@sourceregistry/node-webserver 1.3.0 → 1.4.0

package/dist/middlewares/requestid/index.d.ts

@@ -0,0 +1,16 @@
+import { Middleware } from '../../types';
+export interface Options {
+    /**
+     * Header name used for the request ID
+     * @default "x-request-id"
+     */
+    headerName?: string;
+    /**
+     * Custom request ID generator
+     * @default crypto.randomUUID
+     */
+    generate?: () => string;
+}
+export declare function assign(options?: Options): Middleware<string, {
+    requestId: string;
+}>;

package/dist/middlewares/security/index.d.ts

@@ -0,0 +1,39 @@
+import { Middleware } from '../../types';
+export interface Options {
+    /**
+     * Content Security Policy header value
+     * @default "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'"
+     */
+    contentSecurityPolicy?: string | false;
+    /**
+     * X-Frame-Options header value
+     * @default "DENY"
+     */
+    frameOptions?: "DENY" | "SAMEORIGIN" | false;
+    /**
+     * Referrer-Policy header value
+     * @default "no-referrer"
+     */
+    referrerPolicy?: string | false;
+    /**
+     * Permissions-Policy header value
+     * @default "geolocation=(), microphone=(), camera=()"
+     */
+    permissionsPolicy?: string | false;
+    /**
+     * Cross-Origin-Opener-Policy header value
+     * @default "same-origin"
+     */
+    crossOriginOpenerPolicy?: string | false;
+    /**
+     * Cross-Origin-Resource-Policy header value
+     * @default "same-origin"
+     */
+    crossOriginResourcePolicy?: string | false;
+    /**
+     * Strict-Transport-Security header value
+     * @default false
+     */
+    strictTransportSecurity?: string | false;
+}
+export declare function headers(options?: Options): Middleware;

package/dist/middlewares/timeout/index.d.ts

@@ -0,0 +1,22 @@
+import { Middleware } from '../../types';
+export interface Options {
+    /**
+     * Deadline in milliseconds
+     */
+    ms: number;
+    /**
+     * Status code to return on timeout
+     * @default 504
+     */
+    status?: number;
+    /**
+     * Response body to return on timeout
+     * @default "Gateway Timeout"
+     */
+    body?: BodyInit | null;
+    /**
+     * Optional callback invoked when the deadline is exceeded
+     */
+    onTimeout?: () => void;
+}
+export declare function deadline(options: Options): Middleware;

package/dist/types/router.d.ts

@@ -98,7 +98,6 @@ export declare class Router<Locals extends App.Locals = App.Locals> {
     private sortWsRoutes;
     private formatActionResult;
     private handleActionError;
-    static New(): Router;
 }
 export declare const Action: {
     readonly success: (code?: number, data?: Record<string, any>) => Response;

package/dist/types/server.d.ts

@@ -2,7 +2,7 @@ import { ServerOptions } from 'http';
 import { ServerOptions as HttpsServerOptions } from 'https';
 import { RequestEvent, Router } from './';
 import { ListenOptions } from 'net';
-type HostMatcher = string | RegExp | ((host: string) => boolean);
+type ValueMatcher = string | RegExp | ((value: string) => boolean);
 type InferServerLocals<TServerConfig extends ServerConfig> = Extract<TServerConfig['locals'], (event: RequestEvent) => any> extends (event: RequestEvent) => infer TLocals ? TLocals extends App.Locals ? TLocals : App.Locals : App.Locals;
 export type SecurityConfig = {
     /**
@@ -13,17 +13,36 @@ export type SecurityConfig = {
     /**
      * Restrict trusted Host values when trustHostHeader is enabled.
      */
-    allowedHosts?: HostMatcher | HostMatcher[];
+    allowedHosts?: ValueMatcher | ValueMatcher[];
+    /**
+     * Trust forwarded proxy headers only when the direct peer matches one of these values.
+     */
+    trustedProxies?: ValueMatcher | ValueMatcher[];
     /**
      * Restrict accepted WebSocket Origin values.
      * When omitted, Origin is not enforced by default.
      */
-    allowedWebSocketOrigins?: HostMatcher | HostMatcher[];
+    allowedWebSocketOrigins?: ValueMatcher | ValueMatcher[];
     /**
      * Maximum accepted request body size based on Content-Length.
      * Requests above the limit are rejected before the body is read.
      */
     maxRequestBodySize?: number;
+    /**
+     * Maximum time allowed to receive the complete request headers.
+     * @default 30000
+     */
+    headersTimeoutMs?: number;
+    /**
+     * Maximum time allowed for the full request lifecycle.
+     * @default 60000
+     */
+    requestTimeoutMs?: number;
+    /**
+     * How long to keep idle keep-alive connections open.
+     * @default 5000
+     */
+    keepAliveTimeoutMs?: number;
     /**
      * Maximum accepted WebSocket message size in bytes.
      * Passed to ws as maxPayload.
@@ -69,13 +88,22 @@ export declare class WebServer<TServerConfig extends ServerConfig = ServerConfig
     private toRequest;
     private wrapRequestBody;
     private toURL;
+    private resolveProtocol;
     private resolveAuthority;
+    private getClientAddress;
     private normalizeTrustedHost;
     private matchesValue;
+    private configureServerTimeouts;
+    private isDevelopment;
+    private getTrustedForwardedHeader;
+    private isTrustedProxy;
+    private normalizeAddress;
+    private parseForwardedHeader;
     private toHeaders;
     private isRequestBodyAllowed;
     private handleError;
     private sendWebResponse;
+    private isPrematureCloseError;
     private shouldOmitResponseBody;
     private isAllowedWebSocketOrigin;
     private createEventFetch;

package/examples/public-baseline.ts

@@ -0,0 +1,75 @@
+import {
+    CORS,
+    RequestId,
+    RateLimiter,
+    Security,
+    Timeout,
+    WebServer,
+    json,
+    text
+} from "../src";
+
+const app = new WebServer({
+    type: "http",
+    options: {},
+    locals: () => ({
+        startedAt: Date.now()
+    }),
+    security: {
+        trustedProxies: ["127.0.0.1"],
+        trustHostHeader: true,
+        allowedHosts: ["app.example.com"],
+        headersTimeoutMs: 30_000,
+        requestTimeoutMs: 60_000,
+        keepAliveTimeoutMs: 5_000,
+        maxRequestBodySize: 1024 * 1024,
+        allowedWebSocketOrigins: "https://app.example.com"
+    }
+});
+
+app.pre(async (event) => {
+    if (event.url.pathname.startsWith("/private")) {
+        const auth = event.request.headers.get("authorization");
+        if (!auth) {
+            return new Response("Unauthorized", {status: 401});
+        }
+    }
+});
+
+app.useMiddleware(
+    RequestId.assign(),
+    Security.headers({
+        strictTransportSecurity: "max-age=31536000; includeSubDomains"
+    }),
+    Timeout.deadline({
+        ms: 15_000,
+        status: 503,
+        body: "Request timed out"
+    }),
+    CORS.policy({
+        origin: "https://app.example.com",
+        credentials: true
+    }),
+    RateLimiter.fixedWindowLimit({
+        max: 60,
+        windowMs: 60_000
+    })
+);
+
+app.GET("/", () => text("hello"));
+
+app.GET("/users/[id]", (event) => json({
+    id: event.params.id,
+    requestId: event.locals.requestId,
+    startedAt: event.locals.startedAt
+}));
+
+app.post(async (_event, response) => {
+    const nextResponse = new Response(response.body, response);
+    nextResponse.headers.set("x-server", "node-webserver");
+    return nextResponse;
+});
+
+app.listen(3000, () => {
+    console.log("server listening on port 3000");
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sourceregistry/node-webserver",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "TypeScript web server for Node.js with web-standard Request and Response APIs",
   "type": "module",
   "main": "./dist/index.cjs.js",
@@ -68,16 +68,16 @@
     "@semantic-release/git": "^10.0.1",
     "@semantic-release/npm": "^13.1.3",
     "@semantic-release/release-notes-generator": "^14.1.0",
-    "@types/node": "^24.3.0",
+    "@types/node": "^25.5.0",
     "@vitest/coverage-v8": "^4.0.16",
     "@vitest/ui": "^4.0.16",
     "tsx": "^4.21.0",
     "typedoc": "^0.28.15",
     "typescript": "^5.9.3",
-    "vite": "^7.3.0",
+    "vite": "^8.0.1",
     "vite-plugin-dts": "^4.5.4",
     "@types/ws": "^8.18.1",
-    "vitest": "^4.0.16"
+    "vitest": "^4.1.0"
   },
   "release": {
     "branches": [