@nordbyte/nordrelay 0.6.0 → 0.8.0

package/dist/peer-identity.js

@@ -0,0 +1,127 @@
+import { createHash, generateKeyPairSync, randomBytes, sign, verify, } from "node:crypto";
+import { chmodSync, existsSync, mkdirSync, readFileSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import selfsigned from "selfsigned";
+import { readJsonFileWithBackup, writeJsonFileAtomic, writeTextFileAtomic } from "./persistence.js";
+const DEFAULT_HOME = path.join(os.homedir(), ".nordrelay");
+export function loadOrCreatePeerIdentity(home = process.env.NORDRELAY_HOME || DEFAULT_HOME, name) {
+    const filePath = path.join(home, "identity.json");
+    const existing = readJsonFileWithBackup(filePath).value;
+    if (existing?.nodeId && existing.publicKey && existing.privateKey && existing.fingerprint) {
+        return {
+            public: {
+                nodeId: existing.nodeId,
+                name: existing.name || defaultNodeName(),
+                publicKey: existing.publicKey,
+                fingerprint: existing.fingerprint,
+                createdAt: existing.createdAt,
+            },
+            privateKey: existing.privateKey,
+        };
+    }
+    const pair = generateKeyPairSync("ed25519", {
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    });
+    const publicKey = pair.publicKey.toString();
+    const createdAt = new Date().toISOString();
+    const identity = {
+        nodeId: createNodeId(publicKey),
+        name: name?.trim() || defaultNodeName(),
+        publicKey,
+        privateKey: pair.privateKey.toString(),
+        fingerprint: fingerprintForPublicKey(publicKey),
+        createdAt,
+    };
+    mkdirSync(path.dirname(filePath), { recursive: true });
+    writeJsonFileAtomic(filePath, identity);
+    chmodSync(filePath, 0o600);
+    return {
+        public: {
+            nodeId: identity.nodeId,
+            name: identity.name,
+            publicKey: identity.publicKey,
+            fingerprint: identity.fingerprint,
+            createdAt: identity.createdAt,
+        },
+        privateKey: identity.privateKey,
+    };
+}
+export function ensurePeerTlsFiles(home = process.env.NORDRELAY_HOME || DEFAULT_HOME, identity) {
+    const certDir = path.join(home, "tls");
+    const certPath = path.join(certDir, "peer.crt");
+    const keyPath = path.join(certDir, "peer.key");
+    if (existsSync(certPath) && existsSync(keyPath)) {
+        const cert = readFileSync(certPath, "utf8");
+        const key = readFileSync(keyPath, "utf8");
+        return { certPath, keyPath, cert, key, fingerprint: fingerprintForCertificate(cert) };
+    }
+    mkdirSync(certDir, { recursive: true });
+    const attrs = [{ name: "commonName", value: identity?.nodeId ?? "nordrelay-peer" }];
+    const generated = selfsigned.generate(attrs, {
+        algorithm: "sha256",
+        days: 3650,
+        keySize: 2048,
+        extensions: [
+            { name: "basicConstraints", cA: false },
+            { name: "keyUsage", digitalSignature: true, keyEncipherment: true },
+            { name: "extKeyUsage", serverAuth: true },
+            {
+                name: "subjectAltName",
+                altNames: [
+                    { type: 2, value: "localhost" },
+                    { type: 7, ip: "127.0.0.1" },
+                    { type: 7, ip: "::1" },
+                ],
+            },
+        ],
+    });
+    writeTextFileAtomic(certPath, generated.cert);
+    writeTextFileAtomic(keyPath, generated.private);
+    chmodSync(certPath, 0o600);
+    chmodSync(keyPath, 0o600);
+    return {
+        certPath,
+        keyPath,
+        cert: generated.cert,
+        key: generated.private,
+        fingerprint: fingerprintForCertificate(generated.cert),
+    };
+}
+export function signPeerPayload(privateKey, payload) {
+    return sign(null, Buffer.from(payload, "utf8"), privateKey).toString("base64url");
+}
+export function verifyPeerPayload(publicKey, payload, signature) {
+    try {
+        return verify(null, Buffer.from(payload, "utf8"), publicKey, Buffer.from(signature, "base64url"));
+    }
+    catch {
+        return false;
+    }
+}
+export function createPairingSignaturePayload(nodeId, timestamp, code) {
+    return `${nodeId}\n${timestamp}\n${code}`;
+}
+export function createSharedSecret() {
+    return randomBytes(32).toString("base64url");
+}
+export function fingerprintForPublicKey(publicKey) {
+    return formatFingerprint(createHash("sha256").update(publicKey).digest("hex"));
+}
+export function fingerprintForCertificate(certPem) {
+    const body = certPem
+        .replace(/-----BEGIN CERTIFICATE-----/g, "")
+        .replace(/-----END CERTIFICATE-----/g, "")
+        .replace(/\s+/g, "");
+    return formatFingerprint(createHash("sha256").update(Buffer.from(body, "base64")).digest("hex"));
+}
+function createNodeId(publicKey) {
+    return createHash("sha256").update(publicKey).digest("hex").slice(0, 16);
+}
+function defaultNodeName() {
+    return `${os.hostname()} (${process.platform})`;
+}
+function formatFingerprint(hex) {
+    return hex.match(/.{1,2}/g)?.join(":") ?? hex;
+}

package/dist/peer-readiness.js

@@ -0,0 +1,77 @@
+import net from "node:net";
+export async function buildPeerReadiness(config) {
+    const listenUrl = peerListenUrl(config);
+    const localListening = await checkLocalPort(config.peerHost, config.peerPort);
+    const loopbackOnly = isLoopbackUrl(listenUrl);
+    const bindLoopbackOnly = isLoopbackHost(config.peerHost);
+    const warnings = [];
+    if (!config.peerEnabled) {
+        warnings.push("Peer server is disabled. Invites can be created, but pairing will fail until NORDRELAY_PEER_ENABLED=true and NordRelay is restarted.");
+    }
+    if (config.peerEnabled && !localListening) {
+        warnings.push(`Peer server is enabled, but no listener was detected on ${connectHostForBindHost(config.peerHost)}:${config.peerPort}.`);
+    }
+    if (loopbackOnly) {
+        warnings.push("Listen URL uses a loopback host. Other machines cannot reach this URL unless they run on the same host.");
+    }
+    if (bindLoopbackOnly && !loopbackOnly) {
+        warnings.push("Peer server is bound to loopback. Remote access requires a local tunnel, reverse proxy, or port forward to this host.");
+    }
+    if (!config.peerTlsEnabled && (!loopbackOnly || !bindLoopbackOnly)) {
+        warnings.push("Peer TLS is disabled. Use TLS for non-loopback or internet-reachable peer endpoints.");
+    }
+    return {
+        enabled: config.peerEnabled,
+        listenUrl,
+        bindHost: config.peerHost,
+        port: config.peerPort,
+        tlsEnabled: config.peerTlsEnabled,
+        requireTls: config.peerRequireTls,
+        localListening,
+        loopbackOnly,
+        bindLoopbackOnly,
+        manualCheckCommand: `nordrelay peer check ${listenUrl}`,
+        warnings,
+    };
+}
+export function peerListenUrl(config) {
+    if (config.peerPublicUrl)
+        return config.peerPublicUrl;
+    const scheme = config.peerTlsEnabled ? "https" : "http";
+    const host = config.peerHost === "0.0.0.0" || config.peerHost === "::" ? "127.0.0.1" : config.peerHost;
+    const displayHost = host.includes(":") && !host.startsWith("[") ? `[${host}]` : host;
+    return `${scheme}://${displayHost}:${config.peerPort}`;
+}
+function checkLocalPort(host, port) {
+    return new Promise((resolve) => {
+        const socket = net.createConnection({ host: connectHostForBindHost(host), port });
+        const finish = (ok) => {
+            socket.removeAllListeners();
+            socket.destroy();
+            resolve(ok);
+        };
+        socket.setTimeout(1_500);
+        socket.once("connect", () => finish(true));
+        socket.once("timeout", () => finish(false));
+        socket.once("error", () => finish(false));
+    });
+}
+function connectHostForBindHost(host) {
+    if (!host || host === "0.0.0.0")
+        return "127.0.0.1";
+    if (host === "::")
+        return "::1";
+    return host;
+}
+function isLoopbackUrl(value) {
+    try {
+        return isLoopbackHost(new URL(value).hostname);
+    }
+    catch {
+        return false;
+    }
+}
+function isLoopbackHost(host) {
+    const normalized = host.replace(/^\[|\]$/g, "").toLowerCase();
+    return normalized === "localhost" || normalized === "::1" || normalized === "0:0:0:0:0:0:0:1" || normalized.startsWith("127.");
+}