Merge pull request #3 from NullNet-ai/dev

GyulyVGC · web-flow · commit e909963e4e0d · 2025-09-12T17:42:18.000+02:00
Implement client-side caching
diff --git a/.gitignore b/.gitignore
@@ -8,6 +8,7 @@ app_id.txt
 app_secret.txt
 firewall_defaults.json
 uuid.txt
+cache.txt
 .env
 # See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
 
diff --git a/client_common/proto/appguard.proto b/client_common/proto/appguard.proto
@@ -56,7 +56,7 @@ message AppGuardIpInfo {
   optional string region = 7;
   optional string postal = 8;
   optional string timezone = 9;
-  bool blacklist = 100;
+//  bool blacklist = 100;
 }
 
 message AppGuardTcpInfo {
diff --git a/client_common/proto/commands.proto b/client_common/proto/commands.proto
@@ -46,6 +46,7 @@ message ServerMessage {
 message FirewallDefaults {
     uint32 timeout = 1;
     FirewallPolicy policy = 2;
+    bool cache = 3;
 }
 
 enum FirewallPolicy {
diff --git a/client_common/src/appguard.ts b/client_common/src/appguard.ts
@@ -7,11 +7,13 @@ import {AppGuardResponse__Output} from './proto/appguard/AppGuardResponse'
 import {AppGuardTcpConnection} from './proto/appguard/AppGuardTcpConnection'
 import {AppGuardHttpResponse} from './proto/appguard/AppGuardHttpResponse'
 import {AppGuardTcpResponse__Output} from "./proto/appguard/AppGuardTcpResponse";
-import {APP_ID_FILE, APP_SECRET_FILE, FIREWALL_DEFAULTS_FILE, TOKEN_FILE} from "./auth";
+import {APP_ID_FILE, APP_SECRET_FILE, CACHE_FILE, FIREWALL_DEFAULTS_FILE, TOKEN_FILE} from "./auth";
 import {AuthorizationRequest} from "./proto/appguard_commands/AuthorizationRequest";
 import {ClientMessage} from "./proto/appguard_commands/ClientMessage";
 import {ServerMessage__Output} from "./proto/appguard_commands/ServerMessage";
 import {FirewallDefaults, FirewallDefaults__Output} from "./proto/appguard_commands/FirewallDefaults";
+import {CacheKey} from "./cache";
+import {FirewallPolicy} from "./proto/appguard_commands/FirewallPolicy";
 
 const opts = {includeDirs: [
     'node_modules/@nullnet/appguard-express/node_modules/appguard-client-common/proto/',
@@ -186,6 +188,9 @@ export class AppGuardService {
                 let firewallDefaults: FirewallDefaults = server_msg.setFirewallDefaults;
                 console.log("Received firewall defaults from server:", firewallDefaults);
                 fs.writeFileSync(FIREWALL_DEFAULTS_FILE, JSON.stringify(firewallDefaults), {flag: 'w'});
+                // empty and update cache
+                let cache: Map<string, FirewallPolicy> = new Map([]);
+                writeCache(cache);
             }
             if (server_msg.deviceDeauthorized) {
                 // delete saved app secret and app id
@@ -206,9 +211,49 @@ export class AppGuardService {
             }, 10000);
         });
     }
+
+    getFromCache(key: CacheKey) : FirewallPolicy | undefined {
+        let defaults = readFirewallDefaults();
+        if (defaults.cache) {
+            let cache = readCache();
+            return cache.get(JSON.stringify(key));
+        }
+    }
+
+    insertToCache(key: CacheKey, policy: FirewallPolicy) {
+        let defaults = readFirewallDefaults();
+        if (defaults.cache) {
+            let cache = readCache();
+            cache.set(JSON.stringify(key), policy);
+            writeCache(cache);
+        }
+    }
 }
 
 function readFirewallDefaults(): FirewallDefaults {
     let text = fs.readFileSync(FIREWALL_DEFAULTS_FILE, 'utf8');
-    return JSON.parse(text);
+    if (text.trim() === '') {
+        return {
+            policy: FirewallPolicy.ALLOW,
+            timeout: 1000,
+            cache: true,
+        };
+    } else {
+        return JSON.parse(text);
+    }
+}
+
+function readCache(): Map<string, FirewallPolicy> {
+    let text = fs.readFileSync(CACHE_FILE, 'utf8');
+    if (text.trim() === '') {
+        return new Map([]);
+    } else {
+        let map: Map<string, FirewallPolicy> = new Map(JSON.parse(text))
+        return map;
+    }
+}
+
+function writeCache(cache: Map<string, FirewallPolicy>) {
+    let mySerialMap = JSON.stringify(Array.from(cache.entries()));
+    fs.writeFileSync(CACHE_FILE, mySerialMap, {flag: 'w'});
 }
diff --git a/client_common/src/auth.ts b/client_common/src/auth.ts
@@ -3,11 +3,12 @@ import {AuthorizationRequest} from "./proto/appguard_commands/AuthorizationReque
 import {FirewallDefaults} from "./proto/appguard_commands/FirewallDefaults";
 import { v4 as uuidv4 } from 'uuid';
 
-export const TOKEN_FILE = process.cwd() + '/../token.txt'
-export const APP_ID_FILE = process.cwd() + '/../app_id.txt'
-export const APP_SECRET_FILE = process.cwd() + '/../app_secret.txt'
-export const FIREWALL_DEFAULTS_FILE = process.cwd() + '/../firewall_defaults.json'
-export const UUID_FILE = process.cwd() + '/../uuid.txt'
+export const TOKEN_FILE = process.cwd() + '/token.txt'
+export const APP_ID_FILE = process.cwd() + '/app_id.txt'
+export const APP_SECRET_FILE = process.cwd() + '/app_secret.txt'
+export const FIREWALL_DEFAULTS_FILE = process.cwd() + '/firewall_defaults.json'
+export const UUID_FILE = process.cwd() + '/uuid.txt'
+export const CACHE_FILE = process.cwd() + '/cache.txt'
 
 const fs = require('fs');
 
@@ -32,6 +33,10 @@ export class AuthHandler {
 
         // empty token file content
         fs.writeFileSync(TOKEN_FILE, '', {flag: 'w'});
+        // empty cache file content
+        fs.writeFileSync(CACHE_FILE, '', {flag: 'w'});
+        // empty firewall defaults file content
+        fs.writeFileSync(FIREWALL_DEFAULTS_FILE, '', {flag: 'w'});
     }
 
     async init(type: string){
diff --git a/client_common/src/cache.ts b/client_common/src/cache.ts
@@ -0,0 +1,10 @@
+import {FirewallPolicy} from "./proto/appguard_commands/FirewallPolicy";
+
+export class CacheKey {
+    originalUrl: string;
+    method: string;
+    body: string;
+    sourceIp: string;
+    userAgent: string;
+    query: Record<string, string>;
+}
diff --git a/client_common/src/index.ts b/client_common/src/index.ts
@@ -1,4 +1,5 @@
 export {FirewallPolicy} from "./proto/appguard_commands/FirewallPolicy";
 export {AppGuardService} from './appguard';
 export {AuthHandler} from './auth';
-export {AppGuardTcpInfo} from './proto/appguard/AppGuardTcpInfo';
+export {AppGuardTcpInfo} from './proto/appguard/AppGuardTcpInfo';
+export {CacheKey} from './cache';
diff --git a/client_common/src/proto/appguard/AppGuardIpInfo.ts b/client_common/src/proto/appguard/AppGuardIpInfo.ts
@@ -11,7 +11,6 @@ export interface AppGuardIpInfo {
   'region'?: (string);
   'postal'?: (string);
   'timezone'?: (string);
-  'blacklist'?: (boolean);
   '_country'?: "country";
   '_asn'?: "asn";
   '_org'?: "org";
@@ -32,5 +31,4 @@ export interface AppGuardIpInfo__Output {
   'region'?: (string);
   'postal'?: (string);
   'timezone'?: (string);
-  'blacklist'?: (boolean);
 }
diff --git a/client_common/src/proto/appguard_commands/FirewallDefaults.ts b/client_common/src/proto/appguard_commands/FirewallDefaults.ts
@@ -5,9 +5,11 @@ import type { FirewallPolicy as _appguard_commands_FirewallPolicy } from '../app
 export interface FirewallDefaults {
   'timeout'?: (number);
   'policy'?: (_appguard_commands_FirewallPolicy | keyof typeof _appguard_commands_FirewallPolicy);
+  'cache'?: (boolean);
 }
 
 export interface FirewallDefaults__Output {
   'timeout'?: (number);
   'policy'?: (_appguard_commands_FirewallPolicy);
+  'cache'?: (boolean);
 }
diff --git a/clients/express/src/express-middleware.ts b/clients/express/src/express-middleware.ts
@@ -1,5 +1,5 @@
 import { NextFunction, Request, Response, Send } from 'express';
-import { FirewallPolicy, AppGuardTcpInfo, AppGuardService, AuthHandler } from 'appguard-client-common';
+import { FirewallPolicy, AppGuardTcpInfo, AppGuardService, AuthHandler, CacheKey } from 'appguard-client-common';
 
 type ExpressMiddleware = (
   req: Request,
@@ -21,7 +21,8 @@ export const createAppGuardMiddleware = () => {
 
   const attachResponseHandlers = (
     res: Response,
-    tcp_info: AppGuardTcpInfo
+    tcp_info: AppGuardTcpInfo,
+    cacheKey: CacheKey,
   ) => {
     // Storing the original send function
     // @ts-ignore
@@ -49,10 +50,12 @@ export const createAppGuardMiddleware = () => {
       ));
 
       if (handleHTTPResponseResponse.policy === FirewallPolicy.DENY) {
+        appGuardService.insertToCache(cacheKey, FirewallPolicy.DENY);
         // Destroying the socket connection instead of sending the response
         // @ts-ignore
         res.socket?.destroy();
       } else {
+        appGuardService.insertToCache(cacheKey, FirewallPolicy.ALLOW);
         // Intercepting the response.send() call
         // Calling the original send function
         //@ts-expect-error: This function is this context
@@ -72,6 +75,7 @@ export const createAppGuardMiddleware = () => {
         // @ts-ignore
         req.socket.remoteAddress;
 
+
       // console.log(
       //   // @ts-ignore
       //   `Appguard Debug XRI:${req.headers['x-real-ip']} - XFF:${req.headers['x-forwarded-for']} TCP/PROXY:${req.socket.remoteAddress} SRC=${sourceIp}`
@@ -82,6 +86,32 @@ export const createAppGuardMiddleware = () => {
       //   `Appguard Debug From - ${sourceIp} - ${req.method} ${req.originalUrl}`
       // );
 
+        let cacheKey: CacheKey = {
+            // @ts-ignore
+            originalUrl: req.originalUrl,
+            // @ts-ignore
+            method: req.method,
+            // @ts-ignore
+            body: req.body,
+            // @ts-ignore
+            sourceIp: sourceIp,
+            // @ts-ignore
+            userAgent: req.headers["user-agent"],
+            // @ts-ignore
+            query: req.query as Record<string, string>,
+        };
+
+        let cached = appGuardService.getFromCache(cacheKey);
+        if (cached !== undefined) {
+            if (cached === FirewallPolicy.DENY) {
+                // @ts-ignore
+                res.socket?.destroy();
+            } else {
+                next();
+            }
+            return;
+        }
+
       const handleTCPConnectionResponse = await appGuardService.connectionPromise(
           {
               // @ts-ignore
@@ -122,6 +152,7 @@ export const createAppGuardMiddleware = () => {
 
       const policy = handleHTTPRequestResponse.policy;
       if (policy === FirewallPolicy.DENY) {
+        appGuardService.insertToCache(cacheKey, FirewallPolicy.DENY);
         // Destroying the socket connection instead of sending the response
         // @ts-ignore
         res.socket?.destroy();
@@ -130,7 +161,8 @@ export const createAppGuardMiddleware = () => {
         // attach response handlers after we get the req.id
         attachResponseHandlers(
           res,
-          handleTCPConnectionResponse.tcpInfo as AppGuardTcpInfo
+          handleTCPConnectionResponse.tcpInfo as AppGuardTcpInfo,
+          cacheKey
         );
         next();
       }
diff --git a/clients/nextjs/src/nextjs-middleware.ts b/clients/nextjs/src/nextjs-middleware.ts
@@ -1,5 +1,5 @@
 import {NextRequest, NextResponse} from 'next/server';
-import { FirewallPolicy, AppGuardTcpInfo, AppGuardService, AuthHandler } from 'appguard-client-common';
+import { FirewallPolicy, AppGuardTcpInfo, AppGuardService, AuthHandler, CacheKey } from 'appguard-client-common';
 
 type NextjsMiddleware = (req: NextRequest) => Promise<NextResponse>;
 
@@ -15,7 +15,7 @@ export const createAppGuardMiddleware = async () => {
     }
     await initialize();
 
-    const handleOutgoingResponse = async (tcp_info: AppGuardTcpInfo): Promise<NextResponse> => {
+    const handleOutgoingResponse = async (tcp_info: AppGuardTcpInfo, cacheKey: CacheKey): Promise<NextResponse> => {
         let res = NextResponse.next();
         const response_headers = res.headers;
 
@@ -30,11 +30,13 @@ export const createAppGuardMiddleware = async () => {
         ));
 
         if (handleHTTPResponseResponse.policy === FirewallPolicy.DENY) {
+            appGuardService.insertToCache(cacheKey, FirewallPolicy.DENY);
             return NextResponse.json(
                 {success: false, message: 'Unauthorized'},
                 {status: 401}
             );
         } else {
+            appGuardService.insertToCache(cacheKey, FirewallPolicy.ALLOW);
             return NextResponse.next();
         }
     };
@@ -49,6 +51,31 @@ export const createAppGuardMiddleware = async () => {
                 parseInt(req.headers.get('x-forwarded-port') as string, 10) :
                 undefined;
 
+            let cacheKey: CacheKey = {
+                originalUrl: req.nextUrl.pathname,
+                method: req.method,
+                // @ts-ignore
+                body: req.body,
+                // @ts-ignore
+                sourceIp: sourceIp,
+                // @ts-ignore
+                userAgent: req.headers["user-agent"],
+                // @ts-ignore
+                query: req.nextUrl.searchParams as Record<string, string>,
+            };
+
+            let cached = appGuardService.getFromCache(cacheKey);
+            if (cached !== undefined) {
+                if (cached === FirewallPolicy.DENY) {
+                    return NextResponse.json(
+                        {success: false, message: 'Unauthorized'},
+                        {status: 401}
+                    );
+                } else {
+                    return NextResponse.next();
+                }
+            }
+
             const handleTCPConnectionResponse = await appGuardService.connectionPromise(
                 {
                     sourceIp: sourceIp,
@@ -80,12 +107,13 @@ export const createAppGuardMiddleware = async () => {
 
             const policy = handleHTTPRequestResponse.policy;
             if (policy === FirewallPolicy.DENY) {
+                appGuardService.insertToCache(cacheKey, FirewallPolicy.DENY);
                 return NextResponse.json(
                     {success: false, message: 'Unauthorized'},
                     {status: 401}
                 );
             } else {
-                return await handleOutgoingResponse(handleTCPConnectionResponse.tcpInfo as AppGuardTcpInfo);
+                return await handleOutgoingResponse(handleTCPConnectionResponse.tcpInfo as AppGuardTcpInfo, cacheKey);
             }
         } catch (error) {
             console.error(error);

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ message AppGuardIpInfo {`
`56`	`56`	`optional string region = 7;`
`57`	`57`	`optional string postal = 8;`
`58`	`58`	`optional string timezone = 9;`
`59`		`- bool blacklist = 100;`
	`59`	`+// bool blacklist = 100;`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`message AppGuardTcpInfo {`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ message ServerMessage {`
`46`	`46`	`message FirewallDefaults {`
`47`	`47`	`uint32 timeout = 1;`
`48`	`48`	`FirewallPolicy policy = 2;`
	`49`	`+ bool cache = 3;`
`49`	`50`	`}`
`50`	`51`
`51`	`52`	`enum FirewallPolicy {`
Original file line number	Diff line number	Diff line change
`@@ -5,9 +5,11 @@ import type { FirewallPolicy as _appguard_commands_FirewallPolicy } from '../app`
`5`	`5`	`export interface FirewallDefaults {`
`6`	`6`	`'timeout'?: (number);`
`7`	`7`	`'policy'?: (_appguard_commands_FirewallPolicy \| keyof typeof _appguard_commands_FirewallPolicy);`
	`8`	`+ 'cache'?: (boolean);`
`8`	`9`	`}`
`9`	`10`
`10`	`11`	`export interface FirewallDefaults__Output {`
`11`	`12`	`'timeout'?: (number);`
`12`	`13`	`'policy'?: (_appguard_commands_FirewallPolicy);`
	`14`	`+ 'cache'?: (boolean);`
`13`	`15`	`}`