fbi-proxy 1.15.0 → 1.16.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fbi-proxy",
-  "version": "1.15.0",
+  "version": "1.16.0",
   "description": "FBI-Proxy provides easy HTTPS access to your local services with intelligent domain routing",
   "keywords": [
     "development-tools",
@@ -39,6 +39,8 @@
     "format": "prettier --write .",
     "lint": "prettier --check .",
     "prepare": "husky",
+    "port-forward:install": "bun ts/install-port-forward.ts",
+    "port-forward:uninstall": "bun ts/install-port-forward.ts --uninstall",
     "start": "bun ts/cli.ts",
     "start:rs": "./target/release/fbi-proxy",
     "test": "vitest run",

package/rs/fbi-proxy.rs

@@ -783,12 +783,23 @@ fn spawn_routes_watcher(
     });
 }
 
+pub struct TlsOptions {
+    /// Apex domain used for SAN entries on the self-signed cert.
+    /// Empty string falls back to `localhost` + `127.0.0.1`.
+    pub domain: String,
+    /// Directory the generated cert+key are persisted to. The same
+    /// fingerprint is reused across boots so browsers can remember
+    /// "trust this exception" once.
+    pub cert_dir: std::path::PathBuf,
+}
+
 pub async fn start_proxy_server(
     host: Option<&str>,
     port: u16,
     domain_filter: Option<String>,
     compiled_routes: Vec<CompiledRoute>,
     watch_path: Option<String>,
+    tls: Option<TlsOptions>,
 ) -> Result<(), BoxError> {
     let host = host.unwrap_or("127.0.0.1");
     let addr: SocketAddr = format!("{}:{}", host, port).parse()?;
@@ -821,10 +832,45 @@ pub async fn start_proxy_server(
         }
     }
 
+    let acceptor = match &tls {
+        Some(opts) => {
+            let acc = fbi_proxy::tls::build_acceptor(&opts.domain, &opts.cert_dir)?;
+            // Auto-install the self-signed leaf as a system trust anchor when
+            // running with the privileges to do so. Idempotent — no-op if
+            // already trusted. If unprivileged (and untrusted), this errors and
+            // we surface a clear message rather than booting silently into
+            // "browser warnings forever" mode.
+            let cert_path = fbi_proxy::tls::cert_pem_path(&opts.domain, &opts.cert_dir);
+            match fbi_proxy::tls::install_to_system_trust(&cert_path) {
+                Ok(true) => println!(
+                    "TLS: cert installed to system trust store ({})",
+                    cert_path.display()
+                ),
+                Ok(false) => {}
+                Err(e) => {
+                    eprintln!(
+                        "[tls] could not auto-install cert to system trust: {e}\n      \
+                         start with sudo to install, or accept the browser warning."
+                    );
+                }
+            }
+            Some(acc)
+        }
+        None => None,
+    };
+
     let listener = TcpListener::bind(addr).await?;
 
-    info!("FBI Proxy server running on http://{}", addr);
-    println!("FBI Proxy listening on: http://{}", addr);
+    let scheme = if acceptor.is_some() { "https" } else { "http" };
+    info!("FBI Proxy server running on {}://{}", scheme, addr);
+    println!("FBI Proxy listening on: {}://{}", scheme, addr);
+    if let Some(opts) = &tls {
+        println!(
+            "TLS: self-signed cert at {}/{}.pem (browser warning expected — Phase 1)",
+            opts.cert_dir.display(),
+            if opts.domain.is_empty() { "localhost" } else { &opts.domain }
+        );
+    }
     if let Some(ref domain) = domain_filter {
         if !domain.is_empty() {
             println!("Domain filter: Only accepting requests for *.{}", domain);
@@ -856,20 +902,35 @@ pub async fn start_proxy_server(
 
     loop {
         let (stream, _) = listener.accept().await?;
-        let io = TokioIo::new(stream);
         let proxy = proxy.clone();
+        let acceptor = acceptor.clone();
 
         tokio::task::spawn(async move {
             let service = service_fn(move |req| handle_connection(req, proxy.clone()));
 
-            if let Err(err) = http1::Builder::new()
+            let mut builder = http1::Builder::new();
+            builder
                 .preserve_header_case(true)
-                .title_case_headers(true)
-                .serve_connection(io, service)
-                .with_upgrades()
-                .await
-            {
-                error!("Error serving connection: {:?}", err);
+                .title_case_headers(true);
+
+            match acceptor {
+                Some(a) => match a.accept(stream).await {
+                    Ok(tls_stream) => {
+                        let io = TokioIo::new(tls_stream);
+                        if let Err(err) = builder.serve_connection(io, service).with_upgrades().await {
+                            error!("Error serving TLS connection: {:?}", err);
+                        }
+                    }
+                    Err(err) => {
+                        error!("TLS handshake failed: {:?}", err);
+                    }
+                },
+                None => {
+                    let io = TokioIo::new(stream);
+                    if let Err(err) = builder.serve_connection(io, service).with_upgrades().await {
+                        error!("Error serving connection: {:?}", err);
+                    }
+                }
             }
         });
     }
@@ -956,16 +1017,47 @@ TRY RUN:
                 .env("FBI_PROXY_ROUTES")
                 .default_value("")
         )
+        .arg(
+            Arg::new("tls")
+                .long("tls")
+                .help("Terminate TLS using a self-signed cert (browser warning expected — Phase 1, no system trust install). Use --port 443 with sudo for the standard HTTPS port. (env: FBI_PROXY_TLS)")
+                .env("FBI_PROXY_TLS")
+                .num_args(0)
+                .action(clap::ArgAction::SetTrue)
+        )
+        .arg(
+            Arg::new("cert-dir")
+                .long("cert-dir")
+                .value_name("DIR")
+                .help("Directory for the self-signed cert+key (env: FBI_PROXY_CERT_DIR, default: ~/.config/fbi-proxy/certs)")
+                .env("FBI_PROXY_CERT_DIR")
+                .default_value("")
+        )
         .get_matches();
 
-    let port = matches
-        .get_one::<String>("port")
-        .unwrap()
-        .parse::<u16>()
-        .unwrap_or_else(|_| {
-            error!("Invalid port value, using default 2432");
-            2432
-        });
+    let tls_enabled = matches.get_flag("tls");
+
+    // Default port jumps to 443 when --tls is set unless the user explicitly
+    // overrode --port / FBI_PROXY_PORT. Binding :443 needs sudo on most
+    // systems; the helpful failure path is documented in the bind error.
+    let port_source = matches.value_source("port");
+    let port_explicit = matches!(
+        port_source,
+        Some(clap::parser::ValueSource::CommandLine)
+            | Some(clap::parser::ValueSource::EnvVariable)
+    );
+    let port = if tls_enabled && !port_explicit {
+        443
+    } else {
+        matches
+            .get_one::<String>("port")
+            .unwrap()
+            .parse::<u16>()
+            .unwrap_or_else(|_| {
+                error!("Invalid port value, using default 2432");
+                2432
+            })
+    };
 
     let host = matches.get_one::<String>("host").unwrap();
     let domain = matches.get_one::<String>("domain").unwrap();
@@ -996,11 +1088,26 @@ TRY RUN:
         )
     };
 
+    let cert_dir_raw = matches.get_one::<String>("cert-dir").unwrap();
+    let tls_opts = if tls_enabled {
+        let cert_dir = if cert_dir_raw.is_empty() {
+            fbi_proxy::tls::default_cert_dir()
+        } else {
+            std::path::PathBuf::from(cert_dir_raw)
+        };
+        Some(TlsOptions {
+            domain: domain.clone(),
+            cert_dir,
+        })
+    } else {
+        None
+    };
+
     let rt = tokio::runtime::Runtime::new().unwrap();
     rt.block_on(async {
         info!(
-            "Starting FBI-Proxy on {}:{} with domain filter: {:?}",
-            host, port, domain_filter
+            "Starting FBI-Proxy on {}:{} with domain filter: {:?}, tls: {}",
+            host, port, domain_filter, tls_enabled
         );
         if let Err(e) = start_proxy_server(
             Some(host),
@@ -1008,6 +1115,7 @@ TRY RUN:
             domain_filter,
             compiled_routes,
             watch_path,
+            tls_opts,
         )
         .await
         {

package/rs/lib.rs

@@ -5,3 +5,4 @@
 
 pub mod metrics;
 pub mod routes;
+pub mod tls;

package/rs/tls.rs

@@ -0,0 +1,243 @@
+//! Self-signed TLS support for `--tls` mode (Phase 1: no system trust
+//! install). Generates a self-signed certificate for the configured
+//! domain (with `*.<domain>` SAN) and persists it under
+//! `~/.config/fbi-proxy/certs/` so the same fingerprint survives
+//! restarts — browsers can "remember the exception" once.
+//!
+//! The browser warning is expected in this phase. Use Phase 2
+//! (`fbi-proxy trust`) to install a local CA into the system trust
+//! store for a clean lock-icon experience.
+
+use std::path::{Path, PathBuf};
+use std::sync::Arc;
+
+use rcgen::{CertificateParams, DnType, DistinguishedName, KeyPair, SanType};
+use tokio_rustls::TlsAcceptor;
+use tokio_rustls::rustls::ServerConfig;
+use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject};
+
+pub type BoxError = Box<dyn std::error::Error + Send + Sync>;
+
+/// Where on-disk certs live. Layout: `{base}/certs/{domain}.{pem,key}`.
+pub fn default_cert_dir() -> PathBuf {
+    let base = std::env::var_os("XDG_CONFIG_HOME")
+        .map(PathBuf::from)
+        .or_else(|| std::env::var_os("HOME").map(|h| PathBuf::from(h).join(".config")))
+        .unwrap_or_else(|| PathBuf::from("."));
+    base.join("fbi-proxy").join("certs")
+}
+
+/// Path to the cert file for a given domain (sibling `.key` lives at
+/// the same stem). Use this when you need to install the cert into a
+/// system trust store after `build_acceptor` has materialized it.
+pub fn cert_pem_path(domain: &str, cert_dir: &Path) -> PathBuf {
+    let slug = if domain.is_empty() { "localhost" } else { domain };
+    cert_dir.join(format!("{slug}.pem"))
+}
+
+/// Whether the given cert is currently a trusted anchor on this
+/// system. Returns `false` if the check itself can't be performed
+/// (unsupported platform, missing tool) — callers should treat that
+/// as "no, attempt install."
+pub fn is_trusted(cert_path: &Path) -> bool {
+    #[cfg(target_os = "macos")]
+    {
+        std::process::Command::new("security")
+            .args(["verify-cert", "-c"])
+            .arg(cert_path)
+            .stdout(std::process::Stdio::null())
+            .stderr(std::process::Stdio::null())
+            .status()
+            .map(|s| s.success())
+            .unwrap_or(false)
+    }
+    #[cfg(not(target_os = "macos"))]
+    {
+        let _ = cert_path;
+        false
+    }
+}
+
+/// Install `cert_path` as a trusted root anchor in the system trust
+/// store. Idempotent — checks `is_trusted` first and returns `Ok(false)`
+/// if no install was performed.
+///
+/// Requires root on macOS (writes to `/Library/Keychains/System.keychain`).
+/// On other platforms this is a no-op for now (Linux / Windows is a
+/// follow-up — see TODO.md).
+pub fn install_to_system_trust(cert_path: &Path) -> Result<bool, BoxError> {
+    if is_trusted(cert_path) {
+        return Ok(false);
+    }
+
+    #[cfg(target_os = "macos")]
+    {
+        log::info!("installing {} to System.keychain", cert_path.display());
+        let status = std::process::Command::new("security")
+            .args([
+                "add-trusted-cert",
+                "-d",
+                "-r",
+                "trustRoot",
+                "-k",
+                "/Library/Keychains/System.keychain",
+            ])
+            .arg(cert_path)
+            .status()?;
+        if !status.success() {
+            return Err(format!(
+                "security add-trusted-cert failed (exit {:?}); needs root (sudo)",
+                status.code(),
+            )
+            .into());
+        }
+        Ok(true)
+    }
+    #[cfg(not(target_os = "macos"))]
+    {
+        let _ = cert_path;
+        log::warn!("auto-trust-install: only macOS supported in this build");
+        Ok(false)
+    }
+}
+
+/// Build a `TlsAcceptor` for the given domain, reusing a persisted
+/// cert if one exists or generating + writing a fresh one if not.
+///
+/// `domain` is the apex (e.g. `"fbi.com"`); the cert SAN includes both
+/// the apex and `*.{domain}` so any subdomain validates. If `domain`
+/// is empty or `"localhost"`, only `localhost` + `127.0.0.1` are
+/// covered.
+pub fn build_acceptor(domain: &str, cert_dir: &Path) -> Result<TlsAcceptor, BoxError> {
+    let (cert_pem, key_pem) = load_or_generate(domain, cert_dir)?;
+
+    let cert_chain: Vec<CertificateDer<'static>> = CertificateDer::pem_slice_iter(cert_pem.as_bytes())
+        .collect::<Result<Vec<_>, _>>()?;
+    let key = PrivateKeyDer::from_pem_slice(key_pem.as_bytes())?;
+
+    let config = ServerConfig::builder()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, key)?;
+
+    Ok(TlsAcceptor::from(Arc::new(config)))
+}
+
+fn load_or_generate(domain: &str, cert_dir: &Path) -> Result<(String, String), BoxError> {
+    let slug = if domain.is_empty() { "localhost" } else { domain };
+    let cert_path = cert_dir.join(format!("{slug}.pem"));
+    let key_path = cert_dir.join(format!("{slug}.key"));
+
+    if cert_path.exists() && key_path.exists() {
+        let cert = std::fs::read_to_string(&cert_path)?;
+        let key = std::fs::read_to_string(&key_path)?;
+        return Ok((cert, key));
+    }
+
+    let (cert_pem, key_pem) = generate_self_signed(domain)?;
+    std::fs::create_dir_all(cert_dir)?;
+    std::fs::write(&cert_path, &cert_pem)?;
+    // 0600 on the key — std::fs::write opens 0644 by default
+    write_private(&key_path, key_pem.as_bytes())?;
+
+    Ok((cert_pem, key_pem))
+}
+
+#[cfg(unix)]
+fn write_private(path: &Path, bytes: &[u8]) -> std::io::Result<()> {
+    use std::io::Write;
+    use std::os::unix::fs::OpenOptionsExt;
+    let mut f = std::fs::OpenOptions::new()
+        .write(true)
+        .create(true)
+        .truncate(true)
+        .mode(0o600)
+        .open(path)?;
+    f.write_all(bytes)?;
+    Ok(())
+}
+
+#[cfg(not(unix))]
+fn write_private(path: &Path, bytes: &[u8]) -> std::io::Result<()> {
+    std::fs::write(path, bytes)
+}
+
+/// Generate a SAN-only self-signed cert valid for ~1 year. Returns
+/// `(cert_pem, key_pem)`. The Common Name is intentionally left blank
+/// — modern browsers ignore CN and only honor SAN entries.
+pub fn generate_self_signed(domain: &str) -> Result<(String, String), BoxError> {
+    let mut sans: Vec<SanType> = Vec::new();
+    if domain.is_empty() || domain == "localhost" {
+        sans.push(SanType::DnsName("localhost".try_into()?));
+        sans.push(SanType::IpAddress("127.0.0.1".parse()?));
+    } else {
+        sans.push(SanType::DnsName(domain.try_into()?));
+        sans.push(SanType::DnsName(format!("*.{domain}").try_into()?));
+    }
+
+    let mut params = CertificateParams::default();
+    params.subject_alt_names = sans;
+
+    // Browsers ignore CN, but a non-empty DN avoids some tooling
+    // warnings. Use OrganizationName so the CN stays empty.
+    let mut dn = DistinguishedName::new();
+    dn.push(DnType::OrganizationName, "fbi-proxy (self-signed)");
+    params.distinguished_name = dn;
+
+    let now = time::OffsetDateTime::now_utc();
+    params.not_before = now - time::Duration::days(1);
+    params.not_after = now + time::Duration::days(365);
+
+    let key_pair = KeyPair::generate()?;
+    let cert = params.self_signed(&key_pair)?;
+
+    Ok((cert.pem(), key_pair.serialize_pem()))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn generates_pem_with_domain_san() {
+        let (cert, key) = generate_self_signed("fbi.com").unwrap();
+        assert!(cert.contains("BEGIN CERTIFICATE"));
+        assert!(key.contains("BEGIN PRIVATE KEY"));
+
+        // Parse the cert and check SAN entries
+        let der = CertificateDer::pem_slice_iter(cert.as_bytes())
+            .next()
+            .unwrap()
+            .unwrap();
+        // We don't fully x509-parse here — but the cert+key should be
+        // accepted by rustls' single-cert builder, which is what the
+        // real server uses. That's the real-world contract.
+        let key_der = PrivateKeyDer::from_pem_slice(key.as_bytes()).unwrap();
+        let config = ServerConfig::builder()
+            .with_no_client_auth()
+            .with_single_cert(vec![der], key_der);
+        assert!(config.is_ok(), "rustls should accept generated cert+key");
+    }
+
+    #[test]
+    fn generates_for_localhost_fallback() {
+        let (cert, _key) = generate_self_signed("").unwrap();
+        assert!(cert.contains("BEGIN CERTIFICATE"));
+    }
+
+    #[test]
+    fn load_or_generate_round_trips_persisted_certs() {
+        let tmp = std::env::temp_dir().join(format!(
+            "fbi-tls-test-{}",
+            std::process::id()
+        ));
+        let _ = std::fs::remove_dir_all(&tmp);
+
+        let (cert1, key1) = load_or_generate("test.dev", &tmp).unwrap();
+        // Second call should return the same content (loaded from disk)
+        let (cert2, key2) = load_or_generate("test.dev", &tmp).unwrap();
+        assert_eq!(cert1, cert2);
+        assert_eq!(key1, key2);
+
+        let _ = std::fs::remove_dir_all(&tmp);
+    }
+}

package/ts/auth/authConfig.ts

@@ -10,15 +10,21 @@ export type FirebaseSubConfig = {
   authDomain?: string;
 };
 
+export type LocalSubConfig = {
+  email: string;
+  name?: string;
+};
+
 export type AuthConfigShape = {
   version: 1;
   domain: string;
   cookieDomain: string;
   ssoHost: string;
-  provider: "google" | "firebase" | "snolab";
+  provider: "google" | "firebase" | "snolab" | "local";
   clientId?: string;
   clientSecret?: string;
   firebase?: FirebaseSubConfig;
+  local?: LocalSubConfig;
   sessionSecret: string;
   allowlist: {
     emails?: string[];
@@ -63,10 +69,16 @@ export function configFromEnv(domain: string): AuthConfigShape | null {
     (process.env.FBI_AUTH_PROVIDER as AuthConfigShape["provider"]) ?? "google";
   const clientId = process.env.FBI_AUTH_CLIENT_ID;
   const firebaseProjectId = process.env.FBI_AUTH_FIREBASE_PROJECT_ID;
+  const localUser = process.env.FBI_AUTH_LOCAL_USER;
 
   if (provider === "firebase") {
     if (!firebaseProjectId) return null;
+  } else if (provider === "snolab") {
+    // snolab uses baked-in defaults; nothing required beyond the provider name
+  } else if (provider === "local") {
+    if (!localUser) return null;
   } else {
+    // google (default)
     if (!clientId) return null;
   }
 
@@ -86,6 +98,12 @@ export function configFromEnv(domain: string): AuthConfigShape | null {
           authDomain: process.env.FBI_AUTH_FIREBASE_AUTH_DOMAIN,
         }
       : undefined,
+    local: localUser
+      ? {
+          email: localUser,
+          name: process.env.FBI_AUTH_LOCAL_NAME,
+        }
+      : undefined,
     sessionSecret:
       process.env.FBI_AUTH_SESSION_SECRET ??
       randomBytes(32).toString("base64url"),