@mt-tl/server 0.1.0

package/src/transport/connection.ts

@@ -0,0 +1,113 @@
+import { noopLogger, type Logger } from '@mt-tl/tl'
+import { Framing } from './framing.js'
+import { nextMessageId, nextSeqNo, type MsgIdState } from '../session/message-id.js'
+import { InboundTracker } from '../session/inbound-tracker.js'
+
+/**
+ * Per-connection state. Holds transport framing, the negotiated TL layer,
+ * auth-key/session binding (filled after the handshake and first encrypted
+ * message), and outgoing message-id/seq counters.
+ */
+export interface ConnectionCtx extends MsgIdState {
+    connectionId: number
+    remoteAddress?: string
+    apiLayer: number
+
+    authKeyId?: bigint
+    authKey?: Buffer
+    sessionId?: bigint
+    uniqueId?: bigint
+    serverSalt?: bigint
+
+    // Captured from `initConnection` (and persisted onto the auth key's meta).
+    apiId?: number
+    deviceModel?: string
+    systemVersion?: string
+    appVersion?: string
+    systemLangCode?: string
+    langCode?: string
+    /** Bound subject (internal user id) once the auth key is authorized. */
+    subject?: string
+
+    /** Set when the client wrapped a query in `invokeWithoutUpdates` — this
+     * connection is excluded from server-push delivery. */
+    noUpdates?: boolean
+}
+
+export class Connection {
+    readonly id: number
+    /** Per-connection logger (carrier-scoped child); also passed to framing. */
+    readonly log: Logger
+    readonly framing: Framing
+    /** Inbound msg_id/seqno validation + received-message state (per session). */
+    readonly tracker = new InboundTracker()
+    ctx: ConnectionCtx
+    closed = false
+    private tail: Promise<void> = Promise.resolve()
+    /** Idle-disconnect window (ms) requested via `ping_delay_disconnect`; 0 = none. */
+    private disconnectMs = 0
+    private disconnectTimer?: ReturnType<typeof setTimeout>
+
+    constructor(
+        id: number,
+        private readonly transportSend: (bytes: Buffer) => void,
+        private readonly transportClose: () => void,
+        remoteAddress?: string,
+        defaultLayer = 204,
+        log: Logger = noopLogger,
+    ) {
+        this.id = id
+        this.log = log
+        this.framing = new Framing(log)
+        this.ctx = {
+            connectionId: id,
+            remoteAddress,
+            apiLayer: defaultLayer,
+            lastMessageId: null,
+            messageSeqNo: 0,
+        }
+    }
+
+    /** Frame a fully-built MTProto packet (plaintext or encrypted) and send it. */
+    send(packet: Buffer): void {
+        if (this.closed) return
+        this.transportSend(this.framing.frame(packet))
+    }
+
+    nextMessageId(isNotification = false): bigint {
+        return nextMessageId(this.ctx, isNotification)
+    }
+
+    nextSeqNo(contentRelated = true): number {
+        return nextSeqNo(this.ctx, contentRelated)
+    }
+
+    /** Serialize async work per connection so messages are processed in order. */
+    enqueue(fn: () => void | Promise<void>): void {
+        this.tail = this.tail.then(fn).catch(() => {})
+    }
+
+    /**
+     * Arm (or re-arm) the `ping_delay_disconnect` idle timer: close the connection
+     * after `delaySec` seconds of inactivity. A delay of 0 disarms it.
+     */
+    armDisconnect(delaySec: number): void {
+        this.disconnectMs = Math.max(0, Math.floor(delaySec)) * 1000
+        this.resetDisconnect()
+    }
+
+    /** Reset the idle timer on activity. No-op unless armed via {@link armDisconnect}. */
+    resetDisconnect(): void {
+        if (this.disconnectTimer) clearTimeout(this.disconnectTimer)
+        if (!this.disconnectMs) return
+        this.disconnectTimer = setTimeout(() => this.close(), this.disconnectMs)
+        if (typeof this.disconnectTimer.unref === 'function') this.disconnectTimer.unref()
+    }
+
+    close(): void {
+        if (this.closed) return
+        this.closed = true
+        if (this.disconnectTimer) clearTimeout(this.disconnectTimer)
+        this.transportClose()
+    }
+}

package/src/transport/framing.ts

@@ -0,0 +1,223 @@
+import { createDecipheriv } from 'node:crypto'
+import CRC32 from 'crc-32'
+import { noopLogger, type Logger } from '@mt-tl/tl'
+import { calculatePadding } from '../crypto/dh.js'
+
+type Decipher = ReturnType<typeof createDecipheriv>
+
+/**
+ * MTProto transport framing. The same four modes the existing server supports
+ * are delivered identically over TCP or inside binary WebSocket frames, so the
+ * gateway feeds raw bytes here regardless of carrier.
+ *
+ * Modes: abridged (0xef), intermediate (0xeeeeeeee), full, and obfuscated
+ * (a 64-byte AES-CTR header that wraps abridged/intermediate). Detection mirrors
+ * `server.js` exactly for wire-compatibility.
+ */
+export type InnerMode = 'abridged' | 'intermediate' | 'full'
+export type Mode = InnerMode | 'obfuscated'
+
+function looksLikeTcpFullStreamStart(buf: Buffer): boolean {
+    const len = buf.readUInt32LE(0)
+    if (len > 65536 || buf.length < len) return false
+    return buf.readUInt32LE(len - 8) === 0
+}
+
+export class Framing {
+    mode?: Mode
+    private inner?: InnerMode
+    /** Plaintext queue from which inner packets are read. */
+    private queue = Buffer.alloc(0)
+    /** Pre-detection accumulation. */
+    private detectBuf = Buffer.alloc(0)
+    private sequenceIn = 0
+    private sequenceOut = 0
+    private decryptor?: Decipher
+    private encryptor?: Decipher
+
+    constructor(private readonly log: Logger = noopLogger) {}
+
+    /** Feed received bytes; returns any complete packets that became available. */
+    feed(chunk: Buffer): Buffer[] {
+        if (this.mode === undefined) {
+            this.detectBuf = Buffer.concat([this.detectBuf, chunk])
+            if (!this.detect()) return []
+        } else if (this.mode === 'obfuscated') {
+            this.queue = Buffer.concat([this.queue, this.decryptor!.update(chunk)])
+        } else {
+            this.queue = Buffer.concat([this.queue, chunk])
+        }
+        return this.drain()
+    }
+
+    /** Frame an outgoing packet for the negotiated mode. */
+    frame(packet: Buffer): Buffer {
+        const eff = this.effectiveMode()
+        const framed = this.frameInner(eff, packet)
+        return this.mode === 'obfuscated' ? this.encryptor!.update(framed) : framed
+    }
+
+    private effectiveMode(): InnerMode {
+        if (this.mode === 'obfuscated') return this.inner!
+        return this.mode as InnerMode
+    }
+
+    private detect(): boolean {
+        const buf = this.detectBuf
+        if (buf.length < 4) return false
+
+        if (buf.readUInt8(0) === 0xef) {
+            this.mode = 'abridged'
+            this.queue = Buffer.from(buf.subarray(1))
+            return true
+        }
+        if (buf.readUInt32LE(0) === 0xeeeeeeee) {
+            this.mode = 'intermediate'
+            this.queue = Buffer.from(buf.subarray(4))
+            return true
+        }
+        if (buf.length < 8) return false
+        if (buf.readUInt32LE(4) === 0 || looksLikeTcpFullStreamStart(buf)) {
+            this.mode = 'full'
+            this.queue = Buffer.from(buf)
+            return true
+        }
+        if (buf.length < 64) return false
+
+        // Obfuscated: 64-byte header sets up AES-CTR streams.
+        const header = Buffer.from(buf.subarray(0, 64))
+        const rev = Buffer.from(header).reverse()
+        this.decryptor = createDecipheriv('aes-256-ctr', header.subarray(8, 40), header.subarray(40, 56))
+        this.encryptor = createDecipheriv('aes-256-ctr', rev.subarray(8, 40), rev.subarray(40, 56))
+        const decHeader = this.decryptor.update(header)
+        if (this.log.isLevelEnabled('trace')) {
+            this.log.trace('framing.obfuscated', {
+                tag: decHeader.subarray(56, 60).toString('hex'),
+                rawHead: header.subarray(0, 16).toString('hex'),
+                decHead: decHeader.subarray(0, 16).toString('hex'),
+            })
+        }
+        switch (decHeader[56]) {
+            case 0xdd:
+            case 0xee:
+                this.inner = 'intermediate'
+                break
+            case 0xef:
+                this.inner = 'abridged'
+                break
+            default:
+                throw new Error(
+                    `obfuscated: cannot determine inner mode (tag ${decHeader.subarray(56, 60).toString('hex')})`,
+                )
+        }
+        this.mode = 'obfuscated'
+        this.queue = this.decryptor.update(Buffer.from(buf.subarray(64)))
+        if (this.log.isLevelEnabled('trace')) {
+            this.log.trace('framing.detected', {
+                mode: this.mode,
+                inner: this.inner,
+                queued: this.queue.length,
+            })
+        }
+        return true
+    }
+
+    private drain(): Buffer[] {
+        const out: Buffer[] = []
+        for (;;) {
+            const p = this.readOne()
+            if (p === undefined) break
+            out.push(p)
+        }
+        return out
+    }
+
+    private readOne(): Buffer | undefined {
+        switch (this.effectiveMode()) {
+            case 'abridged':
+                return this.readAbridged()
+            case 'intermediate':
+                return this.readIntermediate()
+            case 'full':
+                return this.readFull()
+        }
+    }
+
+    private readAbridged(): Buffer | undefined {
+        const q = this.queue
+        if (q.length < 1) return undefined
+        let len = q.readUInt8(0)
+        let shift = 1
+        if (len === 0x7f) {
+            if (q.length < 4) return undefined
+            len = (q.readUInt8(1) | (q.readUInt8(2) << 8) | (q.readUInt8(3) << 16)) << 2
+            shift = 4
+        } else {
+            len <<= 2
+        }
+        if (q.length < len + shift) return undefined
+        const packet = Buffer.from(q.subarray(shift, shift + len))
+        this.queue = q.subarray(shift + len)
+        return packet
+    }
+
+    private readIntermediate(): Buffer | undefined {
+        const q = this.queue
+        if (q.length < 4) return undefined
+        const len = q.readUInt32LE(0)
+        if (q.length < len + 4) return undefined
+        const packet = Buffer.from(q.subarray(4, 4 + len))
+        this.queue = q.subarray(4 + len)
+        return packet
+    }
+
+    private readFull(): Buffer | undefined {
+        // Standard tcp_full layout: [len(4)][seq(4)][payload][crc(4)], len = payload + 12.
+        const q = this.queue
+        if (q.length < 4) return undefined
+        const len = q.readUInt32LE(0)
+        if (len < 12 || q.length < len) return undefined
+        const seqNo = q.readUInt32LE(4)
+        if (seqNo !== this.sequenceIn) {
+            throw new Error(`tcp_full: wrong sequence ${seqNo}, expected ${this.sequenceIn}`)
+        }
+        this.sequenceIn++
+        const packet = Buffer.from(q.subarray(8, len - 4))
+        this.queue = q.subarray(len)
+        return packet
+    }
+
+    private frameInner(mode: InnerMode, packet: Buffer): Buffer {
+        switch (mode) {
+            case 'abridged': {
+                const pad = Buffer.alloc(calculatePadding(packet.length, 4))
+                const lenValue = (packet.length + pad.length) / 4
+                const lenB =
+                    lenValue < 127
+                        ? Buffer.from([lenValue])
+                        : Buffer.from([
+                              0x7f,
+                              lenValue & 0xff,
+                              (lenValue >> 8) & 0xff,
+                              (lenValue >> 16) & 0xff,
+                          ])
+                return Buffer.concat([lenB, packet, pad])
+            }
+            case 'intermediate': {
+                const lenB = Buffer.alloc(4)
+                lenB.writeUInt32LE(packet.length, 0)
+                return Buffer.concat([lenB, packet])
+            }
+            case 'full': {
+                const lenB = Buffer.alloc(4)
+                lenB.writeUInt32LE(packet.length + 12, 0)
+                const seqB = Buffer.alloc(4)
+                seqB.writeUInt32LE(this.sequenceOut++, 0)
+                const body = Buffer.concat([lenB, seqB, packet])
+                const crc = Buffer.alloc(4)
+                crc.writeUInt32LE(CRC32.buf(body) >>> 0, 0)
+                return Buffer.concat([body, crc])
+            }
+        }
+    }
+}

package/src/transport/proxy-protocol.ts

@@ -0,0 +1,109 @@
+// PROXY protocol (HAProxy) header parsing for the raw-TCP carrier. When a TCP
+// load balancer / proxy sits in front, it prepends a small header announcing the
+// real client address before the MTProto byte stream. We parse it (v1 text and
+// v2 binary) so `RpcContext.ip` reflects the client, not the proxy. Only used
+// when `trustProxy` is set — the spec assumes a trusted proxy always prepends it.
+// Ref: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+
+/** 12-byte v2 signature: `\r\n\r\n\0\r\nQUIT\n`. */
+const V2_SIG = Buffer.from([0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, 0x0a, 0x51, 0x55, 0x49, 0x54, 0x0a])
+/** v1 lines start with `PROXY ` and are at most 107 bytes incl. CRLF. */
+const V1_PREFIX = Buffer.from('PROXY ')
+const V1_MAX = 107
+/** Cap buffered bytes while a header is still incomplete (guards a slow/malicious peer). */
+const MAX_HEADER = 1024
+
+export type ProxyParse =
+    /** A complete header. `sourceIp` is undefined for UNKNOWN/LOCAL/UNSPEC (use the socket address). */
+    | { status: 'done'; sourceIp?: string; consumed: number }
+    /** Need more bytes — the buffer is a valid prefix of a header so far. */
+    | { status: 'incomplete' }
+    /** No PROXY header — treat the bytes as the start of the MTProto stream. */
+    | { status: 'absent' }
+
+/**
+ * Inspects the start of a freshly-accepted TCP stream for a PROXY-protocol
+ * header. Returns `done` (with the parsed source IP and how many bytes the header
+ * occupied), `incomplete` (call again with more bytes), or `absent` (no header —
+ * the bytes are the MTProto stream itself).
+ */
+export function parseProxyHeader(buf: Buffer): ProxyParse {
+    if (buf.length === 0) return { status: 'incomplete' }
+    const b0 = buf[0]!
+
+    // v2 — binary, begins with 0x0D.
+    if (b0 === 0x0d) {
+        const n = Math.min(buf.length, V2_SIG.length)
+        for (let i = 0; i < n; i++) if (buf[i] !== V2_SIG[i]) return { status: 'absent' }
+        if (buf.length < 16) return buf.length > MAX_HEADER ? { status: 'absent' } : { status: 'incomplete' }
+        return parseV2(buf)
+    }
+
+    // v1 — text, begins with 'P' (0x50) of "PROXY ".
+    if (b0 === 0x50) {
+        const crlf = buf.indexOf('\r\n')
+        if (crlf === -1) {
+            if (buf.length > V1_MAX) return { status: 'absent' }
+            const n = Math.min(buf.length, V1_PREFIX.length)
+            for (let i = 0; i < n; i++) if (buf[i] !== V1_PREFIX[i]) return { status: 'absent' }
+            return { status: 'incomplete' }
+        }
+        return parseV1(buf.toString('latin1', 0, crlf), crlf + 2)
+    }
+
+    return { status: 'absent' }
+}
+
+function parseV1(line: string, consumed: number): ProxyParse {
+    // "PROXY TCP4 <src> <dst> <srcPort> <dstPort>" | "PROXY UNKNOWN ..."
+    const parts = line.split(' ')
+    if (parts[0] !== 'PROXY') return { status: 'absent' }
+    if (parts[1] === 'TCP4' || parts[1] === 'TCP6') return { status: 'done', sourceIp: parts[2], consumed }
+    return { status: 'done', consumed } // UNKNOWN — no announced address
+}
+
+function parseV2(buf: Buffer): ProxyParse {
+    const cmd = buf[12]! & 0x0f // 0 = LOCAL (health check), 1 = PROXY
+    const family = buf[13]! >> 4 // 1 = AF_INET, 2 = AF_INET6
+    const addrLen = buf.readUInt16BE(14)
+    const total = 16 + addrLen
+    if (buf.length < total) return total > MAX_HEADER ? { status: 'absent' } : { status: 'incomplete' }
+
+    let sourceIp: string | undefined
+    if (cmd === 0x1) {
+        if (family === 0x1 && addrLen >= 12) {
+            sourceIp = `${buf[16]}.${buf[17]}.${buf[18]}.${buf[19]}`
+        } else if (family === 0x2 && addrLen >= 36) {
+            sourceIp = formatIpv6(buf.subarray(16, 32))
+        }
+    }
+    return { status: 'done', sourceIp, consumed: total }
+}
+
+/** 16 bytes → a compressed IPv6 string (longest run of zero groups → `::`). */
+function formatIpv6(b: Buffer): string {
+    const groups: number[] = []
+    for (let i = 0; i < 16; i += 2) groups.push((b[i]! << 8) | b[i + 1]!)
+    // Find the longest run of zero groups to compress.
+    let bestStart = -1
+    let bestLen = 0
+    let curStart = -1
+    let curLen = 0
+    for (let i = 0; i < 8; i++) {
+        if (groups[i] === 0) {
+            if (curStart === -1) curStart = i
+            curLen++
+            if (curLen > bestLen) {
+                bestLen = curLen
+                bestStart = curStart
+            }
+        } else {
+            curStart = -1
+            curLen = 0
+        }
+    }
+    if (bestLen < 2) return groups.map(g => g.toString(16)).join(':')
+    const head = groups.slice(0, bestStart).map(g => g.toString(16))
+    const tail = groups.slice(bestStart + bestLen).map(g => g.toString(16))
+    return `${head.join(':')}::${tail.join(':')}`
+}

package/src/transport/server-common.ts

@@ -0,0 +1,49 @@
+import type { Logger } from '@mt-tl/tl'
+import type { Connection } from './connection.js'
+
+export type PacketHandler = (packet: Buffer, conn: Connection) => void | Promise<void>
+
+export interface TransportHandlers {
+    onPacket: PacketHandler
+    onConnect?: (conn: Connection) => void
+    onClose?: (conn: Connection) => void
+}
+
+export interface TransportOptions {
+    port: number
+    defaultLayer: number
+    /**
+     * Trust an upstream proxy for the client address: parse the PROXY-protocol
+     * header on raw TCP, and trust `X-Forwarded-For` on WebSocket. Leave off
+     * (default) when clients connect directly — the headers are spoofable.
+     */
+    trustProxy?: boolean
+    /** Structured logger; the carrier derives a per-connection child from it. */
+    logger?: Logger
+}
+
+/**
+ * Feed a received byte chunk into a connection's framing and enqueue any
+ * complete packets. Shared by the WebSocket and raw-TCP carriers — both deliver
+ * bytes (WS as binary frames, TCP as a stream) to the same stateful framer.
+ */
+export function pump(conn: Connection, chunk: Buffer, handlers: TransportHandlers): void {
+    let packets: Buffer[]
+    try {
+        packets = conn.framing.feed(chunk)
+    } catch (err) {
+        // Unframable bytes = a broken/hostile client; drop the connection. Expected
+        // enough to be a warn, not an error (no server fault).
+        conn.log.warn('framing.error', { err: String(err) })
+        conn.close()
+        return
+    }
+    if (packets.length && conn.log.isLevelEnabled('trace')) {
+        conn.log.trace('framing.packets', {
+            packets: packets.map(p => ({ bytes: p.length, head: p.subarray(0, 8).toString('hex') })),
+        })
+    }
+    for (const packet of packets) {
+        conn.enqueue(() => handlers.onPacket(packet, conn))
+    }
+}

package/src/transport/tcp-server.ts

@@ -0,0 +1,102 @@
+import { createServer, type AddressInfo, type Server, type Socket } from 'node:net'
+import { noopLogger } from '@mt-tl/tl'
+import { Connection } from './connection.js'
+import { pump, type TransportHandlers, type TransportOptions } from './server-common.js'
+import { parseProxyHeader } from './proxy-protocol.js'
+
+/**
+ * Raw TCP carrier for MTProto, for legacy clients that connect over a plain
+ * socket rather than WebSocket. The byte stream is fed into the same framing as
+ * WS (the framer already reassembles packets across `data` events), so abridged
+ * / intermediate / full / obfuscated transports all work identically here.
+ */
+export class MtprotoTcpServer {
+    private server?: Server
+    private lastId = 0
+
+    constructor(
+        private readonly options: TransportOptions,
+        private readonly handlers: TransportHandlers,
+    ) {}
+
+    listen(): Promise<void> {
+        return new Promise((resolve, reject) => {
+            this.server = createServer({ allowHalfOpen: false }, socket => this.onConnection(socket))
+            this.server.once('error', reject)
+            this.server.listen(this.options.port, () => resolve())
+        })
+    }
+
+    get port(): number {
+        const addr = this.server?.address()
+        return addr && typeof addr === 'object' ? (addr as AddressInfo).port : this.options.port
+    }
+
+    private onConnection(socket: Socket): void {
+        socket.setNoDelay(true)
+        const id = ++this.lastId
+
+        const log = (this.options.logger ?? noopLogger).child({ scope: 'tcp', conn: id })
+        log.info('conn.open', { remote: socket.remoteAddress })
+
+        const conn = new Connection(
+            id,
+            bytes => {
+                try {
+                    socket.write(bytes)
+                } catch {
+                    conn.close()
+                }
+            },
+            () => socket.destroy(),
+            socket.remoteAddress,
+            this.options.defaultLayer,
+            log,
+        )
+
+        this.handlers.onConnect?.(conn)
+        socket.on(
+            'data',
+            this.options.trustProxy ? this.proxyAware(conn) : chunk => pump(conn, chunk, this.handlers),
+        )
+        socket.on('close', () => {
+            log.info('conn.close')
+            conn.closed = true
+            this.handlers.onClose?.(conn)
+        })
+        socket.on('error', err => {
+            log.warn('tcp.error', { err: String(err) })
+            conn.close()
+        })
+    }
+
+    /**
+     * Data handler that strips a leading PROXY-protocol header (when present)
+     * before the byte stream reaches framing, recording the announced client IP
+     * on the connection. Once the header is consumed (or shown absent), all
+     * further bytes pass straight to `pump`.
+     */
+    private proxyAware(conn: Connection): (chunk: Buffer) => void {
+        let header: Buffer | null = Buffer.alloc(0)
+        return (chunk: Buffer) => {
+            if (header === null) return pump(conn, chunk, this.handlers)
+            header = header.length ? Buffer.concat([header, chunk]) : chunk
+            const res = parseProxyHeader(header)
+            if (res.status === 'incomplete') return
+            const buffered = header
+            header = null // done parsing; subsequent chunks bypass this path
+            if (res.status === 'done') {
+                if (res.sourceIp) conn.ctx.remoteAddress = res.sourceIp
+                const rest = buffered.subarray(res.consumed)
+                if (rest.length) pump(conn, rest, this.handlers)
+            } else {
+                // No PROXY header — the bytes are the MTProto stream itself.
+                pump(conn, buffered, this.handlers)
+            }
+        }
+    }
+
+    close(): void {
+        this.server?.close()
+    }
+}

package/src/transport/ws-server.ts

@@ -0,0 +1,94 @@
+import { WebSocketServer, type WebSocket } from 'ws'
+import type { AddressInfo } from 'node:net'
+import type { IncomingMessage } from 'node:http'
+import { noopLogger } from '@mt-tl/tl'
+import { Connection } from './connection.js'
+import { pump, type TransportHandlers, type TransportOptions } from './server-common.js'
+
+export type { PacketHandler, TransportHandlers } from './server-common.js'
+
+function toBuffer(data: Buffer | ArrayBuffer | Buffer[]): Buffer {
+    if (Buffer.isBuffer(data)) return data
+    if (Array.isArray(data)) return Buffer.concat(data)
+    return Buffer.from(data)
+}
+
+/**
+ * WebSocket carrier for MTProto. Each binary frame is fed into the connection's
+ * transport framing; complete packets are handed to `onPacket` in arrival order.
+ */
+export class MtprotoWsServer {
+    private wss?: WebSocketServer
+    private lastId = 0
+
+    constructor(
+        private readonly options: TransportOptions,
+        private readonly handlers: TransportHandlers,
+    ) {}
+
+    listen(): Promise<void> {
+        return new Promise(resolve => {
+            this.wss = new WebSocketServer({ port: this.options.port, clientTracking: false })
+            this.wss.on('connection', (socket, req) => this.onConnection(socket, req))
+            this.wss.on('listening', () => resolve())
+        })
+    }
+
+    /** Bound TCP port (useful when listening on port 0 in tests). */
+    get port(): number {
+        const addr = this.wss?.address()
+        return addr && typeof addr === 'object' ? (addr as AddressInfo).port : this.options.port
+    }
+
+    private onConnection(socket: WebSocket, req: IncomingMessage): void {
+        const id = ++this.lastId
+        // Only trust the (spoofable) X-Forwarded-For when an upstream proxy is declared.
+        const forwarded = this.options.trustProxy
+            ? (req.headers['x-forwarded-for'] as string | undefined)?.split(',')[0]?.trim()
+            : undefined
+        const remote = forwarded ?? req.socket.remoteAddress ?? undefined
+
+        const log = (this.options.logger ?? noopLogger).child({ scope: 'ws', conn: id })
+        log.info('conn.open', { remote })
+        if (log.isLevelEnabled('trace')) {
+            log.trace('ws.connect', {
+                host: req.headers.host,
+                xff: req.headers['x-forwarded-for'],
+                proto: req.headers['sec-websocket-protocol'],
+                ua: req.headers['user-agent'],
+            })
+        }
+
+        const conn = new Connection(
+            id,
+            bytes => socket.send(bytes, { binary: true }),
+            () => socket.close(),
+            remote,
+            this.options.defaultLayer,
+            log,
+        )
+
+        this.handlers.onConnect?.(conn)
+        socket.on('message', (data: Buffer | ArrayBuffer | Buffer[]) => {
+            const buf = toBuffer(data)
+            if (log.isLevelEnabled('trace'))
+                log.trace('ws.recv', { bytes: buf.length, head: buf.subarray(0, 16).toString('hex') })
+            pump(conn, buf, this.handlers)
+        })
+        socket.on('close', (code, reason) => {
+            log.info('conn.close', { code })
+            if (reason?.length && log.isLevelEnabled('trace'))
+                log.trace('ws.close', { reason: reason.toString() })
+            conn.closed = true
+            this.handlers.onClose?.(conn)
+        })
+        socket.on('error', err => {
+            log.warn('ws.error', { err: String(err) })
+            conn.close()
+        })
+    }
+
+    close(): void {
+        this.wss?.close()
+    }
+}