@undefineds.co/xpod 0.3.31 → 0.3.32

package/dist/api/handlers/ProvisionHandler.js

@@ -13,13 +13,41 @@
  * GET /provision/status  - Local 端 SP 状态查询（公开）
  *   返回 SP 配置状态，供 Linx 查询
  */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.registerProvisionRoutes = registerProvisionRoutes;
 exports.registerProvisionStatusRoute = registerProvisionStatusRoute;
+exports.createLocalSetupProvisionStateWriter = createLocalSetupProvisionStateWriter;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const node_crypto_1 = require("node:crypto");
 const global_logger_factory_1 = require("global-logger-factory");
 const ProvisionCodeCodec_1 = require("../../provision/ProvisionCodeCodec");
 /** 默认 24 小时 */
 const DEFAULT_TTL = 24 * 60 * 60;
+const PROVISION_STATUS_REFRESH_GRACE_SECONDS = 5 * 60;
 function registerProvisionRoutes(server, options) {
     const logger = (0, global_logger_factory_1.getLoggerFor)('ProvisionHandler');
     const { repository, baseUrl, baseStorageDomain } = options;
@@ -32,7 +60,7 @@ function registerProvisionRoutes(server, options) {
      *
      * Request:
      *   {
-     *     publicUrl: string,
+     *     publicUrl?: string,
      *     nodeId?: string,
      *     displayName?: string,
      *     ipv4?: string,
@@ -55,41 +83,70 @@ function registerProvisionRoutes(server, options) {
             sendJson(response, 400, { error: 'Invalid JSON body' });
             return;
         }
-        if (!body.publicUrl) {
-            sendJson(response, 400, { error: 'publicUrl is required' });
-            return;
-        }
-        try {
-            new URL(body.publicUrl);
-        }
-        catch {
-            sendJson(response, 400, { error: 'Invalid publicUrl format' });
-            return;
-        }
         try {
+            const domainMode = body.domainMode === 'self-managed' ? 'self-managed' : 'managed';
+            const requestedManagedDomain = normalizeRequestedManagedDomain(body.spDomain, baseStorageDomain);
+            const shouldAllocateManagedPublicUrl = !body.publicUrl && domainMode === 'managed' && Boolean(baseStorageDomain);
+            const preallocatedNodeId = shouldAllocateManagedPublicUrl
+                ? (body.nodeId ?? (0, node_crypto_1.randomUUID)())
+                : undefined;
+            const preallocatedSubdomainPrefix = preallocatedNodeId
+                ? resolveManagedSubdomainPrefix({
+                    domainMode,
+                    baseStorageDomain,
+                    requestedManagedDomain,
+                    nodeId: preallocatedNodeId,
+                })
+                : undefined;
+            const preallocatedSpDomain = preallocatedSubdomainPrefix
+                ? `${preallocatedSubdomainPrefix}.${baseStorageDomain}`
+                : undefined;
+            const effectivePublicUrl = body.publicUrl ?? derivePublicUrlFromSpDomain(preallocatedSpDomain);
+            if (!effectivePublicUrl) {
+                sendJson(response, 400, { error: 'publicUrl is required' });
+                return;
+            }
+            if (preallocatedSubdomainPrefix && baseStorageDomain && options.ddnsRepo) {
+                const existing = await options.ddnsRepo.getRecord(preallocatedSubdomainPrefix);
+                if (existing?.nodeId && existing.nodeId !== preallocatedNodeId) {
+                    sendJson(response, 409, {
+                        error: 'spDomain already allocated',
+                        spDomain: preallocatedSpDomain,
+                    });
+                    return;
+                }
+            }
+            try {
+                new URL(effectivePublicUrl);
+            }
+            catch {
+                sendJson(response, 400, { error: 'Invalid publicUrl format' });
+                return;
+            }
             const result = await repository.registerSpNode({
-                publicUrl: body.publicUrl,
+                publicUrl: effectivePublicUrl,
                 displayName: body.displayName,
-                nodeId: body.nodeId,
+                nodeId: preallocatedNodeId ?? body.nodeId,
                 nodeToken: body.nodeToken,
                 serviceToken: body.serviceToken,
             });
-            const domainMode = body.domainMode === 'self-managed' ? 'self-managed' : 'managed';
-            const requestedManagedDomain = normalizeRequestedManagedDomain(body.spDomain, baseStorageDomain);
-            const subdomainPrefix = resolveManagedSubdomainPrefix({
-                domainMode,
-                baseStorageDomain,
-                requestedManagedDomain,
-                nodeId: result.nodeId,
-            });
+            const subdomainPrefix = preallocatedSubdomainPrefix
+                ?? resolveManagedSubdomainPrefix({
+                    domainMode,
+                    baseStorageDomain,
+                    requestedManagedDomain,
+                    nodeId: result.nodeId,
+                });
             const spDomain = subdomainPrefix
                 ? `${subdomainPrefix}.${baseStorageDomain}`
                 : undefined;
+            const managedPublicUrl = derivePublicUrlFromSpDomain(spDomain);
+            const provisionSpUrl = body.publicUrl ?? managedPublicUrl ?? effectivePublicUrl;
             const tunnelState = await ensureManagedTunnelState({
                 repository,
                 nodeId: result.nodeId,
                 subdomainPrefix,
-                publicUrl: body.publicUrl,
+                publicUrl: provisionSpUrl,
                 localPort: body.localPort,
                 ipv4: body.ipv4,
                 tunnelToken: body.tunnelToken,
@@ -107,19 +164,22 @@ function registerProvisionRoutes(server, options) {
             }
             // 生成自包含 provisionCode（编码了 SP 信息，CSS 解码后直接回调 SP）
             const provisionCode = codec.encode({
-                spUrl: body.publicUrl,
+                spUrl: provisionSpUrl,
                 serviceToken: result.serviceToken,
                 nodeId: result.nodeId,
                 spDomain,
                 exp: Math.floor(Date.now() / 1000) + ttl,
             });
-            logger.info(`Registered SP node ${result.nodeId} at ${body.publicUrl}${spDomain ? `, spDomain: ${spDomain}` : ''}`);
+            logger.info(`Registered SP node ${result.nodeId} at ${provisionSpUrl}${spDomain ? `, spDomain: ${spDomain}` : ''}`);
             const responseBody = {
                 nodeId: result.nodeId,
                 nodeToken: result.nodeToken,
                 serviceToken: result.serviceToken,
                 provisionCode,
             };
+            if (managedPublicUrl) {
+                responseBody.publicUrl = managedPublicUrl;
+            }
             if (spDomain) {
                 responseBody.spDomain = spDomain;
             }
@@ -222,7 +282,6 @@ async function ensureManagedTunnelState(options) {
             localPort,
             configuredAt: new Date().toISOString(),
         },
-        publicAddress: tunnelConfig.endpoint || publicUrl,
     });
     return {
         mode,
@@ -285,7 +344,6 @@ async function ensureManagedTokenTunnelState(options) {
             configuredAt: new Date().toISOString(),
             source: 'client-token',
         },
-        publicAddress: endpoint || publicUrl,
     });
     return config;
 }
@@ -344,20 +402,79 @@ function readManagedTunnelConfig(metadata) {
 }
 function registerProvisionStatusRoute(server, options) {
     const logger = (0, global_logger_factory_1.getLoggerFor)('ProvisionStatusHandler');
+    const fetchImpl = options.fetchImpl ?? fetch;
+    const now = options.now ?? (() => Date.now());
+    const refreshGraceSeconds = options.refreshGraceSeconds ?? PROVISION_STATUS_REFRESH_GRACE_SECONDS;
+    const state = {
+        provisionCode: options.provisionCode,
+        nodeId: options.nodeId,
+        nodeToken: options.nodeToken,
+        serviceToken: options.serviceToken,
+        publicUrl: normalizeUrl(options.publicUrl),
+        spDomain: options.spDomain,
+    };
+    let refreshPromise;
     server.get('/provision/status', async (_request, response) => {
         const registered = Boolean(options.nodeId && options.cloudUrl);
         const body = {
             registered,
         };
         if (registered) {
+            const canRefresh = canRefreshProvisionStatus(options, state);
+            const currentNow = now();
+            const fresh = isProvisionCodeFresh(state.provisionCode, currentNow, refreshGraceSeconds);
+            const codeState = inspectProvisionCodeExpiration(state.provisionCode);
+            if (!canRefresh && codeState.kind !== 'missing' && !isProvisionCodeUsable(state.provisionCode, currentNow)) {
+                sendJson(response, 503, {
+                    registered: true,
+                    error: 'provision_refresh_unavailable',
+                    message: 'Local provision state is expired and cannot be refreshed. Please restart Local or try again.',
+                });
+                return;
+            }
+            if (canRefresh && !fresh) {
+                let didRefresh = false;
+                refreshPromise ??= refreshProvisionStatus({
+                    options,
+                    state,
+                    fetchImpl,
+                    logger,
+                }).finally(() => {
+                    refreshPromise = undefined;
+                });
+                try {
+                    await refreshPromise;
+                    didRefresh = true;
+                }
+                catch (error) {
+                    logger.warn(`Failed to refresh provisionCode for ${state.nodeId}: ${error}`);
+                    if (!isProvisionCodeUsable(state.provisionCode, now())) {
+                        sendJson(response, 503, {
+                            registered: true,
+                            error: 'provision_refresh_failed',
+                            message: 'Local provision state could not be refreshed. Please restart Local or try again.',
+                        });
+                        return;
+                    }
+                }
+                if (didRefresh) {
+                    await persistProvisionStatusState(options, state, logger);
+                }
+            }
             body.cloudUrl = options.cloudUrl;
-            body.nodeId = options.nodeId;
-            if (options.spDomain) {
-                body.spDomain = options.spDomain;
+            body.nodeId = state.nodeId ?? options.nodeId;
+            if (state.spDomain) {
+                body.spDomain = state.spDomain;
+            }
+            if (state.publicUrl) {
+                body.publicUrl = state.publicUrl;
+            }
+            if (state.provisionCode) {
+                body.provisionCode = state.provisionCode;
             }
             if (options.cloudBaseUrl) {
-                const provisionUrl = options.provisionCode
-                    ? `${options.cloudBaseUrl.replace(/\/$/, '')}/.account/?provisionCode=${encodeURIComponent(options.provisionCode)}`
+                const provisionUrl = state.provisionCode
+                    ? `${options.cloudBaseUrl.replace(/\/$/, '')}/.account/?provisionCode=${encodeURIComponent(state.provisionCode)}`
                     : `${options.cloudBaseUrl.replace(/\/$/, '')}/.account/`;
                 body.provisionUrl = provisionUrl;
             }
@@ -366,6 +483,193 @@ function registerProvisionStatusRoute(server, options) {
     }, { public: true });
     logger.info('Provision status route registered');
 }
+function createLocalSetupProvisionStateWriter(setupPath, providerId) {
+    if (!setupPath?.trim() || !providerId?.trim()) {
+        return undefined;
+    }
+    const targetPath = path.resolve(setupPath);
+    const targetProviderId = providerId.trim();
+    return async (state) => {
+        upsertLocalSetupFile(targetPath, targetProviderId, state);
+    };
+}
+async function persistProvisionStatusState(options, state, logger) {
+    if (!options.persistState || !state.nodeId || !state.nodeToken || !state.serviceToken || !state.provisionCode) {
+        return;
+    }
+    try {
+        await options.persistState({
+            nodeId: state.nodeId,
+            nodeToken: state.nodeToken,
+            serviceToken: state.serviceToken,
+            provisionCode: state.provisionCode,
+            publicUrl: state.publicUrl,
+            spDomain: state.spDomain,
+            cloudUrl: options.cloudUrl,
+            cloudBaseUrl: options.cloudBaseUrl,
+        });
+    }
+    catch (error) {
+        logger.warn(`Failed to persist refreshed local provision state: ${error}`);
+    }
+}
+function upsertLocalSetupFile(filePath, providerId, state) {
+    const existing = readJsonObjectFile(filePath);
+    const previous = readJsonObject(existing[providerId]);
+    const cloudIdentityUrl = normalizeUrl(state.cloudBaseUrl);
+    const cloudApiUrl = normalizeUrl(state.cloudUrl);
+    const provisionUrl = cloudIdentityUrl
+        ? `${cloudIdentityUrl.replace(/\/+$/u, '')}/.account/?provisionCode=${encodeURIComponent(state.provisionCode)}`
+        : readString(previous.provisionUrl);
+    existing[providerId] = {
+        ...previous,
+        nodeId: state.nodeId,
+        nodeToken: state.nodeToken,
+        serviceToken: state.serviceToken,
+        provisionCode: state.provisionCode,
+        publicUrl: normalizeUrl(state.publicUrl),
+        spDomain: readString(state.spDomain),
+        provisionUrl,
+        cloudIdentityUrl,
+        cloudApiUrl,
+        registeredAt: typeof previous.registeredAt === 'number' && Number.isFinite(previous.registeredAt)
+            ? previous.registeredAt
+            : Date.now(),
+    };
+    fs.mkdirSync(path.dirname(filePath), { recursive: true });
+    fs.writeFileSync(filePath, `${JSON.stringify(existing, null, 2)}\n`, { encoding: 'utf8', mode: 0o600 });
+    try {
+        fs.chmodSync(filePath, 0o600);
+    }
+    catch {
+        // Some filesystems do not support chmod; the local runtime can still proceed.
+    }
+}
+function readJsonObjectFile(filePath) {
+    try {
+        if (!fs.existsSync(filePath)) {
+            return {};
+        }
+        return readJsonObject(JSON.parse(fs.readFileSync(filePath, 'utf8')));
+    }
+    catch {
+        return {};
+    }
+}
+function readJsonObject(value) {
+    return value && typeof value === 'object' && !Array.isArray(value)
+        ? value
+        : {};
+}
+function readString(value) {
+    return typeof value === 'string' && value.trim() ? value.trim() : undefined;
+}
+function canRefreshProvisionStatus(options, state) {
+    return Boolean(options.cloudUrl
+        && state.nodeId
+        && state.nodeToken
+        && state.serviceToken
+        && state.publicUrl);
+}
+async function refreshProvisionStatus(options) {
+    const { options: statusOptions, state, fetchImpl, logger } = options;
+    const endpoint = new URL('/provision/nodes', ensureTrailingSlash(statusOptions.cloudUrl)).toString();
+    const requestBody = {
+        publicUrl: state.publicUrl,
+        nodeId: state.nodeId,
+        nodeToken: state.nodeToken,
+        serviceToken: state.serviceToken,
+        domainMode: state.spDomain ? 'managed' : 'self-managed',
+        spDomain: state.spDomain,
+    };
+    if (statusOptions.localPort && statusOptions.localPort > 0) {
+        requestBody.localPort = statusOptions.localPort;
+    }
+    if (statusOptions.tunnelToken) {
+        requestBody.tunnelToken = statusOptions.tunnelToken;
+        requestBody.tunnelMode = 'client';
+    }
+    const result = await fetchImpl(endpoint, {
+        method: 'POST',
+        headers: {
+            Accept: 'application/json',
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(requestBody),
+    });
+    if (!result.ok) {
+        const detail = await result.text().catch(() => '');
+        throw new Error(detail || `HTTP ${result.status}`);
+    }
+    const payload = await result.json().catch(() => undefined);
+    if (!payload
+        || typeof payload.nodeId !== 'string'
+        || typeof payload.nodeToken !== 'string'
+        || typeof payload.serviceToken !== 'string'
+        || typeof payload.provisionCode !== 'string') {
+        throw new Error('Cloud returned an incomplete provision refresh response.');
+    }
+    state.nodeId = payload.nodeId;
+    state.nodeToken = payload.nodeToken;
+    state.serviceToken = payload.serviceToken;
+    state.provisionCode = payload.provisionCode;
+    state.publicUrl = normalizeUrl(payload.publicUrl) ?? state.publicUrl;
+    state.spDomain = typeof payload.spDomain === 'string' ? payload.spDomain : state.spDomain;
+    process.env.XPOD_NODE_ID = state.nodeId;
+    process.env.XPOD_NODE_TOKEN = state.nodeToken;
+    process.env.XPOD_SERVICE_TOKEN = state.serviceToken;
+    process.env.XPOD_PROVISION_CODE = state.provisionCode;
+    if (statusOptions.cloudBaseUrl) {
+        process.env.XPOD_PROVISION_URL = `${statusOptions.cloudBaseUrl.replace(/\/$/u, '')}/.account/?provisionCode=${encodeURIComponent(state.provisionCode)}`;
+    }
+    if (state.spDomain) {
+        process.env.XPOD_SP_DOMAIN = state.spDomain;
+    }
+    logger.info(`Refreshed provisionCode for ${state.nodeId}`);
+}
+function isProvisionCodeFresh(code, nowMs, graceSeconds) {
+    const state = inspectProvisionCodeExpiration(code);
+    return state.kind === 'self-contained' && state.expiresAt > Math.floor(nowMs / 1000) + graceSeconds;
+}
+function isProvisionCodeUsable(code, nowMs) {
+    const state = inspectProvisionCodeExpiration(code);
+    if (state.kind === 'legacy') {
+        return true;
+    }
+    return state.kind === 'self-contained' && state.expiresAt > Math.floor(nowMs / 1000);
+}
+function inspectProvisionCodeExpiration(code) {
+    if (!code) {
+        return { kind: 'missing' };
+    }
+    const dotIndex = code.indexOf('.');
+    if (dotIndex <= 0) {
+        return { kind: 'legacy' };
+    }
+    try {
+        const payload = JSON.parse(Buffer.from(code.slice(0, dotIndex), 'base64url').toString('utf8'));
+        return typeof payload.exp === 'number' && Number.isFinite(payload.exp)
+            ? { kind: 'self-contained', expiresAt: payload.exp }
+            : { kind: 'invalid' };
+    }
+    catch {
+        return { kind: 'invalid' };
+    }
+}
+function ensureTrailingSlash(value) {
+    return value.endsWith('/') ? value : `${value}/`;
+}
+function normalizeUrl(value) {
+    if (!value?.trim()) {
+        return undefined;
+    }
+    try {
+        return new URL(value.trim()).toString().replace(/\/+$/u, '') + '/';
+    }
+    catch {
+        return value.trim().replace(/\/+$/u, '') + '/';
+    }
+}
 async function readJsonBody(request) {
     return new Promise((resolve, reject) => {
         let data = '';
@@ -393,6 +697,9 @@ function sendJson(response, status, data) {
     response.setHeader('Content-Type', 'application/json');
     response.end(JSON.stringify(data));
 }
+function derivePublicUrlFromSpDomain(spDomain) {
+    return spDomain ? `https://${spDomain}/` : undefined;
+}
 function normalizeRequestedManagedDomain(value, baseStorageDomain) {
     if (!value || !baseStorageDomain) {
         return undefined;