Initial commit - realms platform

backend/src/main.cpp

@@ -7,6 +7,8 @@
 #include "services/DatabaseService.h"
 #include "services/StatsService.h"
 #include "services/AuthService.h"
+#include "services/CensorService.h"
+#include "services/TreasuryService.h"
 #include <exception>
 #include <csignal>
 #include <sys/stat.h>
@@ -36,8 +38,8 @@ int main() {
         // Initialize StatsService BEFORE registering callbacks
         LOG_INFO << "Initializing StatsService...";
         StatsService::getInstance().initialize();
-        
-        // Register a pre-routing advice to handle CORS
+
+        // Register a pre-routing advice to handle CORS and CSRF protection
         app().registerPreRoutingAdvice([](const HttpRequestPtr &req,
                                          AdviceCallback &&acb,
                                          AdviceChainCallback &&accb) {
@@ -45,13 +47,13 @@ int main() {
             if (req->getMethod() == Options) {
                 auto resp = HttpResponse::newHttpResponse();
                 resp->setStatusCode(k204NoContent);
-                
+
                 // Get origin from request
                 std::string origin = req->getHeader("Origin");
                 if (origin.empty()) {
                     origin = "*";
                 }
-                
+
                 resp->addHeader("Access-Control-Allow-Origin", origin);
                 resp->addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
                 resp->addHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
@@ -60,6 +62,35 @@ int main() {
                 acb(resp);
                 return;
             }
+
+            // SECURITY FIX #18: CSRF protection for state-changing requests
+            // Require Origin or Referer header for POST/PUT/DELETE requests
+            if (req->getMethod() == Post || req->getMethod() == Put || req->getMethod() == Delete) {
+                std::string origin = req->getHeader("Origin");
+                std::string referer = req->getHeader("Referer");
+                std::string path = req->getPath();
+
+                // Skip CSRF check for API endpoints that use Bearer token auth
+                // (Bearer tokens are not automatically sent by browsers, so CSRF is not a concern)
+                std::string authHeader = req->getHeader("Authorization");
+                bool hasBearerToken = !authHeader.empty() && authHeader.substr(0, 7) == "Bearer ";
+
+                // Skip CSRF check for internal endpoints (server-to-server calls)
+                bool isInternalEndpoint = path.find("/api/webhook/") == 0 ||
+                                          path.find("/api/internal/") == 0;
+
+                // If not using Bearer auth and not an internal endpoint, require Origin or Referer header
+                if (!hasBearerToken && !isInternalEndpoint && origin.empty() && referer.empty()) {
+                    LOG_WARN << "CSRF protection: Blocked request without Origin/Referer to "
+                             << req->getPath() << " from " << req->getPeerAddr().toIpPort();
+                    auto resp = HttpResponse::newHttpResponse();
+                    resp->setStatusCode(k403Forbidden);
+                    resp->setBody("Missing Origin or Referer header");
+                    acb(resp);
+                    return;
+                }
+            }
+
             accb();
         });
         
@@ -81,15 +112,39 @@ int main() {
         // Register beginning advice to start the stats timer
         app().registerBeginningAdvice([]() {
             LOG_INFO << "Application started successfully";
-            
+
+            // Clean up stuck audio processing jobs on startup
+            LOG_INFO << "Cleaning up stuck audio processing jobs...";
+            auto dbClient = app().getDbClient();
+            *dbClient << "UPDATE audio_files SET status = 'failed' "
+                         "WHERE status = 'processing' AND created_at < NOW() - INTERVAL '5 minutes'"
+                      >> [](const drogon::orm::Result& r) {
+                          if (r.affectedRows() > 0) {
+                              LOG_INFO << "Marked " << r.affectedRows() << " stuck audio jobs as failed";
+                          }
+                      }
+                      >> [](const drogon::orm::DrogonDbException& e) {
+                          LOG_WARN << "Failed to clean up stuck audio jobs: " << e.base().what();
+                      };
+
             // Start the stats polling timer
             LOG_INFO << "Starting stats polling...";
             StatsService::getInstance().startPolling();
+
+            // Load censored words from database
+            LOG_INFO << "Loading censored words...";
+            CensorService::getInstance().loadCensoredWords();
+
+            // Start treasury scheduler (hourly check for growth/distribution)
+            LOG_INFO << "Starting treasury scheduler...";
+            TreasuryService::getInstance().initialize();
+            TreasuryService::getInstance().startScheduler();
         });
         
         app().setTermSignalHandler([]() {
             LOG_INFO << "Received termination signal, shutting down...";
             StatsService::getInstance().shutdown();
+            TreasuryService::getInstance().shutdown();
             app().quit();
         });