npm - @sourceregistry/node-webserver - Versions diffs - 1.3.1 → 1.5.0 - Mend

@sourceregistry/node-webserver 1.3.1 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +111 -60
package/dist/app.d.ts +1 -0
package/dist/index.cjs.js +2 -2
package/dist/index.cjs.js.map +1 -1
package/dist/index.es.js +289 -133
package/dist/index.es.js.map +1 -1
package/dist/middlewares/index.d.ts +3 -0
package/dist/middlewares/requestid/index.d.ts +23 -0
package/dist/middlewares/security/index.d.ts +39 -0
package/dist/middlewares/timeout/index.d.ts +22 -0
package/dist/types/router.d.ts +0 -1
package/dist/types/server.d.ts +31 -3
package/examples/public-baseline.ts +75 -0
package/package.json +1 -1

package/dist/index.es.js CHANGED Viewed

@@ -1,36 +1,37 @@
-import { createServer as e } from "http";
-import { createServer as t } from "https";
-import { TLSSocket as n } from "tls";
-import { Readable as r, Transform as i, Writable as a } from "stream";
-import { WebSocket as o, WebSocketServer as s } from "ws";
-import { parse as c, serialize as l } from "cookie";
-import { createReadStream as u } from "node:fs";
-import { lstat as d, realpath as f, stat as p } from "node:fs/promises";
-import { extname as m, isAbsolute as h, relative as g, resolve as _, sep as v } from "node:path";
-import { Readable as y } from "node:stream";
+import { randomUUID as e } from "node:crypto";
+import { createServer as t } from "http";
+import { createServer as n } from "https";
+import { TLSSocket as r } from "tls";
+import { Readable as i, Transform as a, Writable as o } from "stream";
+import { WebSocket as s, WebSocketServer as c } from "ws";
+import { parse as l, serialize as u } from "cookie";
+import { createReadStream as d } from "node:fs";
+import { lstat as f, realpath as p, stat as m } from "node:fs/promises";
+import { extname as h, isAbsolute as g, relative as _, resolve as v, sep as y } from "node:path";
+import { Readable as b } from "node:stream";
 //#region \0rolldown/runtime.js
-var b = Object.defineProperty, x = (e, t) => {
+var x = Object.defineProperty, S = (e, t) => {
 	let n = {};
-	for (var r in e) b(n, r, {
+	for (var r in e) x(n, r, {
 		get: e[r],
 		enumerable: !0
 	});
-	return t || b(n, Symbol.toStringTag, { value: "Module" }), n;
+	return t || x(n, Symbol.toStringTag, { value: "Module" }), n;
 };
 //#endregion
 //#region src/utils.ts
-function S(e) {
-	return w(e) && e.status >= 400 && e.status < 600;
-}
 function C(e) {
-	return w(e) && e.status >= 300 && e.status < 400;
+	return T(e) && e.status >= 400 && e.status < 600;
 }
 function w(e) {
+	return T(e) && e.status >= 300 && e.status < 400;
+}
+function T(e) {
 	return e instanceof Response;
 }
 //#endregion
 //#region src/middlewares/ratelimiter/InMemory.ts
-var T = class {
+var ee = class {
 	constructor(e) {
 		this.data = /* @__PURE__ */ new Map(), this.windowMs = e.windowMs, this.startCleanup();
 	}
@@ -56,35 +57,37 @@ var T = class {
 	async resetAll() {
 		this.data.clear();
 	}
-}, E = /* @__PURE__ */ x({ fixedWindowLimit: () => D });
+}, E = /* @__PURE__ */ S({ fixedWindowLimit: () => D });
 function D(e) {
-	let { windowMs: t = 6e4, max: n, key: r = (e) => e.getClientAddress(), message: i = "Too many requests, please try again later.", statusCode: a = 429, headers: o = "include", onRateLimit: s, store: c = new T({ windowMs: t }) } = e;
+	let { windowMs: t = 6e4, max: n, key: r = (e) => e.getClientAddress(), message: i = "Too many requests, please try again later.", statusCode: a = 429, headers: o = "include", onRateLimit: s, store: c = new ee({ windowMs: t }) } = e;
 	return async (e, t) => {
-		let l = `rl:${r(e)}`, { current: u, reset: d } = await c.incr(l), f = Math.ceil((d - Date.now()) / 1e3);
-		if (u > n) {
+		let l = r(e);
+		if (typeof l != "string" || !/^[a-zA-Z0-9_.-]+$/.test(l)) throw Error("Invalid rate limit key: only alphanumeric, underscore, dot, and hyphen allowed");
+		let u = `rl:${l}`, { current: d, reset: f } = await c.incr(u), p = Math.ceil((f - Date.now()) / 1e3);
+		if (d > n) {
 			s && s(e, {
-				current: u,
+				current: d,
 				max: n,
-				key: l
+				key: u
 			});
 			let t = {
 				status: a,
 				headers: new Headers()
 			}, r = t.headers;
-			o === "include" && (r.set("X-RateLimit-Limit", String(n)), r.set("X-RateLimit-Remaining", "0"), r.set("X-RateLimit-Reset", String(Math.floor(d / 1e3))), r.set("Retry-After", String(f)));
+			o === "include" && (r.set("X-RateLimit-Limit", String(n)), r.set("X-RateLimit-Remaining", "0"), r.set("X-RateLimit-Reset", String(Math.floor(f / 1e3))), r.set("Retry-After", String(p)));
 			let c;
 			return typeof i == "string" ? (c = i, r.set("Content-Type", "text/plain")) : (c = JSON.stringify(i), r.set("Content-Type", "application/json")), new Response(c, t);
 		}
 		if (e.rateLimit = {
-			current: u,
+			current: d,
 			limit: n,
-			reset: new Date(d),
-			remaining: n - u
+			reset: new Date(f),
+			remaining: n - d
 		}, o === "include") {
 			let t = {
 				"X-RateLimit-Limit": String(n),
-				"X-RateLimit-Remaining": String(n - u),
-				"X-RateLimit-Reset": String(Math.floor(d / 1e3))
+				"X-RateLimit-Remaining": String(n - d),
+				"X-RateLimit-Reset": String(Math.floor(f / 1e3))
 			}, r = e.setHeaders;
 			e.setHeaders = (e) => {
 				r({
@@ -98,7 +101,7 @@ function D(e) {
 }
 //#endregion
 //#region src/middlewares/cros/index.ts
-var O = /* @__PURE__ */ x({ policy: () => P }), k = [
+var te = /* @__PURE__ */ S({ policy: () => j }), ne = [
 	"GET",
 	"POST",
 	"PUT",
@@ -106,13 +109,13 @@ var O = /* @__PURE__ */ x({ policy: () => P }), k = [
 	"PATCH",
 	"HEAD",
 	"OPTIONS"
-], A = [
+], re = [
 	"Accept",
 	"Accept-Language",
 	"Content-Language",
 	"Content-Type",
 	"Range"
-], j = [
+], O = [
 	"Authorization",
 	"X-Auth-Token",
 	"X-Requested-With",
@@ -122,21 +125,21 @@ var O = /* @__PURE__ */ x({ policy: () => P }), k = [
 	"X-Real-IP",
 	"X-Custom-Header"
 ];
-function M(e, t) {
-	return !e || !t ? !1 : t === "*" ? !0 : t === "null" ? e === "null" : Array.isArray(t) ? t.some((t) => M(e, t)) : typeof t == "function" ? t(e) : t instanceof RegExp ? t.test(e) : e === t;
+function k(e, t) {
+	return !e || !t ? !1 : t === "*" ? !0 : t === "null" ? e === "null" : Array.isArray(t) ? t.some((t) => k(e, t)) : typeof t == "function" ? t(e) : t instanceof RegExp ? t.test(e) : e === t;
 }
-function N(e, t) {
+function A(e, t) {
 	let { origin: n = "*" } = t;
-	return e ? n === "*" ? t.credentials ? e : "*" : M(e, n) ? e : null : n === "*" ? "*" : null;
+	return e ? n === "*" ? t.credentials ? e : "*" : k(e, n) ? e : null : n === "*" ? "*" : null;
 }
-function P(e = {}) {
-	let { methods: t = k, allowedHeaders: n = j, exposedHeaders: r, credentials: i = !1, maxAge: a = 86400, onResponse: o } = e, s = t.join(","), c = [...A, ...n].join(","), l = [
+function j(e = {}) {
+	let { methods: t = ne, allowedHeaders: n = O, exposedHeaders: r, credentials: i = !1, maxAge: a = 86400, onResponse: o } = e, s = t.join(","), c = [...re, ...n].join(","), l = [
 		["Vary", "Origin,Access-Control-Request-Method,Access-Control-Request-Headers"],
 		["Access-Control-Allow-Methods", s],
 		["Access-Control-Allow-Headers", c]
 	];
 	return r && l.push(["Access-Control-Expose-Headers", r.join(",")]), i && l.push(["Access-Control-Allow-Credentials", "true"]), a && l.push(["Access-Control-Max-Age", a.toString()]), async (t, n) => {
-		let r = t.request, i = r.headers.get("Origin"), a = r.method === "OPTIONS" && i !== null && r.headers.has("Access-Control-Request-Method"), s = N(i, e);
+		let r = t.request, i = r.headers.get("Origin"), a = r.method === "OPTIONS" && i !== null && r.headers.has("Access-Control-Request-Method"), s = A(i, e);
 		if (a) {
 			if (!s) return new Response(null, { status: 403 });
 			let e = new Response(null, { status: 204 });
@@ -158,8 +161,93 @@ function P(e = {}) {
 	};
 }
 //#endregion
+//#region src/middlewares/security/index.ts
+var M = /* @__PURE__ */ S({ headers: () => P }), N = {
+	contentSecurityPolicy: "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'",
+	frameOptions: "DENY",
+	referrerPolicy: "no-referrer",
+	permissionsPolicy: "geolocation=(), microphone=(), camera=()",
+	crossOriginOpenerPolicy: "same-origin",
+	crossOriginResourcePolicy: "same-origin",
+	strictTransportSecurity: !1
+};
+function P(e = {}) {
+	let t = {
+		...N,
+		...e
+	};
+	return async (e, n) => {
+		let r = await n();
+		if (!r) return;
+		let i = new Headers(r.headers);
+		return F(i, "content-security-policy", t.contentSecurityPolicy), F(i, "x-frame-options", t.frameOptions), F(i, "referrer-policy", t.referrerPolicy), F(i, "permissions-policy", t.permissionsPolicy), F(i, "cross-origin-opener-policy", t.crossOriginOpenerPolicy), F(i, "cross-origin-resource-policy", t.crossOriginResourcePolicy), F(i, "strict-transport-security", t.strictTransportSecurity), new Response(r.body, {
+			status: r.status,
+			statusText: r.statusText,
+			headers: i
+		});
+	};
+}
+function F(e, t, n) {
+	!n || e.has(t) || e.set(t, n);
+}
+//#endregion
+//#region src/middlewares/requestid/index.ts
+var I = /* @__PURE__ */ S({ assign: () => L });
+function L(t = {}) {
+	let n = t.headerName?.toLowerCase() ?? "x-request-id", r = t.generate ?? e, i = t.clientRequestId ?? !1;
+	return async (e, t) => {
+		let a = e.request.headers.get(n) ?? r();
+		if (i) {
+			let t = e.request.headers.get("x-client-request-id");
+			if (t !== null) {
+				if (!R(t) || t.length > 512) return new Response("Invalid X-Client-Request-Id header", { status: 400 });
+				a = t;
+			}
+		}
+		Object.assign(e.locals, { requestId: a });
+		let o = await t();
+		if (!o) return;
+		if (o.headers.has(n)) return o;
+		let s = new Headers(o.headers);
+		return s.set(n, a), new Response(o.body, {
+			status: o.status,
+			statusText: o.statusText,
+			headers: s
+		});
+	};
+}
+function R(e) {
+	return /^[\x00-\x7F]*$/.test(e);
+}
+//#endregion
+//#region src/middlewares/timeout/index.ts
+var z = /* @__PURE__ */ S({ deadline: () => B });
+function B(e) {
+	let { ms: t, status: n = 504, body: r = "Gateway Timeout", onTimeout: i } = e;
+	if (!Number.isFinite(t) || t <= 0) throw TypeError("Timeout.deadline requires a positive ms value");
+	return async (e, a) => {
+		let o = e.request, s = new AbortController(), c = () => s.abort();
+		o.signal.addEventListener("abort", c, { once: !0 });
+		let l = AbortSignal.any([o.signal, s.signal]);
+		e.request = new Request(o, {
+			signal: l,
+			duplex: o.body ? "half" : void 0
+		});
+		let u;
+		try {
+			return await Promise.race([a(), new Promise((e) => {
+				u = setTimeout(() => {
+					s.abort(), i?.(), e(new Response(r, { status: n }));
+				}, t);
+			})]);
+		} finally {
+			o.signal.removeEventListener("abort", c), u && clearTimeout(u);
+		}
+	};
+}
+//#endregion
 //#region src/types/RequestMethod.ts
-var F = [
+var V = [
 	"GET",
 	"PUT",
 	"POST",
@@ -167,7 +255,7 @@ var F = [
 	"PATCH",
 	"HEAD",
 	"OPTIONS"
-], I = class {
+], H = class {
 	static {
 		this.cache = /* @__PURE__ */ new Map();
 	}
@@ -177,7 +265,7 @@ var F = [
 	static set(e, t) {
 		this.cache.set(e, t);
 	}
-}, L = class e {
+}, U = class {
 	constructor() {
 		this._routes = [], this._wsRoutes = [], this._nestedRouters = [], this._middlewares = [], this._preHandlers = [], this._postHandlers = [], this.routesSorted = !1, this.wsRoutesSorted = !1;
 	}
@@ -209,7 +297,7 @@ var F = [
 		return this.addHandler("OPTIONS", e, t, n);
 	}
 	USE(e, t, ...n) {
-		return F.forEach((r) => this.addHandler(r, e, t, n)), this;
+		return V.forEach((r) => this.addHandler(r, e, t, n)), this;
 	}
 	action(e, t, ...n) {
 		return this.addHandler("POST", e, async (e) => {
@@ -300,7 +388,10 @@ var F = [
 			if (!r.regex.test(n)) continue;
 			let i = n.match(r.regex);
 			if (!i) continue;
-			let a = Object.fromEntries(r.paramNames.map((e, t) => [e, i[t + 1] || ""])), o = {
+			let a = Object.fromEntries(r.paramNames.map((e, t) => {
+				let n = i[t + 1];
+				return n === void 0 ? void 0 : [e, decodeURIComponent(n)];
+			}).filter((e) => e !== void 0)), o = {
 				...e,
 				params: {
 					...e.params,
@@ -312,7 +403,7 @@ var F = [
 				},
 				websocket: t
 			}, s = [...this._middlewares, ...r.middlewares];
-			if (await this.applyMiddlewaresWithList(o, s, () => r.handler(o)) === void 0) return !0;
+			if (await this.applyMiddlewaresWithList(o, s, () => r.handler(o)) !== void 0) return !0;
 		}
 		return !1;
 	}
@@ -326,7 +417,7 @@ var F = [
 			let i = r || new Response("No Content", { status: 204 });
 			return await this.runPostHandlers(e, i);
 		} catch (e) {
-			if (w(e)) return e;
+			if (T(e)) return e;
 			throw e;
 		}
 	}
@@ -362,7 +453,7 @@ var F = [
 		}), this.routesSorted = !1, this;
 	}
 	createPathRegex(e) {
-		let t = I.get(e);
+		let t = H.get(e);
 		if (t) return t;
 		let n = [], r = !1, i, a = e.split("/").filter(Boolean);
 		i = a.reduce((e, t) => t.startsWith("[...") ? e - 10 : t.startsWith("[[") ? e - 5 : t.startsWith("[") ? e - 1 : e + 1, 0);
@@ -385,7 +476,7 @@ var F = [
 			isCatchAll: r,
 			priority: i
 		};
-		return I.set(e, s), s;
+		return H.set(e, s), s;
 	}
 	createPrefixRegex(e) {
 		let t = [], n = !1, r, i = e.split("/").filter(Boolean);
@@ -416,9 +507,14 @@ var F = [
 		let n = t.match(e.regex);
 		if (!n) return {};
 		let r = {};
-		return e.isCatchAll && e.paramNames.length === 1 ? r[e.paramNames[0]] = n[1]?.replace(/^\//, "") || "" : e.paramNames.forEach((e, t) => {
-			r[e] = n[t + 1] || "";
-		}), r;
+		if (e.isCatchAll && e.paramNames.length === 1) {
+			let t = n[1]?.replace(/^\//, "");
+			t !== void 0 && (r[e.paramNames[0]] = decodeURIComponent(t));
+		} else e.paramNames.forEach((e, t) => {
+			let i = n[t + 1];
+			i !== void 0 && (r[e] = decodeURIComponent(i));
+		});
+		return r;
 	}
 	async handleNestedRouters(e, t) {
 		let n = [...this._nestedRouters].sort((e, t) => t.priority - e.priority);
@@ -442,7 +538,10 @@ var F = [
 			if (!a.regex.test(n) || (r.add(a.method), a.method === "GET" && (i = !0, r.add("HEAD")), !(a.method === t || t === "HEAD" && a.method === "GET"))) continue;
 			let o = n.match(a.regex);
 			if (!o) continue;
-			let s = Object.fromEntries(a.paramNames.map((e, t) => [e, o[t + 1] || ""]));
+			let s = Object.fromEntries(a.paramNames.map((e, t) => {
+				let n = o[t + 1];
+				return n === void 0 ? void 0 : [e, decodeURIComponent(n)];
+			}).filter((e) => e !== void 0));
 			return e.params = {
 				...e.params,
 				...s
@@ -470,20 +569,17 @@ var F = [
 		this._wsRoutes.sort((e, t) => t.priority - e.priority), this.wsRoutesSorted = !0;
 	}
 	formatActionResult(e) {
-		return e instanceof Response ? e : e?.type === "failure" && "status" in e ? R.fail(e.status, e.data) : R.success(200, e ?? void 0);
+		return e instanceof Response ? e : e?.type === "failure" && "status" in e ? W.fail(e.status, e.data) : W.success(200, e ?? void 0);
 	}
 	handleActionError(e) {
-		if (S(e)) return R.error(e.status, { message: e.statusText || "Error" });
-		if (C(e)) {
+		if (C(e)) return W.error(e.status, { message: e.statusText || "Error" });
+		if (w(e)) {
 			let t = e.headers.get("Location") || "/";
-			return R.redirect(e.status, t);
+			return W.redirect(e.status, t);
 		}
-		return console.error(e), R.error(500, { message: "Internal Server Error" });
-	}
-	static New() {
-		return new e();
+		return console.error(e), W.error(500, { message: "Internal Server Error" });
 	}
-}, R = {
+}, W = {
 	success: (e = 200, t) => new Response(JSON.stringify({
 		data: t,
 		type: "success",
@@ -516,21 +612,21 @@ var F = [
 		status: e,
 		headers: { "Content-Type": "application/json" }
 	})
-}, z = class {
+}, G = class {
 	constructor(e, t) {
 		this.raw = e.headers.get("cookie") ?? "", this.setCookieHeader = t;
 	}
 	get(e, t) {
-		return c(this.raw, t)[e];
+		return l(this.raw, t)[e];
 	}
 	getAll(e) {
-		return Object.entries(c(this.raw, e)).filter(([, e]) => e !== void 0).map(([e, t]) => ({
+		return Object.entries(l(this.raw, e)).filter(([, e]) => e !== void 0).map(([e, t]) => ({
 			name: e,
 			value: t
 		}));
 	}
 	set(e, t, n) {
-		this.setCookieHeader(l(e, t, n));
+		this.setCookieHeader(u(e, t, n));
 	}
 	delete(e, t) {
 		this.set(e, "", {
@@ -538,28 +634,28 @@ var F = [
 			maxAge: 0
 		});
 	}
-}, B = class extends Error {
+}, K = class extends Error {
 	constructor(e = "Payload Too Large") {
 		super(e), this.status = 413, this.name = "PayloadTooLargeError";
 	}
-}, V = class extends L {
+}, q = class extends U {
 	constructor(e) {
 		super(), this.upgradeHandlerInstalled = !1, this.config = e ?? {
 			type: "http",
 			options: {}
-		}, this.wss = new s({
+		}, this.wss = new c({
 			noServer: !0,
 			maxPayload: this.config.security?.maxWebSocketPayload ?? 1024 * 1024
 		});
 	}
 	get server() {
 		if (!this._server) {
-			let n = (e, t) => {
+			let e = (e, t) => {
 				this.handleRequest(e, t).catch((e) => {
 					console.error("Unhandled request error:", e), t.statusCode = 500, t.end("Internal Server Error");
 				});
 			};
-			this._server = this.config.type === "https" ? t(this.config.options, n) : e(this.config.options, n);
+			this._server = this.config.type === "https" ? n(this.config.options, e) : t(this.config.options, e), this.configureServerTimeouts(this._server);
 		}
 		return this._server;
 	}
@@ -580,7 +676,7 @@ var F = [
 				return;
 			}
 			let a = this.toRequestEvent(i, r, {
-				getClientAddress: () => e.socket.remoteAddress ?? "127.0.0.1",
+				getClientAddress: () => this.getClientAddress(e),
 				setHeader: () => {},
 				pushSetCookie: () => {}
 			});
@@ -591,9 +687,9 @@ var F = [
 				}
 				this.wss.handleUpgrade(e, t, n, (e) => {
 					this.handleWebSocket(a, e).then((t) => {
-						!t && e.readyState === o.OPEN && e.close(1008, "Route not found");
+						!t && e.readyState === s.OPEN && e.close(1008, "Route not found");
 					}).catch((t) => {
-						console.error("WebSocket routing error:", t), e.readyState === o.OPEN && e.close(1011, "Internal error");
+						console.error("WebSocket routing error:", t), e.readyState === s.OPEN && e.close(1011, "Internal error");
 					});
 				});
 			}).catch(() => t.destroy());
@@ -618,7 +714,7 @@ var F = [
 		let n = new AbortController(), r = () => n.abort();
 		e.once("aborted", r), e.once("close", r), t.once("close", r);
 		let i = this.toWebRequest(e, n.signal), a = new URL(i.url), o = {}, s = [], c = this.toRequestEvent(i, a, {
-			getClientAddress: () => e.socket.remoteAddress ?? "127.0.0.1",
+			getClientAddress: () => this.getClientAddress(e),
 			setHeader: (e, t) => {
 				o[e.toLowerCase()] = t;
 			},
@@ -638,21 +734,21 @@ var F = [
 		let n = this.toURL(e, !1);
 		return this.toRequest(e, n, !1, t);
 	}
-	toRequest(e, t, n, i) {
+	toRequest(e, t, n, r) {
 		let a = {
 			method: n ? "GET" : e.method,
 			headers: this.toHeaders(e.headers),
-			signal: i,
+			signal: r,
 			duplex: "half"
 		};
-		return !n && e.method !== "GET" && e.method !== "HEAD" && (a.body = r.toWeb(this.wrapRequestBody(e))), new Request(t, a);
+		return !n && e.method !== "GET" && e.method !== "HEAD" && (a.body = i.toWeb(this.wrapRequestBody(e))), new Request(t, a);
 	}
 	wrapRequestBody(e) {
 		let t = this.config.security?.maxRequestBodySize;
 		if (!t) return e;
-		let n = 0, r = new i({ transform(e, r, i) {
+		let n = 0, r = new a({ transform(e, r, i) {
 			if (n += Buffer.byteLength(e), n > t) {
-				i(new B());
+				i(new K());
 				return;
 			}
 			i(null, e);
@@ -660,14 +756,31 @@ var F = [
 		return e.on("aborted", () => r.destroy(/* @__PURE__ */ Error("Request aborted"))), e.on("error", (e) => r.destroy(e)), e.pipe(r), r;
 	}
 	toURL(e, t) {
-		let r = e.socket instanceof n ? t ? "wss" : "https" : t ? "ws" : "http", i = this.resolveAuthority(e);
-		return new URL(e.url ?? "/", `${r}://${i}`);
+		let n = this.resolveProtocol(e, t), r = this.resolveAuthority(e);
+		return new URL(e.url ?? "/", `${n}://${r}`);
+	}
+	resolveProtocol(e, t) {
+		let n = this.getTrustedForwardedHeader(e, "x-forwarded-proto")?.split(",")[0]?.trim().toLowerCase();
+		return n === "http" || n === "https" ? t ? n === "https" ? "wss" : "ws" : n : e.socket instanceof r ? t ? "wss" : "https" : t ? "ws" : "http";
 	}
 	resolveAuthority(e) {
-		let t = this.config.security?.trustHostHeader ? this.normalizeTrustedHost(e.headers.host) : null;
-		if (t) return t;
-		let n = this.server.address();
-		return n && typeof n == "object" ? `${n.address.includes(":") ? `[${n.address}]` : n.address}:${n.port}` : e.socket.localPort ? `127.0.0.1:${e.socket.localPort}` : "localhost";
+		let t = this.getTrustedForwardedHeader(e, "x-forwarded-host") ?? e.headers.host, n = this.config.security?.trustHostHeader ? this.normalizeTrustedHost(t) : null;
+		if (n) return n;
+		let r = this.server.address();
+		return r && typeof r == "object" ? `${r.address.includes(":") ? `[${r.address}]` : r.address}:${r.port}` : e.socket.localPort ? `127.0.0.1:${e.socket.localPort}` : "localhost";
+	}
+	getClientAddress(e) {
+		let t = e.socket.remoteAddress ?? "127.0.0.1";
+		if (!this.isTrustedProxy(t)) return this.normalizeAddress(t);
+		let n = e.headers["x-forwarded-for"];
+		if (!n) return this.normalizeAddress(t);
+		let r = this.parseForwardedHeader(n).filter((e) => this.isValidIP(e));
+		r.push(t);
+		for (let e = r.length - 1; e >= 0; --e) {
+			let t = r[e];
+			if (!this.isTrustedProxy(t)) return this.normalizeAddress(t);
+		}
+		return this.normalizeAddress(r[0] ?? t);
 	}
 	normalizeTrustedHost(e) {
 		if (!e) return null;
@@ -684,6 +797,43 @@ var F = [
 	matchesValue(e, t) {
 		return (Array.isArray(t) ? t : [t]).some((t) => typeof t == "string" ? t === e : t instanceof RegExp ? t.test(e) : t(e));
 	}
+	configureServerTimeouts(e) {
+		let t = this.config.security, n = this.isDevelopment();
+		e.headersTimeout = t?.headersTimeoutMs ?? 3e4, e.requestTimeout = t?.requestTimeoutMs ?? (n ? 0 : 6e4), e.keepAliveTimeout = t?.keepAliveTimeoutMs ?? 5e3;
+	}
+	isDevelopment() {
+		return process.env.NODE_ENV !== "production";
+	}
+	getTrustedForwardedHeader(e, t) {
+		if (!this.isTrustedProxy(e.socket.remoteAddress ?? "")) return;
+		let n = e.headers[t];
+		return Array.isArray(n) ? n[0] : n;
+	}
+	isTrustedProxy(e) {
+		let t = this.config.security?.trustedProxies;
+		if (!t) return !1;
+		let n = this.normalizeAddress(e);
+		return n !== e && this.matchesValue(n, t) ? !0 : this.matchesValue(e, t);
+	}
+	normalizeAddress(e) {
+		return e.startsWith("::ffff:") ? e.slice(7) : e;
+	}
+	isValidIP(e) {
+		if (e.includes(":")) {
+			if (e.includes(":::")) return !1;
+			let t = e.split(":");
+			return t.length <= 8 && t.every((e) => e === "" || /^[0-9a-fA-F]+$/.test(e));
+		}
+		let t = e.split(".");
+		return t.length === 4 && t.every((e) => {
+			if (e === "" || e.length > 3) return !1;
+			let t = parseInt(e, 10);
+			return !isNaN(t) && t >= 0 && t <= 255 && e === String(t);
+		});
+	}
+	parseForwardedHeader(e) {
+		return (Array.isArray(e) ? e.join(",") : e).split(",").map((e) => this.normalizeAddress(e.trim())).filter(Boolean);
+	}
 	toHeaders(e) {
 		let t = new Headers();
 		for (let [n, r] of Object.entries(e)) if (r !== void 0) {
@@ -705,15 +855,15 @@ var F = [
 		return Number.isFinite(r) && r <= t;
 	}
 	handleError(e) {
-		if (e instanceof B) return new Response(e.message, { status: e.status });
-		if (S(e)) return new Response(JSON.stringify({
+		if (e instanceof K) return new Response(e.message, { status: e.status });
+		if (C(e)) return new Response(JSON.stringify({
 			error: e.statusText || "Error",
 			status: e.status
 		}), {
 			status: e.status,
 			headers: { "Content-Type": "application/json" }
 		});
-		if (C(e)) {
+		if (w(e)) {
 			let t = e.headers.get("Location") || "/";
 			return new Response(null, {
 				status: e.status,
@@ -729,10 +879,10 @@ var F = [
 			e.end();
 			return;
 		}
-		let n = t.body.getReader(), r = a.toWeb(e).getWriter(), i = !1, o = async () => {
+		let n = t.body.getReader(), r = o.toWeb(e).getWriter(), i = !1, a = async () => {
 			i || (i = !0, await n.cancel().catch(() => {}));
 		}, s = () => {
-			o();
+			a();
 		};
 		e.once("close", s);
 		try {
@@ -743,7 +893,7 @@ var F = [
 			}
 			i = !0;
 		} catch (e) {
-			if (await o(), !this.isPrematureCloseError(e)) throw e;
+			if (await a(), !this.isPrematureCloseError(e)) throw e;
 		} finally {
 			e.off("close", s), await r.close().catch(() => {});
 		}
@@ -803,7 +953,10 @@ var F = [
 		r && t.set(n, r);
 	}
 	toRequestEvent(e, t, n) {
-		let r = new z(e, n.pushSetCookie), i = this.config, a = {}, o = { name: "WebHTTPServer" }, s = /* @__PURE__ */ new Set(), c = {
+		let r = new G(e, n.pushSetCookie), i = this.config, a = {}, o = {
+			name: "node-webserver",
+			dev: this.isDevelopment()
+		}, s = /* @__PURE__ */ new Set(), c = {
 			request: e,
 			url: t,
 			cookies: r,
@@ -828,7 +981,7 @@ var F = [
 		}, l = this.createEventFetch(c, n);
 		return i.locals && Object.assign(a, i.locals(c)), i.platform && Object.assign(o, i.platform(c)), c;
 	}
-}, H = {
+}, J = {
 	".avif": "image/avif",
 	".css": "text/css; charset=utf-8",
 	".gif": "image/gif",
@@ -846,24 +999,24 @@ var F = [
 	".wasm": "application/wasm",
 	".webp": "image/webp",
 	".xml": "application/xml; charset=utf-8"
-}, U = {
+}, Y = {
 	index: "index.html",
 	cacheControl: "public, max-age=0",
 	dotFiles: "ignore"
 };
-async function W(e, t, n = {}) {
-	let r = Z(t), i = {
-		...U,
+async function X(e, t, n = {}) {
+	let r = se(t), i = {
+		...Y,
 		...n
-	}, a = await G(e), o = K(r, i.dotFiles);
+	}, a = await ie(e), o = ae(r, i.dotFiles);
 	if (o instanceof Response) return o;
-	let s = _(a, o.length > 0 ? o.join(v) : "");
-	if (!Y(a, s)) return new Response("Forbidden", { status: 403 });
-	let c = await q(s, a, i.index);
+	let s = v(a, o.length > 0 ? o.join(y) : "");
+	if (!Q(a, s)) return new Response("Forbidden", { status: 403 });
+	let c = await oe(s, a, i.index);
 	if (c instanceof Response) return c;
-	let l = await p(c), d = new Headers({
+	let l = await m(c), u = new Headers({
 		"content-length": String(l.size),
-		"content-type": X(c),
+		"content-type": $(c),
 		"cache-control": i.cacheControl,
 		"last-modified": l.mtime.toUTCString(),
 		"x-content-type-options": "nosniff"
@@ -871,18 +1024,18 @@ async function W(e, t, n = {}) {
 	if (n.headers) {
 		let e = typeof n.headers == "function" ? n.headers(c, l) : n.headers;
 		new Headers(e).forEach((e, t) => {
-			d.set(t, e);
+			u.set(t, e);
 		});
 	}
-	return new Response(y.toWeb(u(c)), {
+	return new Response(b.toWeb(d(c)), {
 		status: 200,
-		headers: d
+		headers: u
 	});
 }
-async function G(e) {
-	return f(e);
+async function ie(e) {
+	return p(e);
 }
-function K(e, t) {
+function ae(e, t) {
 	if (e.includes("\0")) return new Response("Bad Request", { status: 400 });
 	let n = e.replace(/\\/g, "/").split("/").filter(Boolean), r = [];
 	for (let e of n) {
@@ -903,52 +1056,55 @@ function K(e, t) {
 	}
 	return r;
 }
-async function q(e, t, n) {
+async function oe(e, t, n) {
 	try {
-		return (await d(e)).isDirectory() ? J(_(e, n), t) : J(e, t);
+		return (await f(e)).isDirectory() ? Z(v(e, n), t) : Z(e, t);
 	} catch {
 		return new Response("Not Found", { status: 404 });
 	}
 }
-async function J(e, t) {
+async function Z(e, t) {
 	try {
-		let n = await f(e);
-		return Y(t, n) ? (await p(n)).isFile() ? n : new Response("Not Found", { status: 404 }) : new Response("Forbidden", { status: 403 });
+		let n = await p(e);
+		return Q(t, n) ? (await m(n)).isFile() ? n : new Response("Not Found", { status: 404 }) : new Response("Forbidden", { status: 403 });
 	} catch {
 		return new Response("Not Found", { status: 404 });
 	}
 }
-function Y(e, t) {
-	let n = g(e, t);
-	return n === "" || !n.startsWith("..") && !h(n);
+function Q(e, t) {
+	let n = _(e, t);
+	return n === "" || !n.startsWith("..") && !g(n);
 }
-function X(e) {
-	return H[m(e).toLowerCase()] ?? "application/octet-stream";
+function $(e) {
+	return J[h(e).toLowerCase()] ?? "application/octet-stream";
 }
-function Z(e) {
+function se(e) {
 	return typeof e.params.path == "string" ? e.params.path : e.url.pathname.replace(/^\/+/, "");
 }
-var Q = (e, t = {}) => (n) => W(e, n, t), $ = (e, ...t) => async (n) => {
+var ce = (e, t = {}) => (n) => X(e, n, t), le = (e, ...t) => async (n) => {
 	let r = {};
 	for (let e of t) {
 		let t = await e(n);
-		if (w(t)) return t;
+		if (T(t)) return t;
 		t && typeof t == "object" && Object.assign(r, t);
 	}
 	return e(Object.assign(n, { context: r }));
 };
 //#endregion
 //#region src/helpers/sse.ts
-function ee(e, t = {}) {
+function ue(e, t = {}) {
 	let n = [];
-	if (t.comment) for (let e of t.comment.split(/\r?\n/)) n.push(`: ${e}`);
+	if (t.comment) {
+		let e = t.comment.replace(/\r\n/g, " ").replace(/\r/g, " ").replace(/\n/g, " ");
+		n.push(`: ${e}`);
+	}
 	if (t.event && n.push(`event: ${t.event}`), t.id && n.push(`id: ${t.id}`), t.retry !== void 0 && n.push(`retry: ${t.retry}`), e !== void 0) {
 		let t = typeof e == "string" ? e : JSON.stringify(e);
 		for (let e of t.split(/\r?\n/)) n.push(`data: ${e}`);
 	}
 	return `${n.join("\n")}\n\n`;
 }
-var te = (e, t = {}) => (n) => {
+var de = (e, t = {}) => (n) => {
 	let r = new TextEncoder(), i = null, a = !1, o, s = async () => {
 		if (!a) {
 			a = !0;
@@ -964,7 +1120,7 @@ var te = (e, t = {}) => (n) => {
 		async start(t) {
 			i = t;
 			let c = (e, n = {}) => {
-				a || t.enqueue(r.encode(ee(e, n)));
+				a || t.enqueue(r.encode(ue(e, n)));
 			};
 			n.request.signal.addEventListener("abort", () => {
 				s();
@@ -992,7 +1148,7 @@ var te = (e, t = {}) => (n) => {
 			...t.headers
 		}
 	});
-}, ne = async (e, t) => {
+}, fe = async (e, t) => {
 	let n = JSON.stringify(await e);
 	return new Response(n, {
 		...t,
@@ -1003,19 +1159,19 @@ var te = (e, t = {}) => (n) => {
 		}
 	});
 };
-function re(e, t) {
+function pe(e, t) {
 	throw new Response(null, {
 		status: e,
 		headers: { location: t.toString() }
 	});
 }
-function ie(e, t) {
+function me(e, t) {
 	throw new Response(JSON.stringify(typeof t == "string" ? { message: t } : t), {
 		status: e,
 		headers: { "content-type": "application/json" }
 	});
 }
-var ae = async (e, t) => {
+var he = async (e, t) => {
 	let n = await e;
 	return new Response(n, {
 		...t,
@@ -1025,7 +1181,7 @@ var ae = async (e, t) => {
 			...t?.headers
 		}
 	});
-}, oe = async (e, t) => {
+}, ge = async (e, t) => {
 	let n = await e;
 	return new Response(n, {
 		...t,
@@ -1037,6 +1193,6 @@ var ae = async (e, t) => {
 	});
 };
 //#endregion
-export { R as Action, O as CORS, E as RateLimiter, F as RequestMethods, L as Router, V as WebServer, Q as dir, $ as enhance, ie as error, oe as html, S as isHttpError, C as isRedirect, w as isResponse, ne as json, re as redirect, W as serveStatic, te as sse, ae as text };
+export { W as Action, te as CORS, E as RateLimiter, I as RequestId, V as RequestMethods, U as Router, M as Security, z as Timeout, q as WebServer, ce as dir, le as enhance, me as error, ge as html, C as isHttpError, w as isRedirect, T as isResponse, fe as json, pe as redirect, X as serveStatic, de as sse, he as text };
 //# sourceMappingURL=index.es.js.map