feat: direct browser↔gateway xterm via short-lived HMAC tickets#862
Merged
Conversation
Browser now opens the xterm WebSocket straight to the gateway when supported, skipping the webapp WS proxy hop. Webapp signs a 5-minute ticket scoped to one PTY (HMAC over the gateway's existing securityKeyHash); gateway verifies it on the upgrade. Older gateways and http-only baseUrls transparently fall back to the existing proxy path via the new xterm-ticket endpoints, so no coordinated rollout is needed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
sha256(rawSecurityKey)= the gateway's existingsecurityKeyHash); gateway verifies on the WS upgrade. No new secret introduced, no new on-disk state.directXtermcapability in manifest) and http-onlybaseUrls transparently fall back to the existing proxy path. No coordinated rollout needed.How it works
Two ticket-issuing endpoints, one per existing proxy path:
POST /api/v1/gateways/:gatewayId/xterm-ticketgatewayId+ asession_id(gateway PTY id){ session_id }POST /api/v1/coding-sessions/:codingSessionId/xterm-ticket{}(webapp resolves)Both return either
{ mode: "direct", wsUrl, expiresAt }or{ mode: "proxy", wsUrl }.Why this design
jtidedup map). Matches what code-server / ttyd / Cloud Shell do: a replayed ticket only re-attaches to a PTY the attacker would already need thesession_idfor. Key rotation is the escape hatch./api/coding/coding_xterm_session; every other gateway route still requiresAuthorization: Bearer.Files
Gateway (
packages/)gateway-protocol/src/manifest.ts— addscapabilities.directXterm?: booleancli/src/server/api/auth.ts—verifyTicket()+ ticket-eligible path whitelist in the auth hookcli/src/server/api/manifest-builder.ts— advertisesdirectXtermwhen coding slot is onWebapp (
apps/webapp/)app/routes/api.v1.gateways.$gatewayId.xterm-ticket.tsx— gateway-direct ticketapp/routes/api.v1.coding-sessions.$codingSessionId.xterm-ticket.tsx— CodingSession-bound ticketapp/lib/xterm-ws.client.ts— browser helper that calls the ticket endpoint and resolves relative proxy URLs towss://${location.host}…app/components/coding/gateway-terminal.tsx,app/components/gateway/xterm-pane.tsx,app/routes/home.gateways.$gatewayId.terminal.tsx— wire UI to the new helperTest plan
directXtermcapability in manifest) → falls back to proxy path; terminal still works./api/coding/coding_xterm_sessionwithAuthorization: Bearer …→ still authenticated as before./home/gateways/:id/terminal) — open, type, exit; "Start new shell" reopens cleanly./home/tasks/:id/coding/:sessionId) — open, resume session, new session.?ticket=query) → gateway returns 401 on WS upgrade.🤖 Generated with Claude Code