npm - @xopcai/xopc - Versions diffs - 0.0.82 → 0.0.83 - Mend

@xopcai/xopc 0.0.82 → 0.0.83

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (704) hide show

package/dist/src/gateway/hono/middleware/auth.js CHANGED Viewed

@@ -1,25 +1,22 @@
 import { createLogger } from "../../../utils/logger/index.js";
 import { init_logger } from "../../../utils/logger.js";
-import { getClientIpFromHeaders, isAuthRateLimitGloballyDisabled, resolveAuthRateLimitConfig, resolveAuthRateLimitTracking } from "../../auth-rate-limit.js";
 import { safeEqualSecret } from "../../security/secret-equal.js";
 import { resolveClientIpFromRequest } from "../../client-ip.js";
+import { authPolicyConfig, buckets, resolveAuthRateLimit } from "../../rate-limit/buckets.js";
+import { getClientIpFromHeaders } from "../../security/loopback.js";
+import { resolveAuthTracking } from "../../rate-limit/auth-policy.js";
+import { isAuthRateLimitGloballyDisabled } from "../../rate-limit/env-flags.js";
+import "../../rate-limit/index.js";
 import { authorizeTrustedProxy } from "../../trusted-proxy.js";
 import { createMiddleware } from "hono/factory";
 import { getConnInfo } from "@hono/node-server/conninfo";
 //#region src/gateway/hono/middleware/auth.ts
 init_logger();
 const log = createLogger("Hono:Auth");
-/**
-* Validate token using constant-time comparison to prevent timing attacks.
-*/
 function validateToken(providedToken, expectedToken) {
 	if (!providedToken) return false;
 	return safeEqualSecret(providedToken, expectedToken);
 }
-/**
-* Extract token from Authorization header
-* Supports: "Bearer <token>", "<token>"
-*/
 function extractTokenFromHeader(authHeader) {
 	if (!authHeader) return null;
 	const parts = authHeader.split(" ");
@@ -27,8 +24,6 @@ function extractTokenFromHeader(authHeader) {
 	return authHeader;
 }
 /**
-* Extract token from query parameter.
-*
 * SECURITY: query-string tokens leak into server logs, Referer headers, and
 * browser history. We accept them only for SSE/WebSocket connections where
 * the `Authorization` header cannot be set by `EventSource`. For normal REST
@@ -37,7 +32,6 @@ function extractTokenFromHeader(authHeader) {
 function extractTokenFromQuery(url) {
 	return new URL(url).searchParams.get("token");
 }
-/** Paths where query-string token auth is acceptable (SSE / WebSocket). */
 const QUERY_TOKEN_ALLOWED_PATHS = new Set(["/api/events", "/api/ws"]);
 function isQueryTokenAllowedPath(path) {
 	return QUERY_TOKEN_ALLOWED_PATHS.has(path) || path.startsWith("/api/events");
@@ -58,9 +52,45 @@ function resolveMiddlewareClientIp(c, trustedProxies, allowRealIpFallback) {
 	});
 	return getClientIpFromHeaders({ get: (name) => c.req.header(name) ?? void 0 });
 }
-/**
-* Create auth middleware for HTTP routes
-*/
+function buildRateLimitContext(getGatewayAuth, clientIp, origin) {
+	const cfg = resolveAuthRateLimit(getGatewayAuth?.()?.rateLimit);
+	if (!(cfg.enabled && !isAuthRateLimitGloballyDisabled())) return {
+		active: false,
+		cfg,
+		trackingKey: void 0
+	};
+	const tracking = resolveAuthTracking({
+		clientIp,
+		origin,
+		cfg: authPolicyConfig(cfg)
+	});
+	return {
+		active: true,
+		cfg,
+		trackingKey: tracking.exempt ? void 0 : tracking.key
+	};
+}
+function checkBlocked(rl) {
+	if (!rl.active || rl.trackingKey === void 0) return { blocked: false };
+	return buckets.authFailure(rl.cfg).check(rl.trackingKey);
+}
+function recordFailure(rl) {
+	if (!rl.active || rl.trackingKey === void 0) return;
+	buckets.authFailure(rl.cfg).fail(rl.trackingKey);
+}
+function recordSuccess(rl) {
+	if (!rl.active || rl.trackingKey === void 0) return;
+	buckets.authFailure(rl.cfg).succeed(rl.trackingKey);
+}
+function blockedResponse(c, retryAfterSec) {
+	c.header("Retry-After", String(retryAfterSec));
+	return c.json({
+		error: "Too Many Requests",
+		code: "auth_blocked",
+		message: "Too many authentication attempts",
+		retryAfter: retryAfterSec
+	}, 429);
+}
 function auth(config) {
 	const { token, getGatewayAuth, getResolvedAuth, getTrustedProxyContext } = config || {};
 	return createMiddleware(async (c, next) => {
@@ -70,18 +100,10 @@ function auth(config) {
 			const proxyContext = getTrustedProxyContext?.();
 			const trustedProxies = proxyContext?.trustedProxies;
 			const trustedProxyConfig = resolvedAuth?.trustedProxy;
-			const rlInput = getGatewayAuth?.()?.rateLimit;
-			const rlCfg = resolveAuthRateLimitConfig(rlInput);
-			const rateLimitActive = rlCfg.enabled && !isAuthRateLimitGloballyDisabled();
 			const clientIp = resolveMiddlewareClientIp(c, trustedProxies, proxyContext?.allowRealIpFallback);
 			const origin = c.req.header("origin");
-			const { limiter, key: rateLimitKey, cfg: activeRlCfg } = resolveAuthRateLimitTracking({
-				clientIp,
-				origin,
-				cfg: rlCfg
-			});
+			const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);
 			if (!trustedProxyConfig) {
-				if (rateLimitActive) limiter.recordFailure(rateLimitKey, activeRlCfg);
 				log.warn({
 					path: c.req.path,
 					method: c.req.method,
@@ -90,44 +112,30 @@ function auth(config) {
 				}, "HTTP auth rejected: trusted-proxy config missing");
 				return c.json({
 					error: "Unauthorized",
+					code: "auth_unconfigured",
 					message: "Trusted-proxy auth is not configured"
 				}, 401);
 			}
+			const blocked = checkBlocked(rl);
+			if (blocked.blocked) {
+				log.warn({
+					clientIp,
+					origin: origin ?? void 0,
+					path: c.req.path,
+					method: c.req.method,
+					retryAfterSec: blocked.retryAfterSec,
+					reason: "auth_blocked"
+				}, "Auth rate limit blocked");
+				return blockedResponse(c, blocked.retryAfterSec);
+			}
 			const result = authorizeTrustedProxy({
 				remoteAddress: resolveRemoteAddress(c),
 				getHeader: (name) => c.req.header(name),
 				trustedProxies,
 				trustedProxyConfig
 			});
-			if (result.ok) {
-				if (rateLimitActive) limiter.recordSuccess(rateLimitKey);
-				await next();
-				return;
-			}
 			if (result.ok === false) {
-				if (rateLimitActive) {
-					const blocked = limiter.checkBlocked(rateLimitKey, activeRlCfg);
-					if (blocked.blocked) {
-						log.warn({
-							clientIp,
-							origin: origin ?? void 0,
-							path: c.req.path,
-							method: c.req.method,
-							attemptCount: activeRlCfg.maxAttempts,
-							windowSec: Math.round(activeRlCfg.windowMs / 1e3),
-							blockDurationSec: Math.round(activeRlCfg.blockDurationMs / 1e3),
-							retryAfterSec: blocked.retryAfterSec,
-							reason: "auth_failure_rate_limit"
-						}, `Auth rate limit blocked: ${activeRlCfg.maxAttempts} failures in ${activeRlCfg.windowMs / 1e3}s, blocking for ${activeRlCfg.blockDurationMs / 1e3}s`);
-						c.header("Retry-After", String(blocked.retryAfterSec));
-						return c.json({
-							error: "Too Many Requests",
-							message: "Too many authentication attempts",
-							retryAfter: blocked.retryAfterSec
-						}, 429);
-					}
-					limiter.recordFailure(rateLimitKey, activeRlCfg);
-				}
+				recordFailure(rl);
 				log.warn({
 					path: c.req.path,
 					method: c.req.method,
@@ -136,22 +144,19 @@ function auth(config) {
 				}, `HTTP auth rejected: trusted-proxy validation failed (${result.reason})`);
 				return c.json({
 					error: "Unauthorized",
+					code: "invalid_proxy_credentials",
 					message: "Trusted-proxy authentication failed"
 				}, 401);
 			}
+			recordSuccess(rl);
+			await next();
+			return;
 		}
 		if (authMode === "none" || !token) return next();
-		const rlInput = getGatewayAuth?.()?.rateLimit;
-		const rlCfg = resolveAuthRateLimitConfig(rlInput);
-		const rateLimitActive = rlCfg.enabled && !isAuthRateLimitGloballyDisabled();
 		const proxyContext = getTrustedProxyContext?.();
 		const clientIp = resolveMiddlewareClientIp(c, proxyContext?.trustedProxies, proxyContext?.allowRealIpFallback);
 		const origin = c.req.header("origin");
-		const { limiter, key: rateLimitKey, cfg: activeRlCfg } = resolveAuthRateLimitTracking({
-			clientIp,
-			origin,
-			cfg: rlCfg
-		});
+		const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);
 		const authHeader = extractTokenFromHeader(c.req.header("authorization"));
 		const requestPath = new URL(c.req.url).pathname;
 		const queryToken = isQueryTokenAllowedPath(requestPath) ? extractTokenFromQuery(c.req.url) : null;
@@ -162,34 +167,23 @@ function auth(config) {
 		}, "Token in query string rejected: use Authorization header for this endpoint");
 		const providedToken = authHeader || queryToken;
 		if (providedToken && validateToken(providedToken, token)) {
-			if (rateLimitActive) limiter.recordSuccess(rateLimitKey);
+			recordSuccess(rl);
 			await next();
 			return;
 		}
-		if (rateLimitActive) {
-			const blocked = limiter.checkBlocked(rateLimitKey, activeRlCfg);
-			if (blocked.blocked) {
-				log.warn({
-					clientIp,
-					origin: origin ?? void 0,
-					path: requestPath,
-					method: c.req.method,
-					attemptCount: activeRlCfg.maxAttempts,
-					windowSec: Math.round(activeRlCfg.windowMs / 1e3),
-					blockDurationSec: Math.round(activeRlCfg.blockDurationMs / 1e3),
-					retryAfterSec: blocked.retryAfterSec,
-					reason: "auth_failure_rate_limit"
-				}, `Auth rate limit blocked: ${activeRlCfg.maxAttempts} failures in ${activeRlCfg.windowMs / 1e3}s, blocking for ${activeRlCfg.blockDurationMs / 1e3}s`);
-				c.header("Retry-After", String(blocked.retryAfterSec));
-				return c.json({
-					error: "Too Many Requests",
-					message: "Too many authentication attempts",
-					retryAfter: blocked.retryAfterSec
-				}, 429);
-			}
+		const blocked = checkBlocked(rl);
+		if (blocked.blocked) {
+			log.warn({
+				clientIp,
+				origin: origin ?? void 0,
+				path: requestPath,
+				method: c.req.method,
+				retryAfterSec: blocked.retryAfterSec,
+				reason: "auth_blocked"
+			}, "Auth rate limit blocked");
+			return blockedResponse(c, blocked.retryAfterSec);
 		}
 		if (!providedToken) {
-			if (rateLimitActive) limiter.recordFailure(rateLimitKey, activeRlCfg);
 			log.warn({
 				path: c.req.path,
 				method: c.req.method,
@@ -198,56 +192,25 @@ function auth(config) {
 			}, "HTTP auth rejected: no Bearer or ?token=");
 			return c.json({
 				error: "Unauthorized",
+				code: "missing_token",
 				message: "Missing authentication token"
 			}, 401);
 		}
-		if (!validateToken(providedToken, token)) {
-			if (rateLimitActive) limiter.recordFailure(rateLimitKey, activeRlCfg);
-			log.warn({
-				path: c.req.path,
-				method: c.req.method,
-				clientIp,
-				reason: "invalid_token"
-			}, "HTTP auth rejected: token mismatch");
-			return c.json({
-				error: "Unauthorized",
-				message: "Invalid authentication token"
-			}, 401);
-		}
-	});
-}
-/**
-* Validate WebSocket connection token
-*/
-function validateWebSocketAuth(url, authHeader, expectedToken) {
-	if (!expectedToken) return { valid: true };
-	const queryToken = url.searchParams.get("token");
-	const headerToken = extractTokenFromHeader(authHeader);
-	const providedToken = queryToken || headerToken;
-	if (!providedToken) {
+		recordFailure(rl);
 		log.warn({
-			path: url.pathname,
-			reason: "missing_token",
-			hasHeaderToken: Boolean(headerToken)
-		}, "WebSocket auth rejected: no token in query or Authorization");
-		return {
-			valid: false,
-			error: "Missing authentication token"
-		};
-	}
-	if (!safeEqualSecret(providedToken, expectedToken)) {
-		log.warn({
-			path: url.pathname,
+			path: c.req.path,
+			method: c.req.method,
+			clientIp,
 			reason: "invalid_token"
-		}, "WebSocket auth rejected: token mismatch");
-		return {
-			valid: false,
-			error: "Invalid authentication token"
-		};
-	}
-	return { valid: true };
+		}, "HTTP auth rejected: token mismatch");
+		return c.json({
+			error: "Unauthorized",
+			code: "invalid_token",
+			message: "Invalid authentication token"
+		}, 401);
+	});
 }
 //#endregion
-export { auth, validateWebSocketAuth };
+export { auth };
 //# sourceMappingURL=auth.js.map

package/dist/src/gateway/hono/middleware/auth.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/auth.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\nimport type { GatewayAuthConfig } from '../../../config/schema.js';\nimport {\n getClientIpFromHeaders,\n isAuthRateLimitGloballyDisabled,\n resolveAuthRateLimitConfig,\n resolveAuthRateLimitTracking,\n} from '../../auth-rate-limit.js';\nimport type { ResolvedGatewayAuth } from '../../auth.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport { safeEqualSecret } from '../../security/secret-equal.js';\nimport { authorizeTrustedProxy } from '../../trusted-proxy.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Auth');\n\nexport interface AuthConfig {\n token?: string;\n /** Current gateway auth from config (for rate-limit settings); optional. /\n getGatewayAuth?: () => GatewayAuthConfig \| undefined;\n getResolvedAuth?: () => ResolvedGatewayAuth;\n getTrustedProxyContext?: () => {\n trustedProxies?: string[];\n allowRealIpFallback?: boolean;\n };\n}\n\n/\n Validate token using constant-time comparison to prevent timing attacks.\n /\nfunction validateToken(providedToken: string \| undefined, expectedToken: string): boolean {\n if (!providedToken) return false;\n return safeEqualSecret(providedToken, expectedToken);\n}\n\n/\n Extract token from Authorization header\n * Supports: \"Bearer <token>\", \"<token>\"\n /\nfunction extractTokenFromHeader(authHeader: string \| null): string \| null {\n if (!authHeader) return null;\n\n const parts = authHeader.split(' ');\n if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {\n return parts[1];\n }\n return authHeader;\n}\n\n/\n Extract token from query parameter.\n \n SECURITY: query-string tokens leak into server logs, Referer headers, and\n * browser history. We accept them only for SSE/WebSocket connections where\n * the `Authorization` header cannot be set by `EventSource`. For normal REST\n * requests prefer the `Authorization: Bearer <token>` header.\n /\nfunction extractTokenFromQuery(url: string): string \| null {\n const parsed = new URL(url);\n return parsed.searchParams.get('token');\n}\n\n/* Paths where query-string token auth is acceptable (SSE / WebSocket). /\nconst QUERY_TOKEN_ALLOWED_PATHS = new Set(['/api/events', '/api/ws']);\n\nfunction isQueryTokenAllowedPath(path: string): boolean {\n return QUERY_TOKEN_ALLOWED_PATHS.has(path) \|\| path.startsWith('/api/events');\n}\n\nfunction resolveRemoteAddress(c: Context): string \| undefined {\n try {\n return getConnInfo(c).remote.address;\n } catch {\n return undefined;\n }\n}\n\nfunction resolveMiddlewareClientIp(\n c: Context,\n trustedProxies?: string[],\n allowRealIpFallback?: boolean,\n): string {\n if (trustedProxies?.length) {\n return resolveClientIpFromRequest({\n remoteAddress: resolveRemoteAddress(c),\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n allowRealIpFallback,\n });\n }\n return getClientIpFromHeaders({\n get: (name: string) => c.req.header(name) ?? undefined,\n });\n}\n\n/\n Create auth middleware for HTTP routes\n /\nexport function auth(config?: AuthConfig) {\n const { token, getGatewayAuth, getResolvedAuth, getTrustedProxyContext } = config \|\| {};\n\n return createMiddleware(async (c, next) => {\n const resolvedAuth = getResolvedAuth?.();\n const authMode = resolvedAuth?.mode ?? (token ? 'token' : 'none');\n\n if (authMode === 'trusted-proxy') {\n const proxyContext = getTrustedProxyContext?.();\n const trustedProxies = proxyContext?.trustedProxies;\n const trustedProxyConfig = resolvedAuth?.trustedProxy;\n\n const rlInput = getGatewayAuth?.()?.rateLimit;\n const rlCfg = resolveAuthRateLimitConfig(rlInput);\n const rateLimitActive = rlCfg.enabled && !isAuthRateLimitGloballyDisabled();\n const clientIp = resolveMiddlewareClientIp(\n c,\n trustedProxies,\n proxyContext?.allowRealIpFallback,\n );\n const origin = c.req.header('origin');\n const tracking = resolveAuthRateLimitTracking({ clientIp, origin, cfg: rlCfg });\n const { limiter, key: rateLimitKey, cfg: activeRlCfg } = tracking;\n\n if (!trustedProxyConfig) {\n if (rateLimitActive) {\n limiter.recordFailure(rateLimitKey, activeRlCfg);\n }\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'trusted_proxy_config_missing' },\n 'HTTP auth rejected: trusted-proxy config missing',\n );\n return c.json({ error: 'Unauthorized', message: 'Trusted-proxy auth is not configured' }, 401);\n }\n\n const result = authorizeTrustedProxy({\n remoteAddress: resolveRemoteAddress(c),\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n trustedProxyConfig,\n });\n\n if (result.ok) {\n if (rateLimitActive) {\n limiter.recordSuccess(rateLimitKey);\n }\n await next();\n return;\n }\n\n if (result.ok === false) {\n if (rateLimitActive) {\n const blocked = limiter.checkBlocked(rateLimitKey, activeRlCfg);\n if (blocked.blocked) {\n log.warn(\n {\n clientIp,\n origin: origin ?? undefined,\n path: c.req.path,\n method: c.req.method,\n attemptCount: activeRlCfg.maxAttempts,\n windowSec: Math.round(activeRlCfg.windowMs / 1000),\n blockDurationSec: Math.round(activeRlCfg.blockDurationMs / 1000),\n retryAfterSec: blocked.retryAfterSec,\n reason: 'auth_failure_rate_limit',\n },\n `Auth rate limit blocked: ${activeRlCfg.maxAttempts} failures in ${activeRlCfg.windowMs / 1000}s, blocking for ${activeRlCfg.blockDurationMs / 1000}s`,\n );\n c.header('Retry-After', String(blocked.retryAfterSec));\n return c.json(\n {\n error: 'Too Many Requests',\n message: 'Too many authentication attempts',\n retryAfter: blocked.retryAfterSec,\n },\n 429,\n );\n }\n limiter.recordFailure(rateLimitKey, activeRlCfg);\n }\n\n log.warn(\n {\n path: c.req.path,\n method: c.req.method,\n clientIp,\n reason: result.reason,\n },\n `HTTP auth rejected: trusted-proxy validation failed (${result.reason})`,\n );\n return c.json({ error: 'Unauthorized', message: 'Trusted-proxy authentication failed' }, 401);\n }\n }\n\n if (authMode === 'none' \|\| !token) {\n return next();\n }\n\n const rlInput = getGatewayAuth?.()?.rateLimit;\n const rlCfg = resolveAuthRateLimitConfig(rlInput);\n const rateLimitActive = rlCfg.enabled && !isAuthRateLimitGloballyDisabled();\n\n const proxyContext = getTrustedProxyContext?.();\n const clientIp = resolveMiddlewareClientIp(\n c,\n proxyContext?.trustedProxies,\n proxyContext?.allowRealIpFallback,\n );\n const origin = c.req.header('origin');\n const tracking = resolveAuthRateLimitTracking({ clientIp, origin, cfg: rlCfg });\n const { limiter, key: rateLimitKey, cfg: activeRlCfg } = tracking;\n\n const authHeader = extractTokenFromHeader(c.req.header('authorization'));\n const requestPath = new URL(c.req.url).pathname;\n const queryToken = isQueryTokenAllowedPath(requestPath)\n ? extractTokenFromQuery(c.req.url)\n : null;\n\n if (!authHeader && queryToken === null && new URL(c.req.url).searchParams.has('token')) {\n log.warn(\n { path: requestPath, method: c.req.method, clientIp },\n 'Token in query string rejected: use Authorization header for this endpoint',\n );\n }\n\n const providedToken = authHeader \|\| queryToken;\n\n if (providedToken && validateToken(providedToken, token)) {\n if (rateLimitActive) {\n limiter.recordSuccess(rateLimitKey);\n }\n await next();\n return;\n }\n\n if (rateLimitActive) {\n const blocked = limiter.checkBlocked(rateLimitKey, activeRlCfg);\n if (blocked.blocked) {\n log.warn(\n {\n clientIp,\n origin: origin ?? undefined,\n path: requestPath,\n method: c.req.method,\n attemptCount: activeRlCfg.maxAttempts,\n windowSec: Math.round(activeRlCfg.windowMs / 1000),\n blockDurationSec: Math.round(activeRlCfg.blockDurationMs / 1000),\n retryAfterSec: blocked.retryAfterSec,\n reason: 'auth_failure_rate_limit',\n },\n `Auth rate limit blocked: ${activeRlCfg.maxAttempts} failures in ${activeRlCfg.windowMs / 1000}s, blocking for ${activeRlCfg.blockDurationMs / 1000}s`,\n );\n c.header('Retry-After', String(blocked.retryAfterSec));\n return c.json(\n {\n error: 'Too Many Requests',\n message: 'Too many authentication attempts',\n retryAfter: blocked.retryAfterSec,\n },\n 429,\n );\n }\n }\n\n if (!providedToken) {\n if (rateLimitActive) {\n limiter.recordFailure(rateLimitKey, activeRlCfg);\n }\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'missing_token' },\n 'HTTP auth rejected: no Bearer or ?token=',\n );\n return c.json({ error: 'Unauthorized', message: 'Missing authentication token' }, 401);\n }\n\n if (!validateToken(providedToken, token)) {\n if (rateLimitActive) {\n limiter.recordFailure(rateLimitKey, activeRlCfg);\n }\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'invalid_token' },\n 'HTTP auth rejected: token mismatch',\n );\n return c.json({ error: 'Unauthorized', message: 'Invalid authentication token' }, 401);\n }\n });\n}\n\nexport interface WebSocketAuthResult {\n valid: boolean;\n error?: string;\n}\n\n/\n Validate WebSocket connection token\n */\nexport function validateWebSocketAuth(\n url: URL,\n authHeader: string \| null,\n expectedToken?: string\n): WebSocketAuthResult {\n if (!expectedToken) {\n return { valid: true };\n }\n\n const queryToken = url.searchParams.get('token');\n const headerToken = extractTokenFromHeader(authHeader);\n\n const providedToken = queryToken \|\| headerToken;\n\n if (!providedToken) {\n log.warn(\n { path: url.pathname, reason: 'missing_token', hasHeaderToken: Boolean(headerToken) },\n 'WebSocket auth rejected: no token in query or Authorization',\n );\n return { valid: false, error: 'Missing authentication token' };\n }\n\n if (!safeEqualSecret(providedToken, expectedToken)) {\n log.warn({ path: url.pathname, reason: 'invalid_token' }, 'WebSocket auth rejected: token mismatch');\n return { valid: false, error: 'Invalid authentication token' };\n }\n\n return { valid: true };\n}\n"],"mappings":";;;;;;;;;aAcwD;AAExD,MAAM,MAAM,aAAa,YAAY;;;;AAgBrC,SAAS,cAAc,eAAmC,eAAgC;AACxF,KAAI,CAAC,cAAe,QAAO;AAC3B,QAAO,gBAAgB,eAAe,cAAc;;;;;;AAOtD,SAAS,uBAAuB,YAA0C;AACxE,KAAI,CAAC,WAAY,QAAO;CAExB,MAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,KAAI,MAAM,WAAW,KAAK,MAAM,GAAG,aAAa,KAAK,SACnD,QAAO,MAAM;AAEf,QAAO;;;;;;;;;;AAWT,SAAS,sBAAsB,KAA4B;AAEzD,QAAO,IADY,IAAI,IACV,CAAC,aAAa,IAAI,QAAQ;;;AAIzC,MAAM,4BAA4B,IAAI,IAAI,CAAC,eAAe,UAAU,CAAC;AAErE,SAAS,wBAAwB,MAAuB;AACtD,QAAO,0BAA0B,IAAI,KAAK,IAAI,KAAK,WAAW,cAAc;;AAG9E,SAAS,qBAAqB,GAAgC;AAC5D,KAAI;AACF,SAAO,YAAY,EAAE,CAAC,OAAO;SACvB;AACN;;;AAIJ,SAAS,0BACP,GACA,gBACA,qBACQ;AACR,KAAI,gBAAgB,OAClB,QAAO,2BAA2B;EAChC,eAAe,qBAAqB,EAAE;EACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;EACvC;EACA;EACD,CAAC;AAEJ,QAAO,uBAAuB,EAC5B,MAAM,SAAiB,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAC9C,CAAC;;;;;AAMJ,SAAgB,KAAK,QAAqB;CACxC,MAAM,EAAE,OAAO,gBAAgB,iBAAiB,2BAA2B,UAAU,EAAE;AAEvF,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,eAAe,mBAAmB;EACxC,MAAM,WAAW,cAAc,SAAS,QAAQ,UAAU;AAE1D,MAAI,aAAa,iBAAiB;GAChC,MAAM,eAAe,0BAA0B;GAC/C,MAAM,iBAAiB,cAAc;GACrC,MAAM,qBAAqB,cAAc;GAEzC,MAAM,UAAU,kBAAkB,EAAE;GACpC,MAAM,QAAQ,2BAA2B,QAAQ;GACjD,MAAM,kBAAkB,MAAM,WAAW,CAAC,iCAAiC;GAC3E,MAAM,WAAW,0BACf,GACA,gBACA,cAAc,oBACf;GACD,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;GAErC,MAAM,EAAE,SAAS,KAAK,cAAc,KAAK,gBADxB,6BAA6B;IAAE;IAAU;IAAQ,KAAK;IAAO,CACb;AAEjE,OAAI,CAAC,oBAAoB;AACvB,QAAI,gBACF,SAAQ,cAAc,cAAc,YAAY;AAElD,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ;KAAgC,EAC5F,mDACD;AACD,WAAO,EAAE,KAAK;KAAE,OAAO;KAAgB,SAAS;KAAwC,EAAE,IAAI;;GAGhG,MAAM,SAAS,sBAAsB;IACnC,eAAe,qBAAqB,EAAE;IACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;IACvC;IACA;IACD,CAAC;AAEF,OAAI,OAAO,IAAI;AACb,QAAI,gBACF,SAAQ,cAAc,aAAa;AAErC,UAAM,MAAM;AACZ;;AAGF,OAAI,OAAO,OAAO,OAAO;AACvB,QAAI,iBAAiB;KACnB,MAAM,UAAU,QAAQ,aAAa,cAAc,YAAY;AAC/D,SAAI,QAAQ,SAAS;AACnB,UAAI,KACF;OACE;OACA,QAAQ,UAAU,KAAA;OAClB,MAAM,EAAE,IAAI;OACZ,QAAQ,EAAE,IAAI;OACd,cAAc,YAAY;OAC1B,WAAW,KAAK,MAAM,YAAY,WAAW,IAAK;OAClD,kBAAkB,KAAK,MAAM,YAAY,kBAAkB,IAAK;OAChE,eAAe,QAAQ;OACvB,QAAQ;OACT,EACD,4BAA4B,YAAY,YAAY,eAAe,YAAY,WAAW,IAAK,kBAAkB,YAAY,kBAAkB,IAAK,GACrJ;AACD,QAAE,OAAO,eAAe,OAAO,QAAQ,cAAc,CAAC;AACtD,aAAO,EAAE,KACP;OACE,OAAO;OACP,SAAS;OACT,YAAY,QAAQ;OACrB,EACD,IACD;;AAEH,aAAQ,cAAc,cAAc,YAAY;;AAGlD,QAAI,KACF;KACE,MAAM,EAAE,IAAI;KACZ,QAAQ,EAAE,IAAI;KACd;KACA,QAAQ,OAAO;KAChB,EACD,wDAAwD,OAAO,OAAO,GACvE;AACD,WAAO,EAAE,KAAK;KAAE,OAAO;KAAgB,SAAS;KAAuC,EAAE,IAAI;;;AAIjG,MAAI,aAAa,UAAU,CAAC,MAC1B,QAAO,MAAM;EAGf,MAAM,UAAU,kBAAkB,EAAE;EACpC,MAAM,QAAQ,2BAA2B,QAAQ;EACjD,MAAM,kBAAkB,MAAM,WAAW,CAAC,iCAAiC;EAE3E,MAAM,eAAe,0BAA0B;EAC/C,MAAM,WAAW,0BACf,GACA,cAAc,gBACd,cAAc,oBACf;EACD,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;EAErC,MAAM,EAAE,SAAS,KAAK,cAAc,KAAK,gBADxB,6BAA6B;GAAE;GAAU;GAAQ,KAAK;GAAO,CACb;EAEjE,MAAM,aAAa,uBAAuB,EAAE,IAAI,OAAO,gBAAgB,CAAC;EACxE,MAAM,cAAc,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC;EACvC,MAAM,aAAa,wBAAwB,YAAY,GACnD,sBAAsB,EAAE,IAAI,IAAI,GAChC;AAEJ,MAAI,CAAC,cAAc,eAAe,QAAQ,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ,CACpF,KAAI,KACF;GAAE,MAAM;GAAa,QAAQ,EAAE,IAAI;GAAQ;GAAU,EACrD,6EACD;EAGH,MAAM,gBAAgB,cAAc;AAEpC,MAAI,iBAAiB,cAAc,eAAe,MAAM,EAAE;AACxD,OAAI,gBACF,SAAQ,cAAc,aAAa;AAErC,SAAM,MAAM;AACZ;;AAGF,MAAI,iBAAiB;GACnB,MAAM,UAAU,QAAQ,aAAa,cAAc,YAAY;AAC/D,OAAI,QAAQ,SAAS;AACnB,QAAI,KACF;KACE;KACA,QAAQ,UAAU,KAAA;KAClB,MAAM;KACN,QAAQ,EAAE,IAAI;KACd,cAAc,YAAY;KAC1B,WAAW,KAAK,MAAM,YAAY,WAAW,IAAK;KAClD,kBAAkB,KAAK,MAAM,YAAY,kBAAkB,IAAK;KAChE,eAAe,QAAQ;KACvB,QAAQ;KACT,EACD,4BAA4B,YAAY,YAAY,eAAe,YAAY,WAAW,IAAK,kBAAkB,YAAY,kBAAkB,IAAK,GACrJ;AACD,MAAE,OAAO,eAAe,OAAO,QAAQ,cAAc,CAAC;AACtD,WAAO,EAAE,KACP;KACE,OAAO;KACP,SAAS;KACT,YAAY,QAAQ;KACrB,EACD,IACD;;;AAIL,MAAI,CAAC,eAAe;AAClB,OAAI,gBACF,SAAQ,cAAc,cAAc,YAAY;AAElD,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,2CACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAgB,SAAS;IAAgC,EAAE,IAAI;;AAGxF,MAAI,CAAC,cAAc,eAAe,MAAM,EAAE;AACxC,OAAI,gBACF,SAAQ,cAAc,cAAc,YAAY;AAElD,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,qCACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAgB,SAAS;IAAgC,EAAE,IAAI;;GAExF;;;;;AAWJ,SAAgB,sBACd,KACA,YACA,eACqB;AACrB,KAAI,CAAC,cACH,QAAO,EAAE,OAAO,MAAM;CAGxB,MAAM,aAAa,IAAI,aAAa,IAAI,QAAQ;CAChD,MAAM,cAAc,uBAAuB,WAAW;CAEtD,MAAM,gBAAgB,cAAc;AAEpC,KAAI,CAAC,eAAe;AAClB,MAAI,KACF;GAAE,MAAM,IAAI;GAAU,QAAQ;GAAiB,gBAAgB,QAAQ,YAAY;GAAE,EACrF,8DACD;AACD,SAAO;GAAE,OAAO;GAAO,OAAO;GAAgC;;AAGhE,KAAI,CAAC,gBAAgB,eAAe,cAAc,EAAE;AAClD,MAAI,KAAK;GAAE,MAAM,IAAI;GAAU,QAAQ;GAAiB,EAAE,0CAA0C;AACpG,SAAO;GAAE,OAAO;GAAO,OAAO;GAAgC;;AAGhE,QAAO,EAAE,OAAO,MAAM"}
1	+ {"version":3,"file":"auth.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/auth.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\n\nimport type { GatewayAuthConfig } from '../../../config/schema.js';\nimport type { ResolvedGatewayAuth } from '../../auth.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport {\n authPolicyConfig,\n buckets,\n isAuthRateLimitGloballyDisabled,\n resolveAuthRateLimit,\n resolveAuthTracking,\n type ResolvedAuthRateLimitConfig,\n} from '../../rate-limit/index.js';\nimport { getClientIpFromHeaders } from '../../security/loopback.js';\nimport { safeEqualSecret } from '../../security/secret-equal.js';\nimport { authorizeTrustedProxy } from '../../trusted-proxy.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Auth');\n\nexport interface AuthConfig {\n token?: string;\n /** Current gateway auth from config (for rate-limit settings); optional. /\n getGatewayAuth?: () => GatewayAuthConfig \| undefined;\n getResolvedAuth?: () => ResolvedGatewayAuth;\n getTrustedProxyContext?: () => {\n trustedProxies?: string[];\n allowRealIpFallback?: boolean;\n };\n}\n\nfunction validateToken(providedToken: string \| undefined, expectedToken: string): boolean {\n if (!providedToken) return false;\n return safeEqualSecret(providedToken, expectedToken);\n}\n\nfunction extractTokenFromHeader(authHeader: string \| null): string \| null {\n if (!authHeader) return null;\n const parts = authHeader.split(' ');\n if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') return parts[1];\n return authHeader;\n}\n\n/\n SECURITY: query-string tokens leak into server logs, Referer headers, and\n * browser history. We accept them only for SSE/WebSocket connections where\n * the `Authorization` header cannot be set by `EventSource`. For normal REST\n * requests prefer the `Authorization: Bearer <token>` header.\n /\nfunction extractTokenFromQuery(url: string): string \| null {\n return new URL(url).searchParams.get('token');\n}\n\nconst QUERY_TOKEN_ALLOWED_PATHS = new Set(['/api/events', '/api/ws']);\n\nfunction isQueryTokenAllowedPath(path: string): boolean {\n return QUERY_TOKEN_ALLOWED_PATHS.has(path) \|\| path.startsWith('/api/events');\n}\n\nfunction resolveRemoteAddress(c: Context): string \| undefined {\n try {\n return getConnInfo(c).remote.address;\n } catch {\n return undefined;\n }\n}\n\nfunction resolveMiddlewareClientIp(\n c: Context,\n trustedProxies?: string[],\n allowRealIpFallback?: boolean,\n): string {\n if (trustedProxies?.length) {\n return resolveClientIpFromRequest({\n remoteAddress: resolveRemoteAddress(c),\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n allowRealIpFallback,\n });\n }\n return getClientIpFromHeaders({\n get: (name: string) => c.req.header(name) ?? undefined,\n });\n}\n\ntype RateLimitContext = {\n active: boolean;\n cfg: ResolvedAuthRateLimitConfig;\n /* `undefined` when the client is exempted (loopback, disabled, etc.). */\n trackingKey: string \| undefined;\n};\n\nfunction buildRateLimitContext(\n getGatewayAuth: AuthConfig['getGatewayAuth'],\n clientIp: string,\n origin: string \| undefined,\n): RateLimitContext {\n const cfg = resolveAuthRateLimit(getGatewayAuth?.()?.rateLimit);\n const active = cfg.enabled && !isAuthRateLimitGloballyDisabled();\n if (!active) return { active: false, cfg, trackingKey: undefined };\n const tracking = resolveAuthTracking({ clientIp, origin, cfg: authPolicyConfig(cfg) });\n return {\n active: true,\n cfg,\n trackingKey: tracking.exempt ? undefined : tracking.key,\n };\n}\n\nfunction checkBlocked(rl: RateLimitContext): { blocked: false } \| { blocked: true; retryAfterSec: number } {\n if (!rl.active \|\| rl.trackingKey === undefined) return { blocked: false };\n return buckets.authFailure(rl.cfg).check(rl.trackingKey);\n}\n\nfunction recordFailure(rl: RateLimitContext): void {\n if (!rl.active \|\| rl.trackingKey === undefined) return;\n buckets.authFailure(rl.cfg).fail(rl.trackingKey);\n}\n\nfunction recordSuccess(rl: RateLimitContext): void {\n if (!rl.active \|\| rl.trackingKey === undefined) return;\n buckets.authFailure(rl.cfg).succeed(rl.trackingKey);\n}\n\nfunction blockedResponse(c: Context, retryAfterSec: number) {\n c.header('Retry-After', String(retryAfterSec));\n return c.json(\n {\n error: 'Too Many Requests',\n code: 'auth_blocked',\n message: 'Too many authentication attempts',\n retryAfter: retryAfterSec,\n },\n 429,\n );\n}\n\nexport function auth(config?: AuthConfig) {\n const { token, getGatewayAuth, getResolvedAuth, getTrustedProxyContext } = config \|\| {};\n\n return createMiddleware(async (c, next) => {\n const resolvedAuth = getResolvedAuth?.();\n const authMode = resolvedAuth?.mode ?? (token ? 'token' : 'none');\n\n if (authMode === 'trusted-proxy') {\n const proxyContext = getTrustedProxyContext?.();\n const trustedProxies = proxyContext?.trustedProxies;\n const trustedProxyConfig = resolvedAuth?.trustedProxy;\n\n const clientIp = resolveMiddlewareClientIp(c, trustedProxies, proxyContext?.allowRealIpFallback);\n const origin = c.req.header('origin');\n const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);\n\n // Server misconfiguration — not an attack signal. Don't count.\n if (!trustedProxyConfig) {\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'trusted_proxy_config_missing' },\n 'HTTP auth rejected: trusted-proxy config missing',\n );\n return c.json(\n { error: 'Unauthorized', code: 'auth_unconfigured', message: 'Trusted-proxy auth is not configured' },\n 401,\n );\n }\n\n const blocked = checkBlocked(rl);\n if (blocked.blocked) {\n log.warn(\n { clientIp, origin: origin ?? undefined, path: c.req.path, method: c.req.method, retryAfterSec: blocked.retryAfterSec, reason: 'auth_blocked' },\n 'Auth rate limit blocked',\n );\n return blockedResponse(c, blocked.retryAfterSec);\n }\n\n const result = authorizeTrustedProxy({\n remoteAddress: resolveRemoteAddress(c),\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n trustedProxyConfig,\n });\n\n if (result.ok === false) {\n recordFailure(rl);\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: result.reason },\n `HTTP auth rejected: trusted-proxy validation failed (${result.reason})`,\n );\n return c.json(\n { error: 'Unauthorized', code: 'invalid_proxy_credentials', message: 'Trusted-proxy authentication failed' },\n 401,\n );\n }\n\n recordSuccess(rl);\n await next();\n return;\n }\n\n if (authMode === 'none' \|\| !token) {\n return next();\n }\n\n const proxyContext = getTrustedProxyContext?.();\n const clientIp = resolveMiddlewareClientIp(c, proxyContext?.trustedProxies, proxyContext?.allowRealIpFallback);\n const origin = c.req.header('origin');\n const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);\n\n const authHeader = extractTokenFromHeader(c.req.header('authorization'));\n const requestPath = new URL(c.req.url).pathname;\n const queryToken = isQueryTokenAllowedPath(requestPath) ? extractTokenFromQuery(c.req.url) : null;\n\n if (!authHeader && queryToken === null && new URL(c.req.url).searchParams.has('token')) {\n log.warn(\n { path: requestPath, method: c.req.method, clientIp },\n 'Token in query string rejected: use Authorization header for this endpoint',\n );\n }\n\n const providedToken = authHeader \|\| queryToken;\n\n if (providedToken && validateToken(providedToken, token)) {\n recordSuccess(rl);\n await next();\n return;\n }\n\n const blocked = checkBlocked(rl);\n if (blocked.blocked) {\n log.warn(\n { clientIp, origin: origin ?? undefined, path: requestPath, method: c.req.method, retryAfterSec: blocked.retryAfterSec, reason: 'auth_blocked' },\n 'Auth rate limit blocked',\n );\n return blockedResponse(c, blocked.retryAfterSec);\n }\n\n // Missing token is an unauthenticated request, not a brute-force signal —\n // page reloads / SDK cold starts often hit endpoints before the token is\n // attached. Counting this would lock users out of the token-entry path.\n if (!providedToken) {\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'missing_token' },\n 'HTTP auth rejected: no Bearer or ?token=',\n );\n return c.json(\n { error: 'Unauthorized', code: 'missing_token', message: 'Missing authentication token' },\n 401,\n );\n }\n\n recordFailure(rl);\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'invalid_token' },\n 'HTTP auth rejected: token mismatch',\n );\n return c.json(\n { error: 'Unauthorized', code: 'invalid_token', message: 'Invalid authentication token' },\n 401,\n );\n });\n}\n"],"mappings":";;;;;;;;;;;;;aAkBwD;AAExD,MAAM,MAAM,aAAa,YAAY;AAarC,SAAS,cAAc,eAAmC,eAAgC;AACxF,KAAI,CAAC,cAAe,QAAO;AAC3B,QAAO,gBAAgB,eAAe,cAAc;;AAGtD,SAAS,uBAAuB,YAA0C;AACxE,KAAI,CAAC,WAAY,QAAO;CACxB,MAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,KAAI,MAAM,WAAW,KAAK,MAAM,GAAG,aAAa,KAAK,SAAU,QAAO,MAAM;AAC5E,QAAO;;;;;;;;AAST,SAAS,sBAAsB,KAA4B;AACzD,QAAO,IAAI,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ;;AAG/C,MAAM,4BAA4B,IAAI,IAAI,CAAC,eAAe,UAAU,CAAC;AAErE,SAAS,wBAAwB,MAAuB;AACtD,QAAO,0BAA0B,IAAI,KAAK,IAAI,KAAK,WAAW,cAAc;;AAG9E,SAAS,qBAAqB,GAAgC;AAC5D,KAAI;AACF,SAAO,YAAY,EAAE,CAAC,OAAO;SACvB;AACN;;;AAIJ,SAAS,0BACP,GACA,gBACA,qBACQ;AACR,KAAI,gBAAgB,OAClB,QAAO,2BAA2B;EAChC,eAAe,qBAAqB,EAAE;EACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;EACvC;EACA;EACD,CAAC;AAEJ,QAAO,uBAAuB,EAC5B,MAAM,SAAiB,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAC9C,CAAC;;AAUJ,SAAS,sBACP,gBACA,UACA,QACkB;CAClB,MAAM,MAAM,qBAAqB,kBAAkB,EAAE,UAAU;AAE/D,KAAI,EADW,IAAI,WAAW,CAAC,iCAAiC,EACnD,QAAO;EAAE,QAAQ;EAAO;EAAK,aAAa,KAAA;EAAW;CAClE,MAAM,WAAW,oBAAoB;EAAE;EAAU;EAAQ,KAAK,iBAAiB,IAAI;EAAE,CAAC;AACtF,QAAO;EACL,QAAQ;EACR;EACA,aAAa,SAAS,SAAS,KAAA,IAAY,SAAS;EACrD;;AAGH,SAAS,aAAa,IAAqF;AACzG,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW,QAAO,EAAE,SAAS,OAAO;AACzE,QAAO,QAAQ,YAAY,GAAG,IAAI,CAAC,MAAM,GAAG,YAAY;;AAG1D,SAAS,cAAc,IAA4B;AACjD,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW;AAChD,SAAQ,YAAY,GAAG,IAAI,CAAC,KAAK,GAAG,YAAY;;AAGlD,SAAS,cAAc,IAA4B;AACjD,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW;AAChD,SAAQ,YAAY,GAAG,IAAI,CAAC,QAAQ,GAAG,YAAY;;AAGrD,SAAS,gBAAgB,GAAY,eAAuB;AAC1D,GAAE,OAAO,eAAe,OAAO,cAAc,CAAC;AAC9C,QAAO,EAAE,KACP;EACE,OAAO;EACP,MAAM;EACN,SAAS;EACT,YAAY;EACb,EACD,IACD;;AAGH,SAAgB,KAAK,QAAqB;CACxC,MAAM,EAAE,OAAO,gBAAgB,iBAAiB,2BAA2B,UAAU,EAAE;AAEvF,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,eAAe,mBAAmB;EACxC,MAAM,WAAW,cAAc,SAAS,QAAQ,UAAU;AAE1D,MAAI,aAAa,iBAAiB;GAChC,MAAM,eAAe,0BAA0B;GAC/C,MAAM,iBAAiB,cAAc;GACrC,MAAM,qBAAqB,cAAc;GAEzC,MAAM,WAAW,0BAA0B,GAAG,gBAAgB,cAAc,oBAAoB;GAChG,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;GACrC,MAAM,KAAK,sBAAsB,gBAAgB,UAAU,OAAO;AAGlE,OAAI,CAAC,oBAAoB;AACvB,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ;KAAgC,EAC5F,mDACD;AACD,WAAO,EAAE,KACP;KAAE,OAAO;KAAgB,MAAM;KAAqB,SAAS;KAAwC,EACrG,IACD;;GAGH,MAAM,UAAU,aAAa,GAAG;AAChC,OAAI,QAAQ,SAAS;AACnB,QAAI,KACF;KAAE;KAAU,QAAQ,UAAU,KAAA;KAAW,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ,eAAe,QAAQ;KAAe,QAAQ;KAAgB,EAC/I,0BACD;AACD,WAAO,gBAAgB,GAAG,QAAQ,cAAc;;GAGlD,MAAM,SAAS,sBAAsB;IACnC,eAAe,qBAAqB,EAAE;IACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;IACvC;IACA;IACD,CAAC;AAEF,OAAI,OAAO,OAAO,OAAO;AACvB,kBAAc,GAAG;AACjB,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ,OAAO;KAAQ,EAC3E,wDAAwD,OAAO,OAAO,GACvE;AACD,WAAO,EAAE,KACP;KAAE,OAAO;KAAgB,MAAM;KAA6B,SAAS;KAAuC,EAC5G,IACD;;AAGH,iBAAc,GAAG;AACjB,SAAM,MAAM;AACZ;;AAGF,MAAI,aAAa,UAAU,CAAC,MAC1B,QAAO,MAAM;EAGf,MAAM,eAAe,0BAA0B;EAC/C,MAAM,WAAW,0BAA0B,GAAG,cAAc,gBAAgB,cAAc,oBAAoB;EAC9G,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;EACrC,MAAM,KAAK,sBAAsB,gBAAgB,UAAU,OAAO;EAElE,MAAM,aAAa,uBAAuB,EAAE,IAAI,OAAO,gBAAgB,CAAC;EACxE,MAAM,cAAc,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC;EACvC,MAAM,aAAa,wBAAwB,YAAY,GAAG,sBAAsB,EAAE,IAAI,IAAI,GAAG;AAE7F,MAAI,CAAC,cAAc,eAAe,QAAQ,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ,CACpF,KAAI,KACF;GAAE,MAAM;GAAa,QAAQ,EAAE,IAAI;GAAQ;GAAU,EACrD,6EACD;EAGH,MAAM,gBAAgB,cAAc;AAEpC,MAAI,iBAAiB,cAAc,eAAe,MAAM,EAAE;AACxD,iBAAc,GAAG;AACjB,SAAM,MAAM;AACZ;;EAGF,MAAM,UAAU,aAAa,GAAG;AAChC,MAAI,QAAQ,SAAS;AACnB,OAAI,KACF;IAAE;IAAU,QAAQ,UAAU,KAAA;IAAW,MAAM;IAAa,QAAQ,EAAE,IAAI;IAAQ,eAAe,QAAQ;IAAe,QAAQ;IAAgB,EAChJ,0BACD;AACD,UAAO,gBAAgB,GAAG,QAAQ,cAAc;;AAMlD,MAAI,CAAC,eAAe;AAClB,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,2CACD;AACD,UAAO,EAAE,KACP;IAAE,OAAO;IAAgB,MAAM;IAAiB,SAAS;IAAgC,EACzF,IACD;;AAGH,gBAAc,GAAG;AACjB,MAAI,KACF;GAAE,MAAM,EAAE,IAAI;GAAM,QAAQ,EAAE,IAAI;GAAQ;GAAU,QAAQ;GAAiB,EAC7E,qCACD;AACD,SAAO,EAAE,KACP;GAAE,OAAO;GAAgB,MAAM;GAAiB,SAAS;GAAgC,EACzF,IACD;GACD"}

package/dist/src/gateway/hono/middleware/logger.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import { createLogger } from "../../../utils/logger/index.js";
 import { init_logger } from "../../../utils/logger.js";
-import { getClientIpFromHeaders } from "../../auth-rate-limit.js";
 import { resolveClientIpFromRequest } from "../../client-ip.js";
+import { getClientIpFromHeaders } from "../../security/loopback.js";
 import { createMiddleware } from "hono/factory";
 import { getConnInfo } from "@hono/node-server/conninfo";
 //#region src/gateway/hono/middleware/logger.ts

package/dist/src/gateway/hono/middleware/logger.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"logger.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/logger.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\n\nimport { getClientIpFromHeaders } from '../../~~auth-rate-limit~~.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Request');\n\nexport interface LoggerMiddlewareConfig {\n trustedProxies?: string[];\n allowRealIpFallback?: boolean;\n}\n\nfunction resolveRemoteAddress(c: Context): string \| undefined {\n try {\n return getConnInfo(c).remote.address;\n } catch {\n return undefined;\n }\n}\n\nfunction resolveRequestClientIp(c: Context, config?: LoggerMiddlewareConfig): string {\n const trustedProxies = config?.trustedProxies;\n if (trustedProxies?.length) {\n return resolveClientIpFromRequest({\n remoteAddress: resolveRemoteAddress(c),\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n allowRealIpFallback: config?.allowRealIpFallback,\n });\n }\n return getClientIpFromHeaders({\n get: (name) => c.req.header(name) ?? undefined,\n });\n}\n\nexport function logger(config?: LoggerMiddlewareConfig) {\n return createMiddleware(async (c, next) => {\n const start = Date.now();\n\n const clientIp = resolveRequestClientIp(c, config);\n const userAgent = c.req.header('user-agent') ?? undefined;\n const contentLength = c.req.header('content-length');\n const referer = c.req.header('referer') ?? undefined;\n\n await next();\n\n const duration = Date.now() - start;\n const status = c.res.status;\n const isServerError = status >= 500;\n const isClientError = status >= 400 && status < 500;\n const isSlow = duration > 1000;\n\n const logData = {\n method: c.req.method,\n path: c.req.path,\n status,\n durationMs: duration,\n clientIp,\n ...(userAgent ? { userAgent } : {}),\n ...(contentLength ? { contentLength: Number(contentLength) } : {}),\n ...(referer ? { referer } : {}),\n };\n\n const msg = `HTTP ${c.req.method} ${c.req.path} → ${status} (${duration}ms)`;\n\n if (isServerError \|\| isSlow) {\n log.warn(logData, msg);\n } else if (isClientError) {\n // 4xx: info avoids doubling warn noise from auth / rate-limit handlers\n log.info(logData, msg);\n } else {\n log.debug(logData, msg);\n }\n });\n}\n"],"mappings":";;;;;;;aAMwD;AAExD,MAAM,MAAM,aAAa,eAAe;AAOxC,SAAS,qBAAqB,GAAgC;AAC5D,KAAI;AACF,SAAO,YAAY,EAAE,CAAC,OAAO;SACvB;AACN;;;AAIJ,SAAS,uBAAuB,GAAY,QAAyC;CACnF,MAAM,iBAAiB,QAAQ;AAC/B,KAAI,gBAAgB,OAClB,QAAO,2BAA2B;EAChC,eAAe,qBAAqB,EAAE;EACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;EACvC;EACA,qBAAqB,QAAQ;EAC9B,CAAC;AAEJ,QAAO,uBAAuB,EAC5B,MAAM,SAAS,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GACtC,CAAC;;AAGJ,SAAgB,OAAO,QAAiC;AACtD,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,QAAQ,KAAK,KAAK;EAExB,MAAM,WAAW,uBAAuB,GAAG,OAAO;EAClD,MAAM,YAAY,EAAE,IAAI,OAAO,aAAa,IAAI,KAAA;EAChD,MAAM,gBAAgB,EAAE,IAAI,OAAO,iBAAiB;EACpD,MAAM,UAAU,EAAE,IAAI,OAAO,UAAU,IAAI,KAAA;AAE3C,QAAM,MAAM;EAEZ,MAAM,WAAW,KAAK,KAAK,GAAG;EAC9B,MAAM,SAAS,EAAE,IAAI;EACrB,MAAM,gBAAgB,UAAU;EAChC,MAAM,gBAAgB,UAAU,OAAO,SAAS;EAChD,MAAM,SAAS,WAAW;EAE1B,MAAM,UAAU;GACd,QAAQ,EAAE,IAAI;GACd,MAAM,EAAE,IAAI;GACZ;GACA,YAAY;GACZ;GACA,GAAI,YAAY,EAAE,WAAW,GAAG,EAAE;GAClC,GAAI,gBAAgB,EAAE,eAAe,OAAO,cAAc,EAAE,GAAG,EAAE;GACjE,GAAI,UAAU,EAAE,SAAS,GAAG,EAAE;GAC/B;EAED,MAAM,MAAM,QAAQ,EAAE,IAAI,OAAO,GAAG,EAAE,IAAI,KAAK,KAAK,OAAO,IAAI,SAAS;AAExE,MAAI,iBAAiB,OACnB,KAAI,KAAK,SAAS,IAAI;WACb,cAET,KAAI,KAAK,SAAS,IAAI;MAEtB,KAAI,MAAM,SAAS,IAAI;GAEzB"}
1	+ {"version":3,"file":"logger.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/logger.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\n\nimport { getClientIpFromHeaders } from '../../security/loopback.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Request');\n\nexport interface LoggerMiddlewareConfig {\n trustedProxies?: string[];\n allowRealIpFallback?: boolean;\n}\n\nfunction resolveRemoteAddress(c: Context): string \| undefined {\n try {\n return getConnInfo(c).remote.address;\n } catch {\n return undefined;\n }\n}\n\nfunction resolveRequestClientIp(c: Context, config?: LoggerMiddlewareConfig): string {\n const trustedProxies = config?.trustedProxies;\n if (trustedProxies?.length) {\n return resolveClientIpFromRequest({\n remoteAddress: resolveRemoteAddress(c),\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n allowRealIpFallback: config?.allowRealIpFallback,\n });\n }\n return getClientIpFromHeaders({\n get: (name) => c.req.header(name) ?? undefined,\n });\n}\n\nexport function logger(config?: LoggerMiddlewareConfig) {\n return createMiddleware(async (c, next) => {\n const start = Date.now();\n\n const clientIp = resolveRequestClientIp(c, config);\n const userAgent = c.req.header('user-agent') ?? undefined;\n const contentLength = c.req.header('content-length');\n const referer = c.req.header('referer') ?? undefined;\n\n await next();\n\n const duration = Date.now() - start;\n const status = c.res.status;\n const isServerError = status >= 500;\n const isClientError = status >= 400 && status < 500;\n const isSlow = duration > 1000;\n\n const logData = {\n method: c.req.method,\n path: c.req.path,\n status,\n durationMs: duration,\n clientIp,\n ...(userAgent ? { userAgent } : {}),\n ...(contentLength ? { contentLength: Number(contentLength) } : {}),\n ...(referer ? { referer } : {}),\n };\n\n const msg = `HTTP ${c.req.method} ${c.req.path} → ${status} (${duration}ms)`;\n\n if (isServerError \|\| isSlow) {\n log.warn(logData, msg);\n } else if (isClientError) {\n // 4xx: info avoids doubling warn noise from auth / rate-limit handlers\n log.info(logData, msg);\n } else {\n log.debug(logData, msg);\n }\n });\n}\n"],"mappings":";;;;;;;aAMwD;AAExD,MAAM,MAAM,aAAa,eAAe;AAOxC,SAAS,qBAAqB,GAAgC;AAC5D,KAAI;AACF,SAAO,YAAY,EAAE,CAAC,OAAO;SACvB;AACN;;;AAIJ,SAAS,uBAAuB,GAAY,QAAyC;CACnF,MAAM,iBAAiB,QAAQ;AAC/B,KAAI,gBAAgB,OAClB,QAAO,2BAA2B;EAChC,eAAe,qBAAqB,EAAE;EACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;EACvC;EACA,qBAAqB,QAAQ;EAC9B,CAAC;AAEJ,QAAO,uBAAuB,EAC5B,MAAM,SAAS,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GACtC,CAAC;;AAGJ,SAAgB,OAAO,QAAiC;AACtD,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,QAAQ,KAAK,KAAK;EAExB,MAAM,WAAW,uBAAuB,GAAG,OAAO;EAClD,MAAM,YAAY,EAAE,IAAI,OAAO,aAAa,IAAI,KAAA;EAChD,MAAM,gBAAgB,EAAE,IAAI,OAAO,iBAAiB;EACpD,MAAM,UAAU,EAAE,IAAI,OAAO,UAAU,IAAI,KAAA;AAE3C,QAAM,MAAM;EAEZ,MAAM,WAAW,KAAK,KAAK,GAAG;EAC9B,MAAM,SAAS,EAAE,IAAI;EACrB,MAAM,gBAAgB,UAAU;EAChC,MAAM,gBAAgB,UAAU,OAAO,SAAS;EAChD,MAAM,SAAS,WAAW;EAE1B,MAAM,UAAU;GACd,QAAQ,EAAE,IAAI;GACd,MAAM,EAAE,IAAI;GACZ;GACA,YAAY;GACZ;GACA,GAAI,YAAY,EAAE,WAAW,GAAG,EAAE;GAClC,GAAI,gBAAgB,EAAE,eAAe,OAAO,cAAc,EAAE,GAAG,EAAE;GACjE,GAAI,UAAU,EAAE,SAAS,GAAG,EAAE;GAC/B;EAED,MAAM,MAAM,QAAQ,EAAE,IAAI,OAAO,GAAG,EAAE,IAAI,KAAK,KAAK,OAAO,IAAI,SAAS;AAExE,MAAI,iBAAiB,OACnB,KAAI,KAAK,SAAS,IAAI;WACb,cAET,KAAI,KAAK,SAAS,IAAI;MAEtB,KAAI,MAAM,SAAS,IAAI;GAEzB"}

package/dist/src/gateway/hono/middleware/strict-rate-limit.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Per-client request-rate gate for sensitive admin/mutation endpoints.
+ * Backed by `buckets.strictApi()` — see {@link ../../rate-limit/buckets.ts}.
+ */
+export type StrictRateLimitDeps = {
+    getTrustedProxyContext: () => {
+        trustedProxies?: string[];
+        allowRealIpFallback?: boolean;
+    };
+};
+export declare function createStrictRateLimitMiddleware(deps: StrictRateLimitDeps): import("hono/dist/types/types.js").MiddlewareHandler<any, string, {}, Response & import("hono/dist/types/types.js").TypedResponse<{
+    error: string;
+    code: string;
+}, 429, "json">>;

package/dist/src/gateway/hono/middleware/strict-rate-limit.js ADDED Viewed

@@ -0,0 +1,62 @@
+import { createLogger } from "../../../utils/logger/index.js";
+import { init_logger } from "../../../utils/logger.js";
+import { resolveClientIpFromRequest } from "../../client-ip.js";
+import { buckets } from "../../rate-limit/buckets.js";
+import { getClientIpFromHeaders } from "../../security/loopback.js";
+import "../../rate-limit/index.js";
+import { createMiddleware } from "hono/factory";
+import { getConnInfo } from "@hono/node-server/conninfo";
+//#region src/gateway/hono/middleware/strict-rate-limit.ts
+/**
+* Per-client request-rate gate for sensitive admin/mutation endpoints.
+* Backed by `buckets.strictApi()` — see {@link ../../rate-limit/buckets.ts}.
+*/
+init_logger();
+const log = createLogger("Hono:StrictRateLimit");
+function resolveClientIp(c, deps) {
+	const { trustedProxies, allowRealIpFallback } = deps.getTrustedProxyContext();
+	if (trustedProxies?.length) {
+		let remoteAddress;
+		try {
+			remoteAddress = getConnInfo(c).remote.address;
+		} catch {
+			remoteAddress = void 0;
+		}
+		return resolveClientIpFromRequest({
+			remoteAddress,
+			getHeader: (name) => c.req.header(name),
+			trustedProxies,
+			allowRealIpFallback
+		});
+	}
+	return getClientIpFromHeaders({ get: (name) => c.req.header(name) ?? void 0 });
+}
+function createStrictRateLimitMiddleware(deps) {
+	return createMiddleware(async (c, next) => {
+		const limiter = buckets.strictApi();
+		const clientIp = resolveClientIp(c, deps);
+		const result = limiter.consume(clientIp);
+		if (!result.allowed) {
+			const retryAfterSec = Math.ceil(result.retryAfterMs / 1e3);
+			log.warn({
+				clientIp,
+				path: c.req.path,
+				method: c.req.method,
+				retryAfterSec,
+				reason: "strict_rate_limit_exceeded"
+			}, "Strict API rate limit exceeded");
+			c.header("Retry-After", String(retryAfterSec));
+			c.header("X-RateLimit-Remaining", "0");
+			return c.json({
+				error: "Too many requests",
+				code: "rate_limited"
+			}, 429);
+		}
+		c.header("X-RateLimit-Remaining", String(result.remaining));
+		await next();
+	});
+}
+//#endregion
+export { createStrictRateLimitMiddleware };
+//# sourceMappingURL=strict-rate-limit.js.map

package/dist/src/gateway/hono/middleware/strict-rate-limit.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"strict-rate-limit.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/strict-rate-limit.ts"],"sourcesContent":["/**\n * Per-client request-rate gate for sensitive admin/mutation endpoints.\n * Backed by `buckets.strictApi()` — see {@link ../../rate-limit/buckets.ts}.\n */\n\nimport { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\n\nimport { buckets } from '../../rate-limit/index.js';\nimport { getClientIpFromHeaders } from '../../security/loopback.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:StrictRateLimit');\n\nexport type StrictRateLimitDeps = {\n getTrustedProxyContext: () => {\n trustedProxies?: string[];\n allowRealIpFallback?: boolean;\n };\n};\n\nfunction resolveClientIp(c: Context, deps: StrictRateLimitDeps): string {\n const { trustedProxies, allowRealIpFallback } = deps.getTrustedProxyContext();\n if (trustedProxies?.length) {\n let remoteAddress: string | undefined;\n try {\n remoteAddress = getConnInfo(c).remote.address;\n } catch {\n remoteAddress = undefined;\n }\n return resolveClientIpFromRequest({\n remoteAddress,\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n allowRealIpFallback,\n });\n }\n return getClientIpFromHeaders({ get: (name) => c.req.header(name) ?? undefined });\n}\n\nexport function createStrictRateLimitMiddleware(deps: StrictRateLimitDeps) {\n return createMiddleware(async (c, next) => {\n const limiter = buckets.strictApi();\n const clientIp = resolveClientIp(c, deps);\n const result = limiter.consume(clientIp);\n\n if (!result.allowed) {\n const retryAfterSec = Math.ceil(result.retryAfterMs / 1000);\n log.warn(\n {\n clientIp,\n path: c.req.path,\n method: c.req.method,\n retryAfterSec,\n reason: 'strict_rate_limit_exceeded',\n },\n 'Strict API rate limit exceeded',\n );\n c.header('Retry-After', String(retryAfterSec));\n c.header('X-RateLimit-Remaining', '0');\n return c.json({ error: 'Too many requests', code: 'rate_limited' }, 429);\n }\n\n c.header('X-RateLimit-Remaining', String(result.remaining));\n await next();\n });\n}\n"],"mappings":";;;;;;;;;;;;;aAYwD;AAExD,MAAM,MAAM,aAAa,uBAAuB;AAShD,SAAS,gBAAgB,GAAY,MAAmC;CACtE,MAAM,EAAE,gBAAgB,wBAAwB,KAAK,wBAAwB;AAC7E,KAAI,gBAAgB,QAAQ;EAC1B,IAAI;AACJ,MAAI;AACF,mBAAgB,YAAY,EAAE,CAAC,OAAO;UAChC;AACN,mBAAgB,KAAA;;AAElB,SAAO,2BAA2B;GAChC;GACA,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;GACvC;GACA;GACD,CAAC;;AAEJ,QAAO,uBAAuB,EAAE,MAAM,SAAS,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAAW,CAAC;;AAGnF,SAAgB,gCAAgC,MAA2B;AACzE,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,UAAU,QAAQ,WAAW;EACnC,MAAM,WAAW,gBAAgB,GAAG,KAAK;EACzC,MAAM,SAAS,QAAQ,QAAQ,SAAS;AAExC,MAAI,CAAC,OAAO,SAAS;GACnB,MAAM,gBAAgB,KAAK,KAAK,OAAO,eAAe,IAAK;AAC3D,OAAI,KACF;IACE;IACA,MAAM,EAAE,IAAI;IACZ,QAAQ,EAAE,IAAI;IACd;IACA,QAAQ;IACT,EACD,iCACD;AACD,KAAE,OAAO,eAAe,OAAO,cAAc,CAAC;AAC9C,KAAE,OAAO,yBAAyB,IAAI;AACtC,UAAO,EAAE,KAAK;IAAE,OAAO;IAAqB,MAAM;IAAgB,EAAE,IAAI;;AAG1E,IAAE,OAAO,yBAAyB,OAAO,OAAO,UAAU,CAAC;AAC3D,QAAM,MAAM;GACZ"}

package/dist/src/gateway/hono/oauth.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { CredentialResolver, init_credentials } from "../../auth/credentials.js";
-import { init_providers, isProviderConfigured } from "../../providers/index.js";
 import { anthropicOAuthProvider } from "../../auth/oauth/anthropic.js";
+import { init_providers, isProviderConfigured } from "../../providers/index.js";
 import { minimaxOAuthProvider } from "../../auth/oauth/minimax.js";
 import { minimaxCnOAuthProvider } from "../../auth/oauth/minimax-cn.js";
 import { kimiCodingOAuthProvider } from "../../auth/oauth/kimi-coding.js";

package/dist/src/gateway/hono/routes/auth-registry-extensions.js CHANGED Viewed

@@ -7,8 +7,8 @@ import { createOAuthHandler } from "../oauth.js";
 import { createOAuthAsyncHandler } from "../oauth-async.js";
 import { extensionAssetMimeType } from "../lib/extension-assets.js";
 import { loadExtensionStore, saveExtensionStore } from "../lib/extension-store.js";
-import { relative, resolve } from "node:path";
 import { existsSync, readFileSync, statSync } from "node:fs";
+import { relative, resolve } from "node:path";
 //#region src/gateway/hono/routes/auth-registry-extensions.ts
 init_providers();
 const EXTENSION_ASSET_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'none'; frame-ancestors 'self'; frame-src 'none'; base-uri 'none'; object-src 'none'; form-action 'none'";
@@ -312,7 +312,7 @@ function registerAuthRegistryExtensionsRoutes(authenticated, deps) {
 			}, 400);
 		}
 		try {
-			const payload = await service.fetchExtensionMarketplacePackageDetail(pkgName);
+			const payload = await service.marketplace.fetchExtensionPackageDetail(pkgName);
 			return c.json({
 				ok: true,
 				payload
@@ -342,7 +342,7 @@ function registerAuthRegistryExtensionsRoutes(authenticated, deps) {
 			error: "Expected { name: string, version?: string, overwrite?: boolean }"
 		}, 400);
 		try {
-			const payload = await service.installExtensionFromMarketplace({
+			const payload = await service.marketplace.installExtension({
 				name,
 				version,
 				overwrite
@@ -374,7 +374,7 @@ function registerAuthRegistryExtensionsRoutes(authenticated, deps) {
 			error: "Expected { extensionId: string }"
 		}, 400);
 		try {
-			const payload = await service.uninstallUserExtension(extensionId);
+			const payload = await service.marketplace.uninstallExtension(extensionId);
 			return c.json({
 				ok: true,
 				payload