@yoooclaw/phone-notifications 1.7.2 → 1.7.3

package/dist/index.js

@@ -5856,11 +5856,96 @@ function buildDeviceAuthPayload(params) {
     params.nonce
   ].join("|");
 }
-function resolveStateDir2() {
-  return resolveStateDir();
+function resolveClientStateDir(stateDir) {
+  return stateDir ?? resolveStateDir();
 }
-function loadOrCreateDeviceIdentity() {
-  const filePath = path.join(resolveStateDir2(), "identity", "device.json");
+function ensureDir(filePath) {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+}
+function resolveIdentityPath(stateDir) {
+  return path.join(stateDir, "identity", "device.json");
+}
+function normalizeDeviceAuthRole(role) {
+  return role.trim();
+}
+function normalizeDeviceAuthScopes(scopes) {
+  const out = /* @__PURE__ */ new Set();
+  for (const scope of scopes) {
+    const trimmed = scope.trim();
+    if (trimmed) {
+      out.add(trimmed);
+    }
+  }
+  return [...out].sort();
+}
+function resolveDeviceAuthPath(stateDir) {
+  return path.join(stateDir, "identity", "device-auth.json");
+}
+function readDeviceAuthStore(filePath) {
+  try {
+    if (!fs.existsSync(filePath)) return null;
+    const raw = fs.readFileSync(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed?.version !== 1 || typeof parsed.deviceId !== "string") return null;
+    if (!parsed.tokens || typeof parsed.tokens !== "object") return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function writeDeviceAuthStore(filePath, store) {
+  ensureDir(filePath);
+  fs.writeFileSync(filePath, `${JSON.stringify(store, null, 2)}
+`, {
+    mode: 384
+  });
+  try {
+    fs.chmodSync(filePath, 384);
+  } catch {
+  }
+}
+function loadDeviceAuthToken(params) {
+  const store = readDeviceAuthStore(resolveDeviceAuthPath(params.stateDir));
+  if (!store || store.deviceId !== params.deviceId) return null;
+  const entry = store.tokens[normalizeDeviceAuthRole(params.role)];
+  if (!entry || typeof entry.token !== "string") return null;
+  return entry;
+}
+function storeDeviceAuthToken(params) {
+  const filePath = resolveDeviceAuthPath(params.stateDir);
+  const existing = readDeviceAuthStore(filePath);
+  const role = normalizeDeviceAuthRole(params.role);
+  const next = {
+    version: 1,
+    deviceId: params.deviceId,
+    tokens: existing && existing.deviceId === params.deviceId && existing.tokens ? { ...existing.tokens } : {}
+  };
+  const entry = {
+    token: params.token,
+    role,
+    scopes: normalizeDeviceAuthScopes(params.scopes),
+    updatedAtMs: Date.now()
+  };
+  next.tokens[role] = entry;
+  writeDeviceAuthStore(filePath, next);
+  return entry;
+}
+function clearDeviceAuthToken(params) {
+  const filePath = resolveDeviceAuthPath(params.stateDir);
+  const store = readDeviceAuthStore(filePath);
+  if (!store || store.deviceId !== params.deviceId) return;
+  const role = normalizeDeviceAuthRole(params.role);
+  if (!store.tokens[role]) return;
+  const next = {
+    version: 1,
+    deviceId: store.deviceId,
+    tokens: { ...store.tokens }
+  };
+  delete next.tokens[role];
+  writeDeviceAuthStore(filePath, next);
+}
+function loadOrCreateDeviceIdentity(stateDir) {
+  const filePath = resolveIdentityPath(stateDir);
   try {
     if (fs.existsSync(filePath)) {
       const raw = fs.readFileSync(filePath, "utf8");
@@ -5890,6 +5975,7 @@ function loadOrCreateDeviceIdentity() {
     ...identity,
     createdAtMs: Date.now()
   };
+  ensureDir(filePath);
   fs.writeFileSync(filePath, `${JSON.stringify(stored, null, 2)}
 `, {
     mode: 384
@@ -5899,7 +5985,8 @@ function loadOrCreateDeviceIdentity() {
 var TunnelProxy = class _TunnelProxy {
   constructor(opts) {
     this.opts = opts;
-    this.deviceIdentity = loadOrCreateDeviceIdentity();
+    this.stateDir = resolveClientStateDir(opts.stateDir);
+    this.deviceIdentity = loadOrCreateDeviceIdentity(this.stateDir);
     opts.logger.info(
       `TunnelProxy: loaded device identity (deviceId=${this.deviceIdentity.deviceId})`
     );
@@ -5915,6 +6002,7 @@ var TunnelProxy = class _TunnelProxy {
   gatewayWsPending = [];
   /** 设备身份，用于 Gateway connect 握手 */
   deviceIdentity;
+  stateDir;
   pushGatewayPending(payload, reason) {
     this.gatewayWsPending.push(payload);
     this.opts.logger.info(
@@ -5932,6 +6020,65 @@ var TunnelProxy = class _TunnelProxy {
       password
     };
   }
+  loadStoredDeviceToken(role) {
+    return loadDeviceAuthToken({
+      stateDir: this.stateDir,
+      deviceId: this.deviceIdentity.deviceId,
+      role
+    })?.token ?? void 0;
+  }
+  buildGatewayConnectAuth(role) {
+    const explicitAuth = this.resolveGatewayConnectAuth();
+    const authPassword = explicitAuth?.password?.trim() || void 0;
+    const explicitGatewayToken = explicitAuth?.token?.trim() || void 0;
+    const deviceToken = explicitGatewayToken ? void 0 : this.loadStoredDeviceToken(role);
+    const authToken = explicitGatewayToken ?? deviceToken;
+    const auth = authToken || authPassword || deviceToken ? {
+      token: authToken,
+      deviceToken,
+      password: authPassword
+    } : void 0;
+    return {
+      auth,
+      authToken,
+      authPassword,
+      deviceToken
+    };
+  }
+  storeIssuedDeviceToken(params) {
+    const token = params.authInfo?.deviceToken;
+    if (typeof token !== "string" || !token.trim()) {
+      return;
+    }
+    const role = typeof params.authInfo?.role === "string" && params.authInfo.role.trim() ? params.authInfo.role.trim() : params.fallbackRole;
+    const scopes = Array.isArray(params.authInfo?.scopes) ? params.authInfo.scopes.filter(
+      (scope) => typeof scope === "string" && !!scope.trim()
+    ) : params.fallbackScopes;
+    storeDeviceAuthToken({
+      stateDir: this.stateDir,
+      deviceId: this.deviceIdentity.deviceId,
+      role,
+      token: token.trim(),
+      scopes
+    });
+  }
+  maybeClearStoredDeviceTokenOnMismatch(code, reason) {
+    const explicitAuth = this.resolveGatewayConnectAuth();
+    if (explicitAuth?.token || explicitAuth?.password) {
+      return;
+    }
+    if (code !== 1008 || !reason.toLowerCase().includes("device token mismatch")) {
+      return;
+    }
+    clearDeviceAuthToken({
+      stateDir: this.stateDir,
+      deviceId: this.deviceIdentity.deviceId,
+      role: "operator"
+    });
+    this.opts.logger.warn(
+      `TunnelProxy: cleared stale stored device token after gateway mismatch (deviceId=${this.deviceIdentity.deviceId})`
+    );
+  }
   buildLocalGatewayAuthAttempts(baseHeaders) {
     const auth = this.resolveGatewayConnectAuth();
     const attempts = [];
@@ -6101,12 +6248,12 @@ var TunnelProxy = class _TunnelProxy {
       if (frame.type === "event" && frame.event === "connect.challenge") {
         const challengeNonce = frame.payload?.nonce ?? "";
         const connectRequestId = `tunnel-connect-${randomUUID2()}`;
-        const gatewayAuth = this.resolveGatewayConnectAuth();
-        this.opts.logger.info(
-          `TunnelProxy: received connect.challenge (nonce=${challengeNonce}, connectReqId=${connectRequestId}, hasToken=${!!gatewayAuth?.token}, hasPassword=${!!gatewayAuth?.password}), sending connect request with device identity`
-        );
         const role = "operator";
         const scopes = ["operator.admin"];
+        const gatewayConnectAuth = this.buildGatewayConnectAuth(role);
+        this.opts.logger.info(
+          `TunnelProxy: received connect.challenge (nonce=${challengeNonce}, connectReqId=${connectRequestId}, hasToken=${!!gatewayConnectAuth.authToken}, hasPassword=${!!gatewayConnectAuth.authPassword}, hasDeviceToken=${!!gatewayConnectAuth.deviceToken}), sending connect request with device identity`
+        );
         const signedAtMs = Date.now();
         const clientId = "gateway-client";
         const clientMode = "backend";
@@ -6117,7 +6264,7 @@ var TunnelProxy = class _TunnelProxy {
           role,
           scopes,
           signedAtMs,
-          token: gatewayAuth?.token ?? null,
+          token: gatewayConnectAuth.authToken ?? null,
           nonce: challengeNonce
         });
         const signature = signDevicePayload(
@@ -6139,7 +6286,7 @@ var TunnelProxy = class _TunnelProxy {
             },
             role,
             scopes,
-            ...gatewayAuth ? { auth: gatewayAuth } : {},
+            ...gatewayConnectAuth.auth ? { auth: gatewayConnectAuth.auth } : {},
             device: {
               id: this.deviceIdentity.deviceId,
               publicKey: publicKeyRawBase64UrlFromPem(
@@ -6155,6 +6302,11 @@ var TunnelProxy = class _TunnelProxy {
         return;
       }
       if (frame.type === "res" && frame.ok === true && frame.payload?.type === "hello-ok") {
+        this.storeIssuedDeviceToken({
+          fallbackRole: "operator",
+          fallbackScopes: ["operator.admin"],
+          authInfo: frame.payload?.auth
+        });
         this.gatewayWsReady = true;
         this.gatewayWsConnecting = false;
         this.opts.logger.info(
@@ -6178,14 +6330,16 @@ var TunnelProxy = class _TunnelProxy {
     ws.on("close", (code, reason) => {
       const wasReady = this.gatewayWsReady;
       const pendingCount = this.gatewayWsPending.length;
+      const reasonText = reason.toString();
       this.opts.logger.info(
-        `TunnelProxy: RPC WS closed by gateway (code=${code}, reason=${reason.toString()}, ready=${wasReady}, pending=${pendingCount}, activeWs=${this.wsConnections.size})`
+        `TunnelProxy: RPC WS closed by gateway (code=${code}, reason=${reasonText}, ready=${wasReady}, pending=${pendingCount}, activeWs=${this.wsConnections.size})`
       );
       if (this.gatewayWs === ws) {
         this.gatewayWs = null;
         this.gatewayWsReady = false;
       }
       this.gatewayWsConnecting = false;
+      this.maybeClearStoredDeviceTokenOnMismatch(code, reasonText);
     });
     ws.on("error", (err) => {
       this.opts.logger.warn(
@@ -6549,6 +6703,7 @@ function createTunnelService(opts) {
           logger
         });
         proxy = new TunnelProxy({
+          stateDir: baseStateDir,
           gatewayBaseUrl: opts.gatewayBaseUrl,
           gatewayAuthMode: opts.gatewayAuthMode,
           gatewayToken: opts.gatewayToken,