@rubytech/create-realagent 1.0.673 → 1.0.676

package/payload/server/maxy-edge.js

@@ -0,0 +1,420 @@
+import {
+  canAccessAdmin,
+  newCorrId,
+  sanitizeClientCorrId,
+  vncLog
+} from "./chunk-5YIXIF6C.js";
+
+// server/maxy-edge.ts
+import { createServer, request as httpRequest } from "http";
+import { createConnection as createConnection2 } from "net";
+import { readFileSync, existsSync, watchFile } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+
+// server/ws-proxy.ts
+import { createConnection } from "net";
+var WS_PATH = "/websockify";
+var UPSTREAM_TIMEOUT_MS = 5e3;
+var HOP_BY_HOP = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade"
+]);
+function attachVncWsProxy(server2, opts) {
+  const upstreamHost = opts.upstreamHost ?? "127.0.0.1";
+  const upstreamPort = opts.upstreamPort ?? 6080;
+  server2.on("upgrade", (req, clientSocket, head) => {
+    try {
+      handleUpgrade(req, clientSocket, head, {
+        isPublicHost: opts.isPublicHost,
+        upstreamHost,
+        upstreamPort
+      });
+    } catch (err) {
+      vncLog("ws-upgrade", {
+        decision: "rejected",
+        reason: "handler-exception",
+        err: err.message
+      });
+      clientSocket.destroy();
+    }
+  });
+}
+function handleUpgrade(req, clientSocket, head, opts) {
+  const url = req.url ?? "";
+  const qsIndex = url.indexOf("?");
+  const pathname = qsIndex === -1 ? url : url.slice(0, qsIndex);
+  if (pathname !== WS_PATH) {
+    return;
+  }
+  const corrId = newCorrId();
+  const query = qsIndex === -1 ? "" : url.slice(qsIndex + 1);
+  const rawClientCorrId = parseQueryParam(query, "corrId");
+  const clientCorrId = sanitizeClientCorrId(rawClientCorrId);
+  const hostHeader = (req.headers.host ?? "").split(":")[0];
+  const originHeader = headerString(req.headers.origin);
+  const remote = req.socket.remoteAddress;
+  const xff = headerString(req.headers["x-forwarded-for"]);
+  const decision = canAccessAdmin({
+    host: hostHeader,
+    remoteAddress: remote,
+    xForwardedFor: xff,
+    cookieHeader: headerString(req.headers.cookie),
+    isPublicHost: opts.isPublicHost
+  });
+  if (!decision.allow) {
+    const status = decision.reason === "public-host" ? 404 : 401;
+    vncLog("ws-upgrade", {
+      corrId,
+      clientCorrId: clientCorrId ?? null,
+      decision: "rejected",
+      reason: decision.reason,
+      ip: remote,
+      xff: xff ?? null,
+      origin: originHeader ?? null,
+      host: hostHeader
+    });
+    writeStatusAndDestroy(clientSocket, status, decision.reason === "public-host" ? "Not Found" : "Unauthorized");
+    return;
+  }
+  const originHost = parseOriginHost(originHeader);
+  if (!originHost) {
+    vncLog("ws-upgrade", {
+      corrId,
+      clientCorrId: clientCorrId ?? null,
+      decision: "rejected",
+      reason: "origin-missing-or-invalid",
+      origin: originHeader ?? null,
+      host: hostHeader,
+      ip: remote
+    });
+    writeStatusAndDestroy(clientSocket, 403, "Forbidden");
+    return;
+  }
+  if (originHost !== hostHeader) {
+    vncLog("ws-upgrade", {
+      corrId,
+      clientCorrId: clientCorrId ?? null,
+      decision: "rejected",
+      reason: "origin-mismatch",
+      origin_host: originHost,
+      host: hostHeader,
+      ip: remote
+    });
+    writeStatusAndDestroy(clientSocket, 403, "Forbidden");
+    return;
+  }
+  if (opts.isPublicHost(originHost)) {
+    vncLog("ws-upgrade", {
+      corrId,
+      clientCorrId: clientCorrId ?? null,
+      decision: "rejected",
+      reason: "origin-public-host",
+      origin_host: originHost,
+      host: hostHeader,
+      ip: remote
+    });
+    writeStatusAndDestroy(clientSocket, 403, "Forbidden");
+    return;
+  }
+  vncLog("ws-upgrade", {
+    corrId,
+    clientCorrId: clientCorrId ?? null,
+    decision: "accepted",
+    ip: remote,
+    xff: xff ?? null,
+    origin: originHeader ?? null,
+    host: hostHeader,
+    sec_ws_version: headerString(req.headers["sec-websocket-version"]) ?? null,
+    sec_ws_protocol: headerString(req.headers["sec-websocket-protocol"]) ?? null
+  });
+  const upstream = createConnection({ host: opts.upstreamHost, port: opts.upstreamPort });
+  upstream.setTimeout(UPSTREAM_TIMEOUT_MS);
+  let bytesClientToUpstream = 0;
+  let bytesUpstreamToClient = 0;
+  let closedBy = null;
+  let proxyOpened = false;
+  const finish = (side, reason) => {
+    if (closedBy) return;
+    closedBy = side;
+    if (proxyOpened) {
+      vncLog("proxy-close", {
+        corrId,
+        closedBy: side,
+        reason,
+        clientBytes: bytesClientToUpstream,
+        upstreamBytes: bytesUpstreamToClient
+      });
+    }
+    clientSocket.destroy();
+    upstream.destroy();
+  };
+  upstream.once("connect", () => {
+    upstream.setTimeout(0);
+    proxyOpened = true;
+    vncLog("proxy-open", {
+      corrId,
+      upstream: `${opts.upstreamHost}:${opts.upstreamPort}`
+    });
+    const lines = [];
+    lines.push(`${req.method ?? "GET"} ${WS_PATH} HTTP/${req.httpVersion}`);
+    lines.push(`host: ${opts.upstreamHost}:${opts.upstreamPort}`);
+    for (const [name, value] of Object.entries(req.headers)) {
+      if (name === "host") continue;
+      if (HOP_BY_HOP.has(name)) continue;
+      if (value == null) continue;
+      if (Array.isArray(value)) {
+        for (const v of value) lines.push(`${name}: ${v}`);
+      } else {
+        lines.push(`${name}: ${value}`);
+      }
+    }
+    const upgradeHeader = headerString(req.headers.upgrade);
+    const connectionHeader = headerString(req.headers.connection);
+    if (upgradeHeader) lines.push(`upgrade: ${upgradeHeader}`);
+    if (connectionHeader) lines.push(`connection: ${connectionHeader}`);
+    upstream.write(lines.join("\r\n") + "\r\n\r\n");
+    if (head && head.length > 0) upstream.write(head);
+    clientSocket.on("data", (chunk) => {
+      bytesClientToUpstream += chunk.length;
+    });
+    upstream.on("data", (chunk) => {
+      bytesUpstreamToClient += chunk.length;
+    });
+    clientSocket.pipe(upstream);
+    upstream.pipe(clientSocket);
+    clientSocket.once("close", (hadError) => {
+      finish("client", hadError ? "error" : "normal");
+    });
+    upstream.once("close", (hadError) => {
+      finish("upstream", hadError ? "error" : "normal");
+    });
+    clientSocket.once("error", (err) => {
+      vncLog("proxy-error", { corrId, side: "client", err: err.message });
+      finish("client", "error");
+    });
+    upstream.once("error", (err) => {
+      vncLog("proxy-error", { corrId, side: "upstream", err: err.message });
+      finish("upstream", "error");
+    });
+  });
+  upstream.once("timeout", () => {
+    if (proxyOpened) return;
+    vncLog("proxy-error", {
+      corrId,
+      side: "upstream-connect",
+      err: "timeout",
+      timeout_ms: UPSTREAM_TIMEOUT_MS
+    });
+    writeStatusAndDestroy(clientSocket, 504, "Gateway Timeout");
+    upstream.destroy();
+  });
+  upstream.once("error", (err) => {
+    if (proxyOpened) return;
+    vncLog("proxy-error", {
+      corrId,
+      side: "upstream-connect",
+      err: err.message
+    });
+    writeStatusAndDestroy(clientSocket, 502, "Bad Gateway");
+    upstream.destroy();
+  });
+}
+function parseQueryParam(query, key) {
+  if (!query) return null;
+  for (const pair of query.split("&")) {
+    const eq = pair.indexOf("=");
+    const k = eq === -1 ? pair : pair.slice(0, eq);
+    if (k !== key) continue;
+    const v = eq === -1 ? "" : pair.slice(eq + 1);
+    try {
+      return decodeURIComponent(v);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+function headerString(value) {
+  if (value == null) return void 0;
+  return Array.isArray(value) ? value[0] : value;
+}
+function parseOriginHost(origin) {
+  if (!origin) return null;
+  try {
+    return new URL(origin).hostname;
+  } catch {
+    return null;
+  }
+}
+function writeStatusAndDestroy(socket, status, statusText) {
+  try {
+    socket.write(
+      `HTTP/1.1 ${status} ${statusText}\r
+Connection: close\r
+Content-Length: 0\r
+\r
+`
+    );
+  } catch {
+  }
+  socket.destroy();
+}
+
+// server/maxy-edge.ts
+var PLATFORM_ROOT = process.env.MAXY_PLATFORM_ROOT || "";
+var BRAND_JSON_PATH = PLATFORM_ROOT ? join(PLATFORM_ROOT, "config", "brand.json") : "";
+var BRAND = { configDir: ".maxy" };
+if (BRAND_JSON_PATH && existsSync(BRAND_JSON_PATH)) {
+  try {
+    const parsed = JSON.parse(readFileSync(BRAND_JSON_PATH, "utf-8"));
+    if (typeof parsed.configDir === "string") BRAND.configDir = parsed.configDir;
+  } catch (err) {
+    console.error(`[edge] brand.json parse error: ${err.message}`);
+  }
+}
+var ALIAS_DOMAINS_PATH = join(homedir(), BRAND.configDir, "alias-domains.json");
+function loadAliasDomains() {
+  try {
+    if (!existsSync(ALIAS_DOMAINS_PATH)) return /* @__PURE__ */ new Set();
+    const parsed = JSON.parse(readFileSync(ALIAS_DOMAINS_PATH, "utf-8"));
+    if (!Array.isArray(parsed)) return /* @__PURE__ */ new Set();
+    return new Set(parsed.filter((h) => typeof h === "string"));
+  } catch {
+    return /* @__PURE__ */ new Set();
+  }
+}
+var aliasDomains = loadAliasDomains();
+watchFile(ALIAS_DOMAINS_PATH, { interval: 2e3 }, () => {
+  aliasDomains = loadAliasDomains();
+  console.log(`[edge] alias-domains reloaded (${aliasDomains.size})`);
+});
+function isPublicHost(host) {
+  return host.startsWith("public.") || aliasDomains.has(host);
+}
+var EDGE_PORT = parseInt(process.env.EDGE_PORT ?? process.env.PORT ?? "19200", 10);
+var EDGE_HOSTNAME = process.env.EDGE_HOSTNAME ?? "0.0.0.0";
+var UPSTREAM_HOST = process.env.MAXY_UI_HOST ?? "127.0.0.1";
+var UPSTREAM_PORT = parseInt(process.env.MAXY_UI_PORT ?? "19199", 10);
+var WEBSOCKIFY_HOST = process.env.WEBSOCKIFY_HOST ?? "127.0.0.1";
+var WEBSOCKIFY_PORT = parseInt(process.env.WEBSOCKIFY_PORT ?? "6080", 10);
+var HOP_BY_HOP2 = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade"
+]);
+function forwardHttp(clientReq, clientRes) {
+  const headers = {};
+  for (const [name, value] of Object.entries(clientReq.headers)) {
+    if (value == null) continue;
+    if (HOP_BY_HOP2.has(name)) continue;
+    headers[name] = value;
+  }
+  const existingXff = headers["x-forwarded-for"];
+  const remote = clientReq.socket.remoteAddress ?? "";
+  headers["x-forwarded-for"] = existingXff ? Array.isArray(existingXff) ? [...existingXff, remote].join(", ") : `${existingXff}, ${remote}` : remote;
+  const upstream = httpRequest({
+    host: UPSTREAM_HOST,
+    port: UPSTREAM_PORT,
+    method: clientReq.method,
+    path: clientReq.url,
+    headers
+  });
+  upstream.on("response", (upstreamRes) => {
+    clientRes.writeHead(upstreamRes.statusCode ?? 502, upstreamRes.statusMessage, upstreamRes.headers);
+    upstreamRes.pipe(clientRes);
+  });
+  upstream.on("error", (err) => {
+    console.error(`[edge] upstream http error path=${clientReq.url} err=${err.message}`);
+    if (!clientRes.headersSent) {
+      clientRes.writeHead(502, { "content-type": "text/plain" });
+      clientRes.end("Bad Gateway (maxy-ui unavailable)");
+    } else {
+      clientRes.destroy();
+    }
+  });
+  clientReq.on("aborted", () => upstream.destroy());
+  clientReq.pipe(upstream);
+}
+function forwardUpgrade(req, clientSocket, head) {
+  const upstream = createConnection2({ host: UPSTREAM_HOST, port: UPSTREAM_PORT });
+  upstream.setTimeout(5e3);
+  upstream.once("connect", () => {
+    upstream.setTimeout(0);
+    const lines = [];
+    lines.push(`${req.method ?? "GET"} ${req.url} HTTP/${req.httpVersion}`);
+    lines.push(`host: ${UPSTREAM_HOST}:${UPSTREAM_PORT}`);
+    for (const [name, value] of Object.entries(req.headers)) {
+      if (name === "host") continue;
+      if (HOP_BY_HOP2.has(name)) continue;
+      if (value == null) continue;
+      if (Array.isArray(value)) {
+        for (const v of value) lines.push(`${name}: ${v}`);
+      } else {
+        lines.push(`${name}: ${value}`);
+      }
+    }
+    const upgradeHeader = req.headers.upgrade;
+    const connectionHeader = req.headers.connection;
+    if (typeof upgradeHeader === "string") lines.push(`upgrade: ${upgradeHeader}`);
+    if (typeof connectionHeader === "string") lines.push(`connection: ${connectionHeader}`);
+    upstream.write(lines.join("\r\n") + "\r\n\r\n");
+    if (head && head.length > 0) upstream.write(head);
+    clientSocket.pipe(upstream);
+    upstream.pipe(clientSocket);
+  });
+  const teardown = (_reason) => {
+    clientSocket.destroy();
+    upstream.destroy();
+  };
+  clientSocket.once("close", () => teardown("client-close"));
+  upstream.once("close", () => teardown("upstream-close"));
+  clientSocket.once("error", () => teardown("client-error"));
+  upstream.once("error", (err) => {
+    console.error(`[edge] upstream upgrade error path=${req.url} err=${err.message}`);
+    try {
+      clientSocket.write("HTTP/1.1 502 Bad Gateway\r\nConnection: close\r\nContent-Length: 0\r\n\r\n");
+    } catch {
+    }
+    teardown("upstream-error");
+  });
+  upstream.once("timeout", () => {
+    console.error(`[edge] upstream upgrade timeout path=${req.url}`);
+    try {
+      clientSocket.write("HTTP/1.1 504 Gateway Timeout\r\nConnection: close\r\nContent-Length: 0\r\n\r\n");
+    } catch {
+    }
+    teardown("upstream-timeout");
+  });
+}
+var server = createServer((req, res) => {
+  forwardHttp(req, res);
+});
+attachVncWsProxy(server, {
+  isPublicHost,
+  upstreamHost: WEBSOCKIFY_HOST,
+  upstreamPort: WEBSOCKIFY_PORT
+});
+server.on("upgrade", (req, socket, head) => {
+  const url = req.url ?? "";
+  const qsIndex = url.indexOf("?");
+  const pathname = qsIndex === -1 ? url : url.slice(0, qsIndex);
+  if (pathname === "/websockify") return;
+  forwardUpgrade(req, socket, head);
+});
+server.listen(EDGE_PORT, EDGE_HOSTNAME, () => {
+  console.log(`[edge] listening on http://${EDGE_HOSTNAME}:${EDGE_PORT}`);
+  console.log(`[edge] /websockify \u2192 ${WEBSOCKIFY_HOST}:${WEBSOCKIFY_PORT}`);
+  console.log(`[edge] everything else \u2192 ${UPSTREAM_HOST}:${UPSTREAM_PORT}`);
+});