fix: restore SSO functionality with basic auth credentials

  - Pass SSH credentials from basic auth session to client config in connectionHandler
  - Add webssh2Config placeholder to client index.html for proper injection
  - Enable autoConnect when credentials are provided via basic auth
  - Credentials now properly flow from HTTP basic auth to WebSocket session
  - bump webssh2_client@2.0.0-alpha.6

chore: update example Dockerfile to `node:22-alpine`

Author: billchurch

Dockerfile

@@ -1,29 +1,8 @@
-# Use debian:bookworm-slim runtime as a parent image
-FROM debian:bookworm-slim
+# Use node:22-alpine as a parent image for smallest size and best security
+FROM node:22-alpine
 
-RUN rm /bin/sh && ln -s /bin/bash /bin/sh
-
-RUN apt-get update \
-    && apt-get install -y curl \
-    && apt-get -y autoclean
-
-# nvm environment variables
-ENV NVM_DIR /usr/local/nvm
-ENV NODE_VERSION 22
-
-RUN mkdir -p $NVM_DIR
-
-# install nvm
-# https://github.com/creationix/nvm#install-script
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh | bash
-
-ENV NODE_PATH $NVM_DIR/v$NODE_VERSION/lib/node_modules
-ENV PATH $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
-
-RUN echo "source $NVM_DIR/nvm.sh && \
-    nvm install $NODE_VERSION && \
-    nvm alias default $NODE_VERSION && \
-    nvm use default" | bash
+# Alpine uses ash shell by default, which is sufficient for our needs
+# No need to install bash unless specifically required
 
 # Set the working directory in the container
 WORKDIR /usr/src/app

app/connectionHandler.js

@@ -5,7 +5,7 @@ import { promises as fs } from 'fs'
 import path from 'path'
 import { createNamespacedDebug } from './logger.js'
 import { HTTP, MESSAGES, DEFAULTS } from './constants.js'
-import { modifyHtml } from './utils.js'
+import { modifyHtml, maskSensitiveData } from './utils.js'
 import { getClientPublicPath } from './client-path.js'
 const debug = createNamespacedDebug('connectionHandler')
 
@@ -43,6 +43,27 @@ async function handleConnection(req, res) {
     autoConnect: req.path.startsWith('/host/'), // Automatically connect if path starts with /host/
   }
 
+  // Include SSH credentials from session when using basic auth
+  if (req.session.usedBasicAuth && req.session.sshCredentials) {
+    tempConfig.ssh = {
+      host: req.session.sshCredentials.host,
+      port: req.session.sshCredentials.port,
+      username: req.session.sshCredentials.username,
+      password: req.session.sshCredentials.password,
+      ...(req.session.sshCredentials.privateKey && { privateKey: req.session.sshCredentials.privateKey }),
+      ...(req.session.sshCredentials.passphrase && { passphrase: req.session.sshCredentials.passphrase }),
+      ...(req.session.sshCredentials.term && { sshterm: req.session.sshCredentials.term })
+    }
+    debug('Including SSH credentials from basic auth session: %O', {
+      host: tempConfig.ssh.host,
+      port: tempConfig.ssh.port,
+      username: tempConfig.ssh.username,
+      hasPassword: !!tempConfig.ssh.password,
+      hasPrivateKey: !!tempConfig.ssh.privateKey,
+      term: tempConfig.ssh.sshterm
+    })
+  }
+
   const filePath = path.join(clientPath, DEFAULTS.CLIENT_FILE)
   await handleFileRead(filePath, tempConfig, res)
 }

package-lock.json

@@ -42,7 +42,7 @@
     "socket.io": "^4.8.1",
     "ssh2": "1.17",
     "validator": "^13.15.15",
-    "webssh2_client": "^2.0.0-alpha.4"
+    "webssh2_client": "^2.0.0-alpha.6"
   },
   "scripts": {
     "start": "node index.js",