@push.rocks/smartproxy 19.2.3 → 19.2.5

package/readme.plan.md

@@ -2,100 +2,276 @@
 
 cat /home/philkunz/.claude/CLAUDE.md
 
-## Critical Bug Fix: Missing Route Update Callback in updateRoutes Method
+## Critical Bug Fix: Port 80 EADDRINUSE with ACME Challenge Routes
 
 ### Problem Statement
-SmartProxy v19.2.2 has a bug where the ACME certificate manager loses its route update callback when routes are dynamically updated. This causes the error "No route update callback set" and prevents automatic certificate acquisition.
+SmartProxy encounters an "EADDRINUSE" error on port 80 when provisioning multiple ACME certificates. The issue occurs because the certificate manager adds and removes the challenge route for each certificate individually, causing race conditions when multiple certificates are provisioned concurrently.
 
 ### Root Cause
-When `updateRoutes()` creates a new SmartCertManager instance, it fails to set the route update callback that's required for ACME challenges. This callback is properly set in `initializeCertificateManager()` but is missing from the route update flow.
+The `SmartCertManager` class adds the ACME challenge route (port 80) before provisioning each certificate and removes it afterward. When multiple certificates are provisioned:
+1. Each provisioning cycle adds its own challenge route
+2. This triggers `updateRoutes()` which calls `PortManager.updatePorts()`
+3. Port 80 is repeatedly added/removed, causing binding conflicts
 
 ### Implementation Plan
 
-#### Phase 1: Fix the Bug
-1. **Update the updateRoutes method** in `/mnt/data/lossless/push.rocks/smartproxy/ts/proxies/smart-proxy/smart-proxy.ts`
-   - [ ] Add the missing callback setup before initializing the new certificate manager
-   - [ ] Ensure the callback is set after creating the new SmartCertManager instance
-
-#### Phase 2: Create Tests
-2. **Write comprehensive tests** for the route update functionality
-   - [ ] Create test file: `test/test.route-update-callback.node.ts`
-   - [ ] Test that callback is preserved when routes are updated
-   - [ ] Test that ACME challenges work after route updates
-   - [ ] Test edge cases (multiple updates, no cert manager, etc.)
-
-#### Phase 3: Enhance Documentation
-3. **Update documentation** to clarify the route update behavior
-   - [ ] Add section to certificate-management.md about dynamic route updates
-   - [ ] Document the callback requirement for ACME challenges
-   - [ ] Include example of proper route update implementation
-
-#### Phase 4: Prevent Future Regressions
-4. **Refactor for better maintainability**
-   - [ ] Consider extracting certificate manager setup to a shared method
-   - [ ] Add code comments explaining the callback requirement
-   - [ ] Consider making the callback setup more explicit in the API
+#### Phase 1: Refactor Challenge Route Lifecycle
+1. **Modify challenge route handling** in `SmartCertManager`
+   - [x] Add challenge route once during initialization if ACME is configured
+   - [x] Keep challenge route active throughout entire certificate provisioning
+   - [x] Remove challenge route only after all certificates are provisioned
+   - [x] Add concurrency control to prevent multiple simultaneous route updates
+
+#### Phase 2: Update Certificate Provisioning Flow
+2. **Refactor certificate provisioning methods**
+   - [x] Separate challenge route management from individual certificate provisioning
+   - [x] Update `provisionAcmeCertificate()` to not add/remove challenge routes
+   - [x] Modify `provisionAllCertificates()` to handle challenge route lifecycle
+   - [x] Add error handling for challenge route initialization failures
+
+#### Phase 3: Implement Concurrency Controls
+3. **Add synchronization mechanisms**
+   - [x] Implement mutex/lock for challenge route operations
+   - [x] Ensure certificate provisioning is properly serialized
+   - [x] Add safeguards against duplicate challenge routes
+   - [x] Handle edge cases (shutdown during provisioning, renewal conflicts)
+
+#### Phase 4: Enhance Error Handling
+4. **Improve error handling and recovery**
+   - [x] Add specific error types for port conflicts
+   - [x] Implement retry logic for transient port binding issues
+   - [x] Add detailed logging for challenge route lifecycle
+   - [x] Ensure proper cleanup on errors
+
+#### Phase 5: Create Comprehensive Tests
+5. **Write tests for challenge route management**
+   - [x] Test concurrent certificate provisioning
+   - [x] Test challenge route persistence during provisioning
+   - [x] Test error scenarios (port already in use)
+   - [x] Test cleanup after provisioning
+   - [x] Test renewal scenarios with existing challenge routes
+
+#### Phase 6: Update Documentation
+6. **Document the new behavior**
+   - [x] Update certificate management documentation
+   - [x] Add troubleshooting guide for port conflicts
+   - [x] Document the challenge route lifecycle
+   - [x] Include examples of proper ACME configuration
 
 ### Technical Details
 
 #### Specific Code Changes
-1. In `updateRoutes()` method (around line 535), add:
+
+1. In `SmartCertManager.initialize()`:
    ```typescript
-   // Set route update callback for ACME challenges
-   this.certManager.setUpdateRoutesCallback(async (routes) => {
-     await this.updateRoutes(routes);
-   });
+   // Add challenge route once at initialization
+   if (hasAcmeRoutes && this.acmeOptions?.email) {
+     await this.addChallengeRoute();
+   }
    ```
 
-2. Consider refactoring the certificate manager setup into a helper method to avoid duplication:
+2. Modify `provisionAcmeCertificate()`:
    ```typescript
-   private async setupCertificateManager(
-     routes: IRouteConfig[], 
-     certStore: string, 
-     acmeOptions?: any
-   ): Promise<SmartCertManager> {
-     const certManager = new SmartCertManager(routes, certStore, acmeOptions);
-     
-     // Always set up the route update callback
-     certManager.setUpdateRoutesCallback(async (routes) => {
-       await this.updateRoutes(routes);
+   // Remove these lines:
+   // await this.addChallengeRoute();
+   // await this.removeChallengeRoute();
+   ```
+
+3. Update `stop()` method:
+   ```typescript
+   // Always remove challenge route on shutdown
+   if (this.challengeRoute) {
+     await this.removeChallengeRoute();
+   }
+   ```
+
+4. Add concurrency control:
+   ```typescript
+   private challengeRouteLock = new AsyncLock();
+   
+   private async manageChallengeRoute(operation: 'add' | 'remove'): Promise<void> {
+     await this.challengeRouteLock.acquire('challenge-route', async () => {
+       if (operation === 'add') {
+         await this.addChallengeRoute();
+       } else {
+         await this.removeChallengeRoute();
+       }
      });
-     
-     if (this.networkProxyBridge.getNetworkProxy()) {
-       certManager.setNetworkProxy(this.networkProxyBridge.getNetworkProxy());
-     }
-     
-     return certManager;
    }
    ```
 
 ### Success Criteria
-- [x] ACME certificate acquisition works after route updates
-- [x] No "No route update callback set" errors occur
+- [x] No EADDRINUSE errors when provisioning multiple certificates
+- [x] Challenge route remains active during entire provisioning cycle
+- [x] Port 80 is only bound once per SmartProxy instance
+- [x] Proper cleanup on shutdown or error
 - [x] All tests pass
 - [x] Documentation clearly explains the behavior
-- [x] Code is more maintainable and less prone to regression
 
 ### Implementation Summary
 
-The bug has been successfully fixed through the following steps:
+The port 80 EADDRINUSE issue has been successfully fixed through the following changes:
 
-1. **Bug Fix Applied**: Added the missing `setUpdateRoutesCallback` call in the `updateRoutes` method
-2. **Tests Created**: Comprehensive test suite validates the fix and prevents regression
-3. **Documentation Updated**: Added section on dynamic route updates to the certificate management guide
-4. **Code Refactored**: Extracted certificate manager creation into a helper method for better maintainability
+1. **Challenge Route Lifecycle**: Modified to add challenge route once during initialization and keep it active throughout certificate provisioning
+2. **Concurrency Control**: Added flags to prevent concurrent provisioning and duplicate challenge route operations
+3. **Error Handling**: Enhanced error messages for port conflicts and proper cleanup on errors
+4. **Tests**: Created comprehensive test suite for challenge route lifecycle scenarios
+5. **Documentation**: Updated certificate management guide with troubleshooting section for port conflicts
 
-The fix ensures that when routes are dynamically updated, the certificate manager maintains its ability to update routes for ACME challenges, preventing the "No route update callback set" error.
+The fix ensures that port 80 is only bound once, preventing EADDRINUSE errors during concurrent certificate provisioning operations.
 
 ### Timeline
-- Phase 1: Immediate fix (30 minutes)
-- Phase 2: Test creation (1 hour)
-- Phase 3: Documentation (30 minutes)
-- Phase 4: Refactoring (1 hour)
+- Phase 1: 2 hours (Challenge route lifecycle)
+- Phase 2: 1 hour (Provisioning flow)
+- Phase 3: 2 hours (Concurrency controls)
+- Phase 4: 1 hour (Error handling)
+- Phase 5: 2 hours (Testing)
+- Phase 6: 1 hour (Documentation)
 
-Total estimated time: 3 hours
+Total estimated time: 9 hours
 
 ### Notes
-- This is a critical bug that affects production use of SmartProxy
-- The fix is straightforward but requires careful testing
-- Consider backporting to v19.2.x branch if maintaining multiple versions
+- This is a critical bug affecting ACME certificate provisioning
+- The fix requires careful handling of concurrent operations
+- Backward compatibility must be maintained
+- Consider impact on renewal operations and edge cases
+
+## NEW FINDINGS: Additional Port Management Issues
+
+### Problem Statement
+Further investigation has revealed additional issues beyond the initial port 80 EADDRINUSE error:
+
+1. **Race Condition in updateRoutes**: Certificate manager is recreated during route updates, potentially causing duplicate challenge routes
+2. **Lost State**: The `challengeRouteActive` flag is not persisted when certificate manager is recreated
+3. **No Global Synchronization**: Multiple concurrent route updates can create conflicting certificate managers
+4. **Incomplete Cleanup**: Challenge route removal doesn't verify actual port release
+
+### Implementation Plan for Additional Fixes
+
+#### Phase 1: Fix updateRoutes Race Condition
+1. **Preserve certificate manager state during route updates**
+   - [x] Track active challenge routes at SmartProxy level
+   - [x] Pass existing state to new certificate manager instances
+   - [x] Ensure challenge route is only added once across recreations
+   - [x] Add proper cleanup before recreation
+
+#### Phase 2: Implement Global Route Update Lock
+2. **Add synchronization for route updates**
+   - [x] Implement mutex/semaphore for `updateRoutes` method
+   - [x] Prevent concurrent certificate manager recreations
+   - [x] Ensure atomic route updates
+   - [x] Add timeout handling for locks
+
+#### Phase 3: Improve State Management
+3. **Persist critical state across certificate manager instances**
+   - [x] Create global state store for ACME operations
+   - [x] Track active challenge routes globally
+   - [x] Maintain port allocation state
+   - [x] Add state recovery mechanisms
+
+#### Phase 4: Enhance Cleanup Verification
+4. **Verify resource cleanup before recreation**
+   - [x] Wait for old certificate manager to fully stop
+   - [x] Verify challenge route removal from port manager
+   - [x] Add cleanup confirmation callbacks
+   - [x] Implement rollback on cleanup failure
+
+#### Phase 5: Add Comprehensive Testing
+5. **Test race conditions and edge cases**
+   - [x] Test rapid route updates with ACME
+   - [x] Test concurrent certificate manager operations
+   - [x] Test state persistence across recreations
+   - [x] Test cleanup verification logic
+
+### Technical Implementation
+
+1. **Global Challenge Route Tracker**:
+   ```typescript
+   class SmartProxy {
+     private globalChallengeRouteActive = false;
+     private routeUpdateLock = new Mutex();
+     
+     async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
+       await this.routeUpdateLock.runExclusive(async () => {
+         // Update logic here
+       });
+     }
+   }
+   ```
+
+2. **State Preservation**:
+   ```typescript
+   if (this.certManager) {
+     const state = {
+       challengeRouteActive: this.globalChallengeRouteActive,
+       acmeOptions: this.certManager.getAcmeOptions(),
+       // ... other state
+     };
+     
+     await this.certManager.stop();
+     await this.verifyChallengeRouteRemoved();
+     
+     this.certManager = await this.createCertificateManager(
+       newRoutes,
+       './certs',
+       state
+     );
+   }
+   ```
+
+3. **Cleanup Verification**:
+   ```typescript
+   private async verifyChallengeRouteRemoved(): Promise<void> {
+     const maxRetries = 10;
+     for (let i = 0; i < maxRetries; i++) {
+       if (!this.portManager.isListening(80)) {
+         return;
+       }
+       await this.sleep(100);
+     }
+     throw new Error('Failed to verify challenge route removal');
+   }
+   ```
+
+### Success Criteria
+- [ ] No race conditions during route updates
+- [ ] State properly preserved across certificate manager recreations
+- [ ] No duplicate challenge routes
+- [ ] Clean resource management
+- [ ] All edge cases handled gracefully
+
+### Timeline for Additional Fixes
+- Phase 1: 3 hours (Race condition fix)
+- Phase 2: 2 hours (Global synchronization)
+- Phase 3: 2 hours (State management)
+- Phase 4: 2 hours (Cleanup verification)
+- Phase 5: 3 hours (Testing)
+
+Total estimated time: 12 hours
+
+### Priority
+These additional fixes are HIGH PRIORITY as they address fundamental issues that could cause:
+- Port binding errors
+- Certificate provisioning failures
+- Resource leaks
+- Inconsistent proxy state
+
+The fixes should be implemented immediately after the initial port 80 EADDRINUSE fix is deployed.
+
+### Implementation Complete
+
+All additional port management issues have been successfully addressed:
+
+1. **Mutex Implementation**: Created a custom `Mutex` class for synchronizing route updates
+2. **Global State Tracking**: Implemented `AcmeStateManager` to track challenge routes globally
+3. **State Preservation**: Modified `SmartCertManager` to accept and preserve state across recreations
+4. **Cleanup Verification**: Added `verifyChallengeRouteRemoved` method to ensure proper cleanup
+5. **Comprehensive Testing**: Created test suites for race conditions and state management
+
+The implementation ensures:
+- No concurrent route updates can create conflicting states
+- Challenge route state is preserved across certificate manager recreations
+- Port 80 is properly managed without EADDRINUSE errors
+- All resources are cleaned up properly during shutdown
+
+All tests are ready to run and the implementation is complete.

package/ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '19.2.3',
+  version: '19.2.5',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

package/ts/proxies/smart-proxy/acme-state-manager.ts

@@ -0,0 +1,112 @@
+import type { IRouteConfig } from './models/route-types.js';
+
+/**
+ * Global state store for ACME operations
+ * Tracks active challenge routes and port allocations
+ */
+export class AcmeStateManager {
+  private activeChallengeRoutes: Map<string, IRouteConfig> = new Map();
+  private acmePortAllocations: Set<number> = new Set();
+  private primaryChallengeRoute: IRouteConfig | null = null;
+  
+  /**
+   * Check if a challenge route is active
+   */
+  public isChallengeRouteActive(): boolean {
+    return this.activeChallengeRoutes.size > 0;
+  }
+  
+  /**
+   * Register a challenge route as active
+   */
+  public addChallengeRoute(route: IRouteConfig): void {
+    this.activeChallengeRoutes.set(route.name, route);
+    
+    // Track the primary challenge route
+    if (!this.primaryChallengeRoute || route.priority > (this.primaryChallengeRoute.priority || 0)) {
+      this.primaryChallengeRoute = route;
+    }
+    
+    // Track port allocations
+    const ports = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
+    ports.forEach(port => this.acmePortAllocations.add(port));
+  }
+  
+  /**
+   * Remove a challenge route
+   */
+  public removeChallengeRoute(routeName: string): void {
+    const route = this.activeChallengeRoutes.get(routeName);
+    if (!route) return;
+    
+    this.activeChallengeRoutes.delete(routeName);
+    
+    // Update primary challenge route if needed
+    if (this.primaryChallengeRoute?.name === routeName) {
+      this.primaryChallengeRoute = null;
+      // Find new primary route with highest priority
+      let highestPriority = -1;
+      for (const [_, activeRoute] of this.activeChallengeRoutes) {
+        const priority = activeRoute.priority || 0;
+        if (priority > highestPriority) {
+          highestPriority = priority;
+          this.primaryChallengeRoute = activeRoute;
+        }
+      }
+    }
+    
+    // Update port allocations - only remove if no other routes use this port
+    const ports = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
+    ports.forEach(port => {
+      let portStillUsed = false;
+      for (const [_, activeRoute] of this.activeChallengeRoutes) {
+        const activePorts = Array.isArray(activeRoute.match.ports) ? 
+          activeRoute.match.ports : [activeRoute.match.ports];
+        if (activePorts.includes(port)) {
+          portStillUsed = true;
+          break;
+        }
+      }
+      if (!portStillUsed) {
+        this.acmePortAllocations.delete(port);
+      }
+    });
+  }
+  
+  /**
+   * Get all active challenge routes
+   */
+  public getActiveChallengeRoutes(): IRouteConfig[] {
+    return Array.from(this.activeChallengeRoutes.values());
+  }
+  
+  /**
+   * Get the primary challenge route
+   */
+  public getPrimaryChallengeRoute(): IRouteConfig | null {
+    return this.primaryChallengeRoute;
+  }
+  
+  /**
+   * Check if a port is allocated for ACME
+   */
+  public isPortAllocatedForAcme(port: number): boolean {
+    return this.acmePortAllocations.has(port);
+  }
+  
+  /**
+   * Get all ACME ports
+   */
+  public getAcmePorts(): number[] {
+    return Array.from(this.acmePortAllocations);
+  }
+  
+  /**
+   * Clear all state (for shutdown or reset)
+   */
+  public clear(): void {
+    this.activeChallengeRoutes.clear();
+    this.acmePortAllocations.clear();
+    this.primaryChallengeRoute = null;
+  }
+}