autotel-devtools 8.0.0 → 8.1.1

package/dist/server/exporter.d.cts

@@ -1,4 +1,4 @@
 import '@opentelemetry/sdk-trace-base';
 import '@opentelemetry/core';
-export { a as DevtoolsSpanExporter } from '../exporter-DjLkU621.cjs';
+export { a as DevtoolsSpanExporter } from '../exporter-De6p4iAD.cjs';
 import 'node:http';

package/dist/server/exporter.d.ts

@@ -1,4 +1,4 @@
 import '@opentelemetry/sdk-trace-base';
 import '@opentelemetry/core';
-export { a as DevtoolsSpanExporter } from '../exporter-DjLkU621.js';
+export { a as DevtoolsSpanExporter } from '../exporter-De6p4iAD.js';
 import 'node:http';

package/dist/server/index.cjs

@@ -363,6 +363,40 @@ function applyTelemetryLimits(data, limits) {
   };
 }
 
+// src/server/origin-guard.ts
+var LOOPBACK_IPV6 = /* @__PURE__ */ new Set(["::1", "0:0:0:0:0:0:0:1"]);
+function isLoopbackHostname(hostname) {
+  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
+  return h === "localhost" || /^127\./.test(h) || LOOPBACK_IPV6.has(h);
+}
+function hostnameFromHostHeader(host) {
+  const h = host.trim();
+  if (h.startsWith("[")) {
+    const end = h.indexOf("]");
+    return end > 0 ? h.slice(1, end) : h;
+  }
+  const colon = h.indexOf(":");
+  return colon === -1 ? h : h.slice(0, colon);
+}
+function hostHeaderIsLoopback(host) {
+  return isLoopbackHostname(hostnameFromHostHeader(host));
+}
+function originIsLoopback(origin) {
+  try {
+    return isLoopbackHostname(new URL(origin).hostname);
+  } catch {
+    return false;
+  }
+}
+function allowSensitiveRequest(headers, loopbackOnly) {
+  const { origin, host } = headers;
+  if (origin && origin.length > 0 && !originIsLoopback(origin)) return false;
+  if (loopbackOnly && host && host.length > 0 && !hostHeaderIsLoopback(host)) {
+    return false;
+  }
+  return true;
+}
+
 // src/server/server.ts
 var DevtoolsServer = class {
   wss;
@@ -382,7 +416,12 @@ var DevtoolsServer = class {
     this._port = options.port ?? 4318;
     this.onData = options.onData;
     this.httpServer = options.server ?? http.createServer();
-    this.wss = new ws.WebSocketServer({ server: this.httpServer, path: options.path ?? "/ws" });
+    const loopbackOnly = options.host == null || hostHeaderIsLoopback(options.host);
+    this.wss = new ws.WebSocketServer({
+      server: this.httpServer,
+      path: options.path ?? "/ws",
+      verifyClient: ({ origin, req }) => allowSensitiveRequest({ origin, host: req.headers.host }, loopbackOnly)
+    });
     this.wss.on("error", (err) => {
       if (this.httpServer.listening) throw err;
     });
@@ -416,6 +455,7 @@ var DevtoolsServer = class {
   }
   addTrace(trace) {
     const existing = this.traces.find((t) => t.traceId === trace.traceId);
+    const merged = existing ?? trace;
     if (existing) {
       const existingSpanIds = new Set(existing.spans.map((s) => s.spanId));
       for (const span of trace.spans) {
@@ -427,6 +467,14 @@ var DevtoolsServer = class {
       existing.endTime = Math.max(existing.endTime, trace.endTime);
       existing.duration = existing.endTime - existing.startTime;
       if (trace.status === "ERROR") existing.status = "ERROR";
+      const root = existing.spans.find((s) => !s.parentSpanId);
+      if (root) {
+        existing.rootSpan = root;
+        const rootService = root.attributes?.["service.name"];
+        if (typeof rootService === "string" && rootService.length > 0) {
+          existing.service = rootService;
+        }
+      }
     } else {
       this.traces = appendWithLimit(
         this.traces,
@@ -435,7 +483,7 @@ var DevtoolsServer = class {
       );
     }
     this.errorAggregator.addErrorsFromTrace(trace);
-    this.broadcast({ traces: [trace], metrics: [], logs: [], errors: this.errorAggregator.getErrorGroups() });
+    this.broadcast({ traces: [merged], metrics: [], logs: [], errors: this.errorAggregator.getErrorGroups() });
   }
   addTraces(traces) {
     for (const trace of traces) this.addTrace(trace);
@@ -1447,7 +1495,8 @@ function findPackageRoot() {
   }
   return dir;
 }
-var FULLPAGE_HTML = `<!DOCTYPE html><html><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>autotel-devtools</title><style>*{margin:0;padding:0;box-sizing:border-box}html,body{height:100%;width:100%;overflow:hidden}</style></head><body><script src="/widget.js?mode=fullpage"></script></body></html>`;
+var DEVTOOLS_FAVICON_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64"><rect width="64" height="64" rx="14" fill="#0f172a"/><text x="32" y="41" text-anchor="middle" font-size="32">\u{1F6F0}\uFE0F</text></svg>';
+var FULLPAGE_HTML = `<!DOCTYPE html><html><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>autotel-devtools</title><link rel="icon" href="/favicon.svg" type="image/svg+xml"><style>*{margin:0;padding:0;box-sizing:border-box}html,body{height:100%;width:100%;overflow:hidden}</style></head><body><script src="/widget.js?mode=fullpage"></script></body></html>`;
 var cachedVersion = null;
 function getVersion() {
   if (cachedVersion !== null) return cachedVersion;
@@ -1481,8 +1530,10 @@ function getWidgetJs() {
   }
   return cachedWidgetJs;
 }
-function attachDevtoolsRoutes(httpServer, devtools) {
+function attachDevtoolsRoutes(httpServer, devtools, options = {}) {
+  const loopbackOnly = options.loopbackOnly ?? true;
   httpServer.on("request", async (req, res) => {
+    if (req.headers.upgrade?.toLowerCase() === "websocket") return;
     res.setHeader("Access-Control-Allow-Origin", "*");
     res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
     res.setHeader("Access-Control-Allow-Headers", "Content-Type");
@@ -1505,6 +1556,15 @@ function attachDevtoolsRoutes(httpServer, devtools) {
       res.end(js);
       return;
     }
+    if (req.method === "GET" && (url === "/favicon.svg" || url === "/favicon.ico")) {
+      res.writeHead(200, {
+        "Content-Type": "image/svg+xml; charset=utf-8",
+        "Cache-Control": "public, max-age=86400",
+        "Content-Length": Buffer.byteLength(DEVTOOLS_FAVICON_SVG)
+      });
+      res.end(DEVTOOLS_FAVICON_SVG);
+      return;
+    }
     if (req.method === "GET" && url === "/healthz") {
       sendJson(res, 200, {
         ok: true,
@@ -1515,11 +1575,19 @@ function attachDevtoolsRoutes(httpServer, devtools) {
       return;
     }
     if (req.method === "GET" && url === "/v1/traces") {
+      if (!allowSensitiveRequest(req.headers, loopbackOnly)) {
+        sendJson(res, 403, { error: "Forbidden" });
+        return;
+      }
       const data = devtools.getCurrentData();
       sendJson(res, 200, { traces: data.traces, count: data.traces.length });
       return;
     }
     if (req.method === "DELETE" && url === "/v1/traces") {
+      if (!allowSensitiveRequest(req.headers, loopbackOnly)) {
+        sendJson(res, 403, { error: "Forbidden" });
+        return;
+      }
       devtools.clearData();
       sendJson(res, 200, { cleared: true });
       return;
@@ -1571,6 +1639,7 @@ exports.DevtoolsRemoteExporter = DevtoolsRemoteExporter;
 exports.DevtoolsServer = DevtoolsServer;
 exports.DevtoolsSpanExporter = DevtoolsSpanExporter;
 exports.ErrorAggregator = ErrorAggregator;
+exports.allowSensitiveRequest = allowSensitiveRequest;
 exports.appendManyWithLimit = appendManyWithLimit;
 exports.appendWithLimit = appendWithLimit;
 exports.applyTelemetryLimits = applyTelemetryLimits;
@@ -1579,7 +1648,10 @@ exports.createDevtoolsHttpServer = createDevtoolsHttpServer;
 exports.decodeOtlpLogsRequest = decodeOtlpLogsRequest;
 exports.decodeOtlpMetricsRequest = decodeOtlpMetricsRequest;
 exports.decodeOtlpTraceRequest = decodeOtlpTraceRequest;
+exports.hostHeaderIsLoopback = hostHeaderIsLoopback;
+exports.isLoopbackHostname = isLoopbackHostname;
 exports.isProtobufContentType = isProtobufContentType;
+exports.originIsLoopback = originIsLoopback;
 exports.parseOtlpLogs = parseOtlpLogs;
 exports.parseOtlpTraces = parseOtlpTraces;
 exports.probePortHolder = probePortHolder;