From 24d7b37583784311a27f5ff4e34397ae47e5dadf Mon Sep 17 00:00:00 2001 From: Cory Sanin Date: Tue, 23 Sep 2025 15:02:25 -0500 Subject: [PATCH 1/4] require login to view (if enabled) --- config/config.example.json | 8 +- package-lock.json | 219 ++++++++++++++++++++++++++++++++++++- package.json | 9 +- src/DB.ts | 37 ++++++- src/Web.ts | 165 ++++++++++++++++++++++++---- src/index.ts | 2 +- views/login-required.ejs | 19 ++++ views/navigation.ejs | 3 + 8 files changed, 433 insertions(+), 29 deletions(-) create mode 100644 views/login-required.ejs diff --git a/config/config.example.json b/config/config.example.json index 97302e7..25084fb 100644 --- a/config/config.example.json +++ b/config/config.example.json @@ -4,6 +4,12 @@ "password": "correcthorse" }, "web": { - "port": 8080 + "port": 8080, + "oidc": { + "server": "https://gitea.artixlinux.org/", + "clientId": "fakefake-fake-fake-fake-fakefakefake", + "clientSecret": "thisisnotarealsecret", + "appBaseUrl": "http://localhost:8080" + } } } \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index aedfb42..b6a669e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,18 +1,22 @@ { "name": "archery", - "version": "0.1.8", + "version": "0.2.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "archery", - "version": "0.1.8", + "version": "0.2.0", "license": "MIT", "dependencies": { "body-parser": "^2.2.0", "ejs": "3.1.10", "express": "^5.1.0", + "express-session": "1.18.2", "express-ws": "^5.0.2", + "ky": "1.10.0", + "passport": "0.7.0", + "passport-openidconnect": "0.1.2", "pg": "^8.16.3", "pg-hstore": "^2.3.4", "sequelize": "^6.37.7", @@ -20,8 +24,11 @@ }, "devDependencies": { "@types/express": "^5.0.3", + "@types/express-session": "^1.18.2", "@types/express-ws": "3.0.5", "@types/node": "^24.5.2", + "@types/passport": "1.0.17", + "@types/passport-openidconnect": "0.1.3", "forking-build-shit": "1.0.4" }, "peerDependencies": { @@ -393,6 +400,16 @@ "@types/send": "*" } }, + "node_modules/@types/express-session": { + "version": "1.18.2", + "resolved": "https://registry.npmjs.org/@types/express-session/-/express-session-1.18.2.tgz", + "integrity": "sha512-k+I0BxwVXsnEU2hV77cCobC08kIsn4y44C3gC0b46uxZVMaXA04lSPgRLR/bSL2w0t0ShJiG8o4jPzRG/nscFg==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/express": "*" + } + }, "node_modules/@types/express-ws": { "version": "3.0.5", "resolved": "https://registry.npmjs.org/@types/express-ws/-/express-ws-3.0.5.tgz", @@ -434,6 +451,50 @@ "undici-types": "~7.12.0" } }, + "node_modules/@types/oauth": { + "version": "0.9.6", + "resolved": "https://registry.npmjs.org/@types/oauth/-/oauth-0.9.6.tgz", + "integrity": "sha512-H9TRCVKBNOhZZmyHLqFt9drPM9l+ShWiqqJijU1B8P3DX3ub84NjxDuy+Hjrz+fEca5Kwip3qPMKNyiLgNJtIA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/node": "*" + } + }, + "node_modules/@types/passport": { + "version": "1.0.17", + "resolved": "https://registry.npmjs.org/@types/passport/-/passport-1.0.17.tgz", + "integrity": "sha512-aciLyx+wDwT2t2/kJGJR2AEeBz0nJU4WuRX04Wu9Dqc5lSUtwu0WERPHYsLhF9PtseiAMPBGNUOtFjxZ56prsg==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/express": "*" + } + }, + "node_modules/@types/passport-openidconnect": { + "version": "0.1.3", + "resolved": "https://registry.npmjs.org/@types/passport-openidconnect/-/passport-openidconnect-0.1.3.tgz", + "integrity": "sha512-k1Ni7bG/9OZNo2Qpjg2W6GajL+pww6ZPaNWMXfpteCX4dXf4QgaZLt2hjR5IiPrqwBT9+W8KjCTJ/uhGIoBx/g==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/express": "*", + "@types/oauth": "*", + "@types/passport": "*", + "@types/passport-strategy": "*" + } + }, + "node_modules/@types/passport-strategy": { + "version": "0.2.38", + "resolved": "https://registry.npmjs.org/@types/passport-strategy/-/passport-strategy-0.2.38.tgz", + "integrity": "sha512-GC6eMqqojOooq993Tmnmp7AUTbbQSgilyvpCYQjT+H6JfG/g6RGc7nXEniZlp0zyKJ0WUdOiZWLBZft9Yug1uA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/express": "*", + "@types/passport": "*" + } + }, "node_modules/@types/qs": { "version": "6.9.17", "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.17.tgz", @@ -910,6 +971,55 @@ "url": "https://opencollective.com/express" } }, + "node_modules/express-session": { + "version": "1.18.2", + "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.18.2.tgz", + "integrity": "sha512-SZjssGQC7TzTs9rpPDuUrR23GNZ9+2+IkA/+IJWmvQilTr5OSliEHGF+D9scbIpdC6yGtTI0/VhaHoVes2AN/A==", + "license": "MIT", + "dependencies": { + "cookie": "0.7.2", + "cookie-signature": "1.0.7", + "debug": "2.6.9", + "depd": "~2.0.0", + "on-headers": "~1.1.0", + "parseurl": "~1.3.3", + "safe-buffer": "5.2.1", + "uid-safe": "~2.1.5" + }, + "engines": { + "node": ">= 0.8.0" + } + }, + "node_modules/express-session/node_modules/cookie": { + "version": "0.7.2", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz", + "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/express-session/node_modules/cookie-signature": { + "version": "1.0.7", + "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz", + "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==", + "license": "MIT" + }, + "node_modules/express-session/node_modules/debug": { + "version": "2.6.9", + "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", + "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", + "license": "MIT", + "dependencies": { + "ms": "2.0.0" + } + }, + "node_modules/express-session/node_modules/ms": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", + "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==", + "license": "MIT" + }, "node_modules/express-ws": { "version": "5.0.2", "resolved": "https://registry.npmjs.org/express-ws/-/express-ws-5.0.2.tgz", @@ -1230,6 +1340,18 @@ "node": ">=10" } }, + "node_modules/ky": { + "version": "1.10.0", + "resolved": "https://registry.npmjs.org/ky/-/ky-1.10.0.tgz", + "integrity": "sha512-YRPCzHEWZffbfvmRrfwa+5nwBHwZuYiTrfDX0wuhGBPV0pA/zCqcOq93MDssON/baIkpYbvehIX5aLpMxrRhaA==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sindresorhus/ky?sponsor=1" + } + }, "node_modules/lodash": { "version": "4.17.21", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", @@ -1365,6 +1487,12 @@ "license": "MIT", "optional": true }, + "node_modules/oauth": { + "version": "0.10.2", + "resolved": "https://registry.npmjs.org/oauth/-/oauth-0.10.2.tgz", + "integrity": "sha512-JtFnB+8nxDEXgNyniwz573xxbKSOu3R8D40xQKqcjwJ2CDkYqUDI53o6IuzDJBx60Z8VKCm271+t8iFjakrl8Q==", + "license": "MIT" + }, "node_modules/object-inspect": { "version": "1.13.4", "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz", @@ -1389,6 +1517,15 @@ "node": ">= 0.8" } }, + "node_modules/on-headers": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz", + "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", @@ -1407,6 +1544,49 @@ "node": ">= 0.8" } }, + "node_modules/passport": { + "version": "0.7.0", + "resolved": "https://registry.npmjs.org/passport/-/passport-0.7.0.tgz", + "integrity": "sha512-cPLl+qZpSc+ireUvt+IzqbED1cHHkDoVYMo30jbJIdOOjQ1MQYZBPiNvmi8UM6lJuOpTPXJGZQk0DtC4y61MYQ==", + "license": "MIT", + "dependencies": { + "passport-strategy": "1.x.x", + "pause": "0.0.1", + "utils-merge": "^1.0.1" + }, + "engines": { + "node": ">= 0.4.0" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/jaredhanson" + } + }, + "node_modules/passport-openidconnect": { + "version": "0.1.2", + "resolved": "https://registry.npmjs.org/passport-openidconnect/-/passport-openidconnect-0.1.2.tgz", + "integrity": "sha512-JX3rTyW+KFZ/E9OF/IpXJPbyLO9vGzcmXB5FgSP2jfL3LGKJPdV7zUE8rWeKeeI/iueQggOeFa3onrCmhxXZTg==", + "license": "MIT", + "dependencies": { + "oauth": "0.10.x", + "passport-strategy": "1.x.x" + }, + "engines": { + "node": ">= 0.6.0" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/jaredhanson" + } + }, + "node_modules/passport-strategy": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/passport-strategy/-/passport-strategy-1.0.0.tgz", + "integrity": "sha512-CB97UUvDKJde2V0KDWWB3lyf6PC3FaZP7YxZ2G8OAtn9p4HI9j9JLP9qjOGZFvyl8uwNT8qM+hGnz/n16NI7oA==", + "engines": { + "node": ">= 0.4.0" + } + }, "node_modules/path-to-regexp": { "version": "8.3.0", "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz", @@ -1417,6 +1597,11 @@ "url": "https://opencollective.com/express" } }, + "node_modules/pause": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/pause/-/pause-0.0.1.tgz", + "integrity": "sha512-KG8UEiEVkR3wGEb4m5yZkVCzigAD+cVEJck2CzYZO37ZGJfctvVptVO192MwrtPhzONn6go8ylnOdMhKqi4nfg==" + }, "node_modules/pg": { "version": "8.16.3", "resolved": "https://registry.npmjs.org/pg/-/pg-8.16.3.tgz", @@ -1599,6 +1784,15 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/random-bytes": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz", + "integrity": "sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/range-parser": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", @@ -2036,6 +2230,18 @@ "node": ">=0.8.0" } }, + "node_modules/uid-safe": { + "version": "2.1.5", + "resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz", + "integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==", + "license": "MIT", + "dependencies": { + "random-bytes": "~1.0.0" + }, + "engines": { + "node": ">= 0.8" + } + }, "node_modules/underscore": { "version": "1.13.7", "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.7.tgz", @@ -2057,6 +2263,15 @@ "node": ">= 0.8" } }, + "node_modules/utils-merge": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz", + "integrity": "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==", + "license": "MIT", + "engines": { + "node": ">= 0.4.0" + } + }, "node_modules/uuid": { "version": "8.3.2", "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", diff --git a/package.json b/package.json index cf858eb..afdeedc 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "archery", - "version": "0.1.8", + "version": "0.2.0", "description": "Build Arch packages through a web interface", "keywords": [ "docker", @@ -23,7 +23,11 @@ "body-parser": "^2.2.0", "ejs": "3.1.10", "express": "^5.1.0", + "express-session": "1.18.2", "express-ws": "^5.0.2", + "ky": "1.10.0", + "passport": "0.7.0", + "passport-openidconnect": "0.1.2", "pg": "^8.16.3", "pg-hstore": "^2.3.4", "sequelize": "^6.37.7", @@ -31,8 +35,11 @@ }, "devDependencies": { "@types/express": "^5.0.3", + "@types/express-session": "^1.18.2", "@types/express-ws": "3.0.5", "@types/node": "^24.5.2", + "@types/passport": "1.0.17", + "@types/passport-openidconnect": "0.1.3", "forking-build-shit": "1.0.4" }, "peerDependencies": { diff --git a/src/DB.ts b/src/DB.ts index 5184a07..534dd47 100644 --- a/src/DB.ts +++ b/src/DB.ts @@ -27,6 +27,12 @@ interface Build { sqid?: string; } +interface User { + id: string; + username: string; + displayName?: string; +} + interface LogChunk { id: number buildId: number @@ -46,6 +52,7 @@ const SELECT = ['id', 'repo', 'commit', 'distro', 'dependencies', 'startTime', ' class DB { private build: ModelStatic; private logChunk: ModelStatic; + private user: ModelStatic; private sequelize: Sequelize; constructor(config: DBConfig = {}) { @@ -128,12 +135,40 @@ class DB { } }); + this.user = this.sequelize.define('users', { + id: { + type: DataTypes.STRING, + primaryKey: true, + }, + username: { + type: DataTypes.STRING, + }, + displayName: { + type: DataTypes.STRING, + allowNull: true + } + }); + this.sync(); } private async sync(): Promise { await this.build.sync(); await this.logChunk.sync(); + await this.user.sync(); + } + + public async getUser(id: string): Promise { + return await this.user.findByPk(id); + } + + public async createUser(user: User): Promise { + await this.user.create({ + id: user.id, + username: user.username, + displayName: user.displayName || null + }); + return user.id; } public async createBuild(repo: string, commit: string, patch: string, distro: string, dependencies: string): Promise { @@ -271,4 +306,4 @@ class DB { export default DB; export { DB }; -export type { DBConfig, Status, Build, LogChunk }; +export type { DBConfig, Status, Build, LogChunk, User }; diff --git a/src/Web.ts b/src/Web.ts index ccd0ded..2f9147d 100644 --- a/src/Web.ts +++ b/src/Web.ts @@ -1,15 +1,33 @@ import * as http from "http"; import crypto from 'crypto'; -import type { Express } from "express"; +import type { Express } from 'express'; import express from 'express'; -import expressWs from "express-ws"; -import bodyParser from "body-parser"; +import expressWs from 'express-ws'; +import session from 'express-session'; +import ky from 'ky'; +import passport from 'passport'; +import OpenIDConnectStrategy from 'passport-openidconnect'; +import bodyParser from 'body-parser'; import Sqids from 'sqids'; -import type { DB, LogChunk } from "./DB.ts"; +import type { DB, LogChunk, Build, User } from "./DB.ts"; import type { BuildController, BuildEvent } from "./BuildController.ts"; interface WebConfig { + sessionSecret?: string; port?: number; + oidc?: { + server: string; + clientId: string; + clientSecret: string; + appBaseUrl: string; + }; +} + +interface OpenIdConfiguration { + issuer: string; + authorization_endpoint: string; + token_endpoint: string; + userinfo_endpoint: string; } /** @@ -42,12 +60,18 @@ class Web { private port: number; constructor(options: WebConfig = {}) { + this.initialize(options) + } + + initialize = async (options: WebConfig) => { + const sessionSecret = process.env['SESSIONSECRET'] || options.sessionSecret; const sqids = new Sqids({ minLength: 6, alphabet: 'abcdefghijkmnprstuvwxyz' }); const app: Express = express(); const wsApp = this.app = expressWs(app).app; + const oidc = await this.initializeOIDC(options); this.port = notStupidParseInt(process.env.PORT) || options['port'] as number || 8080; app.set('trust proxy', 1); @@ -68,6 +92,87 @@ class Web { }); }); + const showBuild = async (req: express.Request, res: express.Response, build: Build) => { + if (!build) { + res.sendStatus(404); + return; + } + build.sqid = sqids.encode([build.id]); + const log = splitLines(await this.db.getLog(build.id)); + + res.render('build', { + page: { + title: 'Archery', + titlesuffix: `Build #${build.id}`, + description: `Building ${build.repo} on ${build.distro}`, + }, + user: req?.user, + build, + log, + ended: build.status !== 'queued' && build.status !== 'running' + }); + } + + if (oidc) { + if (!sessionSecret) { + throw new Error('sessionSecret must be set.'); + } + app.use(session({ + secret: sessionSecret, + resave: false, + saveUninitialized: false + })); + passport.serializeUser(function (user: User, done) { + done(null, user.id); + }); + + passport.deserializeUser(async (id: string, done) => { + const user = await this.db.getUser(id); + done(null, { + id: user.id, + username: user.username, + name: user.displayName + }); + }); + passport.use(oidc); + app.use(passport.initialize()); + app.use(passport.session()); + app.get('/login', (req, res) => { + if(req?.user) { + return res.redirect('/'); + } + res.append('X-Robots-Tag', 'none'); + res.render('login-required', { + page: { + title: 'Archery', + titlesuffix: 'Log In', + description: 'Authentication required', + } + }); + }); + app.post('/login', passport.authenticate('openidconnect')); + app.get('/cb', passport.authenticate('openidconnect', { failureRedirect: '/login', failureMessage: true }), + function (_, res) { + res.redirect('/'); + } + ); + app.get('/logout', (req, res) => { + req.logOut((err) => { + if (err) { + console.error(`Failed to log out user: ${err}`); + } + res.redirect('/login'); + }); + }); + app.use((req, res, next) => { + if (!req?.user) { + res.redirect('/login'); + return; + } + next(); + }); + } + app.get('/', async (req, res) => { try { const builds = 'q' in req.query ? await this.db.searchBuilds(req.query.q as string) : await this.db.getBuildsBy(req.query); @@ -80,6 +185,7 @@ class Web { titlesuffix: 'Dashboard', description: 'PKGBUILD central' }, + user: req?.user, builds, timeElapsed }); @@ -90,7 +196,7 @@ class Web { } }); - app.get('/build{/}', async(req, res) => { + app.get('/build{/}', async (req, res) => { const query = ('id' in req.query && typeof req.query.id === 'string' && await this.db.getBuild(sqids.decode(req.query.id)?.[0])) || req.query; res.render('build-new', { page: { @@ -98,6 +204,7 @@ class Web { titlesuffix: 'New Build', description: 'Kick off a build', }, + user: req?.user, query }); }); @@ -116,23 +223,7 @@ class Web { app.get('/build/:id{/}', async (req, res) => { const build = await this.db.getBuild(sqids.decode(req.params.id)?.[0]); - if (!build) { - res.sendStatus(404); - return; - } - build.sqid = sqids.encode([build.id]); - const log = splitLines(await this.db.getLog(build.id)); - - res.render('build', { - page: { - title: 'Archery', - titlesuffix: `Build #${build.id}`, - description: `Building ${build.repo} on ${build.distro}` - }, - build, - log, - ended: build.status !== 'queued' && build.status !== 'running' - }); + showBuild(req, res, build); }); app.get('/build/:id/cancel', async (req, res) => { @@ -187,7 +278,6 @@ class Web { this.buildController.removeListener('log', eventListener); }); }); - } close = () => { @@ -203,6 +293,35 @@ class Web { } } + initializeOIDC = async (options: WebConfig): Promise => { + if (!options.oidc || !options.oidc.server || !options.oidc.clientId || !options.oidc.clientSecret) { + return false; + } + const server = options.oidc.server.endsWith('/') ? options.oidc.server : `${options.oidc.server}/`; + const baseUrl = options.oidc.appBaseUrl.endsWith('/') ? options.oidc.appBaseUrl : `${options.oidc.appBaseUrl}/`; + const openidconf = await ky.get(`${server}.well-known/openid-configuration`).json(); + return new OpenIDConnectStrategy({ + issuer: openidconf.issuer, + authorizationURL: openidconf.authorization_endpoint, + tokenURL: openidconf.token_endpoint, + userInfoURL: openidconf.userinfo_endpoint, + clientID: options.oidc.clientId, + clientSecret: options.oidc.clientSecret, + callbackURL: `${baseUrl}cb` + }, async (_: string, profile: passport.Profile, cb: OpenIDConnectStrategy.VerifyCallback) => { + const userObj: User = { + id: profile.id, + username: profile.username, + displayName: profile.displayName + }; + const user = await this.db.getUser(profile.id); + if (!user) { + await this.db.createUser(userObj); + } + return cb(null, userObj); + }); + } + setBuildController = (buildController: BuildController) => { this.buildController = buildController; } diff --git a/src/index.ts b/src/index.ts index d6bb1fe..86d3084 100644 --- a/src/index.ts +++ b/src/index.ts @@ -11,7 +11,7 @@ interface compositeConfig { db?: DBConfig } -const config: compositeConfig = JSON.parse(await fs.promises.readFile(process.env.config || process.env.CONFIG || path.join('config', 'config.json'), 'utf-8')); +const config: compositeConfig = JSON.parse(await fs.promises.readFile(process.env.config || process.env.CONFIG || path.join(process.cwd(), 'config', 'config.json'), 'utf-8')); const web = new Web(config.web); const buildController = new BuildController(); diff --git a/views/login-required.ejs b/views/login-required.ejs new file mode 100644 index 0000000..bb134fa --- /dev/null +++ b/views/login-required.ejs @@ -0,0 +1,19 @@ + + + + + <%- include("head", locals) %> + + + + <%- include("navigation", locals) %> +
+

Authentication Required

+ You must log in to access that page. +
+ +
+
+ <%- include("footer", locals) %> + + diff --git a/views/navigation.ejs b/views/navigation.ejs index d7038d8..ebde468 100644 --- a/views/navigation.ejs +++ b/views/navigation.ejs @@ -14,6 +14,9 @@
  • Arch Builds
  • Artix Builds
  • New Build
    • + <% if (locals.user) { %> +
  • Log Out
    • + <% } %> \ No newline at end of file -- 2.49.1 From b20bbf40fc348808f8298ecb3ab96302348aac76 Mon Sep 17 00:00:00 2001 From: Cory Sanin Date: Tue, 23 Sep 2025 16:09:31 -0500 Subject: [PATCH 2/4] Track and display build authors --- scripts/build.js | 10 +--------- src/DB.ts | 37 ++++++++++++++++++++++++++++--------- src/Web.ts | 7 ++++--- views/build.ejs | 9 +++++++-- views/index.ejs | 2 +- 5 files changed, 41 insertions(+), 24 deletions(-) diff --git a/scripts/build.js b/scripts/build.js index 2d7ca4b..42dc403 100644 --- a/scripts/build.js +++ b/scripts/build.js @@ -4,14 +4,6 @@ document.addEventListener('DOMContentLoaded', function () { const buildStatusTxt = this.getElementById('buildStatus'); let started = logContainer.childElementCount > 0; - /** - * Get the correct path to establish a ws connection - * @param {Location} loc - */ - function wsPath(loc) { - return loc.pathname.replace(/\/$/, '') + '/ws'; - } - /** * Add log line to the DOM * @param {string[]} str @@ -52,7 +44,7 @@ document.addEventListener('DOMContentLoaded', function () { const loc = window.location; let new_uri = loc.protocol === 'https:' ? 'wss:' : 'ws:'; new_uri += "//" + loc.host; - new_uri += wsPath(loc); + new_uri += loc.pathname + 'ws'; var ws = new WebSocket(new_uri); ws.onmessage = function (message) { diff --git a/src/DB.ts b/src/DB.ts index 534dd47..53dff70 100644 --- a/src/DB.ts +++ b/src/DB.ts @@ -149,13 +149,24 @@ class DB { } }); + this.build.belongsTo(this.user); + this.user.hasMany(this.build); + this.sync(); } private async sync(): Promise { + await this.user.sync(); await this.build.sync(); await this.logChunk.sync(); - await this.user.sync(); + + if (!(await this.getUser('-1'))) { + await this.createUser({ + id: '-1', + username: '???', + displayName: 'Anonymous User' + }); + } } public async getUser(id: string): Promise { @@ -171,13 +182,14 @@ class DB { return user.id; } - public async createBuild(repo: string, commit: string, patch: string, distro: string, dependencies: string): Promise { + public async createBuild(repo: string, commit: string, patch: string, distro: string, dependencies: string, author: string): Promise { const buildRec = await this.build.create({ repo, commit: commit || null, patch: patch || null, distro, - dependencies + dependencies, + userId: author || '-1' }); return buildRec.id; } @@ -224,14 +236,17 @@ class DB { } public async getBuild(id: number): Promise { - return await this.build.findByPk(id); + return await this.build.findByPk(id, { + include: this.user + }); } public async getBuilds(): Promise { return await this.build.findAll({ attributes: SELECT, order: [['id', 'DESC']], - where: FRESH + where: FRESH, + include: this.user }); } @@ -242,7 +257,8 @@ class DB { where: { ...FRESH, status - } + }, + include: this.user }); } @@ -253,7 +269,8 @@ class DB { where: { ...FRESH, distro - } + }, + include: this.user }); } @@ -264,7 +281,8 @@ class DB { where: { ...FRESH, ...filterable - } + }, + include: this.user }); } @@ -287,7 +305,8 @@ class DB { { repo: { [Op.iLike]: `%${query}%` } } ] }, - limit: 100 + limit: 100, + include: this.user }); } diff --git a/src/Web.ts b/src/Web.ts index 2f9147d..8c1a1c6 100644 --- a/src/Web.ts +++ b/src/Web.ts @@ -215,13 +215,14 @@ class Web { req.body.commit || null, req.body.patch || null, req.body.distro || 'arch', - req.body.dependencies || 'stable' + req.body.dependencies || 'stable', + req?.user?.['id'] ); - res.redirect(`/build/${sqids.encode([buildId])}`); + res.redirect(`/build/${sqids.encode([buildId])}/`); this.buildController.triggerBuild(); }); - app.get('/build/:id{/}', async (req, res) => { + app.get('/build/:id/', async (req, res) => { const build = await this.db.getBuild(sqids.decode(req.params.id)?.[0]); showBuild(req, res, build); }); diff --git a/views/build.ejs b/views/build.ejs index 0926315..cd7e96d 100644 --- a/views/build.ejs +++ b/views/build.ejs @@ -18,17 +18,22 @@ <%= build.distro %> <%= build.dependencies %> <%= build.startTime %> + <% if (build.userId !== '-1') { %> + <%= build.user.displayName %> (<%= build.user.username %>) + <% } %> + <% if (build.sqid) { %> + <% } %> <% if (!ended) { %> <% } %> -

    Full logs

    +

    Full logs

    <% (log || []).forEach(line => { %>
    <%= line %>
    <% }) %>
    <% if (!ended) { %> diff --git a/views/index.ejs b/views/index.ejs index 968f361..3993acf 100644 --- a/views/index.ejs +++ b/views/index.ejs @@ -20,7 +20,7 @@ <% builds.forEach(build => { %> - <%= build.repo %> + <%= build.repo %> <%= build.distro %> <%= build.startTime %> <%= timeElapsed(build.startTime, build.endTime) %> -- 2.49.1 From 77441fe7ed1a34fde4f3e4bea8e1b88607c1fff4 Mon Sep 17 00:00:00 2001 From: Cory Sanin Date: Tue, 23 Sep 2025 19:15:19 -0500 Subject: [PATCH 3/4] create public build endpoint --- scripts/copy.js | 7 +++ src/DB.ts | 17 +++++- src/Web.ts | 127 +++++++++++++++++++++++------------------- styles/01-styles.scss | 9 +++ views/build.ejs | 10 +++- 5 files changed, 108 insertions(+), 62 deletions(-) create mode 100644 scripts/copy.js diff --git a/scripts/copy.js b/scripts/copy.js new file mode 100644 index 0000000..5a65a16 --- /dev/null +++ b/scripts/copy.js @@ -0,0 +1,7 @@ +document.addEventListener('DOMContentLoaded', function () { + for (let btn of document.getElementsByClassName('copybtn')) { + btn.addEventListener('click', e => { + navigator.clipboard.writeText(e.target.previousElementSibling.innerText); + }); + } +}); diff --git a/src/DB.ts b/src/DB.ts index 53dff70..31e1846 100644 --- a/src/DB.ts +++ b/src/DB.ts @@ -25,6 +25,7 @@ interface Build { status: Status; pid?: number; sqid?: string; + uuid: string; } interface User { @@ -105,6 +106,10 @@ class DB { pid: { type: DataTypes.INTEGER, allowNull: true + }, + uuid: { + type: DataTypes.STRING, + unique: true } }); @@ -182,13 +187,14 @@ class DB { return user.id; } - public async createBuild(repo: string, commit: string, patch: string, distro: string, dependencies: string, author: string): Promise { + public async createBuild(repo: string, commit: string, patch: string, distro: string, dependencies: string, author: string, uuid: string): Promise { const buildRec = await this.build.create({ repo, commit: commit || null, patch: patch || null, distro, dependencies, + uuid, userId: author || '-1' }); return buildRec.id; @@ -241,6 +247,15 @@ class DB { }); } + public async getBuildByUuid(uuid: string): Promise { + return await this.build.findOne({ + where: { + uuid + }, + include: this.user + }); + } + public async getBuilds(): Promise { return await this.build.findAll({ attributes: SELECT, diff --git a/src/Web.ts b/src/Web.ts index 8c1a1c6..506e677 100644 --- a/src/Web.ts +++ b/src/Web.ts @@ -92,24 +92,70 @@ class Web { }); }); - const showBuild = async (req: express.Request, res: express.Response, build: Build) => { - if (!build) { - res.sendStatus(404); - return; - } - build.sqid = sqids.encode([build.id]); - const log = splitLines(await this.db.getLog(build.id)); + const createBuildPages = (slug: string, getBuildFn: (str: string) => Promise) => { + app.get(`/${slug}/:id/`, async (req, res) => { + const build = await getBuildFn(req.params.id); + if (!build) { + res.sendStatus(404); + return; + } + build.sqid = sqids.encode([build.id]); + const log = splitLines(await this.db.getLog(build.id)); - res.render('build', { - page: { - title: 'Archery', - titlesuffix: `Build #${build.id}`, - description: `Building ${build.repo} on ${build.distro}`, - }, - user: req?.user, - build, - log, - ended: build.status !== 'queued' && build.status !== 'running' + if (req?.user) { + res.locals.shareable = `${req.protocol}://${req.host}/b/${build.uuid}/`; + } + + res.render('build', { + page: { + title: 'Archery', + titlesuffix: `Build #${build.id}`, + description: `Building ${build.repo} on ${build.distro}`, + }, + user: req?.user, + build, + log, + ended: build.status !== 'queued' && build.status !== 'running', + public: !!oidc && !req?.user + }); + }); + + app.get(`/${slug}/:id/logs{/}`, async (req, res) => { + const build = await getBuildFn(req.params.id); + if (!build) { + res.sendStatus(404); + return; + } + const log = (await this.db.getLog(build.id)).map(logChunk => logChunk.chunk).join('\n'); + res.set('Content-Type', 'text/plain').send(log); + }); + + app.get(`/${slug}/:id/patch{/}`, async (req, res) => { + const build = await getBuildFn(req.params.id); + if (!build || !build.patch) { + res.sendStatus(404); + return; + } + res.set('Content-Type', 'text/plain').send(build.patch); + }); + + wsApp.ws(`/${slug}/:id/ws`, async (ws, req) => { + const build = await getBuildFn(req.params.id); + if (! build || (build.status !== 'queued' && build.status !== 'running')) { + return ws.close(); + } + console.log('WS Opened'); + const eventListener = (be: BuildEvent) => { + if (be.id === build.id) { + ws.send(JSON.stringify(be)); + } + }; + this.buildController.on('log', eventListener); + + ws.on('close', () => { + console.log('WS Closed'); + this.buildController.removeListener('log', eventListener); + }); }); } @@ -138,7 +184,7 @@ class Web { app.use(passport.initialize()); app.use(passport.session()); app.get('/login', (req, res) => { - if(req?.user) { + if (req?.user) { return res.redirect('/'); } res.append('X-Robots-Tag', 'none'); @@ -164,6 +210,7 @@ class Web { res.redirect('/login'); }); }); + createBuildPages('b', (id) => this.db.getBuildByUuid(id)); app.use((req, res, next) => { if (!req?.user) { res.redirect('/login'); @@ -216,16 +263,14 @@ class Web { req.body.patch || null, req.body.distro || 'arch', req.body.dependencies || 'stable', - req?.user?.['id'] + req?.user?.['id'], + crypto.randomUUID() ); res.redirect(`/build/${sqids.encode([buildId])}/`); this.buildController.triggerBuild(); }); - app.get('/build/:id/', async (req, res) => { - const build = await this.db.getBuild(sqids.decode(req.params.id)?.[0]); - showBuild(req, res, build); - }); + createBuildPages('build', (id) => this.db.getBuild(sqids.decode(id)?.[0])); app.get('/build/:id/cancel', async (req, res) => { const build = await this.db.getBuild(sqids.decode(req.params.id)?.[0]); @@ -239,46 +284,12 @@ class Web { catch (ex) { console.error(ex); } - res.redirect(`/build/${req.params.id}`); - }); - - app.get('/build/:id/logs{/}', async (req, res) => { - const build = await this.db.getBuild(sqids.decode(req.params.id)?.[0]); - if (!build) { - res.sendStatus(404); - return; - } - const log = (await this.db.getLog(build.id)).map(logChunk => logChunk.chunk).join('\n'); - res.set('Content-Type', 'text/plain').send(log); - }); - - app.get('/build/:id/patch{/}', async (req, res) => { - const build = await this.db.getBuild(sqids.decode(req.params.id)?.[0]); - if (!build || !build.patch) { - res.sendStatus(404); - return; - } - res.set('Content-Type', 'text/plain').send(build.patch); + res.redirect(`/build/${req.params.id}/`); }); app.get('/healthcheck', (_, res) => { res.send('Healthy'); }); - - wsApp.ws('/build/:id/ws', (ws, req) => { - console.log('WS Opened'); - const eventListener = (be: BuildEvent) => { - if (be.id === sqids.decode(req.params.id)?.[0]) { - ws.send(JSON.stringify(be)); - } - }; - this.buildController.on('log', eventListener); - - ws.on('close', () => { - console.log('WS Closed'); - this.buildController.removeListener('log', eventListener); - }); - }); } close = () => { diff --git a/styles/01-styles.scss b/styles/01-styles.scss index e56d167..b9d5a26 100644 --- a/styles/01-styles.scss +++ b/styles/01-styles.scss @@ -118,6 +118,15 @@ input[type="submit"] { } } +span, +a { + + &:has(+ button.copybtn) { + float: left; + margin-right: .75em; + } +} + .sidebar { background: var(--primary); diff --git a/views/build.ejs b/views/build.ejs index cd7e96d..d9bdb82 100644 --- a/views/build.ejs +++ b/views/build.ejs @@ -12,18 +12,21 @@

    <%= build.status %>

    - <%= build.repo %> + <%= build.repo %> <% if (build.commit) { %><%= build.commit %><% } else { %>latest<% } %> <% if (build.patch) { %>patch file<% } else { %>none<% } %> <%= build.distro %> <%= build.dependencies %> <%= build.startTime %> - <% if (build.userId !== '-1') { %> + <% if (build.userId && build.userId !== '-1') { %> <%= build.user.displayName %> (<%= build.user.username %>) <% } %> + <% if (locals.shareable) { %> + <%= shareable %> + <% } %>
    - <% if (build.sqid) { %> + <% if (build.sqid && !public) { %> @@ -44,6 +47,7 @@ <%- include("footer", locals) %> + <% if (!ended) { %> <% } %> -- 2.49.1 From fe49302ecaab43d46de57354c35661fee9a7625d Mon Sep 17 00:00:00 2001 From: Cory Sanin Date: Wed, 24 Sep 2025 23:31:24 -0500 Subject: [PATCH 4/4] add session store --- src/DB.ts | 146 +++++++++++++++++++++++++++++++++++++++++++++++++-- src/Web.ts | 47 +++++++++-------- src/index.ts | 1 + 3 files changed, 169 insertions(+), 25 deletions(-) diff --git a/src/DB.ts b/src/DB.ts index 31e1846..150b6f2 100644 --- a/src/DB.ts +++ b/src/DB.ts @@ -1,9 +1,13 @@ import { Sequelize, DataTypes, Op, } from 'sequelize'; +import { Store } from 'express-session' +import { notStupidParseInt } from './Web.ts'; import type { ModelStatic, Filterable } from 'sequelize'; import type { LogType } from './BuildController.ts'; +import type { SessionData } from 'express-session' type Status = 'queued' | 'running' | 'cancelled' | 'success' | 'error'; type Dependencies = 'stable' | 'testing' | 'staging'; +type Callback = (err?: unknown, data?: any) => any interface DBConfig { db?: string; @@ -41,7 +45,7 @@ interface LogChunk { chunk: string } -const MONTH = 1000 * 60 * 60 * 24 * 24; +const MONTH = 1000 * 60 * 60 * 24 * 30; const FRESH = { [Op.or]: [ { startTime: { [Op.gt]: new Date(Date.now() - MONTH) } }, @@ -50,13 +54,27 @@ const FRESH = { } const SELECT = ['id', 'repo', 'commit', 'distro', 'dependencies', 'startTime', 'endTime', 'status']; -class DB { +function handleCallback(err: unknown, data: T, cb?: Callback): T { + if (cb) { + cb(err, data); + } + if (err) { + throw err; + } + return data; +} + +class DB extends Store { private build: ModelStatic; private logChunk: ModelStatic; private user: ModelStatic; + private session: ModelStatic; private sequelize: Sequelize; + private ttl: number; constructor(config: DBConfig = {}) { + super(); + this.ttl = notStupidParseInt(process.env['COOKIETTL']) || 1000 * 60 * 60 * 24 * 30; this.sequelize = new Sequelize(config.db || 'archery', config.user || 'archery', process.env.PASSWORD || config.password || '', { host: config.host || 'localhost', port: config.port || 5432, @@ -154,6 +172,16 @@ class DB { } }); + this.session = this.sequelize.define('session', { + sid: { + type: DataTypes.STRING, + primaryKey: true, + }, + sessionData: { + type: DataTypes.JSONB, + } + }); + this.build.belongsTo(this.user); this.user.hasMany(this.build); @@ -164,7 +192,8 @@ class DB { await this.user.sync(); await this.build.sync(); await this.logChunk.sync(); - + await this.session.sync(); + if (!(await this.getUser('-1'))) { await this.createUser({ id: '-1', @@ -329,8 +358,117 @@ class DB { await this.build.destroy({ where: { startTime: { [Op.lt]: new Date(Date.now() - MONTH * 6) } - } + }, + force: true }); + await this.session.destroy({ + where: { + updatedAt: { [Op.lt]: new Date(Date.now() - this.ttl) } + }, + force: true + }); + } + + public getTTL(sessionData: SessionData) { + if (sessionData?.cookie?.expires) { + const ms = Number(new Date(sessionData.cookie.expires)) - Date.now(); + return ms; + } + else { + return this.ttl; + } + } + + public async set(sid: string, sessionData: SessionData, cb?: Callback): Promise { + const ttl = this.getTTL(sessionData); + try { + if (ttl > 0) { + await this.session.upsert({ + sid, + sessionData + }); + handleCallback(null, null, cb); + return; + } + await this.destroy(sid, cb); + } + catch (err) { + return handleCallback(err, null, cb); + } + } + + public async get(sid: string, cb?: Callback): Promise { + try { + return handleCallback(null, ((await this.session.findByPk(sid))?.sessionData) as SessionData || null, cb); + } + catch (err) { + return handleCallback(err, null, cb); + } + } + + public async destroy(sid: string, cb?: Callback): Promise { + try { + await this.session.destroy({ + where: { + sid + }, + force: true + }); + handleCallback(null, null, cb); + } + catch (err) { + handleCallback(err, null, cb); + } + } + + public async clear(cb?: Callback): Promise { + try { + await this.session.destroy({ + truncate: true, + force: true + }); + handleCallback(null, null, cb); + } + catch (err) { + handleCallback(err, null, cb); + } + } + + public async length(cb?: Callback): Promise { + try { + return handleCallback(null, await this.session.count(), cb); + } + catch (err) { + handleCallback(err, null, cb); + } + } + + public async touch(sid: string, sessionData: SessionData, cb?: Callback): Promise { + try { + await this.session.update({}, + { + where: { + sid + } + } + ); + handleCallback(null, null, cb); + } + catch (err) { + handleCallback(err, null, cb); + } + } + + public async all(cb?: Callback): Promise { + try { + const all = await this.session.findAll({ + attributes: ['sessionData'] + }); + return handleCallback(null, all.map(row => row.sessionData as SessionData), cb); + } + catch (err) { + handleCallback(err, null, cb); + } } public async close(): Promise { diff --git a/src/Web.ts b/src/Web.ts index 506e677..20986fd 100644 --- a/src/Web.ts +++ b/src/Web.ts @@ -15,6 +15,7 @@ import type { BuildController, BuildEvent } from "./BuildController.ts"; interface WebConfig { sessionSecret?: string; port?: number; + secure?: boolean; oidc?: { server: string; clientId: string; @@ -58,12 +59,14 @@ class Web { private buildController: BuildController; private app: expressWs.Application; private port: number; + private options:WebConfig; constructor(options: WebConfig = {}) { - this.initialize(options) + this.options = options; } - initialize = async (options: WebConfig) => { + initialize = async () => { + const options = this.options; const sessionSecret = process.env['SESSIONSECRET'] || options.sessionSecret; const sqids = new Sqids({ minLength: 6, @@ -141,7 +144,7 @@ class Web { wsApp.ws(`/${slug}/:id/ws`, async (ws, req) => { const build = await getBuildFn(req.params.id); - if (! build || (build.status !== 'queued' && build.status !== 'running')) { + if (!build || (build.status !== 'queued' && build.status !== 'running')) { return ws.close(); } console.log('WS Opened'); @@ -159,15 +162,29 @@ class Web { }); } + app.get('/healthcheck', (_, res) => { + res.send('Healthy'); + }); + if (oidc) { if (!sessionSecret) { throw new Error('sessionSecret must be set.'); } app.use(session({ + name: 'sessionId', secret: sessionSecret, - resave: false, - saveUninitialized: false + resave: true, + saveUninitialized: false, + store: this.db, + cookie: { + maxAge: notStupidParseInt(process.env['COOKIETTL']) || 1000 * 60 * 60 * 24 * 30, // 30 days + httpOnly: true, + secure: !!options.secure + } })); + passport.use(oidc); + app.use(passport.initialize()); + app.use(passport.session()); passport.serializeUser(function (user: User, done) { done(null, user.id); }); @@ -177,12 +194,9 @@ class Web { done(null, { id: user.id, username: user.username, - name: user.displayName + displayName: user.displayName }); }); - passport.use(oidc); - app.use(passport.initialize()); - app.use(passport.session()); app.get('/login', (req, res) => { if (req?.user) { return res.redirect('/'); @@ -197,11 +211,7 @@ class Web { }); }); app.post('/login', passport.authenticate('openidconnect')); - app.get('/cb', passport.authenticate('openidconnect', { failureRedirect: '/login', failureMessage: true }), - function (_, res) { - res.redirect('/'); - } - ); + app.get('/cb', passport.authenticate('openidconnect', { successRedirect: '/', failureRedirect: '/login', failureMessage: true })); app.get('/logout', (req, res) => { req.logOut((err) => { if (err) { @@ -287,9 +297,7 @@ class Web { res.redirect(`/build/${req.params.id}/`); }); - app.get('/healthcheck', (_, res) => { - res.send('Healthy'); - }); + this._webserver = this.app.listen(this.port, () => console.log(`archery is running on port ${this.port}`)); } close = () => { @@ -300,9 +308,6 @@ class Web { setDB = (db: DB) => { this.db = db; - if (!this._webserver) { - this._webserver = this.app.listen(this.port, () => console.log(`archery is running on port ${this.port}`)); - } } initializeOIDC = async (options: WebConfig): Promise => { @@ -340,5 +345,5 @@ class Web { } export default Web; -export { Web }; +export { Web, notStupidParseInt }; export type { WebConfig }; diff --git a/src/index.ts b/src/index.ts index 86d3084..ade1a32 100644 --- a/src/index.ts +++ b/src/index.ts @@ -19,6 +19,7 @@ await new Promise((resolve) => setTimeout(resolve, 1500)); const db = new DB(config.db); web.setDB(db); web.setBuildController(buildController); +web.initialize(); buildController.setDB(db); process.on('SIGTERM', () => { -- 2.49.1