diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d087038 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +luxtools-client +.vscode/ \ No newline at end of file diff --git a/README.md b/README.md index 8c14268..e65f0d1 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,81 @@ Examples: ./luxtools-client -allow "$HOME" ``` +## Install as a service + +The scripts below install (or update) the client as a service that starts automatically with the system. +They assume the client binary already exists in the same folder as the scripts. +During install/update, the scripts prompt you for the shared token (press Enter to keep the current token, if already configured). + +### Linux (systemd) + +Install / update: + +```bash +./install-linux.sh +``` + +Optional flags: + +```bash +# Change listen address (still must be loopback) +./install-linux.sh --listen 127.0.0.1:9000 + +# Restrict allowed folders (repeatable) +./install-linux.sh --allow "$HOME" --allow "/mnt/data" +``` + +Uninstall: + +```bash +./uninstall-linux.sh +``` + +Keep token/config on uninstall: + +```bash +./uninstall-linux.sh --keep-config +``` + +Notes: + +- Installs to `/opt/luxtools-client/luxtools-client` +- Creates `/etc/systemd/system/luxtools-client.service` +- Stores config (including the generated token) in `/etc/luxtools-client/luxtools-client.env` + +### Windows (Service) + +Run from an elevated (Administrator) Command Prompt. + +Install / update: + +```bat +install-windows.bat +``` + +Optional flags: + +```bat +install-windows.bat --listen 127.0.0.1:9000 +``` + +Uninstall: + +```bat +uninstall-windows.bat +``` + +Keep token/config on uninstall: + +```bat +uninstall-windows.bat --keep-config +``` + +Notes: + +- Installs to `%ProgramFiles%\LuxtoolsClient\luxtools-client.exe` +- Stores the generated token in `%ProgramData%\LuxtoolsClient\token.txt` + ## API ### Auth diff --git a/install-linux.sh b/install-linux.sh new file mode 100755 index 0000000..5906e45 --- /dev/null +++ b/install-linux.sh @@ -0,0 +1,155 @@ +#!/usr/bin/env bash +set -euo pipefail + +SERVICE_NAME="luxtools-client" +INSTALL_DIR="${HOME}/.local/share/${SERVICE_NAME}" +BIN_PATH="${INSTALL_DIR}/${SERVICE_NAME}" +CONFIG_DIR="${HOME}/.config/${SERVICE_NAME}" +ENV_FILE="${CONFIG_DIR}/${SERVICE_NAME}.env" +UNIT_DIR="${HOME}/.config/systemd/user" +UNIT_FILE="${UNIT_DIR}/${SERVICE_NAME}.service" + +DEFAULT_LISTEN="127.0.0.1:8765" + +usage() { + cat <]... + +Installs/updates ${SERVICE_NAME} as a systemd *user* service (runs under your current user). +- Re-running updates the installed binary and restarts the service. +- A stable token is stored in ${ENV_FILE} (created on first install). + +Options: + --listen host:port Listen address (default: ${DEFAULT_LISTEN}) + --allow PATH Allowed path prefix (repeatable). If none, any path is allowed. +EOF +} + +if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then + usage + exit 0 +fi + +SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)" +SRC_BIN="${SCRIPT_DIR}/${SERVICE_NAME}" +if [[ ! -f "$SRC_BIN" ]]; then + echo "Missing binary next to script: ${SRC_BIN}" >&2 + echo "Build it first (e.g. 'go build -o ${SERVICE_NAME} .') and re-run." >&2 + exit 1 +fi + +LISTEN="${DEFAULT_LISTEN}" +ALLOW_ARGS="" + +while [[ $# -gt 0 ]]; do + case "$1" in + --listen) + LISTEN="${2:-}" + shift 2 + ;; + --allow) + p="${2:-}" + if [[ -n "$p" ]]; then + # Note: this is inserted into a shell command in the systemd unit; we escape quotes. + p_escaped=${p//\"/\\\"} + ALLOW_ARGS+=" -allow \"${p_escaped}\"" + fi + shift 2 + ;; + *) + echo "Unknown arg: $1" >&2 + usage + exit 2 + ;; + esac +done + +mkdir -p "$INSTALL_DIR" "$CONFIG_DIR" "$UNIT_DIR" + +# Copy a fresh binary into a temp location, then atomically replace. +TMP_BIN="$(mktemp -p /tmp ${SERVICE_NAME}.XXXXXX)" +trap 'rm -f "$TMP_BIN"' EXIT + +cp "$SRC_BIN" "$TMP_BIN" +chmod 0755 "$TMP_BIN" || true + +if [[ -f "$ENV_FILE" ]]; then + # Preserve existing config (especially TOKEN). + # shellcheck disable=SC1090 + source "$ENV_FILE" || true +fi + +CURRENT_TOKEN="${TOKEN:-}" +SUGGESTED_TOKEN="" +if [[ -z "${CURRENT_TOKEN}" ]]; then + if command -v openssl >/dev/null 2>&1; then + SUGGESTED_TOKEN="$(openssl rand -base64 32 | tr '+/' '-_' | tr -d '=\n\r')" + else + SUGGESTED_TOKEN="$(head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n\r')" + fi +fi + +echo +if [[ -n "${CURRENT_TOKEN}" ]]; then + echo "A token is already configured. Press Enter to keep it, or paste a new one." +else + echo "No token configured yet. Press Enter to use a generated token, or paste your own." +fi +read -r -s -p "Token: " TOKEN_INPUT +echo + +if [[ -n "${TOKEN_INPUT}" ]]; then + TOKEN="${TOKEN_INPUT}" +elif [[ -n "${CURRENT_TOKEN}" ]]; then + TOKEN="${CURRENT_TOKEN}" +else + TOKEN="${SUGGESTED_TOKEN}" +fi + +cat >"$ENV_FILE" <"$UNIT_FILE" <<'EOF' +[Unit] +Description=luxtools-client (local folder opener helper) + +[Service] +Type=simple +EnvironmentFile=%h/.config/luxtools-client/luxtools-client.env +ExecStart=/bin/sh -lc '%h/.local/share/luxtools-client/luxtools-client -listen "$LISTEN" -token "$TOKEN" $ALLOW_ARGS' +Restart=on-failure +RestartSec=1 + +NoNewPrivileges=true +PrivateTmp=true + +[Install] +WantedBy=default.target +EOF + +systemctl --user daemon-reload +systemctl --user enable "$SERVICE_NAME" >/dev/null +systemctl --user restart "$SERVICE_NAME" + +echo +echo "Installed/updated ${SERVICE_NAME}." +echo "- Binary: ${BIN_PATH}" +echo "- Unit: ${UNIT_FILE}" +echo "- Config: ${ENV_FILE}" +echo "Token (set this in the plugin config): ${TOKEN}" + +echo +echo "View logs with: journalctl --user -u ${SERVICE_NAME} -f" +echo "If you want it to start at boot without logging in, enable lingering:" +echo " loginctl enable-linger $(whoami)" diff --git a/install-windows.bat b/install-windows.bat new file mode 100644 index 0000000..3974772 --- /dev/null +++ b/install-windows.bat @@ -0,0 +1,112 @@ +@echo off +setlocal EnableExtensions EnableDelayedExpansion + +set "SERVICE_NAME=LuxtoolsClient" +set "DISPLAY_NAME=luxtools-client" +set "INSTALL_DIR=%ProgramFiles%\LuxtoolsClient" +set "BIN_PATH=%INSTALL_DIR%\luxtools-client.exe" +set "DATA_DIR=%ProgramData%\LuxtoolsClient" +set "TOKEN_FILE=%DATA_DIR%\token.txt" +set "LISTEN=127.0.0.1:8765" +set "SCRIPT_DIR=%~dp0" +set "SRC_EXE=%SCRIPT_DIR%luxtools-client.exe" + +rem Optional args: +rem --listen host:port + +if /I "%~1"=="-h" goto :usage +if /I "%~1"=="--help" goto :usage + +:parse +if "%~1"=="" goto :main +if /I "%~1"=="--listen" ( + set "LISTEN=%~2" + shift + shift + goto :parse +) +echo Unknown arg: %~1 +goto :usage + +:usage +echo Usage: %~nx0 [--listen host:port] +echo. +echo Installs/updates %DISPLAY_NAME% as a Windows Service (auto-start). +echo Re-running updates the installed binary and restarts the service. +echo The token is stored in %TOKEN_FILE%. +exit /b 2 + +:main +rem Require admin +net session >nul 2>&1 +if not "%ERRORLEVEL%"=="0" ( + echo This script must be run as Administrator. + exit /b 1 +) + +if not exist "%INSTALL_DIR%" mkdir "%INSTALL_DIR%" >nul 2>&1 +if not exist "%DATA_DIR%" mkdir "%DATA_DIR%" >nul 2>&1 + +if not exist "%SRC_EXE%" ( + echo Missing binary next to script: %SRC_EXE% + echo Build it first ^(e.g. "go build -o luxtools-client.exe ."^) and re-run. + exit /b 1 +) + +set "CURRENT_TOKEN=" +if exist "%TOKEN_FILE%" ( + set /p CURRENT_TOKEN=<"%TOKEN_FILE%" +) + +set "SUGGESTED_TOKEN=" +if "%CURRENT_TOKEN%"=="" ( + rem Generate a URL-safe-ish token; PowerShell is available on modern Windows. + for /f "usebackq delims=" %%T in (`powershell -NoProfile -Command "$b=[byte[]]::new(32);[Security.Cryptography.RandomNumberGenerator]::Fill($b);[Convert]::ToBase64String($b).TrimEnd('=') -replace '\+','-' -replace '/','_'"`) do ( + set "SUGGESTED_TOKEN=%%T" + ) +) + +echo. +if not "%CURRENT_TOKEN%"=="" ( + echo A token is already configured. Press Enter to keep it, or type a new one. +) else ( + echo No token configured yet. Press Enter to use a generated token, or type your own. +) +set /p TOKEN_INPUT=Token: + +if not "%TOKEN_INPUT%"=="" ( + set "TOKEN=%TOKEN_INPUT%" +) else ( + if not "%CURRENT_TOKEN%"=="" ( + set "TOKEN=%CURRENT_TOKEN%" + ) else ( + set "TOKEN=%SUGGESTED_TOKEN%" + ) +) + +>"%TOKEN_FILE%" (echo %TOKEN%) + +copy /Y "%SRC_EXE%" "%BIN_PATH%" >nul +if not "%ERRORLEVEL%"=="0" exit /b 1 + +set "BINPATH=\"%BIN_PATH%\" -listen %LISTEN% -token %TOKEN%" + +sc.exe query "%SERVICE_NAME%" >nul 2>&1 +if "%ERRORLEVEL%"=="0" ( + echo Updating existing service... + sc.exe stop "%SERVICE_NAME%" >nul 2>&1 + sc.exe config "%SERVICE_NAME%" start= auto binPath= "%BINPATH%" DisplayName= "%DISPLAY_NAME%" >nul +) else ( + echo Creating service... + sc.exe create "%SERVICE_NAME%" start= auto binPath= "%BINPATH%" DisplayName= "%DISPLAY_NAME%" >nul +) + +sc.exe start "%SERVICE_NAME%" >nul 2>&1 + +echo. +echo Installed/updated %DISPLAY_NAME%. +echo - Binary: %BIN_PATH% +echo - Token: %TOKEN% +echo - Listen: %LISTEN% +endlocal +exit /b 0 diff --git a/main.go b/main.go index 8c44122..4e57e01 100644 --- a/main.go +++ b/main.go @@ -69,7 +69,10 @@ func main() { mux.HandleFunc("/open", func(w http.ResponseWriter, r *http.Request) { withCORS(w, r) + start := time.Now() + var rawPath string if r.Method == http.MethodOptions { + log.Printf("/open preflight remote=%s origin=%q", r.RemoteAddr, r.Header.Get("Origin")) w.WriteHeader(http.StatusNoContent) return } @@ -82,18 +85,24 @@ func main() { dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 32*1024)) dec.DisallowUnknownFields() if err := dec.Decode(&req); err != nil { + log.Printf("/open bad-json remote=%s method=%s err=%v dur=%s", r.RemoteAddr, r.Method, err, time.Since(start)) writeJSON(w, http.StatusBadRequest, openResponse{OK: false, Message: "invalid json"}) return } default: + log.Printf("/open method-not-allowed remote=%s method=%s dur=%s", r.RemoteAddr, r.Method, time.Since(start)) writeJSON(w, http.StatusMethodNotAllowed, openResponse{OK: false, Message: "GET or POST required"}) return } + rawPath = req.Path + log.Printf("/open request remote=%s method=%s ua=%q path=%q", r.RemoteAddr, r.Method, r.UserAgent(), rawPath) + if !checkToken(r, *token) { // Allow token to be supplied via query string for GET fallback. qt := strings.TrimSpace(r.URL.Query().Get("token")) if qt == "" || !subtleStringEqual(qt, strings.TrimSpace(*token)) { + log.Printf("/open unauthorized remote=%s method=%s path=%q headerToken=%t queryToken=%t dur=%s", r.RemoteAddr, r.Method, rawPath, strings.TrimSpace(r.Header.Get("X-Filetools-Token")) != "", qt != "", time.Since(start)) writeJSON(w, http.StatusUnauthorized, openResponse{OK: false, Message: "unauthorized"}) return } @@ -101,19 +110,23 @@ func main() { target, err := normalizePath(req.Path) if err != nil { + log.Printf("/open bad-path remote=%s method=%s path=%q err=%v dur=%s", r.RemoteAddr, r.Method, rawPath, err, time.Since(start)) writeJSON(w, http.StatusBadRequest, openResponse{OK: false, Message: err.Error()}) return } if len(allowed) > 0 && !isAllowed(target, allowed) { + log.Printf("/open forbidden remote=%s method=%s path=%q normalized=%q dur=%s", r.RemoteAddr, r.Method, rawPath, target, time.Since(start)) writeJSON(w, http.StatusForbidden, openResponse{OK: false, Message: "path not allowed"}) return } if err := openFolder(target); err != nil { + log.Printf("/open open-failed remote=%s method=%s path=%q normalized=%q err=%v dur=%s", r.RemoteAddr, r.Method, rawPath, target, err, time.Since(start)) writeJSON(w, http.StatusInternalServerError, openResponse{OK: false, Message: err.Error()}) return } + log.Printf("/open opened remote=%s method=%s path=%q normalized=%q dur=%s", r.RemoteAddr, r.Method, rawPath, target, time.Since(start)) if r.Method == http.MethodGet { // For GET callers (image-ping), a 204 avoids console noise from non-image responses. diff --git a/uninstall-linux.sh b/uninstall-linux.sh new file mode 100755 index 0000000..f42c647 --- /dev/null +++ b/uninstall-linux.sh @@ -0,0 +1,61 @@ +#!/usr/bin/env bash +set -euo pipefail + +SERVICE_NAME="luxtools-client" +INSTALL_DIR="${HOME}/.local/share/${SERVICE_NAME}" +CONFIG_DIR="${HOME}/.config/${SERVICE_NAME}" +UNIT_FILE="${HOME}/.config/systemd/user/${SERVICE_NAME}.service" + +usage() { + cat </dev/null 2>&1 || true +systemctl --user disable "$SERVICE_NAME" >/dev/null 2>&1 || true +systemctl --user reset-failed "$SERVICE_NAME" >/dev/null 2>&1 || true + +# Also stop/disable any leftover system-wide service from older installs. +if systemctl list-unit-files 2>/dev/null | grep -q "^${SERVICE_NAME}\.service"; then + if [[ ${EUID} -eq 0 ]]; then + systemctl stop "$SERVICE_NAME" >/dev/null 2>&1 || true + systemctl disable "$SERVICE_NAME" >/dev/null 2>&1 || true + systemctl reset-failed "$SERVICE_NAME" >/dev/null 2>&1 || true + elif command -v sudo >/dev/null 2>&1; then + sudo systemctl stop "$SERVICE_NAME" >/dev/null 2>&1 || true + sudo systemctl disable "$SERVICE_NAME" >/dev/null 2>&1 || true + sudo systemctl reset-failed "$SERVICE_NAME" >/dev/null 2>&1 || true + else + echo "Note: a system service '${SERVICE_NAME}.service' exists; run with sudo to stop it." >&2 + fi +fi + +rm -f "$UNIT_FILE" +systemctl --user daemon-reload || true + +rm -rf "$INSTALL_DIR" + +if [[ $KEEP_CONFIG -eq 0 ]]; then + rm -rf "$CONFIG_DIR" +fi + +echo "Uninstalled ${SERVICE_NAME}." +if [[ $KEEP_CONFIG -eq 1 ]]; then + echo "Kept config directory: ${CONFIG_DIR}" +fi diff --git a/uninstall-windows.bat b/uninstall-windows.bat new file mode 100644 index 0000000..04f2c83 --- /dev/null +++ b/uninstall-windows.bat @@ -0,0 +1,55 @@ +@echo off +setlocal EnableExtensions + +set "SERVICE_NAME=LuxtoolsClient" +set "INSTALL_DIR=%ProgramFiles%\LuxtoolsClient" +set "DATA_DIR=%ProgramData%\LuxtoolsClient" + +rem Optional args: +rem --keep-config + +set "KEEP_CONFIG=0" +if /I "%~1"=="-h" goto :usage +if /I "%~1"=="--help" goto :usage +if /I "%~1"=="--keep-config" set "KEEP_CONFIG=1" + +goto :main + +:usage +echo Usage: %~nx0 [--keep-config] +echo. +echo Uninstalls luxtools-client Windows Service and removes installed files. +echo. +echo Options: +echo --keep-config Keeps %DATA_DIR% (token/config). +exit /b 2 + +:main +net session >nul 2>&1 +if not "%ERRORLEVEL%"=="0" ( + echo This script must be run as Administrator. + exit /b 1 +) + +sc.exe query "%SERVICE_NAME%" >nul 2>&1 +if "%ERRORLEVEL%"=="0" ( + sc.exe stop "%SERVICE_NAME%" >nul 2>&1 + rem Wait up to ~20s for the service to fully stop. + for /L %%i in (1,1,20) do ( + sc.exe query "%SERVICE_NAME%" | findstr /I "STATE" | findstr /I "STOPPED" >nul 2>&1 + if "%ERRORLEVEL%"=="0" goto :stopped + timeout /T 1 /NOBREAK >nul + ) +:stopped + sc.exe delete "%SERVICE_NAME%" >nul 2>&1 +) + +if exist "%INSTALL_DIR%" rmdir /S /Q "%INSTALL_DIR%" >nul 2>&1 +if "%KEEP_CONFIG%"=="0" ( + if exist "%DATA_DIR%" rmdir /S /Q "%DATA_DIR%" >nul 2>&1 +) + +echo Uninstalled luxtools-client. +if "%KEEP_CONFIG%"=="1" echo Kept config directory: %DATA_DIR% +endlocal +exit /b 0