feat: implement API proxy service and relay routing for DID-based remote access

Author: benjinus

packages/node/src/api/routes/relay.ts

@@ -0,0 +1,186 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+import type { RuntimeContext } from '../types.js';
+import { getGlobalLogger } from '../../logger.js';
+
+const logger = getGlobalLogger();
+const DID_PATTERN = /^did:claw:z[A-Za-z0-9]{32,}$/;
+const MAX_BODY_SIZE = 1_048_576; // 1 MB
+
+// ── Simple in-memory rate limiter ────────────────────────
+
+interface RateBucket {
+  count: number;
+  resetAt: number;
+}
+
+const rateBuckets = new Map<string, RateBucket>();
+
+function checkRateLimit(sourceIp: string, maxPerMinute: number): boolean {
+  const now = Date.now();
+  const bucket = rateBuckets.get(sourceIp);
+  if (!bucket || now >= bucket.resetAt) {
+    rateBuckets.set(sourceIp, { count: 1, resetAt: now + 60_000 });
+    return true;
+  }
+  bucket.count++;
+  return bucket.count <= maxPerMinute;
+}
+
+// ── Body reading ─────────────────────────────────────────
+
+function readBody(req: IncomingMessage, maxBytes: number): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    let totalSize = 0;
+    req.on('data', (chunk: Buffer) => {
+      totalSize += chunk.length;
+      if (totalSize > maxBytes) {
+        req.destroy();
+        reject(new Error('Body too large'));
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
+    req.on('error', reject);
+  });
+}
+
+// ── JSON response helper ─────────────────────────────────
+
+function writeJson(res: ServerResponse, status: number, data: unknown): void {
+  res.setHeader('Content-Type', 'application/json');
+  res.writeHead(status);
+  res.end(JSON.stringify(data));
+}
+
+/**
+ * Handle /relay/* requests. Returns true if the request was handled.
+ *
+ * Routes:
+ *   GET  /relay/info                     — gateway info
+ *   GET  /relay/:targetDid/ping          — DID reachability check
+ *   ALL  /relay/:targetDid/api/v1/...    — proxy API requests to target
+ */
+export async function handleRelayRequest(
+  req: IncomingMessage,
+  res: ServerResponse,
+  pathname: string,
+  ctx: RuntimeContext,
+): Promise<boolean> {
+  if (!pathname.startsWith('/relay/') && pathname !== '/relay') return false;
+  if (!ctx.apiProxyService) return false;
+
+  // Strip /relay prefix
+  const subPath = pathname.slice('/relay'.length) || '/';
+
+  // GET /relay/info
+  if (subPath === '/info' || subPath === '/info/') {
+    if (req.method !== 'GET') {
+      writeJson(res, 405, { error: 'Method not allowed' });
+      return true;
+    }
+    const selfDid = ctx.identityService.getSelfDid();
+    writeJson(res, 200, {
+      data: {
+        gatewayDid: selfDid,
+        gatewayEnabled: true,
+      },
+    });
+    return true;
+  }
+
+  // Parse /:targetDid/...
+  // subPath starts with '/', e.g. '/did:claw:zXXX/ping'
+  const withoutLeadingSlash = subPath.slice(1);
+  const firstSlash = withoutLeadingSlash.indexOf('/');
+  const targetDid = firstSlash === -1
+    ? withoutLeadingSlash
+    : withoutLeadingSlash.slice(0, firstSlash);
+  const remaining = firstSlash === -1 ? '' : withoutLeadingSlash.slice(firstSlash);
+
+  if (!DID_PATTERN.test(decodeURIComponent(targetDid))) {
+    writeJson(res, 400, { error: 'Invalid DID format. Expected did:claw:z...' });
+    return true;
+  }
+
+  const decodedDid = decodeURIComponent(targetDid);
+
+  // Rate limiting
+  const sourceIp = (req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim()
+    || req.socket.remoteAddress
+    || 'unknown';
+  if (!checkRateLimit(sourceIp, ctx.apiProxyService.config.rateLimitPerMinute)) {
+    res.setHeader('Retry-After', '60');
+    writeJson(res, 429, { error: 'Rate limit exceeded' });
+    return true;
+  }
+
+  // GET /:targetDid/ping
+  if (remaining === '/ping' || remaining === '/ping/') {
+    if (req.method !== 'GET') {
+      writeJson(res, 405, { error: 'Method not allowed' });
+      return true;
+    }
+    try {
+      const result = await ctx.apiProxyService.ping(decodedDid);
+      writeJson(res, 200, { data: result });
+    } catch (err) {
+      logger.error('[relay] Ping failed for %s: %s', decodedDid, (err as Error).message);
+      writeJson(res, 502, { error: 'Ping failed' });
+    }
+    return true;
+  }
+
+  // Proxy: /:targetDid/api/v1/...
+  if (!remaining.startsWith('/api/')) {
+    writeJson(res, 400, { error: 'Proxy path must start with /api/' });
+    return true;
+  }
+
+  // Read request body
+  let body: string | undefined;
+  if (req.method !== 'GET' && req.method !== 'HEAD' && req.method !== 'DELETE') {
+    try {
+      body = await readBody(req, MAX_BODY_SIZE);
+    } catch {
+      writeJson(res, 413, { error: 'Request body too large (max 1MB)' });
+      return true;
+    }
+  }
+
+  // Collect headers to forward
+  const forwardHeaders: Record<string, string> = {};
+  if (req.headers.authorization) {
+    forwardHeaders['authorization'] = req.headers.authorization as string;
+  }
+  if (req.headers['content-type']) {
+    forwardHeaders['content-type'] = req.headers['content-type'] as string;
+  }
+  forwardHeaders['accept'] = (req.headers.accept as string) || 'application/json';
+
+  try {
+    const proxyResponse = await ctx.apiProxyService.proxyRequest(
+      decodedDid,
+      req.method || 'GET',
+      remaining,
+      forwardHeaders,
+      body,
+    );
+
+    // Write proxy response back to client
+    for (const [key, value] of Object.entries(proxyResponse.headers)) {
+      if (key.toLowerCase() === 'transfer-encoding') continue;
+      res.setHeader(key, String(value));
+    }
+    res.writeHead(proxyResponse.status);
+    res.end(proxyResponse.body ?? '');
+  } catch (err) {
+    writeJson(res, 504, {
+      error: 'Gateway timeout — target node did not respond',
+      detail: (err as Error).message,
+    });
+  }
+
+  return true;
+}

packages/node/src/api/server.ts

@@ -19,6 +19,7 @@ import { clawnetRoutes } from './routes/clawnet.js';
 import { profileRoutes } from './routes/profile.js';
 import { sessionRoutes } from './routes/session.js';
 import { walletRoutes } from './routes/wallets.js';
+import { handleRelayRequest } from './routes/relay.js';
 import type { RuntimeContext } from './types.js';
 
 function buildRouter(ctx: RuntimeContext): Router {
@@ -58,6 +59,8 @@ const AUTH_WHITELIST: Array<{ method?: string; path: string }> = [
   { method: 'PUT', path: '/api/v1/attachments' },
   // GET /api/v1/profile/:did — cached peer profiles are public
   // (matched via startsWith in isAuthExempt since :did varies)
+  // Relay routes — auth is enforced on the target node side
+  { path: '/relay' },
 ];
 
 function isAuthExempt(method: string, pathname: string): boolean {
@@ -130,6 +133,17 @@ export class ApiServer {
         return;
       }
 
+      // Handle /relay/* before standard router (relay needs wildcard path matching)
+      try {
+        const relayHandled = await handleRelayRequest(req, res, parsedUrl.pathname, this.ctx);
+        if (relayHandled) return;
+      } catch (error) {
+        if (res.headersSent) return;
+        const internal = error instanceof TelagentError ? error : new TelagentError(ErrorCodes.INTERNAL, error instanceof Error ? error.message : 'Unexpected error');
+        problem(res, internal.toProblem(req.url));
+        return;
+      }
+
       try {
         const matched = await this.router.handle(req, res);
         if (!matched && !res.headersSent) {

packages/node/src/api/types.ts

@@ -12,6 +12,7 @@ import type { NodeMonitoringService } from '../services/node-monitoring-service.
 import type { OwnerPermissionService } from '../services/owner-permission-service.js';
 import type { SelfProfileStore } from '../storage/profile-store.js';
 import type { PeerProfileRepository } from '../storage/peer-profile-repository.js';
+import type { ApiProxyService } from '../services/api-proxy-service.js';
 
 export interface ApiServerConfig {
   host: string;
@@ -36,4 +37,5 @@ export interface RuntimeContext {
   selfProfileStore: SelfProfileStore;
   peerProfileRepository: PeerProfileRepository;
   configuredPassphrase?: string;
+  apiProxyService?: ApiProxyService;
 }

packages/node/src/app.ts

@@ -10,6 +10,7 @@ import { verifyPassphrase } from './clawnet/verify-passphrase.js';
 import { GroupIndexer } from './indexer/group-indexer.js';
 import { AttachmentService } from './services/attachment-service.js';
 import { ClawNetTransportService } from './services/clawnet-transport-service.js';
+import { ApiProxyService } from './services/api-proxy-service.js';
 import { ContractProvider } from './services/contract-provider.js';
 import { GroupService } from './services/group-service.js';
 import { IdentityAdapterService } from './services/identity-adapter-service.js';
@@ -49,6 +50,7 @@ export class TelagentNode {
   private messageService: MessageService | null = null;
   private attachmentService: AttachmentService | null = null;
   private clawnetTransportService: ClawNetTransportService | null = null;
+  private apiProxyService: ApiProxyService | null = null;
   private monitoringService: NodeMonitoringService | null = null;
   private ownerPermissionService: OwnerPermissionService | null = null;
   private indexer: GroupIndexer | null = null;
@@ -241,6 +243,16 @@ export class TelagentNode {
       this.clawnetGateway,
       { baseUrl: discovery.nodeUrl, apiKey: this.config.clawnet.apiKey },
     );
+
+    // API Proxy Service (DID-based remote access)
+    if (this.config.apiProxy.enabled || this.config.apiProxy.gatewayEnabled) {
+      this.apiProxyService = new ApiProxyService(
+        this.config.apiProxy,
+        this.clawnetTransportService,
+        this.config.port,
+      );
+    }
+
     this.monitoringService = new NodeMonitoringService({
       thresholds: {
         errorRateWarnRatio: this.config.monitoring.errorRateWarnRatio,
@@ -277,6 +289,7 @@ export class TelagentNode {
       selfProfileStore: this.selfProfileStore,
       peerProfileRepository: this.peerProfileRepository,
       configuredPassphrase: passphrase ?? undefined,
+      apiProxyService: this.apiProxyService ?? undefined,
     };
 
     this.apiServer = new ApiServer(runtime);
@@ -352,6 +365,19 @@ export class TelagentNode {
           logger.warn('[telagent] Failed to cache peer profile from %s: %s', sourceDid, (err as Error).message);
         }
       },
+      // API Proxy callbacks (DID-based remote access)
+      onApiProxyRequest: this.apiProxyService
+        ? (req, sourceDid) => this.apiProxyService!.handleProxyRequest(req, sourceDid)
+        : undefined,
+      onApiProxyResponse: this.apiProxyService
+        ? (res) => this.apiProxyService!.handleProxyResponse(res)
+        : undefined,
+      onApiProxyPing: this.apiProxyService
+        ? (pingId, sourceDid) => this.apiProxyService!.handlePing(sourceDid, pingId)
+        : undefined,
+      onApiProxyPong: this.apiProxyService
+        ? (pingId) => this.apiProxyService!.handlePong(pingId)
+        : undefined,
     });
     logger.info('[telagent] P2P transport listener started');
     this.monitoringService.recordMailboxMaintenance(await this.messageService.runMaintenance());
@@ -371,6 +397,7 @@ export class TelagentNode {
     this.sessionManager?.lockAll();
 
     this.stopMailboxCleaner();
+    this.apiProxyService?.dispose();
     this.clawnetTransportService?.stopListening();
     await this.apiServer?.stop();
     await this.indexer?.stop();

packages/node/src/config.ts

@@ -53,6 +53,14 @@ export interface OwnerConfig {
   privateConversations: string[];
 }
 
+export interface ApiProxyConfig {
+  enabled: boolean;
+  gatewayEnabled: boolean;
+  timeoutMs: number;
+  rateLimitPerMinute: number;
+  maxBodyBytes: number;
+}
+
 export interface AppConfig {
   host: string;
   port: number;
@@ -64,6 +72,7 @@ export interface AppConfig {
   clawnet: ClawNetConfig;
   owner: OwnerConfig;
   monitoring: MonitoringConfig;
+  apiProxy: ApiProxyConfig;
 }
 
 export function loadConfigFromEnv(): AppConfig {
@@ -157,6 +166,14 @@ export function loadConfigFromEnv(): AppConfig {
 
   const publicUrl = process.env.TELAGENT_PUBLIC_URL?.trim() || undefined;
 
+  const apiProxy: ApiProxyConfig = {
+    enabled: parseBoolean(process.env.TELAGENT_API_PROXY_ENABLED, true),
+    gatewayEnabled: parseBoolean(process.env.TELAGENT_API_PROXY_GATEWAY_ENABLED, true),
+    timeoutMs: Number(process.env.TELAGENT_API_PROXY_TIMEOUT_MS || 30_000),
+    rateLimitPerMinute: Number(process.env.TELAGENT_API_PROXY_RATE_LIMIT || 60),
+    maxBodyBytes: Number(process.env.TELAGENT_API_PROXY_MAX_BODY_BYTES || 1_048_576),
+  };
+
   return {
     host,
     port,
@@ -175,6 +192,7 @@ export function loadConfigFromEnv(): AppConfig {
       maintenanceStaleWarnSec: Number(process.env.TELAGENT_MONITOR_MAINT_STALE_WARN_SEC || 180),
       maintenanceStaleCriticalSec: Number(process.env.TELAGENT_MONITOR_MAINT_STALE_CRITICAL_SEC || 300),
     },
+    apiProxy,
   };
 }