Add Python agent, WebSocket relay, real viewer, enrollment tokens

- WebSocket relay service (FastAPI) bridges agents and viewers - Python agent with screen capture (mss), input control (pynput), script execution, and auto-reconnect - Windows service wrapper, PyInstaller spec, NSIS installer for silent mass deployment (RemoteLink-Setup.exe /S /SERVER= /ENROLL=) - Enrollment token system: admin generates tokens, agents self-register - Real WebSocket viewer replaces simulated canvas - Linux agent binary served from /downloads/remotelink-agent-linux - DB migration 0002: viewer_token on sessions, enrollment_tokens table - Sign-up pages cleaned up (invite-only redirect) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 16:25:10 -07:00
parent b2be19ed14
commit e16a2fa978
28 changed files with 1953 additions and 343 deletions
--- a/app/api/agent/register/route.ts
+++ b/app/api/agent/register/route.ts
@@ -1,44 +1,112 @@
 import { db } from '@/lib/db'
-import { machines } from '@/lib/db/schema'
-import { eq } from 'drizzle-orm'
+import { machines, enrollmentTokens } from '@/lib/db/schema'
+import { eq, and, isNull, or, gt } from 'drizzle-orm'
 import { NextRequest, NextResponse } from 'next/server'
+import { randomBytes } from 'crypto'

+// POST /api/agent/register
+// Two modes:
+//   1. First-time: { enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress }
+//      → creates machine, returns { machineId, accessKey }
+//   2. Re-register: { accessKey, name, hostname, os, osVersion, agentVersion, ipAddress }
+//      → updates existing machine, returns { machineId }
 export async function POST(request: NextRequest) {
  try {
    const body = await request.json()
-    const { accessKey, name, hostname, os, osVersion, agentVersion, ipAddress } = body
+    const { accessKey, enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress } = body

-    if (!accessKey) {
-      return NextResponse.json({ error: 'Access key required' }, { status: 400 })
+    // ── Mode 2: existing agent re-registering ─────────────────────────────────
+    if (accessKey) {
+      const result = await db
+        .select()
+        .from(machines)
+        .where(eq(machines.accessKey, accessKey))
+        .limit(1)
+
+      const machine = result[0]
+      if (!machine) {
+        return NextResponse.json({ error: 'Invalid access key' }, { status: 401 })
+      }
+
+      await db
+        .update(machines)
+        .set({
+          name: name || machine.name,
+          hostname: hostname || machine.hostname,
+          os: os || machine.os,
+          osVersion: osVersion || machine.osVersion,
+          agentVersion: agentVersion || machine.agentVersion,
+          ipAddress: ipAddress || machine.ipAddress,
+          isOnline: true,
+          lastSeen: new Date(),
+          updatedAt: new Date(),
+        })
+        .where(eq(machines.id, machine.id))
+
+      return NextResponse.json({ machineId: machine.id })
    }

-    const result = await db
+    // ── Mode 1: first-time registration with enrollment token ─────────────────
+    if (!enrollmentToken) {
+      return NextResponse.json({ error: 'accessKey or enrollmentToken required' }, { status: 400 })
+    }
+
+    const tokenResult = await db
      .select()
-      .from(machines)
-      .where(eq(machines.accessKey, accessKey))
+      .from(enrollmentTokens)
+      .where(eq(enrollmentTokens.token, enrollmentToken))
      .limit(1)

-    const machine = result[0]
-    if (!machine) {
-      return NextResponse.json({ error: 'Invalid access key' }, { status: 401 })
+    const token = tokenResult[0]
+    if (!token) {
+      return NextResponse.json({ error: 'Invalid enrollment token' }, { status: 401 })
    }

-    await db
-      .update(machines)
-      .set({
-        name: name || machine.name,
-        hostname: hostname || machine.hostname,
-        os: os || machine.os,
-        osVersion: osVersion || machine.osVersion,
-        agentVersion: agentVersion || machine.agentVersion,
-        ipAddress: ipAddress || machine.ipAddress,
+    // Check revoked
+    if (token.revokedAt) {
+      return NextResponse.json({ error: 'Enrollment token has been revoked' }, { status: 401 })
+    }
+
+    // Check expiry
+    if (token.expiresAt && token.expiresAt < new Date()) {
+      return NextResponse.json({ error: 'Enrollment token has expired' }, { status: 401 })
+    }
+
+    // Check max uses
+    if (token.maxUses !== null && token.usedCount >= token.maxUses) {
+      return NextResponse.json({ error: 'Enrollment token has reached its use limit' }, { status: 401 })
+    }
+
+    if (!name) {
+      return NextResponse.json({ error: 'name is required for first-time registration' }, { status: 400 })
+    }
+
+    // Generate a secure access key for this machine
+    const newAccessKey = randomBytes(32).toString('hex')
+
+    const newMachine = await db
+      .insert(machines)
+      .values({
+        userId: token.createdBy!,
+        name,
+        hostname,
+        os,
+        osVersion,
+        agentVersion,
+        ipAddress,
+        accessKey: newAccessKey,
        isOnline: true,
        lastSeen: new Date(),
-        updatedAt: new Date(),
      })
-      .where(eq(machines.id, machine.id))
+      .returning({ id: machines.id })

-    return NextResponse.json({ success: true, machineId: machine.id })
+    // Increment use count
+    await db
+      .update(enrollmentTokens)
+      .set({ usedCount: token.usedCount + 1 })
+      .where(eq(enrollmentTokens.id, token.id))
+
+    return NextResponse.json({ machineId: newMachine[0].id, accessKey: newAccessKey })
  } catch (error) {
    console.error('[Agent Register] Error:', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })