npm - agent-relay - Versions diffs - 1.2.3 → 1.3.0 - Mend

agent-relay 1.2.3 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (200) hide show

package/dist/cloud/api/codex-auth-helper.d.ts CHANGED Viewed

@@ -1,11 +1,17 @@
 /**
  * Codex Auth Helper API
  *
- * Provides endpoints for the `npx agent-relay codex-auth` CLI command
- * to capture OAuth callbacks locally and send them to the cloud.
+ * Provides endpoints for the `npx agent-relay codex-auth` CLI command.
+ * Uses SSH tunneling to forward localhost:1455 to the workspace container,
+ * allowing the Codex CLI's OAuth callback to work in remote/container environments.
  *
- * This solves the "This site can't be reached" problem where Codex redirects
- * to localhost:1455 after auth but nothing is listening.
+ * Flow:
+ * 1. CLI gets workspace SSH info via /tunnel-info
+ * 2. CLI establishes SSH tunnel: local:1455 -> container:1455
+ * 3. User completes OAuth, browser redirects to localhost:1455
+ * 4. Tunnel forwards to container's Codex CLI server
+ * 5. Codex CLI exchanges code for tokens internally
+ * 6. CLI polls for auth completion
  */
 export declare const codexAuthHelperRouter: import("express-serve-static-core").Router;
 /**

package/dist/cloud/api/codex-auth-helper.js CHANGED Viewed

@@ -1,17 +1,26 @@
 /**
  * Codex Auth Helper API
  *
- * Provides endpoints for the `npx agent-relay codex-auth` CLI command
- * to capture OAuth callbacks locally and send them to the cloud.
+ * Provides endpoints for the `npx agent-relay codex-auth` CLI command.
+ * Uses SSH tunneling to forward localhost:1455 to the workspace container,
+ * allowing the Codex CLI's OAuth callback to work in remote/container environments.
  *
- * This solves the "This site can't be reached" problem where Codex redirects
- * to localhost:1455 after auth but nothing is listening.
+ * Flow:
+ * 1. CLI gets workspace SSH info via /tunnel-info
+ * 2. CLI establishes SSH tunnel: local:1455 -> container:1455
+ * 3. User completes OAuth, browser redirects to localhost:1455
+ * 4. Tunnel forwards to container's Codex CLI server
+ * 5. Codex CLI exchanges code for tokens internally
+ * 6. CLI polls for auth completion
  */
 import { Router } from 'express';
 import crypto from 'crypto';
 import { requireAuth } from './auth.js';
+import { db } from '../db/index.js';
+import { deriveSshPassword } from '../services/ssh-security.js';
 export const codexAuthHelperRouter = Router();
 const pendingAuthSessions = new Map();
+const pendingCliTokens = new Map();
 // Clean up old sessions every minute
 const cleanupInterval = setInterval(() => {
     const now = Date.now();
@@ -21,6 +30,13 @@ const cleanupInterval = setInterval(() => {
             pendingAuthSessions.delete(id);
         }
     }
+    // Also clean up CLI tokens
+    for (const [id, token] of pendingCliTokens) {
+        // Remove tokens older than 10 minutes
+        if (now - token.createdAt.getTime() > 10 * 60 * 1000) {
+            pendingCliTokens.delete(id);
+        }
+    }
 }, 60000);
 /**
  * Stop the cleanup interval. Call this on server shutdown.
@@ -31,16 +47,51 @@ export function stopCodexAuthCleanup() {
 /**
  * POST /api/auth/codex-helper/cli-session
  * Create a new auth session for the CLI command.
- * Returns an authSessionId that the CLI uses to send the auth code.
+ * Returns workspace info and CLI command for SSH tunnel approach.
  */
 codexAuthHelperRouter.post('/cli-session', requireAuth, async (req, res) => {
     const userId = req.session.userId;
+    const { workspaceId, authUrl, sessionId: onboardingSessionId } = req.body;
+    // If workspace ID provided, return SSH tunnel command
+    if (workspaceId) {
+        try {
+            const workspace = await db.workspaces.findById(workspaceId);
+            if (!workspace || workspace.userId !== userId) {
+                return res.status(404).json({ error: 'Workspace not found' });
+            }
+            // Generate a one-time CLI token for authentication
+            const cliToken = crypto.randomUUID();
+            pendingCliTokens.set(cliToken, {
+                userId,
+                workspaceId,
+                createdAt: new Date(),
+                authUrl, // Store authUrl so CLI can retrieve it
+                sessionId: onboardingSessionId, // Store sessionId for credential storage
+            });
+            console.log(`[codex-helper] Created CLI session for workspace ${workspaceId} with token ${cliToken.slice(0, 8)}...`);
+            const cloudUrl = process.env.PUBLIC_URL || 'https://agent-relay.com';
+            // Generate the CLI command with workspace ID and token
+            res.json({
+                workspaceId: workspace.id,
+                workspaceName: workspace.name,
+                expiresIn: 600, // 10 minutes
+                command: `npx agent-relay codex-auth --workspace=${workspaceId} --token=${cliToken}`,
+                commandWithUrl: `npx agent-relay codex-auth --workspace=${workspaceId} --token=${cliToken} --cloud-url=${cloudUrl}`,
+            });
+            return;
+        }
+        catch (error) {
+            console.error('[codex-helper] Error creating CLI session:', error);
+            return res.status(500).json({ error: 'Failed to create CLI session' });
+        }
+    }
+    // Legacy: token-based session (for backwards compatibility)
     const authSessionId = crypto.randomUUID();
     pendingAuthSessions.set(authSessionId, {
         userId,
         createdAt: new Date(),
     });
-    console.log(`[codex-helper] Created CLI session ${authSessionId} for user ${userId}`);
+    console.log(`[codex-helper] Created legacy CLI session ${authSessionId} for user ${userId}`);
     res.json({
         authSessionId,
         expiresIn: 600, // 10 minutes
@@ -53,7 +104,7 @@ codexAuthHelperRouter.post('/cli-session', requireAuth, async (req, res) => {
  * No auth required - validated by authSessionId.
  */
 codexAuthHelperRouter.post('/callback', async (req, res) => {
-    const { authSessionId, code, error } = req.body;
+    const { authSessionId, code, state, error } = req.body;
     if (!authSessionId) {
         return res.status(400).json({ error: 'Missing authSessionId' });
     }
@@ -69,8 +120,9 @@ codexAuthHelperRouter.post('/callback', async (req, res) => {
     if (!code) {
         return res.status(400).json({ error: 'Missing auth code' });
     }
-    // Store the code so the polling endpoint can retrieve it
+    // Store the code and state so the polling endpoint can retrieve them
     session.code = code;
+    session.state = state; // Store state for CSRF validation
     pendingAuthSessions.set(authSessionId, session);
     console.log(`[codex-helper] Auth code received for session ${authSessionId}`);
     res.json({ success: true, message: 'Auth code received. You can close this terminal.' });
@@ -89,12 +141,167 @@ codexAuthHelperRouter.get('/status/:authSessionId', requireAuth, async (req, res
     if (session.code) {
         // Clean up session after successful retrieval (code is single-use)
         const code = session.code;
+        const state = session.state;
         pendingAuthSessions.delete(authSessionId);
         return res.json({
             ready: true,
             code,
+            state, // Return state for CSRF validation
         });
     }
     res.json({ ready: false });
 });
+/**
+ * GET /api/auth/codex-helper/tunnel-info/:workspaceId
+ * Get SSH tunnel info for establishing port forwarding to a workspace.
+ * Returns host, port, user, and password for SSH connection.
+ *
+ * Authentication: Requires either session auth OR a valid CLI token.
+ */
+codexAuthHelperRouter.get('/tunnel-info/:workspaceId', async (req, res) => {
+    const { workspaceId } = req.params;
+    const { token } = req.query;
+    // Authenticate via CLI token or session
+    let userId;
+    if (token && typeof token === 'string') {
+        // CLI token authentication
+        const cliToken = pendingCliTokens.get(token);
+        if (!cliToken) {
+            return res.status(401).json({ error: 'Invalid or expired token' });
+        }
+        if (cliToken.workspaceId !== workspaceId) {
+            return res.status(403).json({ error: 'Token does not match workspace' });
+        }
+        userId = cliToken.userId;
+        // Don't delete token - it's also used for auth-status polling
+        // Cleanup interval will remove it after 10 minutes
+        console.log(`[codex-helper] CLI token used for workspace ${workspaceId}`);
+    }
+    else if (req.session?.userId) {
+        // Session authentication
+        userId = req.session.userId;
+    }
+    else {
+        return res.status(401).json({ error: 'Authentication required. Provide token query parameter or valid session.' });
+    }
+    try {
+        const workspace = await db.workspaces.findById(workspaceId);
+        if (!workspace || workspace.userId !== userId) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (workspace.status !== 'running') {
+            return res.status(400).json({ error: 'Workspace is not running' });
+        }
+        // Parse workspace URL to get host
+        const publicUrl = workspace.publicUrl;
+        if (!publicUrl) {
+            return res.status(400).json({ error: 'Workspace URL not available' });
+        }
+        const url = new URL(publicUrl);
+        const host = url.hostname;
+        const apiPort = parseInt(url.port, 10) || 80;
+        // SSH connection info varies by environment:
+        // - Fly.io: Use public fly.dev hostname with port 2222 (exposed via TCP service)
+        // - Local Docker: Use localhost with derived SSH port (22000 + apiPort - 3000)
+        const isOnFly = !!process.env.FLY_APP_NAME;
+        const isLocalDocker = (host === 'localhost' || host === '127.0.0.1') && apiPort >= 3000;
+        let sshHost;
+        let sshPort;
+        if (isOnFly) {
+            // Fly.io public hostname - SSH is exposed as a public TCP service on port 2222
+            // Users can SSH directly from their machine to {app}.fly.dev:2222
+            const appName = `ar-${workspace.id.substring(0, 8)}`;
+            sshHost = `${appName}.fly.dev`;
+            sshPort = 2222;
+        }
+        else if (isLocalDocker) {
+            // Local Docker: SSH port is derived from API port
+            // API port 3500 -> SSH port 22500 (formula: 22000 + apiPort - 3000)
+            sshHost = 'localhost';
+            sshPort = 22000 + (apiPort - 3000);
+        }
+        else {
+            // Default fallback
+            sshHost = host;
+            sshPort = 2222;
+        }
+        // SSH password is derived per-workspace for security
+        // Each workspace gets a unique password based on its ID + secret salt
+        const sshPassword = deriveSshPassword(workspace.id);
+        // Get authUrl from CLI token if available
+        let authUrl;
+        if (token && typeof token === 'string') {
+            const cliToken = pendingCliTokens.get(token);
+            authUrl = cliToken?.authUrl;
+        }
+        res.json({
+            host: sshHost,
+            port: sshPort,
+            user: 'workspace',
+            password: sshPassword,
+            tunnelPort: 1455, // Codex OAuth callback port
+            workspaceId: workspace.id,
+            workspaceName: workspace.name,
+            authUrl, // OAuth URL if available (set by dashboard)
+        });
+    }
+    catch (error) {
+        console.error('[codex-helper] Error getting tunnel info:', error);
+        res.status(500).json({ error: 'Failed to get tunnel info' });
+    }
+});
+/**
+ * GET /api/auth/codex-helper/auth-status/:workspaceId
+ * Poll for Codex authentication completion in a workspace.
+ * The CLI uses this after establishing the tunnel to know when auth is done.
+ *
+ * Authentication: Requires either session auth OR a valid CLI token.
+ */
+codexAuthHelperRouter.get('/auth-status/:workspaceId', async (req, res) => {
+    const { workspaceId } = req.params;
+    const { token } = req.query;
+    // Authenticate via CLI token or session
+    let userId;
+    if (token && typeof token === 'string') {
+        // CLI token authentication
+        const cliToken = pendingCliTokens.get(token);
+        if (!cliToken) {
+            return res.status(401).json({ error: 'Invalid or expired token' });
+        }
+        if (cliToken.workspaceId !== workspaceId) {
+            return res.status(403).json({ error: 'Token does not match workspace' });
+        }
+        userId = cliToken.userId;
+    }
+    else if (req.session?.userId) {
+        // Session authentication
+        userId = req.session.userId;
+    }
+    else {
+        return res.status(401).json({ error: 'Authentication required. Provide token query parameter or valid session.' });
+    }
+    try {
+        const workspace = await db.workspaces.findById(workspaceId);
+        if (!workspace || workspace.userId !== userId) {
+            return res.status(404).json({ error: 'Workspace not found' });
+        }
+        if (!workspace.publicUrl) {
+            return res.status(400).json({ error: 'Workspace URL not available' });
+        }
+        // Check with workspace daemon if Codex is authenticated
+        const response = await fetch(`${workspace.publicUrl}/auth/cli/openai/check`, {
+            method: 'GET',
+            signal: AbortSignal.timeout(5000),
+        });
+        if (response.ok) {
+            const data = await response.json();
+            return res.json({ authenticated: data.authenticated });
+        }
+        res.json({ authenticated: false });
+    }
+    catch (error) {
+        // Workspace might not be reachable, return false
+        res.json({ authenticated: false });
+    }
+});
 //# sourceMappingURL=codex-auth-helper.js.map