move source files to src folder,

move localdb to config folder,
consolidate vars.js with localdb,
move service scripts to service folder

src/db.js

@@ -0,0 +1,43 @@
+import { readFileSync, writeFileSync } from "fs";
+import { exit } from "process";
+
+class localdb {
+	#filename = "config/localdb.json";
+	#data = null;
+	constructor() {
+		try {
+			this.load(this.#filename);
+		}
+		catch {
+			console.log("Error: localdb.json was not found. Please follow the directions in the README to initialize localdb.json.");
+			exit(1);
+		}
+	}
+	load(path) {
+		this.#data = JSON.parse(readFileSync(path));
+	}
+	save(path) {
+		writeFileSync(path, JSON.stringify(this.#data));
+	}
+	getApplicationConfig() {
+		return this.#data.application;
+	}
+	getResourceConfig() {
+		return this.#data.resources;
+	}
+	getUserConfig(username) {
+		if (this.#data.users[username]) {
+			return this.#data.users[username];
+		}
+		else {
+			return null;
+		}
+	}
+}
+
+export const db = new localdb();
+export const pveAPI = db.getApplicationConfig().pveAPI;
+export const pveAPIToken = db.getApplicationConfig().pveAPIToken;
+export const listenPort = db.getApplicationConfig().listenPort;
+export const hostname = db.getApplicationConfig().hostname;
+export const domain = db.getApplicationConfig().domain;

src/main.js

@@ -0,0 +1,787 @@
+import express from "express";
+import bodyParser from "body-parser";
+import cookieParser from "cookie-parser";
+import cors from "cors";
+import morgan from "morgan";
+import api from "../package.json" assert {type: "json"};
+
+import { requestPVE, handleResponse, getDiskInfo } from "./pve.js";
+import { checkAuth, approveResources, getUserResources } from "./utils.js";
+import { db, pveAPIToken, listenPort, hostname, domain } from "./db.js";
+
+const app = express();
+app.use(bodyParser.urlencoded({ extended: true }));
+app.use(cookieParser())
+app.use(cors({ origin: hostname }));
+app.use(morgan("combined"));
+
+/**
+ * GET - get API version
+ * responses:
+ * - 200: {version: String}
+ */
+app.get("/api/version", (req, res) => {
+	res.status(200).send({ version: api.version });
+});
+
+/**
+ * GET - echo request
+ * responses:
+ * - 200: {body: request.body, cookies: request.cookies}
+ */
+app.get("/api/echo", (req, res) => {
+	res.status(200).send({ body: req.body, cookies: req.cookies });
+});
+
+/**
+ * GET - check authentication
+ * responses:
+ * - 200: {auth: true, path: String}
+ * - 401: {auth: false, path: String}
+ */
+app.get("/api/auth", async (req, res) => {
+	let auth = await checkAuth(req.cookies, res);
+	if (!auth) { return; }
+	res.status(200).send({ auth: true });
+});
+
+/**
+ * GET - proxy proxmox api without privilege elevation
+ * request and responses passed through to/from proxmox
+ */
+app.get("/api/proxmox/*", async (req, res) => { // proxy endpoint for GET proxmox api with no token
+	let path = req.url.replace("/api/proxmox", "");
+	let result = await requestPVE(path, "GET", req.cookies);
+	res.status(result.status).send(result.data);
+});
+
+/**
+ * POST - proxy proxmox api without privilege elevation
+ * request and responses passed through to/from proxmox
+ */
+app.post("/api/proxmox/*", async (req, res) => { // proxy endpoint for POST proxmox api with no token
+	let path = req.url.replace("/api/proxmox", "");
+	let result = await requestPVE(path, "POST", req.cookies, JSON.stringify(req.body)); // need to stringify body because of other issues
+	res.status(result.status).send(result.data);
+});
+
+/**
+ * POST - safer ticket generation using proxmox authentication but adding HttpOnly
+ * request:
+ * - username: String
+ * - password: String
+ * responses:
+ * - 200: {auth: true, path: String}
+ * - 401: {auth: false, path: String}
+ */
+app.post("/api/ticket", async (req, res) => {
+	let response = await requestPVE("/access/ticket", "POST", null, JSON.stringify(req.body));
+	if (!(response.status === 200)) {
+		res.status(response.status).send({ auth: false });
+		res.end();
+		return;
+	}
+	let ticket = response.data.data.ticket;
+	let csrftoken = response.data.data.CSRFPreventionToken;
+	let username = response.data.data.username;
+	let expire = new Date(Date.now() + (2 * 60 * 60 * 1000));
+	res.cookie("PVEAuthCookie", ticket, { domain: domain, path: "/", httpOnly: true, secure: true, expires: expire });
+	res.cookie("CSRFPreventionToken", csrftoken, { domain: domain, path: "/", httpOnly: true, secure: true, expires: expire });
+	res.cookie("username", username, { domain: domain, path: "/", secure: true, expires: expire });
+	res.cookie("auth", 1, { domain: domain, path: "/", secure: true, expires: expire });
+	res.status(200).send({ auth: true });
+});
+
+/**
+ * DELETE - request to destroy ticket
+ * responses:
+ * - 200: {auth: false, path: String}
+ */
+app.delete("/api/ticket", async (req, res) => {
+	let expire = new Date(0);
+	res.cookie("PVEAuthCookie", "", { domain: domain, path: "/", httpOnly: true, secure: true, expires: expire });
+	res.cookie("CSRFPreventionToken", "", { domain: domain, path: "/", httpOnly: true, secure: true, expires: expire });
+	res.cookie("username", "", { domain: domain, path: "/", httpOnly: true, secure: true, expires: expire });
+	res.cookie("auth", 0, { domain: domain, path: "/", expires: expire });
+	res.status(200).send({ auth: false });
+});
+
+/**
+ * GET - get db user resource information including allocated, free, and maximum resource values along with resource metadata
+ * responses:
+ * - 200: {avail: Object, max: Object, units: Object, used: Object}
+ * - 401: {auth: false, path: String}
+ */
+app.get("/api/user/resources", async (req, res) => {
+	// check auth
+	let auth = await checkAuth(req.cookies, res);
+	if (!auth) { return; }
+	let resources = await getUserResources(req, req.cookies.username);
+	res.status(200).send(resources);
+});
+
+/**
+ * GET - get db user instance configuration
+ * responses:
+ * - 200: {pool: String, templates: {lxc: Object, qemu: Object}, vmid: {min: Number, max: Number}}
+ * - 401: {auth: false, path: String}
+ */
+app.get("/api/user/instances", async (req, res) => {
+	// check auth
+	let auth = await checkAuth(req.cookies, res);
+	if (!auth) { return; }
+	let config = db.getUserConfig(req.cookies.username);
+	res.status(200).send(config.instances)
+});
+
+/**
+ * GET - get db user node configuration
+ * responses:
+ * - 200: {nodes: String[]}
+ * - 401: {auth: false, path: String}
+ */
+app.get("/api/user/nodes", async (req, res) => {
+	// check auth
+	let auth = await checkAuth(req.cookies, res);
+	if (!auth) { return; }
+	let config = db.getUserConfig(req.cookies.username);
+	res.status(200).send({ nodes: config.nodes })
+})
+
+/**
+ * POST - detach mounted disk from instance
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number
+ * - disk: String - disk id (sata0, NOT unused)
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {error: String}
+ * - 500: PVE Task Object
+ */
+app.post("/api/instance/disk/detach", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// get current config
+	let config = (await requestPVE(`${vmpath}/config`, "GET", req.cookies, null, null)).data.data;
+	// disk must exist
+	if (!config[req.body.disk]) {
+		res.status(500).send({ error: `Disk ${req.body.disk} does not exist.` });
+		res.end();
+		return;
+	}
+	// disk cannot be unused
+	if (req.body.disk.includes("unused")) {
+		res.status(500).send({ error: `Requested disk ${req.body.disk} cannot be unused. Use /disk/delete to permanently delete unused disks.` });
+		res.end();
+		return;
+	}
+	let action = JSON.stringify({ delete: req.body.disk });
+	let method = req.body.type === "qemu" ? "POST" : "PUT";
+	let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * POST - attach unused disk image to instance
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number
+ * - disk: String - disk id (sata0)
+ * - source: Number - source unused disk number (0 => unused0)
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {error: String}
+ * - 500: PVE Task Object
+ */
+app.post("/api/instance/disk/attach", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// get current config
+	let config = (await requestPVE(`${vmpath}/config`, "GET", req.cookies, null, null)).data.data;
+	// disk must exist
+	if (!config[`unused${req.body.source}`]) {
+		res.status(403).send({ error: `Requested disk unused${req.body.source} does not exist.` });
+		res.end();
+		return;
+	}
+	// target disk must be allowed according to source disk's storage options
+	let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, `unused${req.body.source}`); // get target disk
+	let resourceConfig = db.getResourceConfig();
+	if (!resourceConfig[diskConfig.storage].disks.some(diskPrefix => req.body.disk.startsWith(diskPrefix))) {
+		res.status(500).send({ error: `Requested target ${req.body.disk} is not in allowed list [${resourceConfig[diskConfig.storage].disks}].` });
+		res.end();
+		return;
+	}
+	// setup action using source disk info from vm config
+	let action = {};
+	action[req.body.disk] = config[`unused${req.body.source}`];
+	action = JSON.stringify(action);
+	let method = req.body.type === "qemu" ? "POST" : "PUT";
+	// commit action
+	let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * POST - increase size of mounted disk
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number
+ * - disk: String - disk id (sata0)
+ * - size: Number - increase size in GiB
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {error: String}
+ * - 500: {request: Object, error: String}
+ * - 500: PVE Task Object
+ */
+app.post("/api/instance/disk/resize", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// check disk existence
+	let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, req.body.disk); // get target disk
+	if (!diskConfig) { // exit if disk does not exist
+		res.status(500).send({ error: `requested disk ${req.body.disk} does not exist.` });
+		res.end();
+		return;
+	}
+	// setup request
+	let storage = diskConfig.storage; // get the storage
+	let request = {};
+	request[storage] = Number(req.body.size * 1024 ** 3); // setup request object
+	// check request approval
+	if (!await approveResources(req, req.cookies.username, request)) {
+		res.status(500).send({ request: request, error: `Storage ${storage} could not fulfill request of size ${req.body.size}G.` });
+		res.end();
+		return;
+	}
+	// action approved, commit to action
+	let action = JSON.stringify({ disk: req.body.disk, size: `+${req.body.size}G` });
+	let result = await requestPVE(`${vmpath}/resize`, "PUT", req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * POST - move mounted disk from one storage to another
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number
+ * - disk: String - disk id (sata0)
+ * - storage: String - target storage to move disk
+ * - delete: Number - delete original disk (0, 1) 
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {error: String}
+ * - 500: {request: Object, error: String}
+ * - 500: PVE Task Object
+ */
+app.post("/api/instance/disk/move", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// check disk existence
+	let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, req.body.disk); // get target disk
+	if (!diskConfig) { // exit if disk does not exist
+		res.status(500).send({ error: `requested disk ${req.body.disk} does not exist.` });
+		res.end();
+		return;
+	}
+	// setup request
+	let size = parseInt(diskConfig.size); // get source disk size
+	let srcStorage = diskConfig.storage; // get source storage
+	let dstStorage = req.body.storage; // get destination storage
+	let request = {};
+	let release = {};
+	if (req.body.delete) { // if delete is true, increase resource used by the source storage
+		release[srcStorage] = Number(size);
+	}
+	request[dstStorage] = Number(size); // always decrease destination storage by size
+	// check request approval
+	if (!await approveResources(req, req.cookies.username, request)) {
+		res.status(500).send({ request: request, error: `Storage ${req.body.storage} could not fulfill request of size ${req.body.size}G.` });
+		res.end();
+		return;
+	}
+	// create action
+	let action = { storage: req.body.storage, delete: req.body.delete };
+	if (req.body.type === "qemu") {
+		action.disk = req.body.disk
+	}
+	else {
+		action.volume = req.body.disk
+	}
+	action = JSON.stringify(action);
+	let route = req.body.type === "qemu" ? "move_disk" : "move_volume";
+	// commit action
+	let result = await requestPVE(`${vmpath}/${route}`, "POST", req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * DELETE - delete unused disk permanently
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number
+ * - disk: String - disk id (unused0 or ide0)
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {error: String}
+ * - 500: PVE Task Object
+ */
+app.delete("/api/instance/disk/delete", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// get current config
+	let config = (await requestPVE(`${vmpath}/config`, "GET", req.cookies, null, null)).data.data;
+	// disk must exist
+	if (!config[req.body.disk]) {
+		res.status(403).send({ error: `Requested disk unused${req.body.source} does not exist.` });
+		res.end();
+		return;
+	}
+	// only ide or unused are allowed to be deleted
+	if (!req.body.disk.includes("unused") && !req.body.disk.includes("ide")) { // must be ide or unused
+		res.status(500).send({ error: `Requested disk ${req.body.disk} must be unused or ide. Use /disk/detach to detach disks in use.` });
+		res.end();
+		return;
+	}
+	// create action
+	let action = JSON.stringify({ delete: req.body.disk });
+	let method = req.body.type === "qemu" ? "POST" : "PUT";
+	// commit action
+	let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * POST - create a new disk in storage of specified size
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number
+ * - disk: String - disk id (sata0, ide0)
+ * - storage: String - storage to hold disk
+ * - size: Number - size of disk in GiB
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {request: Object, error: String}
+ * - 500: PVE Task Object
+ */
+app.post("/api/instance/disk/create", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// get current config
+	let config = (await requestPVE(`${vmpath}/config`, "GET", req.cookies, null, null)).data.data;
+	// disk must not exist
+	if (config[req.body.disk]) {
+		res.status(403).send({ error: `Requested disk ${req.body.disk} already exists.` });
+		res.end();
+		return;
+	}
+	// setup request
+	let request = {};
+	if (!req.body.disk.includes("ide")) {
+		request[req.body.storage] = Number(req.body.size * 1024 ** 3); // setup request object
+		// check request approval
+		if (!await approveResources(req, req.cookies.username, request)) {
+			res.status(500).send({ request: request, error: `Storage ${req.body.storage} could not fulfill request of size ${req.body.size}G.` });
+			res.end();
+			return;
+		}
+	}
+	// target disk must be allowed according to storage options
+	let resourceConfig = db.getResourceConfig();
+	if (!resourceConfig[req.body.storage].disks.some(diskPrefix => req.body.disk.startsWith(diskPrefix))) {
+		res.status(500).send({ error: `Requested target ${req.body.disk} is not in allowed list [${resourceConfig[req.body.storage].disks}].` });
+		res.end();
+		return;
+	}
+	// setup action
+	let action = {};
+	if (req.body.disk.includes("ide") && req.body.iso) {
+		action[req.body.disk] = `${req.body.iso},media=cdrom`;
+	}
+	else if (req.body.type === "qemu") { // type is qemu, use sata
+		action[req.body.disk] = `${req.body.storage}:${req.body.size}`;
+	}
+	else { // type is lxc, use mp and add mp and backup values
+		action[req.body.disk] = `${req.body.storage}:${req.body.size},mp=/${req.body.disk}/,backup=1`;
+	}
+	action = JSON.stringify(action);
+	let method = req.body.type === "qemu" ? "POST" : "PUT";
+	// commit action
+	let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * POST - create new virtual network interface
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number
+ * - netid: Number - network interface id number (0 => net0)
+ * - rate: Number - new bandwidth rate for interface in MB/s
+ * - name: String, optional - required interface name for lxc only
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {error: String}
+ * - 500: {request: Object, error: String}
+ * - 500: PVE Task Object
+ */
+app.post("/api/instance/network/create", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// get current config
+	let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken);
+	// net interface must not exist
+	if (currentConfig.data.data[`net${req.body.netid}`]) {
+		res.status(500).send({ error: `Network interface net${req.body.netid} already exists. Use /api/instance.network/modify to modify existing network interface.` });
+		res.end();
+		return;
+	}
+	if (req.body.type === "lxc" && !req.body.name) {
+		res.status(500).send({ error: `Network interface must have name parameter.` });
+		res.end();
+		return;
+	}
+	let request = {
+		network: Number(req.body.rate)
+	};
+	// check resource approval
+	if (!await approveResources(req, req.cookies.username, request)) {
+		res.status(500).send({ request: request, error: `Could not fulfil network request of ${req.body.rate}MB/s.` });
+		res.end();
+		return;
+	}
+	// setup action
+	let vlan = getUserConfig().instances.vlan;
+	let action = {};
+	if (type === "lxc") {
+		action[`net${req.body.netid}`] = `name=${req.body.name},bridge=vmbr0,ip=dhcp,ip6=dhcp,tag=${vlan},type=veth,rate=${req.body.rate}`;
+	}
+	else {
+		action[`new${req.body.netid}`] = `virtio,bridge=vmbr0,tag=${vlan},rate=${req.body.rate}`;
+	}
+	action = JSON.stringify(action);
+	let method = req.body.type === "qemu" ? "POST" : "PUT";
+	// commit action
+	let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * POST - modify virtual network interface
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number
+ * - netid: Number - network interface id number (0 => net0)
+ * - rate: Number - new bandwidth rate for interface in MB/s
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {error: String}
+ * - 500: {request: Object, error: String}
+ * - 500: PVE Task Object
+ */
+app.post("/api/instance/network/modify", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// get current config
+	let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken);
+	// net interface must already exist
+	if (!currentConfig.data.data[`net${req.body.netid}`]) {
+		res.status(500).send({ error: `Network interface net${req.body.netid} does not exist. Use /api/instance/network/create to create a new network interface.` });
+		res.end();
+		return;
+	}
+	let currentNetworkConfig = currentConfig.data.data[`net${req.body.netid}`];
+	let currentNetworkRate = currentNetworkConfig.split("rate=")[1].split(",")[0];
+	let request = {
+		network: Number(req.body.rate) - Number(currentNetworkRate)
+	};
+	// check resource approval
+	if (!await approveResources(req, req.cookies.username, request)) {
+		res.status(500).send({ request: request, error: `Could not fulfil network request of ${req.body.rate}MB/s.` });
+		res.end();
+		return;
+	}
+	// setup action
+	let action = {};
+	action[`net${req.body.netid}`] = currentNetworkConfig.replace(`rate=${currentNetworkRate}`, `rate=${req.body.rate}`);
+	action = JSON.stringify(action);
+	let method = req.body.type === "qemu" ? "POST" : "PUT";
+	// commit action
+	let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * DELETE - delete virtual network interface
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number
+ * - netid: Number - network interface id number (0 => net0)
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {error: String}
+ * - 500: PVE Task Object
+ */
+app.delete("/api/instance/network/delete", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// get current config
+	let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken);
+	// net interface must already exist
+	if (!currentConfig.data.data[`net${req.body.netid}`]) {
+		res.status(500).send({ error: `Network interface net${req.body.netid} does not exist.` });
+		res.end();
+		return;
+	}
+	// setup action
+	let action = { delete: `net${req.body.netid}`};
+	let method = req.body.type === "qemu" ? "POST" : "PUT";
+	// commit action
+	let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * GET - get instance pcie device data
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number to destroy
+ * - hostpci: String - hostpci number
+ * responses:
+ * - 200: PVE PCI Device Object
+ * - 401: {auth: false, path: String}
+ * - 500: {error: String} 
+ */
+app.get("/api/instance/pci", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.query.node}/${req.query.type}/${req.query.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// check device is in instance config
+	let config = (await requestPVE(`${vmpath}/config`, "GET", req.cookies)).data.data;
+	if (!config[`hostpci${req.query.hostpci}`]) {
+		res.status(500).send({ error: `Could not find hostpci${req.query.hostpci} in ${req.query.vmid}.` });
+		res.end();
+		return;
+	}
+	let device = config[`hostpci${req.query.hostpci}`].split(",")[0];
+	console.log(device)
+	// get node's pci devices
+	let result = (await requestPVE(`/nodes/${req.query.node}/hardware/pci`, "GET", req.cookies, null, pveAPIToken)).data.data;
+	let deviceData = [];
+	result.forEach((element) => {
+		if (element.id.startsWith(device)) {
+			deviceData.push(element);
+		}
+	});
+	res.status(200).send(deviceData);
+	res.end();
+	return;
+});
+
+/**
+ * POST - set basic resources for vm
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number
+ * - cores: Number - new number of cores for instance
+ * - memory: Number - new amount of memory for instance
+ * - swap: Number, optional - new amount of swap for instance
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {request: Object, error: String}
+ * - 500: PVE Task Object
+ */
+app.post("/api/instance/resources", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// get current config
+	let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken);
+	let request = {
+		cores: Number(req.body.cores) - Number(currentConfig.data.data.cores),
+		memory: Number(req.body.memory) - Number(currentConfig.data.data.memory)
+	};
+	if (req.body.type === "lxc") {
+		request.swap = Number(req.body.swap) - Number(currentConfig.data.data.swap);
+	}
+	// check resource approval
+	if (!await approveResources(req, req.cookies.username, request)) {
+		res.status(500).send({ request: request, error: `Could not fulfil request.` });
+		res.end();
+		return;
+	}
+	// setup action
+	let action = { cores: req.body.cores, memory: req.body.memory };
+	if (req.body.type === "lxc") {
+		action.swap = Number(req.body.swap);
+	}
+	action = JSON.stringify(action);
+	let method = req.body.type === "qemu" ? "POST" : "PUT";
+	// commit action
+	let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * POST - create new instance
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number for instance
+ * - hostname: String, optional- hostname for lxc instance
+ * - name: String, optional - hostname for qemu instance
+ * - cores: Number - number of cores for instance
+ * - memory: Number - amount of memory for instance
+ * - swap: Number, optional - amount of swap for lxc instance
+ * - password: String, optional - password for lxc instance
+ * - ostemplate: String, optional - os template name for lxc instance
+ * - rootfslocation: String, optional - storage name for lxc instance rootfs
+ * - rootfssize: Number, optional, - size of lxc instance rootfs
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: {error: String}
+ * - 500: {request: Object, error: String}
+ * - 500: PVE Task Object
+ */
+app.post("/api/instance", async (req, res) => {
+	// check auth
+	let auth = await checkAuth(req.cookies, res);
+	if (!auth) { return; }
+	// get user db config
+	let user = await db.getUserConfig(req.cookies.username);
+	let vmid = Number.parseInt(req.body.vmid);
+	let vmid_min = user.instances.vmid.min;
+	let vmid_max = user.instances.vmid.max;
+	// check vmid is within allowed range
+	if (vmid < vmid_min || vmid > vmid_max) {
+		res.status(500).send({ error: `Requested vmid ${vmid} is out of allowed range [${vmid_min},${vmid_max}].` });
+		res.end();
+		return;
+	}
+	// check node is within allowed list
+	if (!user.nodes.includes(req.body.node)) {
+		res.status(500).send({ error: `Requested node ${req.body.node} is not in allowed nodes [${user.nodes}].` });
+		res.end();
+		return;
+	}
+	// setup request
+	let request = {
+		cores: Number(req.body.cores),
+		memory: Number(req.body.memory)
+	};
+	if (req.body.type === "lxc") {
+		request.swap = req.body.swap;
+		request[req.body.rootfslocation] = req.body.rootfssize;
+	}
+	for (let key of Object.keys(user.instances.templates[req.body.type])) {
+		let item = user.instances.templates[req.body.type][key];
+		if (item.resource) {
+			if (request[item.resource.name]) {
+				request[item.resource.name] += item.resource.amount;
+			}
+			else {
+				request[item.resource.name] = item.resource.amount;
+			}
+		}
+	}
+	// check resource approval
+	if (!await approveResources(req, req.cookies.username, request)) { // check resource approval
+		res.status(500).send({ request: request, error: `Not enough resources to satisfy request.` });
+		res.end();
+		return;
+	}
+	// setup action by adding non resource values
+	let action = {
+		vmid: req.body.vmid,
+		cores: Number(req.body.cores),
+		memory: Number(req.body.memory),
+		pool: user.instances.pool
+	};
+	for (let key of Object.keys(user.instances.templates[req.body.type])) {
+		action[key] = user.instances.templates[req.body.type][key].value;
+	}
+	if (req.body.type === "lxc") {
+		action.hostname = req.body.name;
+		action.unprivileged = 1;
+		action.features = "nesting=1";
+		action.password = req.body.password;
+		action.ostemplate = req.body.ostemplate;
+		action.rootfs = `${req.body.rootfslocation}:${req.body.rootfssize}`;
+	}
+	else {
+		action.name = req.body.name;
+	}
+	action = JSON.stringify(action);
+	// commit action
+	let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}`, "POST", req.cookies, action, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+/**
+ * DELETE - destroy existing instance
+ * request:
+ * - node: String - vm host node id
+ * - type: String - vm type (lxc, qemu)
+ * - vmid: Number - vm id number to destroy
+ * responses:
+ * - 200: PVE Task Object
+ * - 401: {auth: false, path: String}
+ * - 500: PVE Task Object
+ */
+app.delete("/api/instance", async (req, res) => {
+	// check auth for specific instance
+	let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
+	let auth = await checkAuth(req.cookies, res, vmpath);
+	if (!auth) { return; }
+	// commit action
+	let result = await requestPVE(vmpath, "DELETE", req.cookies, null, pveAPIToken);
+	await handleResponse(req.body.node, result, res);
+});
+
+app.listen(listenPort, () => {
+	console.log(`proxmoxaas-api v${api.version} listening on port ${listenPort}`);
+});

src/pve.js

@@ -0,0 +1,118 @@
+import axios from 'axios';
+import { pveAPI, pveAPIToken } from "./db.js";
+
+export async function requestPVE(path, method, cookies, body = null, token = null) {
+	let url = `${pveAPI}${path}`;
+	let content = {
+		method: method,
+		mode: "cors",
+		credentials: "include",
+		headers: {
+			"Content-Type": "application/x-www-form-urlencoded"
+		},
+	}
+
+	if (token) {
+		content.headers.Authorization = `PVEAPIToken=${token.user}@${token.realm}!${token.id}=${token.uuid}`;
+	}
+	else if (cookies) {
+		content.headers.CSRFPreventionToken = cookies.CSRFPreventionToken;
+		content.headers.Cookie = `PVEAuthCookie=${cookies.PVEAuthCookie}; CSRFPreventionToken=${cookies.CSRFPreventionToken}`;
+	}
+
+	if (body) {
+		content.data = JSON.parse(body);
+	}
+
+	try {
+		let response = await axios.request(url, content);
+		return response;
+	}
+	catch (error) {
+		return error.response;
+	}
+}
+
+export async function handleResponse(node, result, res) {
+	const waitFor = delay => new Promise(resolve => setTimeout(resolve, delay));
+	if (result.data.data && typeof (result.data.data) === "string" && result.data.data.startsWith("UPID:")) {
+		let upid = result.data.data;
+		while (true) {
+			let taskStatus = await requestPVE(`/nodes/${node}/tasks/${upid}/status`, "GET", null, null, pveAPIToken);
+			if (taskStatus.data.data.status === "stopped" && taskStatus.data.data.exitstatus === "OK") {
+				let result = taskStatus.data.data;
+				let taskLog = await requestPVE(`/nodes/${node}/tasks/${upid}/log`, "GET", null, null, pveAPIToken);
+				result.log = taskLog.data.data;
+				res.status(200).send(result);
+				res.end();
+				return;
+			}
+			else if (taskStatus.data.data.status === "stopped") {
+				let result = taskStatus.data.data;
+				let taskLog = await requestPVE(`/nodes/${node}/tasks/${upid}/log`, "GET", null, null, pveAPIToken);
+				result.log = taskLog.data.data;
+				res.status(500).send(result);
+				res.end();
+				return;
+			}
+			else {
+				await waitFor(1000);
+			}
+		}
+	}
+	else {
+		res.status(result.status).send(result.data);
+		res.end();
+	}
+}
+
+export async function getUsedResources(req, resourceMeta) {
+	let response = await requestPVE("/cluster/resources", "GET", req.cookies);
+	let used = {};
+	let diskprefixes = [];
+	for (let resourceName of Object.keys(resourceMeta)) {
+		used[resourceName] = 0;
+		if (resourceMeta[resourceName].type === "storage") {
+			for (let diskPrefix of resourceMeta[resourceName].disks) {
+				diskprefixes.push(diskPrefix);
+			}
+		}
+	}
+	for (let instance of response.data.data) {
+		if (instance.type === "lxc" || instance.type === "qemu") {
+			let config = await requestPVE(`/nodes/${instance.node}/${instance.type}/${instance.vmid}/config`, "GET", req.cookies);
+			config = config.data.data;
+			for (let key of Object.keys(config)) {
+				if (Object.keys(used).includes(key) && resourceMeta[key].type === "numeric") {
+					used[key] += Number(config[key]);
+				}
+				else if (diskprefixes.some(prefix => key.startsWith(prefix))) {
+					let diskInfo = await getDiskInfo(instance.node, instance.type, instance.vmid, key);
+					if (diskInfo) { // only count if disk exists
+						used[diskInfo.storage] += Number(diskInfo.size);
+					}
+				}
+				else if (key.startsWith("net")) {
+					if (config[key].includes("rate=")) { // only count instances with a rate limit
+						used.network += Number(config[key].split("rate=")[1].split(",")[0]);
+					}
+				}
+			}
+		}
+	}
+	return used;
+}
+
+export async function getDiskInfo(node, type, vmid, disk) {
+	try {
+		let config = await requestPVE(`/nodes/${node}/${type}/${vmid}/config`, "GET", null, null, pveAPIToken);
+		let storageID = config.data.data[disk].split(":")[0];
+		let volID = config.data.data[disk].split(",")[0];
+		let volInfo = await requestPVE(`/nodes/${node}/storage/${storageID}/content/${volID}`, "GET", null, null, pveAPIToken);
+		volInfo.data.data.storage = storageID;
+		return volInfo.data.data;
+	}
+	catch {
+		return null;
+	}
+}

src/utils.js

@@ -0,0 +1,56 @@
+import { getUsedResources, requestPVE } from "./pve.js";
+import { db } from "./db.js";
+
+export async function checkAuth(cookies, res, vmpath = null) {
+	let auth = false;
+
+	if (db.getUserConfig(cookies.username) === null) {
+		auth = false;
+		res.status(401).send({ auth: auth, path: vmpath ? `${vmpath}/config` : "/version", error: `user ${cookies.username} not found in localdb` });
+		res.end();
+		return false;
+	}
+
+	if (vmpath) {
+		let result = await requestPVE(`/${vmpath}/config`, "GET", cookies);
+		auth = result.status === 200;
+	}
+	else { // if no path is specified, then do a simple authentication
+		let result = await requestPVE("/version", "GET", cookies);
+		auth = result.status === 200;
+	}
+
+	if (!auth) {
+		res.status(401).send({ auth: auth, path: vmpath ? `${vmpath}/config` : "/version", error: `user token did not pass authentication check` });
+		res.end();
+	}
+	return auth;
+}
+
+export async function getUserResources(req, username) {
+	let dbResources = db.getResourceConfig();
+	let used = await getUsedResources(req, dbResources);
+	let max = db.getUserConfig(username).resources.max;
+	let avail = {};
+	Object.keys(max).forEach((k) => {
+		avail[k] = max[k] - used[k];
+	});
+	return { used: used, max: max, avail: avail, units: dbResources };
+}
+
+export async function approveResources(req, username, request) {
+	let avail = (await getUserResources(req, username)).avail;
+	let approved = true;
+	Object.keys(request).forEach((key) => {
+		if (!(key in avail)) { // if requested resource is not in avail, block
+			approved = false;
+		}
+		else if (isNaN(avail[key]) || isNaN(request[key])) { // if either the requested or avail resource is NaN, block
+			approved = false;
+		}
+		else if (avail[key] - request[key] < 0) { // if the avail resources is less than the requested resources, block
+			approved = false;
+		}
+	});
+	return approved; // if all requested resources pass, allow
+}