pal-explorer-cli 0.4.0

package/lib/core/signalingServer.js

@@ -0,0 +1,441 @@
+import net from 'net';
+import crypto from 'crypto';
+import config from '../utils/config.js';
+
+const SIGNALING_PORT = 7474;
+let server = null;
+let messageHandler = null;
+
+// Rate limiting: per-IP connection and token bucket tracking
+const MAX_CONNECTIONS_PER_IP = 3;
+const TOKENS_PER_SECOND = 10;
+const MAX_TOKENS = 15;
+const connectionsByIp = new Map();
+const tokenBuckets = new Map();
+const rateLimitOffenders = new Map();
+
+// Pending auth challenges (nonce → { publicKey, expiresAt })
+const pendingChallenges = new Map();
+const CHALLENGE_TTL_MS = 30000;
+
+// Wire format: 4-byte big-endian length prefix + JSON payload
+// Request:  { type: "status" } or { type: "message", envelope: {...} }
+// Response: JSON object (same framing)
+
+function frameMessage(obj) {
+  const json = JSON.stringify(obj);
+  const buf = Buffer.alloc(4 + Buffer.byteLength(json));
+  buf.writeUInt32BE(Buffer.byteLength(json), 0);
+  buf.write(json, 4);
+  return buf;
+}
+
+function getSocketIp(socket) {
+  return socket.remoteAddress || 'unknown';
+}
+
+// Token bucket rate limiter — refills TOKENS_PER_SECOND continuously
+function checkRateLimit(ip) {
+  const now = Date.now();
+
+  // Check if IP is in penalty box (repeat offenders get exponential backoff)
+  const offender = rateLimitOffenders.get(ip);
+  if (offender && now < offender.blockedUntil) return false;
+
+  let bucket = tokenBuckets.get(ip);
+  if (!bucket) {
+    bucket = { tokens: MAX_TOKENS, lastRefill: now };
+    tokenBuckets.set(ip, bucket);
+  }
+
+  // Refill tokens based on elapsed time
+  const elapsed = (now - bucket.lastRefill) / 1000;
+  bucket.tokens = Math.min(MAX_TOKENS, bucket.tokens + elapsed * TOKENS_PER_SECOND);
+  bucket.lastRefill = now;
+
+  if (bucket.tokens < 1) {
+    // Track repeat offenders with exponential backoff
+    const prev = rateLimitOffenders.get(ip);
+    const strikes = prev ? prev.strikes + 1 : 1;
+    const blockMs = Math.min(60000, 1000 * Math.pow(2, strikes - 1));
+    rateLimitOffenders.set(ip, { strikes, blockedUntil: now + blockMs });
+    return false;
+  }
+
+  bucket.tokens -= 1;
+  return true;
+}
+
+// Periodic cleanup of stale buckets and offender entries (every 60s)
+setInterval(() => {
+  const now = Date.now();
+  for (const [ip, bucket] of tokenBuckets) {
+    if (now - bucket.lastRefill > 60000) tokenBuckets.delete(ip);
+  }
+  for (const [ip, entry] of rateLimitOffenders) {
+    if (now > entry.blockedUntil + 300000) rateLimitOffenders.delete(ip);
+  }
+}, 60000).unref();
+
+function trackConnection(ip) {
+  const count = connectionsByIp.get(ip) || 0;
+  if (count >= MAX_CONNECTIONS_PER_IP) return false;
+  connectionsByIp.set(ip, count + 1);
+  return true;
+}
+
+function untrackConnection(ip) {
+  const count = connectionsByIp.get(ip) || 0;
+  if (count <= 1) connectionsByIp.delete(ip);
+  else connectionsByIp.set(ip, count - 1);
+}
+
+
+// Lazy-loaded crypto module cache
+const await_import_cache = {};
+async function loadCryptoModule() {
+  if (!await_import_cache.chatEncryption) {
+    try {
+      const mod = await import('../crypto/chatEncryption.js');
+      await_import_cache.chatEncryption = mod;
+    } catch {
+      await_import_cache.chatEncryption = {};
+    }
+  }
+}
+
+async function verifyAuth(request) {
+  if (!request._auth) return false;
+  const { nonce, signature, publicKey } = request._auth;
+  if (!nonce || !signature || !publicKey) return false;
+
+  const challenge = pendingChallenges.get(nonce);
+  if (!challenge || Date.now() > challenge.expiresAt) {
+    pendingChallenges.delete(nonce);
+    return false;
+  }
+
+  try {
+    await loadCryptoModule();
+    const { verifySignature } = await_import_cache.chatEncryption;
+    if (!verifySignature) return false;
+    const valid = verifySignature(nonce, signature, publicKey);
+    if (valid) pendingChallenges.delete(nonce);
+    return valid;
+  } catch {
+    return false;
+  }
+}
+
+function isFriend(publicKey) {
+  const friends = config.get('friends') || [];
+  return friends.some(f => f.id === publicKey || f.publicKey === publicKey);
+}
+
+function handleConnection(socket) {
+  const ip = getSocketIp(socket);
+
+  if (!trackConnection(ip)) {
+    socket.destroy();
+    return;
+  }
+
+  // Token bucket rate limit at connection acceptance
+  if (!checkRateLimit(ip)) {
+    untrackConnection(ip);
+    socket.destroy();
+    return;
+  }
+
+  let buffer = Buffer.alloc(0);
+
+  socket.on('data', (chunk) => {
+    buffer = Buffer.concat([buffer, chunk]);
+    processBuffer();
+  });
+
+  function processBuffer() {
+    if (buffer.length < 4) return;
+    const msgLen = buffer.readUInt32BE(0);
+
+    // Guard against oversized messages (1MB max)
+    if (msgLen > 1024 * 1024) {
+      socket.destroy();
+      return;
+    }
+
+    if (buffer.length < 4 + msgLen) return;
+
+    if (!checkRateLimit(ip)) {
+      socket.destroy();
+      return;
+    }
+
+    const jsonBuf = buffer.subarray(4, 4 + msgLen);
+    buffer = buffer.subarray(4 + msgLen);
+
+    let request;
+    try {
+      request = JSON.parse(jsonBuf.toString());
+    } catch {
+      const errResp = frameMessage({ error: 'Invalid JSON' });
+      socket.write(errResp, () => socket.end());
+      return;
+    }
+
+    handleRequest(request, socket);
+
+    // Process remaining messages in buffer
+    if (buffer.length >= 4) processBuffer();
+  }
+
+  socket.on('error', () => {});
+  socket.on('close', () => untrackConnection(ip));
+}
+
+async function handleRequest(request, socket) {
+  try {
+    // Phase 1: auth_challenge — issue a nonce for Ed25519 challenge-response
+    if (request.type === 'auth_challenge') {
+      if (pendingChallenges.size >= 500) {
+        socket.write(frameMessage({ error: 'Service busy' }), () => socket.end());
+        return;
+      }
+      const nonce = crypto.randomBytes(32).toString('hex');
+      pendingChallenges.set(nonce, { expiresAt: Date.now() + CHALLENGE_TTL_MS });
+      // Clean expired challenges periodically
+      if (pendingChallenges.size > 100) {
+        const now = Date.now();
+        for (const [k, v] of pendingChallenges) {
+          if (now > v.expiresAt) pendingChallenges.delete(k);
+        }
+      }
+      socket.write(frameMessage({ ok: true, nonce }), () => socket.end());
+      return;
+    }
+
+    if (request.type === 'status') {
+      // MEDIUM-4 fix: only return protocol info for unauthenticated callers
+      const resp = { ok: true, protocol: 'PAL/1.0', version: 1 };
+      const authenticated = await verifyAuth(request);
+      if (authenticated) {
+        const identity = config.get('identity');
+        resp.handle = identity?.handle || null;
+        resp.publicKey = identity?.publicKey || null;
+      }
+      socket.write(frameMessage(resp), () => socket.end());
+      return;
+    }
+
+    if (request.type === 'share_list') {
+      const { listShares } = await import('../core/shares.js');
+      const shares = listShares({ allUsers: true });
+      const authenticated = await verifyAuth(request);
+      const callerPk = authenticated ? request._auth.publicKey : null;
+      const callerIsFriend = callerPk ? isFriend(callerPk) : false;
+
+      const filtered = shares
+        .filter(s => {
+          if (s.status !== 'active' || s.expired) return false;
+          // CRITICAL-1 fix: unauthenticated callers only see public shares
+          if (!authenticated) return s.visibility !== 'private';
+          // Authenticated non-friends see only public shares
+          if (!callerIsFriend) return s.visibility !== 'private';
+          return true;
+        })
+        .map(s => {
+          const entry = {
+            id: s.id,
+            name: s.name,
+            type: s.type,
+            visibility: s.visibility || 'global',
+            streamable: s.streamable || false,
+            recipientCount: (s.recipients || []).length,
+            createdAt: s.createdAt,
+          };
+          // Only include magnet for authenticated friends
+          if (callerIsFriend) {
+            entry.magnet = s.magnet || null;
+          }
+          return entry;
+        });
+
+      const resp = { ok: true, shares: filtered };
+      if (callerIsFriend) {
+        const identity = config.get('identity');
+        const device = config.get('device');
+        resp.handle = identity?.handle || null;
+        resp.publicKey = identity?.publicKey || null;
+        resp.deviceName = device?.name || null;
+        resp.deviceId = device?.id || null;
+        resp.torrentPort = config.get('torrentPort') || null;
+      }
+      socket.write(frameMessage(resp), () => socket.end());
+      return;
+    }
+
+    if (request.type === 'share_files' && request.shareId) {
+      const { listShares } = await import('../core/shares.js');
+      const shares = listShares({ allUsers: true });
+      const share = shares.find(s => s.id === request.shareId || s.name === request.shareId);
+      if (!share) {
+        socket.write(frameMessage({ ok: false, error: 'Share not found' }), () => socket.end());
+        return;
+      }
+
+      // CRITICAL-2 fix: private shares require authentication + friendship or recipient check
+      if (share.visibility === 'private') {
+        const authenticated = await verifyAuth(request);
+        const callerPk = authenticated ? request._auth.publicKey : null;
+        if (!callerPk || (!isFriend(callerPk) && !(share.recipients || []).some(r => r.publicKey === callerPk || r.id === callerPk))) {
+          socket.write(frameMessage({ ok: false, error: 'Share not found' }), () => socket.end());
+          return;
+        }
+      }
+
+      socket.write(frameMessage({
+        ok: true,
+        shareId: share.id,
+        shareName: share.name,
+        files: share.files || [],
+        magnet: share.magnet || null,
+      }), () => socket.end());
+      return;
+    }
+
+    if (request.type === 'message' && request.envelope) {
+      const authenticated = await verifyAuth(request);
+      if (!authenticated) {
+        socket.write(frameMessage({ error: 'Unauthorized' }), () => socket.end());
+        return;
+      }
+      if (messageHandler) {
+        const result = await messageHandler(request.envelope);
+        socket.write(frameMessage(result), () => socket.end());
+      } else {
+        socket.write(frameMessage({ received: true }), () => socket.end());
+      }
+      return;
+    }
+
+    socket.write(frameMessage({ error: 'Unknown request type' }), () => socket.end());
+  } catch (e) {
+    // LOW-2 fix: never leak internal error details to callers
+    try {
+      socket.write(frameMessage({ error: 'Internal error' }), () => socket.end());
+    } catch {}
+  }
+}
+
+export function setMessageHandler(handler) {
+  messageHandler = handler;
+}
+
+export function start(callback) {
+  if (server) {
+    const result = { port: SIGNALING_PORT, bound: true };
+    if (callback) callback(result);
+    return result;
+  }
+
+  const srv = net.createServer(handleConnection);
+  server = srv; // optimistically set so isRunning() returns true immediately
+
+  srv.on('error', (err) => {
+    if (err.code === 'EADDRINUSE') {
+      console.error(`[signaling] Port ${SIGNALING_PORT} in use, skipping`);
+    }
+    server = null;
+    if (callback) callback({ port: SIGNALING_PORT, bound: false, error: err.code });
+  });
+
+  srv.listen(SIGNALING_PORT, '0.0.0.0', () => {
+    if (callback) callback({ port: SIGNALING_PORT, bound: true });
+  });
+
+  return { port: SIGNALING_PORT };
+}
+
+// Promise-based start for async callers
+export function startAsync() {
+  return new Promise((resolve) => start(resolve));
+}
+
+export function stop() {
+  if (server) {
+    server.close();
+    server = null;
+  }
+  connectionsByIp.clear();
+  tokenBuckets.clear();
+  rateLimitOffenders.clear();
+  pendingChallenges.clear();
+}
+
+export function isRunning() {
+  return server !== null;
+}
+
+export function getPort() {
+  return SIGNALING_PORT;
+}
+
+// Client helper — send a request to a peer's signaling port and get a response
+export function sendRequest(host, port, request, timeout = 3000) {
+  return new Promise((resolve, reject) => {
+    const socket = net.createConnection({ host, port }, () => {
+      socket.write(frameMessage(request));
+    });
+
+    let buffer = Buffer.alloc(0);
+    const timer = setTimeout(() => {
+      socket.destroy();
+      reject(new Error('Timeout'));
+    }, timeout);
+
+    socket.on('data', (chunk) => {
+      buffer = Buffer.concat([buffer, chunk]);
+      if (buffer.length >= 4) {
+        const msgLen = buffer.readUInt32BE(0);
+        if (buffer.length >= 4 + msgLen) {
+          clearTimeout(timer);
+          try {
+            const resp = JSON.parse(buffer.subarray(4, 4 + msgLen).toString());
+            resolve(resp);
+          } catch (e) {
+            reject(e);
+          }
+          socket.end();
+        }
+      }
+    });
+
+    socket.on('error', (err) => {
+      clearTimeout(timer);
+      reject(err);
+    });
+
+    socket.on('close', () => {
+      clearTimeout(timer);
+    });
+  });
+}
+
+// Client helper — perform authenticated request (challenge-response handshake)
+export async function sendAuthenticatedRequest(host, port, request, privateKey, publicKey, timeout = 5000) {
+  // Step 1: get challenge nonce
+  const challengeResp = await sendRequest(host, port, { type: 'auth_challenge' }, timeout);
+  if (!challengeResp.ok || !challengeResp.nonce) {
+    throw new Error('Failed to get auth challenge');
+  }
+
+  // Step 2: sign the nonce
+  const { signMessage } = await import('../crypto/chatEncryption.js');
+  const signature = signMessage(challengeResp.nonce, privateKey);
+
+  // Step 3: send authenticated request
+  return sendRequest(host, port, {
+    ...request,
+    _auth: { nonce: challengeResp.nonce, signature, publicKey },
+  }, timeout);
+}

package/lib/core/streamTransport.js

@@ -0,0 +1,106 @@
+import config from '../utils/config.js';
+import { fetchTurnCredentials } from './discoveryClient.js';
+import { isPro } from './pro.js';
+import { getNearbyPeers } from './mdnsService.js';
+import { sendRequest } from './signalingServer.js';
+import crypto from 'crypto';
+
+// Transport types
+export const TRANSPORT = { LAN: 'lan', P2P: 'p2p', RELAY: 'relay', TUNNEL: 'tunnel' };
+
+export function getTransportConfig() {
+  const settings = config.get('settings') || {};
+  return {
+    preferred: settings.streamTransport || 'p2p',
+    stunServers: settings.stunServers || ['stun:stun.l.google.com:19302'],
+    turnServer: settings.turn_server || 'turn.palexplorer.com',
+    customStunServers: settings.customStunServers || [],
+    customTurnServers: settings.customTurnServers || [],
+    tunnelUrl: settings.tunnelUrl || '',
+  };
+}
+
+export function setTransportConfig(updates) {
+  const settings = config.get('settings') || {};
+  if (updates.preferred !== undefined) settings.streamTransport = updates.preferred;
+  if (updates.stunServers !== undefined) settings.stunServers = updates.stunServers;
+  if (updates.customStunServers !== undefined) settings.customStunServers = updates.customStunServers;
+  if (updates.customTurnServers !== undefined) settings.customTurnServers = updates.customTurnServers;
+  if (updates.tunnelUrl !== undefined) settings.tunnelUrl = updates.tunnelUrl;
+  config.set('settings', settings);
+}
+
+export function getIceServers() {
+  const tc = getTransportConfig();
+  const servers = [];
+
+  // STUN servers (built-in + custom)
+  const stunUrls = [...tc.stunServers, ...tc.customStunServers].filter(Boolean);
+  if (stunUrls.length) servers.push({ urls: stunUrls });
+
+  // Custom TURN servers (user-provided, always included if present)
+  for (const turn of tc.customTurnServers) {
+    if (turn.urls) servers.push(turn); // { urls, username, credential }
+  }
+
+  return servers;
+}
+
+export async function getIceServersWithRelay() {
+  const servers = getIceServers();
+
+  // Add palexplorer-server TURN if available (Pro only)
+  try {
+    const creds = await fetchTurnCredentials();
+    if (creds?.urls) {
+      servers.push({
+        urls: Array.isArray(creds.urls) ? creds.urls : [creds.urls],
+        username: creds.username,
+        credential: creds.credential,
+      });
+    }
+  } catch {}
+
+  return servers;
+}
+
+export function generateRoomId(localPK, remotePK) {
+  const sorted = [localPK, remotePK].sort();
+  return crypto.createHash('sha256').update(sorted.join(':')).digest('hex').slice(0, 32);
+}
+
+export function requiresPro(transport) {
+  // LAN is free, all internet transports require Pro
+  return transport !== TRANSPORT.LAN;
+}
+
+export function canUseTransport(transport) {
+  if (transport === TRANSPORT.LAN) return true;
+  return isPro();
+}
+
+export async function selectBestTransport(targetPK) {
+  const tc = getTransportConfig();
+  const pro = isPro();
+
+  // LAN check — always try first (pure TCP)
+  const nearby = getNearbyPeers();
+  const lanPeer = nearby.find(p => p.publicKey === targetPK);
+  if (lanPeer) {
+    try {
+      const resp = await sendRequest(lanPeer.ip, 7474, { type: 'status' }, 2000);
+      if (resp.ok) return { transport: TRANSPORT.LAN, address: `${lanPeer.ip}:7474` };
+    } catch {}
+  }
+
+  // Internet transports require Pro
+  if (!pro) return null;
+
+  // Check user preference for internet transport
+  if (tc.preferred === 'tunnel' && tc.tunnelUrl) {
+    return { transport: TRANSPORT.TUNNEL, url: tc.tunnelUrl };
+  }
+
+  // P2P (default for internet)
+  return { transport: TRANSPORT.P2P, iceServers: await getIceServersWithRelay() };
+}

package/lib/core/su.js

@@ -0,0 +1,55 @@
+import crypto from 'crypto';
+import config from '../utils/config.js';
+
+let sessionToken = null;
+let sessionExpiresAt = null;
+const SESSION_TTL_MS = 30 * 60 * 1000; // 30 minutes
+
+function hashToken(token) {
+  return crypto.createHash('sha256').update(token).digest('hex');
+}
+
+export function setSuToken(token) {
+  config.set('suTokenHash', hashToken(token));
+}
+
+export function hasSuToken() {
+  return !!config.get('suTokenHash');
+}
+
+export function verifySuToken(token) {
+  const stored = config.get('suTokenHash');
+  if (!stored) return false;
+  const computed = hashToken(token);
+  if (computed.length !== stored.length) return false;
+  return crypto.timingSafeEqual(Buffer.from(computed), Buffer.from(stored));
+}
+
+export function authenticate(token) {
+  if (!verifySuToken(token)) return false;
+  sessionToken = token;
+  sessionExpiresAt = Date.now() + SESSION_TTL_MS;
+  return true;
+}
+
+export function isAuthenticated() {
+  if (sessionToken && sessionExpiresAt && Date.now() < sessionExpiresAt && verifySuToken(sessionToken)) return true;
+  if (sessionToken && sessionExpiresAt && Date.now() >= sessionExpiresAt) {
+    sessionToken = null;
+    sessionExpiresAt = null;
+  }
+  const envToken = process.env.PAL_SU_TOKEN;
+  if (envToken && verifySuToken(envToken)) return true;
+  return false;
+}
+
+export function requireSu() {
+  if (isAuthenticated()) return true;
+  throw new Error('This command requires super user access. Run "pe su auth" first or set PAL_SU_TOKEN.');
+}
+
+export function removeSuToken() {
+  config.delete('suTokenHash');
+  sessionToken = null;
+  sessionExpiresAt = null;
+}