@linkshell/gateway 0.2.21 → 0.2.23

package/src/index.ts

@@ -19,6 +19,7 @@ import {
   handleTunnelRequest,
   cleanupSessionTunnels,
 } from "./tunnel.js";
+import { AUTH_REQUIRED, requireAuth, checkWsAuth, validateRequest, checkSubscriptionByUserId } from "./auth-middleware.js";
 
 const port = Number(process.env.PORT ?? 8787);
 const logLevel = (process.env.LOG_LEVEL ?? "info") as
@@ -173,6 +174,28 @@ async function handleRequest(
     return;
   }
 
+  // Sessions owned by authenticated user (before AUTH_REQUIRED guard — uses its own auth)
+  if (method === "GET" && url.pathname === "/sessions/mine") {
+    const authResult = await validateRequest(req);
+    if (!authResult || !authResult.userId) {
+      json(res, 401, { error: "auth_required", message: "Authentication required" });
+      return;
+    }
+    const sessions = sessionManager
+      .listActive()
+      .filter((s) => s.userId === authResult.userId)
+      .map((s) => sessionManager.getSummary(s.id))
+      .filter(Boolean);
+    json(res, 200, { sessions });
+    return;
+  }
+
+  // Auth check for premium gateway (skip healthz and /sessions/mine)
+  if (AUTH_REQUIRED) {
+    const authResult = await requireAuth(req, res);
+    if (!authResult) return; // response already sent
+  }
+
   // Create pairing
   if (method === "POST" && url.pathname === "/pairings") {
     if (!isRateLimitBypassed(ip) && !pairingLimiter.allow(ip)) {
@@ -345,6 +368,27 @@ server.on("upgrade", (request, socket, head) => {
     return;
   }
 
+  // Auth check for premium gateway WebSocket connections
+  if (AUTH_REQUIRED) {
+    checkWsAuth(request).then((authResult) => {
+      if (!authResult || !authResult.authenticated) {
+        socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+        socket.destroy();
+        return;
+      }
+      if (!authResult.subscribed) {
+        socket.write("HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nPro subscription required. Subscribe at https://itool.tech\r\n");
+        socket.destroy();
+        return;
+      }
+      (request as any).__authResult = authResult;
+      wss.handleUpgrade(request, socket, head, (ws) => {
+        wss.emit("connection", ws, request, url);
+      });
+    });
+    return;
+  }
+
   wss.handleUpgrade(request, socket, head, (ws) => {
     wss.emit("connection", ws, request, url);
   });
@@ -386,6 +430,15 @@ wss.on(
         existingSession.clients.size > 0 &&
         existingSession.state === "host_disconnected";
       sessionManager.setHost(sessionId, device);
+
+      // Associate userId from auth (for AUTH_REQUIRED gateways)
+      const authResult = (_request as any).__authResult as
+        | { userId?: string }
+        | undefined;
+      if (authResult?.userId) {
+        const session = sessionManager.get(sessionId);
+        if (session) session.userId = authResult.userId;
+      }
       if (isReconnect) {
         const notification = serializeEnvelope(
           createEnvelope({
@@ -509,6 +562,57 @@ function shutdown() {
 process.on("SIGINT", shutdown);
 process.on("SIGTERM", shutdown);
 
+// ── Subscription expiry checker (AUTH_REQUIRED gateways only) ──────
+
+const SUB_CHECK_INTERVAL = 5 * 60_000; // 5 minutes
+
+if (AUTH_REQUIRED) {
+  setInterval(async () => {
+    for (const session of sessionManager.listActive()) {
+      if (!session.userId || !session.host) continue;
+      const stillSubscribed = await checkSubscriptionByUserId(session.userId);
+      if (!stillSubscribed) {
+        log("info", `subscription expired for user ${session.userId}, disconnecting session ${session.id}`);
+        // Notify host
+        try {
+          session.host.socket.send(
+            serializeEnvelope(
+              createEnvelope({
+                type: "session.error",
+                sessionId: session.id,
+                payload: {
+                  code: "subscription_expired",
+                  message: "Your Pro subscription has expired. Renew at https://itool.tech",
+                },
+              }),
+            ),
+          );
+        } catch {}
+        // Close host connection
+        session.host.socket.close(4003, "subscription_expired");
+        // Notify clients
+        for (const [, client] of session.clients) {
+          try {
+            client.socket.send(
+              serializeEnvelope(
+                createEnvelope({
+                  type: "session.error",
+                  sessionId: session.id,
+                  payload: {
+                    code: "subscription_expired",
+                    message: "Host subscription expired. Session ended.",
+                  },
+                }),
+              ),
+            );
+            client.socket.close(4003, "subscription_expired");
+          } catch {}
+        }
+      }
+    }
+  }, SUB_CHECK_INTERVAL);
+}
+
 // ── Start ───────────────────────────────────────────────────────────
 
 server.listen(port, () => {

package/src/sessions.ts

@@ -27,6 +27,8 @@ export interface Session {
   platform: string | undefined;
   cwd: string | undefined;
   projectName: string | undefined;
+  // Auth: user who owns this session (set on AUTH_REQUIRED gateways)
+  userId: string | undefined;
 }
 
 const OUTPUT_BUFFER_CAPACITY = 200;
@@ -60,6 +62,7 @@ export class SessionManager {
         platform: undefined,
         cwd: undefined,
         projectName: undefined,
+        userId: undefined,
       };
       this.sessions.set(sessionId, session);
     }
@@ -194,6 +197,7 @@ export class SessionManager {
       platform: session.platform ?? null,
       cwd: session.cwd ?? null,
       projectName: session.projectName ?? null,
+      userId: session.userId ?? null,
     };
   }
 

package/src/tunnel.ts

@@ -209,29 +209,29 @@ export function handleTunnelResponse(payload: {
   body: string;
   isFinal: boolean;
 }): void {
-  const pending = pendingRequests.get(payload.requestId);
-  if (!pending) return;
-
-  if (!pending.headersSent) {
-    // Merge CORS headers
-    const responseHeaders: Record<string, string> = {
-      ...payload.headers,
-      "access-control-allow-origin": "*",
-    };
-    pending.res.writeHead(payload.statusCode, responseHeaders);
-    pending.headersSent = true;
-  }
+  try {
+    const pending = pendingRequests.get(payload.requestId);
+    if (!pending) return;
+
+    if (!pending.headersSent) {
+      const responseHeaders: Record<string, string> = {
+        ...payload.headers,
+        "access-control-allow-origin": "*",
+      };
+      pending.res.writeHead(payload.statusCode, responseHeaders);
+      pending.headersSent = true;
+    }
 
-  // Write body chunk
-  if (payload.body) {
-    pending.res.write(Buffer.from(payload.body, "base64"));
-  }
+    if (payload.body) {
+      pending.res.write(Buffer.from(payload.body, "base64"));
+    }
 
-  if (payload.isFinal) {
-    clearTimeout(pending.timeout);
-    pendingRequests.delete(payload.requestId);
-    pending.res.end();
-  }
+    if (payload.isFinal) {
+      clearTimeout(pending.timeout);
+      pendingRequests.delete(payload.requestId);
+      pending.res.end();
+    }
+  } catch {}
 }
 
 export function handleTunnelWsData(payload: {
@@ -239,10 +239,12 @@ export function handleTunnelWsData(payload: {
   data: string;
   isBinary: boolean;
 }): void {
-  const pending = pendingWsSockets.get(payload.requestId);
-  if (!pending) return;
-  const buf = Buffer.from(payload.data, "base64");
-  pending.ws.send(payload.isBinary ? buf : buf.toString("utf8"));
+  try {
+    const pending = pendingWsSockets.get(payload.requestId);
+    if (!pending || pending.ws.readyState !== 1) return;
+    const buf = Buffer.from(payload.data, "base64");
+    pending.ws.send(payload.isBinary ? buf : buf.toString("utf8"));
+  } catch {}
 }
 
 export function handleTunnelWsClose(payload: {
@@ -250,11 +252,15 @@ export function handleTunnelWsClose(payload: {
   code?: number;
   reason?: string;
 }): void {
-  const pending = pendingWsSockets.get(payload.requestId);
-  if (!pending) return;
-  const code = payload.code && payload.code >= 1000 && payload.code <= 4999 ? payload.code : 1000;
-  pending.ws.close(code, payload.reason ?? "");
-  pendingWsSockets.delete(payload.requestId);
+  try {
+    const pending = pendingWsSockets.get(payload.requestId);
+    if (!pending) return;
+    pendingWsSockets.delete(payload.requestId);
+    if (pending.ws.readyState === 1) {
+      const code = typeof payload.code === "number" && payload.code >= 1000 && payload.code <= 4999 ? payload.code : 1000;
+      pending.ws.close(code, payload.reason ?? "");
+    }
+  } catch {}
 }
 
 export function registerTunnelWs(requestId: string, ws: WebSocket): void {
@@ -330,36 +336,41 @@ export function handleTunnelWsUpgrade(
 
   // Forward data from browser WS to host
   ws.on("message", (data: Buffer | string) => {
-    const s = sessions.get(sessionId);
-    if (!s?.host || s.host.socket.readyState !== s.host.socket.OPEN) return;
-    const isBinary = typeof data !== "string";
-    const buf = typeof data === "string" ? Buffer.from(data) : data;
-    const fwd = createEnvelope({
-      type: "tunnel.ws.data",
-      sessionId,
-      payload: {
-        requestId,
-        data: buf.toString("base64"),
-        isBinary,
-      },
-    });
-    s.host.socket.send(serializeEnvelope(fwd));
+    try {
+      const s = sessions.get(sessionId);
+      if (!s?.host || s.host.socket.readyState !== s.host.socket.OPEN) return;
+      const isBinary = typeof data !== "string";
+      const buf = typeof data === "string" ? Buffer.from(data) : data;
+      const fwd = createEnvelope({
+        type: "tunnel.ws.data",
+        sessionId,
+        payload: {
+          requestId,
+          data: buf.toString("base64"),
+          isBinary,
+        },
+      });
+      s.host.socket.send(serializeEnvelope(fwd));
+    } catch {}
   });
 
   ws.on("close", (code, reason) => {
-    removeTunnelWs(requestId);
-    untrackRequest(sessionId, requestId);
-    const s = sessions.get(sessionId);
-    if (!s?.host || s.host.socket.readyState !== s.host.socket.OPEN) return;
-    const fwd = createEnvelope({
-      type: "tunnel.ws.close",
-      sessionId,
-      payload: {
-        requestId,
-        code,
-        reason: reason?.toString() || "",
-      },
-    });
-    s.host.socket.send(serializeEnvelope(fwd));
+    try {
+      removeTunnelWs(requestId);
+      untrackRequest(sessionId, requestId);
+      const s = sessions.get(sessionId);
+      if (!s?.host || s.host.socket.readyState !== s.host.socket.OPEN) return;
+      const safeCode = typeof code === "number" && code >= 1000 && code <= 4999 ? code : 1000;
+      const fwd = createEnvelope({
+        type: "tunnel.ws.close",
+        sessionId,
+        payload: {
+          requestId,
+          code: safeCode,
+          reason: reason?.toString() || "",
+        },
+      });
+      s.host.socket.send(serializeEnvelope(fwd));
+    } catch {}
   });
 }