@linkshell/gateway 0.3.9 → 0.4.0

package/src/tokens.ts

@@ -1,45 +1,47 @@
 import { randomUUID } from "node:crypto";
 import type { GatewayStateStore } from "./state-store.js";
 
-interface DeviceAuthorization {
-  authorizationId: string;
-  hostDeviceId: string;
-  clientDeviceId: string | undefined;
-  clientName: string | undefined;
-  createdAt: number;
-  lastUsedAt: number;
-}
+const CLEANUP_INTERVAL = 5 * 60_000;
+const SESSION_TTL = 7 * 24 * 60 * 60_000; // 7 days — prune stale bindings
 
 interface TokenRecord {
   token: string;
-  authorizations: Map<string, DeviceAuthorization>;
+  sessionIds: Set<string>;
   createdAt: number;
   lastUsedAt: number;
 }
 
-export class AuthorizationManager {
+export class TokenManager {
   private tokens = new Map<string, TokenRecord>();
-  private hostDeviceToTokens = new Map<string, Set<string>>();
+  private sessionToToken = new Map<string, string>();
+  private cleanupTimer: ReturnType<typeof setInterval>;
 
-  constructor(private readonly store?: GatewayStateStore) {}
+  constructor(private readonly store?: GatewayStateStore) {
+    this.cleanupTimer = setInterval(() => this.cleanup(), CLEANUP_INTERVAL);
+  }
 
   async hydrate(): Promise<void> {
     if (!this.store) return;
     try {
-      const records = await this.store.loadAuthorizations();
+      const records = await this.store.loadTokens();
+      const now = Date.now();
       for (const record of records) {
-        const token = this.register(record.token);
-        this.authorize(token, record.hostDeviceId, {
-          authorizationId: record.authorizationId,
-          clientDeviceId: record.clientDeviceId,
-          clientName: record.clientName,
+        if (now - record.lastUsedAt > SESSION_TTL) {
+          void this.store.deleteToken(record.token).catch(() => {});
+          continue;
+        }
+        this.tokens.set(record.token, {
+          token: record.token,
+          sessionIds: new Set(record.sessionIds),
           createdAt: record.createdAt,
           lastUsedAt: record.lastUsedAt,
-          persist: false,
         });
+        for (const sessionId of record.sessionIds) {
+          this.sessionToToken.set(sessionId, record.token);
+        }
       }
     } catch (err) {
-      process.stderr.write(`[gateway] authorization store hydrate failed, using memory only: ${err}\n`);
+      process.stderr.write(`[gateway] token store hydrate failed, using memory only: ${err}\n`);
     }
   }
 
@@ -47,131 +49,83 @@ export class AuthorizationManager {
     if (deviceToken && this.tokens.has(deviceToken)) {
       const record = this.tokens.get(deviceToken)!;
       record.lastUsedAt = Date.now();
+      this.persist(record);
       return deviceToken;
     }
     const token = deviceToken || randomUUID();
     this.tokens.set(token, {
       token,
-      authorizations: new Map(),
+      sessionIds: new Set(),
       createdAt: Date.now(),
       lastUsedAt: Date.now(),
     });
+    this.persist(this.tokens.get(token)!);
     return token;
   }
 
-  authorize(
-    token: string,
-    hostDeviceId: string,
-    input: {
-      authorizationId?: string;
-      clientDeviceId?: string;
-      clientName?: string;
-      createdAt?: number;
-      lastUsedAt?: number;
-      persist?: boolean;
-    } = {},
-  ): DeviceAuthorization | undefined {
-    const record = this.tokens.get(token);
-    if (!record) return undefined;
-    const existing = record.authorizations.get(hostDeviceId);
-    const now = Date.now();
-    const authorization: DeviceAuthorization = {
-      authorizationId: input.authorizationId ?? existing?.authorizationId ?? randomUUID(),
-      hostDeviceId,
-      clientDeviceId: input.clientDeviceId ?? existing?.clientDeviceId,
-      clientName: input.clientName ?? existing?.clientName,
-      createdAt: input.createdAt ?? existing?.createdAt ?? now,
-      lastUsedAt: input.lastUsedAt ?? now,
-    };
-    record.authorizations.set(hostDeviceId, authorization);
-    record.lastUsedAt = now;
-    let tokens = this.hostDeviceToTokens.get(hostDeviceId);
-    if (!tokens) {
-      tokens = new Set();
-      this.hostDeviceToTokens.set(hostDeviceId, tokens);
-    }
-    tokens.add(token);
-    if (input.persist !== false) {
-      this.persist(token, authorization);
-    }
-    return authorization;
-  }
-
-  validate(token: string): boolean {
+  bind(token: string, sessionId: string): boolean {
     const record = this.tokens.get(token);
     if (!record) return false;
+    record.sessionIds.add(sessionId);
     record.lastUsedAt = Date.now();
+    this.sessionToToken.set(sessionId, token);
+    this.persist(record);
     return true;
   }
 
-  owns(token: string, hostDeviceId: string): boolean {
+  validate(token: string): boolean {
     const record = this.tokens.get(token);
     if (!record) return false;
-    const authorization = record.authorizations.get(hostDeviceId);
-    if (!authorization) return false;
-    const now = Date.now();
-    record.lastUsedAt = now;
-    authorization.lastUsedAt = now;
-    this.persist(token, authorization);
+    record.lastUsedAt = Date.now();
+    this.persist(record);
     return true;
   }
 
-  revoke(token: string, hostDeviceId: string, authorizationId: string): boolean {
+  owns(token: string, sessionId: string): boolean {
     const record = this.tokens.get(token);
-    const authorization = record?.authorizations.get(hostDeviceId);
-    if (!record || !authorization || authorization.authorizationId !== authorizationId) {
-      return false;
-    }
-    record.authorizations.delete(hostDeviceId);
-    const tokens = this.hostDeviceToTokens.get(hostDeviceId);
-    tokens?.delete(token);
-    if (tokens && tokens.size === 0) {
-      this.hostDeviceToTokens.delete(hostDeviceId);
-    }
-    void this.store?.deleteAuthorization(authorizationId).catch((err) => {
-      process.stderr.write(`[gateway] authorization store delete failed: ${err}\n`);
-    });
-    return true;
+    if (!record) return false;
+    record.lastUsedAt = Date.now();
+    this.persist(record);
+    return record.sessionIds.has(sessionId);
   }
 
-  getHostDeviceIds(token: string): Set<string> {
+  getSessionIds(token: string): Set<string> {
     const record = this.tokens.get(token);
     if (!record) return new Set();
     record.lastUsedAt = Date.now();
-    return new Set(record.authorizations.keys());
-  }
-
-  getSessionIds(token: string): Set<string> {
-    return this.getHostDeviceIds(token);
+    this.persist(record);
+    return record.sessionIds;
   }
 
-  getAuthorizationId(token: string, hostDeviceId: string): string | undefined {
-    return this.tokens.get(token)?.authorizations.get(hostDeviceId)?.authorizationId;
+  getTokenForSession(sessionId: string): string | undefined {
+    return this.sessionToToken.get(sessionId);
   }
 
-  getTokenForHostDevice(hostDeviceId: string): string | undefined {
-    return this.hostDeviceToTokens.get(hostDeviceId)?.values().next().value;
-  }
-
-  bind(token: string, hostDeviceId: string): boolean {
-    return !!this.authorize(token, hostDeviceId);
+  private cleanup(): void {
+    const now = Date.now();
+    for (const [token, record] of this.tokens) {
+      if (now - record.lastUsedAt > SESSION_TTL) {
+        for (const sid of record.sessionIds) {
+          this.sessionToToken.delete(sid);
+        }
+        this.tokens.delete(token);
+        void this.store?.deleteToken(token).catch(() => {});
+      }
+    }
   }
 
-  private persist(token: string, authorization: DeviceAuthorization): void {
-    void this.store?.saveAuthorization({
-      token,
-      authorizationId: authorization.authorizationId,
-      hostDeviceId: authorization.hostDeviceId,
-      clientDeviceId: authorization.clientDeviceId,
-      clientName: authorization.clientName,
-      createdAt: authorization.createdAt,
-      lastUsedAt: authorization.lastUsedAt,
+  private persist(record: TokenRecord): void {
+    void this.store?.saveToken({
+      token: record.token,
+      sessionIds: [...record.sessionIds],
+      createdAt: record.createdAt,
+      lastUsedAt: record.lastUsedAt,
     }).catch((err) => {
-      process.stderr.write(`[gateway] authorization store save failed: ${err}\n`);
+      process.stderr.write(`[gateway] token store save failed: ${err}\n`);
     });
   }
 
-  destroy(): void {}
+  destroy(): void {
+    clearInterval(this.cleanupTimer);
+  }
 }
-
-export class TokenManager extends AuthorizationManager {}

package/src/tunnel.ts

@@ -5,7 +5,7 @@ import {
   createEnvelope,
   serializeEnvelope,
 } from "@linkshell/protocol";
-import type { DeviceManager } from "./sessions.js";
+import type { SessionManager } from "./sessions.js";
 import type { TokenManager } from "./tokens.js";
 import { AUTH_REQUIRED } from "./auth-middleware.js";
 
@@ -26,23 +26,23 @@ export interface PendingTunnelWs {
 const pendingRequests = new Map<string, PendingTunnelRequest>();
 const pendingWsSockets = new Map<string, PendingTunnelWs>();
 
-// Track requestIds per host device for cleanup on host disconnect
-const deviceRequests = new Map<string, Set<string>>();
+// Track requestIds per session for cleanup on host disconnect
+const sessionRequests = new Map<string, Set<string>>();
 
-function trackRequest(hostDeviceId: string, requestId: string): void {
-  let set = deviceRequests.get(hostDeviceId);
+function trackRequest(sessionId: string, requestId: string): void {
+  let set = sessionRequests.get(sessionId);
   if (!set) {
     set = new Set();
-    deviceRequests.set(hostDeviceId, set);
+    sessionRequests.set(sessionId, set);
   }
   set.add(requestId);
 }
 
-function untrackRequest(hostDeviceId: string, requestId: string): void {
-  const set = deviceRequests.get(hostDeviceId);
+function untrackRequest(sessionId: string, requestId: string): void {
+  const set = sessionRequests.get(sessionId);
   if (set) {
     set.delete(requestId);
-    if (set.size === 0) deviceRequests.delete(hostDeviceId);
+    if (set.size === 0) sessionRequests.delete(sessionId);
   }
 }
 
@@ -65,19 +65,19 @@ function extractToken(req: IncomingMessage, url: URL): string | null {
   return null;
 }
 
-/** Parse lsh_tunnel cookie: "hostDeviceId:port:token" */
-export function parseTunnelCookie(req: IncomingMessage): { hostDeviceId: string; port: number; token: string } | null {
+/** Parse lsh_tunnel cookie: "sessionId:port:token" */
+export function parseTunnelCookie(req: IncomingMessage): { sessionId: string; port: number; token: string } | null {
   const cookie = req.headers.cookie;
   if (!cookie) return null;
   const match = cookie.match(/lsh_tunnel=([^;]+)/);
   if (!match?.[1]) return null;
   const parts = decodeURIComponent(match[1]).split(":");
   if (parts.length < 3) return null;
-  const hostDeviceId = parts[0]!;
+  const sessionId = parts[0]!;
   const port = Number(parts[1]);
   const token = parts.slice(2).join(":"); // token may contain colons
-  if (!hostDeviceId || isNaN(port) || port < 1 || port > 65535 || !token) return null;
-  return { hostDeviceId, port, token };
+  if (!sessionId || isNaN(port) || port < 1 || port > 65535 || !token) return null;
+  return { sessionId, port, token };
 }
 
 function errorResponse(res: ServerResponse, status: number, message: string): void {
@@ -89,38 +89,32 @@ function errorResponse(res: ServerResponse, status: number, message: string): vo
   res.end(message);
 }
 
-export function parseTunnelPath(pathname: string): { hostDeviceId: string; port: number; path: string } | null {
+export function parseTunnelPath(pathname: string): { sessionId: string; port: number; path: string } | null {
   const match = pathname.match(/^\/tunnel\/([^/]+)\/(\d+)(\/.*)?$/);
   if (!match) return null;
   const port = Number(match[2]);
   if (port < 1 || port > 65535) return null;
   return {
-    hostDeviceId: match[1]!,
+    sessionId: match[1]!,
     port,
     path: match[3] || "/",
   };
 }
 
-type ParsedTunnelTarget = {
-  hostDeviceId: string;
-  port: number;
-  path: string;
-};
-
 export async function handleTunnelRequest(
   req: IncomingMessage,
   res: ServerResponse,
-  sessions: DeviceManager,
+  sessions: SessionManager,
   tokens: TokenManager,
-  parsed: ParsedTunnelTarget,
+  parsed: { sessionId: string; port: number; path: string },
   url: URL,
   preAuthToken?: string,
 ): Promise<void> {
-  const { hostDeviceId, port, path } = parsed;
+  const { sessionId, port, path } = parsed;
 
   // Auth: device token OR Supabase JWT (userId owns session)
   const token = preAuthToken || extractToken(req, url);
-  const tokenOwns = token && tokens.owns(token, hostDeviceId);
+  const tokenOwns = token && tokens.owns(token, sessionId);
   let authOwns = false;
   let authJwt: string | null = null;
   if (!tokenOwns && AUTH_REQUIRED) {
@@ -141,7 +135,7 @@ export async function handleTunnelRequest(
           });
           if (userRes.ok) {
             const user = (await userRes.json()) as { id: string };
-            const session = sessions.get(hostDeviceId);
+            const session = sessions.get(sessionId);
             if (user.id && session?.userId && user.id === session.userId) {
               authOwns = true;
               authJwt = jwtCandidate;
@@ -159,12 +153,12 @@ export async function handleTunnelRequest(
   // Set auth cookie for subsequent sub-resource requests
   const cookieToken = tokenOwns ? token : authJwt;
   if (cookieToken) {
-    const cookieVal = encodeURIComponent(`${hostDeviceId}:${port}:${cookieToken}`);
+    const cookieVal = encodeURIComponent(`${sessionId}:${port}:${cookieToken}`);
     res.setHeader("Set-Cookie", `lsh_tunnel=${cookieVal}; Path=/; HttpOnly; SameSite=Lax`);
   }
 
   // Validate session & host
-  const session = sessions.get(hostDeviceId);
+  const session = sessions.get(sessionId);
   if (!session || !session.host || session.host.socket.readyState !== session.host.socket.OPEN) {
     errorResponse(res, 502, "Host not connected");
     return;
@@ -210,17 +204,17 @@ export async function handleTunnelRequest(
     headersSent: false,
     timeout: setTimeout(() => {
       pendingRequests.delete(requestId);
-      untrackRequest(hostDeviceId, requestId);
+      untrackRequest(sessionId, requestId);
       errorResponse(res, 504, "Tunnel request timed out");
     }, TUNNEL_TIMEOUT),
   };
   pendingRequests.set(requestId, pending);
-  trackRequest(hostDeviceId, requestId);
+  trackRequest(sessionId, requestId);
 
   // Send tunnel.request to host
   const envelope = createEnvelope({
     type: "tunnel.request",
-    hostDeviceId,
+    sessionId,
     payload: {
       requestId,
       method,
@@ -238,7 +232,7 @@ export async function handleTunnelRequest(
     if (p) {
       clearTimeout(p.timeout);
       pendingRequests.delete(requestId);
-      untrackRequest(hostDeviceId, requestId);
+      untrackRequest(sessionId, requestId);
     }
   });
 }
@@ -312,8 +306,8 @@ export function removeTunnelWs(requestId: string): void {
   pendingWsSockets.delete(requestId);
 }
 
-export function cleanupSessionTunnels(hostDeviceId: string): void {
-  const requestIds = deviceRequests.get(hostDeviceId);
+export function cleanupSessionTunnels(sessionId: string): void {
+  const requestIds = sessionRequests.get(sessionId);
   if (!requestIds) return;
   for (const rid of requestIds) {
     const pending = pendingRequests.get(rid);
@@ -328,21 +322,21 @@ export function cleanupSessionTunnels(hostDeviceId: string): void {
       pendingWsSockets.delete(rid);
     }
   }
-  deviceRequests.delete(hostDeviceId);
+  sessionRequests.delete(sessionId);
 }
 
 export async function handleTunnelWsUpgrade(
   ws: WebSocket,
-  parsed: ParsedTunnelTarget,
+  parsed: { sessionId: string; port: number; path: string },
   url: URL,
-  sessions: DeviceManager,
+  sessions: SessionManager,
   tokens: TokenManager,
 ): Promise<void> {
-  const { hostDeviceId, port, path } = parsed;
+  const { sessionId, port, path } = parsed;
 
   // Auth: device token OR Supabase JWT (userId owns session)
   const token = url.searchParams.get("token");
-  const tokenOwns = token && tokens.owns(token, hostDeviceId);
+  const tokenOwns = token && tokens.owns(token, sessionId);
   let authOwns = false;
   if (!tokenOwns && AUTH_REQUIRED) {
     // Try auth_token param first, then fall back to token param (cookie fallback stores JWT there)
@@ -358,7 +352,7 @@ export async function handleTunnelWsUpgrade(
           });
           if (userRes.ok) {
             const user = (await userRes.json()) as { id: string };
-            const session = sessions.get(hostDeviceId);
+            const session = sessions.get(sessionId);
             if (user.id && session?.userId && user.id === session.userId) {
               authOwns = true;
             }
@@ -372,7 +366,7 @@ export async function handleTunnelWsUpgrade(
     return;
   }
 
-  const session = sessions.get(hostDeviceId);
+  const session = sessions.get(sessionId);
   if (!session || !session.host || session.host.socket.readyState !== session.host.socket.OPEN) {
     ws.close(4002, "Host not connected");
     return;
@@ -383,12 +377,12 @@ export async function handleTunnelWsUpgrade(
 
   // Register this WS so host responses route here
   registerTunnelWs(requestId, ws);
-  trackRequest(hostDeviceId, requestId);
+  trackRequest(sessionId, requestId);
 
   // Send tunnel.request with upgrade header to host
   const envelope = createEnvelope({
     type: "tunnel.request",
-    hostDeviceId,
+    sessionId,
     payload: {
       requestId,
       method: "GET",
@@ -403,13 +397,13 @@ export async function handleTunnelWsUpgrade(
   // Forward data from browser WS to host
   ws.on("message", (data: Buffer | string) => {
     try {
-      const s = sessions.get(hostDeviceId);
+      const s = sessions.get(sessionId);
       if (!s?.host || s.host.socket.readyState !== s.host.socket.OPEN) return;
       const isBinary = typeof data !== "string";
       const buf = typeof data === "string" ? Buffer.from(data) : data;
       const fwd = createEnvelope({
         type: "tunnel.ws.data",
-        hostDeviceId,
+        sessionId,
         payload: {
           requestId,
           data: buf.toString("base64"),
@@ -423,13 +417,13 @@ export async function handleTunnelWsUpgrade(
   ws.on("close", (code, reason) => {
     try {
       removeTunnelWs(requestId);
-      untrackRequest(hostDeviceId, requestId);
-      const s = sessions.get(hostDeviceId);
+      untrackRequest(sessionId, requestId);
+      const s = sessions.get(sessionId);
       if (!s?.host || s.host.socket.readyState !== s.host.socket.OPEN) return;
       const safeCode = typeof code === "number" && code >= 1000 && code <= 4999 ? code : 1000;
       const fwd = createEnvelope({
         type: "tunnel.ws.close",
-        hostDeviceId,
+        sessionId,
         payload: {
           requestId,
           code: safeCode,