feat(oauth): generische OAuth2-Pipeline ueber RVS-Callback (Spotify/Google/GitHub/Strava/MS)
Bisher musste Stefan bei OAuth-Flows manuell den Auth-Code aus der Browser-URL kopieren (redirect_uri war localhost). Jetzt: RVS hat einen HTTP-Listener auf demselben Port wie der WebSocket, Provider redirecten nach Auth zu https://{RVS_HOST}/oauth/callback/{service}, RVS broadcastet, aria-bridge forwarded, Brain matched state + tauscht code gegen Token. Token-Refresh laeuft automatisch. - rvs/server.js: hybrid http.createServer + WebSocketServer{noServer}. Route GET /oauth/callback/{service}, broadcast oauth_callback an alle Raeume, schoene Dark-Mode-HTML-Antwort an den Browser (Auto-Close 4s). - bridge/aria_bridge.py: empfaengt oauth_callback, POSTet an Brain /internal/oauth-callback. - aria-brain/oauth.py: neuer Manager. Pending-Store mit state+TTL, Token-Exchange (Basic-Auth oder Body je nach Provider), persistente Speicherung in /shared/config/oauth_tokens.json (mode 0600), Token-Refresh wenn <60s Restzeit. Vordefinierte Configs fuer Spotify, Google, GitHub, Strava, Microsoft. - aria-brain/agent.py: META-Tools oauth_authorize / oauth_get_token / oauth_revoke. - aria-brain/prompts.py: System-Prompt-Block zeigt ARIA die feste Callback-URL als Quelle der Wahrheit + aktuelle Service-States. - aria-brain/main.py: HTTP-Endpoints /oauth/services, /oauth/apps, /oauth/authorize, /oauth/{service}/revoke, /internal/oauth-callback. - diagnostic: neue Section "OAuth-Apps". Pro Service Karte mit Status, client_id + client_secret (Passwort-Toggle), Speichern + Autorisieren- Buttons. Authorize oeffnet Provider-Auth in neuem Tab. - docker-compose.yml: brain-env um RVS_HOST + RVS_PORT_PUBLIC + RVS_TLS ergaenzt (Brain braucht die Werte zum Bau der Callback-URL). - .env.example: RVS_PORT_PUBLIC + Brain-Timeout-Vars (PROXY_TIMEOUT_SEC + Connect/Write/Pool) dokumentiert. - README.md: OAuth-Pipeline + ARIA-Live-Mirror in Diagnostic-Section, OAuth-Apps in Einstellungen-Tab erwaehnt. - issue.md: OAuth-Pipeline + Brain-Timeout-Fix als erledigt dokumentiert. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
+128
-5
@@ -1,6 +1,7 @@
|
||||
"use strict";
|
||||
|
||||
const { WebSocketServer } = require("ws");
|
||||
const http = require("http");
|
||||
const fs = require("fs");
|
||||
const path = require("path");
|
||||
|
||||
@@ -41,6 +42,7 @@ const ALLOWED_TYPES = new Set([
|
||||
"config_request",
|
||||
"flux_request", "flux_response",
|
||||
"agent_stream",
|
||||
"oauth_callback",
|
||||
]);
|
||||
|
||||
// Token-Raum: token -> { clients: Set<ws> }
|
||||
@@ -71,8 +73,17 @@ function cleanupRooms() {
|
||||
}
|
||||
}
|
||||
|
||||
// ── WebSocket-Server starten ────────────────────────────────────────
|
||||
|
||||
// ── HTTP + WebSocket Server (hybrid) ────────────────────────────────
|
||||
//
|
||||
// Der gleiche Port handelt jetzt sowohl WebSocket-Upgrades (App, Bridges,
|
||||
// Diagnostic) als auch normale HTTP-Requests (OAuth-Callbacks von Spotify,
|
||||
// Google etc.). TLS-Termination passiert wie bisher vor dem RVS-Container
|
||||
// (Caddy/Nginx); RVS selber bleibt plain HTTP. Wichtig fuer OAuth: aus
|
||||
// Provider-Sicht ist die Callback-URL `https://{RVS_HOST}:{PORT_oeffentlich}
|
||||
// /oauth/callback/{service}` — RVS schnappt den ?code=..&state=.., broadcastet
|
||||
// als WS-Message `oauth_callback` und antwortet dem Browser mit einer
|
||||
// schoenen "Tab schliessen"-Seite.
|
||||
//
|
||||
// maxPayload 100MB: TTS-Streaming + Voice-Upload (WAV als base64) +
|
||||
// audio_pcm Chunks koennen die ws-Library Default 1MB ueberschreiten.
|
||||
// Plus: file_request/file_response fuer Re-Download von Anhaengen.
|
||||
@@ -80,15 +91,127 @@ function cleanupRooms() {
|
||||
// (Code 1009 message too big, Bridge crashed im cleanup). 100 MB
|
||||
// deckt bis ~70 MB binaer ab; groessere Files werden Bridge-seitig
|
||||
// abgewiesen (siehe file_request-Handler) bevor die WS abreisst.
|
||||
const wss = new WebSocketServer({ port: PORT, maxPayload: 100 * 1024 * 1024 });
|
||||
const httpServer = http.createServer(handleHttpRequest);
|
||||
const wss = new WebSocketServer({ noServer: true, maxPayload: 100 * 1024 * 1024 });
|
||||
|
||||
wss.on("listening", () => {
|
||||
log(`RVS läuft auf Port ${PORT} | Max Sessions: ${MAX_SESSIONS}`);
|
||||
// HTTP-Upgrade-Pfad → an WebSocket-Server reichen
|
||||
httpServer.on("upgrade", (req, socket, head) => {
|
||||
wss.handleUpgrade(req, socket, head, (ws) => {
|
||||
wss.emit("connection", ws, req);
|
||||
});
|
||||
});
|
||||
|
||||
httpServer.listen(PORT, () => {
|
||||
log(`RVS läuft auf Port ${PORT} (HTTP + WS) | Max Sessions: ${MAX_SESSIONS}`);
|
||||
// Beim Start pruefen ob eine APK da ist
|
||||
const apkInfo = getLatestAPK();
|
||||
if (apkInfo) log(`APK bereit: v${apkInfo.version} (${(fs.statSync(apkInfo.path).size / 1024 / 1024).toFixed(1)}MB)`);
|
||||
});
|
||||
|
||||
// ── HTTP Route-Handler ──────────────────────────────────────────────
|
||||
|
||||
function handleHttpRequest(req, res) {
|
||||
try {
|
||||
const url = new URL(req.url, `http://${req.headers.host || "localhost"}`);
|
||||
const pathname = url.pathname;
|
||||
|
||||
// OAuth-Callback: GET /oauth/callback/{service}?code=...&state=...&error=...
|
||||
// Pattern fuer Spotify, Google, Strava, GitHub, ... — alle OAuth2 Auth-Code-Flow.
|
||||
// Wir broadcasten an alle Raeume (App ist nicht im selben Raum wie Bridge,
|
||||
// aber Bridge schon — sie picks-up und forwardet ans Brain).
|
||||
const oauthMatch = pathname.match(/^\/oauth\/callback\/([a-zA-Z0-9_-]+)\/?$/);
|
||||
if (req.method === "GET" && oauthMatch) {
|
||||
const service = oauthMatch[1];
|
||||
const code = url.searchParams.get("code") || "";
|
||||
const state = url.searchParams.get("state") || "";
|
||||
const err = url.searchParams.get("error") || "";
|
||||
const errDesc = url.searchParams.get("error_description") || "";
|
||||
|
||||
log(`OAuth-Callback: service=${service} code=${code.slice(0, 8)}... state=${state.slice(0, 8)}... err=${err}`);
|
||||
|
||||
const payload = { service, code, state };
|
||||
if (err) {
|
||||
payload.error = err;
|
||||
if (errDesc) payload.errorDescription = errDesc;
|
||||
}
|
||||
|
||||
// An alle Clients in allen Raeumen broadcasten — Bridge picks-up.
|
||||
const msg = JSON.stringify({
|
||||
type: "oauth_callback",
|
||||
payload,
|
||||
timestamp: Date.now(),
|
||||
});
|
||||
let receivers = 0;
|
||||
for (const [, room] of rooms) {
|
||||
for (const client of room.clients) {
|
||||
if (client.readyState === 1) {
|
||||
try { client.send(msg); receivers++; } catch (_) {}
|
||||
}
|
||||
}
|
||||
}
|
||||
log(`OAuth-Callback gebroadcastet an ${receivers} Client(s)`);
|
||||
|
||||
// Browser-Antwort: schoene HTML-Seite (auch bei Error)
|
||||
const ok = !err;
|
||||
const title = ok ? "OAuth erfolgreich" : "OAuth fehlgeschlagen";
|
||||
const bodyColor = ok ? "#34C759" : "#FF3B30";
|
||||
const icon = ok ? "✅" : "❌";
|
||||
const subtitle = ok
|
||||
? "Du kannst dieses Tab schliessen — ARIA hat den Zugang erhalten."
|
||||
: `Fehler: ${escapeHtml(err)} ${errDesc ? "— " + escapeHtml(errDesc) : ""}`;
|
||||
const html = `<!doctype html>
|
||||
<html lang="de"><head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="viewport" content="width=device-width,initial-scale=1">
|
||||
<title>${title} — ${escapeHtml(service)}</title>
|
||||
<style>
|
||||
html,body{margin:0;padding:0;height:100%;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#0D0D1A;color:#E0E0F0;}
|
||||
body{display:flex;align-items:center;justify-content:center;}
|
||||
.card{background:#1E1E2E;border:1px solid #2A2A3E;border-radius:12px;padding:32px;max-width:420px;text-align:center;box-shadow:0 4px 24px rgba(0,0,0,0.4);}
|
||||
.icon{font-size:64px;line-height:1;margin-bottom:16px;}
|
||||
.title{font-size:20px;font-weight:600;color:${bodyColor};margin-bottom:8px;}
|
||||
.service{font-size:13px;color:#8888AA;margin-bottom:20px;text-transform:uppercase;letter-spacing:0.1em;}
|
||||
.sub{font-size:14px;color:#C0C0D0;line-height:1.5;}
|
||||
.hint{font-size:11px;color:#666680;margin-top:24px;}
|
||||
</style></head><body>
|
||||
<div class="card">
|
||||
<div class="icon">${icon}</div>
|
||||
<div class="title">${title}</div>
|
||||
<div class="service">${escapeHtml(service)}</div>
|
||||
<div class="sub">${subtitle}</div>
|
||||
<div class="hint">Du kannst zur ARIA-App zurueckkehren.</div>
|
||||
</div>
|
||||
<script>setTimeout(()=>{try{window.close();}catch(e){}}, 4000);</script>
|
||||
</body></html>`;
|
||||
res.writeHead(ok ? 200 : 400, {
|
||||
"Content-Type": "text/html; charset=utf-8",
|
||||
"Cache-Control": "no-store",
|
||||
});
|
||||
res.end(html);
|
||||
return;
|
||||
}
|
||||
|
||||
// Health-Endpoint
|
||||
if (req.method === "GET" && pathname === "/health") {
|
||||
res.writeHead(200, { "Content-Type": "application/json" });
|
||||
res.end(JSON.stringify({ ok: true, rooms: rooms.size }));
|
||||
return;
|
||||
}
|
||||
|
||||
// Default: 404
|
||||
res.writeHead(404, { "Content-Type": "text/plain" });
|
||||
res.end("Not Found\n");
|
||||
} catch (e) {
|
||||
log(`HTTP handler error: ${e.message}`);
|
||||
try { res.writeHead(500).end("Internal Server Error"); } catch (_) {}
|
||||
}
|
||||
}
|
||||
|
||||
function escapeHtml(s) {
|
||||
return String(s || "").replace(/[&<>"']/g, (c) =>
|
||||
({ "&": "&", "<": "<", ">": ">", '"': """, "'": "'" }[c]));
|
||||
}
|
||||
|
||||
wss.on("connection", (ws, req) => {
|
||||
// Token aus URL-Query lesen: ws://host:port/?token=abc123
|
||||
const url = new URL(req.url, `http://${req.headers.host}`);
|
||||
|
||||
Reference in New Issue
Block a user