fbi-proxy 1.9.0 → 1.10.0

package/ts/auth/authConfig.ts

@@ -0,0 +1,141 @@
+import { homedir } from "node:os";
+import { join, dirname } from "node:path";
+import { existsSync } from "node:fs";
+import { mkdir, writeFile, chmod, readFile } from "node:fs/promises";
+import { randomBytes } from "node:crypto";
+
+export type FirebaseSubConfig = {
+  projectId: string;
+  apiKey?: string;
+  authDomain?: string;
+};
+
+export type AuthConfigShape = {
+  version: 1;
+  domain: string;
+  cookieDomain: string;
+  ssoHost: string;
+  provider: "google" | "firebase" | "snolab";
+  clientId?: string;
+  clientSecret?: string;
+  firebase?: FirebaseSubConfig;
+  sessionSecret: string;
+  allowlist: {
+    emails?: string[];
+    domains?: string[];
+    anySignedIn?: boolean;
+  };
+};
+
+export function defaultConfigPath(): string {
+  return (
+    process.env.FBI_AUTH_CONFIG_PATH ??
+    join(
+      process.env.XDG_CONFIG_HOME ?? join(homedir(), ".config"),
+      "fbi-proxy",
+      "auth.json",
+    )
+  );
+}
+
+export async function readConfigOrNull(
+  path = defaultConfigPath(),
+): Promise<AuthConfigShape | null> {
+  if (!existsSync(path)) return null;
+  try {
+    return JSON.parse(await readFile(path, "utf8")) as AuthConfigShape;
+  } catch {
+    return null;
+  }
+}
+
+export async function writeConfig(
+  cfg: AuthConfigShape,
+  path = defaultConfigPath(),
+): Promise<void> {
+  await mkdir(dirname(path), { recursive: true });
+  await writeFile(path, JSON.stringify(cfg, null, 2), "utf8");
+  await chmod(path, 0o600);
+}
+
+export function configFromEnv(domain: string): AuthConfigShape | null {
+  const provider =
+    (process.env.FBI_AUTH_PROVIDER as AuthConfigShape["provider"]) ?? "google";
+  const clientId = process.env.FBI_AUTH_CLIENT_ID;
+  const firebaseProjectId = process.env.FBI_AUTH_FIREBASE_PROJECT_ID;
+
+  if (provider === "firebase") {
+    if (!firebaseProjectId) return null;
+  } else {
+    if (!clientId) return null;
+  }
+
+  const d = domain.startsWith(".") ? domain.slice(1) : domain;
+  return {
+    version: 1,
+    domain: d,
+    cookieDomain: `.${d}`,
+    ssoHost: `sso.${d}`,
+    provider,
+    clientId,
+    clientSecret: process.env.FBI_AUTH_CLIENT_SECRET,
+    firebase: firebaseProjectId
+      ? {
+          projectId: firebaseProjectId,
+          apiKey: process.env.FBI_AUTH_FIREBASE_API_KEY,
+          authDomain: process.env.FBI_AUTH_FIREBASE_AUTH_DOMAIN,
+        }
+      : undefined,
+    sessionSecret:
+      process.env.FBI_AUTH_SESSION_SECRET ??
+      randomBytes(32).toString("base64url"),
+    allowlist: parseAllowlistEnv(),
+  };
+}
+
+function parseAllowlistEnv(): AuthConfigShape["allowlist"] {
+  const emails = process.env.FBI_AUTH_ALLOW_EMAILS?.split(",")
+    .map((s) => s.trim())
+    .filter(Boolean);
+  const domains = process.env.FBI_AUTH_ALLOW_DOMAINS?.split(",")
+    .map((s) => s.trim())
+    .filter(Boolean);
+  const anySignedIn = process.env.FBI_AUTH_ALLOW_ANY === "true";
+  if (!emails?.length && !domains?.length && !anySignedIn) {
+    return { anySignedIn: true };
+  }
+  return { emails, domains, anySignedIn };
+}
+
+export function helpfulSetupMessage(domain: string, path: string): string {
+  return [
+    "",
+    "fbi-auth requires a config file but none was found.",
+    `Expected at: ${path}`,
+    "",
+    "Quick setup (Phase 1 — manual; setup wizard arrives in Phase 2):",
+    "",
+    "  1. Create a Google OAuth Web client at https://console.cloud.google.com/apis/credentials",
+    `     - Authorized redirect URI: https://sso.${domain}/callback`,
+    `     - Authorized JS origin:    https://sso.${domain}`,
+    "",
+    "  2. Either write the config file directly:",
+    `     mkdir -p $(dirname ${path}) && cat > ${path} <<EOF`,
+    "     {",
+    '       "version": 1,',
+    `       "domain": "${domain}",`,
+    `       "cookieDomain": ".${domain}",`,
+    `       "ssoHost": "sso.${domain}",`,
+    '       "provider": "google",',
+    '       "clientId": "<your-client-id>",',
+    '       "clientSecret": "<your-client-secret>",',
+    '       "sessionSecret": "<32+ random chars, base64url preferred>",',
+    '       "allowlist": { "anySignedIn": true }',
+    "     }",
+    "     EOF",
+    "",
+    "  3. Or use env vars (auto-creates the config on first run):",
+    `     FBI_AUTH_CLIENT_ID=...  FBI_AUTH_CLIENT_SECRET=...  bunx fbi-proxy --with-auth --domain ${domain}`,
+    "",
+  ].join("\n");
+}

package/ts/auth/caddyfileGen.test.ts

@@ -0,0 +1,156 @@
+import { describe, it, expect } from "vitest";
+import { generateCaddyfile } from "./caddyfileGen";
+
+describe("generateCaddyfile", () => {
+  it("emits the canonical fbi.com + auth + tls internal layout", () => {
+    const out = generateCaddyfile({
+      domain: "fbi.com",
+      ssoHost: "sso.fbi.com",
+      fbiAuthPort: 2433,
+      fbiProxyPort: 2432,
+      tlsMode: "internal",
+      withAuth: true,
+    });
+
+    expect(out).toMatchInlineSnapshot(`
+      "sso.fbi.com {
+        reverse_proxy 127.0.0.1:2433
+        tls internal
+      }
+
+      *.fbi.com {
+        @notauth not path /api/auth/* /login /callback /logout
+        forward_auth @notauth 127.0.0.1:2433 {
+          uri /api/auth/verify
+          copy_headers Remote-User Remote-Email Remote-Name
+          header_up X-Forwarded-Host {host}
+          header_up X-Forwarded-Uri {uri}
+        }
+        reverse_proxy 127.0.0.1:2432
+        tls internal
+      }
+      "
+    `);
+  });
+
+  it("emits ACME email block + auto TLS for a public domain with --with-auth", () => {
+    const out = generateCaddyfile({
+      domain: "example.dev",
+      ssoHost: "sso.example.dev",
+      fbiAuthPort: 2433,
+      fbiProxyPort: 2432,
+      acmeEmail: "ops@example.dev",
+      tlsMode: "auto",
+      withAuth: true,
+    });
+
+    expect(out).toMatchInlineSnapshot(`
+      "{
+        email ops@example.dev
+      }
+
+      sso.example.dev {
+        reverse_proxy 127.0.0.1:2433
+      }
+
+      *.example.dev {
+        @notauth not path /api/auth/* /login /callback /logout
+        forward_auth @notauth 127.0.0.1:2433 {
+          uri /api/auth/verify
+          copy_headers Remote-User Remote-Email Remote-Name
+          header_up X-Forwarded-Host {host}
+          header_up X-Forwarded-Uri {uri}
+        }
+        reverse_proxy 127.0.0.1:2432
+      }
+      "
+    `);
+  });
+
+  it("auto TLS = no tls stanza, no global block when no ACME email", () => {
+    const out = generateCaddyfile({
+      domain: "example.dev",
+      ssoHost: "sso.example.dev",
+      fbiAuthPort: 2433,
+      fbiProxyPort: 2432,
+      tlsMode: "auto",
+      withAuth: true,
+    });
+
+    expect(out).not.toContain("tls internal");
+    expect(out).not.toMatch(/^\{\s*email/);
+    expect(out).toContain("sso.example.dev {");
+    expect(out).toContain("*.example.dev {");
+    expect(out).toContain("forward_auth @notauth 127.0.0.1:2433");
+    expect(out).toContain("reverse_proxy 127.0.0.1:2432");
+  });
+
+  it("--with-caddy without --with-auth: only *.domain block, no forward_auth", () => {
+    const out = generateCaddyfile({
+      domain: "fbi.com",
+      fbiProxyPort: 2432,
+      tlsMode: "internal",
+      withAuth: false,
+    });
+
+    expect(out).toMatchInlineSnapshot(`
+      "*.fbi.com {
+        reverse_proxy 127.0.0.1:2432
+        tls internal
+      }
+      "
+    `);
+    expect(out).not.toContain("forward_auth");
+    expect(out).not.toContain("sso.fbi.com");
+  });
+
+  it("--with-caddy standalone, public domain + ACME email", () => {
+    const out = generateCaddyfile({
+      domain: "example.dev",
+      fbiProxyPort: 2432,
+      acmeEmail: "ops@example.dev",
+      tlsMode: "auto",
+      withAuth: false,
+    });
+
+    expect(out).toContain("email ops@example.dev");
+    expect(out).toContain("*.example.dev {");
+    expect(out).toContain("reverse_proxy 127.0.0.1:2432");
+    expect(out).not.toContain("forward_auth");
+    expect(out).not.toContain("sso.");
+    expect(out).not.toContain("tls internal");
+  });
+
+  it("strips a leading dot from the domain", () => {
+    const out = generateCaddyfile({
+      domain: ".fbi.com",
+      fbiProxyPort: 2432,
+      tlsMode: "internal",
+      withAuth: false,
+    });
+    expect(out).toContain("*.fbi.com {");
+    expect(out).not.toContain("*..fbi.com");
+  });
+
+  it("throws when withAuth is true but fbiAuthPort is missing", () => {
+    expect(() =>
+      generateCaddyfile({
+        domain: "fbi.com",
+        fbiProxyPort: 2432,
+        withAuth: true,
+        tlsMode: "internal",
+      }),
+    ).toThrow(/fbiAuthPort/);
+  });
+
+  it("omits the global email block when acmeEmail is empty string", () => {
+    const out = generateCaddyfile({
+      domain: "example.dev",
+      fbiProxyPort: 2432,
+      acmeEmail: "   ",
+      tlsMode: "auto",
+      withAuth: false,
+    });
+    expect(out).not.toMatch(/^\{/);
+  });
+});

package/ts/auth/caddyfileGen.ts

@@ -0,0 +1,142 @@
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+import { mkdir, writeFile, chmod } from "node:fs/promises";
+
+export type CaddyfileOpts = {
+  /** Apex domain (e.g. "example.dev"). A leading "." is stripped. */
+  domain: string;
+  /** SSO host (e.g. "sso.example.dev"). Only used when `withAuth` is true. */
+  ssoHost?: string;
+  /** Local port that fbi-auth listens on. Required when `withAuth` is true. */
+  fbiAuthPort?: number;
+  /** Local port that fbi-proxy (Rust) listens on. */
+  fbiProxyPort: number;
+  /** Optional Let's Encrypt account email — emits a global `{ email ... }` block. */
+  acmeEmail?: string;
+  /**
+   * TLS strategy:
+   *  - "auto" (default): empty stanza — Caddy chooses ACME via Let's Encrypt.
+   *  - "internal": use Caddy's local CA (`tls internal`). Useful for `.fbi.com` etc.
+   */
+  tlsMode?: "auto" | "internal";
+  /**
+   * When true, wires the `forward_auth` directive through to fbi-auth and
+   * exposes `<ssoHost>` as its own site. When false, only the wildcard
+   * `*.<domain>` site is emitted (plain reverse_proxy to fbi-proxy).
+   */
+  withAuth?: boolean;
+};
+
+/**
+ * Generate a Caddyfile suitable for `bunx fbi-proxy --with-caddy [--with-auth]`.
+ *
+ * The shape (when `withAuth=true`):
+ *
+ * ```caddyfile
+ * {
+ *   email <acmeEmail>
+ * }
+ *
+ * <ssoHost> {
+ *   reverse_proxy 127.0.0.1:<fbiAuthPort>
+ *   <tls-stanza>
+ * }
+ *
+ * *.<domain> {
+ *   @notauth not path /api/auth/* /login /callback /logout
+ *   forward_auth @notauth 127.0.0.1:<fbiAuthPort> {
+ *     uri /api/auth/verify
+ *     copy_headers Remote-User Remote-Email Remote-Name
+ *     header_up X-Forwarded-Host {host}
+ *     header_up X-Forwarded-Uri {uri}
+ *   }
+ *   reverse_proxy 127.0.0.1:<fbiProxyPort>
+ *   <tls-stanza>
+ * }
+ * ```
+ *
+ * When `withAuth=false`, only the `*.<domain>` block is emitted and it skips
+ * the `forward_auth` directive — i.e. plain TLS termination + reverse proxy.
+ */
+export function generateCaddyfile(opts: CaddyfileOpts): string {
+  const domain = stripLeadingDot(opts.domain);
+  const tlsMode = opts.tlsMode ?? "auto";
+  const withAuth = opts.withAuth ?? false;
+  const tlsStanza = tlsMode === "internal" ? "  tls internal\n" : "";
+
+  const sections: string[] = [];
+
+  if (opts.acmeEmail && opts.acmeEmail.trim() !== "") {
+    sections.push(`{\n  email ${opts.acmeEmail.trim()}\n}`);
+  }
+
+  if (withAuth) {
+    const ssoHost = opts.ssoHost ?? `sso.${domain}`;
+    const fbiAuthPort = opts.fbiAuthPort;
+    if (fbiAuthPort === undefined) {
+      throw new Error(
+        "generateCaddyfile: fbiAuthPort is required when withAuth is true",
+      );
+    }
+    sections.push(
+      `${ssoHost} {\n` +
+        `  reverse_proxy 127.0.0.1:${fbiAuthPort}\n` +
+        tlsStanza +
+        `}`,
+    );
+
+    sections.push(
+      `*.${domain} {\n` +
+        `  @notauth not path /api/auth/* /login /callback /logout\n` +
+        `  forward_auth @notauth 127.0.0.1:${fbiAuthPort} {\n` +
+        `    uri /api/auth/verify\n` +
+        `    copy_headers Remote-User Remote-Email Remote-Name\n` +
+        `    header_up X-Forwarded-Host {host}\n` +
+        `    header_up X-Forwarded-Uri {uri}\n` +
+        `  }\n` +
+        `  reverse_proxy 127.0.0.1:${opts.fbiProxyPort}\n` +
+        tlsStanza +
+        `}`,
+    );
+  } else {
+    sections.push(
+      `*.${domain} {\n` +
+        `  reverse_proxy 127.0.0.1:${opts.fbiProxyPort}\n` +
+        tlsStanza +
+        `}`,
+    );
+  }
+
+  return sections.join("\n\n") + "\n";
+}
+
+export function defaultCaddyfilePath(): string {
+  return (
+    process.env.FBI_PROXY_CADDYFILE_PATH ??
+    join(
+      process.env.XDG_CONFIG_HOME ?? join(homedir(), ".config"),
+      "fbi-proxy",
+      "Caddyfile",
+    )
+  );
+}
+
+/**
+ * Render and write the Caddyfile to disk. Returns the rendered string and the
+ * absolute path it was written to. Creates parent directories as needed and
+ * chmods the file to 0644 (it's not a secret).
+ */
+export async function writeCaddyfile(
+  opts: CaddyfileOpts,
+  path = defaultCaddyfilePath(),
+): Promise<{ content: string; path: string }> {
+  const content = generateCaddyfile(opts);
+  await mkdir(dirname(path), { recursive: true });
+  await writeFile(path, content, "utf8");
+  await chmod(path, 0o644);
+  return { content, path };
+}
+
+function stripLeadingDot(d: string): string {
+  return d.startsWith(".") ? d.slice(1) : d;
+}

package/ts/auth/downloadCaddy.test.ts

@@ -0,0 +1,131 @@
+import { describe, it, expect } from "vitest";
+import {
+  detectPlatform,
+  buildAssetName,
+  buildAssetUrl,
+  buildChecksumsUrl,
+  parseChecksums,
+} from "./downloadCaddy";
+
+describe("detectPlatform", () => {
+  it("maps linux/x64 → linux/amd64/tar.gz", () => {
+    expect(detectPlatform("linux", "x64")).toEqual({
+      os: "linux",
+      arch: "amd64",
+      ext: "tar.gz",
+    });
+  });
+
+  it("maps linux/arm64 → linux/arm64/tar.gz", () => {
+    expect(detectPlatform("linux", "arm64")).toEqual({
+      os: "linux",
+      arch: "arm64",
+      ext: "tar.gz",
+    });
+  });
+
+  it("maps darwin/arm64 → darwin/arm64/tar.gz (Apple Silicon)", () => {
+    expect(detectPlatform("darwin", "arm64")).toEqual({
+      os: "darwin",
+      arch: "arm64",
+      ext: "tar.gz",
+    });
+  });
+
+  it("maps win32/x64 → windows/amd64/zip", () => {
+    expect(detectPlatform("win32", "x64")).toEqual({
+      os: "windows",
+      arch: "amd64",
+      ext: "zip",
+    });
+  });
+
+  it("throws on unsupported OS", () => {
+    expect(() => detectPlatform("freebsd" as NodeJS.Platform, "x64")).toThrow(
+      /Unsupported OS/,
+    );
+  });
+
+  it("throws on unsupported arch", () => {
+    expect(() => detectPlatform("linux", "mips")).toThrow(/Unsupported arch/);
+  });
+});
+
+describe("buildAssetName", () => {
+  it("matches Caddy's release naming for linux amd64", () => {
+    expect(
+      buildAssetName("v2.11.3", { os: "linux", arch: "amd64", ext: "tar.gz" }),
+    ).toBe("caddy_2.11.3_linux_amd64.tar.gz");
+  });
+
+  it("accepts a version without the v prefix", () => {
+    expect(
+      buildAssetName("2.11.3", { os: "darwin", arch: "arm64", ext: "tar.gz" }),
+    ).toBe("caddy_2.11.3_darwin_arm64.tar.gz");
+  });
+
+  it("uses .zip for windows", () => {
+    expect(
+      buildAssetName("v2.11.3", { os: "windows", arch: "amd64", ext: "zip" }),
+    ).toBe("caddy_2.11.3_windows_amd64.zip");
+  });
+});
+
+describe("buildAssetUrl", () => {
+  it("points at the GitHub Releases asset CDN with the v-prefixed tag", () => {
+    expect(buildAssetUrl("v2.11.3", "caddy_2.11.3_linux_amd64.tar.gz")).toBe(
+      "https://github.com/caddyserver/caddy/releases/download/v2.11.3/caddy_2.11.3_linux_amd64.tar.gz",
+    );
+  });
+
+  it("normalizes a bare version into a v-tag", () => {
+    expect(buildAssetUrl("2.11.3", "caddy_2.11.3_linux_amd64.tar.gz")).toBe(
+      "https://github.com/caddyserver/caddy/releases/download/v2.11.3/caddy_2.11.3_linux_amd64.tar.gz",
+    );
+  });
+});
+
+describe("buildChecksumsUrl", () => {
+  it("uses the `caddy_<v>_checksums.txt` naming Caddy ships", () => {
+    expect(buildChecksumsUrl("v2.11.3")).toBe(
+      "https://github.com/caddyserver/caddy/releases/download/v2.11.3/caddy_2.11.3_checksums.txt",
+    );
+  });
+});
+
+describe("parseChecksums", () => {
+  it("parses the real Caddy checksums.txt shape", () => {
+    const fixture = [
+      "abc123  caddy_2.11.3_buildable-artifact.tar.gz",
+      "def456  caddy_2.11.3_linux_amd64.tar.gz",
+      "0123456789abcdef  caddy_2.11.3_darwin_arm64.tar.gz",
+    ].join("\n");
+    const map = parseChecksums(fixture);
+    expect(map.size).toBe(3);
+    expect(map.get("caddy_2.11.3_linux_amd64.tar.gz")).toBe("def456");
+    expect(map.get("caddy_2.11.3_darwin_arm64.tar.gz")).toBe(
+      "0123456789abcdef",
+    );
+  });
+
+  it("skips blank lines and comments", () => {
+    const map = parseChecksums(`
+# this is a comment
+
+abc  some.tar.gz
+
+`);
+    expect(map.size).toBe(1);
+    expect(map.get("some.tar.gz")).toBe("abc");
+  });
+
+  it("normalizes hex to lowercase", () => {
+    const map = parseChecksums("ABCDEF  file.tar.gz");
+    expect(map.get("file.tar.gz")).toBe("abcdef");
+  });
+
+  it("tolerates the BSD '*filename' marker", () => {
+    const map = parseChecksums("abc  *file.tar.gz");
+    expect(map.get("file.tar.gz")).toBe("abc");
+  });
+});