dynamic-self-register-proxy 1.0.16 → 1.0.18

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dynamic-self-register-proxy",
-  "version": "1.0.16",
+  "version": "1.0.18",
   "description": "Dynamic reverse proxy with self-registration API - applications can register themselves and receive an automatically assigned port",
   "main": "proxy-client.js",
   "bin": {
@@ -16,6 +16,7 @@
     "proxy.js",
     "proxy-client.js",
     "logger.js",
+    "terminal-server.js",
     "README.md",
     "LICENSE"
   ],
@@ -55,6 +56,8 @@
   "dependencies": {
     "dotenv": "^17.2.3",
     "express": "^5.2.1",
-    "http-proxy-middleware": "^3.0.5"
+    "http-proxy-middleware": "^3.0.5",
+    "node-pty": "^1.1.0",
+    "ws": "^8.19.0"
   }
 }

package/proxy.js

@@ -4,6 +4,7 @@ const express = require('express');
 const { createProxyMiddleware } = require('http-proxy-middleware');
 const { setupLogging } = require('./logger');
 const { execSync } = require('child_process');
+const crypto = require('crypto');
 const path = require('path');
 
 // Chargement du fichier .env depuis le répertoire du script
@@ -14,6 +15,7 @@ setupLogging('PROXY');
 
 const app = express();
 app.use(express.json());
+app.use(express.urlencoded({ extended: false }));
 
 // ============================================
 // CONFIGURATION
@@ -26,6 +28,14 @@ const HEALTH_CHECK_INTERVAL = process.env.HEALTH_CHECK_INTERVAL || 30000; // 30
 const HEALTH_CHECK_TIMEOUT = process.env.HEALTH_CHECK_TIMEOUT || 5000; // 5 secondes timeout
 const HEALTH_CHECK_GRACE_PERIOD = process.env.HEALTH_CHECK_GRACE_PERIOD || 60000; // 60 secondes de grâce pour les nouveaux serveurs
 
+// Authentification
+const ADMIN_PASSWORD = process.env.ADMIN_PASSWORD;
+const SESSION_SECRET = process.env.SESSION_SECRET || crypto.randomBytes(32).toString('hex');
+
+// Terminal en ligne
+const TERMINAL_CWD = process.env.TERMINAL_CWD || process.env.HOME || process.env.USERPROFILE;
+const TERMINAL_COMMAND = process.env.TERMINAL_COMMAND || '';
+
 // ============================================
 // REGISTRY - Stockage des routes en mémoire
 // ============================================
@@ -257,6 +267,333 @@ function startHealthCheckPolling() {
   setInterval(performHealthChecks, HEALTH_CHECK_INTERVAL);
 }
 
+// ============================================
+// AUTHENTIFICATION — Sessions & Middlewares
+// ============================================
+
+/** Stockage des sessions actives en mémoire */
+const activeSessions = new Set();
+
+/**
+ * Parse manuellement le header Cookie (évite cookie-parser)
+ * @param {import('express').Request} req
+ * @returns {Object<string, string>}
+ */
+function parseCookies(req) {
+  const header = req.headers.cookie || '';
+  const cookies = {};
+  header.split(';').forEach(pair => {
+    const [name, ...rest] = pair.trim().split('=');
+    if (name) cookies[name.trim()] = decodeURIComponent(rest.join('=').trim());
+  });
+  return cookies;
+}
+
+/**
+ * Signe un token avec HMAC-SHA256
+ * @param {string} token
+ * @returns {string} token.signature
+ */
+function signToken(token) {
+  const signature = crypto.createHmac('sha256', SESSION_SECRET).update(token).digest('hex');
+  return `${token}.${signature}`;
+}
+
+/**
+ * Vérifie et extrait un token signé
+ * @param {string} signedValue - Format: token.signature
+ * @returns {string|null} Le token si la signature est valide, null sinon
+ */
+function verifySignedToken(signedValue) {
+  if (!signedValue || !signedValue.includes('.')) return null;
+  const lastDot = signedValue.lastIndexOf('.');
+  const token = signedValue.slice(0, lastDot);
+  const signature = signedValue.slice(lastDot + 1);
+  const expected = crypto.createHmac('sha256', SESSION_SECRET).update(token).digest('hex');
+  if (signature.length !== expected.length) return null;
+  try {
+    if (crypto.timingSafeEqual(Buffer.from(signature, 'hex'), Buffer.from(expected, 'hex'))) {
+      return token;
+    }
+  } catch {
+    return null;
+  }
+  return null;
+}
+
+/**
+ * Comparaison sécurisée de deux chaînes (protection timing attack)
+ * @param {string} a
+ * @param {string} b
+ * @returns {boolean}
+ */
+function safeEqual(a, b) {
+  if (!a || !b) return false;
+  const bufA = Buffer.from(String(a));
+  const bufB = Buffer.from(String(b));
+  if (bufA.length !== bufB.length) return false;
+  return crypto.timingSafeEqual(bufA, bufB);
+}
+
+/**
+ * Crée une nouvelle session et la stocke
+ * @returns {string} Le token de session
+ */
+function createSession() {
+  const token = crypto.randomBytes(32).toString('hex');
+  activeSessions.add(token);
+  return token;
+}
+
+/**
+ * Détruit une session
+ * @param {string} token
+ */
+function destroySession(token) {
+  activeSessions.delete(token);
+}
+
+/**
+ * Vérifie si une session est valide
+ * @param {string} token
+ * @returns {boolean}
+ */
+function isValidSession(token) {
+  return token && activeSessions.has(token);
+}
+
+/**
+ * Écrit le cookie de session signé dans la réponse
+ * @param {import('express').Response} res
+ * @param {string} token
+ */
+function setSessionCookie(res, token) {
+  const signed = signToken(token);
+  res.setHeader('Set-Cookie', `proxy_session=${encodeURIComponent(signed)}; HttpOnly; SameSite=Strict; Path=/`);
+}
+
+/**
+ * Lit et vérifie le cookie de session depuis la requête
+ * @param {import('express').Request} req
+ * @returns {string|null} Le token si valide, null sinon
+ */
+function getSessionFromCookie(req) {
+  const cookies = parseCookies(req);
+  const signedValue = cookies['proxy_session'];
+  if (!signedValue) return null;
+  const token = verifySignedToken(signedValue);
+  if (!token) return null;
+  return isValidSession(token) ? token : null;
+}
+
+/**
+ * Supprime le cookie de session
+ * @param {import('express').Response} res
+ */
+function clearSessionCookie(res) {
+  res.setHeader('Set-Cookie', 'proxy_session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0');
+}
+
+/**
+ * Middleware : restreint l'accès aux requêtes provenant de localhost uniquement.
+ * Sécurisé car :
+ * - TCP handshake empêche le spoofing d'IP loopback depuis l'extérieur
+ * - trust proxy n'est pas activé → req.ip = IP réelle du socket
+ * - Pas de CORS configuré → DNS rebinding bloqué (preflight échoue pour JSON)
+ */
+function requireLocalOnly(req, res, next) {
+  const ip = req.ip || req.socket.remoteAddress;
+  const localAddresses = ['127.0.0.1', '::1', '::ffff:127.0.0.1'];
+
+  if (!localAddresses.includes(ip)) {
+    return res.status(403).json({ success: false, error: 'Local access only' });
+  }
+  next();
+}
+
+/**
+ * Middleware : exige une session admin valide
+ * Si ADMIN_PASSWORD n'est pas configuré, la route reste ouverte (rétrocompatibilité)
+ */
+function requireAuth(req, res, next) {
+  if (!ADMIN_PASSWORD) return next(); // Rétrocompatibilité
+
+  const sessionToken = getSessionFromCookie(req);
+  if (sessionToken) return next();
+
+  // Pas de session valide → distinguer HTML vs JSON
+  const acceptHeader = req.get('Accept') || '';
+  if (acceptHeader.includes('text/html') || !acceptHeader.includes('application/json')) {
+    return res.redirect('/proxy/login');
+  }
+  return res.status(401).json({ success: false, error: 'Authentication required' });
+}
+
+// ============================================
+// ROUTES D'AUTHENTIFICATION
+// ============================================
+
+/**
+ * GET /proxy/login
+ * Page de connexion administrateur
+ */
+app.get('/proxy/login', (req, res) => {
+  const error = req.query.error === '1';
+
+  const html = `
+<!DOCTYPE html>
+<html lang="fr">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${escapeHtml(PROXY_NAME)} - Connexion</title>
+  <style>
+    * {
+      margin: 0;
+      padding: 0;
+      box-sizing: border-box;
+    }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
+      background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
+      min-height: 100vh;
+      color: #e4e4e7;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 1.5rem;
+    }
+    .login-container {
+      width: 100%;
+      max-width: 380px;
+      text-align: center;
+    }
+    h1 {
+      font-size: 2rem;
+      background: linear-gradient(90deg, #6366f1, #8b5cf6);
+      -webkit-background-clip: text;
+      -webkit-text-fill-color: transparent;
+      background-clip: text;
+      margin-bottom: 0.25rem;
+    }
+    .subtitle {
+      color: #a1a1aa;
+      font-size: 0.95rem;
+      margin-bottom: 1.5rem;
+    }
+    .login-box {
+      background: rgba(255, 255, 255, 0.05);
+      border: 1px solid rgba(255, 255, 255, 0.1);
+      border-radius: 12px;
+      padding: 1.5rem;
+    }
+    .form-group {
+      margin-bottom: 1rem;
+      text-align: left;
+    }
+    .form-group label {
+      font-size: 0.75rem;
+      color: #a1a1aa;
+      margin-bottom: 0.25rem;
+      display: block;
+    }
+    .form-group input {
+      background: rgba(0, 0, 0, 0.3);
+      border: 1px solid rgba(255, 255, 255, 0.1);
+      padding: 0.6rem 0.75rem;
+      border-radius: 6px;
+      color: white;
+      font-family: inherit;
+      font-size: 0.9rem;
+      width: 100%;
+    }
+    .form-group input:focus {
+      outline: none;
+      border-color: #8b5cf6;
+      background: rgba(0, 0, 0, 0.4);
+    }
+    .submit-btn {
+      background: linear-gradient(90deg, #6366f1, #8b5cf6);
+      color: white;
+      border: none;
+      padding: 0.6rem 1.25rem;
+      border-radius: 6px;
+      font-weight: 600;
+      font-size: 0.85rem;
+      cursor: pointer;
+      transition: opacity 0.2s;
+      width: 100%;
+    }
+    .submit-btn:hover {
+      opacity: 0.9;
+    }
+    .error-msg {
+      background: rgba(239, 68, 68, 0.15);
+      border: 1px solid rgba(239, 68, 68, 0.3);
+      color: #fca5a5;
+      padding: 0.5rem 0.75rem;
+      border-radius: 6px;
+      font-size: 0.8rem;
+      margin-bottom: 1rem;
+    }
+    @media (max-width: 600px) {
+      .login-container {
+        max-width: none;
+      }
+    }
+  </style>
+</head>
+<body>
+  <div class="login-container">
+    <h1>${escapeHtml(PROXY_NAME)}</h1>
+    <p class="subtitle">Connexion administrateur</p>
+    <div class="login-box">
+      <form method="POST" action="/proxy/login">
+        ${error ? '<div class="error-msg">Mot de passe incorrect</div>' : ''}
+        <div class="form-group">
+          <label for="password">Mot de passe</label>
+          <input type="password" id="password" name="password" required autofocus>
+        </div>
+        <button type="submit" class="submit-btn">Connexion</button>
+      </form>
+    </div>
+  </div>
+</body>
+</html>
+  `.trim();
+
+  res.type('html').send(html);
+});
+
+/**
+ * POST /proxy/login
+ * Traitement du formulaire de connexion
+ */
+app.post('/proxy/login', (req, res) => {
+  const { password } = req.body;
+
+  if (ADMIN_PASSWORD && safeEqual(password, ADMIN_PASSWORD)) {
+    const token = createSession();
+    setSessionCookie(res, token);
+    return res.redirect('/');
+  }
+
+  res.redirect('/proxy/login?error=1');
+});
+
+/**
+ * POST /proxy/logout
+ * Déconnexion — détruit la session et redirige vers /proxy/login
+ */
+app.post('/proxy/logout', (req, res) => {
+  const sessionToken = getSessionFromCookie(req);
+  if (sessionToken) {
+    destroySession(sessionToken);
+  }
+  clearSessionCookie(res);
+  res.redirect('/proxy/login');
+});
+
 // ============================================
 // API D'ENREGISTREMENT
 // ============================================
@@ -269,7 +606,7 @@ function startHealthCheckPolling() {
  * 
  * Utilise un mutex pour éviter les race conditions lors d'inscriptions simultanées
  */
-app.post('/proxy/register', async (req, res) => {
+app.post('/proxy/register', requireLocalOnly, async (req, res) => {
   // Validation préliminaire (avant d'acquérir le mutex)
   const { path, name, port: requestedPort, target: requestedTarget, healthCheck } = req.body;
 
@@ -392,7 +729,7 @@ app.post('/proxy/register', async (req, res) => {
  * 
  * Utilise un mutex pour éviter les conflits avec les inscriptions simultanées
  */
-app.delete('/proxy/unregister', async (req, res) => {
+app.delete('/proxy/unregister', requireLocalOnly, async (req, res) => {
   const { path } = req.body;
 
   if (!path) {
@@ -443,7 +780,7 @@ app.delete('/proxy/unregister', async (req, res) => {
  * GET /proxy/routes
  * Liste toutes les routes enregistrées
  */
-app.get('/proxy/routes', (req, res) => {
+app.get('/proxy/routes', requireAuth, (req, res) => {
   const routes = [];
   registry.routes.forEach((value, path) => {
     routes.push({
@@ -469,7 +806,7 @@ app.get('/proxy/routes', (req, res) => {
  * Déclenche manuellement un health check pour une route spécifique
  * Body: { path: "/myapp" }
  */
-app.post('/proxy/check', async (req, res) => {
+app.post('/proxy/check', requireAuth, async (req, res) => {
   const { path } = req.body;
 
   if (!path) {
@@ -510,6 +847,162 @@ app.post('/proxy/check', async (req, res) => {
   });
 });
 
+/**
+ * GET /proxy/terminal
+ * Page du terminal en ligne (xterm.js + WebSocket)
+ */
+app.get('/proxy/terminal', requireAuth, (req, res) => {
+  const html = `
+<!DOCTYPE html>
+<html lang="fr">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${escapeHtml(PROXY_NAME)} - Agent</title>
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/xterm/css/xterm.css">
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    html, body { height: 100%; overflow: hidden; background: #1e1e1e; }
+    .terminal-header {
+      display: flex;
+      align-items: center;
+      gap: 1rem;
+      padding: 0.5rem 1rem;
+      background: #1a1a2e;
+      border-bottom: 1px solid rgba(255,255,255,0.1);
+      color: #e4e4e7;
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      font-size: 0.85rem;
+    }
+    .back-link {
+      color: #8b5cf6;
+      text-decoration: none;
+      font-weight: 500;
+    }
+    .back-link:hover {
+      text-decoration: underline;
+    }
+    .terminal-title {
+      font-weight: 600;
+      color: #f4f4f5;
+    }
+    .terminal-command {
+      color: #10b981;
+      font-family: 'SF Mono', 'Fira Code', monospace;
+      font-size: 0.75rem;
+      margin-left: auto;
+      overflow: hidden;
+      text-overflow: ellipsis;
+      white-space: nowrap;
+    }
+    #terminal-container {
+      height: calc(100vh - 41px);
+    }
+  </style>
+</head>
+<body>
+  <div class="terminal-header">
+    <a href="/" class="back-link">&larr; Dashboard</a>
+    <span class="terminal-title">Agent</span>
+    ${TERMINAL_COMMAND ? '<span class="terminal-command">' + escapeHtml(TERMINAL_COMMAND) + '</span>' : ''}
+  </div>
+  <div id="terminal-container"></div>
+
+  <script src="https://cdn.jsdelivr.net/npm/xterm/lib/xterm.min.js"></script>
+  <script src="https://cdn.jsdelivr.net/npm/xterm-addon-fit/lib/xterm-addon-fit.min.js"></script>
+  <script>
+    class BrowserTerminal {
+      constructor(container, options = {}) {
+        this.container =
+          typeof container === 'string' ? document.querySelector(container) : container;
+        this.options = {
+          fitOnResize: true,
+          ...options,
+          terminalOptions: {
+            cursorBlink: true,
+            theme: {
+              background: '#1e1e1e',
+              foreground: '#d4d4d4',
+            },
+            ...options.terminalOptions,
+          },
+        };
+        this.terminal = new Terminal(this.options.terminalOptions);
+        this.fitAddon = new FitAddon.FitAddon();
+        this.ws = null;
+        this._resizeHandler = null;
+        this._init();
+      }
+      _init() {
+        this.terminal.loadAddon(this.fitAddon);
+        this.terminal.open(this.container);
+        this.fitAddon.fit();
+        this._bindClipboard();
+        this._connect();
+        this._bindResize();
+      }
+      _bindClipboard() {
+        // Laisser le navigateur gérer Ctrl+V (coller) et Ctrl+Shift+C (copier)
+        // Par défaut xterm intercepte ces touches et envoie des caractères de contrôle
+        this.terminal.attachCustomKeyEventHandler((e) => {
+          if (e.type !== 'keydown') return true;
+          if (e.ctrlKey && e.key === 'v') return false;
+          if (e.ctrlKey && e.shiftKey && e.key === 'C') return false;
+          return true;
+        });
+      }
+      _connect() {
+        const protocol = location.protocol === 'https:' ? 'wss:' : 'ws:';
+        const path = this.options.wsPath || '/terminal';
+        const url = this.options.wsUrl || protocol + '//' + location.host + path;
+        this.ws = new WebSocket(url);
+        this.ws.onopen = () => { this._sendResize(); };
+        this.ws.onmessage = (event) => { this.terminal.write(event.data); };
+        this.terminal.onData((data) => {
+          if (this.ws.readyState === WebSocket.OPEN) {
+            this.ws.send(data);
+          }
+        });
+      }
+      _bindResize() {
+        if (!this.options.fitOnResize) return;
+        this._resizeHandler = () => {
+          this.fitAddon.fit();
+          this._sendResize();
+        };
+        window.addEventListener('resize', this._resizeHandler);
+      }
+      _sendResize() {
+        if (this.ws.readyState === WebSocket.OPEN) {
+          this.ws.send(JSON.stringify({
+            type: 'resize',
+            cols: this.terminal.cols,
+            rows: this.terminal.rows,
+          }));
+        }
+      }
+      fit() {
+        this.fitAddon.fit();
+        this._sendResize();
+      }
+      dispose() {
+        if (this._resizeHandler) window.removeEventListener('resize', this._resizeHandler);
+        if (this.ws) this.ws.close();
+        this.terminal.dispose();
+      }
+    }
+
+    const term = new BrowserTerminal('#terminal-container', {
+      wsPath: '/terminal-ws',
+    });
+  </script>
+</body>
+</html>
+  `.trim();
+
+  res.type('html').send(html);
+});
+
 /**
  * GET /proxy/health
  * Health check du proxy
@@ -529,7 +1022,7 @@ app.get('/proxy/health', (req, res) => {
  * Page d'accueil listant tous les serveurs disponibles
  * Retourne du JSON si le client l'accepte (API), sinon du HTML (navigateur)
  */
-app.get('/', (req, res) => {
+app.get('/', requireAuth, (req, res) => {
   const routes = [];
   registry.routes.forEach((value, path) => {
     routes.push({
@@ -626,8 +1119,33 @@ app.get('/', (req, res) => {
     /* Toolbar */
     .toolbar {
       display: flex;
-      justify-content: flex-end;
+      justify-content: space-between;
+      align-items: center;
       margin-bottom: 0.75rem;
+      gap: 0.5rem;
+    }
+    .toolbar-right {
+      display: flex;
+      gap: 0.5rem;
+      align-items: center;
+    }
+    .agent-btn {
+      background: linear-gradient(90deg, #10b981, #059669);
+      color: white;
+      border: none;
+      padding: 0.5rem 1rem;
+      border-radius: 6px;
+      font-weight: 600;
+      font-size: 0.8rem;
+      cursor: pointer;
+      transition: opacity 0.2s;
+      display: inline-flex;
+      align-items: center;
+      gap: 0.4rem;
+      white-space: nowrap;
+    }
+    .agent-btn:hover {
+      opacity: 0.9;
     }
     .add-btn {
       background: linear-gradient(90deg, #6366f1, #8b5cf6);
@@ -884,6 +1402,13 @@ app.get('/', (req, res) => {
     }
     /* Responsive */
     @media (max-width: 600px) {
+      .toolbar {
+        flex-direction: column;
+      }
+      .toolbar-right {
+        width: 100%;
+        justify-content: flex-end;
+      }
       .service-card {
         flex-direction: column;
         align-items: flex-start;
@@ -918,7 +1443,11 @@ app.get('/', (req, res) => {
     </header>
 
     <div class="toolbar">
-      <button class="add-btn" onclick="openModal()">+ Ajouter</button>
+      <button class="agent-btn" onclick="openAgent()">&#9654; Lancer Agent</button>
+      <div class="toolbar-right">
+        <button class="add-btn" onclick="openModal()">+ Ajouter</button>
+        ${ADMIN_PASSWORD ? '<button class="action-btn" onclick="logout()">Déconnexion</button>' : ''}
+      </div>
     </div>
 
     ${routes.length > 0 ? `
@@ -1051,6 +1580,18 @@ app.get('/', (req, res) => {
       }
     });
 
+    function openAgent() {
+      window.open('/proxy/terminal', '_blank');
+    }
+
+    function logout() {
+      const form = document.createElement('form');
+      form.method = 'POST';
+      form.action = '/proxy/logout';
+      document.body.appendChild(form);
+      form.submit();
+    }
+
     async function checkHealth(path, btn) {
       if (btn.classList.contains('loading')) return;
       
@@ -1215,23 +1756,26 @@ app.use((req, res, next) => {
     });
   }
 
-  // Stocke les informations de la route dans l'objet req pour le middleware persistant
-  const target = route.target || 'http://localhost';
-  req.proxyTarget = `${target}:${route.port}`;
-  
-  // Trouve le path de la route pour le pathRewrite
-  req.proxyRoutePath = [...registry.routes.entries()]
-    .find(([, v]) => v === route)?.[0];
+  // Vérification de l'authentification avant de proxifier
+  requireAuth(req, res, () => {
+    // Stocke les informations de la route dans l'objet req pour le middleware persistant
+    const target = route.target || 'http://localhost';
+    req.proxyTarget = `${target}:${route.port}`;
+    
+    // Trouve le path de la route pour le pathRewrite
+    req.proxyRoutePath = [...registry.routes.entries()]
+      .find(([, v]) => v === route)?.[0];
 
-  // Délègue au middleware de proxy persistant
-  persistentProxyMiddleware(req, res, next);
+    // Délègue au middleware de proxy persistant
+    persistentProxyMiddleware(req, res, next);
+  });
 });
 
 // ============================================
 // DÉMARRAGE DU SERVEUR
 // ============================================
 
-app.listen(PROXY_PORT, () => {
+const server = app.listen(PROXY_PORT, () => {
   console.log('='.repeat(50));
   console.log(`🚀 ${PROXY_NAME}`);
   console.log('='.repeat(50));
@@ -1240,15 +1784,51 @@ app.listen(PROXY_PORT, () => {
   console.log(`Health check interval: ${HEALTH_CHECK_INTERVAL}ms`);
   console.log(`Health check grace period: ${HEALTH_CHECK_GRACE_PERIOD}ms`);
   console.log('');
+
+  // Warnings d'authentification
+  if (!ADMIN_PASSWORD) {
+    console.log('⚠️  WARNING: ADMIN_PASSWORD is not set — web interface is unprotected');
+  } else {
+    console.log('🔒 Web interface protected by admin password');
+  }
+  console.log('🔒 API routes restricted to localhost only');
+  if (!process.env.SESSION_SECRET) {
+    console.log('⚠️  WARNING: SESSION_SECRET is not set — using random secret (sessions lost on restart)');
+  }
+  console.log('');
+
   console.log('API Endpoints:');
   console.log('  POST   /proxy/register   - Register a new route');
   console.log('  DELETE /proxy/unregister - Remove a route');
   console.log('  GET    /proxy/routes     - List all routes');
   console.log('  GET    /proxy/health     - Health check');
+  console.log('  GET    /proxy/login      - Admin login page');
+  console.log('  GET    /proxy/terminal   - Agent terminal');
   console.log('');
   console.log('Note: Registered servers must implement GET /proxy/health');
   console.log('      returning status 200 to stay registered.');
   console.log('='.repeat(50));
+
+  // Initialisation du terminal en ligne
+  const { TerminalServer } = require('./terminal-server');
+  new TerminalServer(server, {
+    path: '/terminal-ws',
+    command: TERMINAL_COMMAND,
+    ptyOptions: {
+      cwd: TERMINAL_CWD,
+    },
+    wsOptions: {
+      verifyClient: (info) => {
+        if (!ADMIN_PASSWORD) return true;
+        const cookies = parseCookies(info.req);
+        const signedValue = cookies['proxy_session'];
+        if (!signedValue) return false;
+        const token = verifySignedToken(signedValue);
+        return token ? isValidSession(token) : false;
+      },
+    },
+  });
+  console.log(`🖥️  Agent terminal at /proxy/terminal (cwd: ${TERMINAL_CWD}, command: ${TERMINAL_COMMAND || 'none'})`);
   
   // Démarre le polling de health check
   startHealthCheckPolling();

package/terminal-server.js

@@ -0,0 +1,154 @@
+const os = require('os');
+const { execSync } = require('child_process');
+const pty = require('node-pty');
+const { WebSocketServer } = require('ws');
+
+const DEFAULT_SHELL = os.platform() === 'win32' ? 'powershell.exe' : 'bash';
+
+class TerminalServer {
+  /**
+   * @param {import('http').Server} httpServer
+   * @param {object} [options]
+   * @param {string} [options.shell] - Shell to spawn (default: auto-detected)
+   * @param {string[]} [options.shellArgs] - Shell arguments (default: [])
+   * @param {object} [options.ptyOptions] - node-pty spawn options overrides
+   * @param {number} [options.ptyOptions.cols] - Initial columns (default: 80)
+   * @param {number} [options.ptyOptions.rows] - Initial rows (default: 24)
+   * @param {string} [options.ptyOptions.cwd] - Working directory (default: user home)
+   * @param {object} [options.ptyOptions.env] - Environment variables (default: process.env)
+   * @param {string} [options.command] - Command to execute automatically after spawn
+   * @param {string} [options.path] - WebSocket endpoint path (default: '/terminal')
+   * @param {object} [options.wsOptions] - WebSocketServer options overrides
+   */
+  constructor(httpServer, options = {}) {
+    this.shell = options.shell || DEFAULT_SHELL;
+    this.shellArgs = options.shellArgs || [];
+    this.command = options.command || '';
+    this.ptyOptions = {
+      name: 'xterm-color',
+      cols: 80,
+      rows: 24,
+      cwd: process.env.HOME || process.env.USERPROFILE,
+      env: process.env,
+      ...options.ptyOptions,
+    };
+
+    this.connections = new Set();
+
+    this.wss = new WebSocketServer({
+      server: httpServer,
+      path: options.path || '/terminal',
+      ...options.wsOptions,
+    });
+    this.wss.on('connection', (ws, req) => this._handleConnection(ws, req));
+  }
+
+  _handleConnection(ws, req) {
+    const cwd = this.ptyOptions.cwd;
+
+    let ptyProcess;
+    try {
+      ptyProcess = pty.spawn(this.shell, this.shellArgs, {
+        ...this.ptyOptions,
+        cwd,
+      });
+    } catch (err) {
+      console.error(`[TERMINAL] Failed to spawn PTY (cwd: ${cwd}):`, err.message);
+      ws.close(1011, 'Failed to spawn terminal');
+      return;
+    }
+
+    const connection = { ws, ptyProcess };
+    this.connections.add(connection);
+
+    ptyProcess.onData((data) => {
+      try {
+        ws.send(data);
+      } catch (e) {
+        // WebSocket already closed
+      }
+    });
+
+    ws.on('message', (data) => {
+      const message = data.toString();
+      try {
+        const msg = JSON.parse(message);
+        if (msg.type === 'resize') {
+          ptyProcess.resize(msg.cols, msg.rows);
+          return;
+        }
+      } catch (e) {
+        // Not JSON, treat as terminal input
+      }
+      ptyProcess.write(message);
+    });
+
+    ws.on('close', () => {
+      this._gracefulKill(ptyProcess);
+      this.connections.delete(connection);
+    });
+
+    // Exécuter automatiquement la commande configurée
+    if (this.command) {
+      // Petit délai pour laisser le shell s'initialiser
+      setTimeout(() => {
+        ptyProcess.write(this.command + '\r');
+        console.log(`[TERMINAL] Auto-executed command: ${this.command}`);
+      }, 500);
+    }
+  }
+
+  /**
+   * Arrêt gracieux : envoie Ctrl+C deux fois pour interrompre proprement
+   * le programme en cours, attend qu'il se termine, puis tue le shell.
+   * @param {import('node-pty').IPty} ptyProcess
+   */
+  _gracefulKill(ptyProcess) {
+    const pid = ptyProcess.pid;
+    console.log(`[TERMINAL] Graceful shutdown (PID: ${pid})...`);
+
+    // 1er Ctrl+C
+    try { ptyProcess.write('\x03'); } catch (_) { /* ignore */ }
+
+    setTimeout(() => {
+      // 2e Ctrl+C
+      try { ptyProcess.write('\x03'); } catch (_) { /* ignore */ }
+
+      setTimeout(() => {
+        // Tuer tout l'arbre de processus
+        this._killProcessTree(pid);
+      }, 1000);
+    }, 500);
+  }
+
+  /**
+   * Tue l'arbre de processus par PID.
+   * Sur Windows : taskkill /F /T /PID
+   * Sur Linux/macOS : kill du groupe de processus
+   * @param {number} pid
+   */
+  _killProcessTree(pid) {
+    try {
+      if (os.platform() === 'win32') {
+        execSync(`taskkill /F /T /PID ${pid}`, { stdio: 'ignore' });
+      } else {
+        process.kill(-pid, 'SIGKILL');
+      }
+      console.log(`[TERMINAL] Killed process tree (PID: ${pid})`);
+    } catch (e) {
+      // Le processus est peut-être déjà terminé
+      console.log(`[TERMINAL] Process tree already exited (PID: ${pid})`);
+    }
+  }
+
+  dispose() {
+    for (const { ws, ptyProcess } of this.connections) {
+      this._gracefulKill(ptyProcess);
+      ws.close();
+    }
+    this.connections.clear();
+    this.wss.close();
+  }
+}
+
+module.exports = { TerminalServer };