@openparachute/hub 0.3.0-rc.1 → 0.5.1

package/src/commands/expose.ts

@@ -31,7 +31,6 @@ import {
   buildWellKnown,
   isVaultEntry,
   shortName,
-  vaultInstanceName,
   writeWellKnownFile,
 } from "../well-known.ts";
 import { restart } from "./lifecycle.ts";
@@ -59,7 +58,7 @@ export interface ExposeOpts {
   statePath?: string;
   wellKnownPath?: string;
   hubPath?: string;
-  /** Directory holding hub.html + parachute.json (passed to the hub server). */
+  /** Directory holding hub.html (passed to the hub server). */
   wellKnownDir?: string;
   configDir?: string;
   port?: number;
@@ -105,11 +104,14 @@ export interface ExposeOpts {
 const HUB_DEPENDENT_SHORTS = ["vault"] as const;
 
 /**
- * OAuth paths the hub fronts on behalf of vault (Phase 0: vault implements
- * OAuth, hub owns the public URL). The mount path is what clients see; the
- * target tail is what vault expects. tailscale strips the mount before
- * forwarding, so the target must include vault's `/vault/<name>` prefix to
- * land at the right handler.
+ * OAuth paths the hub serves natively. The mount path is what clients see;
+ * the target is the hub's loopback origin (where `hub-server.ts` is
+ * listening). tailscale strips the mount before forwarding, so the target
+ * must include the same path so the hub-server router sees the full URL.
+ *
+ * Pre-cli#58 (PR (c)) these were proxied to vault's `/vault/<name>/oauth/*`
+ * handlers; after PR (c) the hub IS the OAuth IdP and vault validates
+ * hub-issued JWTs (vault#169).
  */
 const OAUTH_PATHS = [
   "/.well-known/oauth-authorization-server",
@@ -119,12 +121,17 @@ const OAUTH_PATHS = [
 ] as const;
 
 /**
- * Single-vault launch assumption: find the first `parachute-vault` entry.
- * Multi-vault OAuth routing is Phase 2+ (design note open-question #4).
+ * Single tailscale serve mount that catches every `/vault/<name>/...` request
+ * and routes it through the hub. The hub then reads services.json on each
+ * request to pick the right vault backend (#144). Consolidating to one mount
+ * means `parachute vault create techne` is reachable on the tailnet without
+ * re-running `parachute expose` — only the hub-internal lookup needs to know
+ * about the new path.
+ *
+ * Trailing slash distinguishes the mount from `/vaults` (the create-vault
+ * POST endpoint, an exact-match on hub).
  */
-function primaryVault(services: readonly ServiceEntry[]): ServiceEntry | undefined {
-  return services.find((s) => isVaultEntry(s));
-}
+const VAULT_MOUNT = "/vault/";
 
 /**
  * Remap legacy `paths: ["/"]` entries to `/<shortname>` so they don't collide
@@ -212,7 +219,15 @@ function planEntries(services: readonly ServiceEntry[], hubPort: number): ServeE
     target: serviceProxyTarget(hubPort, HUB_MOUNT),
     service: "hub",
   });
+  let anyVault = false;
   for (const s of services) {
+    if (isVaultEntry(s)) {
+      // Vault paths route through the single `/vault/` → hub mount below so
+      // `parachute vault create <name>` is reachable on the tailnet without
+      // a re-expose. Hub does the per-request services.json lookup (#144).
+      anyVault = true;
+      continue;
+    }
     const mount = s.paths[0] ?? `/${shortName(s.name)}`;
     entries.push({
       kind: "proxy",
@@ -221,6 +236,14 @@ function planEntries(services: readonly ServiceEntry[], hubPort: number): ServeE
       service: s.name,
     });
   }
+  if (anyVault) {
+    entries.push({
+      kind: "proxy",
+      mount: VAULT_MOUNT,
+      target: serviceProxyTarget(hubPort, VAULT_MOUNT),
+      service: "vault",
+    });
+  }
   entries.push({
     kind: "proxy",
     mount: WELL_KNOWN_MOUNT,
@@ -228,21 +251,17 @@ function planEntries(services: readonly ServiceEntry[], hubPort: number): ServeE
     service: "well-known",
   });
 
-  // Phase 0 OAuth seam: hub origin owns the public OAuth URLs; vault owns
-  // the implementation. When vault is installed, mount the four endpoints
-  // at the hub origin and proxy them into vault's `/vault/<name>/oauth/*`.
-  const vault = primaryVault(services);
-  if (vault) {
-    const vaultMount = vault.paths[0] ?? `/vault/${vaultInstanceName(vault)}`;
-    const vaultBase = vaultMount.replace(/\/$/, "");
-    for (const oauthPath of OAUTH_PATHS) {
-      entries.push({
-        kind: "proxy",
-        mount: oauthPath,
-        target: `http://127.0.0.1:${vault.port}${vaultBase}${oauthPath}`,
-        service: `${vault.name}:oauth`,
-      });
-    }
+  // The hub is the OAuth IdP — mount the four endpoints at the canonical
+  // origin and proxy them to the hub's loopback. tailscale strips the mount
+  // before forwarding, so the target keeps the same path (matches the
+  // `serviceProxyTarget` rule of thumb in the doc above).
+  for (const oauthPath of OAUTH_PATHS) {
+    entries.push({
+      kind: "proxy",
+      mount: oauthPath,
+      target: serviceProxyTarget(hubPort, oauthPath),
+      service: "hub:oauth",
+    });
   }
   return entries;
 }
@@ -372,12 +391,22 @@ export async function exposeUp(layer: ExposeLayer, opts: ExposeOpts = {}): Promi
     );
   }
 
+  // Kept for manual debugging / inspection only — the hub server now builds
+  // /.well-known/parachute.json dynamically from services.json at request time
+  // (#135), so this on-disk copy is no longer load-bearing for any consumer.
   const wellKnownDoc = buildWellKnown({ services, canonicalOrigin });
   writeWellKnownFile(wellKnownDoc, wellKnownFilePath);
   log(`Wrote ${wellKnownFilePath}`);
   writeHubFile(hubFilePath);
   log(`Wrote ${hubFilePath}`);
 
+  // Resolve the public hub origin before spawning the hub server — it gets
+  // baked into the OAuth `iss` claim via the `--issuer` flag. Falling back to
+  // the request origin would put `http://127.0.0.1:<port>` in tokens, which
+  // any client following RFC 8414 would reject.
+  const hubOrigin =
+    deriveHubOrigin({ override: opts.hubOrigin, exposeFqdn: fqdn }) ?? canonicalOrigin;
+
   let hubPort: number;
   if (opts.skipHub) {
     const existing = readHubPort(configDir);
@@ -391,6 +420,7 @@ export async function exposeUp(layer: ExposeLayer, opts: ExposeOpts = {}): Promi
       ...(opts.hubEnsureOpts ?? {}),
       configDir,
       wellKnownDir,
+      issuer: hubOrigin,
       log,
     });
     hubPort = hub.port;
@@ -415,8 +445,6 @@ export async function exposeUp(layer: ExposeLayer, opts: ExposeOpts = {}): Promi
     return code;
   }
 
-  const hubOrigin =
-    deriveHubOrigin({ override: opts.hubOrigin, exposeFqdn: fqdn }) ?? canonicalOrigin;
   const state: ExposeState = {
     version: 1,
     layer,
@@ -433,13 +461,14 @@ export async function exposeUp(layer: ExposeLayer, opts: ExposeOpts = {}): Promi
   if (layer === "public") {
     log(`✓ Public exposure active (Funnel). Open: ${canonicalOrigin}/`);
     log("  This node is reachable from the public internet.");
+    log(
+      "  Note: public is exploratory. Tailnet is the supported exposure shape today; the hub's OAuth + scope work targets tailnet first. Prefer `parachute expose tailnet` unless you specifically need a public URL.",
+    );
   } else {
     log(`✓ Tailnet exposure active. Open: ${canonicalOrigin}/`);
   }
   log(`  Discovery: ${canonicalOrigin}${WELL_KNOWN_MOUNT}`);
-  if (primaryVault(services)) {
-    log(`  OAuth issuer: ${hubOrigin}`);
-  }
+  log(`  OAuth issuer: ${hubOrigin}`);
 
   // Auto-restart services that cache the hub origin. Aaron hit this on launch
   // day: after `expose public` first-run, vault kept its stale (loopback)
@@ -494,6 +523,8 @@ export async function exposeOff(layer: ExposeLayer, opts: ExposeOpts = {}): Prom
   }
 
   clearExposeState(statePath);
+  // Pair to the debug-only write at expose-up — clean up the inspection artifact
+  // on teardown so it doesn't outlive the layer it described.
   if (existsSync(wellKnownFilePath)) {
     unlinkSync(wellKnownFilePath);
   }