thinkpool-pair 0.7.15 → 0.7.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/account.mjs +54 -3
- package/package.json +1 -1
package/account.mjs
CHANGED
|
@@ -13,12 +13,52 @@ import path from 'node:path'
|
|
|
13
13
|
import fs from 'node:fs'
|
|
14
14
|
import { createClient } from '@supabase/supabase-js'
|
|
15
15
|
import os from 'node:os'
|
|
16
|
-
import { saveAuth, loadAuth,
|
|
16
|
+
import { saveAuth, loadAuth, loadDirs, bindDir } from './auth-store.mjs'
|
|
17
17
|
|
|
18
18
|
const VERSION = (() => { try { return JSON.parse(fs.readFileSync(new URL('./package.json', import.meta.url), 'utf8')).version } catch { return null } })()
|
|
19
19
|
|
|
20
20
|
const BRIDGE = fileURLToPath(new URL('./bridge.mjs', import.meta.url))
|
|
21
21
|
|
|
22
|
+
// ── single-instance lock ────────────────────────────────────────────────────
|
|
23
|
+
// Two account supervisors on one machine share ONE ~/.thinkpool-pair/auth.json
|
|
24
|
+
// refresh token and race its rotation — which on 2026-06-17 deleted a live Pro
|
|
25
|
+
// login mid-session. The account supervisor is single-instance by nature; this
|
|
26
|
+
// pidfile lock refuses a second one. Acquired BEFORE auth so two can't both hit
|
|
27
|
+
// the refresh path. Exported for the test harness.
|
|
28
|
+
const LOCK = path.join(os.homedir(), '.thinkpool-pair', 'account.lock')
|
|
29
|
+
|
|
30
|
+
// True if `pid` is a live process (EPERM = exists but not ours; ESRCH = gone).
|
|
31
|
+
function pidAlive(pid) {
|
|
32
|
+
if (!pid || pid === process.pid) return false
|
|
33
|
+
try { process.kill(pid, 0); return true } catch (e) { return e.code === 'EPERM' }
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
// Returns true if we now hold the lock, false if another LIVE supervisor holds it.
|
|
37
|
+
// A stale lock (holder dead / garbage / ours) is taken over. fs errors fail-OPEN
|
|
38
|
+
// (return true) — a lock we can't manage must never block the real bridge.
|
|
39
|
+
export function acquireSingleton(lockPath = LOCK) {
|
|
40
|
+
try { fs.mkdirSync(path.dirname(lockPath), { recursive: true }) } catch { /* noop */ }
|
|
41
|
+
for (let i = 0; i < 3; i++) {
|
|
42
|
+
try {
|
|
43
|
+
const fd = fs.openSync(lockPath, 'wx') // atomic create-exclusive
|
|
44
|
+
fs.writeSync(fd, String(process.pid)); fs.closeSync(fd)
|
|
45
|
+
return true
|
|
46
|
+
} catch (e) {
|
|
47
|
+
if (e.code !== 'EEXIST') return true // can't create for another reason → fail open
|
|
48
|
+
let pid = 0
|
|
49
|
+
try { pid = parseInt(fs.readFileSync(lockPath, 'utf8').trim(), 10) || 0 } catch { /* unreadable */ }
|
|
50
|
+
if (pidAlive(pid)) return false // a live supervisor owns it → refuse
|
|
51
|
+
try { fs.rmSync(lockPath, { force: true }) } catch { return true } // stale → drop + retry
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
return true
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
// Release only if WE own it (don't unlink a lock another instance took over).
|
|
58
|
+
export function releaseSingleton(lockPath = LOCK) {
|
|
59
|
+
try { if ((parseInt(fs.readFileSync(lockPath, 'utf8').trim(), 10) || 0) === process.pid) fs.rmSync(lockPath, { force: true }) } catch { /* noop */ }
|
|
60
|
+
}
|
|
61
|
+
|
|
22
62
|
// ── login: OAuth-style DEVICE-CODE flow (hardened) ──────────────────────────
|
|
23
63
|
// The bridge asks Postgres (start_device_code) for a secret device_code + a short
|
|
24
64
|
// human user_code, prints the user_code + URL, then POLLS claim_device_code with
|
|
@@ -76,10 +116,20 @@ export function runBind(room, dir) {
|
|
|
76
116
|
|
|
77
117
|
// ── account supervisor: a headless child bridge per bound room, in its dir ──
|
|
78
118
|
export async function runAccount(SUPABASE_URL, SUPABASE_ANON) {
|
|
119
|
+
if (!acquireSingleton()) {
|
|
120
|
+
console.error('\n ◇ An account bridge is already running on this machine\n (~/.thinkpool-pair/account.lock). Not starting a second — two would race\n your saved login. Stop the other one first, or share a single room with\n `npx thinkpool-pair <ROOM>`.\n')
|
|
121
|
+
process.exit(0)
|
|
122
|
+
}
|
|
79
123
|
const auth = await authedClient(SUPABASE_URL, SUPABASE_ANON)
|
|
80
124
|
if (!auth) {
|
|
81
|
-
|
|
82
|
-
|
|
125
|
+
releaseSingleton()
|
|
126
|
+
// Do NOT delete auth.json here. A refresh can fail transiently (offline) or
|
|
127
|
+
// lose a refresh-token rotation race with another bridge sharing this login —
|
|
128
|
+
// wiping the file on that destroys a still-valid login. Leave it: only an
|
|
129
|
+
// explicit `login` should ever replace the token (saveAuth overwrites it).
|
|
130
|
+
// (2026-06-17: a second account supervisor raced the token and the old
|
|
131
|
+
// clearAuth() here deleted a live Pro login mid-session.)
|
|
132
|
+
console.error('\n ◇ Couldn\'t refresh your account session (offline, or another bridge\n may be using this login). Your saved login was left in place.\n If this keeps happening, re-link: npx thinkpool-pair login\n')
|
|
83
133
|
process.exit(1)
|
|
84
134
|
}
|
|
85
135
|
const { sb, session } = auth
|
|
@@ -156,6 +206,7 @@ export async function runAccount(SUPABASE_URL, SUPABASE_ANON) {
|
|
|
156
206
|
const stop = (sig) => {
|
|
157
207
|
if (stopping) return; stopping = true
|
|
158
208
|
clearInterval(iv)
|
|
209
|
+
releaseSingleton()
|
|
159
210
|
for (const c of children.values()) { try { c.kill(sig || 'SIGTERM') } catch { /* noop */ } }
|
|
160
211
|
// Flush the presence LEAVE before exiting so the dashboard flips to
|
|
161
212
|
// "not connected" in realtime (don't fire-and-forget the untrack).
|