Whiteboard exapp

Signed-off-by: Hoang Pham <[email protected]>

lib/AppInfo/Application.php

@@ -10,6 +10,7 @@
 
 namespace OCA\Whiteboard\AppInfo;
 
+use OCA\AppAPI\Middleware\AppAPIAuthMiddleware;
 use OCA\Files_Sharing\Event\BeforeTemplateRenderedEvent;
 use OCA\Viewer\Event\LoadViewer;
 use OCA\Whiteboard\Listener\AddContentSecurityPolicyListener;
@@ -44,6 +45,7 @@ public function register(IRegistrationContext $context): void {
 		$context->registerEventListener(LoadViewer::class, LoadViewerListener::class);
 		$context->registerEventListener(RegisterTemplateCreatorEvent::class, RegisterTemplateCreatorListener::class);
 		$context->registerEventListener(BeforeTemplateRenderedEvent::class, BeforeTemplateRenderedListener::class);
+		$context->registerMiddleware(AppAPIAuthMiddleware::class);
 	}
 
 	public function boot(IBootContext $context): void {

lib/Controller/SettingsController.php

@@ -10,10 +10,13 @@
 namespace OCA\Whiteboard\Controller;
 
 use Exception;
+use OCA\AppAPI\Attribute\AppAPIAuth;
 use OCA\Whiteboard\Service\ConfigService;
 use OCA\Whiteboard\Service\ExceptionService;
 use OCA\Whiteboard\Service\JWTService;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\IRequest;
 
@@ -31,6 +34,9 @@ public function __construct(
 		parent::__construct('whiteboard', $request);
 	}
 
+	#[AppAPIAuth]
+	#[PublicPage]
+	#[NoCSRFRequired]
 	public function update(): DataResponse {
 		try {
 			$serverUrl = $this->request->getParam('serverUrl');

src/collaboration/Portal.ts

@@ -44,7 +44,7 @@ export class Portal {
 			auth: {
 				token,
 			},
-			transports: ['websocket'],
+			transports: ['polling'],
 			timeout: 10000,
 		}).connect()
 

websocket_server/.dockerignore

@@ -0,0 +1,3 @@
+node_modules/
+*.pem
+appinfo

websocket_server/.gitignore

@@ -2,3 +2,4 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 *.pem
+node_modules/

websocket_server/ApiService.js

@@ -14,7 +14,7 @@ dotenv.config()
 export default class ApiService {
 
 	constructor(tokenGenerator) {
-		this.NEXTCLOUD_URL = process.env.NEXTCLOUD_URL
+		this.NEXTCLOUD_URL = 'http://nextcloud'
 		this.IS_DEV = Utils.parseBooleanFromEnv(process.env.IS_DEV)
 		this.agent = this.IS_DEV ? new https.Agent({ rejectUnauthorized: false }) : null
 		this.tokenGenerator = tokenGenerator

websocket_server/AppManager.js

@@ -3,25 +3,30 @@
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 
+/* eslint-disable no-console */
+
 import dotenv from 'dotenv'
 import express from 'express'
 import PrometheusDataManager from './PrometheusDataManager.js'
-
+import fetch from 'node-fetch'
+import getOrCreateJwtSecretKey from './JwtSecretManager.js'
 dotenv.config()
 
 export default class AppManager {
 
 	constructor(storageManager) {
 		this.app = express()
-		this.storageManager = storageManager
 		this.metricsManager = new PrometheusDataManager(storageManager)
 		this.METRICS_TOKEN = process.env.METRICS_TOKEN
+		this.JWT_SECRET_KEY = getOrCreateJwtSecretKey()
 		this.setupRoutes()
 	}
 
 	setupRoutes() {
 		this.app.get('/', this.homeHandler.bind(this))
 		this.app.get('/metrics', this.metricsHandler.bind(this))
+		this.app.get('/heartbeat', this.heartbeatHandler.bind(this))
+		this.app.put('/enabled', express.json(), this.enabledHandler.bind(this))
 	}
 
 	homeHandler(req, res) {
@@ -39,6 +44,68 @@ export default class AppManager {
 		res.end(metrics)
 	}
 
+	heartbeatHandler(req, res) {
+		res.status(200).json({ status: 'ok' })
+	}
+
+	async enabledHandler(req, res) {
+		try {
+			const authHeader = req.headers['authorization-app-api']
+
+			console.log('authHeader', authHeader)
+
+			if (!authHeader) {
+				return res
+					.status(401)
+					.send('Unauthorized: Missing AUTHORIZATION-APP-API header')
+			}
+
+			const [userId, appSecret] = Buffer.from(authHeader, 'base64')
+				.toString()
+				.split(':')
+			if (appSecret !== process.env.APP_SECRET) {
+				return res.status(401).send('Unauthorized: Invalid APP_SECRET')
+			}
+
+			const headers = {
+				'EX-APP-ID': process.env.APP_ID,
+				'EX-APP-VERSION': process.env.APP_VERSION,
+				'OCS-APIRequest': 'true',
+				'AUTHORIZATION-APP-API': Buffer.from(
+					`${userId}:${process.env.APP_SECRET}`,
+				).toString('base64'),
+				'Content-Type': 'application/json',
+			}
+
+			const response = await fetch(
+				'http://nextcloud/index.php/apps/whiteboard/settings',
+				{
+					method: 'POST',
+					headers,
+					body: JSON.stringify({
+						serverUrl: `${process.env.NEXTCLOUD_URL}/apps/app_api/proxy/whiteboard_websocket`,
+						secret: this.JWT_SECRET_KEY,
+					}),
+				},
+			)
+
+			if (!response.ok) {
+				const responseBody = await response.text()
+				throw new Error(
+					`HTTP error! status: ${response.status}, body: ${responseBody}`,
+				)
+			}
+
+			const data = await response.json()
+			res.status(200).json(data)
+		} catch (error) {
+			console.error('Error updating Nextcloud config:', error)
+			res
+				.status(500)
+				.send(`Failed to update Nextcloud configuration: ${error.message}`)
+		}
+	}
+
 	getApp() {
 		return this.app
 	}

websocket_server/Dockerfile

@@ -0,0 +1,26 @@
+FROM node:22.9.0-alpine3.20 AS build
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+ARG NODE_ENV=production
+COPY ./ /app
+WORKDIR /app
+RUN apk upgrade --no-cache -a && \
+    apk add --no-cache ca-certificates && \
+    npm install --global clean-modules && \
+    npm clean-install && \
+    clean-modules --yes && \
+    npm cache clean --force
+
+FROM node:22.9.0-alpine3.20
+COPY --from=build --chown=nobody:nobody /app /app
+WORKDIR /app
+RUN apk upgrade --no-cache -a && \
+    apk add --no-cache ca-certificates tzdata netcat-openbsd curl
+
+ENV PORT=23000
+ENV TLS=false
+ENV STORAGE_STRATEGY=lru
+
+USER nobody
+EXPOSE 23000
+ENTRYPOINT ["npm", "run", "start"]
+HEALTHCHECK CMD nc -z 127.0.0.1 23000 || exit 1

websocket_server/JwtSecretManager.js

@@ -0,0 +1,22 @@
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+/* eslint-disable no-console */
+
+import crypto from 'crypto'
+import dotenv from 'dotenv'
+
+dotenv.config()
+
+export default function getOrCreateJwtSecretKey() {
+	if (!process.env.JWT_SECRET_KEY) {
+		const newSecret = crypto.randomBytes(32).toString('hex')
+		process.env.JWT_SECRET_KEY = newSecret
+		console.log('Generated new JWT_SECRET_KEY:', newSecret)
+	} else {
+		console.log('Using existing JWT_SECRET_KEY from environment')
+	}
+	return process.env.JWT_SECRET_KEY
+}

websocket_server/SharedTokenGenerator.js

@@ -5,13 +5,14 @@
 
 import crypto from 'crypto'
 import dotenv from 'dotenv'
+import getOrCreateJwtSecretKey from './JwtSecretManager.js'
 
 dotenv.config()
 
 export default class SharedTokenGenerator {
 
 	constructor() {
-		this.SHARED_SECRET = process.env.JWT_SECRET_KEY
+		this.SHARED_SECRET = getOrCreateJwtSecretKey()
 	}
 
 	handle(roomId) {

websocket_server/appinfo/info.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0"?>
+<info>
+    <id>whiteboard_websocket</id>
+    <name>Whiteboard WebSocket Server</name>
+    <summary>WebSocket server for Whiteboard app</summary>
+    <description>A WebSocket server implementation as an external app for Nextcloud Whiteboard</description>
+    <version>0.0.1</version>
+    <licence>AGPL</licence>
+    <author>Nextcloud GmbH</author>
+    <namespace>WhiteboardWebSocket</namespace>
+    <category>tools</category>
+    <bugs>https://your-github-repo/issues</bugs>
+    <dependencies>
+        <nextcloud min-version="27" max-version="30"/>
+    </dependencies>
+    <external-app>
+        <docker-install>
+            <registry>docker.io</registry>
+            <image>hweihwang/whiteboard_websocket</image>
+            <image-tag>latest</image-tag>
+        </docker-install>
+		<routes>
+			<route>
+				<url>.*</url>
+				<verb>GET,POST,PUT,DELETE,OPTIONS</verb>
+				<access_level>PUBLIC</access_level>
+				<headers_to_exclude>[]</headers_to_exclude>
+				<bruteforce_protection>[401, 500]</bruteforce_protection>
+			</route>
+		</routes>
+    </external-app>
+</info>