enricobuehler
54b75c9be4
apple / swift (push) Successful in 55s
windows-host / package (push) Successful in 2m31s
android / android (push) Successful in 4m40s
ci / rust (push) Successful in 4m43s
ci / web (push) Successful in 30s
ci / docs-site (push) Successful in 34s
deb / build-publish (push) Successful in 2m9s
decky / build-publish (push) Successful in 11s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 14s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 21s
ci / bench (push) Successful in 4m44s
docker / deploy-docs (push) Successful in 19s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m6s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m19s
Follows the security audit (#5/#9): the GameStream-compat plane carries inherent on-path weaknesses that can't be fixed on the wire without breaking stock Moonlight — its pairing runs over plain HTTP (#9, MITM-able during the pairing window) and its legacy control encryption can reuse GCM nonces (#5, a passive eavesdropper can recover/forge input). The native punktfunk/1 plane (SPAKE2 PIN pairing + per-direction AEAD nonces) has neither. So flip the default to secure-by-default: - `serve` → native punktfunk/1 plane + management API ONLY (no GameStream surface). - `serve --gamestream` → ALSO the GameStream/Moonlight-compat planes (nvhttp pairing, RTSP, ENet control, _nvstream mDNS). Opt-in, logged with a trusted-LAN caveat. `--moonlight` is an alias. - The native plane is now ALWAYS on in `serve` (`--native` is a kept-for-compat no-op); the unified GameStream+native host is `serve --gamestream`. `gamestream::serve` gates the GameStream spawns (nvhttp/rtsp/control/mdns) on the flag; the native plane + mgmt + native-pairing handle always run. To avoid silently regressing validated Moonlight deployments, the explicit deployment configs PRESERVE Moonlight via `--gamestream` (each documents dropping it for a secure native-only host): the Linux systemd unit, the Steam Deck installer, and the Windows service default (DEFAULT_HOST_CMD). The bare `serve` default (new/manual use) is secure. Docs swept to match (host-cli, moonlight, quickstart, install, packaging READMEs, CLAUDE.md, README, …): Moonlight setup now instructs `--gamestream`; native/console refs use bare `serve`. OpenAPI regenerated (a stale "run `serve --native`" string). fmt + clippy clean; 94 host tests green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
104 lines
5.0 KiB
Markdown
104 lines
5.0 KiB
Markdown
# punktfunk web — management console
|
|
|
|
The browser UI for the punktfunk host's **management REST API** (`crates/punktfunk-host/src/mgmt.rs`,
|
|
OpenAPI at `docs/api/openapi.json`). It shows live status, host capabilities, paired
|
|
clients, the pairing-PIN flow, and session controls.
|
|
|
|
Stack: **TanStack Start** (full SSR) on **Bun** via **Nitro v2** (`bun` preset) · **React
|
|
Query** through **orval** codegen from the OpenAPI spec · **shadcn/ui** (Tailwind v4) ·
|
|
**Paraglide** i18n (en/de). Package manager + runtime: **Bun**.
|
|
|
|
## Develop
|
|
|
|
```sh
|
|
# from web/ — Bun is the toolchain (https://bun.sh)
|
|
bun install # runs `prepare` → codegen (orval + paraglide)
|
|
bun run dev # http://localhost:3000
|
|
|
|
# The dev server proxies /api → https://127.0.0.1:47990 (the host's mgmt API; it serves HTTPS
|
|
# with the host's self-signed identity cert — the dev proxy uses `secure: false`).
|
|
# Point it elsewhere: PUNKTFUNK_MGMT_URL=https://<host>:47990 bun run dev
|
|
```
|
|
|
|
Start a host with the management API up:
|
|
|
|
```sh
|
|
# from the repo root — `serve` brings up the native punktfunk/1 plane + the mgmt API (the console
|
|
# only needs the mgmt API; add --gamestream too if you also want the Moonlight surface):
|
|
WAYLAND_DISPLAY=wayland-kde XDG_CURRENT_DESKTOP=KDE \
|
|
cargo run -rp punktfunk-host -- serve
|
|
# loopback :47990, no token (a token is mandatory for non-loopback binds).
|
|
```
|
|
|
|
If the host runs with `--mgmt-token`, set it under **Settings → API token** (stored in
|
|
`localStorage`, sent as `Authorization: Bearer …` by the orval fetcher).
|
|
|
|
## Build & run (Nitro + Bun)
|
|
|
|
```sh
|
|
bun run build # → .output/ (Nitro server, `bun` preset, + .output/public assets)
|
|
PORT=3000 HOST=0.0.0.0 \
|
|
PUNKTFUNK_UI_PASSWORD=… PUNKTFUNK_MGMT_TOKEN=… \
|
|
PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 NODE_TLS_REJECT_UNAUTHORIZED=0 \
|
|
bun run start # = bun run .output/server/index.mjs
|
|
# (the mgmt API is HTTPS w/ the host's self-signed cert on loopback → the proxy's fetch needs
|
|
# NODE_TLS_REJECT_UNAUTHORIZED=0; it makes no other outbound TLS calls. See .env.example.)
|
|
bun run lint # tsc --noEmit
|
|
```
|
|
|
|
The built **Nitro Bun server** SSR-renders the app and is the only thing exposed on the LAN.
|
|
Run it on the same box as the host; it serves the console on `:3000` (or `$PORT`).
|
|
|
|
## Auth (backend-for-frontend)
|
|
|
|
Single-user, login-gated. Config via env (see `.env.example`):
|
|
|
|
- The console requires a **login** (`PUNKTFUNK_UI_PASSWORD`). On success the server sets a
|
|
**sealed session cookie** (h3 `useSession`, AES-GCM). `server/middleware/auth.ts` gates
|
|
*every* request — pages redirect to `/login`, `/api` returns 401 — and **fails closed**
|
|
(503) if `PUNKTFUNK_UI_PASSWORD` is unset, so a misconfigured LAN server admits no one.
|
|
- The **management API stays loopback-only + token** — never LAN-exposed. The web server
|
|
holds `PUNKTFUNK_MGMT_TOKEN` server-side and injects it when proxying `/api/**` →
|
|
`PUNKTFUNK_MGMT_URL` (`server/routes/api/[...].ts`). **The token never reaches the
|
|
browser**; the browser only ever holds the session cookie.
|
|
|
|
So: `browser ──password──▶ web server (session cookie) ──mgmt token, server-side──▶ mgmt API`.
|
|
Run the host with a matching token: `cargo run -rp punktfunk-host -- serve` +
|
|
`PUNKTFUNK_MGMT_TOKEN=…` (or `--mgmt-token …`). `vite dev` has no gate (localhost-only) and
|
|
proxies straight to the loopback mgmt API.
|
|
|
|
> Toolchain notes (load-bearing): TanStack Start's `start-plugin-core` peer-requires
|
|
> **Vite ≥ 7** — on Vite 6 the build's prerender/post-build hook silently doesn't run.
|
|
> `@vitejs/plugin-react` must match Vite (v5 ↔ Vite 7, v6 ↔ Vite 8); it's **required even
|
|
> for dev** (TanStack Start's dev mode needs the React Refresh runtime, else a blank
|
|
> screen). Nitro is the server target — without it `vite build` only emits client+SSR
|
|
> bundles, no deployable server. The Nitro `bun` preset makes `.output/server/index.mjs`
|
|
> Bun-runnable.
|
|
|
|
## Codegen
|
|
|
|
Generated code is **not committed** (gitignored) — reproduced from sources:
|
|
|
|
- `bun run codegen` — regenerate the API client (orval) + i18n runtime (paraglide). Runs on
|
|
`bun install` (`prepare`) and before `dev`/`build` (`pre*` for orval; the Vite plugin
|
|
compiles paraglide on dev/build).
|
|
- After a management-API change, regenerate the spec on the Rust side first:
|
|
`cargo run -p punktfunk-host -- openapi > docs/api/openapi.json`, then `bun run api:gen`.
|
|
|
|
## Layout
|
|
|
|
```
|
|
src/
|
|
routes/ file-based routes (index=dashboard, host, clients, pairing, settings)
|
|
components/
|
|
app-shell.tsx sidebar nav + language switcher
|
|
ui/ shadcn/ui primitives (button, card, table, …)
|
|
query-state.tsx loading/error wrapper (incl. 401 → "set a token")
|
|
api/
|
|
fetcher.ts orval mutator: base URL, bearer token, JSON, throwing ApiError
|
|
gen/ GENERATED react-query hooks + models (orval)
|
|
lib/i18n.ts reactive Paraglide locale hook
|
|
paraglide/ GENERATED i18n runtime (paraglide)
|
|
messages/{en,de}.json translation sources
|
|
```
|