@linkshell/gateway 0.2.25 → 0.2.27

package/src/relay.ts

@@ -141,29 +141,31 @@ function handleClientMessage(
   deviceId: string,
   sessions: SessionManager,
 ): void {
+  const requireController = (): boolean => {
+    if (session.controllerId === deviceId) return true;
+    socket.send(
+      serializeEnvelope(
+        createEnvelope({
+          type: "session.error",
+          sessionId: session.id,
+          payload: {
+            code: "control_conflict",
+            message: "Not the controller",
+          },
+        }),
+      ),
+    );
+    return false;
+  };
+
   switch (envelope.type) {
     case "terminal.input": {
-      // Only controller can send input
-      if (session.controllerId !== deviceId) {
-        socket.send(
-          serializeEnvelope(
-            createEnvelope({
-              type: "session.error",
-              sessionId: session.id,
-              payload: {
-                code: "control_conflict",
-                message: "Not the controller",
-              },
-            }),
-          ),
-        );
-        return;
-      }
+      if (!requireController()) return;
       sendToHost(session, envelope);
       break;
     }
     case "terminal.resize": {
-      if (session.controllerId !== deviceId) return;
+      if (!requireController()) return;
       sendToHost(session, envelope);
       break;
     }
@@ -175,7 +177,11 @@ function handleClientMessage(
     case "session.resume": {
       const p = parseTypedPayload("session.resume", envelope.payload);
       // Replay from gateway buffer first
-      const replay = sessions.getReplayFrom(session.id, p.lastAckedSeq);
+      const replay = sessions.getReplayFrom(
+        session.id,
+        p.lastAckedSeqByTerminal,
+        p.lastAckedSeq,
+      );
       for (const msg of replay) {
         const payload = msg.payload as Record<string, unknown>;
         socket.send(
@@ -183,6 +189,7 @@ function handleClientMessage(
             createEnvelope({
               type: "terminal.output",
               sessionId: session.id,
+              terminalId: msg.terminalId,
               seq: msg.seq,
               payload: { ...payload, isReplay: true },
             }),
@@ -234,6 +241,10 @@ function handleClientMessage(
     case "terminal.list":
     case "terminal.browse":
     case "terminal.mkdir":
+    case "terminal.history.request":
+    case "file.upload":
+    case "permission.decision":
+      if (!requireController()) return;
       sendToHost(session, envelope);
       break;
     default:

package/src/sessions.ts

@@ -84,6 +84,9 @@ export class SessionManager {
   addClient(sessionId: string, device: ConnectedDevice): void {
     const session = this.getOrCreate(sessionId);
     session.clients.set(device.deviceId, device);
+    if (!session.controllerId) {
+      session.controllerId = device.deviceId;
+    }
     session.lastActivity = Date.now();
   }
 
@@ -154,16 +157,26 @@ export class SessionManager {
     return [...session.lastStatusByTerminal.values()];
   }
 
-  getReplayFrom(sessionId: string, afterSeq: number): Envelope[] {
+  getReplayFrom(
+    sessionId: string,
+    afterSeqByTerminal: Record<string, number>,
+    fallbackAfterSeq = -1,
+  ): Envelope[] {
     const session = this.sessions.get(sessionId);
     if (!session) return [];
     const result: Envelope[] = [];
-    for (const buf of session.outputBuffers.values()) {
+    for (const [terminalId, buf] of session.outputBuffers) {
+      const afterSeq = afterSeqByTerminal[terminalId] ?? fallbackAfterSeq;
       for (const e of buf) {
         if (e.seq !== undefined && e.seq > afterSeq) result.push(e);
       }
     }
-    return result.sort((a, b) => (a.seq ?? 0) - (b.seq ?? 0));
+    return result.sort((a, b) => {
+      const at = Date.parse(a.timestamp);
+      const bt = Date.parse(b.timestamp);
+      if (!Number.isNaN(at) && !Number.isNaN(bt) && at !== bt) return at - bt;
+      return (a.seq ?? 0) - (b.seq ?? 0);
+    });
   }
 
   claimControl(sessionId: string, deviceId: string): boolean {

package/src/state-store.ts

@@ -0,0 +1,131 @@
+export interface StoredTokenRecord {
+  token: string;
+  sessionIds: string[];
+  createdAt: number;
+  lastUsedAt: number;
+}
+
+export interface StoredPairingRecord {
+  sessionId: string;
+  pairingCode: string;
+  expiresAt: number;
+  claimed: boolean;
+}
+
+export interface GatewayStateStore {
+  loadTokens(): Promise<StoredTokenRecord[]>;
+  saveToken(record: StoredTokenRecord): Promise<void>;
+  deleteToken(token: string): Promise<void>;
+  loadPairings(): Promise<StoredPairingRecord[]>;
+  savePairing(record: StoredPairingRecord): Promise<void>;
+  deletePairing(pairingCode: string): Promise<void>;
+}
+
+const TOKEN_TABLE = process.env.SUPABASE_GATEWAY_TOKEN_TABLE ?? "linkshell_gateway_tokens";
+const PAIRING_TABLE = process.env.SUPABASE_GATEWAY_PAIRING_TABLE ?? "linkshell_gateway_pairings";
+
+function msToIso(ms: number): string {
+  return new Date(ms).toISOString();
+}
+
+function isoToMs(value: unknown): number {
+  if (typeof value !== "string") return Date.now();
+  const parsed = Date.parse(value);
+  return Number.isNaN(parsed) ? Date.now() : parsed;
+}
+
+export function createSupabaseStateStore(): GatewayStateStore | undefined {
+  const url = process.env.SUPABASE_URL?.replace(/\/+$/, "");
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.SUPABASE_ANON_KEY;
+  if (!url || !key) return undefined;
+
+  const headers = {
+    apikey: key,
+    Authorization: `Bearer ${key}`,
+    "Content-Type": "application/json",
+  };
+
+  async function request<T>(path: string, init?: RequestInit): Promise<T> {
+    const res = await fetch(`${url}/rest/v1/${path}`, {
+      ...init,
+      headers: {
+        ...headers,
+        ...(init?.headers ?? {}),
+      },
+    });
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      throw new Error(`Supabase state store ${res.status}: ${body || res.statusText}`);
+    }
+    if (res.status === 204) return undefined as T;
+    return (await res.json()) as T;
+  }
+
+  return {
+    async loadTokens() {
+      const rows = await request<Array<Record<string, unknown>>>(
+        `${TOKEN_TABLE}?select=token,session_ids,created_at,last_used_at`,
+      );
+      return rows.map((row) => ({
+        token: String(row.token ?? ""),
+        sessionIds: Array.isArray(row.session_ids)
+          ? row.session_ids.map(String)
+          : [],
+        createdAt: isoToMs(row.created_at),
+        lastUsedAt: isoToMs(row.last_used_at),
+      })).filter((record) => record.token);
+    },
+    async saveToken(record) {
+      await request(
+        `${TOKEN_TABLE}?on_conflict=token`,
+        {
+          method: "POST",
+          headers: { Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({
+            token: record.token,
+            session_ids: record.sessionIds,
+            created_at: msToIso(record.createdAt),
+            last_used_at: msToIso(record.lastUsedAt),
+          }),
+        },
+      );
+    },
+    async deleteToken(token) {
+      await request(`${TOKEN_TABLE}?token=eq.${encodeURIComponent(token)}`, {
+        method: "DELETE",
+      });
+    },
+    async loadPairings() {
+      const rows = await request<Array<Record<string, unknown>>>(
+        `${PAIRING_TABLE}?select=pairing_code,session_id,expires_at,claimed`,
+      );
+      return rows.map((row) => ({
+        pairingCode: String(row.pairing_code ?? ""),
+        sessionId: String(row.session_id ?? ""),
+        expiresAt: isoToMs(row.expires_at),
+        claimed: row.claimed === true,
+      })).filter((record) => record.pairingCode && record.sessionId);
+    },
+    async savePairing(record) {
+      await request(
+        `${PAIRING_TABLE}?on_conflict=pairing_code`,
+        {
+          method: "POST",
+          headers: { Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({
+            pairing_code: record.pairingCode,
+            session_id: record.sessionId,
+            expires_at: msToIso(record.expiresAt),
+            claimed: record.claimed,
+          }),
+        },
+      );
+    },
+    async deletePairing(pairingCode) {
+      await request(
+        `${PAIRING_TABLE}?pairing_code=eq.${encodeURIComponent(pairingCode)}`,
+        { method: "DELETE" },
+      );
+    },
+  };
+}

package/src/tokens.ts

@@ -1,4 +1,5 @@
 import { randomUUID } from "node:crypto";
+import type { GatewayStateStore } from "./state-store.js";
 
 const CLEANUP_INTERVAL = 5 * 60_000;
 const SESSION_TTL = 7 * 24 * 60 * 60_000; // 7 days — prune stale bindings
@@ -15,14 +16,40 @@ export class TokenManager {
   private sessionToToken = new Map<string, string>();
   private cleanupTimer: ReturnType<typeof setInterval>;
 
-  constructor() {
+  constructor(private readonly store?: GatewayStateStore) {
     this.cleanupTimer = setInterval(() => this.cleanup(), CLEANUP_INTERVAL);
   }
 
+  async hydrate(): Promise<void> {
+    if (!this.store) return;
+    try {
+      const records = await this.store.loadTokens();
+      const now = Date.now();
+      for (const record of records) {
+        if (now - record.lastUsedAt > SESSION_TTL) {
+          void this.store.deleteToken(record.token).catch(() => {});
+          continue;
+        }
+        this.tokens.set(record.token, {
+          token: record.token,
+          sessionIds: new Set(record.sessionIds),
+          createdAt: record.createdAt,
+          lastUsedAt: record.lastUsedAt,
+        });
+        for (const sessionId of record.sessionIds) {
+          this.sessionToToken.set(sessionId, record.token);
+        }
+      }
+    } catch (err) {
+      process.stderr.write(`[gateway] token store hydrate failed, using memory only: ${err}\n`);
+    }
+  }
+
   register(deviceToken?: string): string {
     if (deviceToken && this.tokens.has(deviceToken)) {
       const record = this.tokens.get(deviceToken)!;
       record.lastUsedAt = Date.now();
+      this.persist(record);
       return deviceToken;
     }
     const token = deviceToken || randomUUID();
@@ -32,6 +59,7 @@ export class TokenManager {
       createdAt: Date.now(),
       lastUsedAt: Date.now(),
     });
+    this.persist(this.tokens.get(token)!);
     return token;
   }
 
@@ -41,6 +69,7 @@ export class TokenManager {
     record.sessionIds.add(sessionId);
     record.lastUsedAt = Date.now();
     this.sessionToToken.set(sessionId, token);
+    this.persist(record);
     return true;
   }
 
@@ -48,6 +77,7 @@ export class TokenManager {
     const record = this.tokens.get(token);
     if (!record) return false;
     record.lastUsedAt = Date.now();
+    this.persist(record);
     return true;
   }
 
@@ -55,6 +85,7 @@ export class TokenManager {
     const record = this.tokens.get(token);
     if (!record) return false;
     record.lastUsedAt = Date.now();
+    this.persist(record);
     return record.sessionIds.has(sessionId);
   }
 
@@ -62,6 +93,7 @@ export class TokenManager {
     const record = this.tokens.get(token);
     if (!record) return new Set();
     record.lastUsedAt = Date.now();
+    this.persist(record);
     return record.sessionIds;
   }
 
@@ -77,10 +109,22 @@ export class TokenManager {
           this.sessionToToken.delete(sid);
         }
         this.tokens.delete(token);
+        void this.store?.deleteToken(token).catch(() => {});
       }
     }
   }
 
+  private persist(record: TokenRecord): void {
+    void this.store?.saveToken({
+      token: record.token,
+      sessionIds: [...record.sessionIds],
+      createdAt: record.createdAt,
+      lastUsedAt: record.lastUsedAt,
+    }).catch((err) => {
+      process.stderr.write(`[gateway] token store save failed: ${err}\n`);
+    });
+  }
+
   destroy(): void {
     clearInterval(this.cleanupTimer);
   }

package/src/tunnel.ts

@@ -7,6 +7,7 @@ import {
 } from "@linkshell/protocol";
 import type { SessionManager } from "./sessions.js";
 import type { TokenManager } from "./tokens.js";
+import { AUTH_REQUIRED } from "./auth-middleware.js";
 
 const TUNNEL_TIMEOUT = 30_000;
 const MAX_TUNNEL_BODY = 10 * 1024 * 1024; // 10MB
@@ -111,16 +112,50 @@ export async function handleTunnelRequest(
 ): Promise<void> {
   const { sessionId, port, path } = parsed;
 
-  // Auth
+  // Auth: device token OR Supabase JWT (userId owns session)
   const token = preAuthToken || extractToken(req, url);
-  if (!token || !tokens.owns(token, sessionId)) {
+  const tokenOwns = token && tokens.owns(token, sessionId);
+  let authOwns = false;
+  let authJwt: string | null = null;
+  if (!tokenOwns && AUTH_REQUIRED) {
+    // Try preAuthToken as JWT first (from cookie fallback), then from request headers/params
+    const jwtCandidate = preAuthToken || url.searchParams.get("auth_token") || (() => {
+      const auth = req.headers.authorization;
+      if (auth) { const m = auth.match(/^Bearer\s+(.+)$/i); if (m?.[1]) return m[1]; }
+      return null;
+    })();
+    if (jwtCandidate) {
+      try {
+        const SUPABASE_URL = process.env.SUPABASE_URL ?? "";
+        const SUPABASE_ANON_KEY = process.env.SUPABASE_ANON_KEY ?? "";
+        if (SUPABASE_URL && SUPABASE_ANON_KEY) {
+          const userRes = await fetch(`${SUPABASE_URL}/auth/v1/user`, {
+            headers: { Authorization: `Bearer ${jwtCandidate}`, apikey: SUPABASE_ANON_KEY },
+            signal: AbortSignal.timeout(5_000),
+          });
+          if (userRes.ok) {
+            const user = (await userRes.json()) as { id: string };
+            const session = sessions.get(sessionId);
+            if (user.id && session?.userId && user.id === session.userId) {
+              authOwns = true;
+              authJwt = jwtCandidate;
+            }
+          }
+        }
+      } catch {}
+    }
+  }
+  if (!tokenOwns && !authOwns) {
     errorResponse(res, 401, "Unauthorized");
     return;
   }
 
-  // Set auth cookie for subsequent sub-resource requests (root path so /_next/... etc. are covered)
-  const cookieVal = encodeURIComponent(`${sessionId}:${port}:${token}`);
-  res.setHeader("Set-Cookie", `lsh_tunnel=${cookieVal}; Path=/; HttpOnly; SameSite=Lax`);
+  // Set auth cookie for subsequent sub-resource requests
+  const cookieToken = tokenOwns ? token : authJwt;
+  if (cookieToken) {
+    const cookieVal = encodeURIComponent(`${sessionId}:${port}:${cookieToken}`);
+    res.setHeader("Set-Cookie", `lsh_tunnel=${cookieVal}; Path=/; HttpOnly; SameSite=Lax`);
+  }
 
   // Validate session & host
   const session = sessions.get(sessionId);
@@ -290,18 +325,43 @@ export function cleanupSessionTunnels(sessionId: string): void {
   sessionRequests.delete(sessionId);
 }
 
-export function handleTunnelWsUpgrade(
+export async function handleTunnelWsUpgrade(
   ws: WebSocket,
   parsed: { sessionId: string; port: number; path: string },
   url: URL,
   sessions: SessionManager,
   tokens: TokenManager,
-): void {
+): Promise<void> {
   const { sessionId, port, path } = parsed;
 
-  // Auth from query param or cookie in upgrade request
+  // Auth: device token OR Supabase JWT (userId owns session)
   const token = url.searchParams.get("token");
-  if (!token || !tokens.owns(token, sessionId)) {
+  const tokenOwns = token && tokens.owns(token, sessionId);
+  let authOwns = false;
+  if (!tokenOwns && AUTH_REQUIRED) {
+    // Try auth_token param first, then fall back to token param (cookie fallback stores JWT there)
+    const authToken = url.searchParams.get("auth_token") || token;
+    if (authToken) {
+      try {
+        const SUPABASE_URL = process.env.SUPABASE_URL ?? "";
+        const SUPABASE_ANON_KEY = process.env.SUPABASE_ANON_KEY ?? "";
+        if (SUPABASE_URL && SUPABASE_ANON_KEY) {
+          const userRes = await fetch(`${SUPABASE_URL}/auth/v1/user`, {
+            headers: { Authorization: `Bearer ${authToken}`, apikey: SUPABASE_ANON_KEY },
+            signal: AbortSignal.timeout(5_000),
+          });
+          if (userRes.ok) {
+            const user = (await userRes.json()) as { id: string };
+            const session = sessions.get(sessionId);
+            if (user.id && session?.userId && user.id === session.userId) {
+              authOwns = true;
+            }
+          }
+        }
+      } catch {}
+    }
+  }
+  if (!tokenOwns && !authOwns) {
     ws.close(4001, "Unauthorized");
     return;
   }