@mooncompany/uplink-chat 0.5.0

package/server/tailscale-https.js

@@ -0,0 +1,175 @@
+/**
+ * Tailscale HTTPS Module
+ * 
+ * Auto-detects Tailscale and provisions HTTPS certs for secure
+ * access over Tailscale. Enables getUserMedia (mic/camera) on mobile.
+ * 
+ * Zero config — just works if Tailscale is running.
+ */
+
+import https from 'https';
+import { execSync, exec } from 'child_process';
+import fs from 'fs';
+import path from 'path';
+import { log } from './utils.js';
+
+const CERT_DIR = path.join(process.env.APPDATA || process.env.HOME || '.', 'uplink-certs');
+const CERT_REFRESH_MS = 12 * 60 * 60 * 1000; // Refresh certs every 12 hours
+
+/**
+ * Get the Tailscale FQDN for this machine
+ * @returns {string|null} e.g. "na8.tail8b977a.ts.net"
+ */
+function getTailscaleDomain() {
+  try {
+    const statusJson = execSync('tailscale status --json', { 
+      timeout: 5000, 
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe']
+    });
+    const status = JSON.parse(statusJson);
+    
+    // CertDomains contains the FQDN(s) this node can get certs for
+    if (status.CertDomains && status.CertDomains.length > 0) {
+      return status.CertDomains[0];
+    }
+    
+    // Fallback: construct from Self info
+    if (status.Self && status.Self.DNSName) {
+      // DNSName ends with a dot, remove it
+      return status.Self.DNSName.replace(/\.$/, '');
+    }
+    
+    return null;
+  } catch (err) {
+    log('debug', `[Tailscale] Not available: ${err.message}`);
+    return null;
+  }
+}
+
+/**
+ * Get the Tailscale IP for this machine
+ * @returns {string|null}
+ */
+function getTailscaleIP() {
+  try {
+    const ip = execSync('tailscale ip -4', {
+      timeout: 5000,
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe']
+    }).trim();
+    return ip || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Provision TLS certs from Tailscale for the given domain
+ * @param {string} domain 
+ * @returns {{ cert: string, key: string } | null}
+ */
+function provisionCerts(domain) {
+  try {
+    // Ensure cert directory exists
+    if (!fs.existsSync(CERT_DIR)) {
+      fs.mkdirSync(CERT_DIR, { recursive: true });
+    }
+
+    const certFile = path.join(CERT_DIR, `${domain}.crt`);
+    const keyFile = path.join(CERT_DIR, `${domain}.key`);
+
+    // Use tailscale cert to provision/renew
+    execSync(`tailscale cert --cert-file "${certFile}" --key-file "${keyFile}" "${domain}"`, {
+      timeout: 30000,
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe']
+    });
+
+    if (fs.existsSync(certFile) && fs.existsSync(keyFile)) {
+      log('info', `[Tailscale] Certs provisioned for ${domain}`);
+      return {
+        cert: fs.readFileSync(certFile, 'utf-8'),
+        key: fs.readFileSync(keyFile, 'utf-8')
+      };
+    }
+
+    return null;
+  } catch (err) {
+    log('error', `[Tailscale] Failed to provision certs: ${err.message}`);
+    return null;
+  }
+}
+
+/**
+ * Set up HTTPS server with Tailscale certs
+ * Shares the same Express app as the HTTP server.
+ * 
+ * @param {express.Application} app - Express app
+ * @param {object} options
+ * @param {number} options.httpsPort - Port for HTTPS (default: HTTP port + 1)
+ * @param {Function} options.onServer - Callback with (httpsServer, domain) to set up WebSocket etc.
+ * @returns {Promise<{ server: https.Server, domain: string, url: string } | null>}
+ */
+export async function setupTailscaleHTTPS(app, options = {}) {
+  const domain = getTailscaleDomain();
+  if (!domain) {
+    log('info', '[Tailscale] Not detected, HTTPS disabled. Mic/camera requires localhost or HTTPS.');
+    return null;
+  }
+
+  const tsIP = getTailscaleIP();
+  log('info', `[Tailscale] Detected: ${domain} (${tsIP})`);
+
+  const certs = provisionCerts(domain);
+  if (!certs) {
+    log('warn', '[Tailscale] Could not provision certs. HTTPS disabled.');
+    return null;
+  }
+
+  const httpsPort = options.httpsPort || (parseInt(process.env.PORT || '3456') + 1);
+
+  const httpsServer = https.createServer({
+    cert: certs.cert,
+    key: certs.key
+  }, app);
+
+  // Let the caller wire up WebSocket handlers
+  if (options.onServer) {
+    options.onServer(httpsServer, domain);
+  }
+
+  return new Promise((resolve) => {
+    httpsServer.listen(httpsPort, '0.0.0.0', () => {
+      const url = `https://${domain}:${httpsPort}`;
+      log('info', `[Tailscale] HTTPS server running at ${url}`);
+
+      // Schedule cert refresh
+      const refreshInterval = setInterval(() => {
+        log('info', '[Tailscale] Refreshing certs...');
+        const newCerts = provisionCerts(domain);
+        if (newCerts) {
+          httpsServer.setSecureContext({
+            cert: newCerts.cert,
+            key: newCerts.key
+          });
+          log('info', '[Tailscale] Certs refreshed successfully');
+        }
+      }, CERT_REFRESH_MS);
+      refreshInterval.unref();
+
+      resolve({ server: httpsServer, domain, url, ip: tsIP });
+    });
+
+    httpsServer.on('error', (err) => {
+      if (err.code === 'EADDRINUSE') {
+        log('warn', `[Tailscale] Port ${httpsPort} in use, HTTPS disabled.`);
+      } else {
+        log('error', `[Tailscale] HTTPS server error: ${err.message}`);
+      }
+      resolve(null);
+    });
+  });
+}
+
+export { getTailscaleDomain, getTailscaleIP };