react-native-nitro-net 0.1.5 → 0.3.0

package/README.md

@@ -1,13 +1,20 @@
 # react-native-nitro-net
 
-Node.js `net` API implementation for React Native using [Nitro Modules](https://github.com/mrousavy/nitro) and Rust.
+Ultra-high-performance networking to React Native by combining a memory-safe Rust core with the zero-overhead Nitro Modules JSI bridge. Provides Node.js-compatible net, tls, http(s) API.
+
+[![license](https://img.shields.io/badge/license-ISC-blue.svg)]()
+[![platform](https://img.shields.io/badge/platform-ios%20%7C%20android-lightgrey.svg)]()
+[![compatibility](https://img.shields.io/badge/Node.js-100%25%20dns-green.svg)]()
+[中文文档](./README_zh.md)
 
 ## Features
 
 *   🚀 **High Performance**: Built on top of Rust's `tokio` asynchronous runtime.
-*   🤝 **Node.js Compatible**: Implements the standard `net` API including `Socket` (Duplex stream) and `Server`.
+*   🤝 **Node.js Compatible**: Implements standard `net`, `tls`, `http`, and `https` APIs.
+*   🛡️ **Modern Security**: TLS implementation powered by **Rustls 0.23** (Ring provider), supporting TLS 1.2 and 1.3.
+*   🔒 **Full Protocol Support**: Support for PEM/PFX certificates, SNI, HTTP Trailers, 100 Continue, Protocol Upgrades (101), and HTTP Tunneling (CONNECT).
 *   ⚡ **Nitro Modules**: Uses JSI for zero-overhead communication between JavaScript and Native code.
-*   🛡️ **Robust & Stable**: Advanced fixes for common networking issues like port reuse, deadlocks, and DNS reliability.
+*   🛡️ **Robust & Stable**: Advanced fixes for port reuse, deadlocks, and connection pooling hangs.
 *   📱 **Cross-Platform**: Supports both iOS and Android.
 
 ## Installation
@@ -30,7 +37,7 @@ cd ios && pod install
 
 This library uses a high-performance three-layer architecture:
 
-1.  **JavaScript Layer**: Provides the high-level Node.js compatible `net.Socket` (Duplex) and `net.Server` APIs using `readable-stream` and `EventEmitter`.
+1.  **JavaScript Layer**: Provides high-level Node.js compatible `net` and `tls` APIs using `readable-stream` and `EventEmitter`.
 2.  **C++ Bridge (Nitro)**: Handles the zero-copy orchestration between JS and Rust using Nitro Hybrid Objects and JSI.
 3.  **Rust Core**: Implements the actual networking logic using the **Tokio** asynchronous runtime, providing memory safety and high concurrency.
 
@@ -73,15 +80,97 @@ server.listen(0, '127.0.0.1', () => {
 });
 ```
 
-## Stability Improvements
+### TLS (Secure Socket)
+
+```typescript
+import { tls } from 'react-native-nitro-net';
+
+// Client connection
+const socket = tls.connect({
+  host: 'example.com',
+  port: 443,
+  servername: 'example.com', // SNI
+}, () => {
+  console.log('Securely connected!');
+  console.log('Protocol:', socket.getProtocol());
+});
 
-We have implemented several critical fixes to ensure production-grade stability:
+// Server with PFX
+const server = tls.createServer({
+  pfx: fs.readFileSync('server.pfx'),
+  passphrase: 'your-password'
+}, (socket) => {
+  socket.write('Secure hello!');
+});
+server.listen(443);
+```
 
-*   **Port Reuse (`SO_REUSEPORT`)**: Automatically enabled on Unix/iOS to allow immediate server restarts without the "Address already in use" error.
-*   **Anti-Deadlock Logic**: C++ layer uses lock-free callback dispatching to prevent UI freezes during high-frequency events.
-*   **DNS Reliability**: Automatically retries all resolved IP addresses if the first one fails to connect.
+*   **Advanced Features**: Supports `keylog` event re-emission for Wireshark, session resumption, and `asyncDispose`.
+*   **Performance Tuning**: Configurable `headersTimeout`, `keepAliveTimeout`, and `requestTimeout`.
 *   **Resource Management**: Strict protective shutdown logic in Rust to prevent socket and Unix domain socket file leaks.
 
+## Usage
+
+### HTTP Request
+
+Implementation of the standard Node.js `http` API.
+
+```typescript
+import { http } from 'react-native-nitro-net';
+
+http.get('http://google.com', (res) => {
+  console.log(`Status: ${res.statusCode}`);
+  res.on('data', (chunk) => console.log(`Body segment: ${chunk.length} bytes`));
+  res.on('end', () => console.log('Request complete'));
+});
+```
+
+### HTTPS with Connection Pooling
+
+Uses `https` and the built-in `Agent` for connection reuse.
+
+```typescript
+import { https } from 'react-native-nitro-net';
+
+const agent = new https.Agent({ keepAlive: true });
+
+https.get('https://api.github.com/users/margelo', { agent }, (res) => {
+  // ... handle response
+});
+```
+
+### TCP Client (Socket)
+
+```typescript
+import net from 'react-native-nitro-net';
+
+const client = net.createConnection({ port: 8080, host: '127.0.0.1' }, () => {
+  client.write('Hello Server!');
+});
+```
+
+### Server (Dynamic Port Support)
+
+The server supports binding to a dynamic port by using `0`.
+
+```typescript
+import net from 'react-native-nitro-net';
+
+const server = net.createServer((socket) => {
+  socket.write('Echo: ' + socket.read());
+});
+
+server.listen(0, '127.0.0.1', () => {
+  const address = server.address();
+  console.log(`Server listening on dynamic port: ${address?.port}`);
+});
+```
+
+## Compatibility Notes
+
+> [!IMPORTANT]
+> **`Server.close()` Behavior**: Unlike Node.js's default behavior where `server.close()` only stops accepting new connections, this implementation **immediately destroys all active connections** when `close()` is called. This ensures clean resource release and is more intuitive for mobile applications.
+
 ## API Reference
 
 ### `net.Socket`
@@ -97,11 +186,25 @@ We have implemented several critical fixes to ensure production-grade stability:
 
 **Events**: `connect`, `ready`, `data`, `error`, `close`, `timeout`, `lookup`.
 
+### `tls.TLSSocket`
+*Extends `net.Socket`*
+
+| Property / Method | Description |
+| --- | --- |
+| `authorized` | `true` if peer certificate is verified. |
+| `getProtocol()` | Returns negotiated TLS version (e.g., "TLSv1.3"). |
+| `getCipher()` | Returns current cipher information. |
+| `getPeerCertificate()`| Returns detailed JSON of the peer certificate. |
+| `getSession()` | Returns the session ticket for resumption. |
+| `encrypted` | Always `true`. |
+
+**Events**: `secureConnect`, `session`, `keylog`, `OCSPResponse`.
+
 ### Global APIs
 
 | Method | Description |
 | --- | --- |
-| `initWithConfig(options)` | Optional. Initializes the Rust runtime with custom settings (e.g., `workerThreads`). Must be called before any other operation. |
+| `initWithConfig(options)` | Optional. Initializes the Rust runtime with custom settings (e.g., `workerThreads`, `debug`). Must be called before any other operation. |
 | `setVerbose(bool)` | Toggle detailed logging for JS, C++, and Rust. |
 | `isIP(string)` | Returns `0`, `4`, or `6`. |
 
@@ -110,11 +213,18 @@ We have implemented several critical fixes to ensure production-grade stability:
 | Method | Description |
 | --- | --- |
 | `listen(options)` | Start listening. Supports `port: 0` for dynamic allocation. |
-| `close()` | Stops the server from accepting new connections. |
+| `close()` | Stops the server and **destroys all active connections**. |
 | `address()` | Returns the bound address (crucial for dynamic ports). |
 | `getConnections(cb)`| Get count of active connections. |
+| `renegotiate(opt, cb)`| **Shim**: Returns `ERR_TLS_RENEGOTIATION_DISABLED` (Rustls security policy). |
+
+**Events**: `listening`, `connection`, `error`, `close`, `connect` (HTTP Tunneling).
+
+### `tls.Server`
+*Extends `net.Server`*
 
-**Events**: `listening`, `connection`, `error`, `close`.
+Supported methods: `listen`, `close`, `addContext`, `setTicketKeys`, `getTicketKeys`.
+**Events**: `secureConnection`, `keylog`, `newSession`.
 
 ## Debugging
 

package/cpp/HybridHttpParser.hpp

@@ -0,0 +1,67 @@
+#pragma once
+
+#include "../nitrogen/generated/shared/c++/HybridHttpParserSpec.hpp"
+#include "NetBindings.hpp"
+#include <NitroModules/ArrayBuffer.hpp>
+#include <string>
+
+namespace margelo {
+namespace nitro {
+namespace net {
+
+using namespace margelo::nitro;
+
+class HybridHttpParser : public HybridHttpParserSpec {
+public:
+  HybridHttpParser(int mode) : HybridObject(TAG) {
+    _id = net_http_parser_create(mode);
+  }
+
+  ~HybridHttpParser() { net_http_parser_destroy(_id); }
+
+  std::string feed(const std::shared_ptr<ArrayBuffer> &data) override {
+    if (!data)
+      return "";
+
+    char buf[4096];
+    int res =
+        net_http_parser_feed(_id, data->data(), data->size(), buf, sizeof(buf));
+
+    if (res > 0) {
+      // Complete message
+      return std::string(buf, res);
+    } else if (res == 0) {
+      // Partial message
+      return "";
+    } else if (res < -3) {
+      // Buffer too small, required size is -res
+      size_t requiredSize = static_cast<size_t>(-res);
+      std::string largerBuf(requiredSize, '\0');
+      res = net_http_parser_feed(_id, nullptr, 0, &largerBuf[0],
+                                 requiredSize + 1);
+      if (res > 0) {
+        return std::string(largerBuf.data(), res);
+      }
+      return "ERROR: Re-parse failed after enlarging buffer";
+    } else {
+      // Error
+      switch (res) {
+      case -1:
+        return "ERROR: JSON serialization failed";
+      case -2:
+        return "ERROR: HTTP parse failed";
+      case -3:
+        return "ERROR: Parser not found";
+      default:
+        return "ERROR: Unknown error";
+      }
+    }
+  }
+
+private:
+  uint32_t _id;
+};
+
+} // namespace net
+} // namespace nitro
+} // namespace margelo

package/cpp/HybridNetDriver.hpp

@@ -1,14 +1,21 @@
 #pragma once
 
+#include "../nitrogen/generated/shared/c++/HybridHttpParserSpec.hpp"
 #include "../nitrogen/generated/shared/c++/HybridNetDriverSpec.hpp"
+#include "HybridHttpParser.hpp"
 #include "HybridNetServerDriver.hpp"
 #include "HybridNetSocketDriver.hpp"
 #include "NetManager.hpp"
+#include <NitroModules/ArrayBuffer.hpp>
+#include <optional>
+#include <string>
 
 namespace margelo {
 namespace nitro {
 namespace net {
 
+using namespace margelo::nitro;
+
 class HybridNetDriver : public HybridNetDriverSpec {
 public:
   HybridNetDriver() : HybridObject(TAG) {}
@@ -31,6 +38,73 @@ public:
     return std::make_shared<HybridNetServerDriver>();
   }
 
+  std::shared_ptr<HybridHttpParserSpec> createHttpParser(double mode) override {
+    return std::make_shared<HybridHttpParser>(static_cast<int>(mode));
+  }
+
+  double
+  createSecureContext(const std::string &cert, const std::string &key,
+                      const std::optional<std::string> &passphrase) override {
+    return static_cast<double>(net_create_secure_context(
+        cert.c_str(), key.c_str(),
+        passphrase.has_value() ? passphrase.value().c_str() : nullptr));
+  }
+
+  double createEmptySecureContext() override {
+    return static_cast<double>(net_secure_context_create());
+  }
+
+  void addCACertToSecureContext(double scId, const std::string &ca) override {
+    net_secure_context_add_ca(static_cast<uint32_t>(scId), ca.c_str());
+  }
+
+  void addContextToSecureContext(
+      double scId, const std::string &hostname, const std::string &cert,
+      const std::string &key,
+      const std::optional<std::string> &passphrase) override {
+    net_secure_context_add_context(
+        static_cast<uint32_t>(scId), hostname.c_str(), cert.c_str(),
+        key.c_str(),
+        passphrase.has_value() ? passphrase.value().c_str() : nullptr);
+  }
+
+  void
+  setPFXToSecureContext(double scId, const std::shared_ptr<ArrayBuffer> &pfx,
+                        const std::optional<std::string> &passphrase) override {
+    if (pfx) {
+      net_secure_context_set_pfx(
+          static_cast<uint32_t>(scId), pfx->data(), pfx->size(),
+          passphrase.has_value() ? passphrase.value().c_str() : nullptr);
+    }
+  }
+
+  void setOCSPResponseToSecureContext(
+      double scId, const std::shared_ptr<ArrayBuffer> &ocsp) override {
+    if (ocsp) {
+      net_secure_context_set_ocsp_response(static_cast<uint32_t>(scId),
+                                           ocsp->data(), ocsp->size());
+    }
+  }
+
+  std::optional<std::shared_ptr<ArrayBuffer>>
+  getTicketKeys(double scId) override {
+    uint8_t buf[256];
+    size_t len = net_server_get_ticket_keys(static_cast<uint32_t>(scId), buf,
+                                            sizeof(buf));
+    if (len > 0) {
+      return ArrayBuffer::copy(buf, len);
+    }
+    return std::nullopt;
+  }
+
+  void setTicketKeys(double scId,
+                     const std::shared_ptr<ArrayBuffer> &keys) override {
+    if (keys) {
+      net_server_set_ticket_keys(static_cast<uint32_t>(scId), keys->data(),
+                                 keys->size());
+    }
+  }
+
   void initWithConfig(const NetConfig &config) override {
     uint32_t workerThreads = config.workerThreads.value_or(0);
     NetManager::shared().initWithConfig(workerThreads);

package/cpp/HybridNetServerDriver.hpp

@@ -49,11 +49,27 @@ public:
                ipv6Only.value_or(false), reusePort.value_or(false));
   }
 
+  void listenTLS(double port, double secureContextId,
+                 std::optional<double> backlog, std::optional<bool> ipv6Only,
+                 std::optional<bool> reusePort) override {
+    net_listen_tls(_id, static_cast<int>(port),
+                   static_cast<int>(backlog.value_or(128)),
+                   ipv6Only.value_or(false), reusePort.value_or(false),
+                   static_cast<uint32_t>(secureContextId));
+  }
+
   void listenUnix(const std::string &path,
                   std::optional<double> backlog) override {
     net_listen_unix(_id, path.c_str(), static_cast<int>(backlog.value_or(128)));
   }
 
+  void listenTLSUnix(const std::string &path, double secureContextId,
+                     std::optional<double> backlog) override {
+    net_listen_tls_unix(_id, path.c_str(),
+                        static_cast<int>(backlog.value_or(128)),
+                        static_cast<uint32_t>(secureContextId));
+  }
+
   void listenHandle(double fd, std::optional<double> backlog) override {
     net_listen_handle(_id, static_cast<int>(fd),
                       static_cast<int>(backlog.value_or(128)));

package/cpp/HybridNetSocketDriver.hpp

@@ -4,12 +4,17 @@
 #include "NetBindings.hpp"
 #include "NetManager.hpp"
 #include <NitroModules/ArrayBuffer.hpp>
+#include <memory>
+#include <optional>
 #include <string>
+#include <vector>
 
 namespace margelo {
 namespace nitro {
 namespace net {
 
+using namespace margelo::nitro;
+
 class HybridNetSocketDriver : public HybridNetSocketDriverSpec {
 public:
   HybridNetSocketDriver() : HybridObject(TAG) {
@@ -48,6 +53,111 @@ public:
     net_connect(_id, host.c_str(), static_cast<int>(port));
   }
 
+  void connectTLS(const std::string &host, double port,
+                  const std::optional<std::string> &serverName,
+                  std::optional<bool> rejectUnauthorized) override {
+    const char *sni = serverName.has_value() ? serverName->c_str() : nullptr;
+    bool ru = rejectUnauthorized.value_or(true);
+    net_connect_tls(_id, host.c_str(), static_cast<int>(port), sni,
+                    static_cast<int>(ru));
+  }
+
+  void connectTLSWithContext(const std::string &host, double port,
+                             const std::optional<std::string> &serverName,
+                             std::optional<bool> rejectUnauthorized,
+                             std::optional<double> secureContextId) override {
+    const char *sni = serverName.has_value() ? serverName->c_str() : nullptr;
+    bool ru = rejectUnauthorized.value_or(true);
+    if (secureContextId.has_value()) {
+      net_connect_tls_with_context(
+          _id, host.c_str(), static_cast<int>(port), sni, static_cast<int>(ru),
+          static_cast<uint32_t>(secureContextId.value()));
+    } else {
+      net_connect_tls(_id, host.c_str(), static_cast<int>(port), sni,
+                      static_cast<int>(ru));
+    }
+  }
+
+  std::optional<std::string> getAuthorizationError() override {
+    char buf[1024];
+    size_t len = net_get_authorization_error(_id, buf, sizeof(buf));
+    if (len > 0) {
+      return std::string(buf);
+    }
+    return std::nullopt;
+  }
+
+  std::optional<std::string> getProtocol() override {
+    char buf[128];
+    size_t len = net_get_protocol(_id, buf, sizeof(buf));
+    if (len > 0) {
+      return std::string(buf);
+    }
+    return std::nullopt;
+  }
+
+  std::optional<std::string> getCipher() override {
+    char buf[256];
+    size_t len = net_get_cipher(_id, buf, sizeof(buf));
+    if (len > 0) {
+      return std::string(buf);
+    }
+    return std::nullopt;
+  }
+
+  std::optional<std::string> getALPN() override {
+    char buf[64];
+    size_t len = net_get_alpn(_id, buf, sizeof(buf));
+    if (len > 0) {
+      return std::string(buf);
+    }
+    return std::nullopt;
+  }
+
+  std::optional<std::string> getPeerCertificateJSON() override {
+    char buf[16384];
+    size_t len = net_get_peer_certificate_json(_id, buf, sizeof(buf));
+    if (len > 0) {
+      return std::string(buf, len);
+    }
+    return std::nullopt;
+  }
+
+  std::optional<std::string> getEphemeralKeyInfo() override {
+    char buf[512];
+    size_t len = net_get_ephemeral_key_info(_id, buf, sizeof(buf));
+    if (len > 0) {
+      return std::string(buf, len);
+    }
+    return std::nullopt;
+  }
+
+  std::optional<std::string> getSharedSigalgs() override {
+    char buf[1024];
+    size_t len = net_get_shared_sigalgs(_id, buf, sizeof(buf));
+    if (len > 0) {
+      return std::string(buf, len);
+    }
+    return std::nullopt;
+  }
+
+  bool isSessionReused() override { return net_is_session_reused(_id); }
+
+  std::optional<std::shared_ptr<ArrayBuffer>> getSession() override {
+    uint8_t buf[2048];
+    size_t len = net_get_session(_id, buf, sizeof(buf));
+    if (len > 0) {
+      return ArrayBuffer::copy(buf, len);
+    }
+    return std::nullopt;
+  }
+
+  void setSession(const std::shared_ptr<ArrayBuffer> &session) override {
+    if (session && session->size() > 0) {
+      net_set_session(_id, session->data(), session->size());
+    }
+  }
+
   void write(const std::shared_ptr<ArrayBuffer> &data) override {
     if (!data)
       return;
@@ -70,6 +180,33 @@ public:
     }
   }
 
+  void enableKeylog() override { net_socket_enable_keylog(_id); }
+
+  void enableTrace() override { net_socket_enable_trace(_id); }
+
+  std::optional<std::shared_ptr<ArrayBuffer>> exportKeyingMaterial(
+      double length, const std::string &label,
+      const std::optional<std::shared_ptr<ArrayBuffer>> &context) override {
+    size_t len = static_cast<size_t>(length);
+    std::vector<uint8_t> output(len);
+
+    const uint8_t *ctx_data = nullptr;
+    size_t ctx_len = 0;
+    if (context.has_value() && context.value()) {
+      ctx_data = context.value()->data();
+      ctx_len = context.value()->size();
+    }
+
+    int result = net_socket_export_keying_material(
+        _id, len, label.c_str(), ctx_data, ctx_len, output.data(),
+        output.size());
+
+    if (result > 0) {
+      return ArrayBuffer::copy(output.data(), static_cast<size_t>(result));
+    }
+    return std::nullopt;
+  }
+
   void setNoDelay(bool enable) override { net_set_nodelay(_id, enable); }
 
   void setKeepAlive(bool enable, double delay) override {
@@ -107,6 +244,45 @@ public:
     net_connect_unix(_id, path.c_str());
   }
 
+  void connectUnixTLS(const std::string &path,
+                      const std::optional<std::string> &serverName,
+                      std::optional<bool> rejectUnauthorized) override {
+#if !defined(__ANDROID__)
+    const char *sni = serverName.has_value() ? serverName->c_str() : "";
+    bool ru = rejectUnauthorized.value_or(true);
+    net_connect_unix_tls(_id, path.c_str(), sni, static_cast<int>(ru));
+#else
+    // Unix TLS not supported on Android
+    (void)path;
+    (void)serverName;
+    (void)rejectUnauthorized;
+#endif
+  }
+
+  void
+  connectUnixTLSWithContext(const std::string &path,
+                            const std::optional<std::string> &serverName,
+                            std::optional<bool> rejectUnauthorized,
+                            std::optional<double> secureContextId) override {
+#if !defined(__ANDROID__)
+    const char *sni = serverName.has_value() ? serverName->c_str() : "";
+    bool ru = rejectUnauthorized.value_or(true);
+    if (secureContextId.has_value()) {
+      net_connect_unix_tls_with_context(
+          _id, path.c_str(), sni, static_cast<int>(ru),
+          static_cast<uint32_t>(secureContextId.value()));
+    } else {
+      net_connect_unix_tls(_id, path.c_str(), sni, static_cast<int>(ru));
+    }
+#else
+    // Unix TLS not supported on Android
+    (void)path;
+    (void)serverName;
+    (void)rejectUnauthorized;
+    (void)secureContextId;
+#endif
+  }
+
 private:
   void onNativeEvent(int type, const uint8_t *data, size_t len) {
     if (!_onEvent)