@serve.zone/dcrouter 14.2.2 → 14.3.0

package/ts_web/elements/network/ops-view-routes.ts

@@ -31,7 +31,17 @@ const tlsCertOptions = [
   { key: 'custom', option: 'Custom certificate' },
 ];
 const giteaSourcePolicyProfileNames = ['TRUSTED NETWORKS', 'AI CRAWLERS', 'PUBLIC'] as const;
-type TSzRouteSecurity = NonNullable<ISzSourceProfileOption['security']>;
+type TSzRouteSecurityBase = NonNullable<ISzSourceProfileOption['security']>;
+type TSzRouteSecurity = Omit<TSzRouteSecurityBase, 'rateLimit'> & {
+  rateLimit?: interfaces.data.IRouteSecurity['rateLimit'];
+  challenge?: interfaces.data.IRouteSecurity['challenge'];
+};
+type TSourceProfileOption = Omit<ISzSourceProfileOption, 'security'> & {
+  security?: TSzRouteSecurity;
+};
+type TSzRouteSourcePolicyPreset = Omit<ISzRouteSourcePolicyPreset, 'bindings'> & {
+  bindings: interfaces.data.IRouteSourceBinding[];
+};
 
 function rateLimit(maxRequests: number): interfaces.data.IRouteSecurity['rateLimit'] {
   return { enabled: true, maxRequests, window: 60, keyBy: 'ip' };
@@ -92,7 +102,7 @@ function buildGiteaSourceBindingsMetadata(profileRefs: string[]): interfaces.dat
   ];
 }
 
-function getGiteaSourcePolicyPresets(profiles: interfaces.data.ISourceProfile[]): ISzRouteSourcePolicyPreset[] {
+function getGiteaSourcePolicyPresets(profiles: interfaces.data.ISourceProfile[]): TSzRouteSourcePolicyPreset[] {
   const { refs, missingNames } = getGiteaPresetProfileRefs(profiles);
   if (missingNames.length > 0) {
     return [];
@@ -136,25 +146,40 @@ function sourceProfileHasSourceMatches(profile: interfaces.data.ISourceProfile):
 function normalizeCatalogRateLimit(
   rateLimitValue: interfaces.data.IRouteSecurity['rateLimit'] | undefined,
 ): TSzRouteSecurity['rateLimit'] | undefined {
+  if (rateLimitValue === null) return null;
   if (!rateLimitValue) return undefined;
+  const keyBy = ['ip', 'path', 'header'].includes(String(rateLimitValue.keyBy))
+    ? rateLimitValue.keyBy as 'ip' | 'path' | 'header'
+    : undefined;
   return {
     enabled: Boolean(rateLimitValue.enabled),
     maxRequests: Number(rateLimitValue.maxRequests) || 0,
     window: Number(rateLimitValue.window) || 0,
-    ...(rateLimitValue.keyBy ? { keyBy: String(rateLimitValue.keyBy) } : {}),
+    ...(keyBy ? { keyBy } : {}),
+    ...(rateLimitValue.onExceeded ? { onExceeded: rateLimitValue.onExceeded } : {}),
   };
 }
 
-function getSourceProfileOptions(profiles: interfaces.data.ISourceProfile[]): ISzSourceProfileOption[] {
+function normalizeCatalogChallenge(
+  challengeValue: interfaces.data.IRouteSecurity['challenge'] | undefined,
+): TSzRouteSecurity['challenge'] | undefined {
+  if (challengeValue === null) return null;
+  if (!challengeValue) return undefined;
+  return structuredClone(challengeValue) as TSzRouteSecurity['challenge'];
+}
+
+function getSourceProfileOptions(profiles: interfaces.data.ISourceProfile[]): TSourceProfileOption[] {
   return profiles.map((profile) => {
     const ipAllowList = normalizeSecurityListEntries(profile.security?.ipAllowList);
     const ipBlockList = normalizeSecurityListEntries(profile.security?.ipBlockList);
     const rateLimitValue = normalizeCatalogRateLimit(profile.security?.rateLimit);
+    const challengeValue = normalizeCatalogChallenge(profile.security?.challenge);
     const security: TSzRouteSecurity = {
       ...(ipAllowList.length ? { ipAllowList } : {}),
       ...(ipBlockList.length ? { ipBlockList } : {}),
       ...(typeof profile.security?.maxConnections === 'number' ? { maxConnections: profile.security.maxConnections } : {}),
-      ...(rateLimitValue ? { rateLimit: rateLimitValue } : {}),
+      ...(rateLimitValue !== undefined ? { rateLimit: rateLimitValue } : {}),
+      ...(challengeValue !== undefined ? { challenge: challengeValue } : {}),
     };
     return {
       id: profile.id,

package/ts_web/elements/network/ops-view-sourceprofiles.ts

@@ -21,22 +21,91 @@ function parseOptionalPositiveInteger(value: unknown): number | undefined {
   return Number.isInteger(parsed) && parsed > 0 ? parsed : undefined;
 }
 
-function buildRateLimitFromFormData(data: Record<string, any>) {
-  if (!Boolean(data.rateLimitEnabled)) {
+const protectionModeOptions = [
+  { key: 'inherit', option: 'Inherit / unset' },
+  { key: 'none', option: 'None (clear inherited)' },
+  { key: 'custom', option: 'Custom' },
+];
+
+const rateLimitExceededOptions = [
+  { key: '429', option: 'Return 429' },
+  { key: 'challenge', option: 'Browser challenge' },
+];
+
+function getDropdownKey(value: unknown): string {
+  if (typeof value === 'string') {
+    return value;
+  }
+  if (value && typeof value === 'object' && 'key' in value) {
+    const key = (value as { key?: unknown }).key;
+    return typeof key === 'string' ? key : '';
+  }
+  return '';
+}
+
+function protectionModeForValue(value: unknown): 'inherit' | 'none' | 'custom' {
+  if (value === null) return 'none';
+  if (value === undefined) return 'inherit';
+  return 'custom';
+}
+
+function buildChallengeConfigFromFormData(data: Record<string, unknown>): NonNullable<interfaces.data.IRouteSecurity['challenge']> | undefined {
+  const providerId = String(data.challengeProviderId || 'smartchallenge').trim();
+  const challengeType = String(data.challengeType || 'wait').trim();
+  const ttlSeconds = parseOptionalPositiveInteger(data.challengeTtlSeconds) || 300;
+  if (!providerId || !challengeType) {
+    alert('Challenge requires Provider ID and Challenge Type.');
+    return undefined;
+  }
+  return {
+    providerId,
+    challengeType,
+    ...(challengeType === 'wait' ? { settings: { waitSeconds: 0, ttlSeconds } } : {}),
+    clearance: { ttlSeconds, bindToHost: true },
+  };
+}
+
+function buildRateLimitFromFormData(data: Record<string, unknown>): interfaces.data.IRouteSecurity['rateLimit'] | null | undefined {
+  const mode = getDropdownKey(data.rateLimitMode) || (Boolean(data.rateLimitEnabled) ? 'custom' : 'inherit');
+  if (mode === 'inherit') {
     return undefined;
   }
+  if (mode === 'none') {
+    return null;
+  }
   const maxRequests = parseOptionalPositiveInteger(data.rateLimitMaxRequests);
   const window = parseOptionalPositiveInteger(data.rateLimitWindow);
   if (!maxRequests || !window) {
     alert('Rate limit requires positive Max Requests and Window values.');
     return null;
   }
-  return {
+  const rateLimit: NonNullable<interfaces.data.IRouteSecurity['rateLimit']> = {
     enabled: true,
     maxRequests,
     window,
     keyBy: 'ip' as const,
   };
+  if (getDropdownKey(data.rateLimitExceededMode) === 'challenge') {
+    const challenge = buildChallengeConfigFromFormData(data);
+    if (!challenge) return null;
+    rateLimit.onExceeded = {
+      type: 'challenge',
+      challenge,
+      clearanceEffect: 'bypass-rate-limit',
+    };
+  }
+  return rateLimit;
+}
+
+function buildChallengeFromFormData(data: Record<string, unknown>): interfaces.data.IRouteSecurity['challenge'] | null | undefined {
+  const mode = getDropdownKey(data.challengeMode) || 'inherit';
+  if (mode === 'inherit') {
+    return undefined;
+  }
+  if (mode === 'none') {
+    return null;
+  }
+  return buildChallengeConfigFromFormData(data) || null;
 }
 
 declare global {
@@ -105,7 +174,14 @@ export class OpsViewSourceProfiles extends DeesElement {
             'IP Allow List': (profile.security?.ipAllowList || []).join(', ') || '-',
             'IP Block List': (profile.security?.ipBlockList || []).join(', ') || '-',
             'Max Connections': profile.security?.maxConnections ?? '-',
-            'Rate Limit': profile.security?.rateLimit?.enabled ? `${profile.security.rateLimit.maxRequests}/${profile.security.rateLimit.window}s` : '-',
+            'Rate Limit': profile.security?.rateLimit === null
+              ? 'none'
+              : profile.security?.rateLimit?.enabled
+                ? `${profile.security.rateLimit.maxRequests}/${profile.security.rateLimit.window}s${profile.security.rateLimit.onExceeded?.type === 'challenge' ? ' -> challenge' : ''}`
+                : '-',
+            Challenge: profile.security?.challenge === null
+              ? 'none'
+              : profile.security?.challenge ? `${profile.security.challenge.providerId}/${profile.security.challenge.challengeType}` : '-',
             Extends: (profile.extendsProfiles || []).length > 0
               ? profile.extendsProfiles!.map(id => {
                   const p = profiles.find(pp => pp.id === id);
@@ -165,9 +241,14 @@ export class OpsViewSourceProfiles extends DeesElement {
           <dees-input-list .key=${'ipAllowList'} .label=${'IP Allow List'} .placeholder=${'Add IP or CIDR...'}></dees-input-list>
           <dees-input-list .key=${'ipBlockList'} .label=${'IP Block List'} .placeholder=${'Add IP or CIDR...'}></dees-input-list>
           <dees-input-text .key=${'maxConnections'} .label=${'Max Connections'}></dees-input-text>
-          <dees-input-checkbox .key=${'rateLimitEnabled'} .label=${'Enable Rate Limit'} .description=${'Per source IP. Exceeded requests receive 429.'} .value=${false}></dees-input-checkbox>
+          <dees-input-dropdown .key=${'rateLimitMode'} .label=${'Rate Limit'} .description=${'Default for route bindings. Use none to clear inherited parent defaults.'} .options=${protectionModeOptions} .selectedOption=${protectionModeOptions[0]}></dees-input-dropdown>
           <dees-input-text .key=${'rateLimitMaxRequests'} .label=${'Max Requests'} .description=${'Requests per source IP'}></dees-input-text>
           <dees-input-text .key=${'rateLimitWindow'} .label=${'Window Seconds'}></dees-input-text>
+          <dees-input-dropdown .key=${'rateLimitExceededMode'} .label=${'When Rate Limit Is Exceeded'} .description=${'Return 429 or issue the configured browser challenge.'} .options=${rateLimitExceededOptions} .selectedOption=${rateLimitExceededOptions[0]}></dees-input-dropdown>
+          <dees-input-dropdown .key=${'challengeMode'} .label=${'Browser Challenge'} .description=${'Default for HTTP-visible route bindings.'} .options=${protectionModeOptions} .selectedOption=${protectionModeOptions[0]}></dees-input-dropdown>
+          <dees-input-text .key=${'challengeProviderId'} .label=${'Challenge Provider ID'} .value=${'smartchallenge'}></dees-input-text>
+          <dees-input-text .key=${'challengeType'} .label=${'Challenge Type'} .value=${'wait'}></dees-input-text>
+          <dees-input-text .key=${'challengeTtlSeconds'} .label=${'Clearance TTL Seconds'} .value=${'300'}></dees-input-text>
         </dees-form>
       `,
       menuOptions: [
@@ -182,7 +263,9 @@ export class OpsViewSourceProfiles extends DeesElement {
             const ipBlockList: string[] = Array.isArray(data.ipBlockList) ? data.ipBlockList : [];
             const maxConnections = parseOptionalPositiveInteger(data.maxConnections);
             const rateLimit = buildRateLimitFromFormData(data);
-            if (rateLimit === null) return;
+            if (rateLimit === null && getDropdownKey(data.rateLimitMode) === 'custom') return;
+            const challenge = buildChallengeFromFormData(data);
+            if (challenge === null && getDropdownKey(data.challengeMode) === 'custom') return;
 
             await appstate.profilesTargetsStatePart.dispatchAction(appstate.createProfileAction, {
               name: String(data.name),
@@ -191,7 +274,8 @@ export class OpsViewSourceProfiles extends DeesElement {
                 ...(ipAllowList.length > 0 ? { ipAllowList } : {}),
                 ...(ipBlockList.length > 0 ? { ipBlockList } : {}),
                 ...(maxConnections ? { maxConnections } : {}),
-                ...(rateLimit ? { rateLimit } : {}),
+                ...(rateLimit !== undefined ? { rateLimit } : {}),
+                ...(challenge !== undefined ? { challenge } : {}),
               },
             });
             modalArg.destroy();
@@ -203,6 +287,16 @@ export class OpsViewSourceProfiles extends DeesElement {
 
   private async showEditProfileDialog(profile: interfaces.data.ISourceProfile) {
     const { DeesModal } = await import('@design.estate/dees-catalog');
+    const rateLimitMode = protectionModeForValue(profile.security?.rateLimit);
+    const rateLimitExceededMode = profile.security?.rateLimit && profile.security.rateLimit !== null && profile.security.rateLimit.onExceeded?.type === 'challenge'
+      ? 'challenge'
+      : '429';
+    const challengeMode = protectionModeForValue(profile.security?.challenge);
+    const challengeDefaults = profile.security?.rateLimit && profile.security.rateLimit !== null && profile.security.rateLimit.onExceeded?.type === 'challenge'
+      ? profile.security.rateLimit.onExceeded.challenge
+      : profile.security?.challenge && profile.security.challenge !== null
+        ? profile.security.challenge
+        : undefined;
     DeesModal.createAndShow({
       heading: `Edit Profile: ${profile.name}`,
       content: html`
@@ -212,9 +306,14 @@ export class OpsViewSourceProfiles extends DeesElement {
           <dees-input-list .key=${'ipAllowList'} .label=${'IP Allow List'} .placeholder=${'Add IP or CIDR...'} .value=${profile.security?.ipAllowList || []}></dees-input-list>
           <dees-input-list .key=${'ipBlockList'} .label=${'IP Block List'} .placeholder=${'Add IP or CIDR...'} .value=${profile.security?.ipBlockList || []}></dees-input-list>
           <dees-input-text .key=${'maxConnections'} .label=${'Max Connections'} .value=${String(profile.security?.maxConnections || '')}></dees-input-text>
-          <dees-input-checkbox .key=${'rateLimitEnabled'} .label=${'Enable Rate Limit'} .description=${'Per source IP. Exceeded requests receive 429.'} .value=${profile.security?.rateLimit?.enabled === true}></dees-input-checkbox>
+          <dees-input-dropdown .key=${'rateLimitMode'} .label=${'Rate Limit'} .description=${'Default for route bindings. Use none to clear inherited parent defaults.'} .options=${protectionModeOptions} .selectedOption=${protectionModeOptions.find((option) => option.key === rateLimitMode) || protectionModeOptions[0]}></dees-input-dropdown>
           <dees-input-text .key=${'rateLimitMaxRequests'} .label=${'Max Requests'} .description=${'Requests per source IP'} .value=${String(profile.security?.rateLimit?.maxRequests || '')}></dees-input-text>
           <dees-input-text .key=${'rateLimitWindow'} .label=${'Window Seconds'} .value=${String(profile.security?.rateLimit?.window || '')}></dees-input-text>
+          <dees-input-dropdown .key=${'rateLimitExceededMode'} .label=${'When Rate Limit Is Exceeded'} .description=${'Return 429 or issue the configured browser challenge.'} .options=${rateLimitExceededOptions} .selectedOption=${rateLimitExceededOptions.find((option) => option.key === rateLimitExceededMode) || rateLimitExceededOptions[0]}></dees-input-dropdown>
+          <dees-input-dropdown .key=${'challengeMode'} .label=${'Browser Challenge'} .description=${'Default for HTTP-visible route bindings.'} .options=${protectionModeOptions} .selectedOption=${protectionModeOptions.find((option) => option.key === challengeMode) || protectionModeOptions[0]}></dees-input-dropdown>
+          <dees-input-text .key=${'challengeProviderId'} .label=${'Challenge Provider ID'} .value=${challengeDefaults?.providerId || 'smartchallenge'}></dees-input-text>
+          <dees-input-text .key=${'challengeType'} .label=${'Challenge Type'} .value=${challengeDefaults?.challengeType || 'wait'}></dees-input-text>
+          <dees-input-text .key=${'challengeTtlSeconds'} .label=${'Clearance TTL Seconds'} .value=${String(challengeDefaults?.clearance?.ttlSeconds || 300)}></dees-input-text>
         </dees-form>
       `,
       menuOptions: [
@@ -229,7 +328,9 @@ export class OpsViewSourceProfiles extends DeesElement {
             const ipBlockList: string[] = Array.isArray(data.ipBlockList) ? data.ipBlockList : [];
             const maxConnections = parseOptionalPositiveInteger(data.maxConnections);
             const rateLimit = buildRateLimitFromFormData(data);
-            if (rateLimit === null) return;
+            if (rateLimit === null && getDropdownKey(data.rateLimitMode) === 'custom') return;
+            const challenge = buildChallengeFromFormData(data);
+            if (challenge === null && getDropdownKey(data.challengeMode) === 'custom') return;
 
             await appstate.profilesTargetsStatePart.dispatchAction(appstate.updateProfileAction, {
               id: profile.id,
@@ -239,8 +340,8 @@ export class OpsViewSourceProfiles extends DeesElement {
                 ipAllowList,
                 ipBlockList,
                 ...(maxConnections ? { maxConnections } : {}),
-                ...(rateLimit ? { rateLimit } : {}),
-                ...(profile.security?.challenge ? { challenge: profile.security.challenge } : {}),
+                ...(rateLimit !== undefined ? { rateLimit } : {}),
+                ...(challenge !== undefined ? { challenge } : {}),
               },
             });
             modalArg.destroy();