termbeam 1.17.7 → 1.18.0

package/src/server/routes.js

@@ -977,6 +977,83 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager }) {
       res.json({ ok: true });
     });
   }
+
+  // --- Tunnel token renewal ---
+  app.get('/api/tunnel/status', apiRateLimit, auth.middleware, (_req, res) => {
+    const tunnelStatus = state.tunnelStatus || { state: 'unknown' };
+    // Injected via state to avoid loading the full tunnel module in test contexts
+    const getLoginInfo = state.getLoginInfo;
+    const loginInfo = getLoginInfo ? getLoginInfo() : null;
+    res.json({
+      ...tunnelStatus,
+      provider: loginInfo?.provider ?? null,
+      tokenLifetimeSeconds: loginInfo?.tokenLifetimeSeconds ?? null,
+    });
+  });
+
+  app.post('/api/tunnel/renew', apiRateLimit, auth.middleware, (_req, res) => {
+    const { spawn } = require('child_process');
+    const { findDevtunnel } = require('../tunnel');
+    const cmd = findDevtunnel() || 'devtunnel';
+    const proc = spawn(cmd, ['user', 'login', '-d'], {
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+
+    let output = '';
+    let responded = false;
+
+    const timeout = setTimeout(() => {
+      if (!responded) {
+        responded = true;
+        proc.kill();
+        res.status(504).json({ error: 'Timed out waiting for device code' });
+      }
+    }, 15000);
+
+    function tryParse(data) {
+      if (responded || output.length > 10_000) return;
+      output += data;
+      // Entra: "open the page https://... and enter the code ABC123 to authenticate"
+      // GitHub: "Browse to https://... and enter the code: AB12-CD34"
+      const match =
+        output.match(/open the page (https:\/\/[^\s]+) and enter the code ([A-Z0-9]+)/i) ||
+        output.match(/Browse to (https:\/\/[^\s]+) and enter the code:?\s*([A-Z0-9-]+)/i);
+      if (match) {
+        responded = true;
+        clearTimeout(timeout);
+        // Stop reading output — we have what we need
+        proc.stdout.removeAllListeners('data');
+        proc.stderr.removeAllListeners('data');
+        res.json({
+          url: match[1],
+          code: match[2],
+        });
+      }
+    }
+
+    proc.stdout.on('data', (d) => tryParse(d.toString()));
+    proc.stderr.on('data', (d) => tryParse(d.toString()));
+
+    proc.on('close', (code) => {
+      clearTimeout(timeout);
+      if (!responded) {
+        responded = true;
+        if (code === 0) {
+          res.json({ ok: true, message: 'Already authenticated' });
+        } else {
+          res.status(500).json({ error: 'DevTunnel login failed' });
+        }
+      }
+    });
+
+    proc.on('error', (err) => {
+      clearTimeout(timeout);
+      if (!responded) {
+        responded = true;
+        res.status(500).json({ error: err.message });
+      }
+    });
+  });
 }
 
 function cleanupUploadedFiles() {

package/src/tunnel/index.js

@@ -21,19 +21,77 @@ let restartAttempts = 0;
 let isRestarting = false;
 let restartTimer = null;
 
+// --- Auth-wait state ---
+let waitingForAuth = false;
+let authCheckInterval = null;
+let expiryWarned = false;
+
 const HEALTH_CHECK_INTERVAL = 30_000; // 30s between checks
 const HEALTH_CHECK_GRACE = 2; // 2 consecutive failures before restart
 const MAX_RESTART_ATTEMPTS = 10;
 const BACKOFF_DELAYS = [1000, 2000, 5000, 10_000, 15_000, 30_000]; // then stays at 30s
+const AUTH_CHECK_INTERVAL = 30_000; // 30s between auth re-checks
+const TOKEN_EXPIRY_WARN_SECONDS = 3600; // warn at 1 hour remaining
+
+const AUTH_ERROR_PATTERNS = ['login required', 'not logged in', 'sign in required'];
 
 const SAFE_ID_RE = /^[a-zA-Z0-9._-]+$/;
 
 const DEVICE_CODE_INITIAL_TIMEOUT = 15000;
 const DEVICE_CODE_AUTH_TIMEOUT = 120000;
 
+function isAuthError(message) {
+  const lower = (message || '').toLowerCase();
+  return AUTH_ERROR_PATTERNS.some((p) => lower.includes(p));
+}
+
+function isLoggedIn() {
+  try {
+    const out = execFileSync(devtunnelCmd, ['user', 'show'], {
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 10_000,
+    });
+    return out && !out.toLowerCase().includes('not logged in');
+  } catch {
+    return false;
+  }
+}
+
+function getLoginInfo() {
+  try {
+    const out = execFileSync(devtunnelCmd, ['user', 'show', '-v'], {
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 10_000,
+    });
+    return parseLoginInfo(out);
+  } catch {
+    return null;
+  }
+}
+
+function parseLoginInfo(output) {
+  if (!output || output.toLowerCase().includes('not logged in')) return null;
+
+  let provider = 'unknown';
+  if (output.toLowerCase().includes('github')) provider = 'github';
+  else if (output.toLowerCase().includes('microsoft')) provider = 'microsoft';
+
+  // Parse "Token lifetime: H:MM:SS" from verbose output
+  let tokenLifetimeSeconds = null;
+  const ltMatch = output.match(/Token lifetime:\s*(\d+):(\d+):(\d+)/);
+  if (ltMatch) {
+    tokenLifetimeSeconds =
+      parseInt(ltMatch[1], 10) * 3600 + parseInt(ltMatch[2], 10) * 60 + parseInt(ltMatch[3], 10);
+  }
+
+  return { provider, tokenLifetimeSeconds };
+}
+
 function deviceCodeLogin(cmd) {
   return new Promise((resolve, reject) => {
-    const proc = spawn(cmd, ['user', 'login', '-d'], {
+    const proc = spawn(cmd, ['user', 'login', '-e', '-d'], {
       stdio: ['inherit', 'pipe', 'pipe'],
     });
 
@@ -152,7 +210,7 @@ let isPersisted = false;
 // --- Watchdog: health check & auto-restart ---
 
 function checkTunnelHealth() {
-  if (!tunnelId || !tunnelProc || isRestarting) return;
+  if (!tunnelId || !tunnelProc || isRestarting || waitingForAuth) return;
 
   const abortCtrl = new AbortController();
   const timer = setTimeout(() => abortCtrl.abort(), 10_000);
@@ -165,6 +223,20 @@ function checkTunnelHealth() {
       clearTimeout(timer);
 
       if (err) {
+        // Auth errors are handled separately — no restart countdown
+        if (isAuthError(err.message) || isAuthError(err.stderr)) {
+          handleAuthExpiration();
+          return;
+        }
+
+        // "Tunnel not found" can mean the user's auth expired (CLI can't
+        // query the tunnel without valid credentials). Check login status
+        // to distinguish from a genuinely deleted tunnel.
+        if (!isLoggedIn()) {
+          handleAuthExpiration();
+          return;
+        }
+
         consecutiveFailures++;
         log.warn(
           `Tunnel health check error: ${err.message} (${consecutiveFailures}/${HEALTH_CHECK_GRACE})`,
@@ -193,6 +265,9 @@ function checkTunnelHealth() {
           log.info(`Tunnel health restored (${hostConns} host connection(s))`);
         }
         consecutiveFailures = 0;
+
+        // Check token expiry while tunnel is healthy
+        checkTokenExpiry();
         return;
       }
 
@@ -209,6 +284,26 @@ function checkTunnelHealth() {
   );
 }
 
+function checkTokenExpiry() {
+  const info = getLoginInfo();
+  if (!info || info.tokenLifetimeSeconds === null) return;
+
+  const remaining = info.tokenLifetimeSeconds;
+
+  if (remaining <= TOKEN_EXPIRY_WARN_SECONDS && !expiryWarned) {
+    expiryWarned = true;
+    const minutes = Math.round(remaining / 60);
+    log.warn(`DevTunnel token expires in ${minutes}m`);
+    tunnelEvents.emit('auth-expiring', {
+      expiresIn: remaining * 1000,
+      provider: info.provider,
+    });
+  } else if (remaining > TOKEN_EXPIRY_WARN_SECONDS) {
+    // Reset the warning flag when token is refreshed
+    expiryWarned = false;
+  }
+}
+
 function startHealthCheck() {
   stopHealthCheck();
   consecutiveFailures = 0;
@@ -226,30 +321,74 @@ function stopHealthCheck() {
 function handleTunnelFailure() {
   if (isRestarting) return;
   stopHealthCheck();
+  killTunnelProc();
 
-  // Kill the zombie process
-  if (tunnelProc) {
-    try {
-      if (process.platform === 'win32' && tunnelProc.pid) {
-        try {
-          execFileSync('taskkill', ['/pid', String(tunnelProc.pid), '/T', '/F'], {
-            stdio: 'pipe',
-            timeout: 5000,
-          });
-        } catch {
-          /* best effort */
-        }
-      } else {
-        tunnelProc.kill('SIGKILL');
+  tunnelEvents.emit('disconnected');
+  scheduleRestart();
+}
+
+// --- Auth-expiration handling ---
+
+function killTunnelProc() {
+  if (!tunnelProc) return;
+  try {
+    if (process.platform === 'win32' && tunnelProc.pid) {
+      try {
+        execFileSync('taskkill', ['/pid', String(tunnelProc.pid), '/T', '/F'], {
+          stdio: 'pipe',
+          timeout: 5000,
+        });
+      } catch {
+        /* best effort */
       }
-    } catch {
-      /* best effort */
+    } else {
+      tunnelProc.kill('SIGKILL');
     }
-    tunnelProc = null;
+  } catch {
+    /* best effort */
   }
+  tunnelProc = null;
+}
+
+function handleAuthExpiration() {
+  if (waitingForAuth) return;
+  stopHealthCheck();
+  killTunnelProc();
 
   tunnelEvents.emit('disconnected');
-  scheduleRestart();
+  tunnelEvents.emit('auth-expired');
+  startAuthWait();
+}
+
+function startAuthWait() {
+  if (waitingForAuth) return;
+  waitingForAuth = true;
+  isRestarting = false;
+  restartAttempts = 0;
+  consecutiveFailures = 0;
+
+  log.warn('DevTunnel auth token expired (Microsoft tokens expire after a few days).');
+  log.warn('Tunnel is paused — re-authenticate on the host machine to restore:');
+  log.warn('  devtunnel user login -d');
+  log.warn('Tunnel will auto-reconnect once auth is restored.');
+
+  authCheckInterval = setInterval(() => {
+    if (isLoggedIn()) {
+      log.info('DevTunnel auth restored — resuming tunnel');
+      stopAuthWait();
+      tunnelEvents.emit('auth-restored');
+      scheduleRestart();
+    }
+  }, AUTH_CHECK_INTERVAL);
+  authCheckInterval.unref();
+}
+
+function stopAuthWait() {
+  waitingForAuth = false;
+  if (authCheckInterval) {
+    clearInterval(authCheckInterval);
+    authCheckInterval = null;
+  }
 }
 
 function scheduleRestart() {
@@ -271,6 +410,15 @@ function scheduleRestart() {
 
   restartTimer = setTimeout(async () => {
     restartTimer = null;
+
+    // If auth expired since restart was scheduled, switch to auth-wait mode
+    if (!isLoggedIn()) {
+      log.warn('DevTunnel auth expired during restart — waiting for re-authentication');
+      isRestarting = false;
+      handleAuthExpiration();
+      return;
+    }
+
     try {
       const result = await hostTunnel();
       if (result) {
@@ -368,21 +516,30 @@ async function startTunnel(port, options = {}) {
 
   log.info('Starting devtunnel...');
   try {
-    // Ensure user is logged in
-    let loggedIn = false;
-    try {
-      const userOut = execFileSync(devtunnelCmd, ['user', 'show'], {
-        encoding: 'utf-8',
-        stdio: ['pipe', 'pipe', 'pipe'],
-      });
-      // user show can succeed but show "not logged in" status
-      loggedIn = userOut && !userOut.toLowerCase().includes('not logged in');
-    } catch {}
+    // Ensure user is logged in. Prefer Entra over GitHub — Entra tokens auto-refresh
+    // for weeks via MSAL, while GitHub tokens expire after 8 hours.
+    let loggedIn = isLoggedIn();
+    const loginInfo = loggedIn ? getLoginInfo() : null;
+
+    if (loggedIn && loginInfo) {
+      const { provider, tokenLifetimeSeconds } = loginInfo;
+      if (provider === 'github') {
+        log.warn(
+          'Logged in with GitHub — tokens expire every 8 hours. ' +
+            'For longer sessions, use: devtunnel user login -e -d',
+        );
+      }
+      if (tokenLifetimeSeconds !== null) {
+        const h = Math.floor(tokenLifetimeSeconds / 3600);
+        const m = Math.round((tokenLifetimeSeconds % 3600) / 60);
+        log.info(`DevTunnel token expires in ${h}h ${m}m`);
+      }
+    }
 
     if (!loggedIn) {
-      log.info('devtunnel not logged in, launching browser login (30s timeout)...');
+      log.info('Logging in to DevTunnel with Microsoft Entra (recommended for long sessions)...');
       try {
-        execFileSync(devtunnelCmd, ['user', 'login'], { stdio: 'inherit', timeout: 30000 });
+        execFileSync(devtunnelCmd, ['user', 'login', '-e'], { stdio: 'inherit', timeout: 30000 });
       } catch {
         log.info('Browser login failed or unavailable, falling back to device code flow...');
         log.info('A code will be displayed — open the URL on any device to authenticate.');
@@ -391,7 +548,7 @@ async function startTunnel(port, options = {}) {
         } catch (_loginErr) {
           log.error('');
           log.error('  DevTunnel login failed. To use tunnels, run:');
-          log.error('    devtunnel user login');
+          log.error('    devtunnel user login -e -d');
           log.error('');
           log.error('  Or start without a tunnel:');
           log.error('    termbeam --no-tunnel');
@@ -480,8 +637,9 @@ async function startTunnel(port, options = {}) {
 }
 
 function cleanupTunnel() {
-  // Stop watchdog first to prevent restart during cleanup
+  // Stop watchdog and auth-wait to prevent restart during cleanup
   stopHealthCheck();
+  stopAuthWait();
   isRestarting = true; // prevent exit handler from restarting
   if (restartTimer) {
     clearTimeout(restartTimer);
@@ -489,26 +647,7 @@ function cleanupTunnel() {
   }
 
   const id = tunnelId;
-  if (tunnelProc) {
-    try {
-      // On Windows, kill the process tree to ensure all children die
-      if (process.platform === 'win32' && tunnelProc.pid) {
-        try {
-          execFileSync('taskkill', ['/pid', String(tunnelProc.pid), '/T', '/F'], {
-            stdio: 'pipe',
-            timeout: 5000,
-          });
-        } catch {
-          /* best effort */
-        }
-      } else {
-        tunnelProc.kill('SIGKILL');
-      }
-    } catch {
-      /* best effort */
-    }
-    tunnelProc = null;
-  }
+  killTunnelProc();
   if (id) {
     tunnelId = null;
     if (isPersisted) {
@@ -527,6 +666,14 @@ function cleanupTunnel() {
   consecutiveFailures = 0;
   restartAttempts = 0;
   isRestarting = false;
+  expiryWarned = false;
 }
 
-module.exports = { startTunnel, cleanupTunnel, findDevtunnel, tunnelEvents };
+module.exports = {
+  startTunnel,
+  cleanupTunnel,
+  findDevtunnel,
+  tunnelEvents,
+  getLoginInfo,
+  parseLoginInfo,
+};

package/public/assets/channel-Pj6K0-7n.js

@@ -1 +0,0 @@
-import{aq as o,ar as n}from"./index-BKVhZe-L.js";const t=(r,a)=>o.lang.round(n.parse(r)[a]);export{t as c};

package/public/assets/classDiagram-VBA2DB6C-CEuggsOe.js

@@ -1 +0,0 @@
-import{s as a,c as s,a as e,C as t}from"./chunk-WL4C6EOR-Cty7zCuA.js";import{_ as i}from"./index-BKVhZe-L.js";import"./chunk-FMBD7UC4-0fJhTPpT.js";import"./chunk-JSJVCQXG-Bv4lt_uR.js";import"./chunk-55IACEB6-C1YDnAkF.js";import"./chunk-KX2RTZJC-DSuNgcxs.js";var u={parser:e,get db(){return new t},renderer:s,styles:a,init:i(r=>{r.class||(r.class={}),r.class.arrowMarkerAbsolute=r.arrowMarkerAbsolute},"init")};export{u as diagram};

package/public/assets/classDiagram-v2-RAHNMMFH-CEuggsOe.js

@@ -1 +0,0 @@
-import{s as a,c as s,a as e,C as t}from"./chunk-WL4C6EOR-Cty7zCuA.js";import{_ as i}from"./index-BKVhZe-L.js";import"./chunk-FMBD7UC4-0fJhTPpT.js";import"./chunk-JSJVCQXG-Bv4lt_uR.js";import"./chunk-55IACEB6-C1YDnAkF.js";import"./chunk-KX2RTZJC-DSuNgcxs.js";var u={parser:e,get db(){return new t},renderer:s,styles:a,init:i(r=>{r.class||(r.class={}),r.class.arrowMarkerAbsolute=r.arrowMarkerAbsolute},"init")};export{u as diagram};

package/public/assets/clone-D5ZwbJNp.js

@@ -1 +0,0 @@
-import{b as r}from"./_baseUniq-DsM_tAIh.js";var e=4;function a(o){return r(o,e)}export{a as c};