npm - termbeam - Versions diffs - 1.2.7 → 1.2.9 - Mend

termbeam 1.2.7 → 1.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -104,7 +104,8 @@ Persisted tunnels save a tunnel ID to `~/.termbeam/tunnel.json` so the URL stays
 ```bash
 termbeam [shell] [args...]        # start with a specific shell (default: auto-detect)
 termbeam --port 8080              # custom port (default: 3456)
-termbeam --host 127.0.0.1        # restrict to localhost (default: 0.0.0.0)
+termbeam --host 0.0.0.0           # allow LAN access (default: 127.0.0.1)
+termbeam --lan                    # shortcut for --host 0.0.0.0
 ```
 | Flag                  | Description                                          | Default        |
@@ -117,14 +118,15 @@ termbeam --host 127.0.0.1        # restrict to localhost (default: 0.0.0.0)
 | `--persisted-tunnel`  | Create a reusable devtunnel URL                      | Off            |
 | `--public`            | Allow public tunnel access                           | Off            |
 | `--port <port>`       | Server port                                          | `3456`         |
-| `--host <addr>`       | Bind address                                         | `0.0.0.0`      |
+| `--host <addr>`       | Bind address                                         | `127.0.0.1`    |
+| `--lan`               | Bind to all interfaces (LAN access)                  | Off            |
 | `--log-level <level>` | Log verbosity (error/warn/info/debug)                | `info`         |
 Environment variables: `PORT`, `TERMBEAM_PASSWORD`, `TERMBEAM_CWD`, `TERMBEAM_LOG_LEVEL`, `SHELL` (Unix fallback), `COMSPEC` (Windows fallback). See [Configuration docs](https://dorlugasigal.github.io/TermBeam/configuration/).
 ## Security
-TermBeam auto-generates a password and creates a tunnel by default, so your terminal is protected out of the box. Be aware that the tunnel exposes your terminal to the internet — use `--no-tunnel` for LAN-only access, or `--host 127.0.0.1` to restrict to your machine only.
+TermBeam auto-generates a password and creates a tunnel by default, so your terminal is protected out of the box. By default, the server binds to `127.0.0.1` (localhost only). Use `--lan` or `--host 0.0.0.0` to allow LAN access, or `--no-tunnel` to disable the tunnel.
 Auth uses secure httpOnly cookies with 24-hour expiry, login is rate-limited to 5 attempts per minute, and security headers (X-Frame-Options, X-Content-Type-Options, etc.) are set on all responses. The QR code on startup embeds a share token for password-free login — the token is reusable within its 5-minute validity window, which handles tunnel proxy retries and link preview services. API clients that can't use cookies can authenticate with an `Authorization: Bearer <password>` header. See the [Security Guide](https://dorlugasigal.github.io/TermBeam/security/) for more.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "1.2.7",
+  "version": "1.2.9",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server.js",
   "bin": {

package/public/terminal.html CHANGED Viewed

@@ -3203,23 +3203,7 @@
         }
         async function handlePaste() {
-          // Try clipboard API for text first (most common), then images, then fallback to modal
-          if (navigator.clipboard && navigator.clipboard.readText) {
-            try {
-              const text = await navigator.clipboard.readText();
-              if (text) {
-                const ms = managed.get(activeId);
-                if (ms && ms.ws && ms.ws.readyState === 1) {
-                  ms.ws.send(JSON.stringify({ type: 'input', data: text }));
-                  showToast('Pasted!');
-                }
-                return;
-              }
-            } catch (err) {
-              console.warn('clipboard.readText failed:', err.message);
-            }
-          }
-          // Image paste: try clipboard.read() only if readText didn't work
+          // Try image first via clipboard.read()
           if (navigator.clipboard && navigator.clipboard.read) {
             try {
               const items = await navigator.clipboard.read();
@@ -3237,8 +3221,9 @@
                   const data = await res.json();
                   const ms = managed.get(activeId);
                   if (ms && ms.ws && ms.ws.readyState === 1) {
-                    ms.ws.send(JSON.stringify({ type: 'input', data: data.path + ' ' }));
-                    showToast('Image pasted: ' + data.path.split(/[/\\]/).pop());
+                    ms.ws.send(
+                      JSON.stringify({ type: 'input', data: (data.path || data.url) + ' ' }),
+                    );
                   }
                   return;
                 }
@@ -3247,6 +3232,22 @@
               console.warn('clipboard.read failed:', err.message);
             }
           }
+          // Text paste
+          if (navigator.clipboard && navigator.clipboard.readText) {
+            try {
+              const text = await navigator.clipboard.readText();
+              if (text) {
+                const ms = managed.get(activeId);
+                if (ms && ms.ws && ms.ws.readyState === 1) {
+                  ms.ws.send(JSON.stringify({ type: 'input', data: text }));
+                  showToast('Pasted!');
+                }
+                return;
+              }
+            } catch (err) {
+              console.warn('clipboard.readText failed:', err.message);
+            }
+          }
           openPasteModal();
         }
@@ -3392,36 +3393,44 @@
       // ===== Image Paste =====
       function setupImagePaste() {
-        document.addEventListener('paste', async (e) => {
-          const items = e.clipboardData && e.clipboardData.items;
-          if (!items) return;
-          for (const item of items) {
-            if (item.type.startsWith('image/')) {
-              e.preventDefault();
-              const blob = item.getAsFile();
-              if (!blob) return;
-              try {
-                const res = await fetch('/api/upload', {
-                  method: 'POST',
-                  headers: { 'Content-Type': item.type },
-                  body: blob,
-                });
-                if (!res.ok) throw new Error('Upload failed');
-                const data = await res.json();
-                const ms = managed.get(activeId);
-                if (ms && ms.ws && ms.ws.readyState === 1) {
-                  ms.ws.send(JSON.stringify({ type: 'input', data: data.path + ' ' }));
-                  showToast('Image pasted: ' + data.path.split(/[/\\]/).pop());
+        // Use capture phase so we intercept before xterm.js pastes a file path as text
+        document.addEventListener(
+          'paste',
+          async (e) => {
+            const items = e.clipboardData && e.clipboardData.items;
+            if (!items) return;
+            for (const item of items) {
+              if (item.type.startsWith('image/')) {
+                e.preventDefault();
+                e.stopPropagation();
+                const blob = item.getAsFile();
+                if (!blob) return;
+                try {
+                  const res = await fetch('/api/upload', {
+                    method: 'POST',
+                    headers: { 'Content-Type': item.type },
+                    body: blob,
+                    credentials: 'same-origin',
+                  });
+                  if (!res.ok) throw new Error('Upload failed');
+                  const data = await res.json();
+                  const ms = managed.get(activeId);
+                  if (ms && ms.ws && ms.ws.readyState === 1) {
+                    ms.ws.send(
+                      JSON.stringify({ type: 'input', data: (data.path || data.url) + ' ' }),
+                    );
+                  }
+                } catch (err) {
+                  showToast('Image paste failed');
                 }
-              } catch (err) {
-                showToast('Image paste failed');
+                return;
               }
-              return;
             }
-          }
-        });
+          },
+          true,
+        );
       }
       // ===== New Session Modal =====

package/src/auth.js CHANGED Viewed

@@ -86,26 +86,25 @@ function createAuth(password) {
     const token = crypto.randomBytes(32).toString('hex');
     const expiry = Date.now() + 5 * 60 * 1000;
     shareTokens.set(token, expiry); // 5 minute expiry
-    log.info(`Share: created ${token.slice(0, 8)}… (expires in 5m)`);
+    log.info('Share: created new token (expires in 5m)');
+    log.debug(`Share: token expires at ${new Date(expiry).toISOString()}`);
     return token;
   }
   function validateShareToken(token) {
     const expiry = shareTokens.get(token);
-    const tag = token.slice(0, 8);
     if (!expiry) {
-      log.warn(`Share: unknown token ${tag}…`);
+      log.warn('Share: unknown token presented');
       return false;
     }
     const remaining = Math.round((expiry - Date.now()) / 1000);
     if (remaining <= 0) {
       shareTokens.delete(token);
-      log.warn(`Share: expired token ${tag}…`);
+      log.warn('Share: expired token presented');
       return false;
     }
-    const min = Math.floor(remaining / 60);
-    const sec = remaining % 60;
-    log.info(`Share: valid token ${tag}… (${min}m ${sec}s remaining)`);
+    shareTokens.delete(token);
+    log.info('share token consumed');
     return true;
   }
@@ -129,9 +128,24 @@ function createAuth(password) {
     if (!password) return next();
     if (req.cookies.pty_token && validateToken(req.cookies.pty_token)) return next();
     const authHeader = req.headers.authorization;
-    if (authHeader === `Bearer ${password}`) return next();
-    if (req.accepts('html')) return res.redirect('/login');
-    res.status(401).json({ error: 'unauthorized' });
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+      const ip = req.ip || req.socket.remoteAddress;
+      const now = Date.now();
+      const window = 60 * 1000;
+      const maxAttempts = 5;
+      const attempts = authAttempts.get(ip) || [];
+      const recent = attempts.filter((t) => now - t < window);
+      if (recent.length >= maxAttempts) {
+        log.warn(`Auth: rate limit exceeded for ${ip}`);
+        return res.status(429).json({ error: 'Too many attempts. Try again later.' });
+      }
+      if (authHeader === `Bearer ${password}`) return next();
+      recent.push(now);
+      authAttempts.set(ip, recent);
+      return res.status(401).json({ error: 'unauthorized' });
+    }
+    if (req.path.startsWith('/api/')) return res.status(401).json({ error: 'unauthorized' });
+    res.redirect('/login');
   }
   function rateLimit(req, res, next) {

package/src/cli.js CHANGED Viewed

@@ -20,7 +20,8 @@ Options:
   --persisted-tunnel    Create a reusable devtunnel URL (stable across restarts)
   --public              Allow public tunnel access (default: private, owner-only)
   --port <port>         Set port (default: 3456, or PORT env var)
-  --host <addr>         Bind address (default: 0.0.0.0)
+  --host <addr>         Bind address (default: 127.0.0.1)
+  --lan                 Bind to 0.0.0.0 (allow LAN access, default: localhost only)
   --log-level <level>   Set log verbosity: error, warn, info, debug (default: info)
   -h, --help            Show this help
   -v, --version         Show version
@@ -206,7 +207,7 @@ function getDefaultShell() {
 function parseArgs() {
   let port = parseInt(process.env.PORT || '3456', 10);
-  let host = '0.0.0.0';
+  let host = '127.0.0.1';
   // Resolve log level early (env + args) so shell detection logs are visible
   let logLevel = process.env.TERMBEAM_LOG_LEVEL || 'info';
@@ -267,6 +268,8 @@ function parseArgs() {
       explicitPassword = true;
     } else if (args[i] === '--port' && args[i + 1]) {
       port = parseInt(args[++i], 10);
+    } else if (args[i] === '--lan') {
+      host = '0.0.0.0';
     } else if (args[i] === '--host' && args[i + 1]) {
       host = args[++i];
     } else if (args[i] === '--log-level' && args[i + 1]) {

package/src/routes.js CHANGED Viewed

@@ -7,7 +7,7 @@ const { detectShells } = require('./shells');
 const log = require('./logger');
 const PUBLIC_DIR = path.join(__dirname, '..', 'public');
-const uploadedFiles = [];
+const uploadedFiles = new Map(); // id -> filepath
 function setupRoutes(app, { auth, sessions, config, state }) {
   // Serve static files (manifest.json, sw.js, icons, etc.)
@@ -28,7 +28,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
         httpOnly: true,
         sameSite: 'lax',
         maxAge: 24 * 60 * 60 * 1000,
-        secure: false,
+        secure: req.secure,
       });
       log.info(`Auth: login success from ${req.ip}`);
       res.json({ ok: true });
@@ -58,7 +58,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
         httpOnly: true,
         sameSite: 'lax',
         maxAge: 24 * 60 * 60 * 1000,
-        secure: false,
+        secure: req.secure,
       });
       log.info(`Auth: share-token auto-login from ${req.ip}`);
       // Redirect to the same path without ?ott= to keep the URL clean
@@ -212,12 +212,13 @@ function setupRoutes(app, { auth, sessions, config, state }) {
           'image/webp': '.webp',
           'image/bmp': '.bmp',
         }[contentType] || '.png';
-      const filename = `termbeam-${crypto.randomUUID()}${ext}`;
+      const id = crypto.randomUUID();
+      const filename = `termbeam-${id}${ext}`;
       const filepath = path.join(os.tmpdir(), filename);
       fs.writeFileSync(filepath, buffer);
-      uploadedFiles.push(filepath);
+      uploadedFiles.set(id, filepath);
       log.info(`Upload: ${filename} (${buffer.length} bytes)`);
-      res.json({ path: filepath });
+      res.json({ id, url: `/uploads/${id}`, path: filepath });
     });
     req.on('error', (err) => {
@@ -226,6 +227,17 @@ function setupRoutes(app, { auth, sessions, config, state }) {
     });
   });
+  // Serve uploaded files by opaque ID
+  app.get('/uploads/:id', auth.middleware, (req, res) => {
+    const filepath = uploadedFiles.get(req.params.id);
+    if (!filepath) return res.status(404).json({ error: 'not found' });
+    if (!fs.existsSync(filepath)) {
+      uploadedFiles.delete(req.params.id);
+      return res.status(404).json({ error: 'not found' });
+    }
+    res.sendFile(filepath);
+  });
   // Directory listing for folder browser
   app.get('/api/dirs', auth.middleware, (req, res) => {
     const query = req.query.q || config.cwd + path.sep;
@@ -248,7 +260,7 @@ function setupRoutes(app, { auth, sessions, config, state }) {
 }
 function cleanupUploadedFiles() {
-  for (const filepath of uploadedFiles) {
+  for (const [id, filepath] of uploadedFiles) {
     try {
       if (fs.existsSync(filepath)) {
         fs.unlinkSync(filepath);
@@ -257,7 +269,7 @@ function cleanupUploadedFiles() {
       log.error(`Failed to cleanup ${filepath}: ${err.message}`);
     }
   }
-  uploadedFiles.length = 0;
+  uploadedFiles.clear();
 }
 module.exports = { setupRoutes, cleanupUploadedFiles };

package/src/server.js CHANGED Viewed

@@ -174,6 +174,8 @@ function createTermBeamServer(overrides = {}) {
         const gn = '\x1b[38;5;114m'; // green
         const dm = '\x1b[2m'; // dim
+        const bl = '\x1b[38;5;75m'; // light blue
         let publicUrl = null;
         if (config.useTunnel) {
           const tunnel = await startTunnel(config.port, {
@@ -191,10 +193,15 @@ function createTermBeamServer(overrides = {}) {
         console.log(`  Shell:    ${config.shell}`);
         console.log(`  Session:  ${defaultId}`);
         console.log(`  Auth:     ${config.password ? `${gn}🔒 password${rs}` : '🔓 none'}`);
+        if (isLanReachable) {
+          console.log(`  Bind:     ${config.host} (LAN accessible)`);
+        } else {
+          console.log(`  Bind:     ${config.host} (localhost only)`);
+        }
         console.log('');
         if (publicUrl) {
-          console.log(`  🌐 Public:  ${publicUrl}`);
+          console.log(`  Public:   ${bl}${publicUrl}${rs}`);
         }
         console.log(`  Local:    http://localhost:${config.port}`);
         if (isLanReachable) {
@@ -205,8 +212,6 @@ function createTermBeamServer(overrides = {}) {
         const qrDisplayUrl = qrUrl; // clean URL shown in console text
         const qrCodeUrl = config.password ? `${qrUrl}?ott=${auth.generateShareToken()}` : qrUrl;
         console.log('');
-        console.log(`  ${dm}📋 Clipboard requires HTTPS — use the Public or localhost URL${rs}`);
-        console.log('');
         try {
           const qr = await QRCode.toString(qrCodeUrl, { type: 'terminal', small: true });
           console.log(qr);
@@ -214,7 +219,7 @@ function createTermBeamServer(overrides = {}) {
           /* ignore */
         }
-        console.log(`  Scan the QR code or open: ${qrDisplayUrl}`);
+        console.log(`  Scan the QR code or open: ${bl}${qrDisplayUrl}${rs}`);
         if (config.password) console.log(`  Password: ${gn}${config.password}${rs}`);
         console.log('');