@cappitolian/http-local-server-swifter 0.0.33 → 0.0.35

package/README.md

@@ -1,18 +1,24 @@
 # @cappitolian/http-local-server-swifter
 
-A Capacitor plugin to run a local HTTP server on your device, allowing you to receive and respond to HTTP requests directly from Angular/JavaScript.
+[![npm version](https://img.shields.io/npm/v/@cappitolian/http-local-server-swifter)](https://www.npmjs.com/package/@cappitolian/http-local-server-swifter)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Capacitor 8](https://img.shields.io/badge/Capacitor-8-blue)](https://capacitorjs.com/)
+
+A Capacitor plugin that embeds a real HTTP server directly on your device — powered by **NanoHTTPD** on Android and **Swifter** on iOS. It allows you to receive and respond to HTTP requests from the JavaScript layer, enabling local peer-to-peer communication between devices on the same network without a cloud backend.
 
 ---
 
-## Features
+## Table of Contents
 
-- ✅ Embed a real HTTP server (NanoHTTPD on Android, **Swifter** on iOS)
-- ✅ Receive requests via events and send responses back from the JS layer
-- ✅ CORS support enabled by default for local communication
-- ✅ Support for all HTTP methods (GET, POST, PUT, PATCH, DELETE, OPTIONS)
-- ✅ Dynamic URL routing (e.g. `/orders/:id`) supported via middleware
-- ✅ Swift Package Manager (SPM) support
-- ✅ Tested with **Capacitor 8** and **Ionic 8**
+- [Installation](#installation)
+- [Platform Configuration](#platform-configuration)
+- [Usage](#usage)
+- [Security](#security)
+- [API Reference](#api-reference)
+- [Platform Support](#platform-support)
+- [Contributing](#contributing)
+- [Changelog](#changelog)
+- [License](#license)
 
 ---
 
@@ -25,6 +31,52 @@ npx cap sync
 
 ---
 
+## Platform Configuration
+
+### Android
+
+Add the following permissions to your `AndroidManifest.xml`:
+
+```xml
+<uses-permission android:name="android.permission.INTERNET" />
+<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
+<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
+```
+
+To allow cleartext HTTP traffic on the local network, add or update your `network_security_config.xml`:
+
+```xml
+<!-- res/xml/network_security_config.xml -->
+<network-security-config>
+    <domain-config cleartextTrafficPermitted="true">
+        <domain includeSubdomains="true">192.168.0.0/16</domain>
+    </domain-config>
+</network-security-config>
+```
+
+Then reference it in `AndroidManifest.xml`:
+
+```xml
+<application
+    android:networkSecurityConfig="@xml/network_security_config"
+    ...>
+```
+
+### iOS
+
+No additional `Info.plist` entries are required for local HTTP servers. However, if your app uses **Bonjour/mDNS** for Network Discovery, add the following:
+
+```xml
+<key>NSLocalNetworkUsageDescription</key>
+<string>This app uses the local network to communicate with nearby devices.</string>
+<key>NSBonjourServices</key>
+<array>
+    <string>_http._tcp</string>
+</array>
+```
+
+---
+
 ## Usage
 
 ### Import
@@ -33,130 +85,209 @@ npx cap sync
 import { HttpLocalServerSwifter } from '@cappitolian/http-local-server-swifter';
 ```
 
-### Listen and Respond
+### Start the server and listen for requests
 
 ```typescript
-// 1. Set up the listener for incoming requests
+// 1. Register the request listener
 await HttpLocalServerSwifter.addListener('onRequest', async (data) => {
   console.log(`${data.method} ${data.path}`);
-  console.log('Body:', data.body);
   console.log('Headers:', data.headers);
+  console.log('Body:', data.body);
   console.log('Query:', data.query);
 
-  // 2. Send a response back to the client using the requestId
+  // 2. Send a response back using the requestId
   await HttpLocalServerSwifter.sendResponse({
     requestId: data.requestId,
-    body: JSON.stringify({
-      success: true,
-      message: 'Request processed!'
-    })
+    status: 200,
+    headers: {
+      'Content-Type': 'application/json'
+    },
+    body: JSON.stringify({ success: true, message: 'Hello from the device!' })
   });
 });
 
 // 3. Start the server
-HttpLocalServerSwifter.connect().then(result => {
-  console.log('Server running at:', result.ip, 'Port:', result.port);
-});
+const { ip, port } = await HttpLocalServerSwifter.connect();
+console.log(`Server running at http://${ip}:${port}`);
 ```
 
-### Stop Server
+### Stop the server
 
 ```typescript
-// 4. Stop the server
 await HttpLocalServerSwifter.disconnect();
 ```
 
 ---
 
-## Platforms
+## Security
+
+This plugin runs an HTTP server on the local network. The following mechanisms are built into the native layer and recommended at the application layer.
+
+### Rate Limiting (Native — Android & iOS)
+
+IP-based rate limiting is enforced natively before requests reach TypeScript, protecting the server against denial-of-service (DoS) attacks.
+
+| Platform | Limit | Window |
+|---|---|---|
+| Android | 30 requests | 60 seconds |
+| iOS | 30 requests | 60 seconds |
+
+Requests exceeding the limit receive a `429 Too Many Requests` response automatically:
+
+```json
+{ "success": false, "error": "Too many requests" }
+```
+
+### API Key Pairing (Application layer)
 
-- **iOS** (Swift with Swifter)
-- **Android** (Java with NanoHTTPD)
-- **Web** (Returns mock values for development)
+To prevent unauthorized clients from accessing your endpoints, implement an API Key pairing flow:
+
+1. The server generates a cryptographically random key on first launch using `crypto.getRandomValues` and persists it with `@capacitor/preferences`.
+2. The client calls `GET /pair` (the only unauthenticated endpoint) immediately after discovering the server IP.
+3. The server returns the key. The client stores it locally.
+4. All subsequent requests must include the `x-api-key` header. The server validates it before processing any route.
+
+```
+Server generates key → Client calls /pair → Client stores key
+        ↓
+All requests: x-api-key: <key> → Server validates → 401 if invalid
+```
+
+> ⚠️ Since this plugin operates over HTTP, the API key is transmitted in plaintext. For sensitive environments, consider implementing HMAC request signing with short-lived timestamps to prevent replay attacks.
+
+### CORS
+
+CORS headers are set by default in the native layer. The `x-api-key` header is explicitly included in `Access-Control-Allow-Headers` on both platforms.
 
 ---
 
-## Requirements
+## API Reference
+
+<!-- Auto-generated by @capacitor/docgen -->
+
+### Methods
 
-- [Capacitor 8](https://capacitorjs.com/)
-- iOS 13.0+
-- Android API 22+
+#### `connect() => Promise<HttpConnectResult>`
+
+Starts the HTTP server and begins listening for incoming requests.
+
+**Returns:** `Promise<HttpConnectResult>`
 
 ---
 
-## Migration from v0.1.x
+#### `disconnect() => Promise<void>`
 
-Version 0.2.0 introduces middleware-based routing on iOS and dynamic response support (custom `status` and `headers`) on both platforms. See changes below.
+Stops the HTTP server and releases all resources.
 
 ---
 
-## License
+#### `sendResponse(options: HttpSendResponseOptions) => Promise<void>`
 
-MIT
+Sends an HTTP response back to the client for a given request.
+
+| Param | Type | Description |
+|---|---|---|
+| `options` | `HttpSendResponseOptions` | Response options including requestId, status, headers, and body |
 
 ---
 
-## Support
+#### `addListener('onRequest', handler) => Promise<PluginListenerHandle>`
+
+Registers a listener for incoming HTTP requests.
 
-If you have any issues or feature requests, please open an issue on the repository.
+| Param | Type | Description |
+|---|---|---|
+| `eventName` | `'onRequest'` | Event name |
+| `handler` | `(data: HttpRequestData) => void` | Callback receiving the request data |
 
 ---
 
-## 📋 Cambios Principales
+#### `removeAllListeners() => Promise<void>`
 
-### **Route Handlers → Middleware (iOS)**
+Removes all registered listeners.
 
-| Aspecto | v0.1.x | v0.2.0 |
-|---------|--------|--------|
-| **Routing** | `server["/:path"] = { ... }` | `server.middleware.append { ... }` |
-| **Rutas dinámicas** | ❌ Solo un segmento (`/menu`) | ✅ Cualquier ruta (`/orders/:id`) |
-| **CORS preflight** | Manejado por handler estático | Interceptado en middleware antes del JS |
-| **Thread de inicio** | Main thread | Background thread (`DispatchQueue.global`) |
-| **Respuesta dinámica** | Solo `body` | `body` + `status` + `headers` |
+---
 
-### **sendResponse — Nuevos campos opcionales**
+### Interfaces
 
-```typescript
-await HttpLocalServerSwifter.sendResponse({
-  requestId: data.requestId,
-  body: JSON.stringify({ success: true }),
-  status: 200,           // NEW: opcional, default 200
-  headers: {             // NEW: opcional, headers custom
-    'X-Custom-Header': 'value'
-  }
-});
-```
+#### `HttpConnectResult`
 
-### **Archivos modificados**
+| Property | Type | Description |
+|---|---|---|
+| `ip` | `string` | Local IP address where the server is bound |
+| `port` | `number` | Port the server is listening on (default: 8080) |
 
-| Archivo | Cambio |
-|---------|--------|
-| `HttpLocalServerSwifter.swift` | Middleware en lugar de route handlers; `handleJsResponse` acepta `[String: Any]` |
-| `HttpLocalServerSwifterPlugin.swift` | `sendResponse` pasa `dictionaryRepresentation` completo |
-| `HttpLocalServerSwifterPlugin.java` | `sendResponse` pasa `call.getData()` completo |
-| `definitions.ts` | `HttpSendResponseOptions` agrega `status?` y `headers?` |
-| `web.ts` | Mock actualizado con los nuevos campos |
+---
+
+#### `HttpRequestData`
+
+| Property | Type | Description |
+|---|---|---|
+| `requestId` | `string` | Unique ID used to correlate the response |
+| `method` | `string` | HTTP method (GET, POST, PUT, PATCH, DELETE, OPTIONS) |
+| `path` | `string` | Request path (e.g. `/menu`, `/orders/123`) |
+| `headers` | `Record<string, string>` | Request headers |
+| `query` | `Record<string, string>` | Query string parameters |
+| `body` | `string \| null` | Raw request body (for POST, PUT, PATCH) |
 
 ---
 
-## ✅ Pasos para Aplicar
+#### `HttpSendResponseOptions`
 
-1. **Reemplaza `HttpLocalServerSwifter.swift`** con la versión nueva (middleware)
-2. **Reemplaza `HttpLocalServerSwifterPlugin.swift`** con la versión nueva
-3. **Reemplaza `HttpLocalServerSwifterPlugin.java`** con la versión nueva
-4. **Actualiza `definitions.ts`**, **`web.ts`** e **`index.ts`**
-5. **En Xcode**:
-```
-   File → Packages → Reset Package Caches
-   File → Packages → Resolve Package Versions
-   Product → Clean Build Folder
-   Product → Run
-```
-6. **En Android Studio**:
+| Property | Type | Required | Description |
+|---|---|---|---|
+| `requestId` | `string` | ✅ | ID of the request to respond to |
+| `status` | `number` | ❌ | HTTP status code (default: `200`) |
+| `headers` | `Record<string, string>` | ❌ | Custom response headers |
+| `body` | `string` | ❌ | Response body |
+
+---
+
+## Platform Support
+
+| Feature | Android | iOS | Web |
+|---|---|---|---|
+| Start HTTP server | ✅ | ✅ | ✅ (mock) |
+| Receive requests | ✅ | ✅ | ✅ (mock) |
+| Send responses | ✅ | ✅ | ✅ (mock) |
+| Custom status codes | ✅ | ✅ | ✅ (mock) |
+| Custom response headers | ✅ | ✅ | ✅ (mock) |
+| Request headers forwarding | ✅ | ✅ | ✅ (mock) |
+| Dynamic routing | ✅ | ✅ | ❌ |
+| IP-based rate limiting | ✅ | ✅ | ❌ |
+| CORS preflight handling | ✅ | ✅ | ❌ |
+
+---
+
+## Contributing
+
+Clone the repository and install dependencies:
+
+```bash
+git clone https://github.com/cappitolian/http-local-server-swifter
+cd http-local-server-swifter
+npm install
 ```
-   Build → Clean Project
-   Build → Rebuild Project
-   Run
+
+Run the example project:
+
+```bash
+cd example
+npm install
+npx cap sync
+# Open in Android Studio or Xcode
 ```
 
-> ⚠️ `npx cap sync` solo sincroniza archivos web. Los cambios en código nativo Swift/Java **requieren recompilación desde el IDE**.
+> ⚠️ Changes to native Swift/Java code require recompilation from the IDE. `npx cap sync` only syncs web assets.
+
+---
+
+## Changelog
+
+See [CHANGELOG.md](./CHANGELOG.md) for the full list of changes.
+
+---
+
+## License
+
+MIT — see [LICENSE](./LICENSE) for details.

package/android/src/main/java/com/cappitolian/plugins/httplocalserviceswifter/HttpLocalServerSwifter.java

@@ -304,7 +304,7 @@ public class HttpLocalServerSwifter {
             response.addHeader("Access-Control-Allow-Origin", "*");
             response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS");
             response.addHeader("Access-Control-Allow-Headers",
-                    "Origin, Content-Type, Accept, Authorization, X-Requested-With, x-api-key");
+                    "Origin, Content-Type, Accept, Authorization, X-Requested-With, x-api-key, x-signature, x-timestamp");
             response.addHeader("Access-Control-Max-Age", "3600");
             // Prevents TCP connection reuse. NanoHTTPD does not handle keep-alive
             // correctly under rapid sequential requests, causing ERR_INVALID_HTTP_RESPONSE.

package/ios/Sources/HttpLocalServerSwifterPlugin/HttpLocalServerSwifter.swift

@@ -186,7 +186,7 @@ public protocol HttpLocalServerSwifterDelegate: AnyObject {
             "Content-Type":                     "application/json",
             "Access-Control-Allow-Origin":      "*",
             "Access-Control-Allow-Methods":     "GET, POST, PUT, PATCH, DELETE, OPTIONS",
-            "Access-Control-Allow-Headers":     "Origin, Content-Type, Accept, Authorization, X-Requested-With, x-api-key"
+            "Access-Control-Allow-Headers":     "Origin, Content-Type, Accept, Authorization, X-Requested-With, x-api-key, x-signature, x-timestamp"
         ]
 
         if
@@ -210,7 +210,7 @@ public protocol HttpLocalServerSwifterDelegate: AnyObject {
         return .raw(204, "No Content", [
             "Access-Control-Allow-Origin":  "*",
             "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
-            "Access-Control-Allow-Headers": "Origin, Content-Type, Accept, Authorization, X-Requested-With, x-api-key",
+            "Access-Control-Allow-Headers": "Origin, Content-Type, Accept, Authorization, X-Requested-With, x-api-key, x-signature, x-timestamp",
             "Access-Control-Max-Age":       "86400"
         ], nil)
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cappitolian/http-local-server-swifter",
-  "version": "0.0.33",
+  "version": "0.0.35",
   "description": "Runs a local HTTP server on your device, accessible over LAN. Supports connect, disconnect, GET, and POST methods with IP and port discovery.",
   "main": "dist/plugin.cjs.js",
   "module": "dist/esm/index.js",