@sourceregistry/node-webserver 1.4.0 → 1.5.0

package/dist/index.es.js

@@ -31,7 +31,7 @@ function T(e) {
 }
 //#endregion
 //#region src/middlewares/ratelimiter/InMemory.ts
-var E = class {
+var ee = class {
 	constructor(e) {
 		this.data = /* @__PURE__ */ new Map(), this.windowMs = e.windowMs, this.startCleanup();
 	}
@@ -57,35 +57,37 @@ var E = class {
 	async resetAll() {
 		this.data.clear();
 	}
-}, D = /* @__PURE__ */ S({ fixedWindowLimit: () => O });
-function O(e) {
-	let { windowMs: t = 6e4, max: n, key: r = (e) => e.getClientAddress(), message: i = "Too many requests, please try again later.", statusCode: a = 429, headers: o = "include", onRateLimit: s, store: c = new E({ windowMs: t }) } = e;
+}, E = /* @__PURE__ */ S({ fixedWindowLimit: () => D });
+function D(e) {
+	let { windowMs: t = 6e4, max: n, key: r = (e) => e.getClientAddress(), message: i = "Too many requests, please try again later.", statusCode: a = 429, headers: o = "include", onRateLimit: s, store: c = new ee({ windowMs: t }) } = e;
 	return async (e, t) => {
-		let l = `rl:${r(e)}`, { current: u, reset: d } = await c.incr(l), f = Math.ceil((d - Date.now()) / 1e3);
-		if (u > n) {
+		let l = r(e);
+		if (typeof l != "string" || !/^[a-zA-Z0-9_.-]+$/.test(l)) throw Error("Invalid rate limit key: only alphanumeric, underscore, dot, and hyphen allowed");
+		let u = `rl:${l}`, { current: d, reset: f } = await c.incr(u), p = Math.ceil((f - Date.now()) / 1e3);
+		if (d > n) {
 			s && s(e, {
-				current: u,
+				current: d,
 				max: n,
-				key: l
+				key: u
 			});
 			let t = {
 				status: a,
 				headers: new Headers()
 			}, r = t.headers;
-			o === "include" && (r.set("X-RateLimit-Limit", String(n)), r.set("X-RateLimit-Remaining", "0"), r.set("X-RateLimit-Reset", String(Math.floor(d / 1e3))), r.set("Retry-After", String(f)));
+			o === "include" && (r.set("X-RateLimit-Limit", String(n)), r.set("X-RateLimit-Remaining", "0"), r.set("X-RateLimit-Reset", String(Math.floor(f / 1e3))), r.set("Retry-After", String(p)));
 			let c;
 			return typeof i == "string" ? (c = i, r.set("Content-Type", "text/plain")) : (c = JSON.stringify(i), r.set("Content-Type", "application/json")), new Response(c, t);
 		}
 		if (e.rateLimit = {
-			current: u,
+			current: d,
 			limit: n,
-			reset: new Date(d),
-			remaining: n - u
+			reset: new Date(f),
+			remaining: n - d
 		}, o === "include") {
 			let t = {
 				"X-RateLimit-Limit": String(n),
-				"X-RateLimit-Remaining": String(n - u),
-				"X-RateLimit-Reset": String(Math.floor(d / 1e3))
+				"X-RateLimit-Remaining": String(n - d),
+				"X-RateLimit-Reset": String(Math.floor(f / 1e3))
 			}, r = e.setHeaders;
 			e.setHeaders = (e) => {
 				r({
@@ -99,7 +101,7 @@ function O(e) {
 }
 //#endregion
 //#region src/middlewares/cros/index.ts
-var ee = /* @__PURE__ */ S({ policy: () => M }), te = [
+var te = /* @__PURE__ */ S({ policy: () => j }), ne = [
 	"GET",
 	"POST",
 	"PUT",
@@ -107,13 +109,13 @@ var ee = /* @__PURE__ */ S({ policy: () => M }), te = [
 	"PATCH",
 	"HEAD",
 	"OPTIONS"
-], ne = [
+], re = [
 	"Accept",
 	"Accept-Language",
 	"Content-Language",
 	"Content-Type",
 	"Range"
-], k = [
+], O = [
 	"Authorization",
 	"X-Auth-Token",
 	"X-Requested-With",
@@ -123,21 +125,21 @@ var ee = /* @__PURE__ */ S({ policy: () => M }), te = [
 	"X-Real-IP",
 	"X-Custom-Header"
 ];
-function A(e, t) {
-	return !e || !t ? !1 : t === "*" ? !0 : t === "null" ? e === "null" : Array.isArray(t) ? t.some((t) => A(e, t)) : typeof t == "function" ? t(e) : t instanceof RegExp ? t.test(e) : e === t;
+function k(e, t) {
+	return !e || !t ? !1 : t === "*" ? !0 : t === "null" ? e === "null" : Array.isArray(t) ? t.some((t) => k(e, t)) : typeof t == "function" ? t(e) : t instanceof RegExp ? t.test(e) : e === t;
 }
-function j(e, t) {
+function A(e, t) {
 	let { origin: n = "*" } = t;
-	return e ? n === "*" ? t.credentials ? e : "*" : A(e, n) ? e : null : n === "*" ? "*" : null;
+	return e ? n === "*" ? t.credentials ? e : "*" : k(e, n) ? e : null : n === "*" ? "*" : null;
 }
-function M(e = {}) {
-	let { methods: t = te, allowedHeaders: n = k, exposedHeaders: r, credentials: i = !1, maxAge: a = 86400, onResponse: o } = e, s = t.join(","), c = [...ne, ...n].join(","), l = [
+function j(e = {}) {
+	let { methods: t = ne, allowedHeaders: n = O, exposedHeaders: r, credentials: i = !1, maxAge: a = 86400, onResponse: o } = e, s = t.join(","), c = [...re, ...n].join(","), l = [
 		["Vary", "Origin,Access-Control-Request-Method,Access-Control-Request-Headers"],
 		["Access-Control-Allow-Methods", s],
 		["Access-Control-Allow-Headers", c]
 	];
 	return r && l.push(["Access-Control-Expose-Headers", r.join(",")]), i && l.push(["Access-Control-Allow-Credentials", "true"]), a && l.push(["Access-Control-Max-Age", a.toString()]), async (t, n) => {
-		let r = t.request, i = r.headers.get("Origin"), a = r.method === "OPTIONS" && i !== null && r.headers.has("Access-Control-Request-Method"), s = j(i, e);
+		let r = t.request, i = r.headers.get("Origin"), a = r.method === "OPTIONS" && i !== null && r.headers.has("Access-Control-Request-Method"), s = A(i, e);
 		if (a) {
 			if (!s) return new Response(null, { status: 403 });
 			let e = new Response(null, { status: 204 });
@@ -160,7 +162,7 @@ function M(e = {}) {
 }
 //#endregion
 //#region src/middlewares/security/index.ts
-var N = /* @__PURE__ */ S({ headers: () => F }), P = {
+var M = /* @__PURE__ */ S({ headers: () => P }), N = {
 	contentSecurityPolicy: "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'",
 	frameOptions: "DENY",
 	referrerPolicy: "no-referrer",
@@ -169,44 +171,54 @@ var N = /* @__PURE__ */ S({ headers: () => F }), P = {
 	crossOriginResourcePolicy: "same-origin",
 	strictTransportSecurity: !1
 };
-function F(e = {}) {
+function P(e = {}) {
 	let t = {
-		...P,
+		...N,
 		...e
 	};
 	return async (e, n) => {
 		let r = await n();
 		if (!r) return;
 		let i = new Headers(r.headers);
-		return I(i, "content-security-policy", t.contentSecurityPolicy), I(i, "x-frame-options", t.frameOptions), I(i, "referrer-policy", t.referrerPolicy), I(i, "permissions-policy", t.permissionsPolicy), I(i, "cross-origin-opener-policy", t.crossOriginOpenerPolicy), I(i, "cross-origin-resource-policy", t.crossOriginResourcePolicy), I(i, "strict-transport-security", t.strictTransportSecurity), new Response(r.body, {
+		return F(i, "content-security-policy", t.contentSecurityPolicy), F(i, "x-frame-options", t.frameOptions), F(i, "referrer-policy", t.referrerPolicy), F(i, "permissions-policy", t.permissionsPolicy), F(i, "cross-origin-opener-policy", t.crossOriginOpenerPolicy), F(i, "cross-origin-resource-policy", t.crossOriginResourcePolicy), F(i, "strict-transport-security", t.strictTransportSecurity), new Response(r.body, {
 			status: r.status,
 			statusText: r.statusText,
 			headers: i
 		});
 	};
 }
-function I(e, t, n) {
+function F(e, t, n) {
 	!n || e.has(t) || e.set(t, n);
 }
 //#endregion
 //#region src/middlewares/requestid/index.ts
-var L = /* @__PURE__ */ S({ assign: () => R });
-function R(t = {}) {
-	let n = t.headerName?.toLowerCase() ?? "x-request-id", r = t.generate ?? e;
+var I = /* @__PURE__ */ S({ assign: () => L });
+function L(t = {}) {
+	let n = t.headerName?.toLowerCase() ?? "x-request-id", r = t.generate ?? e, i = t.clientRequestId ?? !1;
 	return async (e, t) => {
-		let i = e.request.headers.get(n) ?? r();
-		Object.assign(e.locals, { requestId: i });
-		let a = await t();
-		if (!a) return;
-		if (a.headers.has(n)) return a;
-		let o = new Headers(a.headers);
-		return o.set(n, i), new Response(a.body, {
-			status: a.status,
-			statusText: a.statusText,
-			headers: o
+		let a = e.request.headers.get(n) ?? r();
+		if (i) {
+			let t = e.request.headers.get("x-client-request-id");
+			if (t !== null) {
+				if (!R(t) || t.length > 512) return new Response("Invalid X-Client-Request-Id header", { status: 400 });
+				a = t;
+			}
+		}
+		Object.assign(e.locals, { requestId: a });
+		let o = await t();
+		if (!o) return;
+		if (o.headers.has(n)) return o;
+		let s = new Headers(o.headers);
+		return s.set(n, a), new Response(o.body, {
+			status: o.status,
+			statusText: o.statusText,
+			headers: s
 		});
 	};
 }
+function R(e) {
+	return /^[\x00-\x7F]*$/.test(e);
+}
 //#endregion
 //#region src/middlewares/timeout/index.ts
 var z = /* @__PURE__ */ S({ deadline: () => B });
@@ -600,7 +612,7 @@ var V = [
 		status: e,
 		headers: { "Content-Type": "application/json" }
 	})
-}, re = class {
+}, G = class {
 	constructor(e, t) {
 		this.raw = e.headers.get("cookie") ?? "", this.setCookieHeader = t;
 	}
@@ -622,11 +634,11 @@ var V = [
 			maxAge: 0
 		});
 	}
-}, G = class extends Error {
+}, K = class extends Error {
 	constructor(e = "Payload Too Large") {
 		super(e), this.status = 413, this.name = "PayloadTooLargeError";
 	}
-}, K = class extends U {
+}, q = class extends U {
 	constructor(e) {
 		super(), this.upgradeHandlerInstalled = !1, this.config = e ?? {
 			type: "http",
@@ -736,7 +748,7 @@ var V = [
 		if (!t) return e;
 		let n = 0, r = new a({ transform(e, r, i) {
 			if (n += Buffer.byteLength(e), n > t) {
-				i(new G());
+				i(new K());
 				return;
 			}
 			i(null, e);
@@ -762,7 +774,7 @@ var V = [
 		if (!this.isTrustedProxy(t)) return this.normalizeAddress(t);
 		let n = e.headers["x-forwarded-for"];
 		if (!n) return this.normalizeAddress(t);
-		let r = this.parseForwardedHeader(n);
+		let r = this.parseForwardedHeader(n).filter((e) => this.isValidIP(e));
 		r.push(t);
 		for (let e = r.length - 1; e >= 0; --e) {
 			let t = r[e];
@@ -806,6 +818,19 @@ var V = [
 	normalizeAddress(e) {
 		return e.startsWith("::ffff:") ? e.slice(7) : e;
 	}
+	isValidIP(e) {
+		if (e.includes(":")) {
+			if (e.includes(":::")) return !1;
+			let t = e.split(":");
+			return t.length <= 8 && t.every((e) => e === "" || /^[0-9a-fA-F]+$/.test(e));
+		}
+		let t = e.split(".");
+		return t.length === 4 && t.every((e) => {
+			if (e === "" || e.length > 3) return !1;
+			let t = parseInt(e, 10);
+			return !isNaN(t) && t >= 0 && t <= 255 && e === String(t);
+		});
+	}
 	parseForwardedHeader(e) {
 		return (Array.isArray(e) ? e.join(",") : e).split(",").map((e) => this.normalizeAddress(e.trim())).filter(Boolean);
 	}
@@ -830,7 +855,7 @@ var V = [
 		return Number.isFinite(r) && r <= t;
 	}
 	handleError(e) {
-		if (e instanceof G) return new Response(e.message, { status: e.status });
+		if (e instanceof K) return new Response(e.message, { status: e.status });
 		if (C(e)) return new Response(JSON.stringify({
 			error: e.statusText || "Error",
 			status: e.status
@@ -928,7 +953,7 @@ var V = [
 		r && t.set(n, r);
 	}
 	toRequestEvent(e, t, n) {
-		let r = new re(e, n.pushSetCookie), i = this.config, a = {}, o = {
+		let r = new G(e, n.pushSetCookie), i = this.config, a = {}, o = {
 			name: "node-webserver",
 			dev: this.isDevelopment()
 		}, s = /* @__PURE__ */ new Set(), c = {
@@ -956,7 +981,7 @@ var V = [
 		}, l = this.createEventFetch(c, n);
 		return i.locals && Object.assign(a, i.locals(c)), i.platform && Object.assign(o, i.platform(c)), c;
 	}
-}, q = {
+}, J = {
 	".avif": "image/avif",
 	".css": "text/css; charset=utf-8",
 	".gif": "image/gif",
@@ -974,24 +999,24 @@ var V = [
 	".wasm": "application/wasm",
 	".webp": "image/webp",
 	".xml": "application/xml; charset=utf-8"
-}, J = {
+}, Y = {
 	index: "index.html",
 	cacheControl: "public, max-age=0",
 	dotFiles: "ignore"
 };
-async function Y(e, t, n = {}) {
-	let r = $(t), i = {
-		...J,
+async function X(e, t, n = {}) {
+	let r = se(t), i = {
+		...Y,
 		...n
-	}, a = await X(e), o = ie(r, i.dotFiles);
+	}, a = await ie(e), o = ae(r, i.dotFiles);
 	if (o instanceof Response) return o;
 	let s = v(a, o.length > 0 ? o.join(y) : "");
 	if (!Q(a, s)) return new Response("Forbidden", { status: 403 });
-	let c = await ae(s, a, i.index);
+	let c = await oe(s, a, i.index);
 	if (c instanceof Response) return c;
 	let l = await m(c), u = new Headers({
 		"content-length": String(l.size),
-		"content-type": oe(c),
+		"content-type": $(c),
 		"cache-control": i.cacheControl,
 		"last-modified": l.mtime.toUTCString(),
 		"x-content-type-options": "nosniff"
@@ -1007,10 +1032,10 @@ async function Y(e, t, n = {}) {
 		headers: u
 	});
 }
-async function X(e) {
+async function ie(e) {
 	return p(e);
 }
-function ie(e, t) {
+function ae(e, t) {
 	if (e.includes("\0")) return new Response("Bad Request", { status: 400 });
 	let n = e.replace(/\\/g, "/").split("/").filter(Boolean), r = [];
 	for (let e of n) {
@@ -1031,7 +1056,7 @@ function ie(e, t) {
 	}
 	return r;
 }
-async function ae(e, t, n) {
+async function oe(e, t, n) {
 	try {
 		return (await f(e)).isDirectory() ? Z(v(e, n), t) : Z(e, t);
 	} catch {
@@ -1050,13 +1075,13 @@ function Q(e, t) {
 	let n = _(e, t);
 	return n === "" || !n.startsWith("..") && !g(n);
 }
-function oe(e) {
-	return q[h(e).toLowerCase()] ?? "application/octet-stream";
-}
 function $(e) {
+	return J[h(e).toLowerCase()] ?? "application/octet-stream";
+}
+function se(e) {
 	return typeof e.params.path == "string" ? e.params.path : e.url.pathname.replace(/^\/+/, "");
 }
-var se = (e, t = {}) => (n) => Y(e, n, t), ce = (e, ...t) => async (n) => {
+var ce = (e, t = {}) => (n) => X(e, n, t), le = (e, ...t) => async (n) => {
 	let r = {};
 	for (let e of t) {
 		let t = await e(n);
@@ -1067,16 +1092,19 @@ var se = (e, t = {}) => (n) => Y(e, n, t), ce = (e, ...t) => async (n) => {
 };
 //#endregion
 //#region src/helpers/sse.ts
-function le(e, t = {}) {
+function ue(e, t = {}) {
 	let n = [];
-	if (t.comment) for (let e of t.comment.split(/\r?\n/)) n.push(`: ${e}`);
+	if (t.comment) {
+		let e = t.comment.replace(/\r\n/g, " ").replace(/\r/g, " ").replace(/\n/g, " ");
+		n.push(`: ${e}`);
+	}
 	if (t.event && n.push(`event: ${t.event}`), t.id && n.push(`id: ${t.id}`), t.retry !== void 0 && n.push(`retry: ${t.retry}`), e !== void 0) {
 		let t = typeof e == "string" ? e : JSON.stringify(e);
 		for (let e of t.split(/\r?\n/)) n.push(`data: ${e}`);
 	}
 	return `${n.join("\n")}\n\n`;
 }
-var ue = (e, t = {}) => (n) => {
+var de = (e, t = {}) => (n) => {
 	let r = new TextEncoder(), i = null, a = !1, o, s = async () => {
 		if (!a) {
 			a = !0;
@@ -1092,7 +1120,7 @@ var ue = (e, t = {}) => (n) => {
 		async start(t) {
 			i = t;
 			let c = (e, n = {}) => {
-				a || t.enqueue(r.encode(le(e, n)));
+				a || t.enqueue(r.encode(ue(e, n)));
 			};
 			n.request.signal.addEventListener("abort", () => {
 				s();
@@ -1120,7 +1148,7 @@ var ue = (e, t = {}) => (n) => {
 			...t.headers
 		}
 	});
-}, de = async (e, t) => {
+}, fe = async (e, t) => {
 	let n = JSON.stringify(await e);
 	return new Response(n, {
 		...t,
@@ -1131,19 +1159,19 @@ var ue = (e, t = {}) => (n) => {
 		}
 	});
 };
-function fe(e, t) {
+function pe(e, t) {
 	throw new Response(null, {
 		status: e,
 		headers: { location: t.toString() }
 	});
 }
-function pe(e, t) {
+function me(e, t) {
 	throw new Response(JSON.stringify(typeof t == "string" ? { message: t } : t), {
 		status: e,
 		headers: { "content-type": "application/json" }
 	});
 }
-var me = async (e, t) => {
+var he = async (e, t) => {
 	let n = await e;
 	return new Response(n, {
 		...t,
@@ -1153,7 +1181,7 @@ var me = async (e, t) => {
 			...t?.headers
 		}
 	});
-}, he = async (e, t) => {
+}, ge = async (e, t) => {
 	let n = await e;
 	return new Response(n, {
 		...t,
@@ -1165,6 +1193,6 @@ var me = async (e, t) => {
 	});
 };
 //#endregion
-export { W as Action, ee as CORS, D as RateLimiter, L as RequestId, V as RequestMethods, U as Router, N as Security, z as Timeout, K as WebServer, se as dir, ce as enhance, pe as error, he as html, C as isHttpError, w as isRedirect, T as isResponse, de as json, fe as redirect, Y as serveStatic, ue as sse, me as text };
+export { W as Action, te as CORS, E as RateLimiter, I as RequestId, V as RequestMethods, U as Router, M as Security, z as Timeout, q as WebServer, ce as dir, le as enhance, me as error, ge as html, C as isHttpError, w as isRedirect, T as isResponse, fe as json, pe as redirect, X as serveStatic, de as sse, he as text };
 
 //# sourceMappingURL=index.es.js.map