bda5556d37
Remediates the two web-console residuals from the 2026-07-05 posture audit: - Brute-force throttle (loginThrottle.ts): per-IP exponential backoff after 5 free attempts, plus a global floor for spread-out floods, keyed on the socket peer IP (not spoofable X-Forwarded-For) with a size-capped map. The constant-time compare already stopped the timing leak; this bounds guess *volume* against a by-design LAN-exposed console. - Session seal key now derives from the high-entropy mgmt token instead of the low-entropy login password, so a captured cookie is no longer an offline password oracle. Falls back to the password only when no token is configured (dev/local). Rotating the token now invalidates sessions. - Replace the process-wide NODE_TLS_REJECT_UNAUTHORIZED=0 with per-request Bun TLS scoped to the loopback proxy hop; a non-loopback mgmt URL now verifies normally. Dropped the env var from the systemd unit, Steam Deck installer, Windows run scripts, env examples, and web README. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
51 lines
2.4 KiB
TypeScript
51 lines
2.4 KiB
TypeScript
// /api/** → the management API. By the time we get here the gate (middleware/auth.ts) has
|
|
// confirmed an authenticated session. We inject the management bearer token server-side
|
|
// (the browser never sees it) and drop the browser's own cookies/auth from the upstream
|
|
// request, then proxy. The management API itself binds loopback only — this proxy is the
|
|
// ONLY path to it from the LAN, and it's authenticated.
|
|
import {
|
|
defineEventHandler,
|
|
getRequestURL,
|
|
proxyRequest,
|
|
setResponseStatus,
|
|
} from "h3";
|
|
import { isLoopbackUrl, mgmtToken, mgmtUrl } from "../../util/auth";
|
|
|
|
export default defineEventHandler((event) => {
|
|
const { pathname, search } = getRequestURL(event);
|
|
const base = mgmtUrl();
|
|
const target = `${base}${pathname}${search}`;
|
|
const token = mgmtToken();
|
|
// The mgmt API now requires a token always. Without one configured, forwarding an empty bearer
|
|
// would just bounce as 401 — fail fast and legibly instead (the packaged service sources the
|
|
// host's ~/.config/punktfunk/mgmt-token, so this only fires on a misconfigured/early-start deploy).
|
|
if (!token) {
|
|
setResponseStatus(event, 503);
|
|
return {
|
|
error:
|
|
"management token not configured (PUNKTFUNK_MGMT_TOKEN / ~/.config/punktfunk/mgmt-token)",
|
|
};
|
|
}
|
|
// TLS scoping (replaces the old process-wide NODE_TLS_REJECT_UNAUTHORIZED=0): the host presents a
|
|
// SELF-SIGNED, no-SAN identity cert on loopback, which normal verification rejects. We relax
|
|
// verification ONLY for this one loopback hop, via Bun's per-request `tls` option — so any OTHER
|
|
// outbound TLS the process ever makes still verifies normally (the global env unverified
|
|
// everything). If the operator points PUNKTFUNK_MGMT_URL at a NON-loopback host, we do NOT relax:
|
|
// a remote mgmt API must present a valid chain, which is stricter than the old blanket accept.
|
|
const fetchOptions = isLoopbackUrl(base)
|
|
? // `tls` is a Bun.fetch extension (the console runs on bun — Bun.serve/`bun .output/...`), not
|
|
// in the standard RequestInit type, so cast through unknown.
|
|
({ tls: { rejectUnauthorized: false } } as unknown as RequestInit)
|
|
: undefined;
|
|
|
|
return proxyRequest(event, target, {
|
|
fetchOptions,
|
|
headers: {
|
|
// Overwrite, not append: the host-held token replaces anything the browser sent.
|
|
authorization: `Bearer ${token}`,
|
|
// Don't forward the session cookie to the management API.
|
|
cookie: "",
|
|
},
|
|
});
|
|
});
|