Feature/add ip restriction middleware

deno.json

@@ -47,6 +47,7 @@
     "@std/collections": "jsr:@std/collections@^1.1.2",
     "@std/dotenv": "jsr:@std/dotenv@^0.225.5",
     "@std/http": "jsr:@std/http@^1.0.15",
+    "@std/net": "jsr:@std/net@^1.0.6",
     "@std/uuid": "jsr:@std/uuid@^1.0.7",
     "@supabase/postgrest-js": "npm:@supabase/postgrest-js@^1.21.4",
     "@types/mime-db": "npm:@types/mime-db@^1.43.6",

packages/fresh/deno.json

@@ -21,6 +21,7 @@
     "@std/http": "jsr:@std/http@^1.0.21",
     "@std/jsonc": "jsr:@std/jsonc@^1.0.2",
     "@std/media-types": "jsr:@std/media-types@^1.1.0",
+    "@std/net": "jsr:@std/net@^1.0.6",
     "@std/path": "jsr:@std/path@^1.1.2",
     "@std/semver": "jsr:@std/semver@^1.0.6",
     "@std/uuid": "jsr:@std/uuid@^1.0.9",

packages/fresh/src/middlewares/ip_filter.ts

@@ -0,0 +1,126 @@
+import type { Context } from "../context.ts";
+import type { Middleware } from "./mod.ts";
+import { isIPv4, matchSubnets } from "@std/net/unstable-ip";
+
+/**
+ * Configuration rules for IP restriction middleware.
+ */
+export interface IpFilterRules {
+  /**
+   * List of IP addresses or CIDR blocks to deny access.
+   * If an IP matches any entry in this list, access will be blocked.
+   *
+   * @example ["192.168.1.10", "10.0.0.0/8", "2001:db8::1"]
+   */
+  denyList?: string[];
+
+  /**
+   * List of IP addresses or CIDR blocks to allow access.
+   * If specified, only IPs matching entries in this list will be allowed.
+   * If empty or undefined, all IPs are allowed (unless in denyList).
+   *
+   * @example ["192.168.1.0/24", "203.0.113.0/24", "2001:db8::/32"]
+   */
+  allowList?: string[];
+}
+
+export interface ipFilterOptions {
+  /**
+   * Called when a request is blocked by the IP filter.
+   *
+   * The function receives the remote information and the current request
+   * context and should return a Response (or a Promise resolving to one)
+   * which will be sent back to the client. If not provided, a default
+   * 403 Forbidden response will be used.
+   *
+   * Parameters:
+   * - `remote.addr` - the remote IP address as a string.
+   * - `remote.type` - the network family: "IPv4", "IPv6", or `undefined`.
+   * - `ctx` - the request `Context` which can be used to inspect the
+   *   request or produce a custom response.
+   *
+   * @example
+   * ```ts
+   * const options: ipFilterOptions = {
+   *   onError: (remote, ctx) => {
+   *     console.log(`Blocked ${remote.addr} (${remote.type})`, ctx.url);
+   *     return new Response("Access denied", { status: 401 });
+   *   },
+   * };
+   * ```
+   */
+  onError?: <State>(
+    remote: {
+      addr: string;
+      type: Deno.NetworkInterfaceInfo["family"] | undefined;
+    },
+    ctx: Context<State>,
+  ) => Response | Promise<Response>;
+}
+
+/**
+ * IP restriction Middleware for Fresh.
+ *
+ * @param rules Deny and allow rules object.
+ * @param options Options for the IP Restriction middleware.
+ * @returns The middleware handler function.
+ *
+ * Filters rule priority is denyList, then allowList.
+ * If an IP is in the denyList, it will be blocked regardless of the allowList.
+ *
+ * @example Basic usage (with defaults)
+ * ```ts
+ * const app = new App<State>()
+ *
+ * app.use(ipFilter({
+ *   denyList: ["192.168.1.10", "2001:db8::1"]
+ * }));
+ * ```
+ *
+ * @example Custom error handling
+ * ```ts
+ * const customOnError: ipFilterOptions = {
+ *   onError: (remote, ctx) => {
+ *     console.log(
+ *       `Request URL: ${ctx.url}, Blocked IP: ${remote.addr} of type ${remote.type}`,
+ *     );
+ *
+ *     return new Response("custom onError", { status: 401 });
+ *   },
+ * };
+ * app.use(ipFilter({
+ *   denyList: ["192.168.1.10", "2001:db8::1"]
+ * }, customOnError));
+ * ```
+ */
+export function ipFilter<State>(
+  rules: IpFilterRules,
+  options?: ipFilterOptions,
+): Middleware<State> {
+  const onBlock = options?.onError ??
+    (() => new Response("Forbidden", { status: 403 }));
+  return function ipFilter<State>(ctx: Context<State>) {
+    if (
+      ctx.info.remoteAddr.transport !== "udp" &&
+      ctx.info.remoteAddr.transport !== "tcp"
+    ) {
+      return ctx.next();
+    }
+
+    const addr = ctx.info.remoteAddr.hostname;
+    const type = isIPv4(addr) ? "IPv4" : "IPv6";
+
+    if (matchSubnets(addr, rules.denyList || [])) {
+      return onBlock({ addr, type }, ctx);
+    }
+
+    if (
+      (rules.allowList || []).length === 0 ||
+      matchSubnets(addr, rules.allowList || [])
+    ) {
+      return ctx.next();
+    }
+
+    return onBlock({ addr, type }, ctx);
+  };
+}

packages/fresh/src/middlewares/ip_filter_test.ts

@@ -0,0 +1,105 @@
+import { App } from "../app.ts";
+import type { Context } from "../context.ts";
+import {
+  ipFilter,
+  type ipFilterOptions,
+  type IpFilterRules,
+} from "./ip_filter.ts";
+import { expect } from "@std/expect";
+
+function testHandler<T>(
+  remortAddr: string,
+  ipFilterRules: IpFilterRules,
+  options?: ipFilterOptions,
+): (request: Request) => Promise<Response> {
+  function remoteHostOverRide(ctx: Context<T>) {
+    (ctx.info.remoteAddr as { hostname: string }).hostname = remortAddr;
+    return ctx.next();
+  }
+
+  if (!options) {
+    return new App<T>()
+      .use(remoteHostOverRide)
+      .use(ipFilter(ipFilterRules))
+      .all("/", () => new Response("hello"))
+      .handler();
+  }
+
+  return new App<T>()
+    .use(remoteHostOverRide)
+    .use(ipFilter(ipFilterRules, options))
+    .all("/", () => new Response("hello"))
+    .handler();
+}
+
+async function createTest(
+  addr: string,
+  ipFilterRules: IpFilterRules,
+  options?: ipFilterOptions,
+): Promise<number> {
+  const handler = testHandler(addr, ipFilterRules, options);
+
+  const res = await handler(new Request("https://localhost/"));
+
+  return res.status;
+}
+
+Deno.test("ipFilter - no option", async () => {
+  expect(await createTest("192.168.1.10", {})).toBe(200);
+});
+Deno.test("ipFilter - set ipFilterRules deny only", async () => {
+  const ipFilterRules = {
+    denyList: ["192.168.1.10", "2001:db8::1"],
+  };
+
+  expect(await createTest("192.168.1.10", ipFilterRules)).toBe(403);
+  expect(await createTest("192.168.1.11", ipFilterRules)).toBe(200);
+  expect(await createTest("2001:db8::1", ipFilterRules)).toBe(403);
+  expect(await createTest("2001:db8::2", ipFilterRules)).toBe(200);
+});
+
+Deno.test("ipFilter - set ipFilterRules arrow only", async () => {
+  const ipFilterRules = {
+    allowList: ["192.168.1.10", "2001:db8::1"],
+  };
+  expect(await createTest("192.168.1.10", ipFilterRules)).toBe(200);
+  expect(await createTest("192.168.1.11", ipFilterRules)).toBe(403);
+  expect(await createTest("2001:db8::1", ipFilterRules)).toBe(200);
+  expect(await createTest("2001:db8::2", ipFilterRules)).toBe(403);
+});
+
+// arrow and deny
+// deny の方が優先されるを英語で
+// When both allow and deny are set, deny takes precedence
+Deno.test("ipFilter - set ipFilterRules arrow and deny", async () => {
+  const ipFilterRules = {
+    denyList: ["192.168.1.10", "2001:db8::1"],
+    allowList: ["192.168.1.10", "2001:db8::1"],
+  };
+  expect(await createTest("192.168.1.10", ipFilterRules)).toBe(403);
+  expect(await createTest("2001:db8::1", ipFilterRules)).toBe(403);
+});
+
+// adapt subnet mask
+Deno.test("ipFilter - adapt subnet mask", async () => {
+  const ipFilterRules = {
+    denyList: ["192.168.1.0/24"],
+  };
+  expect(await createTest("192.168.1.10", ipFilterRules)).toBe(403);
+});
+
+// onError
+Deno.test("ipFilter - custom onError", async () => {
+  const ipFilterRules = {
+    denyList: ["192.168.1.0/24"],
+  };
+
+  const customOnError: ipFilterOptions = {
+    onError: () => {
+      return new Response("custom onError", { status: 401 });
+    },
+  };
+
+  expect(await createTest("192.168.1.10", ipFilterRules, customOnError))
+    .toBe(401);
+});

packages/fresh/src/mod.ts

@@ -13,6 +13,7 @@ export type { Middleware, MiddlewareFn } from "./middlewares/mod.ts";
 export { staticFiles } from "./middlewares/static_files.ts";
 export { csrf, type CsrfOptions } from "./middlewares/csrf.ts";
 export { cors, type CORSOptions } from "./middlewares/cors.ts";
+export { ipFilter, type IpFilterRules } from "./middlewares/ip_filter.ts";
 export { csp, type CSPOptions } from "./middlewares/csp.ts";
 export type { FreshConfig, ResolvedFreshConfig } from "./config.ts";
 export type { Context, FreshContext, Island } from "./context.ts";