bdy 1.14.0-dev → 1.14.1-dev

package/distTs/package.json

@@ -1,7 +1,7 @@
 {
   "name": "bdy",
   "preferGlobal": false,
-  "version": "1.14.0-dev",
+  "version": "1.14.1-dev",
   "type": "commonjs",
   "license": "MIT",
   "scripts": {

package/distTs/src/agent/socket/client.js

@@ -23,7 +23,7 @@ class AgentSocketClient extends events_1.default {
     lastUpdate;
     tunnelRequests;
     fetch(activate = true, action = null, disabled = null, resetFirstHeard = false, tunnels) {
-        if (!this.socket)
+        if (!this.socket || !this.connected)
             return;
         this.socket.emit('fetchTunnelAgent', {
             id: this.id,
@@ -39,7 +39,7 @@ class AgentSocketClient extends events_1.default {
         });
     }
     update(activate, tunnels, force = false) {
-        if (!this.socket)
+        if (!this.socket || !this.connected)
             return;
         const now = Date.now();
         // nie robimy update jak byl mniej niz 5s temu
@@ -57,7 +57,7 @@ class AgentSocketClient extends events_1.default {
         });
     }
     emitRequest(tunnelId, logRequest) {
-        if (!this.socket)
+        if (!this.socket || !this.connected)
             return;
         this.socket.emit('tunnelRequest', {
             id: this.id,

package/distTs/src/tunnel/tunnel.js

@@ -53,6 +53,7 @@ const log_1 = __importDefault(require("./http/log"));
 const format_1 = __importDefault(require("../format"));
 const node_crypto_1 = __importDefault(require("node:crypto"));
 const cookie = __importStar(require("cookie"));
+const uuid_1 = require("uuid");
 const jsonwebtoken_1 = require("jsonwebtoken");
 const undici_1 = require("undici");
 const texts_1 = require("../texts");
@@ -62,6 +63,204 @@ const cfg_1 = __importDefault(require("./cfg"));
 const CIPHER_ALG = 'aes-256-cbc';
 const CIPHER_IV = Buffer.alloc(16).fill(0);
 const COOKIE_NAME = 'jwt_token';
+const ISSUERS = {
+    'https://stage-oidc.buddyusercontent.com': `-----BEGIN CERTIFICATE-----
+MIIEwDCCAqgCFBDp9Im/iI4hjQTeypaLQbZZZs45MA0GCSqGSIb3DQEBCwUAMBYx
+FDASBgNVBAMMC2J1ZGR5LndvcmtzMCAXDTIzMDIxNjA4MTMyOFoYDzIwNTMwMjA4
+MDgxMzI4WjAhMR8wHQYDVQQDDBYqLmJ1ZGR5dXNlcmNvbnRlbnQuY29tMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvMDTFG4ha//vRxUb/AJpnubUi4Er
+z2TLxCNZBdHPwIqWvygvMHUmTySxMU+a05D/6yHnQiaqnXI0y7nh/ZYmkTqHs985
+3hr5gN/kLmcujo3YtUIm93ZbPHsmaBSlvBSzS1sI8GFE2pqePTo3e/qSWtV6aQBI
+0MTEAMKo3JokOft/9cMbdv212eo1Z7vkHvzO0IyAJ15fm4pX/to+2Xap2aG0M78K
+zVgtYdbJAmhstsGBaYxSr15PeDE0OkirevjRXPcGfyjV501tubGk18CH/hUBO3CB
+QOiAH2q1w8Istxus5xibpWYFHoPJiuZ1BryHHV4vnzkDS2RJ3tE+dXHAfIHIN2q0
+AjyDir0KZPOHLxOr17JsZuAfboVgLcZpmFWnm7hfZ6GfRt77ih9IFNi0doMbHmPx
+9B436oaFTXXQdDdMiFSDel1DyKqe+BBiGyqfg9Dvw6Qk+pS0b6q+e/XZYwG9q8K6
+6r1A+TribcAp0bl6O5XxFRdllEwbY9vbyoRX/bB0aKzhAkoP3Cuh4oss0ueiSwZC
+5NUIGSdHMioGjhIGLNj7hv4pZfwr5cxkwPwO43Vv25qVej+AJJwdlRNXS2MSjTQg
+Z/sVVOXsgJHTDyP7ke388rqsgXjdoacoJkTXUdl0652wkRPl9UQ4InVfyNw24MVc
+9ksePMYUIyW7rI8CAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAa8I0iJ8155ihutvw
+1HEqhWbQokANxCdJ3zfdu6guTjrG9HxD7kuloB3ZyVVQsLdZlZoFfZnpMKtnFK1v
+deDtEoayPiUI6DHURtxFHWOYM/VWJd41s3nIoilApBdESpNI6RQvb7JIXuXCDndc
+pvuZ6U0zMnWTVFK7MVrbxqRDMO/mCTJUKIqNLmGo+6YYfhWy8y3HHdnC86CFUy+T
+IaMuDEuqd3HvpqljgXM8o5cTCYawnQA2PKA36XiJoc+9A00EuVQw0ILQbw3aYaIX
+/PNiq3CCyt1YIjal+zSNMxNnmNEW7H5+arxbT+I8oWDZUR+KyeZJYRjuZGzqfRGt
+hAzRj7HKN0bU4Y97a7GyWaxzMtbunWnl8U+1TsM/9cfNgjKZxMopZCb1n/TfUDMo
+/67xEjDS2B/LcGOWDUEExLXaxCoLtVwk7co+Z4FXmiMDmoJmrE6lbGcMD1Ys+6Td
+el3K5ll/6obgUFZsUMPP6xV2+nFz+LThueWphs1+7s0eD3xanVijSHXS8HF87yvE
+eiq+rBRq7FE0Eqen6spTWFpjrmdBxY5Ti0z14KKXHGJStrpC5KquegwBIj0w/wNY
+O6+HPN73rzfhtkO+A0tAG7el3XtqI0fOXiD1xot84neFJV6/qxyvnRUamJjKCgK2
+X1wqKx71Z3gigILDphu5m3d0RRU=
+-----END CERTIFICATE-----`,
+    'https://stageeu-oidc.buddyusercontent.com': `-----BEGIN CERTIFICATE-----
+MIIEwDCCAqgCFBDp9Im/iI4hjQTeypaLQbZZZs45MA0GCSqGSIb3DQEBCwUAMBYx
+FDASBgNVBAMMC2J1ZGR5LndvcmtzMCAXDTIzMDIxNjA4MTMyOFoYDzIwNTMwMjA4
+MDgxMzI4WjAhMR8wHQYDVQQDDBYqLmJ1ZGR5dXNlcmNvbnRlbnQuY29tMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvMDTFG4ha//vRxUb/AJpnubUi4Er
+z2TLxCNZBdHPwIqWvygvMHUmTySxMU+a05D/6yHnQiaqnXI0y7nh/ZYmkTqHs985
+3hr5gN/kLmcujo3YtUIm93ZbPHsmaBSlvBSzS1sI8GFE2pqePTo3e/qSWtV6aQBI
+0MTEAMKo3JokOft/9cMbdv212eo1Z7vkHvzO0IyAJ15fm4pX/to+2Xap2aG0M78K
+zVgtYdbJAmhstsGBaYxSr15PeDE0OkirevjRXPcGfyjV501tubGk18CH/hUBO3CB
+QOiAH2q1w8Istxus5xibpWYFHoPJiuZ1BryHHV4vnzkDS2RJ3tE+dXHAfIHIN2q0
+AjyDir0KZPOHLxOr17JsZuAfboVgLcZpmFWnm7hfZ6GfRt77ih9IFNi0doMbHmPx
+9B436oaFTXXQdDdMiFSDel1DyKqe+BBiGyqfg9Dvw6Qk+pS0b6q+e/XZYwG9q8K6
+6r1A+TribcAp0bl6O5XxFRdllEwbY9vbyoRX/bB0aKzhAkoP3Cuh4oss0ueiSwZC
+5NUIGSdHMioGjhIGLNj7hv4pZfwr5cxkwPwO43Vv25qVej+AJJwdlRNXS2MSjTQg
+Z/sVVOXsgJHTDyP7ke388rqsgXjdoacoJkTXUdl0652wkRPl9UQ4InVfyNw24MVc
+9ksePMYUIyW7rI8CAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAa8I0iJ8155ihutvw
+1HEqhWbQokANxCdJ3zfdu6guTjrG9HxD7kuloB3ZyVVQsLdZlZoFfZnpMKtnFK1v
+deDtEoayPiUI6DHURtxFHWOYM/VWJd41s3nIoilApBdESpNI6RQvb7JIXuXCDndc
+pvuZ6U0zMnWTVFK7MVrbxqRDMO/mCTJUKIqNLmGo+6YYfhWy8y3HHdnC86CFUy+T
+IaMuDEuqd3HvpqljgXM8o5cTCYawnQA2PKA36XiJoc+9A00EuVQw0ILQbw3aYaIX
+/PNiq3CCyt1YIjal+zSNMxNnmNEW7H5+arxbT+I8oWDZUR+KyeZJYRjuZGzqfRGt
+hAzRj7HKN0bU4Y97a7GyWaxzMtbunWnl8U+1TsM/9cfNgjKZxMopZCb1n/TfUDMo
+/67xEjDS2B/LcGOWDUEExLXaxCoLtVwk7co+Z4FXmiMDmoJmrE6lbGcMD1Ys+6Td
+el3K5ll/6obgUFZsUMPP6xV2+nFz+LThueWphs1+7s0eD3xanVijSHXS8HF87yvE
+eiq+rBRq7FE0Eqen6spTWFpjrmdBxY5Ti0z14KKXHGJStrpC5KquegwBIj0w/wNY
+O6+HPN73rzfhtkO+A0tAG7el3XtqI0fOXiD1xot84neFJV6/qxyvnRUamJjKCgK2
+X1wqKx71Z3gigILDphu5m3d0RRU=
+-----END CERTIFICATE-----`,
+    'https://oidc.buddyusercontent.com': `-----BEGIN CERTIFICATE-----
+MIIEwDCCAqgCFCIRhplNpTZLH9WdAbZus4xHHjPXMA0GCSqGSIb3DQEBCwUAMBYx
+FDASBgNVBAMMC2J1ZGR5LndvcmtzMCAXDTIzMDIxNjA4MTM1M1oYDzIwNTMwMjA4
+MDgxMzUzWjAhMR8wHQYDVQQDDBYqLmJ1ZGR5dXNlcmNvbnRlbnQuY29tMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuA5ulo8uVKsxLcgIDn3DtnoMdyJv
+BHHl68b1p+SAb4OEN4SlEdl33jy2LMNwr0SS6Mh7VT9tkCUAxDpmImTdsd59qhqu
+5oxCnE5slx5/RmV0/RgCZRjy0phmPIImsMAvBsFY6+c+fPZfxJGs+uWtXXRS1IgI
+LO0BXSqIF2UIst+R787vynmI6UFPaD7bKaJkM79RPanjqvma+y8VvJU2isqz3bjS
+T32842iGlwnkwzz4SfOIiVgKT8HhnZsD5YmtTMPYYghgWj1HtMxOTJ/qEuXiLWfg
+TzqPI6Z2usnUb2lJl/EtEHILLyU4hfYr113nO3VIG6iLZahRttbelqujfWbQXS0w
+nAGn0e4RD5OzG+bu/y4yYBoQ2kRGtFpIH4nXOw43PhKo0rALAllrpQi4p26KYqWk
+r27BuOoZWmB2nkVm2v7vnDa6e2CpwXMaLpIFDANeSoK8Tr+RaHCp1JNMI7zYVejN
+C9bOKL35/Q0gsxWW3BdLL/EtTrwZKGlJtovkBQdFkEmiNnK8tc4BLKDmtYFsf8HZ
+I0jYHwVD90DP9lMJG/VFZl2xUBHKq7UjX/CLgRPc1S5QiqeHFh0kWVilcrVauaTT
+nAX2cG41lxGSH/60zxtOAYqKIdEvvQdHVl3S1AHemENl/ngh9kt2oU5+1Csb/+jG
+zrE5dI3ipDCUNHMCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAuZCIfMcexrKHEcQM
+otb6PXrCEOdiVq+vQuVAQCMfC9MyGcufxLY9+QhuPSVhsyZ1ffZufF6oT+HlQY4z
+5E5CE7kTw1q9Gpu4RHEtlg7ALvpAy+Hfi2sAJy6r6Tqa5hEoi/8qQFgqTn5ooFr2
+SkjK72dx3YkgRsV9P7O9TlteLgwd6POLmrbibvcGB9CiPSL/SmItT2vpASUxow0a
+JiyrbBgPQFaKPocfJJ917Zur1bigdUoCK+S0vq5tOFWrm3HXDIiz5+aB5/cW9/3W
+AXghWYdAStJH9xTIWA7dk8V4SPJjjQWhyG+GxM+oE999K4iPTOpGMjLfG/ZiLKLg
+1Z3gO3wNP2BrhotrAxVRcynvm6552nzDos9ybiq1VPbiz8qLYThNTu/tlw2JbCXw
+PWaM1jh8B2v5Q4NhRKnl3Zz03RtNHwAUYzZLahe47/ADb5/XC86H46NRLHZB3QIO
+wXYcTFrCskkdoGEZwiiqUchYjvWKb9++WHkPGGBaLhAlaCZNTgGXyt8OYJSRwIfT
+YbGYXuZMGUV3U63WZm3fOpHflQPkC9bzmK9MgFshhUlB0xk1vC1dkC2I5jOGJqa0
+3yZghw2R+f5zGZd7TusSmm7Kk8i6mCssRG8B3R8p+6a6GQFeWtqQcUV/dcJVs9sx
+ZbFKWzfs9+m8Y04W4PmzZM2ZAN8=
+-----END CERTIFICATE-----`,
+    'https://eu-oidc.buddyusercontent.com': `-----BEGIN CERTIFICATE-----
+MIIEwDCCAqgCFCIRhplNpTZLH9WdAbZus4xHHjPXMA0GCSqGSIb3DQEBCwUAMBYx
+FDASBgNVBAMMC2J1ZGR5LndvcmtzMCAXDTIzMDIxNjA4MTM1M1oYDzIwNTMwMjA4
+MDgxMzUzWjAhMR8wHQYDVQQDDBYqLmJ1ZGR5dXNlcmNvbnRlbnQuY29tMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuA5ulo8uVKsxLcgIDn3DtnoMdyJv
+BHHl68b1p+SAb4OEN4SlEdl33jy2LMNwr0SS6Mh7VT9tkCUAxDpmImTdsd59qhqu
+5oxCnE5slx5/RmV0/RgCZRjy0phmPIImsMAvBsFY6+c+fPZfxJGs+uWtXXRS1IgI
+LO0BXSqIF2UIst+R787vynmI6UFPaD7bKaJkM79RPanjqvma+y8VvJU2isqz3bjS
+T32842iGlwnkwzz4SfOIiVgKT8HhnZsD5YmtTMPYYghgWj1HtMxOTJ/qEuXiLWfg
+TzqPI6Z2usnUb2lJl/EtEHILLyU4hfYr113nO3VIG6iLZahRttbelqujfWbQXS0w
+nAGn0e4RD5OzG+bu/y4yYBoQ2kRGtFpIH4nXOw43PhKo0rALAllrpQi4p26KYqWk
+r27BuOoZWmB2nkVm2v7vnDa6e2CpwXMaLpIFDANeSoK8Tr+RaHCp1JNMI7zYVejN
+C9bOKL35/Q0gsxWW3BdLL/EtTrwZKGlJtovkBQdFkEmiNnK8tc4BLKDmtYFsf8HZ
+I0jYHwVD90DP9lMJG/VFZl2xUBHKq7UjX/CLgRPc1S5QiqeHFh0kWVilcrVauaTT
+nAX2cG41lxGSH/60zxtOAYqKIdEvvQdHVl3S1AHemENl/ngh9kt2oU5+1Csb/+jG
+zrE5dI3ipDCUNHMCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAuZCIfMcexrKHEcQM
+otb6PXrCEOdiVq+vQuVAQCMfC9MyGcufxLY9+QhuPSVhsyZ1ffZufF6oT+HlQY4z
+5E5CE7kTw1q9Gpu4RHEtlg7ALvpAy+Hfi2sAJy6r6Tqa5hEoi/8qQFgqTn5ooFr2
+SkjK72dx3YkgRsV9P7O9TlteLgwd6POLmrbibvcGB9CiPSL/SmItT2vpASUxow0a
+JiyrbBgPQFaKPocfJJ917Zur1bigdUoCK+S0vq5tOFWrm3HXDIiz5+aB5/cW9/3W
+AXghWYdAStJH9xTIWA7dk8V4SPJjjQWhyG+GxM+oE999K4iPTOpGMjLfG/ZiLKLg
+1Z3gO3wNP2BrhotrAxVRcynvm6552nzDos9ybiq1VPbiz8qLYThNTu/tlw2JbCXw
+PWaM1jh8B2v5Q4NhRKnl3Zz03RtNHwAUYzZLahe47/ADb5/XC86H46NRLHZB3QIO
+wXYcTFrCskkdoGEZwiiqUchYjvWKb9++WHkPGGBaLhAlaCZNTgGXyt8OYJSRwIfT
+YbGYXuZMGUV3U63WZm3fOpHflQPkC9bzmK9MgFshhUlB0xk1vC1dkC2I5jOGJqa0
+3yZghw2R+f5zGZd7TusSmm7Kk8i6mCssRG8B3R8p+6a6GQFeWtqQcUV/dcJVs9sx
+ZbFKWzfs9+m8Y04W4PmzZM2ZAN8=
+-----END CERTIFICATE-----`,
+    'https://master-oidc.buddyusercontent.com': `-----BEGIN CERTIFICATE-----
+MIIEwDCCAqgCFBDp9Im/iI4hjQTeypaLQbZZZs47MA0GCSqGSIb3DQEBCwUAMBYx
+FDASBgNVBAMMC2J1ZGR5LndvcmtzMCAXDTIzMDIxNjA4MTM0NVoYDzIwNTMwMjA4
+MDgxMzQ1WjAhMR8wHQYDVQQDDBYqLmJ1ZGR5dXNlcmNvbnRlbnQuY29tMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyHdEa5QrqJVIAESbgkIMw/pPAJ1R
+kIlin/BQBn43YmcIpw/uFSPol9M5S9WkVMESWhM+wk3V+byiAULOm7FQ5N1AqRMa
+msxmuFenDJQEtEZ/Ca/HQXSOqwUG0TTIE5OZxuJy0SlEIjNPE56cJhp/ojOkvhXn
+mdPtjPI8sslF4CXAHW8qTa/N9L66ro5WMEVba/XGzdySOSN3z8ycr1583ZVXPK7x
+nvo/LrskdbPIjNz8firGp2OBsM0qeINmTUBLFVkWRj4PGgcCGRd1bV4C085obtep
+0Cg/xZen3TQmoAFFsGVSO/3FP/lNv598HrzyHQKN/d2pl1d06NUl7mM7SLdHCbvi
+3zVe1Ntr01QJuQGo3Uv9v4D6j1urzN25ghSfjOzjmTJjpGIwHfKJlVy674laq7mT
+KBnkpwmOgvbPSaaYQ8ik72PuLb73IWkxIaQ4Hr0pqUw00CDLO9p1gcz/biktxhxj
+d48SzS0tQXQMTSKZYWWzfh+Q5rCwVKozzyHPHSJuLxetrtxEcnt5OQFqKu3bcCwI
+xoFLpl5BQjBTrvigOO2ElQxGz2+N7W9zu5VLOl0nCw5MQwN9KXyVHVEYYbC3Mmnq
+RSuudH/25SuYMaEkIUoQa7vgJmwPJ4uWVSExO9fnOmA0L0GM+1WbU3BgEp3FUVSw
+x4QPC1swwlhkVkkCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEApZEjwNCxWHxuAMwE
+jvlEouPs+yZsaxxIC44kKuwNacvk5pV4lC4w59pDTlZghgQwGvT7YlU0GfNrZbJi
+2mREXH2DQt2GPv0roFYJGfT+tranbmmozJXdohSqllcM6Ev2f5I5Y7AkZePX3vAE
+aY0CJzBq9WTnfEjZCOcrkuI4hSccZ53R2DMm3IU2SBfwJlY5HwFLOokwUOgbVMCN
+O5szeNqGgdJjeNGwzCN3u0GwnKNhbvz02FsL+LSe2Mj9K5y5B950DIK6Nuj79nbj
+48uYcplsLBB7g1977QlTBnUVASy859Uajydla6RREw6ZPESVkZHXXJ7+2ek+vnnt
+5RHcbfnR+79MaKfUyVrtHmqtr5osvjhPQ9m9cmQG9UzoidKbxbYm6b6HbNRL5v79
+YNO/12X5pH5h5lc5iFc/0S5NQuOq1OT7lzZNcE0H87rvIvThW0U/X4KVqYj7XY90
+z2U1X+SDiq8ldzXtUYIJnl9J4v+I+u9iyJqYHYBBjj3Wn1NTzuE3ZDEBiwguuVUN
+aKEbQvoT3Eh8nNw3v/BVThjTpa+pMWlI6XpMi9rcN8/edLgaCbMaO059KJTwx4hq
+gUkjwZKhdE4s4pAn1BF644kkVdx2FXzdtmTfYWx1Rnsp1T0sxlzgMWltMd8wAuzS
+5cMq3aQmM1PRT/Q2XYwq7FhiiUg=
+-----END CERTIFICATE-----`,
+    'https://sls-oidc.buddyusercontent.com': `-----BEGIN CERTIFICATE-----
+MIIEwDCCAqgCFBDp9Im/iI4hjQTeypaLQbZZZs45MA0GCSqGSIb3DQEBCwUAMBYx
+FDASBgNVBAMMC2J1ZGR5LndvcmtzMCAXDTIzMDIxNjA4MTMyOFoYDzIwNTMwMjA4
+MDgxMzI4WjAhMR8wHQYDVQQDDBYqLmJ1ZGR5dXNlcmNvbnRlbnQuY29tMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvMDTFG4ha//vRxUb/AJpnubUi4Er
+z2TLxCNZBdHPwIqWvygvMHUmTySxMU+a05D/6yHnQiaqnXI0y7nh/ZYmkTqHs985
+3hr5gN/kLmcujo3YtUIm93ZbPHsmaBSlvBSzS1sI8GFE2pqePTo3e/qSWtV6aQBI
+0MTEAMKo3JokOft/9cMbdv212eo1Z7vkHvzO0IyAJ15fm4pX/to+2Xap2aG0M78K
+zVgtYdbJAmhstsGBaYxSr15PeDE0OkirevjRXPcGfyjV501tubGk18CH/hUBO3CB
+QOiAH2q1w8Istxus5xibpWYFHoPJiuZ1BryHHV4vnzkDS2RJ3tE+dXHAfIHIN2q0
+AjyDir0KZPOHLxOr17JsZuAfboVgLcZpmFWnm7hfZ6GfRt77ih9IFNi0doMbHmPx
+9B436oaFTXXQdDdMiFSDel1DyKqe+BBiGyqfg9Dvw6Qk+pS0b6q+e/XZYwG9q8K6
+6r1A+TribcAp0bl6O5XxFRdllEwbY9vbyoRX/bB0aKzhAkoP3Cuh4oss0ueiSwZC
+5NUIGSdHMioGjhIGLNj7hv4pZfwr5cxkwPwO43Vv25qVej+AJJwdlRNXS2MSjTQg
+Z/sVVOXsgJHTDyP7ke388rqsgXjdoacoJkTXUdl0652wkRPl9UQ4InVfyNw24MVc
+9ksePMYUIyW7rI8CAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAa8I0iJ8155ihutvw
+1HEqhWbQokANxCdJ3zfdu6guTjrG9HxD7kuloB3ZyVVQsLdZlZoFfZnpMKtnFK1v
+deDtEoayPiUI6DHURtxFHWOYM/VWJd41s3nIoilApBdESpNI6RQvb7JIXuXCDndc
+pvuZ6U0zMnWTVFK7MVrbxqRDMO/mCTJUKIqNLmGo+6YYfhWy8y3HHdnC86CFUy+T
+IaMuDEuqd3HvpqljgXM8o5cTCYawnQA2PKA36XiJoc+9A00EuVQw0ILQbw3aYaIX
+/PNiq3CCyt1YIjal+zSNMxNnmNEW7H5+arxbT+I8oWDZUR+KyeZJYRjuZGzqfRGt
+hAzRj7HKN0bU4Y97a7GyWaxzMtbunWnl8U+1TsM/9cfNgjKZxMopZCb1n/TfUDMo
+/67xEjDS2B/LcGOWDUEExLXaxCoLtVwk7co+Z4FXmiMDmoJmrE6lbGcMD1Ys+6Td
+el3K5ll/6obgUFZsUMPP6xV2+nFz+LThueWphs1+7s0eD3xanVijSHXS8HF87yvE
+eiq+rBRq7FE0Eqen6spTWFpjrmdBxY5Ti0z14KKXHGJStrpC5KquegwBIj0w/wNY
+O6+HPN73rzfhtkO+A0tAG7el3XtqI0fOXiD1xot84neFJV6/qxyvnRUamJjKCgK2
+X1wqKx71Z3gigILDphu5m3d0RRU=
+-----END CERTIFICATE-----`,
+    '*': `-----BEGIN CERTIFICATE-----
+MIIEwDCCAqgCFBDp9Im/iI4hjQTeypaLQbZZZs45MA0GCSqGSIb3DQEBCwUAMBYx
+FDASBgNVBAMMC2J1ZGR5LndvcmtzMCAXDTIzMDIxNjA4MTMyOFoYDzIwNTMwMjA4
+MDgxMzI4WjAhMR8wHQYDVQQDDBYqLmJ1ZGR5dXNlcmNvbnRlbnQuY29tMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvMDTFG4ha//vRxUb/AJpnubUi4Er
+z2TLxCNZBdHPwIqWvygvMHUmTySxMU+a05D/6yHnQiaqnXI0y7nh/ZYmkTqHs985
+3hr5gN/kLmcujo3YtUIm93ZbPHsmaBSlvBSzS1sI8GFE2pqePTo3e/qSWtV6aQBI
+0MTEAMKo3JokOft/9cMbdv212eo1Z7vkHvzO0IyAJ15fm4pX/to+2Xap2aG0M78K
+zVgtYdbJAmhstsGBaYxSr15PeDE0OkirevjRXPcGfyjV501tubGk18CH/hUBO3CB
+QOiAH2q1w8Istxus5xibpWYFHoPJiuZ1BryHHV4vnzkDS2RJ3tE+dXHAfIHIN2q0
+AjyDir0KZPOHLxOr17JsZuAfboVgLcZpmFWnm7hfZ6GfRt77ih9IFNi0doMbHmPx
+9B436oaFTXXQdDdMiFSDel1DyKqe+BBiGyqfg9Dvw6Qk+pS0b6q+e/XZYwG9q8K6
+6r1A+TribcAp0bl6O5XxFRdllEwbY9vbyoRX/bB0aKzhAkoP3Cuh4oss0ueiSwZC
+5NUIGSdHMioGjhIGLNj7hv4pZfwr5cxkwPwO43Vv25qVej+AJJwdlRNXS2MSjTQg
+Z/sVVOXsgJHTDyP7ke388rqsgXjdoacoJkTXUdl0652wkRPl9UQ4InVfyNw24MVc
+9ksePMYUIyW7rI8CAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAa8I0iJ8155ihutvw
+1HEqhWbQokANxCdJ3zfdu6guTjrG9HxD7kuloB3ZyVVQsLdZlZoFfZnpMKtnFK1v
+deDtEoayPiUI6DHURtxFHWOYM/VWJd41s3nIoilApBdESpNI6RQvb7JIXuXCDndc
+pvuZ6U0zMnWTVFK7MVrbxqRDMO/mCTJUKIqNLmGo+6YYfhWy8y3HHdnC86CFUy+T
+IaMuDEuqd3HvpqljgXM8o5cTCYawnQA2PKA36XiJoc+9A00EuVQw0ILQbw3aYaIX
+/PNiq3CCyt1YIjal+zSNMxNnmNEW7H5+arxbT+I8oWDZUR+KyeZJYRjuZGzqfRGt
+hAzRj7HKN0bU4Y97a7GyWaxzMtbunWnl8U+1TsM/9cfNgjKZxMopZCb1n/TfUDMo
+/67xEjDS2B/LcGOWDUEExLXaxCoLtVwk7co+Z4FXmiMDmoJmrE6lbGcMD1Ys+6Td
+el3K5ll/6obgUFZsUMPP6xV2+nFz+LThueWphs1+7s0eD3xanVijSHXS8HF87yvE
+eiq+rBRq7FE0Eqen6spTWFpjrmdBxY5Ti0z14KKXHGJStrpC5KquegwBIj0w/wNY
+O6+HPN73rzfhtkO+A0tAG7el3XtqI0fOXiD1xot84neFJV6/qxyvnRUamJjKCgK2
+X1wqKx71Z3gigILDphu5m3d0RRU=
+-----END CERTIFICATE-----`
+};
 class Tunnel extends events_1.default {
     agent;
     id;
@@ -503,7 +702,7 @@ class Tunnel extends events_1.default {
         }
         return this.httpAuthClient[host];
     }
-    async _httpExchangeAuthCode(code) {
+    async _httpExchangeAuthCode(code, verifier) {
         const client = this._getHttpAuthClient();
         try {
             const r = await client.request({
@@ -513,7 +712,8 @@ class Tunnel extends events_1.default {
                     'content-type': 'application/json',
                 },
                 body: JSON.stringify({
-                    code
+                    code,
+                    verifier
                 })
             });
             const o = await r.body.json();
@@ -526,32 +726,57 @@ class Tunnel extends events_1.default {
         }
         return '';
     }
-    _httpParseAuthToken(token) {
-        const msg = 'Invalid authorization token';
-        if (!token)
-            throw new Error(msg);
-        const data = (0, jsonwebtoken_1.decode)(token);
-        if (data === null || !data.tunnelId || !data.userId || data.aud !== 'tunnels' || data.sub !== 'tunnel_read')
-            throw new Error(msg);
-        return {
-            tunnelId: data.tunnelId,
-            userId: data.userId,
-            token
-        };
+    async _httpParseAuthToken(token) {
+        return new Promise((resolve, reject) => {
+            const msg = 'Invalid authorization token';
+            if (!token) {
+                reject(new Error(msg));
+                return;
+            }
+            const data = (0, jsonwebtoken_1.decode)(token);
+            if (!data || !data.iss) {
+                reject(new Error(msg));
+                return;
+            }
+            let cert;
+            if (ISSUERS[data.iss])
+                cert = ISSUERS[data.iss];
+            else
+                cert = ISSUERS['*'];
+            (0, jsonwebtoken_1.verify)(token, cert, {
+                complete: true,
+                issuer: data.iss
+            }, (err, data) => {
+                if (err || !data) {
+                    reject(new Error(msg));
+                    return;
+                }
+                const payload = data.payload;
+                if (!payload.tunnelId || !payload.userId || payload.aud !== 'tunnels' || payload.sub !== 'tunnel_read') {
+                    reject(new Error(msg));
+                    return;
+                }
+                resolve({
+                    tunnelId: payload.tunnelId,
+                    userId: payload.userId,
+                    token
+                });
+            });
+        });
     }
     _httpSetAuthCookie(res, token) {
         res.setHeader('set-cookie', cookie.serialize(COOKIE_NAME, token, {
             maxAge: 3600,
             path: '/',
-            secure: false,
+            secure: true,
             httpOnly: true,
             sameSite: 'lax'
         }));
     }
-    async _checkHttpAuthToken(code, token, req, res) {
+    async _checkHttpAuthToken(code, verifier, token, req, res) {
         let fromCookie = false;
-        if (code && !token) {
-            token = await this._httpExchangeAuthCode(code);
+        if (code && verifier && !token) {
+            token = await this._httpExchangeAuthCode(code, verifier);
         }
         if (!token) {
             const cookies = cookie.parse(req.headers.cookie || '');
@@ -562,7 +787,7 @@ class Tunnel extends events_1.default {
             return false;
         }
         try {
-            const data = this._httpParseAuthToken(token);
+            const data = await this._httpParseAuthToken(token);
             if (data.tunnelId !== this.id) {
                 return false;
             }
@@ -579,10 +804,10 @@ class Tunnel extends events_1.default {
             return false;
         }
     }
-    _httpEncryptState(str) {
+    _httpEncryptState(url, verifier) {
         try {
             const cipher = node_crypto_1.default.createCipheriv(CIPHER_ALG, Buffer.from(this.cipherKey), Buffer.from(CIPHER_IV));
-            let enc = cipher.update(JSON.stringify({ str }), 'utf8', 'hex');
+            let enc = cipher.update(JSON.stringify({ url, verifier }), 'utf8', 'hex');
             enc += cipher.final('hex');
             return enc;
         }
@@ -592,47 +817,56 @@ class Tunnel extends events_1.default {
         return '';
     }
     _httpDecryptState(state) {
+        let url = null;
+        let verifier = null;
         if (state) {
             try {
                 const decipher = node_crypto_1.default.createDecipheriv(CIPHER_ALG, Buffer.from(this.cipherKey), Buffer.from(CIPHER_IV));
                 let dec = decipher.update(state, 'hex', 'utf8');
                 dec += decipher.final('utf8');
-                const url = JSON.parse(dec).str;
-                if (url) {
-                    new URL(url);
-                    return url;
+                const json = JSON.parse(dec);
+                if (json) {
+                    if (json.url)
+                        url = json.url;
+                    if (json.verifier)
+                        verifier = json.verifier;
                 }
             }
             catch {
                 // do nothing
             }
         }
-        return '';
+        return {
+            url,
+            verifier
+        };
     }
     _redirectHttpToBuddyAuth(pathname, search, req, res) {
         let host = this.agent.host;
         if (/^https:\/\/\d+\.\d+\.\d+\.\d+$/.test(host)) {
             host = 'https://app.local.io';
         }
+        const verifier = (0, uuid_1.v4)();
+        const challenge = node_crypto_1.default.createHash('sha256').update(verifier).digest('hex');
         const callback = `https://${this.subdomain}.${(this.region || '').toLowerCase()}-${this.sshId}.${this.domain}`;
-        let state;
+        let redirect;
         if (req.headers['x-forwarded-host']) {
             if (req.headers['x-forwarded-proto'] === 'http') {
-                state = 'http://';
+                redirect = 'http://';
             }
             else {
-                state = 'https://';
+                redirect = 'https://';
             }
-            state += req.headers['x-forwarded-host'];
+            redirect += req.headers['x-forwarded-host'];
         }
         else {
-            state = callback;
+            redirect = callback;
         }
-        state += pathname;
+        redirect += pathname;
         if (search)
-            state += search;
-        const enc = this._httpEncryptState(state);
-        let url = `${host}/tunnel/auth?redirect_url=${encodeURIComponent(callback)}&id=${encodeURIComponent(this.id)}&agentId=${encodeURIComponent(this.agent.id)}&state=${encodeURIComponent(enc)}`;
+            redirect += search;
+        const enc = this._httpEncryptState(redirect, verifier);
+        let url = `${host}/tunnel/auth?redirect_url=${encodeURIComponent(callback)}&id=${encodeURIComponent(this.id)}&agentId=${encodeURIComponent(this.agent.id)}&challenge=${encodeURIComponent(challenge)}&state=${encodeURIComponent(enc)}`;
         if (/app\.local\.io/.test(host)) {
             url += '&response_type=token';
         }
@@ -646,8 +880,8 @@ class Tunnel extends events_1.default {
             const code = searchParams.get('code') || '';
             const state = searchParams.get('state') || '';
             const token = searchParams.get('access_token') || '';
-            const url = this._httpDecryptState(state);
-            const authByToken = await this._checkHttpAuthToken(code, token, req, res);
+            const { url, verifier } = this._httpDecryptState(state);
+            const authByToken = await this._checkHttpAuthToken(code, verifier || '', token, req, res);
             if (authByToken) {
                 if (url) {
                     this.httpEndFast(req, res, 302, 'Found', {
@@ -657,7 +891,7 @@ class Tunnel extends events_1.default {
                 }
                 return true;
             }
-            else if ((code || token) && url) {
+            if (url && verifier && (code || token)) {
                 this.httpEndFast(req, res, 404, 'Not found');
                 return false;
             }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "bdy",
   "preferGlobal": false,
-  "version": "1.14.0-dev",
+  "version": "1.14.1-dev",
   "type": "commonjs",
   "license": "MIT",
   "scripts": {