@wu529778790/open-im 1.7.1-beta.1 → 1.7.1-beta.3

package/README.md

@@ -76,48 +76,95 @@ WeChat is not in the web UI; configure it in `~/.open-im/config.json` or via `op
 
 ### On a headless server (no GUI)
 
-Many servers do not have a desktop environment or browser. In that case, trying to auto-launch a browser (`xdg-open`, `open`, `start`) is unnecessary and may even fail. Use this pattern instead:
+Many servers do not have a desktop environment or browser. In that case, trying to auto-launch a browser (`xdg-open`, `open`, `start`) is unnecessary and may even fail. Use these patterns instead.
 
-- **1) Disable automatic browser launch**
+#### 1) Disable automatic browser launch
 
-  On the server:
+On the server:
+
+```bash
+export OPEN_IM_NO_BROWSER=1
+open-im start
+```
+
+This starts the bridge and the config web server in the background without attempting to open a browser.
+
+#### 2) Verify that the config page is listening on the server
+
+On the server:
+
+```bash
+ss -lntp | grep 39282        # or: netstat -lntp | grep 39282
+curl -v http://127.0.0.1:39282/
+```
+
+If you see a `LISTEN` line for `127.0.0.1:39282` and `curl` returns HTML, the config UI is running.
+
+#### 3) Safest option: SSH tunnel to local browser
+
+Instead of exposing port 39282 to the public internet, use SSH port forwarding:
+
+```bash
+# On your local machine:
+ssh -L 39282:127.0.0.1:39282 user@your-server-ip
+```
+
+Then open in your local browser:
+
+```text
+http://127.0.0.1:39282/
+```
+
+This safely tunnels the config page from the server to your local browser.
+
+#### 4) Optional: Remote access with one-time login link
+
+If you want to open the config UI directly from another device without SSH tunneling, you can bind the web config server to all interfaces and use a one-time login URL:
+
+- **Bind to all interfaces and keep the browser closed on the server:**
 
   ```bash
   export OPEN_IM_NO_BROWSER=1
+  export OPEN_IM_WEB_HOST=0.0.0.0
   open-im start
   ```
 
-  This starts the bridge and the config web server in the background without attempting to open a browser.
-
-- **2) Verify that the config page is listening on the server**
+  - By default, `OPEN_IM_WEB_HOST` is `127.0.0.1` (local only).
+  - Setting it to `0.0.0.0` makes the config page listen on all interfaces.
 
-  On the server:
+- **On startup, open-im will log a one-time login URL**, for example:
 
-  ```bash
-  ss -lntp | grep 39282        # or: netstat -lntp | grep 39282
-  curl -v http://127.0.0.1:39282/
+  ```text
+  ━━━━━━━━ Web Config Login ━━━━━━━━
+  Host binding : 0.0.0.0
+  Login URL    : http://127.0.0.1:39282/?login_token=xxxx
+  Note: replace 127.0.0.1 with your server IP or hostname when opening from another device.
+  This login link is valid for approximately 15 minutes and can be used only once.
+  After login, subsequent requests will use a short-lived session cookie.
   ```
 
-  If you see a `LISTEN` line for `127.0.0.1:39282` and `curl` returns HTML, the config UI is running.
+- **From your laptop/phone**, replace `127.0.0.1` with the server IP or hostname and open the URL in a browser:
 
-- **3) Access the config UI from your local machine via SSH tunnel**
+  ```text
+  http://your-server-ip:39282/?login_token=xxxx
+  ```
 
-  Instead of exposing port 39282 to the public internet, use SSH port forwarding:
+  The first successful visit:
 
-  ```bash
-  # On your local machine:
-  ssh -L 39282:127.0.0.1:39282 user@your-server-ip
-  ```
+  - Consumes the one-time `login_token` (subsequent uses will fail with 401);
+  - Creates a short-lived session and sets a `openim_session` cookie in your browser;
+  - Redirects you to the config page without query parameters.
 
-  Then open in your local browser:
+  After that, as long as the `openim_session` cookie is valid and the process is still running, you can continue visiting:
 
   ```text
-  http://127.0.0.1:39282/
+  http://your-server-ip:39282/
   ```
 
-  This safely tunnels the config page from the server to your local browser.
-
-> If you really want to expose the config UI directly, you can change the listener in `config-web.ts` from `server.listen(port, "127.0.0.1", ...)` to `0.0.0.0` and open port 39282 in your firewall / security group. For security reasons, SSH tunneling is strongly recommended instead.
+> Security notes:
+>
+> - Binding `OPEN_IM_WEB_HOST=0.0.0.0` exposes the config port on all interfaces. Always combine this with firewall rules / security groups and consider fronting the port with HTTPS + auth via a reverse proxy.
+> - When in doubt, prefer SSH tunneling (step 3) over direct exposure.
 
 ## Session Behavior
 

package/README.zh-CN.md

@@ -84,46 +84,93 @@ open-im start
 
 很多服务器没有桌面环境和浏览器，此时「自动打开浏览器」既没意义，还可能因为缺少 `xdg-open` 报错。推荐如下用法：
 
-- **1）关闭自动打开浏览器**
+#### 1）关闭自动打开浏览器
 
-  在服务器上设置环境变量，然后启动：
+在服务器上设置环境变量，然后启动：
+
+```bash
+export OPEN_IM_NO_BROWSER=1
+open-im start
+```
+
+这样只会在后台启动服务与配置页面，不会尝试执行 `xdg-open` / `open` / `start`。
+
+#### 2）检查配置页面是否已在服务器本机监听
+
+在服务器上执行：
+
+```bash
+ss -lntp | grep 39282        # 或 netstat -lntp | grep 39282
+curl -v http://127.0.0.1:39282/
+```
+
+若看到 `LISTEN 0 ... 127.0.0.1:39282` 且 `curl` 返回 HTML，则说明 Web 配置页已正常启动。
+
+#### 3）推荐方式：通过 SSH 隧道在本地浏览器访问
+
+不建议直接对外开放 39282 端口，而是使用 SSH 端口转发：
+
+```bash
+# 在本地电脑执行，将本地 39282 转发到服务器 127.0.0.1:39282
+ssh -L 39282:127.0.0.1:39282 user@your-server-ip
+```
+
+然后在本地浏览器访问：
+
+```text
+http://127.0.0.1:39282/
+```
+
+即可打开服务器上的配置页面。
+
+#### 4）可选：在服务器上直接访问的一次性登录链接
+
+如果你确实希望在服务器上绑定到公网 IP，从其他设备直接访问配置页面，可以：
+
+- **将 Web 配置服务绑定到所有网卡：**
 
   ```bash
   export OPEN_IM_NO_BROWSER=1
+  export OPEN_IM_WEB_HOST=0.0.0.0
   open-im start
   ```
 
-  这样只会在后台启动服务与配置页面，不会尝试执行 `xdg-open` / `open` / `start`。
-
-- **2）检查配置页面是否已在服务器本机监听**
+  - 默认情况下，`OPEN_IM_WEB_HOST` 为 `127.0.0.1`（仅本机访问）。
+  - 设置为 `0.0.0.0` 后，配置页面会监听在所有网卡上。
 
-  在服务器上执行：
+- **启动后，open-im 会在日志中输出一次性登录链接**，类似：
 
-  ```bash
-  ss -lntp | grep 39282        # 或 netstat -lntp | grep 39282
-  curl -v http://127.0.0.1:39282/
+  ```text
+  ━━━━━━━━ Web Config Login ━━━━━━━━
+  Host binding : 0.0.0.0
+  Login URL    : http://127.0.0.1:39282/?login_token=xxxx
+  Note: replace 127.0.0.1 with your server IP or hostname when opening from another device.
+  This login link is valid for approximately 15 minutes and can be used only once.
+  After login, subsequent requests will use a short-lived session cookie.
   ```
 
-  若看到 `LISTEN 0 ... 127.0.0.1:39282` 且 `curl` 返回 HTML，则说明 Web 配置页已正常启动。
+- **在本地电脑或手机浏览器中**，将 `127.0.0.1` 换成服务器 IP 或域名，打开该链接：
 
-- **3）通过 SSH 隧道在本地浏览器访问**
+  ```text
+  http://your-server-ip:39282/?login_token=xxxx
+  ```
 
-  不建议直接对外开放 39282 端口，而是使用 SSH 端口转发：
+  第一次成功访问会：
 
-  ```bash
-  # 在本地电脑执行，将本地 39282 转发到服务器 127.0.0.1:39282
-  ssh -L 39282:127.0.0.1:39282 user@your-server-ip
-  ```
+  - 消费掉这枚一次性 `login_token`（后续再访问同一链接会 401）；
+  - 在浏览器中创建一个短期会话，设置 `openim_session` Cookie；
+  - 自动重定向到不带参数的配置页。
 
-  然后在本地浏览器访问：
+  之后，只要 `openim_session` Cookie 仍然有效、进程仍在运行，就可以直接访问：
 
   ```text
-  http://127.0.0.1:39282/
+  http://your-server-ip:39282/
   ```
 
-  即可打开服务器上的配置页面。
-
-> 如确有需要，也可以自行修改 `config-web.ts` 中的监听地址，将 `server.listen(port, "127.0.0.1", ...)` 调整为 `0.0.0.0`，并在防火墙/安全组放行 39282 端口。但出于安全考虑，官方推荐使用 SSH 隧道方式。
+> 安全提示：
+>
+> - 将 `OPEN_IM_WEB_HOST=0.0.0.0` 意味着该端口会对所有网卡开放，请务必结合防火墙/安全组、尽量配合 HTTPS + 反向代理（例如 Nginx/Caddy 的 Basic Auth 或 OIDC 登录）一起使用。
+> - 如无把握，优先使用上面的 SSH 隧道方案（第 3 步），安全性更高。
 
 ## 会话说明
 

package/dist/cli.js

@@ -60,6 +60,13 @@ async function cmdStart() {
     console.log("\nopen-im started in the background.");
     console.log(`  pid: ${child.pid}`);
     console.log(`  config page: ${getWebConfigUrl()}`);
+    if (process.env.OPEN_IM_WEB_HOST && process.env.OPEN_IM_WEB_HOST !== "127.0.0.1") {
+        console.log("");
+        console.log("NOTE:");
+        console.log("  The config page is bound to OPEN_IM_WEB_HOST.");
+        console.log("  A one-time login URL (with login_token) has been printed by the config-web server logger.");
+        console.log("  Please use that URL (replacing 127.0.0.1 with your server IP/hostname) for the first login.");
+    }
 }
 async function cmdStop() {
     const status = getManagerStatus();

package/dist/config-web.d.ts

@@ -5,6 +5,7 @@ export interface StartedWebConfigServer {
     close: () => Promise<void>;
     url: string;
     waitForResult: Promise<WebFlowResult>;
+    loginUrl?: string;
 }
 export declare function getHealthPlatformSnapshot(file: FileConfig, env?: NodeJS.ProcessEnv): Record<string, {
     configured: boolean;

package/dist/config-web.js

@@ -1,6 +1,7 @@
 import { spawn } from "node:child_process";
 import { createServer } from "node:http";
 import { URL } from "node:url";
+import { randomBytes } from "node:crypto";
 import { DWClient } from "dingtalk-stream";
 import { WEB_CONFIG_PORT } from "./constants.js";
 import { CONFIG_PATH, getClaudeConfigHome, loadClaudeSettingsEnv, saveClaudeSettingsEnv, loadConfig, loadFileConfig, saveFileConfig } from "./config.js";
@@ -10,6 +11,99 @@ import { initWeWork, stopWeWork } from "./wework/client.js";
 import { createLogger } from "./logger.js";
 const log = createLogger("ConfigWeb");
 const TEST_TIMEOUT_MS = 10000;
+const pendingLogins = new Map();
+const activeSessions = new Map();
+function getWebConfigHost() {
+    const envHost = process.env.OPEN_IM_WEB_HOST?.trim();
+    if (envHost)
+        return envHost;
+    return "127.0.0.1";
+}
+function generateRandomToken(bytes = 32) {
+    return randomBytes(bytes).toString("base64url");
+}
+function cleanupExpiredAuth(now) {
+    for (const [token, info] of pendingLogins) {
+        if (info.expiresAt <= now)
+            pendingLogins.delete(token);
+    }
+    for (const [sessionId, info] of activeSessions) {
+        if (info.expiresAt <= now)
+            activeSessions.delete(sessionId);
+    }
+}
+function createLoginToken(ttlMs) {
+    const now = Date.now();
+    cleanupExpiredAuth(now);
+    const token = generateRandomToken(32);
+    pendingLogins.set(token, { expiresAt: now + ttlMs });
+    return token;
+}
+function createSession(request, ttlMs) {
+    const now = Date.now();
+    cleanupExpiredAuth(now);
+    const sessionId = generateRandomToken(32);
+    const remoteAddr = request.socket.remoteAddress;
+    const userAgent = typeof request.headers["user-agent"] === "string" ? request.headers["user-agent"] : undefined;
+    activeSessions.set(sessionId, {
+        expiresAt: now + ttlMs,
+        remoteAddr,
+        userAgent,
+    });
+    return sessionId;
+}
+function parseCookies(request) {
+    const header = request.headers.cookie;
+    if (!header)
+        return {};
+    const cookies = {};
+    const parts = header.split(";");
+    for (const part of parts) {
+        const [rawKey, ...rest] = part.split("=");
+        const key = rawKey.trim();
+        if (!key)
+            continue;
+        const value = rest.join("=").trim();
+        cookies[key] = decodeURIComponent(value);
+    }
+    return cookies;
+}
+function getSessionIdFromRequest(request) {
+    const cookies = parseCookies(request);
+    const sessionId = cookies.openim_session;
+    return sessionId && typeof sessionId === "string" && sessionId.length > 0 ? sessionId : null;
+}
+function isSessionValid(request) {
+    const sessionId = getSessionIdFromRequest(request);
+    if (!sessionId)
+        return false;
+    const info = activeSessions.get(sessionId);
+    if (!info)
+        return false;
+    const now = Date.now();
+    if (info.expiresAt <= now) {
+        activeSessions.delete(sessionId);
+        return false;
+    }
+    // Optional: tie session to basic client fingerprint (remote address)
+    const remoteAddr = request.socket.remoteAddress;
+    if (info.remoteAddr && remoteAddr && remoteAddr !== info.remoteAddr) {
+        return false;
+    }
+    return true;
+}
+function buildSessionCookie(sessionId, ttlMs) {
+    const maxAgeSec = Math.floor(ttlMs / 1000);
+    const parts = [
+        `openim_session=${encodeURIComponent(sessionId)}`,
+        "Path=/",
+        "HttpOnly",
+        "SameSite=Lax",
+        `Max-Age=${maxAgeSec}`,
+    ];
+    // 不设置 Secure，方便本地 http 使用；如果放在 https 反代后，可以在代理层加 Secure
+    return parts.join("; ");
+}
 export function getHealthPlatformSnapshot(file, env = process.env) {
     const fileTelegram = file.platforms?.telegram;
     const fileFeishu = file.platforms?.feishu;
@@ -514,6 +608,7 @@ export async function startWebConfigServer(options) {
             resolve(value);
         };
     });
+    const host = getWebConfigHost();
     const server = createServer(async (request, response) => {
         const requestUrl = new URL(request.url ?? "/", "http://127.0.0.1");
         const finishFlow = (result) => {
@@ -522,6 +617,43 @@ export async function startWebConfigServer(options) {
             server.close();
             settle(result);
         };
+        // Auth gating:
+        // - 当仅绑定 127.0.0.1 时，保持完全本地免登录（向后兼容）
+        // - 当绑定到 0.0.0.0 或其他地址时，启用一次性登录 + Session Cookie 机制
+        const isLocalOnly = host === "127.0.0.1";
+        const hasLoginTokenFeature = !isLocalOnly;
+        if (hasLoginTokenFeature) {
+            const loginToken = requestUrl.searchParams.get("login_token");
+            if (loginToken) {
+                const info = pendingLogins.get(loginToken);
+                const now = Date.now();
+                if (info && info.expiresAt > now) {
+                    // 有效的一次性登录 token：创建会话，设置 Cookie，并重定向到去掉 login_token 的 URL
+                    pendingLogins.delete(loginToken);
+                    const sessionTtlMs = 24 * 60 * 60 * 1000; // 24 小时
+                    const sessionId = createSession(request, sessionTtlMs);
+                    const cookie = buildSessionCookie(sessionId, sessionTtlMs);
+                    requestUrl.searchParams.delete("login_token");
+                    const redirectPath = requestUrl.pathname + (requestUrl.search ? requestUrl.search : "");
+                    response.writeHead(302, {
+                        Location: redirectPath || "/",
+                        "Set-Cookie": cookie,
+                    });
+                    response.end();
+                    return;
+                }
+                // 无效或过期的一次性 token
+                response.writeHead(401, { "content-type": "text/plain; charset=utf-8" });
+                response.end("Invalid or expired login link. Please generate a new one from the server.");
+                return;
+            }
+            // 其他请求：必须已有有效 session
+            if (!isSessionValid(request)) {
+                response.writeHead(401, { "content-type": "text/plain; charset=utf-8" });
+                response.end("Unauthorized. Please open the latest login URL from the server output.");
+                return;
+            }
+        }
         if (request.method === "GET" && requestUrl.pathname === "/") {
             response.writeHead(200, { "content-type": "text/html; charset=utf-8" });
             response.end(PAGE_HTML);
@@ -676,7 +808,7 @@ export async function startWebConfigServer(options) {
             }
             reject(error);
         });
-        server.listen(port, "127.0.0.1", () => resolve());
+        server.listen(port, host, () => resolve());
     });
     const address = server.address();
     if (!address || typeof address === "string") {
@@ -698,6 +830,24 @@ export async function startWebConfigServer(options) {
         if (timer)
             clearTimeout(timer);
     });
+    let loginUrlForReturn;
+    // 当绑定到非 127.0.0.1（例如 0.0.0.0）时，为远程访问生成一次性登录链接
+    if (host !== "127.0.0.1") {
+        const loginTtlMs = 15 * 60 * 1000; // 15 分钟内有效
+        const loginToken = createLoginToken(loginTtlMs);
+        const displayHost = host === "0.0.0.0" ? "127.0.0.1" : host;
+        const baseUrl = `http://${displayHost}:${port}`;
+        const loginUrl = `${baseUrl}/?login_token=${encodeURIComponent(loginToken)}`;
+        loginUrlForReturn = loginUrl;
+        log.info("━━━━━━━━ Web Config Login ━━━━━━━━");
+        log.info(`Host binding : ${host}`);
+        log.info(`Login URL    : ${loginUrl}`);
+        if (host === "0.0.0.0") {
+            log.info("Note: replace 127.0.0.1 with your server IP or hostname when opening from another device.");
+        }
+        log.info(`This login link is valid for approximately ${Math.floor(loginTtlMs / 60000)} minutes and can be used only once.`);
+        log.info("After login, subsequent requests will use a short-lived session cookie.");
+    }
     return {
         close: async () => {
             if (timer)
@@ -706,13 +856,15 @@ export async function startWebConfigServer(options) {
             settle("cancel");
         },
         url: `http://127.0.0.1:${port}`,
+        loginUrl: loginUrlForReturn,
         waitForResult,
     };
 }
 export async function runWebConfigFlow(options) {
     const started = await startWebConfigServer(options);
-    openBrowser(started.url);
-    log.info(`Opened local configuration page: ${started.url}`);
+    const targetUrl = started.loginUrl ?? started.url;
+    openBrowser(targetUrl);
+    log.info(`Opened local configuration page: ${targetUrl}`);
     log.info(process.env.OPEN_IM_NO_BROWSER === "1" ? "Browser launch disabled. Open the URL manually." : "Save the configuration in your browser to continue.");
     return started.waitForResult;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wu529778790/open-im",
-  "version": "1.7.1-beta.1",
+  "version": "1.7.1-beta.3",
   "description": "Multi-platform IM bridge for AI CLI tools (Claude, Codex, CodeBuddy)",
   "type": "module",
   "main": "dist/index.js",