spikard 0.2.5 → 0.3.0

data/vendor/crates/spikard-http/src/cors.rs

@@ -1,490 +0,0 @@
-//! CORS (Cross-Origin Resource Sharing) handling
-//!
-//! Handles CORS preflight requests and adds CORS headers to responses
-
-use crate::CorsConfig;
-use axum::body::Body;
-use axum::http::{HeaderMap, HeaderValue, Response, StatusCode};
-use axum::response::IntoResponse;
-
-/// Check if an origin is allowed by the CORS configuration
-///
-/// Supports exact matches and wildcard ("*") for any origin.
-/// Empty origins always return false for security.
-///
-/// # Arguments
-/// * `origin` - The origin string from the HTTP request (e.g., "https://example.com")
-/// * `allowed_origins` - List of allowed origins configured for CORS
-///
-/// # Returns
-/// `true` if the origin is allowed, `false` otherwise
-fn is_origin_allowed(origin: &str, allowed_origins: &[String]) -> bool {
-    if origin.is_empty() {
-        return false;
-    }
-
-    allowed_origins
-        .iter()
-        .any(|allowed| allowed == "*" || allowed == origin)
-}
-
-/// Check if a method is allowed by the CORS configuration
-///
-/// Supports exact matches and wildcard ("*") for any method.
-/// Comparison is case-insensitive (e.g., "get" matches "GET").
-///
-/// # Arguments
-/// * `method` - The HTTP method requested (e.g., "GET", "POST")
-/// * `allowed_methods` - List of allowed HTTP methods configured for CORS
-///
-/// # Returns
-/// `true` if the method is allowed, `false` otherwise
-fn is_method_allowed(method: &str, allowed_methods: &[String]) -> bool {
-    allowed_methods
-        .iter()
-        .any(|allowed| allowed == "*" || allowed.eq_ignore_ascii_case(method))
-}
-
-/// Check if all requested headers are allowed by CORS configuration
-///
-/// Headers are case-insensitive. Supports wildcard ("*") for allowing any header.
-/// If a wildcard is configured, all requested headers are allowed.
-///
-/// # Arguments
-/// * `requested` - Array of header names requested by the client
-/// * `allowed` - List of allowed header names configured for CORS
-///
-/// # Returns
-/// `true` if all requested headers are allowed, `false` if any header is not allowed
-fn are_headers_allowed(requested: &[&str], allowed: &[String]) -> bool {
-    if allowed.iter().any(|h| h == "*") {
-        return true;
-    }
-
-    requested.iter().all(|req_header| {
-        allowed
-            .iter()
-            .any(|allowed_header| allowed_header.eq_ignore_ascii_case(req_header))
-    })
-}
-
-/// Handle CORS preflight (OPTIONS) request
-///
-/// Validates the request against the CORS configuration and returns appropriate
-/// response or error. This function processes OPTIONS requests as defined in the
-/// CORS specification (RFC 7231).
-///
-/// # Validation
-///
-/// Checks the following conditions:
-/// 1. **Origin Header:** Must be present and match configured allowed origins
-/// 2. **Access-Control-Request-Method:** Must match configured allowed methods
-/// 3. **Access-Control-Request-Headers:** All requested headers must match configured allowed headers
-///
-/// # Success Response
-///
-/// Returns HTTP 204 (No Content) with the following response headers:
-/// - `Access-Control-Allow-Origin` - The origin that is allowed
-/// - `Access-Control-Allow-Methods` - Comma-separated list of allowed methods
-/// - `Access-Control-Allow-Headers` - Comma-separated list of allowed headers
-/// - `Access-Control-Max-Age` - Caching duration in seconds (if configured)
-/// - `Access-Control-Allow-Credentials` - "true" if credentials are allowed
-///
-/// # Error Response
-///
-/// Returns HTTP 403 (Forbidden) if validation fails for:
-/// - Origin not in allowed list
-/// - Requested method not allowed
-/// - Requested headers not allowed
-///
-/// # Arguments
-/// * `headers` - Request headers containing CORS preflight information
-/// * `cors_config` - CORS configuration to validate against
-///
-/// # Returns
-/// * `Ok(Response)` - 204 No Content with CORS headers
-/// * `Err(Response)` - 403 Forbidden or 500 Internal Server Error
-pub fn handle_preflight(headers: &HeaderMap, cors_config: &CorsConfig) -> Result<Response<Body>, Box<Response<Body>>> {
-    let origin = headers.get("origin").and_then(|v| v.to_str().ok()).unwrap_or("");
-
-    if origin.is_empty() || !is_origin_allowed(origin, &cors_config.allowed_origins) {
-        return Err(Box::new(
-            (
-                StatusCode::FORBIDDEN,
-                axum::Json(serde_json::json!({
-                    "detail": format!("CORS request from origin '{}' not allowed", origin)
-                })),
-            )
-                .into_response(),
-        ));
-    }
-
-    let requested_method = headers
-        .get("access-control-request-method")
-        .and_then(|v| v.to_str().ok())
-        .unwrap_or("");
-
-    if !requested_method.is_empty() && !is_method_allowed(requested_method, &cors_config.allowed_methods) {
-        return Err(Box::new((StatusCode::FORBIDDEN).into_response()));
-    }
-
-    let requested_headers_str = headers
-        .get("access-control-request-headers")
-        .and_then(|v| v.to_str().ok());
-
-    if let Some(req_headers) = requested_headers_str {
-        let requested_headers: Vec<&str> = req_headers.split(',').map(|h| h.trim()).collect();
-
-        if !are_headers_allowed(&requested_headers, &cors_config.allowed_headers) {
-            return Err(Box::new((StatusCode::FORBIDDEN).into_response()));
-        }
-    }
-
-    let mut response = Response::builder().status(StatusCode::NO_CONTENT);
-
-    let headers_mut = match response.headers_mut() {
-        Some(headers) => headers,
-        None => {
-            return Err(Box::new(
-                (
-                    StatusCode::INTERNAL_SERVER_ERROR,
-                    axum::Json(serde_json::json!({
-                        "detail": "Failed to construct response headers"
-                    })),
-                )
-                    .into_response(),
-            ));
-        }
-    };
-
-    headers_mut.insert(
-        "access-control-allow-origin",
-        HeaderValue::from_str(origin).unwrap_or_else(|_| HeaderValue::from_static("*")),
-    );
-
-    let methods = cors_config.allowed_methods.join(", ");
-    headers_mut.insert(
-        "access-control-allow-methods",
-        HeaderValue::from_str(&methods).unwrap_or_else(|_| HeaderValue::from_static("*")),
-    );
-
-    let allowed_headers = cors_config.allowed_headers.join(", ");
-    headers_mut.insert(
-        "access-control-allow-headers",
-        HeaderValue::from_str(&allowed_headers).unwrap_or_else(|_| HeaderValue::from_static("*")),
-    );
-
-    if let Some(max_age) = cors_config.max_age
-        && let Ok(header_val) = HeaderValue::from_str(&max_age.to_string())
-    {
-        headers_mut.insert("access-control-max-age", header_val);
-    }
-
-    if let Some(true) = cors_config.allow_credentials {
-        headers_mut.insert("access-control-allow-credentials", HeaderValue::from_static("true"));
-    }
-
-    match response.body(Body::empty()) {
-        Ok(resp) => Ok(resp),
-        Err(_) => Err(Box::new(
-            (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                axum::Json(serde_json::json!({
-                    "detail": "Failed to construct response body"
-                })),
-            )
-                .into_response(),
-        )),
-    }
-}
-
-/// Add CORS headers to a successful response
-///
-/// Adds appropriate CORS headers to the response based on the configuration.
-/// This function should be called for successful (non-error) responses to
-/// cross-origin requests.
-///
-/// # Headers Added
-///
-/// - `Access-Control-Allow-Origin` - The origin that is allowed (if valid)
-/// - `Access-Control-Expose-Headers` - Headers that are safe to expose to the client
-/// - `Access-Control-Allow-Credentials` - "true" if credentials are allowed
-///
-/// # Arguments
-/// * `response` - Mutable reference to the response to modify
-/// * `origin` - The origin from the request (e.g., `<https://example.com>`)
-/// * `cors_config` - CORS configuration to apply
-///
-/// # Example
-///
-/// ```ignore
-/// let mut response = Response::new(Body::empty());
-/// add_cors_headers(&mut response, "https://example.com", &cors_config);
-/// ```
-pub fn add_cors_headers(response: &mut Response<Body>, origin: &str, cors_config: &CorsConfig) {
-    let headers = response.headers_mut();
-
-    if let Ok(origin_value) = HeaderValue::from_str(origin) {
-        headers.insert("access-control-allow-origin", origin_value);
-    }
-
-    if let Some(ref expose_headers) = cors_config.expose_headers {
-        let expose = expose_headers.join(", ");
-        if let Ok(expose_value) = HeaderValue::from_str(&expose) {
-            headers.insert("access-control-expose-headers", expose_value);
-        }
-    }
-
-    if let Some(true) = cors_config.allow_credentials {
-        headers.insert("access-control-allow-credentials", HeaderValue::from_static("true"));
-    }
-}
-
-/// Validate a non-preflight CORS request
-///
-/// Checks if the Origin header is present and allowed for non-preflight (actual) requests.
-/// Returns an error response if validation fails.
-///
-/// # Validation
-///
-/// - If no Origin header is present, the request is allowed (not a CORS request)
-/// - If Origin header is present, it must match the allowed origins
-///
-/// # Arguments
-/// * `headers` - Request headers containing origin information
-/// * `cors_config` - CORS configuration to validate against
-///
-/// # Returns
-/// * `Ok(())` - Request is allowed
-/// * `Err(Response)` - 403 Forbidden with error details
-///
-/// # Note
-///
-/// This function is for actual requests, not OPTIONS preflight requests.
-/// Use `handle_preflight` for OPTIONS requests.
-pub fn validate_cors_request(headers: &HeaderMap, cors_config: &CorsConfig) -> Result<(), Box<Response<Body>>> {
-    let origin = headers.get("origin").and_then(|v| v.to_str().ok()).unwrap_or("");
-
-    if !origin.is_empty() && !is_origin_allowed(origin, &cors_config.allowed_origins) {
-        return Err(Box::new(
-            (
-                StatusCode::FORBIDDEN,
-                axum::Json(serde_json::json!({
-                    "detail": format!("CORS request from origin '{}' not allowed", origin)
-                })),
-            )
-                .into_response(),
-        ));
-    }
-    Ok(())
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn make_cors_config() -> CorsConfig {
-        CorsConfig {
-            allowed_origins: vec!["https://example.com".to_string()],
-            allowed_methods: vec!["GET".to_string(), "POST".to_string()],
-            allowed_headers: vec!["content-type".to_string(), "authorization".to_string()],
-            expose_headers: Some(vec!["x-custom-header".to_string()]),
-            max_age: Some(3600),
-            allow_credentials: Some(true),
-        }
-    }
-
-    #[test]
-    fn test_is_origin_allowed_exact_match() {
-        let allowed = vec!["https://example.com".to_string()];
-        assert!(is_origin_allowed("https://example.com", &allowed));
-        assert!(!is_origin_allowed("https://evil.com", &allowed));
-    }
-
-    #[test]
-    fn test_is_origin_allowed_wildcard() {
-        let allowed = vec!["*".to_string()];
-        assert!(is_origin_allowed("https://example.com", &allowed));
-        assert!(is_origin_allowed("https://any-domain.com", &allowed));
-    }
-
-    #[test]
-    fn test_is_origin_allowed_empty_origin() {
-        let allowed = vec!["*".to_string()];
-        assert!(!is_origin_allowed("", &allowed));
-    }
-
-    #[test]
-    fn test_is_method_allowed_case_insensitive() {
-        let allowed = vec!["GET".to_string(), "POST".to_string()];
-        assert!(is_method_allowed("GET", &allowed));
-        assert!(is_method_allowed("get", &allowed));
-        assert!(is_method_allowed("POST", &allowed));
-        assert!(is_method_allowed("post", &allowed));
-        assert!(!is_method_allowed("DELETE", &allowed));
-    }
-
-    #[test]
-    fn test_is_method_allowed_wildcard() {
-        let allowed = vec!["*".to_string()];
-        assert!(is_method_allowed("GET", &allowed));
-        assert!(is_method_allowed("DELETE", &allowed));
-        assert!(is_method_allowed("PATCH", &allowed));
-    }
-
-    #[test]
-    fn test_are_headers_allowed_case_insensitive() {
-        let allowed = vec!["Content-Type".to_string(), "Authorization".to_string()];
-        assert!(are_headers_allowed(&["content-type"], &allowed));
-        assert!(are_headers_allowed(&["AUTHORIZATION"], &allowed));
-        assert!(are_headers_allowed(&["content-type", "authorization"], &allowed));
-        assert!(!are_headers_allowed(&["x-custom"], &allowed));
-    }
-
-    #[test]
-    fn test_are_headers_allowed_wildcard() {
-        let allowed = vec!["*".to_string()];
-        assert!(are_headers_allowed(&["any-header"], &allowed));
-        assert!(are_headers_allowed(&["multiple", "headers"], &allowed));
-    }
-
-    #[test]
-    fn test_handle_preflight_success() {
-        let config = make_cors_config();
-        let mut headers = HeaderMap::new();
-        headers.insert("origin", HeaderValue::from_static("https://example.com"));
-        headers.insert("access-control-request-method", HeaderValue::from_static("POST"));
-        headers.insert(
-            "access-control-request-headers",
-            HeaderValue::from_static("content-type"),
-        );
-
-        let result = handle_preflight(&headers, &config);
-        assert!(result.is_ok());
-
-        let response = result.unwrap();
-        assert_eq!(response.status(), StatusCode::NO_CONTENT);
-
-        let resp_headers = response.headers();
-        assert_eq!(
-            resp_headers.get("access-control-allow-origin").unwrap(),
-            "https://example.com"
-        );
-        assert!(
-            resp_headers
-                .get("access-control-allow-methods")
-                .unwrap()
-                .to_str()
-                .unwrap()
-                .contains("POST")
-        );
-        assert_eq!(resp_headers.get("access-control-max-age").unwrap(), "3600");
-        assert_eq!(resp_headers.get("access-control-allow-credentials").unwrap(), "true");
-    }
-
-    #[test]
-    fn test_handle_preflight_origin_not_allowed() {
-        let config = make_cors_config();
-        let mut headers = HeaderMap::new();
-        headers.insert("origin", HeaderValue::from_static("https://evil.com"));
-        headers.insert("access-control-request-method", HeaderValue::from_static("GET"));
-
-        let result = handle_preflight(&headers, &config);
-        assert!(result.is_err());
-
-        let response = *result.unwrap_err();
-        assert_eq!(response.status(), StatusCode::FORBIDDEN);
-    }
-
-    #[test]
-    fn test_handle_preflight_method_not_allowed() {
-        let config = make_cors_config();
-        let mut headers = HeaderMap::new();
-        headers.insert("origin", HeaderValue::from_static("https://example.com"));
-        headers.insert("access-control-request-method", HeaderValue::from_static("DELETE"));
-
-        let result = handle_preflight(&headers, &config);
-        assert!(result.is_err());
-
-        let response = *result.unwrap_err();
-        assert_eq!(response.status(), StatusCode::FORBIDDEN);
-    }
-
-    #[test]
-    fn test_handle_preflight_header_not_allowed() {
-        let config = make_cors_config();
-        let mut headers = HeaderMap::new();
-        headers.insert("origin", HeaderValue::from_static("https://example.com"));
-        headers.insert("access-control-request-method", HeaderValue::from_static("POST"));
-        headers.insert(
-            "access-control-request-headers",
-            HeaderValue::from_static("x-forbidden-header"),
-        );
-
-        let result = handle_preflight(&headers, &config);
-        assert!(result.is_err());
-
-        let response = *result.unwrap_err();
-        assert_eq!(response.status(), StatusCode::FORBIDDEN);
-    }
-
-    #[test]
-    fn test_handle_preflight_empty_origin() {
-        let config = make_cors_config();
-        let headers = HeaderMap::new();
-
-        let result = handle_preflight(&headers, &config);
-        assert!(result.is_err());
-
-        let response = *result.unwrap_err();
-        assert_eq!(response.status(), StatusCode::FORBIDDEN);
-    }
-
-    #[test]
-    fn test_add_cors_headers() {
-        let config = make_cors_config();
-        let mut response = Response::new(Body::empty());
-
-        add_cors_headers(&mut response, "https://example.com", &config);
-
-        let headers = response.headers();
-        assert_eq!(
-            headers.get("access-control-allow-origin").unwrap(),
-            "https://example.com"
-        );
-        assert_eq!(headers.get("access-control-expose-headers").unwrap(), "x-custom-header");
-        assert_eq!(headers.get("access-control-allow-credentials").unwrap(), "true");
-    }
-
-    #[test]
-    fn test_validate_cors_request_allowed() {
-        let config = make_cors_config();
-        let mut headers = HeaderMap::new();
-        headers.insert("origin", HeaderValue::from_static("https://example.com"));
-
-        let result = validate_cors_request(&headers, &config);
-        assert!(result.is_ok());
-    }
-
-    #[test]
-    fn test_validate_cors_request_not_allowed() {
-        let config = make_cors_config();
-        let mut headers = HeaderMap::new();
-        headers.insert("origin", HeaderValue::from_static("https://evil.com"));
-
-        let result = validate_cors_request(&headers, &config);
-        assert!(result.is_err());
-
-        let response = *result.unwrap_err();
-        assert_eq!(response.status(), StatusCode::FORBIDDEN);
-    }
-
-    #[test]
-    fn test_validate_cors_request_no_origin() {
-        let config = make_cors_config();
-        let headers = HeaderMap::new();
-
-        let result = validate_cors_request(&headers, &config);
-        assert!(result.is_ok());
-    }
-}

data/vendor/crates/spikard-http/src/debug.rs

@@ -1,63 +0,0 @@
-//! Debug logging utilities for spikard-http
-//!
-//! This module provides debug logging that can be enabled via:
-//! - Building in debug mode (cfg(debug_assertions))
-//! - Setting SPIKARD_DEBUG=1 environment variable
-
-use std::sync::atomic::{AtomicBool, Ordering};
-
-static DEBUG_ENABLED: AtomicBool = AtomicBool::new(false);
-
-/// Initialize debug logging based on environment and build mode
-pub fn init() {
-    let enabled = cfg!(debug_assertions) || std::env::var("SPIKARD_DEBUG").is_ok() || std::env::var("DEBUG").is_ok();
-
-    eprintln!(
-        "[spikard-http::debug] init() called, cfg!(debug_assertions)={}, DEBUG={}, enabled={}",
-        cfg!(debug_assertions),
-        std::env::var("DEBUG").is_ok(),
-        enabled
-    );
-
-    DEBUG_ENABLED.store(enabled, Ordering::Relaxed);
-
-    if enabled {
-        eprintln!("[spikard-http] Debug logging enabled");
-    }
-}
-
-/// Check if debug logging is enabled
-#[inline]
-pub fn is_enabled() -> bool {
-    DEBUG_ENABLED.load(Ordering::Relaxed)
-}
-
-/// Log a debug message if debugging is enabled
-#[macro_export]
-macro_rules! debug_log {
-    ($($arg:tt)*) => {
-        if $crate::debug::is_enabled() {
-            eprintln!("[spikard-http] {}", format!($($arg)*));
-        }
-    };
-}
-
-/// Log a debug message with a specific module/component name
-#[macro_export]
-macro_rules! debug_log_module {
-    ($module:expr, $($arg:tt)*) => {
-        if $crate::debug::is_enabled() {
-            eprintln!("[spikard-http::{}] {}", $module, format!($($arg)*));
-        }
-    };
-}
-
-/// Log a debug value with pretty-printing
-#[macro_export]
-macro_rules! debug_log_value {
-    ($name:expr, $value:expr) => {
-        if $crate::debug::is_enabled() {
-            eprintln!("[spikard-http] {} = {:?}", $name, $value);
-        }
-    };
-}