Feature/add ip restriction middleware

[Octo8080X]

Why was this PR initiated?

I opened an issue and held discussions about officially providing middleware in Fresh by porting middleware from Hono.

#3011

What does this PR do?

I introduced the IP Restriction middleware bundled with Fresh by porting the IP Restriction middleware from Hono.

I appreciate your review.

[iuioiua]

First pass

[iuioiua]

These types already exist within the Deno runtime API. See https://docs.deno.com/api/deno/network.

[iuioiua]

Each test should be wrapped in a Deno.test() call.

[Octo8080X]

@iuioiua san.

Thanks for your comment!
Sorry if I’m mistaken, but I thought when writing in a BDD style, Deno.test would be replaced by describe. Was I incorrect about that?

https://jsr.io/@std/testing/doc/bdd#:~:text=()%2C%2018)%3B%0A%7D)%3B-,Mixed%20test%20grouping,-Both%20nested%20test

[Octo8080X]

I looked at the other code as well.
I understand now that using Deno.test instead of a BDD style is the standard.
I’ll prepare a fix.

[iuioiua]

There's a lot of IP address logic here that might be valuable in other domains. I recommend creating an issue for the Standard Library for any useful utilities to @std/net.

[Octo8080X]

The part you’re pointing out is indeed a generic utility — in Hono, it’s placed in utils as well.
I’ll go ahead and create an issue for now.

[Octo8080X]

@iuioiua

I have created an issue.Thanks.
denoland/std#6722

[Octo8080X]

@iuioiua
Hello.
The processing logic for IP addresses has been refactored and isolated into @std/net.
The middleware has been subsequently reconstructed utilizing this new module. Your review is requested.

[iuioiua]

I suggest using Deno.NetworkInterfaceInfo.family instead of this new type.

[iuioiua]

See first comment.

Suggested change

	function findType(addr: string): AddressType {
	if (isIPv4(addr)) {
	return "IPv4";
	} else if (isIPv6(addr)) {
	return "IPv6";
	}
	return "none";
	}
	function findType(addr: string): Deno.NetworkInterfaceInfo.family | undefined {
	if (isIPv4(addr)) {
	return "IPv4";
	} else if (isIPv6(addr)) {
	return "IPv6";
	}
	return undefined;
	}

[iuioiua]

Not needed. The content-type header by default is "text/plain;charset=UTF-8" anyway.

Suggested change

	headers: {
	"Content-Type": "text/plain",
	},

[iuioiua]

This interface and its properties should have JSDocs.

[iuioiua]

IIUC, this conditional will never be true because ctx.info.remoteAddr.hostname is always defined.

Suggested change

	if (!ctx.info.remoteAddr.hostname) {
	return blockError();
	}

[iuioiua]

Nit

Suggested change

	* @example custom error handling
	* @example Custom error handling

[iuioiua]

I think we should show how the onErrors parameters can be used here.

[Octo8080X]

I've gone ahead and added the usage examples.

[iuioiua]

Not needed if we go ahead with using matchSubnets inline, as stated below.

Suggested change

	function buildMatcher(ipList: string[]) {
	return (addr: string) => {
	return matchSubnets(addr, ipList);
	};
	}

[iuioiua]

Something like this will avoid the need for if (options?.onError) conditionals and being inline makes the behaviour of onError more immediately understood.

Suggested change

	const onError = options?.onError ?? (() =>
	new Response("Forbidden", {
	status: 403,
	headers: {
	"Content-Type": "text/plain",
	},
	}));

[Octo8080X]

I've made the adjustment to make it inline. Thanks!

[iuioiua]

I'm not strongly for or against this name... Are we sure about this name? Any other alternatives?

[Octo8080X]

@iuioiua
How about 'IpRule' or 'IpFilter' instead of 'IP Restriction'? They sound pretty good.

[iuioiua]

ipFilter sounds okay to me.

[iuioiua]

Getting closer to being ready, IMO. Few nits. HMU on Discord (same username) if you want to chat about any of this.

[iuioiua]

ipFilter sounds okay to me.

[iuioiua]

Suggested change

	const res = await ctx.next();
	return ctx.next();

Again, awaiting ctx.next() adds no value.

[iuioiua]

Suggested change

	return await ctx.next();
	return ctx.next();

Ditto

[iuioiua]

Suggested change

	return await options.onError({ addr, type }, ctx);
	return options.onError({ addr, type }, ctx);

Ditto

[iuioiua]

Suggested change

	): Middleware<State> {
	return async function ipRestriction<State>(ctx: Context<State>) {
	): Middleware<State> {
	const onBlock = options.onError ?? () => new Response("Forbidden", { status: 403 });
	return async function ipRestriction<State>(ctx: Context<State>) {

Reminder: avoids having to write if (options?.onError) blocks and makes things clear more immediately.

[iuioiua]

Ditto. See comment about onError being defined within the exported function.

[iuioiua]

Ditto. See comment about onError being defined within the exported function.

[iuioiua]

Suggested change

	* @param rules rules `{ denyList: string[], allowList: string[] }`.
	* @param rules Deny and allow rules object.

How you had it isn't how @param JSDoc tags should be written. They need to be written in natural human language describing what the variable is.

[iuioiua]

Suggested change

	* app.use(ipRestriction({denyList: ["192.168.1.10", "2001:db8::1"]}))
	* app.use(ipRestriction({
	* denyList: ["192.168.1.10", "2001:db8::1"],
	* }));

Nit

[iuioiua]

Suggested change

	* app.use(ipRestriction({denyList: ["192.168.1.10", "2001:db8::1"]}, customOnError))
	* app.use(ipRestriction({
	* denyList: ["192.168.1.10", "2001:db8::1"]
	* }, customOnError));

Nit

[iuioiua]

Getting closer.

[iuioiua]

Should these changes be reverted?

[Octo8080X]

I think ip_filter is necessary because it relies on @std/net.

[iuioiua]

This interface and its properties need documentation.

[Octo8080X]

We have addressed this matter.

[iuioiua]

I think whether you're using addr and type is unrelated to my point 😛

See my suggestion below.

[iuioiua]

Suggested change

	const type = findType(addr);
	const type = IPv4(addr) ? "IPv4" : "IPv6";

[Octo8080X]

I seem to have been overthinking it unnecessarily. I would like to adopt your proposal.

[iuioiua]

Yes, I do think it's unnecessary because type can only ever be IPv4 or IPv6.

[iuioiua]

Suggested change

	throw new TypeError(
	"Unsupported transport protocol. TCP & UDP is supported.",
	);
	return ctx.next();

[iuioiua]

Sorry, to correct my stance, yes, we should return early if not UDP or TCP traffic, because an IP address isn't being used. But I don't think throwing is the correct behaviour. Instead, we should just pass through. See my suggestion above.

[iuioiua]

Suggested change

	const onBlock = options?.onError ?? (() => blockError());
	const onBlock = options?.onError ?? (() => new Response("Forbidden", { status: 403 }));

So the reader doesn't have to scroll back up to see what onBlock does by default (since it's simple anyway).

[iuioiua]

Suggested change

	if ((rules.allowList || []).length === 0) {
	return ctx.next();
	} else {
	return onBlock({ addr, type }, ctx);
	return onBlock({ addr, type }, ctx);

I believe this first if statement is already covered by the preceding allow block.

[Octo8080X]

this section is needs.

This is because there were cases where the permission list was not explicitly set.
However, as pointed out, some parts seemed unnecessary, so I have reorganized the content.

Thank you

[iuioiua]

You should explain this filter. I.e. the precedence of rules. So deny rules take precedence over allow rules and traffic not matching any rule is denied by default (implicit deny).

[Octo8080X]

I mentioned this matter.

Thankyou

[iuioiua]

LGTM 👍🏾

[Octo8080X]

@marvinhagemeister

Thank you for the review on this PR a while back. It’s been about two months since iuioiua-san kindly provided feedback, and I truly appreciate the support. Please let me know if there is anything additional I can do to help get this merged—I'm ready to jump back in and make any necessary updates immediately.