@xopcai/xopc 0.0.81 → 0.0.83

package/dist/src/gateway/hono/middleware/auth.js

@@ -1,25 +1,22 @@
 import { createLogger } from "../../../utils/logger/index.js";
 import { init_logger } from "../../../utils/logger.js";
-import { getClientIpFromHeaders, isAuthRateLimitGloballyDisabled, resolveAuthRateLimitConfig, resolveAuthRateLimitTracking } from "../../auth-rate-limit.js";
 import { safeEqualSecret } from "../../security/secret-equal.js";
 import { resolveClientIpFromRequest } from "../../client-ip.js";
+import { authPolicyConfig, buckets, resolveAuthRateLimit } from "../../rate-limit/buckets.js";
+import { getClientIpFromHeaders } from "../../security/loopback.js";
+import { resolveAuthTracking } from "../../rate-limit/auth-policy.js";
+import { isAuthRateLimitGloballyDisabled } from "../../rate-limit/env-flags.js";
+import "../../rate-limit/index.js";
 import { authorizeTrustedProxy } from "../../trusted-proxy.js";
 import { createMiddleware } from "hono/factory";
 import { getConnInfo } from "@hono/node-server/conninfo";
 //#region src/gateway/hono/middleware/auth.ts
 init_logger();
 const log = createLogger("Hono:Auth");
-/**
-* Validate token using constant-time comparison to prevent timing attacks.
-*/
 function validateToken(providedToken, expectedToken) {
 	if (!providedToken) return false;
 	return safeEqualSecret(providedToken, expectedToken);
 }
-/**
-* Extract token from Authorization header
-* Supports: "Bearer <token>", "<token>"
-*/
 function extractTokenFromHeader(authHeader) {
 	if (!authHeader) return null;
 	const parts = authHeader.split(" ");
@@ -27,8 +24,6 @@ function extractTokenFromHeader(authHeader) {
 	return authHeader;
 }
 /**
-* Extract token from query parameter.
-*
 * SECURITY: query-string tokens leak into server logs, Referer headers, and
 * browser history. We accept them only for SSE/WebSocket connections where
 * the `Authorization` header cannot be set by `EventSource`. For normal REST
@@ -37,7 +32,6 @@ function extractTokenFromHeader(authHeader) {
 function extractTokenFromQuery(url) {
 	return new URL(url).searchParams.get("token");
 }
-/** Paths where query-string token auth is acceptable (SSE / WebSocket). */
 const QUERY_TOKEN_ALLOWED_PATHS = new Set(["/api/events", "/api/ws"]);
 function isQueryTokenAllowedPath(path) {
 	return QUERY_TOKEN_ALLOWED_PATHS.has(path) || path.startsWith("/api/events");
@@ -58,9 +52,45 @@ function resolveMiddlewareClientIp(c, trustedProxies, allowRealIpFallback) {
 	});
 	return getClientIpFromHeaders({ get: (name) => c.req.header(name) ?? void 0 });
 }
-/**
-* Create auth middleware for HTTP routes
-*/
+function buildRateLimitContext(getGatewayAuth, clientIp, origin) {
+	const cfg = resolveAuthRateLimit(getGatewayAuth?.()?.rateLimit);
+	if (!(cfg.enabled && !isAuthRateLimitGloballyDisabled())) return {
+		active: false,
+		cfg,
+		trackingKey: void 0
+	};
+	const tracking = resolveAuthTracking({
+		clientIp,
+		origin,
+		cfg: authPolicyConfig(cfg)
+	});
+	return {
+		active: true,
+		cfg,
+		trackingKey: tracking.exempt ? void 0 : tracking.key
+	};
+}
+function checkBlocked(rl) {
+	if (!rl.active || rl.trackingKey === void 0) return { blocked: false };
+	return buckets.authFailure(rl.cfg).check(rl.trackingKey);
+}
+function recordFailure(rl) {
+	if (!rl.active || rl.trackingKey === void 0) return;
+	buckets.authFailure(rl.cfg).fail(rl.trackingKey);
+}
+function recordSuccess(rl) {
+	if (!rl.active || rl.trackingKey === void 0) return;
+	buckets.authFailure(rl.cfg).succeed(rl.trackingKey);
+}
+function blockedResponse(c, retryAfterSec) {
+	c.header("Retry-After", String(retryAfterSec));
+	return c.json({
+		error: "Too Many Requests",
+		code: "auth_blocked",
+		message: "Too many authentication attempts",
+		retryAfter: retryAfterSec
+	}, 429);
+}
 function auth(config) {
 	const { token, getGatewayAuth, getResolvedAuth, getTrustedProxyContext } = config || {};
 	return createMiddleware(async (c, next) => {
@@ -70,17 +100,10 @@ function auth(config) {
 			const proxyContext = getTrustedProxyContext?.();
 			const trustedProxies = proxyContext?.trustedProxies;
 			const trustedProxyConfig = resolvedAuth?.trustedProxy;
-			const rlInput = getGatewayAuth?.()?.rateLimit;
-			const rlCfg = resolveAuthRateLimitConfig(rlInput);
-			const rateLimitActive = rlCfg.enabled && !isAuthRateLimitGloballyDisabled();
 			const clientIp = resolveMiddlewareClientIp(c, trustedProxies, proxyContext?.allowRealIpFallback);
-			const { limiter, key: rateLimitKey, cfg: activeRlCfg } = resolveAuthRateLimitTracking({
-				clientIp,
-				origin: c.req.header("origin"),
-				cfg: rlCfg
-			});
+			const origin = c.req.header("origin");
+			const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);
 			if (!trustedProxyConfig) {
-				if (rateLimitActive) limiter.recordFailure(rateLimitKey, activeRlCfg);
 				log.warn({
 					path: c.req.path,
 					method: c.req.method,
@@ -89,56 +112,51 @@ function auth(config) {
 				}, "HTTP auth rejected: trusted-proxy config missing");
 				return c.json({
 					error: "Unauthorized",
+					code: "auth_unconfigured",
 					message: "Trusted-proxy auth is not configured"
 				}, 401);
 			}
+			const blocked = checkBlocked(rl);
+			if (blocked.blocked) {
+				log.warn({
+					clientIp,
+					origin: origin ?? void 0,
+					path: c.req.path,
+					method: c.req.method,
+					retryAfterSec: blocked.retryAfterSec,
+					reason: "auth_blocked"
+				}, "Auth rate limit blocked");
+				return blockedResponse(c, blocked.retryAfterSec);
+			}
 			const result = authorizeTrustedProxy({
 				remoteAddress: resolveRemoteAddress(c),
 				getHeader: (name) => c.req.header(name),
 				trustedProxies,
 				trustedProxyConfig
 			});
-			if (result.ok) {
-				if (rateLimitActive) limiter.recordSuccess(rateLimitKey);
-				await next();
-				return;
-			}
 			if (result.ok === false) {
-				if (rateLimitActive) {
-					const blocked = limiter.checkBlocked(rateLimitKey, activeRlCfg);
-					if (blocked.blocked) {
-						c.header("Retry-After", String(blocked.retryAfterSec));
-						return c.json({
-							error: "Too Many Requests",
-							message: "Too many authentication attempts",
-							retryAfter: blocked.retryAfterSec
-						}, 429);
-					}
-					limiter.recordFailure(rateLimitKey, activeRlCfg);
-				}
+				recordFailure(rl);
 				log.warn({
 					path: c.req.path,
 					method: c.req.method,
 					clientIp,
 					reason: result.reason
-				}, "HTTP auth rejected: trusted-proxy validation failed");
+				}, `HTTP auth rejected: trusted-proxy validation failed (${result.reason})`);
 				return c.json({
 					error: "Unauthorized",
+					code: "invalid_proxy_credentials",
 					message: "Trusted-proxy authentication failed"
 				}, 401);
 			}
+			recordSuccess(rl);
+			await next();
+			return;
 		}
 		if (authMode === "none" || !token) return next();
-		const rlInput = getGatewayAuth?.()?.rateLimit;
-		const rlCfg = resolveAuthRateLimitConfig(rlInput);
-		const rateLimitActive = rlCfg.enabled && !isAuthRateLimitGloballyDisabled();
 		const proxyContext = getTrustedProxyContext?.();
 		const clientIp = resolveMiddlewareClientIp(c, proxyContext?.trustedProxies, proxyContext?.allowRealIpFallback);
-		const { limiter, key: rateLimitKey, cfg: activeRlCfg } = resolveAuthRateLimitTracking({
-			clientIp,
-			origin: c.req.header("origin"),
-			cfg: rlCfg
-		});
+		const origin = c.req.header("origin");
+		const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);
 		const authHeader = extractTokenFromHeader(c.req.header("authorization"));
 		const requestPath = new URL(c.req.url).pathname;
 		const queryToken = isQueryTokenAllowedPath(requestPath) ? extractTokenFromQuery(c.req.url) : null;
@@ -149,23 +167,23 @@ function auth(config) {
 		}, "Token in query string rejected: use Authorization header for this endpoint");
 		const providedToken = authHeader || queryToken;
 		if (providedToken && validateToken(providedToken, token)) {
-			if (rateLimitActive) limiter.recordSuccess(rateLimitKey);
+			recordSuccess(rl);
 			await next();
 			return;
 		}
-		if (rateLimitActive) {
-			const blocked = limiter.checkBlocked(rateLimitKey, activeRlCfg);
-			if (blocked.blocked) {
-				c.header("Retry-After", String(blocked.retryAfterSec));
-				return c.json({
-					error: "Too Many Requests",
-					message: "Too many authentication attempts",
-					retryAfter: blocked.retryAfterSec
-				}, 429);
-			}
+		const blocked = checkBlocked(rl);
+		if (blocked.blocked) {
+			log.warn({
+				clientIp,
+				origin: origin ?? void 0,
+				path: requestPath,
+				method: c.req.method,
+				retryAfterSec: blocked.retryAfterSec,
+				reason: "auth_blocked"
+			}, "Auth rate limit blocked");
+			return blockedResponse(c, blocked.retryAfterSec);
 		}
 		if (!providedToken) {
-			if (rateLimitActive) limiter.recordFailure(rateLimitKey, activeRlCfg);
 			log.warn({
 				path: c.req.path,
 				method: c.req.method,
@@ -174,56 +192,25 @@ function auth(config) {
 			}, "HTTP auth rejected: no Bearer or ?token=");
 			return c.json({
 				error: "Unauthorized",
+				code: "missing_token",
 				message: "Missing authentication token"
 			}, 401);
 		}
-		if (!validateToken(providedToken, token)) {
-			if (rateLimitActive) limiter.recordFailure(rateLimitKey, activeRlCfg);
-			log.warn({
-				path: c.req.path,
-				method: c.req.method,
-				clientIp,
-				reason: "invalid_token"
-			}, "HTTP auth rejected: token mismatch");
-			return c.json({
-				error: "Unauthorized",
-				message: "Invalid authentication token"
-			}, 401);
-		}
-	});
-}
-/**
-* Validate WebSocket connection token
-*/
-function validateWebSocketAuth(url, authHeader, expectedToken) {
-	if (!expectedToken) return { valid: true };
-	const queryToken = url.searchParams.get("token");
-	const headerToken = extractTokenFromHeader(authHeader);
-	const providedToken = queryToken || headerToken;
-	if (!providedToken) {
+		recordFailure(rl);
 		log.warn({
-			path: url.pathname,
-			reason: "missing_token",
-			hasHeaderToken: Boolean(headerToken)
-		}, "WebSocket auth rejected: no token in query or Authorization");
-		return {
-			valid: false,
-			error: "Missing authentication token"
-		};
-	}
-	if (!safeEqualSecret(providedToken, expectedToken)) {
-		log.warn({
-			path: url.pathname,
+			path: c.req.path,
+			method: c.req.method,
+			clientIp,
 			reason: "invalid_token"
-		}, "WebSocket auth rejected: token mismatch");
-		return {
-			valid: false,
-			error: "Invalid authentication token"
-		};
-	}
-	return { valid: true };
+		}, "HTTP auth rejected: token mismatch");
+		return c.json({
+			error: "Unauthorized",
+			code: "invalid_token",
+			message: "Invalid authentication token"
+		}, 401);
+	});
 }
 //#endregion
-export { auth, validateWebSocketAuth };
+export { auth };
 
 //# sourceMappingURL=auth.js.map

package/dist/src/gateway/hono/middleware/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/auth.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\nimport type { GatewayAuthConfig } from '../../../config/schema.js';\nimport {\n  getClientIpFromHeaders,\n  isAuthRateLimitGloballyDisabled,\n  resolveAuthRateLimitConfig,\n  resolveAuthRateLimitTracking,\n} from '../../auth-rate-limit.js';\nimport type { ResolvedGatewayAuth } from '../../auth.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport { safeEqualSecret } from '../../security/secret-equal.js';\nimport { authorizeTrustedProxy } from '../../trusted-proxy.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Auth');\n\nexport interface AuthConfig {\n  token?: string;\n  /** Current gateway auth from config (for rate-limit settings); optional. */\n  getGatewayAuth?: () => GatewayAuthConfig | undefined;\n  getResolvedAuth?: () => ResolvedGatewayAuth;\n  getTrustedProxyContext?: () => {\n    trustedProxies?: string[];\n    allowRealIpFallback?: boolean;\n  };\n}\n\n/**\n * Validate token using constant-time comparison to prevent timing attacks.\n */\nfunction validateToken(providedToken: string | undefined, expectedToken: string): boolean {\n  if (!providedToken) return false;\n  return safeEqualSecret(providedToken, expectedToken);\n}\n\n/**\n * Extract token from Authorization header\n * Supports: \"Bearer <token>\", \"<token>\"\n */\nfunction extractTokenFromHeader(authHeader: string | null): string | null {\n  if (!authHeader) return null;\n\n  const parts = authHeader.split(' ');\n  if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {\n    return parts[1];\n  }\n  return authHeader;\n}\n\n/**\n * Extract token from query parameter.\n *\n * SECURITY: query-string tokens leak into server logs, Referer headers, and\n * browser history. We accept them only for SSE/WebSocket connections where\n * the `Authorization` header cannot be set by `EventSource`. For normal REST\n * requests prefer the `Authorization: Bearer <token>` header.\n */\nfunction extractTokenFromQuery(url: string): string | null {\n  const parsed = new URL(url);\n  return parsed.searchParams.get('token');\n}\n\n/** Paths where query-string token auth is acceptable (SSE / WebSocket). */\nconst QUERY_TOKEN_ALLOWED_PATHS = new Set(['/api/events', '/api/ws']);\n\nfunction isQueryTokenAllowedPath(path: string): boolean {\n  return QUERY_TOKEN_ALLOWED_PATHS.has(path) || path.startsWith('/api/events');\n}\n\nfunction resolveRemoteAddress(c: Context): string | undefined {\n  try {\n    return getConnInfo(c).remote.address;\n  } catch {\n    return undefined;\n  }\n}\n\nfunction resolveMiddlewareClientIp(\n  c: Context,\n  trustedProxies?: string[],\n  allowRealIpFallback?: boolean,\n): string {\n  if (trustedProxies?.length) {\n    return resolveClientIpFromRequest({\n      remoteAddress: resolveRemoteAddress(c),\n      getHeader: (name) => c.req.header(name),\n      trustedProxies,\n      allowRealIpFallback,\n    });\n  }\n  return getClientIpFromHeaders({\n    get: (name: string) => c.req.header(name) ?? undefined,\n  });\n}\n\n/**\n * Create auth middleware for HTTP routes\n */\nexport function auth(config?: AuthConfig) {\n  const { token, getGatewayAuth, getResolvedAuth, getTrustedProxyContext } = config || {};\n\n  return createMiddleware(async (c, next) => {\n    const resolvedAuth = getResolvedAuth?.();\n    const authMode = resolvedAuth?.mode ?? (token ? 'token' : 'none');\n\n    if (authMode === 'trusted-proxy') {\n      const proxyContext = getTrustedProxyContext?.();\n      const trustedProxies = proxyContext?.trustedProxies;\n      const trustedProxyConfig = resolvedAuth?.trustedProxy;\n\n      const rlInput = getGatewayAuth?.()?.rateLimit;\n      const rlCfg = resolveAuthRateLimitConfig(rlInput);\n      const rateLimitActive = rlCfg.enabled && !isAuthRateLimitGloballyDisabled();\n      const clientIp = resolveMiddlewareClientIp(\n        c,\n        trustedProxies,\n        proxyContext?.allowRealIpFallback,\n      );\n      const origin = c.req.header('origin');\n      const tracking = resolveAuthRateLimitTracking({ clientIp, origin, cfg: rlCfg });\n      const { limiter, key: rateLimitKey, cfg: activeRlCfg } = tracking;\n\n      if (!trustedProxyConfig) {\n        if (rateLimitActive) {\n          limiter.recordFailure(rateLimitKey, activeRlCfg);\n        }\n        log.warn(\n          { path: c.req.path, method: c.req.method, clientIp, reason: 'trusted_proxy_config_missing' },\n          'HTTP auth rejected: trusted-proxy config missing',\n        );\n        return c.json({ error: 'Unauthorized', message: 'Trusted-proxy auth is not configured' }, 401);\n      }\n\n      const result = authorizeTrustedProxy({\n        remoteAddress: resolveRemoteAddress(c),\n        getHeader: (name) => c.req.header(name),\n        trustedProxies,\n        trustedProxyConfig,\n      });\n\n      if (result.ok) {\n        if (rateLimitActive) {\n          limiter.recordSuccess(rateLimitKey);\n        }\n        await next();\n        return;\n      }\n\n      if (result.ok === false) {\n        if (rateLimitActive) {\n          const blocked = limiter.checkBlocked(rateLimitKey, activeRlCfg);\n          if (blocked.blocked) {\n            c.header('Retry-After', String(blocked.retryAfterSec));\n            return c.json(\n              {\n                error: 'Too Many Requests',\n                message: 'Too many authentication attempts',\n                retryAfter: blocked.retryAfterSec,\n              },\n              429,\n            );\n          }\n          limiter.recordFailure(rateLimitKey, activeRlCfg);\n        }\n\n        log.warn(\n          { path: c.req.path, method: c.req.method, clientIp, reason: result.reason },\n          'HTTP auth rejected: trusted-proxy validation failed',\n        );\n        return c.json({ error: 'Unauthorized', message: 'Trusted-proxy authentication failed' }, 401);\n      }\n    }\n\n    if (authMode === 'none' || !token) {\n      return next();\n    }\n\n    const rlInput = getGatewayAuth?.()?.rateLimit;\n    const rlCfg = resolveAuthRateLimitConfig(rlInput);\n    const rateLimitActive = rlCfg.enabled && !isAuthRateLimitGloballyDisabled();\n\n    const proxyContext = getTrustedProxyContext?.();\n    const clientIp = resolveMiddlewareClientIp(\n      c,\n      proxyContext?.trustedProxies,\n      proxyContext?.allowRealIpFallback,\n    );\n    const origin = c.req.header('origin');\n    const tracking = resolveAuthRateLimitTracking({ clientIp, origin, cfg: rlCfg });\n    const { limiter, key: rateLimitKey, cfg: activeRlCfg } = tracking;\n\n    const authHeader = extractTokenFromHeader(c.req.header('authorization'));\n    const requestPath = new URL(c.req.url).pathname;\n    const queryToken = isQueryTokenAllowedPath(requestPath)\n      ? extractTokenFromQuery(c.req.url)\n      : null;\n\n    if (!authHeader && queryToken === null && new URL(c.req.url).searchParams.has('token')) {\n      log.warn(\n        { path: requestPath, method: c.req.method, clientIp },\n        'Token in query string rejected: use Authorization header for this endpoint',\n      );\n    }\n\n    const providedToken = authHeader || queryToken;\n\n    if (providedToken && validateToken(providedToken, token)) {\n      if (rateLimitActive) {\n        limiter.recordSuccess(rateLimitKey);\n      }\n      await next();\n      return;\n    }\n\n    if (rateLimitActive) {\n      const blocked = limiter.checkBlocked(rateLimitKey, activeRlCfg);\n      if (blocked.blocked) {\n        c.header('Retry-After', String(blocked.retryAfterSec));\n        return c.json(\n          {\n            error: 'Too Many Requests',\n            message: 'Too many authentication attempts',\n            retryAfter: blocked.retryAfterSec,\n          },\n          429,\n        );\n      }\n    }\n\n    if (!providedToken) {\n      if (rateLimitActive) {\n        limiter.recordFailure(rateLimitKey, activeRlCfg);\n      }\n      log.warn(\n        { path: c.req.path, method: c.req.method, clientIp, reason: 'missing_token' },\n        'HTTP auth rejected: no Bearer or ?token=',\n      );\n      return c.json({ error: 'Unauthorized', message: 'Missing authentication token' }, 401);\n    }\n\n    if (!validateToken(providedToken, token)) {\n      if (rateLimitActive) {\n        limiter.recordFailure(rateLimitKey, activeRlCfg);\n      }\n      log.warn(\n        { path: c.req.path, method: c.req.method, clientIp, reason: 'invalid_token' },\n        'HTTP auth rejected: token mismatch',\n      );\n      return c.json({ error: 'Unauthorized', message: 'Invalid authentication token' }, 401);\n    }\n  });\n}\n\nexport interface WebSocketAuthResult {\n  valid: boolean;\n  error?: string;\n}\n\n/**\n * Validate WebSocket connection token\n */\nexport function validateWebSocketAuth(\n  url: URL,\n  authHeader: string | null,\n  expectedToken?: string\n): WebSocketAuthResult {\n  if (!expectedToken) {\n    return { valid: true };\n  }\n\n  const queryToken = url.searchParams.get('token');\n  const headerToken = extractTokenFromHeader(authHeader);\n\n  const providedToken = queryToken || headerToken;\n\n  if (!providedToken) {\n    log.warn(\n      { path: url.pathname, reason: 'missing_token', hasHeaderToken: Boolean(headerToken) },\n      'WebSocket auth rejected: no token in query or Authorization',\n    );\n    return { valid: false, error: 'Missing authentication token' };\n  }\n\n  if (!safeEqualSecret(providedToken, expectedToken)) {\n    log.warn({ path: url.pathname, reason: 'invalid_token' }, 'WebSocket auth rejected: token mismatch');\n    return { valid: false, error: 'Invalid authentication token' };\n  }\n\n  return { valid: true };\n}\n"],"mappings":";;;;;;;;;aAcwD;AAExD,MAAM,MAAM,aAAa,YAAY;;;;AAgBrC,SAAS,cAAc,eAAmC,eAAgC;AACxF,KAAI,CAAC,cAAe,QAAO;AAC3B,QAAO,gBAAgB,eAAe,cAAc;;;;;;AAOtD,SAAS,uBAAuB,YAA0C;AACxE,KAAI,CAAC,WAAY,QAAO;CAExB,MAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,KAAI,MAAM,WAAW,KAAK,MAAM,GAAG,aAAa,KAAK,SACnD,QAAO,MAAM;AAEf,QAAO;;;;;;;;;;AAWT,SAAS,sBAAsB,KAA4B;AAEzD,QAAO,IADY,IAAI,IACV,CAAC,aAAa,IAAI,QAAQ;;;AAIzC,MAAM,4BAA4B,IAAI,IAAI,CAAC,eAAe,UAAU,CAAC;AAErE,SAAS,wBAAwB,MAAuB;AACtD,QAAO,0BAA0B,IAAI,KAAK,IAAI,KAAK,WAAW,cAAc;;AAG9E,SAAS,qBAAqB,GAAgC;AAC5D,KAAI;AACF,SAAO,YAAY,EAAE,CAAC,OAAO;SACvB;AACN;;;AAIJ,SAAS,0BACP,GACA,gBACA,qBACQ;AACR,KAAI,gBAAgB,OAClB,QAAO,2BAA2B;EAChC,eAAe,qBAAqB,EAAE;EACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;EACvC;EACA;EACD,CAAC;AAEJ,QAAO,uBAAuB,EAC5B,MAAM,SAAiB,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAC9C,CAAC;;;;;AAMJ,SAAgB,KAAK,QAAqB;CACxC,MAAM,EAAE,OAAO,gBAAgB,iBAAiB,2BAA2B,UAAU,EAAE;AAEvF,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,eAAe,mBAAmB;EACxC,MAAM,WAAW,cAAc,SAAS,QAAQ,UAAU;AAE1D,MAAI,aAAa,iBAAiB;GAChC,MAAM,eAAe,0BAA0B;GAC/C,MAAM,iBAAiB,cAAc;GACrC,MAAM,qBAAqB,cAAc;GAEzC,MAAM,UAAU,kBAAkB,EAAE;GACpC,MAAM,QAAQ,2BAA2B,QAAQ;GACjD,MAAM,kBAAkB,MAAM,WAAW,CAAC,iCAAiC;GAC3E,MAAM,WAAW,0BACf,GACA,gBACA,cAAc,oBACf;GAGD,MAAM,EAAE,SAAS,KAAK,cAAc,KAAK,gBADxB,6BAA6B;IAAE;IAAU,QAD3C,EAAE,IAAI,OAAO,SACoC;IAAE,KAAK;IAAO,CACb;AAEjE,OAAI,CAAC,oBAAoB;AACvB,QAAI,gBACF,SAAQ,cAAc,cAAc,YAAY;AAElD,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ;KAAgC,EAC5F,mDACD;AACD,WAAO,EAAE,KAAK;KAAE,OAAO;KAAgB,SAAS;KAAwC,EAAE,IAAI;;GAGhG,MAAM,SAAS,sBAAsB;IACnC,eAAe,qBAAqB,EAAE;IACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;IACvC;IACA;IACD,CAAC;AAEF,OAAI,OAAO,IAAI;AACb,QAAI,gBACF,SAAQ,cAAc,aAAa;AAErC,UAAM,MAAM;AACZ;;AAGF,OAAI,OAAO,OAAO,OAAO;AACvB,QAAI,iBAAiB;KACnB,MAAM,UAAU,QAAQ,aAAa,cAAc,YAAY;AAC/D,SAAI,QAAQ,SAAS;AACnB,QAAE,OAAO,eAAe,OAAO,QAAQ,cAAc,CAAC;AACtD,aAAO,EAAE,KACP;OACE,OAAO;OACP,SAAS;OACT,YAAY,QAAQ;OACrB,EACD,IACD;;AAEH,aAAQ,cAAc,cAAc,YAAY;;AAGlD,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ,OAAO;KAAQ,EAC3E,sDACD;AACD,WAAO,EAAE,KAAK;KAAE,OAAO;KAAgB,SAAS;KAAuC,EAAE,IAAI;;;AAIjG,MAAI,aAAa,UAAU,CAAC,MAC1B,QAAO,MAAM;EAGf,MAAM,UAAU,kBAAkB,EAAE;EACpC,MAAM,QAAQ,2BAA2B,QAAQ;EACjD,MAAM,kBAAkB,MAAM,WAAW,CAAC,iCAAiC;EAE3E,MAAM,eAAe,0BAA0B;EAC/C,MAAM,WAAW,0BACf,GACA,cAAc,gBACd,cAAc,oBACf;EAGD,MAAM,EAAE,SAAS,KAAK,cAAc,KAAK,gBADxB,6BAA6B;GAAE;GAAU,QAD3C,EAAE,IAAI,OAAO,SACoC;GAAE,KAAK;GAAO,CACb;EAEjE,MAAM,aAAa,uBAAuB,EAAE,IAAI,OAAO,gBAAgB,CAAC;EACxE,MAAM,cAAc,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC;EACvC,MAAM,aAAa,wBAAwB,YAAY,GACnD,sBAAsB,EAAE,IAAI,IAAI,GAChC;AAEJ,MAAI,CAAC,cAAc,eAAe,QAAQ,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ,CACpF,KAAI,KACF;GAAE,MAAM;GAAa,QAAQ,EAAE,IAAI;GAAQ;GAAU,EACrD,6EACD;EAGH,MAAM,gBAAgB,cAAc;AAEpC,MAAI,iBAAiB,cAAc,eAAe,MAAM,EAAE;AACxD,OAAI,gBACF,SAAQ,cAAc,aAAa;AAErC,SAAM,MAAM;AACZ;;AAGF,MAAI,iBAAiB;GACnB,MAAM,UAAU,QAAQ,aAAa,cAAc,YAAY;AAC/D,OAAI,QAAQ,SAAS;AACnB,MAAE,OAAO,eAAe,OAAO,QAAQ,cAAc,CAAC;AACtD,WAAO,EAAE,KACP;KACE,OAAO;KACP,SAAS;KACT,YAAY,QAAQ;KACrB,EACD,IACD;;;AAIL,MAAI,CAAC,eAAe;AAClB,OAAI,gBACF,SAAQ,cAAc,cAAc,YAAY;AAElD,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,2CACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAgB,SAAS;IAAgC,EAAE,IAAI;;AAGxF,MAAI,CAAC,cAAc,eAAe,MAAM,EAAE;AACxC,OAAI,gBACF,SAAQ,cAAc,cAAc,YAAY;AAElD,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,qCACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAgB,SAAS;IAAgC,EAAE,IAAI;;GAExF;;;;;AAWJ,SAAgB,sBACd,KACA,YACA,eACqB;AACrB,KAAI,CAAC,cACH,QAAO,EAAE,OAAO,MAAM;CAGxB,MAAM,aAAa,IAAI,aAAa,IAAI,QAAQ;CAChD,MAAM,cAAc,uBAAuB,WAAW;CAEtD,MAAM,gBAAgB,cAAc;AAEpC,KAAI,CAAC,eAAe;AAClB,MAAI,KACF;GAAE,MAAM,IAAI;GAAU,QAAQ;GAAiB,gBAAgB,QAAQ,YAAY;GAAE,EACrF,8DACD;AACD,SAAO;GAAE,OAAO;GAAO,OAAO;GAAgC;;AAGhE,KAAI,CAAC,gBAAgB,eAAe,cAAc,EAAE;AAClD,MAAI,KAAK;GAAE,MAAM,IAAI;GAAU,QAAQ;GAAiB,EAAE,0CAA0C;AACpG,SAAO;GAAE,OAAO;GAAO,OAAO;GAAgC;;AAGhE,QAAO,EAAE,OAAO,MAAM"}
+{"version":3,"file":"auth.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/auth.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\n\nimport type { GatewayAuthConfig } from '../../../config/schema.js';\nimport type { ResolvedGatewayAuth } from '../../auth.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport {\n  authPolicyConfig,\n  buckets,\n  isAuthRateLimitGloballyDisabled,\n  resolveAuthRateLimit,\n  resolveAuthTracking,\n  type ResolvedAuthRateLimitConfig,\n} from '../../rate-limit/index.js';\nimport { getClientIpFromHeaders } from '../../security/loopback.js';\nimport { safeEqualSecret } from '../../security/secret-equal.js';\nimport { authorizeTrustedProxy } from '../../trusted-proxy.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Auth');\n\nexport interface AuthConfig {\n  token?: string;\n  /** Current gateway auth from config (for rate-limit settings); optional. */\n  getGatewayAuth?: () => GatewayAuthConfig | undefined;\n  getResolvedAuth?: () => ResolvedGatewayAuth;\n  getTrustedProxyContext?: () => {\n    trustedProxies?: string[];\n    allowRealIpFallback?: boolean;\n  };\n}\n\nfunction validateToken(providedToken: string | undefined, expectedToken: string): boolean {\n  if (!providedToken) return false;\n  return safeEqualSecret(providedToken, expectedToken);\n}\n\nfunction extractTokenFromHeader(authHeader: string | null): string | null {\n  if (!authHeader) return null;\n  const parts = authHeader.split(' ');\n  if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') return parts[1];\n  return authHeader;\n}\n\n/**\n * SECURITY: query-string tokens leak into server logs, Referer headers, and\n * browser history. We accept them only for SSE/WebSocket connections where\n * the `Authorization` header cannot be set by `EventSource`. For normal REST\n * requests prefer the `Authorization: Bearer <token>` header.\n */\nfunction extractTokenFromQuery(url: string): string | null {\n  return new URL(url).searchParams.get('token');\n}\n\nconst QUERY_TOKEN_ALLOWED_PATHS = new Set(['/api/events', '/api/ws']);\n\nfunction isQueryTokenAllowedPath(path: string): boolean {\n  return QUERY_TOKEN_ALLOWED_PATHS.has(path) || path.startsWith('/api/events');\n}\n\nfunction resolveRemoteAddress(c: Context): string | undefined {\n  try {\n    return getConnInfo(c).remote.address;\n  } catch {\n    return undefined;\n  }\n}\n\nfunction resolveMiddlewareClientIp(\n  c: Context,\n  trustedProxies?: string[],\n  allowRealIpFallback?: boolean,\n): string {\n  if (trustedProxies?.length) {\n    return resolveClientIpFromRequest({\n      remoteAddress: resolveRemoteAddress(c),\n      getHeader: (name) => c.req.header(name),\n      trustedProxies,\n      allowRealIpFallback,\n    });\n  }\n  return getClientIpFromHeaders({\n    get: (name: string) => c.req.header(name) ?? undefined,\n  });\n}\n\ntype RateLimitContext = {\n  active: boolean;\n  cfg: ResolvedAuthRateLimitConfig;\n  /** `undefined` when the client is exempted (loopback, disabled, etc.). */\n  trackingKey: string | undefined;\n};\n\nfunction buildRateLimitContext(\n  getGatewayAuth: AuthConfig['getGatewayAuth'],\n  clientIp: string,\n  origin: string | undefined,\n): RateLimitContext {\n  const cfg = resolveAuthRateLimit(getGatewayAuth?.()?.rateLimit);\n  const active = cfg.enabled && !isAuthRateLimitGloballyDisabled();\n  if (!active) return { active: false, cfg, trackingKey: undefined };\n  const tracking = resolveAuthTracking({ clientIp, origin, cfg: authPolicyConfig(cfg) });\n  return {\n    active: true,\n    cfg,\n    trackingKey: tracking.exempt ? undefined : tracking.key,\n  };\n}\n\nfunction checkBlocked(rl: RateLimitContext): { blocked: false } | { blocked: true; retryAfterSec: number } {\n  if (!rl.active || rl.trackingKey === undefined) return { blocked: false };\n  return buckets.authFailure(rl.cfg).check(rl.trackingKey);\n}\n\nfunction recordFailure(rl: RateLimitContext): void {\n  if (!rl.active || rl.trackingKey === undefined) return;\n  buckets.authFailure(rl.cfg).fail(rl.trackingKey);\n}\n\nfunction recordSuccess(rl: RateLimitContext): void {\n  if (!rl.active || rl.trackingKey === undefined) return;\n  buckets.authFailure(rl.cfg).succeed(rl.trackingKey);\n}\n\nfunction blockedResponse(c: Context, retryAfterSec: number) {\n  c.header('Retry-After', String(retryAfterSec));\n  return c.json(\n    {\n      error: 'Too Many Requests',\n      code: 'auth_blocked',\n      message: 'Too many authentication attempts',\n      retryAfter: retryAfterSec,\n    },\n    429,\n  );\n}\n\nexport function auth(config?: AuthConfig) {\n  const { token, getGatewayAuth, getResolvedAuth, getTrustedProxyContext } = config || {};\n\n  return createMiddleware(async (c, next) => {\n    const resolvedAuth = getResolvedAuth?.();\n    const authMode = resolvedAuth?.mode ?? (token ? 'token' : 'none');\n\n    if (authMode === 'trusted-proxy') {\n      const proxyContext = getTrustedProxyContext?.();\n      const trustedProxies = proxyContext?.trustedProxies;\n      const trustedProxyConfig = resolvedAuth?.trustedProxy;\n\n      const clientIp = resolveMiddlewareClientIp(c, trustedProxies, proxyContext?.allowRealIpFallback);\n      const origin = c.req.header('origin');\n      const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);\n\n      // Server misconfiguration — not an attack signal. Don't count.\n      if (!trustedProxyConfig) {\n        log.warn(\n          { path: c.req.path, method: c.req.method, clientIp, reason: 'trusted_proxy_config_missing' },\n          'HTTP auth rejected: trusted-proxy config missing',\n        );\n        return c.json(\n          { error: 'Unauthorized', code: 'auth_unconfigured', message: 'Trusted-proxy auth is not configured' },\n          401,\n        );\n      }\n\n      const blocked = checkBlocked(rl);\n      if (blocked.blocked) {\n        log.warn(\n          { clientIp, origin: origin ?? undefined, path: c.req.path, method: c.req.method, retryAfterSec: blocked.retryAfterSec, reason: 'auth_blocked' },\n          'Auth rate limit blocked',\n        );\n        return blockedResponse(c, blocked.retryAfterSec);\n      }\n\n      const result = authorizeTrustedProxy({\n        remoteAddress: resolveRemoteAddress(c),\n        getHeader: (name) => c.req.header(name),\n        trustedProxies,\n        trustedProxyConfig,\n      });\n\n      if (result.ok === false) {\n        recordFailure(rl);\n        log.warn(\n          { path: c.req.path, method: c.req.method, clientIp, reason: result.reason },\n          `HTTP auth rejected: trusted-proxy validation failed (${result.reason})`,\n        );\n        return c.json(\n          { error: 'Unauthorized', code: 'invalid_proxy_credentials', message: 'Trusted-proxy authentication failed' },\n          401,\n        );\n      }\n\n      recordSuccess(rl);\n      await next();\n      return;\n    }\n\n    if (authMode === 'none' || !token) {\n      return next();\n    }\n\n    const proxyContext = getTrustedProxyContext?.();\n    const clientIp = resolveMiddlewareClientIp(c, proxyContext?.trustedProxies, proxyContext?.allowRealIpFallback);\n    const origin = c.req.header('origin');\n    const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);\n\n    const authHeader = extractTokenFromHeader(c.req.header('authorization'));\n    const requestPath = new URL(c.req.url).pathname;\n    const queryToken = isQueryTokenAllowedPath(requestPath) ? extractTokenFromQuery(c.req.url) : null;\n\n    if (!authHeader && queryToken === null && new URL(c.req.url).searchParams.has('token')) {\n      log.warn(\n        { path: requestPath, method: c.req.method, clientIp },\n        'Token in query string rejected: use Authorization header for this endpoint',\n      );\n    }\n\n    const providedToken = authHeader || queryToken;\n\n    if (providedToken && validateToken(providedToken, token)) {\n      recordSuccess(rl);\n      await next();\n      return;\n    }\n\n    const blocked = checkBlocked(rl);\n    if (blocked.blocked) {\n      log.warn(\n        { clientIp, origin: origin ?? undefined, path: requestPath, method: c.req.method, retryAfterSec: blocked.retryAfterSec, reason: 'auth_blocked' },\n        'Auth rate limit blocked',\n      );\n      return blockedResponse(c, blocked.retryAfterSec);\n    }\n\n    // Missing token is an unauthenticated request, not a brute-force signal —\n    // page reloads / SDK cold starts often hit endpoints before the token is\n    // attached. Counting this would lock users out of the token-entry path.\n    if (!providedToken) {\n      log.warn(\n        { path: c.req.path, method: c.req.method, clientIp, reason: 'missing_token' },\n        'HTTP auth rejected: no Bearer or ?token=',\n      );\n      return c.json(\n        { error: 'Unauthorized', code: 'missing_token', message: 'Missing authentication token' },\n        401,\n      );\n    }\n\n    recordFailure(rl);\n    log.warn(\n      { path: c.req.path, method: c.req.method, clientIp, reason: 'invalid_token' },\n      'HTTP auth rejected: token mismatch',\n    );\n    return c.json(\n      { error: 'Unauthorized', code: 'invalid_token', message: 'Invalid authentication token' },\n      401,\n    );\n  });\n}\n"],"mappings":";;;;;;;;;;;;;aAkBwD;AAExD,MAAM,MAAM,aAAa,YAAY;AAarC,SAAS,cAAc,eAAmC,eAAgC;AACxF,KAAI,CAAC,cAAe,QAAO;AAC3B,QAAO,gBAAgB,eAAe,cAAc;;AAGtD,SAAS,uBAAuB,YAA0C;AACxE,KAAI,CAAC,WAAY,QAAO;CACxB,MAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,KAAI,MAAM,WAAW,KAAK,MAAM,GAAG,aAAa,KAAK,SAAU,QAAO,MAAM;AAC5E,QAAO;;;;;;;;AAST,SAAS,sBAAsB,KAA4B;AACzD,QAAO,IAAI,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ;;AAG/C,MAAM,4BAA4B,IAAI,IAAI,CAAC,eAAe,UAAU,CAAC;AAErE,SAAS,wBAAwB,MAAuB;AACtD,QAAO,0BAA0B,IAAI,KAAK,IAAI,KAAK,WAAW,cAAc;;AAG9E,SAAS,qBAAqB,GAAgC;AAC5D,KAAI;AACF,SAAO,YAAY,EAAE,CAAC,OAAO;SACvB;AACN;;;AAIJ,SAAS,0BACP,GACA,gBACA,qBACQ;AACR,KAAI,gBAAgB,OAClB,QAAO,2BAA2B;EAChC,eAAe,qBAAqB,EAAE;EACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;EACvC;EACA;EACD,CAAC;AAEJ,QAAO,uBAAuB,EAC5B,MAAM,SAAiB,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAC9C,CAAC;;AAUJ,SAAS,sBACP,gBACA,UACA,QACkB;CAClB,MAAM,MAAM,qBAAqB,kBAAkB,EAAE,UAAU;AAE/D,KAAI,EADW,IAAI,WAAW,CAAC,iCAAiC,EACnD,QAAO;EAAE,QAAQ;EAAO;EAAK,aAAa,KAAA;EAAW;CAClE,MAAM,WAAW,oBAAoB;EAAE;EAAU;EAAQ,KAAK,iBAAiB,IAAI;EAAE,CAAC;AACtF,QAAO;EACL,QAAQ;EACR;EACA,aAAa,SAAS,SAAS,KAAA,IAAY,SAAS;EACrD;;AAGH,SAAS,aAAa,IAAqF;AACzG,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW,QAAO,EAAE,SAAS,OAAO;AACzE,QAAO,QAAQ,YAAY,GAAG,IAAI,CAAC,MAAM,GAAG,YAAY;;AAG1D,SAAS,cAAc,IAA4B;AACjD,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW;AAChD,SAAQ,YAAY,GAAG,IAAI,CAAC,KAAK,GAAG,YAAY;;AAGlD,SAAS,cAAc,IAA4B;AACjD,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW;AAChD,SAAQ,YAAY,GAAG,IAAI,CAAC,QAAQ,GAAG,YAAY;;AAGrD,SAAS,gBAAgB,GAAY,eAAuB;AAC1D,GAAE,OAAO,eAAe,OAAO,cAAc,CAAC;AAC9C,QAAO,EAAE,KACP;EACE,OAAO;EACP,MAAM;EACN,SAAS;EACT,YAAY;EACb,EACD,IACD;;AAGH,SAAgB,KAAK,QAAqB;CACxC,MAAM,EAAE,OAAO,gBAAgB,iBAAiB,2BAA2B,UAAU,EAAE;AAEvF,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,eAAe,mBAAmB;EACxC,MAAM,WAAW,cAAc,SAAS,QAAQ,UAAU;AAE1D,MAAI,aAAa,iBAAiB;GAChC,MAAM,eAAe,0BAA0B;GAC/C,MAAM,iBAAiB,cAAc;GACrC,MAAM,qBAAqB,cAAc;GAEzC,MAAM,WAAW,0BAA0B,GAAG,gBAAgB,cAAc,oBAAoB;GAChG,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;GACrC,MAAM,KAAK,sBAAsB,gBAAgB,UAAU,OAAO;AAGlE,OAAI,CAAC,oBAAoB;AACvB,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ;KAAgC,EAC5F,mDACD;AACD,WAAO,EAAE,KACP;KAAE,OAAO;KAAgB,MAAM;KAAqB,SAAS;KAAwC,EACrG,IACD;;GAGH,MAAM,UAAU,aAAa,GAAG;AAChC,OAAI,QAAQ,SAAS;AACnB,QAAI,KACF;KAAE;KAAU,QAAQ,UAAU,KAAA;KAAW,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ,eAAe,QAAQ;KAAe,QAAQ;KAAgB,EAC/I,0BACD;AACD,WAAO,gBAAgB,GAAG,QAAQ,cAAc;;GAGlD,MAAM,SAAS,sBAAsB;IACnC,eAAe,qBAAqB,EAAE;IACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;IACvC;IACA;IACD,CAAC;AAEF,OAAI,OAAO,OAAO,OAAO;AACvB,kBAAc,GAAG;AACjB,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ,OAAO;KAAQ,EAC3E,wDAAwD,OAAO,OAAO,GACvE;AACD,WAAO,EAAE,KACP;KAAE,OAAO;KAAgB,MAAM;KAA6B,SAAS;KAAuC,EAC5G,IACD;;AAGH,iBAAc,GAAG;AACjB,SAAM,MAAM;AACZ;;AAGF,MAAI,aAAa,UAAU,CAAC,MAC1B,QAAO,MAAM;EAGf,MAAM,eAAe,0BAA0B;EAC/C,MAAM,WAAW,0BAA0B,GAAG,cAAc,gBAAgB,cAAc,oBAAoB;EAC9G,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;EACrC,MAAM,KAAK,sBAAsB,gBAAgB,UAAU,OAAO;EAElE,MAAM,aAAa,uBAAuB,EAAE,IAAI,OAAO,gBAAgB,CAAC;EACxE,MAAM,cAAc,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC;EACvC,MAAM,aAAa,wBAAwB,YAAY,GAAG,sBAAsB,EAAE,IAAI,IAAI,GAAG;AAE7F,MAAI,CAAC,cAAc,eAAe,QAAQ,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ,CACpF,KAAI,KACF;GAAE,MAAM;GAAa,QAAQ,EAAE,IAAI;GAAQ;GAAU,EACrD,6EACD;EAGH,MAAM,gBAAgB,cAAc;AAEpC,MAAI,iBAAiB,cAAc,eAAe,MAAM,EAAE;AACxD,iBAAc,GAAG;AACjB,SAAM,MAAM;AACZ;;EAGF,MAAM,UAAU,aAAa,GAAG;AAChC,MAAI,QAAQ,SAAS;AACnB,OAAI,KACF;IAAE;IAAU,QAAQ,UAAU,KAAA;IAAW,MAAM;IAAa,QAAQ,EAAE,IAAI;IAAQ,eAAe,QAAQ;IAAe,QAAQ;IAAgB,EAChJ,0BACD;AACD,UAAO,gBAAgB,GAAG,QAAQ,cAAc;;AAMlD,MAAI,CAAC,eAAe;AAClB,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,2CACD;AACD,UAAO,EAAE,KACP;IAAE,OAAO;IAAgB,MAAM;IAAiB,SAAS;IAAgC,EACzF,IACD;;AAGH,gBAAc,GAAG;AACjB,MAAI,KACF;GAAE,MAAM,EAAE,IAAI;GAAM,QAAQ,EAAE,IAAI;GAAQ;GAAU,QAAQ;GAAiB,EAC7E,qCACD;AACD,SAAO,EAAE,KACP;GAAE,OAAO;GAAgB,MAAM;GAAiB,SAAS;GAAgC,EACzF,IACD;GACD"}

package/dist/src/gateway/hono/middleware/logger.d.ts

@@ -1 +1,5 @@
-export declare function logger(): import("hono/dist/types/types.js").MiddlewareHandler<any, string, {}, Response>;
+export interface LoggerMiddlewareConfig {
+    trustedProxies?: string[];
+    allowRealIpFallback?: boolean;
+}
+export declare function logger(config?: LoggerMiddlewareConfig): import("hono/dist/types/types.js").MiddlewareHandler<any, string, {}, Response>;

package/dist/src/gateway/hono/middleware/logger.js

@@ -1,20 +1,56 @@
 import { createLogger } from "../../../utils/logger/index.js";
 import { init_logger } from "../../../utils/logger.js";
+import { resolveClientIpFromRequest } from "../../client-ip.js";
+import { getClientIpFromHeaders } from "../../security/loopback.js";
 import { createMiddleware } from "hono/factory";
+import { getConnInfo } from "@hono/node-server/conninfo";
 //#region src/gateway/hono/middleware/logger.ts
 init_logger();
 const log = createLogger("Hono:Request");
-function logger() {
+function resolveRemoteAddress(c) {
+	try {
+		return getConnInfo(c).remote.address;
+	} catch {
+		return;
+	}
+}
+function resolveRequestClientIp(c, config) {
+	const trustedProxies = config?.trustedProxies;
+	if (trustedProxies?.length) return resolveClientIpFromRequest({
+		remoteAddress: resolveRemoteAddress(c),
+		getHeader: (name) => c.req.header(name),
+		trustedProxies,
+		allowRealIpFallback: config?.allowRealIpFallback
+	});
+	return getClientIpFromHeaders({ get: (name) => c.req.header(name) ?? void 0 });
+}
+function logger(config) {
 	return createMiddleware(async (c, next) => {
 		const start = Date.now();
+		const clientIp = resolveRequestClientIp(c, config);
+		const userAgent = c.req.header("user-agent") ?? void 0;
+		const contentLength = c.req.header("content-length");
+		const referer = c.req.header("referer") ?? void 0;
 		await next();
 		const duration = Date.now() - start;
-		log.debug({
+		const status = c.res.status;
+		const isServerError = status >= 500;
+		const isClientError = status >= 400 && status < 500;
+		const isSlow = duration > 1e3;
+		const logData = {
 			method: c.req.method,
 			path: c.req.path,
-			status: c.res.status,
-			duration: `${duration}ms`
-		}, "HTTP request");
+			status,
+			durationMs: duration,
+			clientIp,
+			...userAgent ? { userAgent } : {},
+			...contentLength ? { contentLength: Number(contentLength) } : {},
+			...referer ? { referer } : {}
+		};
+		const msg = `HTTP ${c.req.method} ${c.req.path} → ${status} (${duration}ms)`;
+		if (isServerError || isSlow) log.warn(logData, msg);
+		else if (isClientError) log.info(logData, msg);
+		else log.debug(logData, msg);
 	});
 }
 //#endregion

package/dist/src/gateway/hono/middleware/logger.js.map

@@ -1 +1 @@
-{"version":3,"file":"logger.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/logger.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Request');\n\nexport function logger() {\n  return createMiddleware(async (c, next) => {\n    const start = Date.now();\n    \n    await next();\n    \n    const duration = Date.now() - start;\n    \n    log.debug({\n      method: c.req.method,\n      path: c.req.path,\n      status: c.res.status,\n      duration: `${duration}ms`,\n    }, 'HTTP request');\n  });\n}\n"],"mappings":";;;;aACwD;AAExD,MAAM,MAAM,aAAa,eAAe;AAExC,SAAgB,SAAS;AACvB,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,QAAQ,KAAK,KAAK;AAExB,QAAM,MAAM;EAEZ,MAAM,WAAW,KAAK,KAAK,GAAG;AAE9B,MAAI,MAAM;GACR,QAAQ,EAAE,IAAI;GACd,MAAM,EAAE,IAAI;GACZ,QAAQ,EAAE,IAAI;GACd,UAAU,GAAG,SAAS;GACvB,EAAE,eAAe;GAClB"}
+{"version":3,"file":"logger.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/logger.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\n\nimport { getClientIpFromHeaders } from '../../security/loopback.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Request');\n\nexport interface LoggerMiddlewareConfig {\n  trustedProxies?: string[];\n  allowRealIpFallback?: boolean;\n}\n\nfunction resolveRemoteAddress(c: Context): string | undefined {\n  try {\n    return getConnInfo(c).remote.address;\n  } catch {\n    return undefined;\n  }\n}\n\nfunction resolveRequestClientIp(c: Context, config?: LoggerMiddlewareConfig): string {\n  const trustedProxies = config?.trustedProxies;\n  if (trustedProxies?.length) {\n    return resolveClientIpFromRequest({\n      remoteAddress: resolveRemoteAddress(c),\n      getHeader: (name) => c.req.header(name),\n      trustedProxies,\n      allowRealIpFallback: config?.allowRealIpFallback,\n    });\n  }\n  return getClientIpFromHeaders({\n    get: (name) => c.req.header(name) ?? undefined,\n  });\n}\n\nexport function logger(config?: LoggerMiddlewareConfig) {\n  return createMiddleware(async (c, next) => {\n    const start = Date.now();\n\n    const clientIp = resolveRequestClientIp(c, config);\n    const userAgent = c.req.header('user-agent') ?? undefined;\n    const contentLength = c.req.header('content-length');\n    const referer = c.req.header('referer') ?? undefined;\n\n    await next();\n\n    const duration = Date.now() - start;\n    const status = c.res.status;\n    const isServerError = status >= 500;\n    const isClientError = status >= 400 && status < 500;\n    const isSlow = duration > 1000;\n\n    const logData = {\n      method: c.req.method,\n      path: c.req.path,\n      status,\n      durationMs: duration,\n      clientIp,\n      ...(userAgent ? { userAgent } : {}),\n      ...(contentLength ? { contentLength: Number(contentLength) } : {}),\n      ...(referer ? { referer } : {}),\n    };\n\n    const msg = `HTTP ${c.req.method} ${c.req.path} → ${status} (${duration}ms)`;\n\n    if (isServerError || isSlow) {\n      log.warn(logData, msg);\n    } else if (isClientError) {\n      // 4xx: info avoids doubling warn noise from auth / rate-limit handlers\n      log.info(logData, msg);\n    } else {\n      log.debug(logData, msg);\n    }\n  });\n}\n"],"mappings":";;;;;;;aAMwD;AAExD,MAAM,MAAM,aAAa,eAAe;AAOxC,SAAS,qBAAqB,GAAgC;AAC5D,KAAI;AACF,SAAO,YAAY,EAAE,CAAC,OAAO;SACvB;AACN;;;AAIJ,SAAS,uBAAuB,GAAY,QAAyC;CACnF,MAAM,iBAAiB,QAAQ;AAC/B,KAAI,gBAAgB,OAClB,QAAO,2BAA2B;EAChC,eAAe,qBAAqB,EAAE;EACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;EACvC;EACA,qBAAqB,QAAQ;EAC9B,CAAC;AAEJ,QAAO,uBAAuB,EAC5B,MAAM,SAAS,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GACtC,CAAC;;AAGJ,SAAgB,OAAO,QAAiC;AACtD,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,QAAQ,KAAK,KAAK;EAExB,MAAM,WAAW,uBAAuB,GAAG,OAAO;EAClD,MAAM,YAAY,EAAE,IAAI,OAAO,aAAa,IAAI,KAAA;EAChD,MAAM,gBAAgB,EAAE,IAAI,OAAO,iBAAiB;EACpD,MAAM,UAAU,EAAE,IAAI,OAAO,UAAU,IAAI,KAAA;AAE3C,QAAM,MAAM;EAEZ,MAAM,WAAW,KAAK,KAAK,GAAG;EAC9B,MAAM,SAAS,EAAE,IAAI;EACrB,MAAM,gBAAgB,UAAU;EAChC,MAAM,gBAAgB,UAAU,OAAO,SAAS;EAChD,MAAM,SAAS,WAAW;EAE1B,MAAM,UAAU;GACd,QAAQ,EAAE,IAAI;GACd,MAAM,EAAE,IAAI;GACZ;GACA,YAAY;GACZ;GACA,GAAI,YAAY,EAAE,WAAW,GAAG,EAAE;GAClC,GAAI,gBAAgB,EAAE,eAAe,OAAO,cAAc,EAAE,GAAG,EAAE;GACjE,GAAI,UAAU,EAAE,SAAS,GAAG,EAAE;GAC/B;EAED,MAAM,MAAM,QAAQ,EAAE,IAAI,OAAO,GAAG,EAAE,IAAI,KAAK,KAAK,OAAO,IAAI,SAAS;AAExE,MAAI,iBAAiB,OACnB,KAAI,KAAK,SAAS,IAAI;WACb,cAET,KAAI,KAAK,SAAS,IAAI;MAEtB,KAAI,MAAM,SAAS,IAAI;GAEzB"}

package/dist/src/gateway/hono/middleware/strict-rate-limit.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Per-client request-rate gate for sensitive admin/mutation endpoints.
+ * Backed by `buckets.strictApi()` — see {@link ../../rate-limit/buckets.ts}.
+ */
+export type StrictRateLimitDeps = {
+    getTrustedProxyContext: () => {
+        trustedProxies?: string[];
+        allowRealIpFallback?: boolean;
+    };
+};
+export declare function createStrictRateLimitMiddleware(deps: StrictRateLimitDeps): import("hono/dist/types/types.js").MiddlewareHandler<any, string, {}, Response & import("hono/dist/types/types.js").TypedResponse<{
+    error: string;
+    code: string;
+}, 429, "json">>;

package/dist/src/gateway/hono/middleware/strict-rate-limit.js

@@ -0,0 +1,62 @@
+import { createLogger } from "../../../utils/logger/index.js";
+import { init_logger } from "../../../utils/logger.js";
+import { resolveClientIpFromRequest } from "../../client-ip.js";
+import { buckets } from "../../rate-limit/buckets.js";
+import { getClientIpFromHeaders } from "../../security/loopback.js";
+import "../../rate-limit/index.js";
+import { createMiddleware } from "hono/factory";
+import { getConnInfo } from "@hono/node-server/conninfo";
+//#region src/gateway/hono/middleware/strict-rate-limit.ts
+/**
+* Per-client request-rate gate for sensitive admin/mutation endpoints.
+* Backed by `buckets.strictApi()` — see {@link ../../rate-limit/buckets.ts}.
+*/
+init_logger();
+const log = createLogger("Hono:StrictRateLimit");
+function resolveClientIp(c, deps) {
+	const { trustedProxies, allowRealIpFallback } = deps.getTrustedProxyContext();
+	if (trustedProxies?.length) {
+		let remoteAddress;
+		try {
+			remoteAddress = getConnInfo(c).remote.address;
+		} catch {
+			remoteAddress = void 0;
+		}
+		return resolveClientIpFromRequest({
+			remoteAddress,
+			getHeader: (name) => c.req.header(name),
+			trustedProxies,
+			allowRealIpFallback
+		});
+	}
+	return getClientIpFromHeaders({ get: (name) => c.req.header(name) ?? void 0 });
+}
+function createStrictRateLimitMiddleware(deps) {
+	return createMiddleware(async (c, next) => {
+		const limiter = buckets.strictApi();
+		const clientIp = resolveClientIp(c, deps);
+		const result = limiter.consume(clientIp);
+		if (!result.allowed) {
+			const retryAfterSec = Math.ceil(result.retryAfterMs / 1e3);
+			log.warn({
+				clientIp,
+				path: c.req.path,
+				method: c.req.method,
+				retryAfterSec,
+				reason: "strict_rate_limit_exceeded"
+			}, "Strict API rate limit exceeded");
+			c.header("Retry-After", String(retryAfterSec));
+			c.header("X-RateLimit-Remaining", "0");
+			return c.json({
+				error: "Too many requests",
+				code: "rate_limited"
+			}, 429);
+		}
+		c.header("X-RateLimit-Remaining", String(result.remaining));
+		await next();
+	});
+}
+//#endregion
+export { createStrictRateLimitMiddleware };
+
+//# sourceMappingURL=strict-rate-limit.js.map

package/dist/src/gateway/hono/middleware/strict-rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"strict-rate-limit.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/strict-rate-limit.ts"],"sourcesContent":["/**\n * Per-client request-rate gate for sensitive admin/mutation endpoints.\n * Backed by `buckets.strictApi()` — see {@link ../../rate-limit/buckets.ts}.\n */\n\nimport { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\n\nimport { buckets } from '../../rate-limit/index.js';\nimport { getClientIpFromHeaders } from '../../security/loopback.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:StrictRateLimit');\n\nexport type StrictRateLimitDeps = {\n  getTrustedProxyContext: () => {\n    trustedProxies?: string[];\n    allowRealIpFallback?: boolean;\n  };\n};\n\nfunction resolveClientIp(c: Context, deps: StrictRateLimitDeps): string {\n  const { trustedProxies, allowRealIpFallback } = deps.getTrustedProxyContext();\n  if (trustedProxies?.length) {\n    let remoteAddress: string | undefined;\n    try {\n      remoteAddress = getConnInfo(c).remote.address;\n    } catch {\n      remoteAddress = undefined;\n    }\n    return resolveClientIpFromRequest({\n      remoteAddress,\n      getHeader: (name) => c.req.header(name),\n      trustedProxies,\n      allowRealIpFallback,\n    });\n  }\n  return getClientIpFromHeaders({ get: (name) => c.req.header(name) ?? undefined });\n}\n\nexport function createStrictRateLimitMiddleware(deps: StrictRateLimitDeps) {\n  return createMiddleware(async (c, next) => {\n    const limiter = buckets.strictApi();\n    const clientIp = resolveClientIp(c, deps);\n    const result = limiter.consume(clientIp);\n\n    if (!result.allowed) {\n      const retryAfterSec = Math.ceil(result.retryAfterMs / 1000);\n      log.warn(\n        {\n          clientIp,\n          path: c.req.path,\n          method: c.req.method,\n          retryAfterSec,\n          reason: 'strict_rate_limit_exceeded',\n        },\n        'Strict API rate limit exceeded',\n      );\n      c.header('Retry-After', String(retryAfterSec));\n      c.header('X-RateLimit-Remaining', '0');\n      return c.json({ error: 'Too many requests', code: 'rate_limited' }, 429);\n    }\n\n    c.header('X-RateLimit-Remaining', String(result.remaining));\n    await next();\n  });\n}\n"],"mappings":";;;;;;;;;;;;;aAYwD;AAExD,MAAM,MAAM,aAAa,uBAAuB;AAShD,SAAS,gBAAgB,GAAY,MAAmC;CACtE,MAAM,EAAE,gBAAgB,wBAAwB,KAAK,wBAAwB;AAC7E,KAAI,gBAAgB,QAAQ;EAC1B,IAAI;AACJ,MAAI;AACF,mBAAgB,YAAY,EAAE,CAAC,OAAO;UAChC;AACN,mBAAgB,KAAA;;AAElB,SAAO,2BAA2B;GAChC;GACA,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;GACvC;GACA;GACD,CAAC;;AAEJ,QAAO,uBAAuB,EAAE,MAAM,SAAS,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAAW,CAAC;;AAGnF,SAAgB,gCAAgC,MAA2B;AACzE,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,UAAU,QAAQ,WAAW;EACnC,MAAM,WAAW,gBAAgB,GAAG,KAAK;EACzC,MAAM,SAAS,QAAQ,QAAQ,SAAS;AAExC,MAAI,CAAC,OAAO,SAAS;GACnB,MAAM,gBAAgB,KAAK,KAAK,OAAO,eAAe,IAAK;AAC3D,OAAI,KACF;IACE;IACA,MAAM,EAAE,IAAI;IACZ,QAAQ,EAAE,IAAI;IACd;IACA,QAAQ;IACT,EACD,iCACD;AACD,KAAE,OAAO,eAAe,OAAO,cAAc,CAAC;AAC9C,KAAE,OAAO,yBAAyB,IAAI;AACtC,UAAO,EAAE,KAAK;IAAE,OAAO;IAAqB,MAAM;IAAgB,EAAE,IAAI;;AAG1E,IAAE,OAAO,yBAAyB,OAAO,OAAO,UAAU,CAAC;AAC3D,QAAM,MAAM;GACZ"}

package/dist/src/gateway/hono/oauth.js

@@ -1,6 +1,6 @@
 import { CredentialResolver, init_credentials } from "../../auth/credentials.js";
-import { init_providers, isProviderConfigured } from "../../providers/index.js";
 import { anthropicOAuthProvider } from "../../auth/oauth/anthropic.js";
+import { init_providers, isProviderConfigured } from "../../providers/index.js";
 import { minimaxOAuthProvider } from "../../auth/oauth/minimax.js";
 import { minimaxCnOAuthProvider } from "../../auth/oauth/minimax-cn.js";
 import { kimiCodingOAuthProvider } from "../../auth/oauth/kimi-coding.js";

package/dist/src/gateway/hono/routes/auth-registry-extensions.js

@@ -7,8 +7,8 @@ import { createOAuthHandler } from "../oauth.js";
 import { createOAuthAsyncHandler } from "../oauth-async.js";
 import { extensionAssetMimeType } from "../lib/extension-assets.js";
 import { loadExtensionStore, saveExtensionStore } from "../lib/extension-store.js";
-import { relative, resolve } from "node:path";
 import { existsSync, readFileSync, statSync } from "node:fs";
+import { relative, resolve } from "node:path";
 //#region src/gateway/hono/routes/auth-registry-extensions.ts
 init_providers();
 const EXTENSION_ASSET_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'none'; frame-ancestors 'self'; frame-src 'none'; base-uri 'none'; object-src 'none'; form-action 'none'";
@@ -312,7 +312,7 @@ function registerAuthRegistryExtensionsRoutes(authenticated, deps) {
 			}, 400);
 		}
 		try {
-			const payload = await service.fetchExtensionMarketplacePackageDetail(pkgName);
+			const payload = await service.marketplace.fetchExtensionPackageDetail(pkgName);
 			return c.json({
 				ok: true,
 				payload
@@ -342,7 +342,7 @@ function registerAuthRegistryExtensionsRoutes(authenticated, deps) {
 			error: "Expected { name: string, version?: string, overwrite?: boolean }"
 		}, 400);
 		try {
-			const payload = await service.installExtensionFromMarketplace({
+			const payload = await service.marketplace.installExtension({
 				name,
 				version,
 				overwrite
@@ -374,7 +374,7 @@ function registerAuthRegistryExtensionsRoutes(authenticated, deps) {
 			error: "Expected { extensionId: string }"
 		}, 400);
 		try {
-			const payload = await service.uninstallUserExtension(extensionId);
+			const payload = await service.marketplace.uninstallExtension(extensionId);
 			return c.json({
 				ok: true,
 				payload