0http-bun 1.1.3 → 1.2.1

package/lib/middleware/cors.js

@@ -0,0 +1,225 @@
+/**
+ * Creates CORS (Cross-Origin Resource Sharing) middleware
+ * @param {Object} options - CORS configuration options
+ * @param {string|Array<string>|Function} options.origin - Allowed origins
+ * @param {Array<string>} options.methods - Allowed HTTP methods
+ * @param {Array<string>} options.allowedHeaders - Allowed request headers
+ * @param {Array<string>} options.exposedHeaders - Headers exposed to the client
+ * @param {boolean} options.credentials - Whether to include credentials
+ * @param {number} options.maxAge - Preflight cache time in seconds
+ * @param {boolean} options.preflightContinue - Pass control to next handler after preflight
+ * @param {number} options.optionsSuccessStatus - Status code for successful OPTIONS requests
+ * @returns {Function} Middleware function
+ */
+function createCORS(options = {}) {
+  const {
+    origin = '*',
+    methods = ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'],
+    allowedHeaders = ['Content-Type', 'Authorization'],
+    exposedHeaders = [],
+    credentials = false,
+    maxAge = 86400, // 24 hours
+    preflightContinue = false,
+    optionsSuccessStatus = 204,
+  } = options
+
+  return function corsMiddleware(req, next) {
+    const requestOrigin = req.headers.get('origin')
+    const allowedOrigin = getAllowedOrigin(origin, requestOrigin, req)
+
+    const addCorsHeaders = (response) => {
+      // Add Vary header for dynamic origins (regardless of whether origin is allowed)
+      if (typeof origin === 'function' || Array.isArray(origin)) {
+        const existingVary = response.headers.get('Vary')
+        if (existingVary) {
+          if (!existingVary.includes('Origin')) {
+            response.headers.set('Vary', `${existingVary}, Origin`)
+          }
+        } else {
+          response.headers.set('Vary', 'Origin')
+        }
+      }
+
+      if (allowedOrigin !== false) {
+        response.headers.set('Access-Control-Allow-Origin', allowedOrigin)
+      }
+
+      // Don't allow wildcard origin with credentials
+      if (credentials && allowedOrigin !== '*') {
+        response.headers.set('Access-Control-Allow-Credentials', 'true')
+      }
+
+      // Handle exposedHeaders (can be string or array)
+      const exposedHeadersList = Array.isArray(exposedHeaders)
+        ? exposedHeaders
+        : typeof exposedHeaders === 'string'
+          ? [exposedHeaders]
+          : []
+      if (exposedHeadersList.length > 0) {
+        response.headers.set(
+          'Access-Control-Expose-Headers',
+          exposedHeadersList.join(', '),
+        )
+      }
+
+      // Add method and header info for all requests (not just OPTIONS)
+      response.headers.set(
+        'Access-Control-Allow-Methods',
+        (Array.isArray(methods) ? methods : [methods]).join(', '),
+      )
+
+      const resolvedAllowedHeaders =
+        typeof allowedHeaders === 'function'
+          ? allowedHeaders(req)
+          : allowedHeaders
+      const allowedHeadersList = Array.isArray(resolvedAllowedHeaders)
+        ? resolvedAllowedHeaders
+        : typeof resolvedAllowedHeaders === 'string'
+          ? [resolvedAllowedHeaders]
+          : []
+      response.headers.set(
+        'Access-Control-Allow-Headers',
+        allowedHeadersList.join(', '),
+      )
+
+      return response
+    }
+
+    if (req.method === 'OPTIONS') {
+      // Handle preflight request
+      const requestMethod = req.headers.get('access-control-request-method')
+      const requestHeaders = req.headers.get('access-control-request-headers')
+
+      // Check if requested method is allowed
+      if (requestMethod && !methods.includes(requestMethod)) {
+        return new Response(null, {status: 404})
+      }
+
+      // Check if requested headers are allowed
+      if (requestHeaders) {
+        const requestedHeaders = requestHeaders.split(',').map((h) => h.trim())
+        const resolvedAllowedHeaders =
+          typeof allowedHeaders === 'function'
+            ? allowedHeaders(req)
+            : allowedHeaders
+        const allowedHeadersList = Array.isArray(resolvedAllowedHeaders)
+          ? resolvedAllowedHeaders
+          : []
+
+        const hasDisallowedHeaders = requestedHeaders.some(
+          (header) =>
+            !allowedHeadersList.some(
+              (allowed) => allowed.toLowerCase() === header.toLowerCase(),
+            ),
+        )
+
+        if (hasDisallowedHeaders) {
+          return new Response(null, {status: 404})
+        }
+      }
+
+      const response = new Response(null, {status: optionsSuccessStatus})
+
+      if (allowedOrigin !== false) {
+        response.headers.set('Access-Control-Allow-Origin', allowedOrigin)
+
+        // Add Vary header for dynamic origins
+        if (typeof origin === 'function' || Array.isArray(origin)) {
+          response.headers.set('Vary', 'Origin')
+        }
+      }
+
+      // Don't allow wildcard origin with credentials
+      if (credentials && allowedOrigin !== '*') {
+        response.headers.set('Access-Control-Allow-Credentials', 'true')
+      }
+
+      response.headers.set(
+        'Access-Control-Allow-Methods',
+        (Array.isArray(methods) ? methods : [methods]).join(', '),
+      )
+
+      const resolvedAllowedHeaders =
+        typeof allowedHeaders === 'function'
+          ? allowedHeaders(req)
+          : allowedHeaders
+      const allowedHeadersList = Array.isArray(resolvedAllowedHeaders)
+        ? resolvedAllowedHeaders
+        : []
+      response.headers.set(
+        'Access-Control-Allow-Headers',
+        allowedHeadersList.join(', '),
+      )
+
+      response.headers.set('Access-Control-Max-Age', maxAge.toString())
+
+      if (preflightContinue) {
+        const result = next()
+        if (result instanceof Promise) {
+          return result.then(addCorsHeaders)
+        }
+        return addCorsHeaders(result)
+      } else {
+        return response
+      }
+    }
+
+    const result = next()
+    if (result instanceof Promise) {
+      return result.then(addCorsHeaders)
+    }
+    return addCorsHeaders(result)
+  }
+}
+
+/**
+ * Determines the allowed origin for CORS
+ * @param {string|Array<string>|Function} origin - Origin configuration
+ * @param {string} requestOrigin - Origin from request header
+ * @param {Request} req - Request object
+ * @returns {string|false} Allowed origin or false if not allowed
+ */
+function getAllowedOrigin(origin, requestOrigin, req) {
+  if (origin === '*') {
+    return '*'
+  }
+
+  if (origin === false) {
+    return false
+  }
+
+  if (typeof origin === 'string') {
+    return origin === requestOrigin ? requestOrigin : false
+  }
+
+  if (Array.isArray(origin)) {
+    return origin.includes(requestOrigin) ? requestOrigin : false
+  }
+
+  if (typeof origin === 'function') {
+    const result = origin(requestOrigin)
+    return result === true ? requestOrigin : result || false
+  }
+
+  return false
+}
+
+/**
+ * Simple CORS middleware for development
+ * Allows all origins, methods, and headers
+ * @returns {Function} Middleware function
+ */
+function simpleCORS() {
+  return createCORS({
+    origin: '*',
+    methods: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE', 'OPTIONS'],
+    allowedHeaders: ['*'],
+    credentials: false,
+  })
+}
+
+module.exports = {
+  createCORS,
+  simpleCORS,
+  getAllowedOrigin,
+}

package/lib/middleware/index.d.ts

@@ -0,0 +1,236 @@
+import {RequestHandler, ZeroRequest, StepFunction} from '../../common'
+import {Logger} from 'pino'
+
+// Logger middleware types
+export interface LoggerOptions {
+  pinoOptions?: any
+  serializers?: Record<string, (obj: any) => any>
+  logBody?: boolean
+  excludePaths?: string[]
+}
+
+export function createLogger(options?: LoggerOptions): RequestHandler
+export function simpleLogger(): RequestHandler
+
+// JWT Authentication middleware types
+export interface JWKSLike {
+  getKey?: (protectedHeader: any, token: string) => Promise<any>
+  [key: string]: any
+}
+
+export interface JWTAuthOptions {
+  secret?:
+    | string
+    | Uint8Array
+    | ((req: ZeroRequest) => Promise<string | Uint8Array>)
+    | ((protectedHeader: any, token: string) => Promise<string | Uint8Array>)
+  jwksUri?: string
+  jwks?: JWKSLike
+  jwtOptions?: {
+    algorithms?: string[]
+    audience?: string | string[]
+    issuer?: string | string[]
+    subject?: string
+    clockTolerance?: number
+    maxTokenAge?: number
+  }
+  // Token extraction options
+  getToken?: (req: ZeroRequest) => string | null
+  tokenHeader?: string
+  tokenQuery?: string
+  // Authentication behavior options
+  optional?: boolean
+  excludePaths?: string[]
+  // API key authentication options
+  apiKeys?:
+    | string
+    | string[]
+    | ((
+        key: string,
+        req: ZeroRequest,
+      ) => Promise<boolean | any> | boolean | any)
+  apiKeyHeader?: string
+  apiKeyValidator?:
+    | ((key: string) => Promise<boolean | any> | boolean | any)
+    | ((
+        key: string,
+        req: ZeroRequest,
+      ) => Promise<boolean | any> | boolean | any)
+  validateApiKey?:
+    | ((key: string) => Promise<boolean | any> | boolean | any)
+    | ((
+        key: string,
+        req: ZeroRequest,
+      ) => Promise<boolean | any> | boolean | any)
+  // JWT specific options (can also be in jwtOptions)
+  audience?: string | string[]
+  issuer?: string
+  algorithms?: string[]
+  // Custom response and error handling
+  unauthorizedResponse?:
+    | Response
+    | ((error: Error, req: ZeroRequest) => Response | any)
+    | {
+        status?: number
+        body?: any
+        headers?: Record<string, string>
+      }
+  onError?: (error: Error, req: ZeroRequest) => Response | any
+}
+
+export interface APIKeyAuthOptions {
+  keys:
+    | string
+    | string[]
+    | ((key: string, req: ZeroRequest) => Promise<boolean> | boolean)
+  header?: string
+  getKey?: (req: ZeroRequest) => string | null
+}
+
+export interface TokenExtractionOptions {
+  getToken?: (req: ZeroRequest) => string | null
+  tokenHeader?: string
+  tokenQuery?: string
+}
+
+export function createJWTAuth(options?: JWTAuthOptions): RequestHandler
+export function createAPIKeyAuth(options: APIKeyAuthOptions): RequestHandler
+export function extractTokenFromHeader(req: ZeroRequest): string | null
+export function extractToken(
+  req: ZeroRequest,
+  options?: TokenExtractionOptions,
+): string | null
+export function validateApiKeyInternal(
+  apiKey: string,
+  apiKeys: JWTAuthOptions['apiKeys'],
+  apiKeyValidator: JWTAuthOptions['apiKeyValidator'],
+  req: ZeroRequest,
+): Promise<boolean | any>
+export function handleAuthError(
+  error: Error,
+  handlers: {
+    unauthorizedResponse?: JWTAuthOptions['unauthorizedResponse']
+    onError?: JWTAuthOptions['onError']
+  },
+  req: ZeroRequest,
+): Response
+
+// Rate limiting middleware types
+export interface RateLimitOptions {
+  windowMs?: number
+  max?: number
+  keyGenerator?: (req: ZeroRequest) => Promise<string> | string
+  handler?: (
+    req: ZeroRequest,
+    totalHits: number,
+    max: number,
+    resetTime: Date,
+  ) => Promise<Response> | Response
+  store?: RateLimitStore
+  standardHeaders?: boolean
+  excludePaths?: string[]
+  skip?: (req: ZeroRequest) => boolean
+}
+
+export interface RateLimitStore {
+  increment(
+    key: string,
+    windowMs: number,
+  ): Promise<{totalHits: number; resetTime: Date}>
+  reset(key: string): Promise<void>
+}
+
+export class MemoryStore implements RateLimitStore {
+  constructor()
+  increment(
+    key: string,
+    windowMs: number,
+  ): Promise<{totalHits: number; resetTime: Date}>
+  reset(key: string): Promise<void>
+  cleanup(now: number): void
+}
+
+export function createRateLimit(options?: RateLimitOptions): RequestHandler
+export function createSlidingWindowRateLimit(
+  options?: RateLimitOptions,
+): RequestHandler
+export function defaultKeyGenerator(req: ZeroRequest): string
+export function defaultHandler(
+  req: ZeroRequest,
+  totalHits: number,
+  max: number,
+  resetTime: Date,
+): Response
+
+// CORS middleware types
+export interface CORSOptions {
+  origin?:
+    | string
+    | string[]
+    | boolean
+    | ((origin: string, req: ZeroRequest) => boolean | string)
+  methods?: string[]
+  allowedHeaders?: string[]
+  exposedHeaders?: string[]
+  credentials?: boolean
+  maxAge?: number
+  preflightContinue?: boolean
+  optionsSuccessStatus?: number
+}
+
+export function createCORS(options?: CORSOptions): RequestHandler
+export function simpleCORS(): RequestHandler
+export function getAllowedOrigin(
+  origin: any,
+  requestOrigin: string,
+  req: ZeroRequest,
+): string | false
+
+// Body parser middleware types
+export interface JSONParserOptions {
+  limit?: number
+  reviver?: (key: string, value: any) => any
+  strict?: boolean
+  type?: string
+}
+
+export interface TextParserOptions {
+  limit?: number
+  type?: string
+  defaultCharset?: string
+}
+
+export interface URLEncodedParserOptions {
+  limit?: number
+  extended?: boolean
+}
+
+export interface MultipartParserOptions {
+  limit?: number
+}
+
+export interface BodyParserOptions {
+  json?: JSONParserOptions
+  text?: TextParserOptions
+  urlencoded?: URLEncodedParserOptions
+  multipart?: MultipartParserOptions
+}
+
+export interface ParsedFile {
+  name: string
+  size: number
+  type: string
+  data: File
+}
+
+export function createJSONParser(options?: JSONParserOptions): RequestHandler
+export function createTextParser(options?: TextParserOptions): RequestHandler
+export function createURLEncodedParser(
+  options?: URLEncodedParserOptions,
+): RequestHandler
+export function createMultipartParser(
+  options?: MultipartParserOptions,
+): RequestHandler
+export function createBodyParser(options?: BodyParserOptions): RequestHandler
+export function hasBody(req: ZeroRequest): boolean
+export function shouldParse(req: ZeroRequest, type: string): boolean

package/lib/middleware/index.js

@@ -0,0 +1,45 @@
+// Export all middleware modules
+const loggerModule = require('./logger')
+const jwtAuthModule = require('./jwt-auth')
+const rateLimitModule = require('./rate-limit')
+const corsModule = require('./cors')
+const bodyParserModule = require('./body-parser')
+
+module.exports = {
+  // Simple interface for common use cases (matches test expectations)
+  logger: loggerModule.createLogger,
+  jwtAuth: jwtAuthModule.createJWTAuth,
+  rateLimit: rateLimitModule.createRateLimit,
+  cors: corsModule.createCORS,
+  bodyParser: bodyParserModule.createBodyParser,
+
+  // Complete factory functions for advanced usage
+  createLogger: loggerModule.createLogger,
+  simpleLogger: loggerModule.simpleLogger,
+
+  // Authentication middleware
+  createJWTAuth: jwtAuthModule.createJWTAuth,
+  createAPIKeyAuth: jwtAuthModule.createAPIKeyAuth,
+  extractTokenFromHeader: jwtAuthModule.extractTokenFromHeader,
+
+  // Rate limiting middleware
+  createRateLimit: rateLimitModule.createRateLimit,
+  createSlidingWindowRateLimit: rateLimitModule.createSlidingWindowRateLimit,
+  MemoryStore: rateLimitModule.MemoryStore,
+  defaultKeyGenerator: rateLimitModule.defaultKeyGenerator,
+  defaultHandler: rateLimitModule.defaultHandler,
+
+  // CORS middleware
+  createCORS: corsModule.createCORS,
+  simpleCORS: corsModule.simpleCORS,
+  getAllowedOrigin: corsModule.getAllowedOrigin,
+
+  // Body parser middleware
+  createJSONParser: bodyParserModule.createJSONParser,
+  createTextParser: bodyParserModule.createTextParser,
+  createURLEncodedParser: bodyParserModule.createURLEncodedParser,
+  createMultipartParser: bodyParserModule.createMultipartParser,
+  createBodyParser: bodyParserModule.createBodyParser,
+  hasBody: bodyParserModule.hasBody,
+  shouldParse: bodyParserModule.shouldParse,
+}