@camstack/server 0.2.2 → 1.0.1

package/src/api/trpc/client-ip.ts

@@ -1,147 +0,0 @@
-/**
- * Client-IP extraction + LAN/remote classification for the tRPC layer.
- *
- * Used by the `webrtcSession.createSession` override to decide whether a
- * live-view session should force TURN-relay-only ICE: a viewer behind
- * CGNAT/4G (a non-LAN source IP) only ever offers a relay candidate, so
- * the broker must offer a genuinely relay-only SDP (the patched werift
- * emits one under `iceTransportPolicy:'relay'`) to get a clean
- * relay↔relay media path. LAN viewers (private/loopback source IP) keep
- * the low-latency direct host/srflx path. The SERVER computes this — the
- * client never sends a relay-only flag.
- */
-import type { FastifyRequest } from 'fastify'
-import type { IncomingMessage } from 'node:http'
-
-export type ClientRequest = FastifyRequest | IncomingMessage
-
-/**
- * Best-effort extraction of the originating client IP from a tRPC
- * request. Order of preference:
- *   1. `X-Forwarded-For` first hop (when behind a reverse proxy — the
- *      hub is typically fronted by Caddy/nginx/Cloudflare for remote
- *      access, so the socket peer is the proxy, not the viewer).
- *   2. Fastify's `req.ip` (already proxy-aware when `trustProxy` is on).
- *   3. The raw socket remote address.
- *
- * Returns `null` when no address can be determined (e.g. mesh-originated
- * calls that carry no HTTP request) — the caller treats `null` as "not
- * remote" so the LAN/direct path stays the safe default.
- */
-export function extractClientIp(req: ClientRequest | undefined): string | null {
-  if (!req) return null
-
-  // 1. X-Forwarded-For — comma-separated list, client is the FIRST entry.
-  const xff = req.headers['x-forwarded-for']
-  const xffValue = Array.isArray(xff) ? xff[0] : xff
-  if (typeof xffValue === 'string' && xffValue.length > 0) {
-    const first = xffValue.split(',')[0]?.trim()
-    if (first) return normalizeIp(first)
-  }
-
-  // 2. Fastify's parsed `req.ip` (honours `trustProxy` config).
-  if ('ip' in req && typeof req.ip === 'string' && req.ip.length > 0) {
-    return normalizeIp(req.ip)
-  }
-
-  // 3. Raw socket peer (WS / IncomingMessage path).
-  const remote = req.socket?.remoteAddress
-  if (typeof remote === 'string' && remote.length > 0) {
-    return normalizeIp(remote)
-  }
-
-  return null
-}
-
-/**
- * Best-effort read of the originating client's `User-Agent` header. Both
- * request shapes in the union (`FastifyRequest` and the raw WS-transport
- * `IncomingMessage`) expose `.headers['user-agent']`. Returns `null` when
- * absent (mesh-originated calls carry no HTTP request, and some clients
- * omit the header). Used by the `webrtc-session` mount to tag a browser
- * subscriber's broker attribution with the viewer's UA — the SERVER reads
- * it from the request context; any client-supplied value is ignored.
- */
-export function extractUserAgent(req: ClientRequest | undefined): string | null {
-  if (!req) return null
-  const ua = req.headers['user-agent']
-  const value = Array.isArray(ua) ? ua[0] : ua
-  if (typeof value === 'string' && value.length > 0) return value
-  return null
-}
-
-/**
- * Strip an IPv4-mapped IPv6 prefix (`::ffff:192.168.1.5` → `192.168.1.5`)
- * and any zone id (`fe80::1%en0` → `fe80::1`) so the range checks below
- * see a clean address.
- */
-function normalizeIp(ip: string): string {
-  let out = ip.trim()
-  if (out.startsWith('::ffff:')) out = out.slice('::ffff:'.length)
-  const pct = out.indexOf('%')
-  if (pct !== -1) out = out.slice(0, pct)
-  return out
-}
-
-/**
- * True when the address is NOT in a private / loopback / link-local /
- * Tailscale range — i.e. an internet (remote) viewer. Covers IPv4
- * (10/8, 172.16/12, 192.168/16, 127/8, 100.64/10 Tailscale CGNAT) and
- * IPv6 (::1, fc00::/7 unique-local, fe80::/10 link-local — fd7a::/16
- * Tailscale ULA is a subset of fc00::/7 and is therefore already
- * covered).
- *
- * Tailscale clients (the 100.64.0.0/10 CGNAT overlay or the fd7a::/16
- * ULA overlay) are deliberately classified LOCAL: over the Tailscale
- * mesh BOTH peers sit on the 100.x / fd7a:: overlay and are mutually
- * reachable, so the broker offers ALL candidates (host/srflx/relay)
- * — including the hub's Tailscale host candidate — and a direct
- * host↔host pair wins ICE with native (non-re-encoded) media. Forcing
- * relay-only for Tailscale would push them onto the broken relay path.
- *
- * Unparseable or null addresses return `false` (treated as LAN — the
- * safe default that preserves the existing direct path).
- */
-export function isRemoteClientIp(ip: string | null): boolean {
-  if (!ip) return false
-  if (ip.includes(':')) return !isPrivateIpv6(ip)
-  if (isIpv4(ip)) return !isPrivateIpv4(ip)
-  // Not a recognisable IP literal — be conservative, treat as LAN.
-  return false
-}
-
-function isIpv4(ip: string): boolean {
-  const parts = ip.split('.')
-  if (parts.length !== 4) return false
-  return parts.every((p) => {
-    if (!/^\d{1,3}$/.test(p)) return false
-    const n = Number.parseInt(p, 10)
-    return n >= 0 && n <= 255
-  })
-}
-
-function isPrivateIpv4(ip: string): boolean {
-  const parts = ip.split('.').map((p) => Number.parseInt(p, 10))
-  const [a, b] = parts
-  if (a === undefined || b === undefined) return false
-  if (a === 10) return true // 10.0.0.0/8
-  if (a === 127) return true // 127.0.0.0/8 loopback
-  if (a === 172 && b >= 16 && b <= 31) return true // 172.16.0.0/12
-  if (a === 192 && b === 168) return true // 192.168.0.0/16
-  if (a === 169 && b === 254) return true // 169.254.0.0/16 link-local
-  // 100.64.0.0/10 — Tailscale CGNAT overlay (100.64.0.0 – 100.127.255.255).
-  // Both Tailscale peers are mutually reachable on this overlay, so treat
-  // it as local (direct host↔host pair, no relay).
-  if (a === 100 && b >= 64 && b <= 127) return true
-  return false
-}
-
-function isPrivateIpv6(ip: string): boolean {
-  const lower = ip.toLowerCase()
-  if (lower === '::1') return true // loopback
-  if (lower === '::') return true // unspecified
-  if (lower.startsWith('fe80')) return true // fe80::/10 link-local
-  // fc00::/7 unique-local — covers fc.. and fd..
-  if (lower.startsWith('fc') || lower.startsWith('fd')) return true
-  return false
-}

package/src/api/trpc/core-cap-bridge.ts

@@ -1,154 +0,0 @@
-/**
- * Core-capability mesh bridge.
- *
- * The hub's CORE routers — hand-written single-impl routers plus the
- * handful of service-backed cap routers — are mounted only as the hub's
- * tRPC `appRouter`. No addon registers a provider for them, so
- * `addon-service-factory` never publishes a Moleculer service exposing
- * their actions. A forked addon calling `ctx.api.<coreCap>.<method>`
- * therefore falls through `localProviderLink` into `brokerTransportLink`,
- * whose load-balanced discovery wait has no deadline — the call hangs
- * forever (this was the `export-alexa` `redetectHubUrl` hang).
- *
- * `buildCoreCapService` walks the appRouter, picks the core namespaces,
- * and wraps each query/mutation as a `$core-caps.<kebab-cap>.<method>`
- * Moleculer action invoked through a trusted-mesh tRPC caller. With the
- * service mounted on the hub node, `brokerTransportLink` resolves and
- * routes the call exactly like any addon-provided cap.
- */
-import type { ServiceSchema } from 'moleculer'
-import { createCoreCapService, type CoreCapAction } from '@camstack/kernel'
-import { createCallerFactory } from './trpc.middleware.js'
-import { createMeshTrpcContext } from './trpc.context.js'
-import type { AppRouter } from './trpc.router.js'
-
-/**
- * appRouter namespaces that back the CORE API surface and must be
- * reachable cross-process. This is the core-router list from
- * `trpc.router.ts` (`buildCapabilityRouters`) minus the deliberate
- * exclusions below.
- *
- * Excluded on purpose:
- *  - `auth` — issuing service / scoped tokens over the trusted mesh
- *    would let any forked addon mint admin credentials. Addons must
- *    not perform authentication operations; this stays hub-local.
- *  - `live`, `systemEvents` — listed in `NEVER_BRIDGED_CAPS`
- *    (`trpc-links.ts`). They are hub-only push streams, not
- *    request/reply, and the worker side fast-fails on them by design.
- */
-const CORE_NAMESPACES: ReadonlySet<string> = new Set<string>([
-  // Service-backed cap routers (no addon provider).
-  'system',
-  'toast',
-  'integrations',
-  'nodes',
-  'addons',
-  // Hand-written single-impl core routers.
-  'capabilities',
-  'notifications',
-  'logs',
-  'hwaccel',
-  'streamProbe',
-  'settingsBackend',
-  'eventBusProxy',
-  'repl',
-  'addonSettingsRaw',
-])
-
-/**
- * camelCase → kebab-case. Mirrors `toKebab` in `trpc-links.ts` so the
- * action name matches what `brokerTransportLink` derives from `op.path`.
- */
-function toKebab(name: string): string {
-  return name.replace(/[A-Z]/g, (m, i: number) => (i > 0 ? '-' : '') + m.toLowerCase())
-}
-
-/** A tRPC procedure node — distinguished from a router by `_def.procedure`. */
-interface ProcedureNode {
-  readonly _def: { readonly procedure?: unknown; readonly type?: unknown }
-}
-
-function isProcedureNode(value: unknown): value is ProcedureNode {
-  // A built tRPC procedure is a callable object — `_def.procedures`
-  // stores the procedure function directly, not a wrapper object.
-  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return false
-  const def: unknown = (value as { _def?: unknown })._def
-  return (
-    def !== null && typeof def === 'object' && (def as { procedure?: unknown }).procedure === true
-  )
-}
-
-interface DiscoveredProcedure {
-  readonly path: string
-  readonly type: string
-}
-
-/**
- * Recursively flatten a tRPC router record to dotted procedure paths.
- * Robust to both layouts tRPC v11 may use for `_def.procedures`: a
- * nested record of sub-routers, or a flat record already keyed by
- * dotted path (a flat key simply yields its key verbatim).
- */
-function collectProcedures(
-  record: Readonly<Record<string, unknown>>,
-  prefix: string,
-  out: DiscoveredProcedure[],
-): void {
-  for (const [key, value] of Object.entries(record)) {
-    const path = prefix.length > 0 ? `${prefix}.${key}` : key
-    if (isProcedureNode(value)) {
-      const type = value._def.type
-      out.push({ path, type: typeof type === 'string' ? type : 'query' })
-    } else if (value !== null && typeof value === 'object') {
-      collectProcedures(value as Readonly<Record<string, unknown>>, path, out)
-    }
-  }
-}
-
-type ProcedureInvoker = (input: unknown) => Promise<unknown>
-
-/**
- * Navigate the decorated caller record (a recursive proxy) to the
- * procedure function at `path`. Every node on the proxy is callable,
- * so navigation uses `Reflect.get` across both objects and functions.
- */
-function resolveInvoker(caller: unknown, path: string): ProcedureInvoker | null {
-  let node: unknown = caller
-  for (const segment of path.split('.')) {
-    if (node === null || (typeof node !== 'object' && typeof node !== 'function')) return null
-    // Documented boundary: `node` is an object or function past the
-    // guard above; `Reflect.get` is typed for `object` targets.
-    node = Reflect.get(node as object, segment)
-  }
-  return typeof node === 'function' ? (node as ProcedureInvoker) : null
-}
-
-/**
- * Build the `$core-caps` Moleculer service schema from the hub
- * appRouter. Query + mutation procedures in {@link CORE_NAMESPACES} are
- * exposed; subscriptions are skipped (the broker transport is
- * request/reply only).
- */
-export function buildCoreCapService(appRouter: AppRouter): ServiceSchema {
-  const meshCaller: unknown = createCallerFactory(appRouter)(createMeshTrpcContext())
-
-  const discovered: DiscoveredProcedure[] = []
-  collectProcedures(appRouter._def.procedures, '', discovered)
-
-  const actions: CoreCapAction[] = []
-  for (const { path, type } of discovered) {
-    const dot = path.indexOf('.')
-    if (dot < 0) continue
-    const namespace = path.slice(0, dot)
-    if (!CORE_NAMESPACES.has(namespace)) continue
-    if (type === 'subscription') continue
-
-    const invoke = resolveInvoker(meshCaller, path)
-    if (invoke === null) continue
-
-    const method = path.slice(dot + 1)
-    actions.push({ actionName: `${toKebab(namespace)}.${method}`, invoke })
-  }
-
-  return createCoreCapService({ actions })
-}