@mjasano/devtunnel 1.2.0 → 1.5.0

package/server.js

@@ -10,9 +10,172 @@ const crypto = require('crypto');
 
 const app = express();
 const server = http.createServer(app);
-const wss = new WebSocket.Server({ server });
 
-app.use(express.json());
+// Authentication configuration
+const PASSCODE = process.env.PASSCODE || null;
+const AUTH_TOKEN_EXPIRY = 24 * 60 * 60 * 1000; // 24 hours
+const authTokens = new Map(); // token -> { createdAt }
+
+// Generate random token
+function generateAuthToken() {
+  return crypto.randomBytes(32).toString('hex');
+}
+
+// Validate auth token
+function validateAuthToken(token) {
+  if (!token) return false;
+  const session = authTokens.get(token);
+  if (!session) return false;
+  if (Date.now() - session.createdAt > AUTH_TOKEN_EXPIRY) {
+    authTokens.delete(token);
+    return false;
+  }
+  return true;
+}
+
+// Auth middleware
+function authMiddleware(req, res, next) {
+  // If no passcode configured, allow all
+  if (!PASSCODE) return next();
+
+  // Check for auth token in cookie or header
+  const token = req.cookies?.authToken || req.headers['x-auth-token'];
+
+  if (validateAuthToken(token)) {
+    return next();
+  }
+
+  // Allow access to login endpoint and static login page
+  if (req.path === '/api/auth/login' || req.path === '/api/auth/status') {
+    return next();
+  }
+
+  res.status(401).json({ error: 'Authentication required' });
+}
+
+// Cookie parser middleware
+app.use((req, _res, next) => {
+  const cookieHeader = req.headers.cookie;
+  req.cookies = {};
+  if (cookieHeader) {
+    cookieHeader.split(';').forEach(cookie => {
+      const [name, ...rest] = cookie.trim().split('=');
+      req.cookies[name] = rest.join('=');
+    });
+  }
+  next();
+});
+
+// WebSocket security configuration
+const WS_MAX_MESSAGE_SIZE = 1024 * 1024; // 1MB max message size
+const WS_RATE_LIMIT_WINDOW = 1000; // 1 second
+const WS_RATE_LIMIT_MAX = 100; // max 100 messages per second
+
+const wss = new WebSocket.Server({
+  server,
+  maxPayload: WS_MAX_MESSAGE_SIZE
+});
+
+// Rate limiting for WebSocket connections
+const wsRateLimits = new Map();
+
+function checkRateLimit(ws) {
+  const now = Date.now();
+  let limit = wsRateLimits.get(ws);
+
+  if (!limit) {
+    limit = { count: 0, resetAt: now + WS_RATE_LIMIT_WINDOW };
+    wsRateLimits.set(ws, limit);
+  }
+
+  if (now > limit.resetAt) {
+    limit.count = 0;
+    limit.resetAt = now + WS_RATE_LIMIT_WINDOW;
+  }
+
+  limit.count++;
+
+  if (limit.count > WS_RATE_LIMIT_MAX) {
+    return false;
+  }
+
+  return true;
+}
+
+app.use(express.json({ limit: '5mb' }));
+
+// Serve login page without auth
+app.get('/login', (_req, res) => {
+  res.sendFile(path.join(__dirname, 'public', 'login.html'));
+});
+
+// Auth status endpoint (no auth required)
+app.get('/api/auth/status', (req, res) => {
+  const requiresAuth = !!PASSCODE;
+  const token = req.cookies?.authToken || req.headers['x-auth-token'];
+  const authenticated = !requiresAuth || validateAuthToken(token);
+  res.json({ requiresAuth, authenticated });
+});
+
+// Login endpoint (no auth required)
+app.post('/api/auth/login', (req, res) => {
+  if (!PASSCODE) {
+    return res.json({ success: true, message: 'No passcode required' });
+  }
+
+  const { passcode } = req.body;
+
+  if (passcode === PASSCODE) {
+    const token = generateAuthToken();
+    authTokens.set(token, { createdAt: Date.now() });
+
+    res.cookie('authToken', token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      maxAge: AUTH_TOKEN_EXPIRY,
+      sameSite: 'strict'
+    });
+
+    res.json({ success: true, token });
+  } else {
+    res.status(401).json({ success: false, error: 'Invalid passcode' });
+  }
+});
+
+// Logout endpoint
+app.post('/api/auth/logout', (req, res) => {
+  const token = req.cookies?.authToken || req.headers['x-auth-token'];
+  if (token) {
+    authTokens.delete(token);
+  }
+  res.clearCookie('authToken');
+  res.json({ success: true });
+});
+
+// Apply auth middleware to all API routes
+app.use('/api', authMiddleware);
+
+// Serve static files (with auth check for main app)
+app.use((req, res, next) => {
+  // Allow login page without auth
+  if (req.path === '/login.html' || req.path === '/login') {
+    return next();
+  }
+
+  // If auth required and not authenticated, redirect to login
+  if (PASSCODE) {
+    const token = req.cookies?.authToken || req.headers['x-auth-token'];
+    if (!validateAuthToken(token)) {
+      // For HTML requests, redirect to login
+      if (req.accepts('html')) {
+        return res.redirect('/login');
+      }
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+  }
+  next();
+});
+
 app.use(express.static(path.join(__dirname, 'public')));
 
 // Session configuration
@@ -328,7 +491,26 @@ function stopTunnel(id) {
 }
 
 // WebSocket handling
-wss.on('connection', async (ws) => {
+wss.on('connection', async (ws, req) => {
+  // Authenticate WebSocket connection
+  if (PASSCODE) {
+    // Parse cookies from upgrade request
+    const cookies = {};
+    const cookieHeader = req.headers.cookie;
+    if (cookieHeader) {
+      cookieHeader.split(';').forEach(cookie => {
+        const [name, ...rest] = cookie.trim().split('=');
+        cookies[name] = rest.join('=');
+      });
+    }
+
+    const token = cookies.authToken;
+    if (!validateAuthToken(token)) {
+      ws.close(4001, 'Authentication required');
+      return;
+    }
+  }
+
   console.log('Client connected');
 
   let currentSession = null;
@@ -359,6 +541,12 @@ wss.on('connection', async (ws) => {
   ws.send(JSON.stringify({ type: 'tmux-sessions', data: tmuxSessions }));
 
   ws.on('message', (message) => {
+    // Rate limiting check
+    if (!checkRateLimit(ws)) {
+      ws.send(JSON.stringify({ type: 'error', message: 'Rate limit exceeded' }));
+      return;
+    }
+
     try {
       const msg = JSON.parse(message.toString());
 
@@ -502,6 +690,7 @@ wss.on('connection', async (ws) => {
 
   ws.on('close', () => {
     console.log('Client disconnected');
+    wsRateLimits.delete(ws);
     if (currentSession) {
       currentSession.clients.delete(ws);
       currentSession.lastAccess = Date.now();
@@ -537,19 +726,19 @@ async function getMemoryInfo() {
           const pageSize = 16384; // macOS default page size (16KB on Apple Silicon)
           const lines = output.split('\n');
 
-          let free = 0, active = 0, inactive = 0, wired = 0, compressed = 0, purgeable = 0;
+          let _free = 0, active = 0, _inactive = 0, wired = 0, compressed = 0, _purgeable = 0;
 
           lines.forEach(line => {
             const match = line.match(/^(.+):\s+(\d+)/);
             if (match) {
               const value = parseInt(match[2]) * pageSize;
               const key = match[1].toLowerCase();
-              if (key.includes('free')) free = value;
+              if (key.includes('free')) _free = value;
               else if (key.includes('active')) active = value;
-              else if (key.includes('inactive')) inactive = value;
+              else if (key.includes('inactive')) _inactive = value;
               else if (key.includes('wired')) wired = value;
               else if (key.includes('compressed')) compressed = value;
-              else if (key.includes('purgeable')) purgeable = value;
+              else if (key.includes('purgeable')) _purgeable = value;
             }
           });
 
@@ -769,6 +958,86 @@ app.post('/api/files/write', async (req, res) => {
   }
 });
 
+// Delete file or directory
+app.post('/api/files/delete', async (req, res) => {
+  try {
+    const { path: filePath } = req.body;
+
+    if (!filePath) {
+      return res.status(400).json({ error: 'Path required' });
+    }
+
+    const fullPath = path.join(WORKSPACE_ROOT, filePath);
+    const normalizedPath = path.normalize(fullPath);
+
+    if (!normalizedPath.startsWith(WORKSPACE_ROOT)) {
+      return res.status(403).json({ error: 'Access denied' });
+    }
+
+    // Don't allow deleting the workspace root
+    if (normalizedPath === WORKSPACE_ROOT) {
+      return res.status(403).json({ error: 'Cannot delete workspace root' });
+    }
+
+    const stats = await fs.stat(normalizedPath);
+
+    if (stats.isDirectory()) {
+      await fs.rm(normalizedPath, { recursive: true });
+    } else {
+      await fs.unlink(normalizedPath);
+    }
+
+    res.json({ success: true, path: filePath });
+  } catch (err) {
+    if (err.code === 'ENOENT') {
+      res.status(404).json({ error: 'File not found' });
+    } else {
+      res.status(500).json({ error: err.message });
+    }
+  }
+});
+
+// Rename file or directory
+app.post('/api/files/rename', async (req, res) => {
+  try {
+    const { oldPath, newPath } = req.body;
+
+    if (!oldPath || !newPath) {
+      return res.status(400).json({ error: 'Both oldPath and newPath required' });
+    }
+
+    const fullOldPath = path.join(WORKSPACE_ROOT, oldPath);
+    const fullNewPath = path.join(WORKSPACE_ROOT, newPath);
+    const normalizedOldPath = path.normalize(fullOldPath);
+    const normalizedNewPath = path.normalize(fullNewPath);
+
+    if (!normalizedOldPath.startsWith(WORKSPACE_ROOT) || !normalizedNewPath.startsWith(WORKSPACE_ROOT)) {
+      return res.status(403).json({ error: 'Access denied' });
+    }
+
+    // Check if source exists
+    await fs.stat(normalizedOldPath);
+
+    // Check if destination already exists
+    try {
+      await fs.stat(normalizedNewPath);
+      return res.status(409).json({ error: 'Destination already exists' });
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+
+    await fs.rename(normalizedOldPath, normalizedNewPath);
+
+    res.json({ success: true, oldPath, newPath });
+  } catch (err) {
+    if (err.code === 'ENOENT') {
+      res.status(404).json({ error: 'File not found' });
+    } else {
+      res.status(500).json({ error: err.message });
+    }
+  }
+});
+
 // REST API
 app.get('/api/sessions', (req, res) => {
   const sessionList = Array.from(sessions.values()).map(s => ({

package/test/server.test.js

@@ -0,0 +1,204 @@
+const { describe, it, before, after } = require('node:test');
+const assert = require('node:assert');
+const http = require('node:http');
+const { spawn } = require('node:child_process');
+const path = require('node:path');
+
+let serverProcess;
+const serverPort = 3099;
+
+function makeRequest(method, path, body = null) {
+  return new Promise((resolve, reject) => {
+    const options = {
+      hostname: 'localhost',
+      port: serverPort,
+      path,
+      method,
+      headers: {
+        'Content-Type': 'application/json',
+      },
+    };
+
+    const req = http.request(options, (res) => {
+      let data = '';
+      res.on('data', (chunk) => (data += chunk));
+      res.on('end', () => {
+        try {
+          resolve({ status: res.statusCode, data: JSON.parse(data) });
+        } catch {
+          resolve({ status: res.statusCode, data });
+        }
+      });
+    });
+
+    req.on('error', reject);
+
+    if (body) {
+      req.write(JSON.stringify(body));
+    }
+    req.end();
+  });
+}
+
+function waitForServer(port, timeout = 10000) {
+  return new Promise((resolve, reject) => {
+    const start = Date.now();
+
+    const check = () => {
+      const req = http.get(`http://localhost:${port}/health`, (res) => {
+        if (res.statusCode === 200) {
+          resolve();
+        } else {
+          retry();
+        }
+      });
+
+      req.on('error', retry);
+      req.setTimeout(1000);
+    };
+
+    const retry = () => {
+      if (Date.now() - start > timeout) {
+        reject(new Error('Server startup timeout'));
+      } else {
+        setTimeout(check, 200);
+      }
+    };
+
+    check();
+  });
+}
+
+describe('DevTunnel Server API', () => {
+  before(async () => {
+    const serverPath = path.join(__dirname, '..', 'server.js');
+    serverProcess = spawn('node', [serverPath], {
+      env: { ...process.env, PORT: serverPort },
+      stdio: ['ignore', 'pipe', 'pipe'],
+    });
+
+    serverProcess.stdout.on('data', (data) => {
+      console.log(`[server] ${data.toString().trim()}`);
+    });
+
+    serverProcess.stderr.on('data', (data) => {
+      console.error(`[server] ${data.toString().trim()}`);
+    });
+
+    await waitForServer(serverPort);
+  });
+
+  after(() => {
+    if (serverProcess) {
+      serverProcess.kill('SIGTERM');
+    }
+  });
+
+  describe('GET /health', () => {
+    it('should return health status', async () => {
+      const { status, data } = await makeRequest('GET', '/health');
+      assert.strictEqual(status, 200);
+      assert.strictEqual(data.status, 'ok');
+      assert.strictEqual(typeof data.sessions, 'number');
+      assert.strictEqual(typeof data.tunnels, 'number');
+    });
+  });
+
+  describe('GET /api/system', () => {
+    it('should return system information', async () => {
+      const { status, data } = await makeRequest('GET', '/api/system');
+      assert.strictEqual(status, 200);
+      assert.ok(data.hostname);
+      assert.ok(data.platform);
+      assert.ok(data.arch);
+      assert.strictEqual(typeof data.uptime, 'number');
+      assert.ok(data.cpu);
+      assert.ok(data.memory);
+      assert.ok(Array.isArray(data.loadavg));
+    });
+  });
+
+  describe('GET /api/sessions', () => {
+    it('should return empty session list initially', async () => {
+      const { status, data } = await makeRequest('GET', '/api/sessions');
+      assert.strictEqual(status, 200);
+      assert.ok(Array.isArray(data));
+    });
+  });
+
+  describe('GET /api/tunnels', () => {
+    it('should return empty tunnel list initially', async () => {
+      const { status, data } = await makeRequest('GET', '/api/tunnels');
+      assert.strictEqual(status, 200);
+      assert.ok(Array.isArray(data));
+    });
+  });
+
+  describe('GET /api/files', () => {
+    it('should return file listing', async () => {
+      const { status, data } = await makeRequest('GET', '/api/files');
+      assert.strictEqual(status, 200);
+      assert.strictEqual(data.path, '');
+      assert.ok(Array.isArray(data.items));
+    });
+  });
+
+  describe('POST /api/files/write', () => {
+    it('should reject request without path', async () => {
+      const { status, data } = await makeRequest('POST', '/api/files/write', {
+        content: 'test',
+      });
+      assert.strictEqual(status, 400);
+      assert.strictEqual(data.error, 'Path required');
+    });
+  });
+
+  describe('POST /api/files/delete', () => {
+    it('should reject request without path', async () => {
+      const { status, data } = await makeRequest('POST', '/api/files/delete', {});
+      assert.strictEqual(status, 400);
+      assert.strictEqual(data.error, 'Path required');
+    });
+
+    it('should return 404 for non-existent file', async () => {
+      const { status, data } = await makeRequest('POST', '/api/files/delete', {
+        path: 'non-existent-file-12345.txt',
+      });
+      assert.strictEqual(status, 404);
+      assert.strictEqual(data.error, 'File not found');
+    });
+  });
+
+  describe('POST /api/files/rename', () => {
+    it('should reject request without paths', async () => {
+      const { status, data } = await makeRequest('POST', '/api/files/rename', {});
+      assert.strictEqual(status, 400);
+      assert.strictEqual(data.error, 'Both oldPath and newPath required');
+    });
+
+    it('should return 404 for non-existent source file', async () => {
+      const { status, data } = await makeRequest('POST', '/api/files/rename', {
+        oldPath: 'non-existent-file-12345.txt',
+        newPath: 'new-name.txt',
+      });
+      assert.strictEqual(status, 404);
+      assert.strictEqual(data.error, 'File not found');
+    });
+  });
+
+  describe('POST /api/tunnels', () => {
+    it('should reject request without valid port', async () => {
+      const { status, data } = await makeRequest('POST', '/api/tunnels', {});
+      assert.strictEqual(status, 400);
+      assert.strictEqual(data.error, 'Valid port number required');
+    });
+
+    it('should reject request with invalid port type', async () => {
+      const { status, data } = await makeRequest('POST', '/api/tunnels', {
+        port: 'invalid',
+      });
+      assert.strictEqual(status, 400);
+      assert.strictEqual(data.error, 'Valid port number required');
+    });
+  });
+});