From 8706bc4c015cc7da108390d135f284ee6c29b72b Mon Sep 17 00:00:00 2001
From: chk <79915315+ChKendel@users.noreply.github.com>
Date: Fri, 12 Jun 2026 19:22:50 +0200
Subject: [PATCH] Emergency Stop fix 3
---
 auth/auth.js | 69 ++++++++++++++++++++++++++++
 nginxPages/10-server-schooltech.conf | 17 -------
 2 files changed, 69 insertions(+), 17 deletions(-)
diff --git a/auth/auth.js b/auth/auth.js
index caa68c3..d1ffe52 100755
--- a/auth/auth.js
+++ b/auth/auth.js
@@ -3,10 +3,47 @@ import cookieParser from "cookie-parser";
 import bcrypt from "bcrypt";
 import fs from "fs";
 import crypto from "crypto";
+import https from "https";
 const USERS = JSON.parse(fs.readFileSync("./users.json"));
 const SESSIONS = {}; // in-memory session store
+// Robot-Driver hinter dem Tunnel (TLS, selbst-signiert -> Verify aus)
+const DRIVER_HOST = "appServer_TunnelHead";
+const DRIVER_PORT = 9798;
+
+// Kleiner HTTPS-Proxy-Helfer zum Driver (Core-Modul, keine Extra-Dependency)
+function driverRequest(method, path) {
+ return new Promise((resolve, reject) => {
+ const req = https.request(
+ {
+ host: DRIVER_HOST,
+ port: DRIVER_PORT,
+ path,
+ method,
+ rejectUnauthorized: false, // entspricht nginx proxy_ssl_verify off
+ timeout: 5000
+ },
+ (res) => {
+ let body = "";
+ res.on("data", (c) => { body += c; });
+ res.on("end", () => resolve({ status: res.statusCode, body }));
+ }
+ );
+ req.on("timeout", () => req.destroy(new Error("driver timeout")));
+ req.on("error", reject);
+ req.end();
+ });
+}
+
+// Session-Guard: true wenn eingeloggt, sonst sendet selbst 401
+function requireSession(req, res) {
+ const sid = req.cookies.SESSIONID;
+ if (sid && SESSIONS[sid]) return true;
+ res.status(401).send({ ok: false, error: "not authenticated" });
+ return false;
+}
+
 const app = express();
 app.use(express.json());
 app.use(cookieParser());
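Review bot: `requireSession` treats any cookie value for which `SESSIONS[sid]` is truthy as a login, and because `SESSIONS` is a plain `{}` that lookup also resolves property names inherited from `Object.prototype`, not only session ids the service stored. The guard should test own keys and the value's type, e.g. `if (typeof sid === "string" && Object.hasOwn(SESSIONS, sid)) return true;`, or the store should become a `Map`. Separately, `rejectUnauthorized: false` in `driverRequest` leaves the driver's identity unverified on the channel that carries the emergency stop; pinning the self-signed certificate through the `ca` option of `https.request` would keep the connection authenticated without a public CA.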
@@ -84,4 +121,36 @@ app.get("/api/status", (req, res) => {
 return res.status(401).send({ ok: false });
 });
+// ===========================
+// Robot-Driver Proxy (same-origin, auth-geschützt)
+// Nginx leitet /api/ auf diesen Service -> kein CORS, Cookie wird mitgeschickt.
+// ===========================
+
+// Armed-Status abfragen: GET /api/power-status
+app.get("/api/power-status", async (req, res) => {
+ if (!requireSession(req, res)) return;
+ try {
+ const r = await driverRequest("GET", "/api/power-status");
+ res.status(r.status).type("application/json").send(r.body);
+ } catch (e) {
+ console.error("power-status proxy error:", e.message);
+ // Failsafe: Driver nicht erreichbar -> armed:false, Button bleibt versteckt
+ res.status(502).send({ ok: false, armed: false, error: "driver unreachable" });
+ }
+});
+
+// Not-Aus auslösen: POST /api/emergency-stop
+app.post("/api/emergency-stop", async (req, res) => {
+ if (!requireSession(req, res)) return;
+ const user = SESSIONS[req.cookies.SESSIONID].user;
+ console.log(`EMERGENCY-STOP ausgelöst von user=${user}`);
+ try {
+ const r = await driverRequest("POST", "/api/emergency-stop");
+ res.status(r.status).type("application/json").send(r.body);
+ } catch (e) {
+ console.error("emergency-stop proxy error:", e.message);
+ res.status(502).send({ ok: false, error: "driver unreachable" });
+ }
+});
+
 app.listen(3000, ()=>console.log("Auth-Service läuft auf 3000"));
diff --git a/nginxPages/10-server-schooltech.conf b/nginxPages/10-server-schooltech.conf
index 1377011..2563ea7 100644
--- a/nginxPages/10-server-schooltech.conf
+++ b/nginxPages/10-server-schooltech.conf
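Review bot: The new `POST /api/emergency-stop` handler is authorized by the `SESSIONID` cookie alone, and nothing in this hunk checks where the request originated, so a cross-site request sent by the operator's browser would be forwarded to the driver unless the cookie is issued with `SameSite`; the login code is outside this hunk, so that cannot be confirmed here. An origin check ahead of the proxy call would close the gap, e.g. `if (req.get("Origin") !== ALLOWED_ORIGIN) return res.status(403).send({ ok: false });`, where `ALLOWED_ORIGIN` is a placeholder for the site's own origin. The audit line also assumes `SESSIONS[req.cookies.SESSIONID].user` is set, so it is worth confirming that the login handler always stores a `user` field.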
@@ -17,23 +17,6 @@ server {
 try_files $uri $uri/ /index.html;
 }
- # Robot Driver: power-status + emergency-stop (interner Proxy, vermeidet CORS)
- location = /api/power-status {
- proxy_pass http://appServer_TunnelHead:9798/api/power-status;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location = /api/emergency-stop {
- proxy_pass http://appServer_TunnelHead:9798/api/emergency-stop;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
 # API forwarding (auth)
 location /api/ {
 proxy_pass http://appserverauth:3000/api/;