hono-ip 1.0.1 → 2.0.1

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -1,119 +1,197 @@
 # hono-ip
 
-A tiny, fast middleware for [Hono](https://hono.dev) that figures out your client's real IP address - even when your app sits behind proxies, load balancers, or CDNs.
+Resolve the real client IP in [Hono](https://hono.dev) without getting spoofed.
 
-Works on **Node.js** and **Bun** out of the box. No regex. No dependencies.
+Works on Node, Bun, Deno, and Cloudflare Workers. Three dependencies, no regex parsing of security-sensitive headers, branded types end-to-end.
 
-## Why?
+## Why this exists
 
-Getting the "real" client IP in a web app is surprisingly annoying. Your server sees the proxy's address, not the user's. Different infrastructure stacks stuff the original IP into different headers - Cloudflare uses `CF-Connecting-IP`, AWS might use `X-Forwarded-For`, Fastly has its own thing, and so on.
+Most "get the client IP" libraries try a list of headers in a fixed order and return the first one that looks like an address. That's the bug. `X-Real-IP`, `X-Client-IP`, `True-Client-IP` - any client can send any of those, and most servers will believe them. The result is silent IP spoofing affecting rate limits, audit logs, fraud signals, and geofencing.
 
-This middleware checks all the common headers in a sensible order, validates every candidate with native `net.isIP` and hands you back a single, trustworthy string.
+`hono-ip` inverts the model. The operator declares the topology - "I'm behind Cloudflare," "I'm behind nginx with one trusted hop," "I'm direct" - and the middleware reads only what's been declared trustworthy. There is no fallback chain that can be tricked. There is no "try every header" mode.
 
-## Quick start
+## Install
 
 ```bash
 npm install hono-ip
 ```
 
+## A minimal example
+
 ```ts
 import { Hono } from "hono";
-import { ipMiddleware } from "hono-ip";
+import { ipMiddleware, cloudflare } from "hono-ip";
 
 const app = new Hono();
+app.use(ipMiddleware({ strategy: cloudflare() }));
 
-app.use(ipMiddleware());
+app.get("/", (c) => c.text(`Hello ${c.var.ip ?? "stranger"}`));
+```
 
-app.get("/", (c) => {
-  const ip = c.get("ip"); // string | null
-  return c.text(`Hello, ${ip ?? "stranger"}`);
-});
+`c.var.ip` is typed as `IpAddress | null`, where `IpAddress` is a branded string. You cannot pass a raw, unvalidated string where an `IpAddress` is expected - the validator is the only constructor.
+
+## Strategies
+
+A strategy tells the middleware exactly where to look and how to interpret what it finds. Pick one that matches your deployment.
+
+### Behind a known CDN
+
+Presets exist for the common ones. Each reads a single platform-specific header and trusts it directly, because the platform strips client-supplied copies before your code runs.
+
+```ts
+import { ipMiddleware, cloudflare, fly, vercel } from "hono-ip";
+
+app.use(ipMiddleware({ strategy: cloudflare() })); // CF-Connecting-IP
+app.use(ipMiddleware({ strategy: fly() }));        // Fly-Client-IP
+app.use(ipMiddleware({ strategy: vercel() }));     // X-Real-IP behind Vercel
 ```
 
-That's it. Every route after the middleware can read `c.get("ip")` or `c.var.ip`.
+For any other platform that sets a single trusted header, use `single-header` directly:
+
+```ts
+app.use(ipMiddleware({
+  strategy: { kind: "single-header", header: "x-azure-clientip" },
+}));
+```
 
-## Going deeper
+### Behind a reverse proxy you control
 
-### Trusted proxies
+Walks `X-Forwarded-For` right-to-left, skipping any address that matches your trusted CIDR ranges, and returns the first untrusted hop. That hop is, by definition, the closest address your proxy chain didn't add.
 
-By default, the middleware returns the **leftmost** IP from `X-Forwarded-For` - the classic approach. The problem is that a malicious client can prepend whatever they want to that header:
+```ts
+import { ipMiddleware, behindReverseProxy } from "hono-ip";
 
+app.use(ipMiddleware({
+  strategy: behindReverseProxy({
+    trustedProxies: ["loopback", "uniquelocal", "10.42.0.0/16"],
+  }),
+}));
 ```
-X-Forwarded-For: 6.6.6.6, <actual client>, <your proxy>
-                 ↑ attacker injected this
+
+`trustedProxies` accepts CIDR strings, named presets (`loopback`, `linklocal`, `uniquelocal`, `private`, `cloudflare`), or a custom predicate `(ip) => boolean` for fully dynamic trust (e.g. Kubernetes pod CIDRs resolved at startup). Validation happens at compile time - invalid CIDRs throw before the middleware ever runs.
+
+### RFC 7239 Forwarded header
+
+If your infrastructure emits the standardized `Forwarded` header instead of (or alongside) XFF:
+
+```ts
+app.use(ipMiddleware({
+  strategy: {
+    kind: "forwarded-rightmost-untrusted",
+    trustedProxies: ["loopback", "uniquelocal"],
+  },
+}));
 ```
 
-If you know your proxy IPs, pass them in. The middleware will then walk `X-Forwarded-For` **from the right**, skipping trusted addresses, and return the first IP it doesn't recognise - which is the real client:
+Parsing uses `forwarded-parse`, the only widely-vetted spec-compliant parser. Malformed headers - including [sabotage attempts](https://adam-p.ca/blog/2022/03/forwarded-header-sabotage/) using unclosed quotes - cause the entire header to be discarded rather than partially interpreted.
+
+### Direct connections
+
+When there's no proxy, fall back to the runtime's connection info. You import the helper for your runtime to keep the package free of cross-runtime imports.
 
 ```ts
-app.use(
-  ipMiddleware({
-    trustedProxies: new Set(["10.0.0.1", "10.0.0.2"]),
-  })
-);
+import { ipMiddleware, direct } from "hono-ip";
+import { getConnInfo } from "@hono/node-server/conninfo"; // or hono/bun, hono/deno
+
+app.use(ipMiddleware({ strategy: direct(getConnInfo) }));
 ```
 
-### Runtime-level connection info
+### Hybrid deployments
 
-Headers can be spoofed. The one thing that _can't_ be faked is the TCP connection's remote address, which Hono exposes through its `getConnInfo` helper. Pass it in to use it as a final fallback:
+Compose strategies with `first-of`. Each child carries its own trust configuration, so the composition stays safe.
 
 ```ts
-// Bun
+import { ipMiddleware } from "hono-ip";
 import { getConnInfo } from "hono/bun";
 
-// Node.js
-// import { getConnInfo } from "@hono/node-server/conninfo";
+app.use(ipMiddleware({
+  strategy: {
+    kind: "first-of",
+    strategies: [
+      { kind: "single-header", header: "cf-connecting-ip" },
+      { kind: "conn-info", getConnInfo },
+    ],
+  },
+}));
+```
+
+## Audit and observability
+
+Every resolution is recorded as a tagged outcome. The middleware writes both the IP and the full outcome to the context, so you can log exactly which strategy succeeded, which hop index was chosen, or which failure mode occurred.
 
-app.use(ipMiddleware({ getConnInfo }));
+```ts
+app.use(ipMiddleware({
+  strategy: behindReverseProxy({ trustedProxies: ["loopback"] }),
+  onFailure: (outcome) => {
+    // outcome.reason: "no-header" | "header-empty" | "all-hops-trusted"
+    //               | "header-too-large" | "too-many-entries" | ...
+    logger.warn({ outcome }, "ip resolution failed");
+  },
+}));
+
+app.get("/debug", (c) => {
+  const outcome = c.var.ipOutcome;
+  if (outcome.ok) {
+    return c.json({ ip: outcome.ip, source: outcome.source, hop: outcome.hopIndex });
+  }
+  return c.json({ failed: outcome.reason }, 400);
+});
 ```
 
-When no header yields a valid IP, the middleware will call `getConnInfo(c).remote.address` and use that instead. If `getConnInfo` throws (e.g. during tests where there's no real server), it's caught silently.
+For endpoints that genuinely cannot serve a request without a client IP - rate limiters, fraud scoring, geofencing - set `required: true` to short-circuit with `400` when resolution fails.
 
-### Using `getClientIp` directly
+```ts
+app.use("/api/*", ipMiddleware({
+  strategy: cloudflare(),
+  required: true,
+}));
+```
+
+## Custom variable names
 
-You don't have to use the middleware. The core function is exported on its own:
+The variable name flows through the type system. Whatever name you pass becomes a typed property on `c.var`.
 
 ```ts
-import { getClientIp } from "hono-ip";
+app.use(ipMiddleware({ strategy: cloudflare(), variable: "clientIp" }));
 
-app.get("/ip", (c) => {
-  const ip = getClientIp(c, {
-    trustedProxies: new Set(["10.0.0.1"]),
-  });
-  return c.json({ ip });
+app.get("/", (c) => {
+  c.var.clientIp; // IpAddress | null, fully typed
 });
 ```
 
-### Custom context variable name
+## Direct API
 
-If `"ip"` collides with something in your app:
+The middleware is a thin wrapper around composable primitives. Use them directly when you need finer control:
 
 ```ts
-app.use(ipMiddleware({ attributeName: "clientIp" }));
-
-// later
-c.get("clientIp");
+import {
+  parseIp,           // (raw: string) => IpAddress | null
+  extractIp,         // unwraps "[::1]:443", "1.2.3.4:80", brackets, zone IDs
+  isIpV4, isIpV6,    // type predicates narrowing IpAddress -> IpV4 / IpV6
+  parseXForwardedFor,
+  parseForwarded,    // RFC 7239, returns left-to-right chain
+  compileTrust,      // build a reusable CIDR matcher from preset names + CIDRs
+  compileStrategy,   // pre-build a resolver, run it against any Hono context
+} from "hono-ip";
 ```
 
-## Resolution order
-
-The middleware checks these sources top-to-bottom and returns the first valid IP it finds:
-
-| Priority | Source | Notes |
-|----------|--------|-------|
-| 1 | `X-Client-IP` | Set by some proxies and load balancers |
-| 2 | `X-Forwarded-For` | Leftmost valid IP, or rightmost untrusted if `trustedProxies` is set |
-| 3 | `CF-Connecting-IP` | Cloudflare |
-| 4 | `Fastly-Client-Ip` | Fastly |
-| 5 | `True-Client-Ip` | Akamai, Cloudflare enterprise |
-| 6 | `X-Real-IP` | Nginx default config |
-| 7 | `X-Cluster-Client-IP` | Rackspace, Riverbed |
-| 8 | `X-Forwarded` | Non-standard single-IP variant |
-| 9 | `Forwarded-For` | Non-standard single-IP variant |
-| 10 | `Forwarded` | RFC 7239 - parses `for="..."` value, handles bracketed IPv6 |
-| 11 | `X-Appengine-User-Ip` | Google App Engine |
-| 12 | `getConnInfo()` | Hono runtime adapter (Bun / Node / CF Workers / Deno / …) |
-| 13 | `Cf-Pseudo-IPv4` | Cloudflare pseudo IPv4 for IPv6 visitors |
+All parsers return discriminated unions. All validators return branded types or `null`. There are no thrown exceptions on the request path.
+
+## What's enforced for you
+
+IPv6 addresses are normalized; zone identifiers (`fe80::1%eth0`) are stripped before validation. IPv4-mapped IPv6 (`::ffff:1.2.3.4`) is collapsed to the v4 form so rate-limit keys are consistent. Only four-part-decimal IPv4 is accepted - odd forms like `0xc0.168.1.1` are rejected to prevent parser-mismatch vulnerabilities. Headers larger than 8 KiB or containing more than 50 entries are refused outright, neutralizing header-flood attacks. Trusted-proxy CIDR ranges are compiled once at middleware construction; the per-request hot path is a header read, a bounded split, and a linear scan with bitmask comparisons.
+
+## Strategy reference
+
+| Strategy | When to use | Reads | Trust model |
+|---|---|---|---|
+| `single-header` | Behind a CDN that sets and strips its own header | One specific header | Implicit - the platform is the perimeter |
+| `xff-rightmost-untrusted` | Behind your own reverse proxy chain | `X-Forwarded-For` | CIDR ranges you declare |
+| `forwarded-rightmost-untrusted` | Modern proxy emitting RFC 7239 | `Forwarded` | CIDR ranges you declare |
+| `xff-leftmost-insecure` | Migration only - flagged in audit logs | `X-Forwarded-For` | None (spoofable) |
+| `conn-info` | Direct connections, no proxy | TCP socket | Inherent (cannot be spoofed) |
+| `first-of` | Hybrid environments | Children in order | Each child carries its own |
 
 ## License
-Apache-2.0
+
+[Apache-2.0](LICENSE)

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export type { IpAddress, IpV4, IpV6, IpKind, Cidr, ResolutionOutcome, ResolutionSource, ResolutionFailure, } from "./types.js";
+export { parseIp, extractIp, isIpV4, isIpV6, ipKind, isCidr, } from "./validate.js";
+export { compileTrust, PRESETS, type TrustedProxiesInput, type PresetName, } from "./trust.js";
+export { parseXForwardedFor, parseForwarded } from "./parsers.js";
+export type { Strategy } from "./strategies.js";
+export { cloudflare, fly, vercel, behindReverseProxy, direct, } from "./presets.js";
+export { ipMiddleware, type IpMiddlewareOptions, type IpVariables, } from "./middleware.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,SAAS,EACT,IAAI,EACJ,IAAI,EACJ,MAAM,EACN,IAAI,EACJ,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,OAAO,EACP,SAAS,EACT,MAAM,EACN,MAAM,EACN,MAAM,EACN,MAAM,GACP,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,OAAO,EACP,KAAK,mBAAmB,EACxB,KAAK,UAAU,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAClE,YAAY,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EACL,UAAU,EACV,GAAG,EACH,MAAM,EACN,kBAAkB,EAClB,MAAM,GACP,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,YAAY,EACZ,KAAK,mBAAmB,EACxB,KAAK,WAAW,GACjB,MAAM,iBAAiB,CAAC"}

package/dist/index.js

@@ -1,4 +1,20 @@
-import{createMiddleware as c}from"hono/factory";import{isIP as g}from"node:net";function f(n){if(!n||typeof n!=="string")return!1;return g(n)!==0}function b(n){return g(n)===4}function R(n){return g(n)===6}function W(n){if(n.startsWith("[")){let t=n.indexOf("]");if(t===-1)return n;return n.slice(1,t)}return n}function V(n){let t=n.lastIndexOf(":");if(t===-1)return n;let r=n.slice(0,t);if(g(r)===4)return r;return n}function P(n){if(!n||typeof n!=="string")return null;let t=n.trim();if(!t)return null;if(t.startsWith("["))t=W(t);else t=V(t);return f(t)?t:null}function x(n,t){if(!n||typeof n!=="string")return null;let r=n.split(","),i=[];for(let u=0;u<r.length;u++){let e=P(r[u]);if(e)i.push(e)}if(i.length===0)return null;if(!t?.trustedProxies)return i[0];for(let u=i.length-1;u>=0;u--)if(!t.trustedProxies.has(i[u]))return i[u];return i[0]}var X=/for=(?:"([^"]+)"|([^;\s,]+))/i;function O(n){if(!n||typeof n!=="string")return null;let t=X.exec(n);if(!t)return null;return P(t[1]??t[2])}var h=["x-client-ip","cf-connecting-ip","fastly-client-ip","true-client-ip","x-real-ip","x-cluster-client-ip"],_=["x-appengine-user-ip","cf-pseudo-ipv4"];function o(n,t){let r=n.req.header(t);if(!r)return null;let i=r.trim();return f(i)?i:null}function j(n,t){let r=o(n,"x-client-ip");if(r)return r;let i=x(n.req.header("x-forwarded-for"),t);if(i)return i;for(let l of h){if(l==="x-client-ip")continue;let s=o(n,l);if(s)return s}let u=o(n,"x-forwarded");if(u)return u;let e=o(n,"forwarded-for");if(e)return e;let y=O(n.req.header("forwarded"));if(y)return y;for(let l of _){let s=o(n,l);if(s)return s}if(t?.getConnInfo)try{let s=t.getConnInfo(n)?.remote?.address;if(s&&f(s))return s}catch{}return console.log("No IP found"),null}function D(n={}){let t=n.attributeName??"ip";return c(async(r,i)=>{r.set(t,j(r,n)),await i()})}export{O as parseForwarded,R as isIpV6,b as isIpV4,f as isIp,D as ipMiddleware,x as getFirstFromXForwardedFor,j as getClientIp,P as extractIp};
+export {
+  vercel,
+  parseXForwardedFor,
+  parseIp,
+  parseForwarded,
+  isIpV6,
+  isIpV4,
+  isCidr,
+  ipMiddleware,
+  ipKind,
+  fly,
+  extractIp,
+  direct,
+  compileTrust,
+  cloudflare,
+  behindReverseProxy,
+  PRESETS
+};
 
-//# debugId=5B4660AD822724D264756E2164756E21
-//# sourceMappingURL=index.js.map
+//# debugId=211C0359C15CA00664756E2164756E21

package/dist/index.js.map

@@ -1,11 +1,9 @@
 {
   "version": 3,
-  "sources": ["..\\src\\index.ts", "..\\src\\ip.ts"],
+  "sources": [],
   "sourcesContent": [
-    "import { createMiddleware } from \"hono/factory\";\nimport type { Context } from \"hono\";\nimport {\n  isIp,\n  extractIp,\n  getFirstFromXForwardedFor,\n  parseForwarded,\n  type XffOptions,\n} from \"./ip\";\n\ndeclare module \"hono\" {\n  interface ContextVariableMap {\n    ip: string | null;\n  }\n}\n\n// ──────────────────────────────────────────────\n// Header priority (same order as request-ip):\n//   1. X-Client-IP\n//   2. X-Forwarded-For  (leftmost valid, or rightmost untrusted)\n//   3. CF-Connecting-IP\n//   4. Fastly-Client-Ip\n//   5. True-Client-Ip\n//   6. X-Real-IP\n//   7. X-Cluster-Client-IP\n//   8. X-Forwarded / Forwarded-For / Forwarded (RFC 7239)\n//   9. X-Appengine-User-Ip\n//  10. Hono getConnInfo  (Bun / Node / CF Workers / …)\n//  11. Cf-Pseudo-IPv4\n// ──────────────────────────────────────────────\n\nconst SIMPLE_HEADERS = [\n  \"x-client-ip\",\n  \"cf-connecting-ip\",\n  \"fastly-client-ip\",\n  \"true-client-ip\",\n  \"x-real-ip\",\n  \"x-cluster-client-ip\",\n] as const;\n\nconst FALLBACK_HEADERS = [\n  \"x-appengine-user-ip\",\n  \"cf-pseudo-ipv4\",\n] as const;\n\nfunction headerIp(c: Context, name: string): string | null {\n  const v = c.req.header(name);\n  if (!v) return null;\n  const ip = v.trim();\n  return isIp(ip) ? ip : null;\n}\n\nexport interface IpMiddlewareOptions extends XffOptions {\n  attributeName?: string;\n\n  getConnInfo?: (c: Context) => { remote: { address?: string } };\n}\n\nexport function getClientIp(c: Context, opts?: IpMiddlewareOptions): string | null {\n  const xClientIp = headerIp(c, \"x-client-ip\");\n  if (xClientIp) return xClientIp;\n\n  const xff = getFirstFromXForwardedFor(c.req.header(\"x-forwarded-for\"), opts);\n  if (xff) return xff;\n\n  for (const name of SIMPLE_HEADERS) {\n    if (name === \"x-client-ip\") continue;\n    const ip = headerIp(c, name);\n    if (ip) return ip;\n  }\n\n  const xForwarded = headerIp(c, \"x-forwarded\");\n  if (xForwarded) return xForwarded;\n\n  const forwardedFor = headerIp(c, \"forwarded-for\");\n  if (forwardedFor) return forwardedFor;\n\n  const forwarded = parseForwarded(c.req.header(\"forwarded\"));\n  if (forwarded) return forwarded;\n\n  for (const name of FALLBACK_HEADERS) {\n    const ip = headerIp(c, name);\n    if (ip) return ip;\n  }\n\n  if (opts?.getConnInfo) {\n    try {\n      const info = opts.getConnInfo(c);\n      const addr = info?.remote?.address;\n      if (addr && isIp(addr)) return addr;\n    } catch {}\n  }\n\n  console.log(\"No IP found\");\n  return null;\n}\n\nexport function ipMiddleware(opts: IpMiddlewareOptions = {}) {\n  const key = (opts.attributeName ?? \"ip\") as \"ip\";\n\n  return createMiddleware(async (c, next) => {\n    c.set(key, getClientIp(c, opts));\n    await next();\n  });\n}\n\nexport { isIp, isIpV4, isIpV6, extractIp, getFirstFromXForwardedFor, parseForwarded } from \"./ip\";",
-    "import { isIP as _netIsIP } from \"node:net\";\n\nexport function isIp(value: string | null | undefined): value is string {\n  if (!value || typeof value !== \"string\") return false;\n  return _netIsIP(value) !== 0;\n}\n\nexport function isIpV4(value: string): boolean {\n  return _netIsIP(value) === 4;\n}\n\nexport function isIpV6(value: string): boolean {\n  return _netIsIP(value) === 6;\n}\n\nfunction unwrapIPv6(raw: string): string {\n  if (raw.startsWith(\"[\")) {\n    const closeBracket = raw.indexOf(\"]\");\n    if (closeBracket === -1) return raw;\n    return raw.slice(1, closeBracket);\n  }\n  return raw;\n}\n\nfunction stripIPv4Port(raw: string): string {\n  const colon = raw.lastIndexOf(\":\");\n  if (colon === -1) return raw;\n  const maybeIp = raw.slice(0, colon);\n  if (_netIsIP(maybeIp) === 4) return maybeIp;\n  return raw;\n}\n\nexport function extractIp(raw: string | null | undefined): string | null {\n  if (!raw || typeof raw !== \"string\") return null;\n  let ip = raw.trim();\n  if (!ip) return null;\n\n  if (ip.startsWith(\"[\")) {\n    ip = unwrapIPv6(ip);\n  } else {\n    ip = stripIPv4Port(ip);\n  }\n\n  return isIp(ip) ? ip : null;\n}\n\nexport interface XffOptions {\n  trustedProxies?: ReadonlySet<string>;\n}\n\nexport function getFirstFromXForwardedFor(\n  value: string | null | undefined,\n  opts?: XffOptions,\n): string | null {\n  if (!value || typeof value !== \"string\") return null;\n\n  const parts = value.split(\",\");\n  const cleaned: string[] = [];\n  for (let i = 0; i < parts.length; i++) {\n    const ip = extractIp(parts[i]);\n    if (ip) cleaned.push(ip);\n  }\n\n  if (cleaned.length === 0) return null;\n\n  if (!opts?.trustedProxies) return cleaned[0]!;\n\n  for (let i = cleaned.length - 1; i >= 0; i--) {\n    if (!opts.trustedProxies.has(cleaned[i]!)) return cleaned[i]!;\n  }\n\n  return cleaned[0]!;\n}\n\nconst FORWARDED_FOR_RE = /for=(?:\"([^\"]+)\"|([^;\\s,]+))/i;\n\nexport function parseForwarded(value: string | null | undefined): string | null {\n  if (!value || typeof value !== \"string\") return null;\n  const m = FORWARDED_FOR_RE.exec(value);\n  if (!m) return null;\n  return extractIp(m[1] ?? m[2]);\n}"
   ],
-  "mappings": "AAAA,2BAAS,qBCAT,eAAS,iBAEF,SAAS,CAAI,CAAC,EAAmD,CACtE,GAAI,CAAC,GAAS,OAAO,IAAU,SAAU,MAAO,GAChD,OAAO,EAAS,CAAK,IAAM,EAGtB,SAAS,CAAM,CAAC,EAAwB,CAC7C,OAAO,EAAS,CAAK,IAAM,EAGtB,SAAS,CAAM,CAAC,EAAwB,CAC7C,OAAO,EAAS,CAAK,IAAM,EAG7B,SAAS,CAAU,CAAC,EAAqB,CACvC,GAAI,EAAI,WAAW,GAAG,EAAG,CACvB,IAAM,EAAe,EAAI,QAAQ,GAAG,EACpC,GAAI,IAAiB,GAAI,OAAO,EAChC,OAAO,EAAI,MAAM,EAAG,CAAY,EAElC,OAAO,EAGT,SAAS,CAAa,CAAC,EAAqB,CAC1C,IAAM,EAAQ,EAAI,YAAY,GAAG,EACjC,GAAI,IAAU,GAAI,OAAO,EACzB,IAAM,EAAU,EAAI,MAAM,EAAG,CAAK,EAClC,GAAI,EAAS,CAAO,IAAM,EAAG,OAAO,EACpC,OAAO,EAGF,SAAS,CAAS,CAAC,EAA+C,CACvE,GAAI,CAAC,GAAO,OAAO,IAAQ,SAAU,OAAO,KAC5C,IAAI,EAAK,EAAI,KAAK,EAClB,GAAI,CAAC,EAAI,OAAO,KAEhB,GAAI,EAAG,WAAW,GAAG,EACnB,EAAK,EAAW,CAAE,EAElB,OAAK,EAAc,CAAE,EAGvB,OAAO,EAAK,CAAE,EAAI,EAAK,KAOlB,SAAS,CAAyB,CACvC,EACA,EACe,CACf,GAAI,CAAC,GAAS,OAAO,IAAU,SAAU,OAAO,KAEhD,IAAM,EAAQ,EAAM,MAAM,GAAG,EACvB,EAAoB,CAAC,EAC3B,QAAS,EAAI,EAAG,EAAI,EAAM,OAAQ,IAAK,CACrC,IAAM,EAAK,EAAU,EAAM,EAAE,EAC7B,GAAI,EAAI,EAAQ,KAAK,CAAE,EAGzB,GAAI,EAAQ,SAAW,EAAG,OAAO,KAEjC,GAAI,CAAC,GAAM,eAAgB,OAAO,EAAQ,GAE1C,QAAS,EAAI,EAAQ,OAAS,EAAG,GAAK,EAAG,IACvC,GAAI,CAAC,EAAK,eAAe,IAAI,EAAQ,EAAG,EAAG,OAAO,EAAQ,GAG5D,OAAO,EAAQ,GAGjB,IAAM,EAAmB,gCAElB,SAAS,CAAc,CAAC,EAAiD,CAC9E,GAAI,CAAC,GAAS,OAAO,IAAU,SAAU,OAAO,KAChD,IAAM,EAAI,EAAiB,KAAK,CAAK,EACrC,GAAI,CAAC,EAAG,OAAO,KACf,OAAO,EAAU,EAAE,IAAM,EAAE,EAAE,EDjD/B,IAAM,EAAiB,CACrB,cACA,mBACA,mBACA,iBACA,YACA,qBACF,EAEM,EAAmB,CACvB,sBACA,gBACF,EAEA,SAAS,CAAQ,CAAC,EAAY,EAA6B,CACzD,IAAM,EAAI,EAAE,IAAI,OAAO,CAAI,EAC3B,GAAI,CAAC,EAAG,OAAO,KACf,IAAM,EAAK,EAAE,KAAK,EAClB,OAAO,EAAK,CAAE,EAAI,EAAK,KASlB,SAAS,CAAW,CAAC,EAAY,EAA2C,CACjF,IAAM,EAAY,EAAS,EAAG,aAAa,EAC3C,GAAI,EAAW,OAAO,EAEtB,IAAM,EAAM,EAA0B,EAAE,IAAI,OAAO,iBAAiB,EAAG,CAAI,EAC3E,GAAI,EAAK,OAAO,EAEhB,QAAW,KAAQ,EAAgB,CACjC,GAAI,IAAS,cAAe,SAC5B,IAAM,EAAK,EAAS,EAAG,CAAI,EAC3B,GAAI,EAAI,OAAO,EAGjB,IAAM,EAAa,EAAS,EAAG,aAAa,EAC5C,GAAI,EAAY,OAAO,EAEvB,IAAM,EAAe,EAAS,EAAG,eAAe,EAChD,GAAI,EAAc,OAAO,EAEzB,IAAM,EAAY,EAAe,EAAE,IAAI,OAAO,WAAW,CAAC,EAC1D,GAAI,EAAW,OAAO,EAEtB,QAAW,KAAQ,EAAkB,CACnC,IAAM,EAAK,EAAS,EAAG,CAAI,EAC3B,GAAI,EAAI,OAAO,EAGjB,GAAI,GAAM,YACR,GAAI,CAEF,IAAM,EADO,EAAK,YAAY,CAAC,GACZ,QAAQ,QAC3B,GAAI,GAAQ,EAAK,CAAI,EAAG,OAAO,EAC/B,KAAM,EAIV,OADA,QAAQ,IAAI,aAAa,EAClB,KAGF,SAAS,CAAY,CAAC,EAA4B,CAAC,EAAG,CAC3D,IAAM,EAAO,EAAK,eAAiB,KAEnC,OAAO,EAAiB,MAAO,EAAG,IAAS,CACzC,EAAE,IAAI,EAAK,EAAY,EAAG,CAAI,CAAC,EAC/B,MAAM,EAAK,EACZ",
-  "debugId": "5B4660AD822724D264756E2164756E21",
+  "mappings": "",
+  "debugId": "211C0359C15CA00664756E2164756E21",
   "names": []
 }

package/dist/middleware.d.ts

@@ -0,0 +1,20 @@
+import type { Env, MiddlewareHandler } from "hono";
+import { type Strategy } from "./strategies.js";
+import type { IpAddress, ResolutionOutcome } from "./types.js";
+export interface IpMiddlewareOptions<K extends string = "ip"> {
+    readonly strategy: Strategy;
+    readonly variable?: K;
+    readonly onFailure?: (outcome: Extract<ResolutionOutcome, {
+        ok: false;
+    }>) => void;
+    readonly required?: boolean;
+}
+export type IpVariables<K extends string = "ip"> = {
+    readonly [P in K]: IpAddress | null;
+} & {
+    readonly [P in `${K}Outcome`]: ResolutionOutcome;
+};
+export declare function ipMiddleware<K extends string = "ip">(opts: IpMiddlewareOptions<K>): MiddlewareHandler<{
+    Variables: IpVariables<K>;
+} & Env>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,GAAG,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AACnD,OAAO,EAAmB,KAAK,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AACjE,OAAO,KAAK,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE/D,MAAM,WAAW,mBAAmB,CAAC,CAAC,SAAS,MAAM,GAAG,IAAI;IAC1D,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACtB,QAAQ,CAAC,SAAS,CAAC,EAAE,CACnB,OAAO,EAAE,OAAO,CAAC,iBAAiB,EAAE;QAAE,EAAE,EAAE,KAAK,CAAA;KAAE,CAAC,KAC/C,IAAI,CAAC;IACV,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,MAAM,WAAW,CAAC,CAAC,SAAS,MAAM,GAAG,IAAI,IAAI;IACjD,QAAQ,EAAE,CAAC,IAAI,CAAC,GAAG,SAAS,GAAG,IAAI;CACpC,GAAG;IACF,QAAQ,EAAE,CAAC,IAAI,GAAG,CAAC,SAAS,GAAG,iBAAiB;CACjD,CAAC;AAEF,wBAAgB,YAAY,CAAC,CAAC,SAAS,MAAM,GAAG,IAAI,EAClD,IAAI,EAAE,mBAAmB,CAAC,CAAC,CAAC,GAC3B,iBAAiB,CAAC;IAAE,SAAS,EAAE,WAAW,CAAC,CAAC,CAAC,CAAA;CAAE,GAAG,GAAG,CAAC,CAoBxD"}

package/dist/parsers.d.ts

@@ -0,0 +1,11 @@
+import { type IpAddress, type NonEmptyReadonlyArray } from "./types.js";
+export type ChainParseResult = {
+    readonly ok: true;
+    readonly chain: NonEmptyReadonlyArray<IpAddress>;
+} | {
+    readonly ok: false;
+    readonly reason: "too-large" | "too-many" | "empty";
+};
+export declare function parseXForwardedFor(raw: string | undefined): ChainParseResult;
+export declare function parseForwarded(raw: string | undefined): ChainParseResult;
+//# sourceMappingURL=parsers.d.ts.map

package/dist/parsers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parsers.d.ts","sourceRoot":"","sources":["../src/parsers.ts"],"names":[],"mappings":"AAEA,OAAO,EAGL,KAAK,SAAS,EACd,KAAK,qBAAqB,EAC3B,MAAM,YAAY,CAAC;AAEpB,MAAM,MAAM,gBAAgB,GACxB;IACE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,KAAK,EAAE,qBAAqB,CAAC,SAAS,CAAC,CAAC;CAClD,GACD;IACE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,MAAM,EAAE,WAAW,GAAG,UAAU,GAAG,OAAO,CAAC;CACrD,CAAC;AAON,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,gBAAgB,CAiB5E;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,gBAAgB,CAyBxE"}

package/dist/presets.d.ts

@@ -0,0 +1,18 @@
+import type { Context } from "hono";
+import type { Strategy } from "./strategies.js";
+export declare const cloudflare: () => Strategy;
+export declare const fly: () => Strategy;
+export declare const vercel: () => Strategy;
+export declare const behindReverseProxy: (opts?: {
+    trustedProxies?: Strategy & {
+        kind: "xff-rightmost-untrusted";
+    } extends {
+        trustedProxies: infer T;
+    } ? T : never;
+}) => Strategy;
+export declare const direct: (getConnInfo: (c: Context) => {
+    remote?: {
+        address?: string;
+    };
+}) => Strategy;
+//# sourceMappingURL=presets.d.ts.map

package/dist/presets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"presets.d.ts","sourceRoot":"","sources":["../src/presets.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAEhD,eAAO,MAAM,UAAU,QAAO,QAG5B,CAAC;AAEH,eAAO,MAAM,GAAG,QAAO,QAGrB,CAAC;AAEH,eAAO,MAAM,MAAM,QAAO,QAGxB,CAAC;AAEH,eAAO,MAAM,kBAAkB,GAC7B,OAAM;IACJ,cAAc,CAAC,EAAE,QAAQ,GAAG;QAAE,IAAI,EAAE,yBAAyB,CAAA;KAAE,SAAS;QACtE,cAAc,EAAE,MAAM,CAAC,CAAC;KACzB,GACG,CAAC,GACD,KAAK,CAAC;CACN,KACL,QAGD,CAAC;AAEH,eAAO,MAAM,MAAM,GACjB,aAAa,CAAC,CAAC,EAAE,OAAO,KAAK;IAAE,MAAM,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,KAC7D,QAGD,CAAC"}

package/dist/strategies.d.ts

@@ -0,0 +1,29 @@
+import type { Context } from "hono";
+import { type TrustedProxiesInput } from "./trust.js";
+import type { ResolutionOutcome } from "./types.js";
+export type Strategy = {
+    readonly kind: "single-header";
+    readonly header: string;
+} | {
+    readonly kind: "xff-rightmost-untrusted";
+    readonly trustedProxies: TrustedProxiesInput;
+} | {
+    readonly kind: "xff-leftmost-insecure";
+} | {
+    readonly kind: "forwarded-rightmost-untrusted";
+    readonly trustedProxies: TrustedProxiesInput;
+} | {
+    readonly kind: "conn-info";
+    readonly getConnInfo: (c: Context) => {
+        remote?: {
+            address?: string;
+        };
+    };
+} | {
+    readonly kind: "first-of";
+    readonly strategies: readonly Strategy[];
+};
+type Resolver = (c: Context) => ResolutionOutcome;
+export declare function compileStrategy(strategy: Strategy): Resolver;
+export {};
+//# sourceMappingURL=strategies.d.ts.map

package/dist/strategies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"strategies.d.ts","sourceRoot":"","sources":["../src/strategies.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAGpC,OAAO,EAEL,KAAK,mBAAmB,EAEzB,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAa,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE/D,MAAM,MAAM,QAAQ,GAChB;IAAE,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3D;IACE,QAAQ,CAAC,IAAI,EAAE,yBAAyB,CAAC;IACzC,QAAQ,CAAC,cAAc,EAAE,mBAAmB,CAAC;CAC9C,GACD;IAAE,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAA;CAAE,GAC1C;IACE,QAAQ,CAAC,IAAI,EAAE,+BAA+B,CAAC;IAC/C,QAAQ,CAAC,cAAc,EAAE,mBAAmB,CAAC;CAC9C,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK;QAAE,MAAM,CAAC,EAAE;YAAE,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC;CACzE,GACD;IAAE,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,CAAC,UAAU,EAAE,SAAS,QAAQ,EAAE,CAAA;CAAE,CAAC;AAE5E,KAAK,QAAQ,GAAG,CAAC,CAAC,EAAE,OAAO,KAAK,iBAAiB,CAAC;AAElD,wBAAgB,eAAe,CAAC,QAAQ,EAAE,QAAQ,GAAG,QAAQ,CA6B5D"}

package/dist/trust.d.ts

@@ -0,0 +1,13 @@
+import type { IpAddress } from "./types.js";
+export declare const PRESETS: {
+    readonly loopback: readonly ["127.0.0.0/8", "::1/128"];
+    readonly linklocal: readonly ["169.254.0.0/16", "fe80::/10"];
+    readonly uniquelocal: readonly ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"];
+    readonly private: readonly ["127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10"];
+    readonly cloudflare: readonly ["173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22", "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32", "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32"];
+};
+export type PresetName = keyof typeof PRESETS;
+export type TrustedProxiesInput = ReadonlyArray<string | PresetName> | ((ip: IpAddress) => boolean) | "all" | "none";
+export type TrustFn = (ip: IpAddress) => boolean;
+export declare function compileTrust(input: TrustedProxiesInput): TrustFn;
+//# sourceMappingURL=trust.d.ts.map

package/dist/trust.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust.d.ts","sourceRoot":"","sources":["../src/trust.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAQ,MAAM,YAAY,CAAC;AAGlD,eAAO,MAAM,OAAO;;;;;;CAqCkC,CAAC;AAEvD,MAAM,MAAM,UAAU,GAAG,MAAM,OAAO,OAAO,CAAC;AAE9C,MAAM,MAAM,mBAAmB,GAC3B,aAAa,CAAC,MAAM,GAAG,UAAU,CAAC,GAClC,CAAC,CAAC,EAAE,EAAE,SAAS,KAAK,OAAO,CAAC,GAC5B,KAAK,GACL,MAAM,CAAC;AAIX,MAAM,MAAM,OAAO,GAAG,CAAC,EAAE,EAAE,SAAS,KAAK,OAAO,CAAC;AAEjD,wBAAgB,YAAY,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAoChE"}

package/dist/types.d.ts

@@ -0,0 +1,34 @@
+declare const IpAddressBrand: unique symbol;
+declare const IpV4Brand: unique symbol;
+declare const IpV6Brand: unique symbol;
+declare const CidrBrand: unique symbol;
+export type IpAddress = string & {
+    readonly [IpAddressBrand]: true;
+};
+export type IpV4 = IpAddress & {
+    readonly [IpV4Brand]: true;
+};
+export type IpV6 = IpAddress & {
+    readonly [IpV6Brand]: true;
+};
+export type Cidr = string & {
+    readonly [CidrBrand]: true;
+};
+export type IpKind = "ipv4" | "ipv6";
+export type NonEmptyReadonlyArray<T> = readonly [T, ...T[]];
+export type ResolutionOutcome = {
+    readonly ok: true;
+    readonly ip: IpAddress;
+    readonly source: ResolutionSource;
+    readonly hopIndex?: number;
+} | {
+    readonly ok: false;
+    readonly reason: ResolutionFailure;
+    readonly attempted: ResolutionSource;
+};
+export type ResolutionSource = "single-header" | "xff-rightmost-untrusted" | "xff-leftmost-explicit-insecure" | "forwarded-rightmost-untrusted" | "conn-info" | "none";
+export type ResolutionFailure = "no-header" | "header-empty" | "header-malformed" | "all-hops-trusted" | "no-untrusted-hop" | "conn-info-unavailable" | "header-too-large" | "too-many-entries";
+export declare const MAX_HEADER_BYTES: number;
+export declare const MAX_CHAIN_ENTRIES = 50;
+export {};
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,cAAc,EAAE,OAAO,MAAM,CAAC;AAC5C,OAAO,CAAC,MAAM,SAAS,EAAE,OAAO,MAAM,CAAC;AACvC,OAAO,CAAC,MAAM,SAAS,EAAE,OAAO,MAAM,CAAC;AACvC,OAAO,CAAC,MAAM,SAAS,EAAE,OAAO,MAAM,CAAC;AAEvC,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,cAAc,CAAC,EAAE,IAAI,CAAA;CAAE,CAAC;AACrE,MAAM,MAAM,IAAI,GAAG,SAAS,GAAG;IAAE,QAAQ,CAAC,CAAC,SAAS,CAAC,EAAE,IAAI,CAAA;CAAE,CAAC;AAC9D,MAAM,MAAM,IAAI,GAAG,SAAS,GAAG;IAAE,QAAQ,CAAC,CAAC,SAAS,CAAC,EAAE,IAAI,CAAA;CAAE,CAAC;AAC9D,MAAM,MAAM,IAAI,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,SAAS,CAAC,EAAE,IAAI,CAAA;CAAE,CAAC;AAE3D,MAAM,MAAM,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAErC,MAAM,MAAM,qBAAqB,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;AAE5D,MAAM,MAAM,iBAAiB,GACzB;IACE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,EAAE,EAAE,SAAS,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B,GACD;IACE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,MAAM,EAAE,iBAAiB,CAAC;IACnC,QAAQ,CAAC,SAAS,EAAE,gBAAgB,CAAC;CACtC,CAAC;AAEN,MAAM,MAAM,gBAAgB,GACxB,eAAe,GACf,yBAAyB,GACzB,gCAAgC,GAChC,+BAA+B,GAC/B,WAAW,GACX,MAAM,CAAC;AAEX,MAAM,MAAM,iBAAiB,GACzB,WAAW,GACX,cAAc,GACd,kBAAkB,GAClB,kBAAkB,GAClB,kBAAkB,GAClB,uBAAuB,GACvB,kBAAkB,GAClB,kBAAkB,CAAC;AAEvB,eAAO,MAAM,gBAAgB,QAAW,CAAC;AACzC,eAAO,MAAM,iBAAiB,KAAK,CAAC"}

package/dist/validate.d.ts

@@ -0,0 +1,8 @@
+import type { IpAddress, IpV4, IpV6, IpKind, Cidr } from "./types.js";
+export declare function parseIp(raw: string): IpAddress | null;
+export declare function isIpV4(ip: IpAddress): ip is IpV4;
+export declare function isIpV6(ip: IpAddress): ip is IpV6;
+export declare function ipKind(ip: IpAddress): IpKind;
+export declare function extractIp(raw: string): IpAddress | null;
+export declare function isCidr(value: string): value is Cidr;
+//# sourceMappingURL=validate.d.ts.map

package/dist/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../src/validate.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAEtE,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAmBrD;AAED,wBAAgB,MAAM,CAAC,EAAE,EAAE,SAAS,GAAG,EAAE,IAAI,IAAI,CAEhD;AAED,wBAAgB,MAAM,CAAC,EAAE,EAAE,SAAS,GAAG,EAAE,IAAI,IAAI,CAEhD;AAED,wBAAgB,MAAM,CAAC,EAAE,EAAE,SAAS,GAAG,MAAM,CAE5C;AAED,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAqBvD;AAED,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,KAAK,IAAI,IAAI,CAEnD"}

package/package.json

@@ -1,36 +1,68 @@
 {
   "name": "hono-ip",
-  "version": "1.0.1",
-  "description": "A tiny, fast middleware for Hono that figures out your client's real IP address - even when your app sits behind proxies, load balancers, or CDNs.",
+  "version": "2.0.1",
+  "description": "Tiny and fast middleware for Hono that figures out your client's real IP address",
   "keywords": [
     "hono",
     "ip",
-    "middleware"
+    "middleware",
+    "client-ip",
+    "x-forwarded-for",
+    "forwarded",
+    "rfc7239",
+    "cloudflare",
+    "proxy",
+    "cidr",
+    "trusted-proxies"
   ],
-  "module": "dist/index.js",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "exports": {
     ".": {
+      "types": "./dist/index.d.ts",
       "import": "./dist/index.js"
-    }
+    },
+    "./package.json": "./package.json"
   },
-  "type": "module",
   "sideEffects": false,
   "files": [
-    "dist"
+    "dist",
+    "README.md",
+    "LICENSE"
   ],
+  "engines": {
+    "node": ">=18"
+  },
   "scripts": {
-    "build": "bun run build.ts"
+    "build": "bun run build.ts",
+    "typecheck": "tsc --noEmit",
+    "lint": "biome check src",
+    "format": "biome format --write src",
+    "prepublishOnly": "bun run build"
   },
   "license": "Apache-2.0",
   "author": "orielhaim",
   "repository": {
     "type": "git",
-    "url": "https://github.com/orielhaim/hono-ip"
+    "url": "git+https://github.com/orielhaim/hono-ip.git"
   },
-  "devDependencies": {
-    "@types/bun": "^1.3.9"
+  "bugs": {
+    "url": "https://github.com/orielhaim/hono-ip/issues"
+  },
+  "homepage": "https://github.com/orielhaim/hono-ip#readme",
+  "peerDependencies": {
+    "hono": "^4.0.0"
   },
   "dependencies": {
-    "hono": "^4.12.3"
+    "forwarded-parse": "^2.1.2",
+    "ipaddr.js": "^2.4.0"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "2.4.15",
+    "@types/bun": "^1.3.14",
+    "hono": "^4.12.18",
+    "typescript": "^6.0.3"
   }
-}
+}