UNPKG

hono

Version:

Web framework built on Web Standards

163 lines (162 loc) 5.18 kB
// src/middleware/ip-restriction/index.ts import { HTTPException } from "../../http-exception.js"; import { convertIPv4MappedIPv6ToIPv4, convertIPv4ToBinary, convertIPv6BinaryToString, convertIPv6ToBinary, distinctRemoteAddr, isIPv4MappedIPv6, INVALID_IP_ADDRESS_ERROR_CODE } from "../../utils/ipaddr.js"; var IS_CIDR_NOTATION_REGEX = /\/[^/]*$/; var parseCidrPrefix = (rule, prefix, max) => { if (!/^[0-9]{1,3}$/.test(prefix)) { throw new TypeError(`Invalid rule: ${rule}`); } const parsedPrefix = parseInt(prefix); if (parsedPrefix > max) { throw new TypeError(`Invalid rule: ${rule}`); } return parsedPrefix; }; var buildMatcher = (rules) => { const functionRules = []; const staticRules = /* @__PURE__ */ new Set(); const staticIPv4Rules = /* @__PURE__ */ new Set(); const staticIPv6Rules = /* @__PURE__ */ new Set(); const cidrRules = []; const registerStaticRule = (rule) => { const type = distinctRemoteAddr(rule); if (type === void 0) { throw new TypeError(`Invalid rule: ${rule}`); } if (type === "IPv4") { const ipv4binary = convertIPv4ToBinary(rule); staticRules.add(rule); staticRules.add(`::ffff:${rule}`); staticIPv4Rules.add(ipv4binary); staticIPv6Rules.add(0xffffn << 32n | ipv4binary); } else { const ipv6binary = convertIPv6ToBinary(rule); const ipv6Addr = convertIPv6BinaryToString(ipv6binary); staticRules.add(ipv6Addr); staticIPv6Rules.add(ipv6binary); if (isIPv4MappedIPv6(ipv6binary)) { staticRules.add(ipv6Addr.substring(7)); staticIPv4Rules.add(convertIPv4MappedIPv6ToIPv4(ipv6binary)); } } }; for (let rule of rules) { if (rule === "*") { return () => true; } else if (typeof rule === "function") { functionRules.push(rule); } else { if (IS_CIDR_NOTATION_REGEX.test(rule)) { const separatedRule = rule.split("/"); const addrStr = separatedRule[0]; const type = distinctRemoteAddr(addrStr); if (type === void 0) { throw new TypeError(`Invalid rule: ${rule}`); } let isIPv4 = type === "IPv4"; let prefix = parseCidrPrefix(rule, separatedRule[1], isIPv4 ? 32 : 128); if (isIPv4 ? prefix === 32 : prefix === 128) { rule = addrStr; } else { let addr = (isIPv4 ? convertIPv4ToBinary : convertIPv6ToBinary)(addrStr); if (type === "IPv6" && isIPv4MappedIPv6(addr) && prefix >= 96) { isIPv4 = true; addr = convertIPv4MappedIPv6ToIPv4(addr); prefix -= 96; } const mask = (1n << BigInt(prefix)) - 1n << BigInt((isIPv4 ? 32 : 128) - prefix); cidrRules.push([isIPv4, addr & mask, mask]); continue; } } registerStaticRule(rule); } } return (remote) => { if (staticRules.has(remote.addr)) { return true; } const remoteAddr = remote.binaryAddr ||= (remote.isIPv4 ? convertIPv4ToBinary : convertIPv6ToBinary)(remote.addr); const remoteIPv4Addr = remote.isIPv4 || isIPv4MappedIPv6(remoteAddr) ? remote.isIPv4 ? remoteAddr : convertIPv4MappedIPv6ToIPv4(remoteAddr) : void 0; if ((remote.isIPv4 ? staticIPv4Rules : staticIPv6Rules).has(remoteAddr)) { return true; } for (const [isIPv4, addr, mask] of cidrRules) { if (isIPv4) { if (remoteIPv4Addr === void 0) { continue; } if ((remoteIPv4Addr & mask) === addr) { return true; } continue; } if (remote.isIPv4) { continue; } if ((remoteAddr & mask) === addr) { return true; } } for (const rule of functionRules) { if (rule({ addr: remote.addr, type: remote.type })) { return true; } } return false; }; }; var ipRestriction = (getIP, { denyList = [], allowList = [] }, onError) => { const allowLength = allowList.length; const denyMatcher = buildMatcher(denyList); const allowMatcher = buildMatcher(allowList); const blockError = (c) => new HTTPException(403, { res: c.text("Forbidden", { status: 403 }) }); return async function ipRestriction2(c, next) { const connInfo = getIP(c); const addr = typeof connInfo === "string" ? connInfo : connInfo.remote.address; if (!addr) { throw blockError(c); } const type = typeof connInfo !== "string" && connInfo.remote.addressType || distinctRemoteAddr(addr); const remoteData = { addr, type, isIPv4: type === "IPv4" }; try { if (denyMatcher(remoteData)) { if (onError) { return onError({ addr, type }, c); } throw blockError(c); } if (allowMatcher(remoteData)) { return await next(); } } catch (e) { if (e instanceof TypeError && e.code === INVALID_IP_ADDRESS_ERROR_CODE) { throw blockError(c); } throw e; } if (allowLength === 0) { return await next(); } else { if (onError) { return await onError({ addr, type }, c); } throw blockError(c); } }; }; export { ipRestriction };