opentunnel-cli 1.0.22 → 1.0.25

package/dist/shared/credentials.d.ts

@@ -0,0 +1,101 @@
+import { CloudflareCredentials, NgrokCredentials, GlobalCredentials } from "./types";
+/**
+ * Credentials Manager
+ *
+ * Handles secure storage and retrieval of provider credentials.
+ * Credential resolution priority: CLI > ENV > YAML > credentials.json
+ */
+export declare class CredentialsManager {
+    private credentials;
+    constructor();
+    /**
+     * Get the credentials directory path
+     */
+    static getCredentialsDir(): string;
+    /**
+     * Get the credentials file path
+     */
+    static getCredentialsFile(): string;
+    /**
+     * Ensure the credentials directory exists with secure permissions
+     */
+    private ensureDir;
+    /**
+     * Load credentials from file
+     */
+    load(): GlobalCredentials;
+    /**
+     * Save credentials to file with secure permissions (0600)
+     */
+    save(): void;
+    /**
+     * Get all credentials
+     */
+    getAll(): GlobalCredentials;
+    /**
+     * Get ngrok credentials
+     */
+    getNgrok(): NgrokCredentials | undefined;
+    /**
+     * Set ngrok credentials
+     */
+    setNgrok(creds: NgrokCredentials): void;
+    /**
+     * Remove ngrok credentials
+     */
+    removeNgrok(): boolean;
+    /**
+     * Get Cloudflare credentials
+     */
+    getCloudflare(): CloudflareCredentials | undefined;
+    /**
+     * Set Cloudflare credentials
+     */
+    setCloudflare(creds: CloudflareCredentials): void;
+    /**
+     * Remove Cloudflare credentials
+     */
+    removeCloudflare(): boolean;
+    /**
+     * Remove all credentials for a provider
+     */
+    removeProvider(provider: "ngrok" | "cloudflare"): boolean;
+    /**
+     * Set a specific credential value using dot notation
+     * e.g., "ngrok.token", "cloudflare.accountId"
+     */
+    set(key: string, value: string): void;
+    /**
+     * Get a specific credential value using dot notation
+     * e.g., "ngrok.token", "cloudflare.accountId"
+     */
+    get(key: string): string | undefined;
+    /**
+     * List all stored credential keys (not values for security)
+     */
+    listKeys(): string[];
+    /**
+     * Clear all credentials
+     */
+    clear(): void;
+}
+/**
+ * Resolve ngrok token with priority: CLI > ENV > YAML > credentials.json
+ */
+export declare function resolveNgrokToken(options: {
+    cliToken?: string;
+    yamlToken?: string;
+}): string | undefined;
+/**
+ * Resolve Cloudflare credentials with priority: CLI > ENV > YAML > credentials.json
+ */
+export declare function resolveCloudflareCredentials(options: {
+    cliAccountId?: string;
+    cliTunnelToken?: string;
+    cliCertPath?: string;
+    yamlAccountId?: string;
+    yamlTunnelToken?: string;
+    yamlCertPath?: string;
+}): CloudflareCredentials;
+export declare function getCredentialsManager(): CredentialsManager;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/shared/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/shared/credentials.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAMrF;;;;;GAKG;AACH,qBAAa,kBAAkB;IAC3B,OAAO,CAAC,WAAW,CAAyB;;IAM5C;;OAEG;IACH,MAAM,CAAC,iBAAiB,IAAI,MAAM;IAIlC;;OAEG;IACH,MAAM,CAAC,kBAAkB,IAAI,MAAM;IAInC;;OAEG;IACH,OAAO,CAAC,SAAS;IAMjB;;OAEG;IACH,IAAI,IAAI,iBAAiB;IAYzB;;OAEG;IACH,IAAI,IAAI,IAAI;IAOZ;;OAEG;IACH,MAAM,IAAI,iBAAiB;IAI3B;;OAEG;IACH,QAAQ,IAAI,gBAAgB,GAAG,SAAS;IAIxC;;OAEG;IACH,QAAQ,CAAC,KAAK,EAAE,gBAAgB,GAAG,IAAI;IAKvC;;OAEG;IACH,WAAW,IAAI,OAAO;IAStB;;OAEG;IACH,aAAa,IAAI,qBAAqB,GAAG,SAAS;IAIlD;;OAEG;IACH,aAAa,CAAC,KAAK,EAAE,qBAAqB,GAAG,IAAI;IAQjD;;OAEG;IACH,gBAAgB,IAAI,OAAO;IAS3B;;OAEG;IACH,cAAc,CAAC,QAAQ,EAAE,OAAO,GAAG,YAAY,GAAG,OAAO;IASzD;;;OAGG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IA0BrC;;;OAGG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAoBpC;;OAEG;IACH,QAAQ,IAAI,MAAM,EAAE;IAgBpB;;OAEG;IACH,KAAK,IAAI,IAAI;CAIhB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACtB,GAAG,MAAM,GAAG,SAAS,CAoBrB;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,OAAO,EAAE;IAClD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;CACzB,GAAG,qBAAqB,CAkBxB;AAKD,wBAAgB,qBAAqB,IAAI,kBAAkB,CAK1D"}

package/dist/shared/credentials.js

@@ -0,0 +1,302 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CredentialsManager = void 0;
+exports.resolveNgrokToken = resolveNgrokToken;
+exports.resolveCloudflareCredentials = resolveCloudflareCredentials;
+exports.getCredentialsManager = getCredentialsManager;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+// Credentials file location
+const OPENTUNNEL_DIR = path.join(os.homedir(), ".opentunnel");
+const CREDENTIALS_FILE = path.join(OPENTUNNEL_DIR, "credentials.json");
+/**
+ * Credentials Manager
+ *
+ * Handles secure storage and retrieval of provider credentials.
+ * Credential resolution priority: CLI > ENV > YAML > credentials.json
+ */
+class CredentialsManager {
+    constructor() {
+        this.credentials = {};
+        this.load();
+    }
+    /**
+     * Get the credentials directory path
+     */
+    static getCredentialsDir() {
+        return OPENTUNNEL_DIR;
+    }
+    /**
+     * Get the credentials file path
+     */
+    static getCredentialsFile() {
+        return CREDENTIALS_FILE;
+    }
+    /**
+     * Ensure the credentials directory exists with secure permissions
+     */
+    ensureDir() {
+        if (!fs.existsSync(OPENTUNNEL_DIR)) {
+            fs.mkdirSync(OPENTUNNEL_DIR, { recursive: true, mode: 0o700 });
+        }
+    }
+    /**
+     * Load credentials from file
+     */
+    load() {
+        try {
+            if (fs.existsSync(CREDENTIALS_FILE)) {
+                const content = fs.readFileSync(CREDENTIALS_FILE, "utf-8");
+                this.credentials = JSON.parse(content);
+            }
+        }
+        catch {
+            this.credentials = {};
+        }
+        return this.credentials;
+    }
+    /**
+     * Save credentials to file with secure permissions (0600)
+     */
+    save() {
+        this.ensureDir();
+        fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(this.credentials, null, 2), {
+            mode: 0o600,
+        });
+    }
+    /**
+     * Get all credentials
+     */
+    getAll() {
+        return this.credentials;
+    }
+    /**
+     * Get ngrok credentials
+     */
+    getNgrok() {
+        return this.credentials.ngrok;
+    }
+    /**
+     * Set ngrok credentials
+     */
+    setNgrok(creds) {
+        this.credentials.ngrok = creds;
+        this.save();
+    }
+    /**
+     * Remove ngrok credentials
+     */
+    removeNgrok() {
+        if (this.credentials.ngrok) {
+            delete this.credentials.ngrok;
+            this.save();
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Get Cloudflare credentials
+     */
+    getCloudflare() {
+        return this.credentials.cloudflare;
+    }
+    /**
+     * Set Cloudflare credentials
+     */
+    setCloudflare(creds) {
+        this.credentials.cloudflare = {
+            ...this.credentials.cloudflare,
+            ...creds,
+        };
+        this.save();
+    }
+    /**
+     * Remove Cloudflare credentials
+     */
+    removeCloudflare() {
+        if (this.credentials.cloudflare) {
+            delete this.credentials.cloudflare;
+            this.save();
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Remove all credentials for a provider
+     */
+    removeProvider(provider) {
+        if (provider === "ngrok") {
+            return this.removeNgrok();
+        }
+        else if (provider === "cloudflare") {
+            return this.removeCloudflare();
+        }
+        return false;
+    }
+    /**
+     * Set a specific credential value using dot notation
+     * e.g., "ngrok.token", "cloudflare.accountId"
+     */
+    set(key, value) {
+        const [provider, field] = key.split(".");
+        if (provider === "ngrok") {
+            if (!this.credentials.ngrok) {
+                this.credentials.ngrok = { token: "" };
+            }
+            if (field === "token") {
+                this.credentials.ngrok.token = value;
+            }
+        }
+        else if (provider === "cloudflare") {
+            if (!this.credentials.cloudflare) {
+                this.credentials.cloudflare = {};
+            }
+            if (field === "accountId") {
+                this.credentials.cloudflare.accountId = value;
+            }
+            else if (field === "tunnelToken") {
+                this.credentials.cloudflare.tunnelToken = value;
+            }
+            else if (field === "certPath") {
+                this.credentials.cloudflare.certPath = value;
+            }
+        }
+        this.save();
+    }
+    /**
+     * Get a specific credential value using dot notation
+     * e.g., "ngrok.token", "cloudflare.accountId"
+     */
+    get(key) {
+        const [provider, field] = key.split(".");
+        if (provider === "ngrok" && this.credentials.ngrok) {
+            if (field === "token") {
+                return this.credentials.ngrok.token;
+            }
+        }
+        else if (provider === "cloudflare" && this.credentials.cloudflare) {
+            if (field === "accountId") {
+                return this.credentials.cloudflare.accountId;
+            }
+            else if (field === "tunnelToken") {
+                return this.credentials.cloudflare.tunnelToken;
+            }
+            else if (field === "certPath") {
+                return this.credentials.cloudflare.certPath;
+            }
+        }
+        return undefined;
+    }
+    /**
+     * List all stored credential keys (not values for security)
+     */
+    listKeys() {
+        const keys = [];
+        if (this.credentials.ngrok) {
+            if (this.credentials.ngrok.token)
+                keys.push("ngrok.token");
+        }
+        if (this.credentials.cloudflare) {
+            if (this.credentials.cloudflare.accountId)
+                keys.push("cloudflare.accountId");
+            if (this.credentials.cloudflare.tunnelToken)
+                keys.push("cloudflare.tunnelToken");
+            if (this.credentials.cloudflare.certPath)
+                keys.push("cloudflare.certPath");
+        }
+        return keys;
+    }
+    /**
+     * Clear all credentials
+     */
+    clear() {
+        this.credentials = {};
+        this.save();
+    }
+}
+exports.CredentialsManager = CredentialsManager;
+/**
+ * Resolve ngrok token with priority: CLI > ENV > YAML > credentials.json
+ */
+function resolveNgrokToken(options) {
+    // 1. CLI flag (highest priority)
+    if (options.cliToken) {
+        return options.cliToken;
+    }
+    // 2. Environment variable
+    const envToken = process.env.NGROK_TOKEN || process.env.NGROK_AUTHTOKEN;
+    if (envToken) {
+        return envToken;
+    }
+    // 3. YAML config
+    if (options.yamlToken) {
+        return options.yamlToken;
+    }
+    // 4. Stored credentials (lowest priority)
+    const manager = new CredentialsManager();
+    return manager.getNgrok()?.token;
+}
+/**
+ * Resolve Cloudflare credentials with priority: CLI > ENV > YAML > credentials.json
+ */
+function resolveCloudflareCredentials(options) {
+    const manager = new CredentialsManager();
+    const stored = manager.getCloudflare() || {};
+    return {
+        accountId: options.cliAccountId
+            || process.env.CLOUDFLARE_ACCOUNT_ID
+            || options.yamlAccountId
+            || stored.accountId,
+        tunnelToken: options.cliTunnelToken
+            || process.env.CLOUDFLARE_TUNNEL_TOKEN
+            || options.yamlTunnelToken
+            || stored.tunnelToken,
+        certPath: options.cliCertPath
+            || process.env.CLOUDFLARE_CERT_PATH
+            || options.yamlCertPath
+            || stored.certPath,
+    };
+}
+// Singleton instance for convenience
+let _instance = null;
+function getCredentialsManager() {
+    if (!_instance) {
+        _instance = new CredentialsManager();
+    }
+    return _instance;
+}
+//# sourceMappingURL=credentials.js.map

package/dist/shared/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/shared/credentials.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuOA,8CAuBC;AAKD,oEAyBC;AAKD,sDAKC;AAtSD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAGzB,4BAA4B;AAC5B,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,aAAa,CAAC,CAAC;AAC9D,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;AAEvE;;;;;GAKG;AACH,MAAa,kBAAkB;IAG3B;QAFQ,gBAAW,GAAsB,EAAE,CAAC;QAGxC,IAAI,CAAC,IAAI,EAAE,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,iBAAiB;QACpB,OAAO,cAAc,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,kBAAkB;QACrB,OAAO,gBAAgB,CAAC;IAC5B,CAAC;IAED;;OAEG;IACK,SAAS;QACb,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YACjC,EAAE,CAAC,SAAS,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACnE,CAAC;IACL,CAAC;IAED;;OAEG;IACH,IAAI;QACA,IAAI,CAAC;YACD,IAAI,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;gBAC3D,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC3C,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACL,IAAI,CAAC,WAAW,GAAG,EAAE,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,IAAI;QACA,IAAI,CAAC,SAAS,EAAE,CAAC;QACjB,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;YAC1E,IAAI,EAAE,KAAK;SACd,CAAC,CAAC;IACP,CAAC;IAED;;OAEG;IACH,MAAM;QACF,OAAO,IAAI,CAAC,WAAW,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,QAAQ;QACJ,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,KAAuB;QAC5B,IAAI,CAAC,WAAW,CAAC,KAAK,GAAG,KAAK,CAAC;QAC/B,IAAI,CAAC,IAAI,EAAE,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,WAAW;QACP,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;YAC9B,IAAI,CAAC,IAAI,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,aAAa;QACT,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,KAA4B;QACtC,IAAI,CAAC,WAAW,CAAC,UAAU,GAAG;YAC1B,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU;YAC9B,GAAG,KAAK;SACX,CAAC;QACF,IAAI,CAAC,IAAI,EAAE,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,gBAAgB;QACZ,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC;YACnC,IAAI,CAAC,IAAI,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,KAAK,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,QAAgC;QAC3C,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;QAC9B,CAAC;aAAM,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACnC,CAAC;QACD,OAAO,KAAK,CAAC;IACjB,CAAC;IAED;;;OAGG;IACH,GAAG,CAAC,GAAW,EAAE,KAAa;QAC1B,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEzC,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;gBAC1B,IAAI,CAAC,WAAW,CAAC,KAAK,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;YAC3C,CAAC;YACD,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;gBACpB,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC;YACzC,CAAC;QACL,CAAC;aAAM,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YACnC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;gBAC/B,IAAI,CAAC,WAAW,CAAC,UAAU,GAAG,EAAE,CAAC;YACrC,CAAC;YACD,IAAI,KAAK,KAAK,WAAW,EAAE,CAAC;gBACxB,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,SAAS,GAAG,KAAK,CAAC;YAClD,CAAC;iBAAM,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;gBACjC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,WAAW,GAAG,KAAK,CAAC;YACpD,CAAC;iBAAM,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;gBAC9B,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,QAAQ,GAAG,KAAK,CAAC;YACjD,CAAC;QACL,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC;IAChB,CAAC;IAED;;;OAGG;IACH,GAAG,CAAC,GAAW;QACX,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEzC,IAAI,QAAQ,KAAK,OAAO,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACjD,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;gBACpB,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC;YACxC,CAAC;QACL,CAAC;aAAM,IAAI,QAAQ,KAAK,YAAY,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;YAClE,IAAI,KAAK,KAAK,WAAW,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC;YACjD,CAAC;iBAAM,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;gBACjC,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,WAAW,CAAC;YACnD,CAAC;iBAAM,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;gBAC9B,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,QAAQ,CAAC;YAChD,CAAC;QACL,CAAC;QAED,OAAO,SAAS,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,QAAQ;QACJ,MAAM,IAAI,GAAa,EAAE,CAAC;QAE1B,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK;gBAAE,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/D,CAAC;QAED,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,SAAS;gBAAE,IAAI,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;YAC7E,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,WAAW;gBAAE,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;YACjF,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,QAAQ;gBAAE,IAAI,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAC/E,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,KAAK;QACD,IAAI,CAAC,WAAW,GAAG,EAAE,CAAC;QACtB,IAAI,CAAC,IAAI,EAAE,CAAC;IAChB,CAAC;CACJ;AAnND,gDAmNC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,OAGjC;IACG,iCAAiC;IACjC,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnB,OAAO,OAAO,CAAC,QAAQ,CAAC;IAC5B,CAAC;IAED,0BAA0B;IAC1B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IACxE,IAAI,QAAQ,EAAE,CAAC;QACX,OAAO,QAAQ,CAAC;IACpB,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACpB,OAAO,OAAO,CAAC,SAAS,CAAC;IAC7B,CAAC;IAED,0CAA0C;IAC1C,MAAM,OAAO,GAAG,IAAI,kBAAkB,EAAE,CAAC;IACzC,OAAO,OAAO,CAAC,QAAQ,EAAE,EAAE,KAAK,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,SAAgB,4BAA4B,CAAC,OAO5C;IACG,MAAM,OAAO,GAAG,IAAI,kBAAkB,EAAE,CAAC;IACzC,MAAM,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC;IAE7C,OAAO;QACH,SAAS,EAAE,OAAO,CAAC,YAAY;eACxB,OAAO,CAAC,GAAG,CAAC,qBAAqB;eACjC,OAAO,CAAC,aAAa;eACrB,MAAM,CAAC,SAAS;QACvB,WAAW,EAAE,OAAO,CAAC,cAAc;eAC5B,OAAO,CAAC,GAAG,CAAC,uBAAuB;eACnC,OAAO,CAAC,eAAe;eACvB,MAAM,CAAC,WAAW;QACzB,QAAQ,EAAE,OAAO,CAAC,WAAW;eACtB,OAAO,CAAC,GAAG,CAAC,oBAAoB;eAChC,OAAO,CAAC,YAAY;eACpB,MAAM,CAAC,QAAQ;KACzB,CAAC;AACN,CAAC;AAED,qCAAqC;AACrC,IAAI,SAAS,GAA8B,IAAI,CAAC;AAEhD,SAAgB,qBAAqB;IACjC,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,SAAS,GAAG,IAAI,kBAAkB,EAAE,CAAC;IACzC,CAAC;IACD,OAAO,SAAS,CAAC;AACrB,CAAC"}

package/dist/shared/ip-filter.d.ts

@@ -0,0 +1,75 @@
+import { IncomingMessage } from "http";
+import { IpAccessConfig } from "./types";
+/**
+ * Result of an IP access check
+ */
+export interface IpCheckResult {
+    allowed: boolean;
+    reason?: string;
+}
+/**
+ * Shared IP filtering class for cross-provider security
+ *
+ * Supports:
+ * - Allowlist mode: Only IPs in the list are allowed
+ * - Denylist mode: IPs in the list are denied, others allowed
+ * - CIDR notation (e.g., 192.168.0.0/16)
+ * - IPv6-mapped IPv4 normalization
+ * - X-Forwarded-For / CF-Connecting-IP header extraction
+ */
+export declare class IpFilter {
+    private config;
+    constructor(config?: IpAccessConfig);
+    /**
+     * Update the filter configuration
+     */
+    setConfig(config: IpAccessConfig): void;
+    /**
+     * Get the current configuration
+     */
+    getConfig(): IpAccessConfig;
+    /**
+     * Check if an IP matches a CIDR range or single IP
+     */
+    ipMatchesCidr(ip: string, cidr: string): boolean;
+    /**
+     * Check if an IP is in a list (supports CIDR notation)
+     */
+    ipInList(ip: string, list: string[]): boolean;
+    /**
+     * Check if an IP is allowed based on the access config
+     */
+    isAllowed(ip: string): IpCheckResult;
+    /**
+     * Normalize an IP address (removes IPv6-mapped IPv4 prefix)
+     */
+    static normalizeIp(ip: string): string;
+    /**
+     * Extract client IP from various headers and socket
+     *
+     * Priority:
+     * 1. CF-Connecting-IP (Cloudflare)
+     * 2. X-Real-IP (nginx, common proxies)
+     * 3. X-Forwarded-For (first IP, standard proxy header)
+     * 4. Socket remoteAddress (direct connection)
+     */
+    static extractClientIp(req: IncomingMessage): string;
+    /**
+     * Extract client IP from headers object (for use without IncomingMessage)
+     */
+    static extractClientIpFromHeaders(headers: Record<string, string | string[] | undefined>, socketAddress?: string): string;
+    /**
+     * Merge two IP access configs, with the second one taking priority for non-undefined values
+     * Useful for per-tunnel config overriding global config
+     */
+    static mergeConfigs(base?: IpAccessConfig, override?: IpAccessConfig): IpAccessConfig | undefined;
+}
+/**
+ * Create a filter middleware function for HTTP servers
+ *
+ * @param config IP access configuration
+ * @param onDenied Optional callback when access is denied
+ * @returns Middleware function that returns true if allowed, false if denied
+ */
+export declare function createIpFilterMiddleware(config?: IpAccessConfig, onDenied?: (ip: string, reason: string) => void): (req: IncomingMessage) => IpCheckResult;
+//# sourceMappingURL=ip-filter.d.ts.map

package/dist/shared/ip-filter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-filter.d.ts","sourceRoot":"","sources":["../../src/shared/ip-filter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,MAAM,CAAC;AACvC,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzC;;GAEG;AACH,MAAM,WAAW,aAAa;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,qBAAa,QAAQ;IACjB,OAAO,CAAC,MAAM,CAAiB;gBAEnB,MAAM,CAAC,EAAE,cAAc;IAInC;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI;IAIvC;;OAEG;IACH,SAAS,IAAI,cAAc;IAI3B;;OAEG;IACH,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO;IA6BhD;;OAEG;IACH,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO;IAI7C;;OAEG;IACH,SAAS,CAAC,EAAE,EAAE,MAAM,GAAG,aAAa;IA4BpC;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM;IAItC;;;;;;;;OAQG;IACH,MAAM,CAAC,eAAe,CAAC,GAAG,EAAE,eAAe,GAAG,MAAM;IAkCpD;;OAEG;IACH,MAAM,CAAC,0BAA0B,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM;IAiCzH;;;OAGG;IACH,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,QAAQ,CAAC,EAAE,cAAc,GAAG,cAAc,GAAG,SAAS;CAmBpG;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACpC,MAAM,CAAC,EAAE,cAAc,EACvB,QAAQ,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,GAChD,CAAC,GAAG,EAAE,eAAe,KAAK,aAAa,CAazC"}