aigo 1.1.0 → 1.2.0

package/Makefile

@@ -1,4 +1,8 @@
-.PHONY: publish-minor
+.PHONY: publish-minor publish-patch
 publish-minor:
 	npm version minor
 	npm publish
+
+publish-patch:
+	npm version patch
+	npm publish

package/README.md

@@ -228,17 +228,46 @@ aigo uses multiple layers of security:
 
 1. **URL Token** - A random 4-character token in the URL path (`/t/<token>`)
 2. **Password** - A 6-character alphanumeric password (or custom password via `-P`)
-3. **Session Lock** - Screen locks after inactivity (disabled by default, enable with `-T <mins>`)
-4. **Auto Exit** - Session terminates after inactivity (disabled by default, enable with `-E <mins>`)
+3. **Brute-Force Protection** - Progressive delays and lockout after failed attempts
+4. **Session Lock** - Screen locks after inactivity (disabled by default, enable with `-T <mins>`)
+5. **Auto Exit** - Session terminates after inactivity (disabled by default, enable with `-E <mins>`)
 
 **Security features:**
 - Token required in URL (403 Forbidden without it)
 - Password required before terminal access
 - Password uses unambiguous characters (no 0/O, 1/l/I)
+- Brute-force protection with progressive delays (see below)
 - Lock screen requires re-entering password after inactivity (when enabled)
 - Session auto-terminates and kills tmux after extended inactivity (when enabled)
 - HTTPS via tunnel (encrypted in transit)
 
+### Brute-Force Protection
+
+aigo automatically protects against password brute-force attacks with:
+- **Progressive delays** after 5 failed attempts
+- **IP-based tracking** that persists across page refreshes
+- **15-minute lockout** after 10 failed attempts
+
+| Attempt | Behavior |
+|---------|----------|
+| 1-4 | Instant response |
+| 5 | 1 second wait (input disabled, countdown shown) |
+| 6 | 2 second wait |
+| 7 | 4 second wait |
+| 8 | 8 second wait |
+| 9 | 16 second wait |
+| 10+ | **IP locked out for 15 minutes** |
+
+After 5 failed attempts, the password input is disabled and a countdown timer shows the remaining wait time. After 10 failed attempts, the IP address is locked out for 15 minutes - refreshing the page won't reset the counter.
+
+Configure in `lib/config.js`:
+```javascript
+maxAuthAttempts: 10,      // Lock out IP after this many failures
+authDelayThreshold: 5,    // Start delays after this many failures  
+authBaseDelayMs: 1000,    // Base delay (doubles each attempt)
+authLockoutMins: 15,      // Lockout duration after max attempts
+```
+
 **Recommendations:**
 - Use HTTPS (both ngrok and cloudflared provide this automatically)
 - Don't share your access URL or password publicly
@@ -278,7 +307,6 @@ When accessing aigo from a mobile device (phone or tablet), control buttons appe
 | **Mode** | `Shift+Tab` | Toggle between chat/edit modes in Claude Code or switch modes in Cursor Agent |
 | **Enter** | `Enter` | Send Enter key to confirm prompts or submit input |
 | **Stop** | `Ctrl+C` | Interrupt the current operation (stop running commands or cancel AI responses) |
-| **Exit** | Cleanup | Shows confirmation dialog, then kills tmux session and stops the server |
 
 These buttons are useful because mobile keyboards don't easily support modifier key combinations like Ctrl+C or Shift+Tab.
 
@@ -523,10 +551,11 @@ npx nodemon bin/aigo.js claude
 Bump the minor version and publish to npm:
 
 ```bash
-make publish-minor
+make publish-minor   # bump minor (e.g. 1.0.1 → 1.1.0), then publish
+make publish-patch   # bump patch (e.g. 1.0.1 → 1.0.2), then publish
 ```
 
-This runs `npm version minor` (updates `package.json` and creates a git commit/tag) then `npm publish`.
+Each runs `npm version minor` or `npm version patch` (updates `package.json` and creates a git commit/tag) then `npm publish`.
 
 ## License
 

package/lib/config.js

@@ -74,7 +74,23 @@ export const config = {
   maxReconnectAttempts: 10,
   
   /** Base delay between reconnection attempts (ms) */
-  reconnectDelay: 2000
+  reconnectDelay: 2000,
+  
+  // ============================================
+  // Brute-Force Protection
+  // ============================================
+  
+  /** Maximum auth attempts before locking out the IP */
+  maxAuthAttempts: 10,
+  
+  /** Start progressive delays after this many failures */
+  authDelayThreshold: 5,
+  
+  /** Base delay in ms (doubles each attempt after threshold) */
+  authBaseDelayMs: 1000,
+  
+  /** Lockout duration in minutes after max attempts reached */
+  authLockoutMins: 15
 };
 
 export default config;

package/lib/server.js

@@ -6,10 +6,82 @@ import { fileURLToPath } from 'url';
 import { execSync } from 'child_process';
 import pty from 'node-pty';
 import { getTmuxPath, killSession } from './tmux.js';
+import { config } from './config.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
+// IP-based brute-force tracking (persists across connections)
+// Map<ip, { attempts: number, lockedUntil: number | null }>
+const ipAttempts = new Map();
+
+/**
+ * Get client IP from request, checking forwarded headers for tunnels
+ */
+function getClientIp(req) {
+  // Check X-Forwarded-For header (used by ngrok, cloudflared, proxies)
+  const forwarded = req.headers['x-forwarded-for'];
+  if (forwarded) {
+    // Take the first IP in the chain (original client)
+    return forwarded.split(',')[0].trim();
+  }
+  // Fall back to direct connection IP
+  return req.socket?.remoteAddress || req.connection?.remoteAddress || 'unknown';
+}
+
+/**
+ * Check if IP is locked out
+ */
+function isIpLockedOut(ip) {
+  const record = ipAttempts.get(ip);
+  if (!record) return false;
+  if (record.lockedUntil && Date.now() < record.lockedUntil) {
+    return true;
+  }
+  // Lockout expired, reset
+  if (record.lockedUntil && Date.now() >= record.lockedUntil) {
+    ipAttempts.delete(ip);
+    return false;
+  }
+  return false;
+}
+
+/**
+ * Get remaining lockout time in ms
+ */
+function getLockoutRemaining(ip) {
+  const record = ipAttempts.get(ip);
+  if (!record || !record.lockedUntil) return 0;
+  return Math.max(0, record.lockedUntil - Date.now());
+}
+
+/**
+ * Record failed attempt for IP
+ */
+function recordFailedAttempt(ip) {
+  let record = ipAttempts.get(ip);
+  if (!record) {
+    record = { attempts: 0, lockedUntil: null };
+    ipAttempts.set(ip, record);
+  }
+  record.attempts++;
+  
+  // Check if should lock out
+  if (record.attempts >= config.maxAuthAttempts) {
+    record.lockedUntil = Date.now() + (config.authLockoutMins * 60 * 1000);
+    console.log(`IP ${ip} locked out for ${config.authLockoutMins} minutes`);
+  }
+  
+  return record;
+}
+
+/**
+ * Reset attempts for IP (on successful auth)
+ */
+function resetIpAttempts(ip) {
+  ipAttempts.delete(ip);
+}
+
 /**
  * Start the web server with WebSocket support
  */
@@ -84,8 +156,9 @@ export function startServer({ port, token, password, session, lockTimeout, exitT
     // WebSocket server
     const wss = new WebSocketServer({ server, path: `/ws/${token}` });
     
-    wss.on('connection', (ws) => {
-      console.log('WebSocket client connected');
+    wss.on('connection', (ws, req) => {
+      const clientIp = getClientIp(req);
+      console.log(`WebSocket client connected from ${clientIp}`);
       hasActiveConnection = true;
       updateActivity();
       
@@ -95,6 +168,24 @@ export function startServer({ port, token, password, session, lockTimeout, exitT
       let ptyProcess = null;
       let authenticated = false;
       
+      // Check if IP is already locked out
+      if (isIpLockedOut(clientIp)) {
+        const remainingMs = getLockoutRemaining(clientIp);
+        const remainingMins = Math.ceil(remainingMs / 60000);
+        console.log(`IP ${clientIp} is locked out for ${remainingMins} more minutes`);
+        ws.send(JSON.stringify({ 
+          type: 'auth_locked', 
+          message: `Too many failed attempts. Try again in ${remainingMins} minute${remainingMins !== 1 ? 's' : ''}.`,
+          lockoutRemainingMs: remainingMs
+        }));
+        ws.close(1008, 'IP locked out');
+        return;
+      }
+      
+      // Get current attempt count for this IP
+      const ipRecord = ipAttempts.get(clientIp);
+      const currentAttempts = ipRecord ? ipRecord.attempts : 0;
+      
       // Send auth request
       ws.send(JSON.stringify({ type: 'auth_required' }));
       
@@ -107,10 +198,25 @@ export function startServer({ port, token, password, session, lockTimeout, exitT
           try {
             const parsed = JSON.parse(message);
             if (parsed.type === 'auth' && parsed.password) {
+              // Check if IP is locked out (could have been locked by another connection)
+              if (isIpLockedOut(clientIp)) {
+                const remainingMs = getLockoutRemaining(clientIp);
+                const remainingMins = Math.ceil(remainingMs / 60000);
+                console.log(`IP ${clientIp} is locked out`);
+                ws.send(JSON.stringify({ 
+                  type: 'auth_locked', 
+                  message: `Too many failed attempts. Try again in ${remainingMins} minute${remainingMins !== 1 ? 's' : ''}.`,
+                  lockoutRemainingMs: remainingMs
+                }));
+                ws.close(1008, 'IP locked out');
+                return;
+              }
+              
               if (parsed.password === password) {
                 authenticated = true;
+                resetIpAttempts(clientIp); // Clear failed attempts on success
                 updateActivity();
-                console.log('Client authenticated successfully');
+                console.log(`Client ${clientIp} authenticated successfully`);
                 
                 // Send auth success with config
                 ws.send(JSON.stringify({ 
@@ -160,8 +266,33 @@ export function startServer({ port, token, password, session, lockTimeout, exitT
                   ws.close(1011, 'PTY spawn failed');
                 }
               } else {
-                console.log('Client authentication failed');
-                ws.send(JSON.stringify({ type: 'auth_failed' }));
+                // Authentication failed - use IP-based tracking
+                const record = recordFailedAttempt(clientIp);
+                const attemptsRemaining = config.maxAuthAttempts - record.attempts;
+                console.log(`Client ${clientIp} authentication failed (attempt ${record.attempts}/${config.maxAuthAttempts})`);
+                
+                // Calculate delay for client-side countdown (after threshold)
+                let delayMs = 0;
+                if (record.attempts >= config.authDelayThreshold) {
+                  delayMs = config.authBaseDelayMs * Math.pow(2, record.attempts - config.authDelayThreshold);
+                }
+                
+                // Check if should lock out
+                if (record.attempts >= config.maxAuthAttempts) {
+                  const lockoutMs = config.authLockoutMins * 60 * 1000;
+                  ws.send(JSON.stringify({ 
+                    type: 'auth_locked', 
+                    message: `Too many failed attempts. Try again in ${config.authLockoutMins} minutes.`,
+                    lockoutRemainingMs: lockoutMs
+                  }));
+                  ws.close(1008, 'Too many failed attempts');
+                } else {
+                  ws.send(JSON.stringify({ 
+                    type: 'auth_failed',
+                    attemptsRemaining: attemptsRemaining,
+                    delayMs: delayMs  // Client will show countdown and disable input
+                  }));
+                }
               }
               return;
             }
@@ -192,11 +323,48 @@ export function startServer({ port, token, password, session, lockTimeout, exitT
           
           // Handle re-auth (after lock screen)
           if (parsed.type === 're-auth' && parsed.password) {
+            // Check if IP is locked out
+            if (isIpLockedOut(clientIp)) {
+              const remainingMs = getLockoutRemaining(clientIp);
+              const remainingMins = Math.ceil(remainingMs / 60000);
+              ws.send(JSON.stringify({ 
+                type: 'auth_locked', 
+                message: `Too many failed attempts. Try again in ${remainingMins} minute${remainingMins !== 1 ? 's' : ''}.`,
+                lockoutRemainingMs: remainingMs
+              }));
+              ws.close(1008, 'IP locked out');
+              return;
+            }
+            
             if (parsed.password === password) {
+              resetIpAttempts(clientIp);
               updateActivity();
               ws.send(JSON.stringify({ type: 'auth_success' }));
             } else {
-              ws.send(JSON.stringify({ type: 'auth_failed' }));
+              const record = recordFailedAttempt(clientIp);
+              const attemptsRemaining = config.maxAuthAttempts - record.attempts;
+              console.log(`Re-auth failed for ${clientIp} (attempt ${record.attempts}/${config.maxAuthAttempts})`);
+              
+              let delayMs = 0;
+              if (record.attempts >= config.authDelayThreshold) {
+                delayMs = config.authBaseDelayMs * Math.pow(2, record.attempts - config.authDelayThreshold);
+              }
+              
+              if (record.attempts >= config.maxAuthAttempts) {
+                const lockoutMs = config.authLockoutMins * 60 * 1000;
+                ws.send(JSON.stringify({ 
+                  type: 'auth_locked', 
+                  message: `Too many failed attempts. Try again in ${config.authLockoutMins} minutes.`,
+                  lockoutRemainingMs: lockoutMs
+                }));
+                ws.close(1008, 'Too many failed attempts');
+              } else {
+                ws.send(JSON.stringify({ 
+                  type: 'auth_failed',
+                  attemptsRemaining: attemptsRemaining,
+                  delayMs: delayMs
+                }));
+              }
             }
             return;
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aigo",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Stream Claude Code to the web - run Claude remotely from any device",
   "type": "module",
   "bin": {

package/public/index.html

@@ -467,18 +467,6 @@
       color: var(--bg-primary);
     }
     
-    /* Exit button */
-    #mobile-exit-btn {
-      color: #ff5555;
-      border-color: #ff5555;
-    }
-    
-    #mobile-exit-btn:hover,
-    #mobile-exit-btn:active {
-      background: #ff5555;
-      color: white;
-    }
-    
     /* History button */
     #mobile-history-btn {
       color: #00ffff;
@@ -646,7 +634,6 @@
       <button id="mobile-mode-toggle" class="mobile-btn" title="Switch mode (Shift+Tab)">Mode</button>
       <button id="mobile-enter-btn" class="mobile-btn" title="Send Enter key">Enter</button>
       <button id="mobile-stop-btn" class="mobile-btn" title="Stop (Ctrl+C)">Stop</button>
-      <button id="mobile-exit-btn" class="mobile-btn" title="Exit session">Exit</button>
     </div>
     
     <!-- History modal overlay -->

package/public/terminal.js

@@ -51,7 +51,6 @@
     const mobileToggleBtn = document.getElementById('mobile-mode-toggle');
     const mobileEnterBtn = document.getElementById('mobile-enter-btn');
     const mobileStopBtn = document.getElementById('mobile-stop-btn');
-    const mobileExitBtn = document.getElementById('mobile-exit-btn');
     const mobileHistoryBtn = document.getElementById('mobile-history-btn');
     const historyOverlay = document.getElementById('history-overlay');
     const historyCloseBtn = document.getElementById('history-close-btn');
@@ -451,14 +450,6 @@
       }
     });
     
-    // Mobile exit button handler (shows confirmation dialog)
-    mobileExitBtn.addEventListener('click', () => {
-      if (authenticated && !isLocked) {
-        mobileButtonFeedback(mobileExitBtn);
-        showExitConfirm();
-      }
-    });
-    
     // Strip ANSI escape codes from text for clean display
     function stripAnsiCodes(text) {
       // Remove ANSI escape sequences (colors, cursor movement, etc.)
@@ -654,12 +645,93 @@
             }
             
             if (msg.type === 'auth_failed') {
-              authError.textContent = 'Invalid password';
               if (!isLocked) {
                 savedPassword = null;
               }
               passwordInput.value = '';
-              passwordInput.focus();
+              
+              // Check if there's a delay (brute-force protection kicked in)
+              if (msg.delayMs && msg.delayMs > 0) {
+                // Disable input and show countdown
+                passwordInput.disabled = true;
+                authBtn.disabled = true;
+                
+                let remainingMs = msg.delayMs;
+                const updateCountdown = () => {
+                  const seconds = Math.ceil(remainingMs / 1000);
+                  authError.textContent = `Too many attempts. Wait ${seconds}s (${msg.attemptsRemaining} attempts remaining)`;
+                  authError.style.color = '#ffaa00';
+                };
+                updateCountdown();
+                
+                const countdownInterval = setInterval(() => {
+                  remainingMs -= 100;
+                  if (remainingMs <= 0) {
+                    clearInterval(countdownInterval);
+                    passwordInput.disabled = false;
+                    authBtn.disabled = false;
+                    authError.textContent = `Invalid password (${msg.attemptsRemaining} attempts remaining)`;
+                    authError.style.color = '#ff5555';
+                    passwordInput.focus();
+                  } else {
+                    updateCountdown();
+                  }
+                }, 100);
+              } else {
+                // No delay, just show error with attempts remaining
+                let errorMsg = 'Invalid password';
+                if (typeof msg.attemptsRemaining === 'number') {
+                  errorMsg += ` (${msg.attemptsRemaining} attempts remaining)`;
+                }
+                authError.textContent = errorMsg;
+                authError.style.color = '#ff5555';
+                passwordInput.focus();
+              }
+              return;
+            }
+            
+            if (msg.type === 'auth_locked') {
+              // Locked out - too many attempts
+              passwordInput.disabled = true;
+              authBtn.disabled = true;
+              authBtn.textContent = 'Locked';
+              authError.style.color = '#ff5555';
+              if (!isLocked) {
+                savedPassword = null;
+              }
+              
+              // Show countdown if lockout time is provided
+              if (msg.lockoutRemainingMs && msg.lockoutRemainingMs > 0) {
+                let remainingMs = msg.lockoutRemainingMs;
+                const updateLockoutCountdown = () => {
+                  const mins = Math.floor(remainingMs / 60000);
+                  const secs = Math.ceil((remainingMs % 60000) / 1000);
+                  if (mins > 0) {
+                    authError.textContent = `Locked out. Try again in ${mins}m ${secs}s`;
+                  } else {
+                    authError.textContent = `Locked out. Try again in ${secs}s`;
+                  }
+                };
+                updateLockoutCountdown();
+                
+                const lockoutInterval = setInterval(() => {
+                  remainingMs -= 1000;
+                  if (remainingMs <= 0) {
+                    clearInterval(lockoutInterval);
+                    // Re-enable and allow retry
+                    passwordInput.disabled = false;
+                    authBtn.disabled = false;
+                    authBtn.textContent = 'Connect';
+                    authError.textContent = 'You can try again now';
+                    authError.style.color = '#00ff88';
+                    passwordInput.focus();
+                  } else {
+                    updateLockoutCountdown();
+                  }
+                }, 1000);
+              } else {
+                authError.textContent = msg.message || 'Too many failed attempts. Please reconnect.';
+              }
               return;
             }