cpeak 2.5.0 → 2.7.0

package/dist/index.js

@@ -2,71 +2,120 @@
 import http from "http";
 import fs3 from "fs/promises";
 import { createReadStream } from "fs";
-import { pipeline } from "stream/promises";
+import { pipeline as pipeline2 } from "stream/promises";
 
-// lib/utils/serveStatic.ts
-import fs from "fs";
-import path from "path";
-var MIME_TYPES = {
-  html: "text/html",
-  css: "text/css",
-  js: "application/javascript",
-  jpg: "image/jpeg",
-  jpeg: "image/jpeg",
-  png: "image/png",
-  svg: "image/svg+xml",
-  txt: "text/plain",
-  eot: "application/vnd.ms-fontobject",
-  otf: "font/otf",
-  ttf: "font/ttf",
-  woff: "font/woff",
-  woff2: "font/woff2"
-};
-var serveStatic = (folderPath, newMimeTypes) => {
-  if (newMimeTypes) {
-    Object.assign(MIME_TYPES, newMimeTypes);
-  }
-  function processFolder(folderPath2, parentFolder) {
-    const staticFiles = [];
-    const files = fs.readdirSync(folderPath2);
-    for (const file of files) {
-      const fullPath = path.join(folderPath2, file);
-      if (fs.statSync(fullPath).isDirectory()) {
-        const subfolderFiles = processFolder(fullPath, parentFolder);
-        staticFiles.push(...subfolderFiles);
-      } else {
-        const relativePath = path.relative(parentFolder, fullPath);
-        const fileExtension = path.extname(file).slice(1);
-        if (MIME_TYPES[fileExtension]) staticFiles.push("/" + relativePath);
-      }
+// lib/utils/compression.ts
+import zlib from "zlib";
+import { Readable } from "stream";
+import { Buffer as Buffer2 } from "buffer";
+import { pipeline } from "stream/promises";
+var COMPRESSIBLE_TYPE = /text|json|javascript|css|xml|svg/i;
+var NO_TRANSFORM = /(?:^|,)\s*no-transform\s*(?:,|$)/i;
+function pickEncoding(header) {
+  if (!header) return null;
+  const accepted = {};
+  let wildcard;
+  for (const part of header.split(",")) {
+    const [rawName, ...params] = part.trim().split(";");
+    const name = rawName.trim().toLowerCase();
+    if (!name) continue;
+    let q = 1;
+    for (const p of params) {
+      const m = p.trim().match(/^q=([\d.]+)$/i);
+      if (m) q = Number(m[1]);
     }
-    return staticFiles;
+    if (Number.isNaN(q)) q = 0;
+    if (name === "*") wildcard = q;
+    else accepted[name] = q;
   }
-  const filesArrayToFilesMap = (filesArray) => {
-    const filesMap2 = {};
-    for (const file of filesArray) {
-      const fileExtension = path.extname(file).slice(1);
-      filesMap2[file] = {
-        path: folderPath + file,
-        mime: MIME_TYPES[fileExtension]
-      };
-    }
-    return filesMap2;
+  const tryPick = (enc) => {
+    const q = enc in accepted ? accepted[enc] : wildcard;
+    return q !== void 0 && q > 0;
   };
-  const filesMap = filesArrayToFilesMap(processFolder(folderPath, folderPath));
-  return function(req, res, next) {
-    const url = req.url;
-    if (typeof url !== "string") return next();
-    if (Object.prototype.hasOwnProperty.call(filesMap, url)) {
-      const fileRoute = filesMap[url];
-      return res.sendFile(fileRoute.path, fileRoute.mime);
+  if (tryPick("br")) return "br";
+  if (tryPick("gzip")) return "gzip";
+  if (tryPick("deflate")) return "deflate";
+  return null;
+}
+function appendVary(res, value) {
+  const existing = res.getHeader("Vary");
+  if (!existing) return res.setHeader("Vary", value);
+  const current = String(existing).split(",").map((s) => s.trim()).filter(Boolean);
+  if (current.includes("*") || current.some((v) => v.toLowerCase() === value.toLowerCase()))
+    return;
+  res.setHeader("Vary", [...current, value].join(", "));
+}
+function brotliOptsFor(config) {
+  const userBrotli = config.brotli || {};
+  return {
+    ...userBrotli,
+    params: {
+      [zlib.constants.BROTLI_PARAM_QUALITY]: 4,
+      ...userBrotli.params || {}
     }
-    next();
   };
-};
+}
+function createCompressorStream(encoding, config) {
+  if (encoding === "br")
+    return zlib.createBrotliCompress(brotliOptsFor(config));
+  if (encoding === "gzip") return zlib.createGzip(config.gzip);
+  return zlib.createDeflate(config.deflate);
+}
+function negotiate(res, mime, size, config) {
+  if (!COMPRESSIBLE_TYPE.test(mime)) return { encoding: null, eligible: false };
+  if (res.req?.method === "HEAD") return { encoding: null, eligible: false };
+  const cc = res.getHeader("Cache-Control");
+  if (cc && NO_TRANSFORM.test(String(cc)))
+    return { encoding: null, eligible: false };
+  const existing = res.getHeader("Content-Encoding");
+  if (existing && existing !== "identity")
+    return { encoding: null, eligible: false };
+  if (size < config.threshold) return { encoding: null, eligible: true };
+  const encoding = pickEncoding(
+    String(res.req?.headers["accept-encoding"] || "")
+  );
+  return { encoding, eligible: true };
+}
+function bodyAsReadable(body) {
+  if (Buffer2.isBuffer(body)) return Readable.from([body]);
+  if (typeof body === "string") return Readable.from([Buffer2.from(body)]);
+  return body;
+}
+function resolveCompressionOptions(input) {
+  const options = input === true ? {} : input;
+  return {
+    threshold: options.threshold ?? 1024,
+    brotli: options.brotli ?? {},
+    gzip: options.gzip ?? {},
+    deflate: options.deflate ?? {}
+  };
+}
+async function compressAndSend(res, mime, body, config, size) {
+  res.setHeader("Content-Type", mime);
+  const knownSize = Buffer2.isBuffer(body) ? body.length : typeof body === "string" ? Buffer2.byteLength(body) : size ?? Infinity;
+  const { encoding, eligible } = negotiate(res, mime, knownSize, config);
+  if (!encoding) {
+    if (eligible) appendVary(res, "Accept-Encoding");
+    if (Buffer2.isBuffer(body) || typeof body === "string") {
+      res.setHeader("Content-Length", String(knownSize));
+      res.end(body);
+      return;
+    }
+    if (size !== void 0) res.setHeader("Content-Length", String(size));
+    await pipeline(body, res);
+    return;
+  }
+  res.setHeader("Content-Encoding", encoding);
+  appendVary(res, "Accept-Encoding");
+  await pipeline(
+    bodyAsReadable(body),
+    createCompressorStream(encoding, config),
+    res
+  );
+}
 
-// lib/utils/paseJSON.ts
-import { Buffer } from "buffer";
+// lib/utils/parseJSON.ts
+import { Buffer as Buffer3 } from "buffer";
 function isJSON(contentType) {
   if (!contentType) return false;
   if (contentType === "application/json") return true;
@@ -99,7 +148,7 @@ var parseJSON = (options = {}) => {
     };
     const onEnd = () => {
       try {
-        const rawBody = chunks.length === 1 ? chunks[0].toString("utf-8") : Buffer.concat(chunks).toString("utf-8");
+        const rawBody = chunks.length === 1 ? chunks[0].toString("utf-8") : Buffer3.concat(chunks).toString("utf-8");
         req.body = rawBody ? JSON.parse(rawBody) : {};
         next();
       } catch (err) {
@@ -119,6 +168,73 @@ var parseJSON = (options = {}) => {
   };
 };
 
+// lib/utils/serveStatic.ts
+import fs from "fs";
+import path from "path";
+var MIME_TYPES = {
+  html: "text/html",
+  css: "text/css",
+  js: "application/javascript",
+  jpg: "image/jpeg",
+  jpeg: "image/jpeg",
+  png: "image/png",
+  svg: "image/svg+xml",
+  txt: "text/plain",
+  eot: "application/vnd.ms-fontobject",
+  otf: "font/otf",
+  ttf: "font/ttf",
+  woff: "font/woff",
+  woff2: "font/woff2",
+  gif: "image/gif",
+  ico: "image/x-icon",
+  json: "application/json",
+  webmanifest: "application/manifest+json"
+};
+var serveStatic = (folderPath, newMimeTypes, options) => {
+  if (newMimeTypes) {
+    Object.assign(MIME_TYPES, newMimeTypes);
+  }
+  const prefix = options?.prefix ?? "";
+  function processFolder(folderPath2, parentFolder) {
+    const staticFiles = [];
+    const files = fs.readdirSync(folderPath2);
+    for (const file of files) {
+      const fullPath = path.join(folderPath2, file);
+      if (fs.statSync(fullPath).isDirectory()) {
+        const subfolderFiles = processFolder(fullPath, parentFolder);
+        staticFiles.push(...subfolderFiles);
+      } else {
+        const relativePath = path.relative(parentFolder, fullPath);
+        const fileExtension = path.extname(file).slice(1);
+        if (MIME_TYPES[fileExtension]) staticFiles.push("/" + relativePath);
+      }
+    }
+    return staticFiles;
+  }
+  const filesArrayToFilesMap = (filesArray) => {
+    const filesMap2 = {};
+    for (const file of filesArray) {
+      const fileExtension = path.extname(file).slice(1);
+      filesMap2[prefix + file] = {
+        path: folderPath + file,
+        mime: MIME_TYPES[fileExtension]
+      };
+    }
+    return filesMap2;
+  };
+  const filesMap = filesArrayToFilesMap(processFolder(folderPath, folderPath));
+  return function(req, res, next) {
+    const url = req.url;
+    if (typeof url !== "string") return next();
+    const pathname = url.split("?")[0];
+    if (Object.prototype.hasOwnProperty.call(filesMap, pathname)) {
+      const fileRoute = filesMap[pathname];
+      return res.sendFile(fileRoute.path, fileRoute.mime);
+    }
+    next();
+  };
+};
+
 // lib/utils/render.ts
 import fs2 from "fs/promises";
 function renderTemplate(templateStr, data) {
@@ -154,6 +270,11 @@ var render = () => {
       }
       let fileStr = await fs2.readFile(path2, "utf-8");
       const finalStr = renderTemplate(fileStr, data);
+      const config = res.socket?.server?._cpeakCompression;
+      if (config) {
+        await compressAndSend(res, mime, finalStr, config);
+        return;
+      }
       res.setHeader("Content-Type", mime);
       res.end(finalStr);
     };
@@ -161,6 +282,326 @@ var render = () => {
   };
 };
 
+// lib/utils/swagger.ts
+var swagger = (spec, prefix = "/api-docs") => {
+  const initializerJs = `window.onload = function() {
+  SwaggerUIBundle({
+    url: "${prefix}/spec.json",
+    dom_id: '#swagger-ui',
+    presets: [SwaggerUIBundle.presets.apis, SwaggerUIStandalonePreset],
+    layout: "StandaloneLayout"
+  });
+};`;
+  return (req, res, next) => {
+    if (req.url === prefix || req.url === `${prefix}/`) {
+      res.writeHead(302, { Location: `${prefix}/index.html` });
+      res.end();
+      return;
+    }
+    if (req.url === `${prefix}/spec.json`) {
+      return res.json(spec);
+    }
+    if (req.url === `${prefix}/swagger-initializer.js`) {
+      res.setHeader("Content-Type", "application/javascript");
+      res.end(initializerJs);
+      return;
+    }
+    next();
+  };
+};
+
+// lib/utils/auth.ts
+import { randomBytes, pbkdf2, createHmac, timingSafeEqual } from "crypto";
+import { promisify } from "util";
+var pbkdf2Async = promisify(pbkdf2);
+var DEFAULTS = {
+  iterations: 21e4,
+  keylen: 64,
+  digest: "sha512",
+  saltSize: 32,
+  hmacAlgorithm: "sha256",
+  tokenIdSize: 20,
+  tokenExpiry: 7 * 24 * 60 * 60 * 1e3
+  // 7 days in ms
+};
+async function hashPassword(password, options) {
+  const iterations = options?.iterations ?? DEFAULTS.iterations;
+  const keylen = options?.keylen ?? DEFAULTS.keylen;
+  const digest = options?.digest ?? DEFAULTS.digest;
+  const saltSize = options?.saltSize ?? DEFAULTS.saltSize;
+  const salt = randomBytes(saltSize);
+  const hash = await pbkdf2Async(password, salt, iterations, keylen, digest);
+  return `pbkdf2:${iterations}:${keylen}:${digest}:${salt.toString("hex")}:${hash.toString("hex")}`;
+}
+async function verifyPassword(password, stored) {
+  const withoutPrefix = stored.slice(stored.indexOf(":") + 1);
+  const parts = withoutPrefix.split(":");
+  if (parts.length !== 5) return false;
+  const [itersStr, keylenStr, digest, saltHex, hashHex] = parts;
+  const iterations = parseInt(itersStr, 10);
+  const keylen = parseInt(keylenStr, 10);
+  if (!digest || !saltHex || !hashHex || isNaN(iterations) || isNaN(keylen))
+    return false;
+  const salt = Buffer.from(saltHex, "hex");
+  const hash = await pbkdf2Async(password, salt, iterations, keylen, digest);
+  const storedHash = Buffer.from(hashHex, "hex");
+  if (storedHash.length !== hash.length) return false;
+  return timingSafeEqual(hash, storedHash);
+}
+function signToken(tokenId, secret, algorithm) {
+  const sig = createHmac(algorithm, secret).update(tokenId).digest("hex");
+  return `${tokenId}.${sig}`;
+}
+function extractTokenId(token, secret, algorithm) {
+  const dot = token.indexOf(".");
+  if (dot === -1) return null;
+  const tokenId = token.slice(0, dot);
+  const sig = token.slice(dot + 1);
+  const expected = createHmac(algorithm, secret).update(tokenId).digest("hex");
+  const expectedBuf = Buffer.from(expected, "hex");
+  const actualBuf = Buffer.from(sig, "hex");
+  if (expectedBuf.length !== actualBuf.length) return null;
+  if (!timingSafeEqual(expectedBuf, actualBuf)) return null;
+  return tokenId;
+}
+function auth(options) {
+  if (!options.secret || options.secret.length < 32) {
+    throw frameworkError(
+      "Secret must be at least 32 characters. HMAC security is only as strong as the key.",
+      auth,
+      "CPEAK_ERR_WEAK_SECRET" /* WEAK_SECRET */
+    );
+  }
+  const {
+    secret,
+    saveToken,
+    findToken,
+    revokeToken,
+    tokenExpiry = DEFAULTS.tokenExpiry,
+    hmacAlgorithm = DEFAULTS.hmacAlgorithm,
+    tokenIdSize = DEFAULTS.tokenIdSize
+  } = options;
+  const pbkdfOpts = {
+    iterations: options.iterations,
+    keylen: options.keylen,
+    digest: options.digest,
+    saltSize: options.saltSize
+  };
+  const _hashPassword = ({ password }) => hashPassword(password, pbkdfOpts);
+  const login = async ({
+    password,
+    hashedPassword,
+    userId
+  }) => {
+    const isMatch = await verifyPassword(password, hashedPassword);
+    if (!isMatch) return null;
+    const tokenId = randomBytes(tokenIdSize).toString("hex");
+    const token = signToken(tokenId, secret, hmacAlgorithm);
+    await saveToken(tokenId, userId, new Date(Date.now() + tokenExpiry));
+    return token;
+  };
+  const verifyToken = async (token) => {
+    if (!token) return null;
+    const tokenId = extractTokenId(token, secret, hmacAlgorithm);
+    if (!tokenId) return null;
+    const record = await findToken(tokenId);
+    if (!record) return null;
+    if (new Date(record.expiresAt) < /* @__PURE__ */ new Date()) return null;
+    return { userId: record.userId };
+  };
+  const logout = revokeToken ? async (token) => {
+    const tokenId = extractTokenId(token, secret, hmacAlgorithm);
+    if (!tokenId) return false;
+    await revokeToken(tokenId);
+    return true;
+  } : void 0;
+  return (req, _res, next) => {
+    req.hashPassword = _hashPassword;
+    req.login = login;
+    req.verifyToken = verifyToken;
+    if (logout) req.logout = logout;
+    next();
+  };
+}
+
+// lib/utils/cookieParser.ts
+import { createHmac as createHmac2, timingSafeEqual as timingSafeEqual2 } from "crypto";
+function sign(value, secret) {
+  const sig = createHmac2("sha256", secret).update(value).digest("base64url");
+  return `s:${value}.${sig}`;
+}
+function unsign(signed, secret) {
+  if (!signed.startsWith("s:")) return false;
+  const withoutPrefix = signed.slice(2);
+  const lastDot = withoutPrefix.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const value = withoutPrefix.slice(0, lastDot);
+  const sig = withoutPrefix.slice(lastDot + 1);
+  const expected = createHmac2("sha256", secret).update(value).digest("base64url");
+  const expectedBuf = Buffer.from(expected);
+  const actualBuf = Buffer.from(sig);
+  if (expectedBuf.length !== actualBuf.length) return false;
+  if (!timingSafeEqual2(expectedBuf, actualBuf)) return false;
+  return value;
+}
+function parseRawCookies(header) {
+  const cookies = /* @__PURE__ */ Object.create(null);
+  if (!header) return cookies;
+  const pairs = header.split(";");
+  for (let i = 0; i < pairs.length; i++) {
+    const pair = pairs[i];
+    const equalSignIndex = pair.indexOf("=");
+    if (equalSignIndex === -1) continue;
+    const key = pair.slice(0, equalSignIndex).trim();
+    if (!key || cookies[key] !== void 0) continue;
+    let val = pair.slice(equalSignIndex + 1).trim();
+    if (val.length > 1 && val[0] === '"' && val[val.length - 1] === '"') {
+      val = val.slice(1, -1);
+    }
+    try {
+      cookies[key] = val.indexOf("%") !== -1 ? decodeURIComponent(val) : val;
+    } catch (e) {
+      cookies[key] = val;
+    }
+  }
+  return cookies;
+}
+function buildSetCookieHeader(name, value, options) {
+  const parts = [`${name}=${encodeURIComponent(value)}`];
+  const path2 = options.path ?? "/";
+  parts.push(`Path=${path2}`);
+  if (options.domain) parts.push(`Domain=${options.domain}`);
+  if (options.maxAge !== void 0)
+    parts.push(`Max-Age=${Math.floor(options.maxAge / 1e3)}`);
+  if (options.expires) parts.push(`Expires=${options.expires.toUTCString()}`);
+  if (options.httpOnly) parts.push("HttpOnly");
+  if (options.secure) parts.push("Secure");
+  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
+  return parts.join("; ");
+}
+function appendSetCookie(res, header) {
+  const existing = res.getHeader("Set-Cookie");
+  if (!existing) {
+    res.setHeader("Set-Cookie", [header]);
+  } else if (Array.isArray(existing)) {
+    res.setHeader("Set-Cookie", [...existing, header]);
+  } else {
+    res.setHeader("Set-Cookie", [String(existing), header]);
+  }
+}
+function cookieParser(options = {}) {
+  const { secret } = options;
+  if (secret !== void 0 && secret.length < 32) {
+    throw frameworkError(
+      "Secret must be at least 32 characters. HMAC security is only as strong as the key.",
+      cookieParser,
+      "CPEAK_ERR_WEAK_SECRET" /* WEAK_SECRET */
+    );
+  }
+  return (req, res, next) => {
+    const rawHeader = req.headers["cookie"] || "";
+    const raw = parseRawCookies(rawHeader);
+    const cookies = /* @__PURE__ */ Object.create(null);
+    const signedCookies = /* @__PURE__ */ Object.create(null);
+    for (const [key, val] of Object.entries(raw)) {
+      if (val.startsWith("s:") && secret) {
+        signedCookies[key] = unsign(val, secret);
+      } else {
+        cookies[key] = val;
+      }
+    }
+    req.cookies = cookies;
+    req.signedCookies = signedCookies;
+    res.cookie = (name, value, options2 = {}) => {
+      let finalValue = value;
+      if (options2.signed) {
+        if (!secret)
+          throw new Error(
+            "cookieParser: secret is required to use signed cookies"
+          );
+        finalValue = sign(value, secret);
+      }
+      appendSetCookie(res, buildSetCookieHeader(name, finalValue, options2));
+      return res;
+    };
+    res.clearCookie = (name, options2 = {}) => {
+      appendSetCookie(
+        res,
+        buildSetCookieHeader(name, "", {
+          ...options2,
+          maxAge: 0,
+          expires: /* @__PURE__ */ new Date(0)
+        })
+      );
+      return res;
+    };
+    next();
+  };
+}
+
+// lib/utils/cors.ts
+function appendVary2(res, value) {
+  const existing = res.getHeader("Vary");
+  if (!existing) return res.setHeader("Vary", value);
+  const current = String(existing).split(",").map((s) => s.trim()).filter(Boolean);
+  if (current.includes("*") || current.includes(value)) return;
+  res.setHeader("Vary", [...current, value].join(", "));
+}
+async function isAllowed(origin, rule) {
+  if (rule === true || rule === "*") return true;
+  if (rule === false || !origin) return false;
+  if (typeof rule === "string") return rule === origin;
+  if (Array.isArray(rule)) return rule.includes(origin);
+  if (rule instanceof RegExp) return rule.test(origin);
+  if (typeof rule === "function") return await rule(origin);
+  return false;
+}
+var cors = (options = {}) => {
+  const {
+    origin = "*",
+    methods = "GET,HEAD,PUT,PATCH,POST,DELETE",
+    allowedHeaders,
+    exposedHeaders,
+    credentials = false,
+    maxAge = 86400,
+    preflightContinue = false,
+    optionsSuccessStatus = 204
+  } = options;
+  const methodsStr = Array.isArray(methods) ? methods.join(",") : methods;
+  const allowedHeadersStr = Array.isArray(allowedHeaders) ? allowedHeaders.join(",") : allowedHeaders;
+  const exposedHeadersStr = Array.isArray(exposedHeaders) ? exposedHeaders.join(",") : exposedHeaders;
+  return async (req, res, next) => {
+    const requestOrigin = req.headers.origin;
+    if (!requestOrigin) return next();
+    const allowed = await isAllowed(requestOrigin, origin);
+    if (!allowed) return next();
+    const allowOriginValue = origin === "*" && !credentials ? "*" : requestOrigin;
+    res.setHeader("Access-Control-Allow-Origin", allowOriginValue);
+    if (allowOriginValue !== "*") appendVary2(res, "Origin");
+    if (credentials) res.setHeader("Access-Control-Allow-Credentials", "true");
+    if (exposedHeadersStr)
+      res.setHeader("Access-Control-Expose-Headers", exposedHeadersStr);
+    const isPreflight = req.method === "OPTIONS" && req.headers["access-control-request-method"] !== void 0;
+    if (!isPreflight) return next();
+    res.setHeader("Access-Control-Allow-Methods", methodsStr);
+    if (allowedHeadersStr) {
+      res.setHeader("Access-Control-Allow-Headers", allowedHeadersStr);
+    } else if (origin === "*") {
+      const requested = req.headers["access-control-request-headers"];
+      if (requested) res.setHeader("Access-Control-Allow-Headers", requested);
+    } else {
+      res.setHeader(
+        "Access-Control-Allow-Headers",
+        "Content-Type, Authorization"
+      );
+    }
+    res.setHeader("Access-Control-Max-Age", String(maxAge));
+    if (preflightContinue) return next();
+    res.statusCode = optionsSuccessStatus;
+    res.end();
+  };
+};
+
 // lib/index.ts
 function frameworkError(message, skipFn, code, status) {
   const err = new Error(message);
@@ -177,27 +618,32 @@ var ErrorCode = /* @__PURE__ */ ((ErrorCode2) => {
   ErrorCode2["SEND_FILE_FAIL"] = "CPEAK_ERR_SEND_FILE_FAIL";
   ErrorCode2["INVALID_JSON"] = "CPEAK_ERR_INVALID_JSON";
   ErrorCode2["PAYLOAD_TOO_LARGE"] = "CPEAK_ERR_PAYLOAD_TOO_LARGE";
+  ErrorCode2["WEAK_SECRET"] = "CPEAK_ERR_WEAK_SECRET";
+  ErrorCode2["COMPRESSION_NOT_ENABLED"] = "CPEAK_ERR_COMPRESSION_NOT_ENABLED";
   return ErrorCode2;
 })(ErrorCode || {});
+function compressionConfigFor(res) {
+  return res.socket?.server?._cpeakCompression;
+}
 var CpeakIncomingMessage = class extends http.IncomingMessage {
   // We define body and params here for better V8 optimization (not changing the shape of the object at runtime)
   body = void 0;
   params = {};
-  _query;
+  #query;
   // Parse the URL parameters (like /users?key1=value1&key2=value2)
   // We will call this query to be more familiar with other node.js frameworks.
   // This is a getter method (accessed like a property)
   get query() {
-    if (this._query) return this._query;
+    if (this.#query) return this.#query;
     const url = this.url || "";
     const qIndex = url.indexOf("?");
     if (qIndex === -1) {
-      this._query = {};
+      this.#query = {};
     } else {
       const searchParams = new URLSearchParams(url.substring(qIndex + 1));
-      this._query = Object.fromEntries(searchParams.entries());
+      this.#query = Object.fromEntries(searchParams.entries());
     }
-    return this._query;
+    return this.#query;
   }
 };
 var CpeakServerResponse = class extends http.ServerResponse {
@@ -219,9 +665,14 @@ var CpeakServerResponse = class extends http.ServerResponse {
           "CPEAK_ERR_NOT_A_FILE" /* NOT_A_FILE */
         );
       }
+      const config = compressionConfigFor(this);
+      if (config) {
+        await compressAndSend(this, mime, createReadStream(path2), config, stat.size);
+        return;
+      }
       this.setHeader("Content-Type", mime);
       this.setHeader("Content-Length", String(stat.size));
-      await pipeline(createReadStream(path2), this);
+      await pipeline2(createReadStream(path2), this);
     } catch (err) {
       if (err?.code === "ENOENT") {
         throw frameworkError(
@@ -242,142 +693,170 @@ var CpeakServerResponse = class extends http.ServerResponse {
     this.statusCode = code;
     return this;
   }
+  // Set the Content-Disposition header to prompt the user to download a file
+  attachment(filename) {
+    const contentDisposition = filename ? `attachment; filename="${filename}"` : "attachment";
+    this.setHeader("Content-Disposition", contentDisposition);
+    return this;
+  }
   // Redirects to a new URL
   redirect(location) {
     this.writeHead(302, { Location: location });
     this.end();
-    return this;
   }
-  // Send a json data back to the client (for small json data, less than the highWaterMark)
+  // Send a json data back to the client. Sync hot path when compression is
+  // off — no Promise allocation, no microtask. Branches into compressAndSend
+  // (async) when compression was enabled at cpeak() construction.
   json(data) {
+    const body = JSON.stringify(data);
+    const config = compressionConfigFor(this);
+    if (config) {
+      return compressAndSend(this, "application/json", body, config);
+    }
     this.setHeader("Content-Type", "application/json");
-    this.end(JSON.stringify(data));
+    this.end(body);
+  }
+  // Explicit compression entry point. Throws if compression wasn't configured —
+  // the developer asked to compress but the framework was never told to.
+  compress(mime, body, size) {
+    const config = compressionConfigFor(this);
+    if (!config) {
+      throw frameworkError(
+        "compression is not enabled. Pass `compression` to cpeak({ compression: true | { ... } }) to use res.compress.",
+        this.compress,
+        "CPEAK_ERR_COMPRESSION_NOT_ENABLED" /* COMPRESSION_NOT_ENABLED */
+      );
+    }
+    return compressAndSend(this, mime, body, config, size);
   }
 };
 var Cpeak = class {
-  server;
-  routes;
-  middleware;
-  _handleErr;
-  constructor() {
-    this.server = http.createServer({
+  #server;
+  #routes;
+  #middleware;
+  #handleErr;
+  constructor(options = {}) {
+    this.#server = http.createServer({
       IncomingMessage: CpeakIncomingMessage,
       ServerResponse: CpeakServerResponse
     });
-    this.routes = {};
-    this.middleware = [];
-    this.server.on("request", async (req, res) => {
-      const qIndex = req.url?.indexOf("?");
-      const urlWithoutQueries = qIndex === -1 ? req.url || "" : req.url?.substring(0, qIndex);
-      const runHandler = async (req2, res2, middleware, cb, index) => {
-        if (index === middleware.length) {
-          try {
-            await cb(req2, res2, (error) => {
-              res2.setHeader("Connection", "close");
-              this._handleErr?.(error, req2, res2);
-            });
-          } catch (error) {
-            res2.setHeader("Connection", "close");
-            this._handleErr?.(error, req2, res2);
+    this.#routes = {};
+    this.#middleware = [];
+    if (options.compression) {
+      this.#server._cpeakCompression = resolveCompressionOptions(
+        options.compression
+      );
+    }
+    this.#server.on(
+      "request",
+      async (req, res) => {
+        const qIndex = req.url?.indexOf("?");
+        const urlWithoutQueries = qIndex === -1 ? req.url || "" : req.url?.substring(0, qIndex);
+        const dispatchError = (error) => {
+          if (res.headersSent) {
+            req.socket?.destroy();
+            return;
           }
-        } else {
-          try {
-            await middleware[index](
-              req2,
-              res2,
-              // The next function
-              async (error) => {
-                if (error) {
-                  res2.setHeader("Connection", "close");
-                  return this._handleErr?.(error, req2, res2);
-                }
-                await runHandler(req2, res2, middleware, cb, index + 1);
-              },
-              // Error handler for a route middleware
-              (error) => {
-                res2.setHeader("Connection", "close");
-                this._handleErr?.(error, req2, res2);
-              }
-            );
-          } catch (error) {
-            res2.setHeader("Connection", "close");
-            this._handleErr?.(error, req2, res2);
+          res.setHeader("Connection", "close");
+          this.#handleErr?.(error, req, res);
+        };
+        const runHandler = async (req2, res2, middleware, cb, index) => {
+          if (index === middleware.length) {
+            try {
+              await cb(req2, res2, dispatchError);
+            } catch (error) {
+              dispatchError(error);
+            }
+          } else {
+            try {
+              await middleware[index](
+                req2,
+                res2,
+                // The next function
+                async (error) => {
+                  if (error) {
+                    return dispatchError(error);
+                  }
+                  await runHandler(req2, res2, middleware, cb, index + 1);
+                },
+                // Error handler for a route middleware
+                dispatchError
+              );
+            } catch (error) {
+              dispatchError(error);
+            }
           }
-        }
-      };
-      const runMiddleware = async (req2, res2, middleware, index) => {
-        if (index === middleware.length) {
-          const routes = this.routes[req2.method?.toLowerCase() || ""];
-          if (routes && typeof routes[Symbol.iterator] === "function")
-            for (const route of routes) {
-              const match = urlWithoutQueries?.match(route.regex);
-              if (match) {
-                const pathVariables = this.#extractPathVariables(
-                  route.path,
-                  match
-                );
-                req2.params = pathVariables;
-                return await runHandler(
-                  req2,
-                  res2,
-                  route.middleware,
-                  route.cb,
-                  0
-                );
+        };
+        const runMiddleware = async (req2, res2, middleware, index) => {
+          if (index === middleware.length) {
+            const routes = this.#routes[req2.method?.toLowerCase() || ""];
+            if (routes && typeof routes[Symbol.iterator] === "function")
+              for (const route of routes) {
+                const match = urlWithoutQueries?.match(route.regex);
+                if (match) {
+                  const pathVariables = this.#extractPathVariables(
+                    route.path,
+                    match
+                  );
+                  req2.params = pathVariables;
+                  return await runHandler(
+                    req2,
+                    res2,
+                    route.middleware,
+                    route.cb,
+                    0
+                  );
+                }
               }
+            return res2.status(404).json({ error: `Cannot ${req2.method} ${urlWithoutQueries}` });
+          } else {
+            try {
+              await middleware[index](req2, res2, async (err) => {
+                if (err) {
+                  return dispatchError(err);
+                }
+                await runMiddleware(req2, res2, middleware, index + 1);
+              });
+            } catch (error) {
+              dispatchError(error);
             }
-          return res2.status(404).json({ error: `Cannot ${req2.method} ${urlWithoutQueries}` });
-        } else {
-          try {
-            await middleware[index](req2, res2, async (err) => {
-              if (err) {
-                res2.setHeader("Connection", "close");
-                return this._handleErr?.(err, req2, res2);
-              }
-              await runMiddleware(req2, res2, middleware, index + 1);
-            });
-          } catch (error) {
-            res2.setHeader("Connection", "close");
-            this._handleErr?.(error, req2, res2);
           }
-        }
-      };
-      await runMiddleware(req, res, this.middleware, 0);
-    });
+        };
+        await runMiddleware(req, res, this.#middleware, 0);
+      }
+    );
   }
   route(method, path2, ...args) {
-    if (!this.routes[method]) this.routes[method] = [];
+    if (!this.#routes[method]) this.#routes[method] = [];
     const cb = args.pop();
     if (!cb || typeof cb !== "function") {
       throw new Error("Route definition must include a handler");
     }
     const middleware = args.flat();
     const regex = this.#pathToRegex(path2);
-    this.routes[method].push({ path: path2, regex, middleware, cb });
+    this.#routes[method].push({ path: path2, regex, middleware, cb });
   }
   beforeEach(cb) {
-    this.middleware.push(cb);
+    this.#middleware.push(cb);
   }
   handleErr(cb) {
-    this._handleErr = cb;
+    this.#handleErr = cb;
   }
   listen(port, cb) {
-    return this.server.listen(port, cb);
+    return this.#server.listen(port, cb);
+  }
+  address() {
+    return this.#server.address();
   }
   close(cb) {
-    this.server.close(cb);
+    this.#server.close(cb);
   }
   // ------------------------------
   // PRIVATE METHODS:
   // ------------------------------
   #pathToRegex(path2) {
-    const paramNames = [];
-    const regexString = "^" + path2.replace(/:\w+/g, (match, offset) => {
-      paramNames.push(match.slice(1));
-      return "([^/]+)";
-    }) + "$";
-    const regex = new RegExp(regexString);
-    return regex;
+    const regexString = "^" + path2.replace(/:\w+/g, "([^/]+)").replace(/\*/g, ".*") + "$";
+    return new RegExp(regexString);
   }
   #extractPathVariables(path2, match) {
     const paramNames = (path2.match(/:\w+/g) || []).map(
@@ -390,15 +869,24 @@ var Cpeak = class {
     return params;
   }
 };
-function cpeak() {
-  return new Cpeak();
+function cpeak(options) {
+  return new Cpeak(options);
 }
 export {
+  Cpeak,
+  CpeakIncomingMessage,
+  CpeakServerResponse,
   ErrorCode,
+  auth,
+  cookieParser,
+  cors,
   cpeak as default,
   frameworkError,
+  hashPassword,
   parseJSON,
   render,
-  serveStatic
+  serveStatic,
+  swagger,
+  verifyPassword
 };
 //# sourceMappingURL=index.js.map