chore(): improvements

.github/workflows/e2e-interop.yml

@@ -0,0 +1,80 @@
+name: Spore E2E Interop
+
+on:
+  workflow_dispatch: {}
+
+jobs:
+  interop-linux:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Determine working directory
+        id: workdir
+        run: |
+          if [ -d bore-erlang ]; then
+            echo "WORKDIR=bore-erlang" >> $GITHUB_ENV
+          else
+            echo "WORKDIR=." >> $GITHUB_ENV
+          fi
+          echo "Using WORKDIR=$WORKDIR"
+
+      - name: Setup Elixir/OTP
+        uses: erlef/setup-beam@v1
+        with:
+          otp-version: '26'
+          elixir-version: '1.16'
+
+      - name: Build Spore escript
+        working-directory: ${{ env.WORKDIR }}
+        run: |
+          mix deps.get
+          mix escript.build
+
+      - name: Setup Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install bore-cli
+        run: |
+          cargo install bore-cli
+          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+
+      - name: Start local HTTP server (backend)
+        working-directory: ${{ env.WORKDIR }}
+        run: |
+          nohup python3 -m http.server 25565 >/tmp/http.log 2>&1 &
+          sleep 1
+
+      - name: Start Spore server
+        working-directory: ${{ env.WORKDIR }}
+        run: |
+          nohup ./spore server --min-port 20000 --max-port 21000 --bind-addr 127.0.0.1 >/tmp/server.log 2>&1 &
+          sleep 1
+
+      - name: Start bore (Rust) client
+        run: |
+          nohup bore local 25565 --to 127.0.0.1 --port 0 >/tmp/bore-client.log 2>&1 &
+          sleep 2
+          echo "Bore client log:" && tail -n +1 /tmp/bore-client.log
+
+      - name: Discover assigned remote port
+        id: discover
+        run: |
+          PORT=$(grep -oE 'listening at 127.0.0.1:[0-9]+' /tmp/bore-client.log | tail -n1 | sed 's/.*://')
+          if [ -z "$PORT" ]; then echo "Could not find assigned port"; exit 1; fi
+          echo "REMOTE_PORT=$PORT" >> $GITHUB_ENV
+
+      - name: Curl through the tunnel
+        run: |
+          echo "Curling 127.0.0.1:${REMOTE_PORT}/"
+          curl -sSf -v 127.0.0.1:${REMOTE_PORT}/ >/tmp/curl.out
+          test -s /tmp/curl.out
+
+      - name: Show logs on failure
+        if: failure()
+        run: |
+          echo "=== server.log ==="; cat /tmp/server.log || true
+          echo "=== bore-client.log ==="; cat /tmp/bore-client.log || true
+          echo "=== http.log ==="; cat /tmp/http.log || true
+          echo "=== curl.out ==="; cat /tmp/curl.out || true

.github/workflows/e2e.yml

@@ -0,0 +1,73 @@
+name: Spore E2E
+
+on:
+  workflow_dispatch: {}
+
+jobs:
+  e2e-linux:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Determine working directory
+        id: workdir
+        run: |
+          if [ -d bore-erlang ]; then
+            echo "WORKDIR=bore-erlang" >> $GITHUB_ENV
+          else
+            echo "WORKDIR=." >> $GITHUB_ENV
+          fi
+          echo "Using WORKDIR=$WORKDIR"
+
+      - name: Setup Elixir/OTP
+        uses: erlef/setup-beam@v1
+        with:
+          otp-version: '26'
+          elixir-version: '1.16'
+
+      - name: Install deps and build escript
+        working-directory: ${{ env.WORKDIR }}
+        run: |
+          mix deps.get
+          mix escript.build
+
+      - name: Start local HTTP server (backend)
+        working-directory: ${{ env.WORKDIR }}
+        run: |
+          nohup python3 -m http.server 25565 >/tmp/http.log 2>&1 &
+          sleep 1
+
+      - name: Start Spore server
+        working-directory: ${{ env.WORKDIR }}
+        run: |
+          nohup ./spore server --min-port 20000 --max-port 21000 --bind-addr 127.0.0.1 --metrics-port 9568 >/tmp/server.log 2>&1 &
+          sleep 1
+
+      - name: Start Spore client
+        working-directory: ${{ env.WORKDIR }}
+        run: |
+          nohup ./spore local --local-host 127.0.0.1 --local-port 25565 --to 127.0.0.1 --port 0 >/tmp/client.log 2>&1 &
+          sleep 2
+          echo "Client log:" && tail -n +1 /tmp/client.log
+
+      - name: Discover assigned remote port
+        id: discover
+        run: |
+          PORT=$(grep -oE 'listening at 127.0.0.1:[0-9]+' /tmp/client.log | tail -n1 | sed 's/.*://')
+          if [ -z "$PORT" ]; then echo "Could not find assigned port"; exit 1; fi
+          echo "REMOTE_PORT=$PORT" >> $GITHUB_ENV
+
+      - name: Curl through the tunnel
+        run: |
+          echo "Curling 127.0.0.1:${REMOTE_PORT}/"
+          curl -sSf -v 127.0.0.1:${REMOTE_PORT}/ >/tmp/curl.out
+          test -s /tmp/curl.out
+
+      - name: Show logs on failure
+        if: failure()
+        run: |
+          echo "=== server.log ==="; cat /tmp/server.log || true
+          echo "=== client.log ==="; cat /tmp/client.log || true
+          echo "=== http.log ==="; cat /tmp/http.log || true
+          echo "=== curl.out ==="; cat /tmp/curl.out || true

.github/workflows/release-matrix.yml

@@ -0,0 +1,80 @@
+name: Spore Release Matrix
+
+on:
+  workflow_dispatch:
+    inputs:
+      name:
+        description: 'Release name (optional)'
+        required: false
+        type: string
+
+jobs:
+  build-release:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Determine working directory
+        id: workdir
+        run: |
+          if [ -d bore-erlang ]; then
+            echo "WORKDIR=bore-erlang" >> $GITHUB_ENV
+          else
+            echo "WORKDIR=." >> $GITHUB_ENV
+          fi
+          echo "Using WORKDIR=$WORKDIR"
+        shell: bash
+
+      - name: Setup Elixir/OTP
+        uses: erlef/setup-beam@v1
+        with:
+          otp-version: '26'
+          elixir-version: '1.16'
+
+      - name: Install deps
+        working-directory: ${{ env.WORKDIR }}
+        run: |
+          mix local.hex --force
+          mix deps.get
+
+      - name: Compile (prod)
+        working-directory: ${{ env.WORKDIR }}
+        run: MIX_ENV=prod mix compile
+
+      - name: Build release
+        working-directory: ${{ env.WORKDIR }}
+        run: MIX_ENV=prod mix release
+
+      - name: Archive release (Unix)
+        if: runner.os != 'Windows'
+        working-directory: ${{ env.WORKDIR }}
+        run: |
+          cd _build/prod/rel
+          tar czf spore-${{ runner.os }}.tar.gz spore
+
+      - name: Archive release (Windows)
+        if: runner.os == 'Windows'
+        working-directory: ${{ env.WORKDIR }}
+        run: |
+          cd _build/prod/rel
+          powershell -Command "Compress-Archive -Path spore -DestinationPath spore-Windows.zip"
+
+      - name: Upload artifact (Unix)
+        if: runner.os != 'Windows'
+        uses: actions/upload-artifact@v4
+        with:
+          name: spore-${{ runner.os }}-release
+          path: ${{ env.WORKDIR }}/_build/prod/rel/spore-${{ runner.os }}.tar.gz
+          if-no-files-found: error
+
+      - name: Upload artifact (Windows)
+        if: runner.os == 'Windows'
+        uses: actions/upload-artifact@v4
+        with:
+          name: spore-${{ runner.os }}-release
+          path: ${{ env.WORKDIR }}/_build/prod/rel/spore-Windows.zip
+          if-no-files-found: error

README.md

@@ -20,6 +20,10 @@ mix escript.build
 ```
 This produces an executable named `spore` in the project directory.
 
+### Optional config file (JSON)
+You can pass a JSON config with `--config FILE.json` on both server and client. Supported keys:
+`control_port`, `tls`, `cacertfile`, `client_certfile`, `client_keyfile`, `certfile`, `keyfile`, `allow`, `deny`, `max_conns_per_ip`, `metrics_port`, `sndbuf`, `recbuf`.
+
 ## Quickstart
 ### Server (choose a public range)
 ```bash

config_example.json

@@ -0,0 +1,12 @@
+{
+  "control_port": 9000,
+  "tls": true,
+  "certfile": "cert.pem",
+  "keyfile": "key.pem",
+  "allow": "10.0.0.0/8,192.168.0.0/16",
+  "deny": "0.0.0.0/0",
+  "max_conns_per_ip": 50,
+  "metrics_port": 9568,
+  "sndbuf": 1048576,
+  "recbuf": 1048576
+}

lib/spore/application.ex

@@ -4,11 +4,15 @@ defmodule Spore.Application do
 
   @impl true
   def start(_type, _args) do
+    _ = Spore.Tracing.start()
+
     children = [
       {Registry, keys: :unique, name: Spore.Pending.Registry},
       {DynamicSupervisor, name: Spore.Pending.Supervisor, strategy: :one_for_one},
       {Spore.Pending, []},
       {Spore.Limits, []},
+      {Spore.Banlist, []},
+      {Spore.SecretQuota, []},
       {Spore.Metrics, []}
     ]
 

lib/spore/auth.ex

@@ -8,11 +8,13 @@ defmodule Spore.Auth do
 
   import Bitwise
 
-  @type t :: %{key: binary()}
+  @type t :: %{key: binary(), id: String.t()}
 
   @spec new(String.t()) :: t
   def new(secret) do
-    %{key: :crypto.hash(:sha256, secret)}
+    hash = :crypto.hash(:sha256, secret)
+    id = Base.encode16(hash, case: :lower)
+    %{key: hash, id: id}
   end
 
   @doc "Create multiple authenticators from a comma-separated list."
@@ -74,8 +76,10 @@ defmodule Spore.Auth do
 
     case Spore.Shared.Delimited.recv_timeout(d) do
       {%{"Authenticate" => tag}, d2} ->
-        ok = Enum.any?(auths, fn a -> validate(a, challenge, tag) end)
-        if ok, do: {:ok, d2}, else: {{:error, :invalid_secret}, d2}
+        case Enum.find(auths, fn a -> validate(a, challenge, tag) end) do
+          %{id: id} -> {:ok, d2, id}
+          _ -> {{:error, :invalid_secret}, d2}
+        end
 
       {_, d2} ->
         {{:error, :missing_authentication}, d2}

lib/spore/banlist.ex

@@ -0,0 +1,39 @@
+defmodule Spore.Banlist do
+  @moduledoc false
+  use GenServer
+
+  def start_link(_), do: GenServer.start_link(__MODULE__, %{}, name: __MODULE__)
+
+  @impl true
+  def init(state), do: {:ok, state}
+
+  def allow?(ip), do: GenServer.call(__MODULE__, {:allow?, ip})
+  def note_failure(ip), do: GenServer.cast(__MODULE__, {:failure, ip})
+
+  @impl true
+  def handle_call({:allow?, ip}, _from, state) do
+    now = System.monotonic_time(:millisecond)
+
+    case Map.get(state, ip) do
+      {:banned, until_ms} when now < until_ms -> {:reply, false, state}
+      {:banned, _} -> {:reply, true, Map.delete(state, ip)}
+      _ -> {:reply, true, state}
+    end
+  end
+
+  @impl true
+  def handle_cast({:failure, ip}, state) do
+    {count, state2} = Map.get_and_update(state, {:count, ip}, fn v -> {v || 0, (v || 0) + 1} end)
+    threshold = Application.get_env(:spore, :auth_fail_threshold, 5)
+    ban_ms = Application.get_env(:spore, :auth_ban_ms, 60_000)
+
+    state3 =
+      if count + 1 >= threshold do
+        Map.put(state2, ip, {:banned, System.monotonic_time(:millisecond) + ban_ms})
+      else
+        state2
+      end
+
+    {:noreply, state3}
+  end
+end