npm - jh-web-gateway - Versions diffs - 2.0.1 → 2.1.1 - Mend

jh-web-gateway 2.0.1 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +1 -1
package/dist/{chunk-J7PNSI42.js → chunk-7H2RJZN3.js} +225 -142
package/dist/chunk-7H2RJZN3.js.map +1 -0
package/dist/cli.js +32 -25
package/dist/cli.js.map +1 -1
package/dist/{tui-2J5JN3FF.js → tui-DIQMK2CW.js} +6 -31
package/dist/tui-DIQMK2CW.js.map +1 -0
package/package.json +2 -1
package/dist/chunk-J7PNSI42.js.map +0 -1
package/dist/tui-2J5JN3FF.js.map +0 -1

package/README.md CHANGED Viewed

@@ -407,7 +407,7 @@ Point any OpenAI-compatible tool at:
 |------|-------------|
 | `--headless` | Launch Chrome without a visible window (requires prior login) |
 | `--port <n>` | Override the configured port |
-| `--pages <n>` | Max concurrent browser pages (default: 3) |
+| `--pages <n>` | Max concurrent browser pages (default: 1) |
 ## Token Refresh

package/dist/{chunk-J7PNSI42.js → chunk-7H2RJZN3.js} RENAMED Viewed

@@ -64,12 +64,15 @@ async function findOrOpenJhPage(browser) {
 }
 // src/infra/config.ts
-import { readFile, writeFile, mkdir } from "fs/promises";
+import { readFile, writeFile, mkdir, chmod } from "fs/promises";
 import { homedir } from "os";
 import { join } from "path";
 function getConfigPath() {
   return join(homedir(), ".jh-gateway", "config.json");
 }
+function getConfigDir() {
+  return join(homedir(), ".jh-gateway");
+}
 function getDefaultConfig() {
   return {
     cdpUrl: "http://127.0.0.1:9222",
@@ -162,15 +165,13 @@ function validateConfig(raw) {
 }
 async function loadConfig() {
   const configPath = getConfigPath();
-  const configDir = join(homedir(), ".jh-gateway");
   let raw;
   try {
     raw = await readFile(configPath, "utf8");
   } catch (err) {
     if (isNodeError(err) && (err.code === "ENOENT" || err.code === "ENOTDIR")) {
       const defaults = getDefaultConfig();
-      await mkdir(configDir, { recursive: true });
-      await writeFile(configPath, JSON.stringify(defaults, null, 2), "utf8");
+      await saveConfig(defaults);
       return defaults;
     }
     throw err;
@@ -183,13 +184,19 @@ async function loadConfig() {
       `Config validation error: config file at ${configPath} contains malformed JSON`
     );
   }
-  return validateConfig(parsed);
+  const validated = validateConfig(parsed);
+  await enforceConfigPermissions(configPath, getConfigDir());
+  return validated;
 }
 async function saveConfig(config) {
   const configPath = getConfigPath();
-  const configDir = join(homedir(), ".jh-gateway");
-  await mkdir(configDir, { recursive: true });
-  await writeFile(configPath, JSON.stringify(config, null, 2), "utf8");
+  const configDir = getConfigDir();
+  await mkdir(configDir, { recursive: true, mode: 448 });
+  await writeFile(configPath, JSON.stringify(config, null, 2), {
+    encoding: "utf8",
+    mode: 384
+  });
+  await enforceConfigPermissions(configPath, configDir);
 }
 async function updateConfig(partial) {
   const current = await loadConfig();
@@ -202,9 +209,26 @@ async function updateConfig(partial) {
 function isNodeError(err) {
   return err instanceof Error && "code" in err;
 }
+async function enforceConfigPermissions(configPath, configDir) {
+  await chmod(configDir, 448).catch((err) => {
+    const message = err instanceof Error ? err.message : String(err);
+    console.warn(`[config] Could not enforce secure directory permissions: ${message}`);
+  });
+  await chmod(configPath, 384).catch((err) => {
+    const message = err instanceof Error ? err.message : String(err);
+    console.warn(`[config] Could not enforce secure file permissions: ${message}`);
+  });
+}
 // src/core/auth-capture.ts
 var JH_HOST = "chat.ai.jh.edu";
+function isJhUrl(url) {
+  try {
+    return new URL(url).hostname === JH_HOST;
+  } catch {
+    return false;
+  }
+}
 function getTokenExpiry(token) {
   try {
     const parts = token.split(".");
@@ -238,24 +262,15 @@ async function captureCredentials(cdpUrl, timeoutMs = 12e4) {
     page = await context.newPage();
   }
   const targetPage = page;
+  const routePattern = "**/*";
   return new Promise((resolve, reject) => {
     let settled = false;
-    const timer = setTimeout(() => {
-      if (settled) return;
-      settled = true;
-      reject(
-        new Error(
-          `Credential capture timed out after ${timeoutMs / 1e3}s. Please log in to chat.ai.jh.edu and send a message to trigger authentication.`
-        )
-      );
-    }, timeoutMs);
-    targetPage.route("**/*", async (route) => {
+    let cleanedUp = false;
+    const routeHandler = async (route) => {
       const request = route.request();
       const headers = await request.headers();
       const authHeader = headers["authorization"] ?? headers["Authorization"] ?? "";
-      if (!settled && authHeader.startsWith("Bearer ") && request.url().includes(JH_HOST)) {
-        settled = true;
-        clearTimeout(timer);
+      if (!settled && authHeader.startsWith("Bearer ") && isJhUrl(request.url())) {
         try {
           const bearerToken = authHeader.slice("Bearer ".length).trim();
           const rawCookies = await targetPage.context().cookies();
@@ -271,14 +286,45 @@ async function captureCredentials(cdpUrl, timeoutMs = 12e4) {
             expiresAt
           };
           await updateConfig({ credentials: captured });
-          resolve(captured);
+          settleSuccess(captured);
         } catch (err) {
-          reject(err);
+          settleFailure(err);
         }
       }
-      await route.continue();
-    }).then(() => {
-      if (!targetPage.url().includes(JH_HOST)) {
+      await route.continue().catch((err) => {
+        const message = err instanceof Error ? err.message : String(err);
+        console.warn(`[auth-capture] Route continuation failed: ${message}`);
+      });
+    };
+    const cleanup = async () => {
+      if (cleanedUp) return;
+      cleanedUp = true;
+      clearTimeout(timer);
+      await targetPage.unroute(routePattern, routeHandler).catch((err) => {
+        const message = err instanceof Error ? err.message : String(err);
+        console.warn(`[auth-capture] Route cleanup failed: ${message}`);
+      });
+    };
+    const settleSuccess = (captured) => {
+      if (settled) return;
+      settled = true;
+      void cleanup().finally(() => resolve(captured));
+    };
+    const settleFailure = (err) => {
+      if (settled) return;
+      settled = true;
+      const error = err instanceof Error ? err : new Error(String(err));
+      void cleanup().finally(() => reject(error));
+    };
+    const timer = setTimeout(() => {
+      settleFailure(
+        new Error(
+          `Credential capture timed out after ${timeoutMs / 1e3}s. Please log in to chat.ai.jh.edu and send a message to trigger authentication.`
+        )
+      );
+    }, timeoutMs);
+    targetPage.route(routePattern, routeHandler).then(() => {
+      if (!isJhUrl(targetPage.url())) {
         targetPage.goto(`https://${JH_HOST}`, { waitUntil: "commit" }).catch(() => {
         });
       } else {
@@ -286,11 +332,7 @@ async function captureCredentials(cdpUrl, timeoutMs = 12e4) {
         });
       }
     }).catch((err) => {
-      if (!settled) {
-        settled = true;
-        clearTimeout(timer);
-        reject(err);
-      }
+      settleFailure(err);
     });
   });
 }
@@ -316,7 +358,7 @@ async function captureCredentialsActive(cdpUrl, timeoutMs = 3e4) {
         const request = route.request();
         const headers = await request.headers();
         const authHeader = headers["authorization"] ?? headers["Authorization"] ?? "";
-        if (!settled && authHeader.startsWith("Bearer ") && request.url().includes(JH_HOST)) {
+        if (!settled && authHeader.startsWith("Bearer ") && isJhUrl(request.url())) {
           settled = true;
           clearTimeout(timer);
           try {
@@ -360,6 +402,7 @@ async function captureCredentialsActive(cdpUrl, timeoutMs = 3e4) {
 // src/infra/gateway-auth.ts
 import { randomBytes } from "crypto";
+import { timingSafeEqual } from "crypto";
 function generateApiKey() {
   return `jh-local-${randomBytes(16).toString("hex")}`;
 }
@@ -385,7 +428,7 @@ function authMiddleware(config) {
     }
     if (mode === "bearer") {
       const expected = `Bearer ${token}`;
-      if (authHeader !== expected) {
+      if (!safeEquals(authHeader, expected)) {
         return c.json(
           {
             error: {
@@ -400,7 +443,7 @@ function authMiddleware(config) {
       }
     } else if (mode === "basic") {
       const expected = `Basic ${Buffer.from(`gateway:${token}`).toString("base64")}`;
-      if (authHeader !== expected) {
+      if (!safeEquals(authHeader, expected)) {
         return c.json(
           {
             error: {
@@ -417,6 +460,12 @@ function authMiddleware(config) {
     return next();
   };
 }
+function safeEquals(actual, expected) {
+  const actualBuffer = Buffer.from(actual);
+  const expectedBuffer = Buffer.from(expected);
+  if (actualBuffer.length !== expectedBuffer.length) return false;
+  return timingSafeEqual(actualBuffer, expectedBuffer);
+}
 // src/infra/types.ts
 var MODEL_ENDPOINT_MAP = {
@@ -1667,9 +1716,11 @@ var PagePool = class {
   maxPages;
   maxWaitMs;
   initPromise = null;
+  pagesCreating = 0;
+  warmedUp = false;
   constructor(options = {}) {
     this.targetUrl = options.targetUrl ?? "https://chat.ai.jh.edu";
-    this.maxPages = options.maxPages ?? 3;
+    this.maxPages = options.maxPages ?? 1;
     this.maxWaitMs = options.maxWaitMs ?? 12e4;
   }
   /** Initialize the pool with an existing browser connection and seed page */
@@ -1700,11 +1751,20 @@ var PagePool = class {
    * Acquire a page for use. Creates new pages on-demand up to maxPages.
    * Note: We intentionally don't lock here — allowing multiple requests to
    * grab the same page and queue on it is actually faster than creating new pages.
+   *
+   * On first init (before any request succeeds), page scaling is disabled to
+   * avoid opening new Chrome tabs that may redirect through SSO and hang.
+   * Call `markWarmedUp()` after the first successful request to enable scaling.
    */
   async acquire() {
     let pooled = this.pages.find((p2) => !p2.inUse);
-    if (!pooled && this.pages.length < this.maxPages && this.browser) {
-      pooled = await this.createPage();
+    if (!pooled && this.warmedUp && this.pages.length + this.pagesCreating < this.maxPages && this.browser) {
+      this.pagesCreating++;
+      try {
+        pooled = await this.createPage();
+      } finally {
+        this.pagesCreating--;
+      }
     }
     if (!pooled) {
       pooled = this.pages.reduce(
@@ -1718,9 +1778,20 @@ var PagePool = class {
       queue: p.queue,
       release: () => {
         p.inUse = false;
+        if (!this.warmedUp) {
+          this.warmedUp = true;
+          console.log(`[PagePool] Warm-up complete \u2014 page scaling enabled (max ${this.maxPages})`);
+        }
       }
     };
   }
+  /** Mark the pool as warmed up, enabling page scaling. */
+  markWarmedUp() {
+    if (!this.warmedUp) {
+      this.warmedUp = true;
+      console.log(`[PagePool] Warm-up complete \u2014 page scaling enabled (max ${this.maxPages})`);
+    }
+  }
   async createPage() {
     if (!this.browser) {
       throw new Error("PagePool not initialized");
@@ -1731,15 +1802,27 @@ var PagePool = class {
       throw new Error("No browser context available");
     }
     const page = await context.newPage();
-    await page.goto(this.targetUrl, { waitUntil: "networkidle", timeout: 3e4 });
-    console.log(`[PagePool] New page ready: ${page.url()}`);
-    const pooled = {
-      page,
-      queue: new RequestQueue(this.maxWaitMs),
-      inUse: false
-    };
-    this.pages.push(pooled);
-    return pooled;
+    try {
+      await page.goto(this.targetUrl, { waitUntil: "networkidle", timeout: 3e4 });
+      const finalUrl = page.url();
+      if (!finalUrl.includes("chat.ai.jh.edu")) {
+        throw new Error(
+          `New page redirected away from target: ${finalUrl} \u2014 browser session may have expired, restart without --headless to re-login.`
+        );
+      }
+      console.log(`[PagePool] New page ready: ${finalUrl}`);
+      const pooled = {
+        page,
+        queue: new RequestQueue(this.maxWaitMs),
+        inUse: false
+      };
+      this.pages.push(pooled);
+      return pooled;
+    } catch (err) {
+      await page.close().catch(() => {
+      });
+      throw err;
+    }
   }
   /** Close all pages except the seed page */
   async drain() {
@@ -1755,6 +1838,99 @@ var PagePool = class {
   }
 };
+// src/core/token-refresher.ts
+var CredentialHolder = class {
+  creds = null;
+  /** Returns the current credentials, or `null` if none have been set yet. */
+  get() {
+    return this.creds;
+  }
+  /** Atomically replaces the stored credentials. */
+  set(creds) {
+    this.creds = creds;
+  }
+};
+function shouldRefresh(nowMs, expiresAt, thresholdMs) {
+  return expiresAt * 1e3 - nowMs < thresholdMs;
+}
+var BACKOFF_DELAYS = [5e3, 15e3, 3e4];
+var TokenRefresher = class {
+  credentialHolder;
+  cdpUrl;
+  checkIntervalMs;
+  refreshBeforeExpiryMs;
+  maxRetries;
+  intervalId = null;
+  constructor(credentialHolder, cdpUrl, options) {
+    this.credentialHolder = credentialHolder;
+    this.cdpUrl = cdpUrl;
+    this.checkIntervalMs = options?.checkIntervalMs ?? 6e4;
+    this.refreshBeforeExpiryMs = options?.refreshBeforeExpiryMs ?? 3e5;
+    this.maxRetries = options?.maxRetries ?? 3;
+  }
+  /** Start the background check interval. */
+  start() {
+    if (this.intervalId !== null) return;
+    this.intervalId = setInterval(() => {
+      void this.checkAndRefresh();
+    }, this.checkIntervalMs);
+  }
+  /** Stop the background check interval. */
+  stop() {
+    if (this.intervalId !== null) {
+      clearInterval(this.intervalId);
+      this.intervalId = null;
+    }
+  }
+  /** Check if a refresh is needed and perform it. Returns true if refreshed. */
+  async checkAndRefresh() {
+    const creds = this.credentialHolder.get();
+    if (!creds || !creds.expiresAt) {
+      return false;
+    }
+    if (!shouldRefresh(Date.now(), creds.expiresAt, this.refreshBeforeExpiryMs)) {
+      return false;
+    }
+    for (let attempt = 0; attempt < this.maxRetries; attempt++) {
+      try {
+        const newCreds = await captureCredentialsActive(this.cdpUrl);
+        const gatewayCreds = {
+          bearerToken: newCreds.bearerToken,
+          cookie: newCreds.cookie,
+          userAgent: newCreds.userAgent,
+          expiresAt: newCreds.expiresAt
+        };
+        this.credentialHolder.set(gatewayCreds);
+        await updateConfig({ credentials: gatewayCreds });
+        const expiryDate = new Date(newCreds.expiresAt * 1e3).toISOString();
+        console.log(`[TokenRefresher] Credentials refreshed successfully. New expiry: ${expiryDate}`);
+        return true;
+      } catch (err) {
+        const delay = BACKOFF_DELAYS[attempt] ?? BACKOFF_DELAYS[BACKOFF_DELAYS.length - 1];
+        if (attempt < this.maxRetries - 1) {
+          console.warn(
+            `[TokenRefresher] Refresh attempt ${attempt + 1}/${this.maxRetries} failed, retrying in ${delay / 1e3}s...`
+          );
+          await this.sleep(delay);
+        } else {
+          const msg = err instanceof Error ? err.message : String(err);
+          console.warn(
+            `
+\u26A0\uFE0F  [TokenRefresher] All ${this.maxRetries} refresh attempts failed. ${msg}
+   Continuing with current credentials. If requests start failing with 401,
+   restart with \`jh-gateway start\` (without --headless) to re-login.
+`
+          );
+        }
+      }
+    }
+    return false;
+  }
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+};
 // src/infra/chrome-manager.ts
 import { existsSync } from "fs";
 import { execSync, spawn } from "child_process";
@@ -1996,99 +2172,6 @@ Expected locations for ${process.platform}:
   }
 };
-// src/core/token-refresher.ts
-var CredentialHolder = class {
-  creds = null;
-  /** Returns the current credentials, or `null` if none have been set yet. */
-  get() {
-    return this.creds;
-  }
-  /** Atomically replaces the stored credentials. */
-  set(creds) {
-    this.creds = creds;
-  }
-};
-function shouldRefresh(nowMs, expiresAt, thresholdMs) {
-  return expiresAt * 1e3 - nowMs < thresholdMs;
-}
-var BACKOFF_DELAYS = [5e3, 15e3, 3e4];
-var TokenRefresher = class {
-  credentialHolder;
-  cdpUrl;
-  checkIntervalMs;
-  refreshBeforeExpiryMs;
-  maxRetries;
-  intervalId = null;
-  constructor(credentialHolder, cdpUrl, options) {
-    this.credentialHolder = credentialHolder;
-    this.cdpUrl = cdpUrl;
-    this.checkIntervalMs = options?.checkIntervalMs ?? 6e4;
-    this.refreshBeforeExpiryMs = options?.refreshBeforeExpiryMs ?? 3e5;
-    this.maxRetries = options?.maxRetries ?? 3;
-  }
-  /** Start the background check interval. */
-  start() {
-    if (this.intervalId !== null) return;
-    this.intervalId = setInterval(() => {
-      void this.checkAndRefresh();
-    }, this.checkIntervalMs);
-  }
-  /** Stop the background check interval. */
-  stop() {
-    if (this.intervalId !== null) {
-      clearInterval(this.intervalId);
-      this.intervalId = null;
-    }
-  }
-  /** Check if a refresh is needed and perform it. Returns true if refreshed. */
-  async checkAndRefresh() {
-    const creds = this.credentialHolder.get();
-    if (!creds || !creds.expiresAt) {
-      return false;
-    }
-    if (!shouldRefresh(Date.now(), creds.expiresAt, this.refreshBeforeExpiryMs)) {
-      return false;
-    }
-    for (let attempt = 0; attempt < this.maxRetries; attempt++) {
-      try {
-        const newCreds = await captureCredentialsActive(this.cdpUrl);
-        const gatewayCreds = {
-          bearerToken: newCreds.bearerToken,
-          cookie: newCreds.cookie,
-          userAgent: newCreds.userAgent,
-          expiresAt: newCreds.expiresAt
-        };
-        this.credentialHolder.set(gatewayCreds);
-        await updateConfig({ credentials: gatewayCreds });
-        const expiryDate = new Date(newCreds.expiresAt * 1e3).toISOString();
-        console.log(`[TokenRefresher] Credentials refreshed successfully. New expiry: ${expiryDate}`);
-        return true;
-      } catch (err) {
-        const delay = BACKOFF_DELAYS[attempt] ?? BACKOFF_DELAYS[BACKOFF_DELAYS.length - 1];
-        if (attempt < this.maxRetries - 1) {
-          console.warn(
-            `[TokenRefresher] Refresh attempt ${attempt + 1}/${this.maxRetries} failed, retrying in ${delay / 1e3}s...`
-          );
-          await this.sleep(delay);
-        } else {
-          const msg = err instanceof Error ? err.message : String(err);
-          console.warn(
-            `
-\u26A0\uFE0F  [TokenRefresher] All ${this.maxRetries} refresh attempts failed. ${msg}
-   Continuing with current credentials. If requests start failing with 401,
-   restart with \`jh-gateway start\` (without --headless) to re-login.
-`
-          );
-        }
-      }
-    }
-    return false;
-  }
-  sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
-  }
-};
 export {
   getChromeWebSocketUrl,
   connectToChrome,
@@ -2104,9 +2187,9 @@ export {
   isTokenExpired,
   startServer,
   PagePool,
-  ChromeManager,
   CredentialHolder,
   shouldRefresh,
-  TokenRefresher
+  TokenRefresher,
+  ChromeManager
 };
-//# sourceMappingURL=chunk-J7PNSI42.js.map
+//# sourceMappingURL=chunk-7H2RJZN3.js.map