@rubytech/create-maxy 1.0.680 → 1.0.681

package/payload/server/maxy-edge.js

@@ -1,4 +1,5 @@
 import {
+  LOG_DIR,
   canAccessAdmin,
   describeRemoteSession,
   newCorrId,
@@ -9,7 +10,7 @@ import {
 
 // server/maxy-edge.ts
 import { createServer, request as httpRequest } from "http";
-import { createConnection as createConnection2 } from "net";
+import { createConnection as createConnection3 } from "net";
 import { readFileSync, existsSync, watchFile } from "fs";
 import { homedir } from "os";
 import { join } from "path";
@@ -275,6 +276,357 @@ Content-Length: 0\r
   socket.destroy();
 }
 
+// server/ws-proxy-ttyd.ts
+import { createConnection as createConnection2 } from "net";
+
+// app/lib/ttyd-logger.ts
+import { appendFileSync, mkdirSync } from "fs";
+import { resolve } from "path";
+var EDGE_LOG_FILE = resolve(LOG_DIR, "edge-boot.log");
+try {
+  mkdirSync(LOG_DIR, { recursive: true });
+} catch (err) {
+  console.error(`[ttyd-log-fail] mkdir ${LOG_DIR} failed: ${err.message}`);
+}
+function ttydLog(phase, fields = {}) {
+  const ts = (/* @__PURE__ */ new Date()).toISOString();
+  const kv = Object.entries(fields).map(([k, v]) => `${k}=${JSON.stringify(v)}`).join(" ");
+  const line = kv.length > 0 ? `[${ts}] [${phase}] ${kv}
+` : `[${ts}] [${phase}]
+`;
+  try {
+    appendFileSync(EDGE_LOG_FILE, line);
+  } catch (err) {
+    console.error(`[ttyd-log-fail] ${err.message} \u2014 dropped: ${line.slice(0, 300).trim()}`);
+  }
+}
+
+// server/ws-proxy-ttyd.ts
+var WS_PATH2 = "/ttyd";
+var UPSTREAM_TIMEOUT_MS2 = 5e3;
+var FLOW_ACTIVE_INTERVAL_MS = 5e3;
+var FLOW_IDLE_INTERVAL_MS = 3e4;
+var CHUNK_THROTTLE_MS = 1e3;
+var CHUNK_UNTHROTTLED_COUNT = 5;
+var HOP_BY_HOP2 = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade"
+]);
+function attachTtydWsProxy(server2, opts) {
+  const upstreamHost = opts.upstreamHost ?? "127.0.0.1";
+  const upstreamPort = opts.upstreamPort ?? 7681;
+  const now = opts.now ?? (() => Date.now());
+  server2.on("upgrade", (req, clientSocket, head) => {
+    try {
+      handleUpgrade2(req, clientSocket, head, {
+        isPublicHost: opts.isPublicHost,
+        upstreamHost,
+        upstreamPort,
+        now
+      });
+    } catch (err) {
+      ttydLog("ttyd-ws-upgrade", {
+        decision: "rejected",
+        reason: "handler-exception",
+        err: err.message
+      });
+      clientSocket.destroy();
+    }
+  });
+}
+function handleUpgrade2(req, clientSocket, head, opts) {
+  const url = req.url ?? "";
+  const qsIndex = url.indexOf("?");
+  const pathname = qsIndex === -1 ? url : url.slice(0, qsIndex);
+  if (pathname !== WS_PATH2) return;
+  const corrId = newCorrId();
+  const query = qsIndex === -1 ? "" : url.slice(qsIndex + 1);
+  const clientCorrId = sanitizeClientCorrId(parseQueryParam2(query, "corrId"));
+  const hostHeader = (req.headers.host ?? "").split(":")[0];
+  const originHeader = headerString2(req.headers.origin);
+  const remote = req.socket.remoteAddress;
+  const xff = headerString2(req.headers["x-forwarded-for"]);
+  const cookieHeader = headerString2(req.headers.cookie);
+  const decision = canAccessAdmin({
+    host: hostHeader,
+    remoteAddress: remote,
+    xForwardedFor: xff,
+    cookieHeader,
+    isPublicHost: opts.isPublicHost
+  });
+  if (!decision.allow) {
+    const status = decision.reason === "public-host" ? 404 : 401;
+    const rawToken = parseCookieValue(cookieHeader, "__remote_session");
+    const tokenInfo = describeRemoteSession(rawToken);
+    ttydLog("ttyd-ws-upgrade", {
+      corrId,
+      clientCorrId: clientCorrId ?? null,
+      decision: "rejected",
+      reason: decision.reason,
+      ip: remote,
+      xff: xff ?? null,
+      origin: originHeader ?? null,
+      host: hostHeader,
+      cookieHeaderPresent: cookieHeader != null && cookieHeader.length > 0,
+      tokenPresent: tokenInfo.present,
+      tokenExpired: tokenInfo.expired
+    });
+    writeStatusAndDestroy2(clientSocket, status, decision.reason === "public-host" ? "Not Found" : "Unauthorized");
+    return;
+  }
+  const originHost = parseOriginHost2(originHeader);
+  if (!originHost) {
+    ttydLog("ttyd-ws-upgrade", {
+      corrId,
+      clientCorrId: clientCorrId ?? null,
+      decision: "rejected",
+      reason: "origin-missing-or-invalid",
+      origin: originHeader ?? null,
+      host: hostHeader,
+      ip: remote
+    });
+    writeStatusAndDestroy2(clientSocket, 403, "Forbidden");
+    return;
+  }
+  if (originHost !== hostHeader) {
+    ttydLog("ttyd-ws-upgrade", {
+      corrId,
+      clientCorrId: clientCorrId ?? null,
+      decision: "rejected",
+      reason: "origin-mismatch",
+      origin_host: originHost,
+      host: hostHeader,
+      ip: remote
+    });
+    writeStatusAndDestroy2(clientSocket, 403, "Forbidden");
+    return;
+  }
+  if (opts.isPublicHost(originHost)) {
+    ttydLog("ttyd-ws-upgrade", {
+      corrId,
+      clientCorrId: clientCorrId ?? null,
+      decision: "rejected",
+      reason: "origin-public-host",
+      origin_host: originHost,
+      host: hostHeader,
+      ip: remote
+    });
+    writeStatusAndDestroy2(clientSocket, 403, "Forbidden");
+    return;
+  }
+  ttydLog("ttyd-ws-upgrade", {
+    corrId,
+    clientCorrId: clientCorrId ?? null,
+    decision: "accepted",
+    ip: remote,
+    xff: xff ?? null,
+    origin: originHeader ?? null,
+    host: hostHeader,
+    sec_ws_version: headerString2(req.headers["sec-websocket-version"]) ?? null,
+    sec_ws_protocol: headerString2(req.headers["sec-websocket-protocol"]) ?? null
+  });
+  const connectStart = opts.now();
+  const upstream = createConnection2({ host: opts.upstreamHost, port: opts.upstreamPort });
+  upstream.setTimeout(UPSTREAM_TIMEOUT_MS2);
+  let bytesClientToUpstream = 0;
+  let bytesUpstreamToClient = 0;
+  let lastFlowBytesClient = 0;
+  let lastFlowBytesUpstream = 0;
+  let lastActivityAt = opts.now();
+  let lastChunkLogAtClient = 0;
+  let lastChunkLogAtUpstream = 0;
+  let chunkCountClient = 0;
+  let chunkCountUpstream = 0;
+  let closedBy = null;
+  let proxyOpened = false;
+  const sessionStart = opts.now();
+  let flowHandle = null;
+  let currentFlowInterval = FLOW_ACTIVE_INTERVAL_MS;
+  const scheduleFlow = (intervalMs) => {
+    if (flowHandle) clearInterval(flowHandle);
+    currentFlowInterval = intervalMs;
+    flowHandle = setInterval(emitFlow, intervalMs);
+  };
+  const emitFlow = () => {
+    if (!proxyOpened || closedBy) return;
+    const deltaClient = bytesClientToUpstream - lastFlowBytesClient;
+    const deltaUpstream = bytesUpstreamToClient - lastFlowBytesUpstream;
+    lastFlowBytesClient = bytesClientToUpstream;
+    lastFlowBytesUpstream = bytesUpstreamToClient;
+    const idleMs = opts.now() - lastActivityAt;
+    ttydLog("ttyd-proxy-flow", {
+      corrId,
+      clientBytes: bytesClientToUpstream,
+      upstreamBytes: bytesUpstreamToClient,
+      clientBytesDelta: deltaClient,
+      upstreamBytesDelta: deltaUpstream,
+      idleMs
+    });
+    const active = deltaClient > 0 || deltaUpstream > 0;
+    const desiredInterval = active ? FLOW_ACTIVE_INTERVAL_MS : FLOW_IDLE_INTERVAL_MS;
+    if (desiredInterval !== currentFlowInterval) scheduleFlow(desiredInterval);
+  };
+  const finish = (side, reason) => {
+    if (closedBy) return;
+    closedBy = side;
+    if (flowHandle) {
+      clearInterval(flowHandle);
+      flowHandle = null;
+    }
+    if (proxyOpened) {
+      ttydLog("ttyd-proxy-close", {
+        corrId,
+        closedBy: side,
+        reason,
+        clientBytes: bytesClientToUpstream,
+        upstreamBytes: bytesUpstreamToClient,
+        durationMs: opts.now() - sessionStart
+      });
+    }
+    clientSocket.destroy();
+    upstream.destroy();
+  };
+  upstream.once("connect", () => {
+    upstream.setTimeout(0);
+    proxyOpened = true;
+    ttydLog("ttyd-proxy-open", {
+      corrId,
+      upstream: `${opts.upstreamHost}:${opts.upstreamPort}`,
+      connect_ms: opts.now() - connectStart
+    });
+    const lines = [];
+    lines.push(`${req.method ?? "GET"} ${WS_PATH2} HTTP/${req.httpVersion}`);
+    lines.push(`host: ${opts.upstreamHost}:${opts.upstreamPort}`);
+    for (const [name, value] of Object.entries(req.headers)) {
+      if (name === "host") continue;
+      if (HOP_BY_HOP2.has(name)) continue;
+      if (value == null) continue;
+      if (Array.isArray(value)) {
+        for (const v of value) lines.push(`${name}: ${v}`);
+      } else {
+        lines.push(`${name}: ${value}`);
+      }
+    }
+    const upgradeHeader = headerString2(req.headers.upgrade);
+    const connectionHeader = headerString2(req.headers.connection);
+    if (upgradeHeader) lines.push(`upgrade: ${upgradeHeader}`);
+    if (connectionHeader) lines.push(`connection: ${connectionHeader}`);
+    upstream.write(lines.join("\r\n") + "\r\n\r\n");
+    if (head && head.length > 0) upstream.write(head);
+    const logChunk = (dir, bytes) => {
+      const now = opts.now();
+      if (dir === "client\u2192upstream") {
+        chunkCountClient += 1;
+        const sinceLastMs = lastChunkLogAtClient === 0 ? 0 : now - lastChunkLogAtClient;
+        if (chunkCountClient <= CHUNK_UNTHROTTLED_COUNT || sinceLastMs >= CHUNK_THROTTLE_MS) {
+          ttydLog("ttyd-proxy-chunk", { corrId, dir, bytes, sinceLastMs });
+          lastChunkLogAtClient = now;
+        }
+      } else {
+        chunkCountUpstream += 1;
+        const sinceLastMs = lastChunkLogAtUpstream === 0 ? 0 : now - lastChunkLogAtUpstream;
+        if (chunkCountUpstream <= CHUNK_UNTHROTTLED_COUNT || sinceLastMs >= CHUNK_THROTTLE_MS) {
+          ttydLog("ttyd-proxy-chunk", { corrId, dir, bytes, sinceLastMs });
+          lastChunkLogAtUpstream = now;
+        }
+      }
+      lastActivityAt = now;
+    };
+    clientSocket.on("data", (chunk) => {
+      bytesClientToUpstream += chunk.length;
+      logChunk("client\u2192upstream", chunk.length);
+    });
+    upstream.on("data", (chunk) => {
+      bytesUpstreamToClient += chunk.length;
+      logChunk("upstream\u2192client", chunk.length);
+    });
+    clientSocket.pipe(upstream);
+    upstream.pipe(clientSocket);
+    scheduleFlow(FLOW_ACTIVE_INTERVAL_MS);
+    clientSocket.once("close", (hadError) => {
+      finish("client", hadError ? "error" : "normal");
+    });
+    upstream.once("close", (hadError) => {
+      finish("upstream", hadError ? "error" : "normal");
+    });
+    clientSocket.once("error", (err) => {
+      ttydLog("ttyd-proxy-error", { corrId, side: "client", err: err.message });
+      finish("client", "error");
+    });
+    upstream.once("error", (err) => {
+      ttydLog("ttyd-proxy-error", { corrId, side: "upstream", err: err.message });
+      finish("upstream", "error");
+    });
+  });
+  upstream.once("timeout", () => {
+    if (proxyOpened) return;
+    ttydLog("ttyd-proxy-error", {
+      corrId,
+      side: "upstream-connect",
+      err: "timeout",
+      timeout_ms: UPSTREAM_TIMEOUT_MS2
+    });
+    writeStatusAndDestroy2(clientSocket, 504, "Gateway Timeout");
+    upstream.destroy();
+  });
+  upstream.once("error", (err) => {
+    if (proxyOpened) return;
+    ttydLog("ttyd-proxy-error", {
+      corrId,
+      side: "upstream-connect",
+      err: err.message
+    });
+    writeStatusAndDestroy2(clientSocket, 502, "Bad Gateway");
+    upstream.destroy();
+  });
+}
+function parseQueryParam2(query, key) {
+  if (!query) return null;
+  for (const pair of query.split("&")) {
+    const eq = pair.indexOf("=");
+    const k = eq === -1 ? pair : pair.slice(0, eq);
+    if (k !== key) continue;
+    const v = eq === -1 ? "" : pair.slice(eq + 1);
+    try {
+      return decodeURIComponent(v);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+function headerString2(value) {
+  if (value == null) return void 0;
+  return Array.isArray(value) ? value[0] : value;
+}
+function parseOriginHost2(origin) {
+  if (!origin) return null;
+  try {
+    return new URL(origin).hostname;
+  } catch {
+    return null;
+  }
+}
+function writeStatusAndDestroy2(socket, status, statusText) {
+  try {
+    socket.write(
+      `HTTP/1.1 ${status} ${statusText}\r
+Connection: close\r
+Content-Length: 0\r
+\r
+`
+    );
+  } catch {
+  }
+  socket.destroy();
+}
+
 // server/maxy-edge.ts
 var PLATFORM_ROOT = process.env.MAXY_PLATFORM_ROOT || "";
 var BRAND_JSON_PATH = PLATFORM_ROOT ? join(PLATFORM_ROOT, "config", "brand.json") : "";
@@ -312,7 +664,9 @@ var UPSTREAM_HOST = process.env.MAXY_UI_HOST ?? "127.0.0.1";
 var UPSTREAM_PORT = parseInt(process.env.MAXY_UI_PORT ?? "19199", 10);
 var WEBSOCKIFY_HOST = process.env.WEBSOCKIFY_HOST ?? "127.0.0.1";
 var WEBSOCKIFY_PORT = parseInt(process.env.WEBSOCKIFY_PORT ?? "6080", 10);
-var HOP_BY_HOP2 = /* @__PURE__ */ new Set([
+var TTYD_HOST = process.env.TTYD_HOST ?? "127.0.0.1";
+var TTYD_PORT = parseInt(process.env.TTYD_PORT ?? "7681", 10);
+var HOP_BY_HOP3 = /* @__PURE__ */ new Set([
   "connection",
   "keep-alive",
   "proxy-authenticate",
@@ -326,7 +680,7 @@ function forwardHttp(clientReq, clientRes) {
   const headers = {};
   for (const [name, value] of Object.entries(clientReq.headers)) {
     if (value == null) continue;
-    if (HOP_BY_HOP2.has(name)) continue;
+    if (HOP_BY_HOP3.has(name)) continue;
     headers[name] = value;
   }
   const existingXff = headers["x-forwarded-for"];
@@ -356,7 +710,7 @@ function forwardHttp(clientReq, clientRes) {
   clientReq.pipe(upstream);
 }
 function forwardUpgrade(req, clientSocket, head) {
-  const upstream = createConnection2({ host: UPSTREAM_HOST, port: UPSTREAM_PORT });
+  const upstream = createConnection3({ host: UPSTREAM_HOST, port: UPSTREAM_PORT });
   upstream.setTimeout(5e3);
   upstream.once("connect", () => {
     upstream.setTimeout(0);
@@ -365,7 +719,7 @@ function forwardUpgrade(req, clientSocket, head) {
     lines.push(`host: ${UPSTREAM_HOST}:${UPSTREAM_PORT}`);
     for (const [name, value] of Object.entries(req.headers)) {
       if (name === "host") continue;
-      if (HOP_BY_HOP2.has(name)) continue;
+      if (HOP_BY_HOP3.has(name)) continue;
       if (value == null) continue;
       if (Array.isArray(value)) {
         for (const v of value) lines.push(`${name}: ${v}`);
@@ -416,15 +770,22 @@ attachVncWsProxy(server, {
   upstreamHost: WEBSOCKIFY_HOST,
   upstreamPort: WEBSOCKIFY_PORT
 });
+attachTtydWsProxy(server, {
+  isPublicHost,
+  upstreamHost: TTYD_HOST,
+  upstreamPort: TTYD_PORT
+});
 server.on("upgrade", (req, socket, head) => {
   const url = req.url ?? "";
   const qsIndex = url.indexOf("?");
   const pathname = qsIndex === -1 ? url : url.slice(0, qsIndex);
   if (pathname === "/websockify") return;
+  if (pathname === "/ttyd") return;
   forwardUpgrade(req, socket, head);
 });
 server.listen(EDGE_PORT, EDGE_HOSTNAME, () => {
   console.log(`[edge] listening on http://${EDGE_HOSTNAME}:${EDGE_PORT}`);
   console.log(`[edge] /websockify \u2192 ${WEBSOCKIFY_HOST}:${WEBSOCKIFY_PORT}`);
+  console.log(`[edge] /ttyd       \u2192 ${TTYD_HOST}:${TTYD_PORT}`);
   console.log(`[edge] everything else \u2192 ${UPSTREAM_HOST}:${UPSTREAM_PORT}`);
 });