@vividcodeai/embeddedcowork-dev 0.0.3-dev-20260507-b76190e8

package/dist/server/network-addresses.js

@@ -0,0 +1,114 @@
+import os from "os";
+export function resolveNetworkAddresses(args) {
+    const { host, protocol, port } = args;
+    const interfaces = os.networkInterfaces();
+    const seen = new Set();
+    const results = [];
+    const addAddress = (ip, scope) => {
+        if (!ip || ip === "0.0.0.0")
+            return;
+        const key = `ipv4-${ip}`;
+        if (seen.has(key))
+            return;
+        seen.add(key);
+        results.push({ ip, family: "ipv4", scope, remoteUrl: `${protocol}://${ip}:${port}` });
+    };
+    const normalizeFamily = (value) => {
+        if (typeof value === "string") {
+            const lowered = value.toLowerCase();
+            if (lowered === "ipv4") {
+                return "ipv4";
+            }
+        }
+        if (value === 4)
+            return "ipv4";
+        return null;
+    };
+    if (host === "0.0.0.0") {
+        // Enumerate system interfaces (IPv4 only)
+        for (const entries of Object.values(interfaces)) {
+            if (!entries)
+                continue;
+            for (const entry of entries) {
+                const family = normalizeFamily(entry.family);
+                if (!family)
+                    continue;
+                if (!entry.address || entry.address === "0.0.0.0")
+                    continue;
+                const scope = entry.internal ? "loopback" : "external";
+                addAddress(entry.address, scope);
+            }
+        }
+    }
+    // Always include loopback address
+    addAddress("127.0.0.1", "loopback");
+    // Include explicitly configured host if it was IPv4
+    if (isIPv4Address(host) && host !== "0.0.0.0") {
+        const isLoopback = host.startsWith("127.");
+        addAddress(host, isLoopback ? "loopback" : "external");
+    }
+    const scopeWeight = { external: 0, internal: 1, loopback: 2 };
+    return results.sort((a, b) => {
+        const scopeDelta = scopeWeight[a.scope] - scopeWeight[b.scope];
+        if (scopeDelta !== 0)
+            return scopeDelta;
+        return 0;
+    });
+}
+export function resolveRemoteAddresses(args) {
+    const all = resolveNetworkAddresses(args);
+    const userVisible = sortUserVisibleAddresses(all.filter((address) => address.scope === "external"));
+    return {
+        all,
+        userVisible,
+        primaryRemoteUrl: userVisible[0]?.remoteUrl,
+    };
+}
+function sortUserVisibleAddresses(addresses) {
+    return [...addresses].sort((left, right) => getUserVisiblePriority(left.ip) - getUserVisiblePriority(right.ip));
+}
+function getUserVisiblePriority(ip) {
+    if (isPrivateIPv4(ip))
+        return 0;
+    if (isLinkLocalIPv4(ip))
+        return 2;
+    return 1;
+}
+function isLinkLocalIPv4(ip) {
+    const octets = parseIPv4(ip);
+    if (!octets)
+        return false;
+    const [first, second] = octets;
+    return first === 169 && second === 254;
+}
+function isPrivateIPv4(ip) {
+    const octets = parseIPv4(ip);
+    if (!octets)
+        return false;
+    const [first, second] = octets;
+    if (first === 10)
+        return true;
+    if (first === 192 && second === 168)
+        return true;
+    return first === 172 && second >= 16 && second <= 31;
+}
+function parseIPv4(value) {
+    if (!isIPv4Address(value))
+        return null;
+    return value.split(".").map((part) => Number(part));
+}
+function isIPv4Address(value) {
+    if (!value)
+        return false;
+    const parts = value.split(".");
+    if (parts.length !== 4)
+        return false;
+    return parts.every((part) => {
+        if (part.length === 0 || part.length > 3)
+            return false;
+        if (!/^[0-9]+$/.test(part))
+            return false;
+        const num = Number(part);
+        return Number.isInteger(num) && num >= 0 && num <= 255;
+    });
+}

package/dist/server/remote-proxy.js

@@ -0,0 +1,466 @@
+import Fastify from "fastify";
+import { randomBytes, randomUUID } from "crypto";
+import { Readable } from "stream";
+import { pipeline } from "stream/promises";
+import { Agent, fetch } from "undici";
+const LOOPBACK_HOST = "127.0.0.1";
+const BOOTSTRAP_PAGE_PATH = "/__embeddedcowork/auth/token";
+const BOOTSTRAP_EXCHANGE_PATH = "/__embeddedcowork/api/auth/token";
+const SESSION_IDLE_TTL_MS = 30 * 60000;
+export class RemoteProxySessionManager {
+    constructor(options) {
+        this.options = options;
+        this.sessions = new Map();
+        this.cleanupTimer = setInterval(() => {
+            void this.cleanupExpiredSessions();
+        }, 60000);
+        this.cleanupTimer.unref();
+    }
+    async createSession(baseUrl, skipTlsVerify) {
+        if (!this.options.httpsOptions) {
+            throw new Error("Local HTTPS is required for remote proxy sessions");
+        }
+        const targetBaseUrl = normalizeBaseUrl(baseUrl);
+        const sessionId = randomUUID();
+        const bootstrapToken = randomBytes(32).toString("base64url");
+        const dispatcher = skipTlsVerify ? new Agent({ connect: { rejectUnauthorized: false } }) : undefined;
+        const app = Fastify({ logger: false, https: this.options.httpsOptions });
+        let session = null;
+        app.removeAllContentTypeParsers();
+        // Preserve raw request bodies for proxying while still letting token JSON parse from Buffer.
+        app.addContentTypeParser("*", { parseAs: "buffer" }, (_req, body, done) => done(null, body));
+        app.get(BOOTSTRAP_PAGE_PATH, async (request, reply) => {
+            if (!this.options.authManager.isLoopbackRequest(request)) {
+                reply.code(404).send({ error: "Not found" });
+                return;
+            }
+            reply.header("Cache-Control", "no-store");
+            reply.header("Pragma", "no-cache");
+            reply.header("Expires", "0");
+            reply.type("text/html").send(buildBootstrapPageHtml());
+        });
+        app.post(BOOTSTRAP_EXCHANGE_PATH, async (request, reply) => {
+            if (!this.options.authManager.isLoopbackRequest(request)) {
+                reply.code(404).send({ error: "Not found" });
+                return;
+            }
+            if (!session) {
+                reply.code(503).send({ error: "Remote proxy session is unavailable" });
+                return;
+            }
+            const body = parseTokenBody(request.body);
+            if (body.token !== session.bootstrapToken) {
+                reply.code(401).send({ error: "Invalid token" });
+                return;
+            }
+            session.activated = true;
+            session.lastAccessAt = Date.now();
+            reply.send({ ok: true });
+        });
+        app.all("/*", async (request, reply) => {
+            if (!session) {
+                reply.code(503).send({ error: "Remote proxy session is unavailable" });
+                return;
+            }
+            if (!session.activated) {
+                reply.code(403).send({ error: "Remote proxy session is not activated" });
+                return;
+            }
+            session.lastAccessAt = Date.now();
+            await proxyRequest({ request, reply, session, logger: this.options.logger });
+        });
+        app.setNotFoundHandler(async (request, reply) => {
+            if (!session) {
+                reply.code(503).send({ error: "Remote proxy session is unavailable" });
+                return;
+            }
+            if (!session.activated) {
+                reply.code(403).send({ error: "Remote proxy session is not activated" });
+                return;
+            }
+            session.lastAccessAt = Date.now();
+            await proxyRequest({ request, reply, session, logger: this.options.logger });
+        });
+        const addressInfo = await app.listen({ host: LOOPBACK_HOST, port: 0 });
+        const address = new URL(addressInfo);
+        const localBaseUrl = new URL(`https://${LOOPBACK_HOST}:${address.port}`);
+        const entryUrl = new URL(targetBaseUrl.pathname || "/", localBaseUrl);
+        const returnTo = buildReturnToTarget(entryUrl);
+        session = {
+            id: sessionId,
+            bootstrapToken,
+            targetBaseUrl,
+            skipTlsVerify,
+            localBaseUrl,
+            entryUrl,
+            bootstrapUrl: `${localBaseUrl.origin}${BOOTSTRAP_PAGE_PATH}?returnTo=${encodeURIComponent(returnTo)}#${encodeURIComponent(bootstrapToken)}`,
+            activated: false,
+            cookiePrefix: `cnrp_${randomBytes(6).toString("hex")}_`,
+            app,
+            dispatcher,
+            createdAt: Date.now(),
+            lastAccessAt: Date.now(),
+        };
+        this.sessions.set(sessionId, session);
+        this.options.logger.info({ sessionId, targetBaseUrl: targetBaseUrl.toString(), localBaseUrl: localBaseUrl.toString() }, "Created remote proxy session");
+        return { sessionId, windowUrl: session.bootstrapUrl };
+    }
+    async deleteSession(sessionId) {
+        return this.disposeSession(sessionId);
+    }
+    async cleanupExpiredSessions() {
+        const now = Date.now();
+        for (const session of Array.from(this.sessions.values())) {
+            if (now - session.lastAccessAt <= SESSION_IDLE_TTL_MS) {
+                continue;
+            }
+            await this.disposeSession(session.id);
+        }
+    }
+    async disposeSession(sessionId) {
+        const session = this.sessions.get(sessionId);
+        if (!session) {
+            return false;
+        }
+        this.sessions.delete(sessionId);
+        session.dispatcher?.close().catch(() => { });
+        await session.app.close().catch(() => { });
+        this.options.logger.info({ sessionId }, "Disposed remote proxy session");
+        return true;
+    }
+}
+function normalizeBaseUrl(input) {
+    const parsed = new URL(input.trim());
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+        throw new Error("Server URL must use http:// or https://");
+    }
+    parsed.hash = "";
+    parsed.search = "";
+    parsed.pathname = parsed.pathname === "/" ? "/" : parsed.pathname.replace(/\/+$/, "") || "/";
+    return parsed;
+}
+function buildReturnToTarget(entryUrl) {
+    const query = entryUrl.search ? entryUrl.search : "";
+    return `${entryUrl.pathname || "/"}${query}`;
+}
+function buildBootstrapPageHtml() {
+    return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>EmbeddedCowork</title>
+    <style>
+      body { font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial; background: #0b0b0f; color: #fff; display: flex; align-items: center; justify-content: center; height: 100vh; margin: 0; }
+      .card { width: 420px; max-width: calc(100vw - 32px); background: #14141c; border: 1px solid rgba(255,255,255,0.08); border-radius: 14px; padding: 24px; }
+      h1 { font-size: 18px; margin: 0 0 12px; }
+      p { margin: 0; color: rgba(255,255,255,0.7); font-size: 13px; line-height: 1.4; }
+      .error { margin-top: 12px; color: #ff6b6b; font-size: 13px; display: none; }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <h1>Connecting...</h1>
+      <p>Finalizing local authentication.</p>
+      <div id="error" class="error"></div>
+    </div>
+    <script>
+      const token = decodeURIComponent((location.hash || "").replace(/^#/, "").trim())
+      const params = new URLSearchParams(location.search)
+      const returnTo = sanitizeReturnTo(params.get("returnTo"))
+      const errorEl = document.getElementById("error")
+
+      function sanitizeReturnTo(value) {
+        if (!value || typeof value !== "string") return "/"
+        if (!value.startsWith("/")) return "/"
+        if (value.startsWith("//")) return "/"
+        return value
+      }
+
+      function showError(message) {
+        errorEl.textContent = message
+        errorEl.style.display = "block"
+      }
+
+      async function run() {
+        if (!token) {
+          showError("Missing bootstrap token.")
+          return
+        }
+
+        try {
+          const res = await fetch("${BOOTSTRAP_EXCHANGE_PATH}", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ token }),
+            credentials: "include",
+          })
+
+          if (!res.ok) {
+            let message = ""
+            try {
+              const json = await res.json()
+              message = json && json.error ? String(json.error) : ""
+            } catch {
+              message = ""
+            }
+            showError(message || "Token exchange failed (" + res.status + ")")
+            return
+          }
+
+          window.location.replace(returnTo)
+        } catch (error) {
+          showError(error && error.message ? error.message : String(error))
+        }
+      }
+
+      run()
+    </script>
+  </body>
+</html>`;
+}
+function parseTokenBody(body) {
+    const value = normalizeJsonBody(body);
+    const token = typeof value?.token === "string" ? value.token.trim() : "";
+    if (!token) {
+        throw new Error("Missing bootstrap token");
+    }
+    return { token };
+}
+function normalizeJsonBody(body) {
+    if (Buffer.isBuffer(body)) {
+        return JSON.parse(body.toString("utf-8"));
+    }
+    if (typeof body === "string") {
+        return JSON.parse(body);
+    }
+    return body;
+}
+function toRequestBody(body) {
+    if (body == null) {
+        return undefined;
+    }
+    if (Buffer.isBuffer(body) || typeof body === "string" || body instanceof Uint8Array) {
+        return body;
+    }
+    return JSON.stringify(body);
+}
+async function proxyRequest(args) {
+    const { request, reply, session, logger } = args;
+    const upstreamUrl = buildUpstreamUrl(session.targetBaseUrl, request.raw.url ?? request.url);
+    const headers = filterRequestHeaders(request.headers, session);
+    const init = {
+        method: request.method,
+        headers,
+        dispatcher: session.dispatcher,
+        redirect: "manual",
+    };
+    if (request.method !== "GET" && request.method !== "HEAD") {
+        const body = toRequestBody(request.body);
+        if (body !== undefined) {
+            init.body = body;
+            init.duplex = "half";
+        }
+    }
+    try {
+        const response = await fetch(upstreamUrl, init);
+        reply.code(response.status);
+        applyResponseHeaders(reply, response, session);
+        if (!response.body || request.method === "HEAD") {
+            reply.send();
+            return;
+        }
+        reply.hijack();
+        reply.raw.writeHead(reply.statusCode, toOutgoingHeaders(reply.getHeaders()));
+        await pipeline(Readable.fromWeb(response.body), reply.raw);
+    }
+    catch (error) {
+        logger.error({ err: error, upstreamUrl }, "Failed to proxy remote session request");
+        if (!reply.sent) {
+            reply.code(502).send({ error: "Remote proxy request failed" });
+        }
+    }
+}
+function buildUpstreamUrl(baseUrl, rawUrl) {
+    const parsed = new URL(rawUrl, "https://localhost");
+    const url = new URL(baseUrl.toString());
+    url.pathname = rewriteRequestPath(baseUrl, parsed.pathname);
+    url.search = stripInternalQuery(parsed.search);
+    url.hash = "";
+    return url.toString();
+}
+function rewriteRequestPath(baseUrl, requestPath) {
+    const basePath = normalizedBasePath(baseUrl);
+    if (basePath === "/") {
+        return requestPath;
+    }
+    if (requestPath === "/") {
+        return basePath;
+    }
+    if (pathHasBasePrefix(basePath, requestPath)) {
+        return requestPath;
+    }
+    return `${basePath}${requestPath}`;
+}
+function normalizedBasePath(baseUrl) {
+    return baseUrl.pathname || "/";
+}
+function pathHasBasePrefix(basePath, requestPath) {
+    return requestPath === basePath || requestPath.startsWith(`${basePath}/`);
+}
+function stripInternalQuery(search) {
+    if (!search || search === "?") {
+        return "";
+    }
+    return search;
+}
+function filterRequestHeaders(headers, session) {
+    const next = {};
+    for (const [key, value] of Object.entries(headers ?? {})) {
+        if (!value)
+            continue;
+        const lower = key.toLowerCase();
+        if (isHopByHopHeader(lower) ||
+            lower === "host" ||
+            lower === "content-length" ||
+            lower === "accept-encoding") {
+            continue;
+        }
+        if (lower === "origin") {
+            next[key] = session.targetBaseUrl.origin;
+            continue;
+        }
+        if (lower === "referer") {
+            const rewritten = rewriteRefererHeader(Array.isArray(value) ? value[0] : value, session.targetBaseUrl);
+            if (rewritten) {
+                next[key] = rewritten;
+            }
+            continue;
+        }
+        if (lower === "cookie") {
+            const rewritten = rewriteRequestCookieHeader(Array.isArray(value) ? value.join("; ") : value, session.cookiePrefix);
+            if (rewritten) {
+                next[key] = rewritten;
+            }
+            continue;
+        }
+        next[key] = Array.isArray(value) ? value.join(",") : value;
+    }
+    next.host = session.targetBaseUrl.port ? `${session.targetBaseUrl.hostname}:${session.targetBaseUrl.port}` : session.targetBaseUrl.hostname;
+    if (!next.origin) {
+        next.origin = session.targetBaseUrl.origin;
+    }
+    return next;
+}
+function rewriteRefererHeader(referer, targetBaseUrl) {
+    if (!referer) {
+        return null;
+    }
+    try {
+        const parsed = new URL(referer);
+        const rewritten = new URL(targetBaseUrl.toString());
+        rewritten.pathname = rewriteRequestPath(targetBaseUrl, parsed.pathname);
+        rewritten.search = parsed.search;
+        rewritten.hash = parsed.hash;
+        return rewritten.toString();
+    }
+    catch {
+        return null;
+    }
+}
+function applyResponseHeaders(reply, response, session) {
+    const setCookie = response.headers.getSetCookie?.();
+    if (Array.isArray(setCookie)) {
+        for (const cookie of setCookie) {
+            reply.header("set-cookie", rewriteSetCookie(cookie, session.cookiePrefix));
+        }
+    }
+    response.headers.forEach((value, key) => {
+        const lower = key.toLowerCase();
+        if (isHopByHopHeader(lower) ||
+            lower === "set-cookie" ||
+            lower === "content-length" ||
+            lower === "content-encoding") {
+            return;
+        }
+        if (lower === "location") {
+            reply.header(key, rewriteLocation(value, session.targetBaseUrl, session.localBaseUrl));
+            return;
+        }
+        reply.header(key, value);
+    });
+}
+function toOutgoingHeaders(headers) {
+    const next = {};
+    for (const [key, value] of Object.entries(headers)) {
+        if (value === undefined) {
+            continue;
+        }
+        next[key] = Array.isArray(value) ? value.map(String) : String(value);
+    }
+    return next;
+}
+function rewriteSetCookie(cookie, cookiePrefix) {
+    const parts = cookie.split(";").map((part) => part.trim());
+    const first = parts.shift() ?? "";
+    const separator = first.indexOf("=");
+    if (separator <= 0) {
+        return cookie;
+    }
+    const name = first.slice(0, separator).trim();
+    const value = first.slice(separator + 1);
+    const rewritten = [`${cookiePrefix}${name}=${value}`];
+    for (const part of parts) {
+        if (part.slice(0, 7).toLowerCase().startsWith("domain=")) {
+            continue;
+        }
+        rewritten.push(part);
+    }
+    return rewritten.join("; ");
+}
+function rewriteRequestCookieHeader(cookieHeader, cookiePrefix) {
+    const next = [];
+    for (const rawPart of cookieHeader.split(";")) {
+        const part = rawPart.trim();
+        if (!part)
+            continue;
+        const separator = part.indexOf("=");
+        if (separator <= 0)
+            continue;
+        const name = part.slice(0, separator).trim();
+        const value = part.slice(separator + 1);
+        if (!name.startsWith(cookiePrefix)) {
+            continue;
+        }
+        next.push(`${name.slice(cookiePrefix.length)}=${value}`);
+    }
+    return next.join("; ");
+}
+function rewriteLocation(location, targetBaseUrl, localBaseUrl) {
+    try {
+        const parsed = new URL(location, targetBaseUrl);
+        if (parsed.origin !== targetBaseUrl.origin) {
+            return location;
+        }
+        const rewritten = new URL(localBaseUrl.toString());
+        rewritten.pathname = parsed.pathname;
+        rewritten.search = parsed.search;
+        rewritten.hash = parsed.hash;
+        return rewritten.toString();
+    }
+    catch {
+        return location;
+    }
+}
+function isHopByHopHeader(name) {
+    return new Set([
+        "connection",
+        "keep-alive",
+        "proxy-authenticate",
+        "proxy-authorization",
+        "te",
+        "trailer",
+        "transfer-encoding",
+        "upgrade",
+    ]).has(name);
+}