Add Python agent, WebSocket relay, real viewer, enrollment tokens

- WebSocket relay service (FastAPI) bridges agents and viewers - Python agent with screen capture (mss), input control (pynput), script execution, and auto-reconnect - Windows service wrapper, PyInstaller spec, NSIS installer for silent mass deployment (RemoteLink-Setup.exe /S /SERVER= /ENROLL=) - Enrollment token system: admin generates tokens, agents self-register - Real WebSocket viewer replaces simulated canvas - Linux agent binary served from /downloads/remotelink-agent-linux - DB migration 0002: viewer_token on sessions, enrollment_tokens table - Sign-up pages cleaned up (invite-only redirect) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 16:25:10 -07:00
parent b2be19ed14
commit e16a2fa978
28 changed files with 1953 additions and 343 deletions
--- a/app/api/agent/register/route.ts
+++ b/app/api/agent/register/route.ts
@@ -1,44 +1,112 @@
 import { db } from '@/lib/db'
-import { machines } from '@/lib/db/schema'
-import { eq } from 'drizzle-orm'
+import { machines, enrollmentTokens } from '@/lib/db/schema'
+import { eq, and, isNull, or, gt } from 'drizzle-orm'
 import { NextRequest, NextResponse } from 'next/server'
+import { randomBytes } from 'crypto'

+// POST /api/agent/register
+// Two modes:
+//   1. First-time: { enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress }
+//      → creates machine, returns { machineId, accessKey }
+//   2. Re-register: { accessKey, name, hostname, os, osVersion, agentVersion, ipAddress }
+//      → updates existing machine, returns { machineId }
 export async function POST(request: NextRequest) {
  try {
    const body = await request.json()
-    const { accessKey, name, hostname, os, osVersion, agentVersion, ipAddress } = body
+    const { accessKey, enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress } = body

-    if (!accessKey) {
-      return NextResponse.json({ error: 'Access key required' }, { status: 400 })
+    // ── Mode 2: existing agent re-registering ─────────────────────────────────
+    if (accessKey) {
+      const result = await db
+        .select()
+        .from(machines)
+        .where(eq(machines.accessKey, accessKey))
+        .limit(1)
+
+      const machine = result[0]
+      if (!machine) {
+        return NextResponse.json({ error: 'Invalid access key' }, { status: 401 })
+      }
+
+      await db
+        .update(machines)
+        .set({
+          name: name || machine.name,
+          hostname: hostname || machine.hostname,
+          os: os || machine.os,
+          osVersion: osVersion || machine.osVersion,
+          agentVersion: agentVersion || machine.agentVersion,
+          ipAddress: ipAddress || machine.ipAddress,
+          isOnline: true,
+          lastSeen: new Date(),
+          updatedAt: new Date(),
+        })
+        .where(eq(machines.id, machine.id))
+
+      return NextResponse.json({ machineId: machine.id })
    }

-    const result = await db
+    // ── Mode 1: first-time registration with enrollment token ─────────────────
+    if (!enrollmentToken) {
+      return NextResponse.json({ error: 'accessKey or enrollmentToken required' }, { status: 400 })
+    }
+
+    const tokenResult = await db
      .select()
-      .from(machines)
-      .where(eq(machines.accessKey, accessKey))
+      .from(enrollmentTokens)
+      .where(eq(enrollmentTokens.token, enrollmentToken))
      .limit(1)

-    const machine = result[0]
-    if (!machine) {
-      return NextResponse.json({ error: 'Invalid access key' }, { status: 401 })
+    const token = tokenResult[0]
+    if (!token) {
+      return NextResponse.json({ error: 'Invalid enrollment token' }, { status: 401 })
    }

-    await db
-      .update(machines)
-      .set({
-        name: name || machine.name,
-        hostname: hostname || machine.hostname,
-        os: os || machine.os,
-        osVersion: osVersion || machine.osVersion,
-        agentVersion: agentVersion || machine.agentVersion,
-        ipAddress: ipAddress || machine.ipAddress,
+    // Check revoked
+    if (token.revokedAt) {
+      return NextResponse.json({ error: 'Enrollment token has been revoked' }, { status: 401 })
+    }
+
+    // Check expiry
+    if (token.expiresAt && token.expiresAt < new Date()) {
+      return NextResponse.json({ error: 'Enrollment token has expired' }, { status: 401 })
+    }
+
+    // Check max uses
+    if (token.maxUses !== null && token.usedCount >= token.maxUses) {
+      return NextResponse.json({ error: 'Enrollment token has reached its use limit' }, { status: 401 })
+    }
+
+    if (!name) {
+      return NextResponse.json({ error: 'name is required for first-time registration' }, { status: 400 })
+    }
+
+    // Generate a secure access key for this machine
+    const newAccessKey = randomBytes(32).toString('hex')
+
+    const newMachine = await db
+      .insert(machines)
+      .values({
+        userId: token.createdBy!,
+        name,
+        hostname,
+        os,
+        osVersion,
+        agentVersion,
+        ipAddress,
+        accessKey: newAccessKey,
        isOnline: true,
        lastSeen: new Date(),
-        updatedAt: new Date(),
      })
-      .where(eq(machines.id, machine.id))
+      .returning({ id: machines.id })

-    return NextResponse.json({ success: true, machineId: machine.id })
+    // Increment use count
+    await db
+      .update(enrollmentTokens)
+      .set({ usedCount: token.usedCount + 1 })
+      .where(eq(enrollmentTokens.id, token.id))
+
+    return NextResponse.json({ machineId: newMachine[0].id, accessKey: newAccessKey })
  } catch (error) {
    console.error('[Agent Register] Error:', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
--- a/app/api/connect/route.ts
+++ b/app/api/connect/route.ts
@@ -51,7 +51,7 @@ export async function POST(request: NextRequest) {
    .set({ usedAt: new Date(), usedBy: session.user.id, isActive: false })
    .where(eq(sessionCodes.id, sessionCode.id))

-  // Create session record
+  // Create session record (viewer_token is auto-generated by DB default)
  const newSession = await db
    .insert(sessions)
    .values({
@@ -61,7 +61,11 @@ export async function POST(request: NextRequest) {
      connectionType: 'session_code',
      sessionCode: normalizedCode,
    })
-    .returning({ id: sessions.id })
+    .returning({ id: sessions.id, viewerToken: sessions.viewerToken })

-  return NextResponse.json({ sessionId: newSession[0].id })
+  return NextResponse.json({
+    sessionId: newSession[0].id,
+    viewerToken: newSession[0].viewerToken,
+    machineId: sessionCode.machineId,
+  })
 }
--- a/app/api/enrollment-tokens/route.ts
+++ b/app/api/enrollment-tokens/route.ts
@@ -0,0 +1,62 @@
+import { auth } from '@/auth'
+import { db } from '@/lib/db'
+import { enrollmentTokens } from '@/lib/db/schema'
+import { eq, desc } from 'drizzle-orm'
+import { NextRequest, NextResponse } from 'next/server'
+
+// GET /api/enrollment-tokens — list all (admin only)
+export async function GET() {
+  const session = await auth()
+  if (!session?.user || session.user.role !== 'admin') {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+  }
+
+  const tokens = await db
+    .select()
+    .from(enrollmentTokens)
+    .orderBy(desc(enrollmentTokens.createdAt))
+
+  return NextResponse.json({ tokens })
+}
+
+// POST /api/enrollment-tokens — create new token (admin only)
+export async function POST(request: NextRequest) {
+  const session = await auth()
+  if (!session?.user || session.user.role !== 'admin') {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+  }
+
+  const { label, expiresInDays, maxUses } = await request.json()
+
+  const expiresAt = expiresInDays
+    ? new Date(Date.now() + expiresInDays * 24 * 60 * 60 * 1000)
+    : null
+
+  const token = await db
+    .insert(enrollmentTokens)
+    .values({
+      label: label || null,
+      createdBy: session.user.id,
+      expiresAt,
+      maxUses: maxUses || null,
+    })
+    .returning()
+
+  return NextResponse.json({ token: token[0] }, { status: 201 })
+}
+
+// DELETE /api/enrollment-tokens — revoke token (admin only)
+export async function DELETE(request: NextRequest) {
+  const session = await auth()
+  if (!session?.user || session.user.role !== 'admin') {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+  }
+
+  const { id } = await request.json()
+  await db
+    .update(enrollmentTokens)
+    .set({ revokedAt: new Date() })
+    .where(eq(enrollmentTokens.id, id))
+
+  return NextResponse.json({ success: true })
+}