@interopio/gateway-server 0.5.2-beta → 0.6.1-beta

package/dist/index.cjs

@@ -169,7 +169,7 @@ var HttpServerRequest = class {
     this._body ??= new Promise((resolve, reject) => {
       const chunks = [];
       this._req.on("error", (err) => reject(err)).on("data", (chunk) => chunks.push(chunk)).on("end", () => {
-        resolve(new Blob(chunks));
+        resolve(new Blob(chunks, { type: this.headers.one("content-type") }));
       });
     });
     return this._body;
@@ -186,74 +186,79 @@ var HttpServerRequest = class {
   }
   get json() {
     return this.body.then(async (blob) => {
-      const json = JSON.parse(await blob.text());
+      if (blob.size === 0) {
+        return void 0;
+      }
+      const text = await blob.text();
+      const json = JSON.parse(text);
       return json;
     });
   }
 };
 var IncomingMessageHeaders = class {
-  constructor(_msg) {
-    this._msg = _msg;
+  #msg;
+  constructor(msg) {
+    this.#msg = msg;
   }
   has(name) {
-    return this._msg.headers[name] !== void 0;
+    return this.#msg.headers[name] !== void 0;
   }
   get(name) {
-    return this._msg.headers[name];
+    return this.#msg.headers[name];
   }
   list(name) {
-    return toList(this._msg.headers[name]);
+    return toList(this.#msg.headers[name]);
   }
   one(name) {
-    const value = this._msg.headers[name];
+    const value = this.#msg.headers[name];
     if (Array.isArray(value)) {
       return value[0];
     }
     return value;
   }
   keys() {
-    return Object.keys(this._msg.headers).values();
+    return Object.keys(this.#msg.headers).values();
   }
 };
 var OutgoingMessageHeaders = class {
-  _msg;
+  #msg;
   constructor(msg) {
-    this._msg = msg;
+    this.#msg = msg;
   }
   has(name) {
-    return this._msg.hasHeader(name);
+    return this.#msg.hasHeader(name);
   }
   keys() {
-    return this._msg.getHeaderNames().values();
+    return this.#msg.getHeaderNames().values();
   }
   get(name) {
-    return this._msg.getHeader(name);
+    return this.#msg.getHeader(name);
   }
   one(name) {
-    const value = this._msg.getHeader(name);
+    const value = this.#msg.getHeader(name);
     if (Array.isArray(value)) {
       return value[0];
     }
     return value;
   }
   set(name, value) {
-    if (!this._msg.headersSent) {
+    if (!this.#msg.headersSent) {
       if (Array.isArray(value)) {
         value = value.map((v) => typeof v === "number" ? String(v) : v);
       } else if (typeof value === "number") {
         value = String(value);
       }
       if (value) {
-        this._msg.setHeader(name, value);
+        this.#msg.setHeader(name, value);
       } else {
-        this._msg.removeHeader(name);
+        this.#msg.removeHeader(name);
       }
     }
     return this;
   }
   add(name, value) {
-    if (!this._msg.headersSent) {
-      this._msg.appendHeader(name, value);
+    if (!this.#msg.headersSent) {
+      this.#msg.appendHeader(name, value);
     }
     return this;
   }
@@ -301,7 +306,7 @@ var HttpServerResponse = class {
   }
   end(chunk) {
     if (!this._res.headersSent) {
-      return new Promise((resolve, reject) => {
+      return new Promise((resolve) => {
         if (chunk === void 0) {
           this._res.end(() => {
             resolve(true);
@@ -331,6 +336,8 @@ var HttpServerResponse = class {
   }
 };
 var DefaultWebExchange = class extends WebExchange {
+  request;
+  response;
   constructor(request, response) {
     super();
     this.request = request;
@@ -419,6 +426,92 @@ var MapHttpHeaders = class extends Map {
     return this;
   }
 };
+var MockHttpRequest = class {
+  #url;
+  #body;
+  headers = new MapHttpHeaders();
+  constructor(url, method) {
+    if (typeof url === "string") {
+      if (URL.canParse(url)) {
+        url = new URL(url);
+      } else if (URL.canParse(url, "http://localhost")) {
+        url = new URL(url, "http://localhost");
+      } else {
+        throw new TypeError("URL cannot parse url");
+      }
+    }
+    this.#url = url;
+    this.method = method ?? "GET";
+    this.headers.set("Host", this.#url.hostname);
+    this.path = this.#url.pathname ?? "/";
+  }
+  method;
+  path;
+  get host() {
+    return requestToHost(this, this.#url.host);
+  }
+  get protocol() {
+    return requestToProtocol(this, this.#url.protocol.slice(0, -1));
+  }
+  get cookies() {
+    return parseCookies(this);
+  }
+  get body() {
+    const body = this.#body;
+    return body ? Promise.resolve(body) : Promise.reject(new Error(`no body set`));
+  }
+  get json() {
+    return this.body.then(async (blob) => JSON.parse(await blob.text()));
+  }
+  get text() {
+    return this.body.then(async (blob) => await blob.text());
+  }
+  set body(value) {
+    this.#body = value;
+    if (!this.headers.has("content-type")) {
+      this.headers.set("content-type", value.type || "application/octet-stream");
+    }
+  }
+  get formData() {
+    return this.body.then(async (b) => new URLSearchParams(await b.text()));
+  }
+  get URL() {
+    return new URL(this.path + this.#url.search + this.#url.hash, `${this.protocol}://${this.host}`);
+  }
+};
+var MockHttpResponse = class {
+  statusCode;
+  headers = new MapHttpHeaders();
+  cookies = [];
+  addCookie(cookie) {
+    this.cookies.push(cookie);
+    return this;
+  }
+  _body;
+  async end(chunk) {
+    if (this._body) {
+      return false;
+    }
+    switch (typeof chunk) {
+      case "string":
+        this._body = new Blob([chunk], { type: "text/plain" });
+        break;
+      case "object":
+        if (chunk instanceof Blob) {
+          this._body = chunk;
+        } else if (chunk !== null) {
+          this._body = new Blob([JSON.stringify(chunk)], { type: "application/json" });
+        }
+        break;
+      case "undefined":
+        this._body = new Blob([]);
+        break;
+      default:
+        throw new Error(`Unsupported chunk type: ${typeof chunk}`);
+    }
+    return true;
+  }
+};
 
 // src/gateway/ws/core.ts
 var import_gateway2 = require("@interopio/gateway");
@@ -589,22 +682,129 @@ var InMemoryNodeConnections = class {
   }
 };
 
+// src/server/util/matchers.ts
+var or = (matchers) => {
+  return async (exchange) => {
+    for (const matcher of matchers) {
+      const result = await matcher(exchange);
+      if (result.match) {
+        return { match: true };
+      }
+    }
+    return { match: false };
+  };
+};
+var and = (matchers) => {
+  const matcher = async (exchange) => {
+    for (const matcher2 of matchers) {
+      const result = await matcher2(exchange);
+      if (!result.match) {
+        return { match: false };
+      }
+    }
+    return { match: true };
+  };
+  matcher.toString = () => `and(${matchers.map((m) => m.toString()).join(", ")})`;
+  return matcher;
+};
+var not = (matcher) => {
+  return async (exchange) => {
+    const result = await matcher(exchange);
+    return { match: !result.match };
+  };
+};
+var anyExchange = async (_exchange) => {
+  return { match: true };
+};
+anyExchange.toString = () => "any-exchange";
+var pattern = (pattern2, opts) => {
+  const method = opts?.method;
+  const matcher = async (exchange) => {
+    const request = exchange.request;
+    const path = request.path;
+    if (method !== void 0 && request.method !== method) {
+      return { match: false };
+    }
+    if (typeof pattern2 === "string") {
+      if (path === pattern2) {
+        return { match: true };
+      } else {
+        return { match: false };
+      }
+    } else {
+      const match = pattern2.exec(path);
+      if (match !== null) {
+        return { match: true };
+      } else {
+        return { match: false };
+      }
+    }
+  };
+  matcher.toString = () => {
+    return `pattern(${pattern2.toString()})${method ? ` method=${method}` : ""}`;
+  };
+  return matcher;
+};
+var mediaType = (opts) => {
+  const shouldIgnore = (requestedMediaType) => {
+    if (opts.ignoredMediaTypes !== void 0) {
+      for (const ignoredMediaType of opts.ignoredMediaTypes) {
+        if (requestedMediaType === ignoredMediaType || ignoredMediaType === "*/*") {
+          return true;
+        }
+      }
+    }
+    return false;
+  };
+  return async (exchange) => {
+    const request = exchange.request;
+    let requestMediaTypes;
+    try {
+      requestMediaTypes = request.headers.list("accept");
+    } catch (e) {
+      return { match: false };
+    }
+    for (const requestedMediaType of requestMediaTypes) {
+      if (shouldIgnore(requestedMediaType)) {
+        continue;
+      }
+      for (const mediaType2 of opts.mediaTypes) {
+        if (requestedMediaType.startsWith(mediaType2)) {
+          return { match: true };
+        }
+      }
+    }
+    return { match: false };
+  };
+};
+var upgradeMatcher = async ({ request }) => {
+  const match = request["_req"]?.["upgrade"] && request.headers.one("upgrade")?.toLowerCase() === "websocket";
+  return { match };
+};
+upgradeMatcher.toString = () => "websocket upgrade";
+
 // src/mesh/rest-directory/routes.ts
-function routes(connections) {
+function routes(connections, config, authorize) {
+  config.cors.push(
+    [pattern("/api/nodes"), { allowMethods: ["GET", "POST"] }],
+    [pattern(/\/api\/nodes\/(?<nodeId>.*)/), { allowMethods: ["GET", "DELETE"] }]
+  );
+  if (authorize) {
+    config.authorize.push([pattern(/\/api\/nodes(\/.*)?/), authorize]);
+  }
   return [
     async (ctx, next) => {
       if (ctx.method === "POST" && ctx.path === "/api/nodes") {
         const json = await ctx.request.json;
         if (!Array.isArray(json)) {
           ctx.response.statusCode = 400;
-          ctx.response._res.end();
+          await ctx.response.end();
         } else {
           const nodes = json;
           const result = connections.announce(nodes);
-          const body = JSON.stringify(result);
-          ctx.response.headers.set("content-type", "application/json");
+          const body = new Blob([JSON.stringify(result)], { type: "application/json" });
           ctx.response.statusCode = 200;
-          ctx.response._res.end(body);
+          await ctx.response.end(body);
         }
       } else {
         await next();
@@ -615,7 +815,7 @@ function routes(connections) {
         const nodeId = path?.substring("/api/nodes/".length);
         connections.remove(nodeId);
         response.statusCode = 200;
-        response._res.end();
+        await response.end();
       } else {
         await next();
       }
@@ -976,68 +1176,38 @@ var core_default4 = create4;
 
 // src/metrics/routes.ts
 var logger5 = getLogger("metrics");
-var COOKIE_NAME = "GW_LOGIN";
-function loggedIn(auth, ctx) {
-  if (auth) {
-    const value = ctx.request.cookies.find((cookie) => cookie.name === COOKIE_NAME)?.value;
-    return value && parseInt(value) > Date.now();
-  }
-  return true;
-}
-async function routes2(config) {
+async function routes2(config, { cors, authorize }) {
   const { jsonFileAppender } = await import("@interopio/gateway/metrics/publisher/file");
   const appender = jsonFileAppender(logger5);
   await appender.open(config.file?.location ?? "metrics.ndjson", config.file?.append ?? true);
+  cors.push([pattern("/api/metrics"), { allowMethods: ["GET", "POST"] }]);
+  if (config.authorize) {
+    authorize.push([pattern("/api/metrics"), config.authorize]);
+  }
   return [
     async (ctx, next) => {
       if (ctx.method === "GET" && ctx.path === "/api/metrics") {
-        if (loggedIn(config.auth, ctx)) {
-          ctx.response.statusCode = 200;
-        } else {
-          ctx.response.statusCode = 302;
-          ctx.response.headers.set("location", "/api/login?redirectTo=/api/metrics");
-        }
-        ctx.response._res.end();
-      } else {
-        await next();
-      }
-    },
-    async (ctx, next) => {
-      if (ctx.method === "GET" && ctx.path === "/api/login") {
-        const redirectTo = new URLSearchParams(ctx.request.query ?? void 0).get("redirectTo");
-        const expires = Date.now() + 180 * 1e3;
-        ctx.response.addCookie({ name: COOKIE_NAME, value: `${expires}`, maxAge: Infinity, path: "/api", sameSite: "strict" });
-        if (redirectTo) {
-          ctx.response.statusCode = 302;
-          ctx.response.headers.set("location", redirectTo);
-        } else {
-          ctx.response.statusCode = 200;
-        }
-        ctx.response._res.end();
+        ctx.response.statusCode = 200;
+        await ctx.response.end();
       } else {
         await next();
       }
     },
-    async (ctx, next) => {
-      if (ctx.method === "POST" && ctx.path === "/api/metrics") {
-        if (loggedIn(config.auth, ctx)) {
-          ctx.response.statusCode = 202;
-          ctx.response._res.end();
-          try {
-            const json = await ctx.request.json;
-            const update = json;
-            if (logger5.enabledFor("debug")) {
-              logger5.debug(`${JSON.stringify(update)}`);
-            }
-            if ((config.file?.status ?? false) || update.status === void 0) {
-              await appender.write(update);
-            }
-          } catch (e) {
-            logger5.error(`error processing metrics`, e);
+    async ({ request, response }, next) => {
+      if (request.method === "POST" && request.path === "/api/metrics") {
+        response.statusCode = 202;
+        await response.end();
+        try {
+          const json = await request.json;
+          const update = json;
+          if (logger5.enabledFor("debug")) {
+            logger5.debug(`${JSON.stringify(update)}`);
           }
-        } else {
-          ctx.response.statusCode = 401;
-          ctx.response._res.end();
+          if ((config.file?.status ?? false) || update.status === void 0) {
+            await appender.write(update);
+          }
+        } catch (e) {
+          logger5.error(`error processing metrics`, e);
         }
       } else {
         await next();
@@ -1118,9 +1288,9 @@ var localIp = (() => {
     return a.length > 0 ? a[0] : void 0;
   }
   const addresses = Object.values((0, import_node_os.networkInterfaces)()).flatMap((details) => {
-    return (details ?? []).filter((info) => info.family === "IPv4");
-  }).reduce((acc, info) => {
-    acc[info.internal ? "internal" : "external"].push(info);
+    return (details ?? []).filter((info2) => info2.family === "IPv4");
+  }).reduce((acc, info2) => {
+    acc[info2.internal ? "internal" : "external"].push(info2);
     return acc;
   }, { internal: [], external: [] });
   return (first(addresses.internal) ?? first(addresses.external))?.address;
@@ -1267,7 +1437,7 @@ async function stop(m) {
   return await run(m, "stop");
 }
 
-// src/server/ws-client-verify.ts
+// src/app/ws-client-verify.ts
 var import_gateway5 = require("@interopio/gateway");
 var log3 = getLogger("gateway.ws.client-verify");
 function acceptsMissing(originFilters) {
@@ -1339,272 +1509,57 @@ function regexifyOriginFilters(originFilters) {
   }
 }
 
-// src/server/cors.ts
-var import_gateway6 = require("@interopio/gateway");
-function isSameOrigin(request) {
-  const origin = request.headers.one("origin");
-  if (origin === void 0) {
-    return true;
-  }
-  const url = request.URL;
-  const actualProtocol = url.protocol;
-  const actualHost = url.host;
-  const originUrl = new URL(origin);
-  const originHost = originUrl.host;
-  const originProtocol = originUrl.protocol;
-  return actualProtocol === originProtocol && actualHost === originHost;
-}
-function isCorsRequest(request) {
-  return request.headers.has("origin") && !isSameOrigin(request);
-}
-function isPreFlightRequest(request) {
-  return request.method === "OPTIONS" && request.headers.has("origin") && request.headers.has("access-control-request-method");
-}
-var VARY_HEADERS = ["Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers"];
-function processRequest(exchange, config) {
-  const { request, response } = exchange;
-  const responseHeaders = response.headers;
-  if (!responseHeaders.has("Vary")) {
-    responseHeaders.set("Vary", VARY_HEADERS.join(", "));
-  } else {
-    const varyHeaders = responseHeaders.list("Vary");
-    for (const header of VARY_HEADERS) {
-      if (!varyHeaders.find((h) => h === header)) {
-        varyHeaders.push(header);
-      }
+// src/server/server-header.ts
+var import_package = __toESM(require("@interopio/gateway-server/package.json"), 1);
+var serverHeader = (server) => {
+  server ??= `${import_package.default.name} - v${import_package.default.version}`;
+  return async ({ response }, next) => {
+    if (server !== false && !response.headers.has("server")) {
+      response.headers.set("Server", server);
     }
-    responseHeaders.set("Vary", varyHeaders.join(", "));
-  }
-  try {
-    if (!isCorsRequest(request)) {
+    await next();
+  };
+};
+var server_header_default = (server) => serverHeader(server);
+
+// src/app/route.ts
+function findSocketRoute({ request }, { sockets: routes3 }) {
+  const path = request.path ?? "/";
+  const route = routes3.get(path) ?? Array.from(routes3.values()).find((route2) => {
+    if (path === "/" && route2.default === true) {
       return true;
     }
-  } catch (e) {
-    if (logger6.enabledFor("debug")) {
-      logger6.debug(`reject: origin is malformed`);
-    }
-    rejectRequest(response);
-    return false;
-  }
-  if (responseHeaders.has("access-control-allow-origin")) {
-    logger6.trace(`skip: already contains "Access-Control-Allow-Origin"`);
-    return true;
-  }
-  const preFlightRequest = isPreFlightRequest(request);
-  if (config) {
-    return handleInternal(exchange, config, preFlightRequest);
-  }
-  if (preFlightRequest) {
-    rejectRequest(response);
-    return false;
-  }
-  return true;
+  });
+  return [route, path];
 }
-function validateConfig(config) {
-  if (config) {
-    const headers2 = config.headers;
-    if (headers2?.allow && headers2.allow !== ALL) {
-      headers2.allow = headers2.allow.map((header) => header.toLowerCase());
-    }
-    const origins = config.origins;
-    if (origins?.allow && origins.allow !== ALL) {
-      origins.allow = origins.allow.map((origin) => {
-        if (typeof origin === "string") {
-          return origin.toLowerCase();
-        }
-        return origin;
-      });
+
+// src/server/security/http-headers.ts
+var staticServerHttpHeadersWriter = (headers2) => {
+  return async (exchange) => {
+    let containsNoHeaders = true;
+    const { response } = exchange;
+    for (const name of headers2.keys()) {
+      if (response.headers.has(name)) {
+        containsNoHeaders = false;
+      }
     }
-    return config;
-  }
-}
-var handler = (config) => {
-  validateConfig(config);
-  return async (ctx, next) => {
-    const isValid = processRequest(ctx, config);
-    if (!isValid || isPreFlightRequest(ctx.request)) {
-      await ctx.response.end();
-    } else {
-      await next();
+    if (containsNoHeaders) {
+      for (const [name, value] of headers2) {
+        response.headers.set(name, value);
+      }
     }
   };
 };
-var cors_default = (config) => [handler(config)];
-var logger6 = getLogger("cors");
-function rejectRequest(response) {
-  response.statusCode = 403;
-}
-function handleInternal(exchange, config, preFlightRequest) {
-  const { request, response } = exchange;
-  const responseHeaders = response.headers;
-  const requestOrigin = request.headers.one("origin");
-  const allowOrigin = checkOrigin(config, requestOrigin);
-  if (allowOrigin === void 0) {
-    if (logger6.enabledFor("debug")) {
-      logger6.debug(`reject: '${requestOrigin}' origin is not allowed`);
-    }
-    rejectRequest(response);
-    return false;
-  }
-  const requestMethod = getMethodToUse(request, preFlightRequest);
-  const allowMethods = checkMethods(config, requestMethod);
-  if (allowMethods === void 0) {
-    if (logger6.enabledFor("debug")) {
-      logger6.debug(`reject: HTTP '${requestMethod}' is not allowed`);
-    }
-    rejectRequest(response);
-    return false;
-  }
-  const requestHeaders = getHeadersToUse(request, preFlightRequest);
-  const allowHeaders = checkHeaders(config, requestHeaders);
-  if (preFlightRequest && allowHeaders === void 0) {
-    if (logger6.enabledFor("debug")) {
-      logger6.debug(`reject: headers '${requestHeaders}' are not allowed`);
-    }
-    rejectRequest(response);
-    return false;
-  }
-  responseHeaders.set("access-control-allow-origin", allowOrigin);
-  if (preFlightRequest) {
-    responseHeaders.set("access-control-allow-methods", allowMethods.join(","));
-  }
-  if (preFlightRequest && allowHeaders !== void 0 && allowHeaders.length > 0) {
-    responseHeaders.set("access-control-allow-headers", allowHeaders.join(", "));
-  }
-  const exposeHeaders = config.headers?.expose;
-  if (exposeHeaders && exposeHeaders.length > 0) {
-    responseHeaders.set("access-control-expose-headers", exposeHeaders.join(", "));
-  }
-  if (config.credentials?.allow) {
-    responseHeaders.set("access-control-allow-credentials", "true");
-  }
-  if (config.privateNetwork?.allow && request.headers.one("access-control-request-private-network") === "true") {
-    responseHeaders.set("access-control-allow-private-network", "true");
-  }
-  return true;
-}
-var ALL = "*";
-var DEFAULT_METHODS = ["GET", "HEAD"];
-function validateAllowCredentials(config) {
-  if (config.credentials?.allow === true && config.origins?.allow === ALL) {
-    throw new Error(`when credentials.allow is true origins.allow cannot be "*"`);
-  }
-}
-function validateAllowPrivateNetwork(config) {
-  if (config.privateNetwork?.allow === true && config.origins?.allow === ALL) {
-    throw new Error(`when privateNetwork.allow is true origins.allow cannot be "*"`);
-  }
-}
-function checkOrigin(config, origin) {
-  if (origin) {
-    const allowedOrigins = config.origins?.allow;
-    if (allowedOrigins) {
-      if (allowedOrigins === ALL) {
-        validateAllowCredentials(config);
-        validateAllowPrivateNetwork(config);
-        return ALL;
-      }
-      const originToCheck = trimTrailingSlash(origin.toLowerCase());
-      for (const allowedOrigin of allowedOrigins) {
-        if (allowedOrigin === ALL || import_gateway6.IOGateway.Filtering.valueMatches(allowedOrigin, originToCheck)) {
-          return origin;
-        }
-      }
-    }
-  }
-}
-function checkMethods(config, requestMethod) {
-  if (requestMethod) {
-    const allowedMethods = config.methods?.allow ?? DEFAULT_METHODS;
-    if (allowedMethods === ALL) {
-      return [requestMethod];
-    }
-    if (import_gateway6.IOGateway.Filtering.valuesMatch(allowedMethods, requestMethod)) {
-      return allowedMethods;
-    }
-  }
-}
-function checkHeaders(config, requestHeaders) {
-  if (requestHeaders === void 0) {
-    return;
-  }
-  if (requestHeaders.length == 0) {
-    return [];
-  }
-  const allowedHeaders = config.headers?.allow;
-  if (allowedHeaders === void 0) {
-    return;
-  }
-  const allowAnyHeader = allowedHeaders === ALL;
-  const result = [];
-  for (const requestHeader of requestHeaders) {
-    const value = requestHeader?.trim();
-    if (value) {
-      if (allowAnyHeader) {
-        result.push(value);
-      } else {
-        for (const allowedHeader of allowedHeaders) {
-          if (value.toLowerCase() == allowedHeader) {
-            result.push(value);
-            break;
-          }
-        }
-      }
-    }
-  }
-  if (result.length > 0) {
-    return result;
-  }
-}
-function trimTrailingSlash(origin) {
-  return origin.endsWith("/") ? origin.slice(0, -1) : origin;
-}
-function getMethodToUse(request, isPreFlight) {
-  return isPreFlight ? request.headers.one("access-control-request-method") : request.method;
-}
-function getHeadersToUse(request, isPreFlight) {
-  const headers2 = request.headers;
-  return isPreFlight ? headers2.list("access-control-request-headers") : Array.from(headers2.keys());
-}
-
-// src/server/server-header.ts
-var serverHeader = (server) => {
-  return async ({ response }, next) => {
-    if (!response.headers.has("server")) {
-      response.headers.set("Server", server);
-    }
-    await next();
-  };
-};
-var server_header_default = (server = "gateway-server") => serverHeader(server);
-
-// src/server/security/http-headers.ts
-var staticServerHttpHeadersWriter = (headers2) => {
-  return async (exchange) => {
-    let containsNoHeaders = true;
-    const { response } = exchange;
-    for (const name of headers2.keys()) {
-      if (response.headers.has(name)) {
-        containsNoHeaders = false;
-      }
-    }
-    if (containsNoHeaders) {
-      for (const [name, value] of headers2) {
-        response.headers.set(name, value);
-      }
-    }
-  };
-};
-var cacheControlServerHttpHeadersWriter = () => staticServerHttpHeadersWriter(
-  new MapHttpHeaders().add("cache-control", "no-cache, no-store, max-age=0, must-revalidate").add("pragma", "no-cache").add("expires", "0")
-);
-var contentTypeServerHttpHeadersWriter = () => staticServerHttpHeadersWriter(
-  new MapHttpHeaders().add("x-content-type-options", "nosniff")
-);
-var strictTransportSecurityServerHttpHeadersWriter = (maxAgeInSeconds, includeSubDomains, preload) => {
-  let headerValue = `max-age=${maxAgeInSeconds}`;
-  if (includeSubDomains) {
-    headerValue += " ; includeSubDomains";
+var cacheControlServerHttpHeadersWriter = () => staticServerHttpHeadersWriter(
+  new MapHttpHeaders().add("cache-control", "no-cache, no-store, max-age=0, must-revalidate").add("pragma", "no-cache").add("expires", "0")
+);
+var contentTypeServerHttpHeadersWriter = () => staticServerHttpHeadersWriter(
+  new MapHttpHeaders().add("x-content-type-options", "nosniff")
+);
+var strictTransportSecurityServerHttpHeadersWriter = (maxAgeInSeconds, includeSubDomains, preload) => {
+  let headerValue = `max-age=${maxAgeInSeconds}`;
+  if (includeSubDomains) {
+    headerValue += " ; includeSubDomains";
   }
   if (preload) {
     headerValue += " ; preload";
@@ -1764,18 +1719,18 @@ var AuthorizationDecision = class {
   granted;
 };
 var DefaultAuthorizationManager = class {
-  check;
+  #check;
   constructor(check) {
-    this.check = check;
+    this.#check = check;
   }
   async verify(authentication, object) {
-    const decision = await this.check(authentication, object);
+    const decision = await this.#check(authentication, object);
     if (!decision?.granted) {
       throw new AccessDeniedError("Access denied");
     }
   }
   async authorize(authentication, object) {
-    return await this.check(authentication, object);
+    return await this.#check(authentication, object);
   }
 };
 var AuthenticationServiceError = class extends AuthenticationError {
@@ -1829,71 +1784,6 @@ var httpBasicAuthenticationConverter = (opts) => {
   };
 };
 
-// src/server/util/matchers.ts
-var or = (matchers) => {
-  return async (exchange) => {
-    for (const matcher of matchers) {
-      const result = await matcher(exchange);
-      if (result.match) {
-        return { match: true };
-      }
-    }
-    return { match: false };
-  };
-};
-var and = (matchers) => {
-  return async (exchange) => {
-    for (const matcher of matchers) {
-      const result = await matcher(exchange);
-      if (!result.match) {
-        return { match: false };
-      }
-    }
-    return { match: true };
-  };
-};
-var not = (matcher) => {
-  return async (exchange) => {
-    const result = await matcher(exchange);
-    return { match: !result.match };
-  };
-};
-var anyExchange = async (_exchange) => {
-  return { match: true };
-};
-var mediaType = (opts) => {
-  const shouldIgnore = (requestedMediaType) => {
-    if (opts.ignoredMediaTypes !== void 0) {
-      for (const ignoredMediaType of opts.ignoredMediaTypes) {
-        if (requestedMediaType === ignoredMediaType || ignoredMediaType === "*/*") {
-          return true;
-        }
-      }
-    }
-    return false;
-  };
-  return async (exchange) => {
-    const request = exchange.request;
-    let requestMediaTypes;
-    try {
-      requestMediaTypes = request.headers.list("accept");
-    } catch (e) {
-      return { match: false };
-    }
-    for (const requestedMediaType of requestMediaTypes) {
-      if (shouldIgnore(requestedMediaType)) {
-        continue;
-      }
-      for (const mediaType2 of opts.mediaTypes) {
-        if (requestedMediaType.startsWith(mediaType2)) {
-          return { match: true };
-        }
-      }
-    }
-    return { match: false };
-  };
-};
-
 // src/server/security/security-context.ts
 var import_node_async_hooks = require("node:async_hooks");
 var AsyncStorageSecurityContextHolder = class _AsyncStorageSecurityContextHolder {
@@ -2207,6 +2097,7 @@ var httpStatusEntryPoint = (opts) => {
 };
 
 // src/server/security/delegating-entry-point.ts
+var logger6 = getLogger("auth.entry-point");
 var delegatingEntryPoint = (opts) => {
   const defaultEntryPoint = opts.defaultEntryPoint ?? (async ({ response }, _error) => {
     response.statusCode = 401;
@@ -2214,11 +2105,20 @@ var delegatingEntryPoint = (opts) => {
   });
   return async (exchange, error) => {
     for (const [matcher, entryPoint] of opts.entryPoints) {
+      if (logger6.enabledFor("debug")) {
+        logger6.debug(`trying to match using: ${matcher}`);
+      }
       const match = await matcher(exchange);
       if (match.match) {
+        if (logger6.enabledFor("debug")) {
+          logger6.debug(`match found. using default entry point ${entryPoint}`);
+        }
         return entryPoint(exchange, error);
       }
     }
+    if (logger6.enabledFor("debug")) {
+      logger6.debug(`no match found. using default entry point ${defaultEntryPoint}`);
+    }
     return defaultEntryPoint(exchange, error);
   };
 };
@@ -2226,8 +2126,8 @@ var delegatingEntryPoint = (opts) => {
 // src/server/security/delegating-success-handler.ts
 var delegatingSuccessHandler = (handlers) => {
   return async ({ exchange, next }, authentication) => {
-    for (const handler2 of handlers) {
-      await handler2({ exchange, next }, authentication);
+    for (const handler of handlers) {
+      await handler({ exchange, next }, authentication);
     }
   };
 };
@@ -2321,14 +2221,21 @@ var errorFilter = (opts) => {
 };
 
 // src/server/security/authorization-filter.ts
+var logger7 = getLogger("security.auth");
 function authorizationFilter(opts) {
   const { manager, storage } = opts;
   return async (exchange, next) => {
     const promise = AsyncStorageSecurityContextHolder.getContext(storage).then((c) => c?.authentication);
     try {
       await manager.verify(promise, exchange);
+      if (logger7.enabledFor("debug")) {
+        logger7.debug("authorization successful");
+      }
     } catch (error) {
       if (error instanceof AccessDeniedError) {
+        if (logger7.enabledFor("debug")) {
+          logger7.debug(`authorization failed: ${error.message}`);
+        }
       }
       throw error;
     }
@@ -2337,12 +2244,14 @@ function authorizationFilter(opts) {
 }
 
 // src/server/security/delegating-authorization-manager.ts
+var logger8 = getLogger("auth");
 function delegatingAuthorizationManager(opts) {
   const check = async (authentication, exchange) => {
     let decision;
     for (const [matcher, manager] of opts.mappings) {
       if ((await matcher(exchange))?.match) {
-        const checkResult = await manager.check(authentication, { exchange });
+        logger8.debug(`checking authorization on '${exchange.path}' using [${matcher}, ${manager}]`);
+        const checkResult = await manager.authorize(authentication, { exchange });
         if (checkResult !== void 0) {
           decision = checkResult;
           break;
@@ -2355,6 +2264,308 @@ function delegatingAuthorizationManager(opts) {
   return new DefaultAuthorizationManager(check);
 }
 
+// src/server/cors.ts
+var import_gateway6 = require("@interopio/gateway");
+function isSameOrigin(request) {
+  const origin = request.headers.one("origin");
+  if (origin === void 0) {
+    return true;
+  }
+  const url = request.URL;
+  const actualProtocol = url.protocol;
+  const actualHost = url.host;
+  const originUrl = URL.parse(origin);
+  const originHost = originUrl?.host;
+  const originProtocol = originUrl?.protocol;
+  return actualProtocol === originProtocol && actualHost === originHost;
+}
+function isCorsRequest(request) {
+  return request.headers.has("origin") && !isSameOrigin(request);
+}
+function isPreFlightRequest(request) {
+  return request.method === "OPTIONS" && request.headers.has("origin") && request.headers.has("access-control-request-method");
+}
+var VARY_HEADERS = ["Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers"];
+var processRequest = (exchange, config) => {
+  const { request, response } = exchange;
+  const responseHeaders = response.headers;
+  if (!responseHeaders.has("Vary")) {
+    responseHeaders.set("Vary", VARY_HEADERS.join(", "));
+  } else {
+    const varyHeaders = responseHeaders.list("Vary");
+    for (const header of VARY_HEADERS) {
+      if (!varyHeaders.find((h) => h === header)) {
+        varyHeaders.push(header);
+      }
+    }
+    responseHeaders.set("Vary", varyHeaders.join(", "));
+  }
+  try {
+    if (!isCorsRequest(request)) {
+      return true;
+    }
+  } catch (e) {
+    if (logger9.enabledFor("debug")) {
+      logger9.debug(`reject: origin is malformed`);
+    }
+    rejectRequest(response);
+    return false;
+  }
+  if (responseHeaders.has("access-control-allow-origin")) {
+    logger9.trace(`skip: already contains "Access-Control-Allow-Origin"`);
+    return true;
+  }
+  const preFlightRequest = isPreFlightRequest(request);
+  if (config) {
+    return handleInternal(exchange, config, preFlightRequest);
+  }
+  if (preFlightRequest) {
+    rejectRequest(response);
+    return false;
+  }
+  return true;
+};
+var DEFAULT_PERMIT_ALL = ["*"];
+var DEFAULT_PERMIT_METHODS = ["GET", "HEAD", "POST"];
+var PERMIT_DEFAULT_CONFIG = {
+  allowOrigins: DEFAULT_PERMIT_ALL,
+  allowMethods: DEFAULT_PERMIT_METHODS,
+  allowHeaders: DEFAULT_PERMIT_ALL,
+  maxAge: 1800
+  // 30 minutes
+};
+function validateCorsConfig(config) {
+  if (config) {
+    const allowHeaders = config.allowHeaders;
+    if (allowHeaders && allowHeaders !== ALL) {
+      config = {
+        ...config,
+        allowHeaders: allowHeaders.map((header) => header.toLowerCase())
+      };
+    }
+    const allowOrigins = config.allowOrigins;
+    if (allowOrigins) {
+      if (allowOrigins === "*") {
+        validateAllowCredentials(config);
+        validateAllowPrivateNetwork(config);
+      } else {
+        config = {
+          ...config,
+          allowOrigins: allowOrigins.map((origin) => {
+            if (typeof origin === "string" && origin !== ALL) {
+              origin = import_gateway6.IOGateway.Filtering.regexify(origin);
+              if (typeof origin === "string") {
+                return trimTrailingSlash(origin).toLowerCase();
+              }
+            }
+            return origin;
+          })
+        };
+      }
+    }
+    return config;
+  }
+}
+function combine(source, other) {
+  if (other === void 0) {
+    return source !== void 0 ? source === ALL ? [ALL] : source : [];
+  }
+  if (source === void 0) {
+    return other === ALL ? [ALL] : other;
+  }
+  if (source == DEFAULT_PERMIT_ALL || source === DEFAULT_PERMIT_METHODS) {
+    return other === ALL ? [ALL] : other;
+  }
+  if (other == DEFAULT_PERMIT_ALL || other === DEFAULT_PERMIT_METHODS) {
+    return source === ALL ? [ALL] : source;
+  }
+  if (source === ALL || source.includes(ALL) || other === ALL || other.includes(ALL)) {
+    return [ALL];
+  }
+  const combined = /* @__PURE__ */ new Set();
+  source.forEach((v) => combined.add(v));
+  other.forEach((v) => combined.add(v));
+  return Array.from(combined);
+}
+var combineCorsConfig = (source, other) => {
+  if (other === void 0) {
+    return source;
+  }
+  const config = {
+    allowOrigins: combine(source.allowOrigins, other?.allowOrigins),
+    allowMethods: combine(source.allowMethods, other?.allowMethods),
+    allowHeaders: combine(source.allowHeaders, other?.allowHeaders),
+    exposeHeaders: combine(source.exposeHeaders, other?.exposeHeaders),
+    allowCredentials: other?.allowCredentials ?? source.allowCredentials,
+    allowPrivateNetwork: other?.allowPrivateNetwork ?? source.allowPrivateNetwork,
+    maxAge: other?.maxAge ?? source.maxAge
+  };
+  return config;
+};
+var corsFilter = (opts) => {
+  const source = opts.corsConfigSource;
+  const processor = opts.corsProcessor ?? processRequest;
+  return async (ctx, next) => {
+    const config = await source(ctx);
+    const isValid = processor(ctx, config);
+    if (!isValid || isPreFlightRequest(ctx.request)) {
+      return;
+    } else {
+      await next();
+    }
+  };
+};
+var cors_default = corsFilter;
+var logger9 = getLogger("cors");
+function rejectRequest(response) {
+  response.statusCode = 403;
+}
+function handleInternal(exchange, config, preFlightRequest) {
+  const { request, response } = exchange;
+  const responseHeaders = response.headers;
+  const requestOrigin = request.headers.one("origin");
+  const allowOrigin = checkOrigin(config, requestOrigin);
+  if (allowOrigin === void 0) {
+    if (logger9.enabledFor("debug")) {
+      logger9.debug(`reject: '${requestOrigin}' origin is not allowed`);
+    }
+    rejectRequest(response);
+    return false;
+  }
+  const requestMethod = getMethodToUse(request, preFlightRequest);
+  const allowMethods = checkMethods(config, requestMethod);
+  if (allowMethods === void 0) {
+    if (logger9.enabledFor("debug")) {
+      logger9.debug(`reject: HTTP '${requestMethod}' is not allowed`);
+    }
+    rejectRequest(response);
+    return false;
+  }
+  const requestHeaders = getHeadersToUse(request, preFlightRequest);
+  const allowHeaders = checkHeaders(config, requestHeaders);
+  if (preFlightRequest && allowHeaders === void 0) {
+    if (logger9.enabledFor("debug")) {
+      logger9.debug(`reject: headers '${requestHeaders}' are not allowed`);
+    }
+    rejectRequest(response);
+    return false;
+  }
+  responseHeaders.set("Access-Control-Allow-Origin", allowOrigin);
+  if (preFlightRequest) {
+    responseHeaders.set("Access-Control-Allow-Methods", allowMethods.join(","));
+  }
+  if (preFlightRequest && allowHeaders !== void 0 && allowHeaders.length > 0) {
+    responseHeaders.set("Access-Control-Allow-Headers", allowHeaders.join(", "));
+  }
+  const exposeHeaders = config.exposeHeaders;
+  if (exposeHeaders && exposeHeaders.length > 0) {
+    responseHeaders.set("Access-Control-Expose-Headers", exposeHeaders.join(", "));
+  }
+  if (config.allowCredentials) {
+    responseHeaders.set("Access-Control-Allow-Credentials", "true");
+  }
+  if (config.allowPrivateNetwork && request.headers.one("access-control-request-private-network") === "true") {
+    responseHeaders.set("Access-Control-Allow-Private-Network", "true");
+  }
+  if (preFlightRequest && config.maxAge !== void 0) {
+    responseHeaders.set("Access-Control-Max-Age", config.maxAge.toString());
+  }
+  return true;
+}
+var ALL = "*";
+var DEFAULT_METHODS = ["GET", "HEAD"];
+function validateAllowCredentials(config) {
+  if (config.allowCredentials === true && config.allowOrigins === ALL) {
+    throw new Error(`when allowCredentials is true allowOrigins cannot be "*"`);
+  }
+}
+function validateAllowPrivateNetwork(config) {
+  if (config.allowPrivateNetwork === true && config.allowOrigins === ALL) {
+    throw new Error(`when allowPrivateNetwork is true allowOrigins cannot be "*"`);
+  }
+}
+function checkOrigin(config, origin) {
+  if (origin) {
+    const allowedOrigins = config.allowOrigins;
+    if (allowedOrigins) {
+      if (allowedOrigins === ALL) {
+        validateAllowCredentials(config);
+        validateAllowPrivateNetwork(config);
+        return ALL;
+      }
+      const originToCheck = trimTrailingSlash(origin.toLowerCase());
+      for (const allowedOrigin of allowedOrigins) {
+        if (allowedOrigin === ALL || import_gateway6.IOGateway.Filtering.valueMatches(allowedOrigin, originToCheck)) {
+          return origin;
+        }
+      }
+    }
+  }
+}
+function checkMethods(config, requestMethod) {
+  if (requestMethod) {
+    const allowedMethods = config.allowMethods ?? DEFAULT_METHODS;
+    if (allowedMethods === ALL) {
+      return [requestMethod];
+    }
+    if (import_gateway6.IOGateway.Filtering.valuesMatch(allowedMethods, requestMethod)) {
+      return allowedMethods;
+    }
+  }
+}
+function checkHeaders(config, requestHeaders) {
+  if (requestHeaders === void 0) {
+    return;
+  }
+  if (requestHeaders.length == 0) {
+    return [];
+  }
+  const allowedHeaders = config.allowHeaders;
+  if (allowedHeaders === void 0) {
+    return;
+  }
+  const allowAnyHeader = allowedHeaders === ALL || allowedHeaders.includes(ALL);
+  const result = [];
+  for (const requestHeader of requestHeaders) {
+    const value = requestHeader?.trim();
+    if (value) {
+      if (allowAnyHeader) {
+        result.push(value);
+      } else {
+        for (const allowedHeader of allowedHeaders) {
+          if (value.toLowerCase() === allowedHeader) {
+            result.push(value);
+            break;
+          }
+        }
+      }
+    }
+  }
+  if (result.length > 0) {
+    return result;
+  }
+}
+function trimTrailingSlash(origin) {
+  return origin.endsWith("/") ? origin.slice(0, -1) : origin;
+}
+function getMethodToUse(request, isPreFlight) {
+  return isPreFlight ? request.headers.one("access-control-request-method") : request.method;
+}
+function getHeadersToUse(request, isPreFlight) {
+  const headers2 = request.headers;
+  return isPreFlight ? headers2.list("access-control-request-headers") : Array.from(headers2.keys());
+}
+var matchingCorsConfigSource = (opts) => {
+  return async (exchange) => {
+    for (const [matcher, config] of opts.mappings) {
+      if ((await matcher(exchange)).match) {
+        logger9.debug(`resolved cors config on '${exchange.path}' using ${matcher}: ${JSON.stringify(config)}`);
+        return config;
+      }
+    }
+  };
+};
+
 // src/server/security/config.ts
 var filterOrder = {
   first: Number.MAX_SAFE_INTEGER,
@@ -2368,7 +2579,7 @@ var filterOrder = {
   last: Number.MAX_SAFE_INTEGER
 };
 var filterOrderSymbol = Symbol.for("filterOrder");
-var config_default = (config, storage) => {
+var config_default = (config, context) => {
   const middleware = [];
   class ServerHttpSecurity {
     #authenticationEntryPoint;
@@ -2392,6 +2603,11 @@ var config_default = (config, storage) => {
         writer[filterOrderSymbol] = filterOrder.http_headers;
         middleware.push(writer);
       }
+      if (config.cors?.disabled !== true && context.corsConfigSource !== void 0) {
+        const filter = cors_default({ corsConfigSource: context.corsConfigSource });
+        filter[filterOrderSymbol] = filterOrder.cors;
+        middleware.push(filter);
+      }
       if (config.basic !== void 0 && config.basic?.disabled !== true) {
         const username = config.basic.user?.name.toLowerCase();
         const password = config.basic.user?.password ?? "";
@@ -2410,7 +2626,7 @@ var config_default = (config, storage) => {
           }
         ];
         const filter = httpBasic({
-          storage,
+          storage: context.storage,
           manager,
           defaultEntryPoints: this.#defaultEntryPoints,
           defaultSuccessHandlers
@@ -2420,20 +2636,43 @@ var config_default = (config, storage) => {
       }
       if (config.jwt !== void 0 && config.jwt.disabled !== true) {
         const verifier = (0, import_jwt.jwtVerifier)({
-          issuerBaseUri: config.jwt.issuerBaseUri,
+          issuerBaseUri: config.jwt.issuerUri,
           issuer: config.jwt.issuer,
           audience: config.jwt.audience
         });
         const decoder = async (token) => {
-          const { payload } = await verifier(token);
-          return {
-            subject: payload.sub,
-            getClaimAsString(claim) {
-              return payload[claim];
+          try {
+            const { payload } = await verifier(token);
+            return {
+              subject: payload.sub,
+              getClaimAsString(claim) {
+                return payload[claim];
+              }
+            };
+          } catch (e) {
+            if (e instanceof import_jwt.JwtVerifyError) {
+              throw new BadJwtError(e.message, { cause: e });
             }
-          };
+            throw new JwtError("error occurred while attempting to decoding jwt", { cause: e });
+          }
         };
-        const filter = resourceServer({ storage, jwt: { decoder } });
+        const authenticationConverter = token_converter_default({ uriQueryParameter: true });
+        const authenticationConverterMatcher = async (exchange) => {
+          try {
+            const a = await authenticationConverter(exchange);
+            return { match: a !== void 0 };
+          } catch (e) {
+            return { match: false };
+          }
+        };
+        const entryPoint = token_entry_point_default({});
+        this.#defaultEntryPoints.push([authenticationConverterMatcher, entryPoint]);
+        const filter = resourceServer({
+          storage: context.storage,
+          entryPoint,
+          converter: authenticationConverter,
+          jwt: { decoder }
+        });
         filter[filterOrderSymbol] = filterOrder.authentication;
         middleware.push(filter);
       }
@@ -2455,10 +2694,12 @@ var config_default = (config, storage) => {
               serverMatcher = matcher;
             }
             let manager2;
-            if (access2.access === "permit-all") {
+            if (access2.access === "permitted") {
               manager2 = new DefaultAuthorizationManager(async () => new AuthorizationDecision(true));
-            } else if (access2.access === "deny-all") {
+              manager2.toString = () => "AuthorizationManager[permitted]";
+            } else if (access2.access === "denied") {
               manager2 = new DefaultAuthorizationManager(async () => new AuthorizationDecision(false));
+              manager2.toString = () => "AuthorizationManager[denied]";
             } else if (access2.access === "authenticated") {
               manager2 = new DefaultAuthorizationManager(async (p) => {
                 const authentication = await p;
@@ -2467,6 +2708,7 @@ var config_default = (config, storage) => {
                 }
                 return new AuthorizationDecision(false);
               });
+              manager2.toString = () => "AuthorizationManager[authenticated]";
             } else {
               throw new Error(`Unknown access type: ${JSON.stringify(access2)}`);
             }
@@ -2475,7 +2717,7 @@ var config_default = (config, storage) => {
           return delegatingAuthorizationManager({ mappings });
         };
         const manager = buildAuthorizationManager(config.authorize);
-        const filter = authorizationFilter({ manager, storage });
+        const filter = authorizationFilter({ manager, storage: context.storage });
         filter[filterOrderSymbol] = filterOrder.authorization;
         middleware.push(filter);
       }
@@ -2491,8 +2733,80 @@ var config_default = (config, storage) => {
   return middleware;
 };
 
+// src/app/cors.ts
+function mockUpgradeExchange(path) {
+  const request = new MockHttpRequest(path, "GET");
+  request.headers.set("upgrade", "websocket");
+  request["_req"] = { upgrade: true };
+  return new DefaultWebExchange(request, new MockHttpResponse());
+}
+async function createCorsConfigSource(context) {
+  const { sockets: routes3, cors } = context;
+  const defaultCorsConfig = combineCorsConfig(PERMIT_DEFAULT_CONFIG, context.corsConfig);
+  const validatedConfigs = [];
+  for (const [path, route] of routes3) {
+    let routeCorsConfig = defaultCorsConfig;
+    const upgradeExchange = mockUpgradeExchange(path);
+    for (const [matcher, config] of cors) {
+      if ((await matcher(upgradeExchange)).match) {
+        routeCorsConfig = combineCorsConfig(routeCorsConfig, config);
+      }
+    }
+    routeCorsConfig = combineCorsConfig(routeCorsConfig, {
+      allowOrigins: route.originFilters?.allow,
+      allowMethods: ["GET", "CONNECT"],
+      allowHeaders: ["upgrade", "connection", "origin", "sec-websocket-key", "sec-websocket-version", "sec-websocket-protocol", "sec-websocket-extensions"],
+      exposeHeaders: ["sec-websocket-accept", "sec-websocket-protocol", "sec-websocket-extensions"],
+      allowCredentials: route.authorize?.access !== "permitted"
+    });
+    validatedConfigs.push([and([upgradeMatcher, pattern(path)]), validateCorsConfig(routeCorsConfig)]);
+  }
+  for (const [matcher, config] of cors) {
+    const routeCorsConfig = combineCorsConfig(defaultCorsConfig, config);
+    validatedConfigs.push([matcher, validateCorsConfig(routeCorsConfig)]);
+  }
+  validatedConfigs.push([pattern(/\/api\/.*/), validateCorsConfig(defaultCorsConfig)]);
+  return matchingCorsConfigSource({ mappings: validatedConfigs });
+}
+
+// src/app/auth.ts
+function createSecurityConfig(context) {
+  const authorize = [];
+  const defaultAccess = { access: context.authConfig?.type !== "none" ? "authenticated" : "permitted" };
+  for (const [path, route] of context.sockets) {
+    const rule = route.authorize ?? defaultAccess;
+    let matcher = pattern(path, { method: "GET" });
+    matcher = and([upgradeMatcher, matcher]);
+    authorize.push([matcher, rule]);
+  }
+  authorize.push([pattern("/", { method: "GET" }), { access: "permitted" }]);
+  authorize.push([pattern("/favicon.ico", { method: "GET" }), { access: "permitted" }]);
+  authorize.push([pattern("/health", { method: "GET" }), { access: "permitted" }]);
+  if (context.authorize.length > 0) {
+    authorize.push(...context.authorize);
+  }
+  authorize.push(["any-exchange", defaultAccess]);
+  return {
+    authorize,
+    basic: {
+      disabled: context.authConfig?.type !== "basic",
+      ...context.authConfig?.basic
+    },
+    jwt: {
+      disabled: context.authConfig?.type !== "oauth2",
+      ...context.authConfig?.oauth2?.jwt
+    }
+  };
+}
+async function httpSecurity(context) {
+  const corsConfigSource = await createCorsConfigSource(context);
+  const config = createSecurityConfig(context);
+  const { storage } = context;
+  return config_default(config, { storage, corsConfigSource });
+}
+
 // src/server.ts
-var logger7 = getLogger("app");
+var logger10 = getLogger("app");
 function secureContextOptions(ssl) {
   const options = {};
   if (ssl.key) options.key = (0, import_node_fs.readFileSync)(ssl.key);
@@ -2500,60 +2814,38 @@ function secureContextOptions(ssl) {
   if (ssl.ca) options.ca = (0, import_node_fs.readFileSync)(ssl.ca);
   return options;
 }
-function createListener(storage, middleware, routes3, onSocketError) {
+async function createListener(middleware, context, onSocketError) {
+  const storage = context.storage;
+  const security = await httpSecurity(context);
   const listener = compose(
-    server_header_default(),
-    ...config_default({
-      authorize: [
-        [async (exchange) => {
-          return { match: exchange.path === "/health" && exchange.method === "GET" };
-        }, { access: "permit-all" }],
-        // ['any-exchange', {access: 'authenticated'}],
-        ["any-exchange", { access: "permit-all" }]
-      ],
-      basic: {
-        disabled: true,
-        realm: "Gateway Server"
-      },
-      jwt: {
-        disabled: true
-      }
-    }, storage),
-    ...cors_default({
-      origins: { allow: [/http:\/\/localhost(:\d+)?/, /file:\//] },
-      methods: { allow: ["GET", "HEAD", "POST", "DELETE"] },
-      headers: { allow: "*" },
-      credentials: { allow: true }
-    }),
-    ...middleware,
-    async ({ request, response }, next) => {
-      const path = request.path ?? "/";
-      const route = routes3.get(path) ?? Array.from(routes3.values()).find((route2) => {
-        if (path === "/" && route2.default === true) {
-          return true;
-        }
-      });
-      if (route) {
-        if (request.method === "GET" && request._req["upgrade"] && request.headers.one("upgrade")?.toLowerCase() === "websocket") {
+    server_header_default(context.serverHeader),
+    ...security,
+    // websocket upgrade handler
+    async (exchange, next) => {
+      const [route, path] = findSocketRoute(exchange, context);
+      if (route !== void 0) {
+        const { request, response } = exchange;
+        const upgradeMatchResult = await upgradeMatcher(exchange);
+        if ((request.method === "GET" || request.method === "CONNECT") && upgradeMatchResult.match) {
           const socket = request.socket;
           const host = request.host;
-          const info = socketKey(request._req.socket);
-          if (route?.wss) {
+          const info2 = socketKey(request._req.socket);
+          if (route.wss) {
             socket.removeListener("error", onSocketError);
             const wss = route.wss;
             if (route.maxConnections !== void 0 && wss.clients?.size >= route.maxConnections) {
-              logger7.warn(`${info} dropping ws connection request from ${host} on ${path}. max connections exceeded.`);
+              logger10.warn(`${info2} dropping ws connection request from ${host} on ${path}. max connections exceeded.`);
               socket.destroy();
               return;
             }
-            const origin = request.headers["origin"];
+            const origin = request.headers.one("origin");
             if (!acceptsOrigin(origin, route.originFilters)) {
-              logger7.info(`${info} dropping ws connection request from ${host} on ${path}. origin ${origin ?? "<missing>"}`);
+              logger10.info(`${info2} dropping ws connection request from ${host} on ${path}. origin ${origin ?? "<missing>"}`);
               socket.destroy();
               return;
             }
-            if (logger7.enabledFor("debug")) {
-              logger7.debug(`${info} accepted new ws connection request from ${host} on ${path}`);
+            if (logger10.enabledFor("debug")) {
+              logger10.debug(`${info2} accepted new ws connection request from ${host} on ${path}`);
             }
             wss.handleUpgrade(request._req, socket, request._req["_upgradeHead"], (ws) => {
               response._res["_header"] = true;
@@ -2563,29 +2855,36 @@ function createListener(storage, middleware, routes3, onSocketError) {
               wss.emit("connection", ws, request._req);
             });
           } else {
-            logger7.warn(`${info} rejected upgrade request from ${host} on ${path}`);
+            logger10.warn(`${info2} rejected upgrade request from ${host} on ${path}`);
             socket.destroy();
           }
         } else {
-          if (logger7.enabledFor("debug")) {
-            logger7.debug(`rejecting request for ${path} with method ${request.method} from ${request.socket.remoteAddress}:${request.socket.remotePort} with headers: ${JSON.stringify(request._req.rawHeaders)}`);
+          if (route.default) {
+            await next();
+            return;
+          }
+          if (logger10.enabledFor("debug")) {
+            logger10.debug(`rejecting request for ${path} with method ${request.method} from ${request.socket.remoteAddress}:${request.socket.remotePort} with headers: ${JSON.stringify(request._req.rawHeaders)}`);
           }
           response.statusCode = 426;
-          response._res.appendHeader("Upgrade", "websocket").appendHeader("Connection", "Upgrade").appendHeader("Content-Type", "text/plain");
+          response.headers.set("Upgrade", "websocket").set("Connection", "Upgrade").set("Content-Type", "text/plain");
           await response.end(`This service [${request.path}] requires use of the websocket protocol.`);
         }
       } else {
         await next();
       }
     },
+    ...middleware,
+    // helth check
     async ({ request, response }, next) => {
       if (request.method === "GET" && request.path === "/health") {
         response.statusCode = 200;
-        response._res.end(import_node_http.default.STATUS_CODES[200]);
+        await response.end(import_node_http.default.STATUS_CODES[200]);
       } else {
         await next();
       }
     },
+    // home page
     async ({ request, response }, next) => {
       if (request.method === "GET" && request.path === "/") {
         await response.end(`io.Gateway Server`);
@@ -2593,7 +2892,8 @@ function createListener(storage, middleware, routes3, onSocketError) {
         await next();
       }
     },
-    async ({ request, response }, _next) => {
+    // not found
+    async ({ response }, _next) => {
       response.statusCode = 404;
       await response.end(import_node_http.default.STATUS_CODES[404]);
     }
@@ -2602,17 +2902,17 @@ function createListener(storage, middleware, routes3, onSocketError) {
     request.socket.addListener("error", onSocketError);
     const exchange = new DefaultWebExchange(new HttpServerRequest(request), new HttpServerResponse(response));
     return storage.run({ exchange }, async () => {
-      if (logger7.enabledFor("debug")) {
+      if (logger10.enabledFor("debug")) {
         const socket = exchange.request._req.socket;
-        if (logger7.enabledFor("debug")) {
-          logger7.debug(`received ${exchange.method} request for ${exchange.path} from ${socket.remoteAddress}:${socket.remotePort}`);
+        if (logger10.enabledFor("debug")) {
+          logger10.debug(`received ${exchange.method} request for ${exchange.path} from ${socket.remoteAddress}:${socket.remotePort}`);
         }
       }
       try {
         return await listener(exchange);
       } catch (e) {
-        if (logger7.enabledFor("warn")) {
-          logger7.warn(`error processing request for ${exchange.path}`, e);
+        if (logger10.enabledFor("warn")) {
+          logger10.warn(`error processing request for ${exchange.path}`, e);
         }
       } finally {
         await exchange.response.end();
@@ -2647,65 +2947,75 @@ function regexAwareReplacer(_key, value) {
 }
 var Factory = async (options) => {
   const ssl = options.ssl;
-  const createServer = ssl ? (options2, handler2) => import_node_https.default.createServer({ ...options2, ...secureContextOptions(ssl) }, handler2) : (options2, handler2) => import_node_http.default.createServer(options2, handler2);
+  const createServer = ssl ? (options2, handler) => import_node_https.default.createServer({ ...options2, ...secureContextOptions(ssl) }, handler) : (options2, handler) => import_node_http.default.createServer(options2, handler);
   const monitor = memoryMonitor(options.memory);
   const middleware = [];
-  const routes3 = /* @__PURE__ */ new Map();
+  const context = {
+    corsConfig: options.cors,
+    cors: [],
+    authConfig: options.auth,
+    authorize: [],
+    storage: new import_node_async_hooks2.AsyncLocalStorage(),
+    sockets: /* @__PURE__ */ new Map()
+  };
   const gw = import_gateway7.IOGateway.Factory({ ...options.gateway });
   if (options.gateway) {
     const config = options.gateway;
-    routes3.set(config.route ?? "/", {
+    const route = config.route ?? "/";
+    context.sockets.set(route, {
       default: config.route === void 0,
       ping: options.gateway.ping,
       factory: core_default.bind(gw),
       maxConnections: config.limits?.max_connections,
+      authorize: config.authorize,
       originFilters: regexifyOriginFilters(config.origins)
     });
   }
   if (options.mesh) {
     const connections = new InMemoryNodeConnections(options.mesh.timeout ?? 6e4);
-    middleware.push(...routes_default(connections));
+    const authorize = options.mesh.authorize;
+    middleware.push(...routes_default(connections, context, authorize));
     const ping = options.mesh.ping ?? 3e4;
-    routes3.set("/broker", { factory: core_default2, ping });
-    routes3.set("/cluster", { factory: core_default4, ping });
-    routes3.set("/relays", { factory: core_default3, ping });
+    const originFilters = regexifyOriginFilters(options.mesh.origins);
+    context.sockets.set("/broker", { factory: core_default2, ping, originFilters, authorize });
+    context.sockets.set("/cluster", { factory: core_default4, ping, originFilters, authorize });
+    context.sockets.set("/relays", { factory: core_default3, ping, originFilters, authorize });
   }
   if (options.metrics) {
-    middleware.push(...await routes_default2(options.metrics));
+    middleware.push(...await routes_default2(options.metrics, context));
   }
   const ports = portRange(options.port ?? 0);
   const host = options.host;
-  const storage = new import_node_async_hooks2.AsyncLocalStorage();
+  const onSocketError = (err) => logger10.error(`socket error: ${err}`, err);
+  const listener = await createListener(middleware, context, onSocketError);
   const serverP = new Promise((resolve, reject) => {
-    const onSocketError = (err) => logger7.error(`socket error: ${err}`, err);
-    const listener = createListener(storage, middleware, routes3, onSocketError);
     const server2 = createServer({}, listener);
     server2.on("error", (e) => {
       if (e["code"] === "EADDRINUSE") {
-        logger7.debug(`port ${e["port"]} already in use on address ${e["address"]}`);
+        logger10.debug(`port ${e["port"]} already in use on address ${e["address"]}`);
         const { value: port } = ports.next();
         if (port) {
-          logger7.info(`retry starting server on port ${port} and host ${host ?? "<unspecified>"}`);
+          logger10.info(`retry starting server on port ${port} and host ${host ?? "<unspecified>"}`);
           server2.close();
           server2.listen(port, host);
         } else {
-          logger7.warn(`all configured port(s) ${options.port} are in use. closing...`);
+          logger10.warn(`all configured port(s) ${options.port} are in use. closing...`);
           server2.close();
           reject(e);
         }
       } else {
-        logger7.error(`server error: ${e.message}`, e);
+        logger10.error(`server error: ${e.message}`, e);
         reject(e);
       }
     });
     server2.on("listening", async () => {
-      const info = server2.address();
-      for (const [path, route] of routes3) {
+      const info2 = server2.address();
+      for (const [path, route] of context.sockets) {
         try {
-          logger7.info(`creating ws server for [${path}]. max connections: ${route.maxConnections ?? "<unlimited>"}, origin filters: ${route.originFilters ? JSON.stringify(route.originFilters, regexAwareReplacer) : "<none>"}`);
+          logger10.info(`creating ws server for [${path}]. max connections: ${route.maxConnections ?? "<unlimited>"}, origin filters: ${route.originFilters ? JSON.stringify(route.originFilters, regexAwareReplacer) : "<none>"}`);
           const wss = new import_ws.WebSocketServer({ noServer: true });
-          const endpoint = `${ssl ? "wss" : "ws"}://${localIp}:${info.port}${path}`;
-          const handler2 = await route.factory({ endpoint, wss, storage });
+          const endpoint = `${ssl ? "wss" : "ws"}://${localIp}:${info2.port}${path}`;
+          const handler = await route.factory({ endpoint, wss, storage: context.storage });
           const pingInterval = route.ping;
           if (pingInterval) {
             const pingIntervalId = setInterval(() => {
@@ -2722,12 +3032,12 @@ var Factory = async (options) => {
             });
           }
           route.wss = wss;
-          route.close = handler2.close?.bind(handler2);
+          route.close = handler.close?.bind(handler);
         } catch (e) {
-          logger7.warn(`failed to init route ${path}`, e);
+          logger10.warn(`failed to init route ${path}`, e);
         }
       }
-      logger7.info(`http server listening on ${info.address}:${info.port}`);
+      logger10.info(`http server listening on ${info2.address}:${info2.port}`);
       resolve(server2);
     });
     server2.on("upgrade", (req, socket, head) => {
@@ -2738,16 +3048,16 @@ var Factory = async (options) => {
         res.assignSocket(socket);
         listener(req, res);
       } catch (err) {
-        logger7.error(`upgrade error: ${err}`, err);
+        logger10.error(`upgrade error: ${err}`, err);
       }
     }).on("close", async () => {
-      logger7.info(`http server closed.`);
+      logger10.info(`http server closed.`);
     });
     try {
       const { value: port } = ports.next();
       server2.listen(port, host);
     } catch (e) {
-      logger7.error(`error starting web socket server`, e);
+      logger10.error(`error starting web socket server`, e);
       reject(e instanceof Error ? e : new Error(`listen failed: ${e}`));
     }
   });
@@ -2755,18 +3065,18 @@ var Factory = async (options) => {
   return new class {
     gateway = gw;
     async close() {
-      for (const [path, route] of routes3) {
+      for (const [path, route] of context.sockets) {
         try {
           if (route.close) {
             await route.close();
           }
-          logger7.info(`stopping ws server for [${path}]. clients: ${route.wss?.clients?.size ?? 0}`);
+          logger10.info(`stopping ws server for [${path}]. clients: ${route.wss?.clients?.size ?? 0}`);
           route.wss?.clients?.forEach((client) => {
             client.terminate();
           });
           route.wss?.close();
         } catch (e) {
-          logger7.warn(`error closing route ${path}`, e);
+          logger10.warn(`error closing route ${path}`, e);
         }
       }
       await promisify((cb) => {