@access-dlsu/leapify 0.260507.4 → 0.260524.1

package/dist/app.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AAuBzC,MAAM,WAAW,iBAAiB;IAChC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAC1B;AAED,wBAAgB,SAAS,CAAC,OAAO,GAAE,iBAAsB,GAAG,IAAI,CAAC,UAAU,CAAC,CA4F3E"}
+{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AAqBzC,MAAM,WAAW,iBAAiB;IAChC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAC1B;AAED,wBAAgB,SAAS,CAAC,OAAO,GAAE,iBAAsB,GAAG,IAAI,CAAC,UAAU,CAAC,CAkF3E"}

package/dist/auth/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/auth/auth.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAI/C;;;;;;;;;;;;;GAaG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gBAoCrC;;;mBAGG;;;;;;;;;;;;;;;;;;;;gBAWH;;;;;;;mBAOG;;;;;;;;;;;;;GAiCZ;AAED,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAA"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/auth/auth.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAI/C;;;;;;;;;;;;;GAaG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gBAoCrC;;;mBAGG;;;;;;;;;;;;;;;;;;;;gBAWH;;;;;;;mBAOG;;;;;;;;;;;;;GA2CZ;AAED,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAA"}

package/dist/auth/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AAM1C,OAAO,QAAQ,MAAM,CAAC;IACpB,UAAU,kBAAkB;QAC1B,IAAI,EAAE,WAAW,CAAA;KAClB;CACF;AA4DD,eAAO,MAAM,cAAc;cAAgC,eAAe;wBAsDzE,CAAA;AAID,eAAO,MAAM,sBAAsB;cACvB,eAAe;wBAUzB,CAAA;AAIF,eAAO,MAAM,eAAe;cAAgC,eAAe;wBAQ1E,CAAA;AAID,eAAO,MAAM,kBAAkB;cACnB,eAAe;wBAOzB,CAAA"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAC/C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AAM1C,OAAO,QAAQ,MAAM,CAAC;IACpB,UAAU,kBAAkB;QAC1B,IAAI,EAAE,WAAW,CAAA;KAClB;CACF;AAkED,eAAO,MAAM,cAAc;cAAgC,eAAe;wBAsDzE,CAAA;AAID,eAAO,MAAM,sBAAsB;cACvB,eAAe;wBAUzB,CAAA;AAIF,eAAO,MAAM,eAAe;cAAgC,eAAe;wBAQ1E,CAAA;AAID,eAAO,MAAM,kBAAkB;cACnB,eAAe;wBAOzB,CAAA"}

package/dist/chunk-64MMUYMK.cjs

@@ -0,0 +1,167 @@
+'use strict';
+
+var factory = require('hono/factory');
+
+// src/lib/middleware/turnstile-challenge.ts
+var TURNSTILE_PATH = "/.well-known/leapify/turnstile";
+var TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
+var TURNSTILE_COOKIE_NAME = "leapify-turnstile";
+var VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
+var COOKIE_MAX_AGE_SEC = 86400;
+var EXEMPT_PATHS = [
+  "/health",
+  "/internal",
+  "/api/auth",
+  "/api/uploads/images",
+  "/api/classes",
+  "/api/faqs",
+  "/api/config",
+  TURNSTILE_VERIFY_PATH
+];
+function base64urlEncode(bytes) {
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(str) {
+  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function importHmacKey(secret) {
+  return crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"]
+  );
+}
+async function signCookie(secret, ip) {
+  const ts = Date.now();
+  const nonce = base64urlEncode(crypto.getRandomValues(new Uint8Array(8)));
+  const payload = `${ip}:${ts}:${nonce}`;
+  const key = await importHmacKey(secret);
+  const sig = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    new TextEncoder().encode(payload)
+  );
+  const sigB64 = base64urlEncode(new Uint8Array(sig));
+  return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
+}
+async function validateCookie(secret, cookie, ip) {
+  try {
+    const [payloadB64, sigB64] = cookie.split(".");
+    if (!payloadB64 || !sigB64) return false;
+    const payloadBytes = base64urlDecode(payloadB64);
+    const sigBytes = base64urlDecode(sigB64);
+    const key = await importHmacKey(secret);
+    const valid = await crypto.subtle.verify(
+      "HMAC",
+      key,
+      sigBytes,
+      payloadBytes
+    );
+    if (!valid) return false;
+    const payload = new TextDecoder().decode(payloadBytes);
+    const [cookieIp, tsStr] = payload.split(":");
+    if (cookieIp !== ip) return false;
+    const ts = parseInt(tsStr, 10);
+    if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+function getClientIp(c) {
+  return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
+}
+function isExempt(path) {
+  const normalized = path.toLowerCase().replace(/\/$/, "");
+  return EXEMPT_PATHS.some((p) => {
+    const ep = p.toLowerCase().replace(/\/$/, "");
+    return normalized === ep || normalized.startsWith(ep + "/");
+  });
+}
+function setCookieHeader(c, token) {
+  const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
+  c.header(
+    "Set-Cookie",
+    `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`
+  );
+}
+async function handleTurnstileVerify(c) {
+  const body = await c.req.json();
+  const { token } = body;
+  if (!token) {
+    return c.json(
+      { error: { code: "VALIDATION_ERROR", message: "Missing Turnstile token" } },
+      422
+    );
+  }
+  const secret = c.env.TURNSTILE_SECRET_KEY;
+  if (!secret) {
+    return c.json(
+      { error: { code: "CONFIG_ERROR", message: "Turnstile not configured" } },
+      500
+    );
+  }
+  const ip = getClientIp(c);
+  const formData = new URLSearchParams();
+  formData.append("secret", secret);
+  formData.append("response", token);
+  if (ip !== "unknown") {
+    formData.append("remoteip", ip);
+  }
+  const res = await fetch(VERIFY_URL, {
+    method: "POST",
+    body: formData
+  });
+  const outcome = await res.json();
+  if (!outcome.success) {
+    return c.json(
+      { error: { code: "TURNSTILE_FAILED", message: "Turnstile verification failed", details: outcome["error-codes"] } },
+      403
+    );
+  }
+  const cookieToken = await signCookie(secret, ip);
+  setCookieHeader(c, cookieToken);
+  return c.json({ success: true });
+}
+function createTurnstileMiddleware() {
+  return factory.createMiddleware(async (c, next) => {
+    if (isExempt(c.req.path)) return next();
+    if (c.req.method === "OPTIONS") return next();
+    if (c.req.header("Authorization")) return next();
+    const secret = c.env.TURNSTILE_SECRET_KEY;
+    if (!secret) return next();
+    const cookieHeader = c.req.header("Cookie") ?? "";
+    const cookieMatch = cookieHeader.match(
+      new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`)
+    );
+    if (cookieMatch) {
+      const ip = getClientIp(c);
+      const valid = await validateCookie(secret, cookieMatch[1], ip);
+      if (valid) return next();
+    }
+    return c.json(
+      { error: { code: "TURNSTILE_REQUIRED", message: "Turnstile verification required" } },
+      401
+    );
+  });
+}
+
+exports.TURNSTILE_COOKIE_NAME = TURNSTILE_COOKIE_NAME;
+exports.TURNSTILE_PATH = TURNSTILE_PATH;
+exports.TURNSTILE_VERIFY_PATH = TURNSTILE_VERIFY_PATH;
+exports.createTurnstileMiddleware = createTurnstileMiddleware;
+exports.handleTurnstileVerify = handleTurnstileVerify;
+//# sourceMappingURL=chunk-64MMUYMK.cjs.map
+//# sourceMappingURL=chunk-64MMUYMK.cjs.map

package/dist/chunk-64MMUYMK.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/lib/middleware/turnstile-challenge.ts"],"names":["createMiddleware"],"mappings":";;;;;AAIO,IAAM,cAAA,GAAiB;AAEvB,IAAM,qBAAA,GAAwB,GAAG,cAAc,CAAA,OAAA;AAE/C,IAAM,qBAAA,GAAwB;AAErC,IAAM,UAAA,GAAa,2DAAA;AAEnB,IAAM,kBAAA,GAAqB,KAAA;AAE3B,IAAM,YAAA,GAAe;AAAA,EACnB,SAAA;AAAA,EACA,WAAA;AAAA,EACA,WAAA;AAAA,EACA,qBAAA;AAAA,EACA,cAAA;AAAA,EACA,WAAA;AAAA,EACA,aAAA;AAAA,EACA;AACF,CAAA;AAEA,SAAS,gBAAgB,KAAA,EAA2B;AAClD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAA,IAAU,MAAA,CAAO,aAAa,IAAI,CAAA;AAAA,EACpC;AACA,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC/E;AAEA,SAAS,gBAAgB,GAAA,EAAsC;AAC7D,EAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AACvD,EAAA,MAAM,MAAA,GAAS,KAAK,MAAM,CAAA;AAC1B,EAAA,MAAM,QAAQ,IAAI,UAAA,CAAW,IAAI,WAAA,CAAY,MAAA,CAAO,MAAM,CAAC,CAAA;AAC3D,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,KAAA;AACT;AAEA,eAAe,cAAc,MAAA,EAAoC;AAC/D,EAAA,OAAO,OAAO,MAAA,CAAO,SAAA;AAAA,IACnB,KAAA;AAAA,IACA,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,MAAM,CAAA;AAAA,IAC/B,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAU;AAAA,IAChC,KAAA;AAAA,IACA,CAAC,QAAQ,QAAQ;AAAA,GACnB;AACF;AAEA,eAAe,UAAA,CAAW,QAAgB,EAAA,EAA6B;AACrE,EAAA,MAAM,EAAA,GAAK,KAAK,GAAA,EAAI;AACpB,EAAA,MAAM,KAAA,GAAQ,gBAAgB,MAAA,CAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,CAAC,CAAC,CAAC,CAAA;AACvE,EAAA,MAAM,UAAU,CAAA,EAAG,EAAE,CAAA,CAAA,EAAI,EAAE,IAAI,KAAK,CAAA,CAAA;AACpC,EAAA,MAAM,GAAA,GAAM,MAAM,aAAA,CAAc,MAAM,CAAA;AACtC,EAAA,MAAM,GAAA,GAAM,MAAM,MAAA,CAAO,MAAA,CAAO,IAAA;AAAA,IAC9B,MAAA;AAAA,IACA,GAAA;AAAA,IACA,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,OAAO;AAAA,GAClC;AACA,EAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,IAAI,UAAA,CAAW,GAAG,CAAC,CAAA;AAClD,EAAA,OAAO,CAAA,EAAG,eAAA,CAAgB,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAC,CAAC,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA;AACxE;AAEA,eAAe,cAAA,CACb,MAAA,EACA,MAAA,EACA,EAAA,EACkB;AAClB,EAAA,IAAI;AACF,IAAA,MAAM,CAAC,UAAA,EAAY,MAAM,CAAA,GAAI,MAAA,CAAO,MAAM,GAAG,CAAA;AAC7C,IAAA,IAAI,CAAC,UAAA,IAAc,CAAC,MAAA,EAAQ,OAAO,KAAA;AAEnC,IAAA,MAAM,YAAA,GAAe,gBAAgB,UAAU,CAAA;AAC/C,IAAA,MAAM,QAAA,GAAW,gBAAgB,MAAM,CAAA;AAEvC,IAAA,MAAM,GAAA,GAAM,MAAM,aAAA,CAAc,MAAM,CAAA;AACtC,IAAA,MAAM,KAAA,GAAQ,MAAM,MAAA,CAAO,MAAA,CAAO,MAAA;AAAA,MAChC,MAAA;AAAA,MACA,GAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,IAAI,CAAC,OAAO,OAAO,KAAA;AAEnB,IAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,YAAY,CAAA;AACrD,IAAA,MAAM,CAAC,QAAA,EAAU,KAAK,CAAA,GAAI,OAAA,CAAQ,MAAM,GAAG,CAAA;AAE3C,IAAA,IAAI,QAAA,KAAa,IAAI,OAAO,KAAA;AAE5B,IAAA,MAAM,EAAA,GAAK,QAAA,CAAS,KAAA,EAAO,EAAE,CAAA;AAC7B,IAAA,IAAI,KAAA,CAAM,EAAE,CAAA,IAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,kBAAA,GAAqB,GAAA,EAAM,OAAO,KAAA;AAErE,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAEA,SAAS,YAAY,CAAA,EAAmD;AACtE,EAAA,OACE,CAAA,CAAE,IAAI,MAAA,CAAO,kBAAkB,KAC/B,CAAA,CAAE,GAAA,CAAI,OAAO,WAAW,CAAA,IACxB,EAAE,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,EAAK,IACrD,SAAA;AAEJ;AAEA,SAAS,SAAS,IAAA,EAAuB;AACvC,EAAA,MAAM,aAAa,IAAA,CAAK,WAAA,EAAY,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AACvD,EAAA,OAAO,YAAA,CAAa,IAAA,CAAK,CAAC,CAAA,KAAM;AAC9B,IAAA,MAAM,KAAK,CAAA,CAAE,WAAA,EAAY,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC5C,IAAA,OAAO,UAAA,KAAe,EAAA,IAAM,UAAA,CAAW,UAAA,CAAW,KAAK,GAAG,CAAA;AAAA,EAC5D,CAAC,CAAA;AACH;AAEA,SAAS,eAAA,CAAgB,GAA2C,KAAA,EAAqB;AACvF,EAAA,MAAM,QAAA,GAAW,CAAA,CAAE,GAAA,CAAI,GAAA,CAAI,GAAA,CAAI,UAAA,CAAW,OAAO,CAAA,IAAK,CAAA,CAAE,GAAA,CAAI,MAAA,CAAO,mBAAmB,CAAA,KAAM,OAAA;AAC5F,EAAA,CAAA,CAAE,MAAA;AAAA,IACA,YAAA;AAAA,IACA,CAAA,EAAG,qBAAqB,CAAA,CAAA,EAAI,KAAK,qBAAqB,kBAAkB,CAAA,EAAA,EACtE,QAAA,GAAW,UAAA,GAAa,EAC1B,CAAA,sBAAA;AAAA,GACF;AACF;AAOA,eAAsB,sBACpB,CAAA,EACA;AACA,EAAA,MAAM,IAAA,GAAO,MAAM,CAAA,CAAE,GAAA,CAAI,IAAA,EAAyB;AAClD,EAAA,MAAM,EAAE,OAAM,GAAI,IAAA;AAElB,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,MAAM,kBAAA,EAAoB,OAAA,EAAS,2BAA0B,EAAE;AAAA,MAC1E;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,EAAE,GAAA,CAAI,oBAAA;AACrB,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,MAAM,cAAA,EAAgB,OAAA,EAAS,4BAA2B,EAAE;AAAA,MACvE;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,EAAA,GAAK,YAAY,CAAC,CAAA;AACxB,EAAA,MAAM,QAAA,GAAW,IAAI,eAAA,EAAgB;AACrC,EAAA,QAAA,CAAS,MAAA,CAAO,UAAU,MAAM,CAAA;AAChC,EAAA,QAAA,CAAS,MAAA,CAAO,YAAY,KAAK,CAAA;AACjC,EAAA,IAAI,OAAO,SAAA,EAAW;AACpB,IAAA,QAAA,CAAS,MAAA,CAAO,YAAY,EAAE,CAAA;AAAA,EAChC;AAEA,EAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,UAAA,EAAY;AAAA,IAClC,MAAA,EAAQ,MAAA;AAAA,IACR,IAAA,EAAM;AAAA,GACP,CAAA;AACD,EAAA,MAAM,OAAA,GAAU,MAAM,GAAA,CAAI,IAAA,EAAK;AAE/B,EAAA,IAAI,CAAC,QAAQ,OAAA,EAAS;AACpB,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,IAAA,EAAM,kBAAA,EAAoB,OAAA,EAAS,+BAAA,EAAiC,OAAA,EAAS,OAAA,CAAQ,aAAa,CAAA,EAAE,EAAE;AAAA,MACjH;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,EAAQ,EAAE,CAAA;AAC/C,EAAA,eAAA,CAAgB,GAAG,WAAW,CAAA;AAE9B,EAAA,OAAO,CAAA,CAAE,IAAA,CAAK,EAAE,OAAA,EAAS,MAAM,CAAA;AACjC;AAYO,SAAS,yBAAA,GAA4B;AAC1C,EAAA,OAAOA,wBAAA,CAAgD,OAAO,CAAA,EAAG,IAAA,KAAS;AACxE,IAAA,IAAI,SAAS,CAAA,CAAE,GAAA,CAAI,IAAI,CAAA,SAAU,IAAA,EAAK;AAEtC,IAAA,IAAI,CAAA,CAAE,GAAA,CAAI,MAAA,KAAW,SAAA,SAAkB,IAAA,EAAK;AAI5C,IAAA,IAAI,EAAE,GAAA,CAAI,MAAA,CAAO,eAAe,CAAA,SAAU,IAAA,EAAK;AAE/C,IAAA,MAAM,MAAA,GAAS,EAAE,GAAA,CAAI,oBAAA;AACrB,IAAA,IAAI,CAAC,MAAA,EAAQ,OAAO,IAAA,EAAK;AAEzB,IAAA,MAAM,YAAA,GAAe,CAAA,CAAE,GAAA,CAAI,MAAA,CAAO,QAAQ,CAAA,IAAK,EAAA;AAC/C,IAAA,MAAM,cAAc,YAAA,CAAa,KAAA;AAAA,MAC/B,IAAI,MAAA,CAAO,CAAA,EAAG,qBAAqB,CAAA,QAAA,CAAU;AAAA,KAC/C;AACA,IAAA,IAAI,WAAA,EAAa;AACf,MAAA,MAAM,EAAA,GAAK,YAAY,CAAC,CAAA;AACxB,MAAA,MAAM,QAAQ,MAAM,cAAA,CAAe,QAAQ,WAAA,CAAY,CAAC,GAAG,EAAE,CAAA;AAC7D,MAAA,IAAI,KAAA,SAAc,IAAA,EAAK;AAAA,IACzB;AAEA,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,MAAM,oBAAA,EAAsB,OAAA,EAAS,mCAAkC,EAAE;AAAA,MACpF;AAAA,KACF;AAAA,EACF,CAAC,CAAA;AACH","file":"chunk-64MMUYMK.cjs","sourcesContent":["import { createMiddleware } from 'hono/factory'\nimport type { Context } from 'hono'\nimport type { LeapifyBindings } from '../../types'\n\nexport const TURNSTILE_PATH = '/.well-known/leapify/turnstile'\n\nexport const TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`\n\nexport const TURNSTILE_COOKIE_NAME = 'leapify-turnstile'\n\nconst VERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'\n\nconst COOKIE_MAX_AGE_SEC = 86400\n\nconst EXEMPT_PATHS = [\n  \"/health\",\n  \"/internal\",\n  \"/api/auth\",\n  \"/api/uploads/images\",\n  \"/api/classes\",\n  \"/api/faqs\",\n  \"/api/config\",\n  TURNSTILE_VERIFY_PATH,\n];\n\nfunction base64urlEncode(bytes: Uint8Array): string {\n  let binary = ''\n  for (const byte of bytes) {\n    binary += String.fromCharCode(byte)\n  }\n  return btoa(binary).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '')\n}\n\nfunction base64urlDecode(str: string): Uint8Array<ArrayBuffer> {\n  const padded = str.replace(/-/g, '+').replace(/_/g, '/')\n  const binary = atob(padded)\n  const bytes = new Uint8Array(new ArrayBuffer(binary.length))\n  for (let i = 0; i < binary.length; i++) {\n    bytes[i] = binary.charCodeAt(i)\n  }\n  return bytes\n}\n\nasync function importHmacKey(secret: string): Promise<CryptoKey> {\n  return crypto.subtle.importKey(\n    'raw',\n    new TextEncoder().encode(secret),\n    { name: 'HMAC', hash: 'SHA-256' },\n    false,\n    ['sign', 'verify']\n  )\n}\n\nasync function signCookie(secret: string, ip: string): Promise<string> {\n  const ts = Date.now()\n  const nonce = base64urlEncode(crypto.getRandomValues(new Uint8Array(8)))\n  const payload = `${ip}:${ts}:${nonce}`\n  const key = await importHmacKey(secret)\n  const sig = await crypto.subtle.sign(\n    'HMAC',\n    key,\n    new TextEncoder().encode(payload)\n  )\n  const sigB64 = base64urlEncode(new Uint8Array(sig))\n  return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`\n}\n\nasync function validateCookie(\n  secret: string,\n  cookie: string,\n  ip: string\n): Promise<boolean> {\n  try {\n    const [payloadB64, sigB64] = cookie.split('.')\n    if (!payloadB64 || !sigB64) return false\n\n    const payloadBytes = base64urlDecode(payloadB64)\n    const sigBytes = base64urlDecode(sigB64)\n\n    const key = await importHmacKey(secret)\n    const valid = await crypto.subtle.verify(\n      'HMAC',\n      key,\n      sigBytes,\n      payloadBytes\n    )\n    if (!valid) return false\n\n    const payload = new TextDecoder().decode(payloadBytes)\n    const [cookieIp, tsStr] = payload.split(':')\n\n    if (cookieIp !== ip) return false\n\n    const ts = parseInt(tsStr, 10)\n    if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1000) return false\n\n    return true\n  } catch {\n    return false\n  }\n}\n\nfunction getClientIp(c: Context<{ Bindings: LeapifyBindings }>): string {\n  return (\n    c.req.header('CF-Connecting-IP') ??\n    c.req.header('X-Real-IP') ??\n    c.req.header('X-Forwarded-For')?.split(',')[0]?.trim() ??\n    'unknown'\n  )\n}\n\nfunction isExempt(path: string): boolean {\n  const normalized = path.toLowerCase().replace(/\\/$/, '')\n  return EXEMPT_PATHS.some((p) => {\n    const ep = p.toLowerCase().replace(/\\/$/, '')\n    return normalized === ep || normalized.startsWith(ep + '/')\n  })\n}\n\nfunction setCookieHeader(c: Context<{ Bindings: LeapifyBindings }>, token: string): void {\n  const isSecure = c.req.raw.url.startsWith(\"https\") || c.req.header(\"x-forwarded-proto\") === \"https\";\n  c.header(\n    \"Set-Cookie\",\n    `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${\n      isSecure ? \"Secure; \" : \"\"\n    }HttpOnly; SameSite=Lax`,\n  );\n}\n\n/**\n * POST /.well-known/leapify/turnstile/verify\n *\n * Validates a Turnstile token and issues a signed cookie on success.\n */\nexport async function handleTurnstileVerify(\n  c: Context<{ Bindings: LeapifyBindings }>\n) {\n  const body = await c.req.json<{ token?: string }>()\n  const { token } = body\n\n  if (!token) {\n    return c.json(\n      { error: { code: 'VALIDATION_ERROR', message: 'Missing Turnstile token' } },\n      422\n    )\n  }\n\n  const secret = c.env.TURNSTILE_SECRET_KEY\n  if (!secret) {\n    return c.json(\n      { error: { code: 'CONFIG_ERROR', message: 'Turnstile not configured' } },\n      500\n    )\n  }\n\n  const ip = getClientIp(c)\n  const formData = new URLSearchParams()\n  formData.append('secret', secret)\n  formData.append('response', token)\n  if (ip !== 'unknown') {\n    formData.append('remoteip', ip)\n  }\n\n  const res = await fetch(VERIFY_URL, {\n    method: 'POST',\n    body: formData,\n  })\n  const outcome = await res.json() as { success: boolean; 'error-codes'?: string[] }\n\n  if (!outcome.success) {\n    return c.json(\n      { error: { code: 'TURNSTILE_FAILED', message: 'Turnstile verification failed', details: outcome['error-codes'] } },\n      403\n    )\n  }\n\n  const cookieToken = await signCookie(secret, ip)\n  setCookieHeader(c, cookieToken)\n\n  return c.json({ success: true })\n}\n\n/**\n * Turnstile challenge middleware.\n *\n * Requires a valid Turnstile-signed cookie on all non-exempt requests.\n * The client must first solve a Turnstile challenge and POST the token\n * to the verify endpoint to obtain the cookie.\n *\n * Exempt paths: /health, /internal, /api/auth, /api/uploads/images,\n * and the verify endpoint itself.\n */\nexport function createTurnstileMiddleware() {\n  return createMiddleware<{ Bindings: LeapifyBindings }>(async (c, next) => {\n    if (isExempt(c.req.path)) return next()\n\n    if (c.req.method === 'OPTIONS') return next()\n\n    // Skip challenge for authenticated requests (Bearer token present)\n    // The auth middleware will handle session validation instead.\n    if (c.req.header('Authorization')) return next()\n\n    const secret = c.env.TURNSTILE_SECRET_KEY\n    if (!secret) return next()\n\n    const cookieHeader = c.req.header('Cookie') ?? ''\n    const cookieMatch = cookieHeader.match(\n      new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`)\n    )\n    if (cookieMatch) {\n      const ip = getClientIp(c)\n      const valid = await validateCookie(secret, cookieMatch[1], ip)\n      if (valid) return next()\n    }\n\n    return c.json(\n      { error: { code: 'TURNSTILE_REQUIRED', message: 'Turnstile verification required' } },\n      401\n    )\n  })\n}\n"]}

package/dist/chunk-AKCERDGP.js

@@ -0,0 +1,161 @@
+import { createMiddleware } from 'hono/factory';
+
+// src/lib/middleware/turnstile-challenge.ts
+var TURNSTILE_PATH = "/.well-known/leapify/turnstile";
+var TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
+var TURNSTILE_COOKIE_NAME = "leapify-turnstile";
+var VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
+var COOKIE_MAX_AGE_SEC = 86400;
+var EXEMPT_PATHS = [
+  "/health",
+  "/internal",
+  "/api/auth",
+  "/api/uploads/images",
+  "/api/classes",
+  "/api/faqs",
+  "/api/config",
+  TURNSTILE_VERIFY_PATH
+];
+function base64urlEncode(bytes) {
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(str) {
+  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+async function importHmacKey(secret) {
+  return crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"]
+  );
+}
+async function signCookie(secret, ip) {
+  const ts = Date.now();
+  const nonce = base64urlEncode(crypto.getRandomValues(new Uint8Array(8)));
+  const payload = `${ip}:${ts}:${nonce}`;
+  const key = await importHmacKey(secret);
+  const sig = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    new TextEncoder().encode(payload)
+  );
+  const sigB64 = base64urlEncode(new Uint8Array(sig));
+  return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
+}
+async function validateCookie(secret, cookie, ip) {
+  try {
+    const [payloadB64, sigB64] = cookie.split(".");
+    if (!payloadB64 || !sigB64) return false;
+    const payloadBytes = base64urlDecode(payloadB64);
+    const sigBytes = base64urlDecode(sigB64);
+    const key = await importHmacKey(secret);
+    const valid = await crypto.subtle.verify(
+      "HMAC",
+      key,
+      sigBytes,
+      payloadBytes
+    );
+    if (!valid) return false;
+    const payload = new TextDecoder().decode(payloadBytes);
+    const [cookieIp, tsStr] = payload.split(":");
+    if (cookieIp !== ip) return false;
+    const ts = parseInt(tsStr, 10);
+    if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+function getClientIp(c) {
+  return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
+}
+function isExempt(path) {
+  const normalized = path.toLowerCase().replace(/\/$/, "");
+  return EXEMPT_PATHS.some((p) => {
+    const ep = p.toLowerCase().replace(/\/$/, "");
+    return normalized === ep || normalized.startsWith(ep + "/");
+  });
+}
+function setCookieHeader(c, token) {
+  const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
+  c.header(
+    "Set-Cookie",
+    `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`
+  );
+}
+async function handleTurnstileVerify(c) {
+  const body = await c.req.json();
+  const { token } = body;
+  if (!token) {
+    return c.json(
+      { error: { code: "VALIDATION_ERROR", message: "Missing Turnstile token" } },
+      422
+    );
+  }
+  const secret = c.env.TURNSTILE_SECRET_KEY;
+  if (!secret) {
+    return c.json(
+      { error: { code: "CONFIG_ERROR", message: "Turnstile not configured" } },
+      500
+    );
+  }
+  const ip = getClientIp(c);
+  const formData = new URLSearchParams();
+  formData.append("secret", secret);
+  formData.append("response", token);
+  if (ip !== "unknown") {
+    formData.append("remoteip", ip);
+  }
+  const res = await fetch(VERIFY_URL, {
+    method: "POST",
+    body: formData
+  });
+  const outcome = await res.json();
+  if (!outcome.success) {
+    return c.json(
+      { error: { code: "TURNSTILE_FAILED", message: "Turnstile verification failed", details: outcome["error-codes"] } },
+      403
+    );
+  }
+  const cookieToken = await signCookie(secret, ip);
+  setCookieHeader(c, cookieToken);
+  return c.json({ success: true });
+}
+function createTurnstileMiddleware() {
+  return createMiddleware(async (c, next) => {
+    if (isExempt(c.req.path)) return next();
+    if (c.req.method === "OPTIONS") return next();
+    if (c.req.header("Authorization")) return next();
+    const secret = c.env.TURNSTILE_SECRET_KEY;
+    if (!secret) return next();
+    const cookieHeader = c.req.header("Cookie") ?? "";
+    const cookieMatch = cookieHeader.match(
+      new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`)
+    );
+    if (cookieMatch) {
+      const ip = getClientIp(c);
+      const valid = await validateCookie(secret, cookieMatch[1], ip);
+      if (valid) return next();
+    }
+    return c.json(
+      { error: { code: "TURNSTILE_REQUIRED", message: "Turnstile verification required" } },
+      401
+    );
+  });
+}
+
+export { TURNSTILE_COOKIE_NAME, TURNSTILE_PATH, TURNSTILE_VERIFY_PATH, createTurnstileMiddleware, handleTurnstileVerify };
+//# sourceMappingURL=chunk-AKCERDGP.js.map
+//# sourceMappingURL=chunk-AKCERDGP.js.map

package/dist/chunk-AKCERDGP.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/lib/middleware/turnstile-challenge.ts"],"names":[],"mappings":";;;AAIO,IAAM,cAAA,GAAiB;AAEvB,IAAM,qBAAA,GAAwB,GAAG,cAAc,CAAA,OAAA;AAE/C,IAAM,qBAAA,GAAwB;AAErC,IAAM,UAAA,GAAa,2DAAA;AAEnB,IAAM,kBAAA,GAAqB,KAAA;AAE3B,IAAM,YAAA,GAAe;AAAA,EACnB,SAAA;AAAA,EACA,WAAA;AAAA,EACA,WAAA;AAAA,EACA,qBAAA;AAAA,EACA,cAAA;AAAA,EACA,WAAA;AAAA,EACA,aAAA;AAAA,EACA;AACF,CAAA;AAEA,SAAS,gBAAgB,KAAA,EAA2B;AAClD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAA,IAAU,MAAA,CAAO,aAAa,IAAI,CAAA;AAAA,EACpC;AACA,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC/E;AAEA,SAAS,gBAAgB,GAAA,EAAsC;AAC7D,EAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AACvD,EAAA,MAAM,MAAA,GAAS,KAAK,MAAM,CAAA;AAC1B,EAAA,MAAM,QAAQ,IAAI,UAAA,CAAW,IAAI,WAAA,CAAY,MAAA,CAAO,MAAM,CAAC,CAAA;AAC3D,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,KAAA;AACT;AAEA,eAAe,cAAc,MAAA,EAAoC;AAC/D,EAAA,OAAO,OAAO,MAAA,CAAO,SAAA;AAAA,IACnB,KAAA;AAAA,IACA,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,MAAM,CAAA;AAAA,IAC/B,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAU;AAAA,IAChC,KAAA;AAAA,IACA,CAAC,QAAQ,QAAQ;AAAA,GACnB;AACF;AAEA,eAAe,UAAA,CAAW,QAAgB,EAAA,EAA6B;AACrE,EAAA,MAAM,EAAA,GAAK,KAAK,GAAA,EAAI;AACpB,EAAA,MAAM,KAAA,GAAQ,gBAAgB,MAAA,CAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,CAAC,CAAC,CAAC,CAAA;AACvE,EAAA,MAAM,UAAU,CAAA,EAAG,EAAE,CAAA,CAAA,EAAI,EAAE,IAAI,KAAK,CAAA,CAAA;AACpC,EAAA,MAAM,GAAA,GAAM,MAAM,aAAA,CAAc,MAAM,CAAA;AACtC,EAAA,MAAM,GAAA,GAAM,MAAM,MAAA,CAAO,MAAA,CAAO,IAAA;AAAA,IAC9B,MAAA;AAAA,IACA,GAAA;AAAA,IACA,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,OAAO;AAAA,GAClC;AACA,EAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,IAAI,UAAA,CAAW,GAAG,CAAC,CAAA;AAClD,EAAA,OAAO,CAAA,EAAG,eAAA,CAAgB,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAC,CAAC,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA;AACxE;AAEA,eAAe,cAAA,CACb,MAAA,EACA,MAAA,EACA,EAAA,EACkB;AAClB,EAAA,IAAI;AACF,IAAA,MAAM,CAAC,UAAA,EAAY,MAAM,CAAA,GAAI,MAAA,CAAO,MAAM,GAAG,CAAA;AAC7C,IAAA,IAAI,CAAC,UAAA,IAAc,CAAC,MAAA,EAAQ,OAAO,KAAA;AAEnC,IAAA,MAAM,YAAA,GAAe,gBAAgB,UAAU,CAAA;AAC/C,IAAA,MAAM,QAAA,GAAW,gBAAgB,MAAM,CAAA;AAEvC,IAAA,MAAM,GAAA,GAAM,MAAM,aAAA,CAAc,MAAM,CAAA;AACtC,IAAA,MAAM,KAAA,GAAQ,MAAM,MAAA,CAAO,MAAA,CAAO,MAAA;AAAA,MAChC,MAAA;AAAA,MACA,GAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,IAAI,CAAC,OAAO,OAAO,KAAA;AAEnB,IAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,YAAY,CAAA;AACrD,IAAA,MAAM,CAAC,QAAA,EAAU,KAAK,CAAA,GAAI,OAAA,CAAQ,MAAM,GAAG,CAAA;AAE3C,IAAA,IAAI,QAAA,KAAa,IAAI,OAAO,KAAA;AAE5B,IAAA,MAAM,EAAA,GAAK,QAAA,CAAS,KAAA,EAAO,EAAE,CAAA;AAC7B,IAAA,IAAI,KAAA,CAAM,EAAE,CAAA,IAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,kBAAA,GAAqB,GAAA,EAAM,OAAO,KAAA;AAErE,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAEA,SAAS,YAAY,CAAA,EAAmD;AACtE,EAAA,OACE,CAAA,CAAE,IAAI,MAAA,CAAO,kBAAkB,KAC/B,CAAA,CAAE,GAAA,CAAI,OAAO,WAAW,CAAA,IACxB,EAAE,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,EAAK,IACrD,SAAA;AAEJ;AAEA,SAAS,SAAS,IAAA,EAAuB;AACvC,EAAA,MAAM,aAAa,IAAA,CAAK,WAAA,EAAY,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AACvD,EAAA,OAAO,YAAA,CAAa,IAAA,CAAK,CAAC,CAAA,KAAM;AAC9B,IAAA,MAAM,KAAK,CAAA,CAAE,WAAA,EAAY,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC5C,IAAA,OAAO,UAAA,KAAe,EAAA,IAAM,UAAA,CAAW,UAAA,CAAW,KAAK,GAAG,CAAA;AAAA,EAC5D,CAAC,CAAA;AACH;AAEA,SAAS,eAAA,CAAgB,GAA2C,KAAA,EAAqB;AACvF,EAAA,MAAM,QAAA,GAAW,CAAA,CAAE,GAAA,CAAI,GAAA,CAAI,GAAA,CAAI,UAAA,CAAW,OAAO,CAAA,IAAK,CAAA,CAAE,GAAA,CAAI,MAAA,CAAO,mBAAmB,CAAA,KAAM,OAAA;AAC5F,EAAA,CAAA,CAAE,MAAA;AAAA,IACA,YAAA;AAAA,IACA,CAAA,EAAG,qBAAqB,CAAA,CAAA,EAAI,KAAK,qBAAqB,kBAAkB,CAAA,EAAA,EACtE,QAAA,GAAW,UAAA,GAAa,EAC1B,CAAA,sBAAA;AAAA,GACF;AACF;AAOA,eAAsB,sBACpB,CAAA,EACA;AACA,EAAA,MAAM,IAAA,GAAO,MAAM,CAAA,CAAE,GAAA,CAAI,IAAA,EAAyB;AAClD,EAAA,MAAM,EAAE,OAAM,GAAI,IAAA;AAElB,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,MAAM,kBAAA,EAAoB,OAAA,EAAS,2BAA0B,EAAE;AAAA,MAC1E;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,EAAE,GAAA,CAAI,oBAAA;AACrB,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,MAAM,cAAA,EAAgB,OAAA,EAAS,4BAA2B,EAAE;AAAA,MACvE;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,EAAA,GAAK,YAAY,CAAC,CAAA;AACxB,EAAA,MAAM,QAAA,GAAW,IAAI,eAAA,EAAgB;AACrC,EAAA,QAAA,CAAS,MAAA,CAAO,UAAU,MAAM,CAAA;AAChC,EAAA,QAAA,CAAS,MAAA,CAAO,YAAY,KAAK,CAAA;AACjC,EAAA,IAAI,OAAO,SAAA,EAAW;AACpB,IAAA,QAAA,CAAS,MAAA,CAAO,YAAY,EAAE,CAAA;AAAA,EAChC;AAEA,EAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,UAAA,EAAY;AAAA,IAClC,MAAA,EAAQ,MAAA;AAAA,IACR,IAAA,EAAM;AAAA,GACP,CAAA;AACD,EAAA,MAAM,OAAA,GAAU,MAAM,GAAA,CAAI,IAAA,EAAK;AAE/B,EAAA,IAAI,CAAC,QAAQ,OAAA,EAAS;AACpB,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,IAAA,EAAM,kBAAA,EAAoB,OAAA,EAAS,+BAAA,EAAiC,OAAA,EAAS,OAAA,CAAQ,aAAa,CAAA,EAAE,EAAE;AAAA,MACjH;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,EAAQ,EAAE,CAAA;AAC/C,EAAA,eAAA,CAAgB,GAAG,WAAW,CAAA;AAE9B,EAAA,OAAO,CAAA,CAAE,IAAA,CAAK,EAAE,OAAA,EAAS,MAAM,CAAA;AACjC;AAYO,SAAS,yBAAA,GAA4B;AAC1C,EAAA,OAAO,gBAAA,CAAgD,OAAO,CAAA,EAAG,IAAA,KAAS;AACxE,IAAA,IAAI,SAAS,CAAA,CAAE,GAAA,CAAI,IAAI,CAAA,SAAU,IAAA,EAAK;AAEtC,IAAA,IAAI,CAAA,CAAE,GAAA,CAAI,MAAA,KAAW,SAAA,SAAkB,IAAA,EAAK;AAI5C,IAAA,IAAI,EAAE,GAAA,CAAI,MAAA,CAAO,eAAe,CAAA,SAAU,IAAA,EAAK;AAE/C,IAAA,MAAM,MAAA,GAAS,EAAE,GAAA,CAAI,oBAAA;AACrB,IAAA,IAAI,CAAC,MAAA,EAAQ,OAAO,IAAA,EAAK;AAEzB,IAAA,MAAM,YAAA,GAAe,CAAA,CAAE,GAAA,CAAI,MAAA,CAAO,QAAQ,CAAA,IAAK,EAAA;AAC/C,IAAA,MAAM,cAAc,YAAA,CAAa,KAAA;AAAA,MAC/B,IAAI,MAAA,CAAO,CAAA,EAAG,qBAAqB,CAAA,QAAA,CAAU;AAAA,KAC/C;AACA,IAAA,IAAI,WAAA,EAAa;AACf,MAAA,MAAM,EAAA,GAAK,YAAY,CAAC,CAAA;AACxB,MAAA,MAAM,QAAQ,MAAM,cAAA,CAAe,QAAQ,WAAA,CAAY,CAAC,GAAG,EAAE,CAAA;AAC7D,MAAA,IAAI,KAAA,SAAc,IAAA,EAAK;AAAA,IACzB;AAEA,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,MAAM,oBAAA,EAAsB,OAAA,EAAS,mCAAkC,EAAE;AAAA,MACpF;AAAA,KACF;AAAA,EACF,CAAC,CAAA;AACH","file":"chunk-AKCERDGP.js","sourcesContent":["import { createMiddleware } from 'hono/factory'\nimport type { Context } from 'hono'\nimport type { LeapifyBindings } from '../../types'\n\nexport const TURNSTILE_PATH = '/.well-known/leapify/turnstile'\n\nexport const TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`\n\nexport const TURNSTILE_COOKIE_NAME = 'leapify-turnstile'\n\nconst VERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'\n\nconst COOKIE_MAX_AGE_SEC = 86400\n\nconst EXEMPT_PATHS = [\n  \"/health\",\n  \"/internal\",\n  \"/api/auth\",\n  \"/api/uploads/images\",\n  \"/api/classes\",\n  \"/api/faqs\",\n  \"/api/config\",\n  TURNSTILE_VERIFY_PATH,\n];\n\nfunction base64urlEncode(bytes: Uint8Array): string {\n  let binary = ''\n  for (const byte of bytes) {\n    binary += String.fromCharCode(byte)\n  }\n  return btoa(binary).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '')\n}\n\nfunction base64urlDecode(str: string): Uint8Array<ArrayBuffer> {\n  const padded = str.replace(/-/g, '+').replace(/_/g, '/')\n  const binary = atob(padded)\n  const bytes = new Uint8Array(new ArrayBuffer(binary.length))\n  for (let i = 0; i < binary.length; i++) {\n    bytes[i] = binary.charCodeAt(i)\n  }\n  return bytes\n}\n\nasync function importHmacKey(secret: string): Promise<CryptoKey> {\n  return crypto.subtle.importKey(\n    'raw',\n    new TextEncoder().encode(secret),\n    { name: 'HMAC', hash: 'SHA-256' },\n    false,\n    ['sign', 'verify']\n  )\n}\n\nasync function signCookie(secret: string, ip: string): Promise<string> {\n  const ts = Date.now()\n  const nonce = base64urlEncode(crypto.getRandomValues(new Uint8Array(8)))\n  const payload = `${ip}:${ts}:${nonce}`\n  const key = await importHmacKey(secret)\n  const sig = await crypto.subtle.sign(\n    'HMAC',\n    key,\n    new TextEncoder().encode(payload)\n  )\n  const sigB64 = base64urlEncode(new Uint8Array(sig))\n  return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`\n}\n\nasync function validateCookie(\n  secret: string,\n  cookie: string,\n  ip: string\n): Promise<boolean> {\n  try {\n    const [payloadB64, sigB64] = cookie.split('.')\n    if (!payloadB64 || !sigB64) return false\n\n    const payloadBytes = base64urlDecode(payloadB64)\n    const sigBytes = base64urlDecode(sigB64)\n\n    const key = await importHmacKey(secret)\n    const valid = await crypto.subtle.verify(\n      'HMAC',\n      key,\n      sigBytes,\n      payloadBytes\n    )\n    if (!valid) return false\n\n    const payload = new TextDecoder().decode(payloadBytes)\n    const [cookieIp, tsStr] = payload.split(':')\n\n    if (cookieIp !== ip) return false\n\n    const ts = parseInt(tsStr, 10)\n    if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1000) return false\n\n    return true\n  } catch {\n    return false\n  }\n}\n\nfunction getClientIp(c: Context<{ Bindings: LeapifyBindings }>): string {\n  return (\n    c.req.header('CF-Connecting-IP') ??\n    c.req.header('X-Real-IP') ??\n    c.req.header('X-Forwarded-For')?.split(',')[0]?.trim() ??\n    'unknown'\n  )\n}\n\nfunction isExempt(path: string): boolean {\n  const normalized = path.toLowerCase().replace(/\\/$/, '')\n  return EXEMPT_PATHS.some((p) => {\n    const ep = p.toLowerCase().replace(/\\/$/, '')\n    return normalized === ep || normalized.startsWith(ep + '/')\n  })\n}\n\nfunction setCookieHeader(c: Context<{ Bindings: LeapifyBindings }>, token: string): void {\n  const isSecure = c.req.raw.url.startsWith(\"https\") || c.req.header(\"x-forwarded-proto\") === \"https\";\n  c.header(\n    \"Set-Cookie\",\n    `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${\n      isSecure ? \"Secure; \" : \"\"\n    }HttpOnly; SameSite=Lax`,\n  );\n}\n\n/**\n * POST /.well-known/leapify/turnstile/verify\n *\n * Validates a Turnstile token and issues a signed cookie on success.\n */\nexport async function handleTurnstileVerify(\n  c: Context<{ Bindings: LeapifyBindings }>\n) {\n  const body = await c.req.json<{ token?: string }>()\n  const { token } = body\n\n  if (!token) {\n    return c.json(\n      { error: { code: 'VALIDATION_ERROR', message: 'Missing Turnstile token' } },\n      422\n    )\n  }\n\n  const secret = c.env.TURNSTILE_SECRET_KEY\n  if (!secret) {\n    return c.json(\n      { error: { code: 'CONFIG_ERROR', message: 'Turnstile not configured' } },\n      500\n    )\n  }\n\n  const ip = getClientIp(c)\n  const formData = new URLSearchParams()\n  formData.append('secret', secret)\n  formData.append('response', token)\n  if (ip !== 'unknown') {\n    formData.append('remoteip', ip)\n  }\n\n  const res = await fetch(VERIFY_URL, {\n    method: 'POST',\n    body: formData,\n  })\n  const outcome = await res.json() as { success: boolean; 'error-codes'?: string[] }\n\n  if (!outcome.success) {\n    return c.json(\n      { error: { code: 'TURNSTILE_FAILED', message: 'Turnstile verification failed', details: outcome['error-codes'] } },\n      403\n    )\n  }\n\n  const cookieToken = await signCookie(secret, ip)\n  setCookieHeader(c, cookieToken)\n\n  return c.json({ success: true })\n}\n\n/**\n * Turnstile challenge middleware.\n *\n * Requires a valid Turnstile-signed cookie on all non-exempt requests.\n * The client must first solve a Turnstile challenge and POST the token\n * to the verify endpoint to obtain the cookie.\n *\n * Exempt paths: /health, /internal, /api/auth, /api/uploads/images,\n * and the verify endpoint itself.\n */\nexport function createTurnstileMiddleware() {\n  return createMiddleware<{ Bindings: LeapifyBindings }>(async (c, next) => {\n    if (isExempt(c.req.path)) return next()\n\n    if (c.req.method === 'OPTIONS') return next()\n\n    // Skip challenge for authenticated requests (Bearer token present)\n    // The auth middleware will handle session validation instead.\n    if (c.req.header('Authorization')) return next()\n\n    const secret = c.env.TURNSTILE_SECRET_KEY\n    if (!secret) return next()\n\n    const cookieHeader = c.req.header('Cookie') ?? ''\n    const cookieMatch = cookieHeader.match(\n      new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`)\n    )\n    if (cookieMatch) {\n      const ip = getClientIp(c)\n      const valid = await validateCookie(secret, cookieMatch[1], ip)\n      if (valid) return next()\n    }\n\n    return c.json(\n      { error: { code: 'TURNSTILE_REQUIRED', message: 'Turnstile verification required' } },\n      401\n    )\n  })\n}\n"]}

package/dist/client/auth.d.ts

@@ -709,19 +709,7 @@ export declare function createLeapifyAuthClient(baseUrl: string): {
         referrerPolicy?: ReferrerPolicy | undefined;
         signal?: (AbortSignal | null) | undefined;
         window?: null | undefined;
-        onRetry
-        /**
-         * Get the current bearer token from storage, or null for guests.
-         * Pass this to `createLeapifyClient` as the `getToken` option.
-         *
-         * @example
-         * import { createLeapifyClient } from 'leapify/client'
-         * import { createLeapifyAuthClient, getLeapifyToken } from 'leapify/client'
-         *
-         * const authClient = createLeapifyAuthClient(API_URL)
-         * const api = createLeapifyClient(API_URL, () => getLeapifyToken(authClient))
-         */
-        ?: ((response: import("@better-fetch/fetch").ResponseContext) => Promise<void> | void) | undefined;
+        onRetry?: ((response: import("@better-fetch/fetch").ResponseContext) => Promise<void> | void) | undefined;
         hookOptions?: {
             cloneResponse?: boolean;
         } | undefined;

package/dist/client/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/client/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAMH;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BA0BtD,CAAC;iBAAe,CAAC;;;;;;;;;;;;;;;;;;;;gBA+BA,CAAC;aAAwC,CAAC;mBAEjC,CAAC;eAAiC,CAAC;;;;;iBAWvD,CAAC;iBAEM,CAAC;;YACE,CAAA;gBAAuC,CAAC;gBACpC,CAAC;sBAEhB,CAAD;cAAwC,CAAC;cAGzB,CAAC;;QAItB;;;;;;;;;;WAUG;QACH,CAZC;mBAG+B,CAAC;yBAAuB,CAAC;;eAGzC,CAAC;;;aACiD,CAAC;YAEnD,CAAC;;;;;;;;;;;;YAgBmB,CAAC;aAAgB,CAAC;cAC9C,CAAA;cAAiB,CAAC;;aAES,CAAC;oBAIL,CAAC;cAAgC,CAAC;mBAAkG,CAAC;yBAA0E,CAAC;qBAAwC,CAAC;;;uBAAkF,CAAC;+GAAuL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAnGliB;AAED,MAAM,MAAM,iBAAiB,GAAG,UAAU,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAE1E;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,wBAAwB,CAC5C,UAAU,EAAE,iBAAiB,EAC7B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAKf;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,0BAA0B,CAC9C,UAAU,EAAE,iBAAiB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CAEnC,UAAU,CAAC,EAAE,iBAAiB,GAC7B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKxB;AAED;;GAEG;AACH,wBAAsB,OAAO,CAAC,UAAU,EAAE,iBAAiB;;;;;;;;;;;;;GAM1D"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/client/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAMH;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BA0BA,CAAC;iBACnD,CAAC;;;;;;;;;;;;;;;;;;;;gBAgCwB,CAAA;aAE3B,CAAA;mBAC+B,CAAC;eAAiC,CAAC;;;;;iBAWvC,CAAA;iBAAoC,CAAA;;YAE9D,CAAH;gBACsB,CAAC;gBAItB,CADF;sBAAwC,CAAC;cAKf,CAAC;cACnB,CAAA;eAA+B,CAAC;mBAI9B,CAAC;yBAAuB,CAAC;;eAClC,CAAD;;;aAEgD,CAAC;YAChD,CAAC;;;;;;;;;;;;YAiBuB,CAAC;aAAgB,CAAC;cAE/B,CAAC;cAED,CAAC;;aAA8F,CAAC;oBAAiE,CAAC;cAAgC,CAAC;mBAAkG,CAAC;yBAA0E,CAAC;qBAAwC,CAAC;;;uBAAkF,CAAC;+GAAuL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAnGhrB;AAED,MAAM,MAAM,iBAAiB,GAAG,UAAU,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAE1E;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,wBAAwB,CAC5C,UAAU,EAAE,iBAAiB,EAC7B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAKf;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,0BAA0B,CAC9C,UAAU,EAAE,iBAAiB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CAEnC,UAAU,CAAC,EAAE,iBAAiB,GAC7B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAKxB;AAED;;GAEG;AACH,wBAAsB,OAAO,CAAC,UAAU,EAAE,iBAAiB;;;;;;;;;;;;;GAM1D"}