Upgrade packages

Update dockerfile for correct node version.

Update package for openid-client

This essentially required reconstructing the oidc.go and auth.go files following the 6.x examples. While doing that, resolved some performance problems by only validating and parsing the session-stored JWT token once in the authenticated path and inserting the resulting sub (subject) into the request object for access in the next endpoint. This greatly simplifies the parts that expect an authenticated endpoint.

Added indexes for database performance.
Can't get the migration to generate!

Author: IDisposable

.github/workflows/pull-request.yml

@@ -31,7 +31,7 @@ jobs:
     - name: Use Node.js
       uses: actions/setup-node@v4
       with:
-        node-version: v22.21.0
+        node-version: v22.22.0
         cache: 'npm'
         cache-dependency-path: '**/package-lock.json'
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:21.1.0-alpine AS packages
+FROM node:22.22.0-alpine AS packages
 WORKDIR /usr/src/app
 
 COPY LICENSE /usr/src/app/

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "jetkvm-cloud-api",
-  "version": "1.0.0",
+  "version": "2026.01.29.0845",
   "description": "JetKVM Cloud API and Websocket Server",
   "main": "dist/src/index.js",
   "scripts": {
@@ -16,45 +16,42 @@
     "test:coverage": "vitest run --coverage"
   },
   "engines": {
-    "node": "22.x"
+    "node": "^22.22.0"
   },
   "keywords": [],
   "author": "JetKVM",
   "license": "GPL-2.0",
   "dependencies": {
-    "@aws-sdk/client-s3": "^3.654.0",
-    "@prisma/client": "^5.13.0",
-    "@tsconfig/node22": "^22.0.0",
+    "@aws-sdk/client-s3": "^3.978.0",
+    "@prisma/client": "^6.19.2",
+    "@tsconfig/node22": "^22.0.5",
     "@types/cookie-session": "^2.0.49",
-    "@types/cors": "^2.8.17",
-    "@types/node": "^20.12.10",
-    "@types/ws": "^8.5.10",
-    "cookie-session": "^2.1.0",
-    "cors": "^2.8.5",
-    "dotenv": "^16.4.7",
-    "express": "^5",
-    "helmet": "^7.1.0",
-    "http-proxy-middleware": "^3.0.3",
-    "jose": "^5.2.4",
-    "lru-cache": "^11.2.2",
-    "openid-client": "^5.6.5",
-    "prisma": "^5.13.0",
-    "semver": "^7.6.3",
+    "@types/cors": "^2.8.19",
+    "@types/node": "^25.1.0",
+    "@types/ws": "^8.18.1",
+    "cookie-session": "^2.1.1",
+    "cors": "^2.8.6",
+    "dotenv": "^17.2.3",
+    "express": "^5.2.1",
+    "helmet": "^8.1.0",
+    "http-proxy-middleware": "^3.0.5",
+    "jose": "^6.1.3",
+    "lru-cache": "^11.2.5",
+    "openid-client": "^6.8.1",
+    "prisma": "^6.19.2",
+    "semver": "^7.7.3",
     "ts-node": "^10.9.2",
-    "typescript": "^5.4.5",
-    "ws": "^8.17.1",
+    "typescript": "^5.9.3",
+    "ws": "^8.19.0",
     "zod": "^4.3.6"
   },
   "optionalDependencies": {
     "bufferutil": "^4.0.8"
   },
   "devDependencies": {
     "@types/express": "^5.0.6",
-    "@types/lru-cache": "^7.10.9",
-    "@types/semver": "^7.5.8",
-    "@vitest/coverage-v8": "^4.0.18",
-    "aws-sdk-client-mock": "^4.1.0",
-    "prettier": "3.2.5",
+    "@types/semver": "^7.7.1",
+    "prettier": "3.8.1",
     "vitest": "^4.0.18"
   }
 }

package.json

@@ -20,6 +20,8 @@ model User {
   picture  String?
   device   Device[]
   Activity TurnActivity[]
+
+  @@index([googleId], type: Hash)
 }
 
 model Device {
@@ -31,6 +33,10 @@ model Device {
   tempToken          String?
   tempTokenExpiresAt DateTime?
   secretToken        String?   @unique
+
+  @@index([userId], type: Hash)
+  @@index([tempToken], type: Hash)
+  @@index([secretToken], type: Hash)
 }
 
 model TurnActivity {
@@ -40,6 +46,8 @@ model TurnActivity {
   createdAt     DateTime? @default(now()) @db.Timestamp(6)
   bytesSent     Int
   bytesReceived Int
+
+  @@index([userId], type: Hash)
 }
 
 model Release {
@@ -53,4 +61,5 @@ model Release {
   hash              String
 
   @@unique([version, type])
+  @@index([type, rolloutPercentage])
 }

prisma/schema.prisma

@@ -1,37 +1,50 @@
 import { type NextFunction, type Request, type Response } from "express";
 import * as jose from "jose";
-import { UnauthorizedError } from "./errors";
-
+import { BadRequestError, UnauthorizedError } from "./errors";
+
+const JWKS_URL = new URL("https://www.googleapis.com/oauth2/v3/certs")
+const JWKS = jose.createRemoteJWKSet(JWKS_URL);
+const verificationOptions = {
+  //algorithms: ['RS256'],
+  issuer: "https://accounts.google.com",
+  audience: process.env.GOOGLE_CLIENT_ID,
+};
 
 export const verifyToken = async (idToken: string) => {
-  const JWKS = jose.createRemoteJWKSet(
-    new URL("https://www.googleapis.com/oauth2/v3/certs"),
-  );
-
   try {
-    const { payload } = await jose.jwtVerify(idToken, JWKS, {
-      issuer: "https://accounts.google.com",
-      audience: process.env.GOOGLE_CLIENT_ID,
-    });
-
+    const { payload } = await jose.jwtVerify(idToken, JWKS, verificationOptions);
+    console.log('JWT Payload:', payload);
     return payload;
-  } catch  (e) {
-    console.error(e);
+  } catch (error: any) {
+    console.error('JWT Verification Failed:', error.message);
     return null;
   }
 };
 
 export const authenticated = async (req: Request, res: Response, next: NextFunction) => {
-  const idToken = req.session?.id_token;
-  if (!idToken) throw new UnauthorizedError();
+  const session = req.session;
+  if (!session) throw new UnauthorizedError("No session found");
+
+  const idToken = session.id_token;
+  if (!idToken) throw new UnauthorizedError("No ID token found in session");
 
   const payload = await verifyToken(idToken);
-  if (!payload) throw new UnauthorizedError();
-  if (!payload.exp) throw new UnauthorizedError();
+  if (!payload) throw new UnauthorizedError("Invalid ID token");
 
-  if (new Date(payload.exp * 1000) < new Date()) {
-    throw new UnauthorizedError();
+  const { sub, iss, exp } = payload;
+  if (!sub) throw new UnauthorizedError("Missing sub (subject) in token");
+  if (!iss) throw new UnauthorizedError("Missing iss (issuer) in token");
+  if (!exp) throw new UnauthorizedError("Missing exp (expiration) in token");
+
+  if (new Date(payload.exp! * 1000) < new Date()) {
+    throw new UnauthorizedError("ID token has expired");
   }
 
+  const isGoogle = iss === "https://accounts.google.com";
+  if (!isGoogle) throw new BadRequestError("Token is not from Google");
+
+  req.subject = sub;
+  req.issuer = iss;
+
   next();
-};
+};

src/auth.ts

@@ -19,7 +19,6 @@ if (process.env.NODE_ENV !== "development") {
   prismaClient = global.__db;
 }
 
-
 // Have to cast it manually, because webstorm can't infer it for some reason
 // https://github.com/prisma/prisma/issues/2359#issuecomment-963340538
 export const prisma = prismaClient;

src/db.ts

@@ -1,4 +1,3 @@
-import * as jose from "jose";
 import { prisma } from "./db";
 import express from "express";
 import {
@@ -12,45 +11,40 @@ import { authenticated } from "./auth";
 import { activeConnections } from "./webrtc-signaling";
 
 export const List = async (req: express.Request, res: express.Response) => {
-  const idToken = req.session?.id_token;
-  const { iss, sub } = jose.decodeJwt(idToken);
-
-  // Authorization server’s identifier for the user
-  const isGoogle = iss === "https://accounts.google.com";
-  if (isGoogle) {
-    const devices = await prisma.device.findMany({
-      where: { user: { googleId: sub } },
-      select: { id: true, name: true, lastSeen: true },
-    });
+  const { subject } = req;
+  if (!subject) throw new UnauthorizedError("Missing subject in token");
 
-    return res.json({
-      devices: devices.map(device => {
-        const activeDevice = activeConnections.get(device.id);
-        const version = activeDevice?.[2] || null;
-
-        return {
-          ...device,
-          online: !!activeDevice,
-          version,
-        };
-      }),
-    });
-  } else {
-    throw new BadRequestError("Token is not from Google");
-  }
+  const devices = await prisma.device.findMany({
+    where: { user: { googleId: subject } },
+    select: { id: true, name: true, lastSeen: true },
+  });
+
+  return res.json({
+    devices: devices.map(device => {
+      const activeDevice = activeConnections.get(device.id);
+      const version = activeDevice?.[2] || null;
+
+      return {
+        ...device,
+        online: !!activeDevice,
+        version,
+      };
+    }),
+  });
 };
 
 export const Retrieve = async (
   req: express.Request<{ id: string }>,
   res: express.Response
 ) => {
-  const idToken = req.session?.id_token;
-  const { sub } = jose.decodeJwt(idToken);
+  const { subject } = req;
+  if (!subject) throw new UnauthorizedError("Missing subject in token");
+
   const { id } = req.params;
   if (!id) throw new UnprocessableEntityError("Missing device id in params");
 
   const device = await prisma.device.findUnique({
-    where: { id, user: { googleId: sub } },
+    where: { id, user: { googleId: subject } },
     select: { id: true, name: true, user: { select: { googleId: true } } },
   });
 
@@ -62,18 +56,17 @@ export const Update = async (
   req: express.Request<{ id: string }>,
   res: express.Response
 ) => {
-  const idToken = req.session?.id_token;
-  const { sub } = jose.decodeJwt(idToken);
-  if (!sub) throw new UnauthorizedError("Missing sub in token");
+  const { subject } = req;
+  if (!subject) throw new UnauthorizedError("Missing subject in token");
 
   const { id } = req.params;
   if (!id) throw new UnprocessableEntityError("Missing device id in params");
 
   const { name } = req.body as { name: string };
-  if (!name) throw new UnprocessableEntityError("Missing name in body");
+  if (!name) throw new UnprocessableEntityError("Missing device name in body");
 
   const device = await prisma.device.update({
-    where: { id, user: { googleId: sub } },
+    where: { id, user: { googleId: subject } },
     data: { name },
     select: { id: true },
   });
@@ -125,14 +118,13 @@ export const Delete = async (
     throw new BadRequestError("Unauthorized");
   }
 
-  const idToken = req.session?.id_token;
-  const { sub } = jose.decodeJwt(idToken);
-  if (!sub) throw new UnauthorizedError("Missing sub in token");
+  const { subject } = req;
+  if (!subject) throw new UnauthorizedError("Missing subject in token");
 
   const { id } = req.params;
   if (!id) throw new UnprocessableEntityError("Missing device id in params");
 
-  await prisma.device.delete({ where: { id, user: { googleId: sub } } });
+  await prisma.device.delete({ where: { id, user: { googleId: subject } } });
 
   // We just removed the device, so we should close any running open socket connections
   const conn = activeConnections.get(id);

src/devices.ts

@@ -1,7 +1,6 @@
 import express from "express";
 import cors from "cors";
 import cookieSession from "cookie-session";
-import * as jose from "jose";
 import helmet from "helmet";
 import 'dotenv/config';
 
@@ -97,26 +96,25 @@ app.get(
   "/me",
   authenticated,
   async (req: express.Request, res: express.Response) => {
-    const idToken = req.session?.id_token;
-    const { sub, iss, exp, aud, iat, jti, nbf } = jose.decodeJwt(idToken);
+    const { subject, issuer } = req;
+    if (!subject || !issuer) {
+      return res.status(401).json({ message: "Unauthorized" });
+    }
 
     let user;
-    if (iss === "https://accounts.google.com") {
+    if (issuer === "https://accounts.google.com") {
       user = await prisma.user.findUnique({
-        where: { googleId: sub },
+        where: { googleId: subject },
         select: { picture: true, email: true },
       });
     }
 
-    return res.json({ ...user, sub });
+    return res.json({ ...user, subject });
   },
 );
 
 app.get("/releases", Releases.Retrieve);
-app.get(
-  "/releases/system_recovery/latest",
-  Releases.RetrieveLatestSystemRecovery,
-);
+app.get("/releases/system_recovery/latest", Releases.RetrieveLatestSystemRecovery);
 app.get("/releases/app/latest", Releases.RetrieveLatestApp);
 
 app.get("/devices", authenticated, Devices.List);
@@ -127,11 +125,7 @@ app.delete("/devices/:id", Devices.Delete);
 
 app.post("/webrtc/session", authenticated, Webrtc.CreateSession);
 app.post("/webrtc/ice_config", authenticated, Webrtc.CreateIceCredentials);
-app.post(
-  "/webrtc/turn_activity",
-  authenticated,
-  Webrtc.CreateTurnActivity,
-);
+app.post("/webrtc/turn_activity", authenticated, Webrtc.CreateTurnActivity);
 
 app.post("/oidc/google", OIDC.Google);
 app.get("/oidc/callback_o", OIDC.Callback);