coding-tool-x 3.5.6 → 3.5.7

package/src/server/services/https-cert.js

@@ -0,0 +1,171 @@
+const fs = require('fs');
+const net = require('net');
+const os = require('os');
+const path = require('path');
+const selfsigned = require('selfsigned');
+const { PATHS } = require('../../config/paths');
+
+function dedupeSorted(values = []) {
+  return [...new Set(values.filter(Boolean).map((value) => String(value).trim()).filter(Boolean))].sort();
+}
+
+function isIpAddress(value) {
+  return net.isIP(String(value || '').trim()) !== 0;
+}
+
+function isValidDnsLabel(value) {
+  return /^[A-Za-z0-9.-]+$/.test(String(value || '').trim());
+}
+
+function collectLocalCertificateHosts() {
+  const hosts = ['localhost', '127.0.0.1', '::1'];
+  const hostname = os.hostname();
+  if (isValidDnsLabel(hostname)) {
+    hosts.push(hostname);
+  }
+
+  const interfaces = os.networkInterfaces();
+  Object.values(interfaces).forEach((entries) => {
+    (entries || []).forEach((entry) => {
+      const address = String(entry?.address || '').trim();
+      if (!address) {
+        return;
+      }
+
+      if (entry?.family === 'IPv4' || entry?.family === 4) {
+        hosts.push(address);
+        return;
+      }
+
+      if ((entry?.family === 'IPv6' || entry?.family === 6) && address !== '::1' && !address.startsWith('fe80::')) {
+        hosts.push(address);
+      }
+    });
+  });
+
+  return dedupeSorted(hosts);
+}
+
+function buildSubjectAltNames(hosts = collectLocalCertificateHosts()) {
+  return dedupeSorted(hosts).map((value) => (
+    isIpAddress(value)
+      ? { type: 7, ip: value }
+      : { type: 2, value }
+  ));
+}
+
+function ensureParentDir(filePath) {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+}
+
+function readMeta(metaPath) {
+  if (!fs.existsSync(metaPath)) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(fs.readFileSync(metaPath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function needsRegeneration(hosts, meta) {
+  if (!meta || !Array.isArray(meta.hosts)) {
+    return true;
+  }
+  const currentHosts = dedupeSorted(hosts);
+  const storedHosts = dedupeSorted(meta.hosts);
+  return currentHosts.length !== storedHosts.length || currentHosts.some((value, index) => value !== storedHosts[index]);
+}
+
+function generateSelfSignedCertificate(hosts) {
+  const primaryHost = hosts.find((value) => value === '127.0.0.1')
+    || hosts.find((value) => !isIpAddress(value))
+    || hosts[0]
+    || '127.0.0.1';
+
+  const attrs = [{ name: 'commonName', value: primaryHost }];
+  return selfsigned.generate(attrs, {
+    algorithm: 'sha256',
+    days: 3650,
+    keySize: 2048,
+    extensions: [
+      { name: 'basicConstraints', cA: false },
+      {
+        name: 'keyUsage',
+        digitalSignature: true,
+        keyEncipherment: true
+      },
+      {
+        name: 'extKeyUsage',
+        serverAuth: true
+      },
+      {
+        name: 'subjectAltName',
+        altNames: buildSubjectAltNames(hosts)
+      }
+    ]
+  });
+}
+
+function ensureLocalHttpsCertificate(options = {}) {
+  const keyPath = options.keyPath || PATHS.https.key;
+  const certPath = options.certPath || PATHS.https.cert;
+  const metaPath = options.metaPath || PATHS.https.meta;
+  const hosts = dedupeSorted(options.hosts || collectLocalCertificateHosts());
+  const existingMeta = readMeta(metaPath);
+  const hasFiles = fs.existsSync(keyPath) && fs.existsSync(certPath);
+
+  if (hasFiles && !needsRegeneration(hosts, existingMeta)) {
+    return {
+      keyPath,
+      certPath,
+      metaPath,
+      hosts,
+      generated: false
+    };
+  }
+
+  ensureParentDir(keyPath);
+  ensureParentDir(certPath);
+  ensureParentDir(metaPath);
+
+  const certificate = generateSelfSignedCertificate(hosts);
+  fs.writeFileSync(keyPath, certificate.private, 'utf8');
+  fs.writeFileSync(certPath, certificate.cert, 'utf8');
+  fs.writeFileSync(metaPath, JSON.stringify({
+    hosts,
+    generatedAt: new Date().toISOString()
+  }, null, 2), 'utf8');
+
+  return {
+    keyPath,
+    certPath,
+    metaPath,
+    hosts,
+    generated: true
+  };
+}
+
+function getLocalHttpsCredentials(options = {}) {
+  const certificate = ensureLocalHttpsCertificate(options);
+  return {
+    ...certificate,
+    key: fs.readFileSync(certificate.keyPath),
+    cert: fs.readFileSync(certificate.certPath)
+  };
+}
+
+module.exports = {
+  ensureLocalHttpsCertificate,
+  getLocalHttpsCredentials,
+  _test: {
+    dedupeSorted,
+    isIpAddress,
+    isValidDnsLabel,
+    collectLocalCertificateHosts,
+    buildSubjectAltNames,
+    needsRegeneration
+  }
+};

package/src/server/services/network-access.js

@@ -16,6 +16,21 @@ function isLoopbackAddress(address) {
   return false;
 }
 
+function hasTrustedProxySocket(req) {
+  if (!req) return false;
+  return isLoopbackAddress(req.socket && req.socket.remoteAddress);
+}
+
+function getForwardedHeaderValue(req, headerName) {
+  if (!hasTrustedProxySocket(req) || !req.headers) {
+    return '';
+  }
+
+  const rawValue = req.headers[headerName];
+  const value = Array.isArray(rawValue) ? rawValue[0] : rawValue;
+  return String(value || '').split(',')[0].trim();
+}
+
 function isLoopbackRequest(req) {
   if (!req) return false;
   const socketAddress = req.socket && req.socket.remoteAddress;
@@ -30,6 +45,34 @@ function isLoopbackRequest(req) {
   return true;
 }
 
+function getRequestProtocol(req) {
+  const forwardedProto = getForwardedHeaderValue(req, 'x-forwarded-proto').toLowerCase();
+  if (forwardedProto === 'https' || forwardedProto === 'https:') {
+    return 'https:';
+  }
+  if (forwardedProto === 'http' || forwardedProto === 'http:') {
+    return 'http:';
+  }
+  return req && req.socket && req.socket.encrypted ? 'https:' : 'http:';
+}
+
+function getRequestHost(req) {
+  const forwardedHost = getForwardedHeaderValue(req, 'x-forwarded-host');
+  if (forwardedHost) {
+    return forwardedHost;
+  }
+
+  if (!req || !req.headers) {
+    return '';
+  }
+
+  const host = req.headers.host;
+  if (Array.isArray(host)) {
+    return String(host[0] || '').trim();
+  }
+  return String(host || '').trim();
+}
+
 function isSameOriginRequest(req) {
   if (!req) return false;
   const origin = req.headers && req.headers.origin;
@@ -37,14 +80,14 @@ function isSameOriginRequest(req) {
     return true;
   }
 
-  const host = req.headers && req.headers.host;
+  const host = getRequestHost(req);
   if (!host) {
     return false;
   }
 
   try {
     const originUrl = new URL(origin);
-    return originUrl.host === host;
+    return originUrl.host.toLowerCase() === host.toLowerCase();
   } catch (error) {
     return false;
   }
@@ -124,6 +167,8 @@ module.exports = {
   normalizeAddress,
   isLoopbackAddress,
   isLoopbackRequest,
+  getRequestProtocol,
+  getRequestHost,
   isSameOriginRequest,
   isRemoteMutationAllowed,
   createRemoteMutationGuard,

package/src/server/services/notification-hooks.js

@@ -9,6 +9,7 @@ const { loadConfig } = require('../../config/loader');
 const { loadUIConfig, saveUIConfig } = require('./ui-config');
 const codexSettingsManager = require('./codex-settings-manager');
 const geminiSettingsManager = require('./gemini-settings-manager');
+const { getWebUiProtocol } = require('./web-ui-runtime');
 
 const MANAGED_HOOK_NAME = 'coding-tool-notify';
 const MANAGED_OPENCODE_PLUGIN_FILE = 'coding-tool-notify.js';
@@ -169,9 +170,10 @@ function buildBrowserNotificationEndpoint() {
     const config = loadConfig();
     const port = Number(config?.ports?.webUI);
     const resolvedPort = Number.isFinite(port) && port > 0 ? port : 19999;
-    return `http://127.0.0.1:${resolvedPort}/api/hooks/browser-event`;
+    const protocol = getWebUiProtocol();
+    return `${protocol}://127.0.0.1:${resolvedPort}/api/hooks/browser-event`;
   } catch (error) {
-    return 'http://127.0.0.1:19999/api/hooks/browser-event';
+    return `${getWebUiProtocol()}://127.0.0.1:19999/api/hooks/browser-event`;
   }
 }
 
@@ -746,6 +748,10 @@ function sendBrowserNotification(payload) {
         timeout: 5000
       }
 
+      if (urlObj.protocol === 'https:' && ['127.0.0.1', 'localhost', '::1'].includes(urlObj.hostname)) {
+        options.rejectUnauthorized = false
+      }
+
       const requestModule = urlObj.protocol === 'https:' ? https : http
       const request = requestModule.request(options, () => resolve())
       request.on('error', () => resolve())

package/src/server/services/web-ui-runtime.js

@@ -0,0 +1,54 @@
+function normalizeWebUiProtocol(value) {
+  return String(value || '').trim().toLowerCase() === 'https' ? 'https' : 'http';
+}
+
+function hasHttpsFlag(argv = process.argv) {
+  return Array.isArray(argv) && argv.includes('--https');
+}
+
+function getWebUiProtocol(options = {}) {
+  if (typeof options.https === 'boolean') {
+    return options.https ? 'https' : 'http';
+  }
+
+  if (typeof options.protocol === 'string' && options.protocol.trim()) {
+    return normalizeWebUiProtocol(options.protocol);
+  }
+
+  const env = options.env || process.env;
+  if (env && typeof env.CC_TOOL_WEB_UI_PROTOCOL === 'string' && env.CC_TOOL_WEB_UI_PROTOCOL.trim()) {
+    return normalizeWebUiProtocol(env.CC_TOOL_WEB_UI_PROTOCOL);
+  }
+
+  return hasHttpsFlag(options.argv || process.argv) ? 'https' : 'http';
+}
+
+function isHttpsEnabled(options = {}) {
+  return getWebUiProtocol(options) === 'https';
+}
+
+function getDefaultLoopbackHost(protocol = 'http') {
+  return normalizeWebUiProtocol(protocol) === 'https' ? '127.0.0.1' : 'localhost';
+}
+
+function getWebUiBaseUrl(port, options = {}) {
+  const protocol = getWebUiProtocol(options);
+  const hostname = String(options.hostname || '').trim() || getDefaultLoopbackHost(protocol);
+  return `${protocol}://${hostname}:${port}`;
+}
+
+function getWebSocketBaseUrl(port, options = {}) {
+  const protocol = getWebUiProtocol(options) === 'https' ? 'wss' : 'ws';
+  const hostname = String(options.hostname || '').trim() || getDefaultLoopbackHost(protocol === 'wss' ? 'https' : 'http');
+  return `${protocol}://${hostname}:${port}`;
+}
+
+module.exports = {
+  normalizeWebUiProtocol,
+  hasHttpsFlag,
+  getWebUiProtocol,
+  isHttpsEnabled,
+  getDefaultLoopbackHost,
+  getWebUiBaseUrl,
+  getWebSocketBaseUrl
+};

package/src/server/websocket-server.js

@@ -7,7 +7,9 @@ const { PATHS } = require('../config/paths');
 const {
   normalizeAddress,
   isLoopbackAddress,
-  isLoopbackRequest
+  isLoopbackRequest,
+  getRequestProtocol,
+  getRequestHost
 } = require('./services/network-access');
 
 const MAX_PERSISTED_LOGS = 500;
@@ -111,8 +113,8 @@ function isAllowedWebSocketOrigin(req) {
     return false;
   }
 
-  const requestHost = parseHostHeader(req.headers.host);
-  const requestProtocol = req.socket && req.socket.encrypted ? 'https:' : 'http:';
+  const requestHost = parseHostHeader(getRequestHost(req));
+  const requestProtocol = getRequestProtocol(req);
   const requestHostname = normalizeAddress(requestHost.hostname).toLowerCase();
   const requestPort = requestHost.port || defaultPortForProtocol(requestProtocol);
 
@@ -534,5 +536,10 @@ module.exports = {
   clearAllLogs,
   broadcastProxyState,
   broadcastSchedulerState,
-  broadcastBrowserNotification
+  broadcastBrowserNotification,
+  _test: {
+    parseHostHeader,
+    defaultPortForProtocol,
+    isAllowedWebSocketOrigin
+  }
 };