chore: add a authcheck when connecting to a websocket so that rogue u…

…sers are challenged more, fix deps and config schema

.config/config-schema.json

@@ -130,15 +130,18 @@
 			"additionalProperties": false,
 			"properties": {
 				"hosts": {
+					"description": "The hosts to enable Turnstile on",
 					"items": {
 						"type": "string"
 					},
 					"type": "array"
 				},
 				"secret": {
+					"description": "The Turnstile secret key, used by the backend",
 					"type": "string"
 				},
 				"siteKey": {
+					"description": "The Turnstile site key, used by the frontend",
 					"type": "string"
 				}
 			},

package.json

@@ -1,12 +1,12 @@
 {
 	"name": "stardust",
-	"version": "1.0",
+	"version": "1.0.0",
 	"private": true,
 	"type": "module",
 	"scripts": {
-		"dev": "tsx server.ts",
+		"dev": "CONFIG=$(cat .config/config.json) tsx server.ts",
 		"build": "CONFIG=$(cat .config/config.json) next build",
-		"start": "NODE_ENV=production tsx server.ts",
+		"start": "NODE_ENV=production CONFIG=$(cat .config/config.json) tsx server.ts",
 		"check": "biome check --write .",
 		"drizzle-kit": "drizzle-kit",
 		"db:push": "drizzle-kit push",
@@ -36,8 +36,6 @@
 		"@radix-ui/react-tabs": "^1.1.0",
 		"@radix-ui/react-tooltip": "^1.1.2",
 		"@tanstack/react-table": "8.19.3",
-		"@types/dockerode": "^3.3.26",
-		"@types/ws": "^8.5.10",
 		"argon2": "^0.40.3",
 		"babel-plugin-react-compiler": "0.0.0-experimental-696af53-20240625",
 		"class-variance-authority": "^0.7.0",
@@ -67,11 +65,13 @@
 	},
 	"devDependencies": {
 		"@biomejs/biome": "1.8.3",
+		"@types/dockerode": "^3.3.26",
 		"@types/node": "^20.11.30",
 		"@types/novnc__novnc": "^1.3.5",
 		"@types/pg": "^8.11.4",
 		"@types/react": "^18.3.3",
 		"@types/react-dom": "^18.3.0",
+		"@types/ws": "^8.5.10",
 		"autoprefixer": "^10.4.19",
 		"drizzle-kit": "^0.23.0",
 		"postcss": "^8.4.38",

server.ts

@@ -1,21 +1,26 @@
-import "dotenv/config";
-
 import { createServer } from "node:http";
 import { Socket } from "node:net";
-import type { Config } from "@/types/config";
+import { getConfig } from "@/lib/config";
+import docker from "@/lib/docker";
+import { db, session } from "@/lib/drizzle/db";
 import { consola } from "consola";
+import { and, eq } from "drizzle-orm";
 import next from "next";
+import { getToken } from "next-auth/jwt";
 import { WebSocketServer } from "ws";
+const config = getConfig();
 const port = Number.parseInt(process.env.PORT as string) || 3000;
 const dev = process.env.NODE_ENV !== "production";
-const config: Config = await import("./.config/config.json");
-process.env.CONFIG = JSON.stringify(config);
-const docker = (await import("@/lib/docker")).default;
 if (process.argv.includes("--turbo")) {
 	process.env.TURBOPACK = "1";
 }
 const server = createServer();
-const app = next({ dev, port, httpServer: server, hostname: process.env.HOSTNAME });
+const app = next({
+	dev,
+	port,
+	httpServer: server,
+	hostname: process.env.HOSTNAME,
+});
 consola.start(`✨ Stardust: Starting ${dev ? "development" : "production"} server...`);
 await app.prepare();
 const nextRequest = app.getRequestHandler();
@@ -63,8 +68,24 @@ websockify.on("connection", async (ws, req) => {
 server.on("request", nextRequest);
 server.on("upgrade", async (req, socket, head) => {
 	if (req.url?.includes("websockify")) {
+		const cookie = req.headers.cookie?.includes("__Secure") ? "__Secure-authjs.session-token" : "authjs.session-token";
+		const token = await getToken({
+			req: { headers: req.headers as Record<string, string> },
+			secret: config.auth.secret,
+			secureCookie: req.headers.cookie?.includes("__Secure"),
+			salt: cookie,
+			cookieName: cookie,
+		});
+		const [dbSession] = await db
+			.select({})
+			.from(session)
+			.where(and(eq(session.userId, token?.id as string), eq(session.id, req.url?.split("/")[2] as string)));
 		websockify.handleUpgrade(req, socket, head, (ws) => {
-			websockify.emit("connection", ws, req, websockify);
+			if (dbSession) {
+				websockify.emit("connection", ws, req, websockify);
+			} else {
+				ws.close(1008, "Unauthorized");
+			}
 		});
 	} else {
 		nextUpgrade(req, socket, head);