mirror of
https://github.com/Termix-SSH/Termix.git
synced 2026-07-16 05:13:36 +00:00
release-2.5.0 (#994)
* feat(sshid) - sshid.io equivalent for termix (#919) * feat(ssh-id): database schema, migrations and field encryption Adds ssh_identities, ssh_identity_keys and ssh_identity_ca tables (public keys stored plaintext for the unauthenticated resolver; CA private key registered for per-user field encryption), with UNIQUE(user_id), an index on ssh_identity_keys(identity_id), and idempotent CREATE TABLE migrations. * feat(ssh-id): backend API — resolver, key management, CA and certificates Mounts /sshid (nginx route added). Public text/plain authorized_keys resolver (+ exact /:algo filter, HTML viewer) and CA public-key endpoint; no-store + noindex headers on every resolver response including early 404s. Authenticated management: claim/rename/delete handle, add/import/generate/enable/delete keys, and a per-user CA (create/rotate/delete) with pure-Node OpenSSH certificate issuance. Audit logging on all mutations; UNIQUE races map to a precise 409. Unit tests for key parsing and certificate signing (ssh-keygen-validated). * feat(ssh-id): frontend panel, API client and i18n SSH ID panel wired into the app rail and AppShell: claim handle, resolver URL + curl one-liner, key list, generate, paste/import, CA enable/rotate/remove with server trust command, and per-key certificate issuance. API client re-exported through main-axios.ts; all strings i18n'd. * style(ssh-id): align panel and resolver page with Termix theme - Rebuild the SSH ID sidebar panel with the theme's square components (SectionCard / SettingRow / FakeSwitch) instead of rounded ad-hoc cards; use accent-brand and destructive tokens rather than raw red/green. - Fix panel scrolling: move overflow to a block scroll container so the cards keep their natural height instead of being clipped. - Restyle the public resolver HTML page (/sshid/u/:handle) to the Termix dark theme: square corners, #18181b/#303032 palette, #f59145 accent, uppercase section labels. - Tidy copy: 'Save To Credentials' label, drop the redundant generate intro, and correct the generate tooltip (the key is stored when saving to vault). * feat: rename to Termix ID, improve UI, backend inconsistencies, and general bug fixes --------- Co-authored-by: LukeGus <bugattiguy527@gmail.com> * ci(deps): bump actions/checkout from 6 to 7 in the github-actions group (#922) Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 6 to 7 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump the dev-patch-updates group with 11 updates (#923) Bumps the dev-patch-updates group with 11 updates: | Package | From | To | | --- | --- | --- | | [@codemirror/search](https://github.com/codemirror/search) | `6.7.0` | `6.7.1` | | [@codemirror/view](https://github.com/codemirror/view) | `6.43.0` | `6.43.1` | | [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.3.0` | `4.3.1` | | [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.8` | `4.1.9` | | [@vitest/ui](https://github.com/vitest-dev/vitest/tree/HEAD/packages/ui) | `4.1.8` | `4.1.9` | | [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.5.2` | `0.5.3` | | [lint-staged](https://github.com/lint-staged/lint-staged) | `17.0.7` | `17.0.8` | | [prettier](https://github.com/prettier/prettier) | `3.8.3` | `3.8.4` | | [sharp](https://github.com/lovell/sharp) | `0.35.1` | `0.35.2` | | [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.0` | `4.3.1` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.8` | `4.1.9` | Updates `@codemirror/search` from 6.7.0 to 6.7.1 - [Changelog](https://github.com/codemirror/search/blob/main/CHANGELOG.md) - [Commits](https://github.com/codemirror/search/commits) Updates `@codemirror/view` from 6.43.0 to 6.43.1 - [Changelog](https://github.com/codemirror/view/blob/main/CHANGELOG.md) - [Commits](https://github.com/codemirror/view/commits) Updates `@tailwindcss/vite` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-vite) Updates `@vitest/coverage-v8` from 4.1.8 to 4.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/coverage-v8) Updates `@vitest/ui` from 4.1.8 to 4.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/ui) Updates `eslint-plugin-react-refresh` from 0.5.2 to 0.5.3 - [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases) - [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md) - [Commits](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/compare/v0.5.2...v0.5.3) Updates `lint-staged` from 17.0.7 to 17.0.8 - [Release notes](https://github.com/lint-staged/lint-staged/releases) - [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md) - [Commits](https://github.com/lint-staged/lint-staged/compare/v17.0.7...v17.0.8) Updates `prettier` from 3.8.3 to 3.8.4 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.8.3...3.8.4) Updates `sharp` from 0.35.1 to 0.35.2 - [Release notes](https://github.com/lovell/sharp/releases) - [Commits](https://github.com/lovell/sharp/compare/v0.35.1...v0.35.2) Updates `tailwindcss` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss) Updates `vitest` from 4.1.8 to 4.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest) --- updated-dependencies: - dependency-name: "@codemirror/search" dependency-version: 6.7.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@codemirror/view" dependency-version: 6.43.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@tailwindcss/vite" dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@vitest/coverage-v8" dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@vitest/ui" dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: eslint-plugin-react-refresh dependency-version: 0.5.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: lint-staged dependency-version: 17.0.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: prettier dependency-version: 3.8.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: sharp dependency-version: 0.35.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: tailwindcss dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: vitest dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump nanoid in the prod-patch-updates group (#925) Bumps the prod-patch-updates group with 1 update: [nanoid](https://github.com/ai/nanoid). Updates `nanoid` from 5.1.11 to 5.1.15 - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](https://github.com/ai/nanoid/compare/5.1.11...5.1.15) --- updated-dependencies: - dependency-name: nanoid dependency-version: 5.1.15 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the major-updates group with 5 updates (#926) Bumps the major-updates group with 5 updates: | Package | From | To | | --- | --- | --- | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.2.0` | `5.0.0` | | [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) | `9.39.4` | `10.0.1` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.9.2` | `26.0.0` | | [concurrently](https://github.com/open-cli-tools/concurrently) | `9.2.1` | `10.0.3` | | [eslint](https://github.com/eslint/eslint) | `9.39.4` | `10.5.0` | Updates `js-yaml` from 4.2.0 to 5.0.0 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](https://github.com/nodeca/js-yaml/compare/4.2.0...5.0.0) Updates `@eslint/js` from 9.39.4 to 10.0.1 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/commits/v10.0.1/packages/js) Updates `@types/node` from 25.9.2 to 26.0.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `concurrently` from 9.2.1 to 10.0.3 - [Release notes](https://github.com/open-cli-tools/concurrently/releases) - [Commits](https://github.com/open-cli-tools/concurrently/compare/v9.2.1...v10.0.3) Updates `eslint` from 9.39.4 to 10.5.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v9.39.4...v10.5.0) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: major-updates - dependency-name: "@eslint/js" dependency-version: 10.0.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates - dependency-name: "@types/node" dependency-version: 26.0.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates - dependency-name: concurrently dependency-version: 10.0.3 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates - dependency-name: eslint dependency-version: 10.5.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat(ssh): add HashiCorp Vault SSH signer authentication * fix: small fixes to vault feature to align with Termix codebase * chore: add view docs links for vault/termix id * fix: file upload fails with 400 and missing schema migrations on upgrade (#929) Two bugs introduced in v2.4.1: 1. uploadFileStream uses fileManagerApi.post() which triggers axios's transformRequest to JSON-serialize the FormData because the instance default Content-Type is application/json. Change to postForm() which sets Content-Type: multipart/form-data so the browser XHR sends the correct multipart body with boundary. 2. Two schema items added to schema.ts were not included in migrateSchema() in db/index.ts, causing 500 errors on existing installations upgrading from v2.4.0: - user_preferences.status_color_scheme (no such column) - dashboard_service_links table (no such table) Fixes #928 Co-authored-by: sash <sash@fominykh.io> * fix: support PuTTY PPK ssh keys (#930) * fix: chunk large file manager uploads (#932) * fix: route dashboard hosts by protocol (#934) * fix: resolve tunnel endpoints reliably (#935) * Fix Electron OIDC browser auth failures (#936) * Allow RDP connections without stored credentials (#937) * Sync role credential shares for OIDC users (#938) * Fix terminal link dialog layering (#940) * Confirm large files before opening editor (#942) * Confirm closing active host connections (#943) * Preserve file path case in file manager UI (#941) * fix: preserve unicode guacamole tokens (#933) * Persist VNC authentication settings (#944) * Fix Guacamole websocket base path (#946) * Promote file manager terminals to tabs (#939) * Guard Guacamole disconnect during startup (#945) * chore: increment ver * feat: bitwarden ssh agent integration * feat: serial connections support * fix: various small bug fixes * feat: open all sessions in a folder and terminal custom theme color support * feat: cross host file manager clipboard and several small bug fixes * feat: tailscale/wireguard support and added a new status state for when backend is checking status * feat: grafana like server stats history, new alert system, ntfy/webhook support * feat: new grid and widget based homepage function * feat: new donate button in dashboard * fix: alert ui incorrectly using termix css and fixed issue with alert system not loading * chore: fix ci checks (#966) * Fix dashboard service link creation (#950) * Fix jump host SOCKS5 proxy selection (#951) * Fix jump host SOCKS5 proxy selection * fix: type jump host socks proxy config * Fix tmux detection path handling (#949) * Support GUACD_URL environment config (#952) * Retry autostart tunnel host fetches (#953) * Retry autostart tunnel host fetches * chore: format tunnel route * Fix PUID html ownership in Docker entrypoint (#954) * feat: allow custom tunnel endpoints (#977) * fix: skip metrics start for non-ssh hosts (#976) * Fix Proxmox import auth fallback (#956) * Fix Proxmox import auth fallback * chore: format proxmox import auth * Fix SSH heading syntax highlighting (#955) * Fix SSH heading syntax highlighting * chore: format terminal highlighter * Initialize auth before fullscreen terminal routes (#957) * Add WebAuthn passkey authentication (#959) * chore: add Biome tooling (#965) * chore: add biome tooling * chore: support tailwind syntax in biome * Fix VNC required argument handshake (#968) * Prioritize host results in command palette search (#969) * Prevent sidebar host hover layout shift (#970) * Add terminal font zoom with mouse wheel (#971) * Add host temperature metrics card (#972) * Make file downloads reliable in desktop app (#973) * Add app rail hover expansion setting (#974) * fix: use correct translation key for nav.close (#964) * fix(tunnel): skip endpoint credential validation for direct tunnels (#963) * fix: SSH port connection bug (#975) * fix: chunked upload for files >=1.5GB to bypass browser ArrayBuffer limit (#948) * feat: support SSH agent auth across SSH features (#960) * feat: add Podman container runtime support (#958) * chore: update readme and release notes * fix: stabilize Windows app icon (#978) * Add safe host sharing export (#979) * Add external editor support for file manager (#985) * Rework SSH credential password handling (#984) * Support password fallback for SSH key credentials * Complete SSH credential password fallback * Fix runtime base path for auth callbacks (#982) * Fix TUI terminal output highlighting (#983) Co-authored-by: LukeGus <bugattiguy527@gmail.com> * Add app fullscreen mode (#993) * Fix host metrics startup polling (#986) * chore: update release notes * fix: line chart text overlap * chore: update RELEASE_NOTES.md * chore: add donation goal to readme * chore: update readme * fix: hide full-screen button in electron app * fix: failed unit tests * chore: lint, format, and bump version to 2.5.0 * chore: remove timeout from crowdin translate * chore: sync Crowdin translations for 2.5.0 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DivByZero <mr.oplus@yahoo.fr> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: devdanetra <46488477+devdanetra@users.noreply.github.com> Co-authored-by: Aleksandr Fominykh <neoformalex@users.noreply.github.com> Co-authored-by: sash <sash@fominykh.io> Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
This commit is contained in:
@@ -0,0 +1,29 @@
|
||||
import { SystemCrypto } from "./system-crypto.js";
|
||||
import { sshLogger } from "./logger.js";
|
||||
|
||||
const METRICS_SERVICE_URL = "http://localhost:30005";
|
||||
|
||||
export async function triggerLoginAlert(
|
||||
hostId: number,
|
||||
userId: string,
|
||||
sshUser: string,
|
||||
fromIp: string,
|
||||
): Promise<void> {
|
||||
try {
|
||||
const token = await SystemCrypto.getInstance().getInternalAuthToken();
|
||||
await fetch(`${METRICS_SERVICE_URL}/internal/login-alert`, {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
"x-internal-auth": token,
|
||||
},
|
||||
body: JSON.stringify({ hostId, userId, sshUser, fromIp }),
|
||||
});
|
||||
} catch (err) {
|
||||
sshLogger.warn("Failed to trigger login alert", {
|
||||
operation: "login_alert_trigger_error",
|
||||
hostId,
|
||||
error: err instanceof Error ? err.message : String(err),
|
||||
});
|
||||
}
|
||||
}
|
||||
@@ -147,6 +147,31 @@ class AuthManager {
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
async setupWebAuthnUserEncryption(userId: string): Promise<void> {
|
||||
await this.userCrypto.setupWebAuthnUserEncryption(userId);
|
||||
}
|
||||
|
||||
async authenticateWebAuthnUser(
|
||||
userId: string,
|
||||
deviceType?: DeviceType,
|
||||
): Promise<boolean> {
|
||||
const sessionDurationMs =
|
||||
deviceType === "desktop" || deviceType === "mobile"
|
||||
? 30 * 24 * 60 * 60 * 1000
|
||||
: 24 * 60 * 60 * 1000;
|
||||
|
||||
const authenticated = await this.userCrypto.authenticateWebAuthnUser(
|
||||
userId,
|
||||
sessionDurationMs,
|
||||
);
|
||||
|
||||
if (authenticated) {
|
||||
await this.performLazyEncryptionMigration(userId);
|
||||
}
|
||||
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
async convertToOIDCEncryption(userId: string): Promise<void> {
|
||||
await this.userCrypto.convertToOIDCEncryption(userId);
|
||||
}
|
||||
|
||||
@@ -43,6 +43,8 @@ class FieldCrypto {
|
||||
"publicKey",
|
||||
]),
|
||||
opkssh_tokens: new Set(["sshCert", "privateKey"]),
|
||||
termix_identity_ca: new Set(["privateKey"]),
|
||||
vault_tokens: new Set(["sshCert", "privateKey"]),
|
||||
};
|
||||
|
||||
static encryptField(
|
||||
|
||||
@@ -0,0 +1,86 @@
|
||||
export type GuacdOptions = {
|
||||
host: string;
|
||||
port: number;
|
||||
};
|
||||
|
||||
const DEFAULT_GUACD_OPTIONS: GuacdOptions = {
|
||||
host: "localhost",
|
||||
port: 4822,
|
||||
};
|
||||
|
||||
function parsePort(value: string | undefined, fallback: number) {
|
||||
const port = parseInt(value || "", 10);
|
||||
return Number.isFinite(port) ? port : fallback;
|
||||
}
|
||||
|
||||
export function parseGuacdUrl(
|
||||
value: string,
|
||||
fallback: GuacdOptions = DEFAULT_GUACD_OPTIONS,
|
||||
): GuacdOptions {
|
||||
const raw = value.trim();
|
||||
if (!raw) {
|
||||
return fallback;
|
||||
}
|
||||
|
||||
if (raw.includes("://")) {
|
||||
try {
|
||||
const url = new URL(raw);
|
||||
return {
|
||||
host: url.hostname || fallback.host,
|
||||
port: parsePort(url.port, fallback.port),
|
||||
};
|
||||
} catch {
|
||||
return fallback;
|
||||
}
|
||||
}
|
||||
|
||||
const bracketedIpv6 = raw.match(/^\[([^\]]+)\](?::(\d+))?$/);
|
||||
if (bracketedIpv6) {
|
||||
return {
|
||||
host: bracketedIpv6[1],
|
||||
port: parsePort(bracketedIpv6[2], fallback.port),
|
||||
};
|
||||
}
|
||||
|
||||
const [host, port] = raw.split(":");
|
||||
return {
|
||||
host: host || fallback.host,
|
||||
port: parsePort(port, fallback.port),
|
||||
};
|
||||
}
|
||||
|
||||
export function getGuacdEnvOptions(): GuacdOptions | null {
|
||||
if (process.env.GUACD_URL) {
|
||||
return parseGuacdUrl(process.env.GUACD_URL);
|
||||
}
|
||||
|
||||
if (!process.env.GUACD_HOST && !process.env.GUACD_PORT) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return {
|
||||
host: process.env.GUACD_HOST || DEFAULT_GUACD_OPTIONS.host,
|
||||
port: parsePort(process.env.GUACD_PORT, DEFAULT_GUACD_OPTIONS.port),
|
||||
};
|
||||
}
|
||||
|
||||
export function resolveGuacdOptions(dbUrl?: string | null): GuacdOptions {
|
||||
const envOptions = getGuacdEnvOptions();
|
||||
if (envOptions) {
|
||||
return envOptions;
|
||||
}
|
||||
|
||||
if (dbUrl) {
|
||||
return parseGuacdUrl(dbUrl);
|
||||
}
|
||||
|
||||
return DEFAULT_GUACD_OPTIONS;
|
||||
}
|
||||
|
||||
export function formatGuacdOptions(options: GuacdOptions): string {
|
||||
return `${options.host}:${options.port}`;
|
||||
}
|
||||
|
||||
export function getDefaultGuacdUrl(): string {
|
||||
return formatGuacdOptions(resolveGuacdOptions());
|
||||
}
|
||||
@@ -293,5 +293,6 @@ export const systemLogger = new Logger("SYSTEM", "🚀", "#14b8a6");
|
||||
export const versionLogger = new Logger("VERSION", "📦", "#8b5cf6");
|
||||
export const dashboardLogger = new Logger("DASHBOARD", "📊", "#ec4899");
|
||||
export const guacLogger = new Logger("GUACAMOLE", "🖼️", "#ff6b6b");
|
||||
export const homepageLogger = new Logger("HOMEPAGE", "🏠", "#f97316");
|
||||
|
||||
export const logger = systemLogger;
|
||||
|
||||
@@ -0,0 +1,139 @@
|
||||
import { statsLogger } from "./logger.js";
|
||||
|
||||
export interface AlertPayload {
|
||||
hostName: string;
|
||||
hostId: number;
|
||||
triggerType: string;
|
||||
value?: number;
|
||||
threshold?: number;
|
||||
message: string;
|
||||
severity: "info" | "warning" | "critical";
|
||||
timestamp: string;
|
||||
ruleId: number;
|
||||
ruleName: string;
|
||||
}
|
||||
|
||||
interface WebhookConfig {
|
||||
url: string;
|
||||
headers?: Record<string, string>;
|
||||
method?: "POST" | "PUT";
|
||||
}
|
||||
|
||||
interface NtfyConfig {
|
||||
url: string;
|
||||
topic: string;
|
||||
token?: string;
|
||||
}
|
||||
|
||||
const NTFY_PRIORITY: Record<string, number> = {
|
||||
info: 2,
|
||||
warning: 3,
|
||||
critical: 5,
|
||||
};
|
||||
|
||||
async function fetchWithRetry(
|
||||
url: string,
|
||||
options: RequestInit,
|
||||
): Promise<void> {
|
||||
const attempt = async () => {
|
||||
const res = await fetch(url, options);
|
||||
if (!res.ok) {
|
||||
throw new Error(`HTTP ${res.status}: ${res.statusText}`);
|
||||
}
|
||||
};
|
||||
|
||||
try {
|
||||
await attempt();
|
||||
} catch (firstErr) {
|
||||
await new Promise((r) => setTimeout(r, 3000));
|
||||
try {
|
||||
await attempt();
|
||||
} catch (secondErr) {
|
||||
statsLogger.warn("Notification delivery failed after retry", {
|
||||
operation: "notification_send_failed",
|
||||
url,
|
||||
error:
|
||||
secondErr instanceof Error ? secondErr.message : String(secondErr),
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
export async function sendWebhook(
|
||||
config: WebhookConfig,
|
||||
payload: AlertPayload,
|
||||
): Promise<void> {
|
||||
const { url, headers = {}, method = "POST" } = config;
|
||||
await fetchWithRetry(url, {
|
||||
method,
|
||||
headers: { "Content-Type": "application/json", ...headers },
|
||||
body: JSON.stringify(payload),
|
||||
});
|
||||
}
|
||||
|
||||
export async function sendNtfy(
|
||||
config: NtfyConfig,
|
||||
payload: AlertPayload,
|
||||
): Promise<void> {
|
||||
const { url, topic, token } = config;
|
||||
const ntfyUrl = `${url.replace(/\/$/, "")}/${topic}`;
|
||||
const headers: Record<string, string> = {
|
||||
"Content-Type": "application/json",
|
||||
Title: `[Termix] ${payload.hostName}: ${payload.ruleName}`,
|
||||
Priority: String(NTFY_PRIORITY[payload.severity] ?? 3),
|
||||
Tags:
|
||||
payload.severity === "critical"
|
||||
? "rotating_light"
|
||||
: payload.severity === "warning"
|
||||
? "warning"
|
||||
: "information_source",
|
||||
};
|
||||
if (token) {
|
||||
headers["Authorization"] = `Bearer ${token}`;
|
||||
}
|
||||
await fetchWithRetry(ntfyUrl, {
|
||||
method: "POST",
|
||||
headers,
|
||||
body: payload.message,
|
||||
});
|
||||
}
|
||||
|
||||
export interface NotificationChannel {
|
||||
id: number;
|
||||
type: string;
|
||||
config: string;
|
||||
enabled: boolean;
|
||||
}
|
||||
|
||||
export async function sendNotification(
|
||||
channel: NotificationChannel,
|
||||
payload: AlertPayload,
|
||||
): Promise<void> {
|
||||
if (!channel.enabled) return;
|
||||
|
||||
let parsedConfig: Record<string, unknown>;
|
||||
try {
|
||||
parsedConfig = JSON.parse(channel.config) as Record<string, unknown>;
|
||||
} catch {
|
||||
statsLogger.warn("Failed to parse notification channel config", {
|
||||
operation: "notification_config_parse_error",
|
||||
channelId: channel.id,
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
if (channel.type === "webhook") {
|
||||
await sendWebhook(parsedConfig as unknown as WebhookConfig, payload);
|
||||
} else if (channel.type === "ntfy") {
|
||||
await sendNtfy(parsedConfig as unknown as NtfyConfig, payload);
|
||||
}
|
||||
} catch (err) {
|
||||
statsLogger.warn("Notification send error", {
|
||||
operation: "notification_send_error",
|
||||
channelId: channel.id,
|
||||
type: channel.type,
|
||||
error: err instanceof Error ? err.message : String(err),
|
||||
});
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,108 @@
|
||||
import { afterEach, describe, expect, it } from "vitest";
|
||||
import {
|
||||
getRequestBasePath,
|
||||
getRequestBaseUrl,
|
||||
getRequestBaseUrlWithForceHTTPS,
|
||||
normalizeBasePath,
|
||||
} from "./request-origin.js";
|
||||
|
||||
function request(headers: Record<string, string | string[] | undefined>) {
|
||||
return {
|
||||
headers,
|
||||
socket: {},
|
||||
} as Parameters<typeof getRequestBasePath>[0];
|
||||
}
|
||||
|
||||
function restoreEnv(name: string, value: string | undefined) {
|
||||
if (value === undefined) {
|
||||
delete process.env[name];
|
||||
} else {
|
||||
process.env[name] = value;
|
||||
}
|
||||
}
|
||||
|
||||
describe("normalizeBasePath", () => {
|
||||
it("normalizes empty and root paths", () => {
|
||||
expect(normalizeBasePath("")).toBe("");
|
||||
expect(normalizeBasePath("/")).toBe("");
|
||||
expect(normalizeBasePath(" / ")).toBe("");
|
||||
});
|
||||
|
||||
it("normalizes configured base paths", () => {
|
||||
expect(normalizeBasePath("termix")).toBe("/termix");
|
||||
expect(normalizeBasePath("/termix/")).toBe("/termix");
|
||||
expect(normalizeBasePath("/termix, /other")).toBe("/termix");
|
||||
});
|
||||
|
||||
it("accepts forwarded prefix values that include a URL", () => {
|
||||
expect(normalizeBasePath("https://example.com/termix/")).toBe("/termix");
|
||||
});
|
||||
});
|
||||
|
||||
describe("getRequestBasePath", () => {
|
||||
const previousBasePath = process.env.BASE_PATH;
|
||||
const previousViteBasePath = process.env.VITE_BASE_PATH;
|
||||
const previousForceHttps = process.env.OIDC_FORCE_HTTPS;
|
||||
|
||||
afterEach(() => {
|
||||
restoreEnv("BASE_PATH", previousBasePath);
|
||||
restoreEnv("VITE_BASE_PATH", previousViteBasePath);
|
||||
restoreEnv("OIDC_FORCE_HTTPS", previousForceHttps);
|
||||
});
|
||||
|
||||
it("uses BASE_PATH before forwarded headers", () => {
|
||||
process.env.BASE_PATH = "/admin/";
|
||||
process.env.VITE_BASE_PATH = "";
|
||||
|
||||
expect(
|
||||
getRequestBasePath(request({ "x-forwarded-prefix": "/termix" })),
|
||||
).toBe("/admin");
|
||||
});
|
||||
|
||||
it("falls back to VITE_BASE_PATH for deployments that already set it", () => {
|
||||
process.env.BASE_PATH = "";
|
||||
process.env.VITE_BASE_PATH = "/termix/";
|
||||
|
||||
expect(getRequestBasePath(request({}))).toBe("/termix");
|
||||
});
|
||||
|
||||
it("uses X-Forwarded-Prefix when no env base path is set", () => {
|
||||
process.env.BASE_PATH = "";
|
||||
process.env.VITE_BASE_PATH = "";
|
||||
|
||||
expect(
|
||||
getRequestBasePath(request({ "x-forwarded-prefix": "/termix/" })),
|
||||
).toBe("/termix");
|
||||
});
|
||||
|
||||
it("builds a public base URL with forwarded origin and prefix", () => {
|
||||
process.env.BASE_PATH = "";
|
||||
process.env.VITE_BASE_PATH = "";
|
||||
|
||||
expect(
|
||||
getRequestBaseUrl(
|
||||
request({
|
||||
"x-forwarded-proto": "https",
|
||||
"x-forwarded-host": "example.com",
|
||||
"x-forwarded-prefix": "/termix",
|
||||
}),
|
||||
),
|
||||
).toBe("https://example.com/termix");
|
||||
});
|
||||
|
||||
it("applies OIDC_FORCE_HTTPS to public base URLs", () => {
|
||||
process.env.BASE_PATH = "";
|
||||
process.env.VITE_BASE_PATH = "";
|
||||
process.env.OIDC_FORCE_HTTPS = "true";
|
||||
|
||||
expect(
|
||||
getRequestBaseUrlWithForceHTTPS(
|
||||
request({
|
||||
"x-forwarded-proto": "http",
|
||||
"x-forwarded-host": "example.com",
|
||||
"x-forwarded-prefix": "/termix",
|
||||
}),
|
||||
),
|
||||
).toBe("https://example.com/termix");
|
||||
});
|
||||
});
|
||||
@@ -1,6 +1,31 @@
|
||||
import type { Request } from "express";
|
||||
import type { IncomingMessage } from "http";
|
||||
|
||||
function firstHeaderValue(value: string | string[] | undefined): string {
|
||||
if (!value) return "";
|
||||
const raw = Array.isArray(value) ? value[0] : value;
|
||||
return raw.split(",")[0].trim();
|
||||
}
|
||||
|
||||
export function normalizeBasePath(value: unknown): string {
|
||||
if (typeof value !== "string") return "";
|
||||
let basePath = value.split(",")[0].trim();
|
||||
if (!basePath) return "";
|
||||
|
||||
try {
|
||||
if (/^https?:\/\//i.test(basePath)) {
|
||||
basePath = new URL(basePath).pathname;
|
||||
}
|
||||
} catch {
|
||||
return "";
|
||||
}
|
||||
|
||||
basePath = basePath.split("?")[0].split("#")[0].trim();
|
||||
if (!basePath || basePath === "/") return "";
|
||||
if (!basePath.startsWith("/")) basePath = `/${basePath}`;
|
||||
return basePath.replace(/\/+$/, "");
|
||||
}
|
||||
|
||||
export function getRequestOrigin(req: Request | IncomingMessage): string {
|
||||
let protocol: string;
|
||||
const protoHeader = req.headers["x-forwarded-proto"];
|
||||
@@ -63,3 +88,26 @@ export function getRequestOriginWithForceHTTPS(
|
||||
}
|
||||
return getRequestOrigin(req);
|
||||
}
|
||||
|
||||
export function getRequestBasePath(req: Request | IncomingMessage): string {
|
||||
const envBasePath = normalizeBasePath(
|
||||
process.env.BASE_PATH || process.env.VITE_BASE_PATH,
|
||||
);
|
||||
if (envBasePath) return envBasePath;
|
||||
|
||||
return (
|
||||
normalizeBasePath(firstHeaderValue(req.headers["x-forwarded-prefix"])) ||
|
||||
normalizeBasePath(firstHeaderValue(req.headers["x-script-name"])) ||
|
||||
normalizeBasePath(firstHeaderValue(req.headers["x-original-prefix"]))
|
||||
);
|
||||
}
|
||||
|
||||
export function getRequestBaseUrl(req: Request | IncomingMessage): string {
|
||||
return `${getRequestOrigin(req)}${getRequestBasePath(req)}`;
|
||||
}
|
||||
|
||||
export function getRequestBaseUrlWithForceHTTPS(
|
||||
req: Request | IncomingMessage,
|
||||
): string {
|
||||
return `${getRequestOriginWithForceHTTPS(req)}${getRequestBasePath(req)}`;
|
||||
}
|
||||
|
||||
@@ -39,6 +39,19 @@ class SharedCredentialManager {
|
||||
ownerId: string,
|
||||
): Promise<void> {
|
||||
try {
|
||||
const existing = await db
|
||||
.select({ id: sharedCredentials.id })
|
||||
.from(sharedCredentials)
|
||||
.where(
|
||||
and(
|
||||
eq(sharedCredentials.hostAccessId, hostAccessId),
|
||||
eq(sharedCredentials.targetUserId, targetUserId),
|
||||
),
|
||||
)
|
||||
.limit(1);
|
||||
|
||||
if (existing.length > 0) return;
|
||||
|
||||
const ownerDEK = DataCrypto.getUserDataKey(ownerId);
|
||||
|
||||
if (ownerDEK) {
|
||||
@@ -158,6 +171,83 @@ class SharedCredentialManager {
|
||||
}
|
||||
}
|
||||
|
||||
async createSharedCredentialsForRoleMember(
|
||||
roleId: number,
|
||||
targetUserId: string,
|
||||
): Promise<void> {
|
||||
try {
|
||||
const hostsSharedWithRole = await db
|
||||
.select()
|
||||
.from(hostAccess)
|
||||
.innerJoin(hosts, eq(hostAccess.hostId, hosts.id))
|
||||
.where(eq(hostAccess.roleId, roleId));
|
||||
|
||||
for (const { host_access, ssh_data } of hostsSharedWithRole) {
|
||||
const activeCredentialId =
|
||||
ssh_data.credentialId ??
|
||||
ssh_data.rdpCredentialId ??
|
||||
ssh_data.vncCredentialId ??
|
||||
ssh_data.telnetCredentialId;
|
||||
|
||||
if (!activeCredentialId) continue;
|
||||
|
||||
try {
|
||||
await this.createSharedCredentialForUser(
|
||||
host_access.id,
|
||||
activeCredentialId,
|
||||
targetUserId,
|
||||
ssh_data.userId,
|
||||
);
|
||||
} catch (error) {
|
||||
databaseLogger.error(
|
||||
"Failed to create shared credential for role member",
|
||||
error,
|
||||
{
|
||||
operation: "create_shared_credentials_role_member",
|
||||
roleId,
|
||||
targetUserId,
|
||||
hostId: ssh_data.id,
|
||||
},
|
||||
);
|
||||
}
|
||||
}
|
||||
} catch (error) {
|
||||
databaseLogger.error(
|
||||
"Failed to create shared credentials for role member",
|
||||
error,
|
||||
{
|
||||
operation: "create_shared_credentials_role_member",
|
||||
roleId,
|
||||
targetUserId,
|
||||
},
|
||||
);
|
||||
throw error;
|
||||
}
|
||||
}
|
||||
|
||||
async createSharedCredentialsForUserRoles(userId: string): Promise<void> {
|
||||
try {
|
||||
const roleRows = await db
|
||||
.select({ roleId: userRoles.roleId })
|
||||
.from(userRoles)
|
||||
.where(eq(userRoles.userId, userId));
|
||||
|
||||
for (const { roleId } of roleRows) {
|
||||
await this.createSharedCredentialsForRoleMember(roleId, userId);
|
||||
}
|
||||
} catch (error) {
|
||||
databaseLogger.error(
|
||||
"Failed to create shared credentials for user roles",
|
||||
error,
|
||||
{
|
||||
operation: "create_shared_credentials_user_roles",
|
||||
userId,
|
||||
},
|
||||
);
|
||||
throw error;
|
||||
}
|
||||
}
|
||||
|
||||
async getSharedCredentialForUser(
|
||||
hostId: number,
|
||||
userId: string,
|
||||
|
||||
@@ -7,6 +7,7 @@ type TableName =
|
||||
| "users"
|
||||
| "ssh_data"
|
||||
| "ssh_credentials"
|
||||
| "termix_identity_ca"
|
||||
| "recent_activity"
|
||||
| "socks5_proxy_presets";
|
||||
|
||||
|
||||
@@ -1,7 +1,9 @@
|
||||
import { describe, it, expect } from "vitest";
|
||||
import { readFileSync } from "node:fs";
|
||||
import {
|
||||
parseSSHKey,
|
||||
parsePublicKey,
|
||||
preparePrivateKeyForSSH2,
|
||||
getFriendlyKeyTypeName,
|
||||
validateKeyPair,
|
||||
} from "./ssh-key-utils.js";
|
||||
@@ -20,6 +22,11 @@ AAAEDLo85Twyg0v6V1zsJaeRaxq9KPQXkqGY0HiJtVMzCXEFH+Ektft4yKdLjAkx8baBZK
|
||||
const ED25519_PUBLIC =
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH+Ektft4yKdLjAkx8baBZK21SK5Iu+oPBVhPnfHSp7 test@termix.test";
|
||||
|
||||
const PPK_RSA_PRIVATE = readFileSync(
|
||||
"node_modules/ssh2/test/fixtures/keyParser/ppk_rsa",
|
||||
"utf8",
|
||||
);
|
||||
|
||||
describe("parsePublicKey", () => {
|
||||
it("detects ssh-ed25519 public keys", () => {
|
||||
const info = parsePublicKey(ED25519_PUBLIC);
|
||||
@@ -68,6 +75,26 @@ describe("parseSSHKey", () => {
|
||||
expect(info.success).toBe(false);
|
||||
expect(info.keyType).toBe("unknown");
|
||||
});
|
||||
|
||||
it("accepts PuTTY PPK v2 private keys supported by ssh2", () => {
|
||||
const info = parseSSHKey(PPK_RSA_PRIVATE);
|
||||
expect(info.success).toBe(true);
|
||||
expect(info.keyType).toBe("ssh-rsa");
|
||||
expect(info.publicKey).toContain("ssh-rsa");
|
||||
});
|
||||
|
||||
it("prepares PuTTY PPK v2 private keys for ssh2 connections", () => {
|
||||
const prepared = preparePrivateKeyForSSH2(PPK_RSA_PRIVATE);
|
||||
expect(prepared.toString("utf8")).toContain("PuTTY-User-Key-File-2");
|
||||
});
|
||||
|
||||
it("reports unsupported PuTTY PPK versions clearly", () => {
|
||||
const info = parseSSHKey(
|
||||
"PuTTY-User-Key-File-3: ssh-ed25519\nEncryption: none\n",
|
||||
);
|
||||
expect(info.success).toBe(false);
|
||||
expect(info.error).toMatch(/Unsupported PuTTY PPK v3/);
|
||||
});
|
||||
});
|
||||
|
||||
describe("getFriendlyKeyTypeName", () => {
|
||||
|
||||
@@ -225,20 +225,53 @@ export interface KeyPairValidationResult {
|
||||
error?: string;
|
||||
}
|
||||
|
||||
const PUTTY_PRIVATE_KEY_RE = /^PuTTY-User-Key-File-(\d+):\s*(.+)$/m;
|
||||
|
||||
export function normalizePrivateKeyText(privateKeyData: string): string {
|
||||
return privateKeyData.trim().replace(/\r\n/g, "\n").replace(/\r/g, "\n");
|
||||
}
|
||||
|
||||
function getUnsupportedPrivateKeyError(privateKeyData: string): string {
|
||||
const puttyMatch = PUTTY_PRIVATE_KEY_RE.exec(privateKeyData.trim());
|
||||
if (puttyMatch) {
|
||||
const [, version, type] = puttyMatch;
|
||||
return `Unsupported PuTTY PPK v${version} private key format (${type}). Convert the key to OpenSSH format with PuTTYgen, or use a PuTTY PPK v2 RSA/DSA key.`;
|
||||
}
|
||||
|
||||
return "Unsupported private key format. Use an OpenSSH, PEM, or PuTTY PPK v2 RSA/DSA private key.";
|
||||
}
|
||||
|
||||
export function preparePrivateKeyForSSH2(
|
||||
privateKeyData: string,
|
||||
passphrase?: string,
|
||||
): Buffer {
|
||||
const cleanKey = normalizePrivateKeyText(privateKeyData);
|
||||
const keyInfo = parseSSHKey(cleanKey, passphrase);
|
||||
|
||||
if (!keyInfo.success) {
|
||||
throw new Error(keyInfo.error || getUnsupportedPrivateKeyError(cleanKey));
|
||||
}
|
||||
|
||||
return Buffer.from(cleanKey, "utf8");
|
||||
}
|
||||
|
||||
export function parseSSHKey(
|
||||
privateKeyData: string,
|
||||
passphrase?: string,
|
||||
): KeyInfo {
|
||||
try {
|
||||
const cleanKey = normalizePrivateKeyText(privateKeyData);
|
||||
let keyType = "unknown";
|
||||
let publicKey = "";
|
||||
let useSSH2 = false;
|
||||
|
||||
if (ssh2Utils && typeof ssh2Utils.parseKey === "function") {
|
||||
try {
|
||||
const parsedKey = ssh2Utils.parseKey(privateKeyData, passphrase);
|
||||
const parsedKey = ssh2Utils.parseKey(cleanKey, passphrase);
|
||||
|
||||
if (!(parsedKey instanceof Error)) {
|
||||
if (parsedKey instanceof Error) {
|
||||
throw parsedKey;
|
||||
} else {
|
||||
if (parsedKey.type) {
|
||||
keyType = parsedKey.type;
|
||||
}
|
||||
@@ -273,23 +306,28 @@ export function parseSSHKey(
|
||||
}
|
||||
|
||||
if (!useSSH2) {
|
||||
keyType = detectKeyTypeFromContent(privateKeyData);
|
||||
keyType = detectKeyTypeFromContent(cleanKey);
|
||||
|
||||
publicKey = "";
|
||||
}
|
||||
|
||||
return {
|
||||
privateKey: privateKeyData,
|
||||
privateKey: cleanKey,
|
||||
publicKey,
|
||||
keyType,
|
||||
success: keyType !== "unknown",
|
||||
error:
|
||||
keyType === "unknown"
|
||||
? getUnsupportedPrivateKeyError(cleanKey)
|
||||
: undefined,
|
||||
};
|
||||
} catch (error) {
|
||||
try {
|
||||
const fallbackKeyType = detectKeyTypeFromContent(privateKeyData);
|
||||
const cleanKey = normalizePrivateKeyText(privateKeyData);
|
||||
const fallbackKeyType = detectKeyTypeFromContent(cleanKey);
|
||||
if (fallbackKeyType !== "unknown") {
|
||||
return {
|
||||
privateKey: privateKeyData,
|
||||
privateKey: cleanKey,
|
||||
publicKey: "",
|
||||
keyType: fallbackKeyType,
|
||||
success: true,
|
||||
@@ -299,13 +337,18 @@ export function parseSSHKey(
|
||||
// expected - fallback key type detection may fail
|
||||
}
|
||||
|
||||
const parserError = error instanceof Error ? error.message : "";
|
||||
const isPuttyKey = PUTTY_PRIVATE_KEY_RE.test(privateKeyData.trim());
|
||||
|
||||
return {
|
||||
privateKey: privateKeyData,
|
||||
publicKey: "",
|
||||
keyType: "unknown",
|
||||
success: false,
|
||||
error:
|
||||
error instanceof Error ? error.message : "Unknown error parsing key",
|
||||
isPuttyKey && /unsupported|parse|format/i.test(parserError)
|
||||
? getUnsupportedPrivateKeyError(privateKeyData)
|
||||
: parserError || getUnsupportedPrivateKeyError(privateKeyData),
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
@@ -245,6 +245,62 @@ class UserCrypto {
|
||||
}
|
||||
}
|
||||
|
||||
async setupWebAuthnUserEncryption(userId: string): Promise<void> {
|
||||
const existingDEK = this.getUserDataKey(userId);
|
||||
|
||||
if (!existingDEK) {
|
||||
throw new Error(
|
||||
"Cannot enable WebAuthn encryption - user session not active. Please log in first.",
|
||||
);
|
||||
}
|
||||
|
||||
const systemKey = this.deriveWebAuthnSystemKey(userId);
|
||||
const encryptedDEK = this.encryptDEK(existingDEK, systemKey);
|
||||
systemKey.fill(0);
|
||||
|
||||
await this.storeWebAuthnEncryptedDEK(userId, encryptedDEK);
|
||||
}
|
||||
|
||||
async authenticateWebAuthnUser(
|
||||
userId: string,
|
||||
sessionDurationMs: number,
|
||||
): Promise<boolean> {
|
||||
try {
|
||||
const encryptedDEK = await this.getWebAuthnEncryptedDEK(userId);
|
||||
if (!encryptedDEK) {
|
||||
return false;
|
||||
}
|
||||
|
||||
const systemKey = this.deriveWebAuthnSystemKey(userId);
|
||||
const DEK = this.decryptDEK(encryptedDEK, systemKey);
|
||||
systemKey.fill(0);
|
||||
|
||||
if (!DEK || DEK.length === 0) {
|
||||
return false;
|
||||
}
|
||||
|
||||
const oldSession = this.userSessions.get(userId);
|
||||
if (oldSession) {
|
||||
oldSession.dataKey.fill(0);
|
||||
}
|
||||
|
||||
this.userSessions.set(userId, {
|
||||
dataKey: Buffer.from(DEK),
|
||||
expiresAt: Date.now() + sessionDurationMs,
|
||||
});
|
||||
|
||||
DEK.fill(0);
|
||||
return true;
|
||||
} catch (error) {
|
||||
databaseLogger.warn("WebAuthn authentication failed", {
|
||||
operation: "webauthn_auth_failed",
|
||||
userId,
|
||||
error: error instanceof Error ? error.message : "Unknown",
|
||||
});
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
getUserDataKey(userId: string): Buffer | null {
|
||||
const session = this.userSessions.get(userId);
|
||||
if (!session) {
|
||||
@@ -513,6 +569,21 @@ class UserCrypto {
|
||||
);
|
||||
}
|
||||
|
||||
private deriveWebAuthnSystemKey(userId: string): Buffer {
|
||||
const systemSecret =
|
||||
process.env.WEBAUTHN_SYSTEM_SECRET ||
|
||||
process.env.OIDC_SYSTEM_SECRET ||
|
||||
"termix-webauthn-system-secret-default";
|
||||
const salt = Buffer.from(`webauthn:${userId}`, "utf8");
|
||||
return crypto.pbkdf2Sync(
|
||||
systemSecret,
|
||||
salt,
|
||||
100000,
|
||||
UserCrypto.KEK_LENGTH,
|
||||
"sha256",
|
||||
);
|
||||
}
|
||||
|
||||
private encryptDEK(dek: Buffer, kek: Buffer): EncryptedDEK {
|
||||
const iv = crypto.randomBytes(16);
|
||||
const cipher = crypto.createCipheriv("aes-256-gcm", kek, iv);
|
||||
@@ -640,6 +711,48 @@ class UserCrypto {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
private async storeWebAuthnEncryptedDEK(
|
||||
userId: string,
|
||||
encryptedDEK: EncryptedDEK,
|
||||
): Promise<void> {
|
||||
const key = `user_encrypted_dek_webauthn_${userId}`;
|
||||
const value = JSON.stringify(encryptedDEK);
|
||||
|
||||
const existing = await getDb()
|
||||
.select()
|
||||
.from(settings)
|
||||
.where(eq(settings.key, key));
|
||||
|
||||
if (existing.length > 0) {
|
||||
await getDb()
|
||||
.update(settings)
|
||||
.set({ value })
|
||||
.where(eq(settings.key, key));
|
||||
} else {
|
||||
await getDb().insert(settings).values({ key, value });
|
||||
}
|
||||
}
|
||||
|
||||
private async getWebAuthnEncryptedDEK(
|
||||
userId: string,
|
||||
): Promise<EncryptedDEK | null> {
|
||||
try {
|
||||
const key = `user_encrypted_dek_webauthn_${userId}`;
|
||||
const result = await getDb()
|
||||
.select()
|
||||
.from(settings)
|
||||
.where(eq(settings.key, key));
|
||||
|
||||
if (result.length === 0) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return JSON.parse(result[0].value);
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
export { UserCrypto, type KEKSalt, type EncryptedDEK };
|
||||
|
||||
Reference in New Issue
Block a user