miki-moni 0.3.1

package/worker/src/handshake.ts

@@ -0,0 +1,63 @@
+import nacl from "tweetnacl";
+
+export const CHALLENGE_TTL_MS = 10_000;  // 10s — daemon must respond fast
+
+export interface Challenge {
+  nonce: Uint8Array;       // 32 random bytes
+  issued_at_ms: number;
+}
+
+/** Generate a fresh challenge for the daemon to sign. */
+export function generateChallenge(): Challenge {
+  return {
+    nonce: crypto.getRandomValues(new Uint8Array(32)),
+    issued_at_ms: Date.now(),
+  };
+}
+
+/**
+ * Build the bytes the client is expected to sign: nonce (32B) ++ issued_at_ms (8B big-endian).
+ * Deterministic — both sides must compute the same bytes.
+ */
+export function buildChallengeMessage(nonce: Uint8Array, issued_at_ms: number): Uint8Array {
+  const out = new Uint8Array(32 + 8);
+  out.set(nonce, 0);
+  // 8-byte big-endian timestamp
+  const view = new DataView(out.buffer, 32, 8);
+  view.setBigUint64(0, BigInt(issued_at_ms), false);
+  return out;
+}
+
+/** Verify a challenge response. Returns true iff sig is valid AND challenge not expired. */
+export function verifyChallengeResponse(
+  challenge: Challenge,
+  sig: Uint8Array,
+  pubkey: Uint8Array,
+  now_ms: number,
+): boolean {
+  if (now_ms > challenge.issued_at_ms + CHALLENGE_TTL_MS) return false;
+  const msg = buildChallengeMessage(challenge.nonce, challenge.issued_at_ms);
+  return nacl.sign.detached.verify(msg, sig, pubkey);
+}
+
+/** daemon_id = first 16 bytes of SHA-256(signing_pubkey), hex-encoded (32 chars). */
+export async function deriveDaemonId(signing_pubkey: Uint8Array): Promise<string> {
+  const hash = await crypto.subtle.digest("SHA-256", signing_pubkey);
+  const bytes = new Uint8Array(hash).slice(0, 16);
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// ── Base64 helpers (workerd has atob/btoa but Uint8Array helpers are clearer) ──
+
+export function toBase64(bytes: Uint8Array): string {
+  let s = "";
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s);
+}
+
+export function fromBase64(s: string): Uint8Array {
+  const bin = atob(s);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}

package/worker/src/index.ts

@@ -0,0 +1,81 @@
+import { PairingCoordinator } from "./pairing-coordinator.js";
+import { DaemonRelay } from "./daemon-relay.js";
+import { deriveDaemonId, fromBase64 } from "./handshake.js";
+import type { Env } from "./env.js";
+
+export { PairingCoordinator, DaemonRelay };
+
+export default {
+  async fetch(req: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
+    const url = new URL(req.url);
+
+    if (url.pathname === "/v1/health") {
+      return new Response("ok", { status: 200 });
+    }
+
+    // Per-IP rate limit (skip in tests where RATE_LIMITER returns success synthetically)
+    if (env.RATE_LIMITER && (url.pathname === "/v1/daemon" || url.pathname === "/v1/phone")) {
+      const ip = req.headers.get("CF-Connecting-IP") ?? "test-ip";
+      try {
+        const { success } = await env.RATE_LIMITER.limit({ key: ip });
+        if (!success) return new Response("rate limited", { status: 429 });
+      } catch { /* binding may be unavailable in some test envs */ }
+    }
+
+    if (url.pathname === "/v1/daemon") {
+      if (req.headers.get("Upgrade") !== "websocket") {
+        return new Response("expected websocket", { status: 426 });
+      }
+      const pubkey_b64 = req.headers.get("X-Daemon-Pubkey");
+      if (!pubkey_b64) return new Response("missing X-Daemon-Pubkey", { status: 400 });
+      let pubkey: Uint8Array;
+      try {
+        pubkey = fromBase64(pubkey_b64);
+        if (pubkey.length !== 32) throw new Error("bad length");
+      } catch {
+        return new Response("bad X-Daemon-Pubkey", { status: 400 });
+      }
+      const daemon_id = await deriveDaemonId(pubkey);
+      const id = env.RELAY.idFromName(daemon_id);
+      const stub = env.RELAY.get(id);
+      return stub.fetch(req);
+    }
+
+    if (url.pathname === "/v1/phone") {
+      if (req.headers.get("Upgrade") !== "websocket") {
+        return new Response("expected websocket", { status: 426 });
+      }
+      // Browsers can't set custom headers on WebSocket; accept URL-query fallback.
+      const pairing_token = req.headers.get("X-Pairing-Token") ?? url.searchParams.get("token");
+      const daemon_id_hdr = req.headers.get("X-Daemon-Id") ?? url.searchParams.get("daemon_id");
+
+      let target_daemon_id: string | null = null;
+      if (pairing_token) {
+        const coordId = env.PAIRING.idFromName("coordinator");
+        const coordStub = env.PAIRING.get(coordId);
+        const claimRes = await coordStub.fetch(new Request("https://x/claim", {
+          method: "POST",
+          body: JSON.stringify({ token: pairing_token }),
+          headers: { "content-type": "application/json" },
+        }));
+        const claim = await claimRes.json() as { ok: boolean; daemon_id?: string; reason?: string };
+        if (!claim.ok || !claim.daemon_id) {
+          return new Response("invalid_pairing_token", { status: 404 });
+        }
+        target_daemon_id = claim.daemon_id;
+      } else if (daemon_id_hdr) {
+        target_daemon_id = daemon_id_hdr;
+      } else {
+        return new Response("missing X-Pairing-Token or X-Daemon-Id", { status: 400 });
+      }
+
+      // Forward the request to the DO. The DO also reads from query/header for downstream
+      // X-Phone-Pubkey / X-Sig in reconnect mode (modified in daemon-relay.ts).
+      const id = env.RELAY.idFromName(target_daemon_id);
+      const stub = env.RELAY.get(id);
+      return stub.fetch(req);
+    }
+
+    return new Response("not_found", { status: 404 });
+  },
+};

package/worker/src/pairing-code.ts

@@ -0,0 +1,39 @@
+// Crockford base32 alphabet — no 0/O/1/I/L (visually unambiguous).
+// 32 characters: 2-9 (no 0,1) plus A-Z minus I,L,O.
+export const PAIRING_CODE_ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ";
+
+export const PAIRING_CODE_LENGTH = 16;
+
+/** Generate a fresh random 16-char pairing code. ~76 bits entropy (log2(32^16)). */
+export function generatePairingCode(): string {
+  const bytes = new Uint8Array(PAIRING_CODE_LENGTH);
+  crypto.getRandomValues(bytes);
+  let code = "";
+  for (let i = 0; i < PAIRING_CODE_LENGTH; i++) {
+    code += PAIRING_CODE_ALPHABET[bytes[i]! % PAIRING_CODE_ALPHABET.length];
+  }
+  return code;
+}
+
+/** Strip hyphens + whitespace, uppercase. */
+export function normalizePairingCode(input: string): string {
+  return input.replace(/[\s-]+/g, "").toUpperCase();
+}
+
+/** Insert hyphens every 4 chars for display (XXXX-XXXX-XXXX-XXXX). */
+export function formatPairingCode(normalized: string): string {
+  const groups: string[] = [];
+  for (let i = 0; i < normalized.length; i += 4) {
+    groups.push(normalized.slice(i, i + 4));
+  }
+  return groups.join("-");
+}
+
+/** True iff input is exactly 16 chars from our alphabet (no hyphens, uppercase). */
+export function isValidPairingCode(input: string): boolean {
+  if (input.length !== PAIRING_CODE_LENGTH) return false;
+  for (const ch of input) {
+    if (!PAIRING_CODE_ALPHABET.includes(ch)) return false;
+  }
+  return true;
+}

package/worker/src/pairing-coordinator.ts

@@ -0,0 +1,145 @@
+import type { Env } from "./env.js";
+
+export const PAIRING_TTL_MS = 10 * 60 * 1000;   // 10 min
+const REGISTER_RATE_WINDOW_MS = 60 * 60 * 1000; // 1 hour
+const REGISTER_RATE_LIMIT = 100;
+const ALARM_INTERVAL_MS = 60_000;               // sweep every 60s
+
+interface PendingEntry {
+  daemon_id: string;
+  expires_at_ms: number;
+  /** Persistent tokens never expire (sweep skips them) and are not consumed on
+   *  claim — multiple phones can use the same QR over time, until the user
+   *  rotates via `pnpm pair --rotate`. Default false = legacy ephemeral. */
+  persistent?: boolean;
+}
+
+interface RateEntry {
+  count: number;
+  window_started_at_ms: number;
+}
+
+export class PairingCoordinator implements DurableObject {
+  private pending = new Map<string, PendingEntry>();
+  private rateLimits = new Map<string, RateEntry>();
+
+  constructor(private state: DurableObjectState, private env: Env) {
+    this.state.blockConcurrencyWhile(async () => {
+      const stored = await this.state.storage.get<Map<string, PendingEntry>>("pending");
+      if (stored) this.pending = stored;
+      const rates = await this.state.storage.get<Map<string, RateEntry>>("rates");
+      if (rates) this.rateLimits = rates;
+      const next = await this.state.storage.getAlarm();
+      if (!next) await this.state.storage.setAlarm(Date.now() + ALARM_INTERVAL_MS);
+    });
+  }
+
+  async fetch(req: Request): Promise<Response> {
+    const url = new URL(req.url);
+    const path = url.pathname.replace(/^\//, "");
+    if (req.method !== "POST") return new Response("method", { status: 405 });
+    const body = await req.json() as Record<string, unknown>;
+
+    if (path === "register") {
+      const token = String(body.token ?? "");
+      const daemon_id = String(body.daemon_id ?? "");
+      const persistent = body.persistent === true;
+      return this.json(await this.register(token, daemon_id, persistent));
+    }
+    if (path === "claim") {
+      const token = String(body.token ?? "");
+      return this.json(await this.claim(token));
+    }
+    if (path === "revoke") {
+      const token = String(body.token ?? "");
+      await this.revoke(token);
+      return this.json({ ok: true });
+    }
+    return new Response("not_found", { status: 404 });
+  }
+
+  private json(o: unknown): Response {
+    return new Response(JSON.stringify(o), { headers: { "content-type": "application/json" } });
+  }
+
+  async register(
+    token: string,
+    daemon_id: string,
+    persistent: boolean = false,
+  ): Promise<{ ok: true } | { ok: false; reason: string }> {
+    if (!token || !daemon_id) return { ok: false, reason: "bad_input" };
+    if (this.pending.size > 10000) return { ok: false, reason: "coordinator_full" };
+
+    const now = Date.now();
+    const r = this.rateLimits.get(daemon_id);
+    if (r && now - r.window_started_at_ms < REGISTER_RATE_WINDOW_MS) {
+      if (r.count >= REGISTER_RATE_LIMIT) return { ok: false, reason: "rate_limited" };
+      r.count++;
+    } else {
+      this.rateLimits.set(daemon_id, { count: 1, window_started_at_ms: now });
+    }
+    await this.state.storage.put("rates", this.rateLimits);
+
+    // Persistent: never expires. Sentinel via Number.MAX_SAFE_INTEGER so the
+    // existing `Date.now() > expires_at_ms` checks naturally fail.
+    const expires_at_ms = persistent ? Number.MAX_SAFE_INTEGER : now + PAIRING_TTL_MS;
+    this.pending.set(token, { daemon_id, expires_at_ms, persistent: persistent || undefined });
+    await this.state.storage.put("pending", this.pending);
+    return { ok: true };
+  }
+
+  async claim(token: string): Promise<{ ok: true; daemon_id: string } | { ok: false; reason: string }> {
+    const entry = this.pending.get(token);
+    if (!entry) return { ok: false, reason: "unknown" };
+    if (Date.now() > entry.expires_at_ms) {
+      this.pending.delete(token);
+      await this.state.storage.put("pending", this.pending);
+      return { ok: false, reason: "expired" };
+    }
+    // Persistent tokens stay in the map — same QR keeps working for the next
+    // device. Ephemeral tokens are consumed once.
+    if (!entry.persistent) {
+      this.pending.delete(token);
+      await this.state.storage.put("pending", this.pending);
+    }
+    return { ok: true, daemon_id: entry.daemon_id };
+  }
+
+  async revoke(token: string): Promise<void> {
+    if (this.pending.delete(token)) {
+      await this.state.storage.put("pending", this.pending);
+    }
+  }
+
+  /** Test-only — inserts a token bypassing rate limit. Not used in production paths. */
+  async _test_insert(token: string, daemon_id: string, expires_at_ms: number): Promise<void> {
+    this.pending.set(token, { daemon_id, expires_at_ms });
+    await this.state.storage.put("pending", this.pending);
+  }
+
+  async alarm(): Promise<void> {
+    const now = Date.now();
+    let changed = false;
+    for (const [token, entry] of this.pending) {
+      // Persistent tokens never expire (they have expires_at_ms set to
+      // Number.MAX_SAFE_INTEGER, but check the flag too in case of legacy data).
+      if (entry.persistent) continue;
+      if (entry.expires_at_ms < now) {
+        this.pending.delete(token);
+        changed = true;
+      }
+    }
+    if (changed) await this.state.storage.put("pending", this.pending);
+
+    let rateChanged = false;
+    for (const [did, r] of this.rateLimits) {
+      if (now - r.window_started_at_ms > REGISTER_RATE_WINDOW_MS) {
+        this.rateLimits.delete(did);
+        rateChanged = true;
+      }
+    }
+    if (rateChanged) await this.state.storage.put("rates", this.rateLimits);
+
+    await this.state.storage.setAlarm(Date.now() + ALARM_INTERVAL_MS);
+  }
+}

package/worker/wrangler-selfhost.toml

@@ -0,0 +1,36 @@
+# Self-host wrangler config — used by `miki setup` self-host wizard.
+#
+# Same as wrangler.toml, but WITHOUT the routes/custom_domain block. Self-host
+# users get the default <worker-name>.<account>.workers.dev URL; they're free
+# to attach their own custom domain via the CF dashboard afterwards.
+#
+# DO NOT add a routes block here — it would attach to whichever domain you
+# write and risk hijacking the author's hosted instance if the user happens
+# to share a CF account.
+
+name = "miki-relay"
+main = "src/index.ts"
+compatibility_date = "2025-01-01"
+compatibility_flags = ["nodejs_compat"]
+
+# Explicitly enable workers.dev URL so wrangler prints it after deploy.
+workers_dev = true
+
+[[durable_objects.bindings]]
+name = "PAIRING"
+class_name = "PairingCoordinator"
+
+[[durable_objects.bindings]]
+name = "RELAY"
+class_name = "DaemonRelay"
+
+[[migrations]]
+tag = "v1"
+# Free tier requires new_sqlite_classes (SQLite-backed DO). Paid tier could use new_classes (KV-backed).
+new_sqlite_classes = ["PairingCoordinator", "DaemonRelay"]
+
+[[unsafe.bindings]]
+name = "RATE_LIMITER"
+type = "ratelimit"
+namespace_id = "1"
+simple = { limit = 30, period = 60 }

package/worker/wrangler.toml

@@ -0,0 +1,29 @@
+name = "miki-relay"
+main = "src/index.ts"
+compatibility_date = "2025-01-01"
+compatibility_flags = ["nodejs_compat"]
+
+# Custom domain — self-host users replace with your own zone, or delete this
+# block entirely to use the default workers.dev subdomain.
+routes = [
+  { pattern = "relay.f1telemetrystationpro.org", custom_domain = true }
+]
+
+[[durable_objects.bindings]]
+name = "PAIRING"
+class_name = "PairingCoordinator"
+
+[[durable_objects.bindings]]
+name = "RELAY"
+class_name = "DaemonRelay"
+
+[[migrations]]
+tag = "v1"
+# Free tier requires new_sqlite_classes (SQLite-backed DO). Paid tier could use new_classes (KV-backed).
+new_sqlite_classes = ["PairingCoordinator", "DaemonRelay"]
+
+[[unsafe.bindings]]
+name = "RATE_LIMITER"
+type = "ratelimit"
+namespace_id = "1"
+simple = { limit = 30, period = 60 }