js/server.js

const fs = require("node:fs");
const http = require("node:http");
const https = require("node:https");
const path = require("node:path");
const express = require("express");
const helmet = require("helmet");
const socketio = require("socket.io");
const Log = require("logger");

const { ipAccessControl, socketIpAccessControl } = require("./ip_access_control");

const vendor = require("./vendor");

const { getHtml, getVersion, getEnvVars, cors } = require("#server_functions");

/**
 * Server
 * @param {object} configObj The MM config full and redacted
 * @class
 */
function Server (configObj) {
	const config = configObj.fullConf;
	const app = express();
	const port = process.env.MM_PORT || config.port;
	const serverSockets = new Set();
	let server = null;

	/**
	 * Opens the server for incoming connections
	 * @returns {Promise} A promise that is resolved when the server listens to connections
	 */
	this.open = function () {
		return new Promise((resolve) => {
			if (config.useHttps) {
				const options = {
					key: fs.readFileSync(config.httpsPrivateKey),
					cert: fs.readFileSync(config.httpsCertificate)
				};
				server = https.Server(options, app);
			} else {
				server = http.Server(app);
			}
			const io = socketio(server, {
				allowRequest: socketIpAccessControl(config.ipWhitelist),
				cors: {
					origin: /.*$/,
					credentials: true
				},
				allowEIO3: true,
				pingInterval: 120000, // server → client ping every 2 mins
				pingTimeout: 120000 // wait up to 2 mins for client pong
			});

			server.on("connection", (socket) => {
				serverSockets.add(socket);
				socket.on("close", () => {
					serverSockets.delete(socket);
				});
			});

			Log.log(`Starting server on port ${port} ... `);

			// Add explicit error handling BEFORE calling listen so we can give user-friendly feedback
			server.once("error", (err) => {
				if (err && err.code === "EADDRINUSE") {
					const bindAddr = config.address || "localhost";
					const portInUseMessage = [
						"",
						"────────────────────────────────────────────────────────────────",
						` PORT IN USE: ${bindAddr}:${port}`,
						"",
						" Another process (most likely another MagicMirror instance)",
						" is already using this port.",
						"",
						" Stop the other process (free the port) or use a different port.",
						"────────────────────────────────────────────────────────────────"
					].join("\n");
					Log.error(portInUseMessage);
					return;
				}

				Log.error("Failed to start server:", err);
			});

			server.listen(port, config.address || "localhost");

			if (config.ipWhitelist instanceof Array && config.ipWhitelist.length === 0) {
				Log.warn("You're using a full whitelist configuration to allow for all IPs");
			}

			app.use(ipAccessControl(config.ipWhitelist));
			app.use(helmet(config.httpHeaders));
			app.use("/js", express.static(__dirname));

			if (config.hideConfigSecrets) {
				app.get("/config/config.env", (req, res) => {
					res.status(404).send("<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot GET /config/config.env</pre>\n</body>\n</html>");
				});
			}

			let directories = ["/config", "/css", "/favicon.svg", "/defaultmodules", "/modules", "/node_modules/animate.css", "/node_modules/@fontsource", "/node_modules/@fortawesome", "/translations", "/tests/configs", "/tests/mocks"];
			for (const value of Object.values(vendor)) {
				const dirArr = value.split("/");
				if (dirArr[0] === "node_modules") directories.push(`/${dirArr[0]}/${dirArr[1]}`);
			}
			const uniqDirs = [...new Set(directories)];
			for (const directory of uniqDirs) {
				app.use(directory, express.static(path.resolve(global.root_path + directory)));
			}

			const startUp = new Date();
			const getStartup = (req, res) => res.send(startUp);

			const getConfig = (req, res) => {
				const obj = config.hideConfigSecrets ? configObj.redactedConf : configObj.fullConf;
				// Functions can't survive JSON.stringify, so we wrap them in a
				// tagged object { __mmFunction: "<source>" }. The client-side
				// JSON reviver in main.js recognises this tag and reconstructs
				// the live function from the source string.
				const jsonString = JSON.stringify(obj, (key, value) => {
					if (typeof value === "function") {
						return { __mmFunction: value.toString() };
					}
					return value;
				});
				res.set("Content-Type", "application/json");
				res.send(jsonString);
			};

			app.get("/config", (req, res) => getConfig(req, res));

			app.get("/cors", async (req, res) => await cors(req, res));

			app.get("/version", (req, res) => getVersion(req, res));

			app.get("/startup", (req, res) => getStartup(req, res));

			app.get("/env", (req, res) => getEnvVars(req, res));

			app.get("/", (req, res) => getHtml(req, res));

			// Reload endpoint for watch mode - triggers browser reload
			app.get("/reload", (req, res) => {
				Log.info("Reload request received, notifying all clients");
				io.emit("RELOAD");
				res.status(200).send("OK");
			});

			server.on("listening", () => {
				resolve({
					app,
					io
				});
			});
		});
	};

	/**
	 * Closes the server and destroys all lingering connections to it.
	 * @returns {Promise} A promise that resolves when server has successfully shut down
	 */
	this.close = function () {
		return new Promise((resolve) => {
			for (const socket of serverSockets.values()) {
				socket.destroy();
			}
			server.close(resolve);
		});
	};
}

module.exports = Server;
Use node prefix for build-in modules (#3340 ) 2024-01-08 17:45:54 +01:00			`const fs = require("node:fs");`
			`const http = require("node:http");`
			`const https = require("node:https");`
			`const path = require("node:path");`
Release 2.23.0 (#3078 ) 2023-04-04 20:44:32 +02:00			`const express = require("express");`
clean up server 2021-01-05 18:37:16 +01:00			`const helmet = require("helmet");`
Release 2.23.0 (#3078 ) 2023-04-04 20:44:32 +02:00			`const socketio = require("socket.io");`
exposed logger as node module 2021-02-18 19:14:53 +01:00			`const Log = require("logger");`
Fix if MM_PORT enviroment variable is set 2017-03-10 18:20:11 -03:00
fix(server): enforce ipWhitelist for Socket.IO too (#4169 ) 2026-06-01 17:26:16 +02:00			`const { ipAccessControl, socketIpAccessControl } = require("./ip_access_control");`
refactor: simplify internal `require()` calls (#4056 ) 2026-03-12 10:35:42 +01:00
			`const vendor = require("./vendor");`
refactor: replace `express-ipfilter` with lightweight custom middleware (#3917 ) 2025-10-18 19:56:55 +02:00
refactor: simplify internal `require()` calls (#4056 ) 2026-03-12 10:35:42 +01:00			`const { getHtml, getVersion, getEnvVars, cors } = require("#server_functions");`
simplify install and maintaining dependencies (#3795 ) 2025-06-01 17:03:11 +02:00
Cleanup jsdoc 2021-01-06 13:17:39 +01:00			`/**`
			`* Server`
change loading config.js, allow variables in config.js and try to protect sensitive data (#4029 ) 2026-02-06 00:21:35 +01:00			`* @param {object} configObj The MM config full and redacted`
Cleanup jsdoc 2021-01-06 13:17:39 +01:00			`* @class`
			`*/`
change loading config.js, allow variables in config.js and try to protect sensitive data (#4029 ) 2026-02-06 00:21:35 +01:00			`function Server (configObj) {`
			`const config = configObj.fullConf;`
Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`const app = express();`
clean up server 2021-01-05 18:37:16 +01:00			`const port = process.env.MM_PORT \|\| config.port;`
fix server.close() issue 2021-09-24 00:30:00 +02:00			`const serverSockets = new Set();`
clean up server 2021-01-05 18:37:16 +01:00			`let server = null;`

Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`/**`
			`* Opens the server for incoming connections`
			`* @returns {Promise} A promise that is resolved when the server listens to connections`
			`*/`
			`this.open = function () {`
			`return new Promise((resolve) => {`
			`if (config.useHttps) {`
			`const options = {`
			`key: fs.readFileSync(config.httpsPrivateKey),`
			`cert: fs.readFileSync(config.httpsCertificate)`
			`};`
Release 2.23.0 (#3078 ) 2023-04-04 20:44:32 +02:00			`server = https.Server(options, app);`
working version, use corsUrl in weather providers 2022-01-25 22:30:16 +01:00			`} else {`
Release 2.23.0 (#3078 ) 2023-04-04 20:44:32 +02:00			`server = http.Server(app);`
Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`}`
Release 2.23.0 (#3078 ) 2023-04-04 20:44:32 +02:00			`const io = socketio(server, {`
fix(server): enforce ipWhitelist for Socket.IO too (#4169 ) 2026-06-01 17:26:16 +02:00			`allowRequest: socketIpAccessControl(config.ipWhitelist),`
Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`cors: {`
			`origin: /.*$/,`
			`credentials: true`
			`},`
fix for #3380 , socket.io timeout closure (#3862 ) 2025-08-28 11:02:21 -05:00			`allowEIO3: true,`
			`pingInterval: 120000, // server → client ping every 2 mins`
			`pingTimeout: 120000 // wait up to 2 mins for client pong`
Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`});`

			`server.on("connection", (socket) => {`
			`serverSockets.add(socket);`
			`socket.on("close", () => {`
			`serverSockets.delete(socket);`
			`});`
			`});`

			Log.log(`Starting server on port ${port} ... `);
feat: add clear log for occupied port at startup (#3890 ) 2025-09-13 13:01:55 +02:00
			`// Add explicit error handling BEFORE calling listen so we can give user-friendly feedback`
			`server.once("error", (err) => {`
			`if (err && err.code === "EADDRINUSE") {`
			`const bindAddr = config.address \|\| "localhost";`
			`const portInUseMessage = [`
			`"",`
			`"────────────────────────────────────────────────────────────────",`
			` PORT IN USE: ${bindAddr}:${port}`,
			`"",`
			`" Another process (most likely another MagicMirror instance)",`
			`" is already using this port.",`
			`"",`
			`" Stop the other process (free the port) or use a different port.",`
			`"────────────────────────────────────────────────────────────────"`
			`].join("\n");`
			`Log.error(portInUseMessage);`
			`return;`
			`}`

			`Log.error("Failed to start server:", err);`
			`});`

Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`server.listen(port, config.address \|\| "localhost");`

			`if (config.ipWhitelist instanceof Array && config.ipWhitelist.length === 0) {`
Rework logging colors (#3350 ) 2024-01-16 21:54:55 +01:00			`Log.warn("You're using a full whitelist configuration to allow for all IPs");`
working version, use corsUrl in weather providers 2022-01-25 22:30:16 +01:00			`}`
first cors approach 2022-01-24 23:45:17 +01:00
refactor: replace `express-ipfilter` with lightweight custom middleware (#3917 ) 2025-10-18 19:56:55 +02:00			`app.use(ipAccessControl(config.ipWhitelist));`
Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`app.use(helmet(config.httpHeaders));`
			`app.use("/js", express.static(__dirname));`

change loading config.js, allow variables in config.js and try to protect sensitive data (#4029 ) 2026-02-06 00:21:35 +01:00			`if (config.hideConfigSecrets) {`
			`app.get("/config/config.env", (req, res) => {`
			`res.status(404).send("<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot GET /config/config.env</pre>\n</body>\n</html>");`
			`});`
			`}`

move default modules from /modules/default to /defaultmodules (#4019 ) 2026-01-27 08:37:52 +01:00			`let directories = ["/config", "/css", "/favicon.svg", "/defaultmodules", "/modules", "/node_modules/animate.css", "/node_modules/@fontsource", "/node_modules/@fortawesome", "/translations", "/tests/configs", "/tests/mocks"];`
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080 ) 2026-04-02 08:56:27 +02:00			`for (const value of Object.values(vendor)) {`
simplify install and maintaining dependencies (#3795 ) 2025-06-01 17:03:11 +02:00			`const dirArr = value.split("/");`
			if (dirArr[0] === "node_modules") directories.push(`/${dirArr[0]}/${dirArr[1]}`);
			`}`
			`const uniqDirs = [...new Set(directories)];`
			`for (const directory of uniqDirs) {`
Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`app.use(directory, express.static(path.resolve(global.root_path + directory)));`
			`}`
fix tabs, remove extra spaces and lines. 2016-12-29 22:23:08 -03:00
[weather] refactor: migrate to server-side providers with centralized HTTPFetcher (#4032 ) 2026-02-23 10:27:29 +01:00			`const startUp = new Date();`
			`const getStartup = (req, res) => res.send(startUp);`

change loading config.js, allow variables in config.js and try to protect sensitive data (#4029 ) 2026-02-06 00:21:35 +01:00			`const getConfig = (req, res) => {`
config endpoint must handle functions in module configs (#4106 ) 2026-04-12 22:50:00 +02:00			`const obj = config.hideConfigSecrets ? configObj.redactedConf : configObj.fullConf;`
			`// Functions can't survive JSON.stringify, so we wrap them in a`
			`// tagged object { __mmFunction: "<source>" }. The client-side`
			`// JSON reviver in main.js recognises this tag and reconstructs`
			`// the live function from the source string.`
			`const jsonString = JSON.stringify(obj, (key, value) => {`
			`if (typeof value === "function") {`
			`return { __mmFunction: value.toString() };`
			`}`
			`return value;`
			`});`
			`res.set("Content-Type", "application/json");`
			`res.send(jsonString);`
change loading config.js, allow variables in config.js and try to protect sensitive data (#4029 ) 2026-02-06 00:21:35 +01:00			`};`
config endpoint must handle functions in module configs (#4106 ) 2026-04-12 22:50:00 +02:00
[weather] refactor: migrate to server-side providers with centralized HTTPFetcher (#4032 ) 2026-02-23 10:27:29 +01:00			`app.get("/config", (req, res) => getConfig(req, res));`
change loading config.js, allow variables in config.js and try to protect sensitive data (#4029 ) 2026-02-06 00:21:35 +01:00
Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`app.get("/cors", async (req, res) => await cors(req, res));`
New server route to fetch config 2017-06-29 21:22:00 +02:00
Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`app.get("/version", (req, res) => getVersion(req, res));`
Add requiresVersion property to module API. 2016-10-13 16:42:15 +02:00
Release v2.25.0 (#3214 ) 2023-10-01 20:13:41 +02:00			`app.get("/startup", (req, res) => getStartup(req, res));`

add new env vars MM_MODULES_DIR and MM_CUSTOMCSS_FILE … (#3530 ) 2024-09-18 19:10:46 +02:00			`app.get("/env", (req, res) => getEnvVars(req, res));`

Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`app.get("/", (req, res) => getHtml(req, res));`
Add server (web/socket), create socket system, better helper loader. 2016-03-30 12:20:46 +02:00
feat(core): add `server:watch` script with automatic restart on file changes (#3920 ) 2025-10-28 19:14:51 +01:00			`// Reload endpoint for watch mode - triggers browser reload`
			`app.get("/reload", (req, res) => {`
			`Log.info("Reload request received, notifying all clients");`
			`io.emit("RELOAD");`
			`res.status(200).send("OK");`
			`});`

Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`server.on("listening", () => {`
			`resolve({`
			`app,`
			`io`
			`});`
			`});`
			`});`
			`};`
close server 2021-09-15 21:09:31 +02:00
Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`/**`
			`* Closes the server and destroys all lingering connections to it.`
			`* @returns {Promise} A promise that resolves when server has successfully shut down`
			`*/`
close server 2021-09-15 21:09:31 +02:00			`this.close = function () {`
Release 2.22.0 (#2983 ) 2023-01-01 18:09:08 +01:00			`return new Promise((resolve) => {`
			`for (const socket of serverSockets.values()) {`
			`socket.destroy();`
			`}`
			`server.close(resolve);`
			`});`
refactor e2e 2021-09-16 22:36:18 +02:00			`};`
clean up server 2021-01-05 18:37:16 +01:00			`}`
Add server (web/socket), create socket system, better helper loader. 2016-03-30 12:20:46 +02:00
Squashed commit of the following: 2016-04-03 19:52:13 +02:00			`module.exports = Server;`