@xtr-dev/rondevu-server 0.5.0 → 0.5.6

package/migrations/fresh_schema.sql

@@ -1,51 +1,32 @@
--- Fresh schema for Rondevu v0.5.0+
--- Unified Ed25519 authentication - username/keypair only
--- This is the complete schema without migration steps
+-- Fresh schema for Rondevu (Tags-based)
+-- Offers are standalone with tags for discovery
 
 -- Drop existing tables if they exist
 DROP TABLE IF EXISTS ice_candidates;
-DROP TABLE IF EXISTS services;
 DROP TABLE IF EXISTS offers;
-DROP TABLE IF EXISTS usernames;
-
--- Usernames table (now required for all users, even anonymous)
-CREATE TABLE usernames (
-  username TEXT PRIMARY KEY,
-  public_key TEXT NOT NULL UNIQUE,
-  claimed_at INTEGER NOT NULL,
-  expires_at INTEGER NOT NULL,
-  last_used INTEGER NOT NULL,
-  metadata TEXT,
-  CHECK(length(username) >= 3 AND length(username) <= 32)
-);
-
-CREATE INDEX idx_usernames_expires ON usernames(expires_at);
-CREATE INDEX idx_usernames_public_key ON usernames(public_key);
+DROP TABLE IF EXISTS services;
+DROP TABLE IF EXISTS credentials;
+DROP TABLE IF EXISTS rate_limits;
+DROP TABLE IF EXISTS nonces;
 
--- Services table with discovery fields
-CREATE TABLE services (
-  id TEXT PRIMARY KEY,
-  service_fqn TEXT NOT NULL,
-  service_name TEXT NOT NULL,
-  version TEXT NOT NULL,
-  username TEXT NOT NULL,
+-- Credentials table (name + secret auth)
+CREATE TABLE credentials (
+  name TEXT PRIMARY KEY,
+  secret TEXT NOT NULL UNIQUE,
   created_at INTEGER NOT NULL,
   expires_at INTEGER NOT NULL,
-  FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE,
-  UNIQUE(service_name, version, username)
+  last_used INTEGER NOT NULL,
+  CHECK(length(name) >= 3 AND length(name) <= 32)
 );
 
-CREATE INDEX idx_services_fqn ON services(service_fqn);
-CREATE INDEX idx_services_discovery ON services(service_name, version);
-CREATE INDEX idx_services_username ON services(username);
-CREATE INDEX idx_services_expires ON services(expires_at);
+CREATE INDEX idx_credentials_expires ON credentials(expires_at);
+CREATE INDEX idx_credentials_secret ON credentials(secret);
 
--- Offers table (now uses username instead of peer_id)
+-- Offers table (standalone with tags for discovery)
 CREATE TABLE offers (
   id TEXT PRIMARY KEY,
   username TEXT NOT NULL,
-  service_id TEXT,
-  service_fqn TEXT,
+  tags TEXT NOT NULL,  -- JSON array: '["tag1", "tag2"]'
   sdp TEXT NOT NULL,
   created_at INTEGER NOT NULL,
   expires_at INTEGER NOT NULL,
@@ -53,17 +34,15 @@ CREATE TABLE offers (
   answerer_username TEXT,
   answer_sdp TEXT,
   answered_at INTEGER,
-  FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE,
-  FOREIGN KEY (answerer_username) REFERENCES usernames(username) ON DELETE SET NULL
+  FOREIGN KEY (username) REFERENCES credentials(name) ON DELETE CASCADE
 );
 
 CREATE INDEX idx_offers_username ON offers(username);
-CREATE INDEX idx_offers_service ON offers(service_id);
 CREATE INDEX idx_offers_expires ON offers(expires_at);
 CREATE INDEX idx_offers_last_seen ON offers(last_seen);
 CREATE INDEX idx_offers_answerer ON offers(answerer_username);
 
--- ICE candidates table (now uses username instead of peer_id)
+-- ICE candidates table
 CREATE TABLE ice_candidates (
   id INTEGER PRIMARY KEY AUTOINCREMENT,
   offer_id TEXT NOT NULL,
@@ -71,11 +50,27 @@ CREATE TABLE ice_candidates (
   role TEXT NOT NULL CHECK(role IN ('offerer', 'answerer')),
   candidate TEXT NOT NULL,
   created_at INTEGER NOT NULL,
-  FOREIGN KEY (offer_id) REFERENCES offers(id) ON DELETE CASCADE,
-  FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE
+  FOREIGN KEY (offer_id) REFERENCES offers(id) ON DELETE CASCADE
 );
 
 CREATE INDEX idx_ice_offer ON ice_candidates(offer_id);
 CREATE INDEX idx_ice_username ON ice_candidates(username);
 CREATE INDEX idx_ice_role ON ice_candidates(role);
 CREATE INDEX idx_ice_created ON ice_candidates(created_at);
+
+-- Rate limits table
+CREATE TABLE rate_limits (
+  identifier TEXT PRIMARY KEY,
+  count INTEGER NOT NULL,
+  reset_time INTEGER NOT NULL
+);
+
+CREATE INDEX idx_rate_limits_reset ON rate_limits(reset_time);
+
+-- Nonces table (for replay attack prevention)
+CREATE TABLE nonces (
+  nonce_key TEXT PRIMARY KEY,
+  expires_at INTEGER NOT NULL
+);
+
+CREATE INDEX idx_nonces_expires ON nonces(expires_at);

package/package.json

@@ -1,29 +1,35 @@
 {
   "name": "@xtr-dev/rondevu-server",
-  "version": "0.5.0",
-  "description": "DNS-like WebRTC signaling server with username claiming and service discovery",
+  "version": "0.5.6",
+  "description": "DNS-like WebRTC signaling server with credential-based authentication and service discovery",
   "main": "dist/index.js",
   "scripts": {
     "build": "node build.js",
     "typecheck": "tsc",
     "dev": "ts-node src/index.ts",
     "start": "node dist/index.js",
-    "test": "echo \"Error: no test specified\" && exit 1",
+    "test": "node --import tsx --test tests/integration/*.test.ts",
+    "test:local": "API_URL=http://localhost:3000 node --import tsx --test tests/integration/*.test.ts",
     "deploy": "npx wrangler deploy src/worker.ts --var VERSION:$(git rev-parse --short HEAD)"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20251014.0",
     "@types/better-sqlite3": "^7.6.13",
     "@types/node": "^24.9.2",
+    "@types/pg": "^8.15.4",
     "esbuild": "^0.25.11",
     "ts-node": "^10.9.2",
+    "tsx": "^4.19.0",
     "typescript": "^5.9.3"
   },
   "dependencies": {
     "@hono/node-server": "^1.19.6",
-    "@noble/ed25519": "^3.0.0",
     "@xtr-dev/rondevu-client": "^0.13.0",
     "better-sqlite3": "^12.4.1",
     "hono": "^4.10.4"
+  },
+  "optionalDependencies": {
+    "mysql2": "^3.14.1",
+    "pg": "^8.16.0"
   }
 }

package/src/app.ts

@@ -4,9 +4,6 @@ import { Storage } from './storage/types.ts';
 import { Config } from './config.ts';
 import { handleRpc, RpcRequest } from './rpc.ts';
 
-// Constants
-const MAX_BATCH_SIZE = 100;
-
 /**
  * Creates the Hono application with RPC interface
  */
@@ -25,7 +22,7 @@ export function createApp(storage: Storage, config: Config) {
       return config.corsOrigins[0];
     },
     allowMethods: ['GET', 'POST', 'OPTIONS'],
-    allowHeaders: ['Content-Type', 'Origin'],
+    allowHeaders: ['Content-Type', 'Origin', 'X-Name', 'X-Timestamp', 'X-Nonce', 'X-Signature'],
     exposeHeaders: ['Content-Type'],
     credentials: false,
     maxAge: 86400,
@@ -36,7 +33,7 @@ export function createApp(storage: Storage, config: Config) {
     return c.json({
       version: config.version,
       name: 'Rondevu',
-      description: 'WebRTC signaling with RPC interface and Ed25519 authentication',
+      description: 'WebRTC signaling with RPC interface and HMAC signature-based authentication',
     }, 200);
   });
 
@@ -51,35 +48,58 @@ export function createApp(storage: Storage, config: Config) {
 
   /**
    * POST /rpc
-   * RPC endpoint - accepts single or batch method calls
+   * RPC endpoint - accepts batch method calls only
    */
   app.post('/rpc', async (c) => {
     try {
       const body = await c.req.json();
 
-      // Support both single request and batch array
-      const requests: RpcRequest[] = Array.isArray(body) ? body : [body];
+      // Only accept batch arrays
+      if (!Array.isArray(body)) {
+        return c.json([{
+          success: false,
+          error: 'Request must be an array of RPC calls',
+          errorCode: 'INVALID_PARAMS'
+        }], 400);
+      }
+
+      const requests: RpcRequest[] = body;
 
       // Validate requests
       if (requests.length === 0) {
-        return c.json({ error: 'Empty request array' }, 400);
+        return c.json([{
+          success: false,
+          error: 'Empty request array',
+          errorCode: 'INVALID_PARAMS'
+        }], 400);
       }
 
-      if (requests.length > MAX_BATCH_SIZE) {
-        return c.json({ error: `Too many requests in batch (max ${MAX_BATCH_SIZE})` }, 400);
+      if (requests.length > config.maxBatchSize) {
+        return c.json([{
+          success: false,
+          error: `Too many requests in batch (max ${config.maxBatchSize})`,
+          errorCode: 'BATCH_TOO_LARGE'
+        }], 413); // 413 Payload Too Large
       }
 
-      // Handle RPC
-      const responses = await handleRpc(requests, storage, config);
+      // Handle RPC (pass context for auth headers)
+      const responses = await handleRpc(requests, c, storage, config);
 
-      // Return single response or array based on input
-      return c.json(Array.isArray(body) ? responses : responses[0], 200);
+      // Always return array
+      return c.json(responses, 200);
     } catch (err) {
       console.error('RPC error:', err);
-      return c.json({
+
+      // Distinguish between JSON parse errors and validation errors
+      const errorMsg = err instanceof SyntaxError
+        ? 'Invalid JSON in request body'
+        : 'Request must be valid JSON array';
+
+      return c.json([{
         success: false,
-        error: 'Invalid request format',
-      }, 400);
+        error: errorMsg,
+        errorCode: 'INVALID_PARAMS'
+      }], 400);
     }
   });
 

package/src/config.ts

@@ -1,11 +1,16 @@
+import { Storage } from './storage/types.ts';
+import { StorageType } from './storage/factory.ts';
+
 /**
  * Application configuration
  * Reads from environment variables with sensible defaults
  */
 export interface Config {
   port: number;
-  storageType: 'sqlite' | 'memory';
+  storageType: StorageType;
   storagePath: string;
+  databaseUrl: string;
+  dbPoolSize: number;
   corsOrigins: string[];
   version: string;
   offerDefaultTtl: number;
@@ -13,24 +18,165 @@ export interface Config {
   offerMinTtl: number;
   cleanupInterval: number;
   maxOffersPerRequest: number;
+  maxBatchSize: number;
+  maxSdpSize: number;
+  maxCandidateSize: number;
+  maxCandidateDepth: number;
+  maxCandidatesPerRequest: number;
+  maxTotalOperations: number;
+  timestampMaxAge: number; // Max age for timestamps (replay protection)
+  timestampMaxFuture: number; // Max future tolerance for timestamps (clock skew)
+  masterEncryptionKey: string; // 64-char hex string for encrypting secrets (32 bytes)
 }
 
 /**
  * Loads configuration from environment variables
  */
 export function loadConfig(): Config {
-  return {
-    port: parseInt(process.env.PORT || '3000', 10),
-    storageType: (process.env.STORAGE_TYPE || 'sqlite') as 'sqlite' | 'memory',
+  // Master encryption key for secret storage
+  // CRITICAL: Set MASTER_ENCRYPTION_KEY in production to a secure random value
+  let masterEncryptionKey = process.env.MASTER_ENCRYPTION_KEY;
+
+  if (!masterEncryptionKey) {
+    // SECURITY: Fail fast unless explicitly in development mode
+    // Default to production-safe behavior if NODE_ENV is unset
+    const isDevelopment = process.env.NODE_ENV === 'development';
+
+    if (!isDevelopment) {
+      throw new Error(
+        'MASTER_ENCRYPTION_KEY environment variable must be set. ' +
+        'Generate with: openssl rand -hex 32\n' +
+        'For development only, set NODE_ENV=development to use insecure dev key.'
+      );
+    }
+
+    // Use deterministic key ONLY in explicit development mode
+    // WARNING: DO NOT USE THIS IN PRODUCTION - only for local development
+    console.error('⚠️  WARNING: Using insecure deterministic development key');
+    console.error('⚠️  ONLY use NODE_ENV=development for local development');
+    console.error('⚠️  Generate production key with: openssl rand -hex 32');
+    // Random-looking dev key (not ASCII-readable to prevent accidental production use)
+    masterEncryptionKey = 'a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2';
+  }
+
+  // Validate master encryption key format
+  // NOTE: Using regex here is safe since this runs at startup, not during request processing
+  if (masterEncryptionKey.length !== 64 || !/^[0-9a-fA-F]{64}$/.test(masterEncryptionKey)) {
+    throw new Error('MASTER_ENCRYPTION_KEY must be 64-character hex string (32 bytes). Generate with: openssl rand -hex 32');
+  }
+
+  // Helper to safely parse and validate integer config values
+  function parsePositiveInt(value: string | undefined, defaultValue: string, name: string, min = 1): number {
+    const parsed = parseInt(value || defaultValue, 10);
+    if (isNaN(parsed)) {
+      throw new Error(`${name} must be a valid integer (got: ${value})`);
+    }
+    if (parsed < min) {
+      throw new Error(`${name} must be >= ${min} (got: ${parsed})`);
+    }
+    return parsed;
+  }
+
+  const config = {
+    port: parsePositiveInt(process.env.PORT, '3000', 'PORT', 1),
+    storageType: (process.env.STORAGE_TYPE || 'memory') as StorageType,
     storagePath: process.env.STORAGE_PATH || ':memory:',
+    databaseUrl: process.env.DATABASE_URL || '',
+    dbPoolSize: parsePositiveInt(process.env.DB_POOL_SIZE, '10', 'DB_POOL_SIZE', 1),
     corsOrigins: process.env.CORS_ORIGINS
       ? process.env.CORS_ORIGINS.split(',').map(o => o.trim())
       : ['*'],
     version: process.env.VERSION || 'unknown',
-    offerDefaultTtl: parseInt(process.env.OFFER_DEFAULT_TTL || '60000', 10),
-    offerMaxTtl: parseInt(process.env.OFFER_MAX_TTL || '86400000', 10),
-    offerMinTtl: parseInt(process.env.OFFER_MIN_TTL || '60000', 10),
-    cleanupInterval: parseInt(process.env.CLEANUP_INTERVAL || '60000', 10),
-    maxOffersPerRequest: parseInt(process.env.MAX_OFFERS_PER_REQUEST || '100', 10)
+    offerDefaultTtl: parsePositiveInt(process.env.OFFER_DEFAULT_TTL, '60000', 'OFFER_DEFAULT_TTL', 1000),
+    offerMaxTtl: parsePositiveInt(process.env.OFFER_MAX_TTL, '86400000', 'OFFER_MAX_TTL', 1000),
+    offerMinTtl: parsePositiveInt(process.env.OFFER_MIN_TTL, '60000', 'OFFER_MIN_TTL', 1000),
+    cleanupInterval: parsePositiveInt(process.env.CLEANUP_INTERVAL, '60000', 'CLEANUP_INTERVAL', 1000),
+    maxOffersPerRequest: parsePositiveInt(process.env.MAX_OFFERS_PER_REQUEST, '100', 'MAX_OFFERS_PER_REQUEST', 1),
+    maxBatchSize: parsePositiveInt(process.env.MAX_BATCH_SIZE, '100', 'MAX_BATCH_SIZE', 1),
+    maxSdpSize: parsePositiveInt(process.env.MAX_SDP_SIZE, String(64 * 1024), 'MAX_SDP_SIZE', 1024), // Min 1KB
+    maxCandidateSize: parsePositiveInt(process.env.MAX_CANDIDATE_SIZE, String(4 * 1024), 'MAX_CANDIDATE_SIZE', 256), // Min 256 bytes
+    maxCandidateDepth: parsePositiveInt(process.env.MAX_CANDIDATE_DEPTH, '10', 'MAX_CANDIDATE_DEPTH', 1),
+    maxCandidatesPerRequest: parsePositiveInt(process.env.MAX_CANDIDATES_PER_REQUEST, '100', 'MAX_CANDIDATES_PER_REQUEST', 1),
+    maxTotalOperations: parsePositiveInt(process.env.MAX_TOTAL_OPERATIONS, '1000', 'MAX_TOTAL_OPERATIONS', 1),
+    timestampMaxAge: parsePositiveInt(process.env.TIMESTAMP_MAX_AGE, '60000', 'TIMESTAMP_MAX_AGE', 1000), // Min 1 second
+    timestampMaxFuture: parsePositiveInt(process.env.TIMESTAMP_MAX_FUTURE, '60000', 'TIMESTAMP_MAX_FUTURE', 1000), // Min 1 second
+    masterEncryptionKey,
   };
+
+  return config;
+}
+
+/**
+ * Default config values (shared between Node and Workers)
+ */
+export const CONFIG_DEFAULTS = {
+  offerDefaultTtl: 60000,
+  offerMaxTtl: 86400000,
+  offerMinTtl: 60000,
+  cleanupInterval: 60000,
+  maxOffersPerRequest: 100,
+  maxBatchSize: 100,
+  maxSdpSize: 64 * 1024,
+  maxCandidateSize: 4 * 1024,
+  maxCandidateDepth: 10,
+  maxCandidatesPerRequest: 100,
+  maxTotalOperations: 1000,
+  timestampMaxAge: 60000,
+  timestampMaxFuture: 60000,
+} as const;
+
+/**
+ * Build config for Cloudflare Workers from env vars
+ */
+export function buildWorkerConfig(env: {
+  MASTER_ENCRYPTION_KEY: string;
+  OFFER_DEFAULT_TTL?: string;
+  OFFER_MAX_TTL?: string;
+  OFFER_MIN_TTL?: string;
+  MAX_OFFERS_PER_REQUEST?: string;
+  MAX_BATCH_SIZE?: string;
+  CORS_ORIGINS?: string;
+  VERSION?: string;
+}): Config {
+  return {
+    port: 0, // Not used in Workers
+    storageType: 'sqlite', // D1 is SQLite-compatible
+    storagePath: '', // Not used with D1
+    databaseUrl: '', // Not used with D1
+    dbPoolSize: 10, // Not used with D1
+    corsOrigins: env.CORS_ORIGINS?.split(',').map(o => o.trim()) ?? ['*'],
+    version: env.VERSION ?? 'unknown',
+    offerDefaultTtl: env.OFFER_DEFAULT_TTL ? parseInt(env.OFFER_DEFAULT_TTL, 10) : CONFIG_DEFAULTS.offerDefaultTtl,
+    offerMaxTtl: env.OFFER_MAX_TTL ? parseInt(env.OFFER_MAX_TTL, 10) : CONFIG_DEFAULTS.offerMaxTtl,
+    offerMinTtl: env.OFFER_MIN_TTL ? parseInt(env.OFFER_MIN_TTL, 10) : CONFIG_DEFAULTS.offerMinTtl,
+    cleanupInterval: CONFIG_DEFAULTS.cleanupInterval,
+    maxOffersPerRequest: env.MAX_OFFERS_PER_REQUEST ? parseInt(env.MAX_OFFERS_PER_REQUEST, 10) : CONFIG_DEFAULTS.maxOffersPerRequest,
+    maxBatchSize: env.MAX_BATCH_SIZE ? parseInt(env.MAX_BATCH_SIZE, 10) : CONFIG_DEFAULTS.maxBatchSize,
+    maxSdpSize: CONFIG_DEFAULTS.maxSdpSize,
+    maxCandidateSize: CONFIG_DEFAULTS.maxCandidateSize,
+    maxCandidateDepth: CONFIG_DEFAULTS.maxCandidateDepth,
+    maxCandidatesPerRequest: CONFIG_DEFAULTS.maxCandidatesPerRequest,
+    maxTotalOperations: CONFIG_DEFAULTS.maxTotalOperations,
+    timestampMaxAge: CONFIG_DEFAULTS.timestampMaxAge,
+    timestampMaxFuture: CONFIG_DEFAULTS.timestampMaxFuture,
+    masterEncryptionKey: env.MASTER_ENCRYPTION_KEY,
+  };
+}
+
+/**
+ * Run cleanup of expired entries (shared between Node and Workers)
+ * @returns Object with counts of deleted items
+ */
+export async function runCleanup(storage: Storage, now: number): Promise<{
+  offers: number;
+  credentials: number;
+  rateLimits: number;
+  nonces: number;
+}> {
+  const offers = await storage.deleteExpiredOffers(now);
+  const credentials = await storage.deleteExpiredCredentials(now);
+  const rateLimits = await storage.deleteExpiredRateLimits(now);
+  const nonces = await storage.deleteExpiredNonces(now);
+
+  return { offers, credentials, rateLimits, nonces };
 }