gitspace 0.2.0-rc.2 → 0.2.0-rc.21

package/worker/src/services/cloudflare.ts

@@ -1,609 +0,0 @@
-/**
- * Cloudflare API service
- *
- * Handles tunnel and DNS management via Cloudflare API.
- */
-
-import type { Env } from '../types';
-
-/**
- * Tunnel creation result
- */
-export interface TunnelResult {
-  id: string;
-  token: string;
-}
-
-/**
- * Find an existing tunnel by name
- */
-async function findTunnelByName(
-  env: Env,
-  name: string
-): Promise<{ id: string; name: string } | null> {
-  const tunnelName = `gitspace-${name}`;
-
-  const response = await fetch(
-    `https://api.cloudflare.com/client/v4/accounts/${env.CF_ACCOUNT_ID}/cfd_tunnel?name=${encodeURIComponent(tunnelName)}`,
-    {
-      method: 'GET',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-      },
-    }
-  );
-
-  if (!response.ok) {
-    return null;
-  }
-
-  const data = (await response.json()) as {
-    success: boolean;
-    result: Array<{ id: string; name: string }>;
-  };
-
-  if (data.success && data.result.length > 0) {
-    return data.result[0];
-  }
-
-  return null;
-}
-
-/**
- * Get tunnel token for an existing tunnel
- */
-async function getTunnelToken(
-  env: Env,
-  tunnelId: string
-): Promise<string> {
-  const response = await fetch(
-    `https://api.cloudflare.com/client/v4/accounts/${env.CF_ACCOUNT_ID}/cfd_tunnel/${tunnelId}/token`,
-    {
-      method: 'GET',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-      },
-    }
-  );
-
-  if (!response.ok) {
-    throw new Error('Failed to get tunnel token');
-  }
-
-  const data = (await response.json()) as {
-    success: boolean;
-    result: string;
-  };
-
-  return data.result;
-}
-
-/**
- * Create a new Cloudflare Tunnel (or reuse existing one)
- */
-export async function createTunnel(
-  env: Env,
-  name: string
-): Promise<TunnelResult> {
-  const tunnelName = `gitspace-${name}`;
-
-  // Check if tunnel already exists
-  const existingTunnel = await findTunnelByName(env, name);
-
-  if (existingTunnel) {
-    console.log(`Reusing existing tunnel: ${existingTunnel.name} (${existingTunnel.id})`);
-
-    // Get fresh token for existing tunnel
-    const token = await getTunnelToken(env, existingTunnel.id);
-
-    return {
-      id: existingTunnel.id,
-      token,
-    };
-  }
-
-  // Create new tunnel
-  // Generate tunnel secret (32 random bytes, base64)
-  const secretBytes = crypto.getRandomValues(new Uint8Array(32));
-  const secret = btoa(String.fromCharCode(...secretBytes));
-
-  const response = await fetch(
-    `https://api.cloudflare.com/client/v4/accounts/${env.CF_ACCOUNT_ID}/cfd_tunnel`,
-    {
-      method: 'POST',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-        'Content-Type': 'application/json',
-      },
-      body: JSON.stringify({
-        name: tunnelName,
-        tunnel_secret: secret,
-      }),
-    }
-  );
-
-  if (!response.ok) {
-    const error = await response.text();
-    throw new Error(`Failed to create tunnel: ${error}`);
-  }
-
-  const data = (await response.json()) as {
-    success: boolean;
-    result: { id: string; token: string };
-    errors?: Array<{ message: string }>;
-  };
-
-  if (!data.success) {
-    throw new Error(
-      `Tunnel creation failed: ${data.errors?.map((e) => e.message).join(', ')}`
-    );
-  }
-
-  return {
-    id: data.result.id,
-    token: data.result.token,
-  };
-}
-
-/**
- * Configure tunnel ingress rules
- *
- * This tells cloudflared where to route traffic for the subdomain.
- * Points to local relay server on port 4480.
- */
-export async function configureTunnelIngress(
-  env: Env,
-  tunnelId: string,
-  subdomain: string
-): Promise<void> {
-  const response = await fetch(
-    `https://api.cloudflare.com/client/v4/accounts/${env.CF_ACCOUNT_ID}/cfd_tunnel/${tunnelId}/configurations`,
-    {
-      method: 'PUT',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-        'Content-Type': 'application/json',
-      },
-      body: JSON.stringify({
-        config: {
-          ingress: [
-            {
-              hostname: `${subdomain}.gitspace.sh`,
-              service: 'http://localhost:4480',
-            },
-            {
-              hostname: `*.${subdomain}.gitspace.sh`,
-              service: 'http://localhost:4480',
-            },
-            {
-              // Catch-all rule (required)
-              service: 'http_status:404',
-            },
-          ],
-        },
-      }),
-    }
-  );
-
-  if (!response.ok) {
-    const error = await response.text();
-    throw new Error(`Failed to configure tunnel ingress: ${error}`);
-  }
-}
-
-/**
- * Delete a Cloudflare Tunnel
- */
-export async function deleteTunnel(env: Env, tunnelId: string): Promise<void> {
-  // First, clean up the tunnel connections
-  await fetch(
-    `https://api.cloudflare.com/client/v4/accounts/${env.CF_ACCOUNT_ID}/cfd_tunnel/${tunnelId}/connections`,
-    {
-      method: 'DELETE',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-      },
-    }
-  );
-
-  // Then delete the tunnel
-  const response = await fetch(
-    `https://api.cloudflare.com/client/v4/accounts/${env.CF_ACCOUNT_ID}/cfd_tunnel/${tunnelId}`,
-    {
-      method: 'DELETE',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-      },
-    }
-  );
-
-  if (!response.ok) {
-    const error = await response.text();
-    throw new Error(`Failed to delete tunnel: ${error}`);
-  }
-}
-
-/**
- * Find existing DNS record by name
- */
-async function findDNSRecord(
-  env: Env,
-  name: string
-): Promise<{ id: string; content: string } | null> {
-  const fullName = name.endsWith('.gitspace.sh') ? name : `${name}.gitspace.sh`;
-
-  const response = await fetch(
-    `https://api.cloudflare.com/client/v4/zones/${env.CF_ZONE_ID}/dns_records?name=${encodeURIComponent(fullName)}`,
-    {
-      method: 'GET',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-      },
-    }
-  );
-
-  if (!response.ok) {
-    return null;
-  }
-
-  const data = (await response.json()) as {
-    success: boolean;
-    result: Array<{ id: string; content: string }>;
-  };
-
-  if (data.success && data.result.length > 0) {
-    return data.result[0];
-  }
-
-  return null;
-}
-
-/**
- * Update existing DNS record
- */
-async function updateDNSRecord(
-  env: Env,
-  recordId: string,
-  name: string,
-  tunnelId: string,
-  comment: string
-): Promise<void> {
-  const response = await fetch(
-    `https://api.cloudflare.com/client/v4/zones/${env.CF_ZONE_ID}/dns_records/${recordId}`,
-    {
-      method: 'PUT',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-        'Content-Type': 'application/json',
-      },
-      body: JSON.stringify({
-        type: 'CNAME',
-        name,
-        content: `${tunnelId}.cfargotunnel.com`,
-        proxied: true,
-        comment,
-      }),
-    }
-  );
-
-  if (!response.ok) {
-    const error = await response.text();
-    throw new Error(`Failed to update DNS record: ${error}`);
-  }
-}
-
-/**
- * Create DNS records for a subdomain (or update existing ones)
- * Returns array of record IDs for later cleanup
- */
-export async function createDNSRecords(
-  env: Env,
-  subdomain: string,
-  tunnelId: string
-): Promise<string[]> {
-  const recordIds: string[] = [];
-
-  const records = [
-    { name: subdomain, comment: `gitspace.sh subdomain for ${subdomain}` },
-    { name: `*.${subdomain}`, comment: `gitspace.sh wildcard for ${subdomain}` },
-  ];
-
-  for (const record of records) {
-    // Check if record already exists
-    const existing = await findDNSRecord(env, record.name);
-
-    if (existing) {
-      console.log(`Updating existing DNS record: ${record.name}`);
-      await updateDNSRecord(env, existing.id, record.name, tunnelId, record.comment);
-      recordIds.push(existing.id);
-      continue;
-    }
-
-    // Create new record
-    const response = await fetch(
-      `https://api.cloudflare.com/client/v4/zones/${env.CF_ZONE_ID}/dns_records`,
-      {
-        method: 'POST',
-        headers: {
-          Authorization: `Bearer ${env.CF_API_TOKEN}`,
-          'Content-Type': 'application/json',
-        },
-        body: JSON.stringify({
-          type: 'CNAME',
-          name: record.name,
-          content: `${tunnelId}.cfargotunnel.com`,
-          proxied: true,
-          comment: record.comment,
-        }),
-      }
-    );
-
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to create DNS record for ${record.name}: ${error}`);
-    }
-
-    const data = (await response.json()) as {
-      success: boolean;
-      result: { id: string };
-    };
-
-    if (data.success) {
-      recordIds.push(data.result.id);
-    }
-  }
-
-  return recordIds;
-}
-
-/**
- * Delete DNS records by ID
- */
-export async function deleteDNSRecords(
-  env: Env,
-  recordIds: string[]
-): Promise<void> {
-  for (const recordId of recordIds) {
-    await fetch(
-      `https://api.cloudflare.com/client/v4/zones/${env.CF_ZONE_ID}/dns_records/${recordId}`,
-      {
-        method: 'DELETE',
-        headers: {
-          Authorization: `Bearer ${env.CF_API_TOKEN}`,
-        },
-      }
-    );
-  }
-}
-
-// ============================================================================
-// Cloudflare for SaaS - Custom Hostnames
-// ============================================================================
-
-/**
- * Custom hostname creation result
- */
-export interface CustomHostnameResult {
-  id: string;
-  hostname: string;
-  status: string;
-}
-
-/**
- * Create a custom hostname with wildcard SSL (Cloudflare for SaaS)
- *
- * This provisions a certificate for *.subdomain.gitspace.sh
- */
-export async function createCustomHostname(
-  env: Env,
-  subdomain: string
-): Promise<CustomHostnameResult> {
-  // Create hostname WITHOUT the * prefix - Cloudflare adds wildcard SAN automatically
-  // when wildcard: true is set. This covers both brad.gitspace.sh AND *.brad.gitspace.sh
-  const hostname = `${subdomain}.gitspace.sh`;
-
-  const response = await fetch(
-    `https://api.cloudflare.com/client/v4/zones/${env.CF_ZONE_ID}/custom_hostnames`,
-    {
-      method: 'POST',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-        'Content-Type': 'application/json',
-      },
-      body: JSON.stringify({
-        hostname,
-        ssl: {
-          method: 'http',
-          type: 'dv',
-          wildcard: true, // Adds *.brad.gitspace.sh to the certificate SAN
-          settings: {
-            min_tls_version: '1.2',
-          },
-        },
-      }),
-    }
-  );
-
-  if (!response.ok) {
-    const error = await response.text();
-    throw new Error(`Failed to create custom hostname: ${error}`);
-  }
-
-  const data = (await response.json()) as {
-    success: boolean;
-    result: { id: string; hostname: string; status: string };
-    errors?: Array<{ message: string }>;
-  };
-
-  if (!data.success) {
-    throw new Error(
-      `Custom hostname creation failed: ${data.errors?.map((e) => e.message).join(', ')}`
-    );
-  }
-
-  return {
-    id: data.result.id,
-    hostname: data.result.hostname,
-    status: data.result.status,
-  };
-}
-
-/**
- * Delete a custom hostname
- */
-export async function deleteCustomHostname(
-  env: Env,
-  customHostnameId: string
-): Promise<void> {
-  const response = await fetch(
-    `https://api.cloudflare.com/client/v4/zones/${env.CF_ZONE_ID}/custom_hostnames/${customHostnameId}`,
-    {
-      method: 'DELETE',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-      },
-    }
-  );
-
-  if (!response.ok) {
-    const error = await response.text();
-    throw new Error(`Failed to delete custom hostname: ${error}`);
-  }
-}
-
-/**
- * Get custom hostname status (for checking SSL provisioning)
- */
-export async function getCustomHostnameStatus(
-  env: Env,
-  customHostnameId: string
-): Promise<{ status: string; sslStatus: string }> {
-  const response = await fetch(
-    `https://api.cloudflare.com/client/v4/zones/${env.CF_ZONE_ID}/custom_hostnames/${customHostnameId}`,
-    {
-      method: 'GET',
-      headers: {
-        Authorization: `Bearer ${env.CF_API_TOKEN}`,
-      },
-    }
-  );
-
-  if (!response.ok) {
-    throw new Error('Failed to get custom hostname status');
-  }
-
-  const data = (await response.json()) as {
-    success: boolean;
-    result: { status: string; ssl: { status: string } };
-  };
-
-  return {
-    status: data.result.status,
-    sslStatus: data.result.ssl?.status ?? 'unknown',
-  };
-}
-
-/**
- * Simple encryption for tunnel tokens (stored in D1)
- * Uses AES-GCM with an HKDF-derived key from the ENCRYPTION_KEY secret
- */
-const TOKEN_DERIVATION_INFO = new TextEncoder().encode('tunnel-token-v1');
-const TOKEN_DERIVATION_SALT = new Uint8Array(32);
-
-async function deriveTokenKey(
-  env: Env,
-  usages: KeyUsage[]
-): Promise<CryptoKey> {
-  const keyMaterial = await crypto.subtle.importKey(
-    'raw',
-    new TextEncoder().encode(env.ENCRYPTION_KEY),
-    'HKDF',
-    false,
-    ['deriveKey']
-  );
-
-  return crypto.subtle.deriveKey(
-    {
-      name: 'HKDF',
-      hash: 'SHA-256',
-      salt: TOKEN_DERIVATION_SALT,
-      info: TOKEN_DERIVATION_INFO,
-    },
-    keyMaterial,
-    { name: 'AES-GCM', length: 256 },
-    false,
-    usages
-  );
-}
-
-async function deriveLegacyTokenKey(
-  env: Env,
-  usages: KeyUsage[]
-): Promise<CryptoKey> {
-  return crypto.subtle.importKey(
-    'raw',
-    new TextEncoder().encode(env.ENCRYPTION_KEY.padEnd(32, '0').slice(0, 32)),
-    { name: 'AES-GCM' },
-    false,
-    usages
-  );
-}
-
-export async function encryptToken(
-  env: Env,
-  token: string
-): Promise<string> {
-  const key = await deriveTokenKey(env, ['encrypt']);
-
-  const iv = crypto.getRandomValues(new Uint8Array(12));
-  const encrypted = await crypto.subtle.encrypt(
-    { name: 'AES-GCM', iv },
-    key,
-    new TextEncoder().encode(token)
-  );
-
-  // Combine IV + ciphertext and base64 encode
-  const combined = new Uint8Array(iv.length + encrypted.byteLength);
-  combined.set(iv);
-  combined.set(new Uint8Array(encrypted), iv.length);
-
-  return btoa(String.fromCharCode(...combined));
-}
-
-/**
- * Decrypt a tunnel token
- */
-export async function decryptToken(
-  env: Env,
-  encryptedToken: string
-): Promise<string> {
-  const combined = new Uint8Array(
-    atob(encryptedToken)
-      .split('')
-      .map((c) => c.charCodeAt(0))
-  );
-
-  const iv = combined.slice(0, 12);
-  const ciphertext = combined.slice(12);
-
-  const key = await deriveTokenKey(env, ['decrypt']);
-
-  try {
-    const decrypted = await crypto.subtle.decrypt(
-      { name: 'AES-GCM', iv },
-      key,
-      ciphertext
-    );
-
-    return new TextDecoder().decode(decrypted);
-  } catch {
-    const legacyKey = await deriveLegacyTokenKey(env, ['decrypt']);
-    const decrypted = await crypto.subtle.decrypt(
-      { name: 'AES-GCM', iv },
-      legacyKey,
-      ciphertext
-    );
-
-    return new TextDecoder().decode(decrypted);
-  }
-}

package/worker/src/types.ts

@@ -1,96 +0,0 @@
-/**
- * Cloudflare Worker environment bindings
- */
-export interface Env {
-  // D1 Database
-  DB: D1Database;
-
-  // Environment variables
-  PORTAL_URL: string;
-  MAX_ACCOUNTS: string; // Global account limit (beta period)
-  GITHUB_CLIENT_ID: string;
-  GITHUB_CLIENT_SECRET: string;
-  CF_API_TOKEN: string;
-  CF_ACCOUNT_ID: string;
-  CF_ZONE_ID: string;
-  ENCRYPTION_KEY: string;
-}
-
-/**
- * User record from D1
- */
-export interface User {
-  id: string;
-  github_id: string;
-  github_username: string;
-  email: string | null;
-  name: string | null;
-  avatar_url: string | null;
-  created_at: number;
-  updated_at: number;
-}
-
-/**
- * Token record from D1
- */
-export interface Token {
-  id: string;
-  prefix: string;
-  user_id: string;
-  device_name: string | null;
-  device_fingerprint: string | null;
-  created_at: number;
-  expires_at: number | null;
-  last_used_at: number | null;
-  revoked_at: number | null;
-}
-
-/**
- * Subdomain record from D1
- */
-export interface Subdomain {
-  id: string;
-  subdomain: string;
-  user_id: string;
-  tunnel_id: string;
-  dns_record_ids: string;
-  tunnel_token_encrypted: string;
-  status: 'active' | 'suspended' | 'deleted';
-  is_primary: number;
-  created_at: number;
-  updated_at: number;
-}
-
-/**
- * Session record from D1
- */
-export interface Session {
-  id: string;
-  user_id: string;
-  created_at: number;
-  expires_at: number;
-  ip_address: string | null;
-  user_agent: string | null;
-}
-
-/**
- * GitHub user info from API
- */
-export interface GitHubUser {
-  id: number;
-  login: string;
-  name: string | null;
-  email: string | null;
-  avatar_url: string;
-}
-
-/**
- * GitHub Device Flow response
- */
-export interface GitHubDeviceCodeResponse {
-  device_code: string;
-  user_code: string;
-  verification_uri: string;
-  expires_in: number;
-  interval: number;
-}

package/worker/tsconfig.json

@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ESNext",
-    "module": "ESNext",
-    "moduleResolution": "bundler",
-    "strict": true,
-    "skipLibCheck": true,
-    "lib": ["ESNext"],
-    "types": ["@cloudflare/workers-types"],
-    "noEmit": true,
-    "isolatedModules": true
-  },
-  "include": ["src/**/*"],
-  "exclude": ["node_modules"]
-}