(opts: {
wsUrl: string
sessionId: string
token: string
})
| 153 | * container runs the CLI under Node, not Bun. |
| 154 | */ |
export async function startUpstreamProxyRelay(opts: {
  wsUrl: string
  sessionId: string
  token: string
}): Promise<UpstreamProxyRelay> {
  const { wsUrl, sessionId, token } = opts

  // Credential #1: Proxy-Authorization value carried inside the tunneled
  // CONNECT, built as Basic base64("<sessionId>:<token>").
  // NOTE(review): Basic credentials are split on the first ':'; presumably
  // session IDs never contain a colon — confirm against the ID format.
  const basicCredentials = Buffer.from(`${sessionId}:${token}`).toString(
    'base64',
  )
  const authHeader = 'Basic ' + basicCredentials

  // Credential #2: the WebSocket upgrade is itself auth-gated (proto authn:
  // PRIVATE_API). The gateway expects the session-ingress JWT on the upgrade
  // request, independently of the Proxy-Authorization above.
  // NOTE(review): nothing in this function checks the scheme of wsUrl, and
  // the bearer token rides on the upgrade request — confirm that the caller
  // or the relay starters only ever receive a wss:// URL.
  const wsAuthHeader = `Bearer ${token}`

  // Choose the relay implementation by runtime: Bun when the Bun global is
  // defined, otherwise Node. Only the Node starter is awaited.
  let relay: UpstreamProxyRelay
  if (typeof Bun !== 'undefined') {
    relay = startBunRelay(wsUrl, authHeader, wsAuthHeader)
  } else {
    relay = await startNodeRelay(wsUrl, authHeader, wsAuthHeader)
  }

  // Both header values embed the session token, so the debug line reports
  // the listening port only; keep the headers out of any logging added here.
  logForDebugging(`[upstreamproxy] relay listening on 127.0.0.1:${relay.port}`)
  return relay
}
| 175 | |
| 176 | function startBunRelay( |
| 177 | wsUrl: string, |