release-2.5.0 (#994)

* feat(sshid) - sshid.io equivalent for termix (#919)

* feat(ssh-id): database schema, migrations and field encryption

Adds ssh_identities, ssh_identity_keys and ssh_identity_ca tables (public keys
stored plaintext for the unauthenticated resolver; CA private key registered
for per-user field encryption), with UNIQUE(user_id), an index on
ssh_identity_keys(identity_id), and idempotent CREATE TABLE migrations.

* feat(ssh-id): backend API — resolver, key management, CA and certificates

Mounts /sshid (nginx route added). Public text/plain authorized_keys resolver
(+ exact /:algo filter, HTML viewer) and CA public-key endpoint; no-store +
noindex headers on every resolver response including early 404s. Authenticated
management: claim/rename/delete handle, add/import/generate/enable/delete keys,
and a per-user CA (create/rotate/delete) with pure-Node OpenSSH certificate
issuance. Audit logging on all mutations; UNIQUE races map to a precise 409.
Unit tests for key parsing and certificate signing (ssh-keygen-validated).

* feat(ssh-id): frontend panel, API client and i18n

SSH ID panel wired into the app rail and AppShell: claim handle, resolver URL +
curl one-liner, key list, generate, paste/import, CA enable/rotate/remove with
server trust command, and per-key certificate issuance. API client re-exported
through main-axios.ts; all strings i18n'd.

* style(ssh-id): align panel and resolver page with Termix theme

- Rebuild the SSH ID sidebar panel with the theme's square components
  (SectionCard / SettingRow / FakeSwitch) instead of rounded ad-hoc cards;
  use accent-brand and destructive tokens rather than raw red/green.
- Fix panel scrolling: move overflow to a block scroll container so the
  cards keep their natural height instead of being clipped.
- Restyle the public resolver HTML page (/sshid/u/:handle) to the Termix
  dark theme: square corners, #18181b/#303032 palette, #f59145 accent,
  uppercase section labels.
- Tidy copy: 'Save To Credentials' label, drop the redundant generate intro,
  and correct the generate tooltip (the key is stored when saving to vault).

* feat: rename to Termix ID, improve UI, backend inconsistencies, and general bug fixes

---------

Co-authored-by: LukeGus <bugattiguy527@gmail.com>

* ci(deps): bump actions/checkout from 6 to 7 in the github-actions group (#922)

Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 6 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump the dev-patch-updates group with 11 updates (#923)

Bumps the dev-patch-updates group with 11 updates:

| Package | From | To |
| --- | --- | --- |
| [@codemirror/search](https://github.com/codemirror/search) | `6.7.0` | `6.7.1` |
| [@codemirror/view](https://github.com/codemirror/view) | `6.43.0` | `6.43.1` |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.3.0` | `4.3.1` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.8` | `4.1.9` |
| [@vitest/ui](https://github.com/vitest-dev/vitest/tree/HEAD/packages/ui) | `4.1.8` | `4.1.9` |
| [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.5.2` | `0.5.3` |
| [lint-staged](https://github.com/lint-staged/lint-staged) | `17.0.7` | `17.0.8` |
| [prettier](https://github.com/prettier/prettier) | `3.8.3` | `3.8.4` |
| [sharp](https://github.com/lovell/sharp) | `0.35.1` | `0.35.2` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.0` | `4.3.1` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.8` | `4.1.9` |


Updates `@codemirror/search` from 6.7.0 to 6.7.1
- [Changelog](https://github.com/codemirror/search/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codemirror/search/commits)

Updates `@codemirror/view` from 6.43.0 to 6.43.1
- [Changelog](https://github.com/codemirror/view/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codemirror/view/commits)

Updates `@tailwindcss/vite` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-vite)

Updates `@vitest/coverage-v8` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/coverage-v8)

Updates `@vitest/ui` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/ui)

Updates `eslint-plugin-react-refresh` from 0.5.2 to 0.5.3
- [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases)
- [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/compare/v0.5.2...v0.5.3)

Updates `lint-staged` from 17.0.7 to 17.0.8
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](https://github.com/lint-staged/lint-staged/compare/v17.0.7...v17.0.8)

Updates `prettier` from 3.8.3 to 3.8.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.8.3...3.8.4)

Updates `sharp` from 0.35.1 to 0.35.2
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](https://github.com/lovell/sharp/compare/v0.35.1...v0.35.2)

Updates `tailwindcss` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss)

Updates `vitest` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

---
updated-dependencies:
- dependency-name: "@codemirror/search"
  dependency-version: 6.7.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: "@codemirror/view"
  dependency-version: 6.43.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: "@tailwindcss/vite"
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: "@vitest/ui"
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: eslint-plugin-react-refresh
  dependency-version: 0.5.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: lint-staged
  dependency-version: 17.0.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: prettier
  dependency-version: 3.8.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: sharp
  dependency-version: 0.35.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: tailwindcss
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump nanoid in the prod-patch-updates group (#925)

Bumps the prod-patch-updates group with 1 update: [nanoid](https://github.com/ai/nanoid).


Updates `nanoid` from 5.1.11 to 5.1.15
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ai/nanoid/compare/5.1.11...5.1.15)

---
updated-dependencies:
- dependency-name: nanoid
  dependency-version: 5.1.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the major-updates group with 5 updates (#926)

Bumps the major-updates group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.2.0` | `5.0.0` |
| [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) | `9.39.4` | `10.0.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.9.2` | `26.0.0` |
| [concurrently](https://github.com/open-cli-tools/concurrently) | `9.2.1` | `10.0.3` |
| [eslint](https://github.com/eslint/eslint) | `9.39.4` | `10.5.0` |


Updates `js-yaml` from 4.2.0 to 5.0.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/compare/4.2.0...5.0.0)

Updates `@eslint/js` from 9.39.4 to 10.0.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/commits/v10.0.1/packages/js)

Updates `@types/node` from 25.9.2 to 26.0.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `concurrently` from 9.2.1 to 10.0.3
- [Release notes](https://github.com/open-cli-tools/concurrently/releases)
- [Commits](https://github.com/open-cli-tools/concurrently/compare/v9.2.1...v10.0.3)

Updates `eslint` from 9.39.4 to 10.5.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/compare/v9.39.4...v10.5.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: major-updates
- dependency-name: "@eslint/js"
  dependency-version: 10.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: major-updates
- dependency-name: "@types/node"
  dependency-version: 26.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: major-updates
- dependency-name: concurrently
  dependency-version: 10.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: major-updates
- dependency-name: eslint
  dependency-version: 10.5.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: major-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(ssh): add HashiCorp Vault SSH signer authentication

* fix: small fixes to vault feature to align with Termix codebase

* chore: add view docs links for vault/termix id

* fix: file upload fails with 400 and missing schema migrations on upgrade (#929)

Two bugs introduced in v2.4.1:

1. uploadFileStream uses fileManagerApi.post() which triggers axios's
   transformRequest to JSON-serialize the FormData because the instance
   default Content-Type is application/json. Change to postForm() which
   sets Content-Type: multipart/form-data so the browser XHR sends the
   correct multipart body with boundary.

2. Two schema items added to schema.ts were not included in migrateSchema()
   in db/index.ts, causing 500 errors on existing installations upgrading
   from v2.4.0:
   - user_preferences.status_color_scheme (no such column)
   - dashboard_service_links table (no such table)

Fixes #928

Co-authored-by: sash <sash@fominykh.io>

* fix: support PuTTY PPK ssh keys (#930)

* fix: chunk large file manager uploads (#932)

* fix: route dashboard hosts by protocol (#934)

* fix: resolve tunnel endpoints reliably (#935)

* Fix Electron OIDC browser auth failures (#936)

* Allow RDP connections without stored credentials (#937)

* Sync role credential shares for OIDC users (#938)

* Fix terminal link dialog layering (#940)

* Confirm large files before opening editor (#942)

* Confirm closing active host connections (#943)

* Preserve file path case in file manager UI (#941)

* fix: preserve unicode guacamole tokens (#933)

* Persist VNC authentication settings (#944)

* Fix Guacamole websocket base path (#946)

* Promote file manager terminals to tabs (#939)

* Guard Guacamole disconnect during startup (#945)

* chore: increment ver

* feat: bitwarden ssh agent integration

* feat: serial connections support

* fix: various small bug fixes

* feat: open all sessions in a folder and terminal custom theme color support

* feat: cross host file manager clipboard and several small bug fixes

* feat: tailscale/wireguard support and added a new status state for when backend is checking status

* feat: grafana like server stats history, new alert system, ntfy/webhook support

* feat: new grid and widget based homepage function

* feat: new donate button in dashboard

* fix: alert ui incorrectly using termix css and fixed issue with alert system not loading

* chore: fix ci checks (#966)

* Fix dashboard service link creation (#950)

* Fix jump host SOCKS5 proxy selection (#951)

* Fix jump host SOCKS5 proxy selection

* fix: type jump host socks proxy config

* Fix tmux detection path handling (#949)

* Support GUACD_URL environment config (#952)

* Retry autostart tunnel host fetches (#953)

* Retry autostart tunnel host fetches

* chore: format tunnel route

* Fix PUID html ownership in Docker entrypoint (#954)

* feat: allow custom tunnel endpoints (#977)

* fix: skip metrics start for non-ssh hosts (#976)

* Fix Proxmox import auth fallback (#956)

* Fix Proxmox import auth fallback

* chore: format proxmox import auth

* Fix SSH heading syntax highlighting (#955)

* Fix SSH heading syntax highlighting

* chore: format terminal highlighter

* Initialize auth before fullscreen terminal routes (#957)

* Add WebAuthn passkey authentication (#959)

* chore: add Biome tooling (#965)

* chore: add biome tooling

* chore: support tailwind syntax in biome

* Fix VNC required argument handshake (#968)

* Prioritize host results in command palette search (#969)

* Prevent sidebar host hover layout shift (#970)

* Add terminal font zoom with mouse wheel (#971)

* Add host temperature metrics card (#972)

* Make file downloads reliable in desktop app (#973)

* Add app rail hover expansion setting (#974)

* fix: use correct translation key for nav.close (#964)

* fix(tunnel): skip endpoint credential validation for direct tunnels (#963)

* fix: SSH port connection bug (#975)

* fix: chunked upload for files >=1.5GB to bypass browser ArrayBuffer limit (#948)

* feat: support SSH agent auth across SSH features (#960)

* feat: add Podman container runtime support (#958)

* chore: update readme and release notes

* fix: stabilize Windows app icon (#978)

* Add safe host sharing export (#979)

* Add external editor support for file manager (#985)

* Rework SSH credential password handling (#984)

* Support password fallback for SSH key credentials

* Complete SSH credential password fallback

* Fix runtime base path for auth callbacks (#982)

* Fix TUI terminal output highlighting (#983)

Co-authored-by: LukeGus <bugattiguy527@gmail.com>

* Add app fullscreen mode (#993)

* Fix host metrics startup polling (#986)

* chore: update release notes

* fix: line chart text overlap

* chore: update RELEASE_NOTES.md

* chore: add donation goal to readme

* chore: update readme

* fix: hide full-screen button in electron app

* fix: failed unit tests

* chore: lint, format, and bump version to 2.5.0

* chore: remove timeout from crowdin translate

* chore: sync Crowdin translations for 2.5.0

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: DivByZero <mr.oplus@yahoo.fr>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: devdanetra <46488477+devdanetra@users.noreply.github.com>
Co-authored-by: Aleksandr Fominykh <neoformalex@users.noreply.github.com>
Co-authored-by: sash <sash@fominykh.io>
Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
This commit is contained in:
Luke Gustafson
2026-06-29 13:28:26 -05:00
committed by GitHub
parent fd27a366d0
commit 9de904dd4c
348 changed files with 125184 additions and 76537 deletions
+29
View File
@@ -0,0 +1,29 @@
import { SystemCrypto } from "./system-crypto.js";
import { sshLogger } from "./logger.js";
const METRICS_SERVICE_URL = "http://localhost:30005";
export async function triggerLoginAlert(
hostId: number,
userId: string,
sshUser: string,
fromIp: string,
): Promise<void> {
try {
const token = await SystemCrypto.getInstance().getInternalAuthToken();
await fetch(`${METRICS_SERVICE_URL}/internal/login-alert`, {
method: "POST",
headers: {
"Content-Type": "application/json",
"x-internal-auth": token,
},
body: JSON.stringify({ hostId, userId, sshUser, fromIp }),
});
} catch (err) {
sshLogger.warn("Failed to trigger login alert", {
operation: "login_alert_trigger_error",
hostId,
error: err instanceof Error ? err.message : String(err),
});
}
}
+25
View File
@@ -147,6 +147,31 @@ class AuthManager {
return authenticated;
}
async setupWebAuthnUserEncryption(userId: string): Promise<void> {
await this.userCrypto.setupWebAuthnUserEncryption(userId);
}
async authenticateWebAuthnUser(
userId: string,
deviceType?: DeviceType,
): Promise<boolean> {
const sessionDurationMs =
deviceType === "desktop" || deviceType === "mobile"
? 30 * 24 * 60 * 60 * 1000
: 24 * 60 * 60 * 1000;
const authenticated = await this.userCrypto.authenticateWebAuthnUser(
userId,
sessionDurationMs,
);
if (authenticated) {
await this.performLazyEncryptionMigration(userId);
}
return authenticated;
}
async convertToOIDCEncryption(userId: string): Promise<void> {
await this.userCrypto.convertToOIDCEncryption(userId);
}
+2
View File
@@ -43,6 +43,8 @@ class FieldCrypto {
"publicKey",
]),
opkssh_tokens: new Set(["sshCert", "privateKey"]),
termix_identity_ca: new Set(["privateKey"]),
vault_tokens: new Set(["sshCert", "privateKey"]),
};
static encryptField(
+86
View File
@@ -0,0 +1,86 @@
export type GuacdOptions = {
host: string;
port: number;
};
const DEFAULT_GUACD_OPTIONS: GuacdOptions = {
host: "localhost",
port: 4822,
};
function parsePort(value: string | undefined, fallback: number) {
const port = parseInt(value || "", 10);
return Number.isFinite(port) ? port : fallback;
}
export function parseGuacdUrl(
value: string,
fallback: GuacdOptions = DEFAULT_GUACD_OPTIONS,
): GuacdOptions {
const raw = value.trim();
if (!raw) {
return fallback;
}
if (raw.includes("://")) {
try {
const url = new URL(raw);
return {
host: url.hostname || fallback.host,
port: parsePort(url.port, fallback.port),
};
} catch {
return fallback;
}
}
const bracketedIpv6 = raw.match(/^\[([^\]]+)\](?::(\d+))?$/);
if (bracketedIpv6) {
return {
host: bracketedIpv6[1],
port: parsePort(bracketedIpv6[2], fallback.port),
};
}
const [host, port] = raw.split(":");
return {
host: host || fallback.host,
port: parsePort(port, fallback.port),
};
}
export function getGuacdEnvOptions(): GuacdOptions | null {
if (process.env.GUACD_URL) {
return parseGuacdUrl(process.env.GUACD_URL);
}
if (!process.env.GUACD_HOST && !process.env.GUACD_PORT) {
return null;
}
return {
host: process.env.GUACD_HOST || DEFAULT_GUACD_OPTIONS.host,
port: parsePort(process.env.GUACD_PORT, DEFAULT_GUACD_OPTIONS.port),
};
}
export function resolveGuacdOptions(dbUrl?: string | null): GuacdOptions {
const envOptions = getGuacdEnvOptions();
if (envOptions) {
return envOptions;
}
if (dbUrl) {
return parseGuacdUrl(dbUrl);
}
return DEFAULT_GUACD_OPTIONS;
}
export function formatGuacdOptions(options: GuacdOptions): string {
return `${options.host}:${options.port}`;
}
export function getDefaultGuacdUrl(): string {
return formatGuacdOptions(resolveGuacdOptions());
}
+1
View File
@@ -293,5 +293,6 @@ export const systemLogger = new Logger("SYSTEM", "🚀", "#14b8a6");
export const versionLogger = new Logger("VERSION", "📦", "#8b5cf6");
export const dashboardLogger = new Logger("DASHBOARD", "📊", "#ec4899");
export const guacLogger = new Logger("GUACAMOLE", "🖼️", "#ff6b6b");
export const homepageLogger = new Logger("HOMEPAGE", "🏠", "#f97316");
export const logger = systemLogger;
+139
View File
@@ -0,0 +1,139 @@
import { statsLogger } from "./logger.js";
export interface AlertPayload {
hostName: string;
hostId: number;
triggerType: string;
value?: number;
threshold?: number;
message: string;
severity: "info" | "warning" | "critical";
timestamp: string;
ruleId: number;
ruleName: string;
}
interface WebhookConfig {
url: string;
headers?: Record<string, string>;
method?: "POST" | "PUT";
}
interface NtfyConfig {
url: string;
topic: string;
token?: string;
}
const NTFY_PRIORITY: Record<string, number> = {
info: 2,
warning: 3,
critical: 5,
};
async function fetchWithRetry(
url: string,
options: RequestInit,
): Promise<void> {
const attempt = async () => {
const res = await fetch(url, options);
if (!res.ok) {
throw new Error(`HTTP ${res.status}: ${res.statusText}`);
}
};
try {
await attempt();
} catch (firstErr) {
await new Promise((r) => setTimeout(r, 3000));
try {
await attempt();
} catch (secondErr) {
statsLogger.warn("Notification delivery failed after retry", {
operation: "notification_send_failed",
url,
error:
secondErr instanceof Error ? secondErr.message : String(secondErr),
});
}
}
}
export async function sendWebhook(
config: WebhookConfig,
payload: AlertPayload,
): Promise<void> {
const { url, headers = {}, method = "POST" } = config;
await fetchWithRetry(url, {
method,
headers: { "Content-Type": "application/json", ...headers },
body: JSON.stringify(payload),
});
}
export async function sendNtfy(
config: NtfyConfig,
payload: AlertPayload,
): Promise<void> {
const { url, topic, token } = config;
const ntfyUrl = `${url.replace(/\/$/, "")}/${topic}`;
const headers: Record<string, string> = {
"Content-Type": "application/json",
Title: `[Termix] ${payload.hostName}: ${payload.ruleName}`,
Priority: String(NTFY_PRIORITY[payload.severity] ?? 3),
Tags:
payload.severity === "critical"
? "rotating_light"
: payload.severity === "warning"
? "warning"
: "information_source",
};
if (token) {
headers["Authorization"] = `Bearer ${token}`;
}
await fetchWithRetry(ntfyUrl, {
method: "POST",
headers,
body: payload.message,
});
}
export interface NotificationChannel {
id: number;
type: string;
config: string;
enabled: boolean;
}
export async function sendNotification(
channel: NotificationChannel,
payload: AlertPayload,
): Promise<void> {
if (!channel.enabled) return;
let parsedConfig: Record<string, unknown>;
try {
parsedConfig = JSON.parse(channel.config) as Record<string, unknown>;
} catch {
statsLogger.warn("Failed to parse notification channel config", {
operation: "notification_config_parse_error",
channelId: channel.id,
});
return;
}
try {
if (channel.type === "webhook") {
await sendWebhook(parsedConfig as unknown as WebhookConfig, payload);
} else if (channel.type === "ntfy") {
await sendNtfy(parsedConfig as unknown as NtfyConfig, payload);
}
} catch (err) {
statsLogger.warn("Notification send error", {
operation: "notification_send_error",
channelId: channel.id,
type: channel.type,
error: err instanceof Error ? err.message : String(err),
});
}
}
+108
View File
@@ -0,0 +1,108 @@
import { afterEach, describe, expect, it } from "vitest";
import {
getRequestBasePath,
getRequestBaseUrl,
getRequestBaseUrlWithForceHTTPS,
normalizeBasePath,
} from "./request-origin.js";
function request(headers: Record<string, string | string[] | undefined>) {
return {
headers,
socket: {},
} as Parameters<typeof getRequestBasePath>[0];
}
function restoreEnv(name: string, value: string | undefined) {
if (value === undefined) {
delete process.env[name];
} else {
process.env[name] = value;
}
}
describe("normalizeBasePath", () => {
it("normalizes empty and root paths", () => {
expect(normalizeBasePath("")).toBe("");
expect(normalizeBasePath("/")).toBe("");
expect(normalizeBasePath(" / ")).toBe("");
});
it("normalizes configured base paths", () => {
expect(normalizeBasePath("termix")).toBe("/termix");
expect(normalizeBasePath("/termix/")).toBe("/termix");
expect(normalizeBasePath("/termix, /other")).toBe("/termix");
});
it("accepts forwarded prefix values that include a URL", () => {
expect(normalizeBasePath("https://example.com/termix/")).toBe("/termix");
});
});
describe("getRequestBasePath", () => {
const previousBasePath = process.env.BASE_PATH;
const previousViteBasePath = process.env.VITE_BASE_PATH;
const previousForceHttps = process.env.OIDC_FORCE_HTTPS;
afterEach(() => {
restoreEnv("BASE_PATH", previousBasePath);
restoreEnv("VITE_BASE_PATH", previousViteBasePath);
restoreEnv("OIDC_FORCE_HTTPS", previousForceHttps);
});
it("uses BASE_PATH before forwarded headers", () => {
process.env.BASE_PATH = "/admin/";
process.env.VITE_BASE_PATH = "";
expect(
getRequestBasePath(request({ "x-forwarded-prefix": "/termix" })),
).toBe("/admin");
});
it("falls back to VITE_BASE_PATH for deployments that already set it", () => {
process.env.BASE_PATH = "";
process.env.VITE_BASE_PATH = "/termix/";
expect(getRequestBasePath(request({}))).toBe("/termix");
});
it("uses X-Forwarded-Prefix when no env base path is set", () => {
process.env.BASE_PATH = "";
process.env.VITE_BASE_PATH = "";
expect(
getRequestBasePath(request({ "x-forwarded-prefix": "/termix/" })),
).toBe("/termix");
});
it("builds a public base URL with forwarded origin and prefix", () => {
process.env.BASE_PATH = "";
process.env.VITE_BASE_PATH = "";
expect(
getRequestBaseUrl(
request({
"x-forwarded-proto": "https",
"x-forwarded-host": "example.com",
"x-forwarded-prefix": "/termix",
}),
),
).toBe("https://example.com/termix");
});
it("applies OIDC_FORCE_HTTPS to public base URLs", () => {
process.env.BASE_PATH = "";
process.env.VITE_BASE_PATH = "";
process.env.OIDC_FORCE_HTTPS = "true";
expect(
getRequestBaseUrlWithForceHTTPS(
request({
"x-forwarded-proto": "http",
"x-forwarded-host": "example.com",
"x-forwarded-prefix": "/termix",
}),
),
).toBe("https://example.com/termix");
});
});
+48
View File
@@ -1,6 +1,31 @@
import type { Request } from "express";
import type { IncomingMessage } from "http";
function firstHeaderValue(value: string | string[] | undefined): string {
if (!value) return "";
const raw = Array.isArray(value) ? value[0] : value;
return raw.split(",")[0].trim();
}
export function normalizeBasePath(value: unknown): string {
if (typeof value !== "string") return "";
let basePath = value.split(",")[0].trim();
if (!basePath) return "";
try {
if (/^https?:\/\//i.test(basePath)) {
basePath = new URL(basePath).pathname;
}
} catch {
return "";
}
basePath = basePath.split("?")[0].split("#")[0].trim();
if (!basePath || basePath === "/") return "";
if (!basePath.startsWith("/")) basePath = `/${basePath}`;
return basePath.replace(/\/+$/, "");
}
export function getRequestOrigin(req: Request | IncomingMessage): string {
let protocol: string;
const protoHeader = req.headers["x-forwarded-proto"];
@@ -63,3 +88,26 @@ export function getRequestOriginWithForceHTTPS(
}
return getRequestOrigin(req);
}
export function getRequestBasePath(req: Request | IncomingMessage): string {
const envBasePath = normalizeBasePath(
process.env.BASE_PATH || process.env.VITE_BASE_PATH,
);
if (envBasePath) return envBasePath;
return (
normalizeBasePath(firstHeaderValue(req.headers["x-forwarded-prefix"])) ||
normalizeBasePath(firstHeaderValue(req.headers["x-script-name"])) ||
normalizeBasePath(firstHeaderValue(req.headers["x-original-prefix"]))
);
}
export function getRequestBaseUrl(req: Request | IncomingMessage): string {
return `${getRequestOrigin(req)}${getRequestBasePath(req)}`;
}
export function getRequestBaseUrlWithForceHTTPS(
req: Request | IncomingMessage,
): string {
return `${getRequestOriginWithForceHTTPS(req)}${getRequestBasePath(req)}`;
}
@@ -39,6 +39,19 @@ class SharedCredentialManager {
ownerId: string,
): Promise<void> {
try {
const existing = await db
.select({ id: sharedCredentials.id })
.from(sharedCredentials)
.where(
and(
eq(sharedCredentials.hostAccessId, hostAccessId),
eq(sharedCredentials.targetUserId, targetUserId),
),
)
.limit(1);
if (existing.length > 0) return;
const ownerDEK = DataCrypto.getUserDataKey(ownerId);
if (ownerDEK) {
@@ -158,6 +171,83 @@ class SharedCredentialManager {
}
}
async createSharedCredentialsForRoleMember(
roleId: number,
targetUserId: string,
): Promise<void> {
try {
const hostsSharedWithRole = await db
.select()
.from(hostAccess)
.innerJoin(hosts, eq(hostAccess.hostId, hosts.id))
.where(eq(hostAccess.roleId, roleId));
for (const { host_access, ssh_data } of hostsSharedWithRole) {
const activeCredentialId =
ssh_data.credentialId ??
ssh_data.rdpCredentialId ??
ssh_data.vncCredentialId ??
ssh_data.telnetCredentialId;
if (!activeCredentialId) continue;
try {
await this.createSharedCredentialForUser(
host_access.id,
activeCredentialId,
targetUserId,
ssh_data.userId,
);
} catch (error) {
databaseLogger.error(
"Failed to create shared credential for role member",
error,
{
operation: "create_shared_credentials_role_member",
roleId,
targetUserId,
hostId: ssh_data.id,
},
);
}
}
} catch (error) {
databaseLogger.error(
"Failed to create shared credentials for role member",
error,
{
operation: "create_shared_credentials_role_member",
roleId,
targetUserId,
},
);
throw error;
}
}
async createSharedCredentialsForUserRoles(userId: string): Promise<void> {
try {
const roleRows = await db
.select({ roleId: userRoles.roleId })
.from(userRoles)
.where(eq(userRoles.userId, userId));
for (const { roleId } of roleRows) {
await this.createSharedCredentialsForRoleMember(roleId, userId);
}
} catch (error) {
databaseLogger.error(
"Failed to create shared credentials for user roles",
error,
{
operation: "create_shared_credentials_user_roles",
userId,
},
);
throw error;
}
}
async getSharedCredentialForUser(
hostId: number,
userId: string,
+1
View File
@@ -7,6 +7,7 @@ type TableName =
| "users"
| "ssh_data"
| "ssh_credentials"
| "termix_identity_ca"
| "recent_activity"
| "socks5_proxy_presets";
+27
View File
@@ -1,7 +1,9 @@
import { describe, it, expect } from "vitest";
import { readFileSync } from "node:fs";
import {
parseSSHKey,
parsePublicKey,
preparePrivateKeyForSSH2,
getFriendlyKeyTypeName,
validateKeyPair,
} from "./ssh-key-utils.js";
@@ -20,6 +22,11 @@ AAAEDLo85Twyg0v6V1zsJaeRaxq9KPQXkqGY0HiJtVMzCXEFH+Ektft4yKdLjAkx8baBZK
const ED25519_PUBLIC =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH+Ektft4yKdLjAkx8baBZK21SK5Iu+oPBVhPnfHSp7 test@termix.test";
const PPK_RSA_PRIVATE = readFileSync(
"node_modules/ssh2/test/fixtures/keyParser/ppk_rsa",
"utf8",
);
describe("parsePublicKey", () => {
it("detects ssh-ed25519 public keys", () => {
const info = parsePublicKey(ED25519_PUBLIC);
@@ -68,6 +75,26 @@ describe("parseSSHKey", () => {
expect(info.success).toBe(false);
expect(info.keyType).toBe("unknown");
});
it("accepts PuTTY PPK v2 private keys supported by ssh2", () => {
const info = parseSSHKey(PPK_RSA_PRIVATE);
expect(info.success).toBe(true);
expect(info.keyType).toBe("ssh-rsa");
expect(info.publicKey).toContain("ssh-rsa");
});
it("prepares PuTTY PPK v2 private keys for ssh2 connections", () => {
const prepared = preparePrivateKeyForSSH2(PPK_RSA_PRIVATE);
expect(prepared.toString("utf8")).toContain("PuTTY-User-Key-File-2");
});
it("reports unsupported PuTTY PPK versions clearly", () => {
const info = parseSSHKey(
"PuTTY-User-Key-File-3: ssh-ed25519\nEncryption: none\n",
);
expect(info.success).toBe(false);
expect(info.error).toMatch(/Unsupported PuTTY PPK v3/);
});
});
describe("getFriendlyKeyTypeName", () => {
+50 -7
View File
@@ -225,20 +225,53 @@ export interface KeyPairValidationResult {
error?: string;
}
const PUTTY_PRIVATE_KEY_RE = /^PuTTY-User-Key-File-(\d+):\s*(.+)$/m;
export function normalizePrivateKeyText(privateKeyData: string): string {
return privateKeyData.trim().replace(/\r\n/g, "\n").replace(/\r/g, "\n");
}
function getUnsupportedPrivateKeyError(privateKeyData: string): string {
const puttyMatch = PUTTY_PRIVATE_KEY_RE.exec(privateKeyData.trim());
if (puttyMatch) {
const [, version, type] = puttyMatch;
return `Unsupported PuTTY PPK v${version} private key format (${type}). Convert the key to OpenSSH format with PuTTYgen, or use a PuTTY PPK v2 RSA/DSA key.`;
}
return "Unsupported private key format. Use an OpenSSH, PEM, or PuTTY PPK v2 RSA/DSA private key.";
}
export function preparePrivateKeyForSSH2(
privateKeyData: string,
passphrase?: string,
): Buffer {
const cleanKey = normalizePrivateKeyText(privateKeyData);
const keyInfo = parseSSHKey(cleanKey, passphrase);
if (!keyInfo.success) {
throw new Error(keyInfo.error || getUnsupportedPrivateKeyError(cleanKey));
}
return Buffer.from(cleanKey, "utf8");
}
export function parseSSHKey(
privateKeyData: string,
passphrase?: string,
): KeyInfo {
try {
const cleanKey = normalizePrivateKeyText(privateKeyData);
let keyType = "unknown";
let publicKey = "";
let useSSH2 = false;
if (ssh2Utils && typeof ssh2Utils.parseKey === "function") {
try {
const parsedKey = ssh2Utils.parseKey(privateKeyData, passphrase);
const parsedKey = ssh2Utils.parseKey(cleanKey, passphrase);
if (!(parsedKey instanceof Error)) {
if (parsedKey instanceof Error) {
throw parsedKey;
} else {
if (parsedKey.type) {
keyType = parsedKey.type;
}
@@ -273,23 +306,28 @@ export function parseSSHKey(
}
if (!useSSH2) {
keyType = detectKeyTypeFromContent(privateKeyData);
keyType = detectKeyTypeFromContent(cleanKey);
publicKey = "";
}
return {
privateKey: privateKeyData,
privateKey: cleanKey,
publicKey,
keyType,
success: keyType !== "unknown",
error:
keyType === "unknown"
? getUnsupportedPrivateKeyError(cleanKey)
: undefined,
};
} catch (error) {
try {
const fallbackKeyType = detectKeyTypeFromContent(privateKeyData);
const cleanKey = normalizePrivateKeyText(privateKeyData);
const fallbackKeyType = detectKeyTypeFromContent(cleanKey);
if (fallbackKeyType !== "unknown") {
return {
privateKey: privateKeyData,
privateKey: cleanKey,
publicKey: "",
keyType: fallbackKeyType,
success: true,
@@ -299,13 +337,18 @@ export function parseSSHKey(
// expected - fallback key type detection may fail
}
const parserError = error instanceof Error ? error.message : "";
const isPuttyKey = PUTTY_PRIVATE_KEY_RE.test(privateKeyData.trim());
return {
privateKey: privateKeyData,
publicKey: "",
keyType: "unknown",
success: false,
error:
error instanceof Error ? error.message : "Unknown error parsing key",
isPuttyKey && /unsupported|parse|format/i.test(parserError)
? getUnsupportedPrivateKeyError(privateKeyData)
: parserError || getUnsupportedPrivateKeyError(privateKeyData),
};
}
}
+113
View File
@@ -245,6 +245,62 @@ class UserCrypto {
}
}
async setupWebAuthnUserEncryption(userId: string): Promise<void> {
const existingDEK = this.getUserDataKey(userId);
if (!existingDEK) {
throw new Error(
"Cannot enable WebAuthn encryption - user session not active. Please log in first.",
);
}
const systemKey = this.deriveWebAuthnSystemKey(userId);
const encryptedDEK = this.encryptDEK(existingDEK, systemKey);
systemKey.fill(0);
await this.storeWebAuthnEncryptedDEK(userId, encryptedDEK);
}
async authenticateWebAuthnUser(
userId: string,
sessionDurationMs: number,
): Promise<boolean> {
try {
const encryptedDEK = await this.getWebAuthnEncryptedDEK(userId);
if (!encryptedDEK) {
return false;
}
const systemKey = this.deriveWebAuthnSystemKey(userId);
const DEK = this.decryptDEK(encryptedDEK, systemKey);
systemKey.fill(0);
if (!DEK || DEK.length === 0) {
return false;
}
const oldSession = this.userSessions.get(userId);
if (oldSession) {
oldSession.dataKey.fill(0);
}
this.userSessions.set(userId, {
dataKey: Buffer.from(DEK),
expiresAt: Date.now() + sessionDurationMs,
});
DEK.fill(0);
return true;
} catch (error) {
databaseLogger.warn("WebAuthn authentication failed", {
operation: "webauthn_auth_failed",
userId,
error: error instanceof Error ? error.message : "Unknown",
});
return false;
}
}
getUserDataKey(userId: string): Buffer | null {
const session = this.userSessions.get(userId);
if (!session) {
@@ -513,6 +569,21 @@ class UserCrypto {
);
}
private deriveWebAuthnSystemKey(userId: string): Buffer {
const systemSecret =
process.env.WEBAUTHN_SYSTEM_SECRET ||
process.env.OIDC_SYSTEM_SECRET ||
"termix-webauthn-system-secret-default";
const salt = Buffer.from(`webauthn:${userId}`, "utf8");
return crypto.pbkdf2Sync(
systemSecret,
salt,
100000,
UserCrypto.KEK_LENGTH,
"sha256",
);
}
private encryptDEK(dek: Buffer, kek: Buffer): EncryptedDEK {
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv("aes-256-gcm", kek, iv);
@@ -640,6 +711,48 @@ class UserCrypto {
return null;
}
}
private async storeWebAuthnEncryptedDEK(
userId: string,
encryptedDEK: EncryptedDEK,
): Promise<void> {
const key = `user_encrypted_dek_webauthn_${userId}`;
const value = JSON.stringify(encryptedDEK);
const existing = await getDb()
.select()
.from(settings)
.where(eq(settings.key, key));
if (existing.length > 0) {
await getDb()
.update(settings)
.set({ value })
.where(eq(settings.key, key));
} else {
await getDb().insert(settings).values({ key, value });
}
}
private async getWebAuthnEncryptedDEK(
userId: string,
): Promise<EncryptedDEK | null> {
try {
const key = `user_encrypted_dek_webauthn_${userId}`;
const result = await getDb()
.select()
.from(settings)
.where(eq(settings.key, key));
if (result.length === 0) {
return null;
}
return JSON.parse(result[0].value);
} catch {
return null;
}
}
}
export { UserCrypto, type KEKSalt, type EncryptedDEK };