Merge remote-tracking branch 'upstream/dev' into fix-dev

merge dev
2026-03-02 00:36:38 +00:00 · 2025-12-08 08:21:19 +00:00
parent f8ab5b7af7 24cdac95cd
commit e60dce25c9
20 changed files with 1050 additions and 155 deletions
--- a/server/routers/client/createUserClient.ts
+++ b/server/routers/client/createUserClient.ts
@@ -220,6 +220,7 @@ export async function createUserClient(
                    niceId,
                    exitNodeId: randomExitNode.exitNodeId,
                    orgId,
+                    niceId,
                    name,
                    subnet: updatedSubnet,
                    type,
--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@@ -7,6 +7,8 @@ import logger from "@server/logger";
 import { validateSessionToken } from "@server/auth/sessions/app";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { sendTerminateClient } from "../client/terminate";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { sha256 } from "@oslojs/crypto/sha2";

 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
@@ -133,10 +135,14 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
            return;
        }

+        const sessionId = encodeHexLowerCase(
+            sha256(new TextEncoder().encode(userToken))
+        );
+
        const policyCheck = await checkOrgAccessPolicy({
            orgId: client.orgId,
            userId: olm.userId,
-            sessionId: userToken // this is the user token passed in the message
+            sessionId // this is the user token passed in the message
        });

        if (!policyCheck.allowed) {
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -1,17 +1,8 @@
 import {
-    Client,
    clientSiteResourcesAssociationsCache,
    db,
-    ExitNode,
-    Org,
    orgs,
-    roleClients,
-    roles,
-    siteResources,
-    Transaction,
-    userClients,
-    userOrgs,
-    users
+    siteResources
 } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import {
@@ -25,16 +16,13 @@ import {
 import { and, eq, inArray, isNull } from "drizzle-orm";
 import { addPeer, deletePeer } from "../newt/peers";
 import logger from "@server/logger";
-import { listExitNodes } from "#dynamic/lib/exitNodes";
-import {
-    generateAliasConfig,
-    getNextAvailableClientSubnet
-} from "@server/lib/ip";
+import { generateAliasConfig } from "@server/lib/ip";
 import { generateRemoteSubnets } from "@server/lib/ip";
-import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { validateSessionToken } from "@server/auth/sessions/app";
 import config from "@server/lib/config";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { sha256 } from "@oslojs/crypto/sha2";

 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    logger.info("Handling register olm message!");
@@ -48,7 +36,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        return;
    }

-    const { publicKey, relay, olmVersion, olmAgent, orgId, userToken } = message.data;
+    const { publicKey, relay, olmVersion, olmAgent, orgId, userToken } =
+        message.data;

    if (!olm.clientId) {
        logger.warn("Olm client ID not found");
@@ -94,10 +83,14 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            return;
        }

+        const sessionId = encodeHexLowerCase(
+            sha256(new TextEncoder().encode(userToken))
+        );
+
        const policyCheck = await checkOrgAccessPolicy({
            orgId: orgId,
            userId: olm.userId,
-            sessionId: userToken // this is the user token passed in the message
+            sessionId // this is the user token passed in the message
        });

        if (!policyCheck.allowed) {
@@ -117,7 +110,10 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        return;
    }

-    if ((olmVersion && olm.version !== olmVersion) || (olmAgent && olm.agent !== olmAgent)) {
+    if (
+        (olmVersion && olm.version !== olmVersion) ||
+        (olmAgent && olm.agent !== olmAgent)
+    ) {
        await db
            .update(olms)
            .set({
@@ -175,7 +171,10 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    }

    // Process each site
-    for (const { sites: site, clientSitesAssociationsCache: association } of sitesData) {
+    for (const {
+        sites: site,
+        clientSitesAssociationsCache: association
+    } of sitesData) {
        if (!site.exitNodeId) {
            logger.warn(
                `Site ${site.siteId} does not have exit node, skipping`
@@ -275,6 +274,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        // Add site configuration to the array
        siteConfigurations.push({
            siteId: site.siteId,
+            name: site.name,
            // relayEndpoint: relayEndpoint, // this can be undefined now if not relayed // lets not do this for now because it would conflict with the hole punch testing
            endpoint: site.endpoint,
            publicKey: site.publicKey,
--- a/server/routers/olm/handleOlmServerPeerAddMessage.ts
+++ b/server/routers/olm/handleOlmServerPeerAddMessage.ts
@@ -169,6 +169,7 @@ export const handleOlmServerPeerAddMessage: MessageHandler = async (
            type: "olm/wg/peer/add",
            data: {
                siteId: site.siteId,
+                name: site.name,
                endpoint: site.endpoint,
                publicKey: site.publicKey,
                serverIP: site.address,
--- a/server/routers/olm/peers.ts
+++ b/server/routers/olm/peers.ts
@@ -8,6 +8,7 @@ export async function addPeer(
    clientId: number,
    peer: {
        siteId: number;
+        name: string;
        publicKey: string;
        endpoint: string;
        relayEndpoint: string;
@@ -34,6 +35,7 @@ export async function addPeer(
        type: "olm/wg/peer/add",
        data: {
            siteId: peer.siteId,
+            name: peer.name,
            publicKey: peer.publicKey,
            endpoint: peer.endpoint,
            relayEndpoint: peer.relayEndpoint,
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -328,23 +328,27 @@ export async function updateSiteResource(
 }

 export async function handleMessagingForUpdatedSiteResource(
-    existingSiteResource: SiteResource,
+    existingSiteResource: SiteResource | undefined,
    updatedSiteResource: SiteResource,
    site: { siteId: number; orgId: string },
    trx: Transaction
 ) {
    const { mergedAllClients } =
        await rebuildClientAssociationsFromSiteResource(
-            existingSiteResource, // we want to rebuild based on the existing resource then we will apply the change to the destination below
+            existingSiteResource || updatedSiteResource, // we want to rebuild based on the existing resource then we will apply the change to the destination below
            trx
        );

    // after everything is rebuilt above we still need to update the targets and remote subnets if the destination changed
    const destinationChanged =
+        existingSiteResource &&
        existingSiteResource.destination !== updatedSiteResource.destination;
    const aliasChanged =
+        existingSiteResource &&
        existingSiteResource.alias !== updatedSiteResource.alias;

+    // if the existingSiteResource is undefined (new resource) we don't need to do anything here, the rebuild above handled it all
+
    if (destinationChanged || aliasChanged) {
        const [newt] = await trx
            .select()