@linkshell/gateway 0.4.24 → 0.4.27

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@linkshell/gateway",
-  "version": "0.4.24",
+  "version": "0.4.27",
   "type": "module",
   "main": "dist/gateway/src/index.js",
   "exports": {

package/src/embedded.ts

@@ -25,6 +25,7 @@ import {
   handleTunnelWsUpgrade,
   cleanupSessionTunnels,
 } from "./tunnel.js";
+import { serveWeb, serveWebAsset, webEnabled, webDistPath } from "./static-web.js";
 
 export interface EmbeddedGatewayOptions {
   port?: number;
@@ -252,6 +253,11 @@ export function startEmbeddedGateway(
         return;
       }
 
+      // Serve the gateway's OWN built web assets (no SPA fallback) before the
+      // tunnel cookie fallback, so a real asset like /assets/index-xxx.js is
+      // served locally instead of being proxied via a stale tunnel cookie.
+      if (await serveWebAsset(req, res)) return;
+
       // Tunnel fallback: cookie-based routing for sub-resources (e.g. /_next/static/...)
       const tunnelCookie = parseTunnelCookie(req);
       if (tunnelCookie && shouldUseTunnelCookieFallback(req, url.pathname, (pathname) =>
@@ -272,6 +278,11 @@ export function startEmbeddedGateway(
         return;
       }
 
+      // Web SPA: last GET fallback, after every API route, so it never shadows
+      // them. Serves index.html for "/" and client-side routes; a no-op (false)
+      // when no web dist is bundled (e.g. an API-only embedded gateway).
+      if (await serveWeb(req, res)) return;
+
       json(res, 404, { error: "not_found" });
     } catch (err) {
       if (err instanceof ZodError) {
@@ -479,6 +490,14 @@ export function startEmbeddedGateway(
       const actualPort =
         typeof addr === "object" && addr ? addr.port : targetPort;
       log("info", `embedded gateway on port ${actualPort}`);
+      // Surface whether the bundled web SPA was found — the in-app WebView loads
+      // this gateway's "/", so a missing dist means a blank screen. Makes the
+      // LAN/self-hosted "WebView is blank" failure mode diagnosable from logs.
+      if (webEnabled()) {
+        log("info", `web UI served from ${webDistPath()}`);
+      } else {
+        log("warn", `web UI not bundled (WEB_DIST=${webDistPath()} has no index.html) — in-app agent console will be blank`);
+      }
       resolve({
         port: actualPort,
         httpUrl: `http://127.0.0.1:${actualPort}`,

package/src/tokens.ts

@@ -89,6 +89,34 @@ export class TokenManager {
     return record.sessionIds.has(sessionId);
   }
 
+  async ownsFresh(token: string, sessionId: string): Promise<boolean> {
+    if (this.owns(token, sessionId)) return true;
+    if (!this.store) return false;
+    try {
+      const records = await this.store.loadTokens();
+      const now = Date.now();
+      for (const record of records) {
+        if (now - record.lastUsedAt > SESSION_TTL) continue;
+        if (record.token !== token) continue;
+        const next = {
+          token: record.token,
+          sessionIds: new Set(record.sessionIds),
+          createdAt: record.createdAt,
+          lastUsedAt: Date.now(),
+        };
+        this.tokens.set(record.token, next);
+        for (const sid of record.sessionIds) {
+          this.sessionToToken.set(sid, record.token);
+        }
+        this.persist(next);
+        return next.sessionIds.has(sessionId);
+      }
+    } catch (err) {
+      process.stderr.write(`[gateway] token store refresh failed: ${err}\n`);
+    }
+    return false;
+  }
+
   getSessionIds(token: string): Set<string> {
     const record = this.tokens.get(token);
     if (!record) return new Set();

package/src/tunnel.ts

@@ -171,7 +171,7 @@ export function parseTunnelCookie(req: IncomingMessage): { sessionId: string; po
   return { sessionId, port, token };
 }
 
-function errorResponse(res: ServerResponse, status: number, message: string): void {
+function errorResponse(res: ServerResponse, status: number, message: string, diagnostic?: string): void {
   if (res.headersSent) return;
   res.writeHead(status, {
     "content-type": "text/plain",
@@ -180,6 +180,7 @@ function errorResponse(res: ServerResponse, status: number, message: string): vo
     "surrogate-control": "no-store",
     "vary": "authorization, cookie",
     "access-control-allow-origin": "*",
+    ...(diagnostic ? { "x-linkshell-tunnel-error": diagnostic } : {}),
   });
   res.end(message);
 }
@@ -267,9 +268,10 @@ export async function handleTunnelRequest(
 
   // Auth: device token OR Supabase JWT (userId owns session)
   let token = preAuthToken || extractToken(req, url) || tokenFromTunnelCookie(req, sessionId, port);
-  let tokenOwns = Boolean(token && tokens.owns(token, sessionId));
+  let tokenOwns = Boolean(token && await tokens.ownsFresh(token, sessionId));
   let authOwns = false;
   let authJwt: string | null = null;
+  let authDiagnostic = token ? "token_not_bound" : "missing_token";
   if (!tokenOwns && AUTH_REQUIRED) {
     // Try preAuthToken as JWT first (from cookie fallback), then from request headers/params
     const jwtCandidate = preAuthToken || url.searchParams.get("auth_token") || (() => {
@@ -292,10 +294,20 @@ export async function handleTunnelRequest(
             if (user.id && session?.userId && user.id === session.userId) {
               authOwns = true;
               authJwt = jwtCandidate;
+            } else if (!session) {
+              authDiagnostic = "session_not_local";
+            } else if (!session.userId) {
+              authDiagnostic = "session_user_missing";
+            } else {
+              authDiagnostic = "session_user_mismatch";
             }
+          } else {
+            authDiagnostic = "invalid_jwt";
           }
         }
-      } catch {}
+      } catch {
+        authDiagnostic = "jwt_check_failed";
+      }
     }
   }
   if (!tokenOwns && authOwns) {
@@ -306,7 +318,7 @@ export async function handleTunnelRequest(
     }
   }
   if (!tokenOwns && !authOwns) {
-    errorResponse(res, 401, "Unauthorized");
+    errorResponse(res, 401, "Unauthorized", authDiagnostic);
     return;
   }
 
@@ -322,7 +334,7 @@ export async function handleTunnelRequest(
   // Validate session & host
   const session = sessions.get(sessionId);
   if (!session || !session.host || session.host.socket.readyState !== session.host.socket.OPEN) {
-    errorResponse(res, 502, "Host not connected");
+    errorResponse(res, 502, "Host not connected", !session ? "session_not_local" : "host_not_connected");
     return;
   }
 
@@ -514,8 +526,9 @@ export async function handleTunnelWsUpgrade(
 
   // Auth: device token OR Supabase JWT (userId owns session)
   let token = preAuthToken || url.searchParams.get("token");
-  let tokenOwns = Boolean(token && tokens.owns(token, sessionId));
+  let tokenOwns = Boolean(token && await tokens.ownsFresh(token, sessionId));
   let authOwns = false;
+  let authDiagnostic = token ? "token_not_bound" : "missing_token";
   if (!tokenOwns && AUTH_REQUIRED) {
     // Try auth_token param first, then fall back to token param (cookie fallback stores JWT there)
     const authToken = url.searchParams.get("auth_token") || token;
@@ -533,10 +546,20 @@ export async function handleTunnelWsUpgrade(
             const session = sessions.get(sessionId);
             if (user.id && session?.userId && user.id === session.userId) {
               authOwns = true;
+            } else if (!session) {
+              authDiagnostic = "session_not_local";
+            } else if (!session.userId) {
+              authDiagnostic = "session_user_missing";
+            } else {
+              authDiagnostic = "session_user_mismatch";
             }
+          } else {
+            authDiagnostic = "invalid_jwt";
           }
         }
-      } catch {}
+      } catch {
+        authDiagnostic = "jwt_check_failed";
+      }
     }
   }
   if (!tokenOwns && authOwns) {
@@ -547,7 +570,7 @@ export async function handleTunnelWsUpgrade(
     }
   }
   if (!tokenOwns && !authOwns) {
-    ws.close(4001, "Unauthorized");
+    ws.close(4001, `Unauthorized:${authDiagnostic}`);
     return;
   }