@zimic/interceptor 0.17.0-canary.1 → 0.17.0-canary.3

package/dist/{chunk-TYHJPU5G.js → chunk-PURXNE6R.js}

@@ -4,13 +4,24 @@ var chunkWCQVDF3K_js = require('./chunk-WCQVDF3K.js');
 var http = require('@zimic/http');
 var server = require('@whatwg-node/server');
 var http$1 = require('http');
-var color2 = require('picocolors');
+var color3 = require('picocolors');
 var ClientSocket = require('isomorphic-ws');
+var crypto = require('crypto');
+var fs = require('fs');
+var os = require('os');
+var path = require('path');
+var util = require('util');
+var zod = require('zod');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
 
-var color2__default = /*#__PURE__*/_interopDefault(color2);
+var color3__default = /*#__PURE__*/_interopDefault(color3);
 var ClientSocket__default = /*#__PURE__*/_interopDefault(ClientSocket);
+var crypto__default = /*#__PURE__*/_interopDefault(crypto);
+var fs__default = /*#__PURE__*/_interopDefault(fs);
+var os__default = /*#__PURE__*/_interopDefault(os);
+var path__default = /*#__PURE__*/_interopDefault(path);
+var util__default = /*#__PURE__*/_interopDefault(util);
 
 // src/server/errors/RunningInterceptorServerError.ts
 var RunningInterceptorServerError = class extends Error {
@@ -119,6 +130,19 @@ function methodCanHaveResponseBody(method) {
 }
 chunkWCQVDF3K_js.__name(methodCanHaveResponseBody, "methodCanHaveResponseBody");
 
+// src/webSocket/errors/UnauthorizedWebSocketConnectionError.ts
+var UnauthorizedWebSocketConnectionError = class extends Error {
+  constructor(event) {
+    super(`${event.reason} (code ${event.code})`);
+    this.event = event;
+    this.name = "UnauthorizedWebSocketConnectionError";
+  }
+  static {
+    chunkWCQVDF3K_js.__name(this, "UnauthorizedWebSocketConnectionError");
+  }
+};
+var UnauthorizedWebSocketConnectionError_default = UnauthorizedWebSocketConnectionError;
+
 // src/utils/webSocket.ts
 var WebSocketTimeoutError = class extends Error {
   static {
@@ -164,29 +188,58 @@ var WebSocketCloseTimeoutError = class extends WebSocketTimeoutError {
 var DEFAULT_WEB_SOCKET_LIFECYCLE_TIMEOUT = 60 * 1e3;
 var DEFAULT_WEB_SOCKET_MESSAGE_TIMEOUT = 3 * 60 * 1e3;
 async function waitForOpenClientSocket(socket, options = {}) {
-  const { timeout: timeoutDuration = DEFAULT_WEB_SOCKET_LIFECYCLE_TIMEOUT } = options;
+  const { timeout: timeoutDuration = DEFAULT_WEB_SOCKET_LIFECYCLE_TIMEOUT, waitForAuthentication = false } = options;
   const isAlreadyOpen = socket.readyState === socket.OPEN;
   if (isAlreadyOpen) {
     return;
   }
   await new Promise((resolve, reject) => {
-    function handleOpenError(error) {
+    function removeAllSocketListeners() {
+      socket.removeEventListener("message", handleSocketMessage);
       socket.removeEventListener("open", handleOpenSuccess);
+      socket.removeEventListener("error", handleOpenError);
+      socket.removeEventListener("close", handleClose);
+    }
+    chunkWCQVDF3K_js.__name(removeAllSocketListeners, "removeAllSocketListeners");
+    function handleOpenError(error) {
+      removeAllSocketListeners();
       reject(error);
     }
     chunkWCQVDF3K_js.__name(handleOpenError, "handleOpenError");
+    function handleClose(event) {
+      const isUnauthorized = event.code === 1008;
+      if (isUnauthorized) {
+        const unauthorizedError = new UnauthorizedWebSocketConnectionError_default(event);
+        handleOpenError(unauthorizedError);
+      } else {
+        handleOpenError(event);
+      }
+    }
+    chunkWCQVDF3K_js.__name(handleClose, "handleClose");
     const openTimeout = setTimeout(() => {
       const timeoutError = new WebSocketOpenTimeoutError(timeoutDuration);
       handleOpenError(timeoutError);
     }, timeoutDuration);
     function handleOpenSuccess() {
-      socket.removeEventListener("error", handleOpenError);
+      removeAllSocketListeners();
       clearTimeout(openTimeout);
       resolve();
     }
     chunkWCQVDF3K_js.__name(handleOpenSuccess, "handleOpenSuccess");
-    socket.addEventListener("open", handleOpenSuccess);
+    function handleSocketMessage(message) {
+      const hasValidAuth = message.data === "socket:auth:valid";
+      if (hasValidAuth) {
+        handleOpenSuccess();
+      }
+    }
+    chunkWCQVDF3K_js.__name(handleSocketMessage, "handleSocketMessage");
+    if (waitForAuthentication) {
+      socket.addEventListener("message", handleSocketMessage);
+    } else {
+      socket.addEventListener("open", handleOpenSuccess);
+    }
     socket.addEventListener("error", handleOpenError);
+    socket.addEventListener("close", handleClose);
   });
 }
 chunkWCQVDF3K_js.__name(waitForOpenClientSocket, "waitForOpenClientSocket");
@@ -197,23 +250,28 @@ async function closeClientSocket(socket, options = {}) {
     return;
   }
   await new Promise((resolve, reject) => {
-    function handleCloseError(error) {
-      socket.removeEventListener("close", handleCloseSuccess);
+    function removeAllSocketListeners() {
+      socket.removeEventListener("error", handleError);
+      socket.removeEventListener("close", handleClose);
+    }
+    chunkWCQVDF3K_js.__name(removeAllSocketListeners, "removeAllSocketListeners");
+    function handleError(error) {
+      removeAllSocketListeners();
       reject(error);
     }
-    chunkWCQVDF3K_js.__name(handleCloseError, "handleCloseError");
+    chunkWCQVDF3K_js.__name(handleError, "handleError");
     const closeTimeout = setTimeout(() => {
       const timeoutError = new WebSocketCloseTimeoutError(timeoutDuration);
-      handleCloseError(timeoutError);
+      handleError(timeoutError);
     }, timeoutDuration);
-    function handleCloseSuccess() {
-      socket.removeEventListener("error", handleCloseError);
+    function handleClose() {
+      removeAllSocketListeners();
       clearTimeout(closeTimeout);
       resolve();
     }
-    chunkWCQVDF3K_js.__name(handleCloseSuccess, "handleCloseSuccess");
-    socket.addEventListener("error", handleCloseError);
-    socket.addEventListener("close", handleCloseSuccess);
+    chunkWCQVDF3K_js.__name(handleClose, "handleClose");
+    socket.addEventListener("error", handleError);
+    socket.addEventListener("close", handleClose);
     socket.close();
   });
 }
@@ -302,6 +360,12 @@ function removeArrayElement(array, element) {
 }
 chunkWCQVDF3K_js.__name(removeArrayElement, "removeArrayElement");
 
+// src/utils/environment.ts
+function isClientSide() {
+  return typeof window !== "undefined" && typeof document !== "undefined";
+}
+chunkWCQVDF3K_js.__name(isClientSide, "isClientSide");
+
 // ../zimic-utils/dist/import/createCachedDynamicImport.mjs
 function createCachedDynamicImport(importModuleDynamically) {
   let cachedImportResult;
@@ -314,11 +378,87 @@ chunkWCQVDF3K_js.__name(createCachedDynamicImport, "createCachedDynamicImport");
 __name2(createCachedDynamicImport, "createCachedDynamicImport");
 var createCachedDynamicImport_default = createCachedDynamicImport;
 
-// src/utils/environment.ts
-function isClientSide() {
-  return typeof window !== "undefined" && typeof document !== "undefined";
-}
-chunkWCQVDF3K_js.__name(isClientSide, "isClientSide");
+// ../zimic-utils/dist/logging/Logger.mjs
+var Logger = class _Logger {
+  static {
+    chunkWCQVDF3K_js.__name(this, "_Logger");
+  }
+  static {
+    __name2(this, "Logger");
+  }
+  prefix;
+  raw;
+  constructor(options = {}) {
+    const { prefix } = options;
+    this.prefix = prefix;
+    this.raw = prefix ? new _Logger({ ...options, prefix: void 0 }) : this;
+  }
+  logWithLevel(level, ...messages) {
+    if (this.prefix) {
+      console[level](this.prefix, ...messages);
+    } else {
+      console[level](...messages);
+    }
+  }
+  info(...messages) {
+    this.logWithLevel("log", ...messages);
+  }
+  warn(...messages) {
+    this.logWithLevel("warn", ...messages);
+  }
+  error(...messages) {
+    this.logWithLevel("error", ...messages);
+  }
+  table(headers, rows) {
+    const columnLengths = headers.map((header) => {
+      let maxValueLength = header.title.length;
+      for (const row of rows) {
+        const value = row[header.property];
+        if (value.length > maxValueLength) {
+          maxValueLength = value.length;
+        }
+      }
+      return maxValueLength;
+    });
+    const formattedRows = [];
+    const horizontalLine = columnLengths.map((length) => "\u2500".repeat(length));
+    formattedRows.push(horizontalLine, []);
+    for (let headerIndex = 0; headerIndex < headers.length; headerIndex++) {
+      const header = headers[headerIndex];
+      const columnLength = columnLengths[headerIndex];
+      const value = header.title;
+      formattedRows.at(-1)?.push(value.padEnd(columnLength, " "));
+    }
+    formattedRows.push(horizontalLine);
+    for (const row of rows) {
+      formattedRows.push([]);
+      for (let headerIndex = 0; headerIndex < headers.length; headerIndex++) {
+        const header = headers[headerIndex];
+        const columnLength = columnLengths[headerIndex];
+        const value = row[header.property];
+        formattedRows.at(-1)?.push(value.padEnd(columnLength, " "));
+      }
+    }
+    formattedRows.push(horizontalLine);
+    const formattedTable = formattedRows.map((row, index) => {
+      const isFirstLine = index === 0;
+      if (isFirstLine) {
+        return `\u250C\u2500${row.join("\u2500\u252C\u2500")}\u2500\u2510`;
+      }
+      const isLineAfterHeaders = index === 2;
+      if (isLineAfterHeaders) {
+        return `\u251C\u2500${row.join("\u2500\u253C\u2500")}\u2500\u2524`;
+      }
+      const isLastLine = index === formattedRows.length - 1;
+      if (isLastLine) {
+        return `\u2514\u2500${row.join("\u2500\u2534\u2500")}\u2500\u2518`;
+      }
+      return `\u2502 ${row.join(" \u2502 ")} \u2502`;
+    }).join("\n");
+    this.logWithLevel("log", formattedTable);
+  }
+};
+var Logger_default = Logger;
 
 // src/utils/files.ts
 var importFile = createCachedDynamicImport_default(
@@ -327,16 +467,30 @@ var importFile = createCachedDynamicImport_default(
   // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
   async () => globalThis.File ?? (await import('buffer')).File
 );
+var importFilesystem = createCachedDynamicImport_default(() => import('fs'));
+async function pathExists(path2) {
+  const fs2 = await importFilesystem();
+  try {
+    await fs2.promises.access(path2);
+    return true;
+  } catch {
+    return false;
+  }
+}
+chunkWCQVDF3K_js.__name(pathExists, "pathExists");
 
-// src/utils/console.ts
+// src/utils/logging.ts
+var logger = new Logger_default({
+  prefix: color3__default.default.cyan("[@zimic/interceptor]")
+});
 var importUtil = createCachedDynamicImport_default(() => import('util'));
 async function formatValueToLog(value, options = {}) {
   if (isClientSide()) {
     return value;
   }
   const { colors = true } = options;
-  const util = await importUtil();
-  return util.inspect(value, {
+  const util2 = await importUtil();
+  return util2.inspect(value, {
     colors,
     compact: true,
     depth: Infinity,
@@ -347,12 +501,6 @@ async function formatValueToLog(value, options = {}) {
   });
 }
 chunkWCQVDF3K_js.__name(formatValueToLog, "formatValueToLog");
-function logWithPrefix(messageOrMessages, options = {}) {
-  const { method = "log" } = options;
-  const messages = Array.isArray(messageOrMessages) ? messageOrMessages : [messageOrMessages];
-  console[method](color2__default.default.cyan("[@zimic/interceptor]"), ...messages);
-}
-chunkWCQVDF3K_js.__name(logWithPrefix, "logWithPrefix");
 
 // src/http/requestHandler/types/requests.ts
 var HTTP_INTERCEPTOR_REQUEST_HIDDEN_PROPERTIES = Object.freeze(
@@ -712,21 +860,18 @@ var HttpInterceptorWorker = class _HttpInterceptorWorker {
       formatValueToLog(request.searchParams.toObject()),
       formatValueToLog(request.body)
     ]);
-    logWithPrefix(
-      [
-        `${action === "bypass" ? "Warning:" : "Error:"} Request was not handled and was ${action === "bypass" ? color2__default.default.yellow("bypassed") : color2__default.default.red("rejected")}.
+    logger[action === "bypass" ? "warn" : "error"](
+      `${action === "bypass" ? "Warning:" : "Error:"} Request was not handled and was ${action === "bypass" ? color3__default.default.yellow("bypassed") : color3__default.default.red("rejected")}.
 
  `,
-        `${request.method} ${request.url}`,
-        "\n    Headers:",
-        formattedHeaders,
-        "\n    Search params:",
-        formattedSearchParams,
-        "\n    Body:",
-        formattedBody,
-        "\n\nLearn more: https://github.com/zimicjs/zimic/wiki/api\u2010zimic\u2010interceptor\u2010http#unhandled-requests"
-      ],
-      { method: action === "bypass" ? "warn" : "error" }
+      `${request.method} ${request.url}`,
+      "\n    Headers:",
+      formattedHeaders,
+      "\n    Search params:",
+      formattedSearchParams,
+      "\n    Body:",
+      formattedBody,
+      "\n\nLearn more: https://github.com/zimicjs/zimic/wiki/api\u2010zimic\u2010interceptor\u2010http#unhandled-requests"
     );
   }
 };
@@ -758,6 +903,17 @@ function convertBase64ToArrayBuffer(base64Value) {
   }
 }
 chunkWCQVDF3K_js.__name(convertBase64ToArrayBuffer, "convertBase64ToArrayBuffer");
+var HEX_REGEX = /^[a-z0-9]+$/;
+function convertHexLengthToByteLength(hexLength) {
+  return Math.ceil(hexLength / 2);
+}
+chunkWCQVDF3K_js.__name(convertHexLengthToByteLength, "convertHexLengthToByteLength");
+var BASE64URL_REGEX = /^[a-zA-Z0-9-_]+$/;
+function convertHexLengthToBase64urlLength(hexLength) {
+  const byteLength = convertHexLengthToByteLength(hexLength);
+  return Math.ceil(byteLength * 4 / 3);
+}
+chunkWCQVDF3K_js.__name(convertHexLengthToBase64urlLength, "convertHexLengthToBase64urlLength");
 
 // src/utils/fetch.ts
 async function serializeRequest(request) {
@@ -795,6 +951,9 @@ var importCrypto = createCachedDynamicImport_default(async () => {
   return globalCrypto ?? await import('crypto');
 });
 
+// src/webSocket/constants.ts
+var WEB_SOCKET_CONTROL_MESSAGES = Object.freeze(["socket:auth:valid"]);
+
 // src/webSocket/errors/InvalidWebSocketMessage.ts
 var InvalidWebSocketMessage = class extends Error {
   static {
@@ -835,8 +994,11 @@ var WebSocketHandler = class {
     this.socketTimeout = options.socketTimeout ?? DEFAULT_WEB_SOCKET_LIFECYCLE_TIMEOUT;
     this.messageTimeout = options.messageTimeout ?? DEFAULT_WEB_SOCKET_MESSAGE_TIMEOUT;
   }
-  async registerSocket(socket) {
-    const openPromise = waitForOpenClientSocket(socket, { timeout: this.socketTimeout });
+  async registerSocket(socket, options = {}) {
+    const openPromise = waitForOpenClientSocket(socket, {
+      timeout: this.socketTimeout,
+      waitForAuthentication: options.waitForAuthentication
+    });
     const handleSocketMessage = /* @__PURE__ */ chunkWCQVDF3K_js.__name(async (rawMessage) => {
       await this.handleSocketMessage(socket, rawMessage);
     }, "handleSocketMessage");
@@ -849,8 +1011,8 @@ var WebSocketHandler = class {
     socket.addEventListener("error", handleSocketError);
     const handleSocketClose = /* @__PURE__ */ chunkWCQVDF3K_js.__name(() => {
       socket.removeEventListener("message", handleSocketMessage);
-      socket.removeEventListener("error", handleSocketError);
       socket.removeEventListener("close", handleSocketClose);
+      socket.removeEventListener("error", handleSocketError);
       this.removeSocket(socket);
     }, "handleSocketClose");
     socket.addEventListener("close", handleSocketClose);
@@ -858,6 +1020,9 @@ var WebSocketHandler = class {
   }
   handleSocketMessage = /* @__PURE__ */ chunkWCQVDF3K_js.__name(async (socket, rawMessage) => {
     try {
+      if (this.isControlMessageData(rawMessage.data)) {
+        return;
+      }
       const stringifiedMessageData = this.readRawMessageData(rawMessage.data);
       const parsedMessageData = this.parseMessage(stringifiedMessageData);
       await this.notifyListeners(parsedMessageData, socket);
@@ -865,6 +1030,9 @@ var WebSocketHandler = class {
       console.error(error);
     }
   }, "handleSocketMessage");
+  isControlMessageData(messageData) {
+    return typeof messageData === "string" && WEB_SOCKET_CONTROL_MESSAGES.includes(messageData);
+  }
   readRawMessageData(data) {
     if (typeof data === "string") {
       return data;
@@ -879,7 +1047,7 @@ var WebSocketHandler = class {
     } catch {
       throw new InvalidWebSocketMessage_default(stringifiedMessage);
     }
-    if (!this.isValidMessage(parsedMessage)) {
+    if (!this.isMessage(parsedMessage)) {
       throw new InvalidWebSocketMessage_default(stringifiedMessage);
     }
     if (this.isReplyMessage(parsedMessage)) {
@@ -896,7 +1064,7 @@ var WebSocketHandler = class {
       data: parsedMessage.data
     };
   }
-  isValidMessage(message) {
+  isMessage(message) {
     return typeof message === "object" && message !== null && "id" in message && typeof message.id === "string" && "channel" in message && typeof message.channel === "string" && (!("requestId" in message) || typeof message.requestId === "string");
   }
   async notifyListeners(message, socket) {
@@ -932,9 +1100,9 @@ var WebSocketHandler = class {
     this.sockets.delete(socket);
   }
   async createEventMessage(channel, eventData) {
-    const crypto = await importCrypto();
+    const crypto2 = await importCrypto();
     const eventMessage = {
-      id: crypto.randomUUID(),
+      id: crypto2.randomUUID(),
       channel,
       data: eventData
     };
@@ -984,9 +1152,9 @@ var WebSocketHandler = class {
     }
   }
   async createReplyMessage(request, replyData) {
-    const crypto = await importCrypto();
+    const crypto2 = await importCrypto();
     const replyMessage = {
-      id: crypto.randomUUID(),
+      id: crypto2.randomUUID(),
       channel: request.channel,
       requestId: request.id,
       data: replyData
@@ -1067,12 +1235,14 @@ var WebSocketServer = class extends WebSocketHandler_default {
   }
   webSocketServer;
   httpServer;
+  authenticate;
   constructor(options) {
     super({
       socketTimeout: options.socketTimeout,
       messageTimeout: options.messageTimeout
     });
     this.httpServer = options.httpServer;
+    this.authenticate = options.authenticate;
   }
   get isRunning() {
     return this.webSocketServer !== void 0;
@@ -1085,9 +1255,17 @@ var WebSocketServer = class extends WebSocketHandler_default {
     webSocketServer.on("error", (error) => {
       console.error(error);
     });
-    webSocketServer.on("connection", async (socket) => {
+    webSocketServer.on("connection", async (socket, request) => {
+      if (this.authenticate) {
+        const result = await this.authenticate(socket, request);
+        if (!result.isValid) {
+          socket.close(1008, result.message);
+          return;
+        }
+      }
       try {
         await super.registerSocket(socket);
+        socket.send("socket:auth:valid");
       } catch (error) {
         webSocketServer.emit("error", error);
       }
@@ -1108,8 +1286,242 @@ var WebSocketServer = class extends WebSocketHandler_default {
 };
 var WebSocketServer_default = WebSocketServer;
 
+// src/server/errors/InvalidInterceptorTokenError.ts
+var InvalidInterceptorTokenError = class extends Error {
+  static {
+    chunkWCQVDF3K_js.__name(this, "InvalidInterceptorTokenError");
+  }
+  constructor(tokenId) {
+    super(`Invalid interceptor token: ${tokenId}`);
+    this.name = "InvalidInterceptorTokenError";
+  }
+};
+var InvalidInterceptorTokenError_default = InvalidInterceptorTokenError;
+
+// src/server/errors/InvalidInterceptorTokenFileError.ts
+var InvalidInterceptorTokenFileError = class extends Error {
+  static {
+    chunkWCQVDF3K_js.__name(this, "InvalidInterceptorTokenFileError");
+  }
+  constructor(tokenFilePath, validationErrorMessage) {
+    super(`Invalid interceptor token file ${tokenFilePath}: ${validationErrorMessage}`);
+    this.name = "InvalidInterceptorTokenFileError";
+  }
+};
+var InvalidInterceptorTokenFileError_default = InvalidInterceptorTokenFileError;
+
+// src/server/errors/InvalidInterceptorTokenValueError.ts
+var InvalidInterceptorTokenValueError = class extends Error {
+  static {
+    chunkWCQVDF3K_js.__name(this, "InvalidInterceptorTokenValueError");
+  }
+  constructor(tokenValue) {
+    super(`Invalid interceptor token value: ${tokenValue}`);
+    this.name = "InvalidInterceptorTokenValueError";
+  }
+};
+var InvalidInterceptorTokenValueError_default = InvalidInterceptorTokenValueError;
+
+// src/server/utils/auth.ts
+var DEFAULT_INTERCEPTOR_TOKENS_DIRECTORY = path__default.default.join(
+  ".zimic",
+  "interceptor",
+  "server",
+  `tokens${""}`
+);
+var INTERCEPTOR_TOKEN_ID_HEX_LENGTH = 32;
+var INTERCEPTOR_TOKEN_SECRET_HEX_LENGTH = 64;
+var INTERCEPTOR_TOKEN_VALUE_HEX_LENGTH = INTERCEPTOR_TOKEN_ID_HEX_LENGTH + INTERCEPTOR_TOKEN_SECRET_HEX_LENGTH;
+var INTERCEPTOR_TOKEN_VALUE_BASE64URL_LENGTH = convertHexLengthToBase64urlLength(
+  INTERCEPTOR_TOKEN_VALUE_HEX_LENGTH
+);
+var INTERCEPTOR_TOKEN_SALT_HEX_LENGTH = 64;
+var INTERCEPTOR_TOKEN_HASH_ITERATIONS = Number("1000000");
+var INTERCEPTOR_TOKEN_HASH_HEX_LENGTH = 128;
+var INTERCEPTOR_TOKEN_HASH_ALGORITHM = "sha512";
+var pbkdf2 = util__default.default.promisify(crypto__default.default.pbkdf2);
+async function hashInterceptorToken(plainToken, salt) {
+  const hashBuffer = await pbkdf2(
+    plainToken,
+    salt,
+    INTERCEPTOR_TOKEN_HASH_ITERATIONS,
+    convertHexLengthToByteLength(INTERCEPTOR_TOKEN_HASH_HEX_LENGTH),
+    INTERCEPTOR_TOKEN_HASH_ALGORITHM
+  );
+  const hash = hashBuffer.toString("hex");
+  return hash;
+}
+chunkWCQVDF3K_js.__name(hashInterceptorToken, "hashInterceptorToken");
+function createInterceptorTokenId() {
+  return crypto__default.default.randomUUID().replace(/[^a-z0-9]/g, "");
+}
+chunkWCQVDF3K_js.__name(createInterceptorTokenId, "createInterceptorTokenId");
+function isValidInterceptorTokenId(tokenId) {
+  return tokenId.length === INTERCEPTOR_TOKEN_ID_HEX_LENGTH && HEX_REGEX.test(tokenId);
+}
+chunkWCQVDF3K_js.__name(isValidInterceptorTokenId, "isValidInterceptorTokenId");
+function isValidInterceptorTokenValue(tokenValue) {
+  return tokenValue.length === INTERCEPTOR_TOKEN_VALUE_BASE64URL_LENGTH && BASE64URL_REGEX.test(tokenValue);
+}
+chunkWCQVDF3K_js.__name(isValidInterceptorTokenValue, "isValidInterceptorTokenValue");
+async function createInterceptorTokensDirectory(tokensDirectory) {
+  try {
+    const parentTokensDirectory = path__default.default.dirname(tokensDirectory);
+    await fs__default.default.promises.mkdir(parentTokensDirectory, { recursive: true });
+    await fs__default.default.promises.mkdir(tokensDirectory, { mode: 448, recursive: true });
+    await fs__default.default.promises.appendFile(path__default.default.join(tokensDirectory, ".gitignore"), `*${os__default.default.EOL}`, { encoding: "utf-8" });
+  } catch (error) {
+    logger.error(
+      `${color3__default.default.red(color3__default.default.bold("\u2716"))} Failed to create the tokens directory: ${color3__default.default.magenta(tokensDirectory)}`
+    );
+    throw error;
+  }
+}
+chunkWCQVDF3K_js.__name(createInterceptorTokensDirectory, "createInterceptorTokensDirectory");
+var interceptorTokenFileContentSchema = zod.z.object({
+  version: zod.z.literal(1),
+  token: zod.z.object({
+    id: zod.z.string().length(INTERCEPTOR_TOKEN_ID_HEX_LENGTH).regex(HEX_REGEX),
+    name: zod.z.string().optional(),
+    secret: zod.z.object({
+      hash: zod.z.string().length(INTERCEPTOR_TOKEN_HASH_HEX_LENGTH).regex(HEX_REGEX),
+      salt: zod.z.string().length(INTERCEPTOR_TOKEN_SALT_HEX_LENGTH).regex(HEX_REGEX)
+    }),
+    createdAt: zod.z.string().datetime().transform((value) => new Date(value))
+  })
+});
+async function saveInterceptorTokenToFile(tokensDirectory, token) {
+  const tokeFilePath = path__default.default.join(tokensDirectory, token.id);
+  const persistedToken = {
+    id: token.id,
+    name: token.name,
+    secret: {
+      hash: token.secret.hash,
+      salt: token.secret.salt
+    },
+    createdAt: token.createdAt.toISOString()
+  };
+  const tokenFileContent = interceptorTokenFileContentSchema.parse({
+    version: 1,
+    token: persistedToken
+  });
+  await fs__default.default.promises.writeFile(tokeFilePath, JSON.stringify(tokenFileContent, null, 2), {
+    mode: 384,
+    encoding: "utf-8"
+  });
+  return tokeFilePath;
+}
+chunkWCQVDF3K_js.__name(saveInterceptorTokenToFile, "saveInterceptorTokenToFile");
+async function readInterceptorTokenFromFile(tokenId, options) {
+  if (!isValidInterceptorTokenId(tokenId)) {
+    throw new InvalidInterceptorTokenError_default(tokenId);
+  }
+  const tokenFilePath = path__default.default.join(options.tokensDirectory, tokenId);
+  const tokenFileExists = await pathExists(tokenFilePath);
+  if (!tokenFileExists) {
+    return null;
+  }
+  const tokenFileContentAsString = await fs__default.default.promises.readFile(tokenFilePath, { encoding: "utf-8" });
+  const validation = interceptorTokenFileContentSchema.safeParse(JSON.parse(tokenFileContentAsString));
+  if (!validation.success) {
+    throw new InvalidInterceptorTokenFileError_default(tokenFilePath, validation.error.message);
+  }
+  return validation.data.token;
+}
+chunkWCQVDF3K_js.__name(readInterceptorTokenFromFile, "readInterceptorTokenFromFile");
+async function createInterceptorToken(options) {
+  const { name, tokensDirectory } = options;
+  const tokensDirectoryExists = await pathExists(tokensDirectory);
+  if (!tokensDirectoryExists) {
+    await createInterceptorTokensDirectory(tokensDirectory);
+  }
+  const tokenId = createInterceptorTokenId();
+  if (!isValidInterceptorTokenId(tokenId)) {
+    throw new InvalidInterceptorTokenError_default(tokenId);
+  }
+  const tokenSecretSizeInBytes = convertHexLengthToByteLength(INTERCEPTOR_TOKEN_SECRET_HEX_LENGTH);
+  const tokenSecret = crypto__default.default.randomBytes(tokenSecretSizeInBytes).toString("hex");
+  const tokenSecretSaltSizeInBytes = convertHexLengthToByteLength(INTERCEPTOR_TOKEN_SALT_HEX_LENGTH);
+  const tokenSecretSalt = crypto__default.default.randomBytes(tokenSecretSaltSizeInBytes).toString("hex");
+  const tokenSecretHash = await hashInterceptorToken(tokenSecret, tokenSecretSalt);
+  const tokenValue = Buffer.from(`${tokenId}${tokenSecret}`, "hex").toString("base64url");
+  if (!isValidInterceptorTokenValue(tokenValue)) {
+    throw new InvalidInterceptorTokenValueError_default(tokenValue);
+  }
+  const token = {
+    id: tokenId,
+    name,
+    secret: {
+      hash: tokenSecretHash,
+      salt: tokenSecretSalt,
+      value: tokenSecret
+    },
+    value: tokenValue,
+    createdAt: /* @__PURE__ */ new Date()
+  };
+  await saveInterceptorTokenToFile(tokensDirectory, token);
+  return token;
+}
+chunkWCQVDF3K_js.__name(createInterceptorToken, "createInterceptorToken");
+async function listInterceptorTokens(options) {
+  const tokensDirectoryExists = await pathExists(options.tokensDirectory);
+  if (!tokensDirectoryExists) {
+    return [];
+  }
+  const files = await fs__default.default.promises.readdir(options.tokensDirectory);
+  const tokenReadPromises = files.map(async (file) => {
+    if (!isValidInterceptorTokenId(file)) {
+      return null;
+    }
+    const tokenId = file;
+    const token = await readInterceptorTokenFromFile(tokenId, options);
+    return token;
+  });
+  const tokenCandidates = await Promise.allSettled(tokenReadPromises);
+  const tokens = [];
+  for (const tokenCandidate of tokenCandidates) {
+    if (tokenCandidate.status === "rejected") {
+      console.error(tokenCandidate.reason);
+    } else if (tokenCandidate.value !== null) {
+      tokens.push(tokenCandidate.value);
+    }
+  }
+  tokens.sort((token, otherToken) => token.createdAt.getTime() - otherToken.createdAt.getTime());
+  return tokens;
+}
+chunkWCQVDF3K_js.__name(listInterceptorTokens, "listInterceptorTokens");
+async function validateInterceptorToken(tokenValue, options) {
+  if (!isValidInterceptorTokenValue(tokenValue)) {
+    throw new InvalidInterceptorTokenValueError_default(tokenValue);
+  }
+  const decodedTokenValue = Buffer.from(tokenValue, "base64url").toString("hex");
+  const tokenId = decodedTokenValue.slice(0, INTERCEPTOR_TOKEN_ID_HEX_LENGTH);
+  const tokenSecret = decodedTokenValue.slice(
+    INTERCEPTOR_TOKEN_ID_HEX_LENGTH,
+    INTERCEPTOR_TOKEN_ID_HEX_LENGTH + INTERCEPTOR_TOKEN_VALUE_HEX_LENGTH
+  );
+  const tokenFromFile = await readInterceptorTokenFromFile(tokenId, options);
+  if (!tokenFromFile) {
+    throw new InvalidInterceptorTokenValueError_default(tokenValue);
+  }
+  const tokenSecretHash = await hashInterceptorToken(tokenSecret, tokenFromFile.secret.salt);
+  if (tokenSecretHash !== tokenFromFile.secret.hash) {
+    throw new InvalidInterceptorTokenValueError_default(tokenValue);
+  }
+}
+chunkWCQVDF3K_js.__name(validateInterceptorToken, "validateInterceptorToken");
+async function removeInterceptorToken(tokenId, options) {
+  if (!isValidInterceptorTokenId(tokenId)) {
+    throw new InvalidInterceptorTokenError_default(tokenId);
+  }
+  const tokenFilePath = path__default.default.join(options.tokensDirectory, tokenId);
+  await fs__default.default.promises.rm(tokenFilePath, { force: true });
+}
+chunkWCQVDF3K_js.__name(removeInterceptorToken, "removeInterceptorToken");
+
 // src/server/utils/fetch.ts
 async function getFetchAPI() {
+  const File2 = await importFile();
   return {
     fetch,
     Request,
@@ -1124,7 +1536,7 @@ async function getFetchAPI() {
     TextDecoderStream,
     TextEncoderStream,
     Blob,
-    File: await importFile(),
+    File: File2,
     crypto: globalThis.crypto,
     btoa,
     TextEncoder,
@@ -1146,6 +1558,7 @@ var InterceptorServer = class {
   _hostname;
   _port;
   logUnhandledRequests;
+  tokensDirectory;
   httpHandlerGroups = {
     GET: [],
     POST: [],
@@ -1160,6 +1573,7 @@ var InterceptorServer = class {
     this._hostname = options.hostname ?? DEFAULT_HOSTNAME;
     this._port = options.port;
     this.logUnhandledRequests = options.logUnhandledRequests ?? DEFAULT_LOG_UNHANDLED_REQUESTS;
+    this.tokensDirectory = options.tokensDirectory;
   }
   get hostname() {
     return this._hostname;
@@ -1204,10 +1618,39 @@ var InterceptorServer = class {
     });
     await this.startHttpServer();
     this.webSocketServer = new WebSocketServer_default({
-      httpServer: this.httpServer
+      httpServer: this.httpServer,
+      authenticate: this.authenticateWebSocketConnection
     });
     this.startWebSocketServer();
   }
+  authenticateWebSocketConnection = /* @__PURE__ */ chunkWCQVDF3K_js.__name(async (_socket, request) => {
+    if (!this.tokensDirectory) {
+      return { isValid: true };
+    }
+    const tokenValue = this.getWebSocketRequestTokenValue(request);
+    if (!tokenValue) {
+      return { isValid: false, message: "An interceptor token is required, but none was provided." };
+    }
+    try {
+      await validateInterceptorToken(tokenValue, { tokensDirectory: this.tokensDirectory });
+      return { isValid: true };
+    } catch (error) {
+      console.error(error);
+      return { isValid: false, message: "The interceptor token is not valid." };
+    }
+  }, "authenticateWebSocketConnection");
+  getWebSocketRequestTokenValue(request) {
+    const protocols = request.headers["sec-websocket-protocol"] ?? "";
+    const parametersAsString = decodeURIComponent(protocols).split(", ");
+    for (const parameterAsString of parametersAsString) {
+      const tokenValueMatch = /^token=(?<tokenValue>.+?)$/.exec(parameterAsString);
+      const tokenValue = tokenValueMatch?.groups?.tokenValue;
+      if (tokenValue) {
+        return tokenValue;
+      }
+    }
+    return void 0;
+  }
   async startHttpServer() {
     await startHttpServer(this.httpServerOrThrow, {
       hostname: this.hostname,
@@ -1218,8 +1661,8 @@ var InterceptorServer = class {
   }
   startWebSocketServer() {
     this.webSocketServerOrThrow.start();
-    this.webSocketServerOrThrow.onEvent("interceptors/workers/use/commit", this.commitWorker);
-    this.webSocketServerOrThrow.onEvent("interceptors/workers/use/reset", this.resetWorker);
+    this.webSocketServerOrThrow.onEvent("interceptors/workers/commit", this.commitWorker);
+    this.webSocketServerOrThrow.onEvent("interceptors/workers/reset", this.resetWorker);
   }
   commitWorker = /* @__PURE__ */ chunkWCQVDF3K_js.__name((message, socket) => {
     const commit = message.data;
@@ -1283,8 +1726,8 @@ var InterceptorServer = class {
     this.httpServer = void 0;
   }
   async stopWebSocketServer() {
-    this.webSocketServerOrThrow.offEvent("interceptors/workers/use/commit", this.commitWorker);
-    this.webSocketServerOrThrow.offEvent("interceptors/workers/use/reset", this.resetWorker);
+    this.webSocketServerOrThrow.offEvent("interceptors/workers/commit", this.commitWorker);
+    this.webSocketServerOrThrow.offEvent("interceptors/workers/reset", this.resetWorker);
     await this.webSocketServerOrThrow.stop();
     this.webSocketServer = void 0;
   }
@@ -1396,6 +1839,10 @@ chunkWCQVDF3K_js.__name(createInterceptorServer, "createInterceptorServer");
  * This is expected not to happen since the servers are not stopped unless they are running. */
 /* istanbul ignore if -- @preserve
  * The address is expected to be an object because the server does not listen on a pipe or Unix domain socket.  */
+/* istanbul ignore else -- @preserve
+ * An unauthorized close event is the only one we expect to happen here. */
+/* istanbul ignore else -- @preserve
+ * We currently only support the 'socket:auth:valid' message and it is the only possible control message here. */
 /* istanbul ignore if -- @preserve
  * This is not expected since the server is not stopped unless it is running. */
 /* istanbul ignore next -- @preserve
@@ -1407,6 +1854,12 @@ chunkWCQVDF3K_js.__name(createInterceptorServer, "createInterceptorServer");
 /* istanbul ignore next -- @preserve
  * Reply listeners are always present when notified in normal conditions. If they were not present, the request
  * would reach a timeout and not be responded. The empty set serves as a fallback. */
+/* istanbul ignore if -- @preserve
+ * This should never happen, but let's check that the token identifier is valid after generated. */
+/* istanbul ignore if -- @preserve
+ * This should never happen, but let's check that the token value is valid after generated. */
+/* istanbul ignore if -- @preserve
+ * At this point, we should have a valid tokenId. This is just a sanity check. */
 /* istanbul ignore if -- @preserve
  * The HTTP server is initialized before using this method in normal conditions. */
 /* istanbul ignore if -- @preserve
@@ -1418,11 +1871,16 @@ chunkWCQVDF3K_js.__name(createInterceptorServer, "createInterceptorServer");
  * Since simulating this scenario is difficult, we are ignoring this branch fow now. */
 
 exports.DEFAULT_ACCESS_CONTROL_HEADERS = DEFAULT_ACCESS_CONTROL_HEADERS;
+exports.DEFAULT_INTERCEPTOR_TOKENS_DIRECTORY = DEFAULT_INTERCEPTOR_TOKENS_DIRECTORY;
 exports.DEFAULT_PREFLIGHT_STATUS_CODE = DEFAULT_PREFLIGHT_STATUS_CODE;
 exports.NotRunningInterceptorServerError_default = NotRunningInterceptorServerError_default;
 exports.RunningInterceptorServerError_default = RunningInterceptorServerError_default;
 exports.createCachedDynamicImport_default = createCachedDynamicImport_default;
 exports.createInterceptorServer = createInterceptorServer;
-exports.logWithPrefix = logWithPrefix;
-//# sourceMappingURL=chunk-TYHJPU5G.js.map
-//# sourceMappingURL=chunk-TYHJPU5G.js.map
+exports.createInterceptorToken = createInterceptorToken;
+exports.listInterceptorTokens = listInterceptorTokens;
+exports.logger = logger;
+exports.readInterceptorTokenFromFile = readInterceptorTokenFromFile;
+exports.removeInterceptorToken = removeInterceptorToken;
+//# sourceMappingURL=chunk-PURXNE6R.js.map
+//# sourceMappingURL=chunk-PURXNE6R.js.map