termbeam 1.2.7 → 1.2.8

package/README.md

@@ -104,7 +104,8 @@ Persisted tunnels save a tunnel ID to `~/.termbeam/tunnel.json` so the URL stays
 ```bash
 termbeam [shell] [args...]        # start with a specific shell (default: auto-detect)
 termbeam --port 8080              # custom port (default: 3456)
-termbeam --host 127.0.0.1        # restrict to localhost (default: 0.0.0.0)
+termbeam --host 0.0.0.0           # allow LAN access (default: 127.0.0.1)
+termbeam --lan                    # shortcut for --host 0.0.0.0
 ```
 
 | Flag                  | Description                                          | Default        |
@@ -117,14 +118,15 @@ termbeam --host 127.0.0.1        # restrict to localhost (default: 0.0.0.0)
 | `--persisted-tunnel`  | Create a reusable devtunnel URL                      | Off            |
 | `--public`            | Allow public tunnel access                           | Off            |
 | `--port <port>`       | Server port                                          | `3456`         |
-| `--host <addr>`       | Bind address                                         | `0.0.0.0`      |
+| `--host <addr>`       | Bind address                                         | `127.0.0.1`    |
+| `--lan`               | Bind to all interfaces (LAN access)                  | Off            |
 | `--log-level <level>` | Log verbosity (error/warn/info/debug)                | `info`         |
 
 Environment variables: `PORT`, `TERMBEAM_PASSWORD`, `TERMBEAM_CWD`, `TERMBEAM_LOG_LEVEL`, `SHELL` (Unix fallback), `COMSPEC` (Windows fallback). See [Configuration docs](https://dorlugasigal.github.io/TermBeam/configuration/).
 
 ## Security
 
-TermBeam auto-generates a password and creates a tunnel by default, so your terminal is protected out of the box. Be aware that the tunnel exposes your terminal to the internet — use `--no-tunnel` for LAN-only access, or `--host 127.0.0.1` to restrict to your machine only.
+TermBeam auto-generates a password and creates a tunnel by default, so your terminal is protected out of the box. By default, the server binds to `127.0.0.1` (localhost only). Use `--lan` or `--host 0.0.0.0` to allow LAN access, or `--no-tunnel` to disable the tunnel.
 
 Auth uses secure httpOnly cookies with 24-hour expiry, login is rate-limited to 5 attempts per minute, and security headers (X-Frame-Options, X-Content-Type-Options, etc.) are set on all responses. The QR code on startup embeds a share token for password-free login — the token is reusable within its 5-minute validity window, which handles tunnel proxy retries and link preview services. API clients that can't use cookies can authenticate with an `Authorization: Bearer <password>` header. See the [Security Guide](https://dorlugasigal.github.io/TermBeam/security/) for more.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "1.2.7",
+  "version": "1.2.8",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server.js",
   "bin": {

package/src/auth.js

@@ -129,7 +129,22 @@ function createAuth(password) {
     if (!password) return next();
     if (req.cookies.pty_token && validateToken(req.cookies.pty_token)) return next();
     const authHeader = req.headers.authorization;
-    if (authHeader === `Bearer ${password}`) return next();
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+      const ip = req.ip || req.socket.remoteAddress;
+      const now = Date.now();
+      const window = 60 * 1000;
+      const maxAttempts = 5;
+      const attempts = authAttempts.get(ip) || [];
+      const recent = attempts.filter((t) => now - t < window);
+      if (recent.length >= maxAttempts) {
+        log.warn(`Auth: rate limit exceeded for ${ip}`);
+        return res.status(429).json({ error: 'Too many attempts. Try again later.' });
+      }
+      if (authHeader === `Bearer ${password}`) return next();
+      recent.push(now);
+      authAttempts.set(ip, recent);
+      return res.status(401).json({ error: 'unauthorized' });
+    }
     if (req.accepts('html')) return res.redirect('/login');
     res.status(401).json({ error: 'unauthorized' });
   }

package/src/cli.js

@@ -20,7 +20,8 @@ Options:
   --persisted-tunnel    Create a reusable devtunnel URL (stable across restarts)
   --public              Allow public tunnel access (default: private, owner-only)
   --port <port>         Set port (default: 3456, or PORT env var)
-  --host <addr>         Bind address (default: 0.0.0.0)
+  --host <addr>         Bind address (default: 127.0.0.1)
+  --lan                 Bind to 0.0.0.0 (allow LAN access, default: localhost only)
   --log-level <level>   Set log verbosity: error, warn, info, debug (default: info)
   -h, --help            Show this help
   -v, --version         Show version
@@ -206,7 +207,7 @@ function getDefaultShell() {
 
 function parseArgs() {
   let port = parseInt(process.env.PORT || '3456', 10);
-  let host = '0.0.0.0';
+  let host = '127.0.0.1';
 
   // Resolve log level early (env + args) so shell detection logs are visible
   let logLevel = process.env.TERMBEAM_LOG_LEVEL || 'info';
@@ -267,6 +268,8 @@ function parseArgs() {
       explicitPassword = true;
     } else if (args[i] === '--port' && args[i + 1]) {
       port = parseInt(args[++i], 10);
+    } else if (args[i] === '--lan') {
+      host = '0.0.0.0';
     } else if (args[i] === '--host' && args[i + 1]) {
       host = args[++i];
     } else if (args[i] === '--log-level' && args[i + 1]) {

package/src/routes.js

@@ -28,7 +28,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
         httpOnly: true,
         sameSite: 'lax',
         maxAge: 24 * 60 * 60 * 1000,
-        secure: false,
+        secure: req.secure,
       });
       log.info(`Auth: login success from ${req.ip}`);
       res.json({ ok: true });
@@ -58,7 +58,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
         httpOnly: true,
         sameSite: 'lax',
         maxAge: 24 * 60 * 60 * 1000,
-        secure: false,
+        secure: req.secure,
       });
       log.info(`Auth: share-token auto-login from ${req.ip}`);
       // Redirect to the same path without ?ott= to keep the URL clean

package/src/server.js

@@ -174,6 +174,8 @@ function createTermBeamServer(overrides = {}) {
         const gn = '\x1b[38;5;114m'; // green
         const dm = '\x1b[2m'; // dim
 
+        const bl = '\x1b[38;5;75m'; // light blue
+
         let publicUrl = null;
         if (config.useTunnel) {
           const tunnel = await startTunnel(config.port, {
@@ -191,10 +193,15 @@ function createTermBeamServer(overrides = {}) {
         console.log(`  Shell:    ${config.shell}`);
         console.log(`  Session:  ${defaultId}`);
         console.log(`  Auth:     ${config.password ? `${gn}🔒 password${rs}` : '🔓 none'}`);
+        if (isLanReachable) {
+          console.log(`  Bind:     ${config.host} (LAN accessible)`);
+        } else {
+          console.log(`  Bind:     ${config.host} (localhost only)`);
+        }
         console.log('');
 
         if (publicUrl) {
-          console.log(`  🌐 Public:  ${publicUrl}`);
+          console.log(`  Public:   ${bl}${publicUrl}${rs}`);
         }
         console.log(`  Local:    http://localhost:${config.port}`);
         if (isLanReachable) {
@@ -205,8 +212,6 @@ function createTermBeamServer(overrides = {}) {
         const qrDisplayUrl = qrUrl; // clean URL shown in console text
         const qrCodeUrl = config.password ? `${qrUrl}?ott=${auth.generateShareToken()}` : qrUrl;
         console.log('');
-        console.log(`  ${dm}📋 Clipboard requires HTTPS — use the Public or localhost URL${rs}`);
-        console.log('');
         try {
           const qr = await QRCode.toString(qrCodeUrl, { type: 'terminal', small: true });
           console.log(qr);
@@ -214,7 +219,7 @@ function createTermBeamServer(overrides = {}) {
           /* ignore */
         }
 
-        console.log(`  Scan the QR code or open: ${qrDisplayUrl}`);
+        console.log(`  Scan the QR code or open: ${bl}${qrDisplayUrl}${rs}`);
         if (config.password) console.log(`  Password: ${gn}${config.password}${rs}`);
         console.log('');