npm - @aikidosec/broker-client - Versions diffs - 1.0.4 → 1.0.6 - Mend

@aikidosec/broker-client 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -60,6 +60,7 @@ Resource IDs are displayed in the Aikido UI when you register them.
 - `HTTP_PROXY` - Proxy server for HTTP requests (e.g., `http://proxy.company.local:8080`)
 - `HTTPS_PROXY` - Proxy server for HTTPS requests (e.g., `http://proxy.company.local:8080`)
 - `ALL_PROXY` - Universal proxy fallback for all protocols if protocol-specific proxy is not set
+- `BROKER_TARGET_URL` - Override the broker server URL (defaults to `https://broker.aikidobroker.com`)
 ## How It Works

package/app/client.js CHANGED Viewed

@@ -10,9 +10,9 @@ import axios from 'axios';
 import { URL } from 'url';
 import { Address4, Address6 } from 'ip-address';
 import dns from 'native-dns';
-import fs from 'fs';
 import { ResourceManager } from './resourceManager.js';
 import { HttpsProxyAgent } from 'https-proxy-agent';
+import { getClientId, setClientIdCache, getServerUrl, getClientSecret } from './config.js';
 // Configure logging
 const log = {
@@ -23,10 +23,9 @@ const log = {
 };
 // Broker Server Configuration
-const SERVER_URL = "https://broker.aikidobroker.com";
+const CLIENT_SECRET = getClientSecret();
+const SERVER_URL = getServerUrl();
-// Client Configuration (from environment)
-const CLIENT_SECRET = process.env.CLIENT_SECRET;
 const ALLOWED_SUBNETS = process.env.ALLOWED_INTERNAL_SUBNETS
   ? process.env.ALLOWED_INTERNAL_SUBNETS.split(',').map(s => s.trim()).filter(s => s)
   : [];
@@ -37,9 +36,12 @@ const DNS_SERVERS = process.env.DNS_SERVERS
   : null;
 // Configure axios defaults
+const MAX_RESPONSE_SIZE = 100 * 1024 * 1024; // 100 MB
 const axiosConfig = {
-  timeout: 30000,
-  maxRedirects: 5
+  timeout: 300000,
+  maxRedirects: 5,
+  maxContentLength: MAX_RESPONSE_SIZE,
+  maxBodyLength: MAX_RESPONSE_SIZE
 };
 // Create axios instance for internal requests
@@ -48,31 +50,6 @@ const internalHttpClient = axios.create(axiosConfig);
 // Initialize ResourceManager
 const resourceManager = new ResourceManager();
-// Cache for client_id
-let _clientIdCache = null;
-/**
- * Get the client ID from cache or read from file.
- * Returns null if not registered yet.
- */
-function getClientId() {
-  if (_clientIdCache !== null) {
-    return _clientIdCache;
-  }
-  const clientIdPath = '/config/client_id';
-  if (fs.existsSync(clientIdPath)) {
-    try {
-      _clientIdCache = fs.readFileSync(clientIdPath, 'utf8').trim();
-      return _clientIdCache;
-    } catch (e) {
-      log.error(`Failed to read client_id: ${e.message}`);
-    }
-  }
-  return null;
-}
 /**
  * Resolve hostname using custom DNS servers if configured.
  * Falls back to system DNS if DNS_SERVERS not set.
@@ -232,7 +209,8 @@ const socket = io(SERVER_URL, {
   reconnectionDelayMax: 30000,
   randomizationFactor: 0.5,
   tryAllTransports: true, // if we don't, it won't try to fallback from websocket to polling
-  autoConnect: false  // Don't connect until after registration
+  autoConnect: false,  // Don't connect until after registration
+  withCredentials: true // make sure cookies work for sticky sessions
 });
 // Socket.IO event handlers
@@ -300,7 +278,7 @@ socket.on('forward_request', async (data, callback) => {
       request_id: requestId,
       status_code: 403,
       headers: {},
-      body: 'Target URL is not an allowed internal resource'
+      body: formatMessageBody('Target URL is not an allowed internal resource')
     });
     return;
   }
@@ -310,7 +288,7 @@ socket.on('forward_request', async (data, callback) => {
       request_id: requestId,
       status_code: 403,
       headers: {},
-      body: 'Target URL is not in the allowed resources list'
+      body: formatMessageBody('Target URL is not in the allowed resources list')
     });
     return;
   }
@@ -337,30 +315,41 @@ socket.on('forward_request', async (data, callback) => {
       url: resolvedUrl,
       headers,
       data: body,
-      validateStatus: () => true // Accept any status code
+      validateStatus: () => true, // Accept any status code
+      responseType: 'arraybuffer', // Get raw bytes, don't parse JSON
     });
     log.info(`Successfully forwarded request ${requestId} to ${targetUrl}, status: ${response.status}`);
     // Return response via acknowledgement
+    // Send body as base64 to preserve binary data byte-for-byte (critical for Docker registry digests)
+    const responseBody = response.data ? Buffer.from(response.data).toString('base64') : null;
     callback({
       request_id: requestId,
       status_code: response.status,
       headers: response.headers,
-      body: typeof response.data === 'string' ? response.data : JSON.stringify(response.data)
+      body: responseBody,
+      version: 2
     });
   } catch (error) {
-    log.error(`Error forwarding request ${requestId} to ${targetUrl}: ${error.message}`);
+    log.error(`Error forwarding request ${requestId} to ${targetUrl}: ${error?.response?.status || error.message}`);
+    const errorMessage = `Error reaching internal resource: ${error?.response?.status || error.message}`;
     callback({
       request_id: requestId,
       status_code: 502,
       headers: {},
-      body: `Error reaching internal resource: ${error.message}`
+      body: formatMessageBody(errorMessage),
+      version: 2
     });
   }
 });
+function formatMessageBody(message) {
+  return Buffer.from(message, 'utf-8').toString('base64');
+}
 /**
  * Register this client with the broker server
  */
@@ -387,14 +376,7 @@ async function registerWithServer() {
         log.info(`✓ Successfully registered with broker server as ${clientId}`);
         // Save client_id to file and cache
-        _clientIdCache = clientId;
-        try {
-          fs.mkdirSync('/config', { recursive: true });
-          fs.writeFileSync('/config/client_id', clientId);
-          log.info("💾 Saved client_id to /config/client_id");
-        } catch (e) {
-          log.warn(`Could not save client_id file: ${e.message}`);
-        }
+        setClientIdCache(clientId);
         log.info("Waiting for server to propagate configuration...");
         await new Promise(resolve => setTimeout(resolve, 5000));
@@ -402,17 +384,7 @@ async function registerWithServer() {
       } else if (response.status === 409) {
         log.info("✓ Client already registered with server (this is OK)");
         // Try to extract client_id from response if available
-        try {
-          const clientId = response.data.client_id;
-          if (clientId) {
-            _clientIdCache = clientId;
-            fs.mkdirSync('/config', { recursive: true });
-            fs.writeFileSync('/config/client_id', clientId);
-            log.info("💾 Saved client_id to /config/client_id");
-          }
-        } catch (e) {
-          log.warn(`Could not save client_id file: ${e.message}`);
-        }
+        setClientIdCache(response.data.client_id);
         return;
       } else {
         log.warn(`Registration attempt ${attempt + 1} failed: ${response.status} - ${response.data}`);

package/app/config.js ADDED Viewed

@@ -0,0 +1,65 @@
+import fs from 'fs';
+// Client ID file path
+const CLIENT_ID_PATH = '/config/client_id';
+// Cache for client_id
+let _clientIdCache = null;
+// Client secret from environment
+const CLIENT_SECRET = process.env.CLIENT_SECRET;
+/**
+ * Get the server URL.
+ * Uses BROKER_TARGET_URL env var, defaults to https://broker.aikidobroker.com
+ */
+export function getServerUrl() {
+  return process.env.BROKER_TARGET_URL || 'https://broker.aikidobroker.com';
+}
+/**
+ * Get the client secret from environment.
+ */
+export function getClientSecret() {
+  return CLIENT_SECRET;
+}
+/**
+ * Get the client ID from cache or read from file.
+ * Returns null if not registered yet.
+ */
+export function getClientId() {
+  if (_clientIdCache !== null) {
+    return _clientIdCache;
+  }
+  if (fs.existsSync(CLIENT_ID_PATH)) {
+    try {
+      _clientIdCache = fs.readFileSync(CLIENT_ID_PATH, 'utf8').trim();
+      return _clientIdCache;
+    } catch (e) {
+      console.error(`[ERROR] ${new Date().toISOString()} - Failed to read client_id: ${e.message}`);
+    }
+  }
+  return null;
+}
+/**
+ * Set the client ID cache and persist to file.
+ * Does nothing if clientId is null/undefined.
+ */
+export function setClientIdCache(clientId) {
+  if (!clientId) {
+    return;
+  }
+  _clientIdCache = clientId;
+  try {
+    fs.mkdirSync('/config', { recursive: true });
+    fs.writeFileSync(CLIENT_ID_PATH, clientId);
+    console.log(`[INFO] ${new Date().toISOString()} - 💾 Saved client_id to ${CLIENT_ID_PATH}`);
+  } catch (e) {
+    console.error(`[ERROR] ${new Date().toISOString()} - Failed to write client_id: ${e.message}`);
+  }
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aikidosec/broker-client",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "Aikido Broker Client - Runs in customer network to forward requests to internal resources",
   "main": "app/client.js",
   "type": "module",