@sourceregistry/node-webserver 1.4.0 → 1.6.0

package/dist/index.es.js

@@ -57,35 +57,123 @@ var E = class {
 	async resetAll() {
 		this.data.clear();
 	}
-}, D = /* @__PURE__ */ S({ fixedWindowLimit: () => O });
+}, D = class {
+	constructor(e) {
+		this.data = /* @__PURE__ */ new Map(), this.windowMs = e.windowMs, this.startCleanup();
+	}
+	async incr(e) {
+		let t = Date.now(), n = t - this.windowMs, r = this.data.get(e) || [];
+		r = r.filter((e) => e > n), r.push(t), this.data.set(e, r);
+		let i = t + this.windowMs;
+		return {
+			current: r.length,
+			reset: i
+		};
+	}
+	startCleanup() {
+		this.cleanupInterval = setInterval(() => {
+			let e = Date.now();
+			for (let [t, n] of this.data) {
+				let r = e - this.windowMs, i = n.filter((e) => e > r);
+				i.length === 0 ? this.data.delete(t) : this.data.set(t, i);
+			}
+		}, Math.min(this.windowMs, 3e5));
+	}
+	stop() {
+		this.cleanupInterval && clearInterval(this.cleanupInterval);
+	}
+	async resetAll() {
+		this.data.clear();
+	}
+}, ee = /* @__PURE__ */ S({
+	MemoryStore: () => E,
+	SlidingWindowStore: () => D,
+	fixedWindowLimit: () => te,
+	slidingWindowLimit: () => O
+});
 function O(e) {
+	let { windowMs: t = 6e4, max: n, key: r = (e) => e.getClientAddress(), message: i = "Too many requests, please try again later.", statusCode: a = 429, headers: o = "include", onRateLimit: s, store: c = new D({ windowMs: t }) } = e;
+	return async (e, t) => {
+		let l = r(e);
+		if (typeof l != "string" || !/^[a-zA-Z0-9_.-]+$/.test(l)) throw Error("Invalid rate limit key: only alphanumeric, underscore, dot, and hyphen allowed");
+		let u = `rl:${l}`, { current: d, reset: f } = await c.incr(u), p = Math.ceil((f - Date.now()) / 1e3);
+		if (d > n) {
+			if (s) {
+				let t = f - Date.now();
+				s(e, {
+					current: d,
+					max: n,
+					key: u,
+					reset: Math.floor(f / 1e3),
+					remaining: 0,
+					resetTimeMs: t
+				});
+			}
+			let t = {
+				status: a,
+				headers: new Headers()
+			}, r = t.headers;
+			o === "include" && (r.set("X-RateLimit-Limit", String(n)), r.set("X-RateLimit-Remaining", "0"), r.set("X-RateLimit-Reset", String(Math.floor(f / 1e3))), r.set("Retry-After", String(p)));
+			let c;
+			return typeof i == "string" ? (c = i, r.set("Content-Type", "text/plain")) : (c = JSON.stringify(i), r.set("Content-Type", "application/json")), new Response(c, t);
+		}
+		if (e.rateLimit = {
+			current: d,
+			limit: n,
+			reset: new Date(f),
+			remaining: n - d
+		}, o === "include") {
+			let t = {
+				"X-RateLimit-Limit": String(n),
+				"X-RateLimit-Remaining": String(n - d),
+				"X-RateLimit-Reset": String(Math.floor(f / 1e3))
+			}, r = e.setHeaders;
+			e.setHeaders = (e) => {
+				r({
+					...t,
+					...e
+				});
+			}, r(t);
+		}
+		return t();
+	};
+}
+function te(e) {
 	let { windowMs: t = 6e4, max: n, key: r = (e) => e.getClientAddress(), message: i = "Too many requests, please try again later.", statusCode: a = 429, headers: o = "include", onRateLimit: s, store: c = new E({ windowMs: t }) } = e;
 	return async (e, t) => {
-		let l = `rl:${r(e)}`, { current: u, reset: d } = await c.incr(l), f = Math.ceil((d - Date.now()) / 1e3);
-		if (u > n) {
-			s && s(e, {
-				current: u,
-				max: n,
-				key: l
-			});
+		let l = r(e);
+		if (typeof l != "string" || !/^[a-zA-Z0-9_.-]+$/.test(l)) throw Error("Invalid rate limit key: only alphanumeric, underscore, dot, and hyphen allowed");
+		let u = `rl:${l}`, { current: d, reset: f } = await c.incr(u), p = Math.ceil((f - Date.now()) / 1e3);
+		if (d > n) {
+			if (s) {
+				let t = f - Date.now();
+				s(e, {
+					current: d,
+					max: n,
+					key: u,
+					reset: Math.floor(f / 1e3),
+					remaining: 0,
+					resetTimeMs: t
+				});
+			}
 			let t = {
 				status: a,
 				headers: new Headers()
 			}, r = t.headers;
-			o === "include" && (r.set("X-RateLimit-Limit", String(n)), r.set("X-RateLimit-Remaining", "0"), r.set("X-RateLimit-Reset", String(Math.floor(d / 1e3))), r.set("Retry-After", String(f)));
+			o === "include" && (r.set("X-RateLimit-Limit", String(n)), r.set("X-RateLimit-Remaining", "0"), r.set("X-RateLimit-Reset", String(Math.floor(f / 1e3))), r.set("Retry-After", String(p)));
 			let c;
 			return typeof i == "string" ? (c = i, r.set("Content-Type", "text/plain")) : (c = JSON.stringify(i), r.set("Content-Type", "application/json")), new Response(c, t);
 		}
 		if (e.rateLimit = {
-			current: u,
+			current: d,
 			limit: n,
-			reset: new Date(d),
-			remaining: n - u
+			reset: new Date(f),
+			remaining: n - d
 		}, o === "include") {
 			let t = {
 				"X-RateLimit-Limit": String(n),
-				"X-RateLimit-Remaining": String(n - u),
-				"X-RateLimit-Reset": String(Math.floor(d / 1e3))
+				"X-RateLimit-Remaining": String(n - d),
+				"X-RateLimit-Reset": String(Math.floor(f / 1e3))
 			}, r = e.setHeaders;
 			e.setHeaders = (e) => {
 				r({
@@ -99,7 +187,7 @@ function O(e) {
 }
 //#endregion
 //#region src/middlewares/cros/index.ts
-var ee = /* @__PURE__ */ S({ policy: () => M }), te = [
+var ne = /* @__PURE__ */ S({ policy: () => M }), re = [
 	"GET",
 	"POST",
 	"PUT",
@@ -107,7 +195,7 @@ var ee = /* @__PURE__ */ S({ policy: () => M }), te = [
 	"PATCH",
 	"HEAD",
 	"OPTIONS"
-], ne = [
+], ie = [
 	"Accept",
 	"Accept-Language",
 	"Content-Language",
@@ -131,7 +219,7 @@ function j(e, t) {
 	return e ? n === "*" ? t.credentials ? e : "*" : A(e, n) ? e : null : n === "*" ? "*" : null;
 }
 function M(e = {}) {
-	let { methods: t = te, allowedHeaders: n = k, exposedHeaders: r, credentials: i = !1, maxAge: a = 86400, onResponse: o } = e, s = t.join(","), c = [...ne, ...n].join(","), l = [
+	let { methods: t = re, allowedHeaders: n = k, exposedHeaders: r, credentials: i = !1, maxAge: a = 86400, onResponse: o } = e, s = t.join(","), c = [...ie, ...n].join(","), l = [
 		["Vary", "Origin,Access-Control-Request-Method,Access-Control-Request-Headers"],
 		["Access-Control-Allow-Methods", s],
 		["Access-Control-Allow-Headers", c]
@@ -192,25 +280,35 @@ function I(e, t, n) {
 //#region src/middlewares/requestid/index.ts
 var L = /* @__PURE__ */ S({ assign: () => R });
 function R(t = {}) {
-	let n = t.headerName?.toLowerCase() ?? "x-request-id", r = t.generate ?? e;
+	let n = t.headerName?.toLowerCase() ?? "x-request-id", r = t.generate ?? e, i = t.clientRequestId ?? !1;
 	return async (e, t) => {
-		let i = e.request.headers.get(n) ?? r();
-		Object.assign(e.locals, { requestId: i });
-		let a = await t();
-		if (!a) return;
-		if (a.headers.has(n)) return a;
-		let o = new Headers(a.headers);
-		return o.set(n, i), new Response(a.body, {
-			status: a.status,
-			statusText: a.statusText,
-			headers: o
+		let a = e.request.headers.get(n) ?? r();
+		if (i) {
+			let t = e.request.headers.get("x-client-request-id");
+			if (t !== null) {
+				if (!z(t) || t.length > 512) return new Response("Invalid X-Client-Request-Id header", { status: 400 });
+				a = t;
+			}
+		}
+		Object.assign(e.locals, { requestId: a });
+		let o = await t();
+		if (!o) return;
+		if (o.headers.has(n)) return o;
+		let s = new Headers(o.headers);
+		return s.set(n, a), new Response(o.body, {
+			status: o.status,
+			statusText: o.statusText,
+			headers: s
 		});
 	};
 }
+function z(e) {
+	return /^[\x00-\x7F]*$/.test(e);
+}
 //#endregion
 //#region src/middlewares/timeout/index.ts
-var z = /* @__PURE__ */ S({ deadline: () => B });
-function B(e) {
+var B = /* @__PURE__ */ S({ deadline: () => V });
+function V(e) {
 	let { ms: t, status: n = 504, body: r = "Gateway Timeout", onTimeout: i } = e;
 	if (!Number.isFinite(t) || t <= 0) throw TypeError("Timeout.deadline requires a positive ms value");
 	return async (e, a) => {
@@ -235,7 +333,7 @@ function B(e) {
 }
 //#endregion
 //#region src/types/RequestMethod.ts
-var V = [
+var H = [
 	"GET",
 	"PUT",
 	"POST",
@@ -243,7 +341,7 @@ var V = [
 	"PATCH",
 	"HEAD",
 	"OPTIONS"
-], H = class {
+], U = class {
 	static {
 		this.cache = /* @__PURE__ */ new Map();
 	}
@@ -253,7 +351,7 @@ var V = [
 	static set(e, t) {
 		this.cache.set(e, t);
 	}
-}, U = class {
+}, W = class {
 	constructor() {
 		this._routes = [], this._wsRoutes = [], this._nestedRouters = [], this._middlewares = [], this._preHandlers = [], this._postHandlers = [], this.routesSorted = !1, this.wsRoutesSorted = !1;
 	}
@@ -285,7 +383,7 @@ var V = [
 		return this.addHandler("OPTIONS", e, t, n);
 	}
 	USE(e, t, ...n) {
-		return V.forEach((r) => this.addHandler(r, e, t, n)), this;
+		return H.forEach((r) => this.addHandler(r, e, t, n)), this;
 	}
 	action(e, t, ...n) {
 		return this.addHandler("POST", e, async (e) => {
@@ -441,7 +539,7 @@ var V = [
 		}), this.routesSorted = !1, this;
 	}
 	createPathRegex(e) {
-		let t = H.get(e);
+		let t = U.get(e);
 		if (t) return t;
 		let n = [], r = !1, i, a = e.split("/").filter(Boolean);
 		i = a.reduce((e, t) => t.startsWith("[...") ? e - 10 : t.startsWith("[[") ? e - 5 : t.startsWith("[") ? e - 1 : e + 1, 0);
@@ -464,7 +562,7 @@ var V = [
 			isCatchAll: r,
 			priority: i
 		};
-		return H.set(e, s), s;
+		return U.set(e, s), s;
 	}
 	createPrefixRegex(e) {
 		let t = [], n = !1, r, i = e.split("/").filter(Boolean);
@@ -557,17 +655,17 @@ var V = [
 		this._wsRoutes.sort((e, t) => t.priority - e.priority), this.wsRoutesSorted = !0;
 	}
 	formatActionResult(e) {
-		return e instanceof Response ? e : e?.type === "failure" && "status" in e ? W.fail(e.status, e.data) : W.success(200, e ?? void 0);
+		return e instanceof Response ? e : e?.type === "failure" && "status" in e ? G.fail(e.status, e.data) : G.success(200, e ?? void 0);
 	}
 	handleActionError(e) {
-		if (C(e)) return W.error(e.status, { message: e.statusText || "Error" });
+		if (C(e)) return G.error(e.status, { message: e.statusText || "Error" });
 		if (w(e)) {
 			let t = e.headers.get("Location") || "/";
-			return W.redirect(e.status, t);
+			return G.redirect(e.status, t);
 		}
-		return console.error(e), W.error(500, { message: "Internal Server Error" });
+		return console.error(e), G.error(500, { message: "Internal Server Error" });
 	}
-}, W = {
+}, G = {
 	success: (e = 200, t) => new Response(JSON.stringify({
 		data: t,
 		type: "success",
@@ -600,7 +698,7 @@ var V = [
 		status: e,
 		headers: { "Content-Type": "application/json" }
 	})
-}, re = class {
+}, K = class {
 	constructor(e, t) {
 		this.raw = e.headers.get("cookie") ?? "", this.setCookieHeader = t;
 	}
@@ -622,11 +720,11 @@ var V = [
 			maxAge: 0
 		});
 	}
-}, G = class extends Error {
+}, q = class extends Error {
 	constructor(e = "Payload Too Large") {
 		super(e), this.status = 413, this.name = "PayloadTooLargeError";
 	}
-}, K = class extends U {
+}, J = class extends W {
 	constructor(e) {
 		super(), this.upgradeHandlerInstalled = !1, this.config = e ?? {
 			type: "http",
@@ -736,7 +834,7 @@ var V = [
 		if (!t) return e;
 		let n = 0, r = new a({ transform(e, r, i) {
 			if (n += Buffer.byteLength(e), n > t) {
-				i(new G());
+				i(new q());
 				return;
 			}
 			i(null, e);
@@ -762,7 +860,7 @@ var V = [
 		if (!this.isTrustedProxy(t)) return this.normalizeAddress(t);
 		let n = e.headers["x-forwarded-for"];
 		if (!n) return this.normalizeAddress(t);
-		let r = this.parseForwardedHeader(n);
+		let r = this.parseForwardedHeader(n).filter((e) => this.isValidIP(e));
 		r.push(t);
 		for (let e = r.length - 1; e >= 0; --e) {
 			let t = r[e];
@@ -806,6 +904,19 @@ var V = [
 	normalizeAddress(e) {
 		return e.startsWith("::ffff:") ? e.slice(7) : e;
 	}
+	isValidIP(e) {
+		if (e.includes(":")) {
+			if (e.includes(":::")) return !1;
+			let t = e.split(":");
+			return t.length <= 8 && t.every((e) => e === "" || /^[0-9a-fA-F]+$/.test(e));
+		}
+		let t = e.split(".");
+		return t.length === 4 && t.every((e) => {
+			if (e === "" || e.length > 3) return !1;
+			let t = parseInt(e, 10);
+			return !isNaN(t) && t >= 0 && t <= 255 && e === String(t);
+		});
+	}
 	parseForwardedHeader(e) {
 		return (Array.isArray(e) ? e.join(",") : e).split(",").map((e) => this.normalizeAddress(e.trim())).filter(Boolean);
 	}
@@ -830,7 +941,7 @@ var V = [
 		return Number.isFinite(r) && r <= t;
 	}
 	handleError(e) {
-		if (e instanceof G) return new Response(e.message, { status: e.status });
+		if (e instanceof q) return new Response(e.message, { status: e.status });
 		if (C(e)) return new Response(JSON.stringify({
 			error: e.statusText || "Error",
 			status: e.status
@@ -928,7 +1039,7 @@ var V = [
 		r && t.set(n, r);
 	}
 	toRequestEvent(e, t, n) {
-		let r = new re(e, n.pushSetCookie), i = this.config, a = {}, o = {
+		let r = new K(e, n.pushSetCookie), i = this.config, a = {}, o = {
 			name: "node-webserver",
 			dev: this.isDevelopment()
 		}, s = /* @__PURE__ */ new Set(), c = {
@@ -956,7 +1067,7 @@ var V = [
 		}, l = this.createEventFetch(c, n);
 		return i.locals && Object.assign(a, i.locals(c)), i.platform && Object.assign(o, i.platform(c)), c;
 	}
-}, q = {
+}, Y = {
 	".avif": "image/avif",
 	".css": "text/css; charset=utf-8",
 	".gif": "image/gif",
@@ -974,24 +1085,24 @@ var V = [
 	".wasm": "application/wasm",
 	".webp": "image/webp",
 	".xml": "application/xml; charset=utf-8"
-}, J = {
+}, ae = {
 	index: "index.html",
 	cacheControl: "public, max-age=0",
 	dotFiles: "ignore"
 };
-async function Y(e, t, n = {}) {
-	let r = $(t), i = {
-		...J,
+async function X(e, t, n = {}) {
+	let r = ue(t), i = {
+		...ae,
 		...n
-	}, a = await X(e), o = ie(r, i.dotFiles);
+	}, a = await oe(e), o = se(r, i.dotFiles);
 	if (o instanceof Response) return o;
 	let s = v(a, o.length > 0 ? o.join(y) : "");
 	if (!Q(a, s)) return new Response("Forbidden", { status: 403 });
-	let c = await ae(s, a, i.index);
+	let c = await ce(s, a, i.index);
 	if (c instanceof Response) return c;
 	let l = await m(c), u = new Headers({
 		"content-length": String(l.size),
-		"content-type": oe(c),
+		"content-type": le(c),
 		"cache-control": i.cacheControl,
 		"last-modified": l.mtime.toUTCString(),
 		"x-content-type-options": "nosniff"
@@ -1007,10 +1118,10 @@ async function Y(e, t, n = {}) {
 		headers: u
 	});
 }
-async function X(e) {
+async function oe(e) {
 	return p(e);
 }
-function ie(e, t) {
+function se(e, t) {
 	if (e.includes("\0")) return new Response("Bad Request", { status: 400 });
 	let n = e.replace(/\\/g, "/").split("/").filter(Boolean), r = [];
 	for (let e of n) {
@@ -1031,7 +1142,7 @@ function ie(e, t) {
 	}
 	return r;
 }
-async function ae(e, t, n) {
+async function ce(e, t, n) {
 	try {
 		return (await f(e)).isDirectory() ? Z(v(e, n), t) : Z(e, t);
 	} catch {
@@ -1050,13 +1161,13 @@ function Q(e, t) {
 	let n = _(e, t);
 	return n === "" || !n.startsWith("..") && !g(n);
 }
-function oe(e) {
-	return q[h(e).toLowerCase()] ?? "application/octet-stream";
+function le(e) {
+	return Y[h(e).toLowerCase()] ?? "application/octet-stream";
 }
-function $(e) {
+function ue(e) {
 	return typeof e.params.path == "string" ? e.params.path : e.url.pathname.replace(/^\/+/, "");
 }
-var se = (e, t = {}) => (n) => Y(e, n, t), ce = (e, ...t) => async (n) => {
+var de = (e, t = {}) => (n) => X(e, n, t), fe = (e, ...t) => async (n) => {
 	let r = {};
 	for (let e of t) {
 		let t = await e(n);
@@ -1067,16 +1178,19 @@ var se = (e, t = {}) => (n) => Y(e, n, t), ce = (e, ...t) => async (n) => {
 };
 //#endregion
 //#region src/helpers/sse.ts
-function le(e, t = {}) {
+function pe(e, t = {}) {
 	let n = [];
-	if (t.comment) for (let e of t.comment.split(/\r?\n/)) n.push(`: ${e}`);
+	if (t.comment) {
+		let e = t.comment.replace(/\r\n/g, " ").replace(/\r/g, " ").replace(/\n/g, " ");
+		n.push(`: ${e}`);
+	}
 	if (t.event && n.push(`event: ${t.event}`), t.id && n.push(`id: ${t.id}`), t.retry !== void 0 && n.push(`retry: ${t.retry}`), e !== void 0) {
 		let t = typeof e == "string" ? e : JSON.stringify(e);
 		for (let e of t.split(/\r?\n/)) n.push(`data: ${e}`);
 	}
 	return `${n.join("\n")}\n\n`;
 }
-var ue = (e, t = {}) => (n) => {
+var $ = (e, t = {}) => (n) => {
 	let r = new TextEncoder(), i = null, a = !1, o, s = async () => {
 		if (!a) {
 			a = !0;
@@ -1092,7 +1206,7 @@ var ue = (e, t = {}) => (n) => {
 		async start(t) {
 			i = t;
 			let c = (e, n = {}) => {
-				a || t.enqueue(r.encode(le(e, n)));
+				a || t.enqueue(r.encode(pe(e, n)));
 			};
 			n.request.signal.addEventListener("abort", () => {
 				s();
@@ -1120,7 +1234,7 @@ var ue = (e, t = {}) => (n) => {
 			...t.headers
 		}
 	});
-}, de = async (e, t) => {
+}, me = async (e, t) => {
 	let n = JSON.stringify(await e);
 	return new Response(n, {
 		...t,
@@ -1131,19 +1245,19 @@ var ue = (e, t = {}) => (n) => {
 		}
 	});
 };
-function fe(e, t) {
+function he(e, t) {
 	throw new Response(null, {
 		status: e,
 		headers: { location: t.toString() }
 	});
 }
-function pe(e, t) {
+function ge(e, t) {
 	throw new Response(JSON.stringify(typeof t == "string" ? { message: t } : t), {
 		status: e,
 		headers: { "content-type": "application/json" }
 	});
 }
-var me = async (e, t) => {
+var _e = async (e, t) => {
 	let n = await e;
 	return new Response(n, {
 		...t,
@@ -1153,7 +1267,7 @@ var me = async (e, t) => {
 			...t?.headers
 		}
 	});
-}, he = async (e, t) => {
+}, ve = async (e, t) => {
 	let n = await e;
 	return new Response(n, {
 		...t,
@@ -1165,6 +1279,6 @@ var me = async (e, t) => {
 	});
 };
 //#endregion
-export { W as Action, ee as CORS, D as RateLimiter, L as RequestId, V as RequestMethods, U as Router, N as Security, z as Timeout, K as WebServer, se as dir, ce as enhance, pe as error, he as html, C as isHttpError, w as isRedirect, T as isResponse, de as json, fe as redirect, Y as serveStatic, ue as sse, me as text };
+export { G as Action, ne as CORS, ee as RateLimiter, L as RequestId, H as RequestMethods, W as Router, N as Security, B as Timeout, J as WebServer, de as dir, fe as enhance, ge as error, ve as html, C as isHttpError, w as isRedirect, T as isResponse, me as json, he as redirect, X as serveStatic, $ as sse, _e as text };
 
 //# sourceMappingURL=index.es.js.map