@jxa13/pm2ui 1.17.1 → 1.18.0

package/server.js

@@ -1,11 +1,16 @@
 const express = require('express');
+const crypto = require('crypto');
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
-const { execFile, spawn } = require('child_process');
-const { promisify } = require('util');
+const { execFile } = require('child_process');
 const {
+  connectLogBus,
+  createProcess,
+  deleteProcess,
+  flushProcessLogs,
   listProcesses,
+  savePm2State,
   startProcess,
   stopProcess,
   restartProcess
@@ -15,19 +20,64 @@ const { getSystemStats } = require('./Services/systemService');
 const app = express();
 const PORT = process.env.PORT || 3210;
 const DEFAULT_PROTECTED_PROCESS_NAMES = ['node-webui'];
-const execFileAsync = promisify(execFile);
+const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+const apiSessionToken = crypto.randomBytes(32).toString('hex');
 const reactDistPath = path.join(__dirname, 'frontend', 'dist');
 const reactIndexPath = path.join(reactDistPath, 'index.html');
-const pm2CliPath = (() => {
+const pm2PackageVersion = (() => {
   try {
-    return require.resolve('pm2/bin/pm2');
+    return require('pm2/package.json').version;
   } catch (error) {
-    return 'pm2';
+    return '';
   }
 })();
 
 app.use(express.json());
 
+function isSameOriginRequest(req) {
+  const origin = req.get('origin');
+
+  if (!origin) {
+    return true;
+  }
+
+  try {
+    const originUrl = new URL(origin);
+    return originUrl.host === req.get('host');
+  } catch (error) {
+    return false;
+  }
+}
+
+function hasValidApiSessionToken(req) {
+  const token = String(req.get('X-PM2UI-Token') || '');
+  const expectedToken = Buffer.from(apiSessionToken);
+  const receivedToken = Buffer.from(token);
+
+  if (!token || receivedToken.length !== expectedToken.length) {
+    return false;
+  }
+
+  return crypto.timingSafeEqual(receivedToken, expectedToken);
+}
+
+app.use((req, res, next) => {
+  if (!req.path.startsWith('/api/') || !UNSAFE_METHODS.has(req.method)) {
+    next();
+    return;
+  }
+
+  if (!isSameOriginRequest(req) || !hasValidApiSessionToken(req)) {
+    res.status(403).json({
+      ok: false,
+      error: 'Invalid API session'
+    });
+    return;
+  }
+
+  next();
+});
+
 function getProtectedProcessNames() {
   const rawValue = process.env.PROTECTED_PM2_PROCESSES;
   const names = rawValue
@@ -100,15 +150,6 @@ function readTextFile(filePath) {
   }
 }
 
-async function getCommandOutput(command, args) {
-  try {
-    const { stdout } = await execFileAsync(command, args);
-    return String(stdout || '').trim();
-  } catch (error) {
-    return '';
-  }
-}
-
 async function getPm2RuntimeStatus(processes = []) {
   const homeDirectory = os.homedir();
   const pm2Home = process.env.PM2_HOME || path.join(homeDirectory, '.pm2');
@@ -121,21 +162,17 @@ async function getPm2RuntimeStatus(processes = []) {
     'LaunchAgents',
     userName ? `pm2.${userName}.plist` : 'pm2.plist'
   ));
-  const version = await getCommandOutput(pm2CliPath, ['-v']);
   const daemonPid = daemonPidFile.exists ? readTextFile(daemonPidFile.path) : '';
-  const daemonUptime = daemonPid
-    ? await getCommandOutput('ps', ['-p', daemonPid, '-o', 'etime='])
-    : '';
 
   return {
     home: pm2Home,
-    version,
+    version: pm2PackageVersion,
     daemon: {
       connected: true,
       pid: daemonPid || '',
       pidFile: daemonPidFile.path,
-      uptime: daemonUptime || '',
-      uptimeSource: daemonUptime ? 'ps etime for the PM2 daemon process' : ''
+      uptime: '',
+      uptimeSource: ''
     },
     managedAppCount: processes.length,
     saved: dumpFile.exists,
@@ -258,10 +295,11 @@ function normalizePm2Args(value) {
   return [String(value)];
 }
 
-function parsePm2LogText(rawText, type, target) {
+function parsePm2LogText(rawText, type, target, options = {}) {
   const ansiRegex = /\u001b\[[0-9;]*m/g;
   const prefixRegex = /^\d+\|[^|]+\|\s*/;
   const timestampRegex = /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*/;
+  const fallbackTimestamp = options.timestamp || new Date().toLocaleString();
 
   return String(rawText || '')
     .split(/\r?\n/)
@@ -275,15 +313,79 @@ function parsePm2LogText(rawText, type, target) {
       const message = withoutPrefix;
 
       return {
-        timestamp: timestamp || new Date().toLocaleString(),
+        timestamp: timestamp || fallbackTimestamp,
         type,
-        processId: null,
+        processId: options.processId ?? null,
         appName: target,
         message: message || withoutPrefix
       };
     });
 }
 
+async function readTailTextFile(filePath, maxBytes = 1024 * 1024 * 10) {
+  if (!filePath) {
+    return '';
+  }
+
+  try {
+    const stats = await fs.promises.stat(filePath);
+    const length = Math.min(stats.size, maxBytes);
+    const start = Math.max(stats.size - length, 0);
+    const handle = await fs.promises.open(filePath, 'r');
+
+    try {
+      const buffer = Buffer.alloc(length);
+      await handle.read(buffer, 0, length, start);
+      return buffer.toString('utf8');
+    } finally {
+      await handle.close();
+    }
+  } catch (error) {
+    if (error.code !== 'ENOENT') {
+      console.error('Read PM2 log file error:', error);
+    }
+
+    return '';
+  }
+}
+
+function getPm2ProcessLogFiles(process) {
+  const env = process?.pm2_env || {};
+
+  return [
+    { type: 'stdout', path: env.pm_out_log_path || '' },
+    { type: 'stderr', path: env.pm_err_log_path || '' }
+  ];
+}
+
+async function getLogEntriesForTarget(target, lineCount) {
+  const processes = await listProcesses();
+  const process = findProcessByTarget(processes, target);
+
+  if (!process) {
+    const error = new Error('PM2 target was not found');
+    error.statusCode = 404;
+    throw error;
+  }
+
+  const entriesByFile = await Promise.all(
+    getPm2ProcessLogFiles(process).map(async (file) => {
+      const rawText = await readTailTextFile(file.path);
+      return parsePm2LogText(rawText, file.type, process.name || target, {
+        processId: process.pm_id
+      });
+    })
+  );
+
+  return entriesByFile
+    .flat()
+    .slice(-lineCount);
+}
+
+function getLiveLogType(type) {
+  return type === 'err' ? 'stderr' : 'stdout';
+}
+
 function mapPm2Process(pm2Process) {
   const env = pm2Process.pm2_env || {};
   const processEnv = env.env || {};
@@ -381,6 +483,13 @@ app.get('/api/health', (req, res) => {
   });
 });
 
+app.get('/api/session', (req, res) => {
+  res.json({
+    ok: true,
+    token: apiSessionToken
+  });
+});
+
 app.get('/api/dashboard', async (req, res) => {
   try {
     res.json(await getDashboardData());
@@ -446,22 +555,12 @@ app.get('/api/pm2/status', async (req, res) => {
 
 app.post('/api/pm2/save', async (req, res) => {
   try {
-    execFile(pm2CliPath, ['save'], (error, stdout, stderr) => {
-      if (error) {
-        console.error('Save PM2 state API error:', error);
-        res.status(500).json({
-          ok: false,
-          error: stderr || error.message || 'Failed to save PM2 state'
-        });
-        return;
-      }
-
-      res.json({
-        ok: true,
-        message: 'PM2 state saved',
-        output: stdout || '',
-        errors: stderr || ''
-      });
+    await savePm2State();
+    res.json({
+      ok: true,
+      message: 'PM2 state saved',
+      output: '',
+      errors: ''
     });
   } catch (error) {
     console.error('Save PM2 state API error:', error);
@@ -532,61 +631,28 @@ app.post('/api/processes', async (req, res) => {
 
     const parsedArgs = parseProcessArgsInput(argsInput);
     const parsedNodeArgs = parseProcessArgsInput(nodeArgsInput);
-    const pm2Args = ['start', scriptPath, '--name', processName, '--cwd', cwd];
-
-    if (interpreter) {
-      pm2Args.push('--interpreter', interpreter);
-    }
-
-    if (parsedNodeArgs.length > 0) {
-      pm2Args.push('--node-args', parsedNodeArgs.join(' '));
-    }
-
-    if (instances) {
-      pm2Args.push('--instances', instances);
-    }
-
-    if (watch) {
-      pm2Args.push('--watch');
-    }
-
-    if (maxMemoryRestart) {
-      pm2Args.push('--max-memory-restart', maxMemoryRestart);
-    }
-
-    if (outLogPath) {
-      pm2Args.push('--output', outLogPath);
-    }
-
-    if (errorLogPath) {
-      pm2Args.push('--error', errorLogPath);
-    }
-
-    if (parsedArgs.length > 0) {
-      pm2Args.push('--', ...parsedArgs);
-    }
-
-    execFile(pm2CliPath, pm2Args, {
+    await createProcess({
+      script: scriptPath,
+      name: processName,
+      cwd,
+      ...(interpreter ? { interpreter } : {}),
+      ...(parsedNodeArgs.length > 0 ? { node_args: parsedNodeArgs } : {}),
+      ...(instances ? { instances } : {}),
+      ...(watch ? { watch: true } : {}),
+      ...(maxMemoryRestart ? { max_memory_restart: maxMemoryRestart } : {}),
+      ...(outLogPath ? { output: outLogPath } : {}),
+      ...(errorLogPath ? { error: errorLogPath } : {}),
+      ...(parsedArgs.length > 0 ? { args: parsedArgs } : {}),
       env: {
         ...process.env,
         ...(nodeEnv ? { NODE_ENV: nodeEnv } : {})
       }
-    }, (error, stdout, stderr) => {
-      if (error) {
-        console.error('Create process API error:', error);
-        res.status(500).json({
-          ok: false,
-          error: stderr || error.message || 'Failed to create process'
-        });
-        return;
-      }
-
-      res.json({
-        ok: true,
-        message: `Created process: ${processName}`,
-        output: stdout || '',
-        errors: stderr || ''
-      });
+    });
+    res.json({
+      ok: true,
+      message: `Created process: ${processName}`,
+      output: '',
+      errors: ''
     });
   } catch (error) {
     console.error('Create process API error:', error);
@@ -607,23 +673,12 @@ app.delete('/api/processes/:target', async (req, res) => {
     }
 
     await assertProcessCanBeControlled(target, 'deleted');
-
-    execFile(pm2CliPath, ['delete', target], (error, stdout, stderr) => {
-      if (error) {
-        console.error('Delete process API error:', error);
-        res.status(500).json({
-          ok: false,
-          error: stderr || error.message || 'Failed to delete process'
-        });
-        return;
-      }
-
-      res.json({
-        ok: true,
-        message: `Deleted process PM2 ID: ${target}`,
-        output: stdout || '',
-        errors: stderr || ''
-      });
+    await deleteProcess(target);
+    res.json({
+      ok: true,
+      message: `Deleted process PM2 ID: ${target}`,
+      output: '',
+      errors: ''
     });
   } catch (error) {
     console.error('Delete process API error:', error);
@@ -686,32 +741,14 @@ app.get('/api/processes/:target/logs', async (req, res) => {
       ? Math.min(Math.max(Math.trunc(requestedLines), 1), 500)
       : 100;
 
-    execFile(pm2CliPath, ['logs', target, '--nostream', '--lines', String(lines), '--timestamp', 'YYYY-MM-DD HH:mm:ss'], {
-      maxBuffer: 1024 * 1024 * 10
-    }, (error, stdout, stderr) => {
-      if (error && !stdout && !stderr) {
-        console.error('Logs API error:', error);
-        res.status(500).json({
-          ok: false,
-          error: error.message || 'Failed to load logs'
-        });
-        return;
-      }
-
-      const entries = [
-        ...parsePm2LogText(stdout, 'stdout', target),
-        ...parsePm2LogText(stderr, 'stderr', target)
-      ];
-
-      res.json({
-        ok: true,
-        target,
-        entries
-      });
+    res.json({
+      ok: true,
+      target,
+      entries: await getLogEntriesForTarget(target, lines)
     });
   } catch (error) {
     console.error('Logs API error:', error);
-    res.status(500).json({
+    res.status(error.statusCode || 500).json({
       ok: false,
       error: error.message || 'Failed to load logs'
     });
@@ -729,13 +766,7 @@ app.get('/api/processes/:target/logs/stream', async (req, res) => {
   res.write('retry: 5000\n\n');
 
   let isClosed = false;
-  const logProcess = spawn(pm2CliPath, ['logs', target, '--lines', '0', '--timestamp', 'YYYY-MM-DD HH:mm:ss'], {
-    stdio: ['ignore', 'pipe', 'pipe']
-  });
-  const buffers = {
-    stdout: '',
-    stderr: ''
-  };
+  let logBus = null;
 
   function writeEntries(rawText, type) {
     if (isClosed) {
@@ -749,13 +780,6 @@ app.get('/api/processes/:target/logs/stream', async (req, res) => {
     });
   }
 
-  function handleChunk(type, chunk) {
-    buffers[type] += chunk.toString('utf8');
-    const lines = buffers[type].split(/\r?\n/);
-    buffers[type] = lines.pop() || '';
-    writeEntries(lines.join('\n'), type);
-  }
-
   const heartbeatIntervalId = setInterval(() => {
     if (isClosed) {
       return;
@@ -765,60 +789,55 @@ app.get('/api/processes/:target/logs/stream', async (req, res) => {
     res.write(`data: ${JSON.stringify({ ok: true })}\n\n`);
   }, 15000);
 
-  logProcess.stdout.on('data', (chunk) => {
-    handleChunk('stdout', chunk);
-  });
-
-  logProcess.stderr.on('data', (chunk) => {
-    handleChunk('stderr', chunk);
-  });
-
-  logProcess.on('error', (error) => {
+  function handleStreamError(error) {
     console.error('Logs stream API error:', error);
     if (isClosed) {
       return;
     }
     res.write(`event: logs-error\n`);
     res.write(`data: ${JSON.stringify({ ok: false, error: error.message || 'Failed to stream logs' })}\n\n`);
-  });
+  }
 
-  logProcess.on('close', () => {
-    writeEntries(buffers.stdout, 'stdout');
-    writeEntries(buffers.stderr, 'stderr');
-    clearInterval(heartbeatIntervalId);
-    if (!isClosed) {
-      res.end();
+  try {
+    const processes = await listProcesses();
+    const process = findProcessByTarget(processes, target);
+
+    if (!process) {
+      throw Object.assign(new Error('PM2 target was not found'), { statusCode: 404 });
     }
-  });
+
+    logBus = await connectLogBus();
+    logBus.bus.on('log:*', (type, packet) => {
+      const packetProcess = packet?.process || {};
+      const normalizedTarget = String(target || '').trim();
+
+      if (String(packetProcess.pm_id ?? '') !== normalizedTarget && String(packetProcess.name || '') !== normalizedTarget) {
+        return;
+      }
+
+      writeEntries(String(packet?.data || ''), getLiveLogType(type));
+    });
+  } catch (error) {
+    handleStreamError(error);
+  }
 
   req.on('close', () => {
     isClosed = true;
     clearInterval(heartbeatIntervalId);
-    logProcess.kill();
+    logBus?.close();
   });
 });
 
 app.post('/api/processes/:target/logs/clear', async (req, res) => {
   try {
     const target = String(req.params.target || '');
-
-    execFile(pm2CliPath, ['flush', target], (error, stdout, stderr) => {
-      if (error) {
-        console.error('Clear logs API error:', error);
-        res.status(500).json({
-          ok: false,
-          error: stderr || error.message || 'Failed to clear logs'
-        });
-        return;
-      }
-
-      res.json({
-        ok: true,
-        target,
-        message: `Cleared logs for ${target}`,
-        output: stdout || '',
-        errors: stderr || ''
-      });
+    await flushProcessLogs(target);
+    res.json({
+      ok: true,
+      target,
+      message: `Cleared logs for ${target}`,
+      output: '',
+      errors: ''
     });
   } catch (error) {
     console.error('Clear logs API error:', error);

package/user_manual.md

@@ -21,10 +21,9 @@ Node WebUI is a local web dashboard for monitoring and managing Node.js services
 - macOS
 - Node.js 18 or newer
 - npm
-- PM2 installed and available on your shell path
-- One or more PM2-managed processes, unless you only want to create a process from the UI
+- One or more PM2-managed processes, unless you only want to create one from the UI
 
-Install PM2 globally if it is not installed:
+Node WebUI includes PM2 as a package dependency for dashboard operations. Install PM2 globally only if you want to use the `pm2` command in your terminal:
 
 ```bash
 npm install -g pm2
@@ -52,6 +51,8 @@ Install dependencies:
 npm install
 ```
 
+This installs both runtime dependencies and development dependencies needed to rebuild the React frontend. The published npm package ships the built frontend bundle for normal CLI use.
+
 Start Node WebUI:
 
 ```bash
@@ -212,6 +213,8 @@ Per-process action buttons:
 
 Some actions require confirmation before they run.
 
+Process actions, create, delete, save, log clearing, and Finder reveal are sent through Node WebUI's local API with a same-origin session token. If the page was loaded from the Node WebUI server, this is handled automatically.
+
 ## Bulk Actions
 
 Select one or more rows using the table checkboxes. The bulk action bar supports:
@@ -255,6 +258,8 @@ The logs workspace supports:
 
 The row-level log action opens logs for that specific process.
 
+Recent log history is read from the selected process stdout and stderr log files reported by PM2. Live log updates use PM2's Node API event bus. If a PM2 log file is missing or has been rotated away, that stream may show no recent entries until the process writes new output.
+
 ## Create PM2 App
 
 Click `Create PM2 App` to register a new PM2 process.
@@ -407,7 +412,7 @@ npm start
 
 ### Process actions fail
 
-Check that PM2 is installed and available:
+Check PM2 from the same shell/user that starts Node WebUI:
 
 ```bash
 pm2 -v
@@ -421,6 +426,8 @@ pm2 list
 
 If the process is protected, remove it from the protected list or adjust `PROTECTED_PM2_PROCESSES`.
 
+If the browser tab has been open across a Node WebUI restart, refresh the page so it fetches a fresh local API session token.
+
 ### Open folder does not work
 
 Open folder is designed for macOS Finder. It requires the process to have a valid script path or working directory.
@@ -456,3 +463,5 @@ Node WebUI is designed for local use. The server binds to:
 ```
 
 Do not expose it directly to the public internet. If you need remote access, put it behind authentication and a reverse proxy.
+
+Unsafe API methods require a same-origin session token generated by the local server. This reduces the risk of another website triggering local PM2 actions from your browser, but it is not full authentication and should not be treated as protection for LAN or internet exposure.