@aegis-fluxion/core 0.7.2 → 0.8.0
- package/README.md +51 -1
- package/dist/index.cjs +580 -20
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +31 -1
- package/dist/index.d.ts +31 -1
- package/dist/index.js +581 -21
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
Low-level encrypted WebSocket primitives for the `aegis-fluxion` ecosystem.
|
|
4
4
|
|
|
5
|
-
Version: **0.
|
|
5
|
+
Version: **0.8.0**
|
|
6
6
|
|
|
7
7
|
---
|
|
8
8
|
|
|
@@ -14,6 +14,7 @@ Version: **0.7.2**
|
|
|
14
14
|
- Secure room routing (`join`, `leave`, `leaveAll`, `to(room).emit(...)`)
|
|
15
15
|
- Middleware phases: `connection`, `incoming`, `outgoing`
|
|
16
16
|
- Rate limiting and DDoS controls per connection and IP
|
|
17
|
+
- TLS 1.3-style session resumption with encrypted one-time tickets
|
|
17
18
|
- **Horizontal scaling hooks** via pluggable `SecureServerAdapter`
|
|
18
19
|
|
|
19
20
|
---
|
|
@@ -26,6 +27,55 @@ npm install @aegis-fluxion/core ws
|
|
|
26
27
|
|
|
27
28
|
---
|
|
28
29
|
|
|
30
|
+
## Session resumption (TLS 1.3-style)
|
|
31
|
+
|
|
32
|
+
`@aegis-fluxion/core@0.8.0` introduces secure resume-first reconnect behavior:
|
|
33
|
+
|
|
34
|
+
- Full handshake path uses ephemeral ECDH (`hello` frame).
|
|
35
|
+
- Resume path uses ticket-bound proofs (`resume` / `resume-ack` frames).
|
|
36
|
+
- Successful resumes derive fresh channel keys from ticket secret + client nonce.
|
|
37
|
+
- Servers enforce ticket TTL, bounded cache size, and one-time ticket consumption.
|
|
38
|
+
- Clients automatically fall back to full handshake when resume is rejected.
|
|
39
|
+
|
|
40
|
+
### Server configuration
|
|
41
|
+
|
|
42
|
+
```ts
|
|
43
|
+
import { SecureServer } from "@aegis-fluxion/core";
|
|
44
|
+
|
|
45
|
+
const server = new SecureServer({
|
|
46
|
+
host: "127.0.0.1",
|
|
47
|
+
port: 8080,
|
|
48
|
+
sessionResumption: {
|
|
49
|
+
enabled: true,
|
|
50
|
+
ticketTtlMs: 60_000,
|
|
51
|
+
maxCachedTickets: 10_000
|
|
52
|
+
}
|
|
53
|
+
});
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
### Client configuration
|
|
57
|
+
|
|
58
|
+
```ts
|
|
59
|
+
import { SecureClient } from "@aegis-fluxion/core";
|
|
60
|
+
|
|
61
|
+
const client = new SecureClient("ws://127.0.0.1:8080", {
|
|
62
|
+
reconnect: true,
|
|
63
|
+
sessionResumption: {
|
|
64
|
+
enabled: true,
|
|
65
|
+
maxAcceptedTicketTtlMs: 60_000
|
|
66
|
+
}
|
|
67
|
+
});
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
### Security model
|
|
71
|
+
|
|
72
|
+
- Resume proofs are validated with HMAC and constant-time comparison.
|
|
73
|
+
- Resume tickets are encrypted in transit (same channel protections as all payloads).
|
|
74
|
+
- Resume tickets are discarded if expired, policy-invalid, or already consumed.
|
|
75
|
+
- Reserved internal events (e.g., session-ticket transport) cannot be emitted by user code.
|
|
76
|
+
|
|
77
|
+
---
|
|
78
|
+
|
|
29
79
|
## SecureServer adapter API (horizontal scaling)
|
|
30
80
|
|
|
31
81
|
### Core types
|