npm - roster-server - Versions diffs - 2.1.34 → 2.2.1 - Mend

roster-server 2.1.34 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/index.js +91 -37
package/package.json +1 -1
package/test/roster-server.test.js +9 -0

package/index.js CHANGED Viewed

@@ -3,11 +3,14 @@ const path = require('path');
 const http = require('http');
 const https = require('https');
 const tls = require('tls');
+const crypto = require('crypto');
 const { EventEmitter } = require('events');
 const Greenlock = require('./vendor/greenlock-express/greenlock-express.js');
 const GreenlockShim = require('./vendor/greenlock-express/greenlock-shim.js');
 const log = require('lemonlog')('roster');
+const isBunRuntime = typeof Bun !== 'undefined' || (typeof process !== 'undefined' && process.release?.name === 'bun');
 // CRC32 implementation for deterministic port assignment
 function crc32(str) {
     const crcTable = [];
@@ -87,6 +90,16 @@ function buildCertLookupCandidates(servername) {
     return candidates;
 }
+function certCoversName(certPem, name) {
+    try {
+        const x509 = new crypto.X509Certificate(certPem);
+        const san = (x509.subjectAltName || '').toLowerCase();
+        return san.split(',').some(entry => entry.trim() === `dns:${name.toLowerCase()}`);
+    } catch {
+        return false;
+    }
+}
 function parseBooleanFlag(value, fallback = false) {
     if (value === undefined || value === null || value === '') return fallback;
     const normalized = String(value).trim().toLowerCase();
@@ -234,9 +247,13 @@ class Roster {
         this.disableWildcard = options.disableWildcard !== undefined
             ? parseBooleanFlag(options.disableWildcard, false)
             : parseBooleanFlag(process.env.ROSTER_DISABLE_WILDCARD, false);
+        const combineDefault = isBunRuntime;
         this.combineWildcardCerts = options.combineWildcardCerts !== undefined
-            ? parseBooleanFlag(options.combineWildcardCerts, false)
-            : parseBooleanFlag(process.env.ROSTER_COMBINE_WILDCARD_CERTS, false);
+            ? parseBooleanFlag(options.combineWildcardCerts, combineDefault)
+            : parseBooleanFlag(process.env.ROSTER_COMBINE_WILDCARD_CERTS, combineDefault);
+        if (isBunRuntime && this.combineWildcardCerts) {
+            log.info('Bun runtime detected: combined wildcard certificates enabled by default (SNI bypass)');
+        }
         const port = options.port === undefined ? 443 : options.port;
         if (port === 80 && !this.local) {
@@ -775,38 +792,7 @@ class Roster {
                 }
             }
-            const isBunRuntime = typeof Bun !== 'undefined' || process.release?.name === 'bun';
-            if (isBunRuntime && this.wildcardZones.size > 0) {
-                const retryDelayMs = Number.isFinite(Number(process.env.ROSTER_BUN_WILDCARD_PREWARM_RETRY_MS))
-                    ? Math.max(1000, Number(process.env.ROSTER_BUN_WILDCARD_PREWARM_RETRY_MS))
-                    : 30000;
-                const maxAttempts = Number.isFinite(Number(process.env.ROSTER_BUN_WILDCARD_PREWARM_MAX_ATTEMPTS))
-                    ? Math.max(0, Number(process.env.ROSTER_BUN_WILDCARD_PREWARM_MAX_ATTEMPTS))
-                    : 0; // 0 = retry forever
-                for (const zone of this.wildcardZones) {
-                    const bootstrapHost = `bun-bootstrap.${zone}`;
-                    const attemptPrewarm = async (attempt = 1) => {
-                        try {
-                            log.warn(`⚠️  Bun runtime detected: prewarming wildcard certificate via ${bootstrapHost} (attempt ${attempt})`);
-                            await greenlockRuntime.get({ servername: bootstrapHost });
-                            log.info(`✅ Bun wildcard prewarm succeeded for ${zone} on attempt ${attempt}`);
-                        } catch (error) {
-                            log.warn(`⚠️  Bun wildcard prewarm failed for ${zone} (attempt ${attempt}): ${error?.message || error}`);
-                            if (maxAttempts > 0 && attempt >= maxAttempts) {
-                                log.warn(`⚠️  Bun wildcard prewarm stopped for ${zone} after ${attempt} attempts`);
-                                return;
-                            }
-                            setTimeout(() => {
-                                attemptPrewarm(attempt + 1).catch(() => {});
-                            }, retryDelayMs);
-                        }
-                    };
-                    // Background prewarm + retries so HTTPS startup is not blocked by DNS propagation timing.
-                    attemptPrewarm().catch(() => {});
-                }
-            }
+            const bunTlsHotReloadHandlers = [];
             // Create dispatcher for each port
             const createDispatcher = (portData) => {
@@ -934,10 +920,22 @@ class Roster {
                 };
                 const ensureBunDefaultPems = async (primaryDomain) => {
                     let pems = await issueAndReloadPemsForServername(primaryDomain);
+                    const needsWildcard = this.combineWildcardCerts
+                        && this.wildcardZones.has(primaryDomain)
+                        && this.dnsChallenge;
+                    if (pems && needsWildcard && !certCoversName(pems.cert, `*.${primaryDomain}`)) {
+                        log.warn(`⚠️  Existing cert for ${primaryDomain} lacks *.${primaryDomain} SAN — clearing stale cert for combined re-issuance`);
+                        const certDir = path.join(greenlockStorePath, 'live', primaryDomain);
+                        try { fs.rmSync(certDir, { recursive: true, force: true }); } catch {}
+                        pems = null;
+                    }
                     if (pems) return pems;
                     const certSubject = primaryDomain.startsWith('*.') ? wildcardRoot(primaryDomain) : primaryDomain;
-                    log.warn(`⚠️  Bun runtime detected and cert files missing for ${primaryDomain}; requesting certificate via Greenlock before HTTPS bind`);
+                    log.warn(`⚠️  Bun: requesting ${needsWildcard ? 'combined wildcard' : ''} certificate for ${certSubject} via Greenlock before HTTPS bind`);
                     try {
                         await greenlockRuntime.get({ servername: certSubject });
                     } catch (error) {
@@ -963,7 +961,7 @@ class Roster {
                         const primaryDomain = Object.keys(portData.virtualServers)[0];
                         // Under Bun, avoid glx.httpsServer fallback (may serve invalid TLS on :443).
                         // Require concrete PEM files and create native https server directly.
-                        const defaultPems = await ensureBunDefaultPems(primaryDomain);
+                        let defaultPems = await ensureBunDefaultPems(primaryDomain);
                         httpsServer = https.createServer({
                             ...tlsOpts,
                             key: defaultPems.key,
@@ -977,6 +975,21 @@ class Roster {
                                     .catch(callback);
                             }
                         }, dispatcher);
+                        const reloadBunDefaultTls = async (servername, reason) => {
+                            const nextPems = await issueAndReloadPemsForServername(servername);
+                            if (!nextPems) return false;
+                            defaultPems = nextPems;
+                            if (typeof httpsServer.setSecureContext === 'function') {
+                                try {
+                                    httpsServer.setSecureContext({ key: defaultPems.key, cert: defaultPems.cert });
+                                    log.info(`🔄 Bun TLS default certificate reloaded on port ${portNum} (${reason})`);
+                                } catch (error) {
+                                    log.warn(`⚠️  Failed to hot-reload Bun TLS context on port ${portNum}: ${error?.message || error}`);
+                                }
+                            }
+                            return true;
+                        };
+                        bunTlsHotReloadHandlers.push(reloadBunDefaultTls);
                         log.warn(`⚠️  Bun runtime detected: using file-based TLS with SNI for ${primaryDomain} on port ${portNum}`);
                     } else {
                         httpsServer = glx.httpsServer(tlsOpts, dispatcher);
@@ -1036,12 +1049,53 @@ class Roster {
                     });
                 }
             }
+            if (isBunRuntime && !this.combineWildcardCerts && this.wildcardZones.size > 0 && bunTlsHotReloadHandlers.length > 0) {
+                const retryDelayMs = Number.isFinite(Number(process.env.ROSTER_BUN_WILDCARD_PREWARM_RETRY_MS))
+                    ? Math.max(1000, Number(process.env.ROSTER_BUN_WILDCARD_PREWARM_RETRY_MS))
+                    : 30000;
+                const maxAttempts = Number.isFinite(Number(process.env.ROSTER_BUN_WILDCARD_PREWARM_MAX_ATTEMPTS))
+                    ? Math.max(0, Number(process.env.ROSTER_BUN_WILDCARD_PREWARM_MAX_ATTEMPTS))
+                    : 0; // 0 = retry forever
+                for (const zone of this.wildcardZones) {
+                    const bootstrapHost = `bun-bootstrap.${zone}`;
+                    const attemptPrewarm = async (attempt = 1) => {
+                        try {
+                            log.warn(`⚠️  Bun runtime detected: prewarming wildcard certificate via ${bootstrapHost} (attempt ${attempt})`);
+                            let reloaded = false;
+                            for (const reloadTls of bunTlsHotReloadHandlers) {
+                                // Trigger issuance + immediately hot-reload default TLS context when ready.
+                                reloaded = (await reloadTls(bootstrapHost, `prewarm ${bootstrapHost} attempt ${attempt}`)) || reloaded;
+                            }
+                            if (!reloaded) {
+                                throw new Error(`No certificate could be loaded for ${bootstrapHost}`);
+                            }
+                            log.info(`✅ Bun wildcard prewarm succeeded for ${zone} on attempt ${attempt}`);
+                        } catch (error) {
+                            log.warn(`⚠️  Bun wildcard prewarm failed for ${zone} (attempt ${attempt}): ${error?.message || error}`);
+                            if (maxAttempts > 0 && attempt >= maxAttempts) {
+                                log.warn(`⚠️  Bun wildcard prewarm stopped for ${zone} after ${attempt} attempts`);
+                                return;
+                            }
+                            setTimeout(() => {
+                                attemptPrewarm(attempt + 1).catch(() => {});
+                            }, retryDelayMs);
+                        }
+                    };
+                    // Background prewarm + retries so HTTPS startup is not blocked by DNS propagation timing.
+                    attemptPrewarm().catch(() => {});
+                }
+            }
         });
     }
 }
 module.exports = Roster;
+module.exports.isBunRuntime = isBunRuntime;
 module.exports.wildcardRoot = wildcardRoot;
 module.exports.hostMatchesWildcard = hostMatchesWildcard;
 module.exports.wildcardSubjectForHost = wildcardSubjectForHost;
-module.exports.buildCertLookupCandidates = buildCertLookupCandidates;
+module.exports.buildCertLookupCandidates = buildCertLookupCandidates;
+module.exports.certCoversName = certCoversName;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "roster-server",
-    "version": "2.1.34",
+    "version": "2.2.1",
     "description": "👾 RosterServer - A domain host router to host multiple HTTPS.",
     "main": "index.js",
     "scripts": {

package/test/roster-server.test.js CHANGED Viewed

@@ -8,6 +8,7 @@ const http = require('http');
 const os = require('os');
 const Roster = require('../index.js');
 const {
+    isBunRuntime,
     wildcardRoot,
     hostMatchesWildcard,
     wildcardSubjectForHost,
@@ -324,6 +325,14 @@ describe('Roster', () => {
                 else process.env.ROSTER_COMBINE_WILDCARD_CERTS = previous;
             }
         });
+        it('defaults combineWildcardCerts based on isBunRuntime', () => {
+            const roster = new Roster({ local: false });
+            assert.strictEqual(roster.combineWildcardCerts, isBunRuntime);
+        });
+        it('explicit combineWildcardCerts=false overrides Bun default', () => {
+            const roster = new Roster({ local: false, combineWildcardCerts: false });
+            assert.strictEqual(roster.combineWildcardCerts, false);
+        });
     });
     describe('register (normal domain)', () => {