fix(remote-control): harden self-hosted session flows (#278)

Co-authored-by: chengzifeng <chengzifeng@meituan.com>
2026-06-18 22:35:51 +00:00 · 2026-04-16 10:46:31 +08:00
parent 5a4c820e1d
commit fe08cacf8d
24 changed files with 1252 additions and 162 deletions
--- a/packages/remote-control-server/src/routes/web/auth.ts
+++ b/packages/remote-control-server/src/routes/web/auth.ts
@@ -1,5 +1,6 @@
 import { Hono } from "hono";
-import { storeGetSession, storeBindSession } from "../../store";
+import { storeBindSession } from "../../store";
+import { resolveExistingWebSessionId, toWebSessionId } from "../../services/session";

 const app = new Hono();

@@ -14,13 +15,13 @@ app.post("/bind", async (c) => {
    return c.json({ error: "sessionId and uuid are required" }, 400);
  }

-  const session = storeGetSession(sessionId);
-  if (!session) {
+  const resolvedSessionId = resolveExistingWebSessionId(sessionId);
+  if (!resolvedSessionId) {
    return c.json({ error: "Session not found" }, 404);
  }

-  storeBindSession(sessionId, uuid);
-  return c.json({ ok: true, sessionId });
+  storeBindSession(resolvedSessionId, uuid);
+  return c.json({ ok: true, sessionId: toWebSessionId(resolvedSessionId) });
 });

 export default app;
--- a/packages/remote-control-server/src/routes/web/control.ts
+++ b/packages/remote-control-server/src/routes/web/control.ts
@@ -1,31 +1,46 @@
 import { Hono } from "hono";
 import { uuidAuth } from "../../auth/middleware";
-import { getSession, updateSessionStatus } from "../../services/session";
+import { getSession, isSessionClosedStatus, resolveOwnedWebSessionId, updateSessionStatus } from "../../services/session";
 import { publishSessionEvent } from "../../services/transport";
 import { getEventBus } from "../../transport/event-bus";
-import { storeIsSessionOwner } from "../../store";

 const app = new Hono();

-function checkOwnership(c: { get: (key: string) => string | undefined }, sessionId: string) {
+type OwnershipCheckResult =
+  | { error: true }
+  | { error: true; reason: string }
+  | { error: false; session: NonNullable<ReturnType<typeof getSession>>; sessionId: string };
+
+function checkOwnership(c: { get: (key: string) => string | undefined }, sessionId: string): OwnershipCheckResult {
  const uuid = c.get("uuid")!;
-  if (!storeIsSessionOwner(sessionId, uuid)) {
-    return { error: true, session: null };
+  const resolvedSessionId = resolveOwnedWebSessionId(sessionId, uuid);
+  if (!resolvedSessionId) {
+    return { error: true };
  }
-  const session = getSession(sessionId);
+  const session = getSession(resolvedSessionId);
  if (!session) {
-    return { error: true, session: null };
+    return { error: true };
  }
-  return { error: false, session };
+  if (isSessionClosedStatus(session.status)) {
+    return { error: true, reason: `Session is ${session.status}` };
+  }
+  return { error: false, session, sessionId: resolvedSessionId };
+}
+
+function closedSessionResponse(message: string) {
+  return { error: { type: "session_closed", message } };
 }

 /** POST /web/sessions/:id/events — Send user message to session */
 app.post("/sessions/:id/events", uuidAuth, async (c) => {
-  const sessionId = c.req.param("id")!;
-  const { error } = checkOwnership(c, sessionId);
-  if (error) {
-    return c.json({ error: { type: "forbidden", message: "Not your session" } }, 403);
+  const requestedSessionId = c.req.param("id")!;
+  const ownership = checkOwnership(c, requestedSessionId);
+  if (ownership.error) {
+    const message = "reason" in ownership ? ownership.reason : "Not your session";
+    const status = "reason" in ownership ? 409 : 403;
+    return c.json("reason" in ownership ? closedSessionResponse(message) : { error: { type: "forbidden", message } }, status);
  }
+  const { sessionId } = ownership;

  const body = await c.req.json();
  const eventType = body.type || "user";
@@ -37,11 +52,14 @@ app.post("/sessions/:id/events", uuidAuth, async (c) => {

 /** POST /web/sessions/:id/control — Send control request (permission approval etc) */
 app.post("/sessions/:id/control", uuidAuth, async (c) => {
-  const sessionId = c.req.param("id")!;
-  const { error } = checkOwnership(c, sessionId);
-  if (error) {
-    return c.json({ error: { type: "forbidden", message: "Not your session" } }, 403);
+  const requestedSessionId = c.req.param("id")!;
+  const ownership = checkOwnership(c, requestedSessionId);
+  if (ownership.error) {
+    const message = "reason" in ownership ? ownership.reason : "Not your session";
+    const status = "reason" in ownership ? 409 : 403;
+    return c.json("reason" in ownership ? closedSessionResponse(message) : { error: { type: "forbidden", message } }, status);
  }
+  const { sessionId } = ownership;

  const body = await c.req.json();
  const event = publishSessionEvent(sessionId, body.type || "control_request", body, "outbound");
@@ -50,11 +68,14 @@ app.post("/sessions/:id/control", uuidAuth, async (c) => {

 /** POST /web/sessions/:id/interrupt — Interrupt session */
 app.post("/sessions/:id/interrupt", uuidAuth, async (c) => {
-  const sessionId = c.req.param("id")!;
-  const { error } = checkOwnership(c, sessionId);
-  if (error) {
-    return c.json({ error: { type: "forbidden", message: "Not your session" } }, 403);
+  const requestedSessionId = c.req.param("id")!;
+  const ownership = checkOwnership(c, requestedSessionId);
+  if (ownership.error) {
+    const message = "reason" in ownership ? ownership.reason : "Not your session";
+    const status = "reason" in ownership ? 409 : 403;
+    return c.json("reason" in ownership ? closedSessionResponse(message) : { error: { type: "forbidden", message } }, status);
  }
+  const { sessionId } = ownership;

  publishSessionEvent(sessionId, "interrupt", { action: "interrupt" }, "outbound");
  updateSessionStatus(sessionId, "idle");
--- a/packages/remote-control-server/src/routes/web/sessions.ts
+++ b/packages/remote-control-server/src/routes/web/sessions.ts
@@ -1,9 +1,16 @@
 import { Hono } from "hono";
 import { uuidAuth } from "../../auth/middleware";
-import { getSession, createSession } from "../../services/session";
-import { storeListSessionsByOwnerUuid, storeIsSessionOwner, storeBindSession } from "../../store";
+import {
+  createSession,
+  getSession,
+  isSessionClosedStatus,
+  listWebSessionSummariesByOwnerUuid,
+  listWebSessionsByOwnerUuid,
+  resolveOwnedWebSessionId,
+  toWebSessionResponse,
+} from "../../services/session";
+import { storeBindSession } from "../../store";
 import { createWorkItem } from "../../services/work-dispatch";
-import { listSessionSummariesByOwnerUuid } from "../../services/session";
 import { createSSEStream } from "../../transport/sse-writer";
 import { getEventBus } from "../../transport/event-bus";

@@ -38,36 +45,36 @@ app.post("/sessions", uuidAuth, async (c) => {
 /** GET /web/sessions — List sessions owned by the requesting UUID */
 app.get("/sessions", uuidAuth, async (c) => {
  const uuid = c.get("uuid")!;
-  const sessions = storeListSessionsByOwnerUuid(uuid);
+  const sessions = listWebSessionsByOwnerUuid(uuid);
  return c.json(sessions, 200);
 });

 /** GET /web/sessions/all — List sessions owned by the requesting UUID (unowned sessions excluded) */
 app.get("/sessions/all", uuidAuth, async (c) => {
  const uuid = c.get("uuid")!;
-  const sessions = listSessionSummariesByOwnerUuid(uuid);
+  const sessions = listWebSessionSummariesByOwnerUuid(uuid);
  return c.json(sessions, 200);
 });

 /** GET /web/sessions/:id — Session detail */
 app.get("/sessions/:id", uuidAuth, async (c) => {
  const uuid = c.get("uuid")!;
-  const sessionId = c.req.param("id")!;
-  if (!storeIsSessionOwner(sessionId, uuid)) {
+  const sessionId = resolveOwnedWebSessionId(c.req.param("id")!, uuid);
+  if (!sessionId) {
    return c.json({ error: { type: "forbidden", message: "Not your session" } }, 403);
  }
  const session = getSession(sessionId);
  if (!session) {
    return c.json({ error: { type: "not_found", message: "Session not found" } }, 404);
  }
-  return c.json(session, 200);
+  return c.json(toWebSessionResponse(session), 200);
 });

 /** GET /web/sessions/:id/history — Historical events for session */
 app.get("/sessions/:id/history", uuidAuth, async (c) => {
  const uuid = c.get("uuid")!;
-  const sessionId = c.req.param("id")!;
-  if (!storeIsSessionOwner(sessionId, uuid)) {
+  const sessionId = resolveOwnedWebSessionId(c.req.param("id")!, uuid);
+  if (!sessionId) {
    return c.json({ error: { type: "forbidden", message: "Not your session" } }, 403);
  }
  const session = getSession(sessionId);
@@ -83,14 +90,17 @@ app.get("/sessions/:id/history", uuidAuth, async (c) => {
 /** SSE /web/sessions/:id/events — Real-time event stream */
 app.get("/sessions/:id/events", uuidAuth, async (c) => {
  const uuid = c.get("uuid")!;
-  const sessionId = c.req.param("id")!;
-  if (!storeIsSessionOwner(sessionId, uuid)) {
+  const sessionId = resolveOwnedWebSessionId(c.req.param("id")!, uuid);
+  if (!sessionId) {
    return c.json({ error: { type: "forbidden", message: "Not your session" } }, 403);
  }
  const session = getSession(sessionId);
  if (!session) {
    return c.json({ error: { type: "not_found", message: "Session not found" } }, 404);
  }
+  if (isSessionClosedStatus(session.status)) {
+    return c.json({ error: { type: "session_closed", message: `Session is ${session.status}` } }, 409);
+  }

  const lastEventId = c.req.header("Last-Event-ID");
  const fromSeqNum = lastEventId ? parseInt(lastEventId) : 0;