@tapflowio/relay 0.8.1 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/RelayServer.d.ts +13 -0
- package/dist/RelayServer.d.ts.map +1 -1
- package/dist/RelayServer.js +80 -9
- package/dist/RelayServer.js.map +1 -1
- package/dist/api/auth.d.ts +3 -2
- package/dist/api/auth.d.ts.map +1 -1
- package/dist/api/auth.js +37 -3
- package/dist/api/auth.js.map +1 -1
- package/dist/api/builds.d.ts.map +1 -1
- package/dist/api/builds.js +14 -13
- package/dist/api/builds.js.map +1 -1
- package/dist/api/comments.d.ts.map +1 -1
- package/dist/api/comments.js +23 -10
- package/dist/api/comments.js.map +1 -1
- package/dist/api/team.d.ts.map +1 -1
- package/dist/api/team.js +4 -2
- package/dist/api/team.js.map +1 -1
- package/dist/index.d.ts +7 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +3 -0
- package/dist/index.js.map +1 -1
- package/dist/lib/cert/AcmeCertProvider.d.ts +55 -0
- package/dist/lib/cert/AcmeCertProvider.d.ts.map +1 -0
- package/dist/lib/cert/AcmeCertProvider.js +62 -0
- package/dist/lib/cert/AcmeCertProvider.js.map +1 -0
- package/dist/lib/cert/AcmeClientIssuer.d.ts +23 -0
- package/dist/lib/cert/AcmeClientIssuer.d.ts.map +1 -0
- package/dist/lib/cert/AcmeClientIssuer.js +54 -0
- package/dist/lib/cert/AcmeClientIssuer.js.map +1 -0
- package/dist/lib/cert/CertProvider.d.ts +30 -0
- package/dist/lib/cert/CertProvider.d.ts.map +1 -0
- package/dist/lib/cert/CertProvider.js +4 -0
- package/dist/lib/cert/CertProvider.js.map +1 -0
- package/dist/lib/cert/CloudflareDnsProvider.d.ts +40 -0
- package/dist/lib/cert/CloudflareDnsProvider.d.ts.map +1 -0
- package/dist/lib/cert/CloudflareDnsProvider.js +93 -0
- package/dist/lib/cert/CloudflareDnsProvider.js.map +1 -0
- package/dist/lib/cert/DiskCertStore.d.ts +10 -0
- package/dist/lib/cert/DiskCertStore.d.ts.map +1 -0
- package/dist/lib/cert/DiskCertStore.js +35 -0
- package/dist/lib/cert/DiskCertStore.js.map +1 -0
- package/dist/lib/cert/DnsProvider.d.ts +7 -0
- package/dist/lib/cert/DnsProvider.d.ts.map +1 -0
- package/dist/lib/cert/DnsProvider.js +2 -0
- package/dist/lib/cert/DnsProvider.js.map +1 -0
- package/dist/lib/cert/ImportCertProvider.d.ts +20 -0
- package/dist/lib/cert/ImportCertProvider.d.ts.map +1 -0
- package/dist/lib/cert/ImportCertProvider.js +24 -0
- package/dist/lib/cert/ImportCertProvider.js.map +1 -0
- package/dist/lib/cert/VercelDnsProvider.d.ts +38 -0
- package/dist/lib/cert/VercelDnsProvider.d.ts.map +1 -0
- package/dist/lib/cert/VercelDnsProvider.js +146 -0
- package/dist/lib/cert/VercelDnsProvider.js.map +1 -0
- package/dist/lib/cert/accountKey.d.ts +2 -0
- package/dist/lib/cert/accountKey.d.ts.map +1 -0
- package/dist/lib/cert/accountKey.js +23 -0
- package/dist/lib/cert/accountKey.js.map +1 -0
- package/dist/lib/cert/addressPublisher.d.ts +20 -0
- package/dist/lib/cert/addressPublisher.d.ts.map +1 -0
- package/dist/lib/cert/addressPublisher.js +103 -0
- package/dist/lib/cert/addressPublisher.js.map +1 -0
- package/dist/lib/cert/createCertProvider.d.ts +20 -0
- package/dist/lib/cert/createCertProvider.d.ts.map +1 -0
- package/dist/lib/cert/createCertProvider.js +25 -0
- package/dist/lib/cert/createCertProvider.js.map +1 -0
- package/dist/lib/cert/dnsRegistry.d.ts +24 -0
- package/dist/lib/cert/dnsRegistry.d.ts.map +1 -0
- package/dist/lib/cert/dnsRegistry.js +36 -0
- package/dist/lib/cert/dnsRegistry.js.map +1 -0
- package/dist/lib/cert/index.d.ts +23 -0
- package/dist/lib/cert/index.d.ts.map +1 -0
- package/dist/lib/cert/index.js +12 -0
- package/dist/lib/cert/index.js.map +1 -0
- package/dist/lib/cert/parseCert.d.ts +3 -0
- package/dist/lib/cert/parseCert.d.ts.map +1 -0
- package/dist/lib/cert/parseCert.js +6 -0
- package/dist/lib/cert/parseCert.js.map +1 -0
- package/dist/lib/cert/renewal.d.ts +13 -0
- package/dist/lib/cert/renewal.d.ts.map +1 -0
- package/dist/lib/cert/renewal.js +28 -0
- package/dist/lib/cert/renewal.js.map +1 -0
- package/dist/lib/clientAddress.d.ts +12 -0
- package/dist/lib/clientAddress.d.ts.map +1 -0
- package/dist/lib/clientAddress.js +46 -0
- package/dist/lib/clientAddress.js.map +1 -0
- package/dist/lib/config.d.ts +25 -0
- package/dist/lib/config.d.ts.map +1 -1
- package/dist/lib/config.js +69 -3
- package/dist/lib/config.js.map +1 -1
- package/dist/lib/cors.d.ts +2 -0
- package/dist/lib/cors.d.ts.map +1 -0
- package/dist/lib/cors.js +18 -0
- package/dist/lib/cors.js.map +1 -0
- package/dist/lib/csrf.d.ts +3 -0
- package/dist/lib/csrf.d.ts.map +1 -0
- package/dist/lib/csrf.js +42 -0
- package/dist/lib/csrf.js.map +1 -0
- package/dist/lib/loadEnvFile.d.ts +2 -0
- package/dist/lib/loadEnvFile.d.ts.map +1 -0
- package/dist/lib/loadEnvFile.js +17 -0
- package/dist/lib/loadEnvFile.js.map +1 -0
- package/dist/lib/proxyConfig.d.ts +6 -0
- package/dist/lib/proxyConfig.d.ts.map +1 -0
- package/dist/lib/proxyConfig.js +27 -0
- package/dist/lib/proxyConfig.js.map +1 -0
- package/dist/lib/publicUrl.d.ts +3 -0
- package/dist/lib/publicUrl.d.ts.map +1 -0
- package/dist/lib/publicUrl.js +17 -0
- package/dist/lib/publicUrl.js.map +1 -0
- package/dist/lib/uploads.d.ts +2 -0
- package/dist/lib/uploads.d.ts.map +1 -0
- package/dist/lib/uploads.js +14 -0
- package/dist/lib/uploads.js.map +1 -0
- package/dist/middleware/rateLimit.d.ts +18 -0
- package/dist/middleware/rateLimit.d.ts.map +1 -0
- package/dist/middleware/rateLimit.js +55 -0
- package/dist/middleware/rateLimit.js.map +1 -0
- package/dist/router.d.ts.map +1 -1
- package/dist/router.js +13 -1
- package/dist/router.js.map +1 -1
- package/dist/server.js +44 -5
- package/dist/server.js.map +1 -1
- package/package.json +6 -5
- package/public/assets/AppCenter-CaY73Tvf.js +16 -0
- package/public/assets/AppCenter-CaY73Tvf.js.br +0 -0
- package/public/assets/Default-DQiKj0NT.js +1 -0
- package/public/assets/Default-DQiKj0NT.js.br +0 -0
- package/public/assets/Invite-B4MMcQtw.js +1 -0
- package/public/assets/Invite-B4MMcQtw.js.br +0 -0
- package/public/assets/MacResources-BfZAJ5BP.js +5 -0
- package/public/assets/MacResources-BfZAJ5BP.js.br +0 -0
- package/public/assets/NotFound-D85RKzwv.js +1 -0
- package/public/assets/NotFound-D85RKzwv.js.br +0 -0
- package/public/assets/QASession-B9FSUtZo.js +130 -0
- package/public/assets/QASession-B9FSUtZo.js.br +0 -0
- package/public/assets/ResetPassword-Degmb6sl.js +1 -0
- package/public/assets/ResetPassword-Degmb6sl.js.br +0 -0
- package/public/assets/Setup-DKOFxDo2.js +1 -0
- package/public/assets/Setup-DKOFxDo2.js.br +0 -0
- package/public/assets/Team-Bgspan2B.js +6 -0
- package/public/assets/Team-Bgspan2B.js.br +0 -0
- package/public/assets/Tokens-C3u48FUG.js +6 -0
- package/public/assets/Tokens-C3u48FUG.js.br +0 -0
- package/public/assets/alert-dialog-Ci_cWoVo.js +7 -0
- package/public/assets/alert-dialog-Ci_cWoVo.js.br +0 -0
- package/public/assets/badge-Cktrrdvf.js +1 -0
- package/public/assets/badge-Cktrrdvf.js.br +0 -0
- package/public/assets/build-format-Blzidb1D.js +11 -0
- package/public/assets/build-format-Blzidb1D.js.br +0 -0
- package/public/assets/dialog-BuZjQWBQ.js +11 -0
- package/public/assets/dialog-BuZjQWBQ.js.br +0 -0
- package/public/assets/index-BI7E3MD-.css +1 -0
- package/public/assets/index-BI7E3MD-.css.br +0 -0
- package/public/assets/index-ClAB0eKw.js +258 -0
- package/public/assets/index-ClAB0eKw.js.br +0 -0
- package/public/assets/inter-latin-ext-standard-normal-DpK-iCPk.woff2 +0 -0
- package/public/assets/inter-latin-standard-normal-BwkfbSeq.woff2 +0 -0
- package/public/assets/jetbrains-mono-latin-ext-wght-normal-DBQx-q_a.woff2 +0 -0
- package/public/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2 +0 -0
- package/public/assets/pencil-BoxokH2R.js +6 -0
- package/public/assets/pencil-BoxokH2R.js.br +0 -0
- package/public/assets/plus-C0Y4Yk9P.js +6 -0
- package/public/assets/plus-C0Y4Yk9P.js.br +0 -0
- package/public/assets/table-NBRnBazr.js +1 -0
- package/public/assets/table-NBRnBazr.js.br +0 -0
- package/public/assets/tabs-CB9a8dpY.js +1 -0
- package/public/assets/tabs-CB9a8dpY.js.br +0 -0
- package/public/assets/tinyh264.worker-DiJ50Hai.js.br +0 -0
- package/public/favicon.svg.br +0 -0
- package/public/index.html +2 -2
- package/public/index.html.br +0 -0
- package/public/logo-dark.svg.br +0 -0
- package/public/logo.svg.br +0 -0
- package/public/assets/index-Bhoumejm.js +0 -520
- package/public/assets/index-DX5Pf9T6.css +0 -1
- package/public/assets/inter-cyrillic-400-normal-HOLc17fK.woff +0 -0
- package/public/assets/inter-cyrillic-400-normal-obahsSVq.woff2 +0 -0
- package/public/assets/inter-cyrillic-500-normal-BasfLYem.woff2 +0 -0
- package/public/assets/inter-cyrillic-500-normal-CxZf_p3X.woff +0 -0
- package/public/assets/inter-cyrillic-600-normal-4D_pXhcN.woff +0 -0
- package/public/assets/inter-cyrillic-600-normal-CWCymEST.woff2 +0 -0
- package/public/assets/inter-cyrillic-ext-400-normal-BQZuk6qB.woff2 +0 -0
- package/public/assets/inter-cyrillic-ext-400-normal-DQukG94-.woff +0 -0
- package/public/assets/inter-cyrillic-ext-500-normal-B0yAr1jD.woff2 +0 -0
- package/public/assets/inter-cyrillic-ext-500-normal-BmqWE9Dz.woff +0 -0
- package/public/assets/inter-cyrillic-ext-600-normal-Bcila6Z-.woff +0 -0
- package/public/assets/inter-cyrillic-ext-600-normal-Dfes3d0z.woff2 +0 -0
- package/public/assets/inter-greek-400-normal-B4URO6DV.woff2 +0 -0
- package/public/assets/inter-greek-400-normal-q2sYcFCs.woff +0 -0
- package/public/assets/inter-greek-500-normal-BIZE56-Y.woff2 +0 -0
- package/public/assets/inter-greek-500-normal-Xzm54t5V.woff +0 -0
- package/public/assets/inter-greek-600-normal-BZpKdvQh.woff +0 -0
- package/public/assets/inter-greek-600-normal-plRanbMR.woff2 +0 -0
- package/public/assets/inter-greek-ext-400-normal-DGGRlc-M.woff2 +0 -0
- package/public/assets/inter-greek-ext-400-normal-KugGGMne.woff +0 -0
- package/public/assets/inter-greek-ext-500-normal-2j5mBUwD.woff +0 -0
- package/public/assets/inter-greek-ext-500-normal-C4iEst2y.woff2 +0 -0
- package/public/assets/inter-greek-ext-600-normal-B8X0CLgF.woff +0 -0
- package/public/assets/inter-greek-ext-600-normal-DRtmH8MT.woff2 +0 -0
- package/public/assets/inter-latin-400-normal-C38fXH4l.woff2 +0 -0
- package/public/assets/inter-latin-400-normal-CyCys3Eg.woff +0 -0
- package/public/assets/inter-latin-500-normal-BL9OpVg8.woff +0 -0
- package/public/assets/inter-latin-500-normal-Cerq10X2.woff2 +0 -0
- package/public/assets/inter-latin-600-normal-CiBQ2DWP.woff +0 -0
- package/public/assets/inter-latin-600-normal-LgqL8muc.woff2 +0 -0
- package/public/assets/inter-latin-ext-400-normal-77YHD8bZ.woff +0 -0
- package/public/assets/inter-latin-ext-400-normal-C1nco2VV.woff2 +0 -0
- package/public/assets/inter-latin-ext-500-normal-BxGbmqWO.woff +0 -0
- package/public/assets/inter-latin-ext-500-normal-CV4jyFjo.woff2 +0 -0
- package/public/assets/inter-latin-ext-600-normal-CIVaiw4L.woff +0 -0
- package/public/assets/inter-latin-ext-600-normal-D2bJ5OIk.woff2 +0 -0
- package/public/assets/inter-vietnamese-400-normal-Bbgyi5SW.woff +0 -0
- package/public/assets/inter-vietnamese-400-normal-DMkecbls.woff2 +0 -0
- package/public/assets/inter-vietnamese-500-normal-DOriooB6.woff2 +0 -0
- package/public/assets/inter-vietnamese-500-normal-mJboJaSs.woff +0 -0
- package/public/assets/inter-vietnamese-600-normal-BuLX-rYi.woff +0 -0
- package/public/assets/inter-vietnamese-600-normal-Cc8MFFhd.woff2 +0 -0
- package/public/assets/jetbrains-mono-cyrillic-400-normal-BEIGL1Tu.woff2 +0 -0
- package/public/assets/jetbrains-mono-cyrillic-400-normal-ugxPyKxw.woff +0 -0
- package/public/assets/jetbrains-mono-greek-400-normal-B9oWc5Lo.woff +0 -0
- package/public/assets/jetbrains-mono-greek-400-normal-C190GLew.woff2 +0 -0
- package/public/assets/jetbrains-mono-latin-400-normal-6-qcROiO.woff +0 -0
- package/public/assets/jetbrains-mono-latin-400-normal-V6pRDFza.woff2 +0 -0
- package/public/assets/jetbrains-mono-latin-ext-400-normal-Bc8Ftmh3.woff2 +0 -0
- package/public/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woff +0 -0
- package/public/assets/jetbrains-mono-vietnamese-400-normal-CqNFfHCs.woff +0 -0
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
import path from 'path';
|
|
2
|
+
import { AcmeCertProvider } from './AcmeCertProvider.js';
|
|
3
|
+
import { AcmeClientIssuer } from './AcmeClientIssuer.js';
|
|
4
|
+
import { dnsProviders } from './dnsRegistry.js';
|
|
5
|
+
import { ImportCertProvider } from './ImportCertProvider.js';
|
|
6
|
+
import { DiskCertStore } from './DiskCertStore.js';
|
|
7
|
+
/** config.tls를 적절한 CertProvider로 매핑한다. 비밀(토큰)은 env에서 읽는다. */
|
|
8
|
+
export function createCertProvider(tls, deps) {
|
|
9
|
+
if (tls.mode === 'import-cert') {
|
|
10
|
+
return new ImportCertProvider({ certPath: tls.certPath, keyPath: tls.keyPath });
|
|
11
|
+
}
|
|
12
|
+
// byo-api-token: 레지스트리에서 provider를 찾아 자기 DNS 계정 토큰(env)으로 DNS-01.
|
|
13
|
+
const entry = dnsProviders.get(tls.dnsProvider);
|
|
14
|
+
if (!entry)
|
|
15
|
+
throw new Error(`unknown dnsProvider "${tls.dnsProvider}" — available: ${dnsProviders.names().join(', ')}`);
|
|
16
|
+
const dns = entry.fromEnv();
|
|
17
|
+
const issuer = new AcmeClientIssuer({
|
|
18
|
+
email: deps.email ?? process.env.TAPFLOW_ACME_EMAIL ?? '',
|
|
19
|
+
staging: deps.staging ?? process.env.TAPFLOW_ACME_STAGING === '1',
|
|
20
|
+
accountKeyPath: path.join(deps.dataDir, 'tls', 'account.pem'),
|
|
21
|
+
});
|
|
22
|
+
const store = new DiskCertStore(path.join(deps.dataDir, 'tls'));
|
|
23
|
+
return new AcmeCertProvider({ domain: tls.domain, dns, issuer, store });
|
|
24
|
+
}
|
|
25
|
+
//# sourceMappingURL=createCertProvider.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"createCertProvider.js","sourceRoot":"","sources":["../../../src/lib/cert/createCertProvider.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAA;AAGvB,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAelD,6DAA6D;AAC7D,MAAM,UAAU,kBAAkB,CAAC,GAAc,EAAE,IAA4B;IAC7E,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QAC/B,OAAO,IAAI,kBAAkB,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;IACjF,CAAC;IACD,kEAAkE;IAClE,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IAC/C,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,CAAC,WAAW,kBAAkB,YAAY,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IACvH,MAAM,GAAG,GAAgB,KAAK,CAAC,OAAO,EAAE,CAAA;IACxC,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC;QAClC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE;QACzD,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,KAAK,GAAG;QACjE,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,aAAa,CAAC;KAC9D,CAAC,CAAA;IACF,MAAM,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAA;IAC/D,OAAO,IAAI,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAA;AACzE,CAAC"}
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
import type { DnsProvider } from './DnsProvider.js';
|
|
2
|
+
export interface DnsProviderEntry {
|
|
3
|
+
/** config의 dnsProvider 값이자 식별자. */
|
|
4
|
+
name: string;
|
|
5
|
+
/** wizard 표시 라벨. */
|
|
6
|
+
label: string;
|
|
7
|
+
/** wizard 힌트. */
|
|
8
|
+
hint: string;
|
|
9
|
+
/** 자격 증명 env 변수(검증·요약용). 비밀은 config가 아니라 env에서만 읽는다. */
|
|
10
|
+
envVars: string[];
|
|
11
|
+
/** env에서 자격을 읽어 DnsProvider를 만든다(미설정 시 throw). */
|
|
12
|
+
fromEnv(zoneName?: string): DnsProvider;
|
|
13
|
+
}
|
|
14
|
+
declare class DnsProviderRegistry {
|
|
15
|
+
private readonly entries;
|
|
16
|
+
register(entry: DnsProviderEntry): void;
|
|
17
|
+
get(name: string): DnsProviderEntry | undefined;
|
|
18
|
+
has(name: string): boolean;
|
|
19
|
+
list(): DnsProviderEntry[];
|
|
20
|
+
names(): string[];
|
|
21
|
+
}
|
|
22
|
+
export declare const dnsProviders: DnsProviderRegistry;
|
|
23
|
+
export {};
|
|
24
|
+
//# sourceMappingURL=dnsRegistry.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dnsRegistry.d.ts","sourceRoot":"","sources":["../../../src/lib/cert/dnsRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAA;AAMnD,MAAM,WAAW,gBAAgB;IAC/B,mCAAmC;IACnC,IAAI,EAAE,MAAM,CAAA;IACZ,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAA;IACb,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAA;IACZ,wDAAwD;IACxD,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,kDAAkD;IAClD,OAAO,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,WAAW,CAAA;CACxC;AAED,cAAM,mBAAmB;IACvB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAsC;IAC9D,QAAQ,CAAC,KAAK,EAAE,gBAAgB,GAAG,IAAI;IAGvC,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAG/C,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAG1B,IAAI,IAAI,gBAAgB,EAAE;IAG1B,KAAK,IAAI,MAAM,EAAE;CAGlB;AAED,eAAO,MAAM,YAAY,qBAA4B,CAAA"}
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
import { cloudflareDnsFromEnv } from './CloudflareDnsProvider.js';
|
|
2
|
+
import { vercelDnsFromEnv } from './VercelDnsProvider.js';
|
|
3
|
+
class DnsProviderRegistry {
|
|
4
|
+
entries = new Map();
|
|
5
|
+
register(entry) {
|
|
6
|
+
this.entries.set(entry.name, entry);
|
|
7
|
+
}
|
|
8
|
+
get(name) {
|
|
9
|
+
return this.entries.get(name);
|
|
10
|
+
}
|
|
11
|
+
has(name) {
|
|
12
|
+
return this.entries.has(name);
|
|
13
|
+
}
|
|
14
|
+
list() {
|
|
15
|
+
return [...this.entries.values()];
|
|
16
|
+
}
|
|
17
|
+
names() {
|
|
18
|
+
return [...this.entries.keys()];
|
|
19
|
+
}
|
|
20
|
+
}
|
|
21
|
+
export const dnsProviders = new DnsProviderRegistry();
|
|
22
|
+
dnsProviders.register({
|
|
23
|
+
name: 'cloudflare',
|
|
24
|
+
label: 'Cloudflare DNS',
|
|
25
|
+
hint: 'auto-issue & renew via API token (env TAPFLOW_CLOUDFLARE_TOKEN)',
|
|
26
|
+
envVars: ['TAPFLOW_CLOUDFLARE_TOKEN'],
|
|
27
|
+
fromEnv: cloudflareDnsFromEnv,
|
|
28
|
+
});
|
|
29
|
+
dnsProviders.register({
|
|
30
|
+
name: 'vercel',
|
|
31
|
+
label: 'Vercel DNS',
|
|
32
|
+
hint: 'auto-issue & renew via API token (env TAPFLOW_VERCEL_TOKEN)',
|
|
33
|
+
envVars: ['TAPFLOW_VERCEL_TOKEN'],
|
|
34
|
+
fromEnv: vercelDnsFromEnv,
|
|
35
|
+
});
|
|
36
|
+
//# sourceMappingURL=dnsRegistry.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dnsRegistry.js","sourceRoot":"","sources":["../../../src/lib/cert/dnsRegistry.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AACjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAA;AAiBzD,MAAM,mBAAmB;IACN,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAA;IAC9D,QAAQ,CAAC,KAAuB;QAC9B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;IACrC,CAAC;IACD,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC/B,CAAC;IACD,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC/B,CAAC;IACD,IAAI;QACF,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IACnC,CAAC;IACD,KAAK;QACH,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;IACjC,CAAC;CACF;AAED,MAAM,CAAC,MAAM,YAAY,GAAG,IAAI,mBAAmB,EAAE,CAAA;AAErD,YAAY,CAAC,QAAQ,CAAC;IACpB,IAAI,EAAE,YAAY;IAClB,KAAK,EAAE,gBAAgB;IACvB,IAAI,EAAE,iEAAiE;IACvE,OAAO,EAAE,CAAC,0BAA0B,CAAC;IACrC,OAAO,EAAE,oBAAoB;CAC9B,CAAC,CAAA;AACF,YAAY,CAAC,QAAQ,CAAC;IACpB,IAAI,EAAE,QAAQ;IACd,KAAK,EAAE,YAAY;IACnB,IAAI,EAAE,6DAA6D;IACnE,OAAO,EAAE,CAAC,sBAAsB,CAAC;IACjC,OAAO,EAAE,gBAAgB;CAC1B,CAAC,CAAA"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
export type { CertProvider, CertMaterial, CertStrategy } from './CertProvider.js';
|
|
2
|
+
export type { DnsProvider } from './DnsProvider.js';
|
|
3
|
+
export { CloudflareDnsProvider, cloudflareDnsFromEnv } from './CloudflareDnsProvider.js';
|
|
4
|
+
export type { CloudflareDnsProviderOptions, FetchLike } from './CloudflareDnsProvider.js';
|
|
5
|
+
export { VercelDnsProvider, vercelDnsFromEnv } from './VercelDnsProvider.js';
|
|
6
|
+
export type { VercelDnsProviderOptions } from './VercelDnsProvider.js';
|
|
7
|
+
export { AcmeCertProvider, InMemoryCertStore } from './AcmeCertProvider.js';
|
|
8
|
+
export type { AcmeIssuer, IssuedCert, CertStore, AcmeCertProviderOptions } from './AcmeCertProvider.js';
|
|
9
|
+
export { AcmeClientIssuer } from './AcmeClientIssuer.js';
|
|
10
|
+
export type { AcmeClientIssuerOptions } from './AcmeClientIssuer.js';
|
|
11
|
+
export { ImportCertProvider } from './ImportCertProvider.js';
|
|
12
|
+
export type { ImportCertProviderOptions } from './ImportCertProvider.js';
|
|
13
|
+
export { parseCertNotAfter } from './parseCert.js';
|
|
14
|
+
export { DiskCertStore } from './DiskCertStore.js';
|
|
15
|
+
export { startCertRenewal, renewalTick } from './renewal.js';
|
|
16
|
+
export type { CertRenewalOptions } from './renewal.js';
|
|
17
|
+
export { startAddressPublisher, detectLanIPv4 } from './addressPublisher.js';
|
|
18
|
+
export type { AddressPublisherTls, AddressPublisherOptions } from './addressPublisher.js';
|
|
19
|
+
export { dnsProviders } from './dnsRegistry.js';
|
|
20
|
+
export type { DnsProviderEntry } from './dnsRegistry.js';
|
|
21
|
+
export { createCertProvider } from './createCertProvider.js';
|
|
22
|
+
export type { TlsConfig, CreateCertProviderDeps } from './createCertProvider.js';
|
|
23
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/cert/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AACjF,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAA;AACnD,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AACxF,YAAY,EAAE,4BAA4B,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAA;AACzF,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAA;AAC5E,YAAY,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAA;AACtE,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAA;AAC3E,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAA;AACvG,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,YAAY,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAA;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAC5D,YAAY,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAA;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAClD,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAC5D,YAAY,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AACtD,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AAC5E,YAAY,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAA;AACzF,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAC/C,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAC5D,YAAY,EAAE,SAAS,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAA"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
export { CloudflareDnsProvider, cloudflareDnsFromEnv } from './CloudflareDnsProvider.js';
|
|
2
|
+
export { VercelDnsProvider, vercelDnsFromEnv } from './VercelDnsProvider.js';
|
|
3
|
+
export { AcmeCertProvider, InMemoryCertStore } from './AcmeCertProvider.js';
|
|
4
|
+
export { AcmeClientIssuer } from './AcmeClientIssuer.js';
|
|
5
|
+
export { ImportCertProvider } from './ImportCertProvider.js';
|
|
6
|
+
export { parseCertNotAfter } from './parseCert.js';
|
|
7
|
+
export { DiskCertStore } from './DiskCertStore.js';
|
|
8
|
+
export { startCertRenewal, renewalTick } from './renewal.js';
|
|
9
|
+
export { startAddressPublisher, detectLanIPv4 } from './addressPublisher.js';
|
|
10
|
+
export { dnsProviders } from './dnsRegistry.js';
|
|
11
|
+
export { createCertProvider } from './createCertProvider.js';
|
|
12
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/lib/cert/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AAExF,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAA;AAE5E,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAA;AAE3E,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AAExD,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAE5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAClD,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAE5D,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AAE5E,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAE/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"parseCert.d.ts","sourceRoot":"","sources":["../../../src/lib/cert/parseCert.ts"],"names":[],"mappings":"AAEA,wDAAwD;AACxD,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAEvD"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"parseCert.js","sourceRoot":"","sources":["../../../src/lib/cert/parseCert.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAA;AAExC,wDAAwD;AACxD,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,OAAO,IAAI,IAAI,CAAC,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAA;AACvD,CAAC"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import type { CertProvider, CertMaterial } from './CertProvider.js';
|
|
2
|
+
export interface CertRenewalOptions {
|
|
3
|
+
intervalMs?: number;
|
|
4
|
+
/** 갱신이 일어났을 때(새 자료) 호출 — 예: relay TLS 컨텍스트 핫스왑. */
|
|
5
|
+
onRenew?: (material: CertMaterial) => void;
|
|
6
|
+
/** 갱신 중 오류. 미지정 시 경고 로그. 절대 전파하지 않는다. */
|
|
7
|
+
onError?: (err: unknown) => void;
|
|
8
|
+
}
|
|
9
|
+
/** 1회 점검 — renewIfNeeded 호출, 갱신 시 onRenew, 오류는 삼키고 onError/로그. */
|
|
10
|
+
export declare function renewalTick(provider: CertProvider, opts?: CertRenewalOptions): Promise<void>;
|
|
11
|
+
/** 주기 갱신 타이머를 시작하고 정지 함수를 반환한다. */
|
|
12
|
+
export declare function startCertRenewal(provider: CertProvider, opts?: CertRenewalOptions): () => void;
|
|
13
|
+
//# sourceMappingURL=renewal.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"renewal.d.ts","sourceRoot":"","sources":["../../../src/lib/cert/renewal.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAOnE,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,mDAAmD;IACnD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,CAAA;IAC1C,yCAAyC;IACzC,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,IAAI,CAAA;CACjC;AAED,kEAAkE;AAClE,wBAAsB,WAAW,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,GAAE,kBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CAQtG;AAED,mCAAmC;AACnC,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,GAAE,kBAAuB,GAAG,MAAM,IAAI,CAOlG"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import { createLogger } from '@tapflowio/agent-core';
|
|
2
|
+
const logger = createLogger('relay:cert');
|
|
3
|
+
// ACME 클라이언트 관례대로 하루 두 번 점검. 실제 발급은 만료 30일 이내일 때만 일어난다.
|
|
4
|
+
const DEFAULT_INTERVAL_MS = 12 * 60 * 60 * 1000;
|
|
5
|
+
/** 1회 점검 — renewIfNeeded 호출, 갱신 시 onRenew, 오류는 삼키고 onError/로그. */
|
|
6
|
+
export async function renewalTick(provider, opts = {}) {
|
|
7
|
+
try {
|
|
8
|
+
const renewed = await provider.renewIfNeeded();
|
|
9
|
+
if (renewed)
|
|
10
|
+
opts.onRenew?.(renewed);
|
|
11
|
+
}
|
|
12
|
+
catch (err) {
|
|
13
|
+
if (opts.onError)
|
|
14
|
+
opts.onError(err);
|
|
15
|
+
else
|
|
16
|
+
logger.warn(`cert renewal failed: ${String(err)}`);
|
|
17
|
+
}
|
|
18
|
+
}
|
|
19
|
+
/** 주기 갱신 타이머를 시작하고 정지 함수를 반환한다. */
|
|
20
|
+
export function startCertRenewal(provider, opts = {}) {
|
|
21
|
+
const interval = opts.intervalMs ?? DEFAULT_INTERVAL_MS;
|
|
22
|
+
const timer = setInterval(() => {
|
|
23
|
+
void renewalTick(provider, opts);
|
|
24
|
+
}, interval);
|
|
25
|
+
timer.unref?.();
|
|
26
|
+
return () => clearInterval(timer);
|
|
27
|
+
}
|
|
28
|
+
//# sourceMappingURL=renewal.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"renewal.js","sourceRoot":"","sources":["../../../src/lib/cert/renewal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAGpD,MAAM,MAAM,GAAG,YAAY,CAAC,YAAY,CAAC,CAAA;AAEzC,wDAAwD;AACxD,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;AAU/C,kEAAkE;AAClE,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,QAAsB,EAAE,OAA2B,EAAE;IACrF,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,CAAA;QAC9C,IAAI,OAAO;YAAE,IAAI,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAA;IACtC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,IAAI,CAAC,OAAO;YAAE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;;YAC9B,MAAM,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IACzD,CAAC;AACH,CAAC;AAED,mCAAmC;AACnC,MAAM,UAAU,gBAAgB,CAAC,QAAsB,EAAE,OAA2B,EAAE;IACpF,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAA;IACvD,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE;QAC7B,KAAK,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;IAClC,CAAC,EAAE,QAAQ,CAAC,CAAA;IACZ,KAAK,CAAC,KAAK,EAAE,EAAE,CAAA;IACf,OAAO,GAAG,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,CAAA;AACnC,CAAC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
export declare function parseTrustedProxies(raw: string | undefined): string[];
|
|
2
|
+
export interface ResolveClientAddressInput {
|
|
3
|
+
socketAddr: string;
|
|
4
|
+
forwardedFor: string | undefined;
|
|
5
|
+
trustedProxies: string[];
|
|
6
|
+
}
|
|
7
|
+
export interface ResolvedClientAddress {
|
|
8
|
+
addr: string;
|
|
9
|
+
isLocal: boolean;
|
|
10
|
+
}
|
|
11
|
+
export declare function resolveClientAddress(input: ResolveClientAddressInput): ResolvedClientAddress;
|
|
12
|
+
//# sourceMappingURL=clientAddress.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"clientAddress.d.ts","sourceRoot":"","sources":["../../src/lib/clientAddress.ts"],"names":[],"mappings":"AAiBA,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,EAAE,CAMrE;AAED,MAAM,WAAW,yBAAyB;IACxC,UAAU,EAAE,MAAM,CAAA;IAClB,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,cAAc,EAAE,MAAM,EAAE,CAAA;CACzB;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,yBAAyB,GAAG,qBAAqB,CAoB5F"}
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
// ⑤ trusted-proxy — same-host 리버스 프록시 뒤에서 loopback 무인증 우회를 막는 IP 해석.
|
|
2
|
+
// classifyConnection 앞단에서 "이 연결의 실제 클라이언트 IP가 무엇이고 loopback인가"만 판정한다.
|
|
3
|
+
// IPv4-mapped IPv6(`::ffff:127.0.0.1`)를 IPv4로 풀고, IPv6 zone id(`%en0`)를 떼낸다.
|
|
4
|
+
function normalize(addr) {
|
|
5
|
+
let a = addr.trim();
|
|
6
|
+
const zone = a.indexOf('%');
|
|
7
|
+
if (zone !== -1)
|
|
8
|
+
a = a.slice(0, zone);
|
|
9
|
+
if (a.toLowerCase().startsWith('::ffff:') && a.includes('.'))
|
|
10
|
+
a = a.slice(7);
|
|
11
|
+
return a;
|
|
12
|
+
}
|
|
13
|
+
function isLoopback(addr) {
|
|
14
|
+
const a = normalize(addr);
|
|
15
|
+
return a === '::1' || a.startsWith('127.');
|
|
16
|
+
}
|
|
17
|
+
export function parseTrustedProxies(raw) {
|
|
18
|
+
if (!raw)
|
|
19
|
+
return [];
|
|
20
|
+
return raw
|
|
21
|
+
.split(',')
|
|
22
|
+
.map((s) => normalize(s))
|
|
23
|
+
.filter((s) => s.length > 0);
|
|
24
|
+
}
|
|
25
|
+
export function resolveClientAddress(input) {
|
|
26
|
+
const socket = normalize(input.socketAddr);
|
|
27
|
+
const fromTrustedProxy = input.trustedProxies.includes(socket);
|
|
28
|
+
const xff = (input.forwardedFor ?? '').trim();
|
|
29
|
+
if (fromTrustedProxy && xff.length > 0) {
|
|
30
|
+
// 신뢰 프록시 경유: XFF 최좌측은 클라이언트가 임의 주입할 수 있다(nginx 등은 기존 헤더에 append).
|
|
31
|
+
// 우측(프록시가 직접 관찰한 쪽)부터 신뢰 프록시 IP를 벗겨내고, 첫 비신뢰 IP를 원 클라이언트로 본다.
|
|
32
|
+
const chain = xff.split(',').map((s) => normalize(s.trim())).filter((s) => s.length > 0);
|
|
33
|
+
let i = chain.length - 1;
|
|
34
|
+
while (i >= 0 && input.trustedProxies.includes(chain[i]))
|
|
35
|
+
i--;
|
|
36
|
+
// 전부 신뢰 프록시(원 클라이언트 식별 불가) → 안전 기본(원격 간주).
|
|
37
|
+
if (i < 0)
|
|
38
|
+
return { addr: socket, isLocal: false };
|
|
39
|
+
return { addr: chain[i], isLocal: isLoopback(chain[i]) };
|
|
40
|
+
}
|
|
41
|
+
// 직접 연결: 신뢰 프록시 IP라도 XFF가 없으면 프록시 미경유 직접 접근으로 본다(프록시는 항상 XFF를
|
|
42
|
+
// 추가하므로) — 호스트에서의 admin init / CLI / agent가 막히지 않게 한다.
|
|
43
|
+
// 비신뢰 출발지가 보낸 XFF는 스푸핑 가능하므로 무시하고, 어느 경우든 소켓 IP로 판정한다.
|
|
44
|
+
return { addr: socket, isLocal: isLoopback(socket) };
|
|
45
|
+
}
|
|
46
|
+
//# sourceMappingURL=clientAddress.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"clientAddress.js","sourceRoot":"","sources":["../../src/lib/clientAddress.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,sEAAsE;AAEtE,6EAA6E;AAC7E,SAAS,SAAS,CAAC,IAAY;IAC7B,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IACnB,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC3B,IAAI,IAAI,KAAK,CAAC,CAAC;QAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAA;IACrC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAC5E,OAAO,CAAC,CAAA;AACV,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IACzB,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;AAC5C,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,GAAuB;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAA;IACnB,OAAO,GAAG;SACP,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;SACxB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;AAChC,CAAC;AAaD,MAAM,UAAU,oBAAoB,CAAC,KAAgC;IACnE,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IAC1C,MAAM,gBAAgB,GAAG,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IAC9D,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;IAE7C,IAAI,gBAAgB,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,kEAAkE;QAClE,8DAA8D;QAC9D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QACxF,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAA;QACxB,OAAO,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,CAAC,EAAE,CAAA;QAC7D,2CAA2C;QAC3C,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;QAClD,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAC1D,CAAC;IAED,8DAA8D;IAC9D,uDAAuD;IACvD,uDAAuD;IACvD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAA;AACtD,CAAC"}
|
package/dist/lib/config.d.ts
CHANGED
|
@@ -4,6 +4,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
4
4
|
port: z.ZodNumber;
|
|
5
5
|
dataDir: z.ZodString;
|
|
6
6
|
wsBackpressureBytes: z.ZodNumber;
|
|
7
|
+
trustedProxies: z.ZodArray<z.ZodString>;
|
|
7
8
|
}, z.core.$strip>;
|
|
8
9
|
relay: z.ZodObject<{
|
|
9
10
|
url: z.ZodNullable<z.ZodString>;
|
|
@@ -21,6 +22,17 @@ declare const configSchema: z.ZodObject<{
|
|
|
21
22
|
provider: z.ZodLiteral<"tailscale">;
|
|
22
23
|
publicUrl: z.ZodOptional<z.ZodString>;
|
|
23
24
|
}, z.core.$strip>], "provider">>;
|
|
25
|
+
tls: z.ZodNullable<z.ZodDiscriminatedUnion<[z.ZodObject<{
|
|
26
|
+
mode: z.ZodLiteral<"byo-api-token">;
|
|
27
|
+
domain: z.ZodString;
|
|
28
|
+
dnsProvider: z.ZodString;
|
|
29
|
+
publishAddress: z.ZodOptional<z.ZodBoolean>;
|
|
30
|
+
address: z.ZodOptional<z.ZodString>;
|
|
31
|
+
}, z.core.$strip>, z.ZodObject<{
|
|
32
|
+
mode: z.ZodLiteral<"import-cert">;
|
|
33
|
+
certPath: z.ZodString;
|
|
34
|
+
keyPath: z.ZodString;
|
|
35
|
+
}, z.core.$strip>], "mode">>;
|
|
24
36
|
smtp: z.ZodObject<{
|
|
25
37
|
host: z.ZodString;
|
|
26
38
|
port: z.ZodNumber;
|
|
@@ -31,11 +43,13 @@ declare const configSchema: z.ZodObject<{
|
|
|
31
43
|
}, z.core.$strip>;
|
|
32
44
|
}, z.core.$strip>;
|
|
33
45
|
export type TapflowConfig = z.infer<typeof configSchema>;
|
|
46
|
+
export declare function loadOrCreatePersistedSecret(dataDir: string): string;
|
|
34
47
|
export declare const config: {
|
|
35
48
|
local: {
|
|
36
49
|
port: number;
|
|
37
50
|
dataDir: string;
|
|
38
51
|
wsBackpressureBytes: number;
|
|
52
|
+
trustedProxies: string[];
|
|
39
53
|
};
|
|
40
54
|
relay: {
|
|
41
55
|
url: string | null;
|
|
@@ -53,6 +67,17 @@ export declare const config: {
|
|
|
53
67
|
provider: "tailscale";
|
|
54
68
|
publicUrl?: string | undefined;
|
|
55
69
|
} | null;
|
|
70
|
+
tls: {
|
|
71
|
+
mode: "byo-api-token";
|
|
72
|
+
domain: string;
|
|
73
|
+
dnsProvider: string;
|
|
74
|
+
publishAddress?: boolean | undefined;
|
|
75
|
+
address?: string | undefined;
|
|
76
|
+
} | {
|
|
77
|
+
mode: "import-cert";
|
|
78
|
+
certPath: string;
|
|
79
|
+
keyPath: string;
|
|
80
|
+
} | null;
|
|
56
81
|
smtp: {
|
|
57
82
|
host: string;
|
|
58
83
|
port: number;
|
package/dist/lib/config.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAkDvB,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoBhB,CAAA;AAEF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA;AAiIxD,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAkBnE;AAaD,eAAO,MAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAAS,CAAA;AAC5B,eAAO,MAAM,SAAS,QAAkB,CAAA"}
|
package/dist/lib/config.js
CHANGED
|
@@ -1,9 +1,11 @@
|
|
|
1
1
|
import fs from 'fs';
|
|
2
2
|
import path from 'path';
|
|
3
|
+
import crypto from 'crypto';
|
|
3
4
|
import { z } from 'zod';
|
|
4
5
|
import { createLogger } from '@tapflowio/agent-core';
|
|
6
|
+
import { parseTrustedProxies } from './clientAddress.js';
|
|
7
|
+
import { dnsProviders } from './cert/dnsRegistry.js';
|
|
5
8
|
const logger = createLogger('relay:config');
|
|
6
|
-
const DEV_DEFAULT_SECRET = 'tapflow-dev-secret-change-in-production';
|
|
7
9
|
const tunnelSshSchema = z.object({
|
|
8
10
|
host: z.string().min(1),
|
|
9
11
|
user: z.string().min(1),
|
|
@@ -20,16 +22,38 @@ const tailscaleTunnelSchema = z.object({
|
|
|
20
22
|
publicUrl: z.string().optional(),
|
|
21
23
|
});
|
|
22
24
|
const tunnelSchema = z.discriminatedUnion('provider', [ratholeTunnelSchema, tailscaleTunnelSchema]);
|
|
25
|
+
// LAN HTTPS (issue #232) — secure context용 TLS 종단 설정. 골격: v1은 LAN 가지만 구현.
|
|
26
|
+
// 비밀(DNS API 토큰)은 config 파일이 아니라 env에서 읽는다(예: TAPFLOW_CLOUDFLARE_TOKEN).
|
|
27
|
+
const importCertTlsSchema = z.object({
|
|
28
|
+
mode: z.literal('import-cert'),
|
|
29
|
+
certPath: z.string().min(1),
|
|
30
|
+
keyPath: z.string().min(1),
|
|
31
|
+
});
|
|
32
|
+
const byoApiTokenTlsSchema = z.object({
|
|
33
|
+
mode: z.literal('byo-api-token'),
|
|
34
|
+
domain: z.string().min(1),
|
|
35
|
+
// 유효 provider는 레지스트리가 정한다(새 provider 추가 시 스키마 무변경).
|
|
36
|
+
dnsProvider: z.string().min(1).refine((n) => dnsProviders.has(n), {
|
|
37
|
+
message: `unknown dnsProvider (available: ${dnsProviders.names().join(', ')})`,
|
|
38
|
+
}),
|
|
39
|
+
// 도메인 A 레코드를 LAN IP로 자동 발행(기본 ON). false면 사용자가 직접 관리.
|
|
40
|
+
publishAddress: z.boolean().optional(),
|
|
41
|
+
// 자동 감지 대신 쓸 고정 LAN IP(멀티NIC/VPN 환경 오버라이드).
|
|
42
|
+
address: z.string().min(1).optional(),
|
|
43
|
+
});
|
|
44
|
+
const tlsSchema = z.discriminatedUnion('mode', [byoApiTokenTlsSchema, importCertTlsSchema]);
|
|
23
45
|
const configSchema = z.object({
|
|
24
46
|
local: z.object({
|
|
25
47
|
port: z.number().int().min(1).max(65535),
|
|
26
48
|
dataDir: z.string().min(1),
|
|
27
49
|
wsBackpressureBytes: z.number().int().min(1),
|
|
50
|
+
trustedProxies: z.array(z.string()),
|
|
28
51
|
}),
|
|
29
52
|
relay: z.object({
|
|
30
53
|
url: z.string().nullable(),
|
|
31
54
|
}),
|
|
32
55
|
tunnel: tunnelSchema.nullable(),
|
|
56
|
+
tls: tlsSchema.nullable(),
|
|
33
57
|
smtp: z.object({
|
|
34
58
|
host: z.string(),
|
|
35
59
|
port: z.number().int().min(1).max(65535),
|
|
@@ -44,11 +68,13 @@ const DEFAULTS = {
|
|
|
44
68
|
port: 4000,
|
|
45
69
|
dataDir: '.tapflow-data',
|
|
46
70
|
wsBackpressureBytes: 1_048_576,
|
|
71
|
+
trustedProxies: [],
|
|
47
72
|
},
|
|
48
73
|
relay: {
|
|
49
74
|
url: null,
|
|
50
75
|
},
|
|
51
76
|
tunnel: null,
|
|
77
|
+
tls: null,
|
|
52
78
|
smtp: {
|
|
53
79
|
host: '',
|
|
54
80
|
port: 587,
|
|
@@ -80,6 +106,7 @@ function load() {
|
|
|
80
106
|
port: file.local?.port ?? DEFAULTS.local.port,
|
|
81
107
|
dataDir: resolveDataDir(file.local?.dataDir ?? DEFAULTS.local.dataDir),
|
|
82
108
|
wsBackpressureBytes: DEFAULTS.local.wsBackpressureBytes,
|
|
109
|
+
trustedProxies: parseTrustedProxies(process.env.TAPFLOW_TRUSTED_PROXIES),
|
|
83
110
|
},
|
|
84
111
|
relay: {
|
|
85
112
|
url: file.relay?.url || null,
|
|
@@ -101,6 +128,22 @@ function load() {
|
|
|
101
128
|
: null,
|
|
102
129
|
};
|
|
103
130
|
})(),
|
|
131
|
+
tls: (() => {
|
|
132
|
+
if (file.tls == null)
|
|
133
|
+
return null;
|
|
134
|
+
const t = file.tls;
|
|
135
|
+
if (t.mode === 'import-cert') {
|
|
136
|
+
return { mode: 'import-cert', certPath: t.certPath ?? '', keyPath: t.keyPath ?? '' };
|
|
137
|
+
}
|
|
138
|
+
// Pass mode/provider through (no silent default) so zod rejects a missing/misspelled provider.
|
|
139
|
+
return {
|
|
140
|
+
mode: t.mode,
|
|
141
|
+
domain: t.domain ?? '',
|
|
142
|
+
dnsProvider: t.dnsProvider ?? '',
|
|
143
|
+
...(t.publishAddress !== undefined ? { publishAddress: t.publishAddress } : {}),
|
|
144
|
+
...(t.address !== undefined ? { address: t.address } : {}),
|
|
145
|
+
};
|
|
146
|
+
})(),
|
|
104
147
|
smtp: {
|
|
105
148
|
host: file.smtp?.host ?? DEFAULTS.smtp.host,
|
|
106
149
|
port: file.smtp?.port ?? DEFAULTS.smtp.port,
|
|
@@ -143,6 +186,30 @@ function load() {
|
|
|
143
186
|
}
|
|
144
187
|
return result.data;
|
|
145
188
|
}
|
|
189
|
+
// JWT_SECRET 미설정 시: 공개된 공유 기본값 대신 per-install 시크릿을 생성·영속화한다.
|
|
190
|
+
// dataDir에 0600으로 저장하고 재시작 시 재사용 → 설정 없이도 위조 불가, 온보딩 friction 없음.
|
|
191
|
+
export function loadOrCreatePersistedSecret(dataDir) {
|
|
192
|
+
const secretPath = path.join(dataDir, 'jwt-secret');
|
|
193
|
+
try {
|
|
194
|
+
const existing = fs.readFileSync(secretPath, 'utf-8').trim();
|
|
195
|
+
if (existing.length >= 32)
|
|
196
|
+
return existing;
|
|
197
|
+
}
|
|
198
|
+
catch {
|
|
199
|
+
// not yet created
|
|
200
|
+
}
|
|
201
|
+
const secret = crypto.randomBytes(48).toString('base64url');
|
|
202
|
+
fs.mkdirSync(dataDir, { recursive: true });
|
|
203
|
+
fs.writeFileSync(secretPath, secret, { mode: 0o600 });
|
|
204
|
+
try {
|
|
205
|
+
fs.chmodSync(secretPath, 0o600);
|
|
206
|
+
}
|
|
207
|
+
catch {
|
|
208
|
+
// best-effort on platforms without POSIX permissions
|
|
209
|
+
}
|
|
210
|
+
logger.info(`Generated a per-install JWT secret at ${secretPath} (set JWT_SECRET to override)`);
|
|
211
|
+
return secret;
|
|
212
|
+
}
|
|
146
213
|
function loadJwtSecret() {
|
|
147
214
|
if (process.env.JWT_SECRET !== undefined) {
|
|
148
215
|
if (process.env.JWT_SECRET.length < 32) {
|
|
@@ -151,8 +218,7 @@ function loadJwtSecret() {
|
|
|
151
218
|
}
|
|
152
219
|
return process.env.JWT_SECRET;
|
|
153
220
|
}
|
|
154
|
-
|
|
155
|
-
return DEV_DEFAULT_SECRET;
|
|
221
|
+
return loadOrCreatePersistedSecret(config.local.dataDir);
|
|
156
222
|
}
|
|
157
223
|
export const config = load();
|
|
158
224
|
export const jwtSecret = loadJwtSecret();
|
package/dist/lib/config.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAA;AACnB,OAAO,IAAI,MAAM,MAAM,CAAA;AACvB,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;
|
|
1
|
+
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAA;AACnB,OAAO,IAAI,MAAM,MAAM,CAAA;AACvB,OAAO,MAAM,MAAM,QAAQ,CAAA;AAC3B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAA;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAEpD,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,CAAA;AAE3C,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAA;AAEF,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAC9B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,GAAG,EAAE,eAAe,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAA;AAEF,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACjC,CAAC,CAAA;AAEF,MAAM,YAAY,GAAG,CAAC,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC,CAAA;AAEnG,0EAA0E;AAC1E,yEAAyE;AACzE,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC3B,CAAC,CAAA;AAEF,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IAChC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,oDAAoD;IACpD,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QAChE,OAAO,EAAE,mCAAmC,YAAY,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;KAC/E,CAAC;IACF,sDAAsD;IACtD,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtC,4CAA4C;IAC5C,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;CACtC,CAAC,CAAA;AAEF,MAAM,SAAS,GAAG,CAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC,oBAAoB,EAAE,mBAAmB,CAAC,CAAC,CAAA;AAE3F,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACd,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;QACxC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1B,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5C,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KACpC,CAAC;IACF,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACd,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC3B,CAAC;IACF,MAAM,EAAE,YAAY,CAAC,QAAQ,EAAE;IAC/B,GAAG,EAAE,SAAS,CAAC,QAAQ,EAAE;IACzB,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QACb,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;QACxC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;QACnB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;KACjB,CAAC;CACH,CAAC,CAAA;AAMF,MAAM,QAAQ,GAAG;IACf,KAAK,EAAE;QACL,IAAI,EAAE,IAAI;QACV,OAAO,EAAE,eAAe;QACxB,mBAAmB,EAAE,SAAS;QAC9B,cAAc,EAAE,EAAE;KACnB;IACD,KAAK,EAAE;QACL,GAAG,EAAE,IAAI;KACV;IACD,MAAM,EAAE,IAAI;IACZ,GAAG,EAAE,IAAI;IACT,IAAI,EAAE;QACJ,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,iCAAiC;KACxC;CACsB,CAAA;AAEzB,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAA;AACnE,CAAC;AAED,SAAS,IAAI;IACX,IAAI,IAAI,GAAqE,EAAE,CAAA;IAE/E,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,qBAAqB,CAAC,CAAA;IAClE,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAgB,CAAA;QACxE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,IAAI,WAAW,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,uFAAuF,CAAC,CAAA;IACtG,CAAC;IAED,MAAM,GAAG,GAAkB;QACzB,KAAK,EAAE;YACL,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI;YAC7C,OAAO,EAAE,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC;YACtE,mBAAmB,EAAE,QAAQ,CAAC,KAAK,CAAC,mBAAmB;YACvD,cAAc,EAAE,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;SACzE;QACD,KAAK,EAAE;YACL,GAAG,EAAE,IAAI,CAAC,KAAK,EAAE,GAAG,IAAI,IAAI;SAC7B;QACD,MAAM,EAAE,CAAC,GAAG,EAAE;YACZ,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI;gBAAE,OAAO,IAAI,CAAA;YACpC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAyI,CAAA;YACxJ,IAAI,CAAC,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBAC/B,OAAO,EAAE,QAAQ,EAAE,WAAoB,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAA;YACnE,CAAC;YACD,qFAAqF;YACrF,OAAO;gBACL,QAAQ,EAAE,CAAC,CAAC,QAAqB;gBACjC,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,EAAE;gBAC9B,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,EAAE;gBAC5B,GAAG,EAAE,CAAC,CAAC,GAAG,IAAI,IAAI;oBAChB,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE;oBAC5E,CAAC,CAAC,IAAI;aACT,CAAA;QACH,CAAC,CAAC,EAAE;QACJ,GAAG,EAAE,CAAC,GAAG,EAAE;YACT,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI;gBAAE,OAAO,IAAI,CAAA;YACjC,MAAM,CAAC,GAAG,IAAI,CAAC,GAGd,CAAA;YACD,IAAI,CAAC,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;gBAC7B,OAAO,EAAE,IAAI,EAAE,aAAsB,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,EAAE,EAAE,CAAA;YAC/F,CAAC;YACD,+FAA+F;YAC/F,OAAO;gBACL,IAAI,EAAE,CAAC,CAAC,IAAuB;gBAC/B,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE;gBACtB,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,EAAE;gBAChC,GAAG,CAAC,CAAC,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC/E,GAAG,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC3D,CAAA;QACH,CAAC,CAAC,EAAE;QACJ,IAAI,EAAE;YACJ,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM;YACjD,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;YAC3C,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI;SAC5C;KACF,CAAA;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY;QAAE,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;IAC/E,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAAE,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAA;IAClG,IAAI,OAAO,CAAC,GAAG,CAAC,6BAA6B;QAAE,GAAG,CAAC,KAAK,CAAC,mBAAmB,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAA;IAChI,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAAE,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,IAAI,CAAA;IACxF,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAChE,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IACxE,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW;QAAE,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,MAAM,CAAA;IACjF,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAChE,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAChE,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAA;IAEhE,qFAAqF;IACrF,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1F,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,YAAY,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,CAAA;IAC9C,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACxC,MAAM,CAAC,KAAK,CAAC,iBAAiB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;QAC1E,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAA;AACpB,CAAC;AAED,6DAA6D;AAC7D,kEAAkE;AAClE,MAAM,UAAU,2BAA2B,CAAC,OAAe;IACzD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAA;IACnD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAA;QAC5D,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE;YAAE,OAAO,QAAQ,CAAA;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC3D,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IAC1C,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IACrD,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,qDAAqD;IACvD,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,yCAAyC,UAAU,+BAA+B,CAAC,CAAA;IAC/F,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,aAAa;IACpB,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACvC,MAAM,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAA;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QACD,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAA;IAC/B,CAAC;IACD,OAAO,2BAA2B,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;AAC1D,CAAC;AAED,MAAM,CAAC,MAAM,MAAM,GAAG,IAAI,EAAE,CAAA;AAC5B,MAAM,CAAC,MAAM,SAAS,GAAG,aAAa,EAAE,CAAA"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../src/lib/cors.ts"],"names":[],"mappings":"AAKA,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,GAC1B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAS/B"}
|
package/dist/lib/cors.js
ADDED
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
// #4 — CORS 출처 제한.
|
|
2
|
+
// 기존엔 모든 응답에 `Access-Control-Allow-Origin: *` + `Allow-Headers: Authorization`을 줘서,
|
|
3
|
+
// PAT(Authorization 헤더)를 cross-origin 스크립트에서 사용할 수 있었다. 허용 출처 allowlist에
|
|
4
|
+
// 든 origin만 에코하고, 그 외에는 CORS 헤더를 부여하지 않는다(브라우저가 cross-origin을 차단).
|
|
5
|
+
// same-origin 요청과 비-브라우저(CLI/서버-서버, Origin 헤더 없음)는 CORS와 무관하게 그대로 동작한다.
|
|
6
|
+
export function resolveCorsHeaders(origin, allowedOrigins) {
|
|
7
|
+
if (!origin)
|
|
8
|
+
return null;
|
|
9
|
+
if (!allowedOrigins.has(origin))
|
|
10
|
+
return null;
|
|
11
|
+
return {
|
|
12
|
+
'Access-Control-Allow-Origin': origin,
|
|
13
|
+
'Vary': 'Origin',
|
|
14
|
+
'Access-Control-Allow-Headers': 'Content-Type, Authorization',
|
|
15
|
+
'Access-Control-Allow-Methods': 'GET, POST, PATCH, DELETE, OPTIONS',
|
|
16
|
+
};
|
|
17
|
+
}
|
|
18
|
+
//# sourceMappingURL=cors.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cors.js","sourceRoot":"","sources":["../../src/lib/cors.ts"],"names":[],"mappings":"AAAA,mBAAmB;AACnB,oFAAoF;AACpF,yEAAyE;AACzE,mEAAmE;AACnE,wEAAwE;AACxE,MAAM,UAAU,kBAAkB,CAChC,MAA0B,EAC1B,cAA2B;IAE3B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IACxB,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAA;IAC5C,OAAO;QACL,6BAA6B,EAAE,MAAM;QACrC,MAAM,EAAE,QAAQ;QAChB,8BAA8B,EAAE,6BAA6B;QAC7D,8BAA8B,EAAE,mCAAmC;KACpE,CAAA;AACH,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/lib/csrf.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAkB5B,wBAAgB,aAAa,CAC3B,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,OAAO,EAAE,IAAI,CAAC,mBAAmB,EACjC,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,GAC1B,OAAO,CAoBT"}
|
package/dist/lib/csrf.js
ADDED
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
// #5 — CSRF 경량 가드.
|
|
2
|
+
// 상태 변경 API가 `SameSite=Lax` 쿠키에만 의존하면 일부 cross-site 요청이 통과할 수 있다.
|
|
3
|
+
// 쿠키로 인증된 상태 변경 요청은 Origin이 same-origin(Host 일치)이거나 신뢰 allowlist에 있을 때만
|
|
4
|
+
// 허용하고, 그 외 cross-origin은 차단한다. 브라우저는 상태 변경 요청에 Origin을 강제로 붙이므로
|
|
5
|
+
// 대시보드(same-origin)는 그대로 통과하고, 공격자 origin은 막힌다.
|
|
6
|
+
// 면제: 안전 메서드(GET/HEAD/OPTIONS), PAT 인증(Authorization — 쿠키 자동 전송이 아님),
|
|
7
|
+
// 쿠키 없는 요청(미인증/login/init), Origin 없는 요청(비-브라우저; 브라우저는 cross-site에 Origin을 생략하지 못한다).
|
|
8
|
+
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
|
|
9
|
+
// Loopback origins are the local dev machine (e.g. Vite :3001 proxying to the relay :4000), never a
|
|
10
|
+
// remote attacker — a cross-site page can't forge a localhost Origin, so exempting these is safe.
|
|
11
|
+
function isLoopbackHost(hostname) {
|
|
12
|
+
const h = hostname.replace(/^\[|\]$/g, '');
|
|
13
|
+
return h === 'localhost' || h === '127.0.0.1' || h === '::1';
|
|
14
|
+
}
|
|
15
|
+
export function isCsrfBlocked(method, headers, allowedOrigins) {
|
|
16
|
+
if (SAFE_METHODS.has((method ?? 'GET').toUpperCase()))
|
|
17
|
+
return false;
|
|
18
|
+
if (headers['authorization'])
|
|
19
|
+
return false;
|
|
20
|
+
const cookie = headers['cookie'];
|
|
21
|
+
const hasCookieAuth = typeof cookie === 'string' && cookie.includes('tapflow_token=');
|
|
22
|
+
if (!hasCookieAuth)
|
|
23
|
+
return false;
|
|
24
|
+
const origin = headers['origin'];
|
|
25
|
+
if (!origin)
|
|
26
|
+
return false;
|
|
27
|
+
if (allowedOrigins.has(origin))
|
|
28
|
+
return false;
|
|
29
|
+
const host = headers['host'];
|
|
30
|
+
try {
|
|
31
|
+
const url = new URL(origin);
|
|
32
|
+
if (host && url.host === host)
|
|
33
|
+
return false;
|
|
34
|
+
if (isLoopbackHost(url.hostname))
|
|
35
|
+
return false;
|
|
36
|
+
}
|
|
37
|
+
catch {
|
|
38
|
+
// malformed Origin → treat as cross-origin (blocked below)
|
|
39
|
+
}
|
|
40
|
+
return true;
|
|
41
|
+
}
|
|
42
|
+
//# sourceMappingURL=csrf.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/lib/csrf.ts"],"names":[],"mappings":"AAEA,mBAAmB;AACnB,kEAAkE;AAClE,wEAAwE;AACxE,iEAAiE;AACjE,gDAAgD;AAChD,sEAAsE;AACtE,4FAA4F;AAC5F,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAA;AAExD,oGAAoG;AACpG,kGAAkG;AAClG,SAAS,cAAc,CAAC,QAAgB;IACtC,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAA;IAC1C,OAAO,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,KAAK,CAAA;AAC9D,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,MAA0B,EAC1B,OAAiC,EACjC,cAA2B;IAE3B,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QAAE,OAAO,KAAK,CAAA;IACnE,IAAI,OAAO,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAA;IAC1C,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAChC,MAAM,aAAa,GAAG,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAA;IACrF,IAAI,CAAC,aAAa;QAAE,OAAO,KAAK,CAAA;IAEhC,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAChC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACzB,IAAI,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAA;IAE5C,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IAC5B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAA;QAC3B,IAAI,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,IAAI;YAAE,OAAO,KAAK,CAAA;QAC3C,IAAI,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAA;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,2DAA2D;IAC7D,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}
|