localssl-cli 0.1.0

package/src/gitignore.js

@@ -0,0 +1,30 @@
+const path = require('path');
+const fs = require('fs-extra');
+const { PROJECT_DIR } = require('./utils');
+
+async function ensureGitignore() {
+  const gitignorePath = path.join(PROJECT_DIR, '.gitignore');
+  const required = ['.localssl/*.pem', '.localssl/*.key', '.localssl/key.pem'];
+
+  let current = '';
+  if (await fs.pathExists(gitignorePath)) {
+    current = await fs.readFile(gitignorePath, 'utf8');
+  }
+
+  let updated = current;
+  let changed = false;
+  for (const item of required) {
+    if (!updated.includes(item)) {
+      updated += `${updated.endsWith('\n') || !updated ? '' : '\n'}${item}\n`;
+      changed = true;
+    }
+  }
+
+  if (changed) {
+    await fs.writeFile(gitignorePath, updated);
+  }
+
+  return changed;
+}
+
+module.exports = { ensureGitignore };

package/src/index.js

@@ -0,0 +1,16 @@
+const fs = require('fs');
+const path = require('path');
+
+function getHttpsOptions(baseDir = process.cwd()) {
+  const certPath = path.join(baseDir, '.localssl', 'cert.pem');
+  const keyPath = path.join(baseDir, '.localssl', 'key.pem');
+
+  return {
+    cert: fs.readFileSync(certPath),
+    key: fs.readFileSync(keyPath)
+  };
+}
+
+module.exports = {
+  getHttpsOptions
+};

package/src/init.js

@@ -0,0 +1,10 @@
+const { initMachine } = require('./bootstrap');
+const { info } = require('./utils');
+
+async function initCommand() {
+  info('Initializing machine trust...');
+  await initMachine();
+  info('Done.');
+}
+
+module.exports = { initCommand };

package/src/mobile.js

@@ -0,0 +1,53 @@
+const http = require('http');
+const os = require('os');
+const fs = require('fs-extra');
+const detectPort = require('detect-port');
+const qrcode = require('qrcode-terminal');
+const { LOCALSSL_CA_PUBLIC, info } = require('./utils');
+
+function getLocalIpAddress() {
+  const interfaces = os.networkInterfaces();
+  for (const values of Object.values(interfaces)) {
+    for (const item of values || []) {
+      if (item.family === 'IPv4' && !item.internal) {
+        return item.address;
+      }
+    }
+  }
+  return '127.0.0.1';
+}
+
+async function runQrServer() {
+  if (!(await fs.pathExists(LOCALSSL_CA_PUBLIC))) {
+    throw new Error('No machine CA found. Run: localssl init');
+  }
+
+  const crt = await fs.readFile(LOCALSSL_CA_PUBLIC);
+  const host = getLocalIpAddress();
+  const port = await detectPort(9999);
+
+  const server = http.createServer((req, res) => {
+    if (req.url === '/ca.crt') {
+      res.writeHead(200, {
+        'Content-Type': 'application/x-x509-ca-cert',
+        'Content-Disposition': 'attachment; filename="localssl-ca.crt"'
+      });
+      res.end(crt);
+      return;
+    }
+
+    res.writeHead(404);
+    res.end('Not found');
+  });
+
+  await new Promise((resolve) => server.listen(port, resolve));
+
+  const url = `http://${host}:${port}/ca.crt`;
+  info(`Scan this QR from your phone:`);
+  qrcode.generate(url, { small: true });
+  info(`iOS: Settings > General > VPN & Device Management > Install > Certificate Trust Settings`);
+  info(`Android: Settings > Security > Install from storage`);
+  info(`Serving CA at ${url} (Ctrl+C to stop)`);
+}
+
+module.exports = { runQrServer };

package/src/remove.js

@@ -0,0 +1,34 @@
+const path = require('path');
+const fs = require('fs-extra');
+const { LOCALSSL_HOME, LOCALSSL_CA_PUBLIC, PROJECT_LOCALSSL_DIR, PROJECT_DIR } = require('./utils');
+const { untrustCertificate: untrustMac } = require('./trust/macos');
+const { untrustCertificate: untrustWindows } = require('./trust/windows');
+const { untrustCertificate: untrustLinux } = require('./trust/linux');
+const { untrustInFirefox } = require('./trust/firefox');
+const { untrustInChromium } = require('./trust/chromium');
+
+async function removeTrust() {
+  if (process.platform === 'darwin') await untrustMac(LOCALSSL_CA_PUBLIC);
+  else if (process.platform === 'win32') await untrustWindows(LOCALSSL_CA_PUBLIC);
+  else await untrustLinux();
+
+  await untrustInFirefox();
+  await untrustInChromium();
+}
+
+async function cleanupFrameworkArtifacts() {
+  const helper = path.join(PROJECT_DIR, 'localssl.js');
+  if (await fs.pathExists(helper)) {
+    await fs.remove(helper);
+  }
+}
+
+async function removeAll() {
+  await removeTrust().catch(() => {});
+  await fs.remove(LOCALSSL_HOME).catch(() => {});
+  await fs.remove(PROJECT_LOCALSSL_DIR).catch(() => {});
+  await cleanupFrameworkArtifacts();
+  console.log('  localssl removed ✓');
+}
+
+module.exports = { removeAll };

package/src/renew.js

@@ -0,0 +1,11 @@
+const { ensureMkcert } = require('./bootstrap');
+const { detectHostsFromProject, generateProjectCert } = require('./certgen');
+
+async function renew() {
+  const mkcertPath = await ensureMkcert();
+  const hosts = await detectHostsFromProject();
+  await generateProjectCert({ mkcertPath, hosts, force: true });
+  console.log('  Project certificate renewed ✓');
+}
+
+module.exports = { renew };

package/src/status.js

@@ -0,0 +1,53 @@
+const fs = require('fs-extra');
+const { X509Certificate } = require('crypto');
+const { LOCALSSL_CA_PUBLIC, PROJECT_CERT, PROJECT_CONFIG, PROJECT_LOCALSSL_DIR } = require('./utils');
+const { detectFramework } = require('./frameworks/detect');
+
+function certSummary(label, certPem) {
+  const cert = new X509Certificate(certPem);
+  const expiry = new Date(cert.validTo);
+  const days = Math.ceil((expiry.getTime() - Date.now()) / (1000 * 60 * 60 * 24));
+  return { label, expiry: expiry.toISOString().slice(0, 10), days };
+}
+
+async function status() {
+  const rows = [];
+
+  if (await fs.pathExists(LOCALSSL_CA_PUBLIC)) {
+    const caText = await fs.readFile(LOCALSSL_CA_PUBLIC, 'utf8');
+    rows.push(certSummary('Machine CA', caText));
+  }
+
+  if (await fs.pathExists(PROJECT_CERT)) {
+    const certText = await fs.readFile(PROJECT_CERT, 'utf8');
+    rows.push(certSummary('Project cert', certText));
+  }
+
+  for (const row of rows) {
+    console.log(`  ${row.label.padEnd(14)} ${row.expiry} (${row.days} days)`);
+  }
+
+  const framework = await detectFramework();
+  console.log(`  Framework:      ${framework}`);
+
+  if (await fs.pathExists(PROJECT_CONFIG)) {
+    const cfg = await fs.readJson(PROJECT_CONFIG);
+    console.log(`  Hosts:          ${(cfg.hosts || []).join(', ') || 'localhost'}`);
+    console.log(`  Team members:   ${(cfg.team || []).length}`);
+  }
+
+  if (!(await fs.pathExists(PROJECT_LOCALSSL_DIR))) {
+    console.log('  localssl:       not configured');
+    return;
+  }
+
+  const warning = rows.find((r) => r.days <= 30);
+  if (warning) {
+    console.log('  Warning: cert expires in under 30 days. Run localssl renew');
+    return;
+  }
+
+  console.log('  All good ✓');
+}
+
+module.exports = { status };

package/src/team.js

@@ -0,0 +1,110 @@
+const os = require('os');
+const path = require('path');
+const fs = require('fs-extra');
+const { PROJECT_CONFIG, LOCALSSL_CA_PUBLIC, PROJECT_DIR } = require('./utils');
+const { trustCertificate: trustMac } = require('./trust/macos');
+const { trustCertificate: trustWindows } = require('./trust/windows');
+const { trustCertificate: trustLinux } = require('./trust/linux');
+const { trustInFirefox } = require('./trust/firefox');
+const { trustInChromium } = require('./trust/chromium');
+
+function defaultConfig(hosts = []) {
+  return {
+    version: 1,
+    hosts,
+    team: []
+  };
+}
+
+function sanitizePem(pem) {
+  return pem.replace(/\r\n/g, '\n').trim();
+}
+
+function assertPublicCert(pem) {
+  if (!pem.includes('BEGIN CERTIFICATE') || pem.includes('PRIVATE KEY')) {
+    throw new Error('localssl.json may only contain public certificates.');
+  }
+}
+
+async function loadTeamConfig(hosts = []) {
+  if (!(await fs.pathExists(PROJECT_CONFIG))) {
+    const cfg = defaultConfig(hosts);
+    await fs.writeJson(PROJECT_CONFIG, cfg, { spaces: 2 });
+    return cfg;
+  }
+
+  const cfg = await fs.readJson(PROJECT_CONFIG);
+  cfg.version = cfg.version || 1;
+  cfg.hosts = Array.isArray(cfg.hosts) ? cfg.hosts : hosts;
+  cfg.team = Array.isArray(cfg.team) ? cfg.team : [];
+  return cfg;
+}
+
+async function saveTeamConfig(config) {
+  for (const entry of config.team || []) {
+    assertPublicCert(entry.caPubCert || '');
+  }
+
+  await fs.writeJson(PROJECT_CONFIG, config, { spaces: 2 });
+}
+
+async function syncCurrentMachine(hosts) {
+  const config = await loadTeamConfig(hosts);
+  const caPubCert = sanitizePem(await fs.readFile(LOCALSSL_CA_PUBLIC, 'utf8'));
+  assertPublicCert(caPubCert);
+
+  const machine = os.hostname();
+  const existing = config.team.find((m) => m.machine === machine);
+  const payload = {
+    machine,
+    os: process.platform,
+    caPubCert,
+    addedAt: new Date().toISOString().slice(0, 10)
+  };
+
+  if (existing) {
+    Object.assign(existing, payload);
+  } else {
+    config.team.push(payload);
+  }
+
+  config.hosts = [...new Set([...(config.hosts || []), ...hosts])];
+  await saveTeamConfig(config);
+
+  return config;
+}
+
+async function trustTeamCertificates(config) {
+  let trusted = 0;
+
+  for (const member of config.team || []) {
+    if (!member.caPubCert || member.machine === os.hostname()) {
+      continue;
+    }
+
+    assertPublicCert(member.caPubCert);
+    const tempPath = path.join(PROJECT_DIR, '.localssl', `${member.machine}.crt`);
+    await fs.ensureDir(path.dirname(tempPath));
+    await fs.writeFile(tempPath, `${member.caPubCert}\n`);
+
+    try {
+      if (process.platform === 'darwin') await trustMac(tempPath);
+      else if (process.platform === 'win32') await trustWindows(tempPath);
+      else await trustLinux(tempPath);
+
+      await trustInFirefox(tempPath);
+      await trustInChromium(tempPath);
+      trusted += 1;
+    } catch {
+      // best-effort trust for teammate certs
+    }
+  }
+
+  return trusted;
+}
+
+module.exports = {
+  syncCurrentMachine,
+  trustTeamCertificates,
+  loadTeamConfig
+};

package/src/trust/chromium.js

@@ -0,0 +1,106 @@
+const os = require('os');
+const path = require('path');
+const fs = require('fs-extra');
+const { execFile } = require('child_process');
+
+function hasCertUtil() {
+  return new Promise((resolve) => {
+    execFile('certutil', ['-H'], (error) => resolve(!error));
+  });
+}
+
+async function getProfileRoots() {
+  const home = os.homedir();
+
+  if (process.platform === 'win32') {
+    const local = process.env.LOCALAPPDATA || '';
+    return [
+      path.join(local, 'Google', 'Chrome', 'User Data'),
+      path.join(local, 'Microsoft', 'Edge', 'User Data')
+    ];
+  }
+
+  if (process.platform === 'darwin') {
+    return [
+      path.join(home, 'Library', 'Application Support', 'Google', 'Chrome'),
+      path.join(home, 'Library', 'Application Support', 'Microsoft Edge')
+    ];
+  }
+
+  return [
+    path.join(home, '.config', 'google-chrome'),
+    path.join(home, '.config', 'chromium'),
+    path.join(home, '.config', 'microsoft-edge')
+  ];
+}
+
+async function collectNssDatabases() {
+  const dbs = new Set();
+  const home = os.homedir();
+
+  const commonDb = path.join(home, '.pki', 'nssdb');
+  if (await fs.pathExists(path.join(commonDb, 'cert9.db'))) {
+    dbs.add(commonDb);
+  }
+
+  const roots = await getProfileRoots();
+  for (const root of roots) {
+    if (!(await fs.pathExists(root))) {
+      continue;
+    }
+
+    const entries = await fs.readdir(root).catch(() => []);
+    for (const entry of entries) {
+      if (entry !== 'Default' && !entry.startsWith('Profile ')) {
+        continue;
+      }
+
+      const profile = path.join(root, entry);
+      if (await fs.pathExists(path.join(profile, 'cert9.db'))) {
+        dbs.add(profile);
+      }
+    }
+  }
+
+  return [...dbs];
+}
+
+async function runCertUtil(args) {
+  return new Promise((resolve) => {
+    execFile('certutil', args, () => resolve());
+  });
+}
+
+async function trustInChromium(certPath) {
+  const available = await hasCertUtil();
+  if (!available) {
+    return { trusted: false, reason: 'certutil not found' };
+  }
+
+  const databases = await collectNssDatabases();
+  if (!databases.length) {
+    return { trusted: false, reason: 'no Chrome/Edge NSS DB found' };
+  }
+
+  let applied = 0;
+  for (const db of databases) {
+    await runCertUtil(['-A', '-n', 'localssl', '-t', 'C,,', '-i', certPath, '-d', `sql:${db}`]);
+    applied += 1;
+  }
+
+  return { trusted: true, reason: `${applied} NSS DB(s)` };
+}
+
+async function untrustInChromium() {
+  const available = await hasCertUtil();
+  if (!available) {
+    return;
+  }
+
+  const databases = await collectNssDatabases();
+  for (const db of databases) {
+    await runCertUtil(['-D', '-n', 'localssl', '-d', `sql:${db}`]);
+  }
+}
+
+module.exports = { trustInChromium, untrustInChromium };

package/src/trust/firefox.js

@@ -0,0 +1,69 @@
+const os = require('os');
+const path = require('path');
+const fs = require('fs-extra');
+const { execFile } = require('child_process');
+
+function getFirefoxProfilesDir() {
+  const home = os.homedir();
+  if (process.platform === 'win32') {
+    return path.join(process.env.APPDATA || '', 'Mozilla', 'Firefox', 'Profiles');
+  }
+
+  if (process.platform === 'darwin') {
+    return path.join(home, 'Library', 'Application Support', 'Firefox', 'Profiles');
+  }
+
+  return path.join(home, '.mozilla', 'firefox');
+}
+
+async function hasCertUtil() {
+  return new Promise((resolve) => {
+    execFile('certutil', ['-H'], (error) => resolve(!error));
+  });
+}
+
+async function listProfiles() {
+  const dir = getFirefoxProfilesDir();
+  if (!(await fs.pathExists(dir))) {
+    return [];
+  }
+
+  const entries = await fs.readdir(dir);
+  return entries.map((entry) => path.join(dir, entry));
+}
+
+async function trustInFirefox(certPath) {
+  const available = await hasCertUtil();
+  if (!available) {
+    return { trusted: false, reason: 'certutil not found' };
+  }
+
+  const profiles = await listProfiles();
+  if (!profiles.length) {
+    return { trusted: false, reason: 'Firefox not found' };
+  }
+
+  for (const profile of profiles) {
+    await new Promise((resolve) => {
+      execFile('certutil', ['-A', '-n', 'localssl', '-t', 'C,,', '-i', certPath, '-d', `sql:${profile}`], () => resolve());
+    });
+  }
+
+  return { trusted: true, reason: `${profiles.length} profile(s)` };
+}
+
+async function untrustInFirefox() {
+  const available = await hasCertUtil();
+  if (!available) {
+    return;
+  }
+
+  const profiles = await listProfiles();
+  for (const profile of profiles) {
+    await new Promise((resolve) => {
+      execFile('certutil', ['-D', '-n', 'localssl', '-d', `sql:${profile}`], () => resolve());
+    });
+  }
+}
+
+module.exports = { trustInFirefox, untrustInFirefox };

package/src/trust/linux.js

@@ -0,0 +1,30 @@
+const { execFile } = require('child_process');
+const fs = require('fs-extra');
+const path = require('path');
+
+const systemCertPath = '/usr/local/share/ca-certificates/localssl-ca.crt';
+
+async function trustCertificate(certPath) {
+  await fs.copy(certPath, systemCertPath);
+  await new Promise((resolve, reject) => {
+    execFile('update-ca-certificates', [], (error) => {
+      if (error) {
+        reject(new Error('Linux trust update failed. Install ca-certificates tools and re-run with sudo.'));
+        return;
+      }
+      resolve();
+    });
+  });
+}
+
+async function untrustCertificate() {
+  if (await fs.pathExists(systemCertPath)) {
+    await fs.remove(systemCertPath);
+  }
+
+  await new Promise((resolve) => {
+    execFile('update-ca-certificates', ['--fresh'], () => resolve());
+  });
+}
+
+module.exports = { trustCertificate, untrustCertificate, systemCertPath };

package/src/trust/macos.js

@@ -0,0 +1,25 @@
+const { execFile } = require('child_process');
+
+function trustCertificate(certPath) {
+  return new Promise((resolve, reject) => {
+    execFile(
+      'security',
+      ['add-trusted-cert', '-d', '-r', 'trustRoot', '-k', '/Library/Keychains/System.keychain', certPath],
+      (error) => {
+        if (error) {
+          reject(new Error('Admin privileges required to install CA on macOS. Re-run with sudo.'));
+          return;
+        }
+        resolve();
+      }
+    );
+  });
+}
+
+function untrustCertificate(certPath) {
+  return new Promise((resolve) => {
+    execFile('security', ['remove-trusted-cert', '-d', certPath], () => resolve());
+  });
+}
+
+module.exports = { trustCertificate, untrustCertificate };

package/src/trust/windows.js

@@ -0,0 +1,21 @@
+const { execFile } = require('child_process');
+
+function trustCertificate(certPath) {
+  return new Promise((resolve, reject) => {
+    execFile('certutil', ['-addstore', '-f', 'ROOT', certPath], { windowsHide: true }, (error) => {
+      if (error) {
+        reject(new Error('Admin privileges required to install CA on Windows. Re-run terminal as Administrator.'));
+        return;
+      }
+      resolve();
+    });
+  });
+}
+
+function untrustCertificate(certPath) {
+  return new Promise((resolve) => {
+    execFile('certutil', ['-delstore', 'ROOT', certPath], { windowsHide: true }, () => resolve());
+  });
+}
+
+module.exports = { trustCertificate, untrustCertificate };

package/src/trust.js

@@ -0,0 +1,9 @@
+const { loadTeamConfig, trustTeamCertificates } = require('./team');
+
+async function trustTeam() {
+  const config = await loadTeamConfig();
+  const trusted = await trustTeamCertificates(config);
+  console.log(`  Trusted ${trusted} teammate CA certificate(s) ✓`);
+}
+
+module.exports = { trustTeam };

package/src/use.js

@@ -0,0 +1,40 @@
+const { initMachine } = require('./bootstrap');
+const { detectHostsFromProject, generateProjectCert } = require('./certgen');
+const { configureFramework } = require('./frameworks');
+const { ensureGitignore } = require('./gitignore');
+const { syncCurrentMachine, trustTeamCertificates } = require('./team');
+const { step, info } = require('./utils');
+
+async function useProject(hostsArg = []) {
+  info('Setting up local HTTPS for this project...');
+
+  const total = 4;
+  const { mkcertPath } = await initMachine({ quiet: true });
+  step(1, total, 'Installing local CA on your machine...', 'ok');
+
+  const detectedHosts = await detectHostsFromProject();
+  const hosts = hostsArg.length ? [...new Set([...detectedHosts, ...hostsArg])] : detectedHosts;
+  const certResult = await generateProjectCert({ mkcertPath, hosts });
+  step(
+    2,
+    total,
+    `Generating certificate for ${hosts[0]}...`,
+    certResult.generated ? 'ok' : 'skip',
+    certResult.generated ? '(valid 825 days)' : '(already configured)'
+  );
+
+  const frameworkResult = await configureFramework(certResult.certPath, certResult.keyPath);
+  step(3, total, `Configuring ${frameworkResult.framework}...`, frameworkResult.updated ? 'ok' : 'skip', `(${frameworkResult.details})`);
+
+  const gitignoreChanged = await ensureGitignore();
+  step(4, total, 'Updating .gitignore...', gitignoreChanged ? 'ok' : 'skip');
+
+  const teamConfig = await syncCurrentMachine(hosts);
+  const trusted = await trustTeamCertificates(teamConfig);
+
+  info('Done. Start your dev server — HTTPS is ready.');
+  info('Run: npm run dev');
+  info(`Team CAs trusted: ${trusted}`);
+}
+
+module.exports = { useProject };

package/src/utils.js

@@ -0,0 +1,52 @@
+const os = require('os');
+const path = require('path');
+const chalk = require('chalk');
+
+const HOME_DIR = os.homedir();
+const LOCALSSL_HOME = path.join(HOME_DIR, '.localssl');
+const LOCALSSL_CA_PUBLIC = path.join(LOCALSSL_HOME, 'ca.crt');
+const LOCALSSL_CA_KEY = path.join(LOCALSSL_HOME, 'ca.key');
+const PROJECT_DIR = process.cwd();
+const PROJECT_LOCALSSL_DIR = path.join(PROJECT_DIR, '.localssl');
+const PROJECT_CERT = path.join(PROJECT_LOCALSSL_DIR, 'cert.pem');
+const PROJECT_KEY = path.join(PROJECT_LOCALSSL_DIR, 'key.pem');
+const PROJECT_CONFIG = path.join(PROJECT_DIR, 'localssl.json');
+
+function step(index, total, message, status, details = '') {
+  const state = status === 'ok' ? chalk.green('✓') : status === 'skip' ? chalk.gray('↷') : chalk.red('✗');
+  const extra = details ? ` ${chalk.gray(details)}` : '';
+  console.log(`  [${index}/${total}] ${message} ${state}${extra}`);
+}
+
+function info(message) {
+  console.log(`  ${message}`);
+}
+
+function warn(message) {
+  console.log(chalk.yellow(`  ${message}`));
+}
+
+function err(message) {
+  console.error(chalk.red(`  ${message}`));
+}
+
+function isCI() {
+  return process.env.CI === 'true' || process.env.CI === '1';
+}
+
+module.exports = {
+  HOME_DIR,
+  LOCALSSL_HOME,
+  LOCALSSL_CA_PUBLIC,
+  LOCALSSL_CA_KEY,
+  PROJECT_DIR,
+  PROJECT_LOCALSSL_DIR,
+  PROJECT_CERT,
+  PROJECT_KEY,
+  PROJECT_CONFIG,
+  step,
+  info,
+  warn,
+  err,
+  isCI
+};