From f59147dbc1dffa5bfbe3874efa6f2ec5cbd9cf6a Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Tue, 24 Jun 2025 03:38:41 +0200
Subject: [PATCH] remove authToken; that would prevent localhost from entering pw-less
---
 mac/VibeTunnel/Core/Services/BunServer.swift | 22 +++---------------
 .../Core/Services/ServerManager.swift | 11 ---------
 .../Core/Services/SessionMonitor.swift | 14 +----------
 web/src/server/middleware/auth.ts | 23 ++++---------------
 web/src/server/server.ts | 7 ------
 5 files changed, 8 insertions(+), 69 deletions(-)
diff --git a/mac/VibeTunnel/Core/Services/BunServer.swift b/mac/VibeTunnel/Core/Services/BunServer.swift
index a0bda128..3ea9de77 100644
--- a/mac/VibeTunnel/Core/Services/BunServer.swift
+++ b/mac/VibeTunnel/Core/Services/BunServer.swift
@@ -1,6 +1,5 @@
 import Foundation
 import OSLog
-import CryptoKit
 /// Server state enumeration
 enum ServerState {
@@ -45,21 +44,6 @@ final class BunServer {
 var port: String = ""
 var bindAddress: String = "127.0.0.1"
-
- /// Local authentication token for bypassing auth on localhost
- private let localAuthToken: String = {
- // Generate a secure random token for this session
- let randomData = Data((0..<32).map { _ in UInt8.random(in: 0...255) })
- return randomData.base64EncodedString()
- .replacingOccurrences(of: "+", with: "-")
- .replacingOccurrences(of: "/", with: "_")
- .replacingOccurrences(of: "=", with: "")
- }()
-
- /// Get the local auth token for use in HTTP requests
- var localToken: String {
- localAuthToken
- }
 // MARK: - Initialization
@@ -169,9 +153,9 @@ final class BunServer {
 // Add local bypass authentication for the Mac app
 if authMode != "none" {
- // Enable local bypass with our generated token
- vibetunnelArgs += " --allow-local-bypass --local-auth-token \(localAuthToken)"
- logger.info("Local authentication bypass enabled for Mac app")
+ // Enable local bypass without requiring token for browser access
+ vibetunnelArgs += " --allow-local-bypass"
+ logger.info("Local authentication bypass enabled for localhost connections")
 }
 // Create wrapper to run vibetunnel with a parent death signal
diff --git a/mac/VibeTunnel/Core/Services/ServerManager.swift b/mac/VibeTunnel/Core/Services/ServerManager.swift
index c9590c75..8fae7c75 100644
--- a/mac/VibeTunnel/Core/Services/ServerManager.swift
+++ b/mac/VibeTunnel/Core/Services/ServerManager.swift
@@ -224,9 +224,6 @@ class ServerManager {
 }
 logger.info("Started server on port \(self.port)")
-
- // Pass the local auth token to SessionMonitor
- SessionMonitor.shared.setLocalAuthToken(server.localToken)
 // Trigger cleanup of old sessions after server starts
 await triggerInitialCleanup()
@@ -256,9 +253,6 @@ class ServerManager {
 await server.stop()
 bunServer = nil
 isRunning = false
-
- // Clear the auth token from SessionMonitor
- SessionMonitor.shared.setLocalAuthToken(nil)
 // Reset crash tracking when manually stopped
 consecutiveCrashes = 0
@@ -322,11 +316,6 @@ class ServerManager {
 var request = URLRequest(url: url)
 request.httpMethod = "POST"
 request.timeoutInterval = 10
-
- // Add local auth token if available
- if let server = bunServer {
- request.setValue(server.localToken, forHTTPHeaderField: "X-VibeTunnel-Local")
- }
 // Make the cleanup request
 let (data, response) = try await URLSession.shared.data(for: request)
diff --git a/mac/VibeTunnel/Core/Services/SessionMonitor.swift b/mac/VibeTunnel/Core/Services/SessionMonitor.swift
index c90b8b5e..d802884f 100644
--- a/mac/VibeTunnel/Core/Services/SessionMonitor.swift
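Review bot: In BunServer.swift's `@@ -169,9 +153,9 @@` hunk, the unchanged comment `// Add local bypass authentication for the Mac app` above `if authMode != "none"` no longer matches the new lines: `--allow-local-bypass` is now passed without a token, so the exemption covers every loopback client rather than only the app. I would reword it to record the trust decision, e.g. `// Trust all loopback clients: any local process or browser can reach the API without credentials`, and replace the added `// Enable local bypass without requiring token for browser access` with a line saying that the server-side locality check is now the only gate. The enclosing function begins and ends outside this hunk, so whether `bindAddress` is consulted before the flag is added cannot be seen from here.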
+++ b/mac/VibeTunnel/Core/Services/SessionMonitor.swift
@@ -29,17 +29,11 @@ final class SessionMonitor {
 private var lastFetch: Date?
 private let cacheInterval: TimeInterval = 2.0
 private let serverPort: Int
- private var localAuthToken: String?
 private init() {
 let port = UserDefaults.standard.integer(forKey: "serverPort")
 self.serverPort = port > 0 ? port : 4_020
 }
-
- /// Set the local auth token for server requests
- func setLocalAuthToken(_ token: String?) {
- self.localAuthToken = token
- }
 /// Number of running sessions
 var sessionCount: Int {
@@ -75,13 +69,7 @@ final class SessionMonitor {
 throw URLError(.badURL)
 }
- var request = URLRequest(url: url, timeoutInterval: 3.0)
-
- // Add local auth token if available
- if let token = localAuthToken {
- request.setValue(token, forHTTPHeaderField: "X-VibeTunnel-Local")
- }
-
+ let request = URLRequest(url: url, timeoutInterval: 3.0)
 let (data, response) = try await URLSession.shared.data(for: request)
 guard let httpResponse = response as? HTTPURLResponse,
diff --git a/web/src/server/middleware/auth.ts b/web/src/server/middleware/auth.ts
index 953ff974..c75d08e1 100644
--- a/web/src/server/middleware/auth.ts
+++ b/web/src/server/middleware/auth.ts
@@ -12,7 +12,6 @@ interface AuthConfig {
 bearerToken?: string; // Token that HQ must use to authenticate with this remote
 authService?: AuthService; // Enhanced auth service for JWT tokens
 allowLocalBypass?: boolean; // Allow localhost connections to bypass auth
- localAuthToken?: string; // Token for localhost authentication
 }
 interface AuthenticatedRequest extends Request {
@@ -67,24 +66,10 @@ export function createAuthMiddleware(config: AuthConfig) {
 // Check for local bypass if enabled
 if (config.allowLocalBypass && isLocalRequest(req)) {
- // If a local auth token is configured, check for it
- if (config.localAuthToken) {
- const providedToken = req.headers['x-vibetunnel-local'] as string;
- if (providedToken === config.localAuthToken) {
- logger.debug('Local request authenticated with token');
- req.authMethod = 'local-bypass';
- req.userId = 'local-user';
- return next();
- } else {
- logger.debug('Local request missing or invalid token');
- }
- } else {
- // No token required for local bypass
- logger.debug('Local request authenticated without token');
- req.authMethod = 'local-bypass';
- req.userId = 'local-user';
- return next();
- }
+ logger.debug('Local request authenticated - bypassing auth');
+ req.authMethod = 'local-bypass';
+ req.userId = 'local-user';
+ return next();
 }
 // Only log auth requests that might be problematic (no header or failures)
diff --git a/web/src/server/server.ts b/web/src/server/server.ts
index 9c20f7e3..5478579c 100644
--- a/web/src/server/server.ts
+++ b/web/src/server/server.ts
@@ -63,7 +63,6 @@ interface Config {
 bellNotificationsEnabled: boolean;
 // Local bypass configuration
 allowLocalBypass: boolean;
- localAuthToken: string | null;
 }
 // Show help message
@@ -82,7 +81,6 @@ Options:
 --disallow-user-password Disable password auth, SSH keys only (auto-enables --enable-ssh-keys)
 --no-auth Disable authentication (auto-login as current user)
 --allow-local-bypass Allow localhost connections to bypass authentication
- --local-auth-token Token for localhost authentication bypass
 --debug Enable debug logging
 Push Notification Options:
@@ -148,7 +146,6 @@ function parseArgs(): Config {
 bellNotificationsEnabled: true, // Enable bell notifications by default
 // Local bypass configuration
 allowLocalBypass: false,
- localAuthToken: null as string | null,
 };
 // Check for help flag first
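Review bot: In auth.ts's `@@ -67,24 +66,10 @@` hunk, the branch `if (config.allowLocalBypass && isLocalRequest(req))` now sets `req.userId = 'local-user'` on the address check alone, so the whole exemption rests on `isLocalRequest`, which is defined outside this hunk. If that helper does not already do so, it should decide from the socket peer address rather than a proxy-derived one and refuse requests that carry forwarding headers, because a reverse proxy or tunnel on the same host would otherwise make remote traffic look local; a guard such as `if (config.allowLocalBypass && isLocalRequest(req) && !req.headers['x-forwarded-for']) {` would cover that case. A browser on the machine also counts as local, so checking `Host` and `Origin` against the expected loopback names before `return next()` is worth adding to blunt cross-site and DNS-rebinding requests. The success path is logged only at `logger.debug`, which leaves no record of bypassed requests at normal log levels.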
@@ -207,9 +204,6 @@ function parseArgs(): Config {
 config.generateVapidKeys = true;
 } else if (args[i] === '--allow-local-bypass') {
 config.allowLocalBypass = true;
- } else if (args[i] === '--local-auth-token' && i + 1 < args.length) {
- config.localAuthToken = args[i + 1];
- i++; // Skip the token value in next iteration
 } else if (args[i].startsWith('--')) {
 // Unknown argument
 logger.error(`Unknown argument: ${args[i]}`);
@@ -442,7 +436,6 @@ export async function createApp(): Promise {
 bearerToken: remoteBearerToken || undefined, // Token that HQ must use to auth with us
 authService, // Add enhanced auth service for JWT tokens
 allowLocalBypass: config.allowLocalBypass,
- localAuthToken: config.localAuthToken || undefined,
 });
 // Serve static files with .html extension handling