csmith1865/cloud-api
1
0
Fork 0
mirror of https://github.com/jetkvm/cloud-api.git synced 2025-09-16 08:38:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Release 202412292129

Browse Source
This commit is contained in:
thinkafterbefore 2024-10-20 15:51:53 +02:00 committed by Adam Shiervani
commit ae4bc804c2
30 changed files with 5088 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
.env.example Normal file
View File

@ -0,0 +1,18 @@
DATABASE_URL="postgresql://jetkvm:jetkvm@localhost:5432/jetkvm?schema=public"
GOOGLE_CLIENT_ID=XXX # Google OIDC Client ID
GOOGLE_CLIENT_SECRET=XXX # Google OIDC Client Secret
API_HOSTNAME=XXX # Is needed for the OIDC Callback
APP_HOSTNAME=XXX # Is needed for the OIDC Callback
CLOUDFLARE_TURN_ID=XXX # Cloudflare TURN ID
CLOUDFLARE_TURN_TOKEN=XXX # Cloudflare TURN Token
COOKIE_SECRET=XXX # Session Cookie Secret
R2_ENDPOINT=XXX # Any S3 compatible endpoint
R2_ACCESS_KEY_ID=XXX # Any S3 compatible access key
R2_SECRET_ACCESS_KEY=XXX # Any S3 compatible secret access key
R2_BUCKET=XXX # Any S3 compatible bucket
R2_CDN_URL=XXX # Any S3 compatible CDN URL

3
.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
node_modules
.idea
.env

9
.prettierrc Normal file
View File

@ -0,0 +1,9 @@
{
"trailingComma": "all",
"tabWidth": 2,
"semi": true,
"useTabs": false,
"arrowParens": "avoid",
"singleQuote": false,
"printWidth": 90
}

130
CODE_OF_CONDUCT.md Normal file
View File

@ -0,0 +1,130 @@
CODE_OF_CONDUCT.md
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, religion, or sexual identity
and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our
community include:
- Demonstrating empathy and kindness toward other people
- Being respectful of differing opinions, viewpoints, and experiences
- Giving and gracefully accepting constructive feedback
- Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
- Focusing on what is best not just for us as individuals, but for the
overall community
Examples of unacceptable behavior include:
- The use of sexualized language or imagery, and sexual attention or
advances of any kind
- Trolling, insulting or derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or email
address, without their explicit permission
- Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
support@jetkvm.com.
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the
reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series
of actions.
**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or
permanent ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within
the community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
Community Impact Guidelines were inspired by [Mozilla's code of conduct
enforcement ladder](https://github.com/mozilla/diversity).
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at
https://www.contributor-covenant.org/translations.

339
LICENSE Normal file
View File

@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

70
README.md Normal file
View File

@ -0,0 +1,70 @@
<div align="center">
<img alt="JetKVM logo" src="https://jetkvm.com/logo-blue.png" height="28">
### Cloud API
[Discord](https://jetkvm.com/discord) | [Website](https://jetkvm.com) | [Issues](https://github.com/jetkvm/cloud-api/issues) | [Docs](https://jetkvm.com/docs)
[![Twitter](https://img.shields.io/twitter/url/https/twitter.com/jetkvm.svg?style=social&label=Follow%20%40JetKVM)](https://twitter.com/jetkvm)
</div>
JetKVM is a high-performance, open-source KVM over IP (Keyboard, Video, Mouse) solution designed for efficient remote management of computers, servers, and workstations. Whether you're dealing with boot failures, installing a new operating system, adjusting BIOS settings, or simply taking control of a machine from afar, JetKVM provides the tools to get it done effectively.
## Contributing
We welcome contributions from the community! Whether it's improving the firmware, adding new features, or enhancing documentation, your input is valuable. We also have some rules and taboos here, so please read this page and our [Code of Conduct](/CODE_OF_CONDUCT.md) carefully.
## I need help
The best place to search for answers is our [Documentation](https://jetkvm.com/docs). If you can't find the answer there, check our [Discord Server](https://discord.gg/8MaAhua7NW).
## I want to report an issue
If you've found an issue and want to report it, please check our [Issues](https://github.com/jetkvm/cloud-api/issues) page. Make sure the description contains information about the firmware version you're using, your platform, and a clear explanation of the steps to reproduce the issue.
## Development
This project is built with Node.JS, Prisma and Express.
To start the development server, run:
```bash
# For local development, you can use the following command to start a postgres instanc
# Don't use in production
docker run --name jetkvm-cloud-db \
-e POSTGRES_USER=jetkvm \
-e POSTGRES_PASSWORD=mysecretpassword \
-e POSTGRES_DB=jetkvm \
-d postgres
# Copy the .env.example file to .env and populate it with the correct values
cp .env.example .env
# Install dependencies
npm install
# Deploy the existing database migrations
npx prisma migrate deploy
# Start the production server on port 3000
npm run dev
```
## Production
```bash
# Copy the .env.example file to .env and populate it with the correct values
cp .env.example .env
# Install dependencies
npm install
# Deploy the existing database migrations
# Needs to run on new release
npx prisma migrate deploy
# Start the production server on port 3000
npm run start
```

3034
package-lock.json generated Normal file
View File

File diff suppressed because it is too large Load Diff

44
package.json Normal file
View File

@ -0,0 +1,44 @@
{
"name": "jetkvm-cloud-api",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"start": "NODE_ENV=production node -r ts-node/register ./src/index.ts",
"dev": "NODE_ENV=development node --env-file=.env.development -r ts-node/register ./src/index.ts"
},
"engines": {
"node": "21.1.0"
},
"keywords": [],
"author": "",
"license": "ISC",
"dependencies": {
"@aws-sdk/client-s3": "^3.654.0",
"@prisma/client": "^5.13.0",
"@tsconfig/node22": "^22.0.0",
"@types/cookie-session": "^2.0.49",
"@types/cors": "^2.8.17",
"@types/node": "^20.12.10",
"@types/ws": "^8.5.10",
"cookie-session": "^2.1.0",
"cors": "^2.8.5",
"express": "^4.19.2",
"helmet": "^7.1.0",
"http-proxy-middleware": "^3.0.0",
"jose": "^5.2.4",
"openid-client": "^5.6.5",
"prettier": "3.2.5",
"prisma": "^5.13.0",
"semver": "^7.6.3",
"ts-node": "^10.9.2",
"typescript": "^5.4.5",
"ws": "^8.17.0"
},
"optionalDependencies": {
"bufferutil": "^4.0.8"
},
"devDependencies": {
"@types/semver": "^7.5.8"
}
}

26
prisma/migrations/20240507150027_init/migration.sql Normal file
View File

@ -0,0 +1,26 @@
-- CreateTable
CREATE TABLE "User" (
"id" BIGSERIAL NOT NULL,
"googleId" TEXT NOT NULL,
CONSTRAINT "User_pkey" PRIMARY KEY ("id")
);
-- CreateTable
CREATE TABLE "Kvm" (
"id" BIGSERIAL NOT NULL,
"deviceId" TEXT NOT NULL,
"name" TEXT,
"userId" BIGINT NOT NULL,
CONSTRAINT "Kvm_pkey" PRIMARY KEY ("id")
);
-- CreateIndex
CREATE UNIQUE INDEX "User_googleId_key" ON "User"("googleId");
-- CreateIndex
CREATE UNIQUE INDEX "Kvm_deviceId_key" ON "Kvm"("deviceId");
-- AddForeignKey
ALTER TABLE "Kvm" ADD CONSTRAINT "Kvm_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE RESTRICT ON UPDATE CASCADE;

3
prisma/migrations/20240509114217_add_email_picture_user/migration.sql Normal file
View File

@ -0,0 +1,3 @@
-- AlterTable
ALTER TABLE "User" ADD COLUMN "email" TEXT,
ADD COLUMN "picture" TEXT;

2
prisma/migrations/20240509183549_/migration.sql Normal file
View File

@ -0,0 +1,2 @@
-- AlterTable
ALTER TABLE "Kvm" ADD COLUMN "lastSeen" TIMESTAMP(3);

2
prisma/migrations/20240509185127_/migration.sql Normal file
View File

@ -0,0 +1,2 @@
-- AlterTable
ALTER TABLE "Kvm" ALTER COLUMN "lastSeen" SET DATA TYPE TIMESTAMP(6);

25
prisma/migrations/20240510112256_/migration.sql Normal file
View File

@ -0,0 +1,25 @@
/*
Warnings:
- You are about to drop the `Kvm` table. If the table is not empty, all the data it contains will be lost.
*/
-- DropForeignKey
ALTER TABLE "Kvm" DROP CONSTRAINT "Kvm_userId_fkey";
-- DropTable
DROP TABLE "Kvm";
-- CreateTable
CREATE TABLE "Device" (
"id" TEXT NOT NULL,
"lastSeen" TIMESTAMP(6),
"name" TEXT,
"userId" BIGINT NOT NULL
);
-- CreateIndex
CREATE UNIQUE INDEX "Device_id_key" ON "Device"("id");
-- AddForeignKey
ALTER TABLE "Device" ADD CONSTRAINT "Device_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE RESTRICT ON UPDATE CASCADE;

13
prisma/migrations/20240522164125_/migration.sql Normal file
View File

@ -0,0 +1,13 @@
-- CreateTable
CREATE TABLE "TurnActivity" (
"id" BIGSERIAL NOT NULL,
"userId" BIGINT NOT NULL,
"createdAt" TIMESTAMP(6) DEFAULT CURRENT_TIMESTAMP,
"bytesSent" INTEGER NOT NULL,
"bytesReceived" INTEGER NOT NULL,
CONSTRAINT "TurnActivity_pkey" PRIMARY KEY ("id")
);
-- AddForeignKey
ALTER TABLE "TurnActivity" ADD CONSTRAINT "TurnActivity_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE RESTRICT ON UPDATE CASCADE;

13
prisma/migrations/20240909210949_/migration.sql Normal file
View File

@ -0,0 +1,13 @@
/*
Warnings:
- A unique constraint covering the columns `[secretToken]` on the table `Device` will be added. If there are existing duplicate values, this will fail.
*/
-- AlterTable
ALTER TABLE "Device" ADD COLUMN "secretToken" TEXT,
ADD COLUMN "tempToken" TEXT,
ADD COLUMN "tempTokenExpiresAt" TIMESTAMP(3);
-- CreateIndex
CREATE UNIQUE INDEX "Device_secretToken_key" ON "Device"("secretToken");

15
prisma/migrations/20240923151119_add_releases/migration.sql Normal file
View File

@ -0,0 +1,15 @@
-- CreateTable
CREATE TABLE "Release" (
"id" BIGSERIAL NOT NULL,
"version" TEXT NOT NULL,
"rolloutPercentage" INTEGER NOT NULL DEFAULT 10,
"createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
"updatedAt" TIMESTAMP(3) NOT NULL,
"url" TEXT NOT NULL,
"type" TEXT NOT NULL DEFAULT 'firmware',
CONSTRAINT "Release_pkey" PRIMARY KEY ("id")
);
-- CreateIndex
CREATE UNIQUE INDEX "Release_version_type_key" ON "Release"("version", "type");

8
prisma/migrations/20240924095535_add_hash_to_releases/migration.sql Normal file
View File

@ -0,0 +1,8 @@
/*
Warnings:
- Added the required column `hash` to the `Release` table without a default value. This is not possible if the table is not empty.
*/
-- AlterTable
ALTER TABLE "Release" ADD COLUMN "hash" TEXT NOT NULL;

2
prisma/migrations/20240924215802_make_app_default_release_type/migration.sql Normal file
View File

@ -0,0 +1,2 @@
-- AlterTable
ALTER TABLE "Release" ALTER COLUMN "type" SET DEFAULT 'app';

3
prisma/migrations/migration_lock.toml Normal file
View File

@ -0,0 +1,3 @@
# Please do not edit this file manually
# It should be added in your version-control system (i.e. Git)
provider = "postgresql"

56
prisma/schema.prisma Normal file
View File

@ -0,0 +1,56 @@
// This is your Prisma schema file,
// learn more about it in the docs: https://pris.ly/d/prisma-schema
// Looking for ways to speed up your queries, or scale easily with your serverless or edge functions?
// Try Prisma Accelerate: https://pris.ly/cli/accelerate-init
generator client {
provider = "prisma-client-js"
}
datasource db {
provider = "postgresql"
url = env("DATABASE_URL")
}
model User {
id BigInt @id @default(autoincrement())
googleId String @unique
email String?
picture String?
device Device[]
Activity TurnActivity[]
}
model Device {
id String @unique
lastSeen DateTime? @db.Timestamp(6)
name String?
user User @relation(fields: [userId], references: [id])
userId BigInt
tempToken String?
tempTokenExpiresAt DateTime?
secretToken String? @unique
}
model TurnActivity {
id BigInt @id @default(autoincrement())
user User @relation(fields: [userId], references: [id])
userId BigInt
createdAt DateTime? @default(now()) @db.Timestamp(6)
bytesSent Int
bytesReceived Int
}
model Release {
id BigInt @id @default(autoincrement())
version String
rolloutPercentage Int @default(10) // 10% of users
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
url String
type String @default("app") // "app" or "system"
hash String
@@unique([version, type])
}

46
publish_source.sh Executable file
View File

@ -0,0 +1,46 @@
#!/bin/bash
# Check if a commit message was provided
if [ -z "$1" ]; then
echo "Usage: $0 \"Your commit message here\""
exit 1
fi
COMMIT_MESSAGE="$1"
# Ensure you're on the main branch
git checkout main
# Add 'public' remote if it doesn't exist
if ! git remote | grep -q '^public$'; then
git remote add public https://github.com/jetkvm/cloud-api.git
fi
# Fetch the latest from the public repository
git fetch public || true
# Create a temporary branch for the release
git checkout -b release-temp
# If public/main exists, reset to it; else, use the root commit
if git ls-remote --heads public main | grep -q 'refs/heads/main'; then
git reset --soft public/main
else
git reset --soft $(git rev-list --max-parents=0 HEAD)
fi
# Merge changes from main
git merge --squash main
# Commit all changes as a single release commit
git commit -m "$COMMIT_MESSAGE"
# Force push the squashed commit to the public repository
git push --force public release-temp:main
# Switch back to main and delete the temporary branch
git checkout main
git branch -D release-temp
# Remove the public remote
git remote remove public

37
src/auth.ts Normal file
View File

@ -0,0 +1,37 @@
import { type NextFunction, type Request, type Response } from "express";
import * as jose from "jose";
import { UnauthorizedError } from "./errors";
export const verifyToken = async (idToken: string) => {
const JWKS = jose.createRemoteJWKSet(
new URL("https://www.googleapis.com/oauth2/v3/certs"),
);
try {
const { payload } = await jose.jwtVerify(idToken, JWKS, {
issuer: "https://accounts.google.com",
audience: process.env.GOOGLE_CLIENT_ID,
});
return payload;
} catch (e) {
console.error(e);
return null;
}
};
export const authenticated = async (req: Request, res: Response, next: NextFunction) => {
const idToken = req.session?.id_token;
if (!idToken) throw new UnauthorizedError();
const payload = await verifyToken(idToken);
if (!payload) throw new UnauthorizedError();
if (!payload.exp) throw new UnauthorizedError();
if (new Date(payload.exp * 1000) < new Date()) {
throw new UnauthorizedError();
}
next();
};

25
src/db.ts Normal file
View File

@ -0,0 +1,25 @@
import { PrismaClient } from "@prisma/client";
let prismaClient: PrismaClient;
declare global {
var __db: PrismaClient | undefined;
}
// This is needed because in development we don't want to restart
// the server with every change, but we want to make sure we don't
// create a new connectison to the DB with every change either.
if (process.env.NODE_ENV !== "development") {
prismaClient = new PrismaClient();
prismaClient.$connect();
} else {
if (!global.__db) {
global.__db = new PrismaClient();
global.__db.$connect();
}
prismaClient = global.__db;
}
// Have to cast it manually, because webstorm can't infer it for some reason
// https://github.com/prisma/prisma/issues/2359#issuecomment-963340538
export const prisma = prismaClient;

129
src/devices.ts Normal file
View File

@ -0,0 +1,129 @@
import * as jose from "jose";
import { prisma } from "./db";
import express from "express";
import {
BadRequestError,
NotFoundError,
UnauthorizedError,
UnprocessableEntityError,
} from "./errors";
import { activeConnections } from "./webrtc";
import * as crypto from "crypto";
import { authenticated } from "./auth";
export const List = async (req: express.Request, res: express.Response) => {
const idToken = req.session?.id_token;
const { iss, sub } = jose.decodeJwt(idToken);
// Authorization servers identifier for the user
const isGoogle = iss === "https://accounts.google.com";
if (isGoogle) {
const devices = await prisma.device.findMany({
where: { user: { googleId: sub } },
select: { id: true, name: true, lastSeen: true },
});
return res.json({
devices: devices.map(device => {
return { ...device, online: activeConnections.has(device.id) };
}),
});
} else {
throw new BadRequestError("Token is not from Google");
}
};
export const Retrieve = async (req: express.Request, res: express.Response) => {
const idToken = req.session?.id_token;
const { sub } = jose.decodeJwt(idToken);
const { id } = req.params;
if (!id) throw new UnprocessableEntityError("Missing device id in params");
const device = await prisma.device.findUnique({
where: { id, user: { googleId: sub } },
select: { id: true, name: true, user: { select: { googleId: true } } },
});
if (!device) throw new NotFoundError("Device not found");
return res.status(200).json({ device });
};
export const Update = async (req: express.Request, res: express.Response) => {
const idToken = req.session?.id_token;
const { sub } = jose.decodeJwt(idToken);
if (!sub) throw new UnauthorizedError("Missing sub in token");
const { id } = req.params;
if (!id) throw new UnprocessableEntityError("Missing device id in params");
const { name } = req.body as { name: string };
if (!name) throw new UnprocessableEntityError("Missing name in body");
const device = await prisma.device.update({
where: { id, user: { googleId: sub } },
data: { name },
select: { id: true },
});
return res.json(device);
};
export const Token = async (req: express.Request, res: express.Response) => {
const { tempToken } = req.body as { tempToken: string };
if (!tempToken) throw new UnprocessableEntityError("Missing temp token in body");
const device = await prisma.device.findFirst({ where: { tempToken } });
if (!device?.tempToken) throw new NotFoundError("Device not found");
if ((device?.tempTokenExpiresAt || 0) < new Date())
throw new UnauthorizedError("Token expired");
const secretToken = crypto.randomBytes(20).toString("hex");
await prisma.device.update({
where: { id: device.id },
data: { secretToken, tempToken: null, tempTokenExpiresAt: null },
});
return res.json({ secretToken });
};
export const Delete = async (req: express.Request, res: express.Response) => {
if (req.headers.authorization?.startsWith("Bearer ")) {
const secretToken = req.headers.authorization.split("Bearer ")[1];
const hasDevice = await prisma.device.findUnique({ where: { secretToken } });
if (!hasDevice) throw new NotFoundError("Device not found");
await prisma.device.delete({ where: { secretToken } });
return res.status(204).send();
}
// If the user doesn't have a secret token, we check their session cookie
try {
await new Promise<void>(resolve => {
authenticated(req, res, () => {
resolve();
});
});
} catch (error) {
throw new BadRequestError("Unauthorized");
}
const idToken = req.session?.id_token;
const { sub } = jose.decodeJwt(idToken);
if (!sub) throw new UnauthorizedError("Missing sub in token");
const { id } = req.params;
if (!id) throw new UnprocessableEntityError("Missing device id in params");
await prisma.device.delete({ where: { id, user: { googleId: sub } } });
// We just removed the device, so we should close any running open socket connections
const socket = activeConnections.get(id);
if (socket) {
socket.send("Deregistered from server");
socket.close();
}
return res.status(204).send();
};

55
src/errors.ts Normal file
View File

@ -0,0 +1,55 @@
export class HttpError extends Error {
status: number;
code?: string;
constructor(status: number, m?: string) {
super(m);
this.status = status;
}
}
export class BadRequestError extends HttpError {
constructor(message?: string, code?: string) {
super(400, message);
this.name = "BadRequestError";
this.code = code;
}
}
export class UnauthorizedError extends HttpError {
constructor(message?: string, code?: string) {
super(401, message);
this.name = "Unauthorized";
this.code = code;
}
}
export class ForbiddenError extends HttpError {
constructor(message?: string, code?: string) {
super(403, message);
this.name = "Forbidden";
}
}
export class NotFoundError extends HttpError {
constructor(message?: string, code?: string) {
super(404, message);
this.name = "NotFoundError";
}
}
export class UnprocessableEntityError extends HttpError {
constructor(message?: string, code?: string) {
super(422, message);
this.code = code;
this.name = "UnprocessableEntityError";
}
}
export class InternalServerError extends HttpError {
constructor(message?: string, code?: string) {
super(500, message);
this.code = code;
this.name = "InternalServerError";
}
}

204
src/index.ts Normal file
View File

@ -0,0 +1,204 @@
import express from "express";
import cors from "cors";
import cookieSession from "cookie-session";
import * as jose from "jose";
import helmet from "helmet";
import * as Devices from "./devices";
import * as OIDC from "./oidc";
import * as Webrtc from "./webrtc";
import * as Releases from "./releases";
import { HttpError } from "./errors";
import { authenticated } from "./auth";
import { prisma } from "./db";
declare global {
namespace NodeJS {
interface ProcessEnv {
NODE_ENV: "development" | "production";
API_HOSTNAME: string;
APP_HOSTNAME: string;
COOKIE_SECRET: string;
// We use Google OIDC for authentication
GOOGLE_CLIENT_ID: string;
GOOGLE_CLIENT_SECRET: string;
// We use Cloudflare STUN & TURN server for cloud users
CLOUDFLARE_TURN_ID: string;
CLOUDFLARE_TURN_TOKEN: string;
// We use R2 for storing releases
R2_ENDPOINT: string;
R2_ACCESS_KEY_ID: string;
R2_SECRET_ACCESS_KEY: string;
R2_BUCKET: string;
R2_CDN_URL: string;
}
}
}
const app = express();
app.use(helmet());
app.disable("x-powered-by");
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
app.use(
cors({
origin: ["https://app.jetkvm.com", "http://localhost:5173"],
credentials: true,
}),
);
app.use(
cookieSession({
name: "session",
path: "/",
httpOnly: true,
keys: [process.env.COOKIE_SECRET],
secure: process.env.NODE_ENV === "production",
sameSite: "strict",
maxAge: 24 * 60 * 60 * 1000, // 24 hours
}),
);
function asyncHandler(fn: any) {
return (req: express.Request, res: express.Response, next: express.NextFunction) => {
return Promise.resolve(fn(req, res, next)).catch(next);
};
}
// express-session won't sent the cookie, as it's `secure` and `secureProxy` is set to true
// DO Apps doesn't send a X-Forwarded-Proto header, so we simply need to make a blanket trust
app.set("trust proxy", true);
const asyncAuthGuard = asyncHandler(authenticated);
app.get("/", (req, res) => {
return res.status(200).send("OK");
});
app.get(
"/me",
asyncAuthGuard,
asyncHandler(async (req: express.Request, res: express.Response) => {
const idToken = req.session?.id_token;
const { sub, iss, exp, aud, iat, jti, nbf } = jose.decodeJwt(idToken);
let user;
if (iss === "https://accounts.google.com") {
user = await prisma.user.findUnique({
where: { googleId: sub },
select: { picture: true, email: true },
});
}
return res.json({ ...user, sub });
}),
);
app.get("/releases", asyncHandler(Releases.Retrieve));
app.get(
"/releases/system_recovery/latest",
asyncHandler(Releases.RetrieveLatestSystemRecovery),
);
app.get("/releases/app/latest", asyncHandler(Releases.RetrieveLatestApp));
app.get("/devices", asyncAuthGuard, asyncHandler(Devices.List));
app.get("/devices/:id", asyncAuthGuard, asyncHandler(Devices.Retrieve));
app.post("/devices/token", asyncHandler(Devices.Token));
app.put("/devices/:id", asyncAuthGuard, asyncHandler(Devices.Update));
app.delete("/devices/:id", asyncHandler(Devices.Delete));
app.post("/webrtc/session", asyncAuthGuard, asyncHandler(Webrtc.CreateSession));
app.post("/webrtc/ice_config", asyncAuthGuard, asyncHandler(Webrtc.CreateIceCredentials));
app.post(
"/webrtc/turn_activity",
asyncAuthGuard,
asyncHandler(Webrtc.CreateTurnActivity),
);
app.post("/oidc/google", asyncHandler(OIDC.Google));
app.get("/oidc/callback_o", asyncHandler(OIDC.Callback));
app.get("/oidc/callback", (req, res) => {
/*
* We set the session cookie in the /oidc/google route as a part of 302 redirect to the OIDC login page
* When the OIDC provider redirects back to the /oidc/callback route, the session cookie won't be sent as it seen by the browser as a new session,
* and SameSite=Lax|Strict doesn't regard it as a same-site request.
*
* One solution, is to simply to use SameSite=None; Secure. Not nice for CSRF, and safari doesn't like it.
* Another solution is to simply return 200 and then redirect with HTML to the /oidc/callback_o route, which will have the session cookie.
* We went with the latter, and now we can have SameSite=Strict cookies:
* https://stackoverflow.com/questions/42216700/how-can-i-redirect-after-oauth2-with-samesite-strict-and-still-get-my-cookies
* */
const callbackUrl = req.url.replace("/oidc/callback", "/oidc/callback_o");
return res.send(
`<html>
<head>
<meta http-equiv="refresh" content="0; URL='${callbackUrl}'"/>
<script>
// Initial theme setup
document.documentElement.classList.toggle(
"dark",
localStorage.theme === "dark" ||
(!("theme" in localStorage) &&
window.matchMedia("(prefers-color-scheme: dark)").matches),
);
// Listen for system theme changes
window
.matchMedia("(prefers-color-scheme: dark)")
.addEventListener("change", ({ matches }) => {
if (!("theme" in localStorage)) {
// Only auto-switch if user hasn't manually set a theme
document.documentElement.classList.toggle("dark", matches);
}
});
</script>
<style>
body {background-color: #0f172a;}
</style>
</head>
<body></body>
</html>`,
);
});
app.post(
"/logout",
asyncHandler((req: express.Request, res: express.Response) => {
req.session = null;
return res.json({ message: "Logged out" });
}),
);
// Error-handling middleware
app.use(
(
err: HttpError | Error,
req: express.Request,
res: express.Response,
next: express.NextFunction,
) => {
const isProduction = process.env.NODE_ENV === "production";
const statusCode = err instanceof HttpError ? err.status : 500;
// Build the error response payload
const payload = {
name: err.name,
message: err.message,
...(isProduction ? {} : { stack: err.stack }),
};
console.error(err);
res.status(statusCode).json(payload);
},
);
const server = app.listen(3000, () => {
console.log("Server started on port 3000");
});
Webrtc.registerWebsocketServer(server);

159
src/oidc.ts Normal file
View File

@ -0,0 +1,159 @@
import { generators, Issuer } from "openid-client";
import express from "express";
import { prisma } from "./db";
import { BadRequestError } from "./errors";
import * as crypto from "crypto";
const API_HOSTNAME = process.env.API_HOSTNAME;
const APP_HOSTNAME = process.env.APP_HOSTNAME;
const REDIRECT_URI = `${API_HOSTNAME}/oidc/callback`;
const getGoogleOIDCClient = async () => {
const googleIssuer = await Issuer.discover("https://accounts.google.com");
return new googleIssuer.Client({
client_id: process.env.GOOGLE_CLIENT_ID,
client_secret: process.env.GOOGLE_CLIENT_SECRET,
redirect_uris: [REDIRECT_URI],
response_types: ["code"],
});
};
export const Google = async (req: express.Request, res: express.Response) => {
const state = new URLSearchParams();
// Generate a CSRF token and store it in the session, so the callback
// can ensure that the request is the same as the one that was initiated.
state.set("csrf", generators.state());
req.session!.csrf = state.get("csrf");
req.session!.deviceId = req.body.deviceId;
req.session!.returnTo = req.body.returnTo;
const code_verifier = generators.codeVerifier();
const code_challenge = generators.codeChallenge(code_verifier);
req.session!.code_verifier = code_verifier;
const client = await getGoogleOIDCClient();
const authorizationUrl = client.authorizationUrl({
scope: "openid email profile",
state: state.toString(),
// This ensures that to even issue the token, the client must have the code_verifier,
// which is stored in the session cookie.
code_challenge,
code_challenge_method: "S256",
});
return res.redirect(authorizationUrl);
};
export const Callback = async (req: express.Request, res: express.Response) => {
const client = await getGoogleOIDCClient();
// Retrieve recognized callback parameters from the request, e.g. code and state
const params = client.callbackParams(req);
if (!params)
throw new BadRequestError("Missing callback parameters", "missing_callback_params");
const sessionCsrf = req.session?.csrf;
if (!sessionCsrf) {
throw new BadRequestError("Missing CSRF in session", "missing_csrf");
}
const thisRequestCsrf = new URLSearchParams(params.state).get("csrf");
if (thisRequestCsrf !== sessionCsrf) {
throw new BadRequestError("Invalid CSRF", "invalid_csrf");
}
const deviceId = req.session?.deviceId as string | undefined;
const returnTo = (req.session?.returnTo ?? `${APP_HOSTNAME}/devices`) as string;
req.session!.csrf = null;
req.session!.returnTo = null;
req.session!.deviceId = null;
// Exchange code for access token and ID token
const tokenSet = await client.callback(REDIRECT_URI, params, {
state: req.query.state?.toString(),
code_verifier: req.session?.code_verifier,
});
const userInfo = await client.userinfo(tokenSet);
// TokenClaims is an object that contains the sub, email, name and other claims
const tokenClaims = tokenSet.claims();
if (!tokenClaims) {
throw new BadRequestError("Missing claims in token", "missing_claims");
}
if (!tokenSet.id_token) {
throw new BadRequestError("Missing ID Token", "missing_id_token");
}
req.session!.id_token = tokenSet.id_token;
await prisma.user.upsert({
where: { googleId: tokenClaims.sub },
update: {
googleId: tokenClaims.sub,
email: userInfo.email,
picture: userInfo.picture,
},
create: {
googleId: tokenClaims.sub,
email: userInfo.email,
picture: userInfo.picture,
},
});
// This means the user is trying to adopt a device by first logging/signin up/in
if (deviceId) {
const deviceAdopted = await prisma.device.findUnique({
where: { id: deviceId },
select: { user: { select: { googleId: true } } },
});
const isAdoptedByCurrentUser = deviceAdopted?.user.googleId === tokenClaims.sub;
const isAdoptedByOther = deviceAdopted && !isAdoptedByCurrentUser;
if (isAdoptedByOther) {
// Device is already adopted by another user. This can happen if:
// 1. The device was resold without being de-registered by the previous owner.
// 2. Someone is trying to adopt a device they don't own.
//
// Security note:
// The previous owner can't connect to the device anymore because:
// - The device would have done a hardware reset, erasing its deviceToken.
// - Without a valid deviceToken, the device can't connect to the cloud API.
//
// This check prevents unauthorized adoption and ensures proper ownership transfer.
// The cost of this check is therefore, that the previous owner has to re-register the device.
return res.redirect(`${APP_HOSTNAME}/already-adopted`);
}
// Temp Token expires in 5 minutes
const tempToken = crypto.randomBytes(20).toString("hex");
const tempTokenExpiresAt = new Date(new Date().getTime() + 5 * 60000);
await prisma.user.update({
where: { googleId: tokenClaims.sub },
data: {
device: {
upsert: {
create: { id: deviceId, tempToken, tempTokenExpiresAt },
where: { id: deviceId },
update: { tempToken, tempTokenExpiresAt },
},
},
},
});
console.log("Adopted device", deviceId, "for user", tokenClaims.sub);
const url = new URL(returnTo);
url.searchParams.append("tempToken", tempToken);
url.searchParams.append("deviceId", deviceId);
url.searchParams.append("oidcGoogle", tokenSet.id_token.toString());
url.searchParams.append("clientId", process.env.GOOGLE_CLIENT_ID);
return res.redirect(url.toString());
}
return res.redirect(returnTo);
};

358
src/releases.ts Normal file
View File

@ -0,0 +1,358 @@
import express from "express";
import { prisma } from "./db";
import { BadRequestError, InternalServerError, NotFoundError } from "./errors";
import { createHash } from "crypto";
import semver from "semver";
import { GetObjectCommand, ListObjectsV2Command, S3Client } from "@aws-sdk/client-s3";
const s3Client = new S3Client({
endpoint: process.env.R2_ENDPOINT!,
credentials: {
accessKeyId: process.env.R2_ACCESS_KEY_ID!,
secretAccessKey: process.env.R2_SECRET_ACCESS_KEY!,
},
region: "auto",
});
const bucketName = process.env.R2_BUCKET;
const baseUrl = process.env.R2_CDN_URL;
async function getLatestVersion(
prefix: "app" | "system",
includePrerelease: boolean,
): Promise<{ version: string; url: string; hash: string }> {
const listCommand = new ListObjectsV2Command({
Bucket: bucketName,
Prefix: prefix + "/",
Delimiter: "/",
});
const response = await s3Client.send(listCommand);
if (!response.CommonPrefixes || response.CommonPrefixes.length === 0) {
throw new NotFoundError(`No versions found under prefix ${prefix}`);
}
// Extract version folder names
let versions = response.CommonPrefixes.map(cp => cp.Prefix!.split("/")[1])
.filter(Boolean)
.filter(v => semver.valid(v));
if (versions.length === 0) {
throw new NotFoundError(`No valid versions found under prefix ${prefix}`);
}
// Get the latest version, optionally including prerelease versions
const latestVersion = semver.maxSatisfying(versions, "*", {
includePrerelease,
}) as string;
const fileName = prefix === "app" ? "jetkvm_app" : "system.tar";
const url = `${baseUrl}/${prefix}/${latestVersion}/${fileName}`;
const hashResponse = await s3Client.send(
new GetObjectCommand({
Bucket: bucketName,
Key: `${prefix}/${latestVersion}/${fileName}.sha256`,
}),
);
const hash = await streamToString(hashResponse.Body);
return { version: latestVersion, url, hash };
}
interface Release {
appVersion: string;
appUrl: string;
appHash: string;
systemVersion: string;
systemUrl: string;
systemHash: string;
}
async function getReleaseFromS3(includePrerelease: boolean): Promise<Release> {
const [appRelease, systemRelease] = await Promise.all([
getLatestVersion("app", includePrerelease),
getLatestVersion("system", includePrerelease),
]);
return {
appVersion: appRelease.version,
appUrl: appRelease.url,
appHash: appRelease.hash,
systemVersion: systemRelease.version,
systemUrl: systemRelease.url,
systemHash: systemRelease.hash,
};
}
async function isDeviceEligibleForLatestRelease(
rolloutPercentage: number,
deviceId: string,
): Promise<boolean> {
if (rolloutPercentage === 100) return true;
const hash = createHash("md5").update(deviceId).digest("hex");
const hashPrefix = hash.substring(0, 8);
const hashValue = parseInt(hashPrefix, 16) % 100;
return hashValue < rolloutPercentage;
}
async function getDefaultRelease(type: "app" | "system") {
const rolledOutReleases = await prisma.release.findMany({
where: { rolloutPercentage: 100, type },
select: { version: true, url: true, hash: true },
});
if (rolledOutReleases.length === 0) {
throw new InternalServerError(`No default release found for type ${type}`);
}
// Get the latest default version from the rolled out releases
const latestVersion = semver.maxSatisfying(
rolledOutReleases.map(r => r.version),
"*",
) as string;
// Get the release with the latest default version
const latestDefaultRelease = rolledOutReleases.find(r => r.version === latestVersion);
if (!latestDefaultRelease) {
throw new InternalServerError(`No default release found for type ${type}`);
}
return latestDefaultRelease;
}
export async function Retrieve(req: express.Request, res: express.Response) {
const deviceId = req.query.deviceId as string | undefined;
if (!deviceId) {
throw new BadRequestError("Device ID is required");
}
const includePrerelease = req.query.prerelease === "true";
// Get the latest release from S3
let remoteRelease: Release;
try {
remoteRelease = await getReleaseFromS3(includePrerelease);
} catch (error) {
console.error(error);
throw new InternalServerError("Failed to get the latest release from S3");
}
// If the request is for prereleases, ignore the rollout percentage and just return the latest release
// This is useful for the OTA updater to get the latest prerelease version
// This also prevents us from storing the rollout percentage for prerelease versions
if (includePrerelease) {
return res.json({
appVersion: remoteRelease.appVersion,
appUrl: remoteRelease.appUrl,
appHash: remoteRelease.appHash,
systemVersion: remoteRelease.systemVersion,
systemUrl: remoteRelease.systemUrl,
systemHash: remoteRelease.systemHash,
});
}
// Fetch or create the latest app release
const latestAppRelease = await prisma.release.upsert({
where: { version_type: { version: remoteRelease.appVersion, type: "app" } },
update: {},
create: {
version: remoteRelease.appVersion,
rolloutPercentage: 10,
url: remoteRelease.appUrl,
type: "app",
hash: remoteRelease.appHash,
},
select: { version: true, url: true, rolloutPercentage: true, hash: true },
});
// Fetch or create the latest system release
const latestSystemRelease = await prisma.release.upsert({
where: { version_type: { version: remoteRelease.systemVersion, type: "system" } },
update: {},
create: {
version: remoteRelease.systemVersion,
rolloutPercentage: 10,
url: remoteRelease.systemUrl,
type: "system",
hash: remoteRelease.systemHash,
},
select: { version: true, url: true, rolloutPercentage: true, hash: true },
});
const defaultAppRelease = await getDefaultRelease("app");
const defaultSystemRelease = await getDefaultRelease("system");
const responseJson = {
appVersion: defaultAppRelease.version,
appUrl: defaultAppRelease.url,
appHash: defaultAppRelease.hash,
systemVersion: defaultSystemRelease.version,
systemUrl: defaultSystemRelease.url,
systemHash: defaultSystemRelease.hash,
};
if (
await isDeviceEligibleForLatestRelease(latestAppRelease.rolloutPercentage, deviceId)
) {
responseJson.appVersion = latestAppRelease.version;
responseJson.appUrl = latestAppRelease.url;
responseJson.appHash = latestAppRelease.hash;
}
if (
await isDeviceEligibleForLatestRelease(
latestSystemRelease.rolloutPercentage,
deviceId,
)
) {
responseJson.systemVersion = latestSystemRelease.version;
responseJson.systemUrl = latestSystemRelease.url;
responseJson.systemHash = latestSystemRelease.hash;
}
return res.json(responseJson);
}
export async function RetrieveLatestSystemRecovery(
req: express.Request,
res: express.Response,
) {
const includePrerelease = req.query.prerelease === "true";
// Get the latest system recovery image from S3. It's stored in the system/ folder.
const listCommand = new ListObjectsV2Command({
Bucket: bucketName,
Prefix: "system/",
Delimiter: "/",
});
const response = await s3Client.send(listCommand);
// Extract version folder names
if (!response.CommonPrefixes || response.CommonPrefixes.length === 0) {
throw new NotFoundError(`No versions found under prefix system recovery image`);
}
// Get the latest version
const versions = response.CommonPrefixes.map(cp => cp.Prefix!.split("/")[1])
.filter(Boolean)
.filter(v => semver.valid(v));
const latestVersion = semver.maxSatisfying(versions, "*", {
includePrerelease,
}) as string;
const [firmwareFile, hashFile] = await Promise.all([
s3Client.send(
new GetObjectCommand({
Bucket: bucketName,
Key: `system/${latestVersion}/update.img`,
}),
),
s3Client.send(
new GetObjectCommand({
Bucket: bucketName,
Key: `system/${latestVersion}/update.img.sha256`,
}),
),
]);
if (!firmwareFile.Body || !hashFile.Body) {
throw new NotFoundError(
`No system recovery image or hash file not found for version ${latestVersion}`,
);
}
const firmwareContent = await streamToBuffer(firmwareFile.Body);
const remoteHash = await streamToString(hashFile.Body);
const localHash = createHash("sha256").update(firmwareContent).digest("hex");
if (remoteHash.trim() !== localHash) {
throw new InternalServerError("system recovery image hash does not match");
}
console.log("system recovery image hash matches", latestVersion);
return res.redirect(302, `${baseUrl}/system/${latestVersion}/update.img`);
}
export async function RetrieveLatestApp(req: express.Request, res: express.Response) {
const includePrerelease = req.query.prerelease === "true";
// Get the latest version
const listCommand = new ListObjectsV2Command({
Bucket: bucketName,
Prefix: "app/",
Delimiter: "/",
});
const response = await s3Client.send(listCommand);
if (!response.CommonPrefixes || response.CommonPrefixes.length === 0) {
throw new NotFoundError("No app versions found");
}
const versions = response.CommonPrefixes.map(cp => cp.Prefix!.split("/")[1]).filter(v =>
semver.valid(v),
);
const latestVersion = semver.maxSatisfying(versions, "*", {
includePrerelease,
}) as string;
// Get the app file and its hash
const [appFile, hashFile] = await Promise.all([
s3Client.send(
new GetObjectCommand({
Bucket: bucketName,
Key: `app/${latestVersion}/jetkvm_app`,
}),
),
s3Client.send(
new GetObjectCommand({
Bucket: bucketName,
Key: `app/${latestVersion}/jetkvm_app.sha256`,
}),
),
]);
if (!appFile.Body || !hashFile.Body) {
throw new NotFoundError(`App or hash file not found for version ${latestVersion}`);
}
const appContent = await streamToBuffer(appFile.Body);
const remoteHash = await streamToString(hashFile.Body);
const localHash = createHash("sha256").update(appContent).digest("hex");
if (remoteHash.trim() !== localHash) {
throw new InternalServerError("App hash does not match");
}
console.log("App hash matches", latestVersion);
return res.redirect(302, `${baseUrl}/app/${latestVersion}/jetkvm_app`);
}
// Helper function to convert stream to string
async function streamToString(stream: any): Promise<string> {
const chunks: Uint8Array[] = [];
for await (const chunk of stream) {
chunks.push(chunk);
}
const result = Buffer.concat(chunks).toString("utf-8");
return result.trimEnd();
}
// Helper function to convert stream to buffer
async function streamToBuffer(stream: any): Promise<Buffer> {
const chunks = [];
for await (const chunk of stream) {
chunks.push(chunk);
}
return Buffer.concat(chunks);
}

247
src/webrtc.ts Normal file
View File

@ -0,0 +1,247 @@
import { WebSocket, WebSocketServer } from "ws";
import express from "express";
import * as jose from "jose";
import { prisma } from "./db";
import { NotFoundError, UnprocessableEntityError } from "./errors";
import { IncomingMessage } from "http";
import { Socket } from "node:net";
import { Device } from "@prisma/client";
export const activeConnections: Map<string, WebSocket> = new Map();
export const inFlight: Set<string> = new Set();
export const CreateSession = async (req: express.Request, res: express.Response) => {
const idToken = req.session?.id_token;
const { sub } = jose.decodeJwt(idToken);
const { id, sd } = req.body;
if (!id) throw new UnprocessableEntityError("Missing id");
if (!sd) throw new UnprocessableEntityError("Missing sd");
const device = await prisma.device.findUnique({
where: { id, user: { googleId: sub } },
select: { id: true },
});
if (!device) {
throw new NotFoundError("Device not found");
}
if (inFlight.has(id)) {
console.log(`Websocket for ${id} in-flight with another client`);
throw new UnprocessableEntityError(
`Websocket for ${id} in-flight with another client`,
);
}
const ws = activeConnections.get(id);
if (!ws) {
console.log("No socket for id", id);
throw new NotFoundError(`No socket for id found`, "kvm_socket_not_found");
}
let wsRes: ((value: unknown) => void) | null = null,
wsRej: ((value: unknown) => void) | null = null;
let timeout: NodeJS.Timeout | undefined;
try {
inFlight.add(id);
const resp: any = await new Promise((res, rej) => {
timeout = setTimeout(() => {
rej(new Error("Timeout waiting for response from ws"));
}, 5000);
// Hoist the res and rej functions to be used in the finally block for cleanup
wsRes = res;
wsRej = rej;
ws.addEventListener("message", wsRes);
ws.addEventListener("error", wsRej);
ws.addEventListener("close", wsRej);
// If the HTTP client closes the connection before the websocket response is received, reject the promise
req.socket.on("close", wsRej);
ws.send(JSON.stringify({ sd, OidcGoogle: idToken }));
});
return res.json(JSON.parse(resp.data));
} catch (e) {
console.error(`Error sending data to kvm with ${id}`, e);
// If there was an error, remove the socket from the map
ws.close(); // Most likely there is no-one on the other end to close the connection
activeConnections.delete(id);
return res
.status(500)
.json({ error: "There was an error sending and receiving data to the KVM" });
} finally {
if (timeout) clearTimeout(timeout);
inFlight.delete(id);
if (wsRes && wsRej) {
ws.removeEventListener("message", wsRes);
ws.removeEventListener("error", wsRej);
ws.removeEventListener("close", wsRej);
}
}
};
export const CreateIceCredentials = async (
req: express.Request,
res: express.Response,
) => {
const resp = await fetch(
`https://rtc.live.cloudflare.com/v1/turn/keys/${process.env.CLOUDFLARE_TURN_ID}/credentials/generate`,
{
method: "POST",
headers: {
Authorization: `Bearer ${process.env.CLOUDFLARE_TURN_TOKEN}`,
"Content-Type": "application/json",
},
body: JSON.stringify({ ttl: 3600 }),
},
);
const data = (await resp.json()) as {
iceServers: { credential?: string; urls: string | string[]; username?: string };
};
if (!data.iceServers.urls) {
throw new Error("No ice servers returned");
}
if (data.iceServers.urls instanceof Array) {
data.iceServers.urls = data.iceServers.urls.filter(url => !url.startsWith("turns"));
}
return res.json(data);
};
export const CreateTurnActivity = async (req: express.Request, res: express.Response) => {
const idToken = req.session?.id_token;
const { sub } = jose.decodeJwt(idToken);
const { bytesReceived, bytesSent } = req.body;
await prisma.turnActivity.create({
data: {
bytesReceived,
bytesSent,
user: { connect: { googleId: sub } },
},
});
return res.json({ success: true });
};
async function updateDeviceLastSeen(id: string) {
const device = await prisma.device.findUnique({ where: { id } });
if (device) {
return prisma.device.update({ where: { id }, data: { lastSeen: new Date() } });
}
}
export const registerWebsocketServer = (server: any) => {
const wss = new WebSocketServer({ noServer: true });
server.on("upgrade", async (req: IncomingMessage, socket: Socket, head: Buffer) => {
const authHeader = req.headers["authorization"];
const secretToken = authHeader?.split(" ")?.[1];
if (!secretToken) {
console.log("No authorization header provided. Closing socket.");
return socket.destroy();
}
let device: Device | null = null;
try {
device = await prisma.device.findFirst({ where: { secretToken } });
} catch (error) {
console.log("There was an error validating the secret token", error);
return socket.destroy();
}
if (!device) {
console.log("Invalid secret token provided. Closing socket.");
return socket.destroy();
}
if (activeConnections.has(device.id)) {
console.log(
"Device already in active connection list. Terminating & deleting existing websocket.",
);
activeConnections.get(device.id)?.terminate();
activeConnections.delete(device.id);
}
wss.handleUpgrade(req, socket, head, function done(ws) {
wss.emit("connection", ws, req);
});
});
wss.on("connection", async function connection(ws, req) {
const authHeader = req.headers["authorization"];
const secretToken = authHeader?.split(" ")?.[1];
let device: Device | null = null;
try {
device = await prisma.device.findFirst({ where: { secretToken } });
} catch (error) {
ws.send("There was an error validating the secret token. Closing ws connection.");
console.log("There was an error validating the secret token", error);
return ws.close();
}
if (!device) {
ws.send("Invalid secret token provided. Closing ws connection.");
console.log("Invalid secret token provided. Closing ws connection.");
return ws.close();
}
const id = req.headers["x-device-id"] as string | undefined;
const hasId = !!id;
// Ensure id is provided
if (!hasId) {
ws.send("No id provided. Closing ws connection.");
console.log("No id provided. Closing ws connection.");
return ws.close();
}
if (!id) {
ws.send("Invalid id provided. Closing ws connection.");
console.log("Invalid id provided. Closing ws connection.");
return ws.close();
}
if (id !== device.id) {
ws.send("Id and token mismatch. Closing ws connection.");
console.log("Id and token mismatch. Closing ws connection.");
return ws.close();
}
// Ensure id is not inflight
if (inFlight.has(id)) {
ws.send(`ID, ${id} is in flight. Please try again.`);
console.log(`ID, ${id} is in flight. Please try again.`);
return ws.close();
}
activeConnections.set(id, ws);
console.log("New socket for id", id);
ws.on("error", async () => {
if (!id) return;
console.log("WS Error - Remove socket ", id);
activeConnections.delete(id);
await updateDeviceLastSeen(id);
});
ws.on("close", async () => {
if (!id) return;
console.log("WS Close - Remove socket ", id);
activeConnections.delete(id);
await updateDeviceLastSeen(id);
});
});
};

13
tsconfig.json Normal file
View File

@ -0,0 +1,13 @@
{
"extends": "@tsconfig/node22/tsconfig.json",
"compilerOptions": {
"module": "NodeNext",
"moduleResolution": "NodeNext"
},
"include": [
"src"
],
"exclude": [
"node_modules"
]
}