From 0c0bdbf2fe21875e8804f2e23e2a3c2295187dba Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 28 Apr 2025 10:45:02 +0200
Subject: [PATCH] v4.0.0-beta.413 (#5711)

* feat(README): add InterviewPal sponsorship link and corresponding SVG icon

* chore(versions): update coolify version to 4.0.0-beta.413 and nightly version to 4.0.0-beta.414 in configuration files

* fix(terminal): enhance WebSocket client verification with authorized IPs in terminal server

* chore(versions): update realtime version to 1.0.8 in versions.json

* chore(versions): update realtime version to 1.0.8 in versions.json
---
 README.md                                  |  2 +
 config/constants.php                       |  4 +-
 docker/coolify-realtime/terminal-server.js | 72 ++++++++++++++++++----
 other/nightly/versions.json                |  6 +-
 public/svgs/interviewpal.svg               |  1 +
 routes/web.php                             | 11 ++++
 versions.json                              |  6 +-
 7 files changed, 82 insertions(+), 20 deletions(-)
 create mode 100644 public/svgs/interviewpal.svg

diff --git a/README.md b/README.md
index 6e245aa22..5f583df75 100644
--- a/README.md
+++ b/README.md
@@ -131,6 +131,8 @@ Thank you so much!
 <a href="https://arvensis.systems/?utm_source=coolify.io"><img width="60px" alt="Arvensis Systems" src="https://coolify.io/images/arvensis.png"/></a>
 <a href="https://github.com/Niki2k1"><img width="60px" alt="Niklas Lausch" src="https://github.com/Niki2k1.png"/></a>
 <a href="https://capgo.app/?utm_source=coolify.io"><img width="60px" alt="Cap-go" src="https://github.com/cap-go.png"/></a>
+<a href="https://interviewpal.com/?utm_source=coolify.io"><img width="60px" alt="InterviewPal" src="/public/svgs/interviewpal.svg"/></a>
+
 
 ...and many more at [GitHub Sponsors](https://github.com/sponsors/coollabsio)
 
diff --git a/config/constants.php b/config/constants.php
index f05bc7d8e..a849ae93e 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -2,9 +2,9 @@
 
 return [
     'coolify' => [
-        'version' => '4.0.0-beta.412',
+        'version' => '4.0.0-beta.413',
         'helper_version' => '1.0.8',
-        'realtime_version' => '1.0.7',
+        'realtime_version' => '1.0.8',
         'self_hosted' => env('SELF_HOSTED', true),
         'autoupdate' => env('AUTOUPDATE'),
         'base_config_path' => env('BASE_CONFIG_PATH', '/data/coolify'),
diff --git a/docker/coolify-realtime/terminal-server.js b/docker/coolify-realtime/terminal-server.js
index 6649f866c..61dd29453 100755
--- a/docker/coolify-realtime/terminal-server.js
+++ b/docker/coolify-realtime/terminal-server.js
@@ -3,7 +3,9 @@ import http from 'http';
 import pty from 'node-pty';
 import axios from 'axios';
 import cookie from 'cookie';
-import 'dotenv/config'
+import 'dotenv/config';
+
+const userSessions = new Map();
 
 const server = http.createServer((req, res) => {
     if (req.url === '/ready') {
@@ -15,16 +17,20 @@ const server = http.createServer((req, res) => {
     }
 });
 
-const verifyClient = async (info, callback) => {
-    const cookies = cookie.parse(info.req.headers.cookie || '');
-    // const origin = new URL(info.origin);
-    // const protocol = origin.protocol;
+const getSessionCookie = (req) => {
+    const cookies = cookie.parse(req.headers.cookie || '');
     const xsrfToken = cookies['XSRF-TOKEN'];
-
-    // Generate session cookie name based on APP_NAME
     const appName = process.env.APP_NAME || 'laravel';
     const sessionCookieName = `${appName.replace(/[^a-zA-Z0-9]/g, '_').toLowerCase()}_session`;
-    const laravelSession = cookies[sessionCookieName];
+    return {
+        sessionCookieName,
+        xsrfToken: xsrfToken,
+        laravelSession: cookies[sessionCookieName]
+    }
+}
+
+const verifyClient = async (info, callback) => {
+    const { xsrfToken, laravelSession, sessionCookieName } = getSessionCookie(info.req);
 
     // Verify presence of required tokens
     if (!laravelSession || !xsrfToken) {
@@ -54,11 +60,24 @@ const verifyClient = async (info, callback) => {
 
 
 const wss = new WebSocketServer({ server, path: '/terminal/ws', verifyClient: verifyClient });
-const userSessions = new Map();
 
-wss.on('connection', (ws) => {
+wss.on('connection', async (ws, req) => {
     const userId = generateUserId();
-    const userSession = { ws, userId, ptyProcess: null, isActive: false };
+    const userSession = { ws, userId, ptyProcess: null, isActive: false, authorizedIPs: [] };
+    const { xsrfToken, laravelSession, sessionCookieName } = getSessionCookie(req);
+
+    // Verify presence of required tokens
+    if (!laravelSession || !xsrfToken) {
+        ws.close(401, 'Unauthorized: Missing required tokens');
+        return;
+    }
+    const response = await axios.post(`http://coolify:8080/terminal/auth/ips`, null, {
+        headers: {
+            'Cookie': `${sessionCookieName}=${laravelSession}`,
+            'X-XSRF-TOKEN': xsrfToken
+        },
+    });
+    userSession.authorizedIPs = response.data.ipAddresses || [];
     userSessions.set(userId, userSession);
 
     ws.on('message', (message) => {
@@ -125,6 +144,20 @@ async function handleCommand(ws, command, userId) {
     const timeout = extractTimeout(commandString);
     const sshArgs = extractSshArgs(commandString);
     const hereDocContent = extractHereDocContent(commandString);
+
+    // Extract target host from SSH command
+    const targetHost = extractTargetHost(sshArgs);
+    if (!targetHost) {
+        ws.send('Invalid SSH command: No target host found');
+        return;
+    }
+
+    // Validate target host against authorized IPs
+    if (!userSession.authorizedIPs.includes(targetHost)) {
+        ws.send(`Unauthorized: Target host ${targetHost} not in authorized list`);
+        return;
+    }
+
     const options = {
         name: 'xterm-color',
         cols: 80,
@@ -152,7 +185,6 @@ async function handleCommand(ws, command, userId) {
         console.error(`Process exited with code ${exitCode} and signal ${signal}`);
         ws.send('pty-exited');
         userSession.isActive = false;
-
     });
 
     if (timeout) {
@@ -162,6 +194,22 @@ async function handleCommand(ws, command, userId) {
     }
 }
 
+function extractTargetHost(sshArgs) {
+    // Find the argument that matches the pattern user@host
+    const userAtHost = sshArgs.find(arg => {
+        // Skip paths that contain 'storage/app/ssh/keys/'
+        if (arg.includes('storage/app/ssh/keys/')) {
+            return false;
+        }
+        return /^[^@]+@[^@]+$/.test(arg);
+    });
+    if (!userAtHost) return null;
+
+    // Extract host from user@host
+    const host = userAtHost.split('@')[1];
+    return host;
+}
+
 async function handleError(err, userId) {
     console.error('WebSocket error:', err);
     await killPtyProcess(userId);
diff --git a/other/nightly/versions.json b/other/nightly/versions.json
index c3f4ba912..6dc9e7a02 100644
--- a/other/nightly/versions.json
+++ b/other/nightly/versions.json
@@ -1,16 +1,16 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.412"
+            "version": "4.0.0-beta.413"
         },
         "nightly": {
-            "version": "4.0.0-beta.413"
+            "version": "4.0.0-beta.414"
         },
         "helper": {
             "version": "1.0.8"
         },
         "realtime": {
-            "version": "1.0.7"
+            "version": "1.0.8"
         },
         "sentinel": {
             "version": "0.0.15"
diff --git a/public/svgs/interviewpal.svg b/public/svgs/interviewpal.svg
new file mode 100644
index 000000000..f0dc3731a
--- /dev/null
+++ b/public/svgs/interviewpal.svg
@@ -0,0 +1 @@
+<svg width="30" height="30" viewBox="0 0 202 192" fill="none" xmlns="http://www.w3.org/2000/svg"><g filter="url(#filter0_ddi_108_149)"><path d="M1 39.1976C1.00455 27.9441 1.00435 20.6882 3.68702 15.1463C6.04676 10.2715 9.81132 6.3077 14.4426 3.82386C19.7076 1.00013 26.5981 1 40.3827 1L160.306 1.00008C174.09 1.00008 180.981 1.00021 186.246 3.82394C190.877 6.30778 194.642 10.2716 197.001 15.1464C199.684 20.6883 199.684 27.9442 199.679 39.1976L201 149.546C201 164.056 201 171.312 198.317 176.854C195.958 181.728 192.193 185.692 187.562 188.176C182.297 191 175.406 191 161.622 191L41.6987 191C27.9141 191 21.0235 191 15.7585 188.176C11.1272 185.692 7.3627 181.728 5.00296 176.853C2.32029 171.312 2.32048 164.056 2.32048 149.546L1 39.1976Z" fill="url(#paint0_linear_108_149)"></path><path d="M34.0387 67.5918C34.0387 55.2761 34.0388 49.1181 36.3158 44.4141C38.3188 40.2764 41.5148 36.9123 45.4458 34.804C49.9148 32.4072 55.7649 32.4072 67.4654 32.4072H131.186C142.886 32.4072 148.736 32.4072 153.206 34.804C157.137 36.9123 160.333 40.2764 162.336 44.4141C164.613 49.1181 164.613 55.2761 164.613 67.5918V112.687C164.613 116.377 164.613 118.221 164.896 120.013C165.147 121.604 165.564 123.16 166.139 124.655C166.786 126.339 167.701 127.912 169.531 131.059L177.976 145.577C178.843 147.068 179.302 148.782 179.302 150.53C179.302 156.464 174.184 160.941 168.641 159.855L135.003 153.262C133.866 153.039 133.298 152.928 132.726 152.85C132.217 152.78 131.706 152.731 131.194 152.701C130.618 152.667 130.04 152.667 128.883 152.667H67.4654C55.7649 152.667 49.9148 152.667 45.4458 150.271C41.5148 148.162 38.3188 144.798 36.3158 140.66C34.0388 135.956 34.0387 129.798 34.0387 117.483V67.5918Z" fill="url(#paint1_linear_108_149)"></path><path d="M84.9615 93.9116C84.9615 101.123 79.4078 106.969 72.557 106.969C65.7062 106.969 60.1526 101.123 60.1526 93.9116C60.1526 86.7005 65.7062 80.8549 72.557 80.8549C79.4078 80.8549 84.9615 86.7005 84.9615 93.9116Z" fill="#EDE9E0"></path><path d="M142.414 93.9114C142.414 101.122 136.861 106.969 130.01 106.969C123.159 106.969 117.605 101.122 117.605 93.9114C117.605 86.7003 123.159 80.8547 130.01 80.8547C136.861 80.8547 142.414 86.7003 142.414 93.9114Z" fill="#EDE9E0"></path><path d="M113.688 63.6753C113.688 70.8863 108.134 76.7319 101.283 76.7319C94.4321 76.7319 88.8784 70.8863 88.8784 63.6753C88.8784 56.4642 94.4321 50.6184 101.283 50.6184C108.134 50.6184 113.688 56.4642 113.688 63.6753Z" fill="#EDE9E0"></path><path d="M113.688 124.149C113.688 131.36 108.134 137.206 101.283 137.206C94.4323 137.206 88.8786 131.36 88.8786 124.149C88.8786 116.938 94.4323 111.092 101.283 111.092C108.134 111.092 113.688 116.938 113.688 124.149Z" fill="#EDE9E0"></path></g><defs><filter id="filter0_ddi_108_149" x="0.637843" y="0.728382" width="200.679" height="190.634" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB"><feFlood flood-opacity="0" result="BackgroundImageFix"></feFlood><feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"></feColorMatrix><feOffset dx="-0.135809" dy="0.135809"></feOffset><feGaussianBlur stdDeviation="0.0905394"></feGaussianBlur><feComposite in2="hardAlpha" operator="out"></feComposite><feColorMatrix type="matrix" values="0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0 0 0.25 0"></feColorMatrix><feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_108_149"></feBlend><feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"></feColorMatrix><feOffset dx="0.181079" dy="-0.135809"></feOffset><feGaussianBlur stdDeviation="0.0679045"></feGaussianBlur><feComposite in2="hardAlpha" operator="out"></feComposite><feColorMatrix type="matrix" values="0 0 0 0 0.0784314 0 0 0 0 0.596078 0 0 0 0 0.282353 0 0 0 0.66 0"></feColorMatrix><feBlend mode="normal" in2="effect1_dropShadow_108_149" result="effect2_dropShadow_108_149"></feBlend><feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_108_149" result="shape"></feBlend><feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"></feColorMatrix><feOffset dx="-0.362157" dy="0.362157"></feOffset><feGaussianBlur stdDeviation="0.271618"></feGaussianBlur><feComposite in2="hardAlpha" operator="arithmetic" k2="-1" k3="1"></feComposite><feColorMatrix type="matrix" values="0 0 0 0 0.722168 0 0 0 0 0.48793 0 0 0 0 0.455246 0 0 0 0.66 0"></feColorMatrix><feBlend mode="normal" in2="shape" result="effect3_innerShadow_108_149"></feBlend></filter><linearGradient id="paint0_linear_108_149" x1="101" y1="1" x2="101" y2="191" gradientUnits="userSpaceOnUse"><stop offset="0.100539" stop-color="#ECE8E1" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-ece8e1, #312b1f);"></stop><stop offset="0.171048" stop-color="#EAE6DE" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-eae6de, #262218);"></stop><stop offset="0.326166" stop-color="#EDE8DF" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-ede8df, #342c1d);"></stop><stop offset="0.520831" stop-color="#EDE7E1" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-ede7e1, #32281e);"></stop><stop offset="0.699493" stop-color="#EBE6E1" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-ebe6e1, #312920);"></stop><stop offset="1" stop-color="#D8D0C8" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-d8d0c8, #3f362d);"></stop></linearGradient><linearGradient id="paint1_linear_108_149" x1="90.8876" y1="1" x2="90.8876" y2="177.393" gradientUnits="userSpaceOnUse"><stop offset="0.100539" stop-color="#84DCA7" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-84dca7, #20724d);"></stop><stop offset="0.171048" stop-color="#6CBA8B" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-6cba8b, #3a7b5d);"></stop><stop offset="0.326166" stop-color="#5AC585" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-5ac585, #308961);"></stop><stop offset="0.520831" stop-color="#2BBE66" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-2bbe66, #229852);"></stop><stop offset="0.699493" stop-color="#139E4A" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-139e4a, #0f7e3b);"></stop><stop offset="1" stop-color="#00AC44" data-darkreader-inline-stopcolor="" style="--darkreader-inline-stopcolor: var(--darkreader-background-00ac44, #008a36);"></stop></linearGradient></defs></svg>
\ No newline at end of file
diff --git a/routes/web.php b/routes/web.php
index 3edfec910..3ddd77361 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -149,6 +149,17 @@ Route::middleware(['auth', 'verified'])->group(function () {
         return response()->json(['authenticated' => false], 401);
     })->name('terminal.auth');
 
+    Route::post('/terminal/auth/ips', function () {
+        if (auth()->check()) {
+            $team = auth()->user()->currentTeam();
+            $ipAddresses = $team->servers()->pluck('ip')->toArray();
+
+            return response()->json(['ipAddresses' => $ipAddresses], 200);
+        }
+
+        return response()->json(['ipAddresses' => []], 401);
+    })->name('terminal.auth.ips');
+
     Route::prefix('invitations')->group(function () {
         Route::get('/{uuid}', [Controller::class, 'acceptInvitation'])->name('team.invitation.accept');
         Route::get('/{uuid}/revoke', [Controller::class, 'revoke_invitation'])->name('team.invitation.revoke');
diff --git a/versions.json b/versions.json
index c3f4ba912..6dc9e7a02 100644
--- a/versions.json
+++ b/versions.json
@@ -1,16 +1,16 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.0.0-beta.412"
+            "version": "4.0.0-beta.413"
         },
         "nightly": {
-            "version": "4.0.0-beta.413"
+            "version": "4.0.0-beta.414"
         },
         "helper": {
             "version": "1.0.8"
         },
         "realtime": {
-            "version": "1.0.7"
+            "version": "1.0.8"
         },
         "sentinel": {
             "version": "0.0.15"