npm - @lastshotlabs/bunshot - Versions diffs - 0.0.1 - Mend

@lastshotlabs/bunshot 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/CLAUDE.md +102 -0
package/README.md +1458 -0
package/bun.lock +170 -0
package/package.json +47 -0
package/src/adapters/memoryAuth.ts +240 -0
package/src/adapters/mongoAuth.ts +91 -0
package/src/adapters/sqliteAuth.ts +320 -0
package/src/app.ts +368 -0
package/src/cli.ts +265 -0
package/src/index.ts +52 -0
package/src/lib/HttpError.ts +5 -0
package/src/lib/appConfig.ts +29 -0
package/src/lib/authAdapter.ts +46 -0
package/src/lib/authRateLimit.ts +104 -0
package/src/lib/constants.ts +2 -0
package/src/lib/context.ts +17 -0
package/src/lib/emailVerification.ts +105 -0
package/src/lib/fingerprint.ts +43 -0
package/src/lib/jwt.ts +17 -0
package/src/lib/logger.ts +9 -0
package/src/lib/mongo.ts +70 -0
package/src/lib/oauth.ts +114 -0
package/src/lib/queue.ts +18 -0
package/src/lib/redis.ts +45 -0
package/src/lib/roles.ts +23 -0
package/src/lib/session.ts +91 -0
package/src/lib/validate.ts +14 -0
package/src/lib/ws.ts +82 -0
package/src/middleware/bearerAuth.ts +15 -0
package/src/middleware/botProtection.ts +73 -0
package/src/middleware/cacheResponse.ts +189 -0
package/src/middleware/cors.ts +19 -0
package/src/middleware/errorHandler.ts +14 -0
package/src/middleware/identify.ts +36 -0
package/src/middleware/index.ts +8 -0
package/src/middleware/logger.ts +9 -0
package/src/middleware/rateLimit.ts +37 -0
package/src/middleware/requireRole.ts +42 -0
package/src/middleware/requireVerifiedEmail.ts +31 -0
package/src/middleware/userAuth.ts +9 -0
package/src/models/AuthUser.ts +17 -0
package/src/routes/auth.ts +245 -0
package/src/routes/health.ts +27 -0
package/src/routes/home.ts +21 -0
package/src/routes/oauth.ts +174 -0
package/src/schemas/auth.ts +14 -0
package/src/server.ts +91 -0
package/src/services/auth.ts +59 -0
package/src/ws/index.ts +42 -0
package/tsconfig.json +43 -0

package/src/lib/jwt.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { SignJWT, jwtVerify } from "jose";
+const isProd = process.env.NODE_ENV === "production";
+const secret = new TextEncoder().encode(
+  isProd ? process.env.JWT_SECRET_PROD! : process.env.JWT_SECRET_DEV!
+);
+export const signToken = async (userId: string): Promise<string> =>
+  new SignJWT({ sub: userId })
+    .setProtectedHeader({ alg: "HS256" })
+    .setExpirationTime("7d")
+    .sign(secret);
+export const verifyToken = async (token: string) => {
+  const { payload } = await jwtVerify(token, secret);
+  return payload;
+};

package/src/lib/logger.ts ADDED Viewed

@@ -0,0 +1,9 @@
+const isDev = process.env.NODE_ENV !== "production";
+const verboseEnv = process.env.LOGGING_VERBOSE;
+const verbose =
+  verboseEnv !== undefined ? verboseEnv === "true" : isDev;
+export const log = (...args: unknown[]) => {
+  if (verbose) console.log(...args);
+};

package/src/lib/mongo.ts ADDED Viewed

@@ -0,0 +1,70 @@
+import mongoose from "mongoose";
+import { log } from "./logger";
+const isProd = process.env.NODE_ENV === "production";
+function buildUri(user: string, password: string, host: string, db: string): string {
+  const [hostPart, queryPart] = host.split("?");
+  return `mongodb+srv://${user}:${password}@${hostPart.replace(/\/$/, "")}/${db}${queryPart ? `?${queryPart}` : ""}`;
+}
+/**
+ * Named connection used exclusively for auth data (AuthUser model).
+ * Connected via connectAuthMongo() or connectMongo() (backward compat).
+ */
+export const authConnection = mongoose.createConnection();
+/**
+ * Named connection for app/tenant data.
+ * Connected via connectAppMongo() or connectMongo() (backward compat).
+ * Use this when registering your own models: appConnection.model("Product", schema).
+ */
+export const appConnection = mongoose.createConnection();
+/**
+ * Connect the auth connection to its dedicated MongoDB server.
+ * Uses MONGO_AUTH_USER_*, MONGO_AUTH_PW_*, MONGO_AUTH_HOST_*, MONGO_AUTH_DB_* env vars.
+ */
+export const connectAuthMongo = async (): Promise<void> => {
+  const user     = isProd ? process.env.MONGO_AUTH_USER_PROD!     : process.env.MONGO_AUTH_USER_DEV!;
+  const password = isProd ? process.env.MONGO_AUTH_PW_PROD!       : process.env.MONGO_AUTH_PW_DEV!;
+  const host     = isProd ? process.env.MONGO_AUTH_HOST_PROD!     : process.env.MONGO_AUTH_HOST_DEV!;
+  const db       = isProd ? process.env.MONGO_AUTH_DB_PROD!       : process.env.MONGO_AUTH_DB_DEV!;
+  const uri = buildUri(user, password, host, db);
+  await authConnection.openUri(uri);
+  log(`[mongo] auth connected to ${host} as ${user}`);
+};
+/**
+ * Connect the app connection to its MongoDB server.
+ * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
+ */
+export const connectAppMongo = async (): Promise<void> => {
+  const user     = isProd ? process.env.MONGO_USER_PROD!     : process.env.MONGO_USER_DEV!;
+  const password = isProd ? process.env.MONGO_PW_PROD!       : process.env.MONGO_PW_DEV!;
+  const host     = isProd ? process.env.MONGO_HOST_PROD!     : process.env.MONGO_HOST_DEV!;
+  const db       = isProd ? process.env.MONGO_DB_PROD!       : process.env.MONGO_DB_DEV!;
+  const uri = buildUri(user, password, host, db);
+  await appConnection.openUri(uri);
+  log(`[mongo] app connected to ${host} as ${user}`);
+};
+/**
+ * Connect both auth and app connections to the same MongoDB server.
+ * Backward-compatible shorthand for single-DB setups.
+ * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
+ */
+export const connectMongo = async (): Promise<void> => {
+  const user     = isProd ? process.env.MONGO_USER_PROD!     : process.env.MONGO_USER_DEV!;
+  const password = isProd ? process.env.MONGO_PW_PROD!       : process.env.MONGO_PW_DEV!;
+  const host     = isProd ? process.env.MONGO_HOST_PROD!     : process.env.MONGO_HOST_DEV!;
+  const db       = isProd ? process.env.MONGO_DB_PROD!       : process.env.MONGO_DB_DEV!;
+  const uri = buildUri(user, password, host, db);
+  await Promise.all([
+    authConnection.openUri(uri),
+    appConnection.openUri(uri),
+  ]);
+  log(`[mongo] connected to ${host} as ${user}`);
+};
+export { mongoose };

package/src/lib/oauth.ts ADDED Viewed

@@ -0,0 +1,114 @@
+import { Google, Apple, generateState, generateCodeVerifier } from "arctic";
+import { getRedis } from "./redis";
+import { appConnection } from "./mongo";
+import { getAppName } from "./appConfig";
+import { Schema } from "mongoose";
+import { sqliteStoreOAuthState, sqliteConsumeOAuthState } from "../adapters/sqliteAuth";
+import { memoryStoreOAuthState, memoryConsumeOAuthState } from "../adapters/memoryAuth";
+export type OAuthProviderConfig = {
+  google?: { clientId: string; clientSecret: string; redirectUri: string };
+  apple?: { clientId: string; teamId: string; keyId: string; privateKey: string; redirectUri: string };
+};
+type Providers = { google?: Google; apple?: Apple };
+let _providers: Providers = {};
+export const initOAuthProviders = (config: OAuthProviderConfig) => {
+  if (config.google) {
+    const { clientId, clientSecret, redirectUri } = config.google;
+    _providers.google = new Google(clientId, clientSecret, redirectUri);
+  }
+  if (config.apple) {
+    const { clientId, teamId, keyId, privateKey, redirectUri } = config.apple;
+    _providers.apple = new Apple(clientId, teamId, keyId, new TextEncoder().encode(privateKey), redirectUri);
+  }
+};
+export const getGoogle = (): Google => {
+  if (!_providers.google) throw new Error("Google OAuth not configured");
+  return _providers.google;
+};
+export const getApple = (): Apple => {
+  if (!_providers.apple) throw new Error("Apple OAuth not configured");
+  return _providers.apple;
+};
+export const getConfiguredOAuthProviders = (): string[] =>
+  (Object.entries(_providers) as [string, unknown][])
+    .filter(([, v]) => v != null)
+    .map(([k]) => k);
+// ---------------------------------------------------------------------------
+// Mongo OAuth state model
+// ---------------------------------------------------------------------------
+interface OAuthStateDoc {
+  state: string;
+  codeVerifier?: string;
+  linkUserId?: string;
+  expiresAt: Date;
+}
+const oauthStateSchema = new Schema<OAuthStateDoc>(
+  {
+    state:        { type: String, required: true, unique: true },
+    codeVerifier: { type: String },
+    linkUserId:   { type: String },
+    expiresAt:    { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+  },
+  { collection: "oauth_states" }
+);
+function getOAuthStateModel() {
+  return appConnection.models["OAuthState"] ??
+    appConnection.model<OAuthStateDoc>("OAuthState", oauthStateSchema);
+}
+// ---------------------------------------------------------------------------
+// Store configuration — set once at startup via setOAuthStateStore()
+// ---------------------------------------------------------------------------
+type OAuthStateStore = "redis" | "mongo" | "sqlite" | "memory";
+let _oauthStore: OAuthStateStore = "redis";
+export const setOAuthStateStore = (store: OAuthStateStore) => { _oauthStore = store; };
+// ---------------------------------------------------------------------------
+// State helpers
+// ---------------------------------------------------------------------------
+const STATE_TTL = 300; // 5 minutes
+export const storeOAuthState = async (state: string, codeVerifier?: string, linkUserId?: string): Promise<void> => {
+  if (_oauthStore === "memory") { memoryStoreOAuthState(state, codeVerifier, linkUserId); return; }
+  if (_oauthStore === "sqlite") {
+    sqliteStoreOAuthState(state, codeVerifier, linkUserId);
+    return;
+  }
+  if (_oauthStore === "mongo") {
+    const expiresAt = new Date(Date.now() + STATE_TTL * 1000);
+    await getOAuthStateModel().create({ state, codeVerifier, linkUserId, expiresAt });
+    return;
+  }
+  await getRedis().set(`oauth:${getAppName()}:state:${state}`, JSON.stringify({ codeVerifier, linkUserId }), "EX", STATE_TTL);
+};
+export const consumeOAuthState = async (state: string): Promise<{ codeVerifier?: string; linkUserId?: string } | null> => {
+  if (_oauthStore === "memory") return memoryConsumeOAuthState(state);
+  if (_oauthStore === "sqlite") return sqliteConsumeOAuthState(state);
+  if (_oauthStore === "mongo") {
+    const doc = await getOAuthStateModel()
+      .findOneAndDelete({ state, expiresAt: { $gt: new Date() } })
+      .lean();
+    return doc ? { codeVerifier: doc.codeVerifier, linkUserId: doc.linkUserId } : null;
+  }
+  const key = `oauth:${getAppName()}:state:${state}`;
+  const value = await getRedis().get(key);
+  if (!value) return null;
+  await getRedis().del(key);
+  return JSON.parse(value);
+};
+export { generateState, generateCodeVerifier };

package/src/lib/queue.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { Queue, Worker } from "bullmq";
+import type { Processor, QueueOptions, WorkerOptions, Job } from "bullmq";
+import { getRedisConnectionOptions } from "./redis";
+export const createQueue = <T = unknown, R = unknown>(
+  name: string,
+  options?: Omit<QueueOptions, "connection">
+): Queue<T, R> =>
+  new Queue<T, R>(name, { connection: getRedisConnectionOptions(), ...options });
+export const createWorker = <T = unknown, R = unknown>(
+  name: string,
+  processor: Processor<T, R>,
+  options?: Omit<WorkerOptions, "connection">
+): Worker<T, R> =>
+  new Worker<T, R>(name, processor, { connection: getRedisConnectionOptions(), ...options });
+export type { Job };

package/src/lib/redis.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import Redis from "ioredis";
+import { log } from "./logger";
+const isProd = process.env.NODE_ENV === "production";
+export const getRedisConnectionOptions = () => {
+  const host_port = isProd ? process.env.REDIS_HOST_PROD : process.env.REDIS_HOST_DEV;
+  if (!host_port) throw new Error(`Missing env var: ${isProd ? "REDIS_HOST_PROD" : "REDIS_HOST_DEV"}`);
+  const [host, port] = host_port.split(":");
+  if (!host || !port) throw new Error(`Invalid Redis host format — expected "host:port", got "${host_port}"`);
+  const username = isProd ? process.env.REDIS_USER_PROD : process.env.REDIS_USER_DEV;
+  const password = isProd ? process.env.REDIS_PW_PROD : process.env.REDIS_PW_DEV;
+  return {
+    host,
+    port: Number(port),
+    ...(username && { username }),
+    ...(password && { password }),
+  };
+};
+let client: Redis | null = null;
+const createClient = (): Redis => {
+  const redis = new Redis(getRedisConnectionOptions());
+  redis.on("error", (err) => log(`[redis] error: ${err.message}`));
+  return redis;
+};
+export const connectRedis = (): Promise<void> => {
+  if (client) return Promise.resolve();
+  client = createClient();
+  return new Promise((resolve, reject) => {
+    client!.once("ready", () => { log(`[redis] connected to ${getRedisConnectionOptions().host}:${getRedisConnectionOptions().port} as ${getRedisConnectionOptions().username || "default user"}`); resolve(); });
+    client!.once("error", reject);
+  });
+};
+export const getRedis = (): Redis => {
+  if (!client) throw new Error("Redis not connected — call connectRedis() first");
+  return client;
+};

package/src/lib/roles.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import { getAuthAdapter } from "./authAdapter";
+const requireMethod = (method: string) => {
+  throw new Error(`Auth adapter does not implement ${method} — add it to your adapter to manage roles`);
+};
+export const setUserRoles = async (userId: string, roles: string[]): Promise<void> => {
+  const adapter = getAuthAdapter();
+  if (!adapter.setRoles) requireMethod("setRoles");
+  await adapter.setRoles!(userId, roles);
+};
+export const addUserRole = async (userId: string, role: string): Promise<void> => {
+  const adapter = getAuthAdapter();
+  if (!adapter.addRole) requireMethod("addRole");
+  await adapter.addRole!(userId, role);
+};
+export const removeUserRole = async (userId: string, role: string): Promise<void> => {
+  const adapter = getAuthAdapter();
+  if (!adapter.removeRole) requireMethod("removeRole");
+  await adapter.removeRole!(userId, role);
+};

package/src/lib/session.ts ADDED Viewed

@@ -0,0 +1,91 @@
+import { getRedis } from "./redis";
+import { appConnection } from "./mongo";
+import { getAppName } from "./appConfig";
+import { Schema } from "mongoose";
+import { sqliteCreateSession, sqliteGetSession, sqliteDeleteSession } from "../adapters/sqliteAuth";
+import { memoryCreateSession, memoryGetSession, memoryDeleteSession } from "../adapters/memoryAuth";
+// ---------------------------------------------------------------------------
+// Mongo session model
+// ---------------------------------------------------------------------------
+interface SessionDoc {
+  userId: string;
+  token: string;
+  expiresAt: Date;
+}
+const sessionSchema = new Schema<SessionDoc>(
+  {
+    userId:    { type: String, required: true, unique: true },
+    token:     { type: String, required: true },
+    expiresAt: { type: Date,   required: true, index: { expireAfterSeconds: 0 } },
+  },
+  { collection: "sessions" }
+);
+function getSessionModel() {
+  return appConnection.models["Session"] ??
+    appConnection.model<SessionDoc>("Session", sessionSchema);
+}
+// ---------------------------------------------------------------------------
+// Store configuration — set once at startup via setSessionStore()
+// ---------------------------------------------------------------------------
+type SessionStore = "redis" | "mongo" | "sqlite" | "memory";
+let _store: SessionStore = "redis";
+export const setSessionStore = (store: SessionStore) => { _store = store; };
+// ---------------------------------------------------------------------------
+// TTL
+// ---------------------------------------------------------------------------
+const TTL_SECONDS = 60 * 60 * 24 * 7; // 7 days
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export const createSession = async (userId: string, token: string) => {
+  if (_store === "memory") { memoryCreateSession(userId, token); return; }
+  if (_store === "sqlite") {
+    sqliteCreateSession(userId, token);
+    return;
+  }
+  if (_store === "mongo") {
+    const expiresAt = new Date(Date.now() + TTL_SECONDS * 1000);
+    await getSessionModel().updateOne(
+      { userId },
+      { $set: { token, expiresAt } },
+      { upsert: true }
+    );
+    return;
+  }
+  await getRedis().set(`session:${getAppName()}:${userId}`, token, "EX", TTL_SECONDS);
+};
+export const getSession = async (userId: string) => {
+  if (_store === "memory") return memoryGetSession(userId);
+  if (_store === "sqlite") return sqliteGetSession(userId);
+  if (_store === "mongo") {
+    const doc = await getSessionModel()
+      .findOne({ userId, expiresAt: { $gt: new Date() } }, "token")
+      .lean();
+    return doc ? doc.token : null;
+  }
+  return getRedis().get(`session:${getAppName()}:${userId}`);
+};
+export const deleteSession = async (userId: string) => {
+  if (_store === "memory") { memoryDeleteSession(userId); return; }
+  if (_store === "sqlite") {
+    sqliteDeleteSession(userId);
+    return;
+  }
+  if (_store === "mongo") {
+    await getSessionModel().deleteOne({ userId });
+    return;
+  }
+  await getRedis().del(`session:${getAppName()}:${userId}`);
+};

package/src/lib/validate.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import { z } from "zod";
+import { HttpError } from "./HttpError";
+export const validate = async <T extends z.ZodType>(schema: T, req: Request): Promise<z.output<T>> => {
+  try {
+    const body = await req.json();
+    return schema.parse(body);
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      throw new HttpError(400, err.issues.map((i) => i.message).join(", "));
+    }
+    throw err;
+  }
+};

package/src/lib/ws.ts ADDED Viewed

@@ -0,0 +1,82 @@
+import type { Server, ServerWebSocket } from "bun";
+type WithRooms = { rooms: Set<string> };
+type WithSocketId = { id: string } & WithRooms;
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let _server: Server<any> | null = null;
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const setWsServer = (server: Server<any>) => { _server = server; };
+export const publish = (topic: string, data: unknown) => {
+  _server?.publish(topic, JSON.stringify(data));
+};
+/** room → Set of socket IDs */
+const _roomRegistry = new Map<string, Set<string>>();
+/** All rooms that currently have at least one subscriber */
+export const getRooms = (): string[] => [..._roomRegistry.keys()];
+/** Socket IDs subscribed to a given room */
+export const getRoomSubscribers = (room: string): string[] =>
+  [...(_roomRegistry.get(room) ?? [])];
+type RoomGuard<T extends WithRooms> = (ws: ServerWebSocket<T>, room: string) => boolean | Promise<boolean>;
+export const handleRoomActions = async <T extends WithSocketId>(
+  ws: ServerWebSocket<T>,
+  message: string | Buffer,
+  onSubscribe?: RoomGuard<T>,
+): Promise<boolean> => {
+  try {
+    const data = JSON.parse(typeof message === "string" ? message : Buffer.from(message).toString());
+    if (data.action === "subscribe" && typeof data.room === "string") {
+      if (onSubscribe && !(await onSubscribe(ws, data.room))) {
+        ws.send(JSON.stringify({ event: "subscribe_denied", room: data.room }));
+      } else {
+        subscribe(ws, data.room);
+        ws.send(JSON.stringify({ event: "subscribed", room: data.room }));
+      }
+      return true;
+    }
+    if (data.action === "unsubscribe" && typeof data.room === "string") {
+      unsubscribe(ws, data.room);
+      ws.send(JSON.stringify({ event: "unsubscribed", room: data.room }));
+      return true;
+    }
+  } catch { /* not JSON */ }
+  return false;
+};
+export const subscribe = <T extends WithSocketId>(ws: ServerWebSocket<T>, room: string) => {
+  ws.subscribe(room);
+  ws.data.rooms.add(room);
+  if (!_roomRegistry.has(room)) _roomRegistry.set(room, new Set());
+  _roomRegistry.get(room)!.add(ws.data.id);
+};
+export const unsubscribe = <T extends WithSocketId>(ws: ServerWebSocket<T>, room: string) => {
+  ws.unsubscribe(room);
+  ws.data.rooms.delete(room);
+  const ids = _roomRegistry.get(room);
+  if (ids) {
+    ids.delete(ws.data.id);
+    if (ids.size === 0) _roomRegistry.delete(room);
+  }
+};
+export const getSubscriptions = <T extends WithRooms>(ws: ServerWebSocket<T>): string[] =>
+  [...ws.data.rooms];
+/** Called on socket close to prune the registry. Internal use only. */
+export const cleanupSocket = (socketId: string, rooms: Set<string>) => {
+  for (const room of rooms) {
+    const ids = _roomRegistry.get(room);
+    if (ids) {
+      ids.delete(socketId);
+      if (ids.size === 0) _roomRegistry.delete(room);
+    }
+  }
+};

package/src/middleware/bearerAuth.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { MiddlewareHandler } from "hono";
+const isProd = process.env.NODE_ENV === "production";
+const validToken = isProd ? process.env.BEARER_TOKEN_PROD! : process.env.BEARER_TOKEN_DEV!;
+export const bearerAuth: MiddlewareHandler = async (c, next) => {
+  const header = c.req.header("Authorization");
+  const token = header?.startsWith("Bearer ") ? header.slice(7) : null;
+  if (!token || token !== validToken) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+  await next();
+};

package/src/middleware/botProtection.ts ADDED Viewed

@@ -0,0 +1,73 @@
+import type { MiddlewareHandler } from "hono";
+// ---------------------------------------------------------------------------
+// CIDR helpers (IPv4 only; IPv6 exact-match supported)
+// ---------------------------------------------------------------------------
+function ipv4ToUint32(ip: string): number {
+  const parts = ip.split(".").map(Number);
+  return (
+    ((parts[0]! << 24) | (parts[1]! << 16) | (parts[2]! << 8) | parts[3]!) >>>
+    0
+  );
+}
+function cidrMatchesIpv4(cidr: string, ip: string): boolean {
+  const slash = cidr.indexOf("/");
+  const network = slash === -1 ? cidr : cidr.slice(0, slash);
+  const prefixLen = slash === -1 ? 32 : parseInt(cidr.slice(slash + 1), 10);
+  const mask = prefixLen === 0 ? 0 : (~0 << (32 - prefixLen)) >>> 0;
+  return (ipv4ToUint32(network) & mask) === (ipv4ToUint32(ip) & mask);
+}
+const IPV4_RE = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
+function normalizeIp(ip: string): string {
+  // Strip IPv4-mapped IPv6 prefix (::ffff:1.2.3.4)
+  if (ip.startsWith("::ffff:")) return ip.slice(7);
+  return ip;
+}
+function isBlocked(ip: string, blockList: string[]): boolean {
+  const normalized = normalizeIp(ip);
+  const isV4 = IPV4_RE.test(normalized);
+  for (const entry of blockList) {
+    if (isV4) {
+      if (cidrMatchesIpv4(entry, normalized)) return true;
+    } else {
+      // IPv6: exact match only (CIDR support is v2)
+      if (entry === normalized) return true;
+    }
+  }
+  return false;
+}
+// ---------------------------------------------------------------------------
+// Middleware
+// ---------------------------------------------------------------------------
+export interface BotProtectionOptions {
+  /**
+   * List of IPv4 CIDRs (e.g. "198.51.100.0/24"), IPv4 exact addresses,
+   * or IPv6 exact addresses to block with a 403.
+   */
+  blockList?: string[];
+}
+export const botProtection = ({
+  blockList = [],
+}: BotProtectionOptions): MiddlewareHandler => {
+  if (blockList.length === 0) return (_c, next) => next();
+  return async (c, next) => {
+    const raw = c.req.header("x-forwarded-for") ?? "";
+    const ip = raw.split(",")[0]?.trim() ?? "unknown";
+    if (ip !== "unknown" && isBlocked(ip, blockList)) {
+      return c.json({ error: "Forbidden" }, 403);
+    }
+    await next();
+  };
+};