diff --git a/Dockerfile b/Dockerfile index b0798e34..6ec9e23d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,8 +2,9 @@ FROM node:20-alpine AS builder WORKDIR /app -COPY package.json package-lock.json ./ -RUN npm ci +# COPY package.json package-lock.json ./ +COPY package.json ./ +RUN npm install COPY . . @@ -18,8 +19,9 @@ WORKDIR /app # Curl used for the health checks RUN apk add --no-cache curl -COPY package.json package-lock.json ./ -RUN npm ci --only=production && npm cache clean --force +# COPY package.json package-lock.json ./ +COPY package.json ./ +RUN npm install --only=production && npm cache clean --force COPY --from=builder /app/.next/standalone ./ COPY --from=builder /app/.next/static ./.next/static diff --git a/README.md b/README.md index 2cee8bff..5eb19098 100644 --- a/README.md +++ b/README.md @@ -34,53 +34,58 @@ _Your own self-hosted zero trust tunnel._ Pangolin is a self-hosted tunneled reverse proxy server with identity and access control, designed to securely expose private resources on distributed networks. Acting as a central hub, it connects isolated networks — even those behind restrictive firewalls — through encrypted tunnels, enabling easy access to remote services without opening ports. -Preview +Preview -_Sites page of Pangolin dashboard (dark mode) showing multiple tunnels connected to the central server._ +_Resources page of Pangolin dashboard (dark mode) showing multiple resources available to connect._ ## Key Features ### Reverse Proxy Through WireGuard Tunnel -- Expose private resources on your network **without opening ports** (firewall punching). -- Secure and easy to configure site-to-site connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt). -- Built-in support for any WireGuard client. -- Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/). -- Support for HTTP/HTTPS and **raw TCP/UDP services**. -- Load balancing. +- Expose private resources on your network **without opening ports** (firewall punching). +- Secure and easy to configure site-to-site connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt). +- Built-in support for any WireGuard client. +- Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/). +- Support for HTTP/HTTPS and **raw TCP/UDP services**. +- Load balancing. ### Identity & Access Management -- Centralized authentication system using platform SSO. **Users will only have to manage one login.** -- **Define access control rules for IPs, IP ranges, and URL paths per resource.** -- TOTP with backup codes for two-factor authentication. -- Create organizations, each with multiple sites, users, and roles. -- **Role-based access control** to manage resource access permissions. -- Additional authentication options include: - - Email whitelisting with **one-time passcodes.** - - **Temporary, self-destructing share links.** - - Resource specific pin codes. - - Resource specific passwords. +- Centralized authentication system using platform SSO. **Users will only have to manage one login.** +- **Define access control rules for IPs, IP ranges, and URL paths per resource.** +- TOTP with backup codes for two-factor authentication. +- Create organizations, each with multiple sites, users, and roles. +- **Role-based access control** to manage resource access permissions. +- Additional authentication options include: + - Email whitelisting with **one-time passcodes.** + - **Temporary, self-destructing share links.** + - Resource specific pin codes. + - Resource specific passwords. +- External identity provider (IdP) support with OAuth2/OIDC, such as Authentik, Keycloak, Okta, and others. + - Auto-provision users and roles from your IdP. ### Simple Dashboard UI -- Manage sites, users, and roles with a clean and intuitive UI. -- Monitor site usage and connectivity. -- Light and dark mode options. -- Mobile friendly. +- Manage sites, users, and roles with a clean and intuitive UI. +- Monitor site usage and connectivity. +- Light and dark mode options. +- Mobile friendly. ### Easy Deployment -- Run on any cloud provider or on-premises. -- **Docker Compose based setup** for simplified deployment. -- Future-proof installation script for streamlined setup and feature additions. -- Use any WireGuard client to connect, or use **Newt, our custom user space client** for the best experience. +- Run on any cloud provider or on-premises. +- **Docker Compose based setup** for simplified deployment. +- Future-proof installation script for streamlined setup and feature additions. +- Use any WireGuard client to connect, or use **Newt, our custom user space client** for the best experience. +- Use the API to create custom integrations and scripts. + - Fine-grained access control to the API via scoped API keys. + - Comprehensive Swagger documentation for the API. ### Modular Design -- Extend functionality with existing [Traefik](https://github.com/traefik/traefik) plugins, such as [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin) and [Geoblock](github.com/PascalMinder/geoblock). +- Extend functionality with existing [Traefik](https://github.com/traefik/traefik) plugins, such as [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin) and [Geoblock](github.com/PascalMinder/geoblock). - **Automatically install and configure Crowdsec via Pangolin's installer script.** -- Attach as many sites to the central server as you wish. +- Attach as many sites to the central server as you wish. Collage @@ -88,8 +93,8 @@ _Sites page of Pangolin dashboard (dark mode) showing multiple tunnels connected 1. **Deploy the Central Server**: - - Deploy the Docker Compose stack onto a VPS hosted on a cloud platform like RackNerd, Amazon EC2, DigitalOcean Droplet, or similar. There are many cheap VPS hosting options available to suit your needs. - + - Deploy the Docker Compose stack onto a VPS hosted on a cloud platform like RackNerd, Amazon EC2, DigitalOcean Droplet, or similar. There are many cheap VPS hosting options available to suit your needs. + > [!TIP] > Many of our users have had a great experience with [RackNerd](https://my.racknerd.com/aff.php?aff=13788). Depending on promotions, you can likely get a **VPS with 1 vCPU, 1GB RAM, and ~20GB SSD for just around $12/year**. That's a great deal! > We are part of the [RackNerd](https://my.racknerd.com/aff.php?aff=13788) affiliate program, so if you purchase through [our link](https://my.racknerd.com/aff.php?aff=13788), we receive a small commission which helps us maintain the project and keep it free for everyone. @@ -111,21 +116,21 @@ _Sites page of Pangolin dashboard (dark mode) showing multiple tunnels connected **Use Case Example - Bypassing Port Restrictions in Home Lab**: Imagine private sites where the ISP restricts port forwarding. By connecting these sites to Pangolin via WireGuard, you can securely expose HTTP and HTTPS resources on the private network without any networking complexity. +**Use Case Example - Deploying Services For Your Business**: +You can use Pangolin as an easy way to expose your business applications to your users behind a safe authentication portal you can integrate into your IdP solution. Expose resources on prem and on the cloud. + **Use Case Example - IoT Networks**: IoT networks are often fragmented and difficult to manage. By deploying Pangolin on a central server, you can connect all your IoT sites via Newt or another WireGuard client. This creates a simple, secure, and centralized way to access IoT resources without the need for intricate networking setups. - -Resources - _Resources page of Pangolin dashboard (dark mode) showing HTTPS and TCP resources with access control rules._ ## Similar Projects and Inspirations **Cloudflare Tunnels**: - A similar approach to proxying private resources securely, but Pangolin is a self-hosted alternative, giving you full control over your infrastructure. + A similar approach to proxying private resources securely, but Pangolin is a self-hosted alternative, giving you full control over your infrastructure. -**Authentik and Authelia**: - These projects inspired Pangolin’s centralized authentication system for proxies, enabling robust user and role management. +**Authelia**: + This inspired Pangolin’s centralized authentication system for proxies, enabling robust user and role management. ## Project Development / Roadmap diff --git a/config/config.example.yml b/config/config.example.yml index f3ab8d6e..7b5c144d 100644 --- a/config/config.example.yml +++ b/config/config.example.yml @@ -18,6 +18,7 @@ server: internal_hostname: "pangolin" session_cookie_name: "p_session_token" resource_access_token_param: "p_token" + secret: "your_secret_key_here" resource_access_token_headers: id: "P-Access-Token-Id" token: "P-Access-Token" diff --git a/install/config/docker-compose.yml b/install/config/docker-compose.yml index 496b0138..6c1a3755 100644 --- a/install/config/docker-compose.yml +++ b/install/config/docker-compose.yml @@ -35,7 +35,7 @@ services: - 80:80 # Port for traefik because of the network_mode {{end}} traefik: - image: traefik:v3.3.5 + image: traefik:v3.3.6 container_name: traefik restart: unless-stopped {{if .InstallGerbil}} diff --git a/install/main.go b/install/main.go index 82f7902e..a0d74a43 100644 --- a/install/main.go +++ b/install/main.go @@ -64,15 +64,15 @@ func main() { } var config Config - config.DoCrowdsecInstall = false - config.Secret = generateRandomSecretKey() - + // check if there is already a config file if _, err := os.Stat("config/config.yml"); err != nil { config = collectUserInput(reader) - + loadVersions(&config) - + config.DoCrowdsecInstall = false + config.Secret = generateRandomSecretKey() + if err := createConfigFiles(config); err != nil { fmt.Printf("Error creating config files: %v\n", err) os.Exit(1) @@ -202,7 +202,7 @@ func collectUserInput(reader *bufio.Reader) Config { config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "") config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", "pangolin."+config.BaseDomain) config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "") - config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunned connections", true) + config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true) // Admin user configuration fmt.Println("\n=== Admin User Configuration ===") diff --git a/public/screenshots/collage.png b/public/screenshots/collage.png index 74fe6deb..c791e7ea 100644 Binary files a/public/screenshots/collage.png and b/public/screenshots/collage.png differ diff --git a/public/screenshots/hero.png b/public/screenshots/hero.png new file mode 100644 index 00000000..4e321ee1 Binary files /dev/null and b/public/screenshots/hero.png differ diff --git a/public/screenshots/resources.png b/public/screenshots/resources.png deleted file mode 100644 index 2ee2c6e2..00000000 Binary files a/public/screenshots/resources.png and /dev/null differ diff --git a/public/screenshots/sites.png b/public/screenshots/sites.png deleted file mode 100644 index aa7294f5..00000000 Binary files a/public/screenshots/sites.png and /dev/null differ diff --git a/server/integrationApiServer.ts b/server/integrationApiServer.ts index 20925326..ff5dca51 100644 --- a/server/integrationApiServer.ts +++ b/server/integrationApiServer.ts @@ -15,7 +15,6 @@ import { } from "@server/middlewares"; import { authenticated, unauthenticated } from "@server/routers/integration"; import { logIncomingMiddleware } from "./middlewares/logIncoming"; -import { csrfProtectionMiddleware } from "./middlewares/csrfProtection"; import helmet from "helmet"; import swaggerUi from "swagger-ui-express"; import { OpenApiGeneratorV3 } from "@asteasolutions/zod-to-openapi"; @@ -37,7 +36,6 @@ export function createIntegrationApiServer() { if (!dev) { apiServer.use(helmet()); - apiServer.use(csrfProtectionMiddleware); } apiServer.use(cookieParser()); diff --git a/server/lib/consts.ts b/server/lib/consts.ts index 7c9892bf..94d2716e 100644 --- a/server/lib/consts.ts +++ b/server/lib/consts.ts @@ -2,7 +2,7 @@ import path from "path"; import { fileURLToPath } from "url"; // This is a placeholder value replaced by the build process -export const APP_VERSION = "1.2.0"; +export const APP_VERSION = "1.3.0"; export const __FILENAME = fileURLToPath(import.meta.url); export const __DIRNAME = path.dirname(__FILENAME); diff --git a/server/license/license.ts b/server/license/license.ts index 7887f451..e97b8f50 100644 --- a/server/license/license.ts +++ b/server/license/license.ts @@ -13,12 +13,19 @@ import moment from "moment"; import { setHostMeta } from "@server/setup/setHostMeta"; import { encrypt, decrypt } from "@server/lib/crypto"; +const keyTypes = ["HOST", "SITES"] as const; +type KeyType = (typeof keyTypes)[number]; + +const keyTiers = ["PROFESSIONAL", "ENTERPRISE"] as const; +type KeyTier = (typeof keyTiers)[number]; + export type LicenseStatus = { isHostLicensed: boolean; // Are there any license keys? isLicenseValid: boolean; // Is the license key valid? hostId: string; // Host ID maxSites?: number; usedSites?: number; + tier?: KeyTier; }; export type LicenseKeyCache = { @@ -26,7 +33,8 @@ export type LicenseKeyCache = { licenseKeyEncrypted: string; valid: boolean; iat?: Date; - type?: "LICENSE" | "SITES"; + type?: KeyType; + tier?: KeyTier; numSites?: number; }; @@ -54,7 +62,8 @@ type ValidateLicenseAPIResponse = { type TokenPayload = { valid: boolean; - type: "LICENSE" | "SITES"; + type: KeyType; + tier: KeyTier; quantity: number; terminateAt: string; // ISO iat: number; // Issued at @@ -182,11 +191,12 @@ LQIDAQAB licenseKeyEncrypted: key.licenseKeyId, valid: payload.valid, type: payload.type, + tier: payload.tier, numSites: payload.quantity, iat: new Date(payload.iat * 1000) }); - if (payload.type === "LICENSE") { + if (payload.type === "HOST") { foundHostKey = true; } } catch (e) { @@ -273,6 +283,7 @@ LQIDAQAB ); cached.valid = payload.valid; cached.type = payload.type; + cached.tier = payload.tier; cached.numSites = payload.quantity; cached.iat = new Date(payload.iat * 1000); @@ -311,8 +322,9 @@ LQIDAQAB logger.debug("Checking key", cached); - if (cached.type === "LICENSE") { + if (cached.type === "HOST") { status.isLicenseValid = cached.valid; + status.tier = cached.tier; } if (!cached.valid) { diff --git a/server/routers/accessToken/listAccessTokens.ts b/server/routers/accessToken/listAccessTokens.ts index 1ed7b14a..07ef9aa3 100644 --- a/server/routers/accessToken/listAccessTokens.ts +++ b/server/routers/accessToken/listAccessTokens.ts @@ -172,9 +172,20 @@ export async function listAccessTokens( ) ); } - const { orgId, resourceId } = parsedParams.data; + const { resourceId } = parsedParams.data; - if (orgId && orgId !== req.userOrgId) { + const orgId = + parsedParams.data.orgId || + req.userOrg?.orgId || + req.apiKeyOrg?.orgId; + + if (!orgId) { + return next( + createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID") + ); + } + + if (req.user && orgId && orgId !== req.userOrgId) { return next( createHttpError( HttpCode.FORBIDDEN, @@ -183,21 +194,29 @@ export async function listAccessTokens( ); } - const accessibleResources = await db - .select({ - resourceId: sql`COALESCE(${userResources.resourceId}, ${roleResources.resourceId})` - }) - .from(userResources) - .fullJoin( - roleResources, - eq(userResources.resourceId, roleResources.resourceId) - ) - .where( - or( - eq(userResources.userId, req.user!.userId), - eq(roleResources.roleId, req.userOrgRoleId!) + let accessibleResources; + if (req.user) { + accessibleResources = await db + .select({ + resourceId: sql`COALESCE(${userResources.resourceId}, ${roleResources.resourceId})` + }) + .from(userResources) + .fullJoin( + roleResources, + eq(userResources.resourceId, roleResources.resourceId) ) - ); + .where( + or( + eq(userResources.userId, req.user!.userId), + eq(roleResources.roleId, req.userOrgRoleId!) + ) + ); + } else { + accessibleResources = await db + .select({ resourceId: resources.resourceId }) + .from(resources) + .where(eq(resources.orgId, orgId)); + } const accessibleResourceIds = accessibleResources.map( (resource) => resource.resourceId diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts index 7f4ff784..1624616e 100644 --- a/server/routers/idp/validateOidcCallback.ts +++ b/server/routers/idp/validateOidcCallback.ts @@ -23,7 +23,7 @@ import { oidcAutoProvision } from "./oidcAutoProvision"; import license from "@server/license/license"; const ensureTrailingSlash = (url: string): string => { - return url.endsWith('/') ? url : `${url}/`; + return url.endsWith("/") ? url : `${url}/`; }; const paramsSchema = z @@ -228,6 +228,16 @@ export async function validateOidcCallback( req, res }); + + return response(res, { + data: { + redirectUrl: postAuthRedirectUrl + }, + success: true, + error: false, + message: "OIDC callback validated successfully", + status: HttpCode.CREATED + }); } else { if (!existingUser) { return next( diff --git a/server/routers/newt/createNewt.ts b/server/routers/newt/createNewt.ts index 25f4bb31..02517db5 100644 --- a/server/routers/newt/createNewt.ts +++ b/server/routers/newt/createNewt.ts @@ -49,7 +49,7 @@ export async function createNewt( const { newtId, secret } = parsedBody.data; - if (!req.userOrgRoleId) { + if (req.user && !req.userOrgRoleId) { return next( createHttpError(HttpCode.FORBIDDEN, "User does not have a role") ); diff --git a/server/routers/org/createOrg.ts b/server/routers/org/createOrg.ts index 37c230e6..576a46fa 100644 --- a/server/routers/org/createOrg.ts +++ b/server/routers/org/createOrg.ts @@ -3,13 +3,16 @@ import { z } from "zod"; import { db } from "@server/db"; import { eq } from "drizzle-orm"; import { + apiKeyOrg, + apiKeys, domains, Org, orgDomains, orgs, roleActions, roles, - userOrgs + userOrgs, + users } from "@server/db/schemas"; import response from "@server/lib/response"; import HttpCode from "@server/types/HttpCode"; @@ -57,7 +60,7 @@ export async function createOrg( try { // should this be in a middleware? if (config.getRawConfig().flags?.disable_user_create_org) { - if (!req.user?.serverAdmin) { + if (req.user && !req.user?.serverAdmin) { return next( createHttpError( HttpCode.FORBIDDEN, @@ -171,12 +174,33 @@ export async function createOrg( })) ); - await trx.insert(userOrgs).values({ - userId: req.user!.userId, - orgId: newOrg[0].orgId, - roleId: roleId, - isOwner: true - }); + if (req.user) { + await trx.insert(userOrgs).values({ + userId: req.user!.userId, + orgId: newOrg[0].orgId, + roleId: roleId, + isOwner: true + }); + } else { + // if org created by root api key, set the server admin as the owner + const [serverAdmin] = await trx + .select() + .from(users) + .where(eq(users.serverAdmin, true)); + + if (!serverAdmin) { + error = "Server admin not found"; + trx.rollback(); + return; + } + + await trx.insert(userOrgs).values({ + userId: serverAdmin.userId, + orgId: newOrg[0].orgId, + roleId: roleId, + isOwner: true + }); + } const memberRole = await trx .insert(roles) @@ -194,6 +218,18 @@ export async function createOrg( orgId })) ); + + const rootApiKeys = await trx + .select() + .from(apiKeys) + .where(eq(apiKeys.isRoot, true)); + + for (const apiKey of rootApiKeys) { + await trx.insert(apiKeyOrg).values({ + apiKeyId: apiKey.apiKeyId, + orgId: newOrg[0].orgId + }); + } }); if (!org) { diff --git a/server/routers/org/listUserOrgs.ts b/server/routers/org/listUserOrgs.ts index 43650480..fa33d2cb 100644 --- a/server/routers/org/listUserOrgs.ts +++ b/server/routers/org/listUserOrgs.ts @@ -29,16 +29,16 @@ const listOrgsSchema = z.object({ .pipe(z.number().int().nonnegative()) }); -registry.registerPath({ - method: "get", - path: "/user/{userId}/orgs", - description: "List all organizations for a user.", - tags: [OpenAPITags.Org, OpenAPITags.User], - request: { - query: listOrgsSchema - }, - responses: {} -}); +// registry.registerPath({ +// method: "get", +// path: "/user/{userId}/orgs", +// description: "List all organizations for a user.", +// tags: [OpenAPITags.Org, OpenAPITags.User], +// request: { +// query: listOrgsSchema +// }, +// responses: {} +// }); export type ListUserOrgsResponse = { orgs: Org[]; diff --git a/server/routers/resource/createResource.ts b/server/routers/resource/createResource.ts index af6807b9..e899530b 100644 --- a/server/routers/resource/createResource.ts +++ b/server/routers/resource/createResource.ts @@ -39,6 +39,7 @@ const createHttpResourceSchema = z isBaseDomain: z.boolean().optional(), siteId: z.number(), http: z.boolean(), + protocol: z.string(), domainId: z.string() }) .strict() @@ -129,7 +130,7 @@ export async function createResource( const { siteId, orgId } = parsedParams.data; - if (!req.userOrgRoleId) { + if (req.user && !req.userOrgRoleId) { return next( createHttpError(HttpCode.FORBIDDEN, "User does not have a role") ); @@ -202,7 +203,7 @@ async function createHttpResource( ); } - const { name, subdomain, isBaseDomain, http, domainId } = + const { name, subdomain, isBaseDomain, http, protocol, domainId } = parsedBody.data; const [orgDomain] = await db @@ -261,7 +262,7 @@ async function createHttpResource( name, subdomain, http, - protocol: "tcp", + protocol, ssl: true, isBaseDomain }) @@ -284,7 +285,7 @@ async function createHttpResource( resourceId: newResource[0].resourceId }); - if (req.userOrgRoleId != adminRole[0].roleId) { + if (req.user && req.userOrgRoleId != adminRole[0].roleId) { // make sure the user can access the resource await trx.insert(userResources).values({ userId: req.user?.userId!, diff --git a/server/routers/resource/listResources.ts b/server/routers/resource/listResources.ts index daac698f..9af24740 100644 --- a/server/routers/resource/listResources.ts +++ b/server/routers/resource/listResources.ts @@ -69,9 +69,7 @@ function queryResources( http: resources.http, protocol: resources.protocol, proxyPort: resources.proxyPort, - enabled: resources.enabled, - tlsServerName: resources.tlsServerName, - setHostHeader: resources.setHostHeader + enabled: resources.enabled }) .from(resources) .leftJoin(sites, eq(resources.siteId, sites.siteId)) @@ -105,9 +103,7 @@ function queryResources( http: resources.http, protocol: resources.protocol, proxyPort: resources.proxyPort, - enabled: resources.enabled, - tlsServerName: resources.tlsServerName, - setHostHeader: resources.setHostHeader + enabled: resources.enabled }) .from(resources) .leftJoin(sites, eq(resources.siteId, sites.siteId)) @@ -187,9 +183,17 @@ export async function listResources( ) ); } - const { siteId, orgId } = parsedParams.data; + const { siteId } = parsedParams.data; - if (orgId && orgId !== req.userOrgId) { + const orgId = parsedParams.data.orgId || req.userOrg?.orgId || req.apiKeyOrg?.orgId; + + if (!orgId) { + return next( + createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID") + ); + } + + if (req.user && orgId && orgId !== req.userOrgId) { return next( createHttpError( HttpCode.FORBIDDEN, @@ -198,7 +202,9 @@ export async function listResources( ); } - const accessibleResources = await db + let accessibleResources; + if (req.user) { + accessibleResources = await db .select({ resourceId: sql`COALESCE(${userResources.resourceId}, ${roleResources.resourceId})` }) @@ -213,6 +219,11 @@ export async function listResources( eq(roleResources.roleId, req.userOrgRoleId!) ) ); + } else { + accessibleResources = await db.select({ + resourceId: resources.resourceId + }).from(resources).where(eq(resources.orgId, orgId)); + } const accessibleResourceIds = accessibleResources.map( (resource) => resource.resourceId diff --git a/server/routers/resource/setResourceRoles.ts b/server/routers/resource/setResourceRoles.ts index 2699be1f..0f0b3df2 100644 --- a/server/routers/resource/setResourceRoles.ts +++ b/server/routers/resource/setResourceRoles.ts @@ -1,7 +1,7 @@ import { Request, Response, NextFunction } from "express"; import { z } from "zod"; import { db } from "@server/db"; -import { roleResources, roles } from "@server/db/schemas"; +import { apiKeys, roleResources, roles } from "@server/db/schemas"; import response from "@server/lib/response"; import HttpCode from "@server/types/HttpCode"; import createHttpError from "http-errors"; @@ -74,6 +74,17 @@ export async function setResourceRoles( const { resourceId } = parsedParams.data; + const orgId = req.userOrg?.orgId || req.apiKeyOrg?.orgId; + + if (!orgId) { + return next( + createHttpError( + HttpCode.INTERNAL_SERVER_ERROR, + "Organization not found" + ) + ); + } + // get this org's admin role const adminRole = await db .select() @@ -81,7 +92,7 @@ export async function setResourceRoles( .where( and( eq(roles.name, "Admin"), - eq(roles.orgId, req.userOrg!.orgId) + eq(roles.orgId, orgId) ) ) .limit(1); @@ -136,3 +147,4 @@ export async function setResourceRoles( ); } } + diff --git a/server/routers/resource/updateResource.ts b/server/routers/resource/updateResource.ts index 009bbaff..a857e103 100644 --- a/server/routers/resource/updateResource.ts +++ b/server/routers/resource/updateResource.ts @@ -45,8 +45,8 @@ const updateHttpResourceBodySchema = z domainId: z.string().optional(), enabled: z.boolean().optional(), stickySession: z.boolean().optional(), - tlsServerName: z.string().optional(), - setHostHeader: z.string().optional() + tlsServerName: z.string().nullable().optional(), + setHostHeader: z.string().nullable().optional() }) .strict() .refine((data) => Object.keys(data).length > 0, { @@ -81,7 +81,10 @@ const updateHttpResourceBodySchema = z } return true; }, - { message: "Invalid TLS Server Name. Use domain name format, or save empty to remove the TLS Server Name." } + { + message: + "Invalid TLS Server Name. Use domain name format, or save empty to remove the TLS Server Name." + } ) .refine( (data) => { @@ -90,7 +93,10 @@ const updateHttpResourceBodySchema = z } return true; }, - { message: "Invalid custom Host Header value. Use domain name format, or save empty to unset custom Host Header." } + { + message: + "Invalid custom Host Header value. Use domain name format, or save empty to unset custom Host Header." + } ); export type UpdateResourceResponse = Resource; @@ -300,7 +306,22 @@ async function updateHttpResource( const updatedResource = await db .update(resources) - .set(updatePayload) + .set({ + name: updatePayload.name, + subdomain: updatePayload.subdomain, + ssl: updatePayload.ssl, + sso: updatePayload.sso, + blockAccess: updatePayload.blockAccess, + emailWhitelistEnabled: updatePayload.emailWhitelistEnabled, + isBaseDomain: updatePayload.isBaseDomain, + applyRules: updatePayload.applyRules, + domainId: updatePayload.domainId, + enabled: updatePayload.enabled, + stickySession: updatePayload.stickySession, + tlsServerName: updatePayload.tlsServerName || null, + setHostHeader: updatePayload.setHostHeader || null, + fullDomain: updatePayload.fullDomain + }) .where(eq(resources.resourceId, resource.resourceId)) .returning(); diff --git a/server/routers/site/createSite.ts b/server/routers/site/createSite.ts index 43ef7de7..1e673ee5 100644 --- a/server/routers/site/createSite.ts +++ b/server/routers/site/createSite.ts @@ -103,7 +103,7 @@ export async function createSite( const { orgId } = parsedParams.data; - if (!req.userOrgRoleId) { + if (req.user && !req.userOrgRoleId) { return next( createHttpError(HttpCode.FORBIDDEN, "User does not have a role") ); @@ -235,7 +235,7 @@ export async function createSite( siteId: newSite.siteId }); - if (req.userOrgRoleId != adminRole[0].roleId) { + if (req.user && req.userOrgRoleId != adminRole[0].roleId) { // make sure the user can access the site trx.insert(userSites).values({ userId: req.user?.userId!, diff --git a/server/routers/site/listSites.ts b/server/routers/site/listSites.ts index 77f6b147..829f8375 100644 --- a/server/routers/site/listSites.ts +++ b/server/routers/site/listSites.ts @@ -101,7 +101,7 @@ export async function listSites( } const { orgId } = parsedParams.data; - if (orgId && orgId !== req.userOrgId) { + if (req.user && orgId && orgId !== req.userOrgId) { return next( createHttpError( HttpCode.FORBIDDEN, @@ -110,18 +110,26 @@ export async function listSites( ); } - const accessibleSites = await db - .select({ - siteId: sql`COALESCE(${userSites.siteId}, ${roleSites.siteId})` - }) - .from(userSites) - .fullJoin(roleSites, eq(userSites.siteId, roleSites.siteId)) - .where( - or( - eq(userSites.userId, req.user!.userId), - eq(roleSites.roleId, req.userOrgRoleId!) - ) - ); + let accessibleSites; + if (req.user) { + accessibleSites = await db + .select({ + siteId: sql`COALESCE(${userSites.siteId}, ${roleSites.siteId})` + }) + .from(userSites) + .fullJoin(roleSites, eq(userSites.siteId, roleSites.siteId)) + .where( + or( + eq(userSites.userId, req.user!.userId), + eq(roleSites.roleId, req.userOrgRoleId!) + ) + ); + } else { + accessibleSites = await db + .select({ siteId: sites.siteId }) + .from(sites) + .where(eq(sites.orgId, orgId)); + } const accessibleSiteIds = accessibleSites.map((site) => site.siteId); const baseQuery = querySites(orgId, accessibleSiteIds); diff --git a/server/routers/user/addUserRole.ts b/server/routers/user/addUserRole.ts index b482e39a..c0ac31bc 100644 --- a/server/routers/user/addUserRole.ts +++ b/server/routers/user/addUserRole.ts @@ -49,7 +49,7 @@ export async function addUserRole( const { userId, roleId } = parsedParams.data; - if (!req.userOrg) { + if (req.user && !req.userOrg) { return next( createHttpError( HttpCode.FORBIDDEN, @@ -58,7 +58,13 @@ export async function addUserRole( ); } - const orgId = req.userOrg.orgId; + const orgId = req.userOrg?.orgId || req.apiKeyOrg?.orgId; + + if (!orgId) { + return next( + createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID") + ); + } const existingUser = await db .select() diff --git a/server/routers/user/createOrgUser.ts b/server/routers/user/createOrgUser.ts index 3ca2a5a3..a198db5d 100644 --- a/server/routers/user/createOrgUser.ts +++ b/server/routers/user/createOrgUser.ts @@ -19,7 +19,15 @@ const paramsSchema = z const bodySchema = z .object({ - email: z.string().email().optional(), + email: z + .string() + .optional() + .refine((data) => { + if (data) { + return z.string().email().safeParse(data).success; + } + return true; + }), username: z.string().nonempty(), name: z.string().optional(), type: z.enum(["internal", "oidc"]).optional(), diff --git a/server/routers/user/getOrgUser.ts b/server/routers/user/getOrgUser.ts index f03cf0f0..6ebd33c0 100644 --- a/server/routers/user/getOrgUser.ts +++ b/server/routers/user/getOrgUser.ts @@ -106,7 +106,7 @@ export async function getOrgUser( ); } - if (user.userId !== req.userOrg.userId) { + if (req.user && user.userId !== req.userOrg.userId) { const hasPermission = await checkUserActionPermission( ActionsEnum.getOrgUser, req diff --git a/server/setup/scripts/1.3.0.ts b/server/setup/scripts/1.3.0.ts index fdd1b80b..a75dc207 100644 --- a/server/setup/scripts/1.3.0.ts +++ b/server/setup/scripts/1.3.0.ts @@ -8,8 +8,6 @@ import { APP_PATH, configFilePath1, configFilePath2 } from "@server/lib/consts"; const version = "1.3.0"; const location = path.join(APP_PATH, "db", "db.sqlite"); -await migration(); - export default async function migration() { console.log(`Running setup script ${version}...`); diff --git a/src/app/[orgId]/settings/resources/[resourceId]/proxy/page.tsx b/src/app/[orgId]/settings/resources/[resourceId]/proxy/page.tsx index ea388176..85c25415 100644 --- a/src/app/[orgId]/settings/resources/[resourceId]/proxy/page.tsx +++ b/src/app/[orgId]/settings/resources/[resourceId]/proxy/page.tsx @@ -657,7 +657,7 @@ export default function ReverseProxyTargets(props: { loading={httpsTlsLoading} form="tls-settings-form" > - Save HTTPS & TLS Settings + Save Settings @@ -896,7 +896,7 @@ export default function ReverseProxyTargets(props: { - The Host header to set when + The host header to set when proxying requests. Leave empty to use the default. diff --git a/src/app/admin/license/components/SitePriceCalculator.tsx b/src/app/admin/license/components/SitePriceCalculator.tsx index b27c8ada..56228769 100644 --- a/src/app/admin/license/components/SitePriceCalculator.tsx +++ b/src/app/admin/license/components/SitePriceCalculator.tsx @@ -40,6 +40,21 @@ export function SitePriceCalculator({ setSiteCount((prev) => (prev > 1 ? prev - 1 : 1)); }; + function continueToPayment() { + if (mode === "license") { + // open in new tab + window.open( + `https://payment.fossorial.io/buy/dab98d3d-9976-49b1-9e55-1580059d833f?quantity=${siteCount}`, + "_blank" + ); + } else { + window.open( + `https://payment.fossorial.io/buy/2b881c36-ea5d-4c11-8652-9be6810a054f?quantity=${siteCount}`, + "_blank" + ); + } + } + const totalCost = mode === "license" ? licenseFlatRate + siteCount * pricePerSite @@ -141,7 +156,9 @@ export function SitePriceCalculator({ - + diff --git a/src/app/admin/license/page.tsx b/src/app/admin/license/page.tsx index 74f86c96..316200c4 100644 --- a/src/app/admin/license/page.tsx +++ b/src/app/admin/license/page.tsx @@ -56,12 +56,16 @@ import { MinusCircle, PlusCircle } from "lucide-react"; import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog"; import { SitePriceCalculator } from "./components/SitePriceCalculator"; import Link from "next/link"; +import { Checkbox } from "@app/components/ui/checkbox"; const formSchema = z.object({ licenseKey: z .string() .nonempty({ message: "License key is required" }) - .max(255) + .max(255), + agreeToTerms: z.boolean().refine((val) => val === true, { + message: "You must agree to the license terms" + }) }); function obfuscateLicenseKey(key: string): string { @@ -95,7 +99,8 @@ export default function LicensePage() { const form = useForm>({ resolver: zodResolver(formSchema), defaultValues: { - licenseKey: "" + licenseKey: "", + agreeToTerms: false } }); @@ -116,7 +121,7 @@ export default function LicensePage() { ); const keys = response.data.data; setRows(keys); - const hostKey = keys.find((key) => key.type === "LICENSE"); + const hostKey = keys.find((key) => key.type === "HOST"); if (hostKey) { setHostLicense(hostKey.licenseKey); } else { @@ -265,6 +270,44 @@ export default function LicensePage() { )} /> + ( + + + + +
+ + By checking this box, you + confirm that you have read + and agree to the license + terms corresponding to the + tier associated with your + license key. +
+ + View Fossorial + Commercial License & + Subscription Terms + + + +
+ + )} + /> @@ -305,8 +348,7 @@ export default function LicensePage() {

This will remove the license key and all - associated permissions. Any sites using this - license key will no longer be accessible. + associated permissions granted by it.

@@ -343,7 +385,13 @@ export default function LicensePage() {

- Licensed + {licenseStatus?.tier === + "PROFESSIONAL" + ? "Professional License" + : licenseStatus?.tier === + "ENTERPRISE" + ? "Enterprise License" + : "Licensed"}
) : ( diff --git a/src/app/admin/users/AdminUsersTable.tsx b/src/app/admin/users/AdminUsersTable.tsx index 12a6145c..68ad2790 100644 --- a/src/app/admin/users/AdminUsersTable.tsx +++ b/src/app/admin/users/AdminUsersTable.tsx @@ -173,7 +173,7 @@ export default function UsersTable({ users }: Props) {

Are you sure you want to permanently delete{" "} - + {selected?.email || selected?.name || selected?.username} diff --git a/src/app/components/LicenseViolation.tsx b/src/app/components/LicenseViolation.tsx index 1771475c..75d544d3 100644 --- a/src/app/components/LicenseViolation.tsx +++ b/src/app/components/LicenseViolation.tsx @@ -5,21 +5,33 @@ "use client"; +import { Button } from "@app/components/ui/button"; import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext"; +import { useState } from "react"; export default function LicenseViolation() { const { licenseStatus } = useLicenseStatusContext(); + const [isDismissed, setIsDismissed] = useState(false); - if (!licenseStatus) return null; + if (!licenseStatus || isDismissed) return null; // Show invalid license banner if (licenseStatus.isHostLicensed && !licenseStatus.isLicenseValid) { return (

-

- Invalid or expired license keys detected. Follow license - terms to continue using all features. -

+
+

+ Invalid or expired license keys detected. Follow license + terms to continue using all features. +

+ +
); } @@ -32,12 +44,21 @@ export default function LicenseViolation() { ) { return (
-

- License Violation: This server is using{" "} - {licenseStatus.usedSites} sites which exceeds its licensed - limit of {licenseStatus.maxSites} sites. Follow license - terms to continue using all features. -

+
+

+ License Violation: This server is using{" "} + {licenseStatus.usedSites} sites which exceeds its + licensed limit of {licenseStatus.maxSites} sites. Follow + license terms to continue using all features. +

+ +
); } diff --git a/src/components/ConfirmDeleteDialog.tsx b/src/components/ConfirmDeleteDialog.tsx index 5ed13d51..a928ed60 100644 --- a/src/components/ConfirmDeleteDialog.tsx +++ b/src/components/ConfirmDeleteDialog.tsx @@ -105,7 +105,7 @@ export default function InviteUserForm({ {title} -
{dialog}
+
{dialog}
{ + field.onChange(e); + if (e.target.value.length === 6) { + mfaForm.handleSubmit(onSubmit)(); + } + }} > - {!user.twoFactorEnabled && ( - setOpenEnable2fa(true)} - > - Enable Two-factor - + {user?.type === UserType.Internal && ( + <> + {!user.twoFactorEnabled && ( + setOpenEnable2fa(true)} + > + Enable Two-factor + + )} + {user.twoFactorEnabled && ( + setOpenDisable2fa(true)} + > + Disable Two-factor + + )} + + )} - {user.twoFactorEnabled && ( - setOpenDisable2fa(true)} - > - Disable Two-factor - - )} - Theme {(["light", "dark", "system"] as const).map( (themeOption) => ( diff --git a/src/components/QRContainer.tsx b/src/components/QRContainer.tsx new file mode 100644 index 00000000..65912dba --- /dev/null +++ b/src/components/QRContainer.tsx @@ -0,0 +1,17 @@ +"use client"; + +export default function QRContainer({ + children =
, + outline = true +}) { + + return ( +
+
+ {children} +
+
+ ); +} diff --git a/src/components/SidebarNav.tsx b/src/components/SidebarNav.tsx index 238fb603..698fb01e 100644 --- a/src/components/SidebarNav.tsx +++ b/src/components/SidebarNav.tsx @@ -37,8 +37,31 @@ export function SidebarNav({ const niceId = params.niceId as string; const resourceId = params.resourceId as string; const userId = params.userId as string; - const [expandedItems, setExpandedItems] = useState>(new Set()); const clientId = params.clientId as string; + const [expandedItems, setExpandedItems] = useState>(() => { + const autoExpanded = new Set(); + + function findAutoExpandedAndActivePath( + items: SidebarNavItem[], + parentHrefs: string[] = [] + ) { + items.forEach((item) => { + const hydratedHref = hydrateHref(item.href); + const currentPath = [...parentHrefs, hydratedHref]; + + if (item.autoExpand || pathname.startsWith(hydratedHref)) { + currentPath.forEach((href) => autoExpanded.add(href)); + } + + if (item.children) { + findAutoExpandedAndActivePath(item.children, currentPath); + } + }); + } + + findAutoExpandedAndActivePath(items); + return autoExpanded; + }); const { licenseStatus, isUnlocked } = useLicenseStatusContext(); const { user } = useUserContext(); @@ -52,37 +75,6 @@ export function SidebarNav({ .replace("{clientId}", clientId); } - // Initialize expanded items based on autoExpand property and current path - useEffect(() => { - const autoExpanded = new Set(); - - function findAutoExpandedAndActivePath( - items: SidebarNavItem[], - parentHrefs: string[] = [] - ) { - items.forEach((item) => { - const hydratedHref = hydrateHref(item.href); - - // Add current item's href to the path - const currentPath = [...parentHrefs, hydratedHref]; - - // Auto expand if specified or if this item or any child is active - if (item.autoExpand || pathname.startsWith(hydratedHref)) { - // Expand all parent sections when a child is active - currentPath.forEach((href) => autoExpanded.add(href)); - } - - // Recursively check children - if (item.children) { - findAutoExpandedAndActivePath(item.children, currentPath); - } - }); - } - - findAutoExpandedAndActivePath(items); - setExpandedItems(autoExpanded); - }, [items, pathname]); - function toggleItem(href: string) { setExpandedItems((prev) => { const newSet = new Set(prev);