copilot-proxy-web 1.0.0

package/lib/api.js

@@ -0,0 +1,564 @@
+const express = require("express");
+const { makePasteSeq } = require("./pty");
+const {
+  recordFailure,
+  clearFailures,
+  isBlocked,
+  getRemaining,
+} = require("./auth-rate-limit");
+
+function readValue(value) {
+  if (typeof value === "function") return value();
+  return value;
+}
+
+function firstForwardedIp(value) {
+  if (typeof value !== "string" || value.length === 0) return "";
+  const first = value.split(",")[0].trim();
+  return first || "";
+}
+
+function getClientIp(req, useXForwardedFor = false) {
+  if (useXForwardedFor) {
+    const forwarded = firstForwardedIp(req.headers["x-forwarded-for"]);
+    if (forwarded) return forwarded;
+  }
+  return req.socket?.remoteAddress || "";
+}
+
+function resolveSession(req, sessionManager) {
+  const id =
+    req.params?.sessionId ||
+    req.query?.sessionId ||
+    req.headers["x-session-id"];
+  if (id) {
+    const session = sessionManager.getSession(String(id));
+    if (session) return session;
+  }
+  return sessionManager.getDefaultSession();
+}
+
+function isValidSessionId(value) {
+  return typeof value === "string" && /^[A-Za-z0-9._-]+$/.test(value);
+}
+
+function createApiRouter({
+  sessionManager,
+  idleMs,
+  webEnabled,
+  apiEnabled,
+  version,
+  user,
+  authToken,
+  useXForwardedFor = false,
+  accessLog,
+  accessLogMode = "auth",
+}) {
+  const router = express.Router();
+
+  function shouldLogHttpAccess(req, res) {
+    if (accessLogMode === "off") return false;
+    const path = req.originalUrl || req.url || "";
+    const isApiPath = path.startsWith("/api/");
+    if (accessLogMode === "all") return isApiPath;
+    if (!isApiPath) return false;
+    const authResult = req._authResult || "none";
+    if (authResult === "failed" || authResult === "blocked") return true;
+    return res.statusCode >= 500;
+  }
+
+  router.use((req, res, next) => {
+    const startedAt = Date.now();
+    res.on("finish", () => {
+      if (!accessLog) return;
+      if (!shouldLogHttpAccess(req, res)) return;
+      accessLog({
+        type: "http",
+        ip: getClientIp(req, useXForwardedFor),
+        method: req.method,
+        path: req.originalUrl || req.url,
+        status: res.statusCode,
+        durationMs: Date.now() - startedAt,
+        auth: req._authResult || "none",
+      });
+    });
+    next();
+  });
+
+  router.use((req, res, next) => {
+    const ip = getClientIp(req, useXForwardedFor);
+    if (ip) {
+      res.setHeader("X-Client-IP", ip);
+    }
+    if (version) res.setHeader("X-App-Version", String(version));
+    if (!authToken) {
+      req._authResult = "disabled";
+      return next();
+    }
+    if (isBlocked(ip)) {
+      req._authResult = "blocked";
+      res.setHeader("X-Auth-Failures-Remaining", "0");
+      res.status(429).json({ ok: false, error: "too many auth failures" });
+      return;
+    }
+    const header = req.headers.authorization || "";
+    if (!header) {
+      req._authResult = "missing";
+      res.status(401).json({ ok: false, error: "unauthorized" });
+      return;
+    }
+    if (header === `Bearer ${authToken}`) {
+      req._authResult = "ok";
+      clearFailures(ip);
+      return next();
+    }
+    req._authResult = "failed";
+    recordFailure(ip);
+    res.setHeader("X-Auth-Failures-Remaining", String(getRemaining(ip)));
+    res.status(401).json({ ok: false, error: "unauthorized" });
+  });
+
+  function focusIn(session) {
+    if (session.writeInput) session.writeInput("\u001b[I");
+    else session.term.write("\u001b[I");
+  }
+
+  function focusOut(session) {
+    if (session.writeInput) session.writeInput("\u001b[O");
+    else session.term.write("\u001b[O");
+  }
+
+  function sendPaste(session, text) {
+    const seq = makePasteSeq(text);
+    if (session.writeInput) session.writeInput(seq);
+    else session.term.write(seq);
+  }
+
+  function submitEnter(session) {
+    if (session.writeInput) session.writeInput("\r");
+    else session.term.write("\r");
+  }
+
+  router.post("/api/sessions", (req, res) => {
+    const id = typeof req.body?.id === "string" ? req.body.id : undefined;
+    if (id !== undefined && !isValidSessionId(id)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    const command = typeof req.body?.command === "string" ? req.body.command : undefined;
+    const cmd = typeof req.body?.cmd === "string" ? req.body.cmd : undefined;
+    const args = Array.isArray(req.body?.args) ? req.body.args : undefined;
+    const autoStart = req.body?.autoStart === true;
+    const cwd = typeof req.body?.cwd === "string" ? req.body.cwd : undefined;
+    const shellRaw = req.body?.shell;
+    const shell = shellRaw === undefined ? undefined : Boolean(shellRaw);
+    const shellInteractiveRaw = req.body?.shellInteractive;
+    const shellInteractive =
+      shellInteractiveRaw === undefined ? undefined : Boolean(shellInteractiveRaw);
+    const conversationProfileRaw = req.body?.conversationProfile;
+    const conversationProfile =
+      typeof conversationProfileRaw === "string" ? conversationProfileRaw : undefined;
+    const payload = command
+      ? { cmd: command, args: [], shell: true }
+      : { cmd, args };
+    if (shell !== undefined) payload.shell = shell;
+    if (shellInteractive !== undefined) payload.shellInteractive = shellInteractive;
+    if (conversationProfile !== undefined) payload.conversationProfile = conversationProfile;
+    const session = sessionManager.createSession({ id, cwd, autoStart, ...payload });
+    res.json({
+      ok: true,
+      session: { id: session.id, started: Boolean(session.term) },
+    });
+  });
+
+  router.get("/api/sessions", (_req, res) => {
+    res.json({ ok: true, sessions: sessionManager.listSessions() });
+  });
+
+  router.delete("/api/sessions/:sessionId", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    const removed = sessionManager.deleteSession(req.params.sessionId);
+    if (!removed) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    res.json({ ok: true });
+  });
+
+  router.post("/api/sessions/:sessionId/start", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    const command = typeof req.body?.command === "string" ? req.body.command : undefined;
+    const cmd = typeof req.body?.cmd === "string" ? req.body.cmd : undefined;
+    const args = Array.isArray(req.body?.args) ? req.body.args : undefined;
+    const cwd = typeof req.body?.cwd === "string" ? req.body.cwd : undefined;
+    const shellRaw = req.body?.shell;
+    const shell = shellRaw === undefined ? undefined : Boolean(shellRaw);
+    const shellInteractiveRaw = req.body?.shellInteractive;
+    const shellInteractive =
+      shellInteractiveRaw === undefined ? undefined : Boolean(shellInteractiveRaw);
+    const conversationProfileRaw = req.body?.conversationProfile;
+    const conversationProfile =
+      typeof conversationProfileRaw === "string" ? conversationProfileRaw : undefined;
+    const payload = command
+      ? { cmd: command, args: [], shell: true }
+      : { cmd, args, cwd };
+    if (shell !== undefined) payload.shell = shell;
+    if (shellInteractive !== undefined) payload.shellInteractive = shellInteractive;
+    if (conversationProfile !== undefined) payload.conversationProfile = conversationProfile;
+    const session = sessionManager.startSession(req.params.sessionId, { cwd, ...payload });
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    res.json({ ok: true, session: { id: session.id, started: Boolean(session.term) } });
+  });
+
+  function sendHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    const text = typeof req.body?.text === "string" ? req.body.text : "";
+    const submit = req.body?.submit !== false;
+    const enterRaw = typeof req.body?.enter === "string" ? req.body.enter : "";
+    const enter = enterRaw.length > 0 && enterRaw.length <= 16 ? enterRaw : "";
+    if (!text.trim()) {
+      res.status(400).json({ ok: false, error: "text is required" });
+      return;
+    }
+    if (!session.term) {
+      res.status(409).json({ ok: false, error: "session not started" });
+      return;
+    }
+    if (sessionManager.addConversationEvent) {
+      sessionManager.addConversationEvent(session, {
+        role: "user",
+        markdown: text.trim(),
+        ts: new Date().toISOString(),
+        meta: { source: "send", format: "text" },
+      });
+    }
+    focusOut(session);
+    focusIn(session);
+    sendPaste(session, text);
+    focusOut(session);
+    if (submit) {
+      setTimeout(() => {
+        if (enter) {
+          if (session.writeInput) session.writeInput(enter);
+          else session.term.write(enter);
+        } else {
+          submitEnter(session);
+        }
+      }, 50);
+    }
+    res.json({ ok: true });
+  }
+
+  function submitHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    if (!session.term) {
+      res.status(409).json({ ok: false, error: "session not started" });
+      return;
+    }
+    focusIn(session);
+    submitEnter(session);
+    res.json({ ok: true });
+  }
+
+  function keysHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    const data = typeof req.body?.data === "string" ? req.body.data : "";
+    if (!data) {
+      res.status(400).json({ ok: false, error: "data is required" });
+      return;
+    }
+    if (!session.term) {
+      res.status(409).json({ ok: false, error: "session not started" });
+      return;
+    }
+    if (session.writeInput) session.writeInput(data);
+    else session.term.write(data);
+    res.json({ ok: true });
+  }
+
+  function statusHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      const exposeUser = req._authResult === "ok";
+      res.status(404).json({
+        ok: false,
+        error: "session not found",
+        version,
+        user: exposeUser ? user : undefined,
+      });
+      return;
+    }
+    const exposeUser = req._authResult === "ok";
+    res.json({
+      ok: true,
+      sessionId: session.id,
+      version,
+      user: exposeUser ? user : undefined,
+      started: Boolean(session.term),
+      cmd: session.cmd,
+      args: session.args,
+      cwd: session.cwd,
+      idleActive: session.idleActive,
+      idleMs: readValue(idleMs),
+      lastOutputTs: session.lastOutputTs,
+      cols: session.term?.cols || session.initialCols,
+      rows: session.term?.rows || session.initialRows,
+      initialCols: session.initialCols,
+      initialRows: session.initialRows,
+      webEnabled: readValue(webEnabled),
+      apiEnabled: readValue(apiEnabled),
+    });
+  }
+
+  function sizeHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    res.json({
+      ok: true,
+      sessionId: session.id,
+      cols: session.term?.cols || session.initialCols,
+      rows: session.term?.rows || session.initialRows,
+      initialCols: session.initialCols,
+      initialRows: session.initialRows,
+    });
+  }
+
+  function resizeHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    if (!session.term) {
+      res.status(409).json({ ok: false, error: "session not started" });
+      return;
+    }
+    const cols = Number(req.body?.cols);
+    const rows = Number(req.body?.rows);
+    if (!Number.isFinite(cols) || !Number.isFinite(rows)) {
+      res.status(400).json({ ok: false, error: "cols/rows required" });
+      return;
+    }
+    session.term.resize(cols, rows);
+    if (session.screen) session.screen.resize(cols, rows);
+    res.json({ ok: true, sessionId: session.id, cols, rows });
+  }
+
+  function eventsHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    res.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive",
+    });
+    res.write("\n");
+    session.sseClients.add(res);
+    req.on("close", () => {
+      session.sseClients.delete(res);
+    });
+  }
+
+  function hooksHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    res.json({ ok: true, sessionId: session.id, events: session.hookEvents || [] });
+  }
+
+  function conversationSnapshotHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    res.json({
+      ok: true,
+      sessionId: session.id,
+      events: session.conversation || [],
+      lastSeq: session.conversationSeq || 0,
+    });
+  }
+
+  function hooksStatusHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    const errors = session.hookErrors || [];
+    const last = errors[errors.length - 1] || null;
+    res.json({
+      ok: true,
+      sessionId: session.id,
+      errorCount: errors.length,
+      lastError: last,
+    });
+  }
+
+  function hooksClearHandler(req, res) {
+    const session = resolveSession(req, sessionManager);
+    if (!session) {
+      res.status(404).json({ ok: false, error: "session not found" });
+      return;
+    }
+    session.hookEvents = [];
+    session.hookErrors = [];
+    res.json({ ok: true, sessionId: session.id });
+  }
+
+  router.post("/api/send", sendHandler);
+  router.post("/api/submit", submitHandler);
+  router.post("/api/keys", keysHandler);
+  router.get("/api/status", statusHandler);
+  router.get("/api/size", sizeHandler);
+  router.post("/api/resize", resizeHandler);
+  router.get("/api/events", eventsHandler);
+  router.get("/api/hooks", hooksHandler);
+  router.get("/api/hooks/status", hooksStatusHandler);
+  router.post("/api/hooks/clear", hooksClearHandler);
+
+  router.post("/api/sessions/:sessionId/send", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return sendHandler(req, res);
+  });
+
+  router.post("/api/sessions/:sessionId/submit", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return submitHandler(req, res);
+  });
+
+  router.post("/api/sessions/:sessionId/keys", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return keysHandler(req, res);
+  });
+
+  router.get("/api/sessions/:sessionId/status", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return statusHandler(req, res);
+  });
+
+  router.get("/api/sessions/:sessionId/size", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return sizeHandler(req, res);
+  });
+
+  router.get("/api/conversation", conversationSnapshotHandler);
+  router.get("/api/sessions/:sessionId/conversation", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return conversationSnapshotHandler(req, res);
+  });
+
+  router.post("/api/sessions/:sessionId/resize", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return resizeHandler(req, res);
+  });
+
+  router.get("/api/sessions/:sessionId/events", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return eventsHandler(req, res);
+  });
+
+
+  router.get("/api/sessions/:sessionId/hooks", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return hooksHandler(req, res);
+  });
+
+  router.get("/api/sessions/:sessionId/hooks/status", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return hooksStatusHandler(req, res);
+  });
+
+  router.post("/api/sessions/:sessionId/hooks/clear", (req, res) => {
+    if (!isValidSessionId(req.params.sessionId)) {
+      res.status(400).json({ ok: false, error: "invalid session id" });
+      return;
+    }
+    req.query.sessionId = req.params.sessionId;
+    return hooksClearHandler(req, res);
+  });
+
+  return router;
+}
+
+function createApiApp(options) {
+  const app = express();
+  app.use(express.json({ limit: "1mb" }));
+  app.use(createApiRouter(options));
+  return app;
+}
+
+module.exports = {
+  createApiRouter,
+  createApiApp,
+};

package/lib/auth-rate-limit.js

@@ -0,0 +1,59 @@
+const WINDOW_MS = 10 * 60 * 1000;
+const MAX_FAILS = 100;
+
+const entries = new Map();
+
+function getEntry(key) {
+  if (!entries.has(key)) {
+    entries.set(key, {
+      firstTs: Date.now(),
+      count: 0,
+      blocked: false,
+    });
+  }
+  return entries.get(key);
+}
+
+function recordFailure(key) {
+  if (!key) return;
+  const entry = getEntry(key);
+  if (entry.blocked) return;
+  const now = Date.now();
+  if (now - entry.firstTs > WINDOW_MS) {
+    entry.firstTs = now;
+    entry.count = 1;
+  } else {
+    entry.count += 1;
+  }
+  if (entry.count >= MAX_FAILS) {
+    entry.blocked = true;
+  }
+}
+
+function clearFailures(key) {
+  if (!key) return;
+  entries.delete(key);
+}
+
+function isBlocked(key) {
+  if (!key) return false;
+  const entry = entries.get(key);
+  return Boolean(entry && entry.blocked);
+}
+
+function getRemaining(key, now = Date.now()) {
+  if (!key) return MAX_FAILS;
+  const entry = entries.get(key);
+  if (!entry) return MAX_FAILS;
+  if (entry.blocked) return 0;
+  if (now - entry.firstTs > WINDOW_MS) return MAX_FAILS;
+  const remaining = MAX_FAILS - entry.count;
+  return remaining > 0 ? remaining : 0;
+}
+
+module.exports = {
+  recordFailure,
+  clearFailures,
+  isBlocked,
+  getRemaining,
+};