@tiflis-io/tiflis-code-tunnel 0.3.5 → 0.3.7

package/dist/main.js

@@ -84,7 +84,13 @@ var EnvSchema = z.object({
   /**
    * Custom WebSocket path (defaults to /ws).
    */
-  WS_PATH: z.string().default("/ws")
+  WS_PATH: z.string().default("/ws"),
+  /**
+   * Optional path to web client static files directory.
+   * When set, the tunnel server will serve the web client at the root path.
+   * Example: "./node_modules/@tiflis-io/tiflis-code-web/dist"
+   */
+  WEB_CLIENT_PATH: z.string().optional()
 });
 function loadEnv() {
   const result = EnvSchema.safeParse(process.env);
@@ -120,16 +126,16 @@ function getProtocolVersion() {
   return `${PROTOCOL_VERSION.major}.${PROTOCOL_VERSION.minor}.${PROTOCOL_VERSION.patch}`;
 }
 var CONNECTION_TIMING = {
-  /** How often clients should send ping (15 seconds - keeps connection alive through proxies) */
-  PING_INTERVAL_MS: 15e3,
-  /** Max time to wait for ping before considering connection stale (45 seconds) */
-  PONG_TIMEOUT_MS: 45e3,
-  /** Interval for checking timed-out connections (10 seconds) */
-  TIMEOUT_CHECK_INTERVAL_MS: 1e4,
-  /** Minimum reconnect delay (1 second) */
-  RECONNECT_DELAY_MIN_MS: 1e3,
-  /** Maximum reconnect delay (30 seconds) */
-  RECONNECT_DELAY_MAX_MS: 3e4
+  /** How often clients should send ping (5 seconds - fast liveness detection) */
+  PING_INTERVAL_MS: 5e3,
+  /** Max time to wait for ping before considering connection stale (15 seconds = 3 missed pings) */
+  PONG_TIMEOUT_MS: 15e3,
+  /** Interval for checking timed-out connections (5 seconds - faster cleanup) */
+  TIMEOUT_CHECK_INTERVAL_MS: 5e3,
+  /** Minimum reconnect delay (500ms - fast first retry) */
+  RECONNECT_DELAY_MIN_MS: 500,
+  /** Maximum reconnect delay (5 seconds - don't wait too long) */
+  RECONNECT_DELAY_MAX_MS: 5e3
 };
 var WEBSOCKET_CONFIG = {
   /** Path for WebSocket endpoint */
@@ -519,6 +525,114 @@ async function handleError(error, reply, log) {
   });
 }
 
+// src/infrastructure/http/web-client-route.ts
+import fastifyStatic from "@fastify/static";
+import { existsSync, statSync } from "fs";
+import { resolve, join as join2 } from "path";
+var SECURITY_HEADERS = {
+  // Prevent MIME type sniffing
+  "X-Content-Type-Options": "nosniff",
+  // Prevent clickjacking
+  "X-Frame-Options": "DENY",
+  // XSS protection (legacy, but still useful for older browsers)
+  "X-XSS-Protection": "1; mode=block",
+  // Referrer policy
+  "Referrer-Policy": "strict-origin-when-cross-origin",
+  // Permissions policy (restrict sensitive APIs)
+  "Permissions-Policy": "camera=(), microphone=(self), geolocation=(), payment=()",
+  // Content Security Policy
+  "Content-Security-Policy": [
+    "default-src 'self'",
+    "script-src 'self'",
+    "style-src 'self' 'unsafe-inline'",
+    // unsafe-inline needed for Tailwind
+    "img-src 'self' data: blob:",
+    "font-src 'self'",
+    "connect-src 'self' ws: wss:",
+    "media-src 'self' blob:",
+    "worker-src 'self' blob:",
+    "frame-ancestors 'none'",
+    "base-uri 'self'",
+    "form-action 'self'"
+  ].join("; ")
+};
+var CACHE_CONTROL = {
+  // HTML files: no cache (SPA routing)
+  html: "no-cache, no-store, must-revalidate",
+  // Hashed assets: long cache (1 year)
+  assets: "public, max-age=31536000, immutable",
+  // Other static files: short cache (1 hour)
+  default: "public, max-age=3600"
+};
+function getCacheControl(url) {
+  if (url.endsWith(".html") || url === "/") {
+    return CACHE_CONTROL.html;
+  }
+  if (url.includes("/assets/") || url.includes(".")) {
+    const hasHash = /\.[a-f0-9]{8,}\./i.test(url);
+    return hasHash ? CACHE_CONTROL.assets : CACHE_CONTROL.default;
+  }
+  return CACHE_CONTROL.default;
+}
+async function registerWebClientRoute(app, options) {
+  const { webClientPath, logger } = options;
+  const absolutePath = resolve(webClientPath);
+  if (!existsSync(absolutePath)) {
+    logger.error(
+      { path: absolutePath },
+      "Web client path does not exist, skipping web client registration"
+    );
+    return;
+  }
+  const stats = statSync(absolutePath);
+  if (!stats.isDirectory()) {
+    logger.error(
+      { path: absolutePath },
+      "Web client path is not a directory, skipping web client registration"
+    );
+    return;
+  }
+  const indexPath = join2(absolutePath, "index.html");
+  if (!existsSync(indexPath)) {
+    logger.error(
+      { path: indexPath },
+      "Web client index.html not found, skipping web client registration"
+    );
+    return;
+  }
+  logger.info({ path: absolutePath }, "Registering web client static files");
+  app.addHook("onSend", async (request, reply, payload) => {
+    const url = request.url;
+    if (url.startsWith("/api/") || url.startsWith("/ws") || url.startsWith("/health")) {
+      return payload;
+    }
+    for (const [header, value] of Object.entries(SECURITY_HEADERS)) {
+      reply.header(header, value);
+    }
+    reply.header("Cache-Control", getCacheControl(url));
+    return payload;
+  });
+  await app.register(fastifyStatic, {
+    root: absolutePath,
+    prefix: "/",
+    // Serve index.html for SPA routing
+    wildcard: false
+  });
+  app.setNotFoundHandler(
+    async (request, reply) => {
+      const url = request.url;
+      if (url.startsWith("/api/") || url.startsWith("/ws") || url.startsWith("/health")) {
+        return reply.status(404).send({
+          error: "Not Found",
+          code: "NOT_FOUND"
+        });
+      }
+      return reply.sendFile("index.html");
+    }
+  );
+  logger.info("Web client registered successfully");
+}
+
 // src/domain/value-objects/tunnel-id.ts
 var TunnelId = class _TunnelId {
   _value;
@@ -1010,18 +1124,18 @@ var WebSocketServerWrapper = class {
       } catch {
       }
     });
-    const closePromise = new Promise((resolve, reject) => {
+    const closePromise = new Promise((resolve2, reject) => {
       wss.close((err) => {
         if (err) {
           this.logger.error({ error: err }, "Error closing WebSocket server");
           reject(err);
         } else {
           this.logger.info("WebSocket server closed gracefully");
-          resolve();
+          resolve2();
         }
       });
     });
-    const timeoutPromise = new Promise((resolve) => {
+    const timeoutPromise = new Promise((resolve2) => {
       setTimeout(() => {
         this.logger.warn(
           { timeoutMs, remainingClients: wss.clients.size },
@@ -1033,7 +1147,7 @@ var WebSocketServerWrapper = class {
           } catch {
           }
         });
-        resolve();
+        resolve2();
       }, timeoutMs);
     });
     await Promise.race([closePromise, timeoutPromise]);
@@ -2287,6 +2401,12 @@ async function bootstrap() {
     httpClientOperations,
     logger
   });
+  if (env.WEB_CLIENT_PATH) {
+    await registerWebClientRoute(app, {
+      webClientPath: env.WEB_CLIENT_PATH,
+      logger
+    });
+  }
   const wsServer = new WebSocketServerWrapper(
     {
       path: env.WS_PATH || WEBSOCKET_CONFIG.PATH,
@@ -2395,6 +2515,11 @@ bootstrap().catch((error) => {
  * @copyright 2025 Roman Barinov <rbarinov@gmail.com>
  * @license FSL-1.1-NC
  */
+/**
+ * @file web-client-route.ts
+ * @copyright 2025 Roman Barinov <rbarinov@gmail.com>
+ * @license FSL-1.1-NC
+ */
 /**
  * @file tunnel-id.ts
  * @copyright 2025 Roman Barinov <rbarinov@gmail.com>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tiflis-io/tiflis-code-tunnel",
-  "version": "0.3.5",
+  "version": "0.3.7",
   "description": "Tunnel server for tiflis-code - reverse proxy for workstation connections",
   "author": "Roman Barinov <rbarinov@gmail.com>",
   "license": "FSL-1.1-NC",
@@ -33,21 +33,22 @@
     "dist"
   ],
   "dependencies": {
+    "@fastify/static": "^8.3.0",
+    "dotenv": "^16.4.7",
     "fastify": "^5.2.1",
-    "ws": "^8.18.0",
-    "zod": "^3.24.1",
+    "nanoid": "^5.0.9",
     "pino": "^9.5.0",
     "pino-pretty": "^13.0.0",
-    "dotenv": "^16.4.7",
-    "nanoid": "^5.0.9"
+    "ws": "^8.18.0",
+    "zod": "^3.24.1"
   },
   "devDependencies": {
     "@eslint/js": "^9.17.0",
     "@types/node": "^22.10.2",
     "@types/ws": "^8.5.13",
     "eslint": "^9.17.0",
-    "tsx": "^4.19.2",
     "tsup": "^8.3.5",
+    "tsx": "^4.19.2",
     "typescript": "^5.7.2",
     "typescript-eslint": "^8.18.1",
     "vitest": "^2.1.8"