upfynai-code 2.9.1 → 2.9.2

package/server/middleware/auth.js

@@ -0,0 +1,176 @@
+import jwt from 'jsonwebtoken';
+import crypto from 'crypto';
+import { userDb, relayTokensDb } from '../database/db.js';
+import { IS_PLATFORM } from '../constants/config.js';
+
+let JWT_SECRET = process.env.JWT_SECRET?.trim();
+if (!JWT_SECRET) {
+  if (IS_PLATFORM) {
+    // In local/self-hosted mode, generate a random secret (auth is bypassed anyway)
+    JWT_SECRET = crypto.randomBytes(32).toString('hex');
+  } else {
+    console.error('[SECURITY] JWT_SECRET environment variable is required. Server cannot start without it.');
+    process.exit(1);
+  }
+}
+
+// Optional static API key middleware
+const validateApiKey = (req, res, next) => {
+  if (!process.env.API_KEY) return next();
+  const apiKey = req.headers['x-api-key'];
+  if (apiKey !== process.env.API_KEY.trim()) {
+    return res.status(401).json({ error: 'Invalid API key' });
+  }
+  next();
+};
+
+// Extract JWT from request: cookie → Bearer header → query param (SSE only)
+const extractToken = (req) => {
+  // 1. httpOnly cookie (browser sessions — primary auth method)
+  if (req.cookies?.session) return req.cookies.session;
+
+  // 2. Bearer header (API clients, MCP)
+  const authHeader = req.headers['authorization'];
+  if (authHeader?.startsWith('Bearer ')) return authHeader.slice(7);
+
+  // 3. Query param — for GET requests (SSE EventSource + iframe embedding)
+  if (req.query?.token && req.method === 'GET') {
+    return req.query.token;
+  }
+
+  return null;
+};
+
+// JWT authentication middleware
+const authenticateToken = async (req, res, next) => {
+  // Platform mode: use first database user
+  if (IS_PLATFORM) {
+    try {
+      const user = await userDb.getFirstUser();
+      if (!user) return res.status(500).json({ error: 'Platform mode: No user found in database' });
+      req.user = user;
+      return next();
+    } catch (error) {
+      console.error('Platform mode error:', error);
+      return res.status(500).json({ error: 'Platform mode: Failed to fetch user' });
+    }
+  }
+
+  const token = extractToken(req);
+  if (!token) {
+    return res.status(401).json({ error: 'Access denied. No token provided.' });
+  }
+
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET);
+    const user = await userDb.getUserById(decoded.userId);
+    if (!user) return res.status(401).json({ error: 'Invalid token. User not found.' });
+    req.user = user;
+    // If token came from query param, set session cookie for subsequent requests (iframe auto-auth)
+    if (req.query?.token && !req.cookies?.session) {
+      res.cookie('session', token, COOKIE_OPTIONS);
+    }
+    next();
+  } catch (error) {
+    return res.status(403).json({ error: 'Invalid or expired token' });
+  }
+};
+
+// Generate JWT token (30-day expiration)
+const generateToken = (user) => {
+  return jwt.sign(
+    { userId: user.id, username: user.username },
+    JWT_SECRET,
+    { expiresIn: '30d' }
+  );
+};
+
+// Cookie config for httpOnly session
+// Works for both self-hosted (same origin) and split deploy (Vercel proxy → Railway)
+const isSecureEnv = process.env.NODE_ENV === 'production' || !!process.env.VERCEL || !!process.env.RAILWAY_ENVIRONMENT;
+const COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: isSecureEnv,
+  // 'none' required for cross-origin iframe embedding (Vercel frontend → Railway backend)
+  // 'strict' used in local/dev mode where everything is same-origin
+  sameSite: isSecureEnv ? 'none' : 'strict',
+  maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
+  path: '/',
+};
+
+// Set session cookie on response
+const setSessionCookie = (res, token) => {
+  res.cookie('session', token, COOKIE_OPTIONS);
+};
+
+// Clear session cookie
+const clearSessionCookie = (res) => {
+  res.clearCookie('session', { path: '/' });
+};
+
+// WebSocket authentication (parse cookie from upgrade request headers)
+const authenticateWebSocket = async (request) => {
+  // Platform mode: bypass
+  if (IS_PLATFORM) {
+    try {
+      const user = await userDb.getFirstUser();
+      return user ? { userId: user.id, username: user.username } : null;
+    } catch { return null; }
+  }
+
+  let token = null;
+
+  // 1. Parse cookie from upgrade request
+  const cookieHeader = request.headers?.cookie || '';
+  if (cookieHeader) {
+    const cookies = Object.fromEntries(
+      cookieHeader.split(';').map(c => {
+        const [k, ...v] = c.trim().split('=');
+        return [k, v.join('=')];
+      })
+    );
+    token = cookies.session || null;
+  }
+
+  // 2. Fallback: query param (legacy)
+  if (!token) {
+    try {
+      const url = new URL(request.url, 'http://localhost');
+      token = url.searchParams.get('token');
+    } catch { /* ignore */ }
+  }
+
+  if (!token) {
+    return null;
+  }
+
+  // Relay token (upfyn_ prefix) — validate against DB, not JWT
+  if (token.startsWith('upfyn_') || token.startsWith('rt_')) {
+    try {
+      const tokenData = await relayTokensDb.validateToken(token);
+      if (tokenData) {
+        return { userId: Number(tokenData.user_id), username: tokenData.username };
+      }
+    } catch {
+    }
+    return null;
+  }
+
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET);
+    // Validate against Turso — DB is source of truth
+    const user = await userDb.getUserById(decoded.userId);
+    if (!user) return null;
+    return { userId: user.id, username: user.username };
+  } catch { return null; }
+};
+
+export {
+  validateApiKey,
+  authenticateToken,
+  generateToken,
+  authenticateWebSocket,
+  setSessionCookie,
+  clearSessionCookie,
+  JWT_SECRET
+};

package/server/middleware/relayHelpers.js

@@ -0,0 +1,44 @@
+import { IS_CLOUD } from '../constants/config.js';
+
+/**
+ * Creates middleware that injects relay helper functions onto req.
+ * Must be applied AFTER authenticateToken.
+ *
+ * Security model:
+ *   - All relay commands go through sendRelayCommand which validates action allowlist
+ *   - Shell commands are restricted to known-safe prefixes (git, mkdir, rm, wmic)
+ *   - Dangerous shell patterns (pipes to bash, backtick injection, etc.) are blocked
+ *   - IP pinning: relay connection records the CLI's IP; only the authenticated user can send commands
+ *   - The relay token is validated at WebSocket connect time; commands flow only to the token owner's machine
+ *
+ * Adds to req:
+ *   - req.isCloud: boolean — true when running on Railway/Vercel/Render
+ *   - req.hasRelay(): boolean — true when user's machine is connected
+ *   - req.sendRelay(action, payload, timeout): Promise — send command to user's machine
+ *   - req.requireRelay(): returns false + sends 503 if cloud mode and no relay connected
+ */
+export function createRelayMiddleware(hasActiveRelay, sendRelayCommand, withRetry) {
+  return (req, res, next) => {
+    const userId = Number(req.user?.id);
+    req.isCloud = IS_CLOUD;
+    req.hasRelay = () => hasActiveRelay(userId);
+    // Retry transient relay failures (opencode pattern: exponential backoff)
+    req.sendRelay = (action, payload, timeout) =>
+      withRetry(() => sendRelayCommand(userId, action, payload, null, timeout || 15000), { maxRetries: 2 });
+
+    // Helper: return 503 if cloud mode and no relay connected
+    req.requireRelay = () => {
+      if (IS_CLOUD && !hasActiveRelay(userId)) {
+        res.status(503).json({
+          error: 'Machine not connected',
+          message: 'Run "uc connect" on your local machine to use this feature.',
+          code: 'RELAY_NOT_CONNECTED'
+        });
+        return false;
+      }
+      return true;
+    };
+
+    next();
+  };
+}

package/server/middleware/sandboxRouter.js

@@ -0,0 +1,174 @@
+/**
+ * Sandbox Command Router Middleware
+ * Intercepts REST API commands when no relay is connected,
+ * routing them to the sandbox service instead.
+ */
+
+import { sandboxClient } from '../sandbox.js';
+
+/**
+ * Middleware that routes file/git/exec commands to sandbox when no relay.
+ * Used on routes that normally proxy to the relay (file ops, git, etc.)
+ *
+ * Usage: app.use('/api/sandbox-proxy', authenticateToken, sandboxCommandRouter);
+ */
+export function sandboxCommandRouter(req, res, next) {
+  // If relay is connected, let the normal relay flow handle it
+  if (req.hasRelay && req.hasRelay()) {
+    return next();
+  }
+
+  // No relay — check if sandbox is available
+  handleSandboxCommand(req, res).catch(() => {
+    res.status(503).json({ error: 'No machine connected and sandbox unavailable' });
+  });
+}
+
+async function handleSandboxCommand(req, res) {
+  const userId = req.user.id;
+  const { action, ...params } = req.body;
+
+  // Verify sandbox is available
+  const available = await sandboxClient.isAvailable();
+  if (!available) {
+    return res.status(503).json({ error: 'No machine connected and sandbox service unreachable' });
+  }
+
+  // Check if user has an active sandbox
+  const status = await sandboxClient.getStatus(userId);
+  if (!status.exists) {
+    // Auto-init sandbox for the user
+    await sandboxClient.initSandbox(userId);
+  }
+
+  // Route based on action
+  switch (action) {
+    case 'file-read': {
+      const result = await sandboxClient.readFile(userId, params.filePath);
+      return res.json(result);
+    }
+    case 'file-write': {
+      const result = await sandboxClient.writeFile(userId, params.filePath, params.content);
+      return res.json(result);
+    }
+    case 'file-tree': {
+      const result = await sandboxClient.getFileTree(userId, params.dirPath, params.depth);
+      return res.json(result);
+    }
+    case 'exec': {
+      const result = await sandboxClient.exec(userId, params.command, {
+        cwd: params.cwd,
+        timeout: params.timeout,
+        userKeys: params.userKeys,
+      });
+      return res.json(result);
+    }
+    case 'git': {
+      const result = await sandboxClient.gitOperation(userId, params.gitCommand, params.cwd);
+      return res.json(result);
+    }
+    default:
+      return res.status(400).json({ error: `Unknown sandbox action: ${action}` });
+  }
+}
+
+/**
+ * WebSocket sandbox bridge — used in the WS handler for routing
+ * claude-command/shell-command/file-* when no relay is connected.
+ *
+ * @param {string} userId
+ * @param {string} messageType - WS message type (e.g. 'claude-command')
+ * @param {object} data - WS message data
+ * @param {object} writer - WebSocketWriter for sending responses
+ * @returns {boolean} true if handled by sandbox, false if not
+ */
+export async function handleSandboxWebSocketCommand(userId, messageType, data, writer) {
+  const available = await sandboxClient.isAvailable();
+  if (!available) return false;
+
+  try {
+    // Ensure sandbox exists
+    const status = await sandboxClient.getStatus(userId);
+    if (!status.exists) {
+      await sandboxClient.initSandbox(userId);
+    }
+
+    switch (messageType) {
+      case 'claude-command': {
+        // Execute claude CLI command in sandbox
+        writer.send({ type: 'session-created', sessionId: data.sessionId || `sandbox-${Date.now()}` });
+        writer.send({ type: 'stream', content: '[Sandbox] Executing in cloud sandbox...\n' });
+
+        const result = await sandboxClient.exec(userId, `claude --print "${data.command}"`, {
+          cwd: data.cwd,
+          timeout: 120000,
+          userKeys: data.userKeys,
+        });
+
+        writer.send({
+          type: 'stream',
+          content: result.stdout || '',
+        });
+
+        if (result.stderr) {
+          writer.send({ type: 'stream', content: `\n${result.stderr}` });
+        }
+
+        writer.send({
+          type: 'session-complete',
+          sessionId: data.sessionId,
+          exitCode: result.exitCode,
+        });
+
+        return true;
+      }
+
+      case 'shell-command': {
+        const result = await sandboxClient.exec(userId, data.command, {
+          cwd: data.cwd,
+          timeout: data.timeout || 30000,
+        });
+        writer.send({
+          type: 'shell-output',
+          stdout: result.stdout,
+          stderr: result.stderr,
+          exitCode: result.exitCode,
+        });
+        return true;
+      }
+
+      case 'file-read': {
+        const result = await sandboxClient.readFile(userId, data.filePath);
+        writer.send({ type: 'file-content', ...result });
+        return true;
+      }
+
+      case 'file-write': {
+        const result = await sandboxClient.writeFile(userId, data.filePath, data.content);
+        writer.send({ type: 'file-written', ...result });
+        return true;
+      }
+
+      case 'file-tree': {
+        const result = await sandboxClient.getFileTree(userId, data.dirPath, data.depth);
+        writer.send({ type: 'file-tree', ...result });
+        return true;
+      }
+
+      case 'git-operation': {
+        const result = await sandboxClient.gitOperation(userId, data.gitCommand, data.cwd);
+        writer.send({ type: 'git-result', ...result });
+        return true;
+      }
+
+      default:
+        return false;
+    }
+  } catch (error) {
+    writer.send({
+      type: 'error',
+      error: `Sandbox error: ${error.message || 'Unknown error'}`,
+    });
+    return true; // Handled (with error)
+  }
+}