ably
diff --git a/‎.env.example‎
Lines changed: 10 additions & 3 deletions b/‎.env.example‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎examples/web-cli/api/sign.ts‎
Lines changed: 48 additions & 0 deletions b/‎examples/web-cli/api/sign.ts‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎examples/web-cli/package.json‎
Lines changed: 1 addition & 0 deletions b/‎examples/web-cli/package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎examples/web-cli/src/App.tsx‎
Lines changed: 120 additions & 101 deletions b/‎examples/web-cli/src/App.tsx‎
Lines changed: 120 additions & 101 deletions
@@ -10,9 +10,16 @@ E2E_ABLY_ABLY_ACCESS_TOKEN=your_control_api_access_token
 # Set this to skip E2E tests even when API key is present (for CI or local dev when you don't want to run E2E tests)
 # SKIP_E2E_TESTS=true
 
-# CI bypass secret for rate limit bypass in parallel tests
-# This should match the CI_BYPASS_SECRET on the terminal server
-CI_BYPASS_SECRET=your_ci_bypass_secret
+# Terminal server signing secret
+# MUST match the live server's SIGNING_SECRET configuration at wss://web-cli.ably.com
+# Used to:
+#   1. Sign credentials for HMAC authentication (signedConfig + signature)
+#   2. Bypass rate limiting in tests (bypassRateLimit flag in signed config)
+# Contact platform team for the actual secret
+TERMINAL_SERVER_SIGNING_SECRET=your_signing_secret
+
+# Legacy: CI_BYPASS_SECRET (still supported as fallback)
+# CI_BYPASS_SECRET=your_ci_bypass_secret
 
 # Terminal server URL for local testing (defaults to production)
 # TERMINAL_SERVER_URL=ws://localhost:8080
@@ -0,0 +1,48 @@
+import type { VercelRequest, VercelResponse } from "@vercel/node";
+import { signCredentials, getSigningSecret } from "../lib/sign-handler.js";
+
+/**
+ * Vercel Serverless Function: Sign credentials for terminal authentication
+ *
+ * This endpoint signs API keys with HMAC-SHA256 to create signed configs
+ * that can be validated by the terminal server.
+ *
+ * Environment Variables Required:
+ * - SIGNING_SECRET or TERMINAL_SERVER_SIGNING_SECRET
+ *
+ * Request Body:
+ * - apiKey: string (required) - Ably API key in format "appId.keyId:secret"
+ * - bypassRateLimit: boolean (optional) - Set to true for CI/testing
+ *
+ * Response:
+ * - signedConfig: string - JSON-encoded config that was signed
+ * - signature: string - HMAC-SHA256 hex signature
+ */
+export default async function handler(
+  req: VercelRequest,
+  res: VercelResponse,
+) {
+  // Only accept POST requests
+  if (req.method !== "POST") {
+    return res.status(405).json({ error: "Method not allowed" });
+  }
+
+  // Get signing secret from environment
+  const secret = getSigningSecret();
+
+  if (!secret) {
+    console.error("[/api/sign] Signing secret not configured");
+    return res.status(500).json({ error: "Signing secret not configured" });
+  }
+
+  const { apiKey, bypassRateLimit } = req.body;
+
+  if (!apiKey) {
+    return res.status(400).json({ error: "apiKey is required" });
+  }
+
+  // Use shared signing logic
+  const result = signCredentials({ apiKey, bypassRateLimit }, secret);
+
+  res.status(200).json(result);
+}
@@ -23,6 +23,7 @@
     "@tailwindcss/vite": "^4.1.5",
     "@types/react": "^18.3.20",
     "@types/react-dom": "^18.3.5",
+    "@vercel/node": "^5.5.17",
     "@vitejs/plugin-react": "^4.3.4",
     "autoprefixer": "^10.4.21",
     "eslint": "^9.21.0",
 
@@ -32,80 +32,86 @@ const getCIAuthToken = (): string | undefined => {
   return (window as CliWindow).__ABLY_CLI_CI_AUTH_TOKEN__;
 };
 
-// Get credentials from various sources
+// Get signed credentials from various sources
 const getInitialCredentials = () => {
   const urlParams = new URLSearchParams(window.location.search);
-  
+
   // Get the domain from the WebSocket URL for scoping
   const wsUrl = getWebSocketUrl();
   const wsDomain = new URL(wsUrl).host;
-  
+
   // Check if we should clear credentials (for testing)
   if (urlParams.get('clearCredentials') === 'true') {
+    // Clear new signed format
+    localStorage.removeItem(`ably.web-cli.signedConfig.${wsDomain}`);
+    localStorage.removeItem(`ably.web-cli.signature.${wsDomain}`);
+    localStorage.removeItem(`ably.web-cli.rememberCredentials.${wsDomain}`);
+    sessionStorage.removeItem(`ably.web-cli.signedConfig.${wsDomain}`);
+    sessionStorage.removeItem(`ably.web-cli.signature.${wsDomain}`);
+    // Also clear old format (migration)
     localStorage.removeItem(`ably.web-cli.apiKey.${wsDomain}`);
     localStorage.removeItem(`ably.web-cli.accessToken.${wsDomain}`);
-    localStorage.removeItem(`ably.web-cli.rememberCredentials.${wsDomain}`);
-    // Also clear from sessionStorage
     sessionStorage.removeItem(`ably.web-cli.apiKey.${wsDomain}`);
     sessionStorage.removeItem(`ably.web-cli.accessToken.${wsDomain}`);
     // Remove the clearCredentials param from URL
     const cleanUrl = new URL(window.location.href);
     cleanUrl.searchParams.delete('clearCredentials');
     window.history.replaceState(null, '', cleanUrl.toString());
   }
-  
-  // Check localStorage for persisted credentials (if user chose to remember)
+
+  // Check query parameters FIRST (for test environment signed configs)
+  const qsSignedConfig = urlParams.get('signedConfig');
+  const qsSignature = urlParams.get('signature');
+
+  if (qsSignedConfig && qsSignature) {
+    console.log('[App] Using signed config from query parameters');
+    return {
+      signedConfig: qsSignedConfig,
+      signature: qsSignature,
+      source: 'query' as const
+    };
+  }
+
+  // Check localStorage for persisted signed credentials (if user chose to remember)
   const rememberCredentials = localStorage.getItem(`ably.web-cli.rememberCredentials.${wsDomain}`) === 'true';
   if (rememberCredentials) {
-    const storedApiKey = localStorage.getItem(`ably.web-cli.apiKey.${wsDomain}`);
-    const storedAccessToken = localStorage.getItem(`ably.web-cli.accessToken.${wsDomain}`);
-    if (storedApiKey) {
-      return { 
-        apiKey: storedApiKey, 
-        accessToken: storedAccessToken || undefined,
+    const storedSignedConfig = localStorage.getItem(`ably.web-cli.signedConfig.${wsDomain}`);
+    const storedSignature = localStorage.getItem(`ably.web-cli.signature.${wsDomain}`);
+    if (storedSignedConfig && storedSignature) {
+      console.log('[App] Using signed config from localStorage');
+      return {
+        signedConfig: storedSignedConfig,
+        signature: storedSignature,
         source: 'localStorage' as const
       };
     }
   }
-  
-  // Check sessionStorage for session-only credentials
-  const sessionApiKey = sessionStorage.getItem(`ably.web-cli.apiKey.${wsDomain}`);
-  const sessionAccessToken = sessionStorage.getItem(`ably.web-cli.accessToken.${wsDomain}`);
-  if (sessionApiKey) {
-    return { 
-      apiKey: sessionApiKey, 
-      accessToken: sessionAccessToken || undefined,
+
+  // Check sessionStorage for session-only signed credentials
+  const sessionSignedConfig = sessionStorage.getItem(`ably.web-cli.signedConfig.${wsDomain}`);
+  const sessionSignature = sessionStorage.getItem(`ably.web-cli.signature.${wsDomain}`);
+  if (sessionSignedConfig && sessionSignature) {
+    console.log('[App] Using signed config from sessionStorage');
+    return {
+      signedConfig: sessionSignedConfig,
+      signature: sessionSignature,
       source: 'session' as const
     };
   }
 
-  // Then check query parameters (only in non-production environments)
-  const qsApiKey = urlParams.get('apikey') || urlParams.get('apiKey');
-  const qsAccessToken = urlParams.get('accessToken') || urlParams.get('accesstoken');
-  
-  // Security check: only allow query param auth in development/test environments
-  const isProduction = import.meta.env.PROD && !window.location.hostname.includes('localhost') && !window.location.hostname.includes('127.0.0.1');
-  
-  if (qsApiKey) {
-    if (isProduction) {
-      console.error('Security Warning: API keys in query parameters are not allowed in production environments.');
-      // Clear the sensitive query parameters from the URL
-      const cleanUrl = new URL(window.location.href);
-      cleanUrl.searchParams.delete('apikey');
-      cleanUrl.searchParams.delete('apiKey');
-      cleanUrl.searchParams.delete('accessToken');
-      cleanUrl.searchParams.delete('accesstoken');
-      window.history.replaceState(null, '', cleanUrl.toString());
-    } else {
-      return { 
-        apiKey: qsApiKey, 
-        accessToken: qsAccessToken || undefined,
-        source: 'query' as const
-      };
-    }
+  // Check for old format credentials (migration)
+  const oldApiKey = localStorage.getItem(`ably.web-cli.apiKey.${wsDomain}`) ||
+                    sessionStorage.getItem(`ably.web-cli.apiKey.${wsDomain}`);
+  if (oldApiKey) {
+    console.warn('[App] Found old credential format. Please re-authenticate with signed credentials.');
+    // Clear old format
+    localStorage.removeItem(`ably.web-cli.apiKey.${wsDomain}`);
+    localStorage.removeItem(`ably.web-cli.accessToken.${wsDomain}`);
+    sessionStorage.removeItem(`ably.web-cli.apiKey.${wsDomain}`);
+    sessionStorage.removeItem(`ably.web-cli.accessToken.${wsDomain}`);
   }
 
-  return { apiKey: undefined, accessToken: undefined, source: 'none' as const };
+  return { signedConfig: undefined, signature: undefined, source: 'none' as const };
 };
 
 function App() {
@@ -117,11 +123,11 @@ function App() {
   const [displayMode, setDisplayMode] = useState<"fullscreen" | "drawer">(initialMode);
   const [showAuthSettings, setShowAuthSettings] = useState(false);
 
-  // Initialize credentials
+  // Initialize signed credentials
   const initialCreds = getInitialCredentials();
-  const [apiKey, setApiKey] = useState<string | undefined>(initialCreds.apiKey);
-  const [accessToken, setAccessToken] = useState<string | undefined>(initialCreds.accessToken);
-  const [isAuthenticated, setIsAuthenticated] = useState(Boolean(initialCreds.apiKey && initialCreds.apiKey.trim()));
+  const [signedConfig, setSignedConfig] = useState<string | undefined>(initialCreds.signedConfig);
+  const [signature, setSignature] = useState<string | undefined>(initialCreds.signature);
+  const [isAuthenticated, setIsAuthenticated] = useState(Boolean(initialCreds.signedConfig && initialCreds.signature));
   const [authSource, setAuthSource] = useState(initialCreds.source);
   // Get the URL and domain early for use in state initialization
   const currentWebsocketUrl = getWebSocketUrl();
@@ -144,64 +150,79 @@ function App() {
   }, []);
 
   // Handle authentication
-  const handleAuthenticate = useCallback((newApiKey: string, newAccessToken: string, remember?: boolean) => {
-    // Clear any existing session data when credentials change (domain-scoped)
-    sessionStorage.removeItem(`ably.cli.sessionId.${wsDomain}`);
-    sessionStorage.removeItem(`ably.cli.secondarySessionId.${wsDomain}`);
-    sessionStorage.removeItem(`ably.cli.isSplit.${wsDomain}`);
-    
-    setApiKey(newApiKey);
-    setAccessToken(newAccessToken);
-    setIsAuthenticated(true);
-    setShowAuthSettings(false);
-    
-    // Determine if we should remember based on parameter or current state
-    const shouldRemember = remember !== undefined ? remember : rememberCredentials;
-    
-    if (shouldRemember) {
-      // Store in localStorage for persistence (domain-scoped)
-      localStorage.setItem(`ably.web-cli.apiKey.${wsDomain}`, newApiKey);
-      localStorage.setItem(`ably.web-cli.rememberCredentials.${wsDomain}`, 'true');
-      if (newAccessToken) {
-        localStorage.setItem(`ably.web-cli.accessToken.${wsDomain}`, newAccessToken);
-      } else {
-        localStorage.removeItem(`ably.web-cli.accessToken.${wsDomain}`);
+  const handleAuthenticate = useCallback(async (newApiKey: string, remember?: boolean) => {
+    try {
+      // Call /api/sign endpoint to get signed config
+      const response = await fetch('/api/sign', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          apiKey: newApiKey,
+          bypassRateLimit: false
+        })
+      });
+
+      if (!response.ok) {
+        const error = await response.json();
+        console.error('[App] Failed to sign credentials:', error);
+        throw new Error(error.error || 'Failed to sign credentials');
       }
-      setAuthSource('localStorage');
-    } else {
-      // Store only in sessionStorage (domain-scoped)
-      sessionStorage.setItem(`ably.web-cli.apiKey.${wsDomain}`, newApiKey);
-      if (newAccessToken) {
-        sessionStorage.setItem(`ably.web-cli.accessToken.${wsDomain}`, newAccessToken);
+
+      const { signedConfig: newSignedConfig, signature: newSignature } = await response.json();
+
+      // Clear any existing session data when credentials change (domain-scoped)
+      sessionStorage.removeItem(`ably.cli.sessionId.${wsDomain}`);
+      sessionStorage.removeItem(`ably.cli.secondarySessionId.${wsDomain}`);
+      sessionStorage.removeItem(`ably.cli.isSplit.${wsDomain}`);
+
+      setSignedConfig(newSignedConfig);
+      setSignature(newSignature);
+      setIsAuthenticated(true);
+      setShowAuthSettings(false);
+
+      // Determine if we should remember based on parameter or current state
+      const shouldRemember = remember !== undefined ? remember : rememberCredentials;
+
+      if (shouldRemember) {
+        // Store in localStorage for persistence (domain-scoped)
+        localStorage.setItem(`ably.web-cli.signedConfig.${wsDomain}`, newSignedConfig);
+        localStorage.setItem(`ably.web-cli.signature.${wsDomain}`, newSignature);
+        localStorage.setItem(`ably.web-cli.rememberCredentials.${wsDomain}`, 'true');
+        setAuthSource('localStorage');
       } else {
-        sessionStorage.removeItem(`ably.web-cli.accessToken.${wsDomain}`);
+        // Store only in sessionStorage (domain-scoped)
+        sessionStorage.setItem(`ably.web-cli.signedConfig.${wsDomain}`, newSignedConfig);
+        sessionStorage.setItem(`ably.web-cli.signature.${wsDomain}`, newSignature);
+        // Clear from localStorage if it was there (domain-scoped)
+        localStorage.removeItem(`ably.web-cli.signedConfig.${wsDomain}`);
+        localStorage.removeItem(`ably.web-cli.signature.${wsDomain}`);
+        localStorage.removeItem(`ably.web-cli.rememberCredentials.${wsDomain}`);
+        setAuthSource('session');
       }
-      // Clear from localStorage if it was there (domain-scoped)
-      localStorage.removeItem(`ably.web-cli.apiKey.${wsDomain}`);
-      localStorage.removeItem(`ably.web-cli.accessToken.${wsDomain}`);
-      localStorage.removeItem(`ably.web-cli.rememberCredentials.${wsDomain}`);
-      setAuthSource('session');
+
+      setRememberCredentials(shouldRemember);
+    } catch (error) {
+      console.error('[App] Authentication error:', error);
+      throw error;
     }
-    
-    setRememberCredentials(shouldRemember);
   }, [rememberCredentials, wsDomain]);
 
   // Handle auth settings save
-  const handleAuthSettingsSave = useCallback((newApiKey: string, newAccessToken: string, remember: boolean) => {
+  const handleAuthSettingsSave = useCallback(async (newApiKey: string, remember: boolean) => {
     if (newApiKey) {
-      handleAuthenticate(newApiKey, newAccessToken, remember);
+      await handleAuthenticate(newApiKey, remember);
     } else {
       // Clear all credentials - go back to auth screen (domain-scoped)
       sessionStorage.removeItem(`ably.cli.sessionId.${wsDomain}`);
       sessionStorage.removeItem(`ably.cli.secondarySessionId.${wsDomain}`);
       sessionStorage.removeItem(`ably.cli.isSplit.${wsDomain}`);
-      sessionStorage.removeItem(`ably.web-cli.apiKey.${wsDomain}`);
-      sessionStorage.removeItem(`ably.web-cli.accessToken.${wsDomain}`);
-      localStorage.removeItem(`ably.web-cli.apiKey.${wsDomain}`);
-      localStorage.removeItem(`ably.web-cli.accessToken.${wsDomain}`);
+      sessionStorage.removeItem(`ably.web-cli.signedConfig.${wsDomain}`);
+      sessionStorage.removeItem(`ably.web-cli.signature.${wsDomain}`);
+      localStorage.removeItem(`ably.web-cli.signedConfig.${wsDomain}`);
+      localStorage.removeItem(`ably.web-cli.signature.${wsDomain}`);
       localStorage.removeItem(`ably.web-cli.rememberCredentials.${wsDomain}`);
-      setApiKey(undefined);
-      setAccessToken(undefined);
+      setSignedConfig(undefined);
+      setSignature(undefined);
       setIsAuthenticated(false);
       setShowAuthSettings(false);
       setRememberCredentials(false);
@@ -220,11 +241,11 @@ function App() {
   // Prepare the terminal component instance to pass it down
   const termRef = useRef<AblyCliTerminalHandle>(null);
   const TerminalInstance = useCallback(() => (
-    isAuthenticated && apiKey && apiKey.trim() ? (
+    isAuthenticated && signedConfig && signature ? (
       <AblyCliTerminal
         ref={termRef}
-        ablyAccessToken={accessToken}
-        ablyApiKey={apiKey}
+        signedConfig={signedConfig}
+        signature={signature}
         onConnectionStatusChange={handleConnectionChange}
         onSessionEnd={handleSessionEnd}
         onSessionId={handleSessionId}
@@ -233,10 +254,9 @@ function App() {
         enableSplitScreen={true}
         showSplitControl={true}
         maxReconnectAttempts={5} /* In the example, limit reconnection attempts for testing, default is 15 */
-        ciAuthToken={getCIAuthToken()}
       />
     ) : null
-  ), [isAuthenticated, apiKey, accessToken, handleConnectionChange, handleSessionEnd, handleSessionId, currentWebsocketUrl]);
+  ), [isAuthenticated, signedConfig, signature, handleConnectionChange, handleSessionEnd, handleSessionId, currentWebsocketUrl]);
 
   // Show auth screen if not authenticated
   if (!isAuthenticated) {
@@ -323,8 +343,7 @@ function App() {
         isOpen={showAuthSettings}
         onClose={() => setShowAuthSettings(false)}
         onSave={handleAuthSettingsSave}
-        currentApiKey={apiKey}
-        currentAccessToken={accessToken}
+        currentSignedConfig={signedConfig}
         rememberCredentials={rememberCredentials}
       />
     </div>