codex-webstrapper 0.1.0

package/src/assets.mjs

@@ -0,0 +1,190 @@
+import fs from "node:fs";
+import fsp from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { spawn } from "node:child_process";
+
+import { safePathJoin, toErrorMessage } from "./util.mjs";
+
+const DEFAULT_CODEX_APP = "/Applications/Codex.app";
+
+const CONTENT_TYPES = {
+  ".html": "text/html; charset=utf-8",
+  ".js": "application/javascript; charset=utf-8",
+  ".mjs": "application/javascript; charset=utf-8",
+  ".css": "text/css; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".svg": "image/svg+xml",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp",
+  ".woff": "font/woff",
+  ".woff2": "font/woff2",
+  ".ttf": "font/ttf",
+  ".ico": "image/x-icon",
+  ".mjs.map": "application/json; charset=utf-8",
+  ".js.map": "application/json; charset=utf-8"
+};
+
+export function defaultCacheRoot() {
+  return path.join(os.homedir(), ".cache", "codex-webstrap", "assets");
+}
+
+export function resolveCodexAppPaths(explicitCodexAppPath) {
+  const appPath = path.resolve(explicitCodexAppPath || DEFAULT_CODEX_APP);
+  const resourcesPath = path.join(appPath, "Contents", "Resources");
+  const asarPath = path.join(resourcesPath, "app.asar");
+  const infoPlistPath = path.join(appPath, "Contents", "Info.plist");
+  return { appPath, resourcesPath, asarPath, infoPlistPath };
+}
+
+export async function ensureCodexAppExists(paths) {
+  const checks = [paths.appPath, paths.resourcesPath, paths.asarPath, paths.infoPlistPath];
+  for (const filePath of checks) {
+    await fsp.access(filePath, fs.constants.R_OK);
+  }
+}
+
+export async function readBuildMetadata(paths) {
+  const plist = await fsp.readFile(paths.infoPlistPath, "utf8");
+  const bundleVersion = plist.match(/<key>CFBundleVersion<\/key>\s*<string>([^<]+)<\/string>/)?.[1] || "unknown";
+  const shortVersion = plist.match(/<key>CFBundleShortVersionString<\/key>\s*<string>([^<]+)<\/string>/)?.[1] || "unknown";
+  const buildKey = `${shortVersion}-${bundleVersion}`.replace(/[^a-zA-Z0-9._-]/g, "_");
+  return { bundleVersion, shortVersion, buildKey };
+}
+
+async function runAsarCliExtract(asarPath, outputPath) {
+  await new Promise((resolve, reject) => {
+    const child = spawn("npx", ["-y", "@electron/asar", "extract", asarPath, outputPath], {
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+
+    let stderr = "";
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString("utf8");
+    });
+
+    child.on("error", reject);
+    child.on("exit", (code) => {
+      if (code === 0) {
+        resolve();
+        return;
+      }
+      reject(new Error(`asar extract failed with code ${code}: ${stderr.trim()}`));
+    });
+  });
+}
+
+async function extractAsarAll(asarPath, outputPath) {
+  try {
+    const module = await import("@electron/asar");
+    const extractAll = module.extractAll || module.default?.extractAll;
+    if (typeof extractAll === "function") {
+      extractAll(asarPath, outputPath);
+      return;
+    }
+    throw new Error("@electron/asar extractAll API unavailable");
+  } catch {
+    await runAsarCliExtract(asarPath, outputPath);
+  }
+}
+
+export async function ensureExtractedAssets({
+  asarPath,
+  cacheRoot = defaultCacheRoot(),
+  buildKey,
+  logger
+}) {
+  const root = path.resolve(cacheRoot);
+  const outputDir = path.join(root, buildKey);
+  const doneFile = path.join(outputDir, ".extract-complete.json");
+
+  await fsp.mkdir(root, { recursive: true, mode: 0o700 });
+
+  const alreadyExtracted = await fsp
+    .access(doneFile, fs.constants.R_OK)
+    .then(() => true)
+    .catch(() => false);
+
+  if (!alreadyExtracted) {
+    const tempDir = `${outputDir}.tmp-${Date.now()}`;
+    await fsp.rm(tempDir, { recursive: true, force: true });
+    await fsp.mkdir(tempDir, { recursive: true, mode: 0o700 });
+
+    logger.info("Extracting Codex assets", { outputDir });
+    await extractAsarAll(asarPath, tempDir);
+
+    await fsp.mkdir(outputDir, { recursive: true, mode: 0o700 });
+    await fsp.rm(outputDir, { recursive: true, force: true });
+    await fsp.rename(tempDir, outputDir);
+
+    await fsp.writeFile(
+      doneFile,
+      JSON.stringify(
+        {
+          extractedAt: new Date().toISOString(),
+          asarPath,
+          buildKey
+        },
+        null,
+        2
+      )
+    );
+  }
+
+  const webRoot = path.join(outputDir, "webview");
+  const workerPath = path.join(outputDir, ".vite", "build", "worker.js");
+  const indexPath = path.join(webRoot, "index.html");
+
+  await fsp.access(webRoot, fs.constants.R_OK);
+  await fsp.access(indexPath, fs.constants.R_OK);
+
+  return {
+    outputDir,
+    webRoot,
+    indexPath,
+    workerPath
+  };
+}
+
+export async function buildPatchedIndexHtml(indexPath) {
+  const html = await fsp.readFile(indexPath, "utf8");
+  const shimTag = '<script src="/__webstrapper/shim.js"></script>';
+
+  if (html.includes(shimTag)) {
+    return html;
+  }
+
+  if (html.includes("</head>")) {
+    return html.replace("</head>", `  ${shimTag}\n</head>`);
+  }
+
+  return `${shimTag}\n${html}`;
+}
+
+export async function readStaticFile(webRoot, requestPath) {
+  const normalized = requestPath === "/" ? "/index.html" : requestPath;
+  const filePath = safePathJoin(webRoot, normalized);
+  if (!filePath) {
+    return null;
+  }
+
+  const stat = await fsp
+    .stat(filePath)
+    .catch(() => null);
+  if (!stat || !stat.isFile()) {
+    return null;
+  }
+
+  const ext = path.extname(filePath);
+  const contentType = CONTENT_TYPES[ext] || "application/octet-stream";
+
+  try {
+    const body = await fsp.readFile(filePath);
+    return { body, contentType };
+  } catch (error) {
+    throw new Error(`Failed reading asset ${filePath}: ${toErrorMessage(error)}`);
+  }
+}

package/src/auth.mjs

@@ -0,0 +1,166 @@
+import crypto from "node:crypto";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+
+import { randomId } from "./util.mjs";
+
+export const SESSION_COOKIE_NAME = "cw_session";
+
+export function defaultTokenFilePath() {
+  return path.join(os.homedir(), ".codex-webstrap", "token");
+}
+
+export async function ensurePersistentToken(tokenFilePath) {
+  const resolvedPath = path.resolve(tokenFilePath || defaultTokenFilePath());
+  await fs.mkdir(path.dirname(resolvedPath), { recursive: true, mode: 0o700 });
+
+  try {
+    const existing = (await fs.readFile(resolvedPath, "utf8")).trim();
+    if (existing.length >= 32) {
+      return { token: existing, tokenFilePath: resolvedPath };
+    }
+  } catch {
+    // No token yet.
+  }
+
+  const token = crypto.randomBytes(32).toString("hex");
+  await fs.writeFile(resolvedPath, `${token}\n`, { mode: 0o600 });
+  return { token, tokenFilePath: resolvedPath };
+}
+
+export function parseCookies(cookieHeader) {
+  const output = Object.create(null);
+  if (!cookieHeader) {
+    return output;
+  }
+
+  for (const segment of cookieHeader.split(";")) {
+    const [rawKey, ...rest] = segment.trim().split("=");
+    if (!rawKey) {
+      continue;
+    }
+    output[rawKey] = decodeURIComponent(rest.join("="));
+  }
+  return output;
+}
+
+export function serializeCookie(name, value, options = {}) {
+  const parts = [`${name}=${encodeURIComponent(value)}`];
+
+  if (options.maxAgeSeconds != null) {
+    parts.push(`Max-Age=${Math.max(0, Math.floor(options.maxAgeSeconds))}`);
+  }
+
+  parts.push(`Path=${options.path ?? "/"}`);
+
+  if (options.httpOnly !== false) {
+    parts.push("HttpOnly");
+  }
+
+  parts.push(`SameSite=${options.sameSite ?? "Lax"}`);
+
+  if (options.secure) {
+    parts.push("Secure");
+  }
+
+  return parts.join("; ");
+}
+
+export class SessionStore {
+  constructor({ ttlMs = 1000 * 60 * 60 * 12 } = {}) {
+    this.ttlMs = ttlMs;
+    this.sessions = new Map();
+  }
+
+  createSession() {
+    const id = randomId(24);
+    const expiresAt = Date.now() + this.ttlMs;
+    this.sessions.set(id, expiresAt);
+    return { id, expiresAt };
+  }
+
+  isValid(sessionId) {
+    if (!sessionId) {
+      return false;
+    }
+    const expiresAt = this.sessions.get(sessionId);
+    if (!expiresAt) {
+      return false;
+    }
+    if (expiresAt < Date.now()) {
+      this.sessions.delete(sessionId);
+      return false;
+    }
+    return true;
+  }
+
+  pruneExpired() {
+    const now = Date.now();
+    for (const [id, expiresAt] of this.sessions.entries()) {
+      if (expiresAt < now) {
+        this.sessions.delete(id);
+      }
+    }
+  }
+}
+
+export function createAuthController({ token, sessionStore, cookieName = SESSION_COOKIE_NAME }) {
+  function hasValidSession(req) {
+    const cookies = parseCookies(req.headers.cookie || "");
+    return sessionStore.isValid(cookies[cookieName]);
+  }
+
+  function isAuthorizedRequest(req) {
+    return hasValidSession(req);
+  }
+
+  function rejectUnauthorized(res) {
+    res.statusCode = 401;
+    res.setHeader("content-type", "application/json; charset=utf-8");
+    res.end(
+      JSON.stringify({
+        error: "unauthorized",
+        hint: "Authenticate first via /__webstrapper/auth?token=<TOKEN>."
+      })
+    );
+  }
+
+  function requireAuth(req, res) {
+    if (hasValidSession(req)) {
+      return true;
+    }
+    rejectUnauthorized(res);
+    return false;
+  }
+
+  function handleAuthRoute(req, res, parsedUrl) {
+    const provided = parsedUrl.searchParams.get("token") || "";
+    if (!provided || provided !== token) {
+      res.statusCode = 401;
+      res.setHeader("content-type", "application/json; charset=utf-8");
+      res.end(JSON.stringify({ error: "invalid_token" }));
+      return;
+    }
+
+    const session = sessionStore.createSession();
+    const cookie = serializeCookie(cookieName, session.id, {
+      maxAgeSeconds: Math.floor(sessionStore.ttlMs / 1000),
+      httpOnly: true,
+      sameSite: "Lax",
+      path: "/"
+    });
+
+    res.statusCode = 302;
+    res.setHeader("set-cookie", cookie);
+    res.setHeader("location", "/");
+    res.end();
+  }
+
+  return {
+    cookieName,
+    isAuthorizedRequest,
+    requireAuth,
+    handleAuthRoute
+  };
+}