@juspay/shooter 1.19.0 → 1.20.0

package/src/lib/modules/client/terminal/ShareSheet.svelte

@@ -0,0 +1,395 @@
+<script lang="ts">
+  import type { ShareInfoResponse, ShareMode, ShareSheetProps } from '$lib/types';
+
+  import { getApiKey } from '$lib/modules/client/common';
+  import { Button, Input } from '@juspay/svelte-ui-components';
+
+  const { onClose, open = false, shareUrl, terminalId }: ShareSheetProps = $props();
+
+  let active = $state(false);
+  let currentMode = $state<null | ShareMode>(null);
+  let mode = $state<ShareMode>('view');
+  let password = $state('');
+  let busy = $state(false);
+  let errorMsg = $state<null | string>(null);
+  let copied = $state(false);
+
+  // Password characters avoid ambiguous glyphs (0/O, 1/l/I).
+  const PASSWORD_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
+
+  const canSubmit = $derived(
+    active ? password.length === 0 || password.length >= 6 : password.length >= 6
+  );
+
+  $effect(() => {
+    if (open) {
+      void loadInfo();
+    }
+  });
+
+  async function loadInfo(): Promise<void> {
+    errorMsg = null;
+    copied = false;
+    try {
+      const res = await fetch(`/api/terminals/${terminalId}/share`, {
+        headers: { Authorization: `Bearer ${getApiKey()}` },
+      });
+      if (!res.ok) {
+        errorMsg = 'Failed to load share state.';
+        return;
+      }
+      const info = (await res.json()) as ShareInfoResponse;
+      active = info.active;
+      currentMode = info.mode ?? null;
+      mode = info.mode ?? 'view';
+      password = '';
+    } catch {
+      errorMsg = 'Failed to reach the server.';
+    }
+  }
+
+  function generatePassword(): void {
+    const bytes = crypto.getRandomValues(new Uint8Array(16));
+    password = Array.from(bytes, (b) => PASSWORD_ALPHABET[b % PASSWORD_ALPHABET.length]).join('');
+  }
+
+  async function saveShare(): Promise<void> {
+    if (busy || !canSubmit) {
+      return;
+    }
+    busy = true;
+    errorMsg = null;
+    try {
+      const res = await fetch(`/api/terminals/${terminalId}/share`, {
+        body: JSON.stringify({ mode, ...(password ? { password } : {}) }),
+        headers: {
+          Authorization: `Bearer ${getApiKey()}`,
+          'Content-Type': 'application/json',
+        },
+        method: 'PUT',
+      });
+      if (!res.ok) {
+        const data = (await res.json().catch(() => ({}))) as { error?: string };
+        errorMsg = data.error ?? 'Failed to save share.';
+        return;
+      }
+      const info = (await res.json()) as ShareInfoResponse;
+      active = info.active;
+      currentMode = info.mode ?? null;
+      password = '';
+    } catch {
+      errorMsg = 'Failed to reach the server.';
+    } finally {
+      busy = false;
+    }
+  }
+
+  async function revokeShare(): Promise<void> {
+    if (busy) {
+      return;
+    }
+    busy = true;
+    errorMsg = null;
+    try {
+      const res = await fetch(`/api/terminals/${terminalId}/share`, {
+        headers: { Authorization: `Bearer ${getApiKey()}` },
+        method: 'DELETE',
+      });
+      if (!res.ok) {
+        errorMsg = 'Failed to revoke share.';
+        return;
+      }
+      active = false;
+      currentMode = null;
+      password = '';
+    } catch {
+      errorMsg = 'Failed to reach the server.';
+    } finally {
+      busy = false;
+    }
+  }
+
+  async function copyUrl(): Promise<void> {
+    try {
+      await navigator.clipboard.writeText(shareUrl);
+      copied = true;
+      setTimeout(() => {
+        copied = false;
+      }, 2000);
+    } catch {
+      errorMsg = 'Failed to copy.';
+    }
+  }
+</script>
+
+{#if open}
+  <div
+    class="share-backdrop"
+    onclick={onClose}
+    onkeydown={(e: KeyboardEvent): void => {
+      if (e.key === 'Escape') {
+        onClose();
+      }
+    }}
+    role="presentation"
+  >
+    <div
+      class="share-sheet"
+      onclick={(e: MouseEvent): void => {
+        e.stopPropagation();
+      }}
+      role="dialog"
+      aria-label="Share terminal"
+      tabindex="-1"
+      onkeydown={(e: KeyboardEvent): void => {
+        if (e.key === 'Escape') {
+          onClose();
+        }
+      }}
+    >
+      <div class="share-sheet-header">
+        <h2 class="share-sheet-title">Share terminal</h2>
+        <button class="share-sheet-close" onclick={onClose} aria-label="Close">&times;</button>
+      </div>
+
+      {#if active}
+        <div class="share-active-row">
+          <span class="share-active-dot"></span>
+          <span class="share-active-label">
+            Sharing is active ({currentMode === 'control' ? 'full control' : 'view only'})
+          </span>
+        </div>
+        <div class="share-url-row">
+          <span class="share-url">{shareUrl}</span>
+          <Button
+            classes="btn-secondary btn-sm"
+            onclick={(): void => {
+              void copyUrl();
+            }}
+            text={copied ? 'Copied' : 'Copy'}
+          />
+        </div>
+      {:else}
+        <p class="share-sheet-sub">
+          Anyone with this page's link and the password below can access this terminal.
+        </p>
+      {/if}
+
+      <div class="share-field">
+        <span class="share-field-label">Access</span>
+        <div class="share-mode-toggle">
+          <button
+            class="share-mode-btn {mode === 'view' ? 'share-mode-active' : ''}"
+            onclick={(): void => {
+              mode = 'view';
+            }}
+          >
+            View only
+          </button>
+          <button
+            class="share-mode-btn {mode === 'control' ? 'share-mode-active' : ''}"
+            onclick={(): void => {
+              mode = 'control';
+            }}
+          >
+            Full control
+          </button>
+        </div>
+      </div>
+
+      <div class="share-field">
+        <span class="share-field-label">
+          {active ? 'New password (leave empty to keep current)' : 'Password (min 6 chars)'}
+        </span>
+        <div class="share-password-row">
+          <Input
+            bind:value={password}
+            dataType="text"
+            placeholder="Password"
+            classes="share-password-input"
+          />
+          <Button classes="btn-secondary btn-sm" onclick={generatePassword} text="Generate" />
+        </div>
+      </div>
+
+      {#if errorMsg}
+        <p class="share-error">{errorMsg}</p>
+      {/if}
+
+      <div class="share-actions">
+        {#if active}
+          <Button
+            classes="btn-danger btn-sm"
+            onclick={(): void => {
+              void revokeShare();
+            }}
+            disabled={busy}
+            text="Stop sharing"
+          />
+        {/if}
+        <Button
+          classes="btn-primary btn-sm"
+          onclick={(): void => {
+            void saveShare();
+          }}
+          disabled={busy || !canSubmit}
+          showLoader={busy}
+          text={active ? 'Update' : 'Start sharing'}
+        />
+      </div>
+    </div>
+  </div>
+{/if}
+
+<style>
+  .share-backdrop {
+    position: fixed;
+    inset: 0;
+    z-index: 100;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    background: rgba(0, 0, 0, 0.5);
+    padding: var(--space-4);
+  }
+
+  .share-sheet {
+    display: flex;
+    flex-direction: column;
+    gap: var(--space-3);
+    width: 100%;
+    max-width: 420px;
+    padding: var(--space-5);
+    background: var(--ds-background-100);
+    border: 1px solid var(--border);
+    border-radius: var(--radius-lg);
+  }
+
+  .share-sheet-header {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+  }
+
+  .share-sheet-title {
+    margin: 0;
+    font-size: var(--text-lg);
+    color: var(--text-primary);
+  }
+
+  .share-sheet-close {
+    background: none;
+    border: none;
+    color: var(--text-tertiary);
+    font-size: 22px;
+    cursor: pointer;
+    line-height: 1;
+    padding: 4px;
+  }
+
+  .share-sheet-close:hover {
+    color: var(--text-primary);
+  }
+
+  .share-sheet-sub {
+    margin: 0;
+    font-size: var(--text-sm);
+    color: var(--text-tertiary);
+  }
+
+  .share-active-row {
+    display: flex;
+    align-items: center;
+    gap: var(--space-2);
+  }
+
+  .share-active-dot {
+    width: 8px;
+    height: 8px;
+    border-radius: 50%;
+    background: var(--ds-green-500, #22c55e);
+  }
+
+  .share-active-label {
+    font-size: var(--text-sm);
+    color: var(--text-secondary);
+  }
+
+  .share-url-row {
+    display: flex;
+    align-items: center;
+    gap: var(--space-2);
+    padding: var(--space-2);
+    background: var(--ds-gray-200);
+    border-radius: var(--radius-md);
+  }
+
+  .share-url {
+    flex: 1;
+    font-family: var(--font-mono);
+    font-size: 11px;
+    color: var(--text-secondary);
+    overflow: hidden;
+    text-overflow: ellipsis;
+    white-space: nowrap;
+  }
+
+  .share-field {
+    display: flex;
+    flex-direction: column;
+    gap: var(--space-1);
+  }
+
+  .share-field-label {
+    font-size: var(--text-xs);
+    color: var(--text-tertiary);
+  }
+
+  .share-mode-toggle {
+    display: flex;
+    gap: 2px;
+    padding: 2px;
+    background: var(--ds-gray-200);
+    border: 1px solid var(--ds-gray-400);
+    border-radius: var(--radius-md);
+    width: fit-content;
+  }
+
+  .share-mode-btn {
+    padding: 6px 12px;
+    font-size: var(--text-xs);
+    color: var(--text-tertiary);
+    background: none;
+    border: none;
+    border-radius: var(--radius-sm);
+    cursor: pointer;
+  }
+
+  .share-mode-active {
+    background: var(--ds-background-100);
+    color: var(--text-primary);
+  }
+
+  .share-password-row {
+    display: flex;
+    align-items: center;
+    gap: var(--space-2);
+  }
+
+  .share-password-row :global(.share-password-input) {
+    --input-container-margin: 0;
+    flex: 1;
+  }
+
+  .share-error {
+    margin: 0;
+    font-size: var(--text-sm);
+    color: var(--ds-red-700, #ef4444);
+  }
+
+  .share-actions {
+    display: flex;
+    justify-content: flex-end;
+    gap: var(--space-2);
+  }
+</style>

package/src/lib/modules/client/terminal/xterm-wrapper.ts

@@ -48,7 +48,12 @@ export async function createTerminal(options: TerminalOptions): Promise<Terminal
   term.loadAddon(fitAddon);
   term.loadAddon(new WebLinksAddon());
   term.open(options.container);
-  fitAddon.fit();
+  if (options.readOnly && options.initialCols && options.initialRows) {
+    // View-only: render at the PTY's size (we may not resize the shared PTY).
+    term.resize(options.initialCols, options.initialRows);
+  } else {
+    fitAddon.fit();
+  }
 
   // Block browser-level Cmd/Ctrl shortcuts from reaching the PTY.
   // Allow Ctrl+<letter> terminal signals (Ctrl+C/D/L/R/Z etc.) through.
@@ -71,7 +76,7 @@ export async function createTerminal(options: TerminalOptions): Promise<Terminal
 
   // Clipboard image paste interception
   let pasteListener: ((e: ClipboardEvent) => void) | null = null;
-  if (options.terminalId && options.apiKey) {
+  if (options.terminalId && options.apiKey && !options.readOnly) {
     const pasteTermId = options.terminalId;
     const pasteApiKey = options.apiKey;
 
@@ -185,6 +190,12 @@ export async function createTerminal(options: TerminalOptions): Promise<Terminal
         options.onActivity?.(msg.active ?? false);
       } else if (msg.type === 'cwd') {
         options.onCwd?.(msg.path ?? '');
+      } else if (msg.type === 'resize') {
+        // PTY was resized by another client (e.g. the owner). View-only
+        // terminals follow it; interactive ones are governed by their fit.
+        if (options.readOnly && msg.cols && msg.rows) {
+          term.resize(msg.cols, msg.rows);
+        }
       }
     };
 
@@ -205,6 +216,9 @@ export async function createTerminal(options: TerminalOptions): Promise<Terminal
 
   // Terminal input -> WebSocket
   term.onData((data) => {
+    if (options.readOnly) {
+      return;
+    }
     if (ws?.readyState === WebSocket.OPEN) {
       ws.send(JSON.stringify({ data, type: 'input' }));
     }
@@ -212,6 +226,9 @@ export async function createTerminal(options: TerminalOptions): Promise<Terminal
 
   // Handle resize — skip when container is hidden (display:none → size 0)
   const resizeObserver = new ResizeObserver((): void => {
+    if (options.readOnly) {
+      return; // View-only terminals keep the PTY's dimensions.
+    }
     if (!options.container.offsetWidth || !options.container.offsetHeight) {
       return;
     }

package/src/lib/modules/server/terminal/pty-manager.ts

@@ -483,6 +483,12 @@ class PtyManager {
       terminal.pty.resize(cols, rows);
       terminal.cols = cols;
       terminal.rows = rows;
+      // Broadcast the new PTY size so attached clients (e.g. view-only
+      // guests) can follow the terminal dimensions.
+      const msg = JSON.stringify({ cols, rows, type: 'resize' });
+      for (const ws of terminal.clients) {
+        this.safeSend(ws, msg);
+      }
       return true;
     } catch {
       return false;

package/src/lib/modules/server/terminal/share-auth.ts

@@ -0,0 +1,37 @@
+// Resolves a terminal-scoped request to owner (API key) or guest (share token).
+// Kept separate from auth.ts so routes without share semantics don't pull in SQLite.
+
+import type { AccessContext } from '$lib/types';
+
+import { validateAuth } from '../auth';
+import { shareStore } from './share-store';
+
+/** Extract the Bearer token from a request, or null. */
+export function bearerToken(request: Request): null | string {
+  const auth = request.headers.get('Authorization') || request.headers.get('authorization');
+  if (!auth?.startsWith('Bearer ')) {
+    return null;
+  }
+  return auth.slice(7).trim();
+}
+
+/**
+ * Resolve access for a request targeting one terminal.
+ * Owner (valid API key) → { level: 'owner' }.
+ * Guest (valid share session for THIS terminal) → { level: 'guest', mode }.
+ * Anything else → null.
+ */
+export function resolveAccess(request: Request, terminalId: string): AccessContext | null {
+  if (validateAuth(request) === null) {
+    return { level: 'owner', mode: null };
+  }
+  const token = bearerToken(request);
+  if (!token) {
+    return null;
+  }
+  const session = shareStore.resolveToken(token);
+  if (session?.terminalId !== terminalId) {
+    return null;
+  }
+  return { level: 'guest', mode: session.mode };
+}

package/src/lib/modules/server/terminal/share-store.ts

@@ -0,0 +1,172 @@
+/**
+ * Share Store — SQLite persistence for terminal sharing.
+ *
+ * terminal_shares: one share per terminal (scrypt password hash + mode).
+ * share_sessions:  guest sessions keyed by sha256(token), 7-day TTL.
+ *
+ * Database location: ~/.shooter/shooter.db (same file as terminal-store).
+ */
+
+import type { ShareMode, TerminalShareRecord } from '$lib/types';
+
+import Database from 'better-sqlite3';
+import { createHash, randomBytes, scryptSync, timingSafeEqual } from 'crypto';
+import * as fs from 'fs';
+import * as path from 'path';
+
+const DB_DIR = path.join(process.env.HOME || '', '.shooter');
+const DB_PATH = path.join(DB_DIR, 'shooter.db');
+
+const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+// ── Password hashing (scrypt, per-share random salt) ─────────────────
+
+export class ShareStore {
+  private db: Database.Database;
+
+  constructor() {
+    fs.mkdirSync(DB_DIR, { recursive: true });
+    this.db = new Database(DB_PATH);
+    this.db.pragma('journal_mode = WAL');
+
+    this.db.exec(`
+			CREATE TABLE IF NOT EXISTS terminal_shares (
+				terminal_id   TEXT PRIMARY KEY,
+				password_hash TEXT NOT NULL,
+				mode          TEXT NOT NULL,
+				created_at    INTEGER NOT NULL,
+				updated_at    INTEGER NOT NULL
+			);
+			CREATE TABLE IF NOT EXISTS share_sessions (
+				token_hash  TEXT PRIMARY KEY,
+				terminal_id TEXT NOT NULL,
+				created_at  INTEGER NOT NULL,
+				expires_at  INTEGER NOT NULL
+			)
+		`);
+
+    this.cleanup();
+  }
+
+  /** Purge expired sessions and shares whose terminal no longer exists. */
+  cleanup(): void {
+    this.db.prepare('DELETE FROM share_sessions WHERE expires_at < ?').run(Date.now());
+    try {
+      this.db
+        .prepare('DELETE FROM terminal_shares WHERE terminal_id NOT IN (SELECT id FROM terminals)')
+        .run();
+      this.db
+        .prepare('DELETE FROM share_sessions WHERE terminal_id NOT IN (SELECT id FROM terminals)')
+        .run();
+    } catch {
+      // terminals table may not exist yet on a fresh database — skip orphan cleanup.
+    }
+  }
+
+  /** Issue a new guest session for a shared terminal. Returns the raw token (stored hashed). */
+  createSession(terminalId: string): { expiresAt: number; token: string } {
+    const token = randomBytes(32).toString('hex');
+    const now = Date.now();
+    const expiresAt = now + SESSION_TTL_MS;
+    this.db
+      .prepare(
+        'INSERT INTO share_sessions (token_hash, terminal_id, created_at, expires_at) VALUES (?, ?, ?, ?)'
+      )
+      .run(hashToken(token), terminalId, now, expiresAt);
+    return { expiresAt, token };
+  }
+
+  /** Delete all guest sessions for a terminal (password change / revoke). */
+  deleteSessions(terminalId: string): void {
+    this.db.prepare('DELETE FROM share_sessions WHERE terminal_id = ?').run(terminalId);
+  }
+
+  /** Revoke a share: delete the share row and every guest session for it. */
+  deleteShare(terminalId: string): void {
+    this.db.prepare('DELETE FROM terminal_shares WHERE terminal_id = ?').run(terminalId);
+    this.deleteSessions(terminalId);
+  }
+
+  getShare(terminalId: string): null | TerminalShareRecord {
+    const row = this.db
+      .prepare('SELECT * FROM terminal_shares WHERE terminal_id = ?')
+      .get(terminalId) as Record<string, unknown> | undefined;
+    return row ? rowToShare(row) : null;
+  }
+
+  /**
+   * Resolve a guest bearer token to its terminal + mode.
+   * Returns null if unknown, expired, or the share was revoked.
+   */
+  resolveToken(token: string): null | { mode: ShareMode; terminalId: string } {
+    if (!token) {
+      return null;
+    }
+    const row = this.db
+      .prepare(
+        `SELECT s.terminal_id, s.expires_at, sh.mode
+				 FROM share_sessions s
+				 JOIN terminal_shares sh ON sh.terminal_id = s.terminal_id
+				 WHERE s.token_hash = ?`
+      )
+      .get(hashToken(token)) as Record<string, unknown> | undefined;
+    if (!row) {
+      return null;
+    }
+    if ((row.expires_at as number) < Date.now()) {
+      this.db.prepare('DELETE FROM share_sessions WHERE token_hash = ?').run(hashToken(token));
+      return null;
+    }
+    return { mode: row.mode as ShareMode, terminalId: row.terminal_id as string };
+  }
+
+  /** Create or replace the share for a terminal. */
+  setShare(record: TerminalShareRecord): void {
+    this.db
+      .prepare(
+        `INSERT OR REPLACE INTO terminal_shares
+				 (terminal_id, password_hash, mode, created_at, updated_at)
+				 VALUES (?, ?, ?, ?, ?)`
+      )
+      .run(record.terminalId, record.passwordHash, record.mode, record.createdAt, record.updatedAt);
+  }
+}
+
+export function hashPassword(password: string): string {
+  const salt = randomBytes(16).toString('hex');
+  const hash = scryptSync(password, salt, 64).toString('hex');
+  return `scrypt:${salt}:${hash}`;
+}
+
+export function verifyPassword(password: string, stored: string): boolean {
+  const parts = stored.split(':');
+  if (parts.length !== 3 || parts[0] !== 'scrypt') {
+    return false;
+  }
+  const expected = Buffer.from(parts[2], 'hex');
+  const actual = scryptSync(password, parts[1], 64);
+  return expected.length === actual.length && timingSafeEqual(actual, expected);
+}
+
+// ── Row mapping ──────────────────────────────────────────────────────
+
+function hashToken(token: string): string {
+  return createHash('sha256').update(token).digest('hex');
+}
+
+function rowToShare(row: Record<string, unknown>): TerminalShareRecord {
+  return {
+    createdAt: row.created_at as number,
+    mode: row.mode as ShareMode,
+    passwordHash: row.password_hash as string,
+    terminalId: row.terminal_id as string,
+    updatedAt: row.updated_at as number,
+  };
+}
+
+// ── Singleton (globalThis bridges tsx server.ts + SvelteKit handler) ─
+
+const SS_GLOBAL_KEY = '__shooter_share_store';
+export const shareStore: ShareStore =
+  ((globalThis as Record<string, unknown>)[SS_GLOBAL_KEY] as ShareStore) || new ShareStore();
+(globalThis as Record<string, unknown>)[SS_GLOBAL_KEY] = shareStore;