download.js

Go to the documentation of this file.

/**
 * @file download.js
 * @description Agent installer and plugin download distribution system. Handles bootstrapper generation (dynamic/static),
 * dev-agent installers with JWT token injection, plugin binary serving, enrollment token generation,
 * and checksum verification. Supports Windows/Linux/Mac with Inno Setup and Wine-based builds.
 * @module routes/download
 */
 
/**
 * @apiDefine DownloadGroup Agent Download & Distribution
 * Agent installer, bootstrapper, and plugin distribution endpoints
 */
 
const express = require('express');
const path = require('path');
const fs = require('fs');
const authenticateToken = require('../middleware/auth');
const router = express.Router();
const { exec, execFileSync } = require('child_process');
const os = require('os');
 
/**
 * @api {get} /api/download/bootstrapper-dynamic/:tenantId.exe Dynamic Bootstrapper EXE Generator
 * @apiName GetDynamicBootstrapper
 * @apiGroup DownloadGroup
 * @apiDescription Dynamically generates tenant-specific bootstrapper EXE with embedded JWT token. Builds via Node.js
 * builder script (build_bootstrapper.js) and caches result for future downloads. No authentication
 * required. Build timeout: 5 minutes.
 * @apiParam {string} tenantId Tenant ID for JWT embedding
 * @apiSuccess (200) {Binary} file Bootstrapper EXE binary
 * @apiHeader {string} Content-Disposition attachment; filename=bootstrapper_${tenantId}.exe
 * @apiError 400 Missing tenantId
 * @apiError 500 Missing AGENT_SIGN_KEY or build/download failed
 * @apiExample {curl} Example:
 *   curl -O -J https://api.example.com/api/download/bootstrapper-dynamic/tenant-123.exe
 */
// Dynamic bootstrapper EXE generator
const jwt = require('jsonwebtoken');
const AGENT_SIGN_KEY = process.env.AGENT_SIGN_KEY;
router.get('/bootstrapper-dynamic/:tenantId.exe', async (req, res) => {
  const tenantId = req.params.tenantId;
  console.log(`[BOOTSTRAPPER] Incoming request for tenantId: ${tenantId}`);
  
  // Extend timeout for build process (5 minutes)
  req.setTimeout(5 * 60 * 1000);
  res.setTimeout(5 * 60 * 1000);
  
  // Authenticate user and determine tenant context here if needed
  if (!tenantId) {
    console.error('[BOOTSTRAPPER] Missing tenantId');
    return res.status(400).json({ error: 'Missing tenantId' });
  }
  if (!AGENT_SIGN_KEY) {
    console.error('[BOOTSTRAPPER] Missing AGENT_SIGN_KEY');
    return res.status(500).json({ error: 'Missing AGENT_SIGN_KEY' });
  }
  // Generate JWT for agent onboarding
  const token = jwt.sign({ tenantId }, AGENT_SIGN_KEY, { expiresIn: '30d' });
  console.log(`[BOOTSTRAPPER] Generated JWT for tenantId: ${tenantId}`);
 
  // Use Node.js builder script
  const builderScript = path.resolve(__dirname, '../downloads/build_bootstrapper.js');
  const downloadsDir = path.resolve(__dirname, '../downloads');
  const outputExe = path.join(downloadsDir, `bootstrapper_${tenantId}.exe`);
  // Defensive: ensure outputExe is always in backend/downloads
  if (!outputExe.startsWith(downloadsDir)) {
    console.error(`[BOOTSTRAPPER] Output path is not in backend/downloads: ${outputExe}`);
    return res.status(500).json({ error: 'Output path misconfiguration', details: outputExe });
  }
  // If EXE already exists, serve it
  if (fs.existsSync(outputExe)) {
    console.log(`[BOOTSTRAPPER] Found existing EXE for tenantId: ${tenantId}, serving.`);
    return res.download(outputExe, `bootstrapper_${tenantId}.exe`);
  }
  try {
    console.log(`[BOOTSTRAPPER] Building EXE for tenantId: ${tenantId} using builder script: ${builderScript}`);
    // Synchronously build the EXE and keep it for future downloads
    execFileSync('node', [builderScript, tenantId, outputExe], { 
      stdio: 'inherit',
      timeout: 4 * 60 * 1000, // 4 minute timeout for build
      maxBuffer: 10 * 1024 * 1024 // 10MB buffer
    });
    console.log(`[BOOTSTRAPPER] Build complete, streaming EXE: ${outputExe}`);
    res.download(outputExe, `bootstrapper_${tenantId}.exe`, (err) => {
      if (err) {
        console.error(`[BOOTSTRAPPER] Download error: ${err.message}`);
      } else {
        console.log(`[BOOTSTRAPPER] Download successful for tenantId: ${tenantId}`);
      }
      // Do NOT delete outputExe; keep for future downloads
    });
  } catch (err) {
    console.error(`[BOOTSTRAPPER] Build or download failed for tenantId: ${tenantId}: ${err.message}`);
    return res.status(500).json({ error: 'Build or download failed', details: err.message });
  }
});
 
/**
 * @api {get} /api/download/bootstrapper-static/:tenantId.exe Static Bootstrapper EXE
 * @apiName GetStaticBootstrapper
 * @apiGroup DownloadGroup
 * @apiDescription Serves pre-built tenant-specific static bootstrapper EXE from downloads folder.
 * No dynamic generation. No authentication required.
 * @apiParam {string} tenantId Tenant ID
 * @apiSuccess (200) {Binary} file Bootstrapper EXE binary
 * @apiHeader {string} Content-Disposition attachment; filename=bootstrapper_${tenantId}.exe
 * @apiError 404 Bootstrapper not found
 * @apiExample {curl} Example:
 *   curl -O -J https://api.example.com/api/download/bootstrapper-static/tenant-123.exe
 */
// Serve tenant-specific static bootstrapper EXE
router.get('/bootstrapper-static/:tenantId.exe', async (req, res) => {
  const filePath = path.resolve(__dirname, `../downloads/bootstrapper_${req.params.tenantId}.exe`);
  if (!fs.existsSync(filePath)) {
    return res.status(404).json({ error: 'Bootstrapper not found' });
  }
  res.download(filePath, `bootstrapper_${req.params.tenantId}.exe`);
});
 
 
/**
 * @api {get} /api/download/bootstrapper.exe Default Bootstrapper EXE
 * @apiName GetDefaultBootstrapper
 * @apiGroup DownloadGroup
 * @apiDescription Serves default static bootstrapper EXE (no tenant specificity) for Syncro-style installer.
 * No authentication required.
 * @apiSuccess (200) {Binary} file Bootstrapper EXE binary
 * @apiHeader {string} Content-Disposition attachment; filename=bootstrapper.exe
 * @apiError 404 Bootstrapper not found
 * @apiExample {curl} Example:
 *   curl -O -J https://api.example.com/api/download/bootstrapper.exe
 */
// Serve static bootstrapper EXE for Syncro-style installer (no auth)
router.get('/bootstrapper.exe', async (req, res) => {
  const bootstrapperPath = path.resolve(__dirname, '../downloads/bootstrapper.exe');
  if (!fs.existsSync(bootstrapperPath)) {
    return res.status(404).json({ error: 'Bootstrapper not found' });
  }
  res.download(bootstrapperPath, 'bootstrapper.exe');
});
 
/**
 * @api {get} /api/download/dev-agent/quick/:tenantId Quick Install Batch Script
 * @apiName GetQuickInstallScript
 * @apiGroup DownloadGroup
 * @apiDescription Generates tenant-specific quick install batch script (.bat) for Windows. Creates bootstrap.json
 * in ProgramData with embedded JWT (365-day expiration), downloads Inno Setup installer, and runs
 * silent installation. No authentication required.
 * @apiParam {string} tenantId Tenant ID for JWT embedding
 * @apiSuccess (200) {string} file Batch script (.bat)
 * @apiHeader {string} Content-Type application/octet-stream
 * @apiHeader {string} Content-Disposition attachment; filename=Install_Agent.bat
 * @apiError 400 Missing tenantId
 * @apiError 500 Missing AGENT_SIGN_KEY or generation failed
 * @apiExample {curl} Example:
 *   curl -O -J https://api.example.com/api/download/dev-agent/quick/tenant-123
 * @apiExample {txt} Batch Script Output:
 *   @echo off
 *   REM EverydayTech Agent Quick Install
 *   echo Creating bootstrap configuration...
 *   echo { > "%PROGRAMDATA%\EverydayTechAgent\bootstrap.json"
 *   ...
 */
// Quick install - downloads PowerShell GUI installer as EXE (built via Wine)
router.get('/dev-agent/quick/:tenantId', async (req, res) => {
  const tenantId = req.params.tenantId;
  
  if (!tenantId) {
    return res.status(400).json({ error: 'Missing tenantId' });
  }
  
  const AGENT_SIGN_KEY = process.env.AGENT_SIGN_KEY;
  if (!AGENT_SIGN_KEY) {
    return res.status(500).json({ error: 'Missing AGENT_SIGN_KEY' });
  }
  
  const jwtToken = jwt.sign({ tenantId }, AGENT_SIGN_KEY, { expiresIn: '365d' });
  
  try {
    console.log(`[QUICK-INSTALL] Generating batch installer for tenant: ${tenantId}`);
    
    // Create batch script that downloads Inno Setup installer
    const batchScript = `@echo off
REM EverydayTech Agent Quick Install
REM Generated for tenant: ${tenantId}
 
echo.
echo ========================================
echo  EverydayTech Agent Installer
echo ========================================
echo.
 
REM Create bootstrap.json in agent data directory
echo Creating bootstrap configuration...
set "DATADIR=%PROGRAMDATA%\\EverydayTechAgent"
if not exist "%DATADIR%" mkdir "%DATADIR%"
 
echo { > "%DATADIR%\\bootstrap.json"
echo   "tenantId": "${tenantId}", >> "%DATADIR%\\bootstrap.json"
echo   "jwt": "${jwtToken}", >> "%DATADIR%\\bootstrap.json"
echo   "backend": "https://everydaytech.au/api" >> "%DATADIR%\\bootstrap.json"
echo } >> "%DATADIR%\\bootstrap.json"
 
echo Bootstrap configuration created.
echo.
 
echo Downloading installer...
set "INSTALLER=%TEMP%\\EverydayTechAgent_Installer.exe"
 
powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://everydaytech.au/api/download/dev-agent' -OutFile '%INSTALLER%' -UseBasicParsing"
 
if not exist "%INSTALLER%" (
    echo.
    echo ERROR: Download failed. Please check your internet connection.
    echo.
    pause
    exit /b 1
)
 
echo.
echo Starting installation...
echo.
 
REM Run Inno Setup installer (will detect bootstrap.json)
"%INSTALLER%" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
 
echo.
echo Installation complete! The agent will appear in your dashboard shortly.
echo.
pause
exit /b 0
`;
    
    // Send as downloadable batch file
    res.setHeader('Content-Type', 'application/octet-stream');
    res.setHeader('Content-Disposition', 'attachment; filename="Install_Agent.bat"');
    res.send(batchScript);
    
  } catch (err) {
    console.error(`[QUICK-INSTALL] Failed to generate installer: ${err.message}`);
    return res.status(500).json({ error: 'Failed to generate installer', details: err.message });
  }
});
 
/**
 * @api {get} /api/download/dev-agent/bootstrap.ps1 PowerShell Bootstrap Script (Legacy)
 * @apiName GetBootstrapScript
 * @apiGroup DownloadGroup
 * @apiDescription Generates legacy PowerShell bootstrap script for agent installation. Requires tenant and token
 * query parameters. Downloads installer and runs with tenant/token arguments. No authentication required.
 * @apiParam (Query) {string} tenant Tenant ID
 * @apiParam (Query) {string} token JWT token for agent enrollment
 * @apiSuccess (200) {string} file PowerShell script (.ps1)
 * @apiHeader {string} Content-Type application/x-powershell
 * @apiHeader {string} Content-Disposition attachment; filename=agent_bootstrap_${tenant}.ps1
 * @apiError 400 Missing tenant or token query parameter
 * @apiExample {curl} Example:
 *   curl -O -J "https://api.example.com/api/download/dev-agent/bootstrap.ps1?tenant=tenant-123&token=eyJhbGc..."
 */
// Legacy PowerShell bootstrap script generator (keeping for compatibility)
router.get('/dev-agent/bootstrap.ps1', async (req, res) => {
  const { tenant, token } = req.query;
  if (!tenant)
    return res.status(400).json({ error: 'Missing ?tenant=' });
  if (!token)
    return res.status(400).json({ error: 'Missing ?token=' });
 
  const installerUrl = `https://everydaytech.au/api/download/dev-agent?tenant=${encodeURIComponent(tenant)}&token=${encodeURIComponent(token)}`;
  const script = `
$tenant = "${tenant}"
$token = "${token}"
$installer = "$env:TEMP\\EverydayTechAgent_Installer.exe"
 
Invoke-WebRequest "${installerUrl}" -OutFile $installer
Start-Process $installer -ArgumentList "/tenant=$tenant /token=$token" -Wait
`;
  res.setHeader('Content-Type', 'application/x-powershell');
  res.setHeader('Content-Disposition', `attachment; filename=agent_bootstrap_${tenant}.ps1`);
  res.send(script);
});
 
/**
 * @api {get} /api/download/dev-agent Dev Agent Installer
 * @apiName GetDevAgentInstaller
 * @apiGroup DownloadGroup
 * @apiDescription Downloads pre-built dev-agent Inno Setup installer (.exe) with optional tenant context.
 * If tenant query parameter provided, generates JWT and customizes filename. Sets no-cache headers
 * to prevent Cloudflare caching. No authentication required.
 * @apiParam (Query) {string} [tenant] Optional tenant ID for JWT generation and custom filename
 * @apiParam (Query) {string} [token] Optional legacy token parameter (unused)
 * @apiSuccess (200) {Binary} file Inno Setup installer EXE
 * @apiHeader {string} Content-Disposition attachment; filename=EverydayTechAgent_${tenantId}.exe or EverydayTechAgent_Installer.exe
 * @apiHeader {string} Cache-Control no-store, no-cache, must-revalidate
 * @apiError 404 Installer not built (run: builder/dev/installer/build_installer.sh)
 * @apiExample {curl} Example with tenant:
 *   curl -O -J "https://api.example.com/api/download/dev-agent?tenant=tenant-123"
 * @apiExample {curl} Example without tenant:
 *   curl -O -J https://api.example.com/api/download/dev-agent
 */
router.get('/dev-agent', async (req, res) => {
  const { tenant, token } = req.query;
  
  // Path to pre-built installer
  const installerPath = path.resolve(__dirname, '../downloads/dev-agent.exe');
  
  if (!fs.existsSync(installerPath)) {
    return res.status(404).json({ error: 'Installer not built yet. Run: builder/dev/installer/build_installer.sh' });
  }
  
  console.log(`[DEV-INSTALLER] Download requested for tenant=${tenant || 'none'}`);
  
  // Set cache control headers to prevent Cloudflare caching
  res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
  res.setHeader('Pragma', 'no-cache');
  res.setHeader('Expires', '0');
  res.setHeader('Surrogate-Control', 'no-store');
  
  // If tenant provided, generate JWT and write bootstrap.json hint
  if (tenant) {
    const AGENT_SIGN_KEY = process.env.AGENT_SIGN_KEY;
    if (AGENT_SIGN_KEY) {
      const jwtToken = jwt.sign({ tenantId: tenant }, AGENT_SIGN_KEY, { expiresIn: '30d' });
      console.log(`[DEV-INSTALLER] Generated JWT for tenant ${tenant}`);
      
      // Optional: Set custom filename with tenant ID for tracking
      const filename = `EverydayTechAgent_${tenant.substring(0, 8)}.exe`;
      return res.download(installerPath, filename);
    }
  }
  
  // Default download without tenant context
  res.download(installerPath, 'EverydayTechAgent_Installer.exe');
});
 
/**
 * EverydayTechAgent Download / Installer Route (Patched)
 * -----------------------------------------------------
 * Adds dynamic JWT + state/config.json injection into installer package
 */
 
 
 
/**
 * @api {get} /api/download/:pluginName Plugin Binary Download (Catch-All)
 * @apiName GetPluginBinary
 * @apiGroup DownloadGroup
 * @apiDescription Downloads plugin binary from agent/plugins folders. Searches agent/plugins/agent first,
 * then OS-specific folders (windows, linux, mac). Returns 404 with available plugins list if not found.
 * Requires authentication.
 * @apiParam {string} pluginName Plugin filename/path
 * @apiSuccess (200) {Binary} file Plugin binary
 * @apiError 404 Plugin not found (includes available plugins list)
 * @apiExample {curl} Example:
 *   curl https://api.example.com/api/download/network-scanner.exe \
 *     -H "Authorization: Bearer YOUR_TOKEN" \
 *     -O -J
 * @apiExample {json} Error-Response (404):
 *   {
 *     "error": "Plugin not found",
 *     "requested": "network-scanner.exe",
 *     "availablePlugins": ["plugin1.exe", "plugin2.sh"],
 *     "searchedDirs": ["/path/to/agent/plugins/agent/network-scanner.exe", ...]
 *   }
 */
// Serve plugin binaries: /api/plugins/:pluginName
router.get('/:pluginName', authenticateToken, async (req, res) => {
  const pluginName = req.params.pluginName;
  console.log(`[Plugin DL] ${pluginName} requested`);
  // Try all OS plugin folders and agent binary folder
  const osList = ['windows', 'linux', 'mac'];
  let foundPath = null;
  const projectRoot = path.resolve(__dirname, '../../');
  // Check agent binary folder first
  const agentBinPath = path.join(projectRoot, 'agent', 'plugins', 'agent', pluginName);
  console.log(`[PLUGIN DL] Checking agent binary: ${agentBinPath}`);
  if (fs.existsSync(agentBinPath)) {
    foundPath = agentBinPath;
  } else {
    for (const os of osList) {
      const pluginPath = path.join(projectRoot, 'agent', 'plugins', os, pluginName);
      console.log(`[PLUGIN DL] Checking: ${pluginPath}`);
      if (fs.existsSync(pluginPath)) {
        foundPath = pluginPath;
        break;
      }
    }
  }
  if (!foundPath) {
    // Gather available plugins for better error reporting
    const availablePlugins = [];
    try {
      // Check agent/plugins/agent
      const agentDir = path.join(projectRoot, 'agent', 'plugins', 'agent');
      if (fs.existsSync(agentDir)) {
        availablePlugins.push(...fs.readdirSync(agentDir));
      }
      // Check OS plugin folders
      for (const os of osList) {
        const osDir = path.join(projectRoot, 'agent', 'plugins', os);
        if (fs.existsSync(osDir)) {
          availablePlugins.push(...fs.readdirSync(osDir));
        }
      }
    } catch (err) {
      console.error('[Plugin DL] Error listing plugins:', err);
    }
    return res.status(404).json({
      error: 'Plugin not found',
      requested: pluginName,
      availablePlugins,
      searchedDirs: [agentBinPath, ...osList.map(os => path.join(projectRoot, 'agent', 'plugins', os, pluginName))]
    });
  }
  res.sendFile(foundPath);
});
 
module.exports = router;
 
/**
 * @api {get} /api/download/plugin-manifest.json Plugin Manifest
 * @apiName GetPluginManifest
 * @apiGroup DownloadGroup
 * @apiDescription Retrieves plugin manifest with name, SHA-256 hash, and download URL from database.
 * Used by agents to check for plugin updates. Requires authentication.
 * @apiSuccess {object} manifest Plugin manifest
 * @apiSuccess {object[]} manifest.plugins Array of plugin records
 * @apiSuccess {string} manifest.plugins.name Plugin name
 * @apiSuccess {string} manifest.plugins.hash SHA-256 hash
 * @apiSuccess {string} manifest.plugins.url Download URL
 * @apiError 500 Database error
 * @apiExample {curl} Example:
 *   curl https://api.example.com/api/download/plugin-manifest.json \
 *     -H "Authorization: Bearer YOUR_TOKEN"
 * @apiExample {json} Success-Response (200):
 *   {
 *     "plugins": [
 *       {
 *         "name": "network-scanner",
 *         "hash": "abc123...",
 *         "url": "https://api.example.com/api/download/network-scanner.exe"
 *       }
 *     ]
 *   }
 */
// ----------------------
// Plugin manifest passthrough
// ----------------------
const pool = require('../services/db');
router.get('/plugin-manifest.json', authenticateToken, async (req, res) => {
  try {
    const result = await pool.query('SELECT name, hash, url FROM plugins');
    res.json({ plugins: result.rows });
  } catch (err) {
    console.error('[Plugin Manifest] DB error:', err);
    res.status(500).json({ error: 'DB error' });
  }
});
 
/**
 * @api {get} /api/download/:os/config Config Route for Bare Agent (Legacy)
 * @apiName GetAgentConfig
 * @apiGroup DownloadGroup
 * @apiDescription Legacy endpoint returning minimal JWT token for bare agent configuration. Requires authentication.
 * @apiParam {string} os Operating system (unused)
 * @apiSuccess {string} jwt JWT token (30-day expiration)
 * @apiExample {curl} Example:
 *   curl https://api.example.com/api/download/windows/config \
 *     -H "Authorization: Bearer YOUR_TOKEN"
 * @apiExample {json} Success-Response (200):
 *   {
 *     "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
 *   }
 */
// ----------------------
// Config route for bare agent (legacy)
// ----------------------
router.get('/:os/config', authenticateToken, (req, res) => {
  const jwtToken = jwt.sign({}, JWT_SECRET, { expiresIn: '30d' });
  res.json({ jwt: jwtToken });
});
 
/**
 * @api {post} /api/download/enroll Enrollment Token Generator
 * @apiName GenerateEnrollmentToken
 * @apiGroup DownloadGroup
 * @apiDescription Generates agent enrollment token with new agent UUID, tenant ID, and optional customer ID.
 * Token valid for 30 days. Requires authentication.
 * @apiParam {string} tenantId Tenant ID for agent enrollment
 * @apiParam {string} [customerId] Optional customer ID
 * @apiSuccess {string} agentId Generated agent UUID (v4)
 * @apiSuccess {string} token JWT enrollment token (30-day expiration)
 * @apiError 400 Missing tenantId
 * @apiError 500 Enrollment failed
 * @apiExample {curl} Example:
 *   curl -X POST https://api.example.com/api/download/enroll \
 *     -H "Authorization: Bearer YOUR_TOKEN" \
 *     -H "Content-Type: application/json" \
 *     -d '{"tenantId":"tenant-123", "customerId":"cust-456"}'
 * @apiExample {json} Success-Response (200):
 *   {
 *     "agentId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
 *     "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
 *   }
 */
// ----------------------
// Enrollment token generator
// ----------------------
router.post('/enroll', authenticateToken, (req, res) => {
  try {
    const { tenantId, customerId } = req.body;
    if (!tenantId) return res.status(400).json({ error: 'Missing tenantId' });
    const agentId = uuidv4();
    const token = jwt.sign({ agentId, tenantId, customerId }, JWT_SECRET, { expiresIn: '30d' });
    res.json({ agentId, token });
  } catch (err) {
    console.error('[Enroll] Failed:', err);
    res.status(500).json({ error: 'Enrollment failed' });
  }
});
 
 
/**
 *
 * @param cmd
 */
function execPromise(cmd) {
  const { exec } = require('child_process');
  return new Promise((resolve, reject) =>
    exec(cmd, (err, stdout, stderr) => (err ? reject(stderr || err) : resolve(stdout)))
  );
}
 
 
/**
 * @api {get} /api/download/:os/tenant Tenant-Only Direct Download
 * @apiName GetTenantDirectDownload
 * @apiGroup DownloadGroup
 * @apiDescription Downloads OS-specific agent installer or binary for tenant without config injection.
 * Uses FILE_MAP for OS lookup. Requires authentication + 't' query parameter with JWT token.
 * @apiParam {string} os Operating system (windows, linux, mac)
 * @apiParam (Query) {String} t JWT token for verification
 * @apiParam (Query) {String} [type=installer] File type (installer, agent, etc.)
 * @apiSuccess (200) {Binary} file Agent installer or binary
 * @apiError 400 Missing token, unsupported OS, or invalid/expired token
 * @apiError 404 File not found for OS/type combination
 * @apiExample {curl} Example:
 *   curl -O -J "https://api.example.com/api/download/windows/tenant?t=eyJhbGc...&type=installer" \
 *     -H "Authorization: Bearer YOUR_TOKEN"
 */
// ----------------------
// Tenant-only direct download (no config injection)
// ----------------------
router.get('/:os/tenant', authenticateToken, (req, res) => {
  try {
    const token = req.query.t;
    if (!token) return res.status(400).send('Missing token');
    const decoded = jwt.verify(token, JWT_SECRET);
    const osName = (req.params.os || '').toLowerCase();
    const type = (req.query.type || 'installer').toLowerCase();
    const osFiles = FILE_MAP[osName];
    if (!osFiles) return res.status(400).send('Unsupported OS');
    const filePath = osFiles[type];
    if (!filePath || !fs.existsSync(filePath))
      return res.status(404).send(`${type} not found`);
    res.download(filePath, path.basename(filePath));
  } catch (err) {
    console.error('[DL TENANT] Failed:', err);
    res.status(400).send('Invalid or expired token');
  }
});
 
/**
 * @api {get} /api/download/checksum SHA-256 Checksum
 * @apiName GetFileChecksum
 * @apiGroup DownloadGroup
 * @apiDescription Computes SHA-256 checksum for agent installer or binary. Uses FILE_MAP for OS/type lookup.
 * Requires authentication.
 * @apiParam (Query) {string} [os=windows] Operating system (windows, linux, mac)
 * @apiParam (Query) {string} [type=agent] File type (agent, installer, etc.)
 * @apiSuccess {string} os Operating system
 * @apiSuccess {string} type File type
 * @apiSuccess {string} checksum SHA-256 hash (hex)
 * @apiError 400 Unsupported OS
 * @apiError 404 File not found
 * @apiError 500 Checksum computation failed
 * @apiExample {curl} Example:
 *   curl "https://api.example.com/api/download/checksum?os=windows&type=agent" \
 *     -H "Authorization: Bearer YOUR_TOKEN"
 * @apiExample {json} Success-Response (200):
 *   {
 *     "os": "windows",
 *     "type": "agent",
 *     "checksum": "abc123def456..."
 *   }
 */
// ----------------------
// SHA256 Checksum
// ----------------------
router.get('/checksum', authenticateToken, (req, res) => {
  try {
    const { os = 'windows', type = 'agent' } = req.query;
    const osFiles = FILE_MAP[os.toLowerCase()];
    if (!osFiles) return res.status(400).json({ error: 'Unsupported OS' });
    const filePath = osFiles[type];
    if (!filePath || !fs.existsSync(filePath))
      return res.status(404).json({ error: 'File not found' });
    const hash = crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex');
    res.json({ os, type, checksum: hash });
  } catch (err) {
    console.error('[Checksum] Failed:', err);
    res.status(500).json({ error: 'Checksum failed' });
  }
});
 
/**
 * @api {get} /api/download/plugins/:pluginName Plugin File Serving
 * @apiName GetPluginFile
 * @apiGroup DownloadGroup
 * @apiDescription Downloads plugin file from agent/plugins directory with access verification. Alternative to
 * catch-all /:pluginName endpoint. Requires authentication.
 * @apiParam {string} pluginName Plugin filename
 * @apiSuccess (200) {Binary} file Plugin binary
 * @apiError 404 Plugin not found
 * @apiError 400 Plugin access error (permission denied)
 * @apiExample {curl} Example:
 *   curl https://api.example.com/api/download/plugins/network-scanner.exe \
 *     -H "Authorization: Bearer YOUR_TOKEN" \
 *     -O -J
 */
// ----------------------
// Plugin file serving
// ----------------------
router.get('/plugins/:pluginName', authenticateToken, (req, res) => {
  const pluginName = req.params.pluginName;
  const pluginDir = path.resolve(__dirname, '../../agent/plugins');
  const pluginPath = path.join(pluginDir, pluginName);
  console.log(`[Plugin DL] ${pluginName} requested`);
  try {
    if (!fs.existsSync(pluginPath))
      return res.status(404).send('Plugin not found');
    fs.accessSync(pluginPath, fs.constants.R_OK);
    res.download(pluginPath, pluginName);
  } catch (err) {
    console.error(`[Plugin DL] Error: ${pluginName}`, err);
    res.status(400).send('Plugin access error');
  }
});
 
module.exports = router;