@floegence/flowersec-core 0.4.0 → 0.6.0

package/dist/client-connect/connectCore.js

@@ -13,11 +13,20 @@ export async function connectCore(args) {
     const observer = normalizeObserver(args.opts.observer);
     const signal = args.opts.signal;
     const connectStart = nowSeconds();
-    const origin = args.opts.origin;
-    if (origin == null || origin === "") {
+    const origin = typeof args.opts.origin === "string" ? args.opts.origin.trim() : "";
+    if (origin === "") {
         throw new FlowersecError({ path: args.path, stage: "validate", code: "missing_origin", message: "missing origin" });
     }
-    if (args.wsUrl == null || args.wsUrl === "") {
+    if (args.path === "tunnel" && args.attach == null) {
+        throw new FlowersecError({
+            path: args.path,
+            stage: "validate",
+            code: "invalid_option",
+            message: "missing attach payload",
+        });
+    }
+    const wsUrl = typeof args.wsUrl === "string" ? args.wsUrl.trim() : "";
+    if (wsUrl === "") {
         const code = args.path === "tunnel" ? "missing_tunnel_url" : "missing_ws_url";
         throw new FlowersecError({ path: args.path, stage: "validate", code, message: "missing websocket url" });
     }
@@ -56,9 +65,28 @@ export async function connectCore(args) {
     if (!Number.isSafeInteger(maxWsQueuedBytes) || maxWsQueuedBytes < 0) {
         invalidOption("maxWsQueuedBytes must be a non-negative integer");
     }
+    const channelId = typeof args.channelId === "string" ? args.channelId.trim() : "";
+    if (channelId === "") {
+        throw new FlowersecError({ path: args.path, stage: "validate", code: "missing_channel_id", message: "missing channel_id" });
+    }
+    let psk;
+    try {
+        const pskB64u = typeof args.e2eePskB64u === "string" ? args.e2eePskB64u.trim() : "";
+        psk = base64urlDecode(pskB64u);
+    }
+    catch (e) {
+        throw new FlowersecError({ path: args.path, stage: "validate", code: "invalid_psk", message: "invalid e2ee_psk_b64u", cause: e });
+    }
+    if (psk.length !== 32) {
+        throw new FlowersecError({ path: args.path, stage: "validate", code: "invalid_psk", message: "psk must be 32 bytes" });
+    }
+    const suite = args.defaultSuite;
+    if (suite !== 1 && suite !== 2) {
+        throw new FlowersecError({ path: args.path, stage: "validate", code: "invalid_suite", message: "invalid suite" });
+    }
     let ws;
     try {
-        ws = createWebSocket(args.wsUrl, origin, args.opts.wsFactory);
+        ws = createWebSocket(wsUrl, origin, args.opts.wsFactory);
     }
     catch (e) {
         if (e instanceof OriginMismatchError) {
@@ -103,14 +131,6 @@ export async function connectCore(args) {
         }
         throwIfAborted(signal, "connect aborted");
         if (args.path === "tunnel") {
-            if (args.attach == null) {
-                throw new FlowersecError({
-                    path: args.path,
-                    stage: "validate",
-                    code: "invalid_option",
-                    message: "missing attach payload",
-                });
-            }
             try {
                 ws.send(args.attach.attachJson);
             }
@@ -125,32 +145,11 @@ export async function connectCore(args) {
                 throw new FlowersecError({ path: args.path, stage: "attach", code: "attach_failed", message: "attach failed", cause: err });
             }
         }
-        let psk;
-        try {
-            psk = base64urlDecode(args.e2eePskB64u);
-        }
-        catch (e) {
-            transport.close();
-            throw new FlowersecError({ path: args.path, stage: "validate", code: "invalid_psk", message: "invalid e2ee_psk_b64u", cause: e });
-        }
-        if (psk.length !== 32) {
-            transport.close();
-            throw new FlowersecError({ path: args.path, stage: "validate", code: "invalid_psk", message: "psk must be 32 bytes" });
-        }
-        if (args.channelId == null || args.channelId === "") {
-            transport.close();
-            throw new FlowersecError({ path: args.path, stage: "validate", code: "missing_channel_id", message: "missing channel_id" });
-        }
-        const suite = args.defaultSuite;
-        if (suite !== 1 && suite !== 2) {
-            transport.close();
-            throw new FlowersecError({ path: args.path, stage: "validate", code: "invalid_suite", message: "invalid suite" });
-        }
         const handshakeStart = nowSeconds();
         let secure;
         try {
             secure = await withAbortAndTimeout(clientHandshake(transport, {
-                channelId: args.channelId,
+                channelId,
                 suite,
                 psk,
                 clientFeatures,
@@ -386,6 +385,11 @@ export async function connectCore(args) {
                         cause: err,
                     });
                 }
+                if (signal != null && abortListener != null) {
+                    // AbortSignal is only used to cancel the open + StreamHello phase.
+                    // After the stream is ready, callers should close/reset it explicitly.
+                    signal.removeEventListener("abort", abortListener);
+                }
                 return s;
             },
             close: closeAll,

package/dist/client-connect/tunnelAttachCloseReason.d.ts

@@ -1,3 +1,3 @@
-export declare const tunnelAttachCloseReasons: readonly ["too_many_connections", "expected_attach", "invalid_attach", "invalid_token", "channel_mismatch", "init_exp_mismatch", "idle_timeout_mismatch", "role_mismatch", "token_replay", "replace_rate_limited", "attach_failed"];
+export declare const tunnelAttachCloseReasons: readonly ["too_many_connections", "expected_attach", "invalid_attach", "invalid_token", "channel_mismatch", "init_exp_mismatch", "idle_timeout_mismatch", "role_mismatch", "token_replay", "replace_rate_limited", "attach_failed", "timeout", "canceled"];
 export type TunnelAttachCloseReason = (typeof tunnelAttachCloseReasons)[number];
 export declare function isTunnelAttachCloseReason(v: string | undefined): v is TunnelAttachCloseReason;

package/dist/client-connect/tunnelAttachCloseReason.js

@@ -9,7 +9,9 @@ export const tunnelAttachCloseReasons = [
     "role_mismatch",
     "token_replay",
     "replace_rate_limited",
-    "attach_failed"
+    "attach_failed",
+    "timeout",
+    "canceled"
 ];
 export function isTunnelAttachCloseReason(v) {
     if (v == null)

package/dist/observability/observer.d.ts

@@ -2,7 +2,7 @@ import type { ClientPath } from "../client.js";
 export type ConnectResult = "ok" | "fail";
 export type ConnectReason = "websocket_error" | "websocket_closed" | "timeout" | "canceled";
 export type AttachResult = "ok" | "fail";
-export type AttachReason = "send_failed" | "too_many_connections" | "expected_attach" | "invalid_attach" | "invalid_token" | "channel_mismatch" | "role_mismatch" | "init_exp_mismatch" | "idle_timeout_mismatch" | "token_replay" | "replace_rate_limited" | "attach_failed";
+export type AttachReason = "send_failed" | "too_many_connections" | "expected_attach" | "invalid_attach" | "invalid_token" | "channel_mismatch" | "role_mismatch" | "init_exp_mismatch" | "idle_timeout_mismatch" | "token_replay" | "replace_rate_limited" | "attach_failed" | "timeout" | "canceled";
 export type HandshakeResult = "ok" | "fail";
 export type HandshakeReason = "auth_tag_mismatch" | "handshake_failed" | "invalid_suite" | "invalid_version" | "timestamp_after_init_exp" | "timestamp_out_of_skew" | "timeout" | "canceled";
 export type WsCloseKind = "local" | "peer_or_error";

package/dist/tunnel-client/connect.js

@@ -80,13 +80,16 @@ export async function connectTunnel(grant, opts) {
     catch (e) {
         throw new FlowersecError({ stage: "validate", code: "invalid_input", path: "tunnel", message: "invalid ChannelInitGrant", cause: e });
     }
-    if (checkedGrant.tunnel_url === "") {
+    const tunnelUrl = checkedGrant.tunnel_url.trim();
+    if (tunnelUrl === "") {
         throw new FlowersecError({ stage: "validate", code: "missing_tunnel_url", path: "tunnel", message: "missing tunnel_url" });
     }
-    if (checkedGrant.channel_id === "") {
+    const channelId = checkedGrant.channel_id.trim();
+    if (channelId === "") {
         throw new FlowersecError({ stage: "validate", code: "missing_channel_id", path: "tunnel", message: "missing channel_id" });
     }
-    if (checkedGrant.token === "") {
+    const token = checkedGrant.token.trim();
+    if (token === "") {
         throw new FlowersecError({ stage: "validate", code: "missing_token", path: "tunnel", message: "missing token" });
     }
     if (checkedGrant.channel_init_expire_at_unix_s <= 0) {
@@ -97,8 +100,9 @@ export async function connectTunnel(grant, opts) {
             message: "missing channel_init_expire_at_unix_s",
         });
     }
+    const e2eePskB64u = checkedGrant.e2ee_psk_b64u.trim();
     try {
-        const psk = base64urlDecode(checkedGrant.e2ee_psk_b64u);
+        const psk = base64urlDecode(e2eePskB64u);
         if (psk.length !== 32) {
             throw new Error("psk must be 32 bytes");
         }
@@ -134,18 +138,18 @@ export async function connectTunnel(grant, opts) {
     }
     const attach = {
         v: 1,
-        channel_id: checkedGrant.channel_id,
+        channel_id: channelId,
         role: TunnelRole.Role_client,
-        token: checkedGrant.token,
+        token,
         endpoint_instance_id: endpointInstanceId
     };
     const attachJson = JSON.stringify(attach);
     const keepaliveIntervalMs = opts.keepaliveIntervalMs ?? defaultKeepaliveIntervalMs(idleTimeoutSeconds);
     return await connectCore({
         path: "tunnel",
-        wsUrl: checkedGrant.tunnel_url,
-        channelId: checkedGrant.channel_id,
-        e2eePskB64u: checkedGrant.e2ee_psk_b64u,
+        wsUrl: tunnelUrl,
+        channelId,
+        e2eePskB64u,
         defaultSuite: checkedGrant.default_suite,
         opts: { ...opts, keepaliveIntervalMs },
         attach: { attachJson, endpointInstanceId }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@floegence/flowersec-core",
-  "version": "0.4.0",
+  "version": "0.6.0",
   "description": "Flowersec core TypeScript library (browser-friendly E2EE + multiplexing over WebSocket).",
   "license": "MIT",
   "repository": {