tony
f793b526aa
- Add OWNER_SECRET-based session: signed HMAC cookie, /api/auth/owner login, requireOwner middleware. All Tesla routes refuse 401 without it. - Bind OAuth state to a SameSite=Lax httpOnly cookie at /start, validate match in /callback with constant-time compare. Refuses unmatched callbacks. - Token store now mkdir 0700, writeFile + rename atomic, mode 0600 with defensive chmod. Owner-only on disk. - VIN masked to last 4 in responses; partner-register no longer echoes raw Tesla body to clients; coord bounds checked on send-to-nav. - Client: useTesla also tracks owner status; Connect Tesla button opens an OwnerLoginModal when not authenticated, then continues to Tesla OAuth. Conscious deferrals: - Explicit CSRF tokens on POST routes: mitigated by SameSite=Lax cookies + same-origin CORS. Will revisit if cross-origin clients land. - At-rest token encryption: deferred for single-user app; tokens are on a 0700 Dokku volume readable only by the app uid. Will add AES-GCM if we multi-tenant.
283 lines
11 KiB
TypeScript
283 lines
11 KiB
TypeScript
import { Router, Request, Response } from 'express';
|
|
import crypto from 'node:crypto';
|
|
import { env } from '../config/env.js';
|
|
import { createLogger } from '../lib/logger.js';
|
|
import { teslaTokenStore } from '../lib/teslaTokenStore.js';
|
|
import { ownerIdFromRequest, requireOwner } from '../lib/ownerAuth.js';
|
|
import {
|
|
buildAuthorizeUrl,
|
|
exchangeCodeForTokens,
|
|
getAccessToken,
|
|
getVehicleData,
|
|
listVehicles,
|
|
sendNavigationRequest,
|
|
wakeVehicle,
|
|
registerPartnerAccount,
|
|
getAppToken,
|
|
} from '../lib/teslaClient.js';
|
|
|
|
const log = createLogger('tesla');
|
|
const router = Router();
|
|
|
|
const TESLA_STATE_COOKIE = 'tesla_oauth_state';
|
|
const STATE_TTL_S = 10 * 60;
|
|
|
|
// ─── Domain verification (PUBLIC — Tesla fetches anonymously) ───────────────
|
|
router.get('/.well-known/appspecific/com.tesla.3p.public-key.pem', (_req, res) => {
|
|
if (!env.tesla.publicKey) {
|
|
log.warn('Tesla public key requested but TESLA_FLEET_PUBLIC_KEY is empty');
|
|
res.status(404).type('text/plain').send('Public key not configured');
|
|
return;
|
|
}
|
|
res.type('application/x-pem-file');
|
|
res.set('Cache-Control', 'public, max-age=300');
|
|
res.send(env.tesla.publicKey);
|
|
});
|
|
|
|
// ─── Connect status (PUBLIC — used by client to decide UI state) ────────────
|
|
// Reveals only whether the integration is configured / connected; never
|
|
// emits any credentials or vehicle data.
|
|
router.get('/api/tesla/status', async (req, res) => {
|
|
if (!env.tesla.clientId || !env.tesla.clientSecret) {
|
|
res.json({ available: false, reason: 'pending_partner_approval' });
|
|
return;
|
|
}
|
|
const ownerId = ownerIdFromRequest(req);
|
|
const tokens = ownerId ? await teslaTokenStore.get(ownerId) : null;
|
|
res.json({
|
|
available: true,
|
|
connected: !!tokens,
|
|
ownerAuthenticated: !!ownerId,
|
|
connectedAt: tokens?.connectedAt ?? null,
|
|
vehicleId: tokens?.vehicleId ?? null,
|
|
vin: tokens?.vin ? `…${tokens.vin.slice(-4)}` : null, // masked
|
|
carType: tokens?.carType ?? null,
|
|
trimBadging: tokens?.trimBadging ?? null,
|
|
});
|
|
});
|
|
|
|
// ─── Everything below requires owner auth ──────────────────────────────────
|
|
|
|
// ─── Start the OAuth dance ──────────────────────────────────────────────────
|
|
router.get('/api/auth/tesla/start', requireOwner, (req, res) => {
|
|
if (!env.tesla.clientId || !env.tesla.clientSecret) {
|
|
res.status(503).json({ error: 'tesla_not_configured' });
|
|
return;
|
|
}
|
|
// Random state — bound to the browser via an httpOnly cookie so a CSRF
|
|
// attacker can't pre-seed a state that lands tokens in our account.
|
|
const state = crypto.randomBytes(16).toString('hex');
|
|
res.cookie(TESLA_STATE_COOKIE, state, {
|
|
httpOnly: true,
|
|
secure: env.nodeEnv === 'production',
|
|
sameSite: 'lax',
|
|
maxAge: STATE_TTL_S * 1000,
|
|
path: '/',
|
|
});
|
|
const url = buildAuthorizeUrl(state);
|
|
res.json({ authorizeUrl: url });
|
|
});
|
|
|
|
// ─── OAuth callback ─────────────────────────────────────────────────────────
|
|
// Tesla redirects the browser here after the user authorises. The owner cookie
|
|
// from when /start was called must still be present (SameSite=Lax allows it
|
|
// through on the top-level navigation back from Tesla), and the state in the
|
|
// cookie must equal the state Tesla bounced back.
|
|
router.get('/api/auth/tesla/callback', async (req, res) => {
|
|
const { code, state, error } = req.query as Record<string, string | undefined>;
|
|
const cookieState = (req as any).cookies?.[TESLA_STATE_COOKIE];
|
|
|
|
// Always clear the state cookie — single-use.
|
|
res.clearCookie(TESLA_STATE_COOKIE, { path: '/' });
|
|
|
|
if (error) {
|
|
log.warn({ error }, 'Tesla OAuth error');
|
|
res.redirect(`/?tesla_error=${encodeURIComponent(error)}`);
|
|
return;
|
|
}
|
|
if (!code || !state) {
|
|
res.status(400).type('text/plain').send('Missing code or state');
|
|
return;
|
|
}
|
|
if (!cookieState || typeof cookieState !== 'string' || cookieState.length !== state.length
|
|
|| !crypto.timingSafeEqual(Buffer.from(cookieState), Buffer.from(state))) {
|
|
log.warn({ haveCookie: !!cookieState }, 'OAuth state cookie missing or mismatched — rejecting');
|
|
res.status(400).type('text/plain').send('OAuth state mismatch — restart from the planner');
|
|
return;
|
|
}
|
|
|
|
const ownerId = ownerIdFromRequest(req);
|
|
if (!ownerId) {
|
|
// Owner cookie expired or the user opened the callback in a different
|
|
// browser. Refuse rather than fall back to a global identity.
|
|
res.status(401).type('text/plain').send('Owner session expired — log in and reconnect');
|
|
return;
|
|
}
|
|
|
|
try {
|
|
const tokens = await exchangeCodeForTokens(code);
|
|
let vehicleId: string | undefined;
|
|
let vin: string | undefined;
|
|
let carType: string | undefined;
|
|
let trimBadging: string | undefined;
|
|
try {
|
|
const vehicles = await listVehicles(tokens.access_token);
|
|
const first = vehicles[0];
|
|
if (first) {
|
|
vehicleId = String(first.id_s ?? first.id ?? '');
|
|
vin = first.vin;
|
|
}
|
|
if (vehicleId) {
|
|
try {
|
|
const data = await getVehicleData(tokens.access_token, vehicleId);
|
|
carType = data?.vehicle_config?.car_type;
|
|
trimBadging = data?.vehicle_config?.trim_badging;
|
|
} catch (e) {
|
|
log.info({ err: String(e) }, 'Vehicle asleep at connect — config will populate later');
|
|
}
|
|
}
|
|
} catch (e) {
|
|
log.warn({ err: String(e) }, 'listVehicles failed at connect');
|
|
}
|
|
|
|
await teslaTokenStore.set(ownerId, {
|
|
accessToken: tokens.access_token,
|
|
refreshToken: tokens.refresh_token,
|
|
expiresAt: Date.now() + tokens.expires_in * 1000,
|
|
scope: tokens.scope || '',
|
|
vehicleId,
|
|
vin,
|
|
carType,
|
|
trimBadging,
|
|
connectedAt: Date.now(),
|
|
});
|
|
|
|
log.info({ ownerId, vehicleId, vin: vin?.slice(-4) }, 'Tesla connected');
|
|
res.redirect('/?tesla_connected=1');
|
|
} catch (err) {
|
|
log.error({ err: String(err) }, 'Tesla OAuth callback failed');
|
|
res.redirect(`/?tesla_error=${encodeURIComponent('token_exchange_failed')}`);
|
|
}
|
|
});
|
|
|
|
// ─── Disconnect ─────────────────────────────────────────────────────────────
|
|
router.post('/api/tesla/disconnect', requireOwner, async (req, res) => {
|
|
const ownerId = ownerIdFromRequest(req)!;
|
|
await teslaTokenStore.remove(ownerId);
|
|
res.json({ ok: true });
|
|
});
|
|
|
|
// ─── Vehicle state (battery, range, location) ───────────────────────────────
|
|
router.get('/api/tesla/state', requireOwner, async (req, res) => {
|
|
if (!env.tesla.clientId) {
|
|
res.status(503).json({ connected: false, reason: 'pending_partner_approval' });
|
|
return;
|
|
}
|
|
const ownerId = ownerIdFromRequest(req)!;
|
|
const tokens = await getAccessToken(ownerId);
|
|
if (!tokens) {
|
|
res.status(401).json({ connected: false, reason: 'not_connected' });
|
|
return;
|
|
}
|
|
if (!tokens.vehicleId) {
|
|
res.status(404).json({ connected: true, reason: 'no_vehicles' });
|
|
return;
|
|
}
|
|
|
|
try {
|
|
const data = await getVehicleData(tokens.accessToken, tokens.vehicleId);
|
|
const cs = data?.charge_state || {};
|
|
const ds = data?.drive_state || {};
|
|
const vs = data?.vehicle_state || {};
|
|
const vc = data?.vehicle_config || {};
|
|
res.json({
|
|
connected: true,
|
|
asleep: false,
|
|
battery: typeof cs.battery_level === 'number' ? cs.battery_level : null,
|
|
rangeKm: typeof cs.battery_range === 'number' ? Math.round(cs.battery_range * 1.60934) : null,
|
|
idealRangeKm: typeof cs.ideal_battery_range === 'number' ? Math.round(cs.ideal_battery_range * 1.60934) : null,
|
|
chargingState: cs.charging_state ?? null,
|
|
chargerPowerKw: typeof cs.charger_power === 'number' ? cs.charger_power : null,
|
|
timeToFullCharge: typeof cs.time_to_full_charge === 'number' ? cs.time_to_full_charge : null,
|
|
lat: typeof ds.latitude === 'number' ? ds.latitude : null,
|
|
lng: typeof ds.longitude === 'number' ? ds.longitude : null,
|
|
heading: typeof ds.heading === 'number' ? ds.heading : null,
|
|
speedKmh: typeof ds.speed === 'number' ? Math.round(ds.speed * 1.60934) : null,
|
|
shiftState: ds.shift_state ?? null,
|
|
odometerKm: typeof vs.odometer === 'number' ? Math.round(vs.odometer * 1.60934) : null,
|
|
carType: vc.car_type ?? tokens.carType ?? null,
|
|
trimBadging: vc.trim_badging ?? tokens.trimBadging ?? null,
|
|
vin: tokens.vin ? `…${tokens.vin.slice(-4)}` : null,
|
|
vehicleName: vs.vehicle_name ?? null,
|
|
softwareVersion: vs.car_version ?? null,
|
|
fetchedAt: Date.now(),
|
|
});
|
|
} catch (err) {
|
|
const msg = String(err);
|
|
if (/408/.test(msg) || /asleep/i.test(msg)) {
|
|
res.status(202).json({ connected: true, asleep: true, vehicleId: tokens.vehicleId });
|
|
return;
|
|
}
|
|
log.error({ err: msg }, 'Failed to fetch vehicle state');
|
|
res.status(502).json({ connected: true, error: 'fleet_api_error' });
|
|
}
|
|
});
|
|
|
|
router.post('/api/tesla/wake', requireOwner, async (req, res) => {
|
|
const ownerId = ownerIdFromRequest(req)!;
|
|
const tokens = await getAccessToken(ownerId);
|
|
if (!tokens || !tokens.vehicleId) {
|
|
res.status(401).json({ ok: false, reason: 'not_connected' });
|
|
return;
|
|
}
|
|
try {
|
|
await wakeVehicle(tokens.accessToken, tokens.vehicleId);
|
|
res.json({ ok: true });
|
|
} catch (err) {
|
|
log.error({ err: String(err) }, 'Wake failed');
|
|
res.status(502).json({ ok: false, reason: 'wake_failed' });
|
|
}
|
|
});
|
|
|
|
router.post('/api/tesla/send-to-nav', requireOwner, async (req: Request, res: Response) => {
|
|
const ownerId = ownerIdFromRequest(req)!;
|
|
const tokens = await getAccessToken(ownerId);
|
|
if (!tokens || !tokens.vehicleId) {
|
|
res.status(401).json({ ok: false, reason: 'not_connected' });
|
|
return;
|
|
}
|
|
const { lat, lng, name } = req.body || {};
|
|
if (typeof lat !== 'number' || typeof lng !== 'number'
|
|
|| lat < -90 || lat > 90 || lng < -180 || lng > 180) {
|
|
res.status(400).json({ ok: false, reason: 'bad_coords' });
|
|
return;
|
|
}
|
|
try {
|
|
await sendNavigationRequest(tokens.accessToken, tokens.vehicleId, { lat, lng, name });
|
|
res.json({ ok: true });
|
|
} catch (err) {
|
|
log.error({ err: String(err) }, 'send-to-nav failed');
|
|
res.status(502).json({ ok: false, reason: 'fleet_api_error' });
|
|
}
|
|
});
|
|
|
|
// ─── Partner-account registration ─────────────────────────────────────────
|
|
// One-shot. Owner-gated. Does NOT echo Tesla's response body to the client.
|
|
router.post('/api/tesla/register-partner', requireOwner, async (_req, res) => {
|
|
if (!env.tesla.clientId || !env.tesla.clientSecret) {
|
|
res.status(503).json({ ok: false, reason: 'tesla_not_configured' });
|
|
return;
|
|
}
|
|
try {
|
|
const appToken = await getAppToken();
|
|
const domain = new URL(env.tesla.redirectUri).hostname;
|
|
await registerPartnerAccount(appToken, domain);
|
|
res.json({ ok: true });
|
|
} catch (err) {
|
|
log.error({ err: String(err) }, 'partner registration failed');
|
|
res.status(502).json({ ok: false, reason: 'partner_register_failed' });
|
|
}
|
|
});
|
|
|
|
export default router;
|