@xtr-dev/rondevu-server 0.0.1 → 0.1.1

package/src/bloom.ts

@@ -0,0 +1,66 @@
+/**
+ * Bloom filter utility for testing if peer IDs might be in a set
+ * Used to filter out known peers from discovery results
+ */
+
+export class BloomFilter {
+  private bits: Uint8Array;
+  private size: number;
+  private numHashes: number;
+
+  /**
+   * Creates a bloom filter from a base64 encoded bit array
+   */
+  constructor(base64Data: string, numHashes: number = 3) {
+    // Decode base64 to Uint8Array (works in both Node.js and Workers)
+    const binaryString = atob(base64Data);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+      bytes[i] = binaryString.charCodeAt(i);
+    }
+    this.bits = bytes;
+    this.size = this.bits.length * 8;
+    this.numHashes = numHashes;
+  }
+
+  /**
+   * Test if a peer ID might be in the filter
+   * Returns true if possibly in set, false if definitely not in set
+   */
+  test(peerId: string): boolean {
+    for (let i = 0; i < this.numHashes; i++) {
+      const hash = this.hash(peerId, i);
+      const index = hash % this.size;
+      const byteIndex = Math.floor(index / 8);
+      const bitIndex = index % 8;
+
+      if (!(this.bits[byteIndex] & (1 << bitIndex))) {
+        return false;
+      }
+    }
+    return true;
+  }
+
+  /**
+   * Simple hash function (FNV-1a variant)
+   */
+  private hash(str: string, seed: number): number {
+    let hash = 2166136261 ^ seed;
+    for (let i = 0; i < str.length; i++) {
+      hash ^= str.charCodeAt(i);
+      hash += (hash << 1) + (hash << 4) + (hash << 7) + (hash << 8) + (hash << 24);
+    }
+    return hash >>> 0;
+  }
+}
+
+/**
+ * Helper to parse bloom filter from base64 string
+ */
+export function parseBloomFilter(base64: string): BloomFilter | null {
+  try {
+    return new BloomFilter(base64);
+  } catch {
+    return null;
+  }
+}

package/src/config.ts

@@ -1,3 +1,5 @@
+import { generateSecretKey } from './crypto.ts';
+
 /**
  * Application configuration
  * Reads from environment variables with sensible defaults
@@ -6,21 +8,44 @@ export interface Config {
   port: number;
   storageType: 'sqlite' | 'memory';
   storagePath: string;
-  sessionTimeout: number;
   corsOrigins: string[];
+  version: string;
+  authSecret: string;
+  offerDefaultTtl: number;
+  offerMaxTtl: number;
+  offerMinTtl: number;
+  cleanupInterval: number;
+  maxOffersPerRequest: number;
+  maxTopicsPerOffer: number;
 }
 
 /**
  * Loads configuration from environment variables
  */
 export function loadConfig(): Config {
+  // Generate or load auth secret
+  let authSecret = process.env.AUTH_SECRET;
+  if (!authSecret) {
+    authSecret = generateSecretKey();
+    console.warn('WARNING: No AUTH_SECRET provided. Generated temporary secret:', authSecret);
+    console.warn('All peer credentials will be invalidated on server restart.');
+    console.warn('Set AUTH_SECRET environment variable to persist credentials across restarts.');
+  }
+
   return {
     port: parseInt(process.env.PORT || '3000', 10),
     storageType: (process.env.STORAGE_TYPE || 'sqlite') as 'sqlite' | 'memory',
     storagePath: process.env.STORAGE_PATH || ':memory:',
-    sessionTimeout: parseInt(process.env.SESSION_TIMEOUT || '300000', 10),
     corsOrigins: process.env.CORS_ORIGINS
       ? process.env.CORS_ORIGINS.split(',').map(o => o.trim())
       : ['*'],
+    version: process.env.VERSION || 'unknown',
+    authSecret,
+    offerDefaultTtl: parseInt(process.env.OFFER_DEFAULT_TTL || '60000', 10),
+    offerMaxTtl: parseInt(process.env.OFFER_MAX_TTL || '86400000', 10),
+    offerMinTtl: parseInt(process.env.OFFER_MIN_TTL || '60000', 10),
+    cleanupInterval: parseInt(process.env.CLEANUP_INTERVAL || '60000', 10),
+    maxOffersPerRequest: parseInt(process.env.MAX_OFFERS_PER_REQUEST || '100', 10),
+    maxTopicsPerOffer: parseInt(process.env.MAX_TOPICS_PER_OFFER || '50', 10),
   };
 }

package/src/crypto.ts

@@ -0,0 +1,149 @@
+/**
+ * Crypto utilities for stateless peer authentication
+ * Uses Web Crypto API for compatibility with both Node.js and Cloudflare Workers
+ */
+
+const ALGORITHM = 'AES-GCM';
+const IV_LENGTH = 12; // 96 bits for GCM
+const KEY_LENGTH = 32; // 256 bits
+
+/**
+ * Generates a random peer ID (16 bytes = 32 hex chars)
+ */
+export function generatePeerId(): string {
+  const bytes = crypto.getRandomValues(new Uint8Array(16));
+  return Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+
+/**
+ * Generates a random secret key for encryption (32 bytes = 64 hex chars)
+ */
+export function generateSecretKey(): string {
+  const bytes = crypto.getRandomValues(new Uint8Array(KEY_LENGTH));
+  return Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+
+/**
+ * Convert hex string to Uint8Array
+ */
+function hexToBytes(hex: string): Uint8Array {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  return bytes;
+}
+
+/**
+ * Convert Uint8Array to base64 string
+ */
+function bytesToBase64(bytes: Uint8Array): string {
+  const binString = Array.from(bytes, (byte) =>
+    String.fromCodePoint(byte)
+  ).join('');
+  return btoa(binString);
+}
+
+/**
+ * Convert base64 string to Uint8Array
+ */
+function base64ToBytes(base64: string): Uint8Array {
+  const binString = atob(base64);
+  return Uint8Array.from(binString, (char) => char.codePointAt(0)!);
+}
+
+/**
+ * Encrypts a peer ID using the server secret key
+ * Returns base64-encoded encrypted data (IV + ciphertext)
+ */
+export async function encryptPeerId(peerId: string, secretKeyHex: string): Promise<string> {
+  const keyBytes = hexToBytes(secretKeyHex);
+
+  if (keyBytes.length !== KEY_LENGTH) {
+    throw new Error(`Secret key must be ${KEY_LENGTH * 2} hex characters (${KEY_LENGTH} bytes)`);
+  }
+
+  // Import key
+  const key = await crypto.subtle.importKey(
+    'raw',
+    keyBytes,
+    { name: ALGORITHM, length: 256 },
+    false,
+    ['encrypt']
+  );
+
+  // Generate random IV
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+
+  // Encrypt peer ID
+  const encoder = new TextEncoder();
+  const data = encoder.encode(peerId);
+
+  const encrypted = await crypto.subtle.encrypt(
+    { name: ALGORITHM, iv },
+    key,
+    data
+  );
+
+  // Combine IV + ciphertext and encode as base64
+  const combined = new Uint8Array(iv.length + encrypted.byteLength);
+  combined.set(iv, 0);
+  combined.set(new Uint8Array(encrypted), iv.length);
+
+  return bytesToBase64(combined);
+}
+
+/**
+ * Decrypts an encrypted peer ID secret
+ * Returns the plaintext peer ID or throws if decryption fails
+ */
+export async function decryptPeerId(encryptedSecret: string, secretKeyHex: string): Promise<string> {
+  try {
+    const keyBytes = hexToBytes(secretKeyHex);
+
+    if (keyBytes.length !== KEY_LENGTH) {
+      throw new Error(`Secret key must be ${KEY_LENGTH * 2} hex characters (${KEY_LENGTH} bytes)`);
+    }
+
+    // Decode base64
+    const combined = base64ToBytes(encryptedSecret);
+
+    // Extract IV and ciphertext
+    const iv = combined.slice(0, IV_LENGTH);
+    const ciphertext = combined.slice(IV_LENGTH);
+
+    // Import key
+    const key = await crypto.subtle.importKey(
+      'raw',
+      keyBytes,
+      { name: ALGORITHM, length: 256 },
+      false,
+      ['decrypt']
+    );
+
+    // Decrypt
+    const decrypted = await crypto.subtle.decrypt(
+      { name: ALGORITHM, iv },
+      key,
+      ciphertext
+    );
+
+    const decoder = new TextDecoder();
+    return decoder.decode(decrypted);
+  } catch (err) {
+    throw new Error('Failed to decrypt peer ID: invalid secret or secret key');
+  }
+}
+
+/**
+ * Validates that a peer ID and secret match
+ * Returns true if valid, false otherwise
+ */
+export async function validateCredentials(peerId: string, encryptedSecret: string, secretKey: string): Promise<boolean> {
+  try {
+    const decryptedPeerId = await decryptPeerId(encryptedSecret, secretKey);
+    return decryptedPeerId === peerId;
+  } catch {
+    return false;
+  }
+}

package/src/index.ts

@@ -15,8 +15,14 @@ async function main() {
     port: config.port,
     storageType: config.storageType,
     storagePath: config.storagePath,
-    sessionTimeout: `${config.sessionTimeout}ms`,
+    offerDefaultTtl: `${config.offerDefaultTtl}ms`,
+    offerMaxTtl: `${config.offerMaxTtl}ms`,
+    offerMinTtl: `${config.offerMinTtl}ms`,
+    cleanupInterval: `${config.cleanupInterval}ms`,
+    maxOffersPerRequest: config.maxOffersPerRequest,
+    maxTopicsPerOffer: config.maxTopicsPerOffer,
     corsOrigins: config.corsOrigins,
+    version: config.version,
   });
 
   let storage: Storage;
@@ -28,10 +34,20 @@ async function main() {
     throw new Error('Unsupported storage type');
   }
 
-  const app = createApp(storage, {
-    sessionTimeout: config.sessionTimeout,
-    corsOrigins: config.corsOrigins,
-  });
+  // Start periodic cleanup of expired offers
+  const cleanupInterval = setInterval(async () => {
+    try {
+      const now = Date.now();
+      const deleted = await storage.deleteExpiredOffers(now);
+      if (deleted > 0) {
+        console.log(`Cleanup: Deleted ${deleted} expired offer(s)`);
+      }
+    } catch (err) {
+      console.error('Cleanup error:', err);
+    }
+  }, config.cleanupInterval);
+
+  const app = createApp(storage, config);
 
   const server = serve({
     fetch: app.fetch,
@@ -39,18 +55,18 @@ async function main() {
   });
 
   console.log(`Server running on http://localhost:${config.port}`);
+  console.log('Ready to accept connections');
 
-  process.on('SIGINT', async () => {
+  // Graceful shutdown handler
+  const shutdown = async () => {
     console.log('\nShutting down gracefully...');
+    clearInterval(cleanupInterval);
     await storage.close();
     process.exit(0);
-  });
+  };
 
-  process.on('SIGTERM', async () => {
-    console.log('\nShutting down gracefully...');
-    await storage.close();
-    process.exit(0);
-  });
+  process.on('SIGINT', shutdown);
+  process.on('SIGTERM', shutdown);
 }
 
 main().catch((err) => {

package/src/middleware/auth.ts

@@ -0,0 +1,51 @@
+import { Context, Next } from 'hono';
+import { validateCredentials } from '../crypto.ts';
+
+/**
+ * Authentication middleware for Rondevu
+ * Validates Bearer token in format: {peerId}:{encryptedSecret}
+ */
+export function createAuthMiddleware(authSecret: string) {
+  return async (c: Context, next: Next) => {
+    const authHeader = c.req.header('Authorization');
+
+    if (!authHeader) {
+      return c.json({ error: 'Missing Authorization header' }, 401);
+    }
+
+    // Expect format: Bearer {peerId}:{secret}
+    const parts = authHeader.split(' ');
+    if (parts.length !== 2 || parts[0] !== 'Bearer') {
+      return c.json({ error: 'Invalid Authorization header format. Expected: Bearer {peerId}:{secret}' }, 401);
+    }
+
+    const credentials = parts[1].split(':');
+    if (credentials.length !== 2) {
+      return c.json({ error: 'Invalid credentials format. Expected: {peerId}:{secret}' }, 401);
+    }
+
+    const [peerId, encryptedSecret] = credentials;
+
+    // Validate credentials (async operation)
+    const isValid = await validateCredentials(peerId, encryptedSecret, authSecret);
+    if (!isValid) {
+      return c.json({ error: 'Invalid credentials' }, 401);
+    }
+
+    // Attach peer ID to context for use in handlers
+    c.set('peerId', peerId);
+
+    await next();
+  };
+}
+
+/**
+ * Helper to get authenticated peer ID from context
+ */
+export function getAuthenticatedPeerId(c: Context): string {
+  const peerId = c.get('peerId');
+  if (!peerId) {
+    throw new Error('No authenticated peer ID in context');
+  }
+  return peerId;
+}