@xtr-dev/rondevu-server 0.0.1 → 0.1.2

package/src/app.ts

@@ -1,23 +1,37 @@
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
 import { Storage } from './storage/types.ts';
-
-export interface AppConfig {
-  sessionTimeout: number;
-  corsOrigins: string[];
-}
+import { Config } from './config.ts';
+import { createAuthMiddleware, getAuthenticatedPeerId } from './middleware/auth.ts';
+import { generatePeerId, encryptPeerId } from './crypto.ts';
+import { parseBloomFilter } from './bloom.ts';
+import type { Context } from 'hono';
 
 /**
- * Creates the Hono application with WebRTC signaling endpoints
+ * Creates the Hono application with topic-based WebRTC signaling endpoints
  */
-export function createApp(storage: Storage, config: AppConfig) {
+export function createApp(storage: Storage, config: Config) {
   const app = new Hono();
 
-  // Enable CORS
+  // Create auth middleware
+  const authMiddleware = createAuthMiddleware(config.authSecret);
+
+  // Enable CORS with dynamic origin handling
   app.use('/*', cors({
-    origin: config.corsOrigins,
-    allowMethods: ['GET', 'POST', 'OPTIONS'],
-    allowHeaders: ['Content-Type'],
+    origin: (origin) => {
+      // If no origin restrictions (wildcard), allow any origin
+      if (config.corsOrigins.length === 1 && config.corsOrigins[0] === '*') {
+        return origin;
+      }
+      // Otherwise check if origin is in allowed list
+      if (config.corsOrigins.includes(origin)) {
+        return origin;
+      }
+      // Default to first allowed origin
+      return config.corsOrigins[0];
+    },
+    allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+    allowHeaders: ['Content-Type', 'Origin', 'Authorization'],
     exposeHeaders: ['Content-Type'],
     maxAge: 600,
     credentials: true,
@@ -25,203 +39,483 @@ export function createApp(storage: Storage, config: AppConfig) {
 
   /**
    * GET /
-   * Lists all topics with their unanswered session counts (paginated)
-   * Query params: page (default: 1), limit (default: 100, max: 1000)
+   * Returns server version information
    */
-  app.get('/', async (c) => {
+  app.get('/', (c) => {
+    return c.json({
+      version: config.version,
+      name: 'Rondevu',
+      description: 'Topic-based peer discovery and signaling server'
+    });
+  });
+
+  /**
+   * GET /health
+   * Health check endpoint with version
+   */
+  app.get('/health', (c) => {
+    return c.json({
+      status: 'ok',
+      timestamp: Date.now(),
+      version: config.version
+    });
+  });
+
+  /**
+   * POST /register
+   * Register a new peer and receive credentials
+   */
+  app.post('/register', async (c) => {
     try {
-      const origin = c.req.header('Origin') || c.req.header('origin') || 'unknown';
-      const page = parseInt(c.req.query('page') || '1', 10);
-      const limit = parseInt(c.req.query('limit') || '100', 10);
+      // Generate new peer ID
+      const peerId = generatePeerId();
 
-      const result = await storage.listTopics(origin, page, limit);
+      // Encrypt peer ID with server secret (async operation)
+      const secret = await encryptPeerId(peerId, config.authSecret);
 
-      return c.json(result);
+      return c.json({
+        peerId,
+        secret
+      }, 200);
     } catch (err) {
-      console.error('Error listing topics:', err);
+      console.error('Error registering peer:', err);
       return c.json({ error: 'Internal server error' }, 500);
     }
   });
 
   /**
-   * GET /:topic/sessions
-   * Lists all unanswered sessions for a topic
+   * POST /offers
+   * Creates one or more offers with topics
+   * Requires authentication
    */
-  app.get('/:topic/sessions', async (c) => {
+  app.post('/offers', authMiddleware, async (c) => {
     try {
-      const origin = c.req.header('Origin') || c.req.header('origin') || 'unknown';
-      const topic = c.req.param('topic');
+      const body = await c.req.json();
+      const { offers } = body;
 
-      if (!topic) {
-        return c.json({ error: 'Missing required parameter: topic' }, 400);
+      if (!Array.isArray(offers) || offers.length === 0) {
+        return c.json({ error: 'Missing or invalid required parameter: offers (must be non-empty array)' }, 400);
       }
 
-      if (topic.length > 256) {
-        return c.json({ error: 'Topic string must be 256 characters or less' }, 400);
+      if (offers.length > config.maxOffersPerRequest) {
+        return c.json({ error: `Too many offers. Maximum ${config.maxOffersPerRequest} per request` }, 400);
       }
 
-      const sessions = await storage.listSessionsByTopic(origin, topic);
+      const peerId = getAuthenticatedPeerId(c);
+
+      // Validate and prepare offers
+      const offerRequests = [];
+      for (const offer of offers) {
+        // Validate SDP
+        if (!offer.sdp || typeof offer.sdp !== 'string') {
+          return c.json({ error: 'Each offer must have an sdp field' }, 400);
+        }
+
+        if (offer.sdp.length > 65536) {
+          return c.json({ error: 'SDP must be 64KB or less' }, 400);
+        }
+
+        // Validate secret if provided
+        if (offer.secret !== undefined) {
+          if (typeof offer.secret !== 'string') {
+            return c.json({ error: 'Secret must be a string' }, 400);
+          }
+          if (offer.secret.length > 128) {
+            return c.json({ error: 'Secret must be 128 characters or less' }, 400);
+          }
+        }
+
+        // Validate topics
+        if (!Array.isArray(offer.topics) || offer.topics.length === 0) {
+          return c.json({ error: 'Each offer must have a non-empty topics array' }, 400);
+        }
+
+        if (offer.topics.length > config.maxTopicsPerOffer) {
+          return c.json({ error: `Too many topics. Maximum ${config.maxTopicsPerOffer} per offer` }, 400);
+        }
+
+        for (const topic of offer.topics) {
+          if (typeof topic !== 'string' || topic.length === 0 || topic.length > 256) {
+            return c.json({ error: 'Each topic must be a string between 1 and 256 characters' }, 400);
+          }
+        }
+
+        // Validate and clamp TTL
+        let ttl = offer.ttl || config.offerDefaultTtl;
+        if (ttl < config.offerMinTtl) {
+          ttl = config.offerMinTtl;
+        }
+        if (ttl > config.offerMaxTtl) {
+          ttl = config.offerMaxTtl;
+        }
 
+        offerRequests.push({
+          id: offer.id,
+          peerId,
+          sdp: offer.sdp,
+          topics: offer.topics,
+          expiresAt: Date.now() + ttl,
+          secret: offer.secret,
+        });
+      }
+
+      // Create offers
+      const createdOffers = await storage.createOffers(offerRequests);
+
+      // Return simplified response
       return c.json({
-        sessions: sessions.map(s => ({
-          code: s.code,
-          info: s.info,
-          offer: s.offer,
-          offerCandidates: s.offerCandidates,
-          createdAt: s.createdAt,
-          expiresAt: s.expiresAt,
-        })),
-      });
+        offers: createdOffers.map(o => ({
+          id: o.id,
+          peerId: o.peerId,
+          topics: o.topics,
+          expiresAt: o.expiresAt
+        }))
+      }, 200);
     } catch (err) {
-      console.error('Error listing sessions:', err);
+      console.error('Error creating offers:', err);
       return c.json({ error: 'Internal server error' }, 500);
     }
   });
 
   /**
-   * POST /:topic/offer
-   * Creates a new offer and returns a unique session code
-   * Body: { info: string, offer: string }
+   * GET /offers/by-topic/:topic
+   * Find offers by topic with optional bloom filter exclusion
+   * Public endpoint (no auth required)
    */
-  app.post('/:topic/offer', async (c) => {
+  app.get('/offers/by-topic/:topic', async (c) => {
     try {
-      const origin = c.req.header('Origin') || c.req.header('origin') || 'unknown';
       const topic = c.req.param('topic');
-      const body = await c.req.json();
-      const { info, offer } = body;
+      const bloomParam = c.req.query('bloom');
+      const limitParam = c.req.query('limit');
 
-      if (!topic || typeof topic !== 'string') {
-        return c.json({ error: 'Missing or invalid required parameter: topic' }, 400);
-      }
+      const limit = limitParam ? Math.min(parseInt(limitParam, 10), 200) : 50;
 
-      if (topic.length > 256) {
-        return c.json({ error: 'Topic string must be 256 characters or less' }, 400);
-      }
+      // Parse bloom filter if provided
+      let excludePeerIds: string[] = [];
+      if (bloomParam) {
+        const bloom = parseBloomFilter(bloomParam);
+        if (!bloom) {
+          return c.json({ error: 'Invalid bloom filter format' }, 400);
+        }
 
-      if (!info || typeof info !== 'string') {
-        return c.json({ error: 'Missing or invalid required parameter: info' }, 400);
-      }
+        // Get all offers for topic first
+        const allOffers = await storage.getOffersByTopic(topic);
 
-      if (info.length > 1024) {
-        return c.json({ error: 'Info string must be 1024 characters or less' }, 400);
-      }
+        // Test each peer ID against bloom filter
+        const excludeSet = new Set<string>();
+        for (const offer of allOffers) {
+          if (bloom.test(offer.peerId)) {
+            excludeSet.add(offer.peerId);
+          }
+        }
 
-      if (!offer || typeof offer !== 'string') {
-        return c.json({ error: 'Missing or invalid required parameter: offer' }, 400);
+        excludePeerIds = Array.from(excludeSet);
       }
 
-      const expiresAt = Date.now() + config.sessionTimeout;
-      const code = await storage.createSession(origin, topic, info, offer, expiresAt);
+      // Get filtered offers
+      let offers = await storage.getOffersByTopic(topic, excludePeerIds.length > 0 ? excludePeerIds : undefined);
 
-      return c.json({ code }, 200);
+      // Apply limit
+      const total = offers.length;
+      offers = offers.slice(0, limit);
+
+      return c.json({
+        topic,
+        offers: offers.map(o => ({
+          id: o.id,
+          peerId: o.peerId,
+          sdp: o.sdp,
+          topics: o.topics,
+          expiresAt: o.expiresAt,
+          lastSeen: o.lastSeen,
+          hasSecret: !!o.secret  // Indicate if secret is required without exposing it
+        })),
+        total: bloomParam ? total + excludePeerIds.length : total,
+        returned: offers.length
+      }, 200);
     } catch (err) {
-      console.error('Error creating offer:', err);
+      console.error('Error fetching offers by topic:', err);
       return c.json({ error: 'Internal server error' }, 500);
     }
   });
 
   /**
-   * POST /answer
-   * Responds to an existing offer or sends ICE candidates
-   * Body: { code: string, answer?: string, candidate?: string, side: 'offerer' | 'answerer' }
+   * GET /topics
+   * List all topics with active peer counts (paginated)
+   * Public endpoint (no auth required)
+   * Query params:
+   *   - limit: Max topics to return (default 50, max 200)
+   *   - offset: Number of topics to skip (default 0)
+   *   - startsWith: Filter topics starting with this prefix (optional)
    */
-  app.post('/answer', async (c) => {
+  app.get('/topics', async (c) => {
     try {
-      const origin = c.req.header('Origin') || c.req.header('origin') || 'unknown';
-      const body = await c.req.json();
-      const { code, answer, candidate, side } = body;
+      const limitParam = c.req.query('limit');
+      const offsetParam = c.req.query('offset');
+      const startsWithParam = c.req.query('startsWith');
 
-      if (!code || typeof code !== 'string') {
-        return c.json({ error: 'Missing or invalid required parameter: code' }, 400);
+      const limit = limitParam ? Math.min(parseInt(limitParam, 10), 200) : 50;
+      const offset = offsetParam ? parseInt(offsetParam, 10) : 0;
+      const startsWith = startsWithParam || undefined;
+
+      const result = await storage.getTopics(limit, offset, startsWith);
+
+      return c.json({
+        topics: result.topics,
+        total: result.total,
+        limit,
+        offset,
+        ...(startsWith && { startsWith })
+      }, 200);
+    } catch (err) {
+      console.error('Error fetching topics:', err);
+      return c.json({ error: 'Internal server error' }, 500);
+    }
+  });
+
+  /**
+   * GET /peers/:peerId/offers
+   * View all offers from a specific peer
+   * Public endpoint
+   */
+  app.get('/peers/:peerId/offers', async (c) => {
+    try {
+      const peerId = c.req.param('peerId');
+      const offers = await storage.getOffersByPeerId(peerId);
+
+      // Collect unique topics
+      const topicsSet = new Set<string>();
+      offers.forEach(o => o.topics.forEach(t => topicsSet.add(t)));
+
+      return c.json({
+        peerId,
+        offers: offers.map(o => ({
+          id: o.id,
+          sdp: o.sdp,
+          topics: o.topics,
+          expiresAt: o.expiresAt,
+          lastSeen: o.lastSeen,
+          hasSecret: !!o.secret  // Indicate if secret is required without exposing it
+        })),
+        topics: Array.from(topicsSet)
+      }, 200);
+    } catch (err) {
+      console.error('Error fetching peer offers:', err);
+      return c.json({ error: 'Internal server error' }, 500);
+    }
+  });
+
+  /**
+   * GET /offers/mine
+   * List all offers owned by authenticated peer
+   * Requires authentication
+   */
+  app.get('/offers/mine', authMiddleware, async (c) => {
+    try {
+      const peerId = getAuthenticatedPeerId(c);
+      const offers = await storage.getOffersByPeerId(peerId);
+
+      return c.json({
+        peerId,
+        offers: offers.map(o => ({
+          id: o.id,
+          sdp: o.sdp,
+          topics: o.topics,
+          createdAt: o.createdAt,
+          expiresAt: o.expiresAt,
+          lastSeen: o.lastSeen,
+          secret: o.secret,  // Owner can see the secret
+          answererPeerId: o.answererPeerId,
+          answeredAt: o.answeredAt
+        }))
+      }, 200);
+    } catch (err) {
+      console.error('Error fetching own offers:', err);
+      return c.json({ error: 'Internal server error' }, 500);
+    }
+  });
+
+  /**
+   * DELETE /offers/:offerId
+   * Delete a specific offer
+   * Requires authentication and ownership
+   */
+  app.delete('/offers/:offerId', authMiddleware, async (c) => {
+    try {
+      const offerId = c.req.param('offerId');
+      const peerId = getAuthenticatedPeerId(c);
+
+      const deleted = await storage.deleteOffer(offerId, peerId);
+
+      if (!deleted) {
+        return c.json({ error: 'Offer not found or not authorized' }, 404);
       }
 
-      if (!side || (side !== 'offerer' && side !== 'answerer')) {
-        return c.json({ error: 'Invalid or missing parameter: side (must be "offerer" or "answerer")' }, 400);
+      return c.json({ deleted: true }, 200);
+    } catch (err) {
+      console.error('Error deleting offer:', err);
+      return c.json({ error: 'Internal server error' }, 500);
+    }
+  });
+
+  /**
+   * POST /offers/:offerId/answer
+   * Answer a specific offer (locks it to answerer)
+   * Requires authentication
+   */
+  app.post('/offers/:offerId/answer', authMiddleware, async (c) => {
+    try {
+      const offerId = c.req.param('offerId');
+      const peerId = getAuthenticatedPeerId(c);
+      const body = await c.req.json();
+      const { sdp, secret } = body;
+
+      if (!sdp || typeof sdp !== 'string') {
+        return c.json({ error: 'Missing or invalid required parameter: sdp' }, 400);
       }
 
-      if (!answer && !candidate) {
-        return c.json({ error: 'Missing required parameter: answer or candidate' }, 400);
+      if (sdp.length > 65536) {
+        return c.json({ error: 'SDP must be 64KB or less' }, 400);
       }
 
-      if (answer && candidate) {
-        return c.json({ error: 'Cannot provide both answer and candidate' }, 400);
+      // Validate secret if provided
+      if (secret !== undefined && typeof secret !== 'string') {
+        return c.json({ error: 'Secret must be a string' }, 400);
       }
 
-      const session = await storage.getSession(code, origin);
+      const result = await storage.answerOffer(offerId, peerId, sdp, secret);
 
-      if (!session) {
-        return c.json({ error: 'Session not found, expired, or origin mismatch' }, 404);
+      if (!result.success) {
+        return c.json({ error: result.error }, 400);
       }
 
-      if (answer) {
-        await storage.updateSession(code, origin, { answer });
-      }
+      return c.json({
+        offerId,
+        answererId: peerId,
+        answeredAt: Date.now()
+      }, 200);
+    } catch (err) {
+      console.error('Error answering offer:', err);
+      return c.json({ error: 'Internal server error' }, 500);
+    }
+  });
 
-      if (candidate) {
-        if (side === 'offerer') {
-          const updatedCandidates = [...session.offerCandidates, candidate];
-          await storage.updateSession(code, origin, { offerCandidates: updatedCandidates });
-        } else {
-          const updatedCandidates = [...session.answerCandidates, candidate];
-          await storage.updateSession(code, origin, { answerCandidates: updatedCandidates });
-        }
-      }
+  /**
+   * GET /offers/answers
+   * Poll for answers to all of authenticated peer's offers
+   * Requires authentication (offerer)
+   */
+  app.get('/offers/answers', authMiddleware, async (c) => {
+    try {
+      const peerId = getAuthenticatedPeerId(c);
+      const offers = await storage.getAnsweredOffers(peerId);
 
-      return c.json({ success: true }, 200);
+      return c.json({
+        answers: offers.map(o => ({
+          offerId: o.id,
+          answererId: o.answererPeerId,
+          sdp: o.answerSdp,
+          answeredAt: o.answeredAt,
+          topics: o.topics
+        }))
+      }, 200);
     } catch (err) {
-      console.error('Error handling answer:', err);
+      console.error('Error fetching answers:', err);
       return c.json({ error: 'Internal server error' }, 500);
     }
   });
 
   /**
-   * POST /poll
-   * Polls for session data (offer, answer, ICE candidates)
-   * Body: { code: string, side: 'offerer' | 'answerer' }
+   * POST /offers/:offerId/ice-candidates
+   * Post ICE candidates for an offer
+   * Requires authentication (must be offerer or answerer)
    */
-  app.post('/poll', async (c) => {
+  app.post('/offers/:offerId/ice-candidates', authMiddleware, async (c) => {
     try {
-      const origin = c.req.header('Origin') || c.req.header('origin') || 'unknown';
+      const offerId = c.req.param('offerId');
+      const peerId = getAuthenticatedPeerId(c);
       const body = await c.req.json();
-      const { code, side } = body;
-
-      if (!code || typeof code !== 'string') {
-        return c.json({ error: 'Missing or invalid required parameter: code' }, 400);
-      }
+      const { candidates } = body;
 
-      if (!side || (side !== 'offerer' && side !== 'answerer')) {
-        return c.json({ error: 'Invalid or missing parameter: side (must be "offerer" or "answerer")' }, 400);
+      if (!Array.isArray(candidates) || candidates.length === 0) {
+        return c.json({ error: 'Missing or invalid required parameter: candidates (must be non-empty array)' }, 400);
       }
 
-      const session = await storage.getSession(code, origin);
-
-      if (!session) {
-        return c.json({ error: 'Session not found, expired, or origin mismatch' }, 404);
+      // Verify offer exists and caller is offerer or answerer
+      const offer = await storage.getOfferById(offerId);
+      if (!offer) {
+        return c.json({ error: 'Offer not found or expired' }, 404);
       }
 
-      if (side === 'offerer') {
-        return c.json({
-          answer: session.answer || null,
-          answerCandidates: session.answerCandidates,
-        });
+      let role: 'offerer' | 'answerer';
+      if (offer.peerId === peerId) {
+        role = 'offerer';
+      } else if (offer.answererPeerId === peerId) {
+        role = 'answerer';
       } else {
-        return c.json({
-          offer: session.offer,
-          offerCandidates: session.offerCandidates,
-        });
+        return c.json({ error: 'Not authorized to post ICE candidates for this offer' }, 403);
       }
+
+      const added = await storage.addIceCandidates(offerId, peerId, role, candidates);
+
+      return c.json({
+        offerId,
+        candidatesAdded: added
+      }, 200);
     } catch (err) {
-      console.error('Error polling session:', err);
+      console.error('Error adding ICE candidates:', err);
       return c.json({ error: 'Internal server error' }, 500);
     }
   });
 
   /**
-   * GET /health
-   * Health check endpoint
+   * GET /offers/:offerId/ice-candidates
+   * Poll for ICE candidates from the other peer
+   * Requires authentication (must be offerer or answerer)
    */
-  app.get('/health', (c) => {
-    return c.json({ status: 'ok', timestamp: Date.now() });
+  app.get('/offers/:offerId/ice-candidates', authMiddleware, async (c) => {
+    try {
+      const offerId = c.req.param('offerId');
+      const peerId = getAuthenticatedPeerId(c);
+      const sinceParam = c.req.query('since');
+
+      const since = sinceParam ? parseInt(sinceParam, 10) : undefined;
+
+      // Verify offer exists and caller is offerer or answerer
+      const offer = await storage.getOfferById(offerId);
+      if (!offer) {
+        return c.json({ error: 'Offer not found or expired' }, 404);
+      }
+
+      let targetRole: 'offerer' | 'answerer';
+      if (offer.peerId === peerId) {
+        // Offerer wants answerer's candidates
+        targetRole = 'answerer';
+        console.log(`[ICE GET] Offerer ${peerId} requesting answerer ICE candidates for offer ${offerId}, since=${since}, answererPeerId=${offer.answererPeerId}`);
+      } else if (offer.answererPeerId === peerId) {
+        // Answerer wants offerer's candidates
+        targetRole = 'offerer';
+        console.log(`[ICE GET] Answerer ${peerId} requesting offerer ICE candidates for offer ${offerId}, since=${since}, offererPeerId=${offer.peerId}`);
+      } else {
+        return c.json({ error: 'Not authorized to view ICE candidates for this offer' }, 403);
+      }
+
+      const candidates = await storage.getIceCandidates(offerId, targetRole, since);
+      console.log(`[ICE GET] Found ${candidates.length} candidates for offer ${offerId}, targetRole=${targetRole}, since=${since}`);
+
+      return c.json({
+        offerId,
+        candidates: candidates.map(c => ({
+          candidate: c.candidate,
+          peerId: c.peerId,
+          role: c.role,
+          createdAt: c.createdAt
+        }))
+      }, 200);
+    } catch (err) {
+      console.error('Error fetching ICE candidates:', err);
+      return c.json({ error: 'Internal server error' }, 500);
+    }
   });
 
   return app;