fied 0.2.7 → 0.2.9

package/dist/bin.js

@@ -262,9 +262,13 @@ async function share(options) {
   }
   const cols = options.cols ?? process.stdout.columns ?? 80;
   const rows = options.rows ?? process.stdout.rows ?? 24;
-  const rawKey = options.keyBase64Url ? fromBase64Url(options.keyBase64Url) : await generateKey();
-  const cryptoKey = await importKey(rawKey);
-  const keyFragment = options.keyBase64Url ?? toBase64Url(rawKey);
+  const legacyKey = options.keyBase64Url;
+  const readKeyRaw = options.readKeyBase64Url ? fromBase64Url(options.readKeyBase64Url) : legacyKey ? fromBase64Url(legacyKey) : await generateKey();
+  const writeKeyRaw = options.writeKeyBase64Url ? fromBase64Url(options.writeKeyBase64Url) : legacyKey ? fromBase64Url(legacyKey) : await generateKey();
+  const readKey = await importKey(readKeyRaw);
+  const writeKey = await importKey(writeKeyRaw);
+  const readKeyFragment = options.readKeyBase64Url ?? legacyKey ?? toBase64Url(readKeyRaw);
+  const writeKeyFragment = options.writeKeyBase64Url ?? legacyKey ?? toBase64Url(writeKeyRaw);
   const pty = attachSession(targetSession, cols, rows);
   if (!options.background) {
     console.log("");
@@ -274,7 +278,17 @@ async function share(options) {
     console.log(`  Size:     ${cols}x${rows}`);
     console.log("");
   }
-  const bridge = new RelayBridge(relayTarget, cryptoKey, keyFragment, pty, options.background, options.sessionId);
+  const bridge = new RelayBridge(
+    relayTarget,
+    readKey,
+    writeKey,
+    readKeyFragment,
+    writeKeyFragment,
+    pty,
+    options.background,
+    options.showReadonlyLink,
+    options.sessionId
+  );
   const onUrl = (url) => {
     if (options.background) {
       const sessionId = bridge.getSessionId();
@@ -352,6 +366,9 @@ async function createSession(relayHttpBase) {
     throw new Error(`Failed to create session: ${res.status} ${res.statusText}`);
   }
   const data = await res.json();
+  if (typeof data.sessionId !== "string") {
+    throw new Error("Invalid session creation response");
+  }
   return data.sessionId;
 }
 var WS_CONNECT_TIMEOUT_MS = 1e4;
@@ -359,12 +376,15 @@ function typeAAD(type) {
   return new Uint8Array([type & 255]);
 }
 var RelayBridge = class {
-  constructor(relayTarget, key, keyFragment, pty, silent = false, sessionId) {
+  constructor(relayTarget, readKey, writeKey, readKeyFragment, writeKeyFragment, pty, silent = false, showReadonlyLink = false, sessionId) {
     this.relayTarget = relayTarget;
-    this.key = key;
-    this.keyFragment = keyFragment;
+    this.readKey = readKey;
+    this.writeKey = writeKey;
+    this.readKeyFragment = readKeyFragment;
+    this.writeKeyFragment = writeKeyFragment;
     this.pty = pty;
     this.silent = silent;
+    this.showReadonlyLink = showReadonlyLink;
     this.sessionId = sessionId ?? null;
     this.pty.onData((data) => {
       if (this.ws?.readyState === WebSocket.OPEN) {
@@ -402,12 +422,14 @@ var RelayBridge = class {
         return;
       }
       const shareUrl = new URL(`s/${this.sessionId}`, this.relayTarget.httpBase);
-      const interactiveUrl = `${shareUrl.toString()}#${this.keyFragment}`;
+      const interactiveUrl = `${shareUrl.toString()}#r=${encodeURIComponent(this.readKeyFragment)}&w=${encodeURIComponent(this.writeKeyFragment)}`;
       const readonlyShareUrl = new URL(`${shareUrl.pathname.replace(/\/$/, "")}/v`, shareUrl);
-      const readonlyUrl = `${readonlyShareUrl.toString()}#${this.keyFragment}`;
+      const readonlyUrl = `${readonlyShareUrl.toString()}#r=${encodeURIComponent(this.readKeyFragment)}`;
       if (!this.silent) {
         await printShareLinkWithQr("interactive", interactiveUrl);
-        await printShareLinkWithQr("view-only", readonlyUrl);
+        if (this.showReadonlyLink) {
+          await printShareLinkWithQr("view-only", readonlyUrl);
+        }
         console.log("");
         console.log("  \x1B[2mThe encryption key is in the URL fragment (#) \u2014 the server never sees it.\x1B[0m");
         console.log("  \x1B[2mPress Ctrl+C to stop sharing.\x1B[0m");
@@ -446,7 +468,7 @@ var RelayBridge = class {
         const data = new Uint8Array(raw);
         const frame = parseFrame(data);
         if (frame.type === MSG_TERMINAL_INPUT) {
-          const plaintext = await decrypt(this.key, frame.iv, frame.ciphertext, typeAAD(frame.type));
+          const plaintext = await decrypt(this.writeKey, frame.iv, frame.ciphertext, typeAAD(frame.type));
           const input = parseInputPayload(this.decoder.decode(plaintext));
           if (!input || this.isReplayNonce(input.nonce)) {
             this.invalidInputFrames += 1;
@@ -459,7 +481,7 @@ var RelayBridge = class {
           this.rememberInputNonce(input.nonce);
           this.pty.write(input.data);
         } else if (frame.type === MSG_RESIZE) {
-          const plaintext = await decrypt(this.key, frame.iv, frame.ciphertext, typeAAD(frame.type));
+          const plaintext = await decrypt(this.writeKey, frame.iv, frame.ciphertext, typeAAD(frame.type));
           const resize = parseResizePayload(this.decoder.decode(plaintext));
           if (!resize) {
             this.invalidResizeFrames += 1;
@@ -518,7 +540,8 @@ var RelayBridge = class {
   async sendEncrypted(type, plaintext) {
     if (!this.ws || this.ws.readyState !== WebSocket.OPEN) return;
     try {
-      const { iv, ciphertext } = await encrypt(this.key, plaintext, typeAAD(type));
+      const key = type === MSG_TERMINAL_OUTPUT ? this.readKey : this.writeKey;
+      const { iv, ciphertext } = await encrypt(key, plaintext, typeAAD(type));
       const frame = frameMessage(type, iv, ciphertext);
       this.ws.send(frame);
     } catch (err) {
@@ -661,12 +684,14 @@ if (args.includes("--help") || args.includes("-h")) {
   \x1B[1mOptions:\x1B[0m
     --session, -s <name>   tmux session to share (auto-detected if only one)
     --relay <url>          relay server URL (default: https://fied.app)
+    --view-only            print a separate view-only share link
     --allow-insecure-relay allow http://localhost relay (dev only)
     --help, -h             show this help
 
   \x1B[1mExamples:\x1B[0m
     npx fied                       share the only tmux session
     npx fied -s mysession          share a specific session
+    npx fied --view-only           include a view-only link
     npx fied --relay http://localhost:8787   use a local relay
 `);
   process.exit(0);
@@ -680,8 +705,14 @@ if (args.includes("--__daemon")) {
       options.relay = args[++i];
     } else if (args[i] === "--allow-insecure-relay") {
       options.allowInsecureRelay = true;
+    } else if (args[i] === "--view-only") {
+      options.showReadonlyLink = true;
     } else if (args[i] === "--__session-id" && args[i + 1]) {
       options.sessionId = args[++i];
+    } else if (args[i] === "--__read-key" && args[i + 1]) {
+      options.readKeyBase64Url = args[++i];
+    } else if (args[i] === "--__write-key" && args[i + 1]) {
+      options.writeKeyBase64Url = args[++i];
     } else if (args[i] === "--__key" && args[i + 1]) {
       options.keyBase64Url = args[++i];
     }
@@ -697,6 +728,8 @@ async function main() {
   let relay;
   let session;
   let allowInsecureRelay = false;
+  let showReadonlyLink = false;
+  let showReadonlyLinkExplicit = false;
   for (let i = 0; i < args.length; i++) {
     if ((args[i] === "--session" || args[i] === "-s") && args[i + 1]) {
       session = args[++i];
@@ -704,6 +737,9 @@ async function main() {
       relay = args[++i];
     } else if (args[i] === "--allow-insecure-relay") {
       allowInsecureRelay = true;
+    } else if (args[i] === "--view-only") {
+      showReadonlyLink = true;
+      showReadonlyLinkExplicit = true;
     } else if (!args[i].startsWith("-")) {
       continue;
     } else {
@@ -763,10 +799,14 @@ async function main() {
   if (!session) {
     throw new Error("No tmux session selected");
   }
+  if (!showReadonlyLinkExplicit && process.stdin.isTTY && process.stderr.isTTY) {
+    showReadonlyLink = await confirm("Enable view-only share link?");
+  }
   await share({
     session,
     relay,
     allowInsecureRelay,
+    showReadonlyLink,
     onShareUrl: async (url) => {
       const background = await confirm("Run in background?");
       if (!background) {
@@ -778,7 +818,8 @@ async function main() {
         relay,
         allowInsecureRelay,
         sessionId: parsed.sessionId,
-        keyBase64Url: parsed.keyBase64Url
+        readKeyBase64Url: parsed.readKeyBase64Url,
+        writeKeyBase64Url: parsed.writeKeyBase64Url
       });
       console.error("");
       console.error(`  \x1B[1m\x1B[32mfied\x1B[0m \u2014 moved to background (PID ${child.pid})`);
@@ -798,8 +839,10 @@ function spawnBackground(options) {
     options.session,
     "--__session-id",
     options.sessionId,
-    "--__key",
-    options.keyBase64Url
+    "--__read-key",
+    options.readKeyBase64Url,
+    "--__write-key",
+    options.writeKeyBase64Url
   ];
   if (options.relay) childArgs.push("--relay", options.relay);
   if (options.allowInsecureRelay) childArgs.push("--allow-insecure-relay");
@@ -816,9 +859,26 @@ function parseShareUrl(url) {
   if (!match || !parsed.hash) {
     throw new Error("Invalid share URL");
   }
+  const hashRaw = parsed.hash.slice(1);
+  let readKeyBase64Url = "";
+  let writeKeyBase64Url = "";
+  if (hashRaw.includes("=") || hashRaw.includes("&")) {
+    const params = new URLSearchParams(hashRaw);
+    const read = params.get("r");
+    const write = params.get("w");
+    if (read && write) {
+      readKeyBase64Url = read;
+      writeKeyBase64Url = write;
+    }
+  }
+  if (!readKeyBase64Url || !writeKeyBase64Url) {
+    readKeyBase64Url = hashRaw;
+    writeKeyBase64Url = hashRaw;
+  }
   return {
     sessionId: match[1],
-    keyBase64Url: parsed.hash.slice(1)
+    readKeyBase64Url,
+    writeKeyBase64Url
   };
 }
 function timeSince(date) {

package/package.json

@@ -1,11 +1,9 @@
 {
   "name": "fied",
-  "version": "0.2.7",
+  "version": "0.2.9",
   "description": "Share your tmux session in the browser with end-to-end encryption",
   "type": "module",
-  "bin": {
-    "fied": "./dist/bin.js"
-  },
+  "bin": "dist/bin.js",
   "files": [
     "dist/bin.js",
     "README.md"