@nordbyte/nordrelay 0.5.2 → 0.7.0

package/dist/peer-auth.js

@@ -0,0 +1,85 @@
+import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+const MAX_CLOCK_SKEW_MS = 5 * 60 * 1000;
+const NONCE_TTL_MS = 10 * 60 * 1000;
+export class PeerNonceCache {
+    seen = new Map();
+    consume(peerId, nonce) {
+        const now = Date.now();
+        for (const [key, expiresAt] of this.seen.entries()) {
+            if (expiresAt <= now) {
+                this.seen.delete(key);
+            }
+        }
+        const key = `${peerId}:${nonce}`;
+        if (this.seen.has(key)) {
+            return false;
+        }
+        this.seen.set(key, now + NONCE_TTL_MS);
+        return true;
+    }
+}
+export function signPeerRequest(peer, method, pathname, body = "") {
+    const timestamp = new Date().toISOString();
+    const nonce = randomBytes(16).toString("base64url");
+    const bodyHash = hashBody(body);
+    const signature = createSignature(peer.secret, canonicalRequest(method, pathname, timestamp, nonce, bodyHash));
+    return {
+        timestamp,
+        nonce,
+        bodyHash,
+        headers: {
+            "x-nordrelay-peer-id": peer.id,
+            "x-nordrelay-peer-timestamp": timestamp,
+            "x-nordrelay-peer-nonce": nonce,
+            "x-nordrelay-peer-body-sha256": bodyHash,
+            "x-nordrelay-peer-signature": signature,
+        },
+    };
+}
+export function verifyPeerRequest(options) {
+    const timestamp = header(options.req, "x-nordrelay-peer-timestamp");
+    const nonce = header(options.req, "x-nordrelay-peer-nonce");
+    const bodyHash = header(options.req, "x-nordrelay-peer-body-sha256");
+    const signature = header(options.req, "x-nordrelay-peer-signature");
+    if (!timestamp || !nonce || !bodyHash || !signature) {
+        throw new Error("Missing peer authentication headers.");
+    }
+    const time = Date.parse(timestamp);
+    if (!Number.isFinite(time) || Math.abs(Date.now() - time) > MAX_CLOCK_SKEW_MS) {
+        throw new Error("Peer request timestamp is outside the allowed clock skew.");
+    }
+    if (hashBody(options.body) !== bodyHash) {
+        throw new Error("Peer request body hash mismatch.");
+    }
+    if (!options.nonces.consume(options.peer.id, nonce)) {
+        throw new Error("Replay detected for peer request.");
+    }
+    const expected = createSignature(options.peer.secret, canonicalRequest(options.method, options.pathname, timestamp, nonce, bodyHash));
+    if (!safeEqual(signature, expected)) {
+        throw new Error("Invalid peer request signature.");
+    }
+}
+export function header(req, name) {
+    const value = req.headers[name.toLowerCase()];
+    return Array.isArray(value) ? value[0] ?? "" : value ?? "";
+}
+export function hashBody(body) {
+    return createHash("sha256").update(body).digest("hex");
+}
+function canonicalRequest(method, pathname, timestamp, nonce, bodyHash) {
+    return [
+        method.toUpperCase(),
+        pathname,
+        timestamp,
+        nonce,
+        bodyHash,
+    ].join("\n");
+}
+function createSignature(secret, value) {
+    return createHmac("sha256", secret).update(value).digest("base64url");
+}
+function safeEqual(left, right) {
+    const leftBuffer = Buffer.from(left);
+    const rightBuffer = Buffer.from(right);
+    return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}

package/dist/peer-client.js

@@ -0,0 +1,256 @@
+import http from "node:http";
+import https from "node:https";
+import { createPairingSignaturePayload, signPeerPayload, fingerprintForPublicKey, } from "./peer-identity.js";
+import { signPeerRequest } from "./peer-auth.js";
+import { PeerStore } from "./peer-store.js";
+import { PEER_PROTOCOL_VERSION, } from "./peer-types.js";
+export async function pairPeer(options, identity, store = new PeerStore()) {
+    const timestamp = new Date().toISOString();
+    const payload = createPairingSignaturePayload(identity.public.nodeId, timestamp, options.code);
+    const body = {
+        code: options.code,
+        name: options.name,
+        publicUrl: options.publicUrl,
+        identity: identity.public,
+        timestamp,
+        signature: signPeerPayload(identity.privateKey, payload),
+    };
+    const result = await requestJson({
+        url: joinPeerUrl(options.url, "/peer/pair"),
+        method: "POST",
+        body,
+        allowSelfSigned: true,
+    });
+    if (result.data.protocolVersion !== PEER_PROTOCOL_VERSION) {
+        throw new Error(`Unsupported peer protocol version: ${result.data.protocolVersion}`);
+    }
+    if (fingerprintForPublicKey(result.data.identity.publicKey) !== result.data.identity.fingerprint) {
+        throw new Error("Remote peer identity fingerprint does not match its public key.");
+    }
+    const peer = store.upsertPeer({
+        id: result.data.peerId,
+        name: result.data.identity.name,
+        url: normalizePeerUrl(options.url),
+        nodeId: result.data.identity.nodeId,
+        publicKey: result.data.identity.publicKey,
+        fingerprint: result.data.identity.fingerprint,
+        tlsFingerprint: result.tlsFingerprint,
+        secret: result.data.secret,
+        enabled: true,
+        direction: "outbound",
+        scopes: result.data.scopes,
+        allowedAgents: result.data.allowedAgents,
+        allowedWorkspaceRoots: result.data.allowedWorkspaceRoots,
+        workspaceAliases: result.data.workspaceAliases,
+    });
+    return { peer, tlsFingerprint: result.tlsFingerprint };
+}
+export class RemoteRelayClient {
+    store;
+    constructor(store = new PeerStore()) {
+        this.store = store;
+    }
+    async rpc(peerId, type, payload, actor) {
+        const peer = this.requiredPeer(peerId);
+        const body = {
+            protocolVersion: PEER_PROTOCOL_VERSION,
+            type,
+            payload,
+            actor,
+        };
+        const bodyText = JSON.stringify(body);
+        const signed = signPeerRequest(peer, "POST", "/peer/rpc", bodyText);
+        try {
+            const startedAt = Date.now();
+            const result = await requestJson({
+                url: joinPeerUrl(requiredPeerUrl(peer), "/peer/rpc"),
+                method: "POST",
+                bodyText,
+                headers: signed.headers,
+                expectedTlsFingerprint: peer.tlsFingerprint,
+                allowSelfSigned: Boolean(peer.tlsFingerprint),
+            });
+            this.store.markSeen(peer.id, healthPatchFromRpc(type, result.data.ok ? result.data.data : null, Date.now() - startedAt));
+            if (!result.data.ok) {
+                throw new Error(result.data.error);
+            }
+            return result.data.data;
+        }
+        catch (error) {
+            this.store.markError(peer.id, error instanceof Error ? error.message : String(error));
+            throw error;
+        }
+    }
+    async webProxy(peerId, payload, actor, sourceContextKey) {
+        return this.rpc(peerId, "web.proxy", sourceContextKey ? { ...payload, contextKey: sourceContextKey } : payload, actor);
+    }
+    subscribe(peerId, onEvent, onError, sourceContextKey) {
+        const peer = this.requiredPeer(peerId);
+        const url = new URL(joinPeerUrl(requiredPeerUrl(peer), "/peer/events"));
+        if (sourceContextKey) {
+            url.searchParams.set("contextKey", sourceContextKey);
+        }
+        const signed = signPeerRequest(peer, "GET", `${url.pathname}${url.search}`, "");
+        const transport = url.protocol === "https:" ? https : http;
+        const req = transport.request({
+            method: "GET",
+            protocol: url.protocol,
+            hostname: url.hostname,
+            port: url.port,
+            path: `${url.pathname}${url.search}`,
+            headers: signed.headers,
+            rejectUnauthorized: false,
+        }, (res) => {
+            try {
+                assertTlsFingerprint(res.socket, peer.tlsFingerprint);
+            }
+            catch (error) {
+                req.destroy(error);
+                return;
+            }
+            if ((res.statusCode ?? 500) >= 400) {
+                req.destroy(new Error(`Peer events failed with HTTP ${res.statusCode}`));
+                return;
+            }
+            this.store.markSeen(peer.id, { remoteStatus: "online" });
+            let buffer = "";
+            res.setEncoding("utf8");
+            res.on("data", (chunk) => {
+                buffer += chunk;
+                let separator = buffer.indexOf("\n\n");
+                while (separator !== -1) {
+                    const frame = buffer.slice(0, separator);
+                    buffer = buffer.slice(separator + 2);
+                    const data = frame.split(/\n/).find((line) => line.startsWith("data:"))?.slice(5).trim();
+                    if (data) {
+                        try {
+                            onEvent(JSON.parse(data));
+                        }
+                        catch {
+                            // Ignore malformed event frames from a broken peer.
+                        }
+                    }
+                    separator = buffer.indexOf("\n\n");
+                }
+            });
+        });
+        req.on("error", (error) => {
+            this.store.markError(peer.id, error.message);
+            onError?.(error);
+        });
+        req.end();
+        return {
+            close: () => req.destroy(),
+        };
+    }
+    requiredPeer(peerId) {
+        const peer = this.store.get(peerId);
+        if (!peer) {
+            throw new Error("Peer not found.");
+        }
+        if (!peer.enabled) {
+            throw new Error("Peer is disabled.");
+        }
+        return peer;
+    }
+}
+function healthPatchFromRpc(type, data, latencyMs) {
+    if (type !== "peer.ping" || !data || typeof data !== "object") {
+        return { latencyMs, remoteStatus: "online" };
+    }
+    const record = data;
+    return {
+        latencyMs,
+        remoteVersion: typeof record.version === "string" ? record.version : undefined,
+        remoteStatus: typeof record.status === "string" ? record.status : "online",
+    };
+}
+async function requestJson(options) {
+    const url = new URL(options.url);
+    const bodyText = options.bodyText ?? (options.body === undefined ? "" : JSON.stringify(options.body));
+    const transport = url.protocol === "https:" ? https : http;
+    return await new Promise((resolve, reject) => {
+        const req = transport.request({
+            method: options.method,
+            protocol: url.protocol,
+            hostname: url.hostname,
+            port: url.port,
+            path: `${url.pathname}${url.search}`,
+            headers: {
+                "content-type": "application/json",
+                "content-length": Buffer.byteLength(bodyText),
+                ...(options.headers ?? {}),
+            },
+            rejectUnauthorized: options.allowSelfSigned ? false : undefined,
+        }, (res) => {
+            let tlsFingerprint;
+            try {
+                tlsFingerprint = assertTlsFingerprint(res.socket, options.expectedTlsFingerprint);
+            }
+            catch (error) {
+                reject(error);
+                req.destroy();
+                return;
+            }
+            const chunks = [];
+            res.on("data", (chunk) => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
+            res.on("end", () => {
+                const text = Buffer.concat(chunks).toString("utf8");
+                let data = {};
+                try {
+                    data = text ? JSON.parse(text) : {};
+                }
+                catch {
+                    reject(new Error(`Peer returned invalid JSON: ${text.slice(0, 200)}`));
+                    return;
+                }
+                if ((res.statusCode ?? 500) >= 400) {
+                    const message = data && typeof data === "object" && "error" in data ? String(data.error) : `HTTP ${res.statusCode}`;
+                    reject(new Error(message));
+                    return;
+                }
+                resolve({ data: data, tlsFingerprint });
+            });
+        });
+        req.on("error", reject);
+        if (bodyText)
+            req.write(bodyText);
+        req.end();
+    });
+}
+function assertTlsFingerprint(socket, expected) {
+    if (!socket.encrypted) {
+        if (expected) {
+            throw new Error("Expected a TLS peer connection, but the peer used plaintext HTTP.");
+        }
+        return undefined;
+    }
+    const certificate = socket.getPeerCertificate();
+    const actual = normalizeFingerprint(certificate?.fingerprint256);
+    if (expected && actual !== normalizeFingerprint(expected)) {
+        throw new Error("Peer TLS certificate fingerprint mismatch.");
+    }
+    return actual;
+}
+function requiredPeerUrl(peer) {
+    if (!peer.url) {
+        throw new Error(`Peer ${peer.name} has no URL.`);
+    }
+    return peer.url;
+}
+function joinPeerUrl(base, route) {
+    const url = new URL(normalizePeerUrl(base));
+    url.pathname = route;
+    url.search = "";
+    return url.toString();
+}
+function normalizePeerUrl(value) {
+    const url = new URL(value);
+    url.pathname = "";
+    url.search = "";
+    url.hash = "";
+    return url.toString().replace(/\/$/, "");
+}
+function normalizeFingerprint(value) {
+    return value?.trim().toLowerCase();
+}

package/dist/peer-context.js

@@ -0,0 +1,21 @@
+const DEFAULT_SOURCE_CONTEXT = "web:dashboard";
+export function peerRuntimeContextKey(peer, sourceContextKey) {
+    const source = sourceContextKey?.trim() || DEFAULT_SOURCE_CONTEXT;
+    return `peer:${encodeContextPart(peer.id || peer.nodeId)}:${encodeContextPart(source)}`;
+}
+export function parsePeerRuntimeContextKey(key) {
+    const match = /^peer:([^:]+):(.+)$/.exec(key);
+    if (!match?.[1] || !match[2]) {
+        return null;
+    }
+    return {
+        peerId: decodeContextPart(match[1]),
+        sourceContextKey: decodeContextPart(match[2]),
+    };
+}
+function encodeContextPart(value) {
+    return Buffer.from(value, "utf8").toString("base64url");
+}
+function decodeContextPart(value) {
+    return Buffer.from(value, "base64url").toString("utf8");
+}

package/dist/peer-identity.js

@@ -0,0 +1,127 @@
+import { createHash, generateKeyPairSync, randomBytes, sign, verify, } from "node:crypto";
+import { chmodSync, existsSync, mkdirSync, readFileSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import selfsigned from "selfsigned";
+import { readJsonFileWithBackup, writeJsonFileAtomic, writeTextFileAtomic } from "./persistence.js";
+const DEFAULT_HOME = path.join(os.homedir(), ".nordrelay");
+export function loadOrCreatePeerIdentity(home = process.env.NORDRELAY_HOME || DEFAULT_HOME, name) {
+    const filePath = path.join(home, "identity.json");
+    const existing = readJsonFileWithBackup(filePath).value;
+    if (existing?.nodeId && existing.publicKey && existing.privateKey && existing.fingerprint) {
+        return {
+            public: {
+                nodeId: existing.nodeId,
+                name: existing.name || defaultNodeName(),
+                publicKey: existing.publicKey,
+                fingerprint: existing.fingerprint,
+                createdAt: existing.createdAt,
+            },
+            privateKey: existing.privateKey,
+        };
+    }
+    const pair = generateKeyPairSync("ed25519", {
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    });
+    const publicKey = pair.publicKey.toString();
+    const createdAt = new Date().toISOString();
+    const identity = {
+        nodeId: createNodeId(publicKey),
+        name: name?.trim() || defaultNodeName(),
+        publicKey,
+        privateKey: pair.privateKey.toString(),
+        fingerprint: fingerprintForPublicKey(publicKey),
+        createdAt,
+    };
+    mkdirSync(path.dirname(filePath), { recursive: true });
+    writeJsonFileAtomic(filePath, identity);
+    chmodSync(filePath, 0o600);
+    return {
+        public: {
+            nodeId: identity.nodeId,
+            name: identity.name,
+            publicKey: identity.publicKey,
+            fingerprint: identity.fingerprint,
+            createdAt: identity.createdAt,
+        },
+        privateKey: identity.privateKey,
+    };
+}
+export function ensurePeerTlsFiles(home = process.env.NORDRELAY_HOME || DEFAULT_HOME, identity) {
+    const certDir = path.join(home, "tls");
+    const certPath = path.join(certDir, "peer.crt");
+    const keyPath = path.join(certDir, "peer.key");
+    if (existsSync(certPath) && existsSync(keyPath)) {
+        const cert = readFileSync(certPath, "utf8");
+        const key = readFileSync(keyPath, "utf8");
+        return { certPath, keyPath, cert, key, fingerprint: fingerprintForCertificate(cert) };
+    }
+    mkdirSync(certDir, { recursive: true });
+    const attrs = [{ name: "commonName", value: identity?.nodeId ?? "nordrelay-peer" }];
+    const generated = selfsigned.generate(attrs, {
+        algorithm: "sha256",
+        days: 3650,
+        keySize: 2048,
+        extensions: [
+            { name: "basicConstraints", cA: false },
+            { name: "keyUsage", digitalSignature: true, keyEncipherment: true },
+            { name: "extKeyUsage", serverAuth: true },
+            {
+                name: "subjectAltName",
+                altNames: [
+                    { type: 2, value: "localhost" },
+                    { type: 7, ip: "127.0.0.1" },
+                    { type: 7, ip: "::1" },
+                ],
+            },
+        ],
+    });
+    writeTextFileAtomic(certPath, generated.cert);
+    writeTextFileAtomic(keyPath, generated.private);
+    chmodSync(certPath, 0o600);
+    chmodSync(keyPath, 0o600);
+    return {
+        certPath,
+        keyPath,
+        cert: generated.cert,
+        key: generated.private,
+        fingerprint: fingerprintForCertificate(generated.cert),
+    };
+}
+export function signPeerPayload(privateKey, payload) {
+    return sign(null, Buffer.from(payload, "utf8"), privateKey).toString("base64url");
+}
+export function verifyPeerPayload(publicKey, payload, signature) {
+    try {
+        return verify(null, Buffer.from(payload, "utf8"), publicKey, Buffer.from(signature, "base64url"));
+    }
+    catch {
+        return false;
+    }
+}
+export function createPairingSignaturePayload(nodeId, timestamp, code) {
+    return `${nodeId}\n${timestamp}\n${code}`;
+}
+export function createSharedSecret() {
+    return randomBytes(32).toString("base64url");
+}
+export function fingerprintForPublicKey(publicKey) {
+    return formatFingerprint(createHash("sha256").update(publicKey).digest("hex"));
+}
+export function fingerprintForCertificate(certPem) {
+    const body = certPem
+        .replace(/-----BEGIN CERTIFICATE-----/g, "")
+        .replace(/-----END CERTIFICATE-----/g, "")
+        .replace(/\s+/g, "");
+    return formatFingerprint(createHash("sha256").update(Buffer.from(body, "base64")).digest("hex"));
+}
+function createNodeId(publicKey) {
+    return createHash("sha256").update(publicKey).digest("hex").slice(0, 16);
+}
+function defaultNodeName() {
+    return `${os.hostname()} (${process.platform})`;
+}
+function formatFingerprint(hex) {
+    return hex.match(/.{1,2}/g)?.join(":") ?? hex;
+}