@interopio/gateway-server 0.4.0-beta → 0.5.0-beta

package/dist/index.js

@@ -13,7 +13,7 @@ import { WebSocketServer } from "ws";
 import http from "node:http";
 import https from "node:https";
 import { readFileSync } from "node:fs";
-import { AsyncLocalStorage } from "node:async_hooks";
+import { AsyncLocalStorage as AsyncLocalStorage2 } from "node:async_hooks";
 import { IOGateway as IOGateway7 } from "@interopio/gateway";
 
 // src/logger.ts
@@ -42,6 +42,7 @@ var WebExchange = class {
 };
 
 // src/server/exchange.ts
+import { Cookie } from "tough-cookie";
 function requestToProtocol(request, defaultProtocol) {
   let proto = request.headers.get("x-forwarded-proto");
   if (Array.isArray(proto)) {
@@ -65,9 +66,7 @@ function requestToHost(request, defaultHost) {
         host = `${host}:${port}`;
       }
     }
-    if (host === void 0) {
-      host = request.headers.one("host");
-    }
+    host ??= request.headers.one("host");
   }
   if (Array.isArray(host)) {
     host = host[0];
@@ -77,14 +76,22 @@ function requestToHost(request, defaultHost) {
   }
   return defaultHost;
 }
+function parseCookies(request) {
+  return request.headers.list("cookie").map((s) => s.split(";").map((cs) => Cookie.parse(cs))).flat(1).filter((tc) => tc !== void 0).map((tc) => {
+    const result = { name: tc.key, value: tc.value };
+    return result;
+  });
+}
 var HttpServerRequest = class {
-  constructor(_req) {
-    this._req = _req;
-    this._headers = new IncomingMessageHeaders(_req);
-  }
   _body;
   _url;
+  _cookies;
   _headers;
+  _req;
+  constructor(req) {
+    this._req = req;
+    this._headers = new IncomingMessageHeaders(this._req);
+  }
   get http2() {
     return this._req.httpVersionMajor >= 2;
   }
@@ -109,9 +116,7 @@ var HttpServerRequest = class {
     if (this._req.httpVersionMajor >= 2) {
       dh = (this._req?.headers)[":authority"];
     }
-    if (dh === void 0) {
-      dh = this._req?.socket.remoteAddress;
-    }
+    dh ??= this._req?.socket.remoteAddress;
     return requestToHost(this, dh);
   }
   get protocol() {
@@ -119,14 +124,16 @@ var HttpServerRequest = class {
     if (this._req.httpVersionMajor > 2) {
       dp = this._req.headers[":scheme"];
     }
-    if (dp === void 0) {
-      dp = this._req?.socket["encrypted"] ? "https" : "http";
-    }
+    dp ??= this._req?.socket["encrypted"] ? "https" : "http";
     return requestToProtocol(this, dp);
   }
   get socket() {
     return this._req.socket;
   }
+  get cookies() {
+    this._cookies ??= parseCookies(this);
+    return this._cookies;
+  }
   get body() {
     this._body ??= new Promise((resolve, reject) => {
       const chunks = [];
@@ -139,6 +146,13 @@ var HttpServerRequest = class {
   get text() {
     return this.body.then(async (blob) => await blob.text());
   }
+  get formData() {
+    return this.body.then(async (blob) => {
+      const text = await blob.text();
+      const formData = new URLSearchParams(text);
+      return formData;
+    });
+  }
   get json() {
     return this.body.then(async (blob) => {
       const json = JSON.parse(await blob.text());
@@ -171,8 +185,9 @@ var IncomingMessageHeaders = class {
   }
 };
 var OutgoingMessageHeaders = class {
-  constructor(_msg) {
-    this._msg = _msg;
+  _msg;
+  constructor(msg) {
+    this._msg = msg;
   }
   has(name) {
     return this._msg.hasHeader(name);
@@ -217,11 +232,12 @@ var OutgoingMessageHeaders = class {
   }
 };
 var HttpServerResponse = class {
-  constructor(_res) {
-    this._res = _res;
-    this._headers = new OutgoingMessageHeaders(_res);
-  }
   _headers;
+  _res;
+  constructor(res) {
+    this._res = res;
+    this._headers = new OutgoingMessageHeaders(res);
+  }
   get statusCode() {
     return this._res.statusCode;
   }
@@ -231,9 +247,57 @@ var HttpServerResponse = class {
     }
     this._res.statusCode = value;
   }
+  set statusMessage(value) {
+    this._res.statusMessage = value;
+  }
   get headers() {
     return this._headers;
   }
+  get cookies() {
+    return this.headers.list("set-cookie").map((cookie) => {
+      const parsed = Cookie.parse(cookie);
+      if (parsed) {
+        const result = { name: parsed.key, value: parsed.value, maxAge: Number(parsed.maxAge ?? -1) };
+        if (parsed.httpOnly) result.httpOnly = true;
+        if (parsed.domain) result.domain = parsed.domain;
+        if (parsed.path) result.path = parsed.path;
+        if (parsed.secure) result.secure = true;
+        if (parsed.httpOnly) result.httpOnly = true;
+        if (parsed.sameSite) result.sameSite = parsed.sameSite;
+        return result;
+      }
+    }).filter((cookie) => cookie !== void 0);
+  }
+  end(chunk) {
+    if (!this._res.headersSent) {
+      return new Promise((resolve, reject) => {
+        if (chunk === void 0) {
+          this._res.end(() => {
+            resolve(true);
+          });
+        } else {
+          this._res.end(chunk, () => {
+            resolve(true);
+          });
+        }
+      });
+    } else {
+      return Promise.resolve(false);
+    }
+  }
+  addCookie(cookie) {
+    this.headers.add("set-cookie", new Cookie({
+      key: cookie.name,
+      value: cookie.value,
+      maxAge: cookie.maxAge,
+      domain: cookie.domain,
+      path: cookie.path,
+      secure: cookie.secure,
+      httpOnly: cookie.httpOnly,
+      sameSite: cookie.sameSite
+    }).toString());
+    return this;
+  }
 };
 var DefaultWebExchange = class extends WebExchange {
   constructor(request, response) {
@@ -241,6 +305,9 @@ var DefaultWebExchange = class extends WebExchange {
     this.request = request;
     this.response = response;
   }
+  get principal() {
+    return Promise.resolve(void 0);
+  }
 };
 function toList(values) {
   if (typeof values === "string") {
@@ -284,17 +351,61 @@ function parseHeader(value) {
   }
   return list;
 }
+var MapHttpHeaders = class extends Map {
+  get(name) {
+    return super.get(name.toLowerCase());
+  }
+  one(name) {
+    return this.get(name)?.[0];
+  }
+  list(name) {
+    const values = super.get(name.toLowerCase());
+    return toList(values);
+  }
+  set(name, value) {
+    if (typeof value === "number") {
+      value = String(value);
+    }
+    if (typeof value === "string") {
+      value = [value];
+    }
+    if (value) {
+      return super.set(name.toLowerCase(), value);
+    } else {
+      super.delete(name.toLowerCase());
+      return this;
+    }
+  }
+  add(name, value) {
+    const prev = super.get(name.toLowerCase());
+    if (typeof value === "string") {
+      value = [value];
+    }
+    if (prev) {
+      value = prev.concat(value);
+    }
+    this.set(name, value);
+    return this;
+  }
+};
 
 // src/gateway/ws/core.ts
 import { IOGateway as IOGateway2 } from "@interopio/gateway";
 var GatewayEncoders = IOGateway2.Encoding;
 var log = getLogger("ws");
 var codec = GatewayEncoders.json();
-function initClient(key, socket, host) {
+function initClient(key, socket, host, securityContextPromise) {
   const opts = {
     key,
     host,
     codec,
+    onAuthenticate: async () => {
+      const authentication = (await securityContextPromise)?.authentication;
+      if (authentication?.authenticated) {
+        return { type: "success", user: authentication.name };
+      }
+      throw new Error(`no valid client authentication ${key}`);
+    },
     onPing: () => {
       socket.ping((err) => {
         if (err) {
@@ -331,10 +442,11 @@ async function create(server) {
     log.error("error starting the gateway websocket server", err);
   }).on("connection", (socket, req) => {
     const request = new HttpServerRequest(req);
+    const securityContextPromise = server.storage?.getStore()?.securityContext;
     const key = socketKey(request.socket);
     const host = request.host;
     log.info(`${key} connected on gw from ${host}`);
-    const client = initClient.call(this, key, socket);
+    const client = initClient.call(this, key, socket, host, securityContextPromise);
     if (!client) {
       log.error(`${key} gw client init failed`);
       socket.terminate();
@@ -836,9 +948,8 @@ var logger5 = getLogger("metrics");
 var COOKIE_NAME = "GW_LOGIN";
 function loggedIn(auth, ctx) {
   if (auth) {
-    const cookieHeaderValue = ctx.request.headers.list("cookie");
-    const cookie = cookieHeaderValue?.join("; ").split("; ").find((value) => value.startsWith(`${COOKIE_NAME}=`));
-    return cookie && parseInt(cookie?.substring(COOKIE_NAME.length + 1)) > Date.now();
+    const value = ctx.request.cookies.find((cookie) => cookie.name === COOKIE_NAME)?.value;
+    return value && parseInt(value) > Date.now();
   }
   return true;
 }
@@ -864,7 +975,7 @@ async function routes2(config) {
       if (ctx.method === "GET" && ctx.path === "/api/login") {
         const redirectTo = new URLSearchParams(ctx.request.query ?? void 0).get("redirectTo");
         const expires = Date.now() + 180 * 1e3;
-        ctx.response.headers.add("set-cookie", `${COOKIE_NAME}=${expires}; Path=/api; SameSite=strict`);
+        ctx.response.addCookie({ name: COOKIE_NAME, value: `${expires}`, maxAge: Infinity, path: "/api", sameSite: "strict" });
         if (redirectTo) {
           ctx.response.statusCode = 302;
           ctx.response.headers.set("location", redirectTo);
@@ -910,30 +1021,38 @@ function compose(...middleware) {
   if (!Array.isArray(middleware)) {
     throw new Error("middleware must be array!");
   }
-  for (const fn of middleware) {
+  const fns = middleware.flat();
+  for (const fn of fns) {
     if (typeof fn !== "function") {
       throw new Error("middleware must be compose of functions!");
     }
   }
   return async function(ctx, next) {
-    let index = -1;
-    return await dispatch(0);
-    async function dispatch(i) {
-      if (i < index) {
-        throw new Error("next() called multiple times");
-      }
-      index = i;
-      let fn;
-      if (i === middleware.length) {
-        fn = next;
-      } else {
-        fn = middleware[i];
-      }
-      if (!fn) {
+    const dispatch = async (i) => {
+      const fn = i === fns.length ? next : fns[i];
+      if (fn === void 0) {
         return;
       }
-      await fn(ctx, dispatch.bind(null, i + 1));
-    }
+      let nextCalled = false;
+      let nextResolved = false;
+      const nextFn = async () => {
+        if (nextCalled) {
+          throw new Error("next() called multiple times");
+        }
+        nextCalled = true;
+        try {
+          return await dispatch(i + 1);
+        } finally {
+          nextResolved = true;
+        }
+      };
+      const result = await fn(ctx, nextFn);
+      if (nextCalled && !nextResolved) {
+        throw new Error("middleware resolved before downstream.\n	 You are probably missing an await or return statement in your middleware function.");
+      }
+      return result;
+    };
+    return dispatch(0);
   };
 }
 
@@ -1252,9 +1371,9 @@ function processRequest(exchange, config) {
 }
 function validateConfig(config) {
   if (config) {
-    const headers = config.headers;
-    if (headers?.allow && headers.allow !== ALL) {
-      headers.allow = headers.allow.map((header) => header.toLowerCase());
+    const headers2 = config.headers;
+    if (headers2?.allow && headers2.allow !== ALL) {
+      headers2.allow = headers2.allow.map((header) => header.toLowerCase());
     }
     const origins = config.origins;
     if (origins?.allow && origins.allow !== ALL) {
@@ -1273,7 +1392,7 @@ var handler = (config) => {
   return async (ctx, next) => {
     const isValid = processRequest(ctx, config);
     if (!isValid || isPreFlightRequest(ctx.request)) {
-      ctx.response._res.end();
+      await ctx.response.end();
     } else {
       await next();
     }
@@ -1413,10 +1532,934 @@ function getMethodToUse(request, isPreFlight) {
   return isPreFlight ? request.headers.one("access-control-request-method") : request.method;
 }
 function getHeadersToUse(request, isPreFlight) {
-  const headers = request.headers;
-  return isPreFlight ? headers.list("access-control-request-headers") : Array.from(headers.keys());
+  const headers2 = request.headers;
+  return isPreFlight ? headers2.list("access-control-request-headers") : Array.from(headers2.keys());
+}
+
+// src/server/server-header.ts
+var serverHeader = (server) => {
+  return async ({ response }, next) => {
+    if (!response.headers.has("server")) {
+      response.headers.set("Server", server);
+    }
+    await next();
+  };
+};
+var server_header_default = (server = "gateway-server") => serverHeader(server);
+
+// src/server/security/http-headers.ts
+var staticServerHttpHeadersWriter = (headers2) => {
+  return async (exchange) => {
+    let containsNoHeaders = true;
+    const { response } = exchange;
+    for (const name of headers2.keys()) {
+      if (response.headers.has(name)) {
+        containsNoHeaders = false;
+      }
+    }
+    if (containsNoHeaders) {
+      for (const [name, value] of headers2) {
+        response.headers.set(name, value);
+      }
+    }
+  };
+};
+var cacheControlServerHttpHeadersWriter = () => staticServerHttpHeadersWriter(
+  new MapHttpHeaders().add("cache-control", "no-cache, no-store, max-age=0, must-revalidate").add("pragma", "no-cache").add("expires", "0")
+);
+var contentTypeServerHttpHeadersWriter = () => staticServerHttpHeadersWriter(
+  new MapHttpHeaders().add("x-content-type-options", "nosniff")
+);
+var strictTransportSecurityServerHttpHeadersWriter = (maxAgeInSeconds, includeSubDomains, preload) => {
+  let headerValue = `max-age=${maxAgeInSeconds}`;
+  if (includeSubDomains) {
+    headerValue += " ; includeSubDomains";
+  }
+  if (preload) {
+    headerValue += " ; preload";
+  }
+  const delegate = staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("strict-transport-security", headerValue)
+  );
+  const isSecure = (exchange) => {
+    const protocol = exchange.request.URL.protocol;
+    return protocol === "https:";
+  };
+  return async (exchange) => {
+    if (isSecure(exchange)) {
+      await delegate(exchange);
+    }
+  };
+};
+var frameOptionsServerHttpHeadersWriter = (mode) => {
+  return staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("x-frame-options", mode)
+  );
+};
+var xssProtectionServerHttpHeadersWriter = (headerValue) => staticServerHttpHeadersWriter(
+  new MapHttpHeaders().add("x-xss-protection", headerValue)
+);
+var permissionsPolicyServerHttpHeadersWriter = (policyDirectives) => {
+  const delegate = policyDirectives === void 0 ? void 0 : staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("permissions-policy", policyDirectives)
+  );
+  return async (exchange) => {
+    if (delegate !== void 0) {
+      await delegate(exchange);
+    }
+  };
+};
+var contentSecurityPolicyServerHttpHeadersWriter = (policyDirectives, reportOnly) => {
+  const headerName = reportOnly ? "content-security-policy-report-only" : "content-security-policy";
+  const delegate = policyDirectives === void 0 ? void 0 : staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add(headerName, policyDirectives)
+  );
+  return async (exchange) => {
+    if (delegate !== void 0) {
+      await delegate(exchange);
+    }
+  };
+};
+var refererPolicyServerHttpHeadersWriter = (policy = "no-referrer") => {
+  return staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("referer-policy", policy)
+  );
+};
+var crossOriginOpenerPolicyServerHttpHeadersWriter = (policy) => {
+  const delegate = policy === void 0 ? void 0 : staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("cross-origin-opener-policy", policy)
+  );
+  return async (exchange) => {
+    if (delegate !== void 0) {
+      await delegate(exchange);
+    }
+  };
+};
+var crossOriginEmbedderPolicyServerHttpHeadersWriter = (policy) => {
+  const delegate = policy === void 0 ? void 0 : staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("cross-origin-embedder-policy", policy)
+  );
+  return async (exchange) => {
+    if (delegate !== void 0) {
+      await delegate(exchange);
+    }
+  };
+};
+var crossOriginResourcePolicyServerHttpHeadersWriter = (policy) => {
+  const delegate = policy === void 0 ? void 0 : staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("cross-origin-resource-policy", policy)
+  );
+  return async (exchange) => {
+    if (delegate !== void 0) {
+      await delegate(exchange);
+    }
+  };
+};
+var compositeServerHttpHeadersWriter = (...writers) => {
+  return async (exchange) => {
+    for (const writer of writers) {
+      await writer(exchange);
+    }
+  };
+};
+function headers(opts) {
+  const writers = [];
+  if (!opts?.cache?.disabled) {
+    writers.push(cacheControlServerHttpHeadersWriter());
+  }
+  if (!opts?.contentType?.disabled) {
+    writers.push(contentTypeServerHttpHeadersWriter());
+  }
+  if (!opts?.hsts?.disabled) {
+    writers.push(strictTransportSecurityServerHttpHeadersWriter(opts?.hsts?.maxAge ?? 365 * 24 * 60 * 60, opts?.hsts?.includeSubDomains ?? true, opts?.hsts?.preload ?? false));
+  }
+  if (!opts?.frameOptions?.disabled) {
+    writers.push(frameOptionsServerHttpHeadersWriter(opts?.frameOptions?.mode ?? "DENY"));
+  }
+  if (!opts?.xss?.disabled) {
+    writers.push(xssProtectionServerHttpHeadersWriter(opts?.xss?.headerValue ?? "0"));
+  }
+  if (!opts?.permissionsPolicy?.disabled) {
+    writers.push(permissionsPolicyServerHttpHeadersWriter(opts?.permissionsPolicy?.policyDirectives));
+  }
+  if (!opts?.contentSecurityPolicy?.disabled) {
+    writers.push(contentSecurityPolicyServerHttpHeadersWriter(opts?.contentSecurityPolicy?.policyDirectives ?? "default-src 'self'", opts?.contentSecurityPolicy?.reportOnly));
+  }
+  if (!opts?.refererPolicy?.disabled) {
+    writers.push(refererPolicyServerHttpHeadersWriter(opts?.refererPolicy?.policy ?? "no-referrer"));
+  }
+  if (!opts?.crossOriginOpenerPolicy?.disabled) {
+    writers.push(crossOriginOpenerPolicyServerHttpHeadersWriter(opts?.crossOriginOpenerPolicy?.policy));
+  }
+  if (!opts?.crossOriginEmbedderPolicy?.disabled) {
+    writers.push(crossOriginEmbedderPolicyServerHttpHeadersWriter(opts?.crossOriginEmbedderPolicy?.policy));
+  }
+  if (!opts?.crossOriginResourcePolicy?.disabled) {
+    writers.push(crossOriginResourcePolicyServerHttpHeadersWriter(opts?.crossOriginResourcePolicy?.policy));
+  }
+  if (opts?.writers) {
+    writers.push(...opts.writers);
+  }
+  const writer = compositeServerHttpHeadersWriter(...writers);
+  return async (exchange, next) => {
+    await writer(exchange);
+    await next();
+  };
 }
 
+// src/server/security/types.ts
+var AuthenticationError = class extends Error {
+  _authentication;
+  get authentication() {
+    return this._authentication;
+  }
+  set authentication(value) {
+    if (value === void 0) {
+      throw new TypeError("Authentication cannot be undefined");
+    }
+    this._authentication = value;
+  }
+};
+var InsufficientAuthenticationError = class extends AuthenticationError {
+};
+var BadCredentialsError = class extends AuthenticationError {
+};
+var AccessDeniedError = class extends Error {
+};
+var AuthorizationDecision = class {
+  constructor(granted) {
+    this.granted = granted;
+  }
+  granted;
+};
+var DefaultAuthorizationManager = class {
+  check;
+  constructor(check) {
+    this.check = check;
+  }
+  async verify(authentication, object) {
+    const decision = await this.check(authentication, object);
+    if (!decision?.granted) {
+      throw new AccessDeniedError("Access denied");
+    }
+  }
+  async authorize(authentication, object) {
+    return await this.check(authentication, object);
+  }
+};
+var AuthenticationServiceError = class extends AuthenticationError {
+};
+
+// src/server/security/entry-point-failure-handler.ts
+var serverAuthenticationEntryPointFailureHandler = (opts) => {
+  const entryPoint = opts.entryPoint;
+  const rethrowAuthenticationServiceError = opts?.rethrowAuthenticationServiceError ?? true;
+  return async ({ exchange }, error) => {
+    if (!rethrowAuthenticationServiceError) {
+      return entryPoint(exchange, error);
+    }
+    if (!(error instanceof AuthenticationServiceError)) {
+      return entryPoint(exchange, error);
+    }
+    throw error;
+  };
+};
+
+// src/server/security/http-basic-entry-point.ts
+var DEFAULT_REALM = "Realm";
+var createHeaderValue = (realm) => {
+  return `Basic realm="${realm}"`;
+};
+var httpBasicEntryPoint = (opts) => {
+  const headerValue = createHeaderValue(opts?.realm ?? DEFAULT_REALM);
+  return async (exchange, _error) => {
+    const { response } = exchange;
+    response.statusCode = 401;
+    response.headers.set("WWW-Authenticate", headerValue);
+  };
+};
+
+// src/server/security/http-basic-converter.ts
+var BASIC = "Basic ";
+var httpBasicAuthenticationConverter = (opts) => {
+  return async (exchange) => {
+    const { request } = exchange;
+    const authorization = request.headers.one("authorization");
+    if (!authorization || !/basic/i.test(authorization.substring(0))) {
+      return;
+    }
+    const credentials = authorization.length <= BASIC.length ? "" : authorization.substring(BASIC.length);
+    const decoded = Buffer.from(credentials, "base64").toString(opts?.credentialsEncoding ?? "utf-8");
+    const parts = decoded.split(":", 2);
+    if (parts.length !== 2) {
+      return void 0;
+    }
+    return { type: "UsernamePassword", authenticated: false, principal: parts[0], credentials: parts[1] };
+  };
+};
+
+// src/server/util/matchers.ts
+var or = (matchers) => {
+  return async (exchange) => {
+    for (const matcher of matchers) {
+      const result = await matcher(exchange);
+      if (result.match) {
+        return { match: true };
+      }
+    }
+    return { match: false };
+  };
+};
+var and = (matchers) => {
+  return async (exchange) => {
+    for (const matcher of matchers) {
+      const result = await matcher(exchange);
+      if (!result.match) {
+        return { match: false };
+      }
+    }
+    return { match: true };
+  };
+};
+var not = (matcher) => {
+  return async (exchange) => {
+    const result = await matcher(exchange);
+    return { match: !result.match };
+  };
+};
+var anyExchange = async (_exchange) => {
+  return { match: true };
+};
+var mediaType = (opts) => {
+  const shouldIgnore = (requestedMediaType) => {
+    if (opts.ignoredMediaTypes !== void 0) {
+      for (const ignoredMediaType of opts.ignoredMediaTypes) {
+        if (requestedMediaType === ignoredMediaType || ignoredMediaType === "*/*") {
+          return true;
+        }
+      }
+    }
+    return false;
+  };
+  return async (exchange) => {
+    const request = exchange.request;
+    let requestMediaTypes;
+    try {
+      requestMediaTypes = request.headers.list("accept");
+    } catch (e) {
+      return { match: false };
+    }
+    for (const requestedMediaType of requestMediaTypes) {
+      if (shouldIgnore(requestedMediaType)) {
+        continue;
+      }
+      for (const mediaType2 of opts.mediaTypes) {
+        if (requestedMediaType.startsWith(mediaType2)) {
+          return { match: true };
+        }
+      }
+    }
+    return { match: false };
+  };
+};
+
+// src/server/security/security-context.ts
+import { AsyncLocalStorage } from "node:async_hooks";
+var AsyncStorageSecurityContextHolder = class _AsyncStorageSecurityContextHolder {
+  static hasSecurityContext(storage) {
+    return storage.getStore()?.securityContext !== void 0;
+  }
+  static async getSecurityContext(storage) {
+    return await storage.getStore()?.securityContext;
+  }
+  static clearSecurityContext(storage) {
+    delete storage.getStore()?.securityContext;
+  }
+  static withSecurityContext(securityContext) {
+    return (storage = new AsyncLocalStorage()) => {
+      storage.getStore().securityContext = securityContext;
+      return storage;
+    };
+  }
+  static withAuthentication(authentication) {
+    return _AsyncStorageSecurityContextHolder.withSecurityContext(Promise.resolve({ authentication }));
+  }
+  static async getContext(storage) {
+    if (_AsyncStorageSecurityContextHolder.hasSecurityContext(storage)) {
+      return _AsyncStorageSecurityContextHolder.getSecurityContext(storage);
+    }
+  }
+};
+
+// src/server/security/authentication-filter.ts
+async function authenticate(exchange, next, token, managerResolver, successHandler, storage) {
+  const authManager = await managerResolver(exchange);
+  const authentication = await authManager?.(token);
+  if (authentication === void 0) {
+    throw new Error("No authentication manager found for the exchange");
+  }
+  try {
+    await onAuthenticationSuccess(authentication, { exchange, next }, successHandler, storage);
+  } catch (e) {
+    if (e instanceof AuthenticationError) {
+    }
+    throw e;
+  }
+}
+async function onAuthenticationSuccess(authentication, filterExchange, successHandler, storage) {
+  AsyncStorageSecurityContextHolder.withAuthentication(authentication)(storage);
+  await successHandler(filterExchange, authentication);
+}
+function authenticationFilter(opts) {
+  const auth = {
+    matcher: anyExchange,
+    successHandler: async ({ next }) => {
+      await next();
+    },
+    converter: httpBasicAuthenticationConverter({}),
+    failureHandler: serverAuthenticationEntryPointFailureHandler({ entryPoint: httpBasicEntryPoint({}) }),
+    ...opts
+  };
+  let managerResolver = auth.managerResolver;
+  if (managerResolver === void 0 && auth.manager !== void 0) {
+    const manager = auth.manager;
+    managerResolver = async (_exchange) => {
+      return manager;
+    };
+  }
+  if (managerResolver === void 0) {
+    throw new Error("Authentication filter requires a managerResolver or a manager");
+  }
+  return async (exchange, next) => {
+    const matchResult = await auth.matcher(exchange);
+    const token = matchResult.match ? await auth.converter(exchange) : void 0;
+    if (token === void 0) {
+      await next();
+      return;
+    }
+    try {
+      await authenticate(exchange, next, token, managerResolver, auth.successHandler, auth.storage);
+    } catch (error) {
+      if (error instanceof AuthenticationError) {
+        await auth.failureHandler({ exchange, next }, error);
+        return;
+      }
+      throw error;
+    }
+  };
+}
+
+// src/server/security/oauth2/token-error.ts
+var BearerTokenErrorCodes = {
+  invalid_request: "invalid_request",
+  invalid_token: "invalid_token"
+};
+var DEFAULT_URI = "https://tools.ietf.org/html/rfc6750#section-3.1";
+function invalidToken(message) {
+  return { errorCode: BearerTokenErrorCodes.invalid_token, httpStatus: 401, description: message, uri: DEFAULT_URI };
+}
+function invalidRequest(message) {
+  return { errorCode: BearerTokenErrorCodes.invalid_request, httpStatus: 400, description: message, uri: DEFAULT_URI };
+}
+
+// src/server/security/oauth2/token-converter.ts
+var ACCESS_TOKEN_PARAMETER_NAME = "access_token";
+var authorizationPattern = /^Bearer\s+(?<token>[a-zA-Z0-9-._~+/]+=*)$/i;
+var Oauth2AuthenticationError = class extends AuthenticationError {
+  error;
+  constructor(error, message, options) {
+    super(message ?? (typeof error === "string" ? void 0 : error.description), options);
+    this.error = typeof error === "string" ? { errorCode: error } : error;
+  }
+};
+var isBearerTokenAuthenticationToken = (authentication) => {
+  return authentication.type === "BearerToken";
+};
+var serverBearerTokenAuthenticationConverter = (opts) => {
+  return async (exchange) => {
+    const { request } = exchange;
+    return Promise.all([
+      resolveFromAuthorizationHeader(request.headers, opts?.headerName).then((token) => token !== void 0 ? [token] : void 0),
+      resolveFromQueryString(request, opts?.uriQueryParameter),
+      resolveFromBody(exchange, opts?.formEncodedBodyParameter)
+    ]).then((rs) => rs.filter((r) => r !== void 0).flat(1)).then(resolveToken).then((token) => {
+      if (token) return { authenticated: false, type: "BearerToken", token };
+    });
+  };
+};
+async function resolveToken(accessTokens) {
+  if (accessTokens.length === 0) {
+    return;
+  }
+  if (accessTokens.length > 1) {
+    const error = invalidRequest("Found multiple access tokens in the request");
+    throw new Oauth2AuthenticationError(error);
+  }
+  const accessToken = accessTokens[0];
+  if (!accessToken || accessToken.length === 0) {
+    const error = invalidRequest("The requested access token parameter is an empty string");
+    throw new Oauth2AuthenticationError(error);
+  }
+  return accessToken;
+}
+async function resolveFromAuthorizationHeader(headers2, headerName = "authorization") {
+  const authorization = headers2.one(headerName);
+  if (!authorization || !/bearer/i.test(authorization.substring(0))) {
+    return;
+  }
+  const match = authorizationPattern.exec(authorization);
+  if (match === null) {
+    const error = invalidToken("Bearer token is malformed");
+    throw new Oauth2AuthenticationError(error);
+  }
+  return match.groups?.token;
+}
+async function resolveTokens(parameters) {
+  const accessTokens = parameters.getAll(ACCESS_TOKEN_PARAMETER_NAME);
+  if (accessTokens.length === 0) {
+    return;
+  }
+  return accessTokens;
+}
+async function resolveFromQueryString(request, allow = false) {
+  if (!allow || request.method !== "GET") {
+    return;
+  }
+  return resolveTokens(request.URL.searchParams);
+}
+async function resolveFromBody(exchange, allow = false) {
+  const { request } = exchange;
+  if (!allow || "application/x-www-form-urlencoded" !== request.headers.one("content-type") || request.method !== "POST") {
+    return;
+  }
+  return resolveTokens(await exchange.request.formData);
+}
+var token_converter_default = serverBearerTokenAuthenticationConverter;
+
+// src/server/security/oauth2/token-entry-point.ts
+function computeWWWAuthenticate(parameters) {
+  let wwwAuthenticate = "Bearer";
+  if (parameters.size !== 0) {
+    wwwAuthenticate += " ";
+    let i = 0;
+    for (const [key, value] of parameters) {
+      wwwAuthenticate += `${key}="${value}"`;
+      if (i !== parameters.size - 1) {
+        wwwAuthenticate += ", ";
+      }
+      i++;
+    }
+  }
+  return wwwAuthenticate;
+}
+var isBearerTokenError = (error) => {
+  return error.httpStatus !== void 0;
+};
+function getStatus(authError) {
+  if (authError instanceof Oauth2AuthenticationError) {
+    const { error } = authError;
+    if (isBearerTokenError(error)) {
+      return error.httpStatus;
+    }
+  }
+  return 401;
+}
+function createParameters(authError, realm) {
+  const parameters = /* @__PURE__ */ new Map();
+  if (realm) {
+    parameters.set("realm", realm);
+  }
+  if (authError instanceof Oauth2AuthenticationError) {
+    const { error } = authError;
+    parameters.set("error", error.errorCode);
+    if (error.description) {
+      parameters.set("error_description", error.description);
+    }
+    if (error.uri) {
+      parameters.set("error_uri", error.uri);
+    }
+    if (isBearerTokenError(error) && error.scope) {
+      parameters.set("scope", error.scope);
+    }
+  }
+  return parameters;
+}
+var bearerTokenServerAuthenticationEntryPoint = (opts) => {
+  return async (exchange, error) => {
+    const status = getStatus(error);
+    const parameters = createParameters(error, opts?.realmName);
+    const wwwAuthenticate = computeWWWAuthenticate(parameters);
+    const { response } = exchange;
+    response.headers.set("WWW-Authenticate", wwwAuthenticate);
+    response.statusCode = status;
+    await response.end();
+  };
+};
+var token_entry_point_default = bearerTokenServerAuthenticationEntryPoint;
+
+// src/server/security/oauth2/jwt-auth-manager.ts
+var jwtAuthConverter = (opts) => {
+  const principalClaimName = opts?.principalClaimName ?? "sub";
+  return (jwt) => {
+    const name = jwt.getClaimAsString(principalClaimName);
+    return { type: "JwtToken", authenticated: true, name };
+  };
+};
+var asyncJwtConverter = (converter) => {
+  return async (jwt) => {
+    return converter(jwt);
+  };
+};
+var JwtError = class extends Error {
+};
+var BadJwtError = class extends JwtError {
+};
+function onError(error) {
+  if (error instanceof BadJwtError) {
+    return new Oauth2AuthenticationError(invalidToken(error.message), error.message, { cause: error });
+  }
+  throw new AuthenticationServiceError(error.message, { cause: error });
+}
+function jwtAuthManager(opts) {
+  const decoder = opts.decoder;
+  const authConverter = opts.authConverter ?? asyncJwtConverter(jwtAuthConverter({}));
+  return async (authentication) => {
+    if (isBearerTokenAuthenticationToken(authentication)) {
+      const token = authentication.token;
+      try {
+        const jwt = await decoder(token);
+        return await authConverter(jwt);
+      } catch (e) {
+        if (e instanceof JwtError) {
+          throw onError(e);
+        }
+        throw e;
+      }
+    }
+  };
+}
+
+// src/server/security/oauth2-resource-server.ts
+function resourceServer(opts) {
+  const entryPoint = opts.entryPoint ?? token_entry_point_default({});
+  const converter = opts?.converter ?? token_converter_default({});
+  const failureHandler = opts.failureHandler ?? serverAuthenticationEntryPointFailureHandler({ entryPoint });
+  if (opts.managerResolver !== void 0) {
+    return authenticationFilter({
+      storage: opts.storage,
+      converter,
+      failureHandler,
+      managerResolver: opts.managerResolver
+    });
+  }
+  if (opts.jwt !== void 0) {
+    const manager = opts.jwt.manager ?? jwtAuthManager(opts.jwt);
+    return authenticationFilter({
+      storage: opts.storage,
+      converter,
+      failureHandler,
+      managerResolver: async (_exchange) => {
+        return manager;
+      }
+    });
+  }
+  throw new Error("Invalid resource server configuration: either managerResolver or jwt must be provided");
+}
+
+// src/server/security/http-status-entry-point.ts
+var httpStatusEntryPoint = (opts) => {
+  return async (exchange, _error) => {
+    const response = exchange.response;
+    response.statusCode = opts.httpStatus.code;
+    response.statusMessage = opts.httpStatus.message;
+  };
+};
+
+// src/server/security/delegating-entry-point.ts
+var delegatingEntryPoint = (opts) => {
+  const defaultEntryPoint = opts.defaultEntryPoint ?? (async ({ response }, _error) => {
+    response.statusCode = 401;
+    await response.end();
+  });
+  return async (exchange, error) => {
+    for (const [matcher, entryPoint] of opts.entryPoints) {
+      const match = await matcher(exchange);
+      if (match.match) {
+        return entryPoint(exchange, error);
+      }
+    }
+    return defaultEntryPoint(exchange, error);
+  };
+};
+
+// src/server/security/delegating-success-handler.ts
+var delegatingSuccessHandler = (handlers) => {
+  return async ({ exchange, next }, authentication) => {
+    for (const handler2 of handlers) {
+      await handler2({ exchange, next }, authentication);
+    }
+  };
+};
+
+// src/server/security/http-basic.ts
+function httpBasic(opts) {
+  const xhrMatcher = async (exchange) => {
+    const headers2 = exchange.request.headers;
+    const h = headers2.list("X-Requested-With");
+    if (h.includes("XMLHttpRequest")) {
+      return { match: true };
+    }
+    return { match: false };
+  };
+  const defaultEntryPoint = delegatingEntryPoint({
+    entryPoints: [[xhrMatcher, httpStatusEntryPoint({ httpStatus: { code: 401 } })]],
+    defaultEntryPoint: httpBasicEntryPoint({})
+  });
+  const entryPoint = opts.entryPoint ?? defaultEntryPoint;
+  const manager = opts.manager;
+  const restMatcher = mediaType({
+    mediaTypes: [
+      "application/atom+xml",
+      "application/x-www-form-urlencoded",
+      "application/json",
+      "application/octet-stream",
+      "application/xml",
+      "multipart/form-data",
+      "text/xml"
+    ],
+    ignoredMediaTypes: ["*/*"]
+  });
+  const notHtmlMatcher = not(mediaType({ mediaTypes: ["text/html"] }));
+  const restNoHtmlMatcher = and([notHtmlMatcher, restMatcher]);
+  const preferredMatcher = or([xhrMatcher, restNoHtmlMatcher]);
+  opts.defaultEntryPoints.push([preferredMatcher, entryPoint]);
+  const failureHandler = opts.failureHandler ?? serverAuthenticationEntryPointFailureHandler({ entryPoint });
+  const successHandler = delegatingSuccessHandler(opts.successHandlers === void 0 ? opts.defaultSuccessHandlers : opts.successHandlers);
+  const converter = httpBasicAuthenticationConverter({});
+  return authenticationFilter({
+    storage: opts.storage,
+    manager,
+    failureHandler,
+    successHandler,
+    converter
+  });
+}
+
+// src/server/security/config.ts
+import { jwtVerifier } from "@interopio/gateway/jose/jwt";
+
+// src/server/security/error-filter.ts
+async function commenceAuthentication(exchange, authentication, entryPoint) {
+  const cause = new InsufficientAuthenticationError(`Full authentication is required to access this resource.`);
+  const e = new AuthenticationError("Access Denied", { cause });
+  if (authentication) {
+    e.authentication = authentication;
+  }
+  await entryPoint(exchange, e);
+}
+function httpStatusAccessDeniedHandler(status, message) {
+  return async (exchange, _error) => {
+    exchange.response.statusCode = status;
+    exchange.response.statusMessage = message;
+    exchange.response.headers.set("Content-Type", "text/plain");
+    const bytes = Buffer.from("Access Denied", "utf-8");
+    exchange.response.headers.set("Content-Length", bytes.length);
+    await exchange.response.end(bytes);
+  };
+}
+var errorFilter = (opts) => {
+  const accessDeniedHandler = httpStatusAccessDeniedHandler(403, "Forbidden");
+  const authenticationEntryPoint = opts.authenticationEntryPoint ?? httpBasicEntryPoint();
+  return async (exchange, next) => {
+    try {
+      await next();
+    } catch (error) {
+      if (error instanceof AccessDeniedError) {
+        const principal = await exchange.principal;
+        if (principal === void 0) {
+          await commenceAuthentication(exchange, void 0, authenticationEntryPoint);
+        } else {
+          if (!principal.authenticated) {
+            return accessDeniedHandler(exchange, error);
+          }
+          await commenceAuthentication(exchange, principal, authenticationEntryPoint);
+        }
+      }
+    }
+  };
+};
+
+// src/server/security/authorization-filter.ts
+function authorizationFilter(opts) {
+  const { manager, storage } = opts;
+  return async (exchange, next) => {
+    const promise = AsyncStorageSecurityContextHolder.getContext(storage).then((c) => c?.authentication);
+    try {
+      await manager.verify(promise, exchange);
+    } catch (error) {
+      if (error instanceof AccessDeniedError) {
+      }
+      throw error;
+    }
+    await next();
+  };
+}
+
+// src/server/security/delegating-authorization-manager.ts
+function delegatingAuthorizationManager(opts) {
+  const check = async (authentication, exchange) => {
+    let decision;
+    for (const [matcher, manager] of opts.mappings) {
+      if ((await matcher(exchange))?.match) {
+        const checkResult = await manager.check(authentication, { exchange });
+        if (checkResult !== void 0) {
+          decision = checkResult;
+          break;
+        }
+      }
+    }
+    decision ??= new AuthorizationDecision(false);
+    return decision;
+  };
+  return new DefaultAuthorizationManager(check);
+}
+
+// src/server/security/config.ts
+var filterOrder = {
+  first: Number.MAX_SAFE_INTEGER,
+  http_headers: 1 * 100,
+  https_redirect: 2 * 100,
+  cors: 3 * 100,
+  http_basic: 6 * 100,
+  authentication: 8 * 100,
+  error_translation: 18 * 100,
+  authorization: 19 * 100,
+  last: Number.MAX_SAFE_INTEGER
+};
+var filterOrderSymbol = Symbol.for("filterOrder");
+var config_default = (config, storage) => {
+  const middleware = [];
+  class ServerHttpSecurity {
+    #authenticationEntryPoint;
+    #defaultEntryPoints = [];
+    manager;
+    get authenticationEntryPoint() {
+      if (this.#authenticationEntryPoint !== void 0 || this.#defaultEntryPoints.length === 0) {
+        return this.#authenticationEntryPoint;
+      }
+      if (this.#defaultEntryPoints.length === 1) {
+        return this.#defaultEntryPoints[0][1];
+      }
+      return delegatingEntryPoint({
+        entryPoints: this.#defaultEntryPoints,
+        defaultEntryPoint: this.#defaultEntryPoints[this.#defaultEntryPoints.length - 1][1]
+      });
+    }
+    build() {
+      if (config.headers !== void 0 && config.headers.disabled !== true) {
+        const writer = headers(config.headers);
+        writer[filterOrderSymbol] = filterOrder.http_headers;
+        middleware.push(writer);
+      }
+      if (config.basic !== void 0 && config.basic?.disabled !== true) {
+        const username = config.basic.user?.name.toLowerCase();
+        const password = config.basic.user?.password ?? "";
+        const authorities = config.basic.user?.authorities ?? [];
+        const manager = async (auth) => {
+          const principal = auth["principal"];
+          const credentials = auth["credentials"];
+          if (principal.toLowerCase() !== username || credentials !== password) {
+            throw new BadCredentialsError("Invalid username or password");
+          }
+          return { type: "UsernamePassword", authenticated: true, principal, credentials, authorities: [...authorities] };
+        };
+        const defaultSuccessHandlers = [
+          async ({ exchange: _, next }, _authentication) => {
+            return next();
+          }
+        ];
+        const filter = httpBasic({
+          storage,
+          manager,
+          defaultEntryPoints: this.#defaultEntryPoints,
+          defaultSuccessHandlers
+        });
+        filter[filterOrderSymbol] = filterOrder.http_basic;
+        middleware.push(filter);
+      }
+      if (config.jwt !== void 0 && config.jwt.disabled !== true) {
+        const verifier = jwtVerifier({
+          issuerBaseUri: config.jwt.issuerBaseUri,
+          issuer: config.jwt.issuer,
+          audience: config.jwt.audience
+        });
+        const decoder = async (token) => {
+          const { payload } = await verifier(token);
+          return {
+            subject: payload.sub,
+            getClaimAsString(claim) {
+              return payload[claim];
+            }
+          };
+        };
+        const filter = resourceServer({ storage, jwt: { decoder } });
+        filter[filterOrderSymbol] = filterOrder.authentication;
+        middleware.push(filter);
+      }
+      if (config.authorize !== void 0) {
+        const errorFf = errorFilter({ authenticationEntryPoint: this.authenticationEntryPoint });
+        errorFf[filterOrderSymbol] = filterOrder.error_translation;
+        middleware.push(errorFf);
+        const buildAuthorizationManager = (authorize) => {
+          const mappings = [];
+          let anyExchangeRegistered = false;
+          for (const [matcher, access2] of authorize ?? []) {
+            let serverMatcher;
+            if (matcher === "any-exchange") {
+              anyExchangeRegistered = true;
+              serverMatcher = anyExchange;
+            } else if (anyExchangeRegistered) {
+              throw new Error("Cannot register other matchers after 'any-exchange' matcher");
+            } else {
+              serverMatcher = matcher;
+            }
+            let manager2;
+            if (access2.access === "permit-all") {
+              manager2 = new DefaultAuthorizationManager(async () => new AuthorizationDecision(true));
+            } else if (access2.access === "deny-all") {
+              manager2 = new DefaultAuthorizationManager(async () => new AuthorizationDecision(false));
+            } else if (access2.access === "authenticated") {
+              manager2 = new DefaultAuthorizationManager(async (p) => {
+                const authentication = await p;
+                if (authentication !== void 0) {
+                  return new AuthorizationDecision(authentication.authenticated);
+                }
+                return new AuthorizationDecision(false);
+              });
+            } else {
+              throw new Error(`Unknown access type: ${JSON.stringify(access2)}`);
+            }
+            mappings.push([serverMatcher, manager2]);
+          }
+          return delegatingAuthorizationManager({ mappings });
+        };
+        const manager = buildAuthorizationManager(config.authorize);
+        const filter = authorizationFilter({ manager, storage });
+        filter[filterOrderSymbol] = filterOrder.authorization;
+        middleware.push(filter);
+      }
+      middleware.sort((a, b) => {
+        const aOrder = a[filterOrderSymbol] ?? filterOrder.last;
+        const bOrder = b[filterOrderSymbol] ?? filterOrder.last;
+        return aOrder - bOrder;
+      });
+    }
+  }
+  const security = new ServerHttpSecurity();
+  security.build();
+  return middleware;
+};
+
 // src/server.ts
 var logger7 = getLogger("app");
 function secureContextOptions(ssl) {
@@ -1426,20 +2469,81 @@ function secureContextOptions(ssl) {
   if (ssl.ca) options.ca = readFileSync(ssl.ca);
   return options;
 }
-function createListener(middleware, routes3) {
-  const storage = new AsyncLocalStorage();
+function createListener(storage, middleware, routes3, onSocketError) {
   const listener = compose(
-    async ({ response }, next) => {
-      response.headers.set("server", "gateway-server");
-      await next();
-    },
+    server_header_default(),
+    ...config_default({
+      authorize: [
+        [async (exchange) => {
+          return { match: exchange.path === "/health" && exchange.method === "GET" };
+        }, { access: "permit-all" }],
+        // ['any-exchange', {access: 'authenticated'}],
+        ["any-exchange", { access: "permit-all" }]
+      ],
+      basic: {
+        disabled: true,
+        realm: "Gateway Server"
+      },
+      jwt: {
+        disabled: true
+      }
+    }, storage),
     ...cors_default({
-      origins: { allow: [/http:\/\/localhost(:\d+)?/] },
+      origins: { allow: [/http:\/\/localhost(:\d+)?/, /file:\//] },
       methods: { allow: ["GET", "HEAD", "POST", "DELETE"] },
       headers: { allow: "*" },
       credentials: { allow: true }
     }),
     ...middleware,
+    async ({ request, response }, next) => {
+      const path = request.path ?? "/";
+      const route = routes3.get(path) ?? Array.from(routes3.values()).find((route2) => {
+        if (path === "/" && route2.default === true) {
+          return true;
+        }
+      });
+      if (route) {
+        if (request.method === "GET" && request.headers.one("connection") === "Upgrade" && request.headers.one("upgrade")?.toLowerCase() === "websocket") {
+          const socket = request.socket;
+          const host = request.host;
+          const info = socketKey(request._req.socket);
+          if (route?.wss) {
+            socket.removeListener("error", onSocketError);
+            const wss = route.wss;
+            if (route.maxConnections !== void 0 && wss.clients?.size >= route.maxConnections) {
+              logger7.warn(`${info} dropping ws connection request from ${host} on ${path}. max connections exceeded.`);
+              socket.destroy();
+              return;
+            }
+            const origin = request.headers["origin"];
+            if (!acceptsOrigin(origin, route.originFilters)) {
+              logger7.info(`${info} dropping ws connection request from ${host} on ${path}. origin ${origin ?? "<missing>"}`);
+              socket.destroy();
+              return;
+            }
+            if (logger7.enabledFor("debug")) {
+              logger7.debug(`${info} accepted new ws connection request from ${host} on ${path}`);
+            }
+            wss.handleUpgrade(request._req, socket, request._req["_upgradeHead"], (ws) => {
+              response._res["_header"] = true;
+              ws.on("pong", () => ws["connected"] = true);
+              ws.on("ping", () => {
+              });
+              wss.emit("connection", ws, request._req);
+            });
+          } else {
+            logger7.warn(`${info} rejected upgrade request from ${host} on ${path}`);
+            socket.destroy();
+          }
+        } else {
+          response.statusCode = 426;
+          response._res.appendHeader("Upgrade", "websocket").appendHeader("Connection", "Upgrade").appendHeader("Content-Type", "text/plain");
+          await response.end(`This service [${request.path}] requires use of the websocket protocol.`);
+        }
+      } else {
+        await next();
+      }
+    },
     async ({ request, response }, next) => {
       if (request.method === "GET" && request.path === "/health") {
         response.statusCode = 200;
@@ -1450,33 +2554,35 @@ function createListener(middleware, routes3) {
     },
     async ({ request, response }, next) => {
       if (request.method === "GET" && request.path === "/") {
-        response._res.end(`io.Gateway Server`);
+        await response.end(`io.Gateway Server`);
       } else {
         await next();
       }
     },
     async ({ request, response }, _next) => {
-      const route = routes3.get(request.path);
-      if (route) {
-        response.statusCode = 426;
-        response._res.appendHeader("Upgrade", "websocket").appendHeader("Connection", "Upgrade").appendHeader("Content-Type", "text/plain");
-        response._res.end(`This service [${request.path}] requires use of the websocket protocol.`);
-      } else {
-        response.statusCode = 404;
-        response._res.end(http.STATUS_CODES[404]);
-      }
+      response.statusCode = 404;
+      await response.end(http.STATUS_CODES[404]);
     }
   );
   return (request, response) => {
+    request.socket.addListener("error", onSocketError);
     const exchange = new DefaultWebExchange(new HttpServerRequest(request), new HttpServerResponse(response));
-    return storage.run(exchange, async () => {
+    return storage.run({ exchange }, async () => {
       if (logger7.enabledFor("debug")) {
         const socket = exchange.request._req.socket;
         if (logger7.enabledFor("debug")) {
           logger7.debug(`received ${exchange.method} request for ${exchange.path} from ${socket.remoteAddress}:${socket.remotePort}`);
         }
       }
-      return await listener(exchange);
+      try {
+        return await listener(exchange);
+      } catch (e) {
+        if (logger7.enabledFor("warn")) {
+          logger7.warn(`error processing request for ${exchange.path}`, e);
+        }
+      } finally {
+        await exchange.response.end();
+      }
     });
   };
 }
@@ -1535,12 +2641,11 @@ var Factory = async (options) => {
   }
   const ports = portRange(options.port ?? 0);
   const host = options.host;
+  const storage = new AsyncLocalStorage2();
   const serverP = new Promise((resolve, reject) => {
     const onSocketError = (err) => logger7.error(`socket error: ${err}`, err);
-    const server2 = createServer(
-      {},
-      createListener(middleware, routes3)
-    );
+    const listener = createListener(storage, middleware, routes3, onSocketError);
+    const server2 = createServer({}, listener);
     server2.on("error", (e) => {
       if (e["code"] === "EADDRINUSE") {
         logger7.debug(`port ${e["port"]} already in use on address ${e["address"]}`);
@@ -1566,7 +2671,7 @@ var Factory = async (options) => {
           logger7.info(`creating ws server for [${path}]. max connections: ${route.maxConnections ?? "<unlimited>"}, origin filters: ${route.originFilters ? JSON.stringify(route.originFilters, regexAwareReplacer) : "<none>"}`);
           const wss = new WebSocketServer({ noServer: true });
           const endpoint = `${ssl ? "wss" : "ws"}://${localIp}:${info.port}${path}`;
-          const handler2 = await route.factory({ endpoint, wss });
+          const handler2 = await route.factory({ endpoint, wss, storage });
           const pingInterval = route.ping;
           if (pingInterval) {
             const pingIntervalId = setInterval(() => {
@@ -1594,42 +2699,10 @@ var Factory = async (options) => {
     server2.on("upgrade", (req, socket, head) => {
       socket.addListener("error", onSocketError);
       try {
-        const request = new HttpServerRequest(req);
-        const path = request.path ?? "/";
-        const route = routes3.get(path) ?? Array.from(routes3.values()).find((route2) => {
-          if (path === "/" && route2.default === true) {
-            return true;
-          }
-        });
-        const host2 = request.host;
-        const info = socketKey(request.socket);
-        if (route?.wss) {
-          socket.removeListener("error", onSocketError);
-          const wss = route.wss;
-          if (route.maxConnections !== void 0 && wss.clients?.size >= route.maxConnections) {
-            logger7.warn(`${info} dropping ws connection request from ${host2} on ${path}. max connections exceeded.`);
-            socket.destroy();
-            return;
-          }
-          const origin = request.headers["origin"];
-          if (!acceptsOrigin(origin, route.originFilters)) {
-            logger7.info(`${info} dropping ws connection request from ${host2} on ${path}. origin ${origin ?? "<missing>"}`);
-            socket.destroy();
-            return;
-          }
-          if (logger7.enabledFor("debug")) {
-            logger7.debug(`${info} accepted new ws connection request from ${host2} on ${path}`);
-          }
-          wss.handleUpgrade(req, socket, head, (ws) => {
-            ws.on("pong", () => ws["connected"] = true);
-            ws.on("ping", () => {
-            });
-            wss.emit("connection", ws, req);
-          });
-        } else {
-          logger7.warn(`${info} rejected upgrade request from ${host2} on ${path}`);
-          socket.destroy();
-        }
+        req._upgradeHead = head;
+        const res = new http.ServerResponse(req);
+        res.assignSocket(socket);
+        listener(req, res);
       } catch (err) {
         logger7.error(`upgrade error: ${err}`, err);
       }