npm - 0http-bun - Versions diffs - 1.1.3 → 1.2.1 - Mend

0http-bun 1.1.3 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +72 -3
package/common.d.ts +37 -2
package/lib/middleware/README.md +870 -0
package/lib/middleware/body-parser.js +783 -0
package/lib/middleware/cors.js +225 -0
package/lib/middleware/index.d.ts +236 -0
package/lib/middleware/index.js +45 -0
package/lib/middleware/jwt-auth.js +406 -0
package/lib/middleware/logger.js +310 -0
package/lib/middleware/rate-limit.js +270 -0
package/lib/router/sequential.js +10 -2
package/package.json +6 -3

package/lib/middleware/jwt-auth.js ADDED Viewed

@@ -0,0 +1,406 @@
+const {jwtVerify, createRemoteJWKSet, errors} = require('jose')
+/**
+ * Creates JWT authentication middleware
+ * @param {Object} options - JWT configuration options
+ * @param {string|Uint8Array|Function} options.secret - JWT secret or key getter function
+ * @param {string} options.jwksUri - JWKS URI for remote key verification
+ * @param {Object} options.jwtOptions - Additional JWT verification options
+ * @param {Function} options.getToken - Custom token extraction function
+ * @param {string} options.tokenHeader - Custom header for token extraction
+ * @param {string} options.tokenQuery - Query parameter name for token extraction
+ * @param {boolean} options.optional - Whether authentication is optional
+ * @param {Array<string>} options.excludePaths - Paths to exclude from authentication
+ * @param {Array<string>|Function} options.apiKeys - Valid API keys for API key authentication
+ * @param {string} options.apiKeyHeader - Header name for API key
+ * @param {Function} options.apiKeyValidator - Custom API key validation function
+ * @param {Function} options.unauthorizedResponse - Custom unauthorized response generator
+ * @param {Function} options.onError - Custom error handler
+ * @param {string|Array<string>} options.audience - Expected JWT audience
+ * @param {string} options.issuer - Expected JWT issuer
+ * @returns {Function} Middleware function
+ */
+function createJWTAuth(options = {}) {
+  const {
+    secret,
+    jwksUri,
+    jwks,
+    jwtOptions = {},
+    getToken,
+    tokenHeader,
+    tokenQuery,
+    optional = false,
+    excludePaths = [],
+    apiKeys,
+    apiKeyHeader = 'x-api-key',
+    apiKeyValidator,
+    validateApiKey,
+    unauthorizedResponse,
+    onError,
+    audience,
+    issuer,
+    algorithms,
+  } = options
+  // API key mode doesn't require JWT secret
+  const hasApiKeyMode = apiKeys || apiKeyValidator || validateApiKey
+  if (!secret && !jwksUri && !jwks && !hasApiKeyMode) {
+    throw new Error('JWT middleware requires either secret or jwksUri')
+  }
+  // Setup key resolver for JWT
+  let keyLike
+  if (jwks) {
+    // If jwks is a mock or custom resolver with getKey method
+    if (typeof jwks.getKey === 'function') {
+      keyLike = async (protectedHeader, token) => {
+        return jwks.getKey(protectedHeader, token)
+      }
+    } else {
+      keyLike = jwks
+    }
+  } else if (jwksUri) {
+    keyLike = createRemoteJWKSet(new URL(jwksUri))
+  } else if (typeof secret === 'function') {
+    keyLike = secret
+  } else {
+    keyLike = secret
+  }
+  // Default JWT verification options
+  const defaultJwtOptions = {
+    algorithms: algorithms || ['HS256', 'RS256'],
+    audience,
+    issuer,
+    ...jwtOptions,
+  }
+  return async function jwtAuthMiddleware(req, next) {
+    const url = new URL(req.url)
+    // Skip authentication for excluded paths
+    if (excludePaths.some((path) => url.pathname.startsWith(path))) {
+      return next()
+    }
+    try {
+      // Try API key authentication first if configured
+      if (hasApiKeyMode) {
+        const apiKey = req.headers.get(apiKeyHeader)
+        if (apiKey) {
+          const validationResult = await validateApiKeyInternal(
+            apiKey,
+            apiKeys,
+            apiKeyValidator || validateApiKey,
+            req,
+          )
+          if (validationResult !== false) {
+            // Set API key context
+            req.ctx = req.ctx || {}
+            req.ctx.apiKey = apiKey
+            // If validation result is an object, use it as user data, otherwise default
+            const userData =
+              validationResult && typeof validationResult === 'object'
+                ? validationResult
+                : {apiKey}
+            req.ctx.user = userData
+            req.apiKey = apiKey
+            req.user = userData
+            return next()
+          } else {
+            return handleAuthError(
+              new Error('Invalid API key'),
+              {unauthorizedResponse, onError},
+              req,
+            )
+          }
+        }
+      }
+      // Extract JWT token from request
+      const token = extractToken(req, {getToken, tokenHeader, tokenQuery})
+      if (!token) {
+        if (optional) {
+          return next()
+        }
+        return handleAuthError(
+          new Error('Authentication required'),
+          {unauthorizedResponse, onError},
+          req,
+        )
+      }
+      // Only verify JWT if we have JWT configuration
+      if (!keyLike) {
+        return handleAuthError(
+          new Error('JWT verification not configured'),
+          {unauthorizedResponse, onError},
+          req,
+        )
+      }
+      // Verify JWT token
+      const {payload, protectedHeader} = await jwtVerify(
+        token,
+        keyLike,
+        defaultJwtOptions,
+      )
+      // Add user info to request context
+      req.ctx = req.ctx || {}
+      req.ctx.user = payload
+      req.ctx.jwt = {
+        payload,
+        header: protectedHeader,
+        token,
+      }
+      req.user = payload // Mirror to root for compatibility
+      req.jwt = {
+        payload,
+        header: protectedHeader,
+        token,
+      }
+      return next()
+    } catch (error) {
+      if (optional && (!hasApiKeyMode || !req.headers.get(apiKeyHeader))) {
+        return next()
+      }
+      return handleAuthError(error, {unauthorizedResponse, onError}, req)
+    }
+  }
+}
+/**
+ * Validates API key
+ * @param {string} apiKey - API key to validate
+ * @param {Array<string>|Function} apiKeys - Valid API keys or validator function
+ * @param {Function} apiKeyValidator - Custom validator function
+ * @param {Request} req - Request object
+ * @returns {boolean|Object} Whether API key is valid or user object
+ */
+async function validateApiKeyInternal(apiKey, apiKeys, apiKeyValidator, req) {
+  if (apiKeyValidator) {
+    // Check if this is the simplified validateApiKey function (expects only key)
+    if (apiKeyValidator.length === 1) {
+      const result = await apiKeyValidator(apiKey)
+      return result || false
+    }
+    // Otherwise call with both key and req
+    const result = await apiKeyValidator(apiKey, req)
+    return result || false
+  }
+  if (typeof apiKeys === 'function') {
+    const result = await apiKeys(apiKey, req)
+    return result || false
+  }
+  if (Array.isArray(apiKeys)) {
+    return apiKeys.includes(apiKey)
+  }
+  return apiKeys === apiKey
+}
+/**
+ * Extracts JWT token from request
+ * @param {Request} req - Request object
+ * @param {Object} options - Extraction options
+ * @returns {string|null} JWT token or null if not found
+ */
+function extractToken(req, options = {}) {
+  const {getToken, tokenHeader, tokenQuery} = options
+  // Use custom token extractor if provided
+  if (getToken) {
+    return getToken(req)
+  }
+  // Try custom header
+  if (tokenHeader) {
+    const token = req.headers.get(tokenHeader)
+    if (token) return token
+  }
+  // Try query parameter
+  if (tokenQuery) {
+    const url = new URL(req.url)
+    const token = url.searchParams.get(tokenQuery)
+    if (token) return token
+  }
+  // Default: Authorization header
+  return extractTokenFromHeader(req)
+}
+/**
+ * Handles authentication errors
+ * @param {Error} error - Authentication error
+ * @param {Object} handlers - Error handling functions
+ * @param {Request} req - Request object
+ * @returns {Response} Error response
+ */
+function handleAuthError(error, handlers = {}, req) {
+  const {unauthorizedResponse, onError} = handlers
+  // Call custom error handler if provided
+  if (onError) {
+    try {
+      const result = onError(error, req)
+      if (result instanceof Response) {
+        return result
+      }
+    } catch (handlerError) {
+      // Fall back to default handling if custom handler fails
+    }
+  }
+  // Use custom unauthorized response if provided
+  if (unauthorizedResponse) {
+    try {
+      // If it's already a Response object, return it directly
+      if (unauthorizedResponse instanceof Response) {
+        return unauthorizedResponse
+      }
+      // If it's a function, call it
+      if (typeof unauthorizedResponse === 'function') {
+        const response = unauthorizedResponse(error, req)
+        if (response instanceof Response) {
+          return response
+        }
+        // If not a Response object, treat as response data
+        if (response && typeof response === 'object') {
+          return new Response(
+            typeof response.body === 'string'
+              ? response.body
+              : JSON.stringify(response.body || response),
+            {
+              status: response.status || 401,
+              headers: response.headers || {'Content-Type': 'application/json'},
+            },
+          )
+        }
+      }
+    } catch (responseError) {
+      // Fall back to default response if custom response fails
+    }
+  }
+  // Default error handling
+  let statusCode = 401
+  let message = 'Invalid token'
+  if (error.message === 'Authentication required') {
+    message = 'Authentication required'
+  } else if (error.message === 'Invalid API key') {
+    message = 'Invalid API key'
+  } else if (error.message === 'JWT verification not configured') {
+    message = 'JWT verification not configured'
+  } else if (error instanceof errors.JWTExpired) {
+    message = 'Token expired'
+  } else if (error instanceof errors.JWTInvalid) {
+    message = 'Invalid token format'
+  } else if (error instanceof errors.JWKSNoMatchingKey) {
+    message = 'Token signature verification failed'
+  } else if (error.message.includes('audience')) {
+    message = 'Invalid token audience'
+  } else if (error.message.includes('issuer')) {
+    message = 'Invalid token issuer'
+  }
+  return new Response(JSON.stringify({error: message}), {
+    status: statusCode,
+    headers: {'Content-Type': 'application/json'},
+  })
+}
+/**
+ * Extracts JWT token from Authorization header
+ * @param {Request} req - Request object
+ * @returns {string|null} JWT token or null if not found
+ */
+function extractTokenFromHeader(req) {
+  const authorization = req.headers.get('authorization')
+  if (!authorization) {
+    return null
+  }
+  const parts = authorization.split(' ')
+  if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') {
+    return null
+  }
+  return parts[1]
+}
+/**
+ * Creates a simple API key authentication middleware
+ * @param {Object} options - API key configuration
+ * @param {string|Array<string>|Function} options.keys - Valid API keys or validation function
+ * @param {string} options.header - Header name for API key (default: 'x-api-key')
+ * @param {Function} options.getKey - Custom key extraction function
+ * @returns {Function} Middleware function
+ */
+function createAPIKeyAuth(options = {}) {
+  const {keys, header = 'x-api-key', getKey} = options
+  if (!keys) {
+    throw new Error('API key middleware requires keys configuration')
+  }
+  const validateKey =
+    typeof keys === 'function'
+      ? keys
+      : (key) => (Array.isArray(keys) ? keys.includes(key) : keys === key)
+  return async function apiKeyAuthMiddleware(req, next) {
+    try {
+      // Extract API key
+      const apiKey = getKey ? getKey(req) : req.headers.get(header)
+      if (!apiKey) {
+        return new Response(JSON.stringify({error: 'API key required'}), {
+          status: 401,
+          headers: {'Content-Type': 'application/json'},
+        })
+      }
+      // Validate API key
+      const isValid = await validateKey(apiKey, req)
+      if (!isValid) {
+        return new Response(JSON.stringify({error: 'Invalid API key'}), {
+          status: 401,
+          headers: {'Content-Type': 'application/json'},
+        })
+      }
+      // Add API key info to context
+      req.ctx = req.ctx || {}
+      req.ctx.apiKey = apiKey
+      return next()
+    } catch (error) {
+      return new Response(JSON.stringify({error: 'Authentication failed'}), {
+        status: 500,
+        headers: {'Content-Type': 'application/json'},
+      })
+    }
+  }
+}
+module.exports = {
+  createJWTAuth,
+  createAPIKeyAuth,
+  extractTokenFromHeader,
+  extractToken,
+  validateApiKeyInternal,
+  handleAuthError,
+}

package/lib/middleware/logger.js ADDED Viewed

@@ -0,0 +1,310 @@
+const pino = require('pino')
+const crypto = require('crypto')
+/**
+ * Creates a logging middleware using Pino logger
+ * @param {Object} options - Logger configuration options
+ * @param {Object} options.pinoOptions - Pino logger options
+ * @param {Function} options.serializers - Custom serializers for request/response
+ * @param {boolean} options.logBody - Whether to log request/response bodies
+ * @param {Array<string>} options.excludePaths - Paths to exclude from logging
+ * @param {Object} options.logger - Injected logger instance
+ * @param {string} options.level - Log level (alternative to pinoOptions.level)
+ * @param {string} options.requestIdHeader - Header name to read request ID from
+ * @param {Function} options.generateRequestId - Custom request ID generator function
+ * @returns {Function} Middleware function
+ */
+function createLogger(options = {}) {
+  const {
+    pinoOptions = {},
+    logBody = false,
+    excludePaths = ['/health', '/ping', '/favicon.ico'],
+    logger: injectedLogger,
+    level,
+    serializers,
+    requestIdHeader,
+    generateRequestId,
+  } = options
+  // Build final pino options with proper precedence
+  const finalPinoOptions = {
+    level: level || pinoOptions.level || process.env.LOG_LEVEL || 'info',
+    timestamp: pino.stdTimeFunctions.isoTime,
+    formatters: {
+      level: (label) => ({level: label.toUpperCase()}),
+    },
+    serializers: {
+      req: (req) => ({
+        method: req.method,
+        url: req.url,
+        headers: req.headers,
+        ...(logBody && req.body ? {body: req.body} : {}),
+      }),
+      // Default res serializer removed to allow logResponse to handle it fully
+      err: pino.stdSerializers.err,
+      // Merge in custom serializers if provided
+      ...(serializers || {}),
+    },
+    ...pinoOptions,
+  }
+  // Use injected logger if provided (for tests), otherwise create a new one
+  const logger = injectedLogger || pino(finalPinoOptions)
+  return function loggerMiddleware(req, next) {
+    const startTime = process.hrtime.bigint()
+    const url = new URL(req.url)
+    if (excludePaths.some((path) => url.pathname.startsWith(path))) {
+      return next()
+    }
+    // Generate or extract request ID
+    let requestId
+    if (requestIdHeader && req.headers.get(requestIdHeader)) {
+      requestId = req.headers.get(requestIdHeader)
+    } else if (generateRequestId) {
+      requestId = generateRequestId()
+    } else {
+      requestId = crypto.randomUUID()
+    }
+    // Add logger and requestId to context and root
+    req.ctx = req.ctx || {}
+    req.ctx.requestId = requestId
+    req.requestId = requestId
+    // Create child logger with request context
+    const childLogger = logger.child({
+      requestId: requestId,
+      method: req.method,
+      path: url.pathname,
+    })
+    req.ctx.log = childLogger
+    req.log = childLogger
+    // Check if we should log based on level
+    const effectiveLevel =
+      level || pinoOptions.level || process.env.LOG_LEVEL || 'info'
+    const shouldLogInfo = shouldLog('info', effectiveLevel)
+    // Log request started
+    if (shouldLogInfo) {
+      const logObj = {
+        msg: 'Request started',
+        method: req.method,
+        url: url.pathname,
+      }
+      // Apply custom serializers if provided
+      if (serializers && serializers.req) {
+        Object.assign(logObj, serializers.req(req))
+      } else if (logBody && req.body) {
+        // Add body to log if logBody is enabled and no custom serializer
+        logObj.body = req.body
+      }
+      childLogger.info(logObj)
+    }
+    try {
+      const result = next()
+      if (result instanceof Promise) {
+        return result
+          .then((response) => {
+            logResponse(
+              childLogger,
+              response,
+              startTime,
+              req,
+              url,
+              shouldLogInfo,
+              serializers,
+              logBody,
+            )
+            return response
+          })
+          .catch((error) => {
+            logError(childLogger, error, startTime)
+            throw error
+          })
+      } else {
+        logResponse(
+          childLogger,
+          result,
+          startTime,
+          req,
+          url,
+          shouldLogInfo,
+          serializers,
+          logBody,
+        )
+        return result
+      }
+    } catch (error) {
+      logError(childLogger, error, startTime)
+      throw error
+    }
+  }
+}
+// Helper function to determine if we should log at a given level
+function shouldLog(logLevel, configuredLevel) {
+  const levels = {
+    trace: 10,
+    debug: 20,
+    info: 30,
+    warn: 40,
+    error: 50,
+    fatal: 60,
+  }
+  const logLevelNum = levels[logLevel] || 30
+  const configuredLevelNum = levels[configuredLevel] || 30
+  return logLevelNum >= configuredLevelNum
+}
+function logResponse(
+  logger,
+  response,
+  startTime,
+  req,
+  url,
+  shouldLogInfo,
+  customSerializers, // serializers from createLogger options
+  logBodyOpt, // logBody from createLogger options
+) {
+  if (!shouldLogInfo) return
+  const duration = Number(process.hrtime.bigint() - startTime) / 1000000
+  let responseSize
+  if (response) {
+    if (response.headers && response.headers.get) {
+      const contentLength = response.headers.get('content-length')
+      if (contentLength) {
+        responseSize = parseInt(contentLength, 10)
+      }
+    }
+    if (responseSize === undefined) {
+      const bodyToMeasure = response.hasOwnProperty('_bodyForLogger')
+        ? response._bodyForLogger
+        : response.body
+      if (bodyToMeasure instanceof ReadableStream) {
+        responseSize = undefined
+      } else if (typeof bodyToMeasure === 'string') {
+        responseSize = Buffer.byteLength(bodyToMeasure, 'utf8')
+      } else if (bodyToMeasure instanceof ArrayBuffer) {
+        responseSize = bodyToMeasure.byteLength
+      } else if (bodyToMeasure instanceof Uint8Array) {
+        responseSize = bodyToMeasure.length
+      } else if (bodyToMeasure === null || bodyToMeasure === undefined) {
+        responseSize = 0
+      }
+    }
+  }
+  const logEntry = {
+    msg: 'Request completed',
+    method: req.method,
+    url: url.pathname,
+    status: response && response.status,
+    duration: duration,
+  }
+  if (responseSize !== undefined) {
+    logEntry.responseSize = responseSize
+  }
+  // Handle response serialization
+  if (customSerializers && customSerializers.res) {
+    // Custom serializer is responsible for all response fields it wants to log
+    const serializedRes = customSerializers.res(response)
+    Object.assign(logEntry, serializedRes)
+  } else {
+    // No custom res serializer: default handling for headers
+    if (
+      response &&
+      response.headers &&
+      typeof response.headers.entries === 'function'
+    ) {
+      logEntry.headers = Object.fromEntries(response.headers.entries())
+    } else if (response && response.headers) {
+      logEntry.headers = response.headers
+    } else {
+      logEntry.headers = {}
+    }
+  }
+  // If logBodyOpt is true and body wasn't added by a custom serializer (or no custom serializer)
+  if (logBodyOpt && response && !logEntry.hasOwnProperty('body')) {
+    logEntry.body = response.hasOwnProperty('_bodyForLogger')
+      ? response._bodyForLogger
+      : response.body
+  }
+  logger.info(logEntry)
+}
+function logError(logger, error, startTime) {
+  const duration = Number(process.hrtime.bigint() - startTime) / 1000000
+  logger.error({
+    msg: 'Request failed',
+    error: error && error.message,
+    duration: duration,
+  })
+}
+/**
+ * Simple request logger for development
+ * @returns {Function} Middleware function
+ */
+function simpleLogger() {
+  return function simpleLoggerMiddleware(req, next) {
+    const startTime = Date.now()
+    const method = req.method
+    const url = new URL(req.url)
+    const pathname = url.pathname
+    console.log(`→ ${method} ${pathname}`)
+    try {
+      const result = next()
+      if (result instanceof Promise) {
+        return result
+          .then((response) => {
+            const duration = Date.now() - startTime
+            console.log(
+              `← ${method} ${pathname} ${response.status} (${duration}ms)`,
+            )
+            return response
+          })
+          .catch((error) => {
+            const duration = Date.now() - startTime
+            console.log(
+              `✗ ${method} ${pathname} ERROR (${duration}ms): ${error.message}`,
+            )
+            throw error
+          })
+      } else {
+        const duration = Date.now() - startTime
+        console.log(`← ${method} ${pathname} ${result.status} (${duration}ms)`)
+        return result
+      }
+    } catch (error) {
+      const duration = Date.now() - startTime
+      console.log(
+        `✗ ${method} ${pathname} ERROR (${duration}ms): ${error.message}`,
+      )
+      throw error
+    }
+  }
+}
+module.exports = {
+  createLogger,
+  simpleLogger,
+}