@lamalibre/portlama-agent 1.0.22 → 1.0.24

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamalibre/portlama-agent",
-  "version": "1.0.22",
+  "version": "1.0.24",
   "description": "Tunnel agent for Portlama — manages Chisel tunnel client as a system service",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",

package/src/lib/agent-plugins.js

@@ -21,7 +21,7 @@ import { agentDataDir, agentPluginsFile, agentPluginsDir } from './platform.js';
 const RESERVED_NAMES = [
   'health', 'onboarding', 'invite', 'enroll', 'tunnels', 'sites', 'system',
   'services', 'logs', 'users', 'certs', 'invitations', 'plugins', 'tickets',
-  'settings', 'identity', 'storage', 'agents',
+  'settings', 'identity', 'storage', 'agents', 'user-access',
 ];
 
 // --- Promise-chain mutex (serialises registry modifications) ---

package/src/lib/local-plugins.js

@@ -7,7 +7,8 @@ import { localDir, localPluginsFile, localPluginsDir } from './platform.js';
 // Reserved names that cannot be used as plugin names (matches panel-server constants).
 const RESERVED_NAMES = [
   'health', 'onboarding', 'invite', 'enroll', 'tunnels', 'sites', 'system',
-  'services', 'logs', 'users', 'certs', 'invitations', 'plugins', 'tickets', 'settings',
+  'services', 'logs', 'users', 'certs', 'invitations', 'plugins', 'tickets',
+  'settings', 'identity', 'storage', 'agents', 'user-access',
 ];
 
 // --- Promise-chain mutex (serialises registry modifications) ---

package/src/lib/panel-server.js

@@ -67,8 +67,15 @@ export async function startPanelServer(label, { port = 9393 } = {}) {
     // Allow health check without auth
     if (request.url === '/api/health') return;
 
-    // Static assets don't need API-level auth (nginx already verified mTLS)
-    if (!request.url.startsWith('/api')) return;
+    // Plugin bundles are intentionally public (loaded via <script> tag)
+    if (request.url.startsWith('/plugin-bundles/')) return;
+
+    // Auth is required for /api/* management routes AND all plugin routes
+    // (/<pluginName>/..., including non-/api/ sub-paths). Static assets (SPA
+    // files served by fastify-static from root) don't need auth.
+    const needsAuth = request.url.startsWith('/api') ||
+      /^\/[a-z0-9-]+\//.test(request.url);
+    if (!needsAuth) return;
 
     const verify = request.headers['x-ssl-client-verify'];
     if (verify !== 'SUCCESS') {
@@ -85,6 +92,35 @@ export async function startPanelServer(label, { port = 9393 } = {}) {
         request.certRole = 'agent';
         return;
       }
+
+      // Authelia-authenticated user (plugin tunnel access).
+      // When nginx routes through an Authelia-protected plugin vhost,
+      // Remote-User is set after successful Authelia forward auth. The header
+      // is cleared then re-injected by nginx — cannot be forged from outside.
+      // Port 9393 binds 127.0.0.1, so external traffic only arrives via nginx.
+      //
+      // Authelia users are restricted to plugin routes only (/{pluginName}/...).
+      // They must NOT access agent management API (/api/*) — those require
+      // mTLS (admin/agent cert) or localhost origin (desktop app).
+      const remoteUser = request.headers['remote-user'];
+      if (remoteUser) {
+        // Validate username format (defense-in-depth against header injection)
+        if (!/^[a-z0-9_.-]+$/i.test(remoteUser)) {
+          return reply.code(403).send({ error: 'Invalid user identity' });
+        }
+
+        // Block access to /api/* management endpoints — Authelia users
+        // may only access plugin routes (/{pluginName}/api/...)
+        if (request.url.startsWith('/api')) {
+          return reply.code(403).send({ error: 'Management API requires certificate authentication' });
+        }
+
+        request.certCN = `user:${remoteUser}`;
+        request.certRole = 'user';
+        request.autheliaUser = remoteUser;
+        return;
+      }
+
       return reply.code(403).send({ error: 'Valid mTLS certificate required' });
     }