hono 4.12.19 → 4.12.21

package/dist/cjs/hono-base.js

@@ -139,7 +139,7 @@ class Hono {
         handler = async (c, next) => (await (0, import_compose.compose)([], app.errorHandler)(c, () => r.handler(c, next))).res;
         handler[import_constants.COMPOSED_HANDLER] = r.handler;
       }
-      subApp.#addRoute(r.method, r.path, handler);
+      subApp.#addRoute(r.method, r.path, handler, r.basePath);
     });
     return this;
   }
@@ -263,7 +263,7 @@ class Hono {
       const pathPrefixLength = mergedPath === "/" ? 0 : mergedPath.length;
       return (request) => {
         const url = new URL(request.url);
-        url.pathname = url.pathname.slice(pathPrefixLength) || "/";
+        url.pathname = this.getPath(request).slice(pathPrefixLength) || "/";
         return new Request(url, request);
       };
     })();
@@ -277,10 +277,15 @@ class Hono {
     this.#addRoute(import_router.METHOD_NAME_ALL, (0, import_url.mergePath)(path, "*"), handler);
     return this;
   }
-  #addRoute(method, path, handler) {
+  #addRoute(method, path, handler, baseRoutePath) {
     method = method.toUpperCase();
     path = (0, import_url.mergePath)(this._basePath, path);
-    const r = { basePath: this._basePath, path, method, handler };
+    const r = {
+      basePath: baseRoutePath !== void 0 ? (0, import_url.mergePath)(this._basePath, baseRoutePath) : this._basePath,
+      path,
+      method,
+      handler
+    };
     this.router.add(method, path, [handler, r]);
     this.routes.push(r);
   }

package/dist/cjs/middleware/ip-restriction/index.js

@@ -22,11 +22,45 @@ __export(ip_restriction_exports, {
 module.exports = __toCommonJS(ip_restriction_exports);
 var import_http_exception = require("../../http-exception");
 var import_ipaddr = require("../../utils/ipaddr");
-const IS_CIDR_NOTATION_REGEX = /\/[0-9]{0,3}$/;
+const IS_CIDR_NOTATION_REGEX = /\/[^/]*$/;
+const parseCidrPrefix = (rule, prefix, max) => {
+  if (!/^[0-9]{1,3}$/.test(prefix)) {
+    throw new TypeError(`Invalid rule: ${rule}`);
+  }
+  const parsedPrefix = parseInt(prefix);
+  if (parsedPrefix > max) {
+    throw new TypeError(`Invalid rule: ${rule}`);
+  }
+  return parsedPrefix;
+};
 const buildMatcher = (rules) => {
   const functionRules = [];
   const staticRules = /* @__PURE__ */ new Set();
+  const staticIPv4Rules = /* @__PURE__ */ new Set();
+  const staticIPv6Rules = /* @__PURE__ */ new Set();
   const cidrRules = [];
+  const registerStaticRule = (rule) => {
+    const type = (0, import_ipaddr.distinctRemoteAddr)(rule);
+    if (type === void 0) {
+      throw new TypeError(`Invalid rule: ${rule}`);
+    }
+    if (type === "IPv4") {
+      const ipv4binary = (0, import_ipaddr.convertIPv4ToBinary)(rule);
+      staticRules.add(rule);
+      staticRules.add(`::ffff:${rule}`);
+      staticIPv4Rules.add(ipv4binary);
+      staticIPv6Rules.add(0xffffn << 32n | ipv4binary);
+    } else {
+      const ipv6binary = (0, import_ipaddr.convertIPv6ToBinary)(rule);
+      const ipv6Addr = (0, import_ipaddr.convertIPv6BinaryToString)(ipv6binary);
+      staticRules.add(ipv6Addr);
+      staticIPv6Rules.add(ipv6binary);
+      if ((0, import_ipaddr.isIPv4MappedIPv6)(ipv6binary)) {
+        staticRules.add(ipv6Addr.substring(7));
+        staticIPv4Rules.add((0, import_ipaddr.convertIPv4MappedIPv6ToIPv4)(ipv6binary));
+      }
+    }
+  };
   for (let rule of rules) {
     if (rule === "*") {
       return () => true;
@@ -36,17 +70,17 @@ const buildMatcher = (rules) => {
       if (IS_CIDR_NOTATION_REGEX.test(rule)) {
         const separatedRule = rule.split("/");
         const addrStr = separatedRule[0];
-        const type2 = (0, import_ipaddr.distinctRemoteAddr)(addrStr);
-        if (type2 === void 0) {
+        const type = (0, import_ipaddr.distinctRemoteAddr)(addrStr);
+        if (type === void 0) {
           throw new TypeError(`Invalid rule: ${rule}`);
         }
-        let isIPv4 = type2 === "IPv4";
-        let prefix = parseInt(separatedRule[1]);
+        let isIPv4 = type === "IPv4";
+        let prefix = parseCidrPrefix(rule, separatedRule[1], isIPv4 ? 32 : 128);
         if (isIPv4 ? prefix === 32 : prefix === 128) {
           rule = addrStr;
         } else {
           let addr = (isIPv4 ? import_ipaddr.convertIPv4ToBinary : import_ipaddr.convertIPv6ToBinary)(addrStr);
-          if (type2 === "IPv6" && (0, import_ipaddr.isIPv4MappedIPv6)(addr) && prefix >= 96) {
+          if (type === "IPv6" && (0, import_ipaddr.isIPv4MappedIPv6)(addr) && prefix >= 96) {
             isIPv4 = true;
             addr = (0, import_ipaddr.convertIPv4MappedIPv6ToIPv4)(addr);
             prefix -= 96;
@@ -56,21 +90,7 @@ const buildMatcher = (rules) => {
           continue;
         }
       }
-      const type = (0, import_ipaddr.distinctRemoteAddr)(rule);
-      if (type === void 0) {
-        throw new TypeError(`Invalid rule: ${rule}`);
-      }
-      if (type === "IPv4") {
-        staticRules.add(rule);
-        staticRules.add(`::ffff:${rule}`);
-      } else {
-        const ipv6binary = (0, import_ipaddr.convertIPv6ToBinary)(rule);
-        const ipv6Addr = (0, import_ipaddr.convertIPv6BinaryToString)(ipv6binary);
-        staticRules.add(ipv6Addr);
-        if ((0, import_ipaddr.isIPv4MappedIPv6)(ipv6binary)) {
-          staticRules.add(ipv6Addr.substring(7));
-        }
-      }
+      registerStaticRule(rule);
     }
   }
   return (remote) => {
@@ -79,6 +99,9 @@ const buildMatcher = (rules) => {
     }
     const remoteAddr = remote.binaryAddr ||= (remote.isIPv4 ? import_ipaddr.convertIPv4ToBinary : import_ipaddr.convertIPv6ToBinary)(remote.addr);
     const remoteIPv4Addr = remote.isIPv4 || (0, import_ipaddr.isIPv4MappedIPv6)(remoteAddr) ? remote.isIPv4 ? remoteAddr : (0, import_ipaddr.convertIPv4MappedIPv6ToIPv4)(remoteAddr) : void 0;
+    if ((remote.isIPv4 ? staticIPv4Rules : staticIPv6Rules).has(remoteAddr)) {
+      return true;
+    }
     for (const [isIPv4, addr, mask] of cidrRules) {
       if (isIPv4) {
         if (remoteIPv4Addr === void 0) {
@@ -121,14 +144,21 @@ const ipRestriction = (getIP, { denyList = [], allowList = [] }, onError) => {
     }
     const type = typeof connInfo !== "string" && connInfo.remote.addressType || (0, import_ipaddr.distinctRemoteAddr)(addr);
     const remoteData = { addr, type, isIPv4: type === "IPv4" };
-    if (denyMatcher(remoteData)) {
-      if (onError) {
-        return onError({ addr, type }, c);
+    try {
+      if (denyMatcher(remoteData)) {
+        if (onError) {
+          return onError({ addr, type }, c);
+        }
+        throw blockError(c);
       }
-      throw blockError(c);
-    }
-    if (allowMatcher(remoteData)) {
-      return await next();
+      if (allowMatcher(remoteData)) {
+        return await next();
+      }
+    } catch (e) {
+      if (e instanceof TypeError && e.code === import_ipaddr.INVALID_IP_ADDRESS_ERROR_CODE) {
+        throw blockError(c);
+      }
+      throw e;
     }
     if (allowLength === 0) {
       return await next();

package/dist/cjs/middleware/jwk/jwk.js

@@ -38,7 +38,7 @@ const jwk = (options, init) => {
     let token;
     if (credentials) {
       const parts = credentials.split(/\s+/);
-      if (parts.length !== 2) {
+      if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
         const errDescription = "invalid credentials structure";
         throw new import_http_exception.HTTPException(401, {
           message: errDescription,

package/dist/cjs/middleware/jwt/jwt.js

@@ -45,7 +45,7 @@ const jwt = (options) => {
     let token;
     if (credentials) {
       const parts = credentials.split(/\s+/);
-      if (parts.length !== 2) {
+      if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
         const errDescription = "invalid credentials structure";
         throw new import_http_exception.HTTPException(401, {
           message: errDescription,

package/dist/cjs/utils/cookie.js

@@ -132,7 +132,7 @@ const _serialize = (name, value, opt = {}) => {
       throw new Error("__Host- Cookie must not have Domain attributes");
     }
   }
-  for (const key of ["domain", "path"]) {
+  for (const key of ["domain", "path", "sameSite", "priority"]) {
     if (opt[key] && /[;\r\n]/.test(opt[key])) {
       throw new Error(`${key} must not contain ";", "\\r", or "\\n"`);
     }

package/dist/cjs/utils/ipaddr.js

@@ -17,6 +17,7 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var ipaddr_exports = {};
 __export(ipaddr_exports, {
+  INVALID_IP_ADDRESS_ERROR_CODE: () => INVALID_IP_ADDRESS_ERROR_CODE,
   convertIPv4BinaryToString: () => convertIPv4BinaryToString,
   convertIPv4MappedIPv6ToIPv4: () => convertIPv4MappedIPv6ToIPv4,
   convertIPv4ToBinary: () => convertIPv4ToBinary,
@@ -50,6 +51,16 @@ const expandIPv6 = (ipV6) => {
 };
 const IPV4_OCTET_PART = "(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
 const IPV4_REGEX = new RegExp(`^(?:${IPV4_OCTET_PART}\\.){3}${IPV4_OCTET_PART}$`);
+const INVALID_IP_ADDRESS_ERROR_CODE = "ERR_INVALID_IP_ADDRESS";
+const CHAR_CODE_0 = 48;
+const CHAR_CODE_9 = 57;
+const CHAR_CODE_A = 65;
+const CHAR_CODE_F = 70;
+const CHAR_CODE_a = 97;
+const CHAR_CODE_f = 102;
+const CHAR_CODE_DOT = 46;
+const CHAR_CODE_COLON = 58;
+const CHAR_CODE_PERCENT = 37;
 const distinctRemoteAddr = (remoteAddr) => {
   if (IPV4_REGEX.test(remoteAddr)) {
     return "IPv4";
@@ -58,21 +69,187 @@ const distinctRemoteAddr = (remoteAddr) => {
     return "IPv6";
   }
 };
-const convertIPv4ToBinary = (ipv4) => {
-  const parts = ipv4.split(".");
+const createInvalidIPAddressError = (message) => {
+  const error = new TypeError(message);
+  error.code = INVALID_IP_ADDRESS_ERROR_CODE;
+  return error;
+};
+const throwInvalidIPv4Address = (ipv4) => {
+  throw createInvalidIPAddressError(`Invalid IPv4 address: ${ipv4}`);
+};
+const throwInvalidIPv6Address = (ipv6) => {
+  throw createInvalidIPAddressError(`Invalid IPv6 address: ${ipv6}`);
+};
+const parseIPv4ToBinary = (ipv4, start, end, onInvalid) => {
   let result = 0n;
-  for (let i = 0; i < 4; i++) {
-    result <<= 8n;
-    result += BigInt(parts[i]);
+  let octets = 0;
+  let octet = 0;
+  let digits = 0;
+  let firstDigit = 0;
+  for (let i = start; i <= end; i++) {
+    const code = i < end ? ipv4.charCodeAt(i) : CHAR_CODE_DOT;
+    if (code >= CHAR_CODE_0 && code <= CHAR_CODE_9) {
+      if (digits === 0) {
+        firstDigit = code;
+      } else if (firstDigit === CHAR_CODE_0) {
+        onInvalid();
+      }
+      octet = octet * 10 + code - CHAR_CODE_0;
+      if (octet > 255) {
+        onInvalid();
+      }
+      digits++;
+      continue;
+    }
+    if (code !== CHAR_CODE_DOT || digits === 0 || octets === 4) {
+      onInvalid();
+    }
+    result = (result << 8n) + BigInt(octet);
+    octets++;
+    octet = 0;
+    digits = 0;
+  }
+  if (octets !== 4) {
+    onInvalid();
   }
   return result;
 };
+const parseIPv6HexCode = (code) => {
+  if (code >= CHAR_CODE_0 && code <= CHAR_CODE_9) {
+    return code - CHAR_CODE_0;
+  }
+  if (code >= CHAR_CODE_A && code <= CHAR_CODE_F) {
+    return code - CHAR_CODE_A + 10;
+  }
+  if (code >= CHAR_CODE_a && code <= CHAR_CODE_f) {
+    return code - CHAR_CODE_a + 10;
+  }
+  return -1;
+};
+const isIPv6LinkLocal = (ipv6binary) => ipv6binary >> 118n === 0x3fan;
+const convertIPv4ToBinary = (ipv4) => {
+  return parseIPv4ToBinary(ipv4, 0, ipv4.length, () => throwInvalidIPv4Address(ipv4));
+};
 const convertIPv6ToBinary = (ipv6) => {
-  const sections = expandIPv6(ipv6).split(":");
+  const length = ipv6.length;
+  const sections = [];
+  let hasZoneId = false;
+  let compressAt = -1;
+  let index = 0;
+  if (length === 0) {
+    throwInvalidIPv6Address(ipv6);
+  }
+  while (index < length) {
+    if (sections.length > 8) {
+      throwInvalidIPv6Address(ipv6);
+    }
+    let code = ipv6.charCodeAt(index);
+    if (code === CHAR_CODE_PERCENT) {
+      if (index + 1 === length) {
+        throwInvalidIPv6Address(ipv6);
+      }
+      hasZoneId = true;
+      break;
+    }
+    if (code === CHAR_CODE_COLON) {
+      if (index + 1 < length && ipv6.charCodeAt(index + 1) === CHAR_CODE_COLON) {
+        if (compressAt !== -1) {
+          throwInvalidIPv6Address(ipv6);
+        }
+        compressAt = sections.length;
+        index += 2;
+        continue;
+      }
+      throwInvalidIPv6Address(ipv6);
+    }
+    let value = 0;
+    let digits = 0;
+    const sectionStart = index;
+    while (index < length) {
+      code = ipv6.charCodeAt(index);
+      const hex = parseIPv6HexCode(code);
+      if (hex === -1) {
+        break;
+      }
+      if (digits === 4) {
+        throwInvalidIPv6Address(ipv6);
+      }
+      value = value << 4 | hex;
+      digits++;
+      index++;
+    }
+    if (index < length && ipv6.charCodeAt(index) === CHAR_CODE_DOT) {
+      let ipv4End = length;
+      for (let i = index; i < length; i++) {
+        if (ipv6.charCodeAt(i) === CHAR_CODE_PERCENT) {
+          if (i + 1 === length) {
+            throwInvalidIPv6Address(ipv6);
+          }
+          hasZoneId = true;
+          ipv4End = i;
+          break;
+        }
+      }
+      const ipv4 = parseIPv4ToBinary(
+        ipv6,
+        sectionStart,
+        ipv4End,
+        () => throwInvalidIPv6Address(ipv6)
+      );
+      sections.push(Number(ipv4 >> 16n & 0xffffn), Number(ipv4 & 0xffffn));
+      index = length;
+      break;
+    }
+    if (digits === 0) {
+      throwInvalidIPv6Address(ipv6);
+    }
+    sections.push(value);
+    if (index === length) {
+      break;
+    }
+    code = ipv6.charCodeAt(index);
+    if (code === CHAR_CODE_PERCENT) {
+      if (index + 1 === length) {
+        throwInvalidIPv6Address(ipv6);
+      }
+      hasZoneId = true;
+      break;
+    }
+    if (code !== CHAR_CODE_COLON) {
+      throwInvalidIPv6Address(ipv6);
+    }
+    if (index + 1 < length && ipv6.charCodeAt(index + 1) === CHAR_CODE_COLON) {
+      if (compressAt !== -1) {
+        throwInvalidIPv6Address(ipv6);
+      }
+      compressAt = sections.length;
+      index += 2;
+      continue;
+    }
+    index++;
+    if (index === length) {
+      throwInvalidIPv6Address(ipv6);
+    }
+  }
+  if (compressAt === -1 ? sections.length !== 8 : sections.length >= 8) {
+    throwInvalidIPv6Address(ipv6);
+  }
   let result = 0n;
-  for (let i = 0; i < 8; i++) {
+  const zeros = compressAt === -1 ? 0 : 8 - sections.length;
+  const firstSectionEnd = compressAt === -1 ? sections.length : compressAt;
+  for (let i = 0; i < firstSectionEnd; i++) {
     result <<= 16n;
-    result += BigInt(parseInt(sections[i], 16));
+    result += BigInt(sections[i]);
+  }
+  for (let i = 0; i < zeros; i++) {
+    result <<= 16n;
+  }
+  for (let i = firstSectionEnd; i < sections.length; i++) {
+    result <<= 16n;
+    result += BigInt(sections[i]);
+  }
+  if (hasZoneId && !isIPv6LinkLocal(result)) {
+    throwInvalidIPv6Address(ipv6);
   }
   return result;
 };
@@ -124,6 +301,7 @@ const convertIPv6BinaryToString = (ipV6) => {
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  INVALID_IP_ADDRESS_ERROR_CODE,
   convertIPv4BinaryToString,
   convertIPv4MappedIPv6ToIPv4,
   convertIPv4ToBinary,

package/dist/hono-base.js

@@ -118,7 +118,7 @@ var Hono = class _Hono {
         handler = async (c, next) => (await compose([], app.errorHandler)(c, () => r.handler(c, next))).res;
         handler[COMPOSED_HANDLER] = r.handler;
       }
-      subApp.#addRoute(r.method, r.path, handler);
+      subApp.#addRoute(r.method, r.path, handler, r.basePath);
     });
     return this;
   }
@@ -242,7 +242,7 @@ var Hono = class _Hono {
       const pathPrefixLength = mergedPath === "/" ? 0 : mergedPath.length;
       return (request) => {
         const url = new URL(request.url);
-        url.pathname = url.pathname.slice(pathPrefixLength) || "/";
+        url.pathname = this.getPath(request).slice(pathPrefixLength) || "/";
         return new Request(url, request);
       };
     })();
@@ -256,10 +256,15 @@ var Hono = class _Hono {
     this.#addRoute(METHOD_NAME_ALL, mergePath(path, "*"), handler);
     return this;
   }
-  #addRoute(method, path, handler) {
+  #addRoute(method, path, handler, baseRoutePath) {
     method = method.toUpperCase();
     path = mergePath(this._basePath, path);
-    const r = { basePath: this._basePath, path, method, handler };
+    const r = {
+      basePath: baseRoutePath !== void 0 ? mergePath(this._basePath, baseRoutePath) : this._basePath,
+      path,
+      method,
+      handler
+    };
     this.router.add(method, path, [handler, r]);
     this.routes.push(r);
   }

package/dist/middleware/ip-restriction/index.js

@@ -6,13 +6,48 @@ import {
   convertIPv6BinaryToString,
   convertIPv6ToBinary,
   distinctRemoteAddr,
-  isIPv4MappedIPv6
+  isIPv4MappedIPv6,
+  INVALID_IP_ADDRESS_ERROR_CODE
 } from "../../utils/ipaddr.js";
-var IS_CIDR_NOTATION_REGEX = /\/[0-9]{0,3}$/;
+var IS_CIDR_NOTATION_REGEX = /\/[^/]*$/;
+var parseCidrPrefix = (rule, prefix, max) => {
+  if (!/^[0-9]{1,3}$/.test(prefix)) {
+    throw new TypeError(`Invalid rule: ${rule}`);
+  }
+  const parsedPrefix = parseInt(prefix);
+  if (parsedPrefix > max) {
+    throw new TypeError(`Invalid rule: ${rule}`);
+  }
+  return parsedPrefix;
+};
 var buildMatcher = (rules) => {
   const functionRules = [];
   const staticRules = /* @__PURE__ */ new Set();
+  const staticIPv4Rules = /* @__PURE__ */ new Set();
+  const staticIPv6Rules = /* @__PURE__ */ new Set();
   const cidrRules = [];
+  const registerStaticRule = (rule) => {
+    const type = distinctRemoteAddr(rule);
+    if (type === void 0) {
+      throw new TypeError(`Invalid rule: ${rule}`);
+    }
+    if (type === "IPv4") {
+      const ipv4binary = convertIPv4ToBinary(rule);
+      staticRules.add(rule);
+      staticRules.add(`::ffff:${rule}`);
+      staticIPv4Rules.add(ipv4binary);
+      staticIPv6Rules.add(0xffffn << 32n | ipv4binary);
+    } else {
+      const ipv6binary = convertIPv6ToBinary(rule);
+      const ipv6Addr = convertIPv6BinaryToString(ipv6binary);
+      staticRules.add(ipv6Addr);
+      staticIPv6Rules.add(ipv6binary);
+      if (isIPv4MappedIPv6(ipv6binary)) {
+        staticRules.add(ipv6Addr.substring(7));
+        staticIPv4Rules.add(convertIPv4MappedIPv6ToIPv4(ipv6binary));
+      }
+    }
+  };
   for (let rule of rules) {
     if (rule === "*") {
       return () => true;
@@ -22,17 +57,17 @@ var buildMatcher = (rules) => {
       if (IS_CIDR_NOTATION_REGEX.test(rule)) {
         const separatedRule = rule.split("/");
         const addrStr = separatedRule[0];
-        const type2 = distinctRemoteAddr(addrStr);
-        if (type2 === void 0) {
+        const type = distinctRemoteAddr(addrStr);
+        if (type === void 0) {
           throw new TypeError(`Invalid rule: ${rule}`);
         }
-        let isIPv4 = type2 === "IPv4";
-        let prefix = parseInt(separatedRule[1]);
+        let isIPv4 = type === "IPv4";
+        let prefix = parseCidrPrefix(rule, separatedRule[1], isIPv4 ? 32 : 128);
         if (isIPv4 ? prefix === 32 : prefix === 128) {
           rule = addrStr;
         } else {
           let addr = (isIPv4 ? convertIPv4ToBinary : convertIPv6ToBinary)(addrStr);
-          if (type2 === "IPv6" && isIPv4MappedIPv6(addr) && prefix >= 96) {
+          if (type === "IPv6" && isIPv4MappedIPv6(addr) && prefix >= 96) {
             isIPv4 = true;
             addr = convertIPv4MappedIPv6ToIPv4(addr);
             prefix -= 96;
@@ -42,21 +77,7 @@ var buildMatcher = (rules) => {
           continue;
         }
       }
-      const type = distinctRemoteAddr(rule);
-      if (type === void 0) {
-        throw new TypeError(`Invalid rule: ${rule}`);
-      }
-      if (type === "IPv4") {
-        staticRules.add(rule);
-        staticRules.add(`::ffff:${rule}`);
-      } else {
-        const ipv6binary = convertIPv6ToBinary(rule);
-        const ipv6Addr = convertIPv6BinaryToString(ipv6binary);
-        staticRules.add(ipv6Addr);
-        if (isIPv4MappedIPv6(ipv6binary)) {
-          staticRules.add(ipv6Addr.substring(7));
-        }
-      }
+      registerStaticRule(rule);
     }
   }
   return (remote) => {
@@ -65,6 +86,9 @@ var buildMatcher = (rules) => {
     }
     const remoteAddr = remote.binaryAddr ||= (remote.isIPv4 ? convertIPv4ToBinary : convertIPv6ToBinary)(remote.addr);
     const remoteIPv4Addr = remote.isIPv4 || isIPv4MappedIPv6(remoteAddr) ? remote.isIPv4 ? remoteAddr : convertIPv4MappedIPv6ToIPv4(remoteAddr) : void 0;
+    if ((remote.isIPv4 ? staticIPv4Rules : staticIPv6Rules).has(remoteAddr)) {
+      return true;
+    }
     for (const [isIPv4, addr, mask] of cidrRules) {
       if (isIPv4) {
         if (remoteIPv4Addr === void 0) {
@@ -107,14 +131,21 @@ var ipRestriction = (getIP, { denyList = [], allowList = [] }, onError) => {
     }
     const type = typeof connInfo !== "string" && connInfo.remote.addressType || distinctRemoteAddr(addr);
     const remoteData = { addr, type, isIPv4: type === "IPv4" };
-    if (denyMatcher(remoteData)) {
-      if (onError) {
-        return onError({ addr, type }, c);
+    try {
+      if (denyMatcher(remoteData)) {
+        if (onError) {
+          return onError({ addr, type }, c);
+        }
+        throw blockError(c);
       }
-      throw blockError(c);
-    }
-    if (allowMatcher(remoteData)) {
-      return await next();
+      if (allowMatcher(remoteData)) {
+        return await next();
+      }
+    } catch (e) {
+      if (e instanceof TypeError && e.code === INVALID_IP_ADDRESS_ERROR_CODE) {
+        throw blockError(c);
+      }
+      throw e;
     }
     if (allowLength === 0) {
       return await next();

package/dist/middleware/jwk/jwk.js

@@ -17,7 +17,7 @@ var jwk = (options, init) => {
     let token;
     if (credentials) {
       const parts = credentials.split(/\s+/);
-      if (parts.length !== 2) {
+      if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
         const errDescription = "invalid credentials structure";
         throw new HTTPException(401, {
           message: errDescription,

package/dist/middleware/jwt/jwt.js

@@ -20,7 +20,7 @@ var jwt = (options) => {
     let token;
     if (credentials) {
       const parts = credentials.split(/\s+/);
-      if (parts.length !== 2) {
+      if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
         const errDescription = "invalid credentials structure";
         throw new HTTPException(401, {
           message: errDescription,