v1.8.0 #429

Merged
LukeGus merged 198 commits from dev-1.8.0 into main 2025-11-05 16:36:16 +00:00
5 changed files with 143 additions and 105 deletions


@@ -3,22 +3,18 @@ name: Build and Push Docker Image
on: on:
workflow_dispatch: workflow_dispatch:
inputs: inputs:
tag_name: version:
description: "Custom tag name for the Docker image" description: "Version to build (e.g., 1.8.0)"
required: false
default: ""
registry:
description: "Docker registry to push to"
required: true required: true
default: "ghcr" production:
type: choice description: "Is this a production build?"
options: required: true
- "ghcr" default: false
- "dockerhub" type: boolean
jobs: jobs:
build: build:
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: ubuntu-latest
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v5 uses: actions/checkout@v5
@@ -28,102 +24,70 @@ jobs:
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3
with: with:
platforms: arm64 platforms: linux/amd64,linux/arm64,linux/arm/v7
- name: Setup Blacksmith Builder - name: Setup Docker Buildx
uses: useblacksmith/setup-docker-builder@v1 uses: docker/setup-buildx-action@v3
- name: Cache npm dependencies - name: Determine tags
uses: actions/cache@v4 id: tags
with: run: |
path: | VERSION=${{ github.event.inputs.version }}
~/.npm PROD=${{ github.event.inputs.production }}
node_modules
*/*/node_modules
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Cache Docker layers TAGS=()
uses: actions/cache@v4 ALL_TAGS=()
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.ref_name }}-${{ hashFiles('docker/Dockerfile') }}
restore-keys: |
${{ runner.os }}-buildx-${{ github.ref_name }}-
${{ runner.os }}-buildx-
- name: Login to GitHub Container Registry if [ "$PROD" = "true" ]; then
if: github.event.inputs.registry != 'dockerhub' # Production build → push release + latest to both GHCR and Docker Hub
TAGS+=("release-$VERSION" "latest")
for tag in "${TAGS[@]}"; do
ALL_TAGS+=("ghcr.io/lukegus/termix:$tag")
ALL_TAGS+=("docker.io/bugattiguy527/termix:$tag")
done
else
# Dev build → push only dev-x.x.x to GHCR
TAGS+=("dev-$VERSION")
for tag in "${TAGS[@]}"; do
ALL_TAGS+=("ghcr.io/lukegus/termix:$tag")
done
fi
echo "ALL_TAGS=${ALL_TAGS[*]}" >> $GITHUB_ENV
echo "All tags to build:"
printf '%s\n' "${ALL_TAGS[@]}"
- name: Login to GHCR
uses: docker/login-action@v3 uses: docker/login-action@v3
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: lukegus
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GHCR_TOKEN }}
- name: Login to Docker Hub - name: Login to Docker Hub (prod only)
if: github.event.inputs.registry == 'dockerhub' if: ${{ github.event.inputs.production == 'true' }}
uses: docker/login-action@v3 uses: docker/login-action@v3
with: with:
username: bugattiguy527 username: bugattiguy527
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Determine Docker image tag - name: Build and push multi-arch image
run: | uses: docker/build-push-action@v5
REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')
echo "REPO_OWNER=$REPO_OWNER" >> $GITHUB_ENV
if [ "${{ github.event.inputs.tag_name }}" != "" ]; then
IMAGE_TAG="${{ github.event.inputs.tag_name }}"
elif [ "${{ github.ref }}" == "refs/heads/main" ]; then
IMAGE_TAG="latest"
elif [ "${{ github.ref }}" == "refs/heads/development" ]; then
IMAGE_TAG="development-latest"
else
IMAGE_TAG="${{ github.ref_name }}"
fi
echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
# Determine registry and image name
if [ "${{ github.event.inputs.registry }}" == "dockerhub" ]; then
echo "REGISTRY=docker.io" >> $GITHUB_ENV
echo "IMAGE_NAME=bugattiguy527/termix" >> $GITHUB_ENV
else
echo "REGISTRY=ghcr.io" >> $GITHUB_ENV
echo "IMAGE_NAME=$REPO_OWNER/termix" >> $GITHUB_ENV
fi
- name: Build and Push Multi-Arch Docker Image
uses: useblacksmith/build-push-action@v2
with: with:
context: . context: .
file: ./docker/Dockerfile file: ./docker/Dockerfile
push: true push: true
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64,linux/arm/v7
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} tags: ${{ env.ALL_TAGS }}
labels: |
org.opencontainers.image.source=https://github.com/${{ github.repository }}
org.opencontainers.image.revision=${{ github.sha }}
build-args: | build-args: |
BUILDKIT_INLINE_CACHE=1 BUILDKIT_INLINE_CACHE=1
BUILDKIT_CONTEXT_KEEP_GIT_DIR=1 BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
labels: |
org.opencontainers.image.source=https://github.com/${{ github.repository }}
org.opencontainers.image.revision=${{ github.sha }}
outputs: type=registry,compression=zstd,compression-level=19 outputs: type=registry,compression=zstd,compression-level=19
- name: Move cache - name: Cleanup Docker
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
- name: Delete all untagged image versions
if: success() && github.event.inputs.registry != 'dockerhub'
uses: quartx-analytics/ghcr-cleaner@v1
with:
owner-type: user
token: ${{ secrets.GHCR_TOKEN }}
repository-owner: ${{ github.repository_owner }}
delete-untagged: true
- name: Cleanup Docker Images Locally
if: always() if: always()
run: | run: |
docker image prune -af docker image prune -af
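Review bot: `VERSION=${{ github.event.inputs.version }}` and `PROD=${{ github.event.inputs.production }}` in the Determine tags step splice workflow_dispatch inputs straight into the shell script, so a version such as `1.8.0; <command>` runs as code on the runner in a job that holds `GHCR_TOKEN` and `DOCKERHUB_TOKEN`; pass the inputs through `env:`, quote them, and reject anything that is not a plain dotted version, since the value also becomes the pushed image tag. The same hunk replaces the job-scoped `GITHUB_TOKEN` with the long-lived `GHCR_TOKEN` personal access token and a hard-coded `username: lukegus`; if that PAT was only needed by the removed ghcr-cleaner step, `GITHUB_TOKEN` under a `permissions: packages: write` block is the smaller credential for the push. The new `docker/setup-buildx-action@v3` and `docker/build-push-action@v5` references are tag-pinned like the existing ones; pinning to commit SHAs would close the mutable-tag window in a pipeline that publishes `latest`.
```yaml
      - name: Determine tags
        id: tags
        env:
          VERSION: ${{ github.event.inputs.version }}
          PROD: ${{ github.event.inputs.production }}
        run: |
          # Inputs arrive as environment variables, never as script text.
          if ! [[ "$VERSION" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
            echo "invalid version: $VERSION" >&2
            exit 1
          fi
          # … unchanged: TAGS / ALL_TAGS construction and GITHUB_ENV export …
```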


@@ -82,7 +82,7 @@ COPY --chown=node:node package.json ./
VOLUME ["/app/data"] VOLUME ["/app/data"]
EXPOSE ${PORT} 30001 30002 30003 30004 30005 300006 EXPOSE ${PORT} 30001 30002 30003 30004 30005 30006
COPY docker/entrypoint.sh /entrypoint.sh COPY docker/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh RUN chmod +x /entrypoint.sh


@@ -901,17 +901,40 @@ app.post(
const userId = (req as AuthenticatedRequest).userId; const userId = (req as AuthenticatedRequest).userId;
const { password } = req.body; const { password } = req.body;
const mainDb = getDb();
if (!password) { const userRecords = await mainDb
return res.status(400).json({ .select()
error: "Password required for import", .from(users)
code: "PASSWORD_REQUIRED", .where(eq(users.id, userId));
});
if (!userRecords || userRecords.length === 0) {
return res.status(404).json({ error: "User not found" });
} }
const unlocked = await authManager.authenticateUser(userId, password); const isOidcUser = !!userRecords[0].is_oidc;
if (!unlocked) {
return res.status(401).json({ error: "Invalid password" }); if (!isOidcUser) {
// Local accounts still prove knowledge of the password so their DEK can be derived again.
if (!password) {
return res.status(400).json({
error: "Password required for import",
code: "PASSWORD_REQUIRED",
});
}
const unlocked = await authManager.authenticateUser(userId, password);
if (!unlocked) {
return res.status(401).json({ error: "Invalid password" });
}
} else if (!DataCrypto.getUserDataKey(userId)) {
// OIDC users skip the password prompt; make sure their DEK is unlocked via the OIDC session.
const oidcUnlocked = await authManager.authenticateOIDCUser(userId);
if (!oidcUnlocked) {
return res.status(403).json({
error: "Failed to unlock user data with SSO credentials",
});
}
} }
apiLogger.info("Importing SQLite data", { apiLogger.info("Importing SQLite data", {
@@ -922,7 +945,14 @@ app.post(
mimetype: req.file.mimetype, mimetype: req.file.mimetype,
}); });
const userDataKey = DataCrypto.getUserDataKey(userId); let userDataKey = DataCrypto.getUserDataKey(userId);
if (!userDataKey && isOidcUser) {
// authenticateOIDCUser lazily provisions the session key; retry the fetch when it succeeds.
const oidcUnlocked = await authManager.authenticateOIDCUser(userId);
if (oidcUnlocked) {
userDataKey = DataCrypto.getUserDataKey(userId);
}
}
if (!userDataKey) { if (!userDataKey) {
throw new Error("User data not unlocked"); throw new Error("User data not unlocked");
} }
@@ -976,7 +1006,6 @@ app.post(
}; };
try { try {
const mainDb = getDb();
try { try {
const importedHosts = importDb const importedHosts = importDb
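Review bot: The new branch `} else if (!DataCrypto.getUserDataKey(userId))` removes the step-up check entirely for SSO accounts whose data key is already unlocked — a valid session JWT alone is then enough to import a SQLite file into the account, while local accounts must still re-prove their password on the same request. Unless `authenticateOIDCUser` re-validates the live identity-provider session (not visible here), consider calling it for every OIDC user rather than only when the key is missing, or gating the import behind a recent-login check, so a leaked session token cannot drive the import on its own. The retry added in the second hunk (`if (!userDataKey && isOidcUser)`) repeats the same unlock, so one of the two can go once the first branch always runs; a comment such as `// Import overwrites user data: both account types must re-establish identity here, not just possess a session.` would record the intent. The `app.post` handler begins before this hunk and continues after it.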


@@ -239,12 +239,19 @@ class AuthManager {
createAdminMiddleware() { createAdminMiddleware() {
return async (req: Request, res: Response, next: NextFunction) => { return async (req: Request, res: Response, next: NextFunction) => {
const authHeader = req.headers["authorization"]; let token = req.cookies?.jwt;
if (!authHeader?.startsWith("Bearer ")) {
return res.status(401).json({ error: "Missing Authorization header" }); if (!token) {
const authHeader = req.headers["authorization"];
if (authHeader?.startsWith("Bearer ")) {
token = authHeader.split(" ")[1];
}
}
if (!token) {
return res.status(401).json({ error: "Missing authentication token" });
} }
const token = authHeader.split(" ")[1];
const payload = await this.verifyJWTToken(token); const payload = await this.verifyJWTToken(token);
if (!payload) { if (!payload) {
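Review bot: `let token = req.cookies?.jwt;` makes the admin middleware accept a cookie-borne JWT, and the hunk adds no CSRF defence alongside it — unless the `jwt` cookie is set with a restrictive `SameSite` attribute (not visible here), a cross-origin form or credentialed fetch can now drive admin endpoints with the victim's cookie, which the header-only scheme did not allow. The cookie also takes precedence over an explicit `Authorization: Bearer` header, so a request that deliberately authenticates as one principal may be evaluated as another when both are present; reading the header first removes that ambiguity: `const authHeader = req.headers["authorization"];` / `let token = authHeader?.startsWith("Bearer ") ? authHeader.split(" ")[1] : undefined;` / `if (!token) token = req.cookies?.jwt;`. The handler returned by createAdminMiddleware continues past the end of the hunk.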


@@ -45,6 +45,8 @@ import {
makeUserAdmin, makeUserAdmin,
removeAdminStatus, removeAdminStatus,
deleteUser, deleteUser,
getUserInfo,
getCookie,
isElectron, isElectron,
} from "@/ui/main-axios.ts"; } from "@/ui/main-axios.ts";
@@ -94,6 +96,14 @@ export function AdminSettings({
null, null,
); );
const [securityInitialized, setSecurityInitialized] = React.useState(true);
const [currentUser, setCurrentUser] = React.useState<{
id: string;
username: string;
is_admin: boolean;
is_oidc: boolean;
} | null>(null);
const [exportLoading, setExportLoading] = React.useState(false); const [exportLoading, setExportLoading] = React.useState(false);
const [importLoading, setImportLoading] = React.useState(false); const [importLoading, setImportLoading] = React.useState(false);
const [importFile, setImportFile] = React.useState<File | null>(null); const [importFile, setImportFile] = React.useState<File | null>(null);
@@ -101,6 +111,11 @@ export function AdminSettings({
const [showPasswordInput, setShowPasswordInput] = React.useState(false); const [showPasswordInput, setShowPasswordInput] = React.useState(false);
const [importPassword, setImportPassword] = React.useState(""); const [importPassword, setImportPassword] = React.useState("");
const requiresImportPassword = React.useMemo(
() => !currentUser?.is_oidc,
[currentUser?.is_oidc],
);
React.useEffect(() => { React.useEffect(() => {
if (isElectron()) { if (isElectron()) {
const serverUrl = (window as { configuredServerUrl?: string }) const serverUrl = (window as { configuredServerUrl?: string })
@@ -119,6 +134,23 @@ export function AdminSettings({
toast.error(t("admin.failedToFetchOidcConfig")); toast.error(t("admin.failedToFetchOidcConfig"));
} }
}); });
// Capture the current session so we know whether to ask for a password later.
getUserInfo()
.then((info) => {
if (info) {
setCurrentUser({
id: info.userId,
username: info.username,
is_admin: info.is_admin,
is_oidc: info.is_oidc,
});
}
})
.catch((err) => {
if (!err?.message?.includes("No server configured")) {
console.warn("Failed to fetch current user info", err);
}
});
fetchUsers(); fetchUsers();
}, []); }, []);
@@ -372,7 +404,7 @@ export function AdminSettings({
return; return;
} }
if (!importPassword.trim()) { if (requiresImportPassword && !importPassword.trim()) {
toast.error(t("admin.passwordRequired")); toast.error(t("admin.passwordRequired"));
return; return;
} }
@@ -395,7 +427,10 @@ export function AdminSettings({
const formData = new FormData(); const formData = new FormData();
formData.append("file", importFile); formData.append("file", importFile);
formData.append("password", importPassword); if (requiresImportPassword) {
// Preserve the existing password flow for non-OIDC accounts.
formData.append("password", importPassword);
}
const response = await fetch(apiUrl, { const response = await fetch(apiUrl, {
method: "POST", method: "POST",
@@ -1016,7 +1051,8 @@ export function AdminSettings({
</span> </span>
</Button> </Button>
</div> </div>
{importFile && ( {/* Only render the password field when a local account is performing the import. */}
{importFile && requiresImportPassword && (
<div className="space-y-2"> <div className="space-y-2">
<Label htmlFor="import-password">Password</Label> <Label htmlFor="import-password">Password</Label>
<PasswordInput <PasswordInput
@@ -1035,7 +1071,9 @@ export function AdminSettings({
<Button <Button
onClick={handleImportDatabase} onClick={handleImportDatabase}
disabled={ disabled={
importLoading || !importFile || !importPassword.trim() importLoading ||
!importFile ||
(requiresImportPassword && !importPassword.trim())
} }
className="w-full" className="w-full"
> >
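Review bot: `requiresImportPassword` at `() => !currentUser?.is_oidc` falls back to requiring a password while `currentUser` is still `null` (before `getUserInfo()` resolves, or after it fails and only logs a warning), which is the safe direction but is stated nowhere; a comment would keep a later edit from inverting it, e.g. `// currentUser null (info not loaded or fetch failed) => treat as a local account and ask for the password; this is a UI hint only, the server applies its own check.` `getCookie` is added to the import list but none of the shown hunks use it; if nothing else in the file does either, drop it.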