fix(host-service): add CORS lockdown + PSK auth for local host-service

apps/desktop/src/lib/trpc/routers/host-service-manager/index.ts

@@ -16,7 +16,8 @@ export const createHostServiceManagerRouter = () => {
 				}
 				manager.setCloudApiUrl(env.NEXT_PUBLIC_API_URL);
 				const port = await manager.start(input.organizationId);
-				return { port };
+				const secret = manager.getSecret(input.organizationId);
+				return { port, secret };
 			}),
 
 		getStatus: publicProcedure

apps/desktop/src/lib/trpc/routers/workspaces/procedures/external-worktree-import.test.ts

@@ -9,6 +9,7 @@ import {
 } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { listExternalWorktrees } from "../utils/git";
 
 /**
  * Integration tests for external worktree auto-import feature
@@ -116,10 +117,6 @@ describe("External worktree detection and import", () => {
 		// Create external worktree
 		createExternalWorktree(mainRepoPath, "feature-test", externalWorktreePath);
 
-		// Import the listExternalWorktrees function
-		const { listExternalWorktrees } = await import("../utils/git");
-
-		// List external worktrees
 		const externalWorktrees = await listExternalWorktrees(mainRepoPath);
 
 		// Find our external worktree

apps/desktop/src/main/host-service/index.ts

@@ -10,26 +10,33 @@
 import { serve } from "@hono/node-server";
 import {
 	createApp,
-	JwtAuthProvider,
+	JwtApiAuthProvider,
 	LocalGitCredentialProvider,
+	PskHostAuthProvider,
 } from "@superset/host-service";
 
 const authToken = process.env.AUTH_TOKEN;
 const cloudApiUrl = process.env.CLOUD_API_URL;
 const dbPath = process.env.HOST_DB_PATH;
 const deviceClientId = process.env.DEVICE_CLIENT_ID;
 const deviceName = process.env.DEVICE_NAME;
+const hostServiceSecret = process.env.HOST_SERVICE_SECRET;
 
 const auth =
-	authToken && cloudApiUrl ? new JwtAuthProvider(authToken) : undefined;
+	authToken && cloudApiUrl ? new JwtApiAuthProvider(authToken) : undefined;
+const hostAuth = hostServiceSecret
+	? new PskHostAuthProvider(hostServiceSecret)
+	: undefined;
 
 const { app, injectWebSocket } = createApp({
 	credentials: new LocalGitCredentialProvider(),
 	auth,
+	hostAuth,
 	cloudApiUrl,
 	dbPath,
 	deviceClientId,
 	deviceName,
+	allowedOrigins: ["http://127.0.0.1"],
 });
 
 const server = serve(

apps/desktop/src/main/lib/host-service-manager.ts

@@ -1,5 +1,6 @@
 import type { ChildProcess } from "node:child_process";
 import * as childProcess from "node:child_process";
+import { randomBytes } from "node:crypto";
 import path from "node:path";
 import { app } from "electron";
 import { getProcessEnvWithShellPath } from "../../lib/trpc/routers/workspaces/utils/shell-env";
@@ -11,6 +12,7 @@ type HostServiceStatus = "starting" | "running" | "crashed";
 interface HostServiceProcess {
 	process: ChildProcess | null;
 	port: number | null;
+	secret: string | null;
 	status: HostServiceStatus;
 	restartCount: number;
 	lastCrash?: number;
@@ -91,6 +93,10 @@ export class HostServiceManager {
 		return this.instances.get(organizationId)?.port ?? null;
 	}
 
+	getSecret(organizationId: string): string | null {
+		return this.instances.get(organizationId)?.secret ?? null;
+	}
+
 	getStatus(organizationId: string): HostServiceStatus | null {
 		if (this.pendingStarts.has(organizationId)) {
 			return "starting";
@@ -100,9 +106,11 @@ export class HostServiceManager {
 
 	private async spawn(organizationId: string): Promise<number> {
 		const pendingStart = createPortDeferred();
+		const secret = randomBytes(32).toString("hex");
 		const instance: HostServiceProcess = {
 			process: null,
 			port: null,
+			secret,
 			status: "starting",
 			restartCount: 0,
 			organizationId,
@@ -111,7 +119,7 @@ export class HostServiceManager {
 		this.pendingStarts.set(organizationId, pendingStart);
 
 		try {
-			const env = await this.buildHostServiceEnv(organizationId);
+			const env = await this.buildHostServiceEnv(organizationId, secret);
 			if (this.authToken) {
 				env.AUTH_TOKEN = this.authToken;
 			}
@@ -152,13 +160,15 @@ export class HostServiceManager {
 
 	private async buildHostServiceEnv(
 		organizationId: string,
+		secret: string,
 	): Promise<Record<string, string>> {
 		return getProcessEnvWithShellPath({
 			...(process.env as Record<string, string>),
 			ELECTRON_RUN_AS_NODE: "1",
 			ORGANIZATION_ID: organizationId,
 			DEVICE_CLIENT_ID: getHashedDeviceId(),
 			DEVICE_NAME: getDeviceName(),
+			HOST_SERVICE_SECRET: secret,
 			HOST_DB_PATH: path.join(
 				SUPERSET_HOME_DIR,
 				"host",

apps/desktop/src/renderer/lib/host-service-auth.ts

@@ -0,0 +1,18 @@
+const secrets = new Map<string, string>();
+
+export function setHostServiceSecret(hostUrl: string, secret: string): void {
+	secrets.set(hostUrl, secret);
+}
+
+export function removeHostServiceSecret(hostUrl: string): void {
+	secrets.delete(hostUrl);
+}
+
+export function getHostServiceHeaders(hostUrl: string): Record<string, string> {
+	const secret = secrets.get(hostUrl);
+	return secret ? { Authorization: `Bearer ${secret}` } : {};
+}
+
+export function getHostServiceWsToken(hostUrl: string): string | null {
+	return secrets.get(hostUrl) ?? null;
+}

apps/desktop/src/renderer/lib/host-service-client.ts

@@ -1,6 +1,7 @@
 import type { AppRouter } from "@superset/host-service";
 import { createTRPCClient, httpBatchLink } from "@trpc/client";
 import superjson from "superjson";
+import { getHostServiceHeaders } from "./host-service-auth";
 
 const clientCache = new Map<
 	string,
@@ -22,6 +23,7 @@ export function getHostServiceClientByUrl(hostUrl: string): HostServiceClient {
 			httpBatchLink({
 				url: `${hostUrl}/trpc`,
 				transformer: superjson,
+				headers: () => getHostServiceHeaders(hostUrl),
 			}),
 		],
 	});

apps/desktop/src/renderer/routes/_authenticated/_dashboard/v2-workspace/$workspaceId/components/WorkspaceTerminal/WorkspaceTerminal.tsx

@@ -2,8 +2,8 @@ import { Button } from "@superset/ui/button";
 import { FitAddon } from "@xterm/addon-fit";
 import { Terminal as XTerm } from "@xterm/xterm";
 import "@xterm/xterm/css/xterm.css";
-import { useEffect, useMemo, useRef, useState } from "react";
-import { useWorkspaceHostUrl } from "../../../providers/WorkspaceTrpcProvider/WorkspaceTrpcProvider";
+import { useEffect, useRef, useState } from "react";
+import { useWorkspaceWsUrl } from "../../../providers/WorkspaceTrpcProvider/WorkspaceTrpcProvider";
 
 interface WorkspaceTerminalProps {
 	workspaceId: string;
@@ -25,19 +25,15 @@ type TerminalServerMessage =
 	  };
 
 export function WorkspaceTerminal({ workspaceId }: WorkspaceTerminalProps) {
-	const hostUrl = useWorkspaceHostUrl();
 	const containerRef = useRef<HTMLDivElement | null>(null);
 	const [connectionState, setConnectionState] = useState<
 		"connecting" | "open" | "closed"
 	>("connecting");
 	const [reconnectKey, setReconnectKey] = useState(0);
 
-	const websocketUrl = useMemo(() => {
-		const url = new URL(`/terminal/${workspaceId}`, hostUrl);
-		url.protocol = url.protocol === "https:" ? "wss:" : "ws:";
-		url.searchParams.set("reconnect", String(reconnectKey));
-		return url.toString();
-	}, [hostUrl, reconnectKey, workspaceId]);
+	const websocketUrl = useWorkspaceWsUrl(`/terminal/${workspaceId}`, {
+		reconnect: String(reconnectKey),
+	});
 
 	useEffect(() => {
 		const container = containerRef.current;

apps/desktop/src/renderer/routes/_authenticated/_dashboard/v2-workspace/layout.tsx

@@ -3,6 +3,10 @@ import { useLiveQuery } from "@tanstack/react-db";
 import { createFileRoute, Outlet, useMatchRoute } from "@tanstack/react-router";
 import { useEffect, useRef } from "react";
 import { electronTrpc } from "renderer/lib/electron-trpc";
+import {
+	getHostServiceHeaders,
+	getHostServiceWsToken,
+} from "renderer/lib/host-service-auth";
 import { getWorkspaceHostUrlForWorkspace } from "renderer/lib/v2-workspace-host";
 import { useDashboardSidebarState } from "renderer/routes/_authenticated/hooks/useDashboardSidebarState";
 import { useCollections } from "renderer/routes/_authenticated/providers/CollectionsProvider";
@@ -53,12 +57,14 @@ function V2WorkspaceLayout() {
 		? (services.get(workspace.organizationId)?.url ?? null)
 		: null;
 	const shouldWaitForDeviceInfo = workspace !== null && isDeviceInfoPending;
+	const isLocal = workspace?.deviceId === currentDevice?.id;
 	const hostUrl =
 		!workspace || shouldWaitForDeviceInfo
 			? null
-			: workspace.deviceId === currentDevice?.id
+			: isLocal
 				? localHostUrl
 				: getWorkspaceHostUrlForWorkspace(workspace.id);
+
 	const lastEnsuredWorkspaceIdRef = useRef<string | null>(null);
 
 	useEffect(() => {
@@ -93,6 +99,8 @@ function V2WorkspaceLayout() {
 			cacheKey={workspace.id}
 			key={`${workspace.id}:${hostUrl}`}
 			hostUrl={hostUrl}
+			headers={() => getHostServiceHeaders(hostUrl)}
+			wsToken={() => getHostServiceWsToken(hostUrl)}
 		>
 			<Outlet />
 		</WorkspaceTrpcProvider>

apps/desktop/src/renderer/routes/_authenticated/_dashboard/v2-workspace/providers/WorkspaceTrpcProvider/WorkspaceTrpcProvider.tsx

@@ -1,4 +1,5 @@
 export {
 	useWorkspaceHostUrl,
+	useWorkspaceWsUrl,
 	WorkspaceClientProvider as WorkspaceTrpcProvider,
 } from "@superset/workspace-client";

apps/desktop/src/renderer/routes/_authenticated/providers/HostServiceProvider/HostServiceProvider.tsx

@@ -9,6 +9,7 @@ import {
 import { env } from "renderer/env.renderer";
 import { authClient } from "renderer/lib/auth-client";
 import { electronTrpc } from "renderer/lib/electron-trpc";
+import { setHostServiceSecret } from "renderer/lib/host-service-auth";
 import {
 	getHostServiceClient,
 	type HostServiceClient,
@@ -73,10 +74,14 @@ export function HostServiceProvider({ children }: { children: ReactNode }) {
 	const services = useMemo(() => {
 		const map = new Map<string, OrgService>();
 
-		const addOrg = (orgId: string, port: number) => {
+		const addOrg = (orgId: string, port: number, secret: string | null) => {
+			const url = `http://127.0.0.1:${port}`;
+			if (secret) {
+				setHostServiceSecret(url, secret);
+			}
 			map.set(orgId, {
 				port,
-				url: `http://127.0.0.1:${port}`,
+				url,
 				client: getHostServiceClient(port),
 			});
 		};
@@ -86,7 +91,7 @@ export function HostServiceProvider({ children }: { children: ReactNode }) {
 				organizationId: orgId,
 			});
 			if (cached?.port) {
-				addOrg(orgId, cached.port);
+				addOrg(orgId, cached.port, cached.secret ?? null);
 			}
 		}
 
@@ -96,7 +101,11 @@ export function HostServiceProvider({ children }: { children: ReactNode }) {
 			activePortData?.port &&
 			!map.has(activeOrganizationId)
 		) {
-			addOrg(activeOrganizationId, activePortData.port);
+			addOrg(
+				activeOrganizationId,
+				activePortData.port,
+				activePortData.secret ?? null,
+			);
 		}
 
 		return map;

packages/host-service/src/api/createApiClient/createApiClient.ts

@@ -1,12 +1,12 @@
 import type { AppRouter } from "@superset/trpc";
 import { createTRPCClient, httpBatchLink } from "@trpc/client";
 import SuperJSON from "superjson";
-import type { AuthProvider } from "../../providers/auth";
+import type { ApiAuthProvider } from "../../providers/auth";
 import type { ApiClient } from "../../types";
 
 export function createApiClient(
 	baseUrl: string,
-	authProvider: AuthProvider,
+	authProvider: ApiAuthProvider,
 ): ApiClient {
 	return createTRPCClient<AppRouter>({
 		links: [