Merge branch 'dev' into feat/device-approvals

server/private/routers/hybrid.ts

@@ -36,8 +36,11 @@ import {
     LoginPage,
     resourceHeaderAuth,
     ResourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility,
+    ResourceHeaderAuthExtendedCompatibility,
     orgs,
-    requestAuditLog
+    requestAuditLog,
+    Org
 } from "@server/db";
 import {
     resources,
@@ -76,6 +79,8 @@ import { checkExitNodeOrg, resolveExitNodes } from "#private/lib/exitNodes";
 import { maxmindLookup } from "@server/db/maxmind";
 import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
 import semver from "semver";
+import { maxmindAsnLookup } from "@server/db/maxmindAsn";
+import { checkOrgAccessPolicy } from "@server/lib/checkOrgAccessPolicy";
 
 // Zod schemas for request validation
 const getResourceByDomainParamsSchema = z.strictObject({
@@ -91,6 +96,12 @@ const getUserOrgRoleParamsSchema = z.strictObject({
     orgId: z.string().min(1, "Organization ID is required")
 });
 
+const getUserOrgSessionVerifySchema = z.strictObject({
+    userId: z.string().min(1, "User ID is required"),
+    orgId: z.string().min(1, "Organization ID is required"),
+    sessionId: z.string().min(1, "Session ID is required")
+});
+
 const getRoleResourceAccessParamsSchema = z.strictObject({
     roleId: z
         .string()
@@ -174,6 +185,8 @@ export type ResourceWithAuth = {
     pincode: ResourcePincode | null;
     password: ResourcePassword | null;
     headerAuth: ResourceHeaderAuth | null;
+    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
+    org: Org
 };
 
 export type UserSessionWithUser = {
@@ -234,7 +247,8 @@ hybridRouter.get(
                 ["newt", "local", "wireguard"], // Allow them to use all the site types
                 true, // But don't allow domain namespace resources
                 false, // Dont include login pages,
-                true // allow raw resources
+                true, // allow raw resources
+                false // dont generate maintenance page
             );
 
             return response(res, {
@@ -497,6 +511,14 @@ hybridRouter.get(
                     resourceHeaderAuth,
                     eq(resourceHeaderAuth.resourceId, resources.resourceId)
                 )
+                .leftJoin(
+                    resourceHeaderAuthExtendedCompatibility,
+                    eq(
+                        resourceHeaderAuthExtendedCompatibility.resourceId,
+                        resources.resourceId
+                    )
+                )
+                .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
                 .where(eq(resources.fullDomain, domain))
                 .limit(1);
 
@@ -529,7 +551,10 @@ hybridRouter.get(
                 resource: result.resources,
                 pincode: result.resourcePincode,
                 password: result.resourcePassword,
-                headerAuth: result.resourceHeaderAuth
+                headerAuth: result.resourceHeaderAuth,
+                headerAuthExtendedCompatibility:
+                    result.resourceHeaderAuthExtendedCompatibility,
+                org: result.orgs
             };
 
             return response<ResourceWithAuth>(res, {
@@ -593,6 +618,16 @@ hybridRouter.get(
                 )
                 .limit(1);
 
+            if (!result) {
+                return response<LoginPage | null>(res, {
+                    data: null,
+                    success: true,
+                    error: false,
+                    message: "Login page not found",
+                    status: HttpCode.OK
+                });
+            }
+
             if (
                 await checkExitNodeOrg(
                     remoteExitNode.exitNodeId,
@@ -608,16 +643,6 @@ hybridRouter.get(
                 );
             }
 
-            if (!result) {
-                return response<LoginPage | null>(res, {
-                    data: null,
-                    success: true,
-                    error: false,
-                    message: "Login page not found",
-                    status: HttpCode.OK
-                });
-            }
-
             return response<LoginPage>(res, {
                 data: result.loginPage,
                 success: true,
@@ -809,6 +834,69 @@ hybridRouter.get(
     }
 );
 
+// Get user organization role
+hybridRouter.get(
+    "/user/:userId/org/:orgId/session/:sessionId/verify",
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = getUserOrgSessionVerifySchema.safeParse(
+                req.params
+            );
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { userId, orgId, sessionId } = parsedParams.data;
+            const remoteExitNode = req.remoteExitNode;
+
+            if (!remoteExitNode || !remoteExitNode.exitNodeId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Remote exit node not found"
+                    )
+                );
+            }
+
+            if (await checkExitNodeOrg(remoteExitNode.exitNodeId, orgId)) {
+                return next(
+                    createHttpError(
+                        HttpCode.UNAUTHORIZED,
+                        "User is not authorized to access this organization"
+                    )
+                );
+            }
+
+            const accessPolicy = await checkOrgAccessPolicy({
+                orgId,
+                userId,
+                sessionId
+            });
+
+            return response(res, {
+                data: accessPolicy,
+                success: true,
+                error: false,
+                message: "User org access policy retrieved successfully",
+                status: HttpCode.OK
+            });
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to get user org role"
+                )
+            );
+        }
+    }
+);
+
 // Check if role has access to resource
 hybridRouter.get(
     "/role/:roleId/resource/:resourceId/access",
@@ -1238,6 +1326,70 @@ hybridRouter.get(
     }
 );
 
+const asnIpLookupParamsSchema = z.object({
+    ip: z.union([z.ipv4(), z.ipv6()])
+});
+hybridRouter.get(
+    "/asnip/:ip",
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = asnIpLookupParamsSchema.safeParse(req.params);
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { ip } = parsedParams.data;
+
+            if (!maxmindAsnLookup) {
+                return next(
+                    createHttpError(
+                        HttpCode.SERVICE_UNAVAILABLE,
+                        "ASNIP service is not available"
+                    )
+                );
+            }
+
+            const result = maxmindAsnLookup.get(ip);
+
+            if (!result || !result.autonomous_system_number) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        "ASNIP information not found"
+                    )
+                );
+            }
+
+            const { autonomous_system_number } = result;
+
+            logger.debug(
+                `ASNIP lookup successful for IP ${ip}: ${autonomous_system_number}`
+            );
+
+            return response(res, {
+                data: { asn: autonomous_system_number },
+                success: true,
+                error: false,
+                message: "GeoIP lookup successful",
+                status: HttpCode.OK
+            });
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to validate resource session token"
+                )
+            );
+        }
+    }
+);
+
 // GERBIL ROUTERS
 const getConfigSchema = z.object({
     publicKey: z.string(),

server/private/routers/internal.ts

@@ -16,6 +16,7 @@ import * as auth from "#private/routers/auth";
 import * as orgIdp from "#private/routers/orgIdp";
 import * as billing from "#private/routers/billing";
 import * as license from "#private/routers/license";
+import * as resource from "#private/routers/resource";
 
 import { verifySessionUserMiddleware } from "@server/middlewares";
 
@@ -37,3 +38,5 @@ internalRouter.post(
 );
 
 internalRouter.get(`/license/status`, license.getLicenseStatus);
+
+internalRouter.get("/maintenance/info", resource.getMaintenanceInfo);

server/private/routers/loginPage/loadLoginPage.ts

@@ -40,6 +40,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
                 eq(loginPage.loginPageId, loginPageOrg.loginPageId)
             )
             .limit(1);
+
+        if (!res) {
+            return null;
+        }
+
         return {
             ...res.loginPage,
             orgId: res.loginPageOrg.orgId
@@ -65,6 +70,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
             )
         )
         .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
     return {
         ...res,
         orgId: orgLink.orgId

server/private/routers/loginPage/loadLoginPageBranding.ts

@@ -48,6 +48,11 @@ async function query(orgId: string) {
             )
         )
         .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
     return {
         ...res,
         orgId: orgLink.orgs.orgId,

server/private/routers/resource/getMaintenanceInfo.ts

@@ -0,0 +1,113 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { resources } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { fromError } from "zod-validation-error";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import { GetMaintenanceInfoResponse } from "@server/routers/resource/types";
+
+const getMaintenanceInfoSchema = z
+    .object({
+        fullDomain: z.string().min(1, "Domain is required")
+    })
+    .strict();
+
+async function query(fullDomain: string) {
+    const [res] = await db
+        .select({
+            resourceId: resources.resourceId,
+            name: resources.name,
+            fullDomain: resources.fullDomain,
+            maintenanceModeEnabled: resources.maintenanceModeEnabled,
+            maintenanceModeType: resources.maintenanceModeType,
+            maintenanceTitle: resources.maintenanceTitle,
+            maintenanceMessage: resources.maintenanceMessage,
+            maintenanceEstimatedTime: resources.maintenanceEstimatedTime
+        })
+        .from(resources)
+        .where(eq(resources.fullDomain, fullDomain))
+        .limit(1);
+    return res;
+}
+
+registry.registerPath({
+    method: "get",
+    path: "/maintenance/info",
+    description: "Get maintenance information for a resource by domain.",
+    tags: [OpenAPITags.Resource],
+    request: {
+        query: z.object({
+            fullDomain: z.string()
+        })
+    },
+    responses: {
+        200: {
+            description: "Maintenance information retrieved successfully"
+        },
+        404: {
+            description: "Resource not found"
+        }
+    }
+});
+
+export async function getMaintenanceInfo(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedQuery = getMaintenanceInfoSchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+
+        const { fullDomain } = parsedQuery.data;
+
+        const maintenanceInfo = await query(fullDomain);
+
+        if (!maintenanceInfo) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Resource not found")
+            );
+        }
+
+        return response<GetMaintenanceInfoResponse>(res, {
+            data: maintenanceInfo,
+            success: true,
+            error: false,
+            message: "Maintenance information retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "An error occurred while retrieving maintenance information"
+            )
+        );
+    }
+}

server/private/routers/resource/index.ts

@@ -0,0 +1,14 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./getMaintenanceInfo";