@push.rocks/smartproxy 16.0.2 → 16.0.3

package/dist_ts/proxies/network-proxy/security-manager.d.ts

@@ -0,0 +1,65 @@
+import type { ILogger } from './models/types.js';
+import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
+import type { IRouteContext } from '../../core/models/route-context.js';
+/**
+ * Manages security features for the NetworkProxy
+ * Implements Phase 5.4: Security features like IP filtering and rate limiting
+ */
+export declare class SecurityManager {
+    private logger;
+    private routes;
+    private ipFilterCache;
+    private rateLimits;
+    constructor(logger: ILogger, routes?: IRouteConfig[]);
+    /**
+     * Update the routes configuration
+     */
+    setRoutes(routes: IRouteConfig[]): void;
+    /**
+     * Check if a client is allowed to access a specific route
+     *
+     * @param route The route to check access for
+     * @param context The route context with client information
+     * @returns True if access is allowed, false otherwise
+     */
+    isAllowed(route: IRouteConfig, context: IRouteContext): boolean;
+    /**
+     * Check if an IP is allowed based on route security settings
+     */
+    private isIpAllowed;
+    /**
+     * Check if IP matches any pattern in the list
+     */
+    private ipMatchesPattern;
+    /**
+     * Check if IP matches CIDR notation
+     * Very basic implementation - for production use, consider a dedicated IP library
+     */
+    private ipMatchesCidr;
+    /**
+     * Check if request is within rate limit
+     */
+    private isWithinRateLimit;
+    /**
+     * Clean up expired rate limits
+     * Should be called periodically to prevent memory leaks
+     */
+    cleanupExpiredRateLimits(): void;
+    /**
+     * Check basic auth credentials
+     *
+     * @param route The route to check auth for
+     * @param username The provided username
+     * @param password The provided password
+     * @returns True if credentials are valid, false otherwise
+     */
+    checkBasicAuth(route: IRouteConfig, username: string, password: string): boolean;
+    /**
+     * Verify a JWT token
+     *
+     * @param route The route to verify the token for
+     * @param token The JWT token to verify
+     * @returns True if the token is valid, false otherwise
+     */
+    verifyJwtToken(route: IRouteConfig, token: string): boolean;
+}

package/dist_ts/proxies/network-proxy/security-manager.js

@@ -0,0 +1,255 @@
+import * as plugins from '../../plugins.js';
+/**
+ * Manages security features for the NetworkProxy
+ * Implements Phase 5.4: Security features like IP filtering and rate limiting
+ */
+export class SecurityManager {
+    constructor(logger, routes = []) {
+        this.logger = logger;
+        this.routes = routes;
+        // Cache IP filtering results to avoid constant regex matching
+        this.ipFilterCache = new Map();
+        // Store rate limits per route and key
+        this.rateLimits = new Map();
+    }
+    /**
+     * Update the routes configuration
+     */
+    setRoutes(routes) {
+        this.routes = routes;
+        // Reset caches when routes change
+        this.ipFilterCache.clear();
+    }
+    /**
+     * Check if a client is allowed to access a specific route
+     *
+     * @param route The route to check access for
+     * @param context The route context with client information
+     * @returns True if access is allowed, false otherwise
+     */
+    isAllowed(route, context) {
+        if (!route.security) {
+            return true; // No security restrictions
+        }
+        // --- IP filtering ---
+        if (!this.isIpAllowed(route, context.clientIp)) {
+            this.logger.debug(`IP ${context.clientIp} is blocked for route ${route.name || route.id || 'unnamed'}`);
+            return false;
+        }
+        // --- Rate limiting ---
+        if (route.security.rateLimit?.enabled && !this.isWithinRateLimit(route, context)) {
+            this.logger.debug(`Rate limit exceeded for route ${route.name || route.id || 'unnamed'}`);
+            return false;
+        }
+        // --- Basic Auth (handled at HTTP level) ---
+        // Basic auth is not checked here as it requires HTTP headers
+        // and is handled in the RequestHandler
+        return true;
+    }
+    /**
+     * Check if an IP is allowed based on route security settings
+     */
+    isIpAllowed(route, clientIp) {
+        if (!route.security) {
+            return true; // No security restrictions
+        }
+        const routeId = route.id || route.name || 'unnamed';
+        // Check cache first
+        if (!this.ipFilterCache.has(routeId)) {
+            this.ipFilterCache.set(routeId, new Map());
+        }
+        const routeCache = this.ipFilterCache.get(routeId);
+        if (routeCache.has(clientIp)) {
+            return routeCache.get(clientIp);
+        }
+        let allowed = true;
+        // Check block list first (deny has priority over allow)
+        if (route.security.ipBlockList && route.security.ipBlockList.length > 0) {
+            if (this.ipMatchesPattern(clientIp, route.security.ipBlockList)) {
+                allowed = false;
+            }
+        }
+        // Then check allow list (overrides block list if specified)
+        if (route.security.ipAllowList && route.security.ipAllowList.length > 0) {
+            // If allow list is specified, IP must match an entry to be allowed
+            allowed = this.ipMatchesPattern(clientIp, route.security.ipAllowList);
+        }
+        // Cache the result
+        routeCache.set(clientIp, allowed);
+        return allowed;
+    }
+    /**
+     * Check if IP matches any pattern in the list
+     */
+    ipMatchesPattern(ip, patterns) {
+        for (const pattern of patterns) {
+            // CIDR notation
+            if (pattern.includes('/')) {
+                if (this.ipMatchesCidr(ip, pattern)) {
+                    return true;
+                }
+            }
+            // Wildcard notation
+            else if (pattern.includes('*')) {
+                const regex = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
+                if (regex.test(ip)) {
+                    return true;
+                }
+            }
+            // Exact match
+            else if (pattern === ip) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Check if IP matches CIDR notation
+     * Very basic implementation - for production use, consider a dedicated IP library
+     */
+    ipMatchesCidr(ip, cidr) {
+        try {
+            const [subnet, bits] = cidr.split('/');
+            const mask = parseInt(bits, 10);
+            // Convert IP to numeric format
+            const ipParts = ip.split('.').map(part => parseInt(part, 10));
+            const subnetParts = subnet.split('.').map(part => parseInt(part, 10));
+            // Calculate the numeric IP and subnet
+            const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3];
+            const subnetNum = (subnetParts[0] << 24) | (subnetParts[1] << 16) | (subnetParts[2] << 8) | subnetParts[3];
+            // Calculate the mask
+            const maskNum = ~((1 << (32 - mask)) - 1);
+            // Check if IP is in subnet
+            return (ipNum & maskNum) === (subnetNum & maskNum);
+        }
+        catch (e) {
+            this.logger.error(`Invalid CIDR notation: ${cidr}`);
+            return false;
+        }
+    }
+    /**
+     * Check if request is within rate limit
+     */
+    isWithinRateLimit(route, context) {
+        if (!route.security?.rateLimit?.enabled) {
+            return true;
+        }
+        const rateLimit = route.security.rateLimit;
+        const routeId = route.id || route.name || 'unnamed';
+        // Determine rate limit key (by IP, path, or header)
+        let key = context.clientIp; // Default to IP
+        if (rateLimit.keyBy === 'path' && context.path) {
+            key = `${context.clientIp}:${context.path}`;
+        }
+        else if (rateLimit.keyBy === 'header' && rateLimit.headerName && context.headers) {
+            const headerValue = context.headers[rateLimit.headerName.toLowerCase()];
+            if (headerValue) {
+                key = `${context.clientIp}:${headerValue}`;
+            }
+        }
+        // Get or create rate limit tracking for this route
+        if (!this.rateLimits.has(routeId)) {
+            this.rateLimits.set(routeId, new Map());
+        }
+        const routeLimits = this.rateLimits.get(routeId);
+        const now = Date.now();
+        // Get or create rate limit tracking for this key
+        let limit = routeLimits.get(key);
+        if (!limit || limit.expiry < now) {
+            // Create new rate limit or reset expired one
+            limit = {
+                count: 1,
+                expiry: now + (rateLimit.window * 1000)
+            };
+            routeLimits.set(key, limit);
+            return true;
+        }
+        // Increment the counter
+        limit.count++;
+        // Check if rate limit is exceeded
+        return limit.count <= rateLimit.maxRequests;
+    }
+    /**
+     * Clean up expired rate limits
+     * Should be called periodically to prevent memory leaks
+     */
+    cleanupExpiredRateLimits() {
+        const now = Date.now();
+        for (const [routeId, routeLimits] of this.rateLimits.entries()) {
+            let removed = 0;
+            for (const [key, limit] of routeLimits.entries()) {
+                if (limit.expiry < now) {
+                    routeLimits.delete(key);
+                    removed++;
+                }
+            }
+            if (removed > 0) {
+                this.logger.debug(`Cleaned up ${removed} expired rate limits for route ${routeId}`);
+            }
+        }
+    }
+    /**
+     * Check basic auth credentials
+     *
+     * @param route The route to check auth for
+     * @param username The provided username
+     * @param password The provided password
+     * @returns True if credentials are valid, false otherwise
+     */
+    checkBasicAuth(route, username, password) {
+        if (!route.security?.basicAuth?.enabled) {
+            return true;
+        }
+        const basicAuth = route.security.basicAuth;
+        // Check credentials against configured users
+        for (const user of basicAuth.users) {
+            if (user.username === username && user.password === password) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Verify a JWT token
+     *
+     * @param route The route to verify the token for
+     * @param token The JWT token to verify
+     * @returns True if the token is valid, false otherwise
+     */
+    verifyJwtToken(route, token) {
+        if (!route.security?.jwtAuth?.enabled) {
+            return true;
+        }
+        try {
+            // This is a simplified version - in production you'd use a proper JWT library
+            const jwtAuth = route.security.jwtAuth;
+            // Verify structure
+            const parts = token.split('.');
+            if (parts.length !== 3) {
+                return false;
+            }
+            // Decode payload
+            const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+            // Check expiration
+            if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+                return false;
+            }
+            // Check issuer
+            if (jwtAuth.issuer && payload.iss !== jwtAuth.issuer) {
+                return false;
+            }
+            // Check audience
+            if (jwtAuth.audience && payload.aud !== jwtAuth.audience) {
+                return false;
+            }
+            // In a real implementation, you'd also verify the signature
+            // using the secret and algorithm specified in jwtAuth
+            return true;
+        }
+        catch (err) {
+            this.logger.error(`Error verifying JWT: ${err}`);
+            return false;
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VjdXJpdHktbWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL3Byb3hpZXMvbmV0d29yay1wcm94eS9zZWN1cml0eS1tYW5hZ2VyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxPQUFPLE1BQU0sa0JBQWtCLENBQUM7QUFLNUM7OztHQUdHO0FBQ0gsTUFBTSxPQUFPLGVBQWU7SUFPMUIsWUFBb0IsTUFBZSxFQUFVLFNBQXlCLEVBQUU7UUFBcEQsV0FBTSxHQUFOLE1BQU0sQ0FBUztRQUFVLFdBQU0sR0FBTixNQUFNLENBQXFCO1FBTnhFLDhEQUE4RDtRQUN0RCxrQkFBYSxHQUFzQyxJQUFJLEdBQUcsRUFBRSxDQUFDO1FBRXJFLHNDQUFzQztRQUM5QixlQUFVLEdBQWdFLElBQUksR0FBRyxFQUFFLENBQUM7SUFFakIsQ0FBQztJQUU1RTs7T0FFRztJQUNJLFNBQVMsQ0FBQyxNQUFzQjtRQUNyQyxJQUFJLENBQUMsTUFBTSxHQUFHLE1BQU0sQ0FBQztRQUNyQixrQ0FBa0M7UUFDbEMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBQztJQUM3QixDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0ksU0FBUyxDQUFDLEtBQW1CLEVBQUUsT0FBc0I7UUFDMUQsSUFBSSxDQUFDLEtBQUssQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUNwQixPQUFPLElBQUksQ0FBQyxDQUFDLDJCQUEyQjtRQUMxQyxDQUFDO1FBRUQsdUJBQXVCO1FBQ3ZCLElBQUksQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLEtBQUssRUFBRSxPQUFPLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQztZQUMvQyxJQUFJLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxNQUFNLE9BQU8sQ0FBQyxRQUFRLHlCQUF5QixLQUFLLENBQUMsSUFBSSxJQUFJLEtBQUssQ0FBQyxFQUFFLElBQUksU0FBUyxFQUFFLENBQUMsQ0FBQztZQUN4RyxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7UUFFRCx3QkFBd0I7UUFDeEIsSUFBSSxLQUFLLENBQUMsUUFBUSxDQUFDLFNBQVMsRUFBRSxPQUFPLElBQUksQ0FBQyxJQUFJLENBQUMsaUJBQWlCLENBQUMsS0FBSyxFQUFFLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDakYsSUFBSSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsaUNBQWlDLEtBQUssQ0FBQyxJQUFJLElBQUksS0FBSyxDQUFDLEVBQUUsSUFBSSxTQUFTLEVBQUUsQ0FBQyxDQUFDO1lBQzFGLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztRQUVELDZDQUE2QztRQUM3Qyw2REFBNkQ7UUFDN0QsdUNBQXVDO1FBRXZDLE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUVEOztPQUVHO0lBQ0ssV0FBVyxDQUFDLEtBQW1CLEVBQUUsUUFBZ0I7UUFDdkQsSUFBSSxDQUFDLEtBQUssQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUNwQixPQUFPLElBQUksQ0FBQyxDQUFDLDJCQUEyQjtRQUMxQyxDQUFDO1FBRUQsTUFBTSxPQUFPLEdBQUcsS0FBSyxDQUFDLEVBQUUsSUFBSSxLQUFLLENBQUMsSUFBSSxJQUFJLFNBQVMsQ0FBQztRQUVwRCxvQkFBb0I7UUFDcEIsSUFBSSxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsR0FBRyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDckMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLElBQUksR0FBRyxFQUFFLENBQUMsQ0FBQztRQUM3QyxDQUFDO1FBRUQsTUFBTSxVQUFVLEdBQUcsSUFBSSxDQUFDLGFBQWEsQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUFFLENBQUM7UUFDcEQsSUFBSSxVQUFVLENBQUMsR0FBRyxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUM7WUFDN0IsT0FBTyxVQUFVLENBQUMsR0FBRyxDQUFDLFFBQVEsQ0FBRSxDQUFDO1FBQ25DLENBQUM7UUFFRCxJQUFJLE9BQU8sR0FBRyxJQUFJLENBQUM7UUFFbkIsd0RBQXdEO1FBQ3hELElBQUksS0FBSyxDQUFDLFFBQVEsQ0FBQyxXQUFXLElBQUksS0FBSyxDQUFDLFFBQVEsQ0FBQyxXQUFXLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQ3hFLElBQUksSUFBSSxDQUFDLGdCQUFnQixDQUFDLFFBQVEsRUFBRSxLQUFLLENBQUMsUUFBUSxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUM7Z0JBQ2hFLE9BQU8sR0FBRyxLQUFLLENBQUM7WUFDbEIsQ0FBQztRQUNILENBQUM7UUFFRCw0REFBNEQ7UUFDNUQsSUFBSSxLQUFLLENBQUMsUUFBUSxDQUFDLFdBQVcsSUFBSSxLQUFLLENBQUMsUUFBUSxDQUFDLFdBQVcsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDeEUsbUVBQW1FO1lBQ25FLE9BQU8sR0FBRyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsUUFBUSxFQUFFLEtBQUssQ0FBQyxRQUFRLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDeEUsQ0FBQztRQUVELG1CQUFtQjtRQUNuQixVQUFVLENBQUMsR0FBRyxDQUFDLFFBQVEsRUFBRSxPQUFPLENBQUMsQ0FBQztRQUVsQyxPQUFPLE9BQU8sQ0FBQztJQUNqQixDQUFDO0lBRUQ7O09BRUc7SUFDSyxnQkFBZ0IsQ0FBQyxFQUFVLEVBQUUsUUFBa0I7UUFDckQsS0FBSyxNQUFNLE9BQU8sSUFBSSxRQUFRLEVBQUUsQ0FBQztZQUMvQixnQkFBZ0I7WUFDaEIsSUFBSSxPQUFPLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7Z0JBQzFCLElBQUksSUFBSSxDQUFDLGFBQWEsQ0FBQyxFQUFFLEVBQUUsT0FBTyxDQUFDLEVBQUUsQ0FBQztvQkFDcEMsT0FBTyxJQUFJLENBQUM7Z0JBQ2QsQ0FBQztZQUNILENBQUM7WUFDRCxvQkFBb0I7aUJBQ2YsSUFBSSxPQUFPLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7Z0JBQy9CLE1BQU0sS0FBSyxHQUFHLElBQUksTUFBTSxDQUFDLEdBQUcsR0FBRyxPQUFPLENBQUMsT0FBTyxDQUFDLEtBQUssRUFBRSxLQUFLLENBQUMsQ0FBQyxPQUFPLENBQUMsS0FBSyxFQUFFLElBQUksQ0FBQyxHQUFHLEdBQUcsQ0FBQyxDQUFDO2dCQUN6RixJQUFJLEtBQUssQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQztvQkFDbkIsT0FBTyxJQUFJLENBQUM7Z0JBQ2QsQ0FBQztZQUNILENBQUM7WUFDRCxjQUFjO2lCQUNULElBQUksT0FBTyxLQUFLLEVBQUUsRUFBRSxDQUFDO2dCQUN4QixPQUFPLElBQUksQ0FBQztZQUNkLENBQUM7UUFDSCxDQUFDO1FBQ0QsT0FBTyxLQUFLLENBQUM7SUFDZixDQUFDO0lBRUQ7OztPQUdHO0lBQ0ssYUFBYSxDQUFDLEVBQVUsRUFBRSxJQUFZO1FBQzVDLElBQUksQ0FBQztZQUNILE1BQU0sQ0FBQyxNQUFNLEVBQUUsSUFBSSxDQUFDLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQztZQUN2QyxNQUFNLElBQUksR0FBRyxRQUFRLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxDQUFDO1lBRWhDLCtCQUErQjtZQUMvQixNQUFNLE9BQU8sR0FBRyxFQUFFLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQztZQUM5RCxNQUFNLFdBQVcsR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQztZQUV0RSxzQ0FBc0M7WUFDdEMsTUFBTSxLQUFLLEdBQUcsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLElBQUksRUFBRSxDQUFDLEdBQUcsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLElBQUksRUFBRSxDQUFDLEdBQUcsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLEdBQUcsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3ZGLE1BQU0sU0FBUyxHQUFHLENBQUMsV0FBVyxDQUFDLENBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxHQUFHLENBQUMsV0FBVyxDQUFDLENBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxHQUFHLENBQUMsV0FBVyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxHQUFHLFdBQVcsQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUUzRyxxQkFBcUI7WUFDckIsTUFBTSxPQUFPLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsRUFBRSxHQUFHLElBQUksQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7WUFFMUMsMkJBQTJCO1lBQzNCLE9BQU8sQ0FBQyxLQUFLLEdBQUcsT0FBTyxDQUFDLEtBQUssQ0FBQyxTQUFTLEdBQUcsT0FBTyxDQUFDLENBQUM7UUFDckQsQ0FBQztRQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDWCxJQUFJLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQywwQkFBMEIsSUFBSSxFQUFFLENBQUMsQ0FBQztZQUNwRCxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSyxpQkFBaUIsQ0FBQyxLQUFtQixFQUFFLE9BQXNCO1FBQ25FLElBQUksQ0FBQyxLQUFLLENBQUMsUUFBUSxFQUFFLFNBQVMsRUFBRSxPQUFPLEVBQUUsQ0FBQztZQUN4QyxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFFRCxNQUFNLFNBQVMsR0FBRyxLQUFLLENBQUMsUUFBUSxDQUFDLFNBQVMsQ0FBQztRQUMzQyxNQUFNLE9BQU8sR0FBRyxLQUFLLENBQUMsRUFBRSxJQUFJLEtBQUssQ0FBQyxJQUFJLElBQUksU0FBUyxDQUFDO1FBRXBELG9EQUFvRDtRQUNwRCxJQUFJLEdBQUcsR0FBRyxPQUFPLENBQUMsUUFBUSxDQUFDLENBQUMsZ0JBQWdCO1FBRTVDLElBQUksU0FBUyxDQUFDLEtBQUssS0FBSyxNQUFNLElBQUksT0FBTyxDQUFDLElBQUksRUFBRSxDQUFDO1lBQy9DLEdBQUcsR0FBRyxHQUFHLE9BQU8sQ0FBQyxRQUFRLElBQUksT0FBTyxDQUFDLElBQUksRUFBRSxDQUFDO1FBQzlDLENBQUM7YUFBTSxJQUFJLFNBQVMsQ0FBQyxLQUFLLEtBQUssUUFBUSxJQUFJLFNBQVMsQ0FBQyxVQUFVLElBQUksT0FBTyxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ25GLE1BQU0sV0FBVyxHQUFHLE9BQU8sQ0FBQyxPQUFPLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDO1lBQ3hFLElBQUksV0FBVyxFQUFFLENBQUM7Z0JBQ2hCLEdBQUcsR0FBRyxHQUFHLE9BQU8sQ0FBQyxRQUFRLElBQUksV0FBVyxFQUFFLENBQUM7WUFDN0MsQ0FBQztRQUNILENBQUM7UUFFRCxtREFBbUQ7UUFDbkQsSUFBSSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDbEMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLElBQUksR0FBRyxFQUFFLENBQUMsQ0FBQztRQUMxQyxDQUFDO1FBRUQsTUFBTSxXQUFXLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUFFLENBQUM7UUFDbEQsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBRXZCLGlEQUFpRDtRQUNqRCxJQUFJLEtBQUssR0FBRyxXQUFXLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQ2pDLElBQUksQ0FBQyxLQUFLLElBQUksS0FBSyxDQUFDLE1BQU0sR0FBRyxHQUFHLEVBQUUsQ0FBQztZQUNqQyw2Q0FBNkM7WUFDN0MsS0FBSyxHQUFHO2dCQUNOLEtBQUssRUFBRSxDQUFDO2dCQUNSLE1BQU0sRUFBRSxHQUFHLEdBQUcsQ0FBQyxTQUFTLENBQUMsTUFBTSxHQUFHLElBQUksQ0FBQzthQUN4QyxDQUFDO1lBQ0YsV0FBVyxDQUFDLEdBQUcsQ0FBQyxHQUFHLEVBQUUsS0FBSyxDQUFDLENBQUM7WUFDNUIsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsd0JBQXdCO1FBQ3hCLEtBQUssQ0FBQyxLQUFLLEVBQUUsQ0FBQztRQUVkLGtDQUFrQztRQUNsQyxPQUFPLEtBQUssQ0FBQyxLQUFLLElBQUksU0FBUyxDQUFDLFdBQVcsQ0FBQztJQUM5QyxDQUFDO0lBRUQ7OztPQUdHO0lBQ0ksd0JBQXdCO1FBQzdCLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUN2QixLQUFLLE1BQU0sQ0FBQyxPQUFPLEVBQUUsV0FBVyxDQUFDLElBQUksSUFBSSxDQUFDLFVBQVUsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDO1lBQy9ELElBQUksT0FBTyxHQUFHLENBQUMsQ0FBQztZQUNoQixLQUFLLE1BQU0sQ0FBQyxHQUFHLEVBQUUsS0FBSyxDQUFDLElBQUksV0FBVyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUM7Z0JBQ2pELElBQUksS0FBSyxDQUFDLE1BQU0sR0FBRyxHQUFHLEVBQUUsQ0FBQztvQkFDdkIsV0FBVyxDQUFDLE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQztvQkFDeEIsT0FBTyxFQUFFLENBQUM7Z0JBQ1osQ0FBQztZQUNILENBQUM7WUFDRCxJQUFJLE9BQU8sR0FBRyxDQUFDLEVBQUUsQ0FBQztnQkFDaEIsSUFBSSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsY0FBYyxPQUFPLGtDQUFrQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQ3RGLENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztJQUVEOzs7Ozs7O09BT0c7SUFDSSxjQUFjLENBQUMsS0FBbUIsRUFBRSxRQUFnQixFQUFFLFFBQWdCO1FBQzNFLElBQUksQ0FBQyxLQUFLLENBQUMsUUFBUSxFQUFFLFNBQVMsRUFBRSxPQUFPLEVBQUUsQ0FBQztZQUN4QyxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFFRCxNQUFNLFNBQVMsR0FBRyxLQUFLLENBQUMsUUFBUSxDQUFDLFNBQVMsQ0FBQztRQUUzQyw2Q0FBNkM7UUFDN0MsS0FBSyxNQUFNLElBQUksSUFBSSxTQUFTLENBQUMsS0FBSyxFQUFFLENBQUM7WUFDbkMsSUFBSSxJQUFJLENBQUMsUUFBUSxLQUFLLFFBQVEsSUFBSSxJQUFJLENBQUMsUUFBUSxLQUFLLFFBQVEsRUFBRSxDQUFDO2dCQUM3RCxPQUFPLElBQUksQ0FBQztZQUNkLENBQUM7UUFDSCxDQUFDO1FBRUQsT0FBTyxLQUFLLENBQUM7SUFDZixDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0ksY0FBYyxDQUFDLEtBQW1CLEVBQUUsS0FBYTtRQUN0RCxJQUFJLENBQUMsS0FBSyxDQUFDLFFBQVEsRUFBRSxPQUFPLEVBQUUsT0FBTyxFQUFFLENBQUM7WUFDdEMsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsSUFBSSxDQUFDO1lBQ0gsOEVBQThFO1lBQzlFLE1BQU0sT0FBTyxHQUFHLEtBQUssQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDO1lBRXZDLG1CQUFtQjtZQUNuQixNQUFNLEtBQUssR0FBRyxLQUFLLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1lBQy9CLElBQUksS0FBSyxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztnQkFDdkIsT0FBTyxLQUFLLENBQUM7WUFDZixDQUFDO1lBRUQsaUJBQWlCO1lBQ2pCLE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLEVBQUUsUUFBUSxDQUFDLENBQUMsUUFBUSxFQUFFLENBQUMsQ0FBQztZQUV2RSxtQkFBbUI7WUFDbkIsSUFBSSxPQUFPLENBQUMsR0FBRyxJQUFJLE9BQU8sQ0FBQyxHQUFHLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDLEVBQUUsQ0FBQztnQkFDL0QsT0FBTyxLQUFLLENBQUM7WUFDZixDQUFDO1lBRUQsZUFBZTtZQUNmLElBQUksT0FBTyxDQUFDLE1BQU0sSUFBSSxPQUFPLENBQUMsR0FBRyxLQUFLLE9BQU8sQ0FBQyxNQUFNLEVBQUUsQ0FBQztnQkFDckQsT0FBTyxLQUFLLENBQUM7WUFDZixDQUFDO1lBRUQsaUJBQWlCO1lBQ2pCLElBQUksT0FBTyxDQUFDLFFBQVEsSUFBSSxPQUFPLENBQUMsR0FBRyxLQUFLLE9BQU8sQ0FBQyxRQUFRLEVBQUUsQ0FBQztnQkFDekQsT0FBTyxLQUFLLENBQUM7WUFDZixDQUFDO1lBRUQsNERBQTREO1lBQzVELHNEQUFzRDtZQUV0RCxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsSUFBSSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsd0JBQXdCLEdBQUcsRUFBRSxDQUFDLENBQUM7WUFDakQsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztDQUNGIn0=

package/dist_ts/proxies/network-proxy/websocket-handler.d.ts

@@ -1,18 +1,29 @@
 import * as plugins from '../../plugins.js';
+import '../../core/models/socket-augmentation.js';
 import { type INetworkProxyOptions } from './models/types.js';
 import { ConnectionPool } from './connection-pool.js';
 import { ProxyRouter } from '../../http/router/index.js';
+import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
 /**
  * Handles WebSocket connections and proxying
  */
 export declare class WebSocketHandler {
     private options;
     private connectionPool;
-    private router;
+    private legacyRouter;
+    private routes;
     private heartbeatInterval;
     private wsServer;
     private logger;
-    constructor(options: INetworkProxyOptions, connectionPool: ConnectionPool, router: ProxyRouter);
+    private contextCreator;
+    private routeRouter;
+    private securityManager;
+    constructor(options: INetworkProxyOptions, connectionPool: ConnectionPool, legacyRouter: ProxyRouter, // Legacy router for backward compatibility
+    routes?: IRouteConfig[]);
+    /**
+     * Set the route configurations
+     */
+    setRoutes(routes: IRouteConfig[]): void;
     /**
      * Initialize WebSocket server on an existing HTTPS server
      */