ad86c2040b
* fix select edit host but not update view (#438) * fix: Checksum issue with chocolatey * fix: Remove homebrew old stuff * Add Korean translation (#439) Co-authored-by: 송준우 <2484@coreit.co.kr> * feat: Automate flatpak * fix: Add imagemagik to electron builder to resolve build error * fix: Build error with runtime repo flag * fix: Flatpak runtime error and install freedesktop ver warning * fix: Flatpak runtime error and install freedesktop ver warning * feat: Re-add homebrew cask and move scripts to backend * fix: No sandbox flag issue * fix: Change name for electron macos cask output * fix: Sandbox error with Linux * fix: Remove comming soon for app stores in readme * Adding Comment at the end of the public_key on the host on deploy (#440) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * -Add New Interface for Credential DB -Add Credential Name as a comment into the server authorized_key file --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Sudo auto fill password (#441) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Feature Sudo password auto-fill; * Fix locale json shema; --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Added Italian Language; (#445) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Added Italian Language; --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Auto collapse snippet folders (#448) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * feat: Add collapsable snippets (customizable in user profile) * Translations (#447) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Added Italian Language; * Fix translations; Removed duplicate keys, synchronised other languages using English as the source, translated added keys, fixed inaccurate translations. --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * Remove PTY-level keepalive (#449) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Remove PTY-level keepalive to prevent unwanted terminal output; use SSH-level keepalive instead --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * feat: Seperate server stats and tunnel management (improved both UI's) then started initial docker implementation * fix: finalize adding docker to db * feat: Add docker management support (local squash) * Fix RBAC role system bugs and improve UX (#446) * Fix RBAC role system bugs and improve UX - Fix user list dropdown selection in host sharing - Fix role sharing permissions to include role-based access - Fix translation template interpolation for success messages - Standardize system roles to admin and user only - Auto-assign user role to new registrations - Remove blocking confirmation dialogs in modal contexts - Add missing i18n keys for common actions - Fix button type to prevent unintended form submissions * Enhance RBAC system with UI improvements and security fixes - Move role assignment to Users tab with per-user role management - Protect system roles (admin/user) from editing and manual assignment - Simplify permission system: remove Use level, keep View and Manage - Hide Update button and Sharing tab for view-only/shared hosts - Prevent users from sharing hosts with themselves - Unify table and modal styling across admin panels - Auto-assign system roles on user registration - Add permission metadata to host interface * Add empty state message for role assignment - Display helpful message when no custom roles available - Clarify that system roles are auto-assigned - Add noCustomRolesToAssign translation in English and Chinese * fix: Prevent credential sharing errors for shared hosts - Skip credential resolution for shared hosts with credential authentication to prevent decryption errors (credentials are encrypted per-user) - Add warning alert in sharing tab when host uses credential authentication - Inform users that shared users cannot connect to credential-based hosts - Add translations for credential sharing warning (EN/ZH) This prevents authentication failures when sharing hosts configured with credential authentication while maintaining security by keeping credentials isolated per user. * feat: Improve rbac UI and fixes some bugs --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> Co-authored-by: LukeGus <bugattiguy527@gmail.com> * SOCKS5 support (#452) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * SOCKS5 support Adding single and chain socks5 proxy support * fix: cleanup files --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> Co-authored-by: LukeGus <bugattiguy527@gmail.com> * Notes and Expiry fields add (#453) * Add termix.rb Cask file * Update Termix to version 1.9.0 with new checksum * Update README to remove 'coming soon' notes * Notes and Expiry add * fix: cleanup files --------- Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> Co-authored-by: LukeGus <bugattiguy527@gmail.com> * fix: ssh host types * fix: sudo incorrect styling and remove expiration date * feat: add sudo password and add diagonal bg's * fix: snippet running on enter key * fix: base64 decoding * fix: improve server stats / rbac * fix: wrap ssh host json export in hosts array * feat: auto trim host inputs, fix file manager jump hosts, dashboard prevent duplicates, file manager terminal not size updating, improve left sidebar sorting, hide/show tags, add apperance user profile tab, add new host manager tabs. * feat: improve terminal connection speed * fix: sqlite constriant errors and support non-root user (nginx perm issue) * feat: add beta syntax highlighing to terminal * feat: update imports and improve admin settings user management * chore: update translations * chore: update translations * feat: Complete light mode implementation with semantic theme system (#450) - Add comprehensive light/dark mode CSS variables with semantic naming - Implement theme-aware scrollbars using CSS variables - Add light mode backgrounds: --bg-base, --bg-elevated, --bg-surface, etc. - Add theme-aware borders: --border-base, --border-panel, --border-subtle - Add semantic text colors: --foreground-secondary, --foreground-subtle - Convert oklch colors to hex for better compatibility - Add theme awareness to CodeMirror editors - Update dark mode colors for consistency (background, sidebar, card, muted, input) - Add Tailwind color mappings for semantic classes Co-authored-by: Luke Gustafson <88517757+LukeGus@users.noreply.github.com> * fix: syntax errors * chore: updating/match themes and split admin settings * feat: add translation workflow and remove old translation.json * fix: translation workflow error * fix: translation workflow error * feat: improve translation system and update workflow * fix: wrong path for translations * fix: change translation to flat files * fix: gh rule error * chore: auto-translate to multiple languages (#458) * chore: improve organization and made a few styling changes in host manager * feat: improve terminal stability and split out the host manager * fix: add unnversiioned files * chore: migrate all to use the new theme system * fix: wrong animation line colors * fix: rbac implementation general issues (local squash) * fix: remove unneeded files * feat: add 10 new langs * chore: update gitnore * chore: auto-translate to multiple languages (#459) * fix: improve tunnel system * fix: properly split tabs, still need to fix up the host manager * chore: cleanup files (possible RC) * feat: add norwegian * chore: auto-translate to multiple languages (#461) * fix: small qol fixes and began readme update * fix: run cleanup script * feat: add docker docs button * feat: general bug fixes and readme updates * fix: translations * chore: auto-translate to multiple languages (#462) * fix: cleanup files * fix: test new translation issue and add better server-stats support * fix: fix translate error * chore: auto-translate to multiple languages (#463) * fix: fix translate mismatching text * chore: auto-translate to multiple languages (#465) * fix: fix translate mismatching text * fix: fix translate mismatching text * chore: auto-translate to multiple languages (#466) * fix: fix translate mismatching text * fix: fix translate mismatching text * fix: fix translate mismatching text * chore: auto-translate to multiple languages (#467) * fix: fix translate mismatching text * chore: auto-translate to multiple languages (#468) * feat: add to readme, a few qol changes, and improve server stats in general * chore: auto-translate to multiple languages (#469) * feat: turned disk uage into graph and fixed issue with termina console * fix: electron build error and hide icons when shared * chore: run clean * fix: general server stats issues, file manager decoding, ui qol * fix: add dashboard line breaks * fix: docker console error * fix: docker console not loading and mismatched stripped background for electron * fix: docker console not loading * chore: docker console not loading in docker * chore: translate readme to chinese * chore: match package lock to package json * chore: nginx config issue for dokcer console * chore: auto-translate to multiple languages (#470) --------- Co-authored-by: Tran Trung Kien <kientt13.7@gmail.com> Co-authored-by: junu <bigdwarf_@naver.com> Co-authored-by: 송준우 <2484@coreit.co.kr> Co-authored-by: SlimGary <trash.slim@gmail.com> Co-authored-by: Nunzio Marfè <nunzio.marfe@protonmail.com> Co-authored-by: Wesley Reid <starhound@lostsouls.org> Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com> Co-authored-by: Denis <38875137+Medvedinca@users.noreply.github.com> Co-authored-by: Peet McKinney <68706879+PeetMcK@users.noreply.github.com>
356 lines
10 KiB
TypeScript
356 lines
10 KiB
TypeScript
import crypto from "crypto";
|
|
import { promises as fs } from "fs";
|
|
import path from "path";
|
|
import { databaseLogger } from "./logger.js";
|
|
|
|
class SystemCrypto {
|
|
private static instance: SystemCrypto;
|
|
private jwtSecret: string | null = null;
|
|
private databaseKey: Buffer | null = null;
|
|
private internalAuthToken: string | null = null;
|
|
private credentialSharingKey: Buffer | null = null;
|
|
|
|
private constructor() {}
|
|
|
|
static getInstance(): SystemCrypto {
|
|
if (!this.instance) {
|
|
this.instance = new SystemCrypto();
|
|
}
|
|
return this.instance;
|
|
}
|
|
|
|
async initializeJWTSecret(): Promise<void> {
|
|
try {
|
|
const envSecret = process.env.JWT_SECRET;
|
|
if (envSecret && envSecret.length >= 64) {
|
|
this.jwtSecret = envSecret;
|
|
return;
|
|
}
|
|
|
|
const dataDir = process.env.DATA_DIR || "./db/data";
|
|
const envPath = path.join(dataDir, ".env");
|
|
|
|
try {
|
|
const envContent = await fs.readFile(envPath, "utf8");
|
|
const jwtMatch = envContent.match(/^JWT_SECRET=(.+)$/m);
|
|
if (jwtMatch && jwtMatch[1] && jwtMatch[1].length >= 64) {
|
|
this.jwtSecret = jwtMatch[1];
|
|
process.env.JWT_SECRET = jwtMatch[1];
|
|
databaseLogger.success("JWT secret loaded from .env file", {
|
|
operation: "jwt_init_from_file_success",
|
|
secretLength: jwtMatch[1].length,
|
|
secretPrefix: jwtMatch[1].substring(0, 8) + "...",
|
|
});
|
|
return;
|
|
} else {
|
|
databaseLogger.warn(
|
|
"JWT_SECRET in .env file is invalid or too short",
|
|
{
|
|
operation: "jwt_init_invalid_secret",
|
|
hasMatch: !!jwtMatch,
|
|
secretLength: jwtMatch?.[1]?.length || 0,
|
|
},
|
|
);
|
|
}
|
|
} catch (fileError) {}
|
|
|
|
await this.generateAndGuideUser();
|
|
} catch (error) {
|
|
databaseLogger.error("Failed to initialize JWT secret", error, {
|
|
operation: "jwt_init_failed",
|
|
});
|
|
throw new Error("JWT secret initialization failed");
|
|
}
|
|
}
|
|
|
|
async getJWTSecret(): Promise<string> {
|
|
if (!this.jwtSecret) {
|
|
await this.initializeJWTSecret();
|
|
}
|
|
return this.jwtSecret!;
|
|
}
|
|
|
|
async initializeDatabaseKey(): Promise<void> {
|
|
try {
|
|
const dataDir = process.env.DATA_DIR || "./db/data";
|
|
const envPath = path.join(dataDir, ".env");
|
|
|
|
const envKey = process.env.DATABASE_KEY;
|
|
if (envKey && envKey.length >= 64) {
|
|
this.databaseKey = Buffer.from(envKey, "hex");
|
|
const keyFingerprint = crypto
|
|
.createHash("sha256")
|
|
.update(this.databaseKey)
|
|
.digest("hex")
|
|
.substring(0, 16);
|
|
|
|
return;
|
|
}
|
|
|
|
try {
|
|
const envContent = await fs.readFile(envPath, "utf8");
|
|
const dbKeyMatch = envContent.match(/^DATABASE_KEY=(.+)$/m);
|
|
if (dbKeyMatch && dbKeyMatch[1] && dbKeyMatch[1].length >= 64) {
|
|
this.databaseKey = Buffer.from(dbKeyMatch[1], "hex");
|
|
process.env.DATABASE_KEY = dbKeyMatch[1];
|
|
|
|
const keyFingerprint = crypto
|
|
.createHash("sha256")
|
|
.update(this.databaseKey)
|
|
.digest("hex")
|
|
.substring(0, 16);
|
|
|
|
return;
|
|
} else {
|
|
}
|
|
} catch (fileError) {}
|
|
|
|
await this.generateAndGuideDatabaseKey();
|
|
} catch (error) {
|
|
databaseLogger.error("Failed to initialize database key", error, {
|
|
operation: "db_key_init_failed",
|
|
dataDir: process.env.DATA_DIR || "./db/data",
|
|
});
|
|
throw new Error("Database key initialization failed");
|
|
}
|
|
}
|
|
|
|
async getDatabaseKey(): Promise<Buffer> {
|
|
if (!this.databaseKey) {
|
|
await this.initializeDatabaseKey();
|
|
}
|
|
return this.databaseKey!;
|
|
}
|
|
|
|
async initializeInternalAuthToken(): Promise<void> {
|
|
try {
|
|
const envToken = process.env.INTERNAL_AUTH_TOKEN;
|
|
if (envToken && envToken.length >= 32) {
|
|
this.internalAuthToken = envToken;
|
|
return;
|
|
}
|
|
|
|
const dataDir = process.env.DATA_DIR || "./db/data";
|
|
const envPath = path.join(dataDir, ".env");
|
|
|
|
try {
|
|
const envContent = await fs.readFile(envPath, "utf8");
|
|
const tokenMatch = envContent.match(/^INTERNAL_AUTH_TOKEN=(.+)$/m);
|
|
if (tokenMatch && tokenMatch[1] && tokenMatch[1].length >= 32) {
|
|
this.internalAuthToken = tokenMatch[1];
|
|
process.env.INTERNAL_AUTH_TOKEN = tokenMatch[1];
|
|
return;
|
|
}
|
|
} catch (error) {}
|
|
|
|
await this.generateAndGuideInternalAuthToken();
|
|
} catch (error) {
|
|
databaseLogger.error("Failed to initialize internal auth token", error, {
|
|
operation: "internal_auth_init_failed",
|
|
});
|
|
throw new Error("Internal auth token initialization failed");
|
|
}
|
|
}
|
|
|
|
async getInternalAuthToken(): Promise<string> {
|
|
if (!this.internalAuthToken) {
|
|
await this.initializeInternalAuthToken();
|
|
}
|
|
return this.internalAuthToken!;
|
|
}
|
|
|
|
async initializeCredentialSharingKey(): Promise<void> {
|
|
try {
|
|
const dataDir = process.env.DATA_DIR || "./db/data";
|
|
const envPath = path.join(dataDir, ".env");
|
|
|
|
const envKey = process.env.CREDENTIAL_SHARING_KEY;
|
|
if (envKey && envKey.length >= 64) {
|
|
this.credentialSharingKey = Buffer.from(envKey, "hex");
|
|
return;
|
|
}
|
|
|
|
try {
|
|
const envContent = await fs.readFile(envPath, "utf8");
|
|
const csKeyMatch = envContent.match(/^CREDENTIAL_SHARING_KEY=(.+)$/m);
|
|
if (csKeyMatch && csKeyMatch[1] && csKeyMatch[1].length >= 64) {
|
|
this.credentialSharingKey = Buffer.from(csKeyMatch[1], "hex");
|
|
process.env.CREDENTIAL_SHARING_KEY = csKeyMatch[1];
|
|
return;
|
|
}
|
|
} catch (fileError) {}
|
|
|
|
await this.generateAndGuideCredentialSharingKey();
|
|
} catch (error) {
|
|
databaseLogger.error(
|
|
"Failed to initialize credential sharing key",
|
|
error,
|
|
{
|
|
operation: "cred_sharing_key_init_failed",
|
|
dataDir: process.env.DATA_DIR || "./db/data",
|
|
},
|
|
);
|
|
throw new Error("Credential sharing key initialization failed");
|
|
}
|
|
}
|
|
|
|
async getCredentialSharingKey(): Promise<Buffer> {
|
|
if (!this.credentialSharingKey) {
|
|
await this.initializeCredentialSharingKey();
|
|
}
|
|
return this.credentialSharingKey!;
|
|
}
|
|
|
|
private async generateAndGuideUser(): Promise<void> {
|
|
const newSecret = crypto.randomBytes(32).toString("hex");
|
|
const instanceId = crypto.randomBytes(8).toString("hex");
|
|
|
|
this.jwtSecret = newSecret;
|
|
|
|
await this.updateEnvFile("JWT_SECRET", newSecret);
|
|
|
|
databaseLogger.success("JWT secret auto-generated and saved to .env", {
|
|
operation: "jwt_auto_generated",
|
|
instanceId,
|
|
envVarName: "JWT_SECRET",
|
|
note: "Ready for use - no restart required",
|
|
});
|
|
}
|
|
|
|
private async generateAndGuideDatabaseKey(): Promise<void> {
|
|
const newKey = crypto.randomBytes(32);
|
|
const newKeyHex = newKey.toString("hex");
|
|
const instanceId = crypto.randomBytes(8).toString("hex");
|
|
|
|
this.databaseKey = newKey;
|
|
|
|
await this.updateEnvFile("DATABASE_KEY", newKeyHex);
|
|
|
|
databaseLogger.success("Database key auto-generated and saved to .env", {
|
|
operation: "db_key_auto_generated",
|
|
instanceId,
|
|
envVarName: "DATABASE_KEY",
|
|
note: "Ready for use - no restart required",
|
|
});
|
|
}
|
|
|
|
private async generateAndGuideInternalAuthToken(): Promise<void> {
|
|
const newToken = crypto.randomBytes(32).toString("hex");
|
|
const instanceId = crypto.randomBytes(8).toString("hex");
|
|
|
|
this.internalAuthToken = newToken;
|
|
|
|
await this.updateEnvFile("INTERNAL_AUTH_TOKEN", newToken);
|
|
|
|
databaseLogger.success(
|
|
"Internal auth token auto-generated and saved to .env",
|
|
{
|
|
operation: "internal_auth_auto_generated",
|
|
instanceId,
|
|
envVarName: "INTERNAL_AUTH_TOKEN",
|
|
note: "Ready for use - no restart required",
|
|
},
|
|
);
|
|
}
|
|
|
|
private async generateAndGuideCredentialSharingKey(): Promise<void> {
|
|
const newKey = crypto.randomBytes(32);
|
|
const newKeyHex = newKey.toString("hex");
|
|
const instanceId = crypto.randomBytes(8).toString("hex");
|
|
|
|
this.credentialSharingKey = newKey;
|
|
|
|
await this.updateEnvFile("CREDENTIAL_SHARING_KEY", newKeyHex);
|
|
|
|
databaseLogger.success(
|
|
"Credential sharing key auto-generated and saved to .env",
|
|
{
|
|
operation: "cred_sharing_key_auto_generated",
|
|
instanceId,
|
|
envVarName: "CREDENTIAL_SHARING_KEY",
|
|
note: "Used for offline credential sharing - no restart required",
|
|
},
|
|
);
|
|
}
|
|
|
|
async validateJWTSecret(): Promise<boolean> {
|
|
try {
|
|
const secret = await this.getJWTSecret();
|
|
if (!secret || secret.length < 32) {
|
|
return false;
|
|
}
|
|
|
|
const jwt = await import("jsonwebtoken");
|
|
const testPayload = { test: true, timestamp: Date.now() };
|
|
const token = jwt.default.sign(testPayload, secret, { expiresIn: "1s" });
|
|
const decoded = jwt.default.verify(token, secret);
|
|
|
|
return !!decoded;
|
|
} catch (error) {
|
|
databaseLogger.error("JWT secret validation failed", error, {
|
|
operation: "jwt_validation_failed",
|
|
});
|
|
return false;
|
|
}
|
|
}
|
|
|
|
async getSystemKeyStatus() {
|
|
const isValid = await this.validateJWTSecret();
|
|
const hasSecret = this.jwtSecret !== null;
|
|
|
|
const hasEnvVar = !!(
|
|
process.env.JWT_SECRET && process.env.JWT_SECRET.length >= 64
|
|
);
|
|
|
|
return {
|
|
hasSecret,
|
|
isValid,
|
|
storage: {
|
|
environment: hasEnvVar,
|
|
},
|
|
algorithm: "HS256",
|
|
note: "Using simplified key management without encryption layers",
|
|
};
|
|
}
|
|
|
|
private async updateEnvFile(key: string, value: string): Promise<void> {
|
|
const dataDir = process.env.DATA_DIR || "./db/data";
|
|
const envPath = path.join(dataDir, ".env");
|
|
|
|
try {
|
|
await fs.mkdir(dataDir, { recursive: true });
|
|
|
|
let envContent = "";
|
|
|
|
try {
|
|
envContent = await fs.readFile(envPath, "utf8");
|
|
} catch {
|
|
envContent = "# Termix Auto-generated Configuration\n\n";
|
|
}
|
|
|
|
const keyRegex = new RegExp(`^${key}=.*$`, "m");
|
|
|
|
if (keyRegex.test(envContent)) {
|
|
envContent = envContent.replace(keyRegex, `${key}=${value}`);
|
|
} else {
|
|
if (!envContent.includes("# Security Keys")) {
|
|
envContent += "\n# Security Keys (Auto-generated)\n";
|
|
}
|
|
envContent += `${key}=${value}\n`;
|
|
}
|
|
|
|
await fs.writeFile(envPath, envContent);
|
|
|
|
process.env[key] = value;
|
|
} catch (error) {
|
|
databaseLogger.error(`Failed to update .env file with ${key}`, error, {
|
|
operation: "env_file_update_failed",
|
|
key,
|
|
});
|
|
throw error;
|
|
}
|
|
}
|
|
}
|
|
|
|
export { SystemCrypto };
|