Add dev IDE access architecture doc

2026-03-24 22:56:12 +00:00 · 2026-03-24 22:56:12 +00:00 · 2a6bfe77dc
commit 2a6bfe77dc
parent 1b1b22e8f8
1 changed files with 226 additions and 0 deletions
--- a/architecture/dev-ide-access.md
+++ b/architecture/dev-ide-access.md
@ -0,0 +1,226 @@
 # Dev IDE Access Architecture
 ## Overview
 Dev containers expose a browser-accessible VS Code IDE (code-server) via a
 host-based routing model. The API is the auth and proxy boundary. Traefik
 handles TLS and routing. Containers are never directly exposed.
 ---
 ## Architecture
 ```
 Browser
  ↓ https://dev-<vmid>.zerolaghub.dev
 Traefik (zlh-zpack-proxy, 10.70.0.242)
  ↓ wildcard TLS + host routing → http://10.60.0.245:4000
 API (zpack-api, 10.60.0.245:4000)
  ↓ token validation + cookie handoff
  ↓ HTTP + WebSocket proxy
 Container code-server (:6000)
 ```
 ---
 ## Why API Proxy (Not Direct Traefik → Container)
 Direct Traefik → container routing was tested and rejected for the following reasons:
 1. **No auth boundary** — code-server runs with `--auth none`. Without the API
   in the path, any request reaching the container would have full IDE access.
 2. **No ownership validation** — the API verifies the token against the
   database to confirm the requesting user owns the container. Traefik has no
   concept of this.
 3. **Per-container routing complexity** — direct routing requires a Traefik
   dynamic config entry per container. The API proxy approach requires only
   one wildcard rule regardless of how many containers exist.
 The API proxy adds one network hop but provides auth, ownership enforcement,
 and operational simplicity.
 ---
 ## Token Flow
 ### Step 1 — Token generation
 ```
 POST /api/dev/:id/ide-token
 Authorization: Bearer <user-jwt>
 ```
 Response:
 ```json
 {
  "token": "<ide-proxy-token>",
  "url": "https://dev-6070.zerolaghub.dev/?token=...",
  "expiresIn": 300
 }
 ```
 The IDE proxy token is short-lived (300s TTL), signed with a separate secret,
 and carries `{ sub, vmid, type: "dev-ide" }`. It is scoped to a specific
 container — a token for vmid 6070 cannot access vmid 6071.
 ### Step 2 — Bootstrap
 Browser navigates to `https://dev-6070.zerolaghub.dev/?token=...`
 Traefik forwards to the API. `handleHostedProxy` extracts the vmid from the
 `Host` header (`dev-6070` → `6070`), validates the token, confirms ownership
 against the database, then:
 1. Sets `zlh_dev_ide_token` HTTP-only cookie (path: `/`, scoped to the hosted domain)
 2. Redirects to the clean URL (token stripped from query string)
 ### Step 3 — Live traffic
 All subsequent requests carry the cookie. The API validates it on every
 request and proxies to `http://<container-ip>:6000`.
 WebSocket upgrades are handled in `attachDevProxyServer` on the raw Node.js
 HTTP server — the upgrade event is intercepted before Express routing, the
 cookie/token is validated, and a target-bound WS proxy is built at upgrade
 time using the resolved container IP.
 ---
 ## Request Flow Detail
 ```
 1. GET https://dev-6070.zerolaghub.dev/?token=<ide-token>
   → Traefik → API handleHostedProxy
   → validate token (vmid match + ownership)
   → Set-Cookie: zlh_dev_ide_token=<token>; HttpOnly; Path=/
   → 302 → https://dev-6070.zerolaghub.dev/
 2. GET https://dev-6070.zerolaghub.dev/
   → Traefik → API handleHostedProxy
   → validate cookie
   → proxy to http://10.100.x.x:6000/
   → code-server 302 → /?folder=/home/dev/workspace
 3. GET https://dev-6070.zerolaghub.dev/?folder=/home/dev/workspace
   → Traefik → API handleHostedProxy
   → validate cookie
   → proxy to http://10.100.x.x:6000/?folder=/home/dev/workspace
   → 200 code-server HTML
 4. WS wss://dev-6070.zerolaghub.dev/stable-<hash>/...
   → Traefik → API server upgrade handler (attachDevProxyServer)
   → validate cookie from WS request headers
   → build target-bound WS proxy → ws://10.100.x.x:6000/stable-<hash>/...
 ```
 ---
 ## Traefik Configuration
 ```yaml
 http:
  routers:
    dev-ide:
      rule: "HostRegexp(`dev-{vmid:[0-9]+}.zerolaghub.dev`)"
      entryPoints:
        - websecure
      service: dev-ide-api
      tls:
        certResolver: zpackv2
        domains:
          - main: "zerolaghub.dev"
            sans:
              - "*.zerolaghub.dev"
  services:
    dev-ide-api:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://10.60.0.245:4000"
 ```
 `passHostHeader: true` is critical — without it Express resolves relative
 redirects against the internal API IP, leaking it to the browser.
 TLS: wildcard cert `*.zerolaghub.dev` issued via Let's Encrypt DNS-01 challenge
 through Cloudflare. certResolver `zpackv2` handles renewal automatically.
 ---
 ## API Key Files
 - `src/routes/devProxy.js` — all IDE proxy logic
 - `src/app.js` — mounts devProxy router + calls `attachDevProxyServer`
 - `src/auth/tokens.js` — `signIdeProxyToken` / `verifyIdeProxyToken`
 Key functions in `devProxy.js`:
 - `handleHostedProxy` — entry point for all host-based requests
 - `parseHostedVmid` — extracts vmid from `Host: dev-6070.zerolaghub.dev`
 - `resolveDevTarget` — DB lookup confirming ownership + returning container IP
 - `attachDevProxyServer` — raw HTTP upgrade handler for WebSockets
 - `buildWsProxy` — builds a target-bound WS proxy instance at upgrade time
 ---
 ## WebSocket Critical Detail
 The shared HTTP proxy instance (`ideTunnelProxy`) has `ws: false`. WebSocket
 upgrades are handled exclusively in `attachDevProxyServer` which builds a
 new proxy instance per upgrade with the resolved container target hardcoded.
 This was the fix for the `ECONNREFUSED 127.0.0.1:6000` bug — the shared
 proxy was falling back to `DEFAULT_IDE_TARGET` (localhost) instead of the
 actual container IP because per-request context was lost during the upgrade.
 ---
 ## code-server Container Setup
 - Install path: `/opt/zlh/services/code-server`
 - Port: `6000` (bound to `0.0.0.0`)
 - Launch flags: `--auth none --disable-telemetry`
 - Auth: disabled at code-server level — API handles all auth
 - Workspace: `/home/dev/workspace`
 - User: `dev`
 Chrome blocks port 6000 as an unsafe port. This is internal only and never
 directly browser-accessible, so it is not an issue.
 ---
 ## Known Pitfalls
 | Issue | Cause | Fix |
 |-------|-------|-----|
 | `ERR_CONNECTION_CLOSED` in browser | Traefik/API not reachable or wrong code deployed | Check connectivity + confirm deployed code has `handleHostedProxy` |
 | 404 from API | `handleHostedProxy` not in running process | Restart API after deploy |
 | Redirect loops to raw IP | `passHostHeader: true` missing in Traefik | Add it to loadBalancer config |
 | WS 1006 disconnect | WS proxy falling back to `127.0.0.1` | Ensure `ws: false` on HTTP proxy, WS handled only in `attachDevProxyServer` |
 | Cookie not set | Token expired (300s TTL) | Generate a fresh token |
 | Wildcard cert fails to issue | Stale `_acme-challenge` TXT records in Cloudflare | Delete stale records manually, reload Traefik |
 ---
 ## Future: SSH Access via CF Tunnel
 Planned addition — same hostname, SSH protocol routed through Cloudflare Tunnel:
 ```
 Developer laptop
  ↓ ssh dev-6070.zerolaghub.dev
 Cloudflare edge (CF Tunnel)
  ↓
 Bastion VM
  ↓ SSH proxy jump
 Dev container
 ```
 Developer one-time SSH config:
 ```
 Host *.zerolaghub.dev
    ProxyCommand cloudflared access ssh --hostname %h
 ```
 CF Tunnel runs persistently on the bastion VM. Free tier covers up to 50 users.
 Browser IDE and SSH share the same hostname — different protocols routed separately.