feat(proxy): update sandbox last activity (#2754)

Signed-off-by: Toma Puljak <[email protected]>

Author: Tpuljak

apps/api/src/organization/guards/organization-access.guard.ts

@@ -39,6 +39,7 @@ export class OrganizationAccessGuard implements CanActivate {
     if (
       authContext.role !== 'ssh-gateway' &&
       authContext.role !== 'runner' &&
+      authContext.role !== 'proxy' &&
       !organizationIdParam &&
       !authContext.organizationId
     ) {

apps/api/src/sandbox/controllers/sandbox.controller.ts

@@ -69,6 +69,8 @@ import { AuditTarget } from '../../audit/enums/audit-target.enum'
 import { SshAccessDto, SshAccessValidationDto } from '../dto/ssh-access.dto'
 import { ListSandboxesQueryDto } from '../dto/list-sandboxes-query.dto'
 import { RegionDto } from '../dto/region.dto'
+import { ProxyGuard } from '../../auth/proxy.guard'
+import { OrGuard } from '../../auth/or.guard'
 
 @ApiTags('sandbox')
 @Controller('sandbox')
@@ -607,6 +609,25 @@ export class SandboxController {
     return SandboxDto.fromSandbox(sandbox)
   }
 
+  @Post(':sandboxId/last-activity')
+  @ApiOperation({
+    summary: 'Update sandbox last activity',
+    operationId: 'updateLastActivity',
+  })
+  @ApiParam({
+    name: 'sandboxId',
+    description: 'ID of the sandbox',
+    type: 'string',
+  })
+  @ApiResponse({
+    status: 201,
+    description: 'Last activity has been updated',
+  })
+  @UseGuards(OrGuard([SandboxAccessGuard, ProxyGuard]))
+  async updateLastActivity(@Param('sandboxId') sandboxId: string): Promise<void> {
+    await this.sandboxService.updateLastActivityAt(sandboxId, new Date())
+  }
+
   @Post(':sandboxIdOrName/autostop/:interval')
   @ApiOperation({
     summary: 'Set sandbox auto-stop interval',

apps/api/src/sandbox/entities/sandbox.entity.ts

@@ -18,7 +18,6 @@ import { SandboxState } from '../enums/sandbox-state.enum'
 import { SandboxDesiredState } from '../enums/sandbox-desired-state.enum'
 import { SandboxClass } from '../enums/sandbox-class.enum'
 import { BackupState } from '../enums/backup-state.enum'
-import { nanoid } from 'nanoid'
 import { v4 as uuidv4 } from 'uuid'
 import { SandboxVolume } from '../dto/sandbox.dto'
 import { BuildInfo } from './build-info.entity'
@@ -245,13 +244,6 @@ export class Sandbox {
     }
   }
 
-  @BeforeUpdate()
-  updateAccessToken() {
-    if (this.state === SandboxState.STARTED) {
-      this.authToken = nanoid(32).toLocaleLowerCase()
-    }
-  }
-
   @BeforeUpdate()
   updateLastActivityAt() {
     this.lastActivityAt = new Date()

apps/api/src/sandbox/guards/sandbox-access.guard.ts

@@ -8,6 +8,8 @@ import { SandboxService } from '../services/sandbox.service'
 import { OrganizationAuthContext, BaseAuthContext } from '../../common/interfaces/auth-context.interface'
 import { isRunnerContext, RunnerContext } from '../../common/interfaces/runner-context.interface'
 import { SystemRole } from '../../user/enums/system-role.enum'
+import { isProxyContext } from '../../common/interfaces/proxy-context.interface'
+import { isSshGatewayContext } from '../../common/interfaces/ssh-gateway-context.interface'
 
 @Injectable()
 export class SandboxAccessGuard implements CanActivate {
@@ -23,30 +25,31 @@ export class SandboxAccessGuard implements CanActivate {
     const authContext: BaseAuthContext = request.user
 
     try {
-      // Check if this is a runner making the request
-      if (isRunnerContext(authContext)) {
-        // For runner authentication, verify that the runner ID matches the sandbox's runner ID
-        const runnerContext = authContext as RunnerContext
-        const sandboxRunnerId = await this.sandboxService.getRunnerId(sandboxIdOrName)
-        if (sandboxRunnerId !== runnerContext.runnerId) {
-          throw new ForbiddenException('Runner ID does not match sandbox runner ID')
+      switch (true) {
+        case isRunnerContext(authContext): {
+          // For runner authentication, verify that the runner ID matches the sandbox's runner ID
+          const runnerContext = authContext as RunnerContext
+          const sandboxRunnerId = await this.sandboxService.getRunnerId(sandboxIdOrName)
+          if (sandboxRunnerId !== runnerContext.runnerId) {
+            throw new ForbiddenException('Runner ID does not match sandbox runner ID')
+          }
+          break
         }
-      } else {
-        // For user/organization authentication, check organization access
-        const orgAuthContext = authContext as OrganizationAuthContext
-        const sandboxOrganizationId = await this.sandboxService.getOrganizationId(
-          sandboxIdOrName,
-          orgAuthContext.organizationId,
-        )
-        if (
-          orgAuthContext.role !== 'ssh-gateway' &&
-          orgAuthContext.role !== SystemRole.ADMIN &&
-          sandboxOrganizationId !== orgAuthContext.organizationId
-        ) {
-          throw new ForbiddenException('Request organization ID does not match resource organization ID')
+        case isProxyContext(authContext):
+        case isSshGatewayContext(authContext):
+          return true
+        default: {
+          // For user/organization authentication, check organization access
+          const orgAuthContext = authContext as OrganizationAuthContext
+          const sandboxOrganizationId = await this.sandboxService.getOrganizationId(
+            sandboxIdOrName,
+            orgAuthContext.organizationId,
+          )
+          if (orgAuthContext.role !== SystemRole.ADMIN && sandboxOrganizationId !== orgAuthContext.organizationId) {
+            throw new ForbiddenException('Request organization ID does not match resource organization ID')
+          }
         }
       }
-
       return true
     } catch (error) {
       if (!(error instanceof NotFoundException)) {

apps/api/src/sandbox/services/sandbox.service.ts

@@ -62,7 +62,8 @@ import {
   ARCHIVE_SANDBOXES_MESSAGE,
   PER_SANDBOX_LIMIT_MESSAGE,
 } from '../../common/constants/error-messages'
-import { customAlphabet as customNanoid, urlAlphabet } from 'nanoid'
+import { RedisLockProvider } from '../common/redis-lock.provider'
+import { customAlphabet as customNanoid, nanoid, urlAlphabet } from 'nanoid'
 import { WithInstrumentation } from '../../common/decorators/otel.decorator'
 import { validateMountPaths } from '../utils/volume-mount-path-validation.util'
 import { SandboxRepository } from '../repositories/sandbox.repository'
@@ -94,6 +95,7 @@ export class SandboxService {
     private readonly organizationService: OrganizationService,
     private readonly runnerAdapterFactory: RunnerAdapterFactory,
     private readonly organizationUsageService: OrganizationUsageService,
+    private readonly redisLockProvider: RedisLockProvider,
   ) {}
 
   protected getLockKey(id: string): string {
@@ -1004,6 +1006,7 @@ export class SandboxService {
 
     sandbox.pending = true
     sandbox.desiredState = SandboxDesiredState.STARTED
+    sandbox.authToken = nanoid(32).toLocaleLowerCase()
 
     try {
       await this.sandboxRepository.saveWhere(sandbox, { pending: false, state: sandbox.state })
@@ -1064,6 +1067,21 @@ export class SandboxService {
     return sandbox
   }
 
+  async updateLastActivityAt(sandboxId: string, lastActivityAt: Date): Promise<void> {
+    // Prevent spamming updates
+    const lockKey = `sandbox:update-last-activity:${sandboxId}`
+    const acquired = await this.redisLockProvider.lock(lockKey, 45)
+    if (!acquired) {
+      return
+    }
+
+    const result = await this.sandboxRepository.update({ id: sandboxId }, { lastActivityAt })
+
+    if (!result.affected) {
+      throw new NotFoundException(`Sandbox with ID ${sandboxId} not found`)
+    }
+  }
+
   private getValidatedOrDefaultRegion(region?: string): string {
     if (!region || region.trim().length === 0) {
       return 'us'

apps/docs/src/content/docs/en/custom-domain-authentication.mdx

@@ -48,7 +48,17 @@ To override Daytona's default CORS settings, send:
 X-Daytona-Disable-CORS: true
 ```
 
-#### Authentication
+### Disable Last Activity Update
+
+To prevent sandbox last activity updates when previewing, you can set the `X-Daytona-Skip-Last-Activity-Update` header to `true`.
+This will stop Daytona from keeping sandboxes, that have [auto-stop enabled](/docs/sandbox-management#auto-stop-interval), started:
+
+```bash
+curl -H "X-Daytona-Skip-Last-Activity-Update: true" \
+https://3000-sandbox-123456.proxy.daytona.work
+```
+
+### Authentication
 
 For private preview links, users should send:
 

apps/docs/src/content/docs/en/sandbox-management.mdx

@@ -208,7 +208,6 @@ Setting ["autoDeleteInterval: 0"](#auto-delete-interval) has the same effect as
 Daytona Sandboxes provide configurable network firewall controls to enhance security and manage connectivity. By default, network access follows standard security policies, but you can customize network settings when creating a Sandbox.
 Learn more about network limits in the [Network Limits](/docs/en/network-limits) documentation.
 
-
 ## Sandbox Information
 
 The Daytona SDK provides methods to get information about a Sandbox, such as ID, root directory, and status using Python and TypeScript.
@@ -389,15 +388,15 @@ Daytona Sandboxes can be automatically stopped, archived, and deleted based on u
 
 The auto-stop interval parameter sets the amount of time after which a running Sandbox will be automatically stopped.
 
+Sandbox activity, such as SDK API calls or network requests through [preview URLs](/docs/en/preview-and-authentication), will reset the auto-stop timer.
+
 The parameter can either be set to:
 
 - a time interval in minutes
 - `0`, which disables the auto-stop functionality, allowing the sandbox to run indefinitely
 
 If the parameter is not set, the default interval of `15` minutes will be used.
 
-:::
-
 <Tabs>
   <TabItem label="Python" icon="seti:python">
     ```python

apps/proxy/pkg/proxy/auth.go

@@ -29,19 +29,19 @@ func (p *Proxy) Authenticate(ctx *gin.Context, sandboxId string) (err error, did
 		}
 	}
 
-	authKey := ctx.Request.Header.Get(DAYTONA_SANDBOX_AUTH_KEY_HEADER)
+	authKey := ctx.Request.Header.Get(SANDBOX_AUTH_KEY_HEADER)
 	if authKey == "" {
-		if ctx.Query(DAYTONA_SANDBOX_AUTH_KEY_QUERY_PARAM) != "" {
-			authKey = ctx.Query(DAYTONA_SANDBOX_AUTH_KEY_QUERY_PARAM)
+		if ctx.Query(SANDBOX_AUTH_KEY_QUERY_PARAM) != "" {
+			authKey = ctx.Query(SANDBOX_AUTH_KEY_QUERY_PARAM)
 			newQuery := ctx.Request.URL.Query()
-			newQuery.Del(DAYTONA_SANDBOX_AUTH_KEY_QUERY_PARAM)
+			newQuery.Del(SANDBOX_AUTH_KEY_QUERY_PARAM)
 			ctx.Request.URL.RawQuery = newQuery.Encode()
 		} else {
 			// Check for cookie
-			cookieSandboxId, err := ctx.Cookie(DAYTONA_SANDBOX_AUTH_COOKIE_NAME + sandboxId)
+			cookieSandboxId, err := ctx.Cookie(SANDBOX_AUTH_COOKIE_NAME + sandboxId)
 			if err == nil && cookieSandboxId != "" {
 				decodedValue := ""
-				err = p.secureCookie.Decode(DAYTONA_SANDBOX_AUTH_COOKIE_NAME+sandboxId, cookieSandboxId, &decodedValue)
+				err = p.secureCookie.Decode(SANDBOX_AUTH_COOKIE_NAME+sandboxId, cookieSandboxId, &decodedValue)
 				if err != nil {
 					return errors.New("sandbox not found"), false
 				}

apps/proxy/pkg/proxy/auth_callback.go

@@ -96,13 +96,13 @@ func (p *Proxy) AuthCallback(ctx *gin.Context) {
 		return
 	}
 
-	encoded, err := p.secureCookie.Encode(DAYTONA_SANDBOX_AUTH_COOKIE_NAME+sandboxId, sandboxId)
+	encoded, err := p.secureCookie.Encode(SANDBOX_AUTH_COOKIE_NAME+sandboxId, sandboxId)
 	if err != nil {
 		ctx.Error(common_errors.NewBadRequestError(fmt.Errorf("failed to encode cookie: %w", err)))
 		return
 	}
 
-	ctx.SetCookie(DAYTONA_SANDBOX_AUTH_COOKIE_NAME+sandboxId, encoded, 3600, "/", p.cookieDomain, p.config.EnableTLS, true)
+	ctx.SetCookie(SANDBOX_AUTH_COOKIE_NAME+sandboxId, encoded, 3600, "/", p.cookieDomain, p.config.EnableTLS, true)
 
 	// Redirect back to the original URL
 	ctx.Redirect(http.StatusFound, returnTo)

apps/proxy/pkg/proxy/get_target.go

@@ -59,6 +59,12 @@ func (p *Proxy) GetProxyTarget(ctx *gin.Context) (*url.URL, map[string]string, e
 		return nil, nil, fmt.Errorf("failed to get runner info: %w", err)
 	}
 
+	// Skip last activity update if header is set
+	if ctx.Request.Header.Get(SKIP_LAST_ACTIVITY_UPDATE_HEADER) != "true" {
+		p.updateLastActivity(ctx.Request.Context(), sandboxID, true)
+		ctx.Request.Header.Del(SKIP_LAST_ACTIVITY_UPDATE_HEADER)
+	}
+
 	// Build the target URL
 	targetURL := fmt.Sprintf("%s/sandboxes/%s/toolbox/proxy/%s", runnerInfo.ApiUrl, sandboxID, targetPort)
 
@@ -204,3 +210,43 @@ func (p *Proxy) parseHost(host string) (targetPort string, sandboxID string, err
 
 	return targetPort, sandboxID, nil
 }
+
+func (p *Proxy) updateLastActivity(ctx context.Context, sandboxId string, shouldPollUpdate bool) {
+	// Prevent frequent updates by caching the last update
+	cached, err := p.sandboxLastActivityUpdateCache.Has(ctx, sandboxId)
+	if err != nil {
+		// If cache doesn't work, skip the update to avoid spamming the API
+		log.Errorf("failed to check last activity update cache for sandbox %s: %v", sandboxId, err)
+		return
+	}
+
+	if !cached {
+		_, err := p.apiclient.SandboxAPI.UpdateLastActivity(ctx, sandboxId).Execute()
+		if err != nil {
+			log.Errorf("failed to update last activity for sandbox %s: %v", sandboxId, err)
+			return
+		}
+
+		err = p.sandboxLastActivityUpdateCache.Set(ctx, sandboxId, true, 45*time.Second)
+		if err != nil {
+			log.Errorf("failed to set last activity update cache for sandbox %s: %v", sandboxId, err)
+		}
+	}
+
+	if shouldPollUpdate {
+		// Update keep alive every 45 seconds until the request is done
+		go func() {
+			ticker := time.NewTicker(45 * time.Second)
+			defer ticker.Stop()
+
+			for {
+				select {
+				case <-ticker.C:
+					p.updateLastActivity(ctx, sandboxId, false)
+				case <-ctx.Done():
+					return
+				}
+			}
+		}()
+	}
+}