureFlash: true
+  })(req, res, next)
+})
diff --git a/lib/web/auth/twitter/index.js b/lib/web/auth/twitter/index.js
new file mode 100644
index 00000000..5429522d
--- /dev/null
+++ b/lib/web/auth/twitter/index.js
@@ -0,0 +1,29 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const TwitterStrategy = require('passport-twitter').Strategy
+
+const config = require('../../../config')
+const {setReturnToFromReferer, passportGeneralCallback} = require('../utils')
+
+let twitterAuth = module.exports = Router()
+
+passport.use(new TwitterStrategy({
+  consumerKey: config.twitter.consumerKey,
+  consumerSecret: config.twitter.consumerSecret,
+  callbackURL: config.serverurl + '/auth/twitter/callback'
+}, passportGeneralCallback))
+
+twitterAuth.get('/auth/twitter', function (req, res, next) {
+  setReturnToFromReferer(req)
+  passport.authenticate('twitter')(req, res, next)
+})
+
+// twitter auth callback
+twitterAuth.get('/auth/twitter/callback',
+  passport.authenticate('twitter', {
+    successReturnToOrRedirect: config.serverurl + '/',
+    failureRedirect: config.serverurl + '/'
+  })
+)
diff --git a/lib/web/auth/utils.js b/lib/web/auth/utils.js
new file mode 100644
index 00000000..ff7a1237
--- /dev/null
+++ b/lib/web/auth/utils.js
@@ -0,0 +1,53 @@
+'use strict'
+
+const models = require('../../models')
+const config = require('../../config')
+const logger = require('../../logger')
+
+exports.setReturnToFromReferer = function setReturnToFromReferer (req) {
+  var referer = req.get('referer')
+  if (!req.session) req.session = {}
+  req.session.returnTo = referer
+}
+
+exports.passportGeneralCallback = function callback (accessToken, refreshToken, profile, done) {
+  var stringifiedProfile = JSON.stringify(profile)
+  models.User.findOrCreate({
+    where: {
+      profileid: profile.id.toString()
+    },
+    defaults: {
+      profile: stringifiedProfile,
+      accessToken: accessToken,
+      refreshToken: refreshToken
+    }
+  }).spread(function (user, created) {
+    if (user) {
+      var needSave = false
+      if (user.profile !== stringifiedProfile) {
+        user.profile = stringifiedProfile
+        needSave = true
+      }
+      if (user.accessToken !== accessToken) {
+        user.accessToken = accessToken
+        needSave = true
+      }
+      if (user.refreshToken !== refreshToken) {
+        user.refreshToken = refreshToken
+        needSave = true
+      }
+      if (needSave) {
+        user.save().then(function () {
+          if (config.debug) { logger.info('user login: ' + user.id) }
+          return done(null, user)
+        })
+      } else {
+        if (config.debug) { logger.info('user login: ' + user.id) }
+        return done(null, user)
+      }
+    }
+  }).catch(function (err) {
+    logger.error('auth callback failed: ' + err)
+    return done(err, null)
+  })
+}
diff --git a/lib/web/baseRouter.js b/lib/web/baseRouter.js
new file mode 100644
index 00000000..b918ce75
--- /dev/null
+++ b/lib/web/baseRouter.js
@@ -0,0 +1,22 @@
+'use strict'
+
+const Router = require('express').Router
+
+const response = require('../response')
+
+const baseRouter = module.exports = Router()
+
+// get index
+baseRouter.get('/', response.showIndex)
+// get 403 forbidden
+baseRouter.get('/403', function (req, res) {
+  response.errorForbidden(res)
+})
+// get 404 not found
+baseRouter.get('/404', function (req, res) {
+  response.errorNotFound(res)
+})
+// get 500 internal error
+baseRouter.get('/500', function (req, res) {
+  response.errorInternalError(res)
+})
diff --git a/lib/web/historyRouter.js b/lib/web/historyRouter.js
new file mode 100644
index 00000000..1b22c232
--- /dev/null
+++ b/lib/web/historyRouter.js
@@ -0,0 +1,18 @@
+'use strict'
+
+const Router = require('express').Router
+
+const {urlencodedParser} = require('./utils')
+const history = require('../history')
+const historyRouter = module.exports = Router()
+
+// get history
+historyRouter.get('/history', history.historyGet)
+// post history
+historyRouter.post('/history', urlencodedParser, history.historyPost)
+// post history by note id
+historyRouter.post('/history/:noteId', urlencodedParser, history.historyPost)
+// delete history
+historyRouter.delete('/history', history.historyDelete)
+// delete history by note id
+historyRouter.delete('/history/:noteId', history.historyDelete)
diff --git a/lib/web/imageRouter.js b/lib/web/imageRouter.js
new file mode 100644
index 00000000..592a497c
--- /dev/null
+++ b/lib/web/imageRouter.js
@@ -0,0 +1,95 @@
+'use strict'
+var fs = require('fs')
+var url = require('url')
+var path = require('path')
+
+const Router = require('express').Router
+const formidable = require('formidable')
+var imgur = require('imgur')
+
+const config = require('../config')
+const logger = require('../logger')
+const response = require('../response')
+
+const imageRouter = module.exports = Router()
+
+// upload image
+imageRouter.post('/uploadimage', function (req, res) {
+  var form = new formidable.IncomingForm()
+
+  form.keepExtensions = true
+
+  if (config.imageUploadType === 'filesystem') {
+    form.uploadDir = 'public/uploads'
+  }
+
+  form.parse(req, function (err, fields, files) {
+    if (err || !files.image || !files.image.path) {
+      response.errorForbidden(res)
+    } else {
+      if (config.debug) { logger.info('SERVER received uploadimage: ' + JSON.stringify(files.image)) }
+
+      try {
+        switch (config.imageUploadType) {
+          case 'filesystem':
+            res.send({
+              link: url.resolve(config.serverurl + '/', files.image.path.match(/^public\/(.+$)/)[1])
+            })
+
+            break
+
+          case 's3':
+            var AWS = require('aws-sdk')
+            var awsConfig = new AWS.Config(config.s3)
+            var s3 = new AWS.S3(awsConfig)
+            const {getImageMimeType} = require('../utils')
+            fs.readFile(files.image.path, function (err, buffer) {
+              if (err) {
+                logger.error(err)
+                res.status(500).end('upload image error')
+                return
+              }
+              var params = {
+                Bucket: config.s3bucket,
+                Key: path.join('uploads', path.basename(files.image.path)),
+                Body: buffer
+              }
+
+              var mimeType = getImageMimeType(files.image.path)
+              if (mimeType) { params.ContentType = mimeType }
+
+              s3.putObject(params, function (err, data) {
+                if (err) {
+                  logger.error(err)
+                  res.status(500).end('upload image error')
+                  return
+                }
+                res.send({
+                  link: `https://s3-${config.s3.region}.amazonaws.com/${config.s3bucket}/${params.Key}`
+                })
+              })
+            })
+            break
+          case 'imgur':
+          default:
+            imgur.setClientId(config.imgur.clientID)
+            imgur.uploadFile(files.image.path)
+              .then(function (json) {
+                if (config.debug) { logger.info('SERVER uploadimage success: ' + JSON.stringify(json)) }
+                res.send({
+                  link: json.data.link.replace(/^http:\/\//i, 'https://')
+                })
+              })
+              .catch(function (err) {
+                logger.error(err)
+                return res.status(500).end('upload image error')
+              })
+            break
+        }
+      } catch (err) {
+        logger.error(err)
+        return res.status(500).end('upload image error')
+      }
+    }
+  })
+})
diff --git a/lib/web/middleware/checkURIValid.js b/lib/web/middleware/checkURIValid.js
new file mode 100644
index 00000000..88065e79
--- /dev/null
+++ b/lib/web/middleware/checkURIValid.js
@@ -0,0 +1,14 @@
+'use strict'
+
+const logger = require('../../logger')
+const response = require('../../response')
+
+module.exports = function (req, res, next) {
+  try {
+    decodeURIComponent(req.path)
+  } catch (err) {
+    logger.error(err)
+    return response.errorBadRequest(res)
+  }
+  next()
+}
diff --git a/lib/web/middleware/redirectWithoutTrailingSlashes.js b/lib/web/middleware/redirectWithoutTrailingSlashes.js
new file mode 100644
index 00000000..fbaba617
--- /dev/null
+++ b/lib/web/middleware/redirectWithoutTrailingSlashes.js
@@ -0,0 +1,17 @@
+'use strict'
+
+const config = require('../../config')
+
+module.exports = function (req, res, next) {
+  if (req.method === 'GET' && req.path.substr(-1) === '/' && req.path.length > 1) {
+    const queryString = req.url.slice(req.path.length)
+    const urlPath = req.path.slice(0, -1)
+    let serverURL = config.serverurl
+    if (config.urlpath) {
+      serverURL = serverURL.slice(0, -(config.urlpath.length + 1))
+    }
+    res.redirect(301, serverURL + urlPath + queryString)
+  } else {
+    next()
+  }
+}
diff --git a/lib/web/middleware/tooBusy.js b/lib/web/middleware/tooBusy.js
new file mode 100644
index 00000000..f1b72330
--- /dev/null
+++ b/lib/web/middleware/tooBusy.js
@@ -0,0 +1,13 @@
+'use strict'
+
+const toobusy = require('toobusy-js')
+
+const response = require('../../response')
+
+module.exports = function (req, res, next) {
+  if (toobusy()) {
+    response.errorServiceUnavailable(res)
+  } else {
+    next()
+  }
+}
diff --git a/lib/web/noteRouter.js b/lib/web/noteRouter.js
new file mode 100644
index 00000000..007c02c2
--- /dev/null
+++ b/lib/web/noteRouter.js
@@ -0,0 +1,24 @@
+'use strict'
+
+const Router = require('express').Router
+
+const response = require('../response')
+
+const noteRouter = module.exports = Router()
+
+// get new note
+noteRouter.get('/new', response.newNote)
+// get publish note
+noteRouter.get('/s/:shortid', response.showPublishNote)
+// publish note actions
+noteRouter.get('/s/:shortid/:action', response.publishNoteActions)
+// get publish slide
+noteRouter.get('/p/:shortid', response.showPublishSlide)
+// publish slide actions
+noteRouter.get('/p/:shortid/:action', response.publishSlideActions)
+// get note by id
+noteRouter.get('/:noteId', response.showNote)
+// note actions
+noteRouter.get('/:noteId/:action', response.noteActions)
+// note actions with action id
+noteRouter.get('/:noteId/:action/:actionId', response.noteActions)
diff --git a/lib/web/statusRouter.js b/lib/web/statusRouter.js
new file mode 100644
index 00000000..aa3a9b79
--- /dev/null
+++ b/lib/web/statusRouter.js
@@ -0,0 +1,92 @@
+'use strict'
+
+const Router = require('express').Router
+
+const response = require('../response')
+const realtime = require('../realtime')
+const config = require('../config')
+const models = require('../models')
+const logger = require('../logger')
+
+const {urlencodedParser} = require('./utils')
+
+const statusRouter = module.exports = Router()
+
+// get status
+statusRouter.get('/status', function (req, res, next) {
+  realtime.getStatus(function (data) {
+    res.set({
+      'Cache-Control': 'private', // only cache by client
+      'X-Robots-Tag': 'noindex, nofollow', // prevent crawling
+      'HackMD-Version': config.version
+    })
+    res.send(data)
+  })
+})
+// get status
+statusRouter.get('/temp', function (req, res) {
+  var host = req.get('host')
+  if (config.alloworigin.indexOf(host) === -1) {
+    response.errorForbidden(res)
+  } else {
+    var tempid = req.query.tempid
+    if (!tempid) {
+      response.errorForbidden(res)
+    } else {
+      models.Temp.findOne({
+        where: {
+          id: tempid
+        }
+      }).then(function (temp) {
+        if (!temp) {
+          response.errorNotFound(res)
+        } else {
+          res.header('Access-Control-Allow-Origin', '*')
+          res.send({
+            temp: temp.data
+          })
+          temp.destroy().catch(function (err) {
+            if (err) {
+              logger.error('remove temp failed: ' + err)
+            }
+          })
+        }
+      }).catch(function (err) {
+        logger.error(err)
+        return response.errorInternalError(res)
+      })
+    }
+  }
+})
+// post status
+statusRouter.post('/temp', urlencodedParser, function (req, res) {
+  var host = req.get('host')
+  if (config.alloworigin.indexOf(host) === -1) {
+    response.errorForbidden(res)
+  } else {
+    var data = req.body.data
+    if (!data) {
+      response.errorForbidden(res)
+    } else {
+      if (config.debug) {
+        logger.info('SERVER received temp from [' + host + ']: ' + req.body.data)
+      }
+      models.Temp.create({
+        data: data
+      }).then(function (temp) {
+        if (temp) {
+          res.header('Access-Control-Allow-Origin', '*')
+          res.send({
+            status: 'ok',
+            id: temp.id
+          })
+        } else {
+          response.errorInternalError(res)
+        }
+      }).catch(function (err) {
+        logger.error(err)
+        return response.errorInternalError(res)
+      })
+    }
+  }
+})
diff --git a/lib/web/userRouter.js b/lib/web/userRouter.js
new file mode 100644
index 00000000..ecfbaf8b
--- /dev/null
+++ b/lib/web/userRouter.js
@@ -0,0 +1,36 @@
+'use strict'
+
+const Router = require('express').Router
+
+const response = require('../response')
+const models = require('../models')
+const logger = require('../logger')
+
+const UserRouter = module.exports = Router()
+
+// get me info
+UserRouter.get('/me', function (req, res) {
+  if (req.isAuthenticated()) {
+    models.User.findOne({
+      where: {
+        id: req.user.id
+      }
+    }).then(function (user) {
+      if (!user) { return response.errorNotFound(res) }
+      var profile = models.User.getProfile(user)
+      res.send({
+        status: 'ok',
+        id: req.user.id,
+        name: profile.name,
+        photo: profile.photo
+      })
+    }).catch(function (err) {
+      logger.error('read me failed: ' + err)
+      return response.errorInternalError(res)
+    })
+  } else {
+    res.send({
+      status: 'forbidden'
+    })
+  }
+})
diff --git a/lib/web/utils.js b/lib/web/utils.js
new file mode 100644
index 00000000..c9016523
--- /dev/null
+++ b/lib/web/utils.js
@@ -0,0 +1,9 @@
+'use strict'
+
+const bodyParser = require('body-parser')
+
+// create application/x-www-form-urlencoded parser
+exports.urlencodedParser = bodyParser.urlencoded({
+  extended: false,
+  limit: 1024 * 1024 * 10 // 10 mb
+})