chore: add changeset for IP core upgrade

TeaCoder52 · TeaCoder52 · commit 4c9bb12ccfcc · 2025-12-17T09:39:43.000+03:00
diff --git a/.changeset/silver-views-type.md b/.changeset/silver-views-type.md
@@ -0,0 +1,6 @@
+---
+'@ip-kit/express': patch
+'@ip-kit/core': minor
+---
+
+Improve IP parsing, CIDR matching and trust proxy logic. Introduce structured IP model for security-grade IP resolution.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,9 +1,14 @@
 name: Release
 
 on:
+    push:
+        branches:
+          - main
+        paths:
+          - '.changeset/**'
     push:
         tags:
-            - 'v*.*.*'
+          - 'v*.*.*'
     workflow_dispatch:
 
 permissions:
diff --git a/packages/core/src/ip/cidr.test.ts b/packages/core/src/ip/cidr.test.ts
@@ -1,47 +1,78 @@
 import { describe, it, expect } from 'vitest'
-import { ipInCidr } from './cidr'
+import { parseCidr, ipInCidr } from './cidr'
 
-describe('ipInCidr', () => {
+describe('CIDR matching', () => {
 	describe('IPv4', () => {
 		it('matches IP inside CIDR', () => {
-			expect(ipInCidr('192.168.1.10', '192.168.1.0/24')).toBe(true)
+			const cidr = parseCidr('192.168.1.0/24')
+			expect(cidr).not.toBeNull()
+
+			expect(ipInCidr('192.168.1.10', cidr!)).toBe(true)
 		})
 
 		it('does not match IP outside CIDR', () => {
-			expect(ipInCidr('192.168.2.10', '192.168.1.0/24')).toBe(false)
+			const cidr = parseCidr('192.168.1.0/24')
+			expect(cidr).not.toBeNull()
+
+			expect(ipInCidr('192.168.2.10', cidr!)).toBe(false)
 		})
 
 		it('matches /32 correctly', () => {
-			expect(ipInCidr('8.8.8.8', '8.8.8.8/32')).toBe(true)
-			expect(ipInCidr('8.8.8.9', '8.8.8.8/32')).toBe(false)
+			const cidr = parseCidr('8.8.8.8/32')
+			expect(cidr).not.toBeNull()
+
+			expect(ipInCidr('8.8.8.8', cidr!)).toBe(true)
+			expect(ipInCidr('8.8.8.9', cidr!)).toBe(false)
 		})
 	})
 
 	describe('IPv6', () => {
 		it('matches IPv6 inside CIDR', () => {
-			expect(ipInCidr('2001:db8::1', '2001:db8::/32')).toBe(true)
+			const cidr = parseCidr('2001:db8::/32')
+			expect(cidr).not.toBeNull()
+
+			expect(ipInCidr('2001:db8::1', cidr!)).toBe(true)
 		})
 
 		it('does not match IPv6 outside CIDR', () => {
-			expect(ipInCidr('2001:dead::1', '2001:db8::/32')).toBe(false)
+			const cidr = parseCidr('2001:db8::/32')
+			expect(cidr).not.toBeNull()
+
+			expect(ipInCidr('2001:dead::1', cidr!)).toBe(false)
 		})
 
 		it('matches /128 correctly', () => {
-			expect(ipInCidr('::1', '::1/128')).toBe(true)
+			const cidr = parseCidr('::1/128')
+			expect(cidr).not.toBeNull()
+
+			expect(ipInCidr('::1', cidr!)).toBe(true)
+			expect(ipInCidr('::2', cidr!)).toBe(false)
 		})
 	})
 
 	describe('invalid input', () => {
-		it('returns false for invalid IP', () => {
-			expect(ipInCidr('unknown', '192.168.0.0/16')).toBe(false)
+		it('returns null for invalid CIDR string', () => {
+			expect(parseCidr('invalid')).toBeNull()
+			expect(parseCidr('192.168.0.0')).toBeNull()
+			expect(parseCidr('192.168.0.0/99')).toBeNull()
 		})
 
-		it('returns false for invalid CIDR', () => {
-			expect(ipInCidr('192.168.1.1', 'invalid')).toBe(false)
+		it('returns false for invalid IP', () => {
+			const cidr = parseCidr('192.168.0.0/16')
+			expect(cidr).not.toBeNull()
+
+			expect(ipInCidr('unknown', cidr!)).toBe(false)
 		})
 
-		it('returns false for invalid prefix', () => {
-			expect(ipInCidr('192.168.1.1', '192.168.0.0/99')).toBe(false)
+		it('returns false for mismatched IP version', () => {
+			const ipv4 = parseCidr('192.168.0.0/16')
+			const ipv6 = parseCidr('2001:db8::/32')
+
+			expect(ipv4).not.toBeNull()
+			expect(ipv6).not.toBeNull()
+
+			expect(ipInCidr('::1', ipv4!)).toBe(false)
+			expect(ipInCidr('192.168.0.1', ipv6!)).toBe(false)
 		})
 	})
 })
diff --git a/packages/core/src/ip/is-private.ts b/packages/core/src/ip/is-private.ts
@@ -1,6 +1,6 @@
-import { ipInCidr } from './cidr'
+import { parseCidr, ipInCidr, type ParsedCidr } from './cidr'
 
-const PRIVATE_CIDRS = [
+const PRIVATE_CIDRS: ParsedCidr[] = [
 	// IPv4
 	'10.0.0.0/8',
 	'172.16.0.0/12',
@@ -12,6 +12,8 @@ const PRIVATE_CIDRS = [
 	'fc00::/7',
 	'fe80::/10',
 ]
+	.map(parseCidr)
+	.filter((v): v is ParsedCidr => v !== null)
 
 export function isPrivateIp(ip: string): boolean {
 	return PRIVATE_CIDRS.some((cidr) => ipInCidr(ip, cidr))
diff --git a/packages/core/src/trust/presets.test.ts b/packages/core/src/trust/presets.test.ts
@@ -4,25 +4,30 @@ import { createTrustProxy } from './trust-proxy'
 
 describe('trustPresets', () => {
 	it('loopback trusts localhost', () => {
-		const trust = createTrustProxy(trustPresets.loopback)
+		const proxy = createTrustProxy(trustPresets.loopback)
 
-		expect(trust('127.0.0.1')).toBe(true)
-		expect(trust('::1')).toBe(true)
-		expect(trust('8.8.8.8')).toBe(false)
+		expect(proxy.fn('127.0.0.1')).toBe(true)
+		expect(proxy.fn('::1')).toBe(true)
+		expect(proxy.fn('8.8.8.8')).toBe(false)
+
+		expect(proxy.test('127.0.0.1')).toEqual({
+			trusted: true,
+			reason: 'LOOPBACK',
+		})
 	})
 
 	it('private trusts private networks', () => {
-		const trust = createTrustProxy(trustPresets.private)
+		const proxy = createTrustProxy(trustPresets.private)
 
-		expect(trust('10.0.0.1')).toBe(true)
-		expect(trust('192.168.1.1')).toBe(true)
-		expect(trust('8.8.8.8')).toBe(false)
+		expect(proxy.fn('10.0.0.1')).toBe(true)
+		expect(proxy.fn('192.168.1.1')).toBe(true)
+		expect(proxy.fn('8.8.8.8')).toBe(false)
 	})
 
-	it('cloudflare trusts CF IPs', () => {
-		const trust = createTrustProxy(trustPresets.cloudflare)
+	it('cloudflare trusts Cloudflare IPs', () => {
+		const proxy = createTrustProxy(trustPresets.cloudflare)
 
-		expect(trust('173.245.48.10')).toBe(true)
-		expect(trust('8.8.8.8')).toBe(false)
+		expect(proxy.fn('173.245.48.10')).toBe(true)
+		expect(proxy.fn('8.8.8.8')).toBe(false)
 	})
 })
diff --git a/packages/core/src/trust/presets.ts b/packages/core/src/trust/presets.ts
@@ -7,7 +7,6 @@ export const trustPresets = {
 		name: 'LOOPBACK',
 		fn: (ip) => ip === '127.0.0.1' || ip === '::1',
 	},
-
 	private: {
 		mode: 'fn',
 		name: 'PRIVATE_NETWORK',
@@ -21,7 +20,6 @@ export const trustPresets = {
 			'fe80::/10',
 		]),
 	},
-
 	cloudflare: {
 		mode: 'fn',
 		name: 'CLOUDFLARE',
diff --git a/packages/core/src/trust/trust-proxy.test.ts b/packages/core/src/trust/trust-proxy.test.ts
@@ -3,32 +3,59 @@ import { createTrustProxy } from './trust-proxy'
 
 describe('createTrustProxy', () => {
 	it('mode=all trusts everything', () => {
-		const trust = createTrustProxy({ mode: 'all' })
+		const proxy = createTrustProxy({ mode: 'all' })
 
-		expect(trust('8.8.8.8')).toBe(true)
-		expect(trust('127.0.0.1')).toBe(true)
+		expect(proxy.fn('8.8.8.8')).toBe(true)
+		expect(proxy.fn('127.0.0.1')).toBe(true)
+
+		expect(proxy.test('8.8.8.8')).toEqual({
+			trusted: true,
+			reason: 'ALL_TRUSTED',
+		})
 	})
 
 	it('mode=none trusts nothing', () => {
-		const trust = createTrustProxy({ mode: 'none' })
+		const proxy = createTrustProxy({ mode: 'none' })
+
+		expect(proxy.fn('8.8.8.8')).toBe(false)
+		expect(proxy.fn('127.0.0.1')).toBe(false)
 
-		expect(trust('8.8.8.8')).toBe(false)
-		expect(trust('127.0.0.1')).toBe(false)
+		expect(proxy.test('8.8.8.8')).toEqual({
+			trusted: false,
+			reason: 'NONE_TRUSTED',
+		})
 	})
 
-	it('mode=fn delegates to function', () => {
-		const trust = createTrustProxy({
+	it('mode=fn delegates to custom function', () => {
+		const proxy = createTrustProxy({
 			mode: 'fn',
+			name: 'LOOPBACK_ONLY',
 			fn: (ip) => ip === '127.0.0.1',
 		})
 
-		expect(trust('127.0.0.1')).toBe(true)
-		expect(trust('8.8.8.8')).toBe(false)
+		expect(proxy.fn('127.0.0.1')).toBe(true)
+		expect(proxy.fn('8.8.8.8')).toBe(false)
+
+		expect(proxy.test('127.0.0.1')).toEqual({
+			trusted: true,
+			reason: 'LOOPBACK_ONLY',
+		})
+
+		expect(proxy.test('8.8.8.8')).toEqual({
+			trusted: false,
+			reason: 'LOOPBACK_ONLY',
+		})
 	})
 
 	it('mode=fn without fn returns false', () => {
-		const trust = createTrustProxy({ mode: 'fn' })
+		const proxy = createTrustProxy({ mode: 'fn' })
 
-		expect(trust('127.0.0.1')).toBe(false)
+		expect(proxy.fn('127.0.0.1')).toBe(false)
+		expect(proxy.fn('8.8.8.8')).toBe(false)
+
+		expect(proxy.test('127.0.0.1')).toEqual({
+			trusted: false,
+			reason: 'CUSTOM_FN',
+		})
 	})
 })
diff --git a/packages/express/src/middleware.ts b/packages/express/src/middleware.ts
@@ -10,8 +10,8 @@ export interface IpKitExpressOptions {
 	trustProxy?: TrustProxyConfig | keyof typeof trustPresets
 }
 
-export function ipKitExpress(options: IpKitExpressOptions = {}) {
-	const trust =
+export function ipKit(options: IpKitExpressOptions = {}) {
+	const proxy =
 		typeof options.trustProxy === 'string'
 			? createTrustProxy(trustPresets[options.trustProxy])
 			: options.trustProxy
@@ -23,9 +23,9 @@ export function ipKitExpress(options: IpKitExpressOptions = {}) {
 		_res: Response,
 		next: NextFunction
 	) {
-		const result = extractIp(req, { trustProxy: trust })
-
-		req.ipKit = result
+		req.ipKit = extractIp(req, {
+			trustProxy: proxy.fn,
+		})
 
 		next()
 	}
