@cloudflare/sandbox 0.0.0-722aec2 → 0.0.0-75de276

package/src/request-handler.ts

@@ -0,0 +1,183 @@
+import { switchPort } from '@cloudflare/containers';
+import { createLogger, type LogContext, TraceContext } from '@repo/shared';
+import { getSandbox, type Sandbox } from './sandbox';
+import { sanitizeSandboxId, validatePort } from './security';
+
+export interface SandboxEnv {
+  Sandbox: DurableObjectNamespace<Sandbox>;
+}
+
+export interface RouteInfo {
+  port: number;
+  sandboxId: string;
+  path: string;
+  token: string;
+}
+
+export async function proxyToSandbox<E extends SandboxEnv>(
+  request: Request,
+  env: E
+): Promise<Response | null> {
+  // Create logger context for this request
+  const traceId =
+    TraceContext.fromHeaders(request.headers) || TraceContext.generate();
+  const logger = createLogger({
+    component: 'sandbox-do',
+    traceId,
+    operation: 'proxy'
+  });
+
+  try {
+    const url = new URL(request.url);
+    const routeInfo = extractSandboxRoute(url);
+
+    if (!routeInfo) {
+      return null; // Not a request to an exposed container port
+    }
+
+    const { sandboxId, port, path, token } = routeInfo;
+    const sandbox = getSandbox(env.Sandbox, sandboxId);
+
+    // Critical security check: Validate token (mandatory for all user ports)
+    // Skip check for control plane port 3000
+    if (port !== 3000) {
+      // Validate the token matches the port
+      const isValidToken = await sandbox.validatePortToken(port, token);
+      if (!isValidToken) {
+        logger.warn('Invalid token access blocked', {
+          port,
+          sandboxId,
+          path,
+          hostname: url.hostname,
+          url: request.url,
+          method: request.method,
+          userAgent: request.headers.get('User-Agent') || 'unknown'
+        });
+
+        return new Response(
+          JSON.stringify({
+            error: `Access denied: Invalid token or port not exposed`,
+            code: 'INVALID_TOKEN'
+          }),
+          {
+            status: 404,
+            headers: {
+              'Content-Type': 'application/json'
+            }
+          }
+        );
+      }
+    }
+
+    // Detect WebSocket upgrade request
+    const upgradeHeader = request.headers.get('Upgrade');
+    if (upgradeHeader?.toLowerCase() === 'websocket') {
+      // WebSocket path: Must use fetch() not containerFetch()
+      // This bypasses JSRPC serialization boundary which cannot handle WebSocket upgrades
+      return await sandbox.fetch(switchPort(request, port));
+    }
+
+    // Build proxy request with proper headers
+    let proxyUrl: string;
+
+    // Route based on the target port
+    if (port !== 3000) {
+      // Route directly to user's service on the specified port
+      proxyUrl = `http://localhost:${port}${path}${url.search}`;
+    } else {
+      // Port 3000 is our control plane - route normally
+      proxyUrl = `http://localhost:3000${path}${url.search}`;
+    }
+
+    const proxyRequest = new Request(proxyUrl, {
+      method: request.method,
+      headers: {
+        ...Object.fromEntries(request.headers),
+        'X-Original-URL': request.url,
+        'X-Forwarded-Host': url.hostname,
+        'X-Forwarded-Proto': url.protocol.replace(':', ''),
+        'X-Sandbox-Name': sandboxId // Pass the friendly name
+      },
+      body: request.body,
+      // @ts-expect-error - duplex required for body streaming in modern runtimes
+      duplex: 'half'
+    });
+
+    return await sandbox.containerFetch(proxyRequest, port);
+  } catch (error) {
+    logger.error(
+      'Proxy routing error',
+      error instanceof Error ? error : new Error(String(error))
+    );
+    return new Response('Proxy routing error', { status: 500 });
+  }
+}
+
+function extractSandboxRoute(url: URL): RouteInfo | null {
+  // Parse subdomain pattern: port-sandboxId-token.domain (tokens mandatory)
+  // Token is always exactly 16 chars (generated by generatePortToken)
+  const subdomainMatch = url.hostname.match(
+    /^(\d{4,5})-([^.-][^.]*?[^.-]|[^.-])-([a-z0-9_-]{16})\.(.+)$/
+  );
+
+  if (!subdomainMatch) {
+    return null;
+  }
+
+  const portStr = subdomainMatch[1];
+  const sandboxId = subdomainMatch[2];
+  const token = subdomainMatch[3]; // Mandatory token
+  const domain = subdomainMatch[4];
+
+  const port = parseInt(portStr, 10);
+  if (!validatePort(port)) {
+    return null;
+  }
+
+  let sanitizedSandboxId: string;
+  try {
+    sanitizedSandboxId = sanitizeSandboxId(sandboxId);
+  } catch (error) {
+    return null;
+  }
+
+  // DNS subdomain length limit is 63 characters
+  if (sandboxId.length > 63) {
+    return null;
+  }
+
+  return {
+    port,
+    sandboxId: sanitizedSandboxId,
+    path: url.pathname || '/',
+    token
+  };
+}
+
+export function isLocalhostPattern(hostname: string): boolean {
+  // Handle IPv6 addresses in brackets (with or without port)
+  if (hostname.startsWith('[')) {
+    if (hostname.includes(']:')) {
+      // [::1]:port format
+      const ipv6Part = hostname.substring(0, hostname.indexOf(']:') + 1);
+      return ipv6Part === '[::1]';
+    } else {
+      // [::1] format without port
+      return hostname === '[::1]';
+    }
+  }
+
+  // Handle bare IPv6 without brackets
+  if (hostname === '::1') {
+    return true;
+  }
+
+  // For IPv4 and regular hostnames, split on colon to remove port
+  const hostPart = hostname.split(':')[0];
+
+  return (
+    hostPart === 'localhost' ||
+    hostPart === '127.0.0.1' ||
+    hostPart === '0.0.0.0'
+  );
+}