mirror of
https://github.com/Termix-SSH/Termix.git
synced 2026-07-17 05:43:36 +00:00
1e7c9ea53c
* feat(sshid) - sshid.io equivalent for termix (#919) * feat(ssh-id): database schema, migrations and field encryption Adds ssh_identities, ssh_identity_keys and ssh_identity_ca tables (public keys stored plaintext for the unauthenticated resolver; CA private key registered for per-user field encryption), with UNIQUE(user_id), an index on ssh_identity_keys(identity_id), and idempotent CREATE TABLE migrations. * feat(ssh-id): backend API — resolver, key management, CA and certificates Mounts /sshid (nginx route added). Public text/plain authorized_keys resolver (+ exact /:algo filter, HTML viewer) and CA public-key endpoint; no-store + noindex headers on every resolver response including early 404s. Authenticated management: claim/rename/delete handle, add/import/generate/enable/delete keys, and a per-user CA (create/rotate/delete) with pure-Node OpenSSH certificate issuance. Audit logging on all mutations; UNIQUE races map to a precise 409. Unit tests for key parsing and certificate signing (ssh-keygen-validated). * feat(ssh-id): frontend panel, API client and i18n SSH ID panel wired into the app rail and AppShell: claim handle, resolver URL + curl one-liner, key list, generate, paste/import, CA enable/rotate/remove with server trust command, and per-key certificate issuance. API client re-exported through main-axios.ts; all strings i18n'd. * style(ssh-id): align panel and resolver page with Termix theme - Rebuild the SSH ID sidebar panel with the theme's square components (SectionCard / SettingRow / FakeSwitch) instead of rounded ad-hoc cards; use accent-brand and destructive tokens rather than raw red/green. - Fix panel scrolling: move overflow to a block scroll container so the cards keep their natural height instead of being clipped. - Restyle the public resolver HTML page (/sshid/u/:handle) to the Termix dark theme: square corners, #18181b/#303032 palette, #f59145 accent, uppercase section labels. - Tidy copy: 'Save To Credentials' label, drop the redundant generate intro, and correct the generate tooltip (the key is stored when saving to vault). * feat: rename to Termix ID, improve UI, backend inconsistencies, and general bug fixes --------- Co-authored-by: LukeGus <bugattiguy527@gmail.com> * ci(deps): bump actions/checkout from 6 to 7 in the github-actions group (#922) Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 6 to 7 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump the dev-patch-updates group with 11 updates (#923) Bumps the dev-patch-updates group with 11 updates: | Package | From | To | | --- | --- | --- | | [@codemirror/search](https://github.com/codemirror/search) | `6.7.0` | `6.7.1` | | [@codemirror/view](https://github.com/codemirror/view) | `6.43.0` | `6.43.1` | | [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.3.0` | `4.3.1` | | [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.8` | `4.1.9` | | [@vitest/ui](https://github.com/vitest-dev/vitest/tree/HEAD/packages/ui) | `4.1.8` | `4.1.9` | | [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.5.2` | `0.5.3` | | [lint-staged](https://github.com/lint-staged/lint-staged) | `17.0.7` | `17.0.8` | | [prettier](https://github.com/prettier/prettier) | `3.8.3` | `3.8.4` | | [sharp](https://github.com/lovell/sharp) | `0.35.1` | `0.35.2` | | [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.0` | `4.3.1` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.8` | `4.1.9` | Updates `@codemirror/search` from 6.7.0 to 6.7.1 - [Changelog](https://github.com/codemirror/search/blob/main/CHANGELOG.md) - [Commits](https://github.com/codemirror/search/commits) Updates `@codemirror/view` from 6.43.0 to 6.43.1 - [Changelog](https://github.com/codemirror/view/blob/main/CHANGELOG.md) - [Commits](https://github.com/codemirror/view/commits) Updates `@tailwindcss/vite` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-vite) Updates `@vitest/coverage-v8` from 4.1.8 to 4.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/coverage-v8) Updates `@vitest/ui` from 4.1.8 to 4.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/ui) Updates `eslint-plugin-react-refresh` from 0.5.2 to 0.5.3 - [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases) - [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md) - [Commits](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/compare/v0.5.2...v0.5.3) Updates `lint-staged` from 17.0.7 to 17.0.8 - [Release notes](https://github.com/lint-staged/lint-staged/releases) - [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md) - [Commits](https://github.com/lint-staged/lint-staged/compare/v17.0.7...v17.0.8) Updates `prettier` from 3.8.3 to 3.8.4 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.8.3...3.8.4) Updates `sharp` from 0.35.1 to 0.35.2 - [Release notes](https://github.com/lovell/sharp/releases) - [Commits](https://github.com/lovell/sharp/compare/v0.35.1...v0.35.2) Updates `tailwindcss` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss) Updates `vitest` from 4.1.8 to 4.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest) --- updated-dependencies: - dependency-name: "@codemirror/search" dependency-version: 6.7.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@codemirror/view" dependency-version: 6.43.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@tailwindcss/vite" dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@vitest/coverage-v8" dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@vitest/ui" dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: eslint-plugin-react-refresh dependency-version: 0.5.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: lint-staged dependency-version: 17.0.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: prettier dependency-version: 3.8.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: sharp dependency-version: 0.35.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: tailwindcss dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: vitest dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump nanoid in the prod-patch-updates group (#925) Bumps the prod-patch-updates group with 1 update: [nanoid](https://github.com/ai/nanoid). Updates `nanoid` from 5.1.11 to 5.1.15 - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](https://github.com/ai/nanoid/compare/5.1.11...5.1.15) --- updated-dependencies: - dependency-name: nanoid dependency-version: 5.1.15 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the major-updates group with 5 updates (#926) Bumps the major-updates group with 5 updates: | Package | From | To | | --- | --- | --- | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.2.0` | `5.0.0` | | [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) | `9.39.4` | `10.0.1` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.9.2` | `26.0.0` | | [concurrently](https://github.com/open-cli-tools/concurrently) | `9.2.1` | `10.0.3` | | [eslint](https://github.com/eslint/eslint) | `9.39.4` | `10.5.0` | Updates `js-yaml` from 4.2.0 to 5.0.0 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](https://github.com/nodeca/js-yaml/compare/4.2.0...5.0.0) Updates `@eslint/js` from 9.39.4 to 10.0.1 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/commits/v10.0.1/packages/js) Updates `@types/node` from 25.9.2 to 26.0.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `concurrently` from 9.2.1 to 10.0.3 - [Release notes](https://github.com/open-cli-tools/concurrently/releases) - [Commits](https://github.com/open-cli-tools/concurrently/compare/v9.2.1...v10.0.3) Updates `eslint` from 9.39.4 to 10.5.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v9.39.4...v10.5.0) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: major-updates - dependency-name: "@eslint/js" dependency-version: 10.0.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates - dependency-name: "@types/node" dependency-version: 26.0.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates - dependency-name: concurrently dependency-version: 10.0.3 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates - dependency-name: eslint dependency-version: 10.5.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat(ssh): add HashiCorp Vault SSH signer authentication * fix: small fixes to vault feature to align with Termix codebase * chore: add view docs links for vault/termix id * fix: file upload fails with 400 and missing schema migrations on upgrade (#929) Two bugs introduced in v2.4.1: 1. uploadFileStream uses fileManagerApi.post() which triggers axios's transformRequest to JSON-serialize the FormData because the instance default Content-Type is application/json. Change to postForm() which sets Content-Type: multipart/form-data so the browser XHR sends the correct multipart body with boundary. 2. Two schema items added to schema.ts were not included in migrateSchema() in db/index.ts, causing 500 errors on existing installations upgrading from v2.4.0: - user_preferences.status_color_scheme (no such column) - dashboard_service_links table (no such table) Fixes #928 Co-authored-by: sash <sash@fominykh.io> * fix: support PuTTY PPK ssh keys (#930) * fix: chunk large file manager uploads (#932) * fix: route dashboard hosts by protocol (#934) * fix: resolve tunnel endpoints reliably (#935) * Fix Electron OIDC browser auth failures (#936) * Allow RDP connections without stored credentials (#937) * Sync role credential shares for OIDC users (#938) * Fix terminal link dialog layering (#940) * Confirm large files before opening editor (#942) * Confirm closing active host connections (#943) * Preserve file path case in file manager UI (#941) * fix: preserve unicode guacamole tokens (#933) * Persist VNC authentication settings (#944) * Fix Guacamole websocket base path (#946) * Promote file manager terminals to tabs (#939) * Guard Guacamole disconnect during startup (#945) * chore: increment ver * feat: bitwarden ssh agent integration * feat: serial connections support * fix: various small bug fixes * feat: open all sessions in a folder and terminal custom theme color support * feat: cross host file manager clipboard and several small bug fixes * feat: tailscale/wireguard support and added a new status state for when backend is checking status * feat: grafana like server stats history, new alert system, ntfy/webhook support * feat: new grid and widget based homepage function * feat: new donate button in dashboard * fix: alert ui incorrectly using termix css and fixed issue with alert system not loading * chore: start database layer refactor * docs: plan database layer refactor * docs: audit database layer refactor phase zero * chore: add database runtime adapter skeleton * chore: add settings repository skeleton * chore: add user session repository skeleton * chore: add host credential repository skeleton * chore: add field encryption boundary * chore: migrate settings route slice * chore: migrate user settings routes * chore: migrate host metrics settings routes * chore: migrate acme settings route * chore: migrate terminal settings route * chore: migrate tailscale settings read * chore: migrate guacamole settings reads * chore: migrate session timeout settings reads * chore: migrate auth route settings reads * chore: migrate host metrics settings reads * chore: migrate startup settings reads * chore: migrate user settings cleanup * chore: migrate password reset settings * chore: migrate oidc legacy settings read * chore: migrate user route settings slice * chore: migrate oidc state settings * chore: migrate user login settings reads * chore: migrate user crypto settings * chore: consolidate startup settings defaults * chore: consolidate database settings import export * chore: migrate core session auth paths * chore: migrate remaining session auth paths * chore: migrate admin user routes * chore: migrate user route admin checks * chore: migrate user lifecycle routes * chore: migrate auth user lookups * chore: migrate oidc user routes * chore: migrate api key repository paths * docs: add database gray rollout guide * chore: migrate trusted device paths * chore: migrate user session route user lookups * chore: add database repository rollout guard * chore: expose repository rollout status * chore: warn on repository rollout misconfiguration * chore: migrate remaining user lookup helpers * chore: migrate ssh user lookups * chore: migrate user settings admin lookups * chore: migrate acme ssl user lookups * chore: migrate audit log admin checks * chore: migrate oidc account user updates * chore: migrate password reset user updates * chore: migrate user deletion core records * chore: migrate snippet audit user lookups * chore: migrate ldap user sync paths * chore: migrate totp user updates * chore: migrate rbac user checks * chore: migrate rbac role paths * chore: migrate permission role lookups * chore: migrate rbac access list reads * chore: migrate shared rbac reads * chore: migrate rbac access writes * chore: migrate permission host access * chore: migrate role host access lookup * chore: migrate snippet access lookup * chore: migrate shared credential access lookups * chore: migrate host access cleanup writes * chore: migrate host list access checks * chore: migrate host access cleanup routes * chore: migrate shared credential role lookups * chore: migrate user role cleanup * chore: migrate admin role sync * chore: migrate ldap role sync * chore: migrate user role assignment * chore: migrate sso provider access * chore: migrate audit log access * chore: migrate user preference access * chore: migrate open tab access * chore: migrate dismissed alert access * chore: migrate homepage layout access * chore: migrate network topology access * chore: migrate dashboard service link access * chore: migrate command history access * chore: migrate recent activity cleanup * chore: migrate ssh credential usage access * chore: migrate transfer recent access * chore: migrate file manager bookmark access * chore: migrate c2s tunnel preset access * chore: migrate homepage item access * chore: migrate session recording access * chore: migrate tmux session tag access * chore: migrate opkssh token access * chore: migrate vault token access * chore: migrate vault profile access * chore: migrate host metrics preference access * chore: migrate host health access * chore: migrate host metrics history access * chore: migrate alert persistence access * chore: route alert host lookup through repository * chore: migrate user data export reads * chore: route host metrics stats sync through repository * chore: migrate host folder persistence * chore: migrate host resolution reads * chore: route jump host resolution reads * chore: route docker console jump host reads * chore: route docker ssh resolution reads * chore: route proxmox discovery resolution reads * chore: route file manager activity host reads * chore: route host metrics resolution reads * chore: route ssh auth credential reads * chore: route tunnel endpoint credential reads * chore: route credential deployment resolution reads * chore: route command history host flag reads * chore: route snippet execution resolution reads * chore: route terminal host resolution reads * chore: route vault oidc host resolution reads * chore: route wake on lan host reads * chore: route internal host list reads * chore: route host key verification persistence * chore: route credential read paths * chore: route credential host usage reads * chore: route credential folder rename * chore: route host owner access checks * chore: route shared credential source reads * chore: route user host credential cleanup * chore: route credential delete reads * chore: route credential update reads * chore: route host credential reads * chore: route host read paths * chore: route host projection reads * chore: route host list reads * chore: route snippet read paths * chore: route snippet folder writes * chore: route snippet crud paths * chore: route snippet bulk import * chore: route rbac ownership reads * chore: route user count reads * chore: route cleanup snippets folders * chore: route shared credential persistence * chore: route dashboard activity * chore: route guacamole host reads * chore: route host bulk lookups * chore: remove unlock-only simple db ops * chore: route host autostart persistence * chore: route ldap provisioning through users * chore: route credential encrypted writes * chore: route host encrypted writes * chore: route bulk host encrypted writes * chore: route termix id credentials * chore: route termix id ca persistence * chore: route termix identity persistence * chore: route credential system migration * chore: isolate user encryption migration storage * chore: remove legacy simple db ops * chore: isolate legacy sqlite migration copy * chore: route database settings import export * chore: route database host credential export * chore: route database host credential import * chore: route database file-manager import export * chore: route database alert usage import export * chore: route database user checks * chore: isolate auth lazy migration storage * chore: route explicit database saves * chore: initialize database save boundary * chore: route migration snapshot saves * chore: isolate sqlite import constraints * chore: route import sqlite boundary * chore: route user encryption migration store * chore: centralize current repository runtime * chore: route more current repositories * chore: route activity repository runtimes * chore: route token repository runtimes * chore: route health repository runtimes * chore: route identity repository runtimes * chore: route rbac repository runtime * chore: centralize current sqlite runtime access * chore: route user deletion key cleanup * chore: route user deletion vault cleanup * chore: route user deletion homepage cleanup * chore: route user deletion health cleanup * chore: route user deletion alert cleanup * chore: route user deletion identity cleanup * chore: add database layer preupgrade backup * Fix database repository type errors * fix: complete post-merge compile fixes for database refactor Restore missing DatabaseSaveTrigger/getDb imports, session log format fallback, OIDC provider resolution, guacamole recording insert, and passwordFallbackOnly typing after merging current dev. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DivByZero <mr.oplus@yahoo.fr> Co-authored-by: LukeGus <bugattiguy527@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: devdanetra <46488477+devdanetra@users.noreply.github.com> Co-authored-by: Aleksandr Fominykh <neoformalex@users.noreply.github.com> Co-authored-by: sash <sash@fominykh.io>
941 lines
27 KiB
TypeScript
941 lines
27 KiB
TypeScript
import { spawn, ChildProcess } from "child_process";
|
|
import { randomUUID } from "crypto";
|
|
import { WebSocket } from "ws";
|
|
import { OPKSSHBinaryManager } from "../utils/opkssh-binary-manager.js";
|
|
import { sshLogger } from "../utils/logger.js";
|
|
import { createCurrentOpksshTokenRepository } from "../database/repositories/current-opkssh-token-repository.js";
|
|
import { UserCrypto } from "../utils/user-crypto.js";
|
|
import { FieldCrypto } from "../utils/field-crypto.js";
|
|
import { promises as fs } from "fs";
|
|
import path from "path";
|
|
import axios from "axios";
|
|
import { load as loadYaml } from "js-yaml";
|
|
|
|
const AUTH_TIMEOUT = 60 * 1000;
|
|
|
|
export const OPKSSH_CALLBACK_PATH = "/host/opkssh-callback";
|
|
|
|
interface OPKSSHAuthSession {
|
|
requestId: string;
|
|
userId: string;
|
|
hostId: number;
|
|
hostname: string;
|
|
process: ChildProcess;
|
|
localPort: number;
|
|
callbackPort: number;
|
|
remoteRedirectUri: string;
|
|
providers: Array<{ alias: string; issuer: string }>;
|
|
status:
|
|
| "starting"
|
|
| "waiting_for_auth"
|
|
| "authenticating"
|
|
| "completed"
|
|
| "error";
|
|
ws: WebSocket;
|
|
stdoutBuffer: string;
|
|
privateKeyBuffer: string;
|
|
sshCertBuffer: string;
|
|
identity: {
|
|
email?: string;
|
|
sub?: string;
|
|
issuer?: string;
|
|
audience?: string;
|
|
};
|
|
createdAt: Date;
|
|
approvalTimeout: NodeJS.Timeout;
|
|
cleanup: () => Promise<void>;
|
|
}
|
|
|
|
const activeAuthSessions = new Map<string, OPKSSHAuthSession>();
|
|
const oauthStateToRequestId = new Map<string, string>();
|
|
const cleanupInProgress = new Set<string>();
|
|
|
|
function getOPKConfigPath(): string {
|
|
const dataDir =
|
|
process.env.DATA_DIR || path.join(process.cwd(), "db", "data");
|
|
return path.join(dataDir, ".opk", "config.yml");
|
|
}
|
|
|
|
async function ensureOPKConfigDir(): Promise<void> {
|
|
const configPath = getOPKConfigPath();
|
|
const configDir = path.dirname(configPath);
|
|
await fs.mkdir(configDir, { recursive: true });
|
|
}
|
|
|
|
async function createTemplateConfig(): Promise<void> {
|
|
const configPath = getOPKConfigPath();
|
|
const template = `
|
|
# OPKSSH Configuration
|
|
# OPKSSH Documentation: https://github.com/openpubkey/opkssh/blob/main/docs/config.md
|
|
# Termix Documentation: https://docs.termix.site/features/authentication/opkssh
|
|
`;
|
|
|
|
try {
|
|
await ensureOPKConfigDir();
|
|
await fs.writeFile(configPath, template, "utf8");
|
|
sshLogger.info(`Created template OPKSSH config at ${configPath}`);
|
|
} catch (error) {
|
|
sshLogger.warn("Failed to create template OPKSSH config", error);
|
|
}
|
|
}
|
|
|
|
interface ProviderRedirectInfo {
|
|
alias: string;
|
|
issuer: string;
|
|
redirectUris: string[];
|
|
}
|
|
|
|
async function checkOPKConfigExists(): Promise<{
|
|
exists: boolean;
|
|
error?: string;
|
|
configPath?: string;
|
|
providers?: ProviderRedirectInfo[];
|
|
}> {
|
|
const configPath = getOPKConfigPath();
|
|
const isDocker =
|
|
!!process.env.DATA_DIR && process.env.DATA_DIR.startsWith("/app");
|
|
const dockerHint = isDocker
|
|
? "\n\nDocker: Ensure /app/data is mounted as a volume with write permissions for node:node user."
|
|
: "";
|
|
|
|
try {
|
|
const content = await fs.readFile(configPath, "utf8");
|
|
|
|
if (!content.includes("providers:")) {
|
|
return {
|
|
exists: false,
|
|
configPath,
|
|
error: `OPKSSH configuration is missing 'providers' section. Please edit the config file at:\n${configPath}\n\n.`,
|
|
};
|
|
}
|
|
|
|
const lines = content.split("\n");
|
|
|
|
const hasUncommentedProvider = lines.some((line) => {
|
|
const trimmed = line.trim();
|
|
return (
|
|
trimmed.startsWith("- alias:") ||
|
|
(trimmed.startsWith("issuer:") && !line.trimStart().startsWith("#"))
|
|
);
|
|
});
|
|
|
|
if (!hasUncommentedProvider) {
|
|
return {
|
|
exists: false,
|
|
configPath,
|
|
error: `OPKSSH configuration has no active providers. Please edit the config file at:\n${configPath}\n\nUncomment and configure at least one OIDC provider.\nSee documentation: https://github.com/openpubkey/opkssh/blob/main/docs/config.md${dockerHint}`,
|
|
};
|
|
}
|
|
|
|
let providers: ProviderRedirectInfo[] = [];
|
|
try {
|
|
const parsed = loadYaml(content) as {
|
|
providers?: Array<{
|
|
alias?: string;
|
|
issuer?: string;
|
|
redirect_uris?: string[];
|
|
}>;
|
|
};
|
|
if (parsed?.providers && Array.isArray(parsed.providers)) {
|
|
providers = parsed.providers
|
|
.filter(
|
|
(
|
|
p,
|
|
): p is {
|
|
alias: string;
|
|
issuer: string;
|
|
redirect_uris?: string[];
|
|
} => typeof p.alias === "string" && typeof p.issuer === "string",
|
|
)
|
|
.map((p) => ({
|
|
alias: p.alias,
|
|
issuer: p.issuer.replace(/^https?:\/\//, ""),
|
|
redirectUris: Array.isArray(p.redirect_uris)
|
|
? p.redirect_uris.filter(
|
|
(u): u is string => typeof u === "string",
|
|
)
|
|
: [],
|
|
}));
|
|
}
|
|
} catch (e) {
|
|
sshLogger.warn("Failed to parse OPKSSH config for providers", {
|
|
operation: "opkssh_config_parse_providers_error",
|
|
error: e,
|
|
});
|
|
}
|
|
|
|
return { exists: true, configPath, providers };
|
|
} catch {
|
|
await createTemplateConfig();
|
|
return {
|
|
exists: false,
|
|
configPath,
|
|
error: `OPKSSH configuration not found. A template config file has been created at:\n${configPath}\n\nPlease edit this file and configure your OIDC provider (Google, GitHub, Microsoft, etc.).\nSee documentation: https://github.com/openpubkey/opkssh/blob/main/docs/config.md${dockerHint}`,
|
|
};
|
|
}
|
|
}
|
|
|
|
// OPKSSH's `redirect_uris` field lists candidate LOCAL ports for the callback listener
|
|
// that OPKSSH binds on the host running the binary. The openpubkey library enforces these
|
|
// must be localhost, a non-localhost entry causes ECONNRESET on /select/ at runtime.
|
|
// The publicly registered OAuth redirect URI is what Termix passes via --remote-redirect-uri
|
|
// (derived from request origin); users do NOT put that URL in this config field.
|
|
function validateRedirectUrisAreLocalhost(
|
|
providers: ProviderRedirectInfo[],
|
|
): { ok: true } | { ok: false; message: string } {
|
|
const isLocalHost = (host: string): boolean => {
|
|
const bare = host.replace(/^\[|\]$/g, "");
|
|
return (
|
|
bare === "localhost" ||
|
|
bare === "127.0.0.1" ||
|
|
bare === "::1" ||
|
|
bare === "0:0:0:0:0:0:0:1" ||
|
|
bare.startsWith("localhost:") ||
|
|
bare.startsWith("127.0.0.1:")
|
|
);
|
|
};
|
|
|
|
const issues: string[] = [];
|
|
for (const p of providers) {
|
|
const uris = p.redirectUris || [];
|
|
if (uris.length === 0) continue;
|
|
const nonLocal = uris.filter((u) => {
|
|
try {
|
|
return !isLocalHost(new URL(u).hostname);
|
|
} catch {
|
|
return true;
|
|
}
|
|
});
|
|
if (nonLocal.length > 0) {
|
|
issues.push(
|
|
`Provider '${p.alias}': non-localhost entries in redirect_uris: ${nonLocal.join(", ")}`,
|
|
);
|
|
}
|
|
}
|
|
|
|
if (issues.length > 0) {
|
|
return {
|
|
ok: false,
|
|
message:
|
|
`OPKSSH configuration error: 'redirect_uris' must only contain localhost URLs.\n\n` +
|
|
`${issues.join("\n")}\n\n` +
|
|
`This field is OPKSSH's local callback listener, it must be localhost (or omitted to use ` +
|
|
`the defaults http://localhost:3000/login-callback, :10001, :11110). ` +
|
|
`The public Termix callback URL is supplied automatically by Termix via --remote-redirect-uri; ` +
|
|
`you do not put it here. Register the PUBLIC Termix URL with your OAuth provider instead ` +
|
|
`(e.g. https://your-domain${OPKSSH_CALLBACK_PATH}).\n\n` +
|
|
`Fix: remove the non-localhost entries above, or delete the whole 'redirect_uris' block to use defaults.\n\n` +
|
|
`Docs: https://docs.termix.site/features/authentication/opkssh`,
|
|
};
|
|
}
|
|
|
|
return { ok: true };
|
|
}
|
|
|
|
export async function startOPKSSHAuth(
|
|
userId: string,
|
|
hostId: number,
|
|
hostname: string,
|
|
ws: WebSocket,
|
|
requestOrigin: string,
|
|
): Promise<string> {
|
|
try {
|
|
await ensureOPKConfigDir();
|
|
const configDir = path.dirname(getOPKConfigPath());
|
|
await fs.access(configDir, fs.constants.R_OK | fs.constants.W_OK);
|
|
} catch (error) {
|
|
sshLogger.error("OPKSSH directory not accessible", error);
|
|
const isDocker =
|
|
!!process.env.DATA_DIR && process.env.DATA_DIR.startsWith("/app");
|
|
const dockerHint = isDocker
|
|
? "\n\nDocker: Ensure /app/data is mounted as a volume with write permissions for node:node user."
|
|
: "";
|
|
ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_error",
|
|
error: `OPKSSH directory initialization failed: ${error.message}${dockerHint}`,
|
|
}),
|
|
);
|
|
return "";
|
|
}
|
|
|
|
const configCheck = await checkOPKConfigExists();
|
|
if (!configCheck.exists) {
|
|
ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_config_error",
|
|
requestId: "",
|
|
error: configCheck.error,
|
|
instructions: configCheck.error,
|
|
}),
|
|
);
|
|
return "";
|
|
}
|
|
|
|
const redirectValidation = validateRedirectUrisAreLocalhost(
|
|
configCheck.providers || [],
|
|
);
|
|
if (redirectValidation.ok === false) {
|
|
sshLogger.warn("OPKSSH config redirect_uris validation failed", {
|
|
operation: "opkssh_config_redirect_uris_not_localhost",
|
|
configPath: configCheck.configPath,
|
|
});
|
|
ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_config_error",
|
|
requestId: "",
|
|
error: redirectValidation.message,
|
|
instructions: redirectValidation.message,
|
|
}),
|
|
);
|
|
return "";
|
|
}
|
|
|
|
const requestId = randomUUID();
|
|
const remoteRedirectUri = `${requestOrigin}${OPKSSH_CALLBACK_PATH}`;
|
|
|
|
sshLogger.info("Starting OPKSSH auth session", {
|
|
operation: "opkssh_start_auth_remote_redirect_uri",
|
|
requestId,
|
|
userId,
|
|
hostId,
|
|
requestOrigin,
|
|
remoteRedirectUri,
|
|
providerAliases: (configCheck.providers || []).map((p) => p.alias),
|
|
});
|
|
|
|
const session: Partial<OPKSSHAuthSession> = {
|
|
requestId,
|
|
userId,
|
|
hostId,
|
|
hostname,
|
|
localPort: 0,
|
|
callbackPort: 0,
|
|
remoteRedirectUri,
|
|
providers: configCheck.providers || [],
|
|
status: "starting",
|
|
ws,
|
|
stdoutBuffer: "",
|
|
privateKeyBuffer: "",
|
|
sshCertBuffer: "",
|
|
identity: {},
|
|
createdAt: new Date(),
|
|
};
|
|
|
|
try {
|
|
const binaryPath = OPKSSHBinaryManager.getBinaryPath();
|
|
const configPath = getOPKConfigPath();
|
|
|
|
const args = [
|
|
"login",
|
|
"--print-key",
|
|
"--disable-browser-open",
|
|
`--config-path=${configPath}`,
|
|
`--remote-redirect-uri=${remoteRedirectUri}`,
|
|
];
|
|
|
|
const opksshProcess = spawn(binaryPath, args, {
|
|
stdio: ["ignore", "pipe", "pipe"],
|
|
env: {
|
|
...process.env,
|
|
},
|
|
});
|
|
session.process = opksshProcess;
|
|
|
|
const cleanup = async () => {
|
|
await cleanupAuthSession(requestId);
|
|
};
|
|
session.cleanup = cleanup;
|
|
|
|
const timeout = setTimeout(async () => {
|
|
sshLogger.warn(`OPKSSH auth timeout for session ${requestId}`);
|
|
ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_timeout",
|
|
requestId,
|
|
}),
|
|
);
|
|
await cleanup();
|
|
}, AUTH_TIMEOUT);
|
|
|
|
session.approvalTimeout = timeout;
|
|
|
|
ws.on("close", () => {
|
|
cleanup();
|
|
});
|
|
|
|
activeAuthSessions.set(requestId, session as OPKSSHAuthSession);
|
|
|
|
opksshProcess.stdout?.on("data", (data) => {
|
|
const output = data.toString();
|
|
handleOPKSSHOutput(requestId, output);
|
|
});
|
|
|
|
opksshProcess.stderr?.on("data", async (data) => {
|
|
const stderr = data.toString();
|
|
|
|
if (
|
|
stderr.includes("Opening browser to") ||
|
|
stderr.includes("Open your browser to:")
|
|
) {
|
|
handleOPKSSHOutput(requestId, stderr);
|
|
}
|
|
|
|
if (stderr.includes("listening on")) {
|
|
handleOPKSSHOutput(requestId, stderr);
|
|
}
|
|
|
|
const lowerStderr = stderr.toLowerCase();
|
|
|
|
// OPKSSH's openpubkey library rejects non-localhost `redirect_uris` at runtime
|
|
// with the distinctive message "redirectURI must be localhost". Surface that
|
|
// directly with actionable guidance.
|
|
if (lowerStderr.includes("redirecturi must be localhost")) {
|
|
sshLogger.warn("OPKSSH rejected non-localhost entry in redirect_uris", {
|
|
operation: "opkssh_stderr_redirect_uris_not_localhost",
|
|
requestId,
|
|
remoteRedirectUri,
|
|
stderrSnippet: stderr.slice(0, 500),
|
|
});
|
|
ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_config_error",
|
|
requestId,
|
|
error:
|
|
`OPKSSH rejected the local callback URI: every entry in 'redirect_uris' must be localhost.\n\n` +
|
|
`OPKSSH output:\n${stderr.trim()}\n\n` +
|
|
`The 'redirect_uris' config field is OPKSSH's LOCAL listener — it is not the public Termix callback. ` +
|
|
`Remove any non-localhost entries from redirect_uris (or delete the whole block to use OPKSSH's ` +
|
|
`defaults of :3000, :10001, :11110). Register the public Termix callback URL with your OAuth ` +
|
|
`provider instead, Termix passes it to OPKSSH automatically via --remote-redirect-uri.`,
|
|
instructions:
|
|
"See documentation: https://docs.termix.site/features/authentication/opkssh",
|
|
}),
|
|
);
|
|
await cleanup();
|
|
return;
|
|
}
|
|
|
|
// Generic redirect-uri/mismatch errors (OAuth provider side, OPKSSH config side, etc.)
|
|
const genericRedirectIndicators = [
|
|
"redirect_uri",
|
|
"redirect uri",
|
|
"invalid redirect",
|
|
"no matching redirect",
|
|
"allowed redirect",
|
|
"mismatching redirection",
|
|
];
|
|
const hasGenericRedirectError = genericRedirectIndicators.some((s) =>
|
|
lowerStderr.includes(s),
|
|
);
|
|
|
|
if (hasGenericRedirectError) {
|
|
sshLogger.warn("OPKSSH stderr reported redirect_uri error", {
|
|
operation: "opkssh_stderr_redirect_uri_error",
|
|
requestId,
|
|
remoteRedirectUri,
|
|
stderrSnippet: stderr.slice(0, 500),
|
|
});
|
|
ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_config_error",
|
|
requestId,
|
|
error:
|
|
`OPKSSH or the OAuth provider rejected the redirect URI.\n\n` +
|
|
`Computed Termix callback URI (sent to provider): ${remoteRedirectUri}\n\n` +
|
|
`OPKSSH output:\n${stderr.trim()}\n\n` +
|
|
`Register '${remoteRedirectUri}' as an authorized redirect URI with your OAuth provider ` +
|
|
`(e.g. in Google Cloud Console → OAuth client). ` +
|
|
`Also confirm any 'redirect_uris' in your OPKSSH config contain ONLY localhost URLs.`,
|
|
instructions:
|
|
"See documentation: https://docs.termix.site/features/authentication/opkssh",
|
|
}),
|
|
);
|
|
await cleanup();
|
|
return;
|
|
}
|
|
|
|
if (
|
|
stderr.includes("provider not found") ||
|
|
stderr.includes("config error") ||
|
|
stderr.includes("invalid config") ||
|
|
stderr.includes("config not found")
|
|
) {
|
|
ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_config_error",
|
|
requestId,
|
|
error:
|
|
"OPKSSH configuration error. Please verify your config file contains valid OIDC provider settings.",
|
|
instructions:
|
|
"See documentation: https://github.com/openpubkey/opkssh/blob/main/docs/config.md",
|
|
}),
|
|
);
|
|
cleanup();
|
|
}
|
|
|
|
if (
|
|
stderr.includes("level=error") ||
|
|
stderr.includes("Error:") ||
|
|
stderr.includes("failed")
|
|
) {
|
|
const isXdgOpenError = stderr.includes('exec: "xdg-open"');
|
|
if (!isXdgOpenError) {
|
|
if (
|
|
stderr.includes("bind: address already in use") ||
|
|
stderr.includes("error logging in") ||
|
|
stderr.includes("failed to start")
|
|
) {
|
|
await cleanup();
|
|
}
|
|
}
|
|
}
|
|
});
|
|
|
|
opksshProcess.on("error", (error) => {
|
|
ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_error",
|
|
requestId,
|
|
error: `OPKSSH process error: ${error.message}`,
|
|
}),
|
|
);
|
|
cleanup();
|
|
});
|
|
|
|
opksshProcess.on("exit", (code) => {
|
|
if (code !== 0 && session.status !== "completed") {
|
|
ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_error",
|
|
requestId,
|
|
error: `OPKSSH process exited with code ${code}`,
|
|
}),
|
|
);
|
|
}
|
|
cleanup();
|
|
});
|
|
|
|
return requestId;
|
|
} catch (error) {
|
|
sshLogger.error(`Failed to start OPKSSH auth session`, error);
|
|
ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_error",
|
|
requestId,
|
|
error: `Failed to start OPKSSH authentication: ${error instanceof Error ? error.message : "Unknown error"}`,
|
|
}),
|
|
);
|
|
return "";
|
|
}
|
|
}
|
|
|
|
function handleOPKSSHOutput(requestId: string, output: string): void {
|
|
const session = activeAuthSessions.get(requestId);
|
|
if (!session) {
|
|
return;
|
|
}
|
|
|
|
session.stdoutBuffer += output;
|
|
|
|
const chooserUrlMatch = session.stdoutBuffer.match(
|
|
/(?:Opening browser to|Open your browser to:)\s*http:\/\/(?:localhost|127\.0\.0\.1):(\d+)\/chooser/,
|
|
);
|
|
if (chooserUrlMatch && session.status === "starting") {
|
|
const actualPort = parseInt(chooserUrlMatch[1], 10);
|
|
const localChooserUrl = `http://127.0.0.1:${actualPort}/chooser`;
|
|
|
|
session.localPort = actualPort;
|
|
|
|
const baseUrl = session.remoteRedirectUri
|
|
.replace(/\/host\/opkssh-callback$/, "")
|
|
// In direct dev mode the WS server (30002) is separate from the HTTP API (30001)
|
|
.replace(/:30002\b/, ":30001");
|
|
const proxiedChooserUrl = `${baseUrl}/host/opkssh-chooser/${requestId}`;
|
|
|
|
session.status = "waiting_for_auth";
|
|
session.ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_status",
|
|
requestId,
|
|
stage: "chooser",
|
|
url: proxiedChooserUrl,
|
|
providers: session.providers,
|
|
localUrl: localChooserUrl,
|
|
message: "Please authenticate in your browser",
|
|
}),
|
|
);
|
|
}
|
|
|
|
const callbackPortMatch = session.stdoutBuffer.match(
|
|
/listening on http:\/\/(?:127\.0\.0\.1|localhost):(\d+)\//,
|
|
);
|
|
if (callbackPortMatch && !session.callbackPort) {
|
|
session.callbackPort = parseInt(callbackPortMatch[1], 10);
|
|
}
|
|
|
|
if (output.includes("BEGIN OPENSSH PRIVATE KEY")) {
|
|
session.status = "authenticating";
|
|
session.ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_status",
|
|
requestId,
|
|
stage: "authenticating",
|
|
message: "Processing authentication...",
|
|
}),
|
|
);
|
|
}
|
|
|
|
const privateKeyMatch = session.stdoutBuffer.match(
|
|
/(-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]*?-----END OPENSSH PRIVATE KEY-----)/,
|
|
);
|
|
if (privateKeyMatch) {
|
|
session.privateKeyBuffer = privateKeyMatch[1].trim();
|
|
}
|
|
|
|
const certMatch = session.stdoutBuffer.match(
|
|
/(ecdsa-sha2-nistp256-cert-v01@openssh\.com\s+[A-Za-z0-9+/=]+|ssh-rsa-cert-v01@openssh\.com\s+[A-Za-z0-9+/=]+|ssh-ed25519-cert-v01@openssh\.com\s+[A-Za-z0-9+/=]+)/,
|
|
);
|
|
if (certMatch) {
|
|
session.sshCertBuffer = certMatch[1].trim();
|
|
}
|
|
|
|
const identityMatch = session.stdoutBuffer.match(
|
|
/Email, sub, issuer, audience:\s*\n?\s*([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)/,
|
|
);
|
|
if (identityMatch) {
|
|
session.identity = {
|
|
email: identityMatch[1],
|
|
sub: identityMatch[2],
|
|
issuer: identityMatch[3],
|
|
audience: identityMatch[4],
|
|
};
|
|
}
|
|
|
|
if (session.privateKeyBuffer && session.sshCertBuffer) {
|
|
if (!session.privateKeyBuffer.includes("BEGIN OPENSSH PRIVATE KEY")) {
|
|
sshLogger.error(`Invalid private key extracted [${requestId}]`, {
|
|
bufferPrefix: session.privateKeyBuffer.substring(0, 50),
|
|
});
|
|
session.ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_error",
|
|
requestId,
|
|
error: "Failed to extract valid private key from OPKSSH output",
|
|
}),
|
|
);
|
|
return;
|
|
}
|
|
|
|
if (!session.sshCertBuffer.match(/-cert-v01@openssh\.com/)) {
|
|
sshLogger.error(`Invalid SSH certificate extracted [${requestId}]`, {
|
|
bufferPrefix: session.sshCertBuffer.substring(0, 50),
|
|
});
|
|
session.ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_error",
|
|
requestId,
|
|
error: "Failed to extract valid SSH certificate from OPKSSH output",
|
|
}),
|
|
);
|
|
return;
|
|
}
|
|
|
|
storeOPKSSHToken(session);
|
|
}
|
|
}
|
|
|
|
async function storeOPKSSHToken(session: OPKSSHAuthSession): Promise<void> {
|
|
try {
|
|
const userCrypto = UserCrypto.getInstance();
|
|
|
|
const expiresAt = new Date();
|
|
expiresAt.setHours(expiresAt.getHours() + 24);
|
|
|
|
const userDataKey = userCrypto.getUserDataKey(session.userId);
|
|
if (!userDataKey) {
|
|
throw new Error("User data key not found");
|
|
}
|
|
|
|
const tokenId = `opkssh-${session.userId}-${session.hostId}`;
|
|
|
|
const encryptedCert = FieldCrypto.encryptField(
|
|
session.sshCertBuffer,
|
|
userDataKey,
|
|
tokenId,
|
|
"ssh_cert",
|
|
);
|
|
const encryptedKey = FieldCrypto.encryptField(
|
|
session.privateKeyBuffer,
|
|
userDataKey,
|
|
tokenId,
|
|
"private_key",
|
|
);
|
|
|
|
await createCurrentOpksshTokenRepository().upsert({
|
|
userId: session.userId,
|
|
hostId: session.hostId,
|
|
sshCert: encryptedCert,
|
|
privateKey: encryptedKey,
|
|
email: session.identity.email,
|
|
sub: session.identity.sub,
|
|
issuer: session.identity.issuer,
|
|
audience: session.identity.audience,
|
|
expiresAt: expiresAt.toISOString(),
|
|
});
|
|
|
|
session.status = "completed";
|
|
session.ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_completed",
|
|
requestId: session.requestId,
|
|
expiresAt: expiresAt.toISOString(),
|
|
}),
|
|
);
|
|
|
|
await session.cleanup();
|
|
} catch (error) {
|
|
sshLogger.error(
|
|
`Failed to store OPKSSH token for session ${session.requestId}`,
|
|
error,
|
|
);
|
|
session.ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_error",
|
|
requestId: session.requestId,
|
|
error: "Failed to store authentication token",
|
|
}),
|
|
);
|
|
await session.cleanup();
|
|
}
|
|
}
|
|
|
|
export async function getOPKSSHToken(
|
|
userId: string,
|
|
hostId: number,
|
|
): Promise<{ sshCert: string; privateKey: string } | null> {
|
|
try {
|
|
const repository = createCurrentOpksshTokenRepository();
|
|
const tokenData = await repository.findByUserAndHost(userId, hostId);
|
|
|
|
if (!tokenData) {
|
|
return null;
|
|
}
|
|
|
|
const expiresAt = new Date(tokenData.expiresAt);
|
|
|
|
if (expiresAt < new Date()) {
|
|
await repository.deleteByUserAndHost(userId, hostId);
|
|
return null;
|
|
}
|
|
|
|
const userCrypto = UserCrypto.getInstance();
|
|
const userDataKey = userCrypto.getUserDataKey(userId);
|
|
if (!userDataKey) {
|
|
throw new Error("User data key not found");
|
|
}
|
|
|
|
const tokenId = `opkssh-${userId}-${hostId}`;
|
|
const decryptedCert = FieldCrypto.decryptField(
|
|
tokenData.sshCert,
|
|
userDataKey,
|
|
tokenId,
|
|
"ssh_cert",
|
|
);
|
|
const decryptedKey = FieldCrypto.decryptField(
|
|
tokenData.privateKey,
|
|
userDataKey,
|
|
tokenId,
|
|
"private_key",
|
|
);
|
|
|
|
await repository.updateLastUsed(userId, hostId);
|
|
|
|
return {
|
|
sshCert: decryptedCert,
|
|
privateKey: decryptedKey,
|
|
};
|
|
} catch (error) {
|
|
sshLogger.error(`Failed to retrieve OPKSSH token`, error);
|
|
return null;
|
|
}
|
|
}
|
|
|
|
export async function deleteOPKSSHToken(
|
|
userId: string,
|
|
hostId: number,
|
|
): Promise<void> {
|
|
await createCurrentOpksshTokenRepository().deleteByUserAndHost(
|
|
userId,
|
|
hostId,
|
|
);
|
|
}
|
|
|
|
export async function invalidateOPKSSHToken(
|
|
userId: string,
|
|
hostId: number,
|
|
reason: string,
|
|
): Promise<void> {
|
|
try {
|
|
await createCurrentOpksshTokenRepository().deleteByUserAndHost(
|
|
userId,
|
|
hostId,
|
|
);
|
|
} catch (error) {
|
|
sshLogger.error(`Failed to invalidate OPKSSH token`, {
|
|
userId,
|
|
hostId,
|
|
reason,
|
|
error,
|
|
});
|
|
}
|
|
}
|
|
|
|
export async function handleOAuthCallback(
|
|
requestId: string,
|
|
queryString: string,
|
|
): Promise<{ success: boolean; message?: string }> {
|
|
const session = activeAuthSessions.get(requestId);
|
|
|
|
if (!session) {
|
|
return { success: false, message: "Invalid authentication session" };
|
|
}
|
|
|
|
try {
|
|
const callbackUrl = `http://127.0.0.1:${session.localPort}/login-callback?${queryString}`;
|
|
await axios.get(callbackUrl, {
|
|
timeout: 10000,
|
|
validateStatus: () => true,
|
|
});
|
|
return { success: true };
|
|
} catch {
|
|
session.ws.send(
|
|
JSON.stringify({
|
|
type: "opkssh_error",
|
|
requestId,
|
|
error: "Failed to complete authentication",
|
|
}),
|
|
);
|
|
await session.cleanup();
|
|
return { success: false, message: "Authentication failed" };
|
|
}
|
|
}
|
|
|
|
async function cleanupAuthSession(requestId: string): Promise<void> {
|
|
if (cleanupInProgress.has(requestId)) {
|
|
return;
|
|
}
|
|
|
|
cleanupInProgress.add(requestId);
|
|
|
|
try {
|
|
const session = activeAuthSessions.get(requestId);
|
|
if (!session) {
|
|
cleanupInProgress.delete(requestId);
|
|
return;
|
|
}
|
|
|
|
if (session.approvalTimeout) {
|
|
clearTimeout(session.approvalTimeout);
|
|
}
|
|
|
|
if (session.process) {
|
|
try {
|
|
session.process.kill("SIGTERM");
|
|
await new Promise<void>((resolve) => {
|
|
const killTimeout = setTimeout(() => {
|
|
if (session.process && !session.process.killed) {
|
|
session.process.kill("SIGKILL");
|
|
}
|
|
resolve();
|
|
}, 3000);
|
|
|
|
session.process.once("exit", () => {
|
|
clearTimeout(killTimeout);
|
|
resolve();
|
|
});
|
|
});
|
|
|
|
await new Promise((resolve) => setTimeout(resolve, 1000));
|
|
} catch (killError) {
|
|
sshLogger.warn(
|
|
`Failed to kill OPKSSH process for session ${requestId}`,
|
|
killError,
|
|
);
|
|
}
|
|
}
|
|
|
|
// Clean up any OAuth state mappings for this session
|
|
for (const [state, reqId] of oauthStateToRequestId.entries()) {
|
|
if (reqId === requestId) {
|
|
oauthStateToRequestId.delete(state);
|
|
}
|
|
}
|
|
|
|
activeAuthSessions.delete(requestId);
|
|
} finally {
|
|
cleanupInProgress.delete(requestId);
|
|
}
|
|
}
|
|
|
|
export function cancelAuthSession(requestId: string): void {
|
|
const session = activeAuthSessions.get(requestId);
|
|
if (session) {
|
|
session.cleanup();
|
|
}
|
|
}
|
|
|
|
export function getActiveAuthSession(
|
|
requestId: string,
|
|
): OPKSSHAuthSession | undefined {
|
|
return activeAuthSessions.get(requestId);
|
|
}
|
|
|
|
export function getActiveSessionsForUser(userId: string): OPKSSHAuthSession[] {
|
|
const sessions: OPKSSHAuthSession[] = [];
|
|
for (const session of activeAuthSessions.values()) {
|
|
if (session.userId === userId) {
|
|
sessions.push(session);
|
|
}
|
|
}
|
|
return sessions;
|
|
}
|
|
|
|
export function getActiveSessionsAll(): OPKSSHAuthSession[] {
|
|
return Array.from(activeAuthSessions.values());
|
|
}
|
|
|
|
export function registerOAuthState(state: string, requestId: string): void {
|
|
oauthStateToRequestId.set(state, requestId);
|
|
}
|
|
|
|
export function getRequestIdByOAuthState(state: string): string | undefined {
|
|
return oauthStateToRequestId.get(state);
|
|
}
|
|
|
|
export function clearOAuthState(state: string): void {
|
|
oauthStateToRequestId.delete(state);
|
|
}
|
|
|
|
export async function getUserIdFromRequest(req: {
|
|
cookies?: Record<string, string>;
|
|
headers: Record<string, string | undefined>;
|
|
}): Promise<string | null> {
|
|
try {
|
|
const { AuthManager } = await import("../utils/auth-manager.js");
|
|
const authManager = AuthManager.getInstance();
|
|
|
|
const token =
|
|
req.cookies?.jwt || req.headers.authorization?.replace("Bearer ", "");
|
|
if (!token) {
|
|
return null;
|
|
}
|
|
|
|
const decoded = await authManager.verifyJWTToken(token);
|
|
if (!decoded?.userId || decoded.pendingTOTP) return null;
|
|
return decoded.userId;
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|