tony/tesla-roadtrip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity Bot
Files
381eb18cd3923e86bb1b8531109f886817d4bd24
tesla-roadtrip/server/index.ts
T
tony f793b526aa fix(security): owner auth gate, OAuth state cookie binding, 0600 token perms 
- Add OWNER_SECRET-based session: signed HMAC cookie, /api/auth/owner login,
  requireOwner middleware. All Tesla routes refuse 401 without it.
- Bind OAuth state to a SameSite=Lax httpOnly cookie at /start, validate
  match in /callback with constant-time compare. Refuses unmatched callbacks.
- Token store now mkdir 0700, writeFile + rename atomic, mode 0600 with
  defensive chmod. Owner-only on disk.
- VIN masked to last 4 in responses; partner-register no longer echoes raw
  Tesla body to clients; coord bounds checked on send-to-nav.
- Client: useTesla also tracks owner status; Connect Tesla button opens an
  OwnerLoginModal when not authenticated, then continues to Tesla OAuth.

Conscious deferrals:
- Explicit CSRF tokens on POST routes: mitigated by SameSite=Lax cookies
  + same-origin CORS. Will revisit if cross-origin clients land.
- At-rest token encryption: deferred for single-user app; tokens are on a
  0700 Dokku volume readable only by the app uid. Will add AES-GCM if we
  multi-tenant.
2026-05-31 22:32:22 +01:00

78 lines
2.8 KiB
TypeScript
Raw Blame History

import 'dotenv/config';
import express from 'express';
import cors from 'cors';
import helmet from 'helmet';
import cookieParser from 'cookie-parser';
import path from 'node:path';
import { fileURLToPath } from 'node:url';
import { existsSync } from 'node:fs';
import { env } from './config/env.js';
import { logger } from './lib/logger.js';
import chatRoutes from './routes/chat.js';
import tripsRoutes from './routes/trips.js';
import teslaRoutes from './routes/tesla.js';
import ownerRoutes from './routes/owner.js';
import { warnIfMisconfigured as warnOwnerAuth } from './lib/ownerAuth.js';
import { createOptionalAuth } from './lib/auth.js';
const app = express();
app.use(helmet({ contentSecurityPolicy: false }));
app.use(cors({ origin: env.appUrl, credentials: true }));
app.use(express.json({ limit: '2mb' }));
app.use(cookieParser());
app.use((req, _res, next) => {
if (req.url !== '/health') logger.info({ method: req.method, url: req.url }, 'request');
next();
});
app.get('/health', (_req, res) => {
res.json({ status: 'ok', service: 'tesla-roadtrip', time: new Date().toISOString() });
});
const auth = createOptionalAuth();
if (auth) {
app.use(auth.middleware());
app.use(auth.routes());
logger.info('Auth middleware mounted (AUTH_SECRET present)');
} else {
logger.info('Auth disabled — set AUTH_SECRET to enable user accounts');
}
// Owner auth + Tesla integration. Tesla routes are owner-gated except the
// public .well-known partner-key path. Owner routes handle login/logout.
warnOwnerAuth();
app.use(ownerRoutes);
app.use(teslaRoutes);
app.use('/api', chatRoutes);
app.use('/api/trips', tripsRoutes);
// ─── Static client (production only) ─────────────────────────────────────────
// In dev, Vite serves the client on :5173. In production (Dokku), the built
// client lands in client/dist via `npm run build` and we serve it from here.
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
const clientDist = path.resolve(__dirname, '../../client/dist');
if (existsSync(clientDist)) {
app.use(express.static(clientDist, { index: false, maxAge: '1h' }));
app.get(/.*/, (req, res, next) => {
// Don't shadow API or well-known paths.
if (req.path.startsWith('/api') || req.path.startsWith('/.well-known')) return next();
res.sendFile(path.join(clientDist, 'index.html'));
});
logger.info({ clientDist }, 'Serving built client');
} else {
logger.info('No client/dist found — relying on Vite dev server');
}
app.use((err: Error, _req: express.Request, res: express.Response, _next: express.NextFunction) => {
logger.error({ err }, 'Unhandled error');
res.status(500).json({ error: 'Internal server error' });
});
app.listen(env.port, () => {
logger.info(`Tesla Roadtrip server running on port ${env.port}`);
});
Reference in New Issue View Git Blame Copy Permalink