termbeam 1.2.6 → 1.2.8

package/README.md

@@ -104,27 +104,29 @@ Persisted tunnels save a tunnel ID to `~/.termbeam/tunnel.json` so the URL stays
 ```bash
 termbeam [shell] [args...]        # start with a specific shell (default: auto-detect)
 termbeam --port 8080              # custom port (default: 3456)
-termbeam --host 127.0.0.1        # restrict to localhost (default: 0.0.0.0)
+termbeam --host 0.0.0.0           # allow LAN access (default: 127.0.0.1)
+termbeam --lan                    # shortcut for --host 0.0.0.0
 ```
 
 | Flag                  | Description                                          | Default        |
 | --------------------- | ---------------------------------------------------- | -------------- |
 | `--password <pw>`     | Set access password (also accepts `--password=<pw>`) | Auto-generated |
-| `--no-password`       | Disable password                                     | —              |
+| `--no-password`       | Disable password (cannot combine with `--public`)    | —              |
 | `--generate-password` | Auto-generate a secure password                      | On             |
 | `--tunnel`            | Create an ephemeral devtunnel URL (private)          | On             |
 | `--no-tunnel`         | Disable tunnel (LAN-only)                            | —              |
 | `--persisted-tunnel`  | Create a reusable devtunnel URL                      | Off            |
 | `--public`            | Allow public tunnel access                           | Off            |
 | `--port <port>`       | Server port                                          | `3456`         |
-| `--host <addr>`       | Bind address                                         | `0.0.0.0`      |
+| `--host <addr>`       | Bind address                                         | `127.0.0.1`    |
+| `--lan`               | Bind to all interfaces (LAN access)                  | Off            |
 | `--log-level <level>` | Log verbosity (error/warn/info/debug)                | `info`         |
 
 Environment variables: `PORT`, `TERMBEAM_PASSWORD`, `TERMBEAM_CWD`, `TERMBEAM_LOG_LEVEL`, `SHELL` (Unix fallback), `COMSPEC` (Windows fallback). See [Configuration docs](https://dorlugasigal.github.io/TermBeam/configuration/).
 
 ## Security
 
-TermBeam auto-generates a password and creates a tunnel by default, so your terminal is protected out of the box. Be aware that the tunnel exposes your terminal to the internet — use `--no-tunnel` for LAN-only access, or `--host 127.0.0.1` to restrict to your machine only.
+TermBeam auto-generates a password and creates a tunnel by default, so your terminal is protected out of the box. By default, the server binds to `127.0.0.1` (localhost only). Use `--lan` or `--host 0.0.0.0` to allow LAN access, or `--no-tunnel` to disable the tunnel.
 
 Auth uses secure httpOnly cookies with 24-hour expiry, login is rate-limited to 5 attempts per minute, and security headers (X-Frame-Options, X-Content-Type-Options, etc.) are set on all responses. The QR code on startup embeds a share token for password-free login — the token is reusable within its 5-minute validity window, which handles tunnel proxy retries and link preview services. API clients that can't use cookies can authenticate with an `Authorization: Bearer <password>` header. See the [Security Guide](https://dorlugasigal.github.io/TermBeam/security/) for more.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "1.2.6",
+  "version": "1.2.8",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server.js",
   "bin": {

package/src/auth.js

@@ -129,7 +129,22 @@ function createAuth(password) {
     if (!password) return next();
     if (req.cookies.pty_token && validateToken(req.cookies.pty_token)) return next();
     const authHeader = req.headers.authorization;
-    if (authHeader === `Bearer ${password}`) return next();
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+      const ip = req.ip || req.socket.remoteAddress;
+      const now = Date.now();
+      const window = 60 * 1000;
+      const maxAttempts = 5;
+      const attempts = authAttempts.get(ip) || [];
+      const recent = attempts.filter((t) => now - t < window);
+      if (recent.length >= maxAttempts) {
+        log.warn(`Auth: rate limit exceeded for ${ip}`);
+        return res.status(429).json({ error: 'Too many attempts. Try again later.' });
+      }
+      if (authHeader === `Bearer ${password}`) return next();
+      recent.push(now);
+      authAttempts.set(ip, recent);
+      return res.status(401).json({ error: 'unauthorized' });
+    }
     if (req.accepts('html')) return res.redirect('/login');
     res.status(401).json({ error: 'unauthorized' });
   }

package/src/cli.js

@@ -20,7 +20,8 @@ Options:
   --persisted-tunnel    Create a reusable devtunnel URL (stable across restarts)
   --public              Allow public tunnel access (default: private, owner-only)
   --port <port>         Set port (default: 3456, or PORT env var)
-  --host <addr>         Bind address (default: 0.0.0.0)
+  --host <addr>         Bind address (default: 127.0.0.1)
+  --lan                 Bind to 0.0.0.0 (allow LAN access, default: localhost only)
   --log-level <level>   Set log verbosity: error, warn, info, debug (default: info)
   -h, --help            Show this help
   -v, --version         Show version
@@ -206,7 +207,7 @@ function getDefaultShell() {
 
 function parseArgs() {
   let port = parseInt(process.env.PORT || '3456', 10);
-  let host = '0.0.0.0';
+  let host = '127.0.0.1';
 
   // Resolve log level early (env + args) so shell detection logs are visible
   let logLevel = process.env.TERMBEAM_LOG_LEVEL || 'info';
@@ -230,7 +231,7 @@ function parseArgs() {
   let useTunnel = true;
   let noTunnel = false;
   let persistedTunnel = false;
-  let anonymousTunnel = false;
+  let publicTunnel = false;
   let explicitPassword = !!password;
 
   const args = process.argv.slice(2);
@@ -248,7 +249,7 @@ function parseArgs() {
       useTunnel = true;
       persistedTunnel = true;
     } else if (args[i] === '--public') {
-      anonymousTunnel = true;
+      publicTunnel = true;
     } else if (args[i].startsWith('--password=')) {
       password = args[i].split('=')[1];
       explicitPassword = true;
@@ -267,6 +268,8 @@ function parseArgs() {
       explicitPassword = true;
     } else if (args[i] === '--port' && args[i + 1]) {
       port = parseInt(args[++i], 10);
+    } else if (args[i] === '--lan') {
+      host = '0.0.0.0';
     } else if (args[i] === '--host' && args[i + 1]) {
       host = args[++i];
     } else if (args[i] === '--log-level' && args[i + 1]) {
@@ -285,8 +288,22 @@ function parseArgs() {
   if (noTunnel) useTunnel = false;
 
   // --public requires a tunnel
-  if (anonymousTunnel && !useTunnel) {
-    console.error('Error: --public requires a tunnel. Remove --no-tunnel or remove --public.');
+  if (publicTunnel && !useTunnel) {
+    const rd = '\x1b[31m';
+    const rs = '\x1b[0m';
+    console.error(
+      `${rd}Error: --public requires a tunnel. Remove --no-tunnel or remove --public.${rs}`,
+    );
+    process.exit(1);
+  }
+
+  // --public requires password authentication
+  if (publicTunnel && !password) {
+    const rd = '\x1b[31m';
+    const rs = '\x1b[0m';
+    console.error(
+      `${rd}Error: Public tunnels require password authentication. Remove --no-password or remove --public.${rs}`,
+    );
     process.exit(1);
   }
 
@@ -302,7 +319,7 @@ function parseArgs() {
     password,
     useTunnel,
     persistedTunnel,
-    anonymousTunnel,
+    publicTunnel,
     shell,
     shellArgs,
     cwd,

package/src/routes.js

@@ -28,7 +28,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
         httpOnly: true,
         sameSite: 'lax',
         maxAge: 24 * 60 * 60 * 1000,
-        secure: false,
+        secure: req.secure,
       });
       log.info(`Auth: login success from ${req.ip}`);
       res.json({ ok: true });
@@ -58,7 +58,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
         httpOnly: true,
         sameSite: 'lax',
         maxAge: 24 * 60 * 60 * 1000,
-        secure: false,
+        secure: req.secure,
       });
       log.info(`Auth: share-token auto-login from ${req.ip}`);
       // Redirect to the same path without ?ott= to keep the URL clean

package/src/server.js

@@ -27,10 +27,10 @@ function getLocalIP() {
   return '127.0.0.1';
 }
 
-function confirmAnonymousTunnel() {
+function confirmPublicTunnel() {
   const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
   return new Promise((resolve) => {
-    rl.question('  Do you want to continue with anonymous access? (y/N): ', (answer) => {
+    rl.question('  Do you want to continue with public access? (y/N): ', (answer) => {
       rl.close();
       resolve(answer.trim().toLowerCase() === 'y');
     });
@@ -110,8 +110,8 @@ function createTermBeamServer(overrides = {}) {
       }
     }
 
-    // Warn and require consent for anonymous tunnel access
-    if (config.useTunnel && config.anonymousTunnel) {
+    // Warn and require consent for public tunnel access
+    if (config.useTunnel && config.publicTunnel) {
       const rd = '\x1b[31m';
       const yl = '\x1b[33m';
       const rs = '\x1b[0m';
@@ -123,7 +123,7 @@ function createTermBeamServer(overrides = {}) {
       console.log(`  ${yl}No Microsoft login will be required to reach the tunnel.${rs}`);
       console.log(`  ${yl}Only the TermBeam password will protect your terminal.${rs}`);
       console.log('');
-      const confirmed = await confirmAnonymousTunnel();
+      const confirmed = await confirmPublicTunnel();
       if (!confirmed) {
         console.log('');
         console.log('  Aborted. Restart without --public for private access.');
@@ -174,11 +174,13 @@ function createTermBeamServer(overrides = {}) {
         const gn = '\x1b[38;5;114m'; // green
         const dm = '\x1b[2m'; // dim
 
+        const bl = '\x1b[38;5;75m'; // light blue
+
         let publicUrl = null;
         if (config.useTunnel) {
           const tunnel = await startTunnel(config.port, {
             persisted: config.persistedTunnel,
-            anonymous: config.anonymousTunnel,
+            anonymous: config.publicTunnel,
           });
           if (tunnel) {
             publicUrl = tunnel.url;
@@ -191,10 +193,15 @@ function createTermBeamServer(overrides = {}) {
         console.log(`  Shell:    ${config.shell}`);
         console.log(`  Session:  ${defaultId}`);
         console.log(`  Auth:     ${config.password ? `${gn}🔒 password${rs}` : '🔓 none'}`);
+        if (isLanReachable) {
+          console.log(`  Bind:     ${config.host} (LAN accessible)`);
+        } else {
+          console.log(`  Bind:     ${config.host} (localhost only)`);
+        }
         console.log('');
 
         if (publicUrl) {
-          console.log(`  🌐 Public:  ${publicUrl}`);
+          console.log(`  Public:   ${bl}${publicUrl}${rs}`);
         }
         console.log(`  Local:    http://localhost:${config.port}`);
         if (isLanReachable) {
@@ -205,8 +212,6 @@ function createTermBeamServer(overrides = {}) {
         const qrDisplayUrl = qrUrl; // clean URL shown in console text
         const qrCodeUrl = config.password ? `${qrUrl}?ott=${auth.generateShareToken()}` : qrUrl;
         console.log('');
-        console.log(`  ${dm}📋 Clipboard requires HTTPS — use the Public or localhost URL${rs}`);
-        console.log('');
         try {
           const qr = await QRCode.toString(qrCodeUrl, { type: 'terminal', small: true });
           console.log(qr);
@@ -214,7 +219,7 @@ function createTermBeamServer(overrides = {}) {
           /* ignore */
         }
 
-        console.log(`  Scan the QR code or open: ${qrDisplayUrl}`);
+        console.log(`  Scan the QR code or open: ${bl}${qrDisplayUrl}${rs}`);
         if (config.password) console.log(`  Password: ${gn}${config.password}${rs}`);
         console.log('');