Merge pull request #58 from fosrl/dev

various changes to to allow for unraid deployment

.gitignore

@@ -30,3 +30,4 @@ dist
 .dist
 installer
 *.tar
+bin

Dockerfile

@@ -27,6 +27,8 @@ COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/init ./dist/init
 
 COPY config/config.example.yml ./dist/config.example.yml
+COPY config/traefik/traefik_config.example.yml ./dist/traefik_config.example.yml
+COPY config/traefik/dynamic_config.example.yml ./dist/dynamic_config.example.yml
 COPY server/db/names.json ./dist/names.json
 
 COPY public ./public

Makefile

@@ -1,4 +1,4 @@
-build-all:
+build-release:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-all tag=<tag>"; \
 		exit 1; \
@@ -12,6 +12,9 @@ build-arm:
 build-x86:
 	docker buildx build --platform linux/amd64 -t fosrl/pangolin:latest .
 
+build-x86-ecr:
+	docker buildx build --platform linux/amd64 -t 216989133116.dkr.ecr.us-east-1.amazonaws.com/pangolin:latest --push .
+
 build:
 	docker build -t fosrl/pangolin:latest .
 

README.md

@@ -1,5 +1,11 @@
 # Pangolin
 
+[![Documentation](https://img.shields.io/badge/docs-latest-blue.svg?style=flat-square)](https://docs.fossorial.io/)
+[![Docker](https://img.shields.io/docker/pulls/fosrl/pangolin?style=flat-square)](https://hub.docker.com/r/fosrl/pangolin)
+![Stars](https://img.shields.io/github/stars/fosrl/pangolin?style=flat-square)
+[![Discord](https://img.shields.io/discord/1325658630518865980?logo=discord&style=flat-square)](https://discord.gg/HCJR8Xhme4)
+[![Youtube](https://img.shields.io/badge/YouTube-red?logo=youtube&logoColor=white&style=flat-square)](https://www.youtube.com/@fossorial-app)
+
 Pangolin is a self-hosted tunneled reverse proxy management server with identity and access management, designed to securely expose private resources through use with the Traefik reverse proxy and WireGuard tunnel clients like Newt. With Pangolin, you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, and simplifying complex network setups, all with a clean and simple UI.
 
 ### Installation and Documentation
@@ -7,6 +13,11 @@ Pangolin is a self-hosted tunneled reverse proxy management server with identity
 -   [Installation Instructions](https://docs.fossorial.io/Getting%20Started/quick-install)
 -   [Full Documentation](https://docs.fossorial.io)
 
+### Authors and Maintainers
+
+- [Milo Schwartz](https://github.com/miloschwartz)
+- [Owen Schwartz](https://github.com/oschwartz10612)
+
 ## Preview
 
 <img src="public/screenshots/sites.png" alt="Preview"/>

SECURITY.md

@@ -0,0 +1,14 @@
+# Security Policy
+
+If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
+
+1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
+2. Send a detailed report to [security@fossorial.io](mailto:security@fossorial.io) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+
+-   Description and location of the vulnerability.
+-   Potential impact of the vulnerability.
+-   Steps to reproduce the vulnerability.
+-   Potential solutions to fix the vulnerability.
+-   Your name/handle and a link for recognition (optional).
+
+We aim to address the issue as soon as possible.

config/config.example.yml

@@ -1,17 +1,18 @@
 app:
-    dashboard_url: http://localhost
+    dashboard_url: http://localhost:3002
     base_domain: localhost
-    log_level: debug
+    log_level: info
     save_logs: false
 
 server:
     external_port: 3000
     internal_port: 3001
     next_port: 3002
-    internal_hostname: localhost
-    secure_cookies: false
+    internal_hostname: pangolin
+    secure_cookies: true
     session_cookie_name: p_session
     resource_session_cookie_name: p_resource_session
+    resource_access_token_param: p_token
 
 traefik:
     cert_resolver: letsencrypt
@@ -21,8 +22,9 @@ traefik:
 gerbil:
     start_port: 51820
     base_endpoint: localhost
-    block_size: 16
-    subnet_group: 10.0.0.0/8
+    block_size: 24
+    site_block_size: 30
+    subnet_group: 100.89.137.0/20
     use_subdomain: true
 
 rate_limits:
@@ -37,3 +39,5 @@ users:
 
 flags:
     require_email_verification: false
+    disable_signup_without_invite: true
+    disable_user_create_org: true

config/traefik/dynamic_config.example.yml

@@ -0,0 +1,54 @@
+http:
+  middlewares:
+    redirect-to-https:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+  routers:
+    # HTTP to HTTPS redirect router
+    main-app-router-redirect:
+      rule: "Host(`{{.DashboardDomain}}`)"
+      service: next-service
+      entryPoints:
+        - web
+      middlewares:
+        - redirect-to-https
+
+    # Next.js router (handles everything except API and WebSocket paths)
+    next-router:
+      rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)"
+      service: next-service
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+
+    # API router (handles /api/v1 paths)
+    api-router:
+      rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)"
+      service: api-service
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+
+    # WebSocket router
+    ws-router:
+      rule: "Host(`{{.DashboardDomain}}`)"
+      service: api-service
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: letsencrypt
+
+  services:
+    next-service:
+      loadBalancer:
+        servers:
+          - url: "http://pangolin:{{.NEXT_PORT}}"  # Next.js server
+
+    api-service:
+      loadBalancer:
+        servers:
+          - url: "http://pangolin:{{.EXTERNAL_PORT}}"  # API/WebSocket server

config/traefik/traefik_config.example.yml

@@ -0,0 +1,41 @@
+api:
+  insecure: true
+  dashboard: true
+
+providers:
+  http:
+    endpoint: "http://pangolin:{{.INTERNAL_PORT}}/api/v1/traefik-config"
+    pollInterval: "5s"
+  file:
+    filename: "/etc/traefik/dynamic_config.yml"
+
+experimental:
+  plugins:
+    badger:
+      moduleName: "github.com/fosrl/badger"
+      version: "v1.0.0-beta.2"
+
+log:
+  level: "INFO"
+  format: "common"
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      httpChallenge:
+        entryPoint: web
+      email: "{{.LetsEncryptEmail}}"
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: "letsencrypt"
+
+serversTransport:
+  insecureSkipVerify: true

install/Makefile

@@ -1,8 +1,14 @@
 
 all: build
 
-build: 
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o installer
+build:
+	CGO_ENABLED=0 go build -o bin/installer
+
+release:
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/installer_linux_amd64
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/installer_linux_arm64
 
 clean:
-	rm installer
+	rm bin/installer
+	rm bin/installer_linux_amd64
+	rm bin/installer_linux_arm64

install/fs/config.yml

@@ -1,6 +1,6 @@
 app:
-    dashboard_url: https://{{.Domain}}
-    base_domain: {{.Domain}}
+    dashboard_url: https://{{.DashboardDomain}}
+    base_domain: {{.BaseDomain}}
     log_level: info
     save_logs: false
 
@@ -9,9 +9,15 @@ server:
     internal_port: 3001
     next_port: 3002
     internal_hostname: pangolin
-    secure_cookies: false
+    secure_cookies: true
     session_cookie_name: p_session
     resource_session_cookie_name: p_resource_session
+    resource_access_token_param: p_token
+    cors:
+        origins: ["https://{{.DashboardDomain}}"]
+        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
+        headers: ["X-CSRF-Token", "Content-Type"]
+        credentials: false
 
 traefik:
     cert_resolver: letsencrypt
@@ -21,10 +27,11 @@ traefik:
 
 gerbil:
     start_port: 51820
-    base_endpoint: {{.Domain}}
+    base_endpoint: {{.DashboardDomain}}
     use_subdomain: false
-    block_size: 16
-    subnet_group: 10.0.0.0/8
+    block_size: 24
+    site_block_size: 30
+    subnet_group: 100.89.137.0/20
 
 rate_limits:
     global:

install/fs/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   pangolin:
-    image: fosrl/pangolin:latest
+    image: fosrl/pangolin:{{.PangolinVersion}}
     container_name: pangolin
     restart: unless-stopped
     volumes:
@@ -11,8 +11,9 @@ services:
       timeout: "3s"
       retries: 5
 
+{{if .InstallGerbil}}
   gerbil:
-    image: fosrl/gerbil:latest
+    image: fosrl/gerbil:{{.GerbilVersion}}
     container_name: gerbil
     restart: unless-stopped
     depends_on:
@@ -32,12 +33,20 @@ services:
       - 51820:51820/udp
       - 443:443 # Port for traefik because of the network_mode
       - 80:80 # Port for traefik because of the network_mode
+{{end}}
 
   traefik:
     image: traefik:v3.1
     container_name: traefik
     restart: unless-stopped
+{{if .InstallGerbil}}
     network_mode: service:gerbil # Ports appear on the gerbil service
+{{end}}
+{{if not .InstallGerbil}}
+    ports:
+      - 443:443
+      - 80:80
+{{end}}
     depends_on:
       pangolin:
         condition: service_healthy

install/fs/traefik/dynamic_config.yml

@@ -8,7 +8,7 @@ http:
   routers:
     # HTTP to HTTPS redirect router
     main-app-router-redirect:
-      rule: "Host(`{{.Domain}}`)"
+      rule: "Host(`{{.DashboardDomain}}`)"
       service: next-service
       entryPoints:
         - web
@@ -17,7 +17,7 @@ http:
 
     # Next.js router (handles everything except API and WebSocket paths)
     next-router:
-      rule: "Host(`{{.Domain}}`) && !PathPrefix(`/api/v1`)"
+      rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)"
       service: next-service
       entryPoints:
         - websecure
@@ -26,7 +26,7 @@ http:
 
     # API router (handles /api/v1 paths)
     api-router:
-      rule: "Host(`{{.Domain}}`) && PathPrefix(`/api/v1`)"
+      rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)"
       service: api-service
       entryPoints:
         - websecure
@@ -35,7 +35,7 @@ http:
 
     # WebSocket router
     ws-router:
-      rule: "Host(`{{.Domain}}`)"
+      rule: "Host(`{{.DashboardDomain}}`)"
       service: api-service
       entryPoints:
         - websecure

install/fs/traefik/traefik_config.yml

@@ -13,7 +13,7 @@ experimental:
   plugins:
     badger:
       moduleName: "github.com/fosrl/badger"
-      version: "v1.0.0-beta.1"
+      version: "v1.0.0-beta.2"
 
 log:
   level: "INFO"

install/go.mod

@@ -1,3 +1,8 @@
 module installer
 
-go 1.23.0
+go 1.23.0
+
+require (
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
+)

install/go.sum

@@ -0,0 +1,4 @@
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=

install/main.go

@@ -10,26 +10,38 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+	"syscall"
 	"text/template"
 	"unicode"
+
+	"golang.org/x/term"
 )
 
+func loadVersions(config *Config) {
+	config.PangolinVersion = "1.0.0-beta.6"
+	config.GerbilVersion = "1.0.0-beta.2"
+}
+
 //go:embed fs/*
 var configFiles embed.FS
 
 type Config struct {
-	Domain                     string `yaml:"domain"`
-	LetsEncryptEmail           string `yaml:"letsEncryptEmail"`
-	AdminUserEmail             string `yaml:"adminUserEmail"`
-	AdminUserPassword          string `yaml:"adminUserPassword"`
-	DisableSignupWithoutInvite bool   `yaml:"disableSignupWithoutInvite"`
-	DisableUserCreateOrg       bool   `yaml:"disableUserCreateOrg"`
-	EnableEmail                bool   `yaml:"enableEmail"`
-	EmailSMTPHost              string `yaml:"emailSMTPHost"`
-	EmailSMTPPort              int    `yaml:"emailSMTPPort"`
-	EmailSMTPUser              string `yaml:"emailSMTPUser"`
-	EmailSMTPPass              string `yaml:"emailSMTPPass"`
-	EmailNoReply               string `yaml:"emailNoReply"`
+	PangolinVersion            string
+	GerbilVersion              string
+	BaseDomain                 string
+	DashboardDomain            string
+	LetsEncryptEmail           string
+	AdminUserEmail             string
+	AdminUserPassword          string
+	DisableSignupWithoutInvite bool
+	DisableUserCreateOrg       bool
+	EnableEmail                bool
+	EmailSMTPHost              string
+	EmailSMTPPort              int
+	EmailSMTPUser              string
+	EmailSMTPPass              string
+	EmailNoReply               string
+	InstallGerbil              bool
 }
 
 func main() {
@@ -44,10 +56,16 @@ func main() {
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
 		config := collectUserInput(reader)
-		createConfigFiles(config)
+
+		loadVersions(&config)
+
+		if err := createConfigFiles(config); err != nil {
+			fmt.Printf("Error creating config files: %v\n", err)
+			os.Exit(1)
+		}
 
 		if !isDockerInstalled() && runtime.GOOS == "linux" {
-			if shouldInstallDocker() {
+			if readBool(reader, "Docker is not installed. Would you like to install it?", true) {
 				installDocker()
 			}
 		}
@@ -78,6 +96,24 @@ func readString(reader *bufio.Reader, prompt string, defaultValue string) string
 	return input
 }
 
+func readPassword(prompt string) string {
+	fmt.Print(prompt + ": ")
+
+	// Read password without echo
+	password, err := term.ReadPassword(int(syscall.Stdin))
+	fmt.Println() // Add a newline since ReadPassword doesn't add one
+
+	if err != nil {
+		return ""
+	}
+
+	input := strings.TrimSpace(string(password))
+	if input == "" {
+		return readPassword(prompt)
+	}
+	return input
+}
+
 func readBool(reader *bufio.Reader, prompt string, defaultValue bool) bool {
 	defaultStr := "no"
 	if defaultValue {
@@ -102,23 +138,32 @@ func collectUserInput(reader *bufio.Reader) Config {
 
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")
-	config.Domain = readString(reader, "Enter your domain name", "")
+	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
+	config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", "pangolin."+config.BaseDomain)
 	config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
+	config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunned connections", true)
 
 	// Admin user configuration
 	fmt.Println("\n=== Admin User Configuration ===")
-	config.AdminUserEmail = readString(reader, "Enter admin user email", "admin@"+config.Domain)
+	config.AdminUserEmail = readString(reader, "Enter admin user email", "admin@"+config.BaseDomain)
 	for {
-		config.AdminUserPassword = readString(reader, "Enter admin user password", "")
-		if valid, message := validatePassword(config.AdminUserPassword); valid {
-			break
+		pass1 := readPassword("Create admin user password")
+		pass2 := readPassword("Confirm admin user password")
+
+		if pass1 != pass2 {
+			fmt.Println("Passwords do not match")
 		} else {
-			fmt.Println("Invalid password:", message)
-			fmt.Println("Password requirements:")
-			fmt.Println("- At least one uppercase English letter")
-			fmt.Println("- At least one lowercase English letter")
-			fmt.Println("- At least one digit")
-			fmt.Println("- At least one special character")
+			config.AdminUserPassword = pass1
+			if valid, message := validatePassword(config.AdminUserPassword); valid {
+				break
+			} else {
+				fmt.Println("Invalid password:", message)
+				fmt.Println("Password requirements:")
+				fmt.Println("- At least one uppercase English letter")
+				fmt.Println("- At least one lowercase English letter")
+				fmt.Println("- At least one digit")
+				fmt.Println("- At least one special character")
+			}
 		}
 	}
 
@@ -140,10 +185,14 @@ func collectUserInput(reader *bufio.Reader) Config {
 	}
 
 	// Validate required fields
-	if config.Domain == "" {
+	if config.BaseDomain == "" {
 		fmt.Println("Error: Domain name is required")
 		os.Exit(1)
 	}
+	if config.DashboardDomain == "" {
+		fmt.Println("Error: Dashboard Domain name is required")
+		os.Exit(1)
+	}
 	if config.LetsEncryptEmail == "" {
 		fmt.Println("Error: Let's Encrypt email is required")
 		os.Exit(1)
@@ -269,19 +318,30 @@ func createConfigFiles(config Config) error {
 		return fmt.Errorf("error walking config files: %v", err)
 	}
 
-	// move the docker-compose.yml file to the root directory
-	os.Rename("config/docker-compose.yml", "docker-compose.yml")
+	// get the current directory
+	dir, err := os.Getwd()
+	if err != nil {
+		return fmt.Errorf("failed to get current directory: %v", err)
+	}
+
+	sourcePath := filepath.Join(dir, "config/docker-compose.yml")
+	destPath := filepath.Join(dir, "docker-compose.yml")
+
+	// Check if source file exists
+	if _, err := os.Stat(sourcePath); err != nil {
+		return fmt.Errorf("source docker-compose.yml not found: %v", err)
+	}
+
+	// Try to move the file
+	err = os.Rename(sourcePath, destPath)
+	if err != nil {
+		return fmt.Errorf("failed to move docker-compose.yml from %s to %s: %v",
+			sourcePath, destPath, err)
+	}
 
 	return nil
 }
 
-func shouldInstallDocker() bool {
-	reader := bufio.NewReader(os.Stdin)
-	fmt.Print("Would you like to install Docker? (yes/no): ")
-	response, _ := reader.ReadString('\n')
-	return strings.ToLower(strings.TrimSpace(response)) == "yes"
-}
-
 func installDocker() error {
 	// Detect Linux distribution
 	cmd := exec.Command("cat", "/etc/os-release")

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@fosrl/pangolin",
-    "version": "1.0.0-beta.2",
+    "version": "1.0.0-beta.6",
     "private": true,
     "type": "module",
     "description": "Tunneled Reverse Proxy Management Server with Identity and Access Control and Dashboard UI",
@@ -26,6 +26,7 @@
         "@oslojs/encoding": "1.1.0",
         "@radix-ui/react-avatar": "1.1.2",
         "@radix-ui/react-checkbox": "1.1.3",
+        "@radix-ui/react-collapsible": "1.1.2",
         "@radix-ui/react-dialog": "1.1.4",
         "@radix-ui/react-dropdown-menu": "2.1.4",
         "@radix-ui/react-icons": "1.3.2",

server/apiServer.ts

@@ -20,23 +20,32 @@ const externalPort = config.getRawConfig().server.external_port;
 export function createApiServer() {
     const apiServer = express();
 
-    // Middleware setup
-    apiServer.set("trust proxy", 1);
-    if (dev) {
-        apiServer.use(
-            cors({
-                origin: `http://localhost:${config.getRawConfig().server.next_port}`,
-                credentials: true
-            })
-        );
-    } else {
-        const corsOptions = {
-            origin: config.getRawConfig().app.dashboard_url,
-            methods: ["GET", "POST", "PUT", "DELETE", "PATCH"],
-            allowedHeaders: ["Content-Type", "X-CSRF-Token"]
-        };
+    if (config.getRawConfig().server.trust_proxy) {
+        apiServer.set("trust proxy", 1);
+    }
 
-        apiServer.use(cors(corsOptions));
+    const corsConfig = config.getRawConfig().server.cors;
+
+    const options = {
+        ...(corsConfig?.origins
+            ? { origin: corsConfig.origins }
+            : {
+                  origin: (origin: any, callback: any) => {
+                      callback(null, true);
+                  }
+              }),
+        ...(corsConfig?.methods && { methods: corsConfig.methods }),
+        ...(corsConfig?.allowed_headers && {
+            allowedHeaders: corsConfig.allowed_headers
+        }),
+        credentials: !(corsConfig?.credentials === false)
+    };
+
+    logger.debug("Using CORS options", options);
+
+    apiServer.use(cors(options));
+
+    if (!dev) {
         apiServer.use(helmet());
         apiServer.use(csrfProtectionMiddleware);
     }
@@ -47,7 +56,8 @@ export function createApiServer() {
     if (!dev) {
         apiServer.use(
             rateLimitMiddleware({
-                windowMin: config.getRawConfig().rate_limits.global.window_minutes,
+                windowMin:
+                    config.getRawConfig().rate_limits.global.window_minutes,
                 max: config.getRawConfig().rate_limits.global.max_requests,
                 type: "IP_AND_PATH"
             })

server/auth/canUserAccessResource.ts

@@ -0,0 +1,45 @@
+import db from "@server/db";
+import { and, eq } from "drizzle-orm";
+import { roleResources, userResources } from "@server/db/schema";
+
+export async function canUserAccessResource({
+    userId,
+    resourceId,
+    roleId
+}: {
+    userId: string;
+    resourceId: number;
+    roleId: number;
+}): Promise<boolean> {
+    const roleResourceAccess = await db
+        .select()
+        .from(roleResources)
+        .where(
+            and(
+                eq(roleResources.resourceId, resourceId),
+                eq(roleResources.roleId, roleId)
+            )
+        )
+        .limit(1);
+
+    if (roleResourceAccess.length > 0) {
+        return true;
+    }
+
+    const userResourceAccess = await db
+        .select()
+        .from(userResources)
+        .where(
+            and(
+                eq(userResources.userId, userId),
+                eq(userResources.resourceId, resourceId)
+            )
+        )
+        .limit(1);
+
+    if (userResourceAccess.length > 0) {
+        return true;
+    }
+
+    return false;
+}

server/auth/sessions/app.ts

@@ -1,6 +1,6 @@
 import {
     encodeBase32LowerCaseNoPadding,
-    encodeHexLowerCase,
+    encodeHexLowerCase
 } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { Session, sessions, User, users } from "@server/db/schema";
@@ -9,8 +9,10 @@ import { eq } from "drizzle-orm";
 import config from "@server/lib/config";
 import type { RandomReader } from "@oslojs/crypto/random";
 import { generateRandomString } from "@oslojs/crypto/random";
+import logger from "@server/logger";
 
-export const SESSION_COOKIE_NAME = config.getRawConfig().server.session_cookie_name;
+export const SESSION_COOKIE_NAME =
+    config.getRawConfig().server.session_cookie_name;
 export const SESSION_COOKIE_EXPIRES = 1000 * 60 * 60 * 24 * 30;
 export const SECURE_COOKIES = config.getRawConfig().server.secure_cookies;
 export const COOKIE_DOMAIN = "." + config.getBaseDomain();
@@ -24,25 +26,25 @@ export function generateSessionToken(): string {
 
 export async function createSession(
     token: string,
-    userId: string,
+    userId: string
 ): Promise<Session> {
     const sessionId = encodeHexLowerCase(
-        sha256(new TextEncoder().encode(token)),
+        sha256(new TextEncoder().encode(token))
     );
     const session: Session = {
         sessionId: sessionId,
         userId,
-        expiresAt: new Date(Date.now() + SESSION_COOKIE_EXPIRES).getTime(),
+        expiresAt: new Date(Date.now() + SESSION_COOKIE_EXPIRES).getTime()
     };
     await db.insert(sessions).values(session);
     return session;
 }
 
 export async function validateSessionToken(
-    token: string,
+    token: string
 ): Promise<SessionValidationResult> {
     const sessionId = encodeHexLowerCase(
-        sha256(new TextEncoder().encode(token)),
+        sha256(new TextEncoder().encode(token))
     );
     const result = await db
         .select({ user: users, session: sessions })
@@ -61,12 +63,12 @@ export async function validateSessionToken(
     }
     if (Date.now() >= session.expiresAt - SESSION_COOKIE_EXPIRES / 2) {
         session.expiresAt = new Date(
-            Date.now() + SESSION_COOKIE_EXPIRES,
+            Date.now() + SESSION_COOKIE_EXPIRES
         ).getTime();
         await db
             .update(sessions)
             .set({
-                expiresAt: session.expiresAt,
+                expiresAt: session.expiresAt
             })
             .where(eq(sessions.sessionId, session.sessionId));
     }
@@ -81,26 +83,38 @@ export async function invalidateAllSessions(userId: string): Promise<void> {
     await db.delete(sessions).where(eq(sessions.userId, userId));
 }
 
-export function serializeSessionCookie(token: string): string {
-    if (SECURE_COOKIES) {
-        return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Strict; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
+export function serializeSessionCookie(
+    token: string,
+    isSecure: boolean
+): string {
+    if (isSecure) {
+        logger.debug("Setting cookie for secure origin");
+        if (SECURE_COOKIES) {
+            return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Strict; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
+        } else {
+            return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Strict; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=${COOKIE_DOMAIN}`;
+        }
     } else {
-        return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Strict; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=${COOKIE_DOMAIN}`;
+        return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/;`;
     }
 }
 
-export function createBlankSessionTokenCookie(): string {
-    if (SECURE_COOKIES) {
-        return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
+export function createBlankSessionTokenCookie(isSecure: boolean): string {
+    if (isSecure) {
+        if (SECURE_COOKIES) {
+            return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
+        } else {
+            return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/; Domain=${COOKIE_DOMAIN}`;
+        }
     } else {
-        return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Strict; Max-Age=0; Path=/; Domain=${COOKIE_DOMAIN}`;
+        return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/;`;
     }
 }
 
 const random: RandomReader = {
     read(bytes: Uint8Array): void {
         crypto.getRandomValues(bytes);
-    },
+    }
 };
 
 export function generateId(length: number): string {

server/auth/verifyResourceAccessToken.ts

@@ -0,0 +1,67 @@
+import db from "@server/db";
+import {
+    Resource,
+    ResourceAccessToken,
+    resourceAccessToken,
+} from "@server/db/schema";
+import { and, eq } from "drizzle-orm";
+import { isWithinExpirationDate } from "oslo";
+import { verifyPassword } from "./password";
+
+export async function verifyResourceAccessToken({
+    resource,
+    accessTokenId,
+    accessToken
+}: {
+    resource: Resource;
+    accessTokenId: string;
+    accessToken: string;
+}): Promise<{
+    valid: boolean;
+    error?: string;
+    tokenItem?: ResourceAccessToken;
+}> {
+    const [result] = await db
+        .select()
+        .from(resourceAccessToken)
+        .where(
+            and(
+                eq(resourceAccessToken.resourceId, resource.resourceId),
+                eq(resourceAccessToken.accessTokenId, accessTokenId)
+            )
+        )
+        .limit(1);
+
+    const tokenItem = result;
+
+    if (!tokenItem) {
+        return {
+            valid: false,
+            error: "Access token does not exist for resource"
+        };
+    }
+
+    const validCode = await verifyPassword(accessToken, tokenItem.tokenHash);
+
+    if (!validCode) {
+        return {
+            valid: false,
+            error: "Invalid access token"
+        };
+    }
+
+    if (
+        tokenItem.expiresAt &&
+        !isWithinExpirationDate(new Date(tokenItem.expiresAt))
+    ) {
+        return {
+            valid: false,
+            error: "Access token has expired"
+        };
+    }
+
+    return {
+        valid: true,
+        tokenItem
+    };
+}

server/db/index.ts

@@ -4,10 +4,13 @@ import * as schema from "@server/db/schema";
 import path from "path";
 import fs from "fs/promises";
 import { APP_PATH } from "@server/lib/consts";
+import { existsSync, mkdirSync } from "fs";
 
 export const location = path.join(APP_PATH, "db", "db.sqlite");
 export const exists = await checkFileExists(location);
 
+bootstrapVolume();
+
 const sqlite = new Database(location);
 export const db = drizzle(sqlite, { schema });
 
@@ -21,3 +24,29 @@ async function checkFileExists(filePath: string): Promise<boolean> {
         return false;
     }
 }
+
+function bootstrapVolume() {
+    const appPath = APP_PATH;
+
+    const dbDir = path.join(appPath, "db");
+    const logsDir = path.join(appPath, "logs");
+
+    // check if the db directory exists and create it if it doesn't
+    if (!existsSync(dbDir)) {
+        mkdirSync(dbDir, { recursive: true });
+    }
+
+    // check if the logs directory exists and create it if it doesn't
+    if (!existsSync(logsDir)) {
+        mkdirSync(logsDir, { recursive: true });
+    }
+
+    // THIS IS FOR TRAEFIK; NOT REALLY NEEDED, BUT JUST IN CASE
+
+    const traefikDir = path.join(appPath, "traefik");
+
+    // check if the traefik directory exists and create it if it doesn't
+    if (!existsSync(traefikDir)) {
+        mkdirSync(traefikDir, { recursive: true });
+    }
+}

server/lib/config.ts

@@ -3,36 +3,74 @@ import yaml from "js-yaml";
 import path from "path";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
-import { __DIRNAME, APP_PATH, configFilePath1, configFilePath2 } from "@server/lib/consts";
+import {
+    __DIRNAME,
+    APP_PATH,
+    configFilePath1,
+    configFilePath2
+} from "@server/lib/consts";
 import { loadAppVersion } from "@server/lib/loadAppVersion";
 import { passwordSchema } from "@server/auth/passwordSchema";
+import stoi from "./stoi";
 
 const portSchema = z.number().positive().gt(0).lte(65535);
 const hostnameSchema = z
     .string()
     .regex(
-        /^(?!-)[a-zA-Z0-9-]{1,63}(?<!-)(\.[a-zA-Z]{2,})*$/,
-        "Invalid hostname. Must be a valid hostname like 'localhost' or 'test.example.com'."
-    );
+        /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)+([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])$/
+    )
+    .or(z.literal("localhost"));
 
-const environmentSchema = z.object({
+const getEnvOrYaml = (envVar: string) => (valFromYaml: any) => {
+    return process.env[envVar] ?? valFromYaml;
+};
+
+const configSchema = z.object({
     app: z.object({
         dashboard_url: z
             .string()
             .url()
+            .optional()
+            .transform(getEnvOrYaml("APP_DASHBOARDURL"))
+            .pipe(z.string().url())
             .transform((url) => url.toLowerCase()),
-        base_domain: hostnameSchema,
+        base_domain: hostnameSchema
+            .optional()
+            .transform(getEnvOrYaml("APP_BASEDOMAIN"))
+            .pipe(hostnameSchema),
         log_level: z.enum(["debug", "info", "warn", "error"]),
         save_logs: z.boolean()
     }),
     server: z.object({
-        external_port: portSchema,
-        internal_port: portSchema,
-        next_port: portSchema,
+        external_port: portSchema
+            .optional()
+            .transform(getEnvOrYaml("SERVER_EXTERNALPORT"))
+            .transform(stoi)
+            .pipe(portSchema),
+        internal_port: portSchema
+            .optional()
+            .transform(getEnvOrYaml("SERVER_INTERNALPORT"))
+            .transform(stoi)
+            .pipe(portSchema),
+        next_port: portSchema
+            .optional()
+            .transform(getEnvOrYaml("SERVER_NEXTPORT"))
+            .transform(stoi)
+            .pipe(portSchema),
         internal_hostname: z.string().transform((url) => url.toLowerCase()),
         secure_cookies: z.boolean(),
         session_cookie_name: z.string(),
-        resource_session_cookie_name: z.string()
+        resource_session_cookie_name: z.string(),
+        resource_access_token_param: z.string(),
+        cors: z
+            .object({
+                origins: z.array(z.string()).optional(),
+                methods: z.array(z.string()).optional(),
+                allowed_headers: z.array(z.string()).optional(),
+                credentials: z.boolean().optional()
+            })
+            .optional(),
+        trust_proxy: z.boolean().optional().default(true)
     }),
     traefik: z.object({
         http_entrypoint: z.string(),
@@ -41,11 +79,21 @@ const environmentSchema = z.object({
         prefer_wildcard_cert: z.boolean().optional()
     }),
     gerbil: z.object({
-        start_port: portSchema,
-        base_endpoint: z.string().transform((url) => url.toLowerCase()),
+        start_port: portSchema
+            .optional()
+            .transform(getEnvOrYaml("GERBIL_STARTPORT"))
+            .transform(stoi)
+            .pipe(portSchema),
+        base_endpoint: z
+            .string()
+            .optional()
+            .transform(getEnvOrYaml("GERBIL_BASEENDPOINT"))
+            .pipe(z.string())
+            .transform((url) => url.toLowerCase()),
         use_subdomain: z.boolean(),
         subnet_group: z.string(),
-        block_size: z.number().positive().gt(0)
+        block_size: z.number().positive().gt(0),
+        site_block_size: z.number().positive().gt(0)
     }),
     rate_limits: z.object({
         global: z.object({
@@ -70,8 +118,16 @@ const environmentSchema = z.object({
         .optional(),
     users: z.object({
         server_admin: z.object({
-            email: z.string().email(),
+            email: z
+                .string()
+                .email()
+                .optional()
+                .transform(getEnvOrYaml("USERS_SERVERADMIN_EMAIL"))
+                .pipe(z.string().email()),
             password: passwordSchema
+                .optional()
+                .transform(getEnvOrYaml("USERS_SERVERADMIN_PASSWORD"))
+                .pipe(passwordSchema)
         })
     }),
     flags: z
@@ -84,12 +140,18 @@ const environmentSchema = z.object({
 });
 
 export class Config {
-    private rawConfig!: z.infer<typeof environmentSchema>;
+    private rawConfig!: z.infer<typeof configSchema>;
 
     constructor() {
         this.loadConfig();
+
+        if (process.env.GENERATE_TRAEFIK_CONFIG === "true") {
+            this.createTraefikConfig();
+        }
     }
 
+    public loadEnvironment() {}
+
     public loadConfig() {
         const loadConfig = (configPath: string) => {
             try {
@@ -130,6 +192,9 @@ export class Config {
                     );
                     environment = loadConfig(configFilePath1);
                 } catch (error) {
+                    console.log(
+                        "See the docs for information about what to include in the configuration file: https://docs.fossorial.io/Pangolin/Configuration/config"
+                    );
                     if (error instanceof Error) {
                         throw new Error(
                             `Error creating configuration file from example: ${
@@ -150,7 +215,7 @@ export class Config {
             throw new Error("No configuration file found");
         }
 
-        const parsedConfig = environmentSchema.safeParse(environment);
+        const parsedConfig = configSchema.safeParse(environment);
 
         if (!parsedConfig.success) {
             const errors = fromError(parsedConfig.error);
@@ -185,6 +250,8 @@ export class Config {
             ?.disable_user_create_org
             ? "true"
             : "false";
+        process.env.RESOURCE_ACCESS_TOKEN_PARAM =
+            parsedConfig.data.server.resource_access_token_param;
 
         this.rawConfig = parsedConfig.data;
     }
@@ -196,6 +263,72 @@ export class Config {
     public getBaseDomain(): string {
         return this.rawConfig.app.base_domain;
     }
+
+    private createTraefikConfig() {
+        try {
+            // check if traefik_config.yml and dynamic_config.yml exists in APP_PATH/traefik
+            const defaultTraefikConfigPath = path.join(
+                __DIRNAME,
+                "traefik_config.example.yml"
+            );
+            const defaultDynamicConfigPath = path.join(
+                __DIRNAME,
+                "dynamic_config.example.yml"
+            );
+
+            const traefikPath = path.join(APP_PATH, "traefik");
+            if (!fs.existsSync(traefikPath)) {
+                return;
+            }
+
+            // load default configs
+            let traefikConfig = fs.readFileSync(
+                defaultTraefikConfigPath,
+                "utf8"
+            );
+            let dynamicConfig = fs.readFileSync(
+                defaultDynamicConfigPath,
+                "utf8"
+            );
+
+            traefikConfig = traefikConfig
+                .split("{{.LetsEncryptEmail}}")
+                .join(this.rawConfig.users.server_admin.email);
+            traefikConfig = traefikConfig
+                .split("{{.INTERNAL_PORT}}")
+                .join(this.rawConfig.server.internal_port.toString());
+
+            dynamicConfig = dynamicConfig
+                .split("{{.DashboardDomain}}")
+                .join(new URL(this.rawConfig.app.dashboard_url).hostname);
+            dynamicConfig = dynamicConfig
+                .split("{{.NEXT_PORT}}")
+                .join(this.rawConfig.server.next_port.toString());
+            dynamicConfig = dynamicConfig
+                .split("{{.EXTERNAL_PORT}}")
+                .join(this.rawConfig.server.external_port.toString());
+
+            // write thiese to the traefik directory
+            const traefikConfigPath = path.join(
+                traefikPath,
+                "traefik_config.yml"
+            );
+            const dynamicConfigPath = path.join(
+                traefikPath,
+                "dynamic_config.yml"
+            );
+
+            fs.writeFileSync(traefikConfigPath, traefikConfig, "utf8");
+            fs.writeFileSync(dynamicConfigPath, dynamicConfig, "utf8");
+
+            console.log("Traefik configuration files created");
+        } catch (e) {
+            console.log(
+                "Failed to generate the Traefik configuration files. Please create them manually."
+            );
+            console.error(e);
+        }
+    }
 }
 
 export const config = new Config();

server/middlewares/verifyAccessTokenAccess.ts

@@ -4,7 +4,7 @@ import { resourceAccessToken, resources, userOrgs } from "@server/db/schema";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
-import { canUserAccessResource } from "@server/lib/canUserAccessResource";
+import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 
 export async function verifyAccessTokenAccess(
     req: Request,

server/middlewares/verifyTargetAccess.ts

@@ -4,7 +4,7 @@ import { resources, targets, userOrgs } from "@server/db/schema";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
-import { canUserAccessResource } from "../lib/canUserAccessResource";
+import { canUserAccessResource } from "../auth/canUserAccessResource";
 
 export async function verifyTargetAccess(
     req: Request,

server/routers/auth/login.ts

@@ -120,7 +120,8 @@ export async function login(
 
         const token = generateSessionToken();
         await createSession(token, existingUser.userId);
-        const cookie = serializeSessionCookie(token);
+        const isSecure = req.protocol === "https";
+        const cookie = serializeSessionCookie(token, isSecure);
 
         res.appendHeader("Set-Cookie", cookie);
 

server/routers/auth/logout.ts

@@ -27,7 +27,8 @@ export async function logout(
 
     try {
         await invalidateSession(sessionId);
-        res.setHeader("Set-Cookie", createBlankSessionTokenCookie());
+        const isSecure = req.protocol === "https";
+        res.setHeader("Set-Cookie", createBlankSessionTokenCookie(isSecure));
 
         return response<null>(res, {
             data: null,

server/routers/auth/signup.ts

@@ -158,7 +158,8 @@ export async function signup(
 
         const token = generateSessionToken();
         await createSession(token, userId);
-        const cookie = serializeSessionCookie(token);
+        const isSecure = req.protocol === "https";
+        const cookie = serializeSessionCookie(token, isSecure);
         res.appendHeader("Set-Cookie", cookie);
 
         if (config.getRawConfig().flags?.require_email_verification) {

server/routers/badger/verifySession.ts

@@ -7,6 +7,7 @@ import { response } from "@server/lib/response";
 import { validateSessionToken } from "@server/auth/sessions/app";
 import db from "@server/db";
 import {
+    ResourceAccessToken,
     resourceAccessToken,
     resourcePassword,
     resourcePincode,
@@ -17,9 +18,15 @@ import {
 } from "@server/db/schema";
 import { and, eq } from "drizzle-orm";
 import config from "@server/lib/config";
-import { validateResourceSessionToken } from "@server/auth/sessions/resource";
+import {
+    createResourceSession,
+    serializeResourceSessionCookie,
+    validateResourceSessionToken
+} from "@server/auth/sessions/resource";
 import { Resource, roleResources, userResources } from "@server/db/schema";
 import logger from "@server/logger";
+import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
+import { generateSessionToken } from "@server/auth";
 
 const verifyResourceSessionSchema = z.object({
     sessions: z.record(z.string()).optional(),
@@ -28,6 +35,7 @@ const verifyResourceSessionSchema = z.object({
     host: z.string(),
     path: z.string(),
     method: z.string(),
+    accessToken: z.string().optional(),
     tls: z.boolean()
 });
 
@@ -59,7 +67,8 @@ export async function verifyResourceSession(
     }
 
     try {
-        const { sessions, host, originalRequestURL } = parsedBody.data;
+        const { sessions, host, originalRequestURL, accessToken: token } =
+            parsedBody.data;
 
         const [result] = await db
             .select()
@@ -103,11 +112,41 @@ export async function verifyResourceSession(
 
         const redirectUrl = `${config.getRawConfig().app.dashboard_url}/auth/resource/${encodeURIComponent(resource.resourceId)}?redirect=${encodeURIComponent(originalRequestURL)}`;
 
+        // check for access token
+        let validAccessToken: ResourceAccessToken | undefined;
+        if (token) {
+            const [accessTokenId, accessToken] = token.split(".");
+            const { valid, error, tokenItem } = await verifyResourceAccessToken(
+                {
+                    resource,
+                    accessTokenId,
+                    accessToken
+                }
+            );
+
+            if (error) {
+                logger.debug("Access token invalid: " + error);
+            }
+
+            if (valid && tokenItem) {
+                validAccessToken = tokenItem;
+
+                if (!sessions) {
+                    return await createAccessTokenSession(
+                        res,
+                        resource,
+                        tokenItem
+                    );
+                }
+            }
+        }
+
         if (!sessions) {
             return notAllowed(res);
         }
 
-        const sessionToken = sessions[config.getRawConfig().server.session_cookie_name];
+        const sessionToken =
+            sessions[config.getRawConfig().server.session_cookie_name];
 
         // check for unified login
         if (sso && sessionToken) {
@@ -172,6 +211,16 @@ export async function verifyResourceSession(
             }
         }
 
+        // At this point we have checked all sessions, but since the access token is valid, we should allow access
+        // and create a new session.
+        if (validAccessToken) {
+            return await createAccessTokenSession(
+                res,
+                resource,
+                validAccessToken
+            );
+        }
+
         logger.debug("No more auth to check, resource not allowed");
         return notAllowed(res, redirectUrl);
     } catch (e) {
@@ -209,11 +258,41 @@ function allowed(res: Response) {
     return response<VerifyUserResponse>(res, data);
 }
 
+async function createAccessTokenSession(
+    res: Response,
+    resource: Resource,
+    tokenItem: ResourceAccessToken
+) {
+    const token = generateSessionToken();
+    await createResourceSession({
+        resourceId: resource.resourceId,
+        token,
+        accessTokenId: tokenItem.accessTokenId,
+        sessionLength: tokenItem.sessionLength,
+        expiresAt: tokenItem.expiresAt,
+        doNotExtend: tokenItem.expiresAt ? true : false
+    });
+    const cookieName = `${config.getRawConfig().server.resource_session_cookie_name}_${resource.resourceId}`;
+    const cookie = serializeResourceSessionCookie(cookieName, token);
+    res.appendHeader("Set-Cookie", cookie);
+    logger.debug("Access token is valid, creating new session")
+    return response<VerifyUserResponse>(res, {
+        data: { valid: true },
+        success: true,
+        error: false,
+        message: "Access allowed",
+        status: HttpCode.OK
+    });
+}
+
 async function isUserAllowedToAccessResource(
     user: User,
     resource: Resource
 ): Promise<boolean> {
-    if (config.getRawConfig().flags?.require_email_verification && !user.emailVerified) {
+    if (
+        config.getRawConfig().flags?.require_email_verification &&
+        !user.emailVerified
+    ) {
         return false;
     }
 

server/routers/gerbil/getConfig.ts

@@ -50,7 +50,9 @@ export async function getConfig(req: Request, res: Response, next: NextFunction)
         let exitNode;
         if (exitNodeQuery.length === 0) {
             const address = await getNextAvailableSubnet();
-            const listenPort = await getNextAvailablePort();
+            // TODO: eventually we will want to get the next available port so that we can multiple exit nodes
+            // const listenPort = await getNextAvailablePort();
+            const listenPort = config.getRawConfig().gerbil.start_port;
             let subEndpoint = "";
             if (config.getRawConfig().gerbil.use_subdomain) {
                 subEndpoint = await getUniqueExitNodeEndpointName();

server/routers/resource/authWithAccessToken.ts

@@ -14,9 +14,7 @@ import {
 } from "@server/auth/sessions/resource";
 import config from "@server/lib/config";
 import logger from "@server/logger";
-import { verify } from "@node-rs/argon2";
-import { isWithinExpirationDate } from "oslo";
-import { verifyPassword } from "@server/auth/password";
+import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
 
 const authWithAccessTokenBodySchema = z
     .object({
@@ -69,58 +67,38 @@ export async function authWithAccessToken(
     const { accessToken, accessTokenId } = parsedBody.data;
 
     try {
-        const [result] = await db
+        const [resource] = await db
             .select()
-            .from(resourceAccessToken)
-            .where(
-                and(
-                    eq(resourceAccessToken.resourceId, resourceId),
-                    eq(resourceAccessToken.accessTokenId, accessTokenId)
-                )
-            )
-            .leftJoin(
-                resources,
-                eq(resources.resourceId, resourceAccessToken.resourceId)
-            )
+            .from(resources)
+            .where(eq(resources.resourceId, resourceId))
             .limit(1);
 
-        const resource = result?.resources;
-        const tokenItem = result?.resourceAccessToken;
-
-        if (!tokenItem) {
-            return next(
-                createHttpError(
-                    HttpCode.UNAUTHORIZED,
-                    createHttpError(
-                        HttpCode.BAD_REQUEST,
-                        "Access token does not exist for resource"
-                    )
-                )
-            );
-        }
-
         if (!resource) {
             return next(
-                createHttpError(HttpCode.BAD_REQUEST, "Resource does not exist")
+                createHttpError(HttpCode.NOT_FOUND, "Resource not found")
             );
         }
 
-        const validCode = await verifyPassword(accessToken, tokenItem.tokenHash);
+        const { valid, error, tokenItem } = await verifyResourceAccessToken({
+            resource,
+            accessTokenId,
+            accessToken
+        });
 
-        if (!validCode) {
-            return next(
-                createHttpError(HttpCode.UNAUTHORIZED, "Invalid access token")
-            );
-        }
-
-        if (
-            tokenItem.expiresAt &&
-            !isWithinExpirationDate(new Date(tokenItem.expiresAt))
-        ) {
+        if (!valid) {
             return next(
                 createHttpError(
                     HttpCode.UNAUTHORIZED,
-                    "Access token has expired"
+                    error || "Invalid access token"
+                )
+            );
+        }
+
+        if (!tokenItem || !resource) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Access token does not exist for resource"
                 )
             );
         }

server/routers/site/createSite.ts

@@ -24,7 +24,7 @@ const createSiteParamsSchema = z
 const createSiteSchema = z
     .object({
         name: z.string().min(1).max(255),
-        exitNodeId: z.number().int().positive(),
+        exitNodeId: z.number().int().positive().optional(),
         // subdomain: z
         //     .string()
         //     .min(1)
@@ -32,7 +32,7 @@ const createSiteSchema = z
         //     .transform((val) => val.toLowerCase())
         //     .optional(),
         pubKey: z.string().optional(),
-        subnet: z.string(),
+        subnet: z.string().optional(),
         newtId: z.string().optional(),
         secret: z.string().optional(),
         type: z.string()
@@ -82,28 +82,46 @@ export async function createSite(
 
         const niceId = await getUniqueSiteName(orgId);
 
-        let payload: any = {
-            orgId,
-            exitNodeId,
-            name,
-            niceId,
-            subnet,
-            type
-        };
-
-        if (pubKey && type == "wireguard") {
-            // we dont add the pubKey for newts because the newt will generate it
-            payload = {
-                ...payload,
-                pubKey
-            };
-        }
-
         await db.transaction(async (trx) => {
-            const [newSite] = await trx
-                .insert(sites)
-                .values(payload)
-                .returning();
+            let newSite: Site;
+
+            if (exitNodeId) {
+                // we are creating a site with an exit node (tunneled)
+                if (!subnet) {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "Subnet is required for tunneled sites"
+                        )
+                    );
+                }
+
+                [newSite] = await trx
+                    .insert(sites)
+                    .values({
+                        orgId,
+                        exitNodeId,
+                        name,
+                        niceId,
+                        subnet,
+                        type,
+                        ...(pubKey && type == "wireguard" && { pubKey })
+                    })
+                    .returning();
+            } else {
+                // we are creating a site with no tunneling
+
+                [newSite] = await trx
+                    .insert(sites)
+                    .values({
+                        orgId,
+                        name,
+                        niceId,
+                        type,
+                        subnet: "0.0.0.0/0"
+                    })
+                    .returning();
+            }
 
             const adminRole = await trx
                 .select()
@@ -149,6 +167,16 @@ export async function createSite(
                         )
                     );
                 }
+
+                if (!exitNodeId) {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "Exit node ID is required for wireguard sites"
+                        )
+                    );
+                }
+
                 await addPeer(exitNodeId, {
                     publicKey: pubKey,
                     allowedIps: []

server/routers/site/pickSiteDefaults.ts

@@ -8,6 +8,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { findNextAvailableCidr } from "@server/lib/ip";
 import { generateId } from "@server/auth/sessions/app";
+import config from "@server/lib/config";
 
 export type PickSiteDefaultsResponse = {
     exitNodeId: number;
@@ -51,9 +52,9 @@ export async function pickSiteDefaults(
 
         // TODO: we need to lock this subnet for some time so someone else does not take it
         let subnets = sitesQuery.map((site) => site.subnet);
-        // exclude the exit node address by replacing after the / with a /28
-        subnets.push(exitNode.address.replace(/\/\d+$/, "/29"));
-        const newSubnet = findNextAvailableCidr(subnets, 29, exitNode.address);
+        // exclude the exit node address by replacing after the / with a site block size
+        subnets.push(exitNode.address.replace(/\/\d+$/, `/${config.getRawConfig().gerbil.site_block_size}`));
+        const newSubnet = findNextAvailableCidr(subnets, config.getRawConfig().gerbil.site_block_size, exitNode.address);
         if (!newSubnet) {
             return next(
                 createHttpError(

server/routers/target/createTarget.ts

@@ -123,88 +123,100 @@ export async function createTarget(
             );
         }
 
-        // make sure the target is within the site subnet
-        if (
-            site.type == "wireguard" &&
-            !isIpInCidr(targetData.ip, site.subnet!)
-        ) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    `Target IP is not within the site subnet`
-                )
-            );
-        }
-
-        // Fetch resources for this site
-        const resourcesRes = await db.query.resources.findMany({
-            where: eq(resources.siteId, site.siteId)
-        });
-
-        // TODO: is this all inefficient?
-        // Fetch targets for all resources of this site
-        let targetIps: string[] = [];
-        let targetInternalPorts: number[] = [];
-        await Promise.all(
-            resourcesRes.map(async (resource) => {
-                const targetsRes = await db.query.targets.findMany({
-                    where: eq(targets.resourceId, resource.resourceId)
-                });
-                targetsRes.forEach((target) => {
-                    targetIps.push(`${target.ip}/32`);
-                    if (target.internalPort) {
-                        targetInternalPorts.push(target.internalPort);
-                    }
-                });
-            })
-        );
-
-        let internalPort!: number;
-        // pick a port
-        for (let i = 40000; i < 65535; i++) {
-            if (!targetInternalPorts.includes(i)) {
-                internalPort = i;
-                break;
+        let newTarget: Target[] = [];
+        if (site.type == "local") {
+            newTarget = await db
+                .insert(targets)
+                .values({
+                    resourceId,
+                    protocol: "tcp", // hard code for now
+                    ...targetData
+                })
+                .returning();
+        } else {
+            // make sure the target is within the site subnet
+            if (
+                site.type == "wireguard" &&
+                !isIpInCidr(targetData.ip, site.subnet!)
+            ) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        `Target IP is not within the site subnet`
+                    )
+                );
             }
-        }
 
-        if (!internalPort) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    `No available internal port`
-                )
+            // Fetch resources for this site
+            const resourcesRes = await db.query.resources.findMany({
+                where: eq(resources.siteId, site.siteId)
+            });
+
+            // TODO: is this all inefficient?
+            // Fetch targets for all resources of this site
+            let targetIps: string[] = [];
+            let targetInternalPorts: number[] = [];
+            await Promise.all(
+                resourcesRes.map(async (resource) => {
+                    const targetsRes = await db.query.targets.findMany({
+                        where: eq(targets.resourceId, resource.resourceId)
+                    });
+                    targetsRes.forEach((target) => {
+                        targetIps.push(`${target.ip}/32`);
+                        if (target.internalPort) {
+                            targetInternalPorts.push(target.internalPort);
+                        }
+                    });
+                })
             );
-        }
 
-        const newTarget = await db
-            .insert(targets)
-            .values({
-                resourceId,
-                protocol: "tcp", // hard code for now
-                internalPort,
-                ...targetData
-            })
-            .returning();
+            let internalPort!: number;
+            // pick a port
+            for (let i = 40000; i < 65535; i++) {
+                if (!targetInternalPorts.includes(i)) {
+                    internalPort = i;
+                    break;
+                }
+            }
 
-        // add the new target to the targetIps array
-        targetIps.push(`${targetData.ip}/32`);
+            if (!internalPort) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        `No available internal port`
+                    )
+                );
+            }
 
-        if (site.pubKey) {
-            if (site.type == "wireguard") {
-                await addPeer(site.exitNodeId!, {
-                    publicKey: site.pubKey,
-                    allowedIps: targetIps.flat()
-                });
-            } else if (site.type == "newt") {
-                // get the newt on the site by querying the newt table for siteId
-                const [newt] = await db
-                    .select()
-                    .from(newts)
-                    .where(eq(newts.siteId, site.siteId))
-                    .limit(1);
+            newTarget = await db
+                .insert(targets)
+                .values({
+                    resourceId,
+                    protocol: "tcp", // hard code for now
+                    internalPort,
+                    ...targetData
+                })
+                .returning();
 
-                addTargets(newt.newtId, newTarget);
+            // add the new target to the targetIps array
+            targetIps.push(`${targetData.ip}/32`);
+
+            if (site.pubKey) {
+                if (site.type == "wireguard") {
+                    await addPeer(site.exitNodeId!, {
+                        publicKey: site.pubKey,
+                        allowedIps: targetIps.flat()
+                    });
+                } else if (site.type == "newt") {
+                    // get the newt on the site by querying the newt table for siteId
+                    const [newt] = await db
+                        .select()
+                        .from(newts)
+                        .where(eq(newts.siteId, site.siteId))
+                        .limit(1);
+
+                    addTargets(newt.newtId, newTarget);
+                }
             }
         }
 

server/routers/traefik/getTraefikConfig.ts

@@ -56,6 +56,7 @@ export async function traefikConfigProvider(
                                 config.getRawConfig().server.resource_session_cookie_name,
                             userSessionCookieName:
                                 config.getRawConfig().server.session_cookie_name,
+                            accessTokenQueryParam: config.getRawConfig().server.resource_access_token_param,
                         },
                     },
                 },
@@ -150,6 +151,16 @@ export async function traefikConfigProvider(
                         ],
                     },
                 };
+            } else if (site.type === "local") {
+                http.services![serviceName] = {
+                    loadBalancer: {
+                        servers: [
+                            {
+                                url: `${target.method}://${target.ip}:${target.port}`,
+                            },
+                        ],
+                    },
+                };
             }
         }
 

server/routers/user/acceptInvite.ts

@@ -72,6 +72,16 @@ export async function acceptInvite(
 
         const { user, session } = await verifySession(req);
 
+        // at this point we know the user exists
+        if (!user) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "You must be logged in to accept an invite"
+                )
+            );
+        }
+
         if (user && user.email !== existingInvite.email) {
             return next(
                 createHttpError(

server/setup/copyInConfig.ts

@@ -7,6 +7,7 @@ import logger from "@server/logger";
 export async function copyInConfig() {
     const domain = config.getBaseDomain();
     const endpoint = config.getRawConfig().gerbil.base_endpoint;
+    const listenPort = config.getRawConfig().gerbil.start_port;
 
     // update the domain on all of the orgs where the domain is not equal to the new domain
     // TODO: eventually each org could have a unique domain that we do not want to overwrite, so this will be unnecessary
@@ -14,6 +15,8 @@ export async function copyInConfig() {
 
     // TODO: eventually each exit node could have a different endpoint
     await db.update(exitNodes).set({ endpoint }).where(ne(exitNodes.endpoint, endpoint));
+    // TODO: eventually each exit node could have a different port
+    await db.update(exitNodes).set({ listenPort }).where(ne(exitNodes.listenPort, listenPort));
 
     // update all resources fullDomain to use the new domain
     await db.transaction(async (trx) => {

server/setup/migrations.ts

@@ -4,10 +4,14 @@ import path from "path";
 import semver from "semver";
 import { versionMigrations } from "@server/db/schema";
 import { desc } from "drizzle-orm";
-import { __DIRNAME } from "@server/lib/consts";
+import { __DIRNAME, APP_PATH } from "@server/lib/consts";
 import { loadAppVersion } from "@server/lib/loadAppVersion";
 import m1 from "./scripts/1.0.0-beta1";
 import m2 from "./scripts/1.0.0-beta2";
+import m3 from "./scripts/1.0.0-beta3";
+import m4 from "./scripts/1.0.0-beta5";
+import m5 from "./scripts/1.0.0-beta6";
+import { existsSync, mkdirSync } from "fs";
 
 // THIS CANNOT IMPORT ANYTHING FROM THE SERVER
 // EXCEPT FOR THE DATABASE AND THE SCHEMA
@@ -15,7 +19,10 @@ import m2 from "./scripts/1.0.0-beta2";
 // Define the migration list with versions and their corresponding functions
 const migrations = [
     { version: "1.0.0-beta.1", run: m1 },
-    { version: "1.0.0-beta.2", run: m2 }
+    { version: "1.0.0-beta.2", run: m2 },
+    { version: "1.0.0-beta.3", run: m3 },
+    { version: "1.0.0-beta.5", run: m4 },
+    { version: "1.0.0-beta.6", run: m5 }
     // Add new migrations here as they are created
 ] as const;
 

server/setup/scripts/1.0.0-beta3.ts

@@ -0,0 +1,42 @@
+import { configFilePath1, configFilePath2 } from "@server/lib/consts";
+import fs from "fs";
+import yaml from "js-yaml";
+
+export default async function migration() {
+    console.log("Running setup script 1.0.0-beta.3...");
+
+    // Determine which config file exists
+    const filePaths = [configFilePath1, configFilePath2];
+    let filePath = "";
+    for (const path of filePaths) {
+        if (fs.existsSync(path)) {
+            filePath = path;
+            break;
+        }
+    }
+
+    if (!filePath) {
+        throw new Error(
+            `No config file found (expected config.yml or config.yaml).`
+        );
+    }
+
+    // Read and parse the YAML file
+    let rawConfig: any;
+    const fileContents = fs.readFileSync(filePath, "utf8");
+    rawConfig = yaml.load(fileContents);
+
+    // Validate the structure
+    if (!rawConfig.gerbil) {
+        throw new Error(`Invalid config file: gerbil is missing.`);
+    }
+
+    // Update the config
+    rawConfig.gerbil.site_block_size = 29;
+
+    // Write the updated YAML back to the file
+    const updatedYaml = yaml.dump(rawConfig);
+    fs.writeFileSync(filePath, updatedYaml, "utf8");
+
+    console.log("Done.");
+}

server/setup/scripts/1.0.0-beta5.ts

@@ -0,0 +1,101 @@
+import { APP_PATH, configFilePath1, configFilePath2 } from "@server/lib/consts";
+import fs from "fs";
+import yaml from "js-yaml";
+import path from "path";
+import { z } from "zod";
+import { fromZodError } from "zod-validation-error";
+
+export default async function migration() {
+    console.log("Running setup script 1.0.0-beta.5...");
+
+    // Determine which config file exists
+    const filePaths = [configFilePath1, configFilePath2];
+    let filePath = "";
+    for (const path of filePaths) {
+        if (fs.existsSync(path)) {
+            filePath = path;
+            break;
+        }
+    }
+
+    if (!filePath) {
+        throw new Error(
+            `No config file found (expected config.yml or config.yaml).`
+        );
+    }
+
+    // Read and parse the YAML file
+    let rawConfig: any;
+    const fileContents = fs.readFileSync(filePath, "utf8");
+    rawConfig = yaml.load(fileContents);
+
+    // Validate the structure
+    if (!rawConfig.server) {
+        throw new Error(`Invalid config file: server is missing.`);
+    }
+
+    // Update the config
+    rawConfig.server.resource_access_token_param = "p_token";
+
+    // Write the updated YAML back to the file
+    const updatedYaml = yaml.dump(rawConfig);
+    fs.writeFileSync(filePath, updatedYaml, "utf8");
+
+    // then try to update badger in traefik config
+
+    try {
+        const traefikPath = path.join(
+            APP_PATH,
+            "traefik",
+            "traefik_config.yml"
+        );
+
+        // read the traefik file
+        // look for the badger middleware
+        // set the version to v1.0.0-beta.2
+        /*
+experimental:
+  plugins:
+    badger:
+      moduleName: "github.com/fosrl/badger"
+      version: "v1.0.0-beta.2"
+        */
+
+        const schema = z.object({
+            experimental: z.object({
+                plugins: z.object({
+                    badger: z.object({
+                        moduleName: z.string(),
+                        version: z.string()
+                    })
+                })
+            })
+        });
+
+        const traefikFileContents = fs.readFileSync(traefikPath, "utf8");
+        const traefikConfig = yaml.load(traefikFileContents) as any;
+
+        const parsedConfig = schema.safeParse(traefikConfig);
+
+        if (!parsedConfig.success) {
+            throw new Error(fromZodError(parsedConfig.error).toString());
+        }
+
+        traefikConfig.experimental.plugins.badger.version = "v1.0.0-beta.2";
+
+        const updatedTraefikYaml = yaml.dump(traefikConfig);
+
+        fs.writeFileSync(traefikPath, updatedTraefikYaml, "utf8");
+
+        console.log(
+            "Updated the version of Badger in your Traefik configuration to v1.0.0-beta.2."
+        );
+    } catch (e) {
+        console.log(
+            "We were unable to update the version of Badger in your Traefik configuration. Please update it manually."
+        );
+        console.error(e);
+    }
+
+    console.log("Done.");
+}

server/setup/scripts/1.0.0-beta6.ts

@@ -0,0 +1,52 @@
+import { configFilePath1, configFilePath2 } from "@server/lib/consts";
+import fs from "fs";
+import yaml from "js-yaml";
+
+export default async function migration() {
+    console.log("Running setup script 1.0.0-beta.6...");
+
+    try {
+        // Determine which config file exists
+        const filePaths = [configFilePath1, configFilePath2];
+        let filePath = "";
+        for (const path of filePaths) {
+            if (fs.existsSync(path)) {
+                filePath = path;
+                break;
+            }
+        }
+
+        if (!filePath) {
+            throw new Error(
+                `No config file found (expected config.yml or config.yaml).`
+            );
+        }
+
+        // Read and parse the YAML file
+        let rawConfig: any;
+        const fileContents = fs.readFileSync(filePath, "utf8");
+        rawConfig = yaml.load(fileContents);
+
+        // Validate the structure
+        if (!rawConfig.server) {
+            throw new Error(`Invalid config file: server is missing.`);
+        }
+
+        // Update the config
+        rawConfig.server.cors = {
+            origins: [rawConfig.app.dashboard_url],
+            methods: ["GET", "POST", "PUT", "DELETE", "PATCH"],
+            headers: ["X-CSRF-Token", "Content-Type"],
+            credentials: false
+        };
+
+        // Write the updated YAML back to the file
+        const updatedYaml = yaml.dump(rawConfig);
+        fs.writeFileSync(filePath, updatedYaml, "utf8");
+    } catch (error) {
+        console.log("We were unable to add CORS to your config file. Please add it manually.")
+        console.error(error)
+    }
+
+    console.log("Done.");
+}

server/setup/setupServerAdmin.ts

@@ -69,6 +69,8 @@ export async function setupServerAdmin() {
 
             const userId = generateId(15);
 
+            await trx.update(users).set({ serverAdmin: false });
+
             await db.insert(users).values({
                 userId: userId,
                 email: email,

src/app/[orgId]/layout.tsx

@@ -25,7 +25,7 @@ export default async function OrgLayout(props: {
     const user = await getUser();
 
     if (!user) {
-        redirect(`/?redirect=/${orgId}`);
+        redirect(`/`);
     }
 
     try {

src/app/[orgId]/settings/general/layout.tsx

@@ -26,7 +26,7 @@ export default async function GeneralSettingsPage({
     const user = await getUser();
 
     if (!user) {
-        redirect(`/?redirect=/${orgId}/settings/general`);
+        redirect(`/`);
     }
 
     let orgUser = null;

src/app/[orgId]/settings/layout.tsx

@@ -61,7 +61,7 @@ export default async function SettingsLayout(props: SettingsLayoutProps) {
     const user = await getUser();
 
     if (!user) {
-        redirect(`/?redirect=/${params.orgId}/`);
+        redirect(`/`);
     }
 
     const cookie = await authCookieHeader();

src/app/[orgId]/settings/resources/[resourceId]/connectivity/page.tsx

@@ -62,6 +62,7 @@ import {
     SettingsSectionFooter
 } from "@app/components/Settings";
 import { SwitchInput } from "@app/components/SwitchInput";
+import { useSiteContext } from "@app/hooks/useSiteContext";
 
 // Regular expressions for validation
 const DOMAIN_REGEX =
@@ -351,7 +352,7 @@ export default function ReverseProxyTargets(props: {
         },
         {
             accessorKey: "ip",
-            header: "IP Address",
+            header: "IP / Hostname",
             cell: ({ row }) => (
                 <Input
                     defaultValue={row.original.ip}
@@ -528,11 +529,23 @@ export default function ReverseProxyTargets(props: {
                                     name="ip"
                                     render={({ field }) => (
                                         <FormItem>
-                                            <FormLabel>IP Address</FormLabel>
+                                            <FormLabel>IP / Hostname</FormLabel>
                                             <FormControl>
                                                 <Input id="ip" {...field} />
                                             </FormControl>
                                             <FormMessage />
+                                            {site?.type === "newt" ? (
+                                                <FormDescription>
+                                                    This is the IP or hostname
+                                                    of the target service on
+                                                    your network.
+                                                </FormDescription>
+                                            ) : site?.type === "wireguard" ? (
+                                                <FormDescription>
+                                                    This is the IP of the
+                                                    WireGuard peer.
+                                                </FormDescription>
+                                            ) : null}
                                         </FormItem>
                                     )}
                                 />
@@ -551,6 +564,19 @@ export default function ReverseProxyTargets(props: {
                                                 />
                                             </FormControl>
                                             <FormMessage />
+                                            {site?.type === "newt" ? (
+                                                <FormDescription>
+                                                    This is the port of the
+                                                    target service on your
+                                                    network.
+                                                </FormDescription>
+                                            ) : site?.type === "wireguard" ? (
+                                                <FormDescription>
+                                                    This is the port exposed on
+                                                    an address on the WireGuard
+                                                    network.
+                                                </FormDescription>
+                                            ) : null}
                                         </FormItem>
                                     )}
                                 />

src/app/[orgId]/settings/resources/[resourceId]/layout.tsx

@@ -2,13 +2,12 @@ import ResourceProvider from "@app/providers/ResourceProvider";
 import { internal } from "@app/lib/api";
 import {
     GetResourceAuthInfoResponse,
-    GetResourceResponse,
+    GetResourceResponse
 } from "@server/routers/resource";
 import { AxiosResponse } from "axios";
 import { redirect } from "next/navigation";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { SidebarSettings } from "@app/components/SidebarSettings";
-import {  Cloud, Settings, Shield } from "lucide-react";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { GetOrgResponse } from "@server/routers/org";
 import OrgProvider from "@app/providers/OrgProvider";
@@ -20,7 +19,7 @@ import {
     BreadcrumbLink,
     BreadcrumbList,
     BreadcrumbPage,
-    BreadcrumbSeparator,
+    BreadcrumbSeparator
 } from "@app/components/ui/breadcrumb";
 import Link from "next/link";
 
@@ -39,7 +38,7 @@ export default async function ResourceLayout(props: ResourceLayoutProps) {
     try {
         const res = await internal.get<AxiosResponse<GetResourceResponse>>(
             `/resource/${params.resourceId}`,
-            await authCookieHeader(),
+            await authCookieHeader()
         );
         resource = res.data.data;
     } catch {
@@ -68,8 +67,8 @@ export default async function ResourceLayout(props: ResourceLayoutProps) {
         const getOrg = cache(async () =>
             internal.get<AxiosResponse<GetOrgResponse>>(
                 `/org/${params.orgId}`,
-                await authCookieHeader(),
-            ),
+                await authCookieHeader()
+            )
         );
         const res = await getOrg();
         org = res.data.data;
@@ -84,19 +83,19 @@ export default async function ResourceLayout(props: ResourceLayoutProps) {
     const sidebarNavItems = [
         {
             title: "General",
-            href: `/{orgId}/settings/resources/{resourceId}/general`,
+            href: `/{orgId}/settings/resources/{resourceId}/general`
             // icon: <Settings className="w-4 h-4" />,
         },
         {
             title: "Connectivity",
-            href: `/{orgId}/settings/resources/{resourceId}/connectivity`,
+            href: `/{orgId}/settings/resources/{resourceId}/connectivity`
             // icon: <Cloud className="w-4 h-4" />,
         },
         {
             title: "Authentication",
-            href: `/{orgId}/settings/resources/{resourceId}/authentication`,
+            href: `/{orgId}/settings/resources/{resourceId}/authentication`
             // icon: <Shield className="w-4 h-4" />,
-        },
+        }
     ];
 
     return (

src/app/[orgId]/settings/share-links/CreateShareLinkForm.tsx

@@ -57,14 +57,22 @@ import {
     CommandItem,
     CommandList
 } from "@app/components/ui/command";
-import { CheckIcon } from "lucide-react";
+import { CheckIcon, ChevronsUpDown } from "lucide-react";
 import { register } from "module";
 import { Label } from "@app/components/ui/label";
 import { Checkbox } from "@app/components/ui/checkbox";
 import { GenerateAccessTokenResponse } from "@server/routers/accessToken";
-import { constructShareLink } from "@app/lib/shareLinks";
+import {
+    constructDirectShareLink,
+    constructShareLink
+} from "@app/lib/shareLinks";
 import { ShareLinkRow } from "./ShareLinksTable";
 import { QRCodeCanvas, QRCodeSVG } from "qrcode.react";
+import {
+    Collapsible,
+    CollapsibleContent,
+    CollapsibleTrigger
+} from "@app/components/ui/collapsible";
 
 type FormProps = {
     open: boolean;
@@ -75,6 +83,7 @@ type FormProps = {
 const formSchema = z.object({
     resourceId: z.number({ message: "Please select a resource" }),
     resourceName: z.string(),
+    resourceUrl: z.string(),
     timeUnit: z.string(),
     timeValue: z.coerce.number().int().positive().min(1),
     title: z.string().optional()
@@ -88,14 +97,18 @@ export default function CreateShareLinkForm({
     const { toast } = useToast();
     const { org } = useOrgContext();
 
-    const api = createApiClient(useEnvContext());
+    const { env } = useEnvContext();
+    const api = createApiClient({ env });
 
     const [link, setLink] = useState<string | null>(null);
+    const [directLink, setDirectLink] = useState<string | null>(null);
     const [loading, setLoading] = useState(false);
     const [neverExpire, setNeverExpire] = useState(false);
 
+    const [isOpen, setIsOpen] = useState(false);
+
     const [resources, setResources] = useState<
-        { resourceId: number; name: string }[]
+        { resourceId: number; name: string; resourceUrl: string }[]
     >([]);
 
     const timeUnits = [
@@ -139,7 +152,13 @@ export default function CreateShareLinkForm({
                 });
 
             if (res?.status === 200) {
-                setResources(res.data.data.resources);
+                setResources(
+                    res.data.data.resources.map((r) => ({
+                        resourceId: r.resourceId,
+                        name: r.name,
+                        resourceUrl: `${r.ssl ? "https://" : "http://"}${r.fullDomain}/`
+                    }))
+                );
             }
         }
 
@@ -202,6 +221,13 @@ export default function CreateShareLinkForm({
                 token.accessToken
             );
             setLink(link);
+            const directLink = constructDirectShareLink(
+                env.server.resourceAccessTokenParam,
+                values.resourceUrl,
+                token.accessTokenId,
+                token.accessToken
+            );
+            setDirectLink(directLink);
             onCreated?.({
                 accessTokenId: token.accessTokenId,
                 resourceId: token.resourceId,
@@ -306,6 +332,10 @@ export default function CreateShareLinkForm({
                                                                                             "resourceName",
                                                                                             r.name
                                                                                         );
+                                                                                        form.setValue(
+                                                                                            "resourceUrl",
+                                                                                            r.resourceUrl
+                                                                                        );
                                                                                     }}
                                                                                 >
                                                                                     <CheckIcon
@@ -462,12 +492,62 @@ export default function CreateShareLinkForm({
                                         <QRCodeCanvas value={link} size={200} />
                                     </div>
 
-                                    <div className="mx-auto">
-                                        <CopyTextBox
-                                            text={link}
-                                            wrapText={false}
-                                        />
-                                    </div>
+                                    <Collapsible
+                                        open={isOpen}
+                                        onOpenChange={setIsOpen}
+                                        className="space-y-2"
+                                    >
+                                        <div className="mx-auto">
+                                            <CopyTextBox
+                                                text={link}
+                                                wrapText={false}
+                                            />
+                                        </div>
+                                        <div className="flex items-center justify-between space-x-4">
+                                            <CollapsibleTrigger asChild>
+                                                <Button
+                                                    variant="text"
+                                                    size="sm"
+                                                    className="p-0 flex items-center justify-between w-full"
+                                                >
+                                                    <h4 className="text-sm font-semibold">
+                                                        See alternative share
+                                                        links
+                                                    </h4>
+                                                    <div>
+                                                        <ChevronsUpDown className="h-4 w-4" />
+                                                        <span className="sr-only">
+                                                            Toggle
+                                                        </span>
+                                                    </div>
+                                                </Button>
+                                            </CollapsibleTrigger>
+                                        </div>
+                                        <CollapsibleContent className="space-y-2">
+                                            {directLink && (
+                                                <div className="space-y-2">
+                                                    <div className="mx-auto">
+                                                        <CopyTextBox
+                                                            text={directLink}
+                                                            wrapText={false}
+                                                        />
+                                                    </div>
+                                                    <p className="text-sm text-muted-foreground">
+                                                        This link does not
+                                                        require visiting in a
+                                                        browser to complete the
+                                                        redirect. It contains
+                                                        the access token
+                                                        directly in the URL,
+                                                        which can be useful for
+                                                        sharing with clients
+                                                        that do not support
+                                                        redirects.
+                                                    </p>
+                                                </div>
+                                            )}
+                                        </CollapsibleContent>
+                                    </Collapsible>
                                 </div>
                             )}
                         </div>

src/app/[orgId]/settings/share-links/ShareLinksTable.tsx

@@ -24,7 +24,7 @@ import { useRouter } from "next/navigation";
 // import CreateResourceForm from "./CreateResourceForm";
 import { useState } from "react";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
-import { formatAxiosError } from "@app/lib/api";;
+import { formatAxiosError } from "@app/lib/api";
 import { useToast } from "@app/hooks/useToast";
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
@@ -109,15 +109,14 @@ export default function ShareLinksTable({
                                     </Button>
                                 </DropdownMenuTrigger>
                                 <DropdownMenuContent align="end">
-                                    <DropdownMenuItem>
-                                        <button
-                                            onClick={() =>
-                                                deleteSharelink(
-                                                    resourceRow.accessTokenId
-                                                )
-                                            }
-                                            className="text-red-500"
-                                        >
+                                    <DropdownMenuItem
+                                        onClick={() => {
+                                            deleteSharelink(
+                                                resourceRow.accessTokenId
+                                            );
+                                        }}
+                                    >
+                                        <button className="text-red-500">
                                             Delete
                                         </button>
                                     </DropdownMenuItem>

src/app/[orgId]/settings/sites/CreateSiteForm.tsx

@@ -49,7 +49,7 @@ const createSiteFormSchema = z.object({
         .max(30, {
             message: "Name must not be longer than 30 characters."
         }),
-    method: z.enum(["wireguard", "newt"])
+    method: z.enum(["wireguard", "newt", "local"])
 });
 
 type CreateSiteFormValues = z.infer<typeof createSiteFormSchema>;
@@ -79,17 +79,16 @@ export default function CreateSiteForm({
     const [isLoading, setIsLoading] = useState(false);
     const [isChecked, setIsChecked] = useState(false);
 
-    const router = useRouter();
-
     const [keypair, setKeypair] = useState<{
         publicKey: string;
         privateKey: string;
     } | null>(null);
+
     const [siteDefaults, setSiteDefaults] =
         useState<PickSiteDefaultsResponse | null>(null);
 
     const handleCheckboxChange = (checked: boolean) => {
-        setChecked?.(checked);
+        // setChecked?.(checked);
         setIsChecked(checked);
     };
 
@@ -98,6 +97,17 @@ export default function CreateSiteForm({
         defaultValues
     });
 
+    const nameField = form.watch("name");
+    const methodField = form.watch("method");
+
+    useEffect(() => {
+        const nameIsValid = nameField?.length >= 2 && nameField?.length <= 30;
+        const isFormValid = methodField === "local" || isChecked;
+
+        // Only set checked to true if name is valid AND (method is local OR checkbox is checked)
+        setChecked?.(nameIsValid && isFormValid);
+    }, [nameField, methodField, isChecked, setChecked]);
+
     useEffect(() => {
         if (!open) return;
 
@@ -114,11 +124,8 @@ export default function CreateSiteForm({
 
         api.get(`/org/${orgId}/pick-site-defaults`)
             .catch((e) => {
-                toast({
-                    variant: "destructive",
-                    title: "Error picking site defaults",
-                    description: formatAxiosError(e)
-                });
+                // update the default value of the form to be local method
+                form.setValue("method", "local");
             })
             .then((res) => {
                 if (res && res.status === 200) {
@@ -130,24 +137,56 @@ export default function CreateSiteForm({
     async function onSubmit(data: CreateSiteFormValues) {
         setLoading?.(true);
         setIsLoading(true);
-        if (!siteDefaults || !keypair) {
-            return;
-        }
         let payload: CreateSiteBody = {
             name: data.name,
-            subnet: siteDefaults.subnet,
-            exitNodeId: siteDefaults.exitNodeId,
-            pubKey: keypair.publicKey,
             type: data.method
         };
-        if (data.method === "newt") {
-            payload.secret = siteDefaults.newtSecret;
-            payload.newtId = siteDefaults.newtId;
+
+        if (data.method == "wireguard") {
+            if (!keypair || !siteDefaults) {
+                toast({
+                    variant: "destructive",
+                    title: "Error creating site",
+                    description: "Key pair or site defaults not found"
+                });
+                setLoading?.(false);
+                setIsLoading(false);
+                return;
+            }
+
+            payload = {
+                ...payload,
+                subnet: siteDefaults.subnet,
+                exitNodeId: siteDefaults.exitNodeId,
+                pubKey: keypair.publicKey
+            };
         }
+        if (data.method === "newt") {
+            if (!siteDefaults) {
+                toast({
+                    variant: "destructive",
+                    title: "Error creating site",
+                    description: "Site defaults not found"
+                });
+                setLoading?.(false);
+                setIsLoading(false);
+                return;
+            }
+
+            payload = {
+                ...payload,
+                subnet: siteDefaults.subnet,
+                exitNodeId: siteDefaults.exitNodeId,
+                secret: siteDefaults.newtSecret,
+                newtId: siteDefaults.newtId
+            };
+        }
+
         const res = await api
-            .put<
-                AxiosResponse<CreateSiteResponse>
-            >(`/org/${orgId}/site/`, payload)
+            .put<AxiosResponse<CreateSiteResponse>>(
+                `/org/${orgId}/site/`,
+                payload
+            )
             .catch((e) => {
                 toast({
                     variant: "destructive",
@@ -157,18 +196,20 @@ export default function CreateSiteForm({
             });
 
         if (res && res.status === 201) {
-            const niceId = res.data.data.niceId;
-            // navigate to the site page
-            // router.push(`/${orgId}/settings/sites/${niceId}`);
-
             const data = res.data.data;
 
             onCreate?.({
                 name: data.name,
                 id: data.siteId,
                 nice: data.niceId.toString(),
-                mbIn: "0 MB",
-                mbOut: "0 MB",
+                mbIn:
+                    data.type == "wireguard" || data.type == "newt"
+                        ? "0 MB"
+                        : "--",
+                mbOut:
+                    data.type == "wireguard" || data.type == "newt"
+                        ? "0 MB"
+                        : "--",
                 orgId: orgId as string,
                 type: data.type as any,
                 online: false
@@ -194,10 +235,10 @@ PersistentKeepalive = 5`
             : "";
 
     // am I at http or https?
-    let proto = "http:";
-    if (typeof window !== "undefined") {
-        proto = window.location.protocol;
-    }
+    let proto = "https:";
+    // if (typeof window !== "undefined") {
+    //     proto = window.location.protocol;
+    // }
 
     const newtConfig = `newt --id ${siteDefaults?.newtId} --secret ${siteDefaults?.newtSecret} --endpoint ${proto}//${siteDefaults?.endpoint}`;
 
@@ -245,12 +286,21 @@ PersistentKeepalive = 5`
                                             <SelectValue placeholder="Select method" />
                                         </SelectTrigger>
                                         <SelectContent>
-                                            <SelectItem value="wireguard">
-                                                WireGuard
+                                            <SelectItem value="local">
+                                                Local
                                             </SelectItem>
-                                            <SelectItem value="newt">
+                                            <SelectItem
+                                                value="newt"
+                                                disabled={!siteDefaults}
+                                            >
                                                 Newt
                                             </SelectItem>
+                                            <SelectItem
+                                                value="wireguard"
+                                                disabled={!siteDefaults}
+                                            >
+                                                WireGuard
+                                            </SelectItem>
                                         </SelectContent>
                                     </Select>
                                 </FormControl>
@@ -264,50 +314,76 @@ PersistentKeepalive = 5`
 
                     <div className="w-full">
                         {form.watch("method") === "wireguard" && !isLoading ? (
-                            <CopyTextBox text={wgConfig} />
+                            <>
+                                <CopyTextBox text={wgConfig} />
+                                <span className="text-sm text-muted-foreground">
+                                    You will only be able to see the
+                                    configuration once.
+                                </span>
+                            </>
                         ) : form.watch("method") === "wireguard" &&
                           isLoading ? (
                             <p>Loading WireGuard configuration...</p>
-                        ) : (
-                            <CopyTextBox text={newtConfig} wrapText={false} />
-                        )}
+                        ) : form.watch("method") === "newt" ? (
+                            <>
+                                <CopyTextBox
+                                    text={newtConfig}
+                                    wrapText={false}
+                                />
+                                <span className="text-sm text-muted-foreground">
+                                    You will only be able to see the
+                                    configuration once.
+                                </span>
+                            </>
+                        ) : null}
                     </div>
 
-                    <span className="text-sm text-muted-foreground">
-                        You will only be able to see the configuration once.
-                    </span>
-
                     {form.watch("method") === "newt" && (
-                        <>
-                            <br />
-                            <Link
-                                className="text-sm text-primary flex items-center gap-1"
-                                href="https://docs.fossorial.io/Newt/install"
-                                target="_blank"
-                                rel="noopener noreferrer"
-                            >
-                                <span>
-                                    {" "}
-                                    Learn how to install Newt on your system
-                                </span>
-                                <SquareArrowOutUpRight size={14} />
-                            </Link>
-                        </>
+                        <Link
+                            className="text-sm text-primary flex items-center gap-1"
+                            href="https://docs.fossorial.io/Newt/install"
+                            target="_blank"
+                            rel="noopener noreferrer"
+                        >
+                            <span>
+                                {" "}
+                                Learn how to install Newt on your system
+                            </span>
+                            <SquareArrowOutUpRight size={14} />
+                        </Link>
                     )}
 
-                    <div className="flex items-center space-x-2">
-                        <Checkbox
-                            id="terms"
-                            checked={isChecked}
-                            onCheckedChange={handleCheckboxChange}
-                        />
-                        <label
-                            htmlFor="terms"
-                            className="text-sm font-medium leading-none peer-disabled:cursor-not-allowed peer-disabled:opacity-70"
+                    {form.watch("method") === "local" && (
+                        <Link
+                            className="text-sm text-primary flex items-center gap-1"
+                            href="https://docs.fossorial.io/Pangolin/without-tunneling"
+                            target="_blank"
+                            rel="noopener noreferrer"
                         >
-                            I have copied the config
-                        </label>
-                    </div>
+                            <span>
+                                {" "}
+                                Local sites do not tunnel, learn more
+                            </span>
+                            <SquareArrowOutUpRight size={14} />
+                        </Link>
+                    )}
+
+                    {(form.watch("method") === "newt" ||
+                        form.watch("method") === "wireguard") && (
+                        <div className="flex items-center space-x-2">
+                            <Checkbox
+                                id="terms"
+                                checked={isChecked}
+                                onCheckedChange={handleCheckboxChange}
+                            />
+                            <label
+                                htmlFor="terms"
+                                className="text-sm font-medium leading-none peer-disabled:cursor-not-allowed peer-disabled:opacity-70"
+                            >
+                                I have copied the config
+                            </label>
+                        </div>
+                    )}
                 </form>
             </Form>
         </div>

src/app/[orgId]/settings/sites/SitesTable.tsx

@@ -23,7 +23,7 @@ import { useState } from "react";
 import CreateSiteForm from "./CreateSiteForm";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { useToast } from "@app/hooks/useToast";
-import { formatAxiosError } from "@app/lib/api";;
+import { formatAxiosError } from "@app/lib/api";
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import CreateSiteFormModal from "./CreateSiteModal";
@@ -146,21 +146,27 @@ export default function SitesTable({ sites, orgId }: SitesTableProps) {
             },
             cell: ({ row }) => {
                 const originalRow = row.original;
-
-                if (originalRow.online) {
-                    return (
-                        <span className="text-green-500 flex items-center space-x-2">
-                            <div className="w-2 h-2 bg-green-500 rounded-full"></div>
-                            <span>Online</span>
-                        </span>
-                    );
+                if (
+                    originalRow.type == "newt" ||
+                    originalRow.type == "wireguard"
+                ) {
+                    if (originalRow.online) {
+                        return (
+                            <span className="text-green-500 flex items-center space-x-2">
+                                <div className="w-2 h-2 bg-green-500 rounded-full"></div>
+                                <span>Online</span>
+                            </span>
+                        );
+                    } else {
+                        return (
+                            <span className="text-neutral-500 flex items-center space-x-2">
+                                <div className="w-2 h-2 bg-gray-500 rounded-full"></div>
+                                <span>Offline</span>
+                            </span>
+                        );
+                    }
                 } else {
-                    return (
-                        <span className="text-neutral-500 flex items-center space-x-2">
-                            <div className="w-2 h-2 bg-gray-500 rounded-full"></div>
-                            <span>Offline</span>
-                        </span>
-                    );
+                    return <span>--</span>;
                 }
             }
         },
@@ -245,6 +251,14 @@ export default function SitesTable({ sites, orgId }: SitesTableProps) {
                         </div>
                     );
                 }
+
+                if (originalRow.type === "local") {
+                    return (
+                        <div className="flex items-center space-x-2">
+                            <span>Local</span>
+                        </div>
+                    );
+                }
             }
         },
         {

src/app/[orgId]/settings/sites/[niceId]/SiteInfoCard.tsx

@@ -16,37 +16,50 @@ type SiteInfoCardProps = {};
 export default function SiteInfoCard({}: SiteInfoCardProps) {
     const { site, updateSite } = useSiteContext();
 
+    const getConnectionTypeString = (type: string) => {
+        if (type === "newt") {
+            return "Newt";
+        } else if (type === "wireguard") {
+            return "WireGuard";
+        } else if (type === "local") {
+            return "Local";
+        } else {
+            return "Unknown";
+        }
+    };
+
     return (
         <Alert>
             <InfoIcon className="h-4 w-4" />
             <AlertTitle className="font-semibold">Site Information</AlertTitle>
             <AlertDescription className="mt-4">
                 <InfoSections>
-                    <InfoSection>
-                        <InfoSectionTitle>Status</InfoSectionTitle>
-                        <InfoSectionContent>
-                            {site.online ? (
-                                <div className="text-green-500 flex items-center space-x-2">
-                                    <div className="w-2 h-2 bg-green-500 rounded-full"></div>
-                                    <span>Online</span>
-                                </div>
-                            ) : (
-                                <div className="text-neutral-500 flex items-center space-x-2">
-                                    <div className="w-2 h-2 bg-gray-500 rounded-full"></div>
-                                    <span>Offline</span>
-                                </div>
-                            )}
-                        </InfoSectionContent>
-                    </InfoSection>
-                    <Separator orientation="vertical" />
+                    {(site.type == "newt" || site.type == "wireguard") && (
+                        <>
+                            <InfoSection>
+                                <InfoSectionTitle>Status</InfoSectionTitle>
+                                <InfoSectionContent>
+                                    {site.online ? (
+                                        <div className="text-green-500 flex items-center space-x-2">
+                                            <div className="w-2 h-2 bg-green-500 rounded-full"></div>
+                                            <span>Online</span>
+                                        </div>
+                                    ) : (
+                                        <div className="text-neutral-500 flex items-center space-x-2">
+                                            <div className="w-2 h-2 bg-gray-500 rounded-full"></div>
+                                            <span>Offline</span>
+                                        </div>
+                                    )}
+                                </InfoSectionContent>
+                            </InfoSection>
+
+                            <Separator orientation="vertical" />
+                        </>
+                    )}
                     <InfoSection>
                         <InfoSectionTitle>Connection Type</InfoSectionTitle>
                         <InfoSectionContent>
-                            {site.type === "newt"
-                                ? "Newt"
-                                : site.type === "wireguard"
-                                  ? "WireGuard"
-                                  : "Unknown"}
+                            {getConnectionTypeString(site.type)}
                         </InfoSectionContent>
                     </InfoSection>
                 </InfoSections>

src/app/[orgId]/settings/sites/page.tsx

@@ -23,7 +23,10 @@ export default async function SitesPage(props: SitesPageProps) {
         sites = res.data.data.sites;
     } catch (e) {}
 
-    function formatSize(mb: number): string {
+    function formatSize(mb: number, type: string): string {
+        if (type === "local") {
+            return "--"; // because we are not able to track the data use in a local site right now
+        }
         if (mb >= 1024 * 1024) {
             return `${(mb / (1024 * 1024)).toFixed(2)} TB`;
         } else if (mb >= 1024) {
@@ -38,8 +41,8 @@ export default async function SitesPage(props: SitesPageProps) {
             name: site.name,
             id: site.siteId,
             nice: site.niceId.toString(),
-            mbIn: formatSize(site.megabytesIn || 0),
-            mbOut: formatSize(site.megabytesOut || 0),
+            mbIn: formatSize(site.megabytesIn || 0, site.type),
+            mbOut: formatSize(site.megabytesOut || 0, site.type),
             orgId: params.orgId,
             type: site.type as any,
             online: site.online

src/app/auth/layout.tsx

@@ -21,7 +21,7 @@ export default async function AuthLayout({ children }: AuthLayoutProps) {
         <>
             {user && (
                 <UserProvider user={user}>
-                    <div>
+                    <div className="p-3">
                         <ProfileIcon />
                     </div>
                 </UserProvider>

src/app/auth/login/DashboardLoginForm.tsx

@@ -13,6 +13,7 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useRouter } from "next/navigation";
 import { useEffect } from "react";
 import Image from "next/image";
+import { cleanRedirect } from "@app/lib/cleanRedirect";
 
 type DashboardLoginFormProps = {
     redirect?: string;
@@ -57,10 +58,9 @@ export default function DashboardLoginForm({
                 <LoginForm
                     redirect={redirect}
                     onLogin={() => {
-                        if (redirect && redirect.includes("http")) {
-                            window.location.href = redirect;
-                        } else if (redirect) {
-                            router.push(redirect);
+                        if (redirect) {
+                            const safe = cleanRedirect(redirect);
+                            router.push(safe);
                         } else {
                             router.push("/");
                         }

src/app/auth/login/page.tsx

@@ -5,6 +5,7 @@ import { cache } from "react";
 import DashboardLoginForm from "./DashboardLoginForm";
 import { Mail } from "lucide-react";
 import { pullEnv } from "@app/lib/pullEnv";
+import { cleanRedirect } from "@app/lib/cleanRedirect";
 
 export const dynamic = "force-dynamic";
 
@@ -25,6 +26,11 @@ export default async function Page(props: {
         redirect("/");
     }
 
+    let redirectUrl: string | undefined = undefined;
+    if (searchParams.redirect) {
+        redirectUrl = cleanRedirect(searchParams.redirect as string);
+    }
+
     return (
         <>
             {isInvite && (
@@ -42,16 +48,16 @@ export default async function Page(props: {
                 </div>
             )}
 
-            <DashboardLoginForm redirect={searchParams.redirect as string} />
+            <DashboardLoginForm redirect={redirectUrl} />
 
             {(!signUpDisabled || isInvite) && (
                 <p className="text-center text-muted-foreground mt-4">
                     Don't have an account?{" "}
                     <Link
                         href={
-                            !searchParams.redirect
+                            !redirectUrl
                                 ? `/auth/signup`
-                                : `/auth/signup?redirect=${searchParams.redirect}`
+                                : `/auth/signup?redirect=${redirectUrl}`
                         }
                         className="underline"
                     >

src/app/auth/reset-password/ResetPasswordForm.tsx

@@ -43,6 +43,7 @@ import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { REGEXP_ONLY_DIGITS_AND_CHARS } from "input-otp";
 import { passwordSchema } from "@server/auth/passwordSchema";
+import { cleanRedirect } from "@app/lib/cleanRedirect";
 
 const requestSchema = z.object({
     email: z.string().email()
@@ -186,11 +187,9 @@ export default function ResetPasswordForm({
             setSuccessMessage("Password reset successfully! Back to login...");
 
             setTimeout(() => {
-                if (redirect && redirect.includes("http")) {
-                    window.location.href = redirect;
-                }
                 if (redirect) {
-                    router.push(redirect);
+                    const safe = cleanRedirect(redirect);
+                    router.push(safe);
                 } else {
                     router.push("/login");
                 }

src/app/auth/reset-password/page.tsx

@@ -3,6 +3,7 @@ import { redirect } from "next/navigation";
 import { cache } from "react";
 import ResetPasswordForm from "./ResetPasswordForm";
 import Link from "next/link";
+import { cleanRedirect } from "@app/lib/cleanRedirect";
 
 export const dynamic = "force-dynamic";
 
@@ -21,6 +22,11 @@ export default async function Page(props: {
         redirect("/");
     }
 
+    let redirectUrl: string | undefined = undefined;
+    if (searchParams.redirect) {
+        redirectUrl = cleanRedirect(searchParams.redirect);
+    }
+
     return (
         <>
             <ResetPasswordForm
@@ -34,7 +40,7 @@ export default async function Page(props: {
                     href={
                         !searchParams.redirect
                             ? `/auth/signup`
-                            : `/auth/signup?redirect=${searchParams.redirect}`
+                            : `/auth/signup?redirect=${redirectUrl}`
                     }
                     className="underline"
                 >

src/app/auth/resource/[resourceId]/AccessToken.tsx

@@ -30,6 +30,7 @@ export default function AccessToken({
     redirectUrl
 }: AccessTokenProps) {
     const [loading, setLoading] = useState(true);
+    const [isValid, setIsValid] = useState(false);
 
     const api = createApiClient(useEnvContext());
 
@@ -49,6 +50,7 @@ export default function AccessToken({
                 });
 
                 if (res.data.data.session) {
+                    setIsValid(true);
                     window.location.href = redirectUrl;
                 }
             } catch (e) {
@@ -61,24 +63,47 @@ export default function AccessToken({
         check();
     }, [accessTokenId, accessToken]);
 
+    function renderTitle() {
+        if (isValid) {
+            return "Access Granted";
+        } else {
+            return "Access URL Invalid";
+        }
+    }
+
+    function renderContent() {
+        if (isValid) {
+            return (
+                <div>
+                    You have been granted access to this resource. Redirecting
+                    you...
+                </div>
+            );
+        } else {
+            return (
+                <div>
+                    This shared access URL is invalid. Please contact the
+                    resource owner for a new URL.
+                    <div className="text-center mt-4">
+                        <Button>
+                            <Link href="/">Go Home</Link>
+                        </Button>
+                    </div>
+                </div>
+            );
+        }
+    }
+
     return loading ? (
         <div></div>
     ) : (
         <Card className="w-full max-w-md">
             <CardHeader>
                 <CardTitle className="text-center text-2xl font-bold">
-                    Access URL Invalid
+                    {renderTitle()}
                 </CardTitle>
             </CardHeader>
-            <CardContent>
-                This shared access URL is invalid. Please contact the resource
-                owner for a new URL.
-                <div className="text-center mt-4">
-                    <Button>
-                        <Link href="/">Go Home</Link>
-                    </Button>
-                </div>
-            </CardContent>
+            <CardContent>{renderContent()}</CardContent>
         </Card>
     );
 }

src/app/auth/resource/[resourceId]/ResourceAuthPortal.tsx

@@ -481,11 +481,7 @@ export default function ResourceAuthPortal(props: ResourceAuthPortalProps) {
                                         className={`${numMethods <= 1 ? "mt-0" : ""}`}
                                     >
                                         <LoginForm
-                                            redirect={
-                                                typeof window !== "undefined"
-                                                    ? window.location.href
-                                                    : ""
-                                            }
+                                            redirect={`/auth/resource/${props.resource.id}`}
                                             onLogin={async () =>
                                                 await handleSSOAuth()
                                             }

src/app/auth/resource/[resourceId]/page.tsx

@@ -45,17 +45,26 @@ export default async function ResourceAuthPage(props: {
     const user = await getUser({ skipCheckVerifyEmail: true });
 
     if (!authInfo) {
-        {
-            /* @ts-ignore */
-        } // TODO: fix this
+        // TODO: fix this
         return (
             <div className="w-full max-w-md">
+            {/* @ts-ignore */}
                 <ResourceNotFound />
             </div>
         );
     }
 
-    const redirectUrl = searchParams.redirect || authInfo.url;
+    let redirectUrl = authInfo.url;
+    if (searchParams.redirect) {
+        try {
+            const serverResourceHost = new URL(authInfo.url).host;
+            const redirectHost = new URL(searchParams.redirect).host;
+
+            if (serverResourceHost === redirectHost) {
+                redirectUrl = searchParams.redirect;
+            }
+        } catch (e) {}
+    }
 
     const hasAuth =
         authInfo.password ||

src/app/auth/signup/SignupForm.tsx

@@ -30,6 +30,7 @@ import { formatAxiosError } from "@app/lib/api";
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import Image from "next/image";
+import { cleanRedirect } from "@app/lib/cleanRedirect";
 
 type SignupFormProps = {
     redirect?: string;
@@ -92,17 +93,17 @@ export default function SignupForm({
 
             if (res.data?.data?.emailVerificationRequired) {
                 if (redirect) {
-                    router.push(`/auth/verify-email?redirect=${redirect}`);
+                    const safe = cleanRedirect(redirect);
+                    router.push(`/auth/verify-email?redirect=${safe}`);
                 } else {
                     router.push("/auth/verify-email");
                 }
                 return;
             }
 
-            if (redirect && redirect.includes("http")) {
-                window.location.href = redirect;
-            } else if (redirect) {
-                router.push(redirect);
+            if (redirect) {
+                const safe = cleanRedirect(redirect);
+                router.push(safe);
             } else {
                 router.push("/");
             }

src/app/auth/signup/page.tsx

@@ -1,5 +1,6 @@
 import SignupForm from "@app/app/auth/signup/SignupForm";
 import { verifySession } from "@app/lib/auth/verifySession";
+import { cleanRedirect } from "@app/lib/cleanRedirect";
 import { pullEnv } from "@app/lib/pullEnv";
 import { Mail } from "lucide-react";
 import Link from "next/link";
@@ -41,6 +42,11 @@ export default async function Page(props: {
         }
     }
 
+    let redirectUrl: string | undefined;
+    if (searchParams.redirect) {
+        redirectUrl = cleanRedirect(searchParams.redirect);
+    }
+
     return (
         <>
             {isInvite && (
@@ -59,7 +65,7 @@ export default async function Page(props: {
             )}
 
             <SignupForm
-                redirect={searchParams.redirect as string}
+                redirect={redirectUrl}
                 inviteToken={inviteToken}
                 inviteId={inviteId}
             />
@@ -68,9 +74,9 @@ export default async function Page(props: {
                 Already have an account?{" "}
                 <Link
                     href={
-                        !searchParams.redirect
+                        !redirectUrl
                             ? `/auth/login`
-                            : `/auth/login?redirect=${searchParams.redirect}`
+                            : `/auth/login?redirect=${redirectUrl}`
                     }
                     className="underline"
                 >

src/app/auth/verify-email/VerifyEmailForm.tsx

@@ -36,6 +36,7 @@ import { useRouter } from "next/navigation";
 import { formatAxiosError } from "@app/lib/api";;
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
+import { cleanRedirect } from "@app/lib/cleanRedirect";
 
 const FormSchema = z.object({
     email: z.string().email({ message: "Invalid email address" }),
@@ -91,11 +92,9 @@ export default function VerifyEmailForm({
                 "Email successfully verified! Redirecting you..."
             );
             setTimeout(() => {
-                if (redirect && redirect.includes("http")) {
-                    window.location.href = redirect;
-                }
                 if (redirect) {
-                    router.push(redirect);
+                    const safe = cleanRedirect(redirect);
+                    router.push(safe);
                 } else {
                     router.push("/");
                 }

src/app/auth/verify-email/page.tsx

@@ -1,5 +1,6 @@
 import VerifyEmailForm from "@app/app/auth/verify-email/VerifyEmailForm";
 import { verifySession } from "@app/lib/auth/verifySession";
+import { cleanRedirect } from "@app/lib/cleanRedirect";
 import { pullEnv } from "@app/lib/pullEnv";
 import { redirect } from "next/navigation";
 import { cache } from "react";
@@ -27,11 +28,16 @@ export default async function Page(props: {
         redirect("/");
     }
 
+    let redirectUrl: string | undefined;
+    if (searchParams.redirect) {
+        redirectUrl = cleanRedirect(searchParams.redirect as string);
+    }
+
     return (
         <>
             <VerifyEmailForm
                 email={user.email}
-                redirect={searchParams.redirect as string}
+                redirect={redirectUrl}
             />
         </>
     );

src/app/invite/InviteStatusCard.tsx

@@ -14,7 +14,7 @@ import { XCircle } from "lucide-react";
 import { useRouter } from "next/navigation";
 
 type InviteStatusCardProps = {
-    type: "rejected" | "wrong_user" | "user_does_not_exist";
+    type: "rejected" | "wrong_user" | "user_does_not_exist" | "not_logged_in";
     token: string;
 };
 

src/app/invite/page.tsx

@@ -60,6 +60,8 @@ export default async function InvitePage(props: {
             )
         ) {
             return "user_does_not_exist";
+        } else if (error.includes("You must be logged in to accept an invite")) {
+            return "not_logged_in";
         } else {
             return "rejected";
         }
@@ -71,6 +73,10 @@ export default async function InvitePage(props: {
         redirect(`/auth/signup?redirect=/invite?token=${params.token}`);
     }
 
+    if (!user && type === "not_logged_in") {
+        redirect(`/auth/login?redirect=/invite?token=${params.token}`);
+    }
+
     return (
         <>
             <InviteStatusCard type={type} token={tokenParam} />

src/app/layout.tsx

@@ -6,6 +6,8 @@ import { ThemeProvider } from "@app/providers/ThemeProvider";
 import EnvProvider from "@app/providers/EnvProvider";
 import { Separator } from "@app/components/ui/separator";
 import { pullEnv } from "@app/lib/pullEnv";
+import { BookOpenText } from "lucide-react";
+import Image from "next/image";
 
 export const metadata: Metadata = {
     title: `Dashboard - Pangolin`,
@@ -38,10 +40,10 @@ export default async function RootLayout({
                         <div className="flex-grow">{children}</div>
 
                         {/* Footer */}
-                        <footer className="w-full mt-12 py-3 mb-6">
-                            <div className="container mx-auto flex flex-wrap justify-center items-center h-4 space-x-4 text-sm text-neutral-400 select-none">
-                                <div className="whitespace-nowrap">
-                                    Pangolin
+                        <footer className="w-full mt-12 py-3 mb-6 px-4">
+                            <div className="container mx-auto flex flex-wrap justify-center items-center h-3 space-x-4 text-sm text-neutral-400 dark:text-neutral-600 select-none">
+                                <div className="flex items-center space-x-2 whitespace-nowrap">
+                                    <span>Pangolin</span>
                                 </div>
                                 <Separator orientation="vertical" />
                                 <div className="whitespace-nowrap">
@@ -60,7 +62,7 @@ export default async function RootLayout({
                                         xmlns="http://www.w3.org/2000/svg"
                                         viewBox="0 0 24 24"
                                         fill="currentColor"
-                                        className="w-4 h-4"
+                                        className="w-3 h-3"
                                     >
                                         <path d="M12 0C5.37 0 0 5.373 0 12c0 5.303 3.438 9.8 8.207 11.385.6.11.82-.26.82-.577v-2.17c-3.338.726-4.042-1.61-4.042-1.61-.546-1.385-1.333-1.755-1.333-1.755-1.09-.744.082-.73.082-.73 1.205.085 1.84 1.24 1.84 1.24 1.07 1.835 2.807 1.305 3.492.997.107-.775.42-1.305.763-1.605-2.665-.305-5.467-1.335-5.467-5.93 0-1.31.468-2.382 1.236-3.22-.123-.303-.535-1.523.117-3.176 0 0 1.008-.322 3.3 1.23a11.52 11.52 0 013.006-.403c1.02.005 2.045.137 3.006.403 2.29-1.552 3.295-1.23 3.295-1.23.654 1.653.242 2.873.12 3.176.77.838 1.235 1.91 1.235 3.22 0 4.605-2.805 5.623-5.475 5.92.43.37.814 1.1.814 2.22v3.293c0 .32.217.693.825.576C20.565 21.795 24 17.298 24 12 24 5.373 18.627 0 12 0z" />
                                     </svg>
@@ -70,10 +72,11 @@ export default async function RootLayout({
                                     href="https://docs.fossorial.io/Pangolin/overview"
                                     target="_blank"
                                     rel="noopener noreferrer"
-                                    aria-label="GitHub"
+                                    aria-label="Documentation"
                                     className="flex items-center space-x-3 whitespace-nowrap"
                                 >
-                                    <span>Docs</span>
+                                    <span>Documentation</span>
+                                    <BookOpenText className="w-3 h-3" />
                                 </a>
                                 {version && (
                                     <>

src/app/page.tsx

@@ -11,6 +11,7 @@ import { redirect } from "next/navigation";
 import { cache } from "react";
 import OrganizationLanding from "./components/OrganizationLanding";
 import { pullEnv } from "@app/lib/pullEnv";
+import { cleanRedirect } from "@app/lib/cleanRedirect";
 
 export const dynamic = "force-dynamic";
 
@@ -29,7 +30,8 @@ export default async function Page(props: {
 
     if (!user) {
         if (params.redirect) {
-            redirect(`/auth/login?redirect=${params.redirect}`);
+            const safe = cleanRedirect(params.redirect);
+            redirect(`/auth/login?redirect=${safe}`);
         } else {
             redirect(`/auth/login`);
         }
@@ -40,7 +42,8 @@ export default async function Page(props: {
         env.flags.emailVerificationRequired
     ) {
         if (params.redirect) {
-            redirect(`/auth/verify-email?redirect=${params.redirect}`);
+            const safe = cleanRedirect(params.redirect);
+            redirect(`/auth/verify-email?redirect=${safe}`);
         } else {
             redirect(`/auth/verify-email`);
         }
@@ -80,6 +83,7 @@ export default async function Page(props: {
 
                 <div className="w-full max-w-md mx-auto md:mt-32 mt-4">
                     <OrganizationLanding
+                        disableCreateOrg={env.flags.disableUserCreateOrg && !user.serverAdmin}
                         organizations={orgs.map((org) => ({
                             name: org.name,
                             id: org.orgId

src/components/LoginForm.tsx

@@ -41,7 +41,7 @@ import Image from 'next/image'
 
 type LoginFormProps = {
     redirect?: string;
-    onLogin?: () => void;
+    onLogin?: () => void | Promise<void>;
 };
 
 const formSchema = z.object({

src/components/ProfileIcon.tsx

@@ -57,6 +57,7 @@ export default function ProfileIcon() {
             })
             .then(() => {
                 router.push("/auth/login");
+                router.refresh();
             });
     }
 

src/components/ui/button.tsx

@@ -19,6 +19,7 @@ const buttonVariants = cva(
                 secondary:
                     "bg-secondary border border-input text-secondary-foreground hover:bg-secondary/80",
                 ghost: "hover:bg-accent hover:text-accent-foreground",
+                text: "",
                 link: "text-primary underline-offset-4 hover:underline",
             },
             size: {

src/components/ui/collapsible.tsx

@@ -0,0 +1,11 @@
+"use client"
+
+import * as CollapsiblePrimitive from "@radix-ui/react-collapsible"
+
+const Collapsible = CollapsiblePrimitive.Root
+
+const CollapsibleTrigger = CollapsiblePrimitive.CollapsibleTrigger
+
+const CollapsibleContent = CollapsiblePrimitive.CollapsibleContent
+
+export { Collapsible, CollapsibleTrigger, CollapsibleContent }

src/lib/cleanRedirect.ts

@@ -0,0 +1,18 @@
+type PatternConfig = {
+    name: string;
+    regex: RegExp;
+};
+
+const patterns: PatternConfig[] = [
+    { name: "Invite Token", regex: /^\/invite\?token=[a-zA-Z0-9-]+$/ },
+    { name: "Setup", regex: /^\/setup$/ },
+    { name: "Resource Auth Portal", regex: /^\/auth\/resource\/\d+$/ }
+];
+
+export function cleanRedirect(input: string): string {
+    if (!input || typeof input !== "string") {
+        return "/";
+    }
+    const isAccepted = patterns.some((pattern) => pattern.regex.test(input));
+    return isAccepted ? input : "/";
+}

src/lib/pullEnv.ts

@@ -6,7 +6,8 @@ export function pullEnv(): Env {
             nextPort: process.env.NEXT_PORT as string,
             externalPort: process.env.SERVER_EXTERNAL_PORT as string,
             sessionCookieName: process.env.SESSION_COOKIE_NAME as string,
-            resourceSessionCookieName: process.env.RESOURCE_SESSION_COOKIE_NAME as string
+            resourceSessionCookieName: process.env.RESOURCE_SESSION_COOKIE_NAME as string,
+            resourceAccessTokenParam: process.env.RESOURCE_ACCESS_TOKEN_PARAM as string
         },
         app: {
             environment: process.env.ENVIRONMENT as string,

src/lib/shareLinks.ts

@@ -1,3 +1,5 @@
+import { pullEnv } from "./pullEnv";
+
 export function constructShareLink(
     resourceId: number,
     id: string,
@@ -5,3 +7,12 @@ export function constructShareLink(
 ) {
     return `${window.location.origin}/auth/resource/${resourceId}?token=${id}.${token}`;
 }
+
+export function constructDirectShareLink(
+    param: string,
+    resourceUrl: string,
+    id: string,
+    token: string
+) {
+    return `${resourceUrl}?${param}=${id}.${token}`;
+}

src/lib/types/env.ts

@@ -8,6 +8,7 @@ export type Env = {
         nextPort: string;
         sessionCookieName: string;
         resourceSessionCookieName: string;
+        resourceAccessTokenParam: string;
     },
     email: {
         emailEnabled: boolean;