feat: refactor Socket.IO handling and improve API proxy configuration

- Updated the Socket.IO connection logic to use a unified API proxy path, enhancing maintainability.
- Removed deprecated socket handling functions and adjusted related components for improved clarity.
- Enhanced the Docker and Nuxt configurations to streamline API and WebSocket traffic management.
- Added comments in configuration files to clarify the setup for Socket.IO and reverse-proxy integration.

Author: tacxou

apps/api/.env.example

@@ -1,4 +1,6 @@
 # SESAME_LOG_LEVEL="info"
+# Activer derrière le reverse-proxy Nuxt (proxy /api vers l'API)
+# SESAME_TRUST_PROXY=1
 # SESAME_NAME_QUEUE="sesame"
 SESAME_JWT_SECRET="zeaezazeaezazaeeazrftrqezfqfqszewfsqddfqsqsqsdqdsqdsqdzsdqzsdqzs"
 # Docker (make dev) : hostname du conteneur Redis sur le réseau dev

apps/api/src/_common/functions/resolve-client-ip.ts

@@ -43,6 +43,14 @@ function tcpPeerIp(req: Request): string | null {
   return normalizeIp(req.socket?.remoteAddress ?? null);
 }
 
+function isLoopbackIp(ip: string | null): boolean {
+  return ip === '127.0.0.1' || ip === '::1';
+}
+
+function isTrustProxyEnabled(): boolean {
+  return /^(1|true|on|yes)$/i.test(process.env['SESAME_TRUST_PROXY'] || '');
+}
+
 /**
  * Résout l'IP client réelle derrière CDN / reverse-proxy (Cloudflare, nginx, etc.).
  * À utiliser pour l'auth et les audits ; combiner avec `trust proxy` sur Express si besoin.
@@ -53,6 +61,7 @@ function tcpPeerIp(req: Request): string | null {
  */
 export function resolveClientIp(req: Request): string | null {
   const peerIp = tcpPeerIp(req);
+  const trustedLocalProxy = isTrustProxyEnabled() && isLoopbackIp(peerIp);
   const orderedHeaders = ['cf-connecting-ip', 'true-client-ip', 'x-forwarded-for', 'x-real-ip'] as const;
 
   for (const name of orderedHeaders) {
@@ -63,7 +72,8 @@ export function resolveClientIp(req: Request): string | null {
       continue;
     }
     // Ne pas prendre un « forwarded » qui ne fait que recopier le pair TCP (pas de chaîne utile).
-    if (peerIp && ip === peerIp) {
+    // Exception : derrière le proxy Nuxt local, la chaîne XFF peut être « client, 127.0.0.1 ».
+    if (peerIp && ip === peerIp && !(trustedLocalProxy && name === 'x-forwarded-for' && raw?.includes(','))) {
       continue;
     }
     return ip;

apps/api/tests/unit/_common/functions/resolve-client-ip.spec.ts

@@ -86,6 +86,34 @@ describe('resolveClientIp', () => {
     expect(p.tcpPeerNormalized).toBe('140.82.121.5');
   });
 
+  it('returns X-Real-IP when tcp peer is loopback and trust proxy is enabled', () => {
+    const previous = process.env.SESAME_TRUST_PROXY;
+    process.env.SESAME_TRUST_PROXY = '1';
+    try {
+      const req = makeReq({
+        headers: { 'x-real-ip': '192.168.1.190' },
+        socket: { remoteAddress: '127.0.0.1' } as any,
+      });
+      expect(resolveClientIp(req)).toBe('192.168.1.190');
+    } finally {
+      process.env.SESAME_TRUST_PROXY = previous;
+    }
+  });
+
+  it('returns first X-Forwarded-For hop behind loopback proxy when trust proxy is enabled', () => {
+    const previous = process.env.SESAME_TRUST_PROXY;
+    process.env.SESAME_TRUST_PROXY = '1';
+    try {
+      const req = makeReq({
+        headers: { 'x-forwarded-for': '192.168.65.1, 127.0.0.1' },
+        socket: { remoteAddress: '127.0.0.1' } as any,
+      });
+      expect(resolveClientIp(req)).toBe('192.168.65.1');
+    } finally {
+      process.env.SESAME_TRUST_PROXY = previous;
+    }
+  });
+
   it('keeps raw peer fields in debug payload', () => {
     const req = makeReq({
       headers: { host: 'host.docker.internal:4002' },

apps/web/nuxt.config.ts

@@ -7,21 +7,15 @@ import setupApp from './src/server/extension.setup'
 import { loadingBarHijackFilter } from './src/composables/useLoadingBarHijackFilter'
 
 const SESAME_APP_API_URL = process.env.SESAME_APP_API_URL || 'http://127.0.0.1:4000'
-const SESAME_APP_API_URL_PARSED = new URL(SESAME_APP_API_URL)
-/** URL API exposée au navigateur (WebSocket). Ex. http://mactacx:4002 (Docker) ou :4000 (API native). */
-const SESAME_APP_PUBLIC_API_URL = process.env.SESAME_APP_PUBLIC_API_URL || ''
-/** Port API vu depuis le navigateur (Docker : 4002 mappé, interne API : 4000). */
-const SESAME_APP_PUBLIC_API_PORT = process.env.SESAME_APP_PUBLIC_API_PORT || ''
 const SESAME_ALLOWED_HOSTS = process.env.SESAME_ALLOWED_HOSTS ? process.env.SESAME_ALLOWED_HOSTS.split(',') : []
-const SOCKET_IO_PROXY_TARGET = SESAME_APP_API_URL.replace(/\/$/, '')
+const API_PROXY_TARGET = SESAME_APP_API_URL.replace(/\/$/, '')
 const IS_DEV = process.env.NODE_ENV === 'development'
 
 if (SESAME_ALLOWED_HOSTS.length === 0 && !/localhost/.test(SESAME_APP_API_URL) && IS_DEV) {
   SESAME_ALLOWED_HOSTS.push(new URL(SESAME_APP_API_URL).hostname)
 }
 
 consola.info(`[Nuxt] SESAME_APP_API_URL: ${SESAME_APP_API_URL}`)
-consola.info(`[Nuxt] Socket.IO public port: ${SESAME_APP_PUBLIC_API_PORT || SESAME_APP_API_URL_PARSED.port || '4000'}`)
 consola.info(`[Nuxt] SESAME_ALLOWED_HOSTS: ${SESAME_ALLOWED_HOSTS}`)
 
 let SESAME_APP_DARK_MODE: 'auto' | boolean = false
@@ -84,17 +78,14 @@ export default defineNuxtConfig({
   runtimeConfig: {
     public: {
       release: process.env.npm_package_name + '@' + process.env.npm_package_version,
-      socketApiUrl: SESAME_APP_PUBLIC_API_URL,
-      socketApiPort: SESAME_APP_API_URL_PARSED.port || (SESAME_APP_API_URL_PARSED.protocol === 'https:' ? '443' : '4000'),
-      socketPublicApiPort: SESAME_APP_PUBLIC_API_PORT || SESAME_APP_API_URL_PARSED.port || (SESAME_APP_API_URL_PARSED.protocol === 'https:' ? '443' : '4000'),
-      socketApiProtocol: SESAME_APP_API_URL_PARSED.protocol,
       sentry: {
         dsn: process.env.SESAME_SENTRY_DSN,
       },
     },
   },
   modules: [
     '@sentry/nuxt/module',
+    '@nuxt-alt/proxy',
     '@nuxt-alt/auth',
     '@nuxt-alt/http',
     '@pinia/nuxt',
@@ -105,6 +96,21 @@ export default defineNuxtConfig({
     'nuxt-monaco-editor',
     ...setupApp(),
   ],
+  proxy: {
+    debug: IS_DEV,
+    experimental: {
+      listener: true,
+    },
+    proxies: {
+      '/api': {
+        target: API_PROXY_TARGET,
+        changeOrigin: true,
+        ws: true,
+        xfwd: true,
+        rewrite: (path: string) => path.replace(/^\/api/, ''),
+      },
+    },
+  },
   sentry: {
     autoInjectServerSentry: "top-level-import",
   },
@@ -187,7 +193,7 @@ export default defineNuxtConfig({
         color: 'primary',
         size: '3px',
         position: 'top',
-        /** Exclut socket.io (long-polling) et le polling de synchro / daemon. */
+        /** Exclut Socket.IO (`/api/socket.io`) et le polling de synchro / daemon. */
         hijackFilter: loadingBarHijackFilter,
       },
     },
@@ -206,11 +212,13 @@ export default defineNuxtConfig({
   vite: {
     server: {
       allowedHosts: ['localhost', ...SESAME_ALLOWED_HOSTS],
+      // En dev, le navigateur parle à Vite : seul Vite peut faire l'upgrade WS (Nitro proxy.web → Invalid frame header).
       proxy: {
-        '/socket.io': {
-          target: SOCKET_IO_PROXY_TARGET,
+        '/api/socket.io': {
+          target: API_PROXY_TARGET,
           changeOrigin: true,
           ws: true,
+          rewrite: (path: string) => path.replace(/^\/api/, ''),
         },
       },
     },
@@ -262,17 +270,9 @@ export default defineNuxtConfig({
     typescriptBundlerResolution: true,
   },
   nitro: {
-    devProxy: {
-      '/socket.io': {
-        target: SOCKET_IO_PROXY_TARGET,
-        changeOrigin: true,
-        ws: true,
-      },
-    },
-    routeRules: {
-      '/api/**': {
-        proxy: `${SESAME_APP_API_URL}/**`,
-      },
+    experimental: {
+      /** Requis par @nuxt-alt/proxy pour ne pas intercepter les upgrades WS. */
+      websocket: false,
     },
   },
   experimental: {

apps/web/src/composables/useLoadingBarHijackFilter.ts

@@ -1,6 +1,6 @@
 /** Requêtes en arrière-plan : ne pas déclencher la barre Quasar (XHR hijack). */
 const BACKGROUND_URL_PARTS = [
-  '/socket.io',
+  '/api/socket.io',
   '/core/backends/sync-progress',
 ]
 

apps/web/src/composables/useSocketApiOrigin.ts

@@ -0,0 +1,18 @@
+import type { ManagerOptions, SocketOptions } from 'socket.io-client'
+
+/** Même préfixe que le proxy `/api/**` → API (cf. `nuxt.config.ts` routeRules). */
+export const SOCKET_IO_PATH = '/api/socket.io'
+
+/** Polling d'abord en dev (proxy Nitro HTTP) ; upgrade WS via Vite. Prod : WS en priorité. */
+export function socketIoTransports(): ('websocket' | 'polling')[] {
+  return import.meta.dev ? ['polling', 'websocket'] : ['websocket', 'polling']
+}
+
+export function buildSocketIoClientOptions(auth: { id: string; key: string }): Partial<ManagerOptions & SocketOptions> {
+  return {
+    path: SOCKET_IO_PATH,
+    query: { id: String(auth.id), key: String(auth.key) },
+    transports: socketIoTransports(),
+    reconnectionAttempts: 10,
+  }
+}

apps/web/src/composables/useSocketIoClient.ts

@@ -24,7 +24,7 @@ import { IdentityState } from '~/constants/enums'
 import { useIdentityStateStore } from '~/stores/identityState'
 import { loadingBarDefaults } from '~/composables/useLoadingBarHijackFilter'
 import { attachSocketIoDebug } from '~/composables/useSocketIoDebug'
-import { buildSocketIoClientOptions, resolveSocketApiOrigin } from '~/composables/useSocketApiOrigin'
+import { buildSocketIoClientOptions } from '~/composables/useSocketIoClient'
 import { io, type Socket } from 'socket.io-client'
 
 export default defineNuxtComponent({
@@ -159,7 +159,7 @@ export default defineNuxtComponent({
 
         this.disconnectBackendsSocket()
 
-        this.socket = io(`${resolveSocketApiOrigin()}/core/backends`, buildSocketIoClientOptions({ id, key }))
+        this.socket = io('/core/backends', buildSocketIoClientOptions({ id, key }))
         attachSocketIoDebug(this.socket, '/core/backends')
         this.socket.on('connect', () => {
           Object.assign(this.daemonStatus, { checking: true })

apps/web/src/layouts/default.vue

@@ -220,7 +220,7 @@
 import type { LocationQueryValue } from 'vue-router'
 import { reactive, ref } from 'vue'
 import { attachSocketIoDebug } from '~/composables/useSocketIoDebug'
-import { buildSocketIoClientOptions, resolveSocketApiOrigin } from '~/composables/useSocketApiOrigin'
+import { buildSocketIoClientOptions } from '~/composables/useSocketIoClient'
 import { io, type Socket } from 'socket.io-client'
 import { NewTargetId } from '~/constants/variables'
 
@@ -597,7 +597,7 @@ export default defineNuxtComponent({
       this.logsFollowTail = true
       this.logsLoading = true
 
-      this.logsSocket = io(`${resolveSocketApiOrigin()}/core/cron`, buildSocketIoClientOptions({ id, key }))
+      this.logsSocket = io('/core/cron', buildSocketIoClientOptions({ id, key }))
       attachSocketIoDebug(this.logsSocket, '/core/cron')
 
       this.logsSocket.on('connect', () => {