@zimic/interceptor 0.17.0-canary.1 → 0.17.0-canary.3

package/dist/{chunk-3SKHNQLL.mjs → chunk-L75WKVZO.mjs}

@@ -2,8 +2,14 @@ import { __name } from './chunk-CGILA3WO.mjs';
 import { HTTP_METHODS, HttpHeaders, HttpSearchParams, HttpFormData, HTTP_METHODS_WITH_RESPONSE_BODY } from '@zimic/http';
 import { normalizeNodeRequest, sendNodeResponse } from '@whatwg-node/server';
 import { createServer } from 'http';
-import color2 from 'picocolors';
+import color3 from 'picocolors';
 import ClientSocket from 'isomorphic-ws';
+import crypto from 'crypto';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import util from 'util';
+import { z } from 'zod';
 
 // src/server/errors/RunningInterceptorServerError.ts
 var RunningInterceptorServerError = class extends Error {
@@ -112,6 +118,19 @@ function methodCanHaveResponseBody(method) {
 }
 __name(methodCanHaveResponseBody, "methodCanHaveResponseBody");
 
+// src/webSocket/errors/UnauthorizedWebSocketConnectionError.ts
+var UnauthorizedWebSocketConnectionError = class extends Error {
+  constructor(event) {
+    super(`${event.reason} (code ${event.code})`);
+    this.event = event;
+    this.name = "UnauthorizedWebSocketConnectionError";
+  }
+  static {
+    __name(this, "UnauthorizedWebSocketConnectionError");
+  }
+};
+var UnauthorizedWebSocketConnectionError_default = UnauthorizedWebSocketConnectionError;
+
 // src/utils/webSocket.ts
 var WebSocketTimeoutError = class extends Error {
   static {
@@ -157,29 +176,58 @@ var WebSocketCloseTimeoutError = class extends WebSocketTimeoutError {
 var DEFAULT_WEB_SOCKET_LIFECYCLE_TIMEOUT = 60 * 1e3;
 var DEFAULT_WEB_SOCKET_MESSAGE_TIMEOUT = 3 * 60 * 1e3;
 async function waitForOpenClientSocket(socket, options = {}) {
-  const { timeout: timeoutDuration = DEFAULT_WEB_SOCKET_LIFECYCLE_TIMEOUT } = options;
+  const { timeout: timeoutDuration = DEFAULT_WEB_SOCKET_LIFECYCLE_TIMEOUT, waitForAuthentication = false } = options;
   const isAlreadyOpen = socket.readyState === socket.OPEN;
   if (isAlreadyOpen) {
     return;
   }
   await new Promise((resolve, reject) => {
-    function handleOpenError(error) {
+    function removeAllSocketListeners() {
+      socket.removeEventListener("message", handleSocketMessage);
       socket.removeEventListener("open", handleOpenSuccess);
+      socket.removeEventListener("error", handleOpenError);
+      socket.removeEventListener("close", handleClose);
+    }
+    __name(removeAllSocketListeners, "removeAllSocketListeners");
+    function handleOpenError(error) {
+      removeAllSocketListeners();
       reject(error);
     }
     __name(handleOpenError, "handleOpenError");
+    function handleClose(event) {
+      const isUnauthorized = event.code === 1008;
+      if (isUnauthorized) {
+        const unauthorizedError = new UnauthorizedWebSocketConnectionError_default(event);
+        handleOpenError(unauthorizedError);
+      } else {
+        handleOpenError(event);
+      }
+    }
+    __name(handleClose, "handleClose");
     const openTimeout = setTimeout(() => {
       const timeoutError = new WebSocketOpenTimeoutError(timeoutDuration);
       handleOpenError(timeoutError);
     }, timeoutDuration);
     function handleOpenSuccess() {
-      socket.removeEventListener("error", handleOpenError);
+      removeAllSocketListeners();
       clearTimeout(openTimeout);
       resolve();
     }
     __name(handleOpenSuccess, "handleOpenSuccess");
-    socket.addEventListener("open", handleOpenSuccess);
+    function handleSocketMessage(message) {
+      const hasValidAuth = message.data === "socket:auth:valid";
+      if (hasValidAuth) {
+        handleOpenSuccess();
+      }
+    }
+    __name(handleSocketMessage, "handleSocketMessage");
+    if (waitForAuthentication) {
+      socket.addEventListener("message", handleSocketMessage);
+    } else {
+      socket.addEventListener("open", handleOpenSuccess);
+    }
     socket.addEventListener("error", handleOpenError);
+    socket.addEventListener("close", handleClose);
   });
 }
 __name(waitForOpenClientSocket, "waitForOpenClientSocket");
@@ -190,23 +238,28 @@ async function closeClientSocket(socket, options = {}) {
     return;
   }
   await new Promise((resolve, reject) => {
-    function handleCloseError(error) {
-      socket.removeEventListener("close", handleCloseSuccess);
+    function removeAllSocketListeners() {
+      socket.removeEventListener("error", handleError);
+      socket.removeEventListener("close", handleClose);
+    }
+    __name(removeAllSocketListeners, "removeAllSocketListeners");
+    function handleError(error) {
+      removeAllSocketListeners();
       reject(error);
     }
-    __name(handleCloseError, "handleCloseError");
+    __name(handleError, "handleError");
     const closeTimeout = setTimeout(() => {
       const timeoutError = new WebSocketCloseTimeoutError(timeoutDuration);
-      handleCloseError(timeoutError);
+      handleError(timeoutError);
     }, timeoutDuration);
-    function handleCloseSuccess() {
-      socket.removeEventListener("error", handleCloseError);
+    function handleClose() {
+      removeAllSocketListeners();
       clearTimeout(closeTimeout);
       resolve();
     }
-    __name(handleCloseSuccess, "handleCloseSuccess");
-    socket.addEventListener("error", handleCloseError);
-    socket.addEventListener("close", handleCloseSuccess);
+    __name(handleClose, "handleClose");
+    socket.addEventListener("error", handleError);
+    socket.addEventListener("close", handleClose);
     socket.close();
   });
 }
@@ -295,6 +348,12 @@ function removeArrayElement(array, element) {
 }
 __name(removeArrayElement, "removeArrayElement");
 
+// src/utils/environment.ts
+function isClientSide() {
+  return typeof window !== "undefined" && typeof document !== "undefined";
+}
+__name(isClientSide, "isClientSide");
+
 // ../zimic-utils/dist/import/createCachedDynamicImport.mjs
 function createCachedDynamicImport(importModuleDynamically) {
   let cachedImportResult;
@@ -307,11 +366,87 @@ __name(createCachedDynamicImport, "createCachedDynamicImport");
 __name2(createCachedDynamicImport, "createCachedDynamicImport");
 var createCachedDynamicImport_default = createCachedDynamicImport;
 
-// src/utils/environment.ts
-function isClientSide() {
-  return typeof window !== "undefined" && typeof document !== "undefined";
-}
-__name(isClientSide, "isClientSide");
+// ../zimic-utils/dist/logging/Logger.mjs
+var Logger = class _Logger {
+  static {
+    __name(this, "_Logger");
+  }
+  static {
+    __name2(this, "Logger");
+  }
+  prefix;
+  raw;
+  constructor(options = {}) {
+    const { prefix } = options;
+    this.prefix = prefix;
+    this.raw = prefix ? new _Logger({ ...options, prefix: void 0 }) : this;
+  }
+  logWithLevel(level, ...messages) {
+    if (this.prefix) {
+      console[level](this.prefix, ...messages);
+    } else {
+      console[level](...messages);
+    }
+  }
+  info(...messages) {
+    this.logWithLevel("log", ...messages);
+  }
+  warn(...messages) {
+    this.logWithLevel("warn", ...messages);
+  }
+  error(...messages) {
+    this.logWithLevel("error", ...messages);
+  }
+  table(headers, rows) {
+    const columnLengths = headers.map((header) => {
+      let maxValueLength = header.title.length;
+      for (const row of rows) {
+        const value = row[header.property];
+        if (value.length > maxValueLength) {
+          maxValueLength = value.length;
+        }
+      }
+      return maxValueLength;
+    });
+    const formattedRows = [];
+    const horizontalLine = columnLengths.map((length) => "\u2500".repeat(length));
+    formattedRows.push(horizontalLine, []);
+    for (let headerIndex = 0; headerIndex < headers.length; headerIndex++) {
+      const header = headers[headerIndex];
+      const columnLength = columnLengths[headerIndex];
+      const value = header.title;
+      formattedRows.at(-1)?.push(value.padEnd(columnLength, " "));
+    }
+    formattedRows.push(horizontalLine);
+    for (const row of rows) {
+      formattedRows.push([]);
+      for (let headerIndex = 0; headerIndex < headers.length; headerIndex++) {
+        const header = headers[headerIndex];
+        const columnLength = columnLengths[headerIndex];
+        const value = row[header.property];
+        formattedRows.at(-1)?.push(value.padEnd(columnLength, " "));
+      }
+    }
+    formattedRows.push(horizontalLine);
+    const formattedTable = formattedRows.map((row, index) => {
+      const isFirstLine = index === 0;
+      if (isFirstLine) {
+        return `\u250C\u2500${row.join("\u2500\u252C\u2500")}\u2500\u2510`;
+      }
+      const isLineAfterHeaders = index === 2;
+      if (isLineAfterHeaders) {
+        return `\u251C\u2500${row.join("\u2500\u253C\u2500")}\u2500\u2524`;
+      }
+      const isLastLine = index === formattedRows.length - 1;
+      if (isLastLine) {
+        return `\u2514\u2500${row.join("\u2500\u2534\u2500")}\u2500\u2518`;
+      }
+      return `\u2502 ${row.join(" \u2502 ")} \u2502`;
+    }).join("\n");
+    this.logWithLevel("log", formattedTable);
+  }
+};
+var Logger_default = Logger;
 
 // src/utils/files.ts
 var importFile = createCachedDynamicImport_default(
@@ -320,16 +455,30 @@ var importFile = createCachedDynamicImport_default(
   // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
   async () => globalThis.File ?? (await import('buffer')).File
 );
+var importFilesystem = createCachedDynamicImport_default(() => import('fs'));
+async function pathExists(path2) {
+  const fs2 = await importFilesystem();
+  try {
+    await fs2.promises.access(path2);
+    return true;
+  } catch {
+    return false;
+  }
+}
+__name(pathExists, "pathExists");
 
-// src/utils/console.ts
+// src/utils/logging.ts
+var logger = new Logger_default({
+  prefix: color3.cyan("[@zimic/interceptor]")
+});
 var importUtil = createCachedDynamicImport_default(() => import('util'));
 async function formatValueToLog(value, options = {}) {
   if (isClientSide()) {
     return value;
   }
   const { colors = true } = options;
-  const util = await importUtil();
-  return util.inspect(value, {
+  const util2 = await importUtil();
+  return util2.inspect(value, {
     colors,
     compact: true,
     depth: Infinity,
@@ -340,12 +489,6 @@ async function formatValueToLog(value, options = {}) {
   });
 }
 __name(formatValueToLog, "formatValueToLog");
-function logWithPrefix(messageOrMessages, options = {}) {
-  const { method = "log" } = options;
-  const messages = Array.isArray(messageOrMessages) ? messageOrMessages : [messageOrMessages];
-  console[method](color2.cyan("[@zimic/interceptor]"), ...messages);
-}
-__name(logWithPrefix, "logWithPrefix");
 
 // src/http/requestHandler/types/requests.ts
 var HTTP_INTERCEPTOR_REQUEST_HIDDEN_PROPERTIES = Object.freeze(
@@ -705,21 +848,18 @@ var HttpInterceptorWorker = class _HttpInterceptorWorker {
       formatValueToLog(request.searchParams.toObject()),
       formatValueToLog(request.body)
     ]);
-    logWithPrefix(
-      [
-        `${action === "bypass" ? "Warning:" : "Error:"} Request was not handled and was ${action === "bypass" ? color2.yellow("bypassed") : color2.red("rejected")}.
+    logger[action === "bypass" ? "warn" : "error"](
+      `${action === "bypass" ? "Warning:" : "Error:"} Request was not handled and was ${action === "bypass" ? color3.yellow("bypassed") : color3.red("rejected")}.
 
  `,
-        `${request.method} ${request.url}`,
-        "\n    Headers:",
-        formattedHeaders,
-        "\n    Search params:",
-        formattedSearchParams,
-        "\n    Body:",
-        formattedBody,
-        "\n\nLearn more: https://github.com/zimicjs/zimic/wiki/api\u2010zimic\u2010interceptor\u2010http#unhandled-requests"
-      ],
-      { method: action === "bypass" ? "warn" : "error" }
+      `${request.method} ${request.url}`,
+      "\n    Headers:",
+      formattedHeaders,
+      "\n    Search params:",
+      formattedSearchParams,
+      "\n    Body:",
+      formattedBody,
+      "\n\nLearn more: https://github.com/zimicjs/zimic/wiki/api\u2010zimic\u2010interceptor\u2010http#unhandled-requests"
     );
   }
 };
@@ -751,6 +891,17 @@ function convertBase64ToArrayBuffer(base64Value) {
   }
 }
 __name(convertBase64ToArrayBuffer, "convertBase64ToArrayBuffer");
+var HEX_REGEX = /^[a-z0-9]+$/;
+function convertHexLengthToByteLength(hexLength) {
+  return Math.ceil(hexLength / 2);
+}
+__name(convertHexLengthToByteLength, "convertHexLengthToByteLength");
+var BASE64URL_REGEX = /^[a-zA-Z0-9-_]+$/;
+function convertHexLengthToBase64urlLength(hexLength) {
+  const byteLength = convertHexLengthToByteLength(hexLength);
+  return Math.ceil(byteLength * 4 / 3);
+}
+__name(convertHexLengthToBase64urlLength, "convertHexLengthToBase64urlLength");
 
 // src/utils/fetch.ts
 async function serializeRequest(request) {
@@ -788,6 +939,9 @@ var importCrypto = createCachedDynamicImport_default(async () => {
   return globalCrypto ?? await import('crypto');
 });
 
+// src/webSocket/constants.ts
+var WEB_SOCKET_CONTROL_MESSAGES = Object.freeze(["socket:auth:valid"]);
+
 // src/webSocket/errors/InvalidWebSocketMessage.ts
 var InvalidWebSocketMessage = class extends Error {
   static {
@@ -828,8 +982,11 @@ var WebSocketHandler = class {
     this.socketTimeout = options.socketTimeout ?? DEFAULT_WEB_SOCKET_LIFECYCLE_TIMEOUT;
     this.messageTimeout = options.messageTimeout ?? DEFAULT_WEB_SOCKET_MESSAGE_TIMEOUT;
   }
-  async registerSocket(socket) {
-    const openPromise = waitForOpenClientSocket(socket, { timeout: this.socketTimeout });
+  async registerSocket(socket, options = {}) {
+    const openPromise = waitForOpenClientSocket(socket, {
+      timeout: this.socketTimeout,
+      waitForAuthentication: options.waitForAuthentication
+    });
     const handleSocketMessage = /* @__PURE__ */ __name(async (rawMessage) => {
       await this.handleSocketMessage(socket, rawMessage);
     }, "handleSocketMessage");
@@ -842,8 +999,8 @@ var WebSocketHandler = class {
     socket.addEventListener("error", handleSocketError);
     const handleSocketClose = /* @__PURE__ */ __name(() => {
       socket.removeEventListener("message", handleSocketMessage);
-      socket.removeEventListener("error", handleSocketError);
       socket.removeEventListener("close", handleSocketClose);
+      socket.removeEventListener("error", handleSocketError);
       this.removeSocket(socket);
     }, "handleSocketClose");
     socket.addEventListener("close", handleSocketClose);
@@ -851,6 +1008,9 @@ var WebSocketHandler = class {
   }
   handleSocketMessage = /* @__PURE__ */ __name(async (socket, rawMessage) => {
     try {
+      if (this.isControlMessageData(rawMessage.data)) {
+        return;
+      }
       const stringifiedMessageData = this.readRawMessageData(rawMessage.data);
       const parsedMessageData = this.parseMessage(stringifiedMessageData);
       await this.notifyListeners(parsedMessageData, socket);
@@ -858,6 +1018,9 @@ var WebSocketHandler = class {
       console.error(error);
     }
   }, "handleSocketMessage");
+  isControlMessageData(messageData) {
+    return typeof messageData === "string" && WEB_SOCKET_CONTROL_MESSAGES.includes(messageData);
+  }
   readRawMessageData(data) {
     if (typeof data === "string") {
       return data;
@@ -872,7 +1035,7 @@ var WebSocketHandler = class {
     } catch {
       throw new InvalidWebSocketMessage_default(stringifiedMessage);
     }
-    if (!this.isValidMessage(parsedMessage)) {
+    if (!this.isMessage(parsedMessage)) {
       throw new InvalidWebSocketMessage_default(stringifiedMessage);
     }
     if (this.isReplyMessage(parsedMessage)) {
@@ -889,7 +1052,7 @@ var WebSocketHandler = class {
       data: parsedMessage.data
     };
   }
-  isValidMessage(message) {
+  isMessage(message) {
     return typeof message === "object" && message !== null && "id" in message && typeof message.id === "string" && "channel" in message && typeof message.channel === "string" && (!("requestId" in message) || typeof message.requestId === "string");
   }
   async notifyListeners(message, socket) {
@@ -925,9 +1088,9 @@ var WebSocketHandler = class {
     this.sockets.delete(socket);
   }
   async createEventMessage(channel, eventData) {
-    const crypto = await importCrypto();
+    const crypto2 = await importCrypto();
     const eventMessage = {
-      id: crypto.randomUUID(),
+      id: crypto2.randomUUID(),
       channel,
       data: eventData
     };
@@ -977,9 +1140,9 @@ var WebSocketHandler = class {
     }
   }
   async createReplyMessage(request, replyData) {
-    const crypto = await importCrypto();
+    const crypto2 = await importCrypto();
     const replyMessage = {
-      id: crypto.randomUUID(),
+      id: crypto2.randomUUID(),
       channel: request.channel,
       requestId: request.id,
       data: replyData
@@ -1060,12 +1223,14 @@ var WebSocketServer = class extends WebSocketHandler_default {
   }
   webSocketServer;
   httpServer;
+  authenticate;
   constructor(options) {
     super({
       socketTimeout: options.socketTimeout,
       messageTimeout: options.messageTimeout
     });
     this.httpServer = options.httpServer;
+    this.authenticate = options.authenticate;
   }
   get isRunning() {
     return this.webSocketServer !== void 0;
@@ -1078,9 +1243,17 @@ var WebSocketServer = class extends WebSocketHandler_default {
     webSocketServer.on("error", (error) => {
       console.error(error);
     });
-    webSocketServer.on("connection", async (socket) => {
+    webSocketServer.on("connection", async (socket, request) => {
+      if (this.authenticate) {
+        const result = await this.authenticate(socket, request);
+        if (!result.isValid) {
+          socket.close(1008, result.message);
+          return;
+        }
+      }
       try {
         await super.registerSocket(socket);
+        socket.send("socket:auth:valid");
       } catch (error) {
         webSocketServer.emit("error", error);
       }
@@ -1101,8 +1274,242 @@ var WebSocketServer = class extends WebSocketHandler_default {
 };
 var WebSocketServer_default = WebSocketServer;
 
+// src/server/errors/InvalidInterceptorTokenError.ts
+var InvalidInterceptorTokenError = class extends Error {
+  static {
+    __name(this, "InvalidInterceptorTokenError");
+  }
+  constructor(tokenId) {
+    super(`Invalid interceptor token: ${tokenId}`);
+    this.name = "InvalidInterceptorTokenError";
+  }
+};
+var InvalidInterceptorTokenError_default = InvalidInterceptorTokenError;
+
+// src/server/errors/InvalidInterceptorTokenFileError.ts
+var InvalidInterceptorTokenFileError = class extends Error {
+  static {
+    __name(this, "InvalidInterceptorTokenFileError");
+  }
+  constructor(tokenFilePath, validationErrorMessage) {
+    super(`Invalid interceptor token file ${tokenFilePath}: ${validationErrorMessage}`);
+    this.name = "InvalidInterceptorTokenFileError";
+  }
+};
+var InvalidInterceptorTokenFileError_default = InvalidInterceptorTokenFileError;
+
+// src/server/errors/InvalidInterceptorTokenValueError.ts
+var InvalidInterceptorTokenValueError = class extends Error {
+  static {
+    __name(this, "InvalidInterceptorTokenValueError");
+  }
+  constructor(tokenValue) {
+    super(`Invalid interceptor token value: ${tokenValue}`);
+    this.name = "InvalidInterceptorTokenValueError";
+  }
+};
+var InvalidInterceptorTokenValueError_default = InvalidInterceptorTokenValueError;
+
+// src/server/utils/auth.ts
+var DEFAULT_INTERCEPTOR_TOKENS_DIRECTORY = path.join(
+  ".zimic",
+  "interceptor",
+  "server",
+  `tokens${""}`
+);
+var INTERCEPTOR_TOKEN_ID_HEX_LENGTH = 32;
+var INTERCEPTOR_TOKEN_SECRET_HEX_LENGTH = 64;
+var INTERCEPTOR_TOKEN_VALUE_HEX_LENGTH = INTERCEPTOR_TOKEN_ID_HEX_LENGTH + INTERCEPTOR_TOKEN_SECRET_HEX_LENGTH;
+var INTERCEPTOR_TOKEN_VALUE_BASE64URL_LENGTH = convertHexLengthToBase64urlLength(
+  INTERCEPTOR_TOKEN_VALUE_HEX_LENGTH
+);
+var INTERCEPTOR_TOKEN_SALT_HEX_LENGTH = 64;
+var INTERCEPTOR_TOKEN_HASH_ITERATIONS = Number("1000000");
+var INTERCEPTOR_TOKEN_HASH_HEX_LENGTH = 128;
+var INTERCEPTOR_TOKEN_HASH_ALGORITHM = "sha512";
+var pbkdf2 = util.promisify(crypto.pbkdf2);
+async function hashInterceptorToken(plainToken, salt) {
+  const hashBuffer = await pbkdf2(
+    plainToken,
+    salt,
+    INTERCEPTOR_TOKEN_HASH_ITERATIONS,
+    convertHexLengthToByteLength(INTERCEPTOR_TOKEN_HASH_HEX_LENGTH),
+    INTERCEPTOR_TOKEN_HASH_ALGORITHM
+  );
+  const hash = hashBuffer.toString("hex");
+  return hash;
+}
+__name(hashInterceptorToken, "hashInterceptorToken");
+function createInterceptorTokenId() {
+  return crypto.randomUUID().replace(/[^a-z0-9]/g, "");
+}
+__name(createInterceptorTokenId, "createInterceptorTokenId");
+function isValidInterceptorTokenId(tokenId) {
+  return tokenId.length === INTERCEPTOR_TOKEN_ID_HEX_LENGTH && HEX_REGEX.test(tokenId);
+}
+__name(isValidInterceptorTokenId, "isValidInterceptorTokenId");
+function isValidInterceptorTokenValue(tokenValue) {
+  return tokenValue.length === INTERCEPTOR_TOKEN_VALUE_BASE64URL_LENGTH && BASE64URL_REGEX.test(tokenValue);
+}
+__name(isValidInterceptorTokenValue, "isValidInterceptorTokenValue");
+async function createInterceptorTokensDirectory(tokensDirectory) {
+  try {
+    const parentTokensDirectory = path.dirname(tokensDirectory);
+    await fs.promises.mkdir(parentTokensDirectory, { recursive: true });
+    await fs.promises.mkdir(tokensDirectory, { mode: 448, recursive: true });
+    await fs.promises.appendFile(path.join(tokensDirectory, ".gitignore"), `*${os.EOL}`, { encoding: "utf-8" });
+  } catch (error) {
+    logger.error(
+      `${color3.red(color3.bold("\u2716"))} Failed to create the tokens directory: ${color3.magenta(tokensDirectory)}`
+    );
+    throw error;
+  }
+}
+__name(createInterceptorTokensDirectory, "createInterceptorTokensDirectory");
+var interceptorTokenFileContentSchema = z.object({
+  version: z.literal(1),
+  token: z.object({
+    id: z.string().length(INTERCEPTOR_TOKEN_ID_HEX_LENGTH).regex(HEX_REGEX),
+    name: z.string().optional(),
+    secret: z.object({
+      hash: z.string().length(INTERCEPTOR_TOKEN_HASH_HEX_LENGTH).regex(HEX_REGEX),
+      salt: z.string().length(INTERCEPTOR_TOKEN_SALT_HEX_LENGTH).regex(HEX_REGEX)
+    }),
+    createdAt: z.string().datetime().transform((value) => new Date(value))
+  })
+});
+async function saveInterceptorTokenToFile(tokensDirectory, token) {
+  const tokeFilePath = path.join(tokensDirectory, token.id);
+  const persistedToken = {
+    id: token.id,
+    name: token.name,
+    secret: {
+      hash: token.secret.hash,
+      salt: token.secret.salt
+    },
+    createdAt: token.createdAt.toISOString()
+  };
+  const tokenFileContent = interceptorTokenFileContentSchema.parse({
+    version: 1,
+    token: persistedToken
+  });
+  await fs.promises.writeFile(tokeFilePath, JSON.stringify(tokenFileContent, null, 2), {
+    mode: 384,
+    encoding: "utf-8"
+  });
+  return tokeFilePath;
+}
+__name(saveInterceptorTokenToFile, "saveInterceptorTokenToFile");
+async function readInterceptorTokenFromFile(tokenId, options) {
+  if (!isValidInterceptorTokenId(tokenId)) {
+    throw new InvalidInterceptorTokenError_default(tokenId);
+  }
+  const tokenFilePath = path.join(options.tokensDirectory, tokenId);
+  const tokenFileExists = await pathExists(tokenFilePath);
+  if (!tokenFileExists) {
+    return null;
+  }
+  const tokenFileContentAsString = await fs.promises.readFile(tokenFilePath, { encoding: "utf-8" });
+  const validation = interceptorTokenFileContentSchema.safeParse(JSON.parse(tokenFileContentAsString));
+  if (!validation.success) {
+    throw new InvalidInterceptorTokenFileError_default(tokenFilePath, validation.error.message);
+  }
+  return validation.data.token;
+}
+__name(readInterceptorTokenFromFile, "readInterceptorTokenFromFile");
+async function createInterceptorToken(options) {
+  const { name, tokensDirectory } = options;
+  const tokensDirectoryExists = await pathExists(tokensDirectory);
+  if (!tokensDirectoryExists) {
+    await createInterceptorTokensDirectory(tokensDirectory);
+  }
+  const tokenId = createInterceptorTokenId();
+  if (!isValidInterceptorTokenId(tokenId)) {
+    throw new InvalidInterceptorTokenError_default(tokenId);
+  }
+  const tokenSecretSizeInBytes = convertHexLengthToByteLength(INTERCEPTOR_TOKEN_SECRET_HEX_LENGTH);
+  const tokenSecret = crypto.randomBytes(tokenSecretSizeInBytes).toString("hex");
+  const tokenSecretSaltSizeInBytes = convertHexLengthToByteLength(INTERCEPTOR_TOKEN_SALT_HEX_LENGTH);
+  const tokenSecretSalt = crypto.randomBytes(tokenSecretSaltSizeInBytes).toString("hex");
+  const tokenSecretHash = await hashInterceptorToken(tokenSecret, tokenSecretSalt);
+  const tokenValue = Buffer.from(`${tokenId}${tokenSecret}`, "hex").toString("base64url");
+  if (!isValidInterceptorTokenValue(tokenValue)) {
+    throw new InvalidInterceptorTokenValueError_default(tokenValue);
+  }
+  const token = {
+    id: tokenId,
+    name,
+    secret: {
+      hash: tokenSecretHash,
+      salt: tokenSecretSalt,
+      value: tokenSecret
+    },
+    value: tokenValue,
+    createdAt: /* @__PURE__ */ new Date()
+  };
+  await saveInterceptorTokenToFile(tokensDirectory, token);
+  return token;
+}
+__name(createInterceptorToken, "createInterceptorToken");
+async function listInterceptorTokens(options) {
+  const tokensDirectoryExists = await pathExists(options.tokensDirectory);
+  if (!tokensDirectoryExists) {
+    return [];
+  }
+  const files = await fs.promises.readdir(options.tokensDirectory);
+  const tokenReadPromises = files.map(async (file) => {
+    if (!isValidInterceptorTokenId(file)) {
+      return null;
+    }
+    const tokenId = file;
+    const token = await readInterceptorTokenFromFile(tokenId, options);
+    return token;
+  });
+  const tokenCandidates = await Promise.allSettled(tokenReadPromises);
+  const tokens = [];
+  for (const tokenCandidate of tokenCandidates) {
+    if (tokenCandidate.status === "rejected") {
+      console.error(tokenCandidate.reason);
+    } else if (tokenCandidate.value !== null) {
+      tokens.push(tokenCandidate.value);
+    }
+  }
+  tokens.sort((token, otherToken) => token.createdAt.getTime() - otherToken.createdAt.getTime());
+  return tokens;
+}
+__name(listInterceptorTokens, "listInterceptorTokens");
+async function validateInterceptorToken(tokenValue, options) {
+  if (!isValidInterceptorTokenValue(tokenValue)) {
+    throw new InvalidInterceptorTokenValueError_default(tokenValue);
+  }
+  const decodedTokenValue = Buffer.from(tokenValue, "base64url").toString("hex");
+  const tokenId = decodedTokenValue.slice(0, INTERCEPTOR_TOKEN_ID_HEX_LENGTH);
+  const tokenSecret = decodedTokenValue.slice(
+    INTERCEPTOR_TOKEN_ID_HEX_LENGTH,
+    INTERCEPTOR_TOKEN_ID_HEX_LENGTH + INTERCEPTOR_TOKEN_VALUE_HEX_LENGTH
+  );
+  const tokenFromFile = await readInterceptorTokenFromFile(tokenId, options);
+  if (!tokenFromFile) {
+    throw new InvalidInterceptorTokenValueError_default(tokenValue);
+  }
+  const tokenSecretHash = await hashInterceptorToken(tokenSecret, tokenFromFile.secret.salt);
+  if (tokenSecretHash !== tokenFromFile.secret.hash) {
+    throw new InvalidInterceptorTokenValueError_default(tokenValue);
+  }
+}
+__name(validateInterceptorToken, "validateInterceptorToken");
+async function removeInterceptorToken(tokenId, options) {
+  if (!isValidInterceptorTokenId(tokenId)) {
+    throw new InvalidInterceptorTokenError_default(tokenId);
+  }
+  const tokenFilePath = path.join(options.tokensDirectory, tokenId);
+  await fs.promises.rm(tokenFilePath, { force: true });
+}
+__name(removeInterceptorToken, "removeInterceptorToken");
+
 // src/server/utils/fetch.ts
 async function getFetchAPI() {
+  const File2 = await importFile();
   return {
     fetch,
     Request,
@@ -1117,7 +1524,7 @@ async function getFetchAPI() {
     TextDecoderStream,
     TextEncoderStream,
     Blob,
-    File: await importFile(),
+    File: File2,
     crypto: globalThis.crypto,
     btoa,
     TextEncoder,
@@ -1139,6 +1546,7 @@ var InterceptorServer = class {
   _hostname;
   _port;
   logUnhandledRequests;
+  tokensDirectory;
   httpHandlerGroups = {
     GET: [],
     POST: [],
@@ -1153,6 +1561,7 @@ var InterceptorServer = class {
     this._hostname = options.hostname ?? DEFAULT_HOSTNAME;
     this._port = options.port;
     this.logUnhandledRequests = options.logUnhandledRequests ?? DEFAULT_LOG_UNHANDLED_REQUESTS;
+    this.tokensDirectory = options.tokensDirectory;
   }
   get hostname() {
     return this._hostname;
@@ -1197,10 +1606,39 @@ var InterceptorServer = class {
     });
     await this.startHttpServer();
     this.webSocketServer = new WebSocketServer_default({
-      httpServer: this.httpServer
+      httpServer: this.httpServer,
+      authenticate: this.authenticateWebSocketConnection
     });
     this.startWebSocketServer();
   }
+  authenticateWebSocketConnection = /* @__PURE__ */ __name(async (_socket, request) => {
+    if (!this.tokensDirectory) {
+      return { isValid: true };
+    }
+    const tokenValue = this.getWebSocketRequestTokenValue(request);
+    if (!tokenValue) {
+      return { isValid: false, message: "An interceptor token is required, but none was provided." };
+    }
+    try {
+      await validateInterceptorToken(tokenValue, { tokensDirectory: this.tokensDirectory });
+      return { isValid: true };
+    } catch (error) {
+      console.error(error);
+      return { isValid: false, message: "The interceptor token is not valid." };
+    }
+  }, "authenticateWebSocketConnection");
+  getWebSocketRequestTokenValue(request) {
+    const protocols = request.headers["sec-websocket-protocol"] ?? "";
+    const parametersAsString = decodeURIComponent(protocols).split(", ");
+    for (const parameterAsString of parametersAsString) {
+      const tokenValueMatch = /^token=(?<tokenValue>.+?)$/.exec(parameterAsString);
+      const tokenValue = tokenValueMatch?.groups?.tokenValue;
+      if (tokenValue) {
+        return tokenValue;
+      }
+    }
+    return void 0;
+  }
   async startHttpServer() {
     await startHttpServer(this.httpServerOrThrow, {
       hostname: this.hostname,
@@ -1211,8 +1649,8 @@ var InterceptorServer = class {
   }
   startWebSocketServer() {
     this.webSocketServerOrThrow.start();
-    this.webSocketServerOrThrow.onEvent("interceptors/workers/use/commit", this.commitWorker);
-    this.webSocketServerOrThrow.onEvent("interceptors/workers/use/reset", this.resetWorker);
+    this.webSocketServerOrThrow.onEvent("interceptors/workers/commit", this.commitWorker);
+    this.webSocketServerOrThrow.onEvent("interceptors/workers/reset", this.resetWorker);
   }
   commitWorker = /* @__PURE__ */ __name((message, socket) => {
     const commit = message.data;
@@ -1276,8 +1714,8 @@ var InterceptorServer = class {
     this.httpServer = void 0;
   }
   async stopWebSocketServer() {
-    this.webSocketServerOrThrow.offEvent("interceptors/workers/use/commit", this.commitWorker);
-    this.webSocketServerOrThrow.offEvent("interceptors/workers/use/reset", this.resetWorker);
+    this.webSocketServerOrThrow.offEvent("interceptors/workers/commit", this.commitWorker);
+    this.webSocketServerOrThrow.offEvent("interceptors/workers/reset", this.resetWorker);
     await this.webSocketServerOrThrow.stop();
     this.webSocketServer = void 0;
   }
@@ -1389,6 +1827,10 @@ __name(createInterceptorServer, "createInterceptorServer");
  * This is expected not to happen since the servers are not stopped unless they are running. */
 /* istanbul ignore if -- @preserve
  * The address is expected to be an object because the server does not listen on a pipe or Unix domain socket.  */
+/* istanbul ignore else -- @preserve
+ * An unauthorized close event is the only one we expect to happen here. */
+/* istanbul ignore else -- @preserve
+ * We currently only support the 'socket:auth:valid' message and it is the only possible control message here. */
 /* istanbul ignore if -- @preserve
  * This is not expected since the server is not stopped unless it is running. */
 /* istanbul ignore next -- @preserve
@@ -1400,6 +1842,12 @@ __name(createInterceptorServer, "createInterceptorServer");
 /* istanbul ignore next -- @preserve
  * Reply listeners are always present when notified in normal conditions. If they were not present, the request
  * would reach a timeout and not be responded. The empty set serves as a fallback. */
+/* istanbul ignore if -- @preserve
+ * This should never happen, but let's check that the token identifier is valid after generated. */
+/* istanbul ignore if -- @preserve
+ * This should never happen, but let's check that the token value is valid after generated. */
+/* istanbul ignore if -- @preserve
+ * At this point, we should have a valid tokenId. This is just a sanity check. */
 /* istanbul ignore if -- @preserve
  * The HTTP server is initialized before using this method in normal conditions. */
 /* istanbul ignore if -- @preserve
@@ -1410,6 +1858,6 @@ __name(createInterceptorServer, "createInterceptorServer");
  * This try..catch is for the case when the remote interceptor web socket client is closed before responding.
  * Since simulating this scenario is difficult, we are ignoring this branch fow now. */
 
-export { DEFAULT_ACCESS_CONTROL_HEADERS, DEFAULT_PREFLIGHT_STATUS_CODE, NotRunningInterceptorServerError_default, RunningInterceptorServerError_default, createCachedDynamicImport_default, createInterceptorServer, logWithPrefix };
-//# sourceMappingURL=chunk-3SKHNQLL.mjs.map
-//# sourceMappingURL=chunk-3SKHNQLL.mjs.map
+export { DEFAULT_ACCESS_CONTROL_HEADERS, DEFAULT_INTERCEPTOR_TOKENS_DIRECTORY, DEFAULT_PREFLIGHT_STATUS_CODE, NotRunningInterceptorServerError_default, RunningInterceptorServerError_default, createCachedDynamicImport_default, createInterceptorServer, createInterceptorToken, listInterceptorTokens, logger, readInterceptorTokenFromFile, removeInterceptorToken };
+//# sourceMappingURL=chunk-L75WKVZO.mjs.map
+//# sourceMappingURL=chunk-L75WKVZO.mjs.map