fied 0.2.0 → 0.2.1

package/dist/bin.js

@@ -166,10 +166,18 @@ var DEFAULT_RELAY = "https://fied.app";
 var MSG_TERMINAL_OUTPUT = 1;
 var MSG_TERMINAL_INPUT = 2;
 var MSG_RESIZE = 3;
+var RESIZE_MIN_COLS = 20;
+var RESIZE_MAX_COLS = 1e3;
+var RESIZE_MIN_ROWS = 5;
+var RESIZE_MAX_ROWS = 300;
+var MAX_INVALID_RESIZE_FRAMES = 5;
 var RECONNECT_BASE_MS = 1e3;
 var RECONNECT_MAX_MS = 3e4;
 async function share(options) {
-  const relay = options.relay ?? DEFAULT_RELAY;
+  const relayTarget = parseRelayTarget(
+    options.relay ?? DEFAULT_RELAY,
+    options.allowInsecureRelay ?? process.env.FIED_ALLOW_INSECURE_RELAY === "1"
+  );
   const sessions = listSessions();
   if (sessions.length === 0) {
     console.error("No tmux sessions found. Start one with: tmux new -s mysession");
@@ -205,36 +213,75 @@ async function share(options) {
     console.log(`  Size:     ${cols}x${rows}`);
     console.log("");
   }
-  const bridge = new RelayBridge(relay, cryptoKey, keyFragment, pty, options.background);
+  const bridge = new RelayBridge(relayTarget, cryptoKey, keyFragment, pty, options.background);
   const onUrl = (url) => {
     if (options.background) {
       addSession({
         pid: process.pid,
         tmuxSession: targetSession,
         url,
-        relay,
+        relay: relayTarget.httpBase.toString(),
         startedAt: (/* @__PURE__ */ new Date()).toISOString()
       });
     }
   };
   await bridge.connect(onUrl);
-  const shutdown = () => {
+  let closed = false;
+  const cleanup = () => {
+    if (closed) return;
+    closed = true;
     bridge.destroy();
-    pty.kill();
-    if (options.background) removeSession(process.pid);
+    try {
+      pty.kill();
+    } catch {
+    }
+    if (options.background) {
+      removeSession(process.pid);
+    }
+  };
+  const exitNow = (code) => {
+    cleanup();
+    process.exit(code);
   };
-  process.on("SIGINT", shutdown);
-  process.on("SIGTERM", shutdown);
+  process.once("SIGINT", () => exitNow(0));
+  process.once("SIGTERM", () => exitNow(0));
   await new Promise((resolve) => {
     pty.onExit(() => {
-      bridge.destroy();
-      if (options.background) removeSession(process.pid);
+      cleanup();
       resolve();
     });
   });
 }
-async function createSession(relay) {
-  const res = await fetch(`${relay}/api/sessions`, { method: "POST" });
+function parseRelayTarget(relay, allowInsecureRelay) {
+  let parsed;
+  try {
+    parsed = new URL(relay);
+  } catch {
+    throw new Error(`Invalid relay URL: ${relay}`);
+  }
+  const isHttps = parsed.protocol === "https:";
+  const isHttp = parsed.protocol === "http:";
+  const isLocalhost = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "::1";
+  if (!isHttps) {
+    if (!(isHttp && isLocalhost && allowInsecureRelay)) {
+      throw new Error(
+        "Relay must use https://. For local development, use http://localhost with --allow-insecure-relay or FIED_ALLOW_INSECURE_RELAY=1"
+      );
+    }
+  }
+  const httpBase = new URL(parsed.toString());
+  httpBase.hash = "";
+  httpBase.search = "";
+  if (!httpBase.pathname.endsWith("/")) {
+    httpBase.pathname = `${httpBase.pathname}/`;
+  }
+  const wsBase = new URL(httpBase.toString());
+  wsBase.protocol = httpBase.protocol === "https:" ? "wss:" : "ws:";
+  return { httpBase, wsBase };
+}
+async function createSession(relayHttpBase) {
+  const url = new URL("api/sessions", relayHttpBase);
+  const res = await fetch(url.toString(), { method: "POST" });
   if (!res.ok) {
     throw new Error(`Failed to create session: ${res.status} ${res.statusText}`);
   }
@@ -243,8 +290,8 @@ async function createSession(relay) {
 }
 var WS_CONNECT_TIMEOUT_MS = 1e4;
 var RelayBridge = class {
-  constructor(relay, key, keyFragment, pty, silent = false) {
-    this.relay = relay;
+  constructor(relayTarget, key, keyFragment, pty, silent = false) {
+    this.relayTarget = relayTarget;
     this.key = key;
     this.keyFragment = keyFragment;
     this.pty = pty;
@@ -263,18 +310,24 @@ var RelayBridge = class {
   encoder = new TextEncoder();
   decoder = new TextDecoder();
   sessionId = null;
+  onUrl = null;
+  invalidResizeFrames = 0;
   async connect(onUrl) {
     if (this.destroyed) return;
+    if (onUrl) {
+      this.onUrl = onUrl;
+    }
     if (!this.sessionId) {
       try {
-        this.sessionId = await createSession(this.relay);
+        this.sessionId = await createSession(this.relayTarget.httpBase);
       } catch {
         if (!this.silent) console.error("  \x1B[31mRelay unreachable, retrying...\x1B[0m");
         this.scheduleReconnect();
         return;
       }
-      const url = `${this.relay}/s/${this.sessionId}#${this.keyFragment}`;
-      onUrl?.(url);
+      const shareUrl = new URL(`s/${this.sessionId}`, this.relayTarget.httpBase);
+      const url = `${shareUrl.toString()}#${this.keyFragment}`;
+      this.onUrl?.(url);
       if (!this.silent) {
         console.log(`  \x1B[1mShare this link:\x1B[0m`);
         console.log(`  \x1B[4m\x1B[36m${url}\x1B[0m`);
@@ -284,8 +337,9 @@ var RelayBridge = class {
         console.log("");
       }
     }
-    const wsUrl = this.relay.replace(/^http/, "ws") + `/api/sessions/${this.sessionId}/ws?role=host`;
-    const ws = new WebSocket(wsUrl);
+    const wsUrl = new URL(`api/sessions/${this.sessionId}/ws`, this.relayTarget.wsBase);
+    wsUrl.searchParams.set("role", "host");
+    const ws = new WebSocket(wsUrl.toString());
     ws.binaryType = "arraybuffer";
     this.ws = ws;
     this.connectTimeout = setTimeout(() => {
@@ -316,10 +370,22 @@ var RelayBridge = class {
           this.pty.write(this.decoder.decode(plaintext));
         } else if (frame.type === MSG_RESIZE) {
           const plaintext = await decrypt(this.key, frame.iv, frame.ciphertext);
-          const { cols, rows } = JSON.parse(this.decoder.decode(plaintext));
-          this.pty.resize(cols, rows);
+          const resize = parseResizePayload(this.decoder.decode(plaintext));
+          if (!resize) {
+            this.invalidResizeFrames += 1;
+            if (this.invalidResizeFrames >= MAX_INVALID_RESIZE_FRAMES) {
+              ws.close(1008, "invalid resize frames");
+            }
+            return;
+          }
+          this.invalidResizeFrames = 0;
+          this.pty.resize(resize.cols, resize.rows);
+        }
+      } catch (err) {
+        if (!this.silent) {
+          const detail = err instanceof Error ? err.message : String(err);
+          console.error(`  \x1B[33mIncoming frame rejected:\x1B[0m ${detail}`);
         }
-      } catch {
       }
     });
     ws.on("close", () => {
@@ -365,10 +431,30 @@ var RelayBridge = class {
       const { iv, ciphertext } = await encrypt(this.key, plaintext);
       const frame = frameMessage(type, iv, ciphertext);
       this.ws.send(frame);
-    } catch {
+    } catch (err) {
+      if (!this.silent) {
+        const detail = err instanceof Error ? err.message : String(err);
+        console.error(`  \x1B[33mEncryption failed:\x1B[0m ${detail}`);
+      }
     }
   }
 };
+function parseResizePayload(payload) {
+  let parsed;
+  try {
+    parsed = JSON.parse(payload);
+  } catch {
+    return null;
+  }
+  if (!parsed || typeof parsed !== "object") return null;
+  const typed = parsed;
+  if (!Number.isInteger(typed.cols) || !Number.isInteger(typed.rows)) return null;
+  const cols = typed.cols;
+  const rows = typed.rows;
+  if (cols < RESIZE_MIN_COLS || cols > RESIZE_MAX_COLS) return null;
+  if (rows < RESIZE_MIN_ROWS || rows > RESIZE_MAX_ROWS) return null;
+  return { cols, rows };
+}
 
 // src/prompt.ts
 import { createInterface } from "node:readline";
@@ -438,6 +524,7 @@ if (args.includes("--help") || args.includes("-h")) {
   \x1B[1mOptions:\x1B[0m
     --session, -s <name>   tmux session to share (auto-detected if only one)
     --relay <url>          relay server URL (default: https://fied.app)
+    --allow-insecure-relay allow http://localhost relay (dev only)
     --help, -h             show this help
 
   \x1B[1mExamples:\x1B[0m
@@ -454,6 +541,8 @@ if (args.includes("--__daemon")) {
       options.session = args[++i];
     } else if (args[i] === "--relay" && args[i + 1]) {
       options.relay = args[++i];
+    } else if (args[i] === "--allow-insecure-relay") {
+      options.allowInsecureRelay = true;
     }
   }
   share({ ...options, background: true }).catch(() => process.exit(1));
@@ -466,11 +555,14 @@ if (args.includes("--__daemon")) {
 async function main() {
   let relay;
   let session;
+  let allowInsecureRelay = false;
   for (let i = 0; i < args.length; i++) {
     if ((args[i] === "--session" || args[i] === "-s") && args[i + 1]) {
       session = args[++i];
     } else if (args[i] === "--relay" && args[i + 1]) {
       relay = args[++i];
+    } else if (args[i] === "--allow-insecure-relay") {
+      allowInsecureRelay = true;
     } else if (!args[i].startsWith("-")) {
       continue;
     } else {
@@ -531,6 +623,7 @@ async function main() {
     const binPath = fileURLToPath(import.meta.url);
     const childArgs = ["--__daemon", "--session", session];
     if (relay) childArgs.push("--relay", relay);
+    if (allowInsecureRelay) childArgs.push("--allow-insecure-relay");
     const child = spawnChild(process.execPath, [binPath, ...childArgs], {
       detached: true,
       stdio: "ignore"
@@ -543,7 +636,7 @@ async function main() {
     console.error("");
     setTimeout(() => process.exit(0), 500);
   } else {
-    await share({ session, relay });
+    await share({ session, relay, allowInsecureRelay });
   }
 }
 function timeSince(date) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fied",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Share your tmux session in the browser with end-to-end encryption",
   "type": "module",
   "bin": {