npm - @ripple-ts/adapter-node - Versions diffs - 0.2.211 → 0.2.213 - Mend

@ripple-ts/adapter-node 0.2.211 → 0.2.213

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,19 @@
 # @ripple-ts/adapter-node
+## 0.2.213
+### Patch Changes
+- Updated dependencies []:
+  - @ripple-ts/adapter@0.2.213
+## 0.2.212
+### Patch Changes
+- Updated dependencies []:
+  - @ripple-ts/adapter@0.2.212
 ## 0.2.211
 ### Patch Changes

package/README.md CHANGED Viewed

@@ -1,5 +1,8 @@
 # @ripple-ts/adapter-node
+[![npm version](https://img.shields.io/npm/v/%40ripple-ts%2Fadapter-node?logo=npm)](https://www.npmjs.com/package/@ripple-ts/adapter-node)
+[![npm downloads](https://img.shields.io/npm/dm/%40ripple-ts%2Fadapter-node?logo=npm&label=downloads)](https://www.npmjs.com/package/@ripple-ts/adapter-node)
 Node.js adapter for Ripple metaframework apps.
 It bridges Node's `IncomingMessage`/`ServerResponse` API to Web

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "description": "Node.js adapter for Ripple metaframework (Web Request/Response bridge)",
   "license": "MIT",
   "author": "Dominic Gannaway",
-  "version": "0.2.211",
+  "version": "0.2.213",
   "type": "module",
   "module": "src/index.js",
   "main": "src/index.js",
@@ -15,7 +15,7 @@
     }
   },
   "dependencies": {
-    "@ripple-ts/adapter": "0.2.211"
+    "@ripple-ts/adapter": "0.2.213"
   },
   "homepage": "https://ripplejs.com",
   "repository": {

package/src/index.js CHANGED Viewed

@@ -30,18 +30,29 @@ function normalize_forwarded_value(value) {
 /**
  * @param {import('node:http').IncomingMessage} node_request
  * @param {AbortSignal} signal
+ * @param {boolean} [trust_proxy=false]
  * @returns {Request}
  */
-function node_request_to_web_request(node_request, signal) {
-	const forwarded_proto = normalize_forwarded_value(
-		first_header_value(node_request.headers['x-forwarded-proto']),
-	);
-	const forwarded_host = normalize_forwarded_value(
-		first_header_value(node_request.headers['x-forwarded-host']),
-	);
-	const proto = forwarded_proto ?? 'http';
-	const host = forwarded_host ?? first_header_value(node_request.headers.host) ?? 'localhost';
+function node_request_to_web_request(node_request, signal, trust_proxy = false) {
+	let proto = 'http';
+	let host = first_header_value(node_request.headers.host) ?? 'localhost';
+	if (trust_proxy) {
+		const forwarded_proto = normalize_forwarded_value(
+			first_header_value(node_request.headers['x-forwarded-proto']),
+		);
+		const forwarded_host = normalize_forwarded_value(
+			first_header_value(node_request.headers['x-forwarded-host']),
+		);
+		if (forwarded_proto) proto = forwarded_proto;
+		if (forwarded_host) host = forwarded_host;
+	} else {
+		// Derive protocol from the socket when not trusting proxy headers
+		if (/** @type {import('node:tls').TLSSocket} */ (node_request.socket).encrypted) {
+			proto = 'https';
+		}
+	}
 	const raw_url = node_request.url ?? '/';
 	const base = `${proto}://${host}`;
@@ -114,21 +125,6 @@ function web_response_to_node_response(web_response, node_response, request_meth
 	node_stream.pipe(node_response);
 }
-/** @typedef {import('@ripple-ts/adapter').ServeStaticDirectoryOptions} StaticServeOptions */
-/**
- * @typedef {{
- * 	port?: number,
- * 	hostname?: string,
- * 	middleware?: ((
- * 		req: import('node:http').IncomingMessage,
- * 		res: import('node:http').ServerResponse,
- * 		next: (error?: any) => void
- * 	) => void) | null,
- * 	static?: StaticServeOptions | false,
- * }} ServeOptions
- */
 /**
  * @param {(req: import('node:http').IncomingMessage, res: import('node:http').ServerResponse, next: (error?: any) => void) => void} middleware
  * @param {import('node:http').IncomingMessage} node_request
@@ -160,9 +156,7 @@ function run_node_middleware(middleware, node_request, node_response) {
 }
 /**
- * @param {(request: Request, platform?: any) => Response | Promise<Response>} fetch_handler
- * @param {ServeOptions} [options]
- * @returns {{ listen: (port?: number) => import('node:http').Server, close: () => void }}
+ * @type {typeof import('@ripple-ts/adapter-node').serve}
  */
 export function serve(fetch_handler, options = {}) {
 	const {
@@ -170,6 +164,7 @@ export function serve(fetch_handler, options = {}) {
 		hostname = DEFAULT_HOSTNAME,
 		middleware = null,
 		static: static_options = {},
+		trustProxy: trust_proxy = false,
 	} = options;
 	/** @type {ReturnType<typeof serveStatic> | null} */
@@ -191,7 +186,11 @@ export function serve(fetch_handler, options = {}) {
 		try {
 			const run_fetch_handler = async () => {
-				const request = node_request_to_web_request(node_request, abort_controller.signal);
+				const request = node_request_to_web_request(
+					node_request,
+					abort_controller.signal,
+					trust_proxy,
+				);
 				return await fetch_handler(request, { node_request, node_response });
 			};

package/tests/serve.test.js CHANGED Viewed

@@ -130,6 +130,7 @@ describe('@ripple-ts/adapter-node serve()', () => {
 				expect(response.headers.get('x-response')).toBe('ok');
 				expect(await response.text()).toBe('created');
 			},
+			{ trustProxy: true },
 		);
 		expect(captured).toEqual({
@@ -140,6 +141,32 @@ describe('@ripple-ts/adapter-node serve()', () => {
 		});
 	});
+	it('ignores x-forwarded-* headers when trustProxy is not enabled', async () => {
+		/** @type {{ url: string } | null} */
+		let captured = null;
+		await with_server(
+			async (request) => {
+				captured = { url: request.url };
+				return new Response('ok');
+			},
+			async (base_url) => {
+				await fetch(`${base_url}/test`, {
+					headers: {
+						'x-forwarded-proto': 'https',
+						'x-forwarded-host': 'evil.com',
+					},
+				});
+			},
+		);
+		// Should NOT use forwarded headers; URL should use http and the real host
+		expect(captured).not.toBeNull();
+		const url = new URL((captured ?? { url: '' }).url);
+		expect(url.protocol).toBe('http:');
+		expect(url.hostname).not.toBe('evil.com');
+	});
 	it('runs middleware before handler when middleware calls next()', async () => {
 		/** @type {string[]} */
 		const calls = [];

package/types/index.d.ts CHANGED Viewed

@@ -1,7 +1,6 @@
 import type {
 	AdapterCoreOptions,
-	FetchHandler,
-	ServeResult,
+	ServeFunction,
 	ServeStaticOptions as BaseServeStaticOptions,
 	ServeStaticDirectoryOptions as BaseServeStaticDirectoryOptions,
 } from '@ripple-ts/adapter';
@@ -25,13 +24,14 @@ export type StaticMiddleware = (
 	next: (error?: any) => void,
 ) => void;
-export function serve(
-	fetch_handler: FetchHandler<{
+export const serve: ServeFunction<
+	{
 		node_request: import('node:http').IncomingMessage;
 		node_response: import('node:http').ServerResponse;
-	}>,
-	options?: ServeOptions,
-): ServeResult<import('node:http').Server>;
+	},
+	ServeOptions,
+	import('node:http').Server
+>;
 /**
  * Create a middleware that serves static files from a directory