feat: add workhoster gateway API

2026-04-29 15:18:14 +00:00
parent 4ea339b85a
commit a22cc1c0eb
17 changed files with 905 additions and 22 deletions
@@ -0,0 +1,189 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export class WorkHosterHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayCapabilities>(
+        'getGatewayCapabilities',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'workhosters:read');
+          return { capabilities: this.getGatewayCapabilities() };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetWorkHosterDomains>(
+        'getWorkHosterDomains',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'workhosters:read');
+          const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
+          if (!dnsManager) return { domains: [] };
+
+          const docs = await dnsManager.listDomains();
+          const domains = docs.map((domainDoc) => {
+            const domain = dnsManager.toPublicDomain(domainDoc);
+            const canManageDnsRecords = domain.source === 'dcrouter' || Boolean(domain.providerId);
+            return {
+              ...domain,
+              capabilities: {
+                canCreateSubdomains: canManageDnsRecords,
+                canManageDnsRecords,
+                canIssueCertificates: Boolean(this.opsServerRef.dcRouterRef.smartProxy),
+                canHostEmail: Boolean(this.opsServerRef.dcRouterRef.emailDomainManager),
+              },
+            } satisfies interfaces.data.IWorkHosterDomain;
+          });
+          return { domains };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncWorkAppRoute>(
+        'syncWorkAppRoute',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'workhosters:write');
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!manager) {
+            return { success: false, message: 'Route management not initialized' };
+          }
+
+          const externalKey = this.buildExternalKey(dataArg.ownership);
+          const existingRoute = manager.findApiRouteByExternalKey(externalKey);
+
+          if (dataArg.delete) {
+            if (!existingRoute) {
+              return { success: true, action: 'unchanged' };
+            }
+            const result = await manager.deleteRoute(existingRoute.id);
+            return result.success
+              ? { success: true, action: 'deleted', routeId: existingRoute.id }
+              : { success: false, message: result.message };
+          }
+
+          if (!dataArg.route) {
+            return { success: false, message: 'route is required unless delete=true' };
+          }
+
+          const metadata: interfaces.data.IRouteMetadata = {
+            ownerType: 'workhoster',
+            workHosterType: dataArg.ownership.workHosterType,
+            workHosterId: dataArg.ownership.workHosterId,
+            workAppId: dataArg.ownership.workAppId,
+            externalKey,
+          };
+          const route = this.normalizeWorkAppRoute(dataArg.route, dataArg.ownership, externalKey);
+
+          if (existingRoute) {
+            const result = await manager.updateRoute(existingRoute.id, {
+              route,
+              enabled: dataArg.enabled ?? true,
+              metadata,
+            });
+            return result.success
+              ? { success: true, action: 'updated', routeId: existingRoute.id }
+              : { success: false, message: result.message };
+          }
+
+          const routeId = await manager.createRoute(route, userId, dataArg.enabled ?? true, metadata);
+          return { success: true, action: 'created', routeId };
+        },
+      ),
+    );
+  }
+
+  private getGatewayCapabilities(): interfaces.data.IGatewayCapabilities {
+    const dcRouter = this.opsServerRef.dcRouterRef;
+    return {
+      routes: {
+        read: Boolean(dcRouter.routeConfigManager),
+        write: Boolean(dcRouter.routeConfigManager),
+        idempotentSync: Boolean(dcRouter.routeConfigManager),
+      },
+      domains: {
+        read: Boolean(dcRouter.dnsManager),
+        write: Boolean(dcRouter.dnsManager),
+      },
+      certificates: {
+        read: Boolean(dcRouter.smartProxy),
+        export: Boolean(dcRouter.smartProxy),
+        forceRenew: Boolean(dcRouter.smartProxy),
+      },
+      email: {
+        domains: Boolean(dcRouter.emailDomainManager),
+        inbound: Boolean(dcRouter.emailServer),
+        outbound: Boolean(dcRouter.emailServer),
+      },
+      remoteIngress: {
+        enabled: Boolean(dcRouter.options.remoteIngressConfig?.enabled),
+      },
+      dns: {
+        authoritative: Boolean(dcRouter.options.dnsScopes?.length),
+        providerManaged: Boolean(dcRouter.dnsManager),
+      },
+      http3: {
+        enabled: dcRouter.options.http3?.enabled !== false,
+      },
+    };
+  }
+
+  private buildExternalKey(ownership: interfaces.data.IWorkAppRouteOwnership): string {
+    return [
+      ownership.workHosterType,
+      ownership.workHosterId,
+      ownership.workAppId,
+      ownership.hostname,
+    ].map((part) => part.trim()).join(':');
+  }
+
+  private normalizeWorkAppRoute(
+    route: interfaces.data.IDcRouterRouteConfig,
+    ownership: interfaces.data.IWorkAppRouteOwnership,
+    externalKey: string,
+  ): interfaces.data.IDcRouterRouteConfig {
+    const normalizedRoute = { ...route };
+    if (!normalizedRoute.name) {
+      normalizedRoute.name = `workapp-${externalKey.replace(/[^a-zA-Z0-9-]+/g, '-').slice(0, 80)}`;
+    }
+    return normalizedRoute;
+  }
+}