fbi-proxy 1.9.0 → 1.10.0

package/ts/auth/downloadCaddy.ts

@@ -0,0 +1,213 @@
+import {
+  mkdir,
+  writeFile,
+  rm,
+  chmod,
+  rename,
+  copyFile,
+} from "node:fs/promises";
+import { existsSync } from "node:fs";
+import { createHash } from "node:crypto";
+import { join } from "node:path";
+import { homedir, tmpdir } from "node:os";
+
+export type CaddyPlatform = {
+  os: "linux" | "darwin" | "windows";
+  arch: "amd64" | "arm64";
+  ext: "tar.gz" | "zip";
+};
+
+export function detectPlatform(
+  platform: NodeJS.Platform = process.platform,
+  arch: string = process.arch,
+): CaddyPlatform {
+  const osMap: Partial<Record<NodeJS.Platform, CaddyPlatform["os"]>> = {
+    linux: "linux",
+    darwin: "darwin",
+    win32: "windows",
+  };
+  const archMap: Record<string, CaddyPlatform["arch"]> = {
+    x64: "amd64",
+    arm64: "arm64",
+  };
+  const os = osMap[platform];
+  if (!os) throw new Error(`Unsupported OS: ${platform}`);
+  const mappedArch = archMap[arch];
+  if (!mappedArch) throw new Error(`Unsupported arch: ${arch}`);
+  return { os, arch: mappedArch, ext: os === "windows" ? "zip" : "tar.gz" };
+}
+
+export function buildAssetName(version: string, p: CaddyPlatform): string {
+  const v = version.replace(/^v/, "");
+  return `caddy_${v}_${p.os}_${p.arch}.${p.ext}`;
+}
+
+export function buildAssetUrl(version: string, name: string): string {
+  const tag = version.startsWith("v") ? version : `v${version}`;
+  return `https://github.com/caddyserver/caddy/releases/download/${tag}/${name}`;
+}
+
+export function buildChecksumsUrl(version: string): string {
+  const v = version.replace(/^v/, "");
+  const tag = version.startsWith("v") ? version : `v${version}`;
+  return `https://github.com/caddyserver/caddy/releases/download/${tag}/caddy_${v}_checksums.txt`;
+}
+
+export async function fetchLatestVersion(
+  signal?: AbortSignal,
+): Promise<string> {
+  const res = await fetch(
+    "https://api.github.com/repos/caddyserver/caddy/releases/latest",
+    { signal, headers: { "User-Agent": "fbi-proxy" } },
+  );
+  if (!res.ok) {
+    throw new Error(
+      `GitHub API ${res.status} ${res.statusText} for latest release`,
+    );
+  }
+  const data = (await res.json()) as { tag_name?: string };
+  if (!data.tag_name)
+    throw new Error("GitHub API: response is missing tag_name");
+  return data.tag_name;
+}
+
+/** Parse a checksums.txt file. Format: `<hex>  <filename>` per line. */
+export function parseChecksums(text: string): Map<string, string> {
+  const out = new Map<string, string>();
+  for (const line of text.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const m = trimmed.match(/^([a-fA-F0-9]+)\s+\*?(.+)$/);
+    if (m) out.set(m[2]!.trim(), m[1]!.toLowerCase());
+  }
+  return out;
+}
+
+async function sha512OfPath(path: string): Promise<string> {
+  const hash = createHash("sha512");
+  const f = Bun.file(path);
+  const stream = f.stream();
+  for await (const chunk of stream) hash.update(chunk);
+  return hash.digest("hex");
+}
+
+export type DownloadOpts = {
+  version?: string;
+  destDir?: string;
+  signal?: AbortSignal;
+  log?: (msg: string) => void;
+  platform?: CaddyPlatform;
+};
+
+/**
+ * Download, verify (SHA-512 against the release's checksums.txt), extract,
+ * and install a Caddy binary into `destDir` (default `~/.fbi-proxy/bin`).
+ * Returns the absolute path to the extracted binary.
+ *
+ * Skips network work if the destination binary already exists.
+ */
+export async function downloadCaddy(opts: DownloadOpts = {}): Promise<string> {
+  const log = opts.log ?? ((m) => console.log(`[caddy-download] ${m}`));
+  const platform = opts.platform ?? detectPlatform();
+  const destDir = opts.destDir ?? join(homedir(), ".fbi-proxy", "bin");
+  const binaryName = platform.os === "windows" ? "caddy.exe" : "caddy";
+  const destPath = join(destDir, binaryName);
+
+  if (existsSync(destPath)) {
+    log(`already installed: ${destPath}`);
+    return destPath;
+  }
+
+  const version = opts.version ?? (await fetchLatestVersion(opts.signal));
+  log(`platform: ${platform.os}/${platform.arch}, version: ${version}`);
+
+  const assetName = buildAssetName(version, platform);
+  const assetUrl = buildAssetUrl(version, assetName);
+  const checksumsUrl = buildChecksumsUrl(version);
+
+  log(`fetching checksums: ${checksumsUrl}`);
+  const cksRes = await fetch(checksumsUrl, {
+    signal: opts.signal,
+    headers: { "User-Agent": "fbi-proxy" },
+  });
+  if (!cksRes.ok)
+    throw new Error(
+      `checksums fetch failed: ${cksRes.status} ${cksRes.statusText}`,
+    );
+  const checksums = parseChecksums(await cksRes.text());
+  const expectedSum = checksums.get(assetName);
+  if (!expectedSum) {
+    throw new Error(
+      `no checksum entry for '${assetName}' — release may not include this platform`,
+    );
+  }
+
+  await mkdir(destDir, { recursive: true });
+  const tmpArchive = join(tmpdir(), `fbi-proxy.${process.pid}.${assetName}`);
+
+  log(`downloading: ${assetUrl}`);
+  const dlRes = await fetch(assetUrl, {
+    signal: opts.signal,
+    headers: { "User-Agent": "fbi-proxy" },
+  });
+  if (!dlRes.ok)
+    throw new Error(`download failed: ${dlRes.status} ${dlRes.statusText}`);
+  const bytes = await dlRes.arrayBuffer();
+  await writeFile(tmpArchive, Buffer.from(bytes));
+  log(`downloaded ${bytes.byteLength} bytes`);
+
+  const actualSum = await sha512OfPath(tmpArchive);
+  if (actualSum !== expectedSum) {
+    await rm(tmpArchive, { force: true });
+    throw new Error(
+      `SHA-512 mismatch for ${assetName}\n  expected: ${expectedSum}\n  got:      ${actualSum}`,
+    );
+  }
+  log("checksum OK");
+
+  const tmpExtract = join(tmpdir(), `fbi-proxy-extract.${process.pid}`);
+  await rm(tmpExtract, { recursive: true, force: true });
+  await mkdir(tmpExtract, { recursive: true });
+
+  const tarCmd =
+    platform.ext === "tar.gz"
+      ? ["tar", "-xzf", tmpArchive, "-C", tmpExtract]
+      : ["tar", "-xf", tmpArchive, "-C", tmpExtract];
+  log(`extracting: ${tarCmd.join(" ")}`);
+  const proc = Bun.spawn(tarCmd, { stdout: "inherit", stderr: "inherit" });
+  const code = await proc.exited;
+  if (code !== 0) {
+    await rm(tmpArchive, { force: true });
+    await rm(tmpExtract, { recursive: true, force: true });
+    throw new Error(`tar extraction exited with code ${code}`);
+  }
+
+  const extractedBinary = join(tmpExtract, binaryName);
+  if (!existsSync(extractedBinary)) {
+    await rm(tmpArchive, { force: true });
+    await rm(tmpExtract, { recursive: true, force: true });
+    throw new Error(
+      `archive did not contain expected '${binaryName}' at top level`,
+    );
+  }
+
+  // Use copy+unlink instead of rename to handle cross-filesystem moves
+  // (e.g. /tmp on tmpfs vs ~/.fbi-proxy on a different mount). rename(2)
+  // fails with EXDEV in that case.
+  try {
+    await rename(extractedBinary, destPath);
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code === "EXDEV") {
+      await copyFile(extractedBinary, destPath);
+    } else {
+      throw err;
+    }
+  }
+  if (platform.os !== "windows") await chmod(destPath, 0o755);
+
+  await rm(tmpArchive, { force: true });
+  await rm(tmpExtract, { recursive: true, force: true });
+
+  log(`installed: ${destPath}`);
+  return destPath;
+}

package/ts/auth/setupWizard.ts

@@ -0,0 +1,183 @@
+import * as readline from "node:readline/promises";
+import { stdin, stdout } from "node:process";
+import type { AuthConfigShape } from "./authConfig";
+import { randomBytes } from "node:crypto";
+
+export type WizardPrompter = {
+  ask: (question: string, defaultValue?: string) => Promise<string>;
+  askChoice: (question: string, choices: readonly string[]) => Promise<number>;
+  print: (line: string) => void;
+};
+
+export type WizardOptions = {
+  domain: string;
+  existing?: AuthConfigShape | null;
+};
+
+export async function runWizard(
+  prompter: WizardPrompter,
+  opts: WizardOptions,
+): Promise<AuthConfigShape> {
+  prompter.print("");
+  prompter.print("fbi-auth setup wizard");
+  prompter.print("─────────────────────");
+  prompter.print("");
+
+  const domain = await prompter.ask("Domain to gate", opts.domain);
+  const cleanDomain = domain.replace(/^\.+/, "").trim();
+
+  const providerIdx = await prompter.askChoice("Identity provider", [
+    "Google OAuth (BYO client ID + secret)",
+    "Firebase Auth (BYO project ID)",
+    "Snolab default (zero-config; supported domains only)",
+  ]);
+  const provider: AuthConfigShape["provider"] =
+    providerIdx === 0 ? "google" : providerIdx === 1 ? "firebase" : "snolab";
+
+  let clientId: string | undefined;
+  let clientSecret: string | undefined;
+  let firebase: AuthConfigShape["firebase"];
+
+  if (provider === "google") {
+    clientId = await prompter.ask(
+      "Google OAuth Client ID",
+      opts.existing?.provider === "google" ? opts.existing.clientId : undefined,
+    );
+    clientSecret = await prompter.ask(
+      "Google OAuth Client Secret",
+      opts.existing?.provider === "google"
+        ? opts.existing.clientSecret
+        : undefined,
+    );
+    prompter.print("");
+    prompter.print(
+      `  → Add this redirect URI in Google Cloud Console: https://sso.${cleanDomain}/callback`,
+    );
+    prompter.print("");
+  } else if (provider === "firebase") {
+    const projectId = await prompter.ask(
+      "Firebase Project ID",
+      opts.existing?.firebase?.projectId,
+    );
+    const apiKey = await prompter.ask(
+      "Firebase Web API Key (optional)",
+      opts.existing?.firebase?.apiKey ?? "",
+    );
+    const authDomain = await prompter.ask(
+      "Firebase Auth Domain",
+      opts.existing?.firebase?.authDomain ?? `${projectId}.firebaseapp.com`,
+    );
+    firebase = {
+      projectId: projectId.trim(),
+      apiKey: apiKey.trim() || undefined,
+      authDomain: authDomain.trim() || undefined,
+    };
+  } else {
+    // provider === "snolab" — no credentials to collect. The IdP values
+    // are baked into lib/fbi-auth/src/snolabDefaults.ts. Server startup
+    // will surface a clear error if the snolab project hasn't published
+    // values yet, or if the chosen domain isn't on the supported list.
+    prompter.print("");
+    prompter.print(
+      `  → Snolab default IdP — no credentials needed. Domain '${cleanDomain}'`,
+    );
+    prompter.print(
+      `    will be checked against SNOLAB_SUPPORTED_DOMAINS at startup.`,
+    );
+    prompter.print("");
+  }
+
+  const allowIdx = await prompter.askChoice("Allowlist policy", [
+    "Anyone who completes sign-in",
+    "Specific email addresses",
+    "Specific email domain(s)",
+  ]);
+
+  let allowlist: AuthConfigShape["allowlist"] = { anySignedIn: true };
+  if (allowIdx === 1) {
+    const raw = await prompter.ask("Allowed emails (comma-separated)");
+    allowlist = {
+      emails: raw
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean),
+      anySignedIn: false,
+    };
+  } else if (allowIdx === 2) {
+    const raw = await prompter.ask("Allowed email domains (comma-separated)");
+    allowlist = {
+      domains: raw
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean),
+      anySignedIn: false,
+    };
+  }
+
+  const cfg: AuthConfigShape = {
+    version: 1,
+    domain: cleanDomain,
+    cookieDomain: `.${cleanDomain}`,
+    ssoHost: `sso.${cleanDomain}`,
+    provider,
+    clientId,
+    clientSecret,
+    firebase,
+    sessionSecret:
+      opts.existing?.sessionSecret ?? randomBytes(32).toString("base64url"),
+    allowlist,
+  };
+
+  prompter.print("");
+  prompter.print("Config preview:");
+  prompter.print(JSON.stringify(redact(cfg), null, 2));
+  prompter.print("");
+
+  return cfg;
+}
+
+function redact(c: AuthConfigShape): AuthConfigShape {
+  return {
+    ...c,
+    clientSecret: c.clientSecret ? "***" : undefined,
+    sessionSecret: "***",
+  };
+}
+
+export function readlinePrompter(): WizardPrompter {
+  const rl = readline.createInterface({ input: stdin, output: stdout });
+  return {
+    async ask(question, defaultValue) {
+      const hint =
+        defaultValue !== undefined && defaultValue !== ""
+          ? ` [${defaultValue}]`
+          : "";
+      const answer = (await rl.question(`? ${question}${hint}: `)).trim();
+      return answer || defaultValue || "";
+    },
+    async askChoice(question, choices) {
+      this.print(`? ${question}:`);
+      choices.forEach((c, i) => this.print(`    ${i + 1}) ${c}`));
+      while (true) {
+        const raw = (await rl.question("> ")).trim();
+        const idx = Number(raw) - 1;
+        if (Number.isInteger(idx) && idx >= 0 && idx < choices.length)
+          return idx;
+        this.print(`  (enter 1-${choices.length})`);
+      }
+    },
+    print(line) {
+      stdout.write(line + "\n");
+    },
+  };
+}
+
+export function isTty(): boolean {
+  return Boolean(stdin.isTTY && stdout.isTTY);
+}
+
+export function closeReadlinePrompter(p: WizardPrompter): void {
+  void p;
+  // readline.createInterface keeps stdin in raw-ish mode; calling rl.close() requires the rl ref
+  // — kept simple here since the wizard runs once at startup and we exit/proceed right after.
+}

package/ts/auth/spawnCaddy.ts

@@ -0,0 +1,125 @@
+import { existsSync } from "node:fs";
+import { access } from "node:fs/promises";
+import { constants as fsConstants } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { $ } from "../dSpawn";
+import { downloadCaddy } from "./downloadCaddy";
+
+export type CaddyHandle = {
+  pid: number | undefined;
+  caddyfilePath: string;
+  binary: string;
+  kill: () => void;
+};
+
+/**
+ * Resolve the Caddy binary, preferring (in order):
+ *   1. `CADDY_BIN` env var
+ *   2. `caddy` on $PATH (homebrew, apt, scoop, xcaddy, …)
+ *   3. `~/.fbi-proxy/bin/caddy` (previously auto-downloaded)
+ *   4. Auto-download the latest release from GitHub, verify SHA-512,
+ *      install to `~/.fbi-proxy/bin/caddy`, and use it.
+ *
+ * Set `FBI_CADDY_AUTO_DOWNLOAD=false` to disable step 4 (e.g. for
+ * air-gapped environments). When disabled and steps 1-3 all miss,
+ * returns `null` so the CLI can print a helpful error.
+ */
+export async function resolveCaddyBinary(): Promise<string | null> {
+  const fromEnv = process.env.CADDY_BIN;
+  if (fromEnv && (await isExecutable(fromEnv))) return fromEnv;
+
+  const fromPath = await whichCaddy();
+  if (fromPath) return fromPath;
+
+  const downloaded = join(homedir(), ".fbi-proxy", "bin", "caddy");
+  if (existsSync(downloaded) && (await isExecutable(downloaded))) {
+    return downloaded;
+  }
+
+  if (process.env.FBI_CADDY_AUTO_DOWNLOAD === "false") {
+    return null;
+  }
+
+  try {
+    console.log(
+      "[caddy] no binary found — downloading the latest release from GitHub (~30 MB).",
+    );
+    console.log("[caddy] (set FBI_CADDY_AUTO_DOWNLOAD=false to opt out)");
+    const path = await downloadCaddy({
+      log: (m) => console.log(`[caddy-download] ${m}`),
+    });
+    return path;
+  } catch (err) {
+    console.error(`[caddy] auto-download failed: ${(err as Error).message}`);
+    return null;
+  }
+}
+
+export function caddyNotFoundMessage(): string {
+  return [
+    "",
+    "[fbi-proxy] --with-caddy was passed but Caddy could not be found or downloaded.",
+    "",
+    "Auto-download from GitHub Releases is the default — if you saw a",
+    "download error above, check your network or set FBI_CADDY_AUTO_DOWNLOAD=false",
+    "and install Caddy manually:",
+    "",
+    "  - macOS:    brew install caddy",
+    "  - Debian:   sudo apt install caddy   (or see https://caddyserver.com/docs/install)",
+    "  - Windows:  scoop install caddy      (or: winget install CaddyServer.Caddy)",
+    "  - Manual:   https://caddyserver.com/download",
+    "",
+    "Or point fbi-proxy at an existing binary:",
+    "  CADDY_BIN=/path/to/caddy bunx fbi-proxy --with-caddy --domain <your-domain>",
+    "",
+  ].join("\n");
+}
+
+/**
+ * Spawn `caddy run --config <caddyfilePath>` as a tracked child process.
+ *
+ * The caller is expected to have already verified the binary is reachable via
+ * `resolveCaddyBinary()`. If you pass a custom binary path via `opts.binary`,
+ * we use it directly.
+ */
+export async function spawnCaddy(opts: {
+  caddyfilePath: string;
+  binary?: string;
+}): Promise<CaddyHandle | null> {
+  const binary = opts.binary ?? (await resolveCaddyBinary());
+  if (!binary) return null;
+
+  console.log(`[caddy] using binary: ${binary}`);
+  console.log(`[caddy] config: ${opts.caddyfilePath}`);
+
+  const proc =
+    $`${binary} run --config ${opts.caddyfilePath} --adapter caddyfile`.process;
+
+  proc.on("exit", (code) => {
+    console.log(`[caddy] exited with code ${code}`);
+  });
+
+  return {
+    pid: proc.pid,
+    caddyfilePath: opts.caddyfilePath,
+    binary,
+    kill: () => proc.kill?.(),
+  };
+}
+
+async function isExecutable(path: string): Promise<boolean> {
+  try {
+    await access(path, fsConstants.X_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function whichCaddy(): Promise<string | null> {
+  const result = await $`which caddy`.catch(() => null);
+  if (!result || result.code !== 0) return null;
+  const out = result.out.trim();
+  return out.length > 0 ? out.split("\n")[0]!.trim() : null;
+}

package/ts/auth/spawnFbiAuth.ts

@@ -0,0 +1,43 @@
+import path from "node:path";
+import getPort from "get-port";
+import { $ } from "../dSpawn";
+
+export type FbiAuthHandle = {
+  port: number;
+  pid: number | undefined;
+  kill: () => void;
+};
+
+export async function spawnFbiAuth(opts: {
+  configPath: string;
+  preferredPort?: number;
+}): Promise<FbiAuthHandle> {
+  const port = await getPort({ port: opts.preferredPort ?? 2433 });
+  const entry = path.resolve(
+    import.meta.dir,
+    "..",
+    "..",
+    "lib",
+    "fbi-auth",
+    "src",
+    "server.ts",
+  );
+
+  const proc = $.opt({
+    env: {
+      ...process.env,
+      FBI_AUTH_PORT: String(port),
+      FBI_AUTH_CONFIG_PATH: opts.configPath,
+    },
+  })`bun ${entry}`.process;
+
+  proc.on("exit", (code) => {
+    console.log(`[fbi-auth] exited with code ${code}`);
+  });
+
+  return {
+    port,
+    pid: proc.pid,
+    kill: () => proc.kill?.(),
+  };
+}

package/ts/buildFbiProxy.ts

@@ -8,10 +8,7 @@ if (import.meta.main) {
   await getFbiProxyBinary();
 }
 
-export async function getFbiProxyBinary({
-  rebuild = false,
-  originalCwd = "",
-} = {}) {
+export async function getFbiProxyBinary({ rebuild = false, originalCwd = "" } = {}) {
   const isWin = process.platform === "win32";
   const binaryName = getFbiProxyFilename();
   const binarySuffix = isWin ? ".exe" : "";
@@ -19,10 +16,7 @@ export async function getFbiProxyBinary({
   // Check for local build in original working directory first
   // This allows users to run `bunx fbi-proxy` from their local repo and use their own build
   if (!rebuild && originalCwd) {
-    const localBuilt = path.join(
-      originalCwd,
-      `target/release/fbi-proxy${binarySuffix}`,
-    );
+    const localBuilt = path.join(originalCwd, `target/release/fbi-proxy${binarySuffix}`);
     if (existsSync(localBuilt)) {
       console.log(`Using local build: ${localBuilt}`);
       await chmod(localBuilt, 0o755).catch(() => {});
@@ -61,7 +55,5 @@ export async function getFbiProxyBinary({
     return built;
   }
 
-  throw new Error(
-    "Oops, failed to build fbi-proxy binary. Please check your Rust setup.",
-  );
+  throw new Error("Oops, failed to build fbi-proxy binary. Please check your Rust setup.");
 }