bloby-bot 0.53.10 → 0.54.11

package/supervisor/index.ts

@@ -11,7 +11,7 @@ import { log } from '../shared/logger.js';
 import { startTunnel, stopTunnel, isTunnelAlive, restartTunnel, startNamedTunnel, restartNamedTunnel } from './tunnel.js';
 import { createWorkerApp } from '../worker/index.js';
 import { closeDb, getSession, getSetting } from '../worker/db.js';
-import { spawnBackend, stopBackend, restartBackend, getBackendPort, isBackendAlive, isBackendStopping, isBackendDead, readBackendLogTail, setBackendEnv } from './backend.js';
+import { spawnBackend, stopBackend, restartBackend, getBackendPort, isBackendAlive, isBackendStopping, isBackendDead, readBackendLogTail, setBackendEnv, setBackendGiveUpHandler } from './backend.js';
 import { handleAgentQuery, type AgentQueryRequest } from './agent-api.js';
 import { updateTunnelUrl, startHeartbeat, stopHeartbeat, disconnect } from '../shared/relay.js';
 import {
@@ -662,6 +662,32 @@ export async function startSupervisor() {
       res.setHeader('Content-Type', 'application/json');
       res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
 
+      // ── Loopback-only guard for channel MUTATION endpoints ──
+      // These are only ever called by the local agent over loopback (curl localhost:7400),
+      // never legitimately from the public Cloudflare tunnel. Without this, an unauthenticated
+      // remote request could set mode/admins or flip allowOthersToTrigger and seize the agent
+      // (it can run Bash/edit files). Same guard the Agent API uses: cloudflared forwards over
+      // loopback so the IP check alone is a no-op behind the relay — we also reject any request
+      // carrying cloudflared's cf-connecting-ip/cf-ray (tunnel-origin) headers. Reads (status,
+      // qr, qr-page) and alexa/handle (relay-origin, secret-gated) deliberately stay public.
+      const WA_MUTATION_ROUTES = new Set([
+        'POST /api/channels/whatsapp/configure',
+        'POST /api/channels/whatsapp/connect',
+        'POST /api/channels/whatsapp/disconnect',
+        'POST /api/channels/whatsapp/logout',
+        'POST /api/channels/whatsapp/pairing-code',
+        'POST /api/channels/send',
+      ]);
+      if (WA_MUTATION_ROUTES.has(`${req.method} ${channelPath}`)) {
+        const remoteIp = req.socket.remoteAddress || '';
+        const isLoopback = remoteIp === '127.0.0.1' || remoteIp === '::1' || remoteIp === '::ffff:127.0.0.1';
+        if (!isLoopback || req.headers['cf-connecting-ip'] || req.headers['cf-ray']) {
+          res.writeHead(403);
+          res.end(JSON.stringify({ ok: false, error: 'This channel endpoint is localhost-only.' }));
+          return;
+        }
+      }
+
       // GET /api/channels/status — all channel statuses
       if (req.method === 'GET' && channelPath === '/api/channels/status') {
         res.writeHead(200);
@@ -952,6 +978,7 @@ ${!connected ? `<script>
             if (data.admins !== undefined) cfg.channels.whatsapp.admins = data.admins;
             if (data.skill !== undefined) cfg.channels.whatsapp.skill = data.skill;
             if (data.allowGroups !== undefined) cfg.channels.whatsapp.allowGroups = !!data.allowGroups;
+            if (data.allowOthersToTrigger !== undefined) cfg.channels.whatsapp.allowOthersToTrigger = !!data.allowOthersToTrigger;
             saveConfig(cfg);
             res.writeHead(200);
             res.end(JSON.stringify({ ok: true, config: cfg.channels.whatsapp }));
@@ -1327,11 +1354,31 @@ mint();
       return;
     }
 
-    // POST /api/env — write env vars to workspace .env (used by chat EnvForm)
+    // POST /api/env — write env vars to workspace .env (used by chat EnvForm).
     if (req.method === 'POST' && req.url === '/api/env') {
+      // This route is intercepted before the /api worker gate, so gate it here: writing the
+      // workspace .env (which the backend loads) is a privileged action — require the portal token
+      // when a password is set. Internal supervisor calls (x-internal) bypass. The chat EnvForm
+      // sends the token via authFetch.
+      if (req.headers['x-internal'] !== internalSecret && await isAuthRequired()) {
+        const authHeader = req.headers['authorization'];
+        const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : null;
+        if (!token || !(await validateToken(token))) {
+          res.writeHead(401, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Unauthorized' }));
+          return;
+        }
+      }
       let body = '';
-      req.on('data', (chunk: Buffer) => { body += chunk.toString(); });
+      let bodyBytes = 0;
+      let tooLarge = false;
+      req.on('data', (chunk: Buffer) => {
+        bodyBytes += chunk.length;
+        if (bodyBytes > 1_000_000) { tooLarge = true; req.destroy(); return; } // .env is tiny; 1MB is generous
+        body += chunk.toString();
+      });
       req.on('end', () => {
+        if (tooLarge) return;
         try {
           const { vars } = JSON.parse(body) as { vars: Record<string, string> };
           if (!vars || typeof vars !== 'object') {
@@ -1348,7 +1395,20 @@ mint();
 
           for (const [rawKey, rawValue] of Object.entries(vars)) {
             const key = rawKey.trim();
+            // Validate the key as a real env var name; reject anything that could inject extra
+            // lines or break .env parsing.
+            if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
+              res.writeHead(400, { 'Content-Type': 'application/json' });
+              res.end(JSON.stringify({ error: `Invalid env var name: ${rawKey}` }));
+              return;
+            }
             const value = typeof rawValue === 'string' ? rawValue.trim() : rawValue;
+            // Reject embedded newlines/CR in the value — they'd inject arbitrary extra .env lines.
+            if (typeof value === 'string' && /[\r\n]/.test(value)) {
+              res.writeHead(400, { 'Content-Type': 'application/json' });
+              res.end(JSON.stringify({ error: `Invalid value for ${key}: must not contain newlines` }));
+              return;
+            }
             // Find existing line for this key (supports KEY=val, KEY="val", KEY='val')
             const idx = lines.findIndex((l) => {
               const trimmed = l.trim();
@@ -1380,20 +1440,29 @@ mint();
     if (req.url?.startsWith('/api/agent/')) {
       const agentPath = req.url.split('?')[0];
 
-      // Localhost-only guard
+      // Localhost-only guard. NOTE: cloudflared connects over loopback, so a tunneled request also
+      // arrives as 127.0.0.1 — this IP check alone is a no-op behind the relay. We additionally
+      // reject any request carrying cloudflared's cf-connecting-ip header (tunnel-origin traffic);
+      // the real defense is the 256-bit agent secret below. The Agent API is only ever called by
+      // the local workspace backend (loopback), never legitimately from the public tunnel.
       const remoteIp = req.socket.remoteAddress || '';
-      if (remoteIp !== '127.0.0.1' && remoteIp !== '::1' && remoteIp !== '::ffff:127.0.0.1') {
+      const isLoopback = remoteIp === '127.0.0.1' || remoteIp === '::1' || remoteIp === '::ffff:127.0.0.1';
+      if (!isLoopback || req.headers['cf-connecting-ip'] || req.headers['cf-ray']) {
         res.setHeader('Content-Type', 'application/json');
         res.writeHead(403);
         res.end(JSON.stringify({ ok: false, error: 'Agent API is localhost-only.' }));
         return;
       }
 
-      // Auth: x-agent-secret header (query param fallback for EventSource which cannot set headers)
+      // Auth: x-agent-secret header (query param fallback for EventSource which cannot set headers).
+      // Constant-time compare (length-guarded) so the secret can't be recovered via timing.
       const urlObj = new URL(req.url, `http://${req.headers.host}`);
       const headerSecret = req.headers['x-agent-secret'];
       const querySecret = urlObj.searchParams.get('secret');
-      if (headerSecret !== agentSecret && querySecret !== agentSecret) {
+      const presented = typeof headerSecret === 'string' ? headerSecret : (querySecret || '');
+      const secretOk = presented.length === agentSecret.length &&
+        crypto.timingSafeEqual(Buffer.from(presented), Buffer.from(agentSecret));
+      if (!secretOk) {
         res.setHeader('Content-Type', 'application/json');
         res.writeHead(401);
         res.end(JSON.stringify({ ok: false, error: 'Invalid or missing x-agent-secret.' }));
@@ -1787,6 +1856,28 @@ mint();
         };
       }
 
+      // Same for Codex OAuth: the app-server reads ~/.codex/auth.json at spawn, so a
+      // running subprocess only adopts a new identity on re-spawn. End live conversations
+      // after a successful exchange so the next message cold-starts with the fresh token.
+      // (Wraps only the one-shot /exchange; the device-code /status route latches
+      //  success on every poll and must not re-fire teardown — handled at re-spawn instead.)
+      if (req.method === 'POST' && req.url === '/api/auth/codex/exchange') {
+        const origEnd = res.end.bind(res);
+        (res as any).end = function (this: typeof res, ...args: any[]) {
+          try {
+            const body = typeof args[0] === 'string' ? args[0] : args[0]?.toString();
+            if (body) {
+              const json = JSON.parse(body);
+              if (json.success) {
+                log.info('[orchestrator] Codex re-auth succeeded — restarting conversations with fresh token');
+                endAllConversations();
+              }
+            }
+          } catch {}
+          return origEnd(...args);
+        };
+      }
+
       workerApp(req, res);
       return;
     }
@@ -1929,6 +2020,11 @@ mint();
     // An 'error' event with no listener is rethrown by Node as an uncaught exception,
     // which would crash the whole supervisor. ws still tears down + fires 'close'.
     ws.on('error', (err: any) => console.warn(`[app-ws] socket error: ${err?.message || err}`));
+    // Liveness: a half-open socket (mobile/Wi-Fi drop behind the tunnel) never fires 'close', so
+    // its chat subscription + maps would leak and broadcastBloby would keep writing to it. The
+    // heartbeat below pings; a peer that misses a pong is terminated (which fires 'close' → cleanup).
+    (ws as any).isAlive = true;
+    ws.on('pong', () => { (ws as any).isAlive = true; });
 
     // Per-WS chat subscription: when the client opts in, this WS joins chatSubscribers
     // and receives every bot:* / chat:* event the dashboard widget does. SSE through the
@@ -2203,6 +2299,8 @@ mint();
     // See appWss above: a listener-less 'error' event would crash the supervisor and kill
     // chat for everyone (G1). ws still fires 'close' afterward, so map cleanup still runs.
     ws.on('error', (err: any) => log.warn(`[bloby-ws] socket error: ${err?.message || err}`));
+    (ws as any).isAlive = true;
+    ws.on('pong', () => { (ws as any).isAlive = true; });
     let convId = Math.random().toString(36).slice(2) + Date.now().toString(36);
     conversations.set(ws, []);
 
@@ -2730,6 +2828,12 @@ mint();
     }
   }
 
+  // Tell the live chat when the backend gives up — the dashboard interstitial covers page loads,
+  // but an already-open chat client gets an explicit event it can surface ("ask me to fix the backend").
+  setBackendGiveUpHandler(() => {
+    broadcastBloby('backend:failed', { message: 'The workspace backend crashed and could not restart. Ask Bloby to fix it.' });
+  });
+
   // Spawn backend (worker runs in-process)
   spawnBackend(backendPort);
 
@@ -2902,6 +3006,20 @@ mint();
   armBackendWatcher();
   armWorkspaceWatcher();
 
+  // WebSocket liveness heartbeat — ping the app + chat WS clients every 30s and terminate any
+  // that missed the previous pong (half-open sockets that never fired 'close'). Terminating fires
+  // 'close', which runs the existing map/subscription cleanup. Scoped to our two WSS only (Vite's
+  // HMR socket is separate and managed by Vite). Cleared in shutdown().
+  const wsHeartbeat = setInterval(() => {
+    for (const wss of [blobyWss, appWss]) {
+      for (const ws of wss.clients) {
+        if ((ws as any).isAlive === false) { try { ws.terminate(); } catch {} continue; }
+        (ws as any).isAlive = false;
+        try { ws.ping(); } catch {}
+      }
+    }
+  }, 30_000);
+
   // Tunnel
   let tunnelUrl: string | null = null;
 
@@ -3064,6 +3182,7 @@ mint();
     stopScheduler();
     backendWatcher?.close();
     workspaceWatcher?.close();
+    clearInterval(wsHeartbeat);
     if (backendRestartTimer) clearTimeout(backendRestartTimer);
     if (watchdogInterval) clearInterval(watchdogInterval);
     stopHeartbeat();