clay-server 2.5.0

package/lib/server.js

@@ -0,0 +1,582 @@
+var http = require("http");
+var crypto = require("crypto");
+var fs = require("fs");
+var path = require("path");
+var { WebSocketServer } = require("ws");
+var { pinPageHtml, setupPageHtml } = require("./pages");
+var { createProjectContext } = require("./project");
+
+var { CONFIG_DIR } = require("./config");
+
+var publicDir = path.join(__dirname, "public");
+var bundledThemesDir = path.join(__dirname, "themes");
+var userThemesDir = path.join(CONFIG_DIR, "themes");
+
+var MIME_TYPES = {
+  ".html": "text/html",
+  ".css": "text/css",
+  ".js": "application/javascript",
+  ".json": "application/json",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp",
+  ".bmp": "image/bmp",
+  ".svg": "image/svg+xml",
+  ".ico": "image/x-icon",
+};
+
+function generateAuthToken(pin) {
+  return crypto.createHash("sha256").update("clay:" + pin).digest("hex");
+}
+
+function parseCookies(req) {
+  var cookies = {};
+  var header = req.headers.cookie || "";
+  header.split(";").forEach(function (part) {
+    var pair = part.trim().split("=");
+    if (pair.length === 2) cookies[pair[0]] = pair[1];
+  });
+  return cookies;
+}
+
+function isAuthed(req, authToken) {
+  if (!authToken) return true;
+  var cookies = parseCookies(req);
+  return cookies["relay_auth"] === authToken;
+}
+
+// --- PIN rate limiting ---
+var pinAttempts = {}; // ip → { count, lastAttempt }
+var PIN_MAX_ATTEMPTS = 5;
+var PIN_LOCKOUT_MS = 15 * 60 * 1000; // 15 minutes
+
+function checkPinRateLimit(ip) {
+  var entry = pinAttempts[ip];
+  if (!entry) return null;
+  if (entry.count >= PIN_MAX_ATTEMPTS) {
+    var elapsed = Date.now() - entry.lastAttempt;
+    if (elapsed < PIN_LOCKOUT_MS) {
+      return Math.ceil((PIN_LOCKOUT_MS - elapsed) / 1000);
+    }
+    delete pinAttempts[ip];
+  }
+  return null;
+}
+
+function recordPinFailure(ip) {
+  if (!pinAttempts[ip]) pinAttempts[ip] = { count: 0, lastAttempt: 0 };
+  pinAttempts[ip].count++;
+  pinAttempts[ip].lastAttempt = Date.now();
+}
+
+function clearPinFailures(ip) {
+  delete pinAttempts[ip];
+}
+
+function serveStatic(urlPath, res) {
+  if (urlPath === "/") urlPath = "/index.html";
+
+  var filePath = path.join(publicDir, urlPath);
+
+  if (!filePath.startsWith(publicDir)) {
+    res.writeHead(403);
+    res.end("Forbidden");
+    return true;
+  }
+
+  try {
+    var content = fs.readFileSync(filePath);
+    var ext = path.extname(filePath);
+    var mime = MIME_TYPES[ext] || "application/octet-stream";
+    res.writeHead(200, { "Content-Type": mime + "; charset=utf-8", "Cache-Control": "no-cache" });
+    res.end(content);
+    return true;
+  } catch (e) {
+    return false;
+  }
+}
+
+/**
+ * Extract slug from URL path: /p/{slug}/... → slug
+ * Returns null if path doesn't match /p/{slug}
+ */
+function extractSlug(urlPath) {
+  var match = urlPath.match(/^\/p\/([a-z0-9_-]+)(\/|$)/);
+  return match ? match[1] : null;
+}
+
+/**
+ * Strip the /p/{slug} prefix from URL path
+ */
+function stripPrefix(urlPath, slug) {
+  var prefix = "/p/" + slug;
+  var rest = urlPath.substring(prefix.length);
+  return rest || "/";
+}
+
+/**
+ * Create a multi-project server.
+ * opts: { tlsOptions, caPath, pinHash, port, debug, dangerouslySkipPermissions }
+ */
+function createServer(opts) {
+  var tlsOptions = opts.tlsOptions || null;
+  var caPath = opts.caPath || null;
+  var pinHash = opts.pinHash || null;
+  var portNum = opts.port || 2633;
+  var debug = opts.debug || false;
+  var dangerouslySkipPermissions = opts.dangerouslySkipPermissions || false;
+  var lanHost = opts.lanHost || null;
+  var onAddProject = opts.onAddProject || null;
+  var onRemoveProject = opts.onRemoveProject || null;
+  var onGetDaemonConfig = opts.onGetDaemonConfig || null;
+  var onSetPin = opts.onSetPin || null;
+  var onSetKeepAwake = opts.onSetKeepAwake || null;
+  var onShutdown = opts.onShutdown || null;
+
+  var authToken = pinHash || null;
+  var realVersion = require("../package.json").version;
+  var currentVersion = debug ? "0.0.9" : realVersion;
+
+  var caContent = caPath ? (function () { try { return fs.readFileSync(caPath); } catch (e) { return null; } })() : null;
+  var pinPage = pinPageHtml();
+
+  // --- Project registry ---
+  var projects = new Map(); // slug → projectContext
+
+  // --- Push module (global) ---
+  var pushModule = null;
+  try {
+    var { initPush } = require("./push");
+    pushModule = initPush();
+  } catch (e) {}
+
+  // --- HTTP handler ---
+  var appHandler = function (req, res) {
+    var fullUrl = req.url.split("?")[0];
+
+    // Global auth endpoint
+    if (req.method === "POST" && req.url === "/auth") {
+      var ip = req.socket.remoteAddress || "";
+      var remaining = checkPinRateLimit(ip);
+      if (remaining !== null) {
+        res.writeHead(429, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ ok: false, locked: true, retryAfter: remaining }));
+        return;
+      }
+      var body = "";
+      req.on("data", function (chunk) { body += chunk; });
+      req.on("end", function () {
+        try {
+          var data = JSON.parse(body);
+          if (authToken && generateAuthToken(data.pin) === authToken) {
+            clearPinFailures(ip);
+            res.writeHead(200, {
+              "Set-Cookie": "relay_auth=" + authToken + "; Path=/; HttpOnly; SameSite=Strict; Max-Age=31536000" + (tlsOptions ? "; Secure" : ""),
+              "Content-Type": "application/json",
+            });
+            res.end('{"ok":true}');
+          } else {
+            recordPinFailure(ip);
+            var attemptsLeft = PIN_MAX_ATTEMPTS - (pinAttempts[ip] ? pinAttempts[ip].count : 0);
+            res.writeHead(401, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: false, attemptsLeft: Math.max(attemptsLeft, 0) }));
+          }
+        } catch (e) {
+          res.writeHead(400);
+          res.end("Bad request");
+        }
+      });
+      return;
+    }
+
+    // CA certificate download
+    if (req.url === "/ca/download" && req.method === "GET" && caContent) {
+      res.writeHead(200, {
+        "Content-Type": "application/x-pem-file",
+        "Content-Disposition": 'attachment; filename="clay-ca.pem"',
+      });
+      res.end(caContent);
+      return;
+    }
+
+    // CORS preflight for cross-origin requests (HTTP onboarding → HTTPS)
+    if (req.method === "OPTIONS") {
+      res.writeHead(204, {
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "GET, OPTIONS",
+        "Access-Control-Allow-Headers": "Content-Type",
+        "Access-Control-Max-Age": "86400",
+      });
+      res.end();
+      return;
+    }
+
+    // Setup page
+    if (fullUrl === "/setup" && req.method === "GET") {
+      var host = req.headers.host || "localhost";
+      var hostname = host.split(":")[0];
+      var protocol = tlsOptions ? "https" : "http";
+      var setupUrl = protocol + "://" + hostname + ":" + portNum;
+      var lanMode = /[?&]mode=lan/.test(req.url);
+      res.writeHead(200, {
+        "Content-Type": "text/html; charset=utf-8",
+        "Access-Control-Allow-Origin": "*",
+      });
+      res.end(setupPageHtml(setupUrl, setupUrl, !!caContent, lanMode));
+      return;
+    }
+
+    // Global push endpoints (used by setup page)
+    if (req.method === "GET" && fullUrl === "/api/vapid-public-key" && pushModule) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ publicKey: pushModule.publicKey }));
+      return;
+    }
+
+    if (req.method === "POST" && fullUrl === "/api/push-subscribe" && pushModule) {
+      var body = "";
+      req.on("data", function (chunk) { body += chunk; });
+      req.on("end", function () {
+        try {
+          var parsed = JSON.parse(body);
+          var sub = parsed.subscription || parsed;
+          pushModule.addSubscription(sub, parsed.replaceEndpoint);
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end('{"ok":true}');
+        } catch (e) {
+          res.writeHead(400);
+          res.end("Bad request");
+        }
+      });
+      return;
+    }
+
+    // Theme list: bundled (lib/themes/) + user (~/.clay/themes/)
+    if (req.method === "GET" && fullUrl === "/api/themes") {
+      var bundled = {};
+      var custom = {};
+      // Read bundled themes
+      try {
+        var bFiles = fs.readdirSync(bundledThemesDir);
+        for (var i = 0; i < bFiles.length; i++) {
+          if (!bFiles[i].endsWith(".json")) continue;
+          try {
+            var raw = fs.readFileSync(path.join(bundledThemesDir, bFiles[i]), "utf8");
+            var id = bFiles[i].replace(/\.json$/, "");
+            bundled[id] = JSON.parse(raw);
+          } catch (e) {}
+        }
+      } catch (e) {}
+      // Read user themes (override bundled if same id)
+      try {
+        var uFiles = fs.readdirSync(userThemesDir);
+        for (var j = 0; j < uFiles.length; j++) {
+          if (!uFiles[j].endsWith(".json")) continue;
+          try {
+            var uRaw = fs.readFileSync(path.join(userThemesDir, uFiles[j]), "utf8");
+            var uid = uFiles[j].replace(/\.json$/, "");
+            custom[uid] = JSON.parse(uRaw);
+          } catch (e) {}
+        }
+      } catch (e) {}
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ bundled: bundled, custom: custom }));
+      return;
+    }
+
+    // Root path — redirect to first project
+    if (fullUrl === "/" && req.method === "GET") {
+      if (!isAuthed(req, authToken)) {
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(pinPage);
+        return;
+      }
+      if (projects.size > 0) {
+        var slug = projects.keys().next().value;
+        res.writeHead(302, { "Location": "/p/" + slug + "/" });
+        res.end();
+        return;
+      }
+      res.writeHead(200, { "Content-Type": "text/plain" });
+      res.end("No projects registered.");
+      return;
+    }
+
+    // Global info endpoint (auth required)
+    if (req.method === "GET" && req.url === "/info") {
+      if (!isAuthed(req, authToken)) {
+        res.writeHead(401, {
+          "Content-Type": "application/json",
+          "Access-Control-Allow-Origin": "*",
+        });
+        res.end('{"error":"unauthorized"}');
+        return;
+      }
+      var projectList = [];
+      projects.forEach(function (ctx, slug) {
+        projectList.push({ slug: slug, project: ctx.project });
+      });
+      res.end(JSON.stringify({ projects: projectList, version: currentVersion }));
+      return;
+    }
+
+    // Static files at root (favicon, manifest, icons, sw.js, etc.)
+    if (fullUrl.lastIndexOf("/") === 0 && !fullUrl.includes("..")) {
+      if (serveStatic(fullUrl, res)) return;
+    }
+
+    // Project-scoped routes: /p/{slug}/...
+    var slug = extractSlug(req.url.split("?")[0]);
+    if (!slug) {
+      // Not a project route and not handled above
+      res.writeHead(404);
+      res.end("Not found");
+      return;
+    }
+
+    var ctx = projects.get(slug);
+    if (!ctx) {
+      res.writeHead(302, { "Location": "/" });
+      res.end();
+      return;
+    }
+
+    // Redirect /p/{slug} → /p/{slug}/ (trailing slash required for relative paths)
+    if (fullUrl === "/p/" + slug) {
+      res.writeHead(301, { "Location": "/p/" + slug + "/" });
+      res.end();
+      return;
+    }
+
+    // Auth check for project routes
+    if (!isAuthed(req, authToken)) {
+      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+      res.end(pinPage);
+      return;
+    }
+
+    // Strip prefix for project-scoped handling
+    var projectUrl = stripPrefix(req.url.split("?")[0], slug);
+    // Re-attach query string for API routes
+    var qsIdx = req.url.indexOf("?");
+    var projectUrlWithQS = qsIdx >= 0 ? projectUrl + req.url.substring(qsIdx) : projectUrl;
+
+    // Try project HTTP handler first (APIs)
+    var origUrl = req.url;
+    req.url = projectUrlWithQS;
+    var handled = ctx.handleHTTP(req, res, projectUrlWithQS);
+    req.url = origUrl;
+    if (handled) return;
+
+    // Static files (same assets for all projects)
+    if (req.method === "GET") {
+      if (serveStatic(projectUrl, res)) return;
+    }
+
+    res.writeHead(404);
+    res.end("Not found");
+  };
+
+  // --- Server setup ---
+  var server;
+  if (tlsOptions) {
+    server = require("https").createServer(tlsOptions, appHandler);
+  } else {
+    server = http.createServer(appHandler);
+  }
+
+  // --- HTTP onboarding server (only when TLS is active) ---
+  var onboardingServer = null;
+  if (tlsOptions) {
+    onboardingServer = http.createServer(function (req, res) {
+      var url = req.url.split("?")[0];
+
+      // CA certificate download
+      if (url === "/ca/download" && req.method === "GET" && caContent) {
+        res.writeHead(200, {
+          "Content-Type": "application/x-pem-file",
+          "Content-Disposition": 'attachment; filename="clay-ca.pem"',
+        });
+        res.end(caContent);
+        return;
+      }
+
+      // Setup page
+      if (url === "/setup" && req.method === "GET") {
+        var host = req.headers.host || "localhost";
+        var hostname = host.split(":")[0];
+        var httpsSetupUrl = "https://" + hostname + ":" + portNum;
+        var httpSetupUrl = "http://" + hostname + ":" + (portNum + 1);
+        var lanMode = /[?&]mode=lan/.test(req.url);
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(setupPageHtml(httpsSetupUrl, httpSetupUrl, !!caContent, lanMode));
+        return;
+      }
+
+      // /info — CORS-enabled, used by setup page to verify HTTPS
+      if (url === "/info" && req.method === "GET") {
+        res.writeHead(200, {
+          "Content-Type": "application/json",
+          "Access-Control-Allow-Origin": "*",
+        });
+        res.end(JSON.stringify({ version: currentVersion }));
+        return;
+      }
+
+      // Static files at root (favicon, manifest, icons, etc.)
+      if (url.lastIndexOf("/") === 0 && !url.includes("..")) {
+        if (serveStatic(url, res)) return;
+      }
+
+      // Everything else → redirect to HTTPS setup
+      var hostname = (req.headers.host || "localhost").split(":")[0];
+      res.writeHead(302, { "Location": "https://" + hostname + ":" + portNum + "/setup" });
+      res.end();
+    });
+  }
+
+  // --- WebSocket ---
+  var wss = new WebSocketServer({ noServer: true });
+
+  server.on("upgrade", function (req, socket, head) {
+    // Origin validation (CSRF prevention)
+    var origin = req.headers.origin;
+    if (origin) {
+      try {
+        var originUrl = new URL(origin);
+        var originPort = String(originUrl.port || (originUrl.protocol === "https:" ? "443" : "80"));
+        // Extract port from Host header for reverse proxy support.
+        // Use URL parser to correctly handle IPv6 addresses (e.g. [::1])
+        // and infer default port from origin protocol (not backend tlsOptions)
+        // so TLS-terminating proxies on :443 with HTTP backends work.
+        var hostPort;
+        try {
+          var hostUrl = new URL(originUrl.protocol + "//" + (req.headers.host || ""));
+          hostPort = String(hostUrl.port || (originUrl.protocol === "https:" ? "443" : "80"));
+        } catch (e2) {
+          hostPort = String(portNum);
+        }
+        if (originPort !== String(portNum) && originPort !== hostPort) {
+          socket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
+          socket.destroy();
+          return;
+        }
+      } catch (e) {
+        socket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
+        socket.destroy();
+        return;
+      }
+    }
+
+    if (!isAuthed(req, authToken)) {
+      socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+      socket.destroy();
+      return;
+    }
+
+    // Extract slug from WS URL: /p/{slug}/ws
+    var wsSlug = extractSlug(req.url);
+    if (!wsSlug) {
+      socket.destroy();
+      return;
+    }
+
+    var ctx = projects.get(wsSlug);
+    if (!ctx) {
+      socket.destroy();
+      return;
+    }
+
+    wss.handleUpgrade(req, socket, head, function (ws) {
+      ctx.handleConnection(ws);
+    });
+  });
+
+  // --- Project management ---
+  function addProject(cwd, slug, title) {
+    if (projects.has(slug)) return false;
+    var ctx = createProjectContext({
+      cwd: cwd,
+      slug: slug,
+      title: title || null,
+      pushModule: pushModule,
+      debug: debug,
+      dangerouslySkipPermissions: dangerouslySkipPermissions,
+      currentVersion: currentVersion,
+      lanHost: lanHost,
+      getProjectCount: function () { return projects.size; },
+      getProjectList: function () {
+        var list = [];
+        projects.forEach(function (ctx) { list.push(ctx.getStatus()); });
+        return list;
+      },
+      onAddProject: onAddProject,
+      onRemoveProject: onRemoveProject,
+      onGetDaemonConfig: onGetDaemonConfig,
+      onSetPin: onSetPin,
+      onSetKeepAwake: onSetKeepAwake,
+      onShutdown: onShutdown,
+    });
+    projects.set(slug, ctx);
+    ctx.warmup();
+    return true;
+  }
+
+  function removeProject(slug) {
+    var ctx = projects.get(slug);
+    if (!ctx) return false;
+    ctx.destroy();
+    projects.delete(slug);
+    return true;
+  }
+
+  function getProjects() {
+    var list = [];
+    projects.forEach(function (ctx) {
+      list.push(ctx.getStatus());
+    });
+    return list;
+  }
+
+  function setProjectTitle(slug, title) {
+    var ctx = projects.get(slug);
+    if (!ctx) return false;
+    ctx.setTitle(title);
+    return true;
+  }
+
+  function setAuthToken(hash) {
+    authToken = hash;
+  }
+
+  function broadcastAll(msg) {
+    projects.forEach(function (ctx) {
+      ctx.send(msg);
+    });
+  }
+
+  function destroyAll() {
+    projects.forEach(function (ctx, slug) {
+      console.log("[server] Destroying project:", slug);
+      ctx.destroy();
+    });
+    projects.clear();
+  }
+
+  return {
+    server: server,
+    onboardingServer: onboardingServer,
+    isTLS: !!tlsOptions,
+    addProject: addProject,
+    removeProject: removeProject,
+    getProjects: getProjects,
+    setProjectTitle: setProjectTitle,
+    setAuthToken: setAuthToken,
+    broadcastAll: broadcastAll,
+    destroyAll: destroyAll,
+  };
+}
+
+module.exports = { createServer: createServer, generateAuthToken: generateAuthToken };