npm - @access-dlsu/leapify - Versions diffs - 0.260524.3 → 0.260601.1 - Mend

@access-dlsu/leapify 0.260524.3 → 0.260601.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/dist/auth/auth.d.ts +2 -2
package/dist/{chunk-AKCERDGP.js → chunk-2JEY6TSO.js} +2 -2
package/dist/chunk-2JEY6TSO.js.map +1 -0
package/dist/{chunk-64MMUYMK.cjs → chunk-X4OB4DZ3.cjs} +2 -2
package/dist/chunk-X4OB4DZ3.cjs.map +1 -0
package/dist/client/auth.d.ts +57 -41
package/dist/client/auth.d.ts.map +1 -1
package/dist/client/index.cjs +2 -0
package/dist/client/index.cjs.map +1 -1
package/dist/client/index.js +2 -0
package/dist/client/index.js.map +1 -1
package/dist/index.cjs +129 -64
package/dist/index.cjs.map +1 -1
package/dist/index.js +125 -60
package/dist/index.js.map +1 -1
package/dist/lib/middleware/cors.d.ts.map +1 -1
package/dist/lib/middleware/referer-guard.d.ts +1 -1
package/dist/lib/middleware/referer-guard.d.ts.map +1 -1
package/dist/lib/middleware/turnstile-challenge.cjs +6 -6
package/dist/lib/middleware/turnstile-challenge.js +1 -1
package/dist/routes/site-config.d.ts +2 -2
package/dist/routes/site-config.d.ts.map +1 -1
package/dist/worker.js +278 -213
package/dist/worker.js.map +1 -1
package/package.json +155 -155
package/dist/chunk-64MMUYMK.cjs.map +0 -1
package/dist/chunk-AKCERDGP.js.map +0 -1

package/dist/index.cjs CHANGED Viewed

@@ -1,16 +1,16 @@
 'use strict';
-var chunk64MMUYMK_cjs = require('./chunk-64MMUYMK.cjs');
+var chunkX4OB4DZ3_cjs = require('./chunk-X4OB4DZ3.cjs');
 var chunkQ7SFCCGT_cjs = require('./chunk-Q7SFCCGT.cjs');
 var hono = require('hono');
 var cors = require('hono/cors');
+var d1 = require('drizzle-orm/d1');
+var sqliteCore = require('drizzle-orm/sqlite-core');
+var drizzleOrm = require('drizzle-orm');
 var factory = require('hono/factory');
 var betterAuth = require('better-auth');
 var drizzle = require('better-auth/adapters/drizzle');
 var plugins = require('better-auth/plugins');
-var drizzleOrm = require('drizzle-orm');
-var d1 = require('drizzle-orm/d1');
-var sqliteCore = require('drizzle-orm/sqlite-core');
 var zodValidator = require('@hono/zod-validator');
 var zod = require('zod');
@@ -22,6 +22,8 @@ var LeapifyError = class extends Error {
     this.code = code;
     this.name = "LeapifyError";
   }
+  statusCode;
+  code;
 };
 var unauthorized = (message = "Unauthorized") => new LeapifyError(401, "UNAUTHORIZED", message);
 var domainRestricted = () => new LeapifyError(
@@ -50,58 +52,6 @@ var errorHandler = (err, c) => {
     500
   );
 };
-function createCorsMiddleware(allowedOrigins) {
-  return async (c, next) => {
-    const origin = c.req.header("origin");
-    const dynamicOriginsJson = await c.env.KV.get("config:allowed_origins", "json");
-    const currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
-    if (c.req.path.startsWith("/api/uploads/images")) {
-      c.header("Access-Control-Allow-Origin", "*");
-      c.header("Access-Control-Allow-Methods", "GET, OPTIONS");
-      if (c.req.method === "OPTIONS") {
-        return c.body(null, 204);
-      }
-      return next();
-    }
-    if (!c.req.path.startsWith("/health") && !c.req.path.startsWith("/api/auth") && !c.req.path.startsWith("/internal") && origin && !currentAllowedOrigins.includes("*") && !currentAllowedOrigins.includes(origin)) {
-      return c.json(
-        {
-          error: {
-            code: "DOMAIN_RESTRICTED",
-            message: `Origin ${origin} is not allowed`
-          }
-        },
-        403
-      );
-    }
-    const honoCors = cors.cors({
-      origin: currentAllowedOrigins,
-      allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
-      allowHeaders: ["Content-Type", "Authorization"],
-      exposeHeaders: ["ETag", "Last-Modified", "Cache-Control"],
-      maxAge: 86400,
-      credentials: true
-    });
-    return honoCors(c, next);
-  };
-}
-function createRefererGuard(allowedOrigins) {
-  const MUTATION_METHODS = /* @__PURE__ */ new Set(["POST", "PATCH", "PUT", "DELETE"]);
-  const SKIP_PREFIXES = ["/health", "/internal", "/api/auth", "/.well-known"];
-  return factory.createMiddleware(async (c, next) => {
-    if (!MUTATION_METHODS.has(c.req.method)) return next();
-    if (SKIP_PREFIXES.some((p) => c.req.path.startsWith(p))) return next();
-    const dynamicOriginsJson = await c.env.KV.get("config:allowed_origins", "json");
-    const currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
-    if (currentAllowedOrigins.includes("*")) return next();
-    const referer = c.req.header("referer") ?? "";
-    const isAllowed = currentAllowedOrigins.some((origin) => referer.startsWith(origin));
-    if (!isAllowed) {
-      throw forbidden("Request origin not permitted");
-    }
-    return next();
-  });
-}
 // src/db/schema/index.ts
 var schema_exports = {};
@@ -334,8 +284,112 @@ var authVerification = sqliteCore.sqliteTable(
 function createDb(d1$1) {
   return d1.drizzle(d1$1, { schema: schema_exports });
 }
-// src/auth/auth.ts
+async function getOriginsFromDb(env) {
+  try {
+    const db = createDb(env.DB);
+    const row = await db.query.siteConfig.findFirst({
+      where: drizzleOrm.eq(siteConfig.key, "allowed_origins")
+    });
+    if (row) return JSON.parse(row.value);
+  } catch {
+  }
+  return null;
+}
+function createCorsMiddleware(allowedOrigins) {
+  return async (c, next) => {
+    const origin = c.req.header("origin");
+    const dynamicOriginsJson = await c.env.KV.get(
+      "config:allowed_origins",
+      "json"
+    );
+    let currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
+    if (!dynamicOriginsJson) {
+      const dbOrigins = await getOriginsFromDb(c.env);
+      if (dbOrigins) {
+        currentAllowedOrigins = dbOrigins;
+        await c.env.KV.put(
+          "config:allowed_origins",
+          JSON.stringify(dbOrigins),
+          { expirationTtl: 86400 }
+        );
+      }
+    }
+    if (c.req.path.startsWith("/api/uploads/images")) {
+      c.header("Access-Control-Allow-Origin", "*");
+      c.header("Access-Control-Allow-Methods", "GET, OPTIONS");
+      if (c.req.method === "OPTIONS") {
+        return c.body(null, 204);
+      }
+      return next();
+    }
+    if (!c.req.path.startsWith("/health") && !c.req.path.startsWith("/api/auth") && !c.req.path.startsWith("/internal") && origin && !currentAllowedOrigins.includes("*") && !currentAllowedOrigins.includes(origin) && origin !== new URL(c.req.url).origin) {
+      return c.json(
+        {
+          error: {
+            code: "DOMAIN_RESTRICTED",
+            message: `Origin ${origin} is not allowed`
+          }
+        },
+        403
+      );
+    }
+    const honoCors = cors.cors({
+      origin: currentAllowedOrigins,
+      allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
+      allowHeaders: ["Content-Type", "Authorization"],
+      exposeHeaders: ["ETag", "Last-Modified", "Cache-Control"],
+      maxAge: 86400,
+      credentials: true
+    });
+    return honoCors(c, next);
+  };
+}
+async function getOriginsFromDb2(env) {
+  try {
+    const db = createDb(env.DB);
+    const row = await db.query.siteConfig.findFirst({
+      where: drizzleOrm.eq(siteConfig.key, "allowed_origins")
+    });
+    if (row) return JSON.parse(row.value);
+  } catch {
+  }
+  return null;
+}
+function createRefererGuard(allowedOrigins) {
+  const MUTATION_METHODS = /* @__PURE__ */ new Set(["POST", "PATCH", "PUT", "DELETE"]);
+  const SKIP_PREFIXES = ["/health", "/internal", "/api/auth", "/.well-known"];
+  return factory.createMiddleware(async (c, next) => {
+    if (!MUTATION_METHODS.has(c.req.method)) return next();
+    if (SKIP_PREFIXES.some((p) => c.req.path.startsWith(p))) return next();
+    const dynamicOriginsJson = await c.env.KV.get(
+      "config:allowed_origins",
+      "json"
+    );
+    let currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
+    if (!dynamicOriginsJson) {
+      const dbOrigins = await getOriginsFromDb2(c.env);
+      if (dbOrigins) {
+        currentAllowedOrigins = dbOrigins;
+        await c.env.KV.put(
+          "config:allowed_origins",
+          JSON.stringify(dbOrigins),
+          { expirationTtl: 86400 }
+        );
+      }
+    }
+    if (currentAllowedOrigins.includes("*")) return next();
+    const referer = c.req.header("referer") ?? "";
+    const requestOrigin = new URL(c.req.url).origin;
+    if (referer.startsWith(requestOrigin)) return next();
+    const isAllowed = currentAllowedOrigins.some(
+      (origin) => referer.startsWith(origin)
+    );
+    if (!isAllowed) {
+      throw forbidden("Request origin not permitted");
+    }
+    return next();
+  });
+}
 var DLSU_DOMAIN = "@dlsu.edu.ph";
 function createAuth(env) {
   const db = createDb(env.DB);
@@ -631,7 +685,14 @@ healthRoute.get("/", async (c) => {
   const env = c.env;
   const hasSes = Boolean(env.SES_REGION) && Boolean(env.SES_ACCESS_KEY_ID) && Boolean(env.SES_SECRET_ACCESS_KEY);
   const hasResend = Boolean(env.RESEND_API_KEY);
-  const hasGForms = Boolean(env.GFORMS_SERVICE_ACCOUNT_JSON);
+  let hasGForms = false;
+  if (env.GFORMS_SERVICE_ACCOUNT_JSON) {
+    try {
+      const parsed = JSON.parse(env.GFORMS_SERVICE_ACCOUNT_JSON);
+      hasGForms = Boolean(parsed.client_email && parsed.private_key);
+    } catch {
+    }
+  }
   const probes = [];
   if (hasSes) {
     probes.push(
@@ -689,6 +750,7 @@ var CacheService = class {
   constructor(kv) {
     this.kv = kv;
   }
+  kv;
   async get(key) {
     return this.kv.get(key, "json");
   }
@@ -734,6 +796,8 @@ var SlotsService = class {
     this.db = db;
     this.cache = cache;
   }
+  db;
+  cache;
   kvKey(slug) {
     return `${SLOT_KV_PREFIX}${slug}`;
   }
@@ -1348,7 +1412,7 @@ siteConfigRoute.patch("/:key", authMiddleware, adminMiddleware, async (c) => {
     set: { value: JSON.stringify(value), updatedAt: now }
   });
   await c.env.KV.put(`config:${key}`, JSON.stringify(value), {
-    expirationTtl: 600
+    expirationTtl: 86400
   });
   return c.json({ data: { key, value } });
 });
@@ -1694,7 +1758,7 @@ function createApp(options = {}) {
     });
   }
   app.use("*", createCorsMiddleware(options.allowedOrigins ?? ["*"]));
-  app.use("*", chunk64MMUYMK_cjs.createTurnstileMiddleware());
+  app.use("*", chunkX4OB4DZ3_cjs.createTurnstileMiddleware());
   app.use("*", createRefererGuard(options.allowedOrigins ?? ["*"]));
   app.on(["POST", "GET"], "/api/auth/*", (c) => {
     const auth = createAuth(c.env);
@@ -1725,7 +1789,7 @@ function createApp(options = {}) {
     }
     return next();
   });
-  app.post(chunk64MMUYMK_cjs.TURNSTILE_VERIFY_PATH, chunk64MMUYMK_cjs.handleTurnstileVerify);
+  app.post(chunkX4OB4DZ3_cjs.TURNSTILE_VERIFY_PATH, chunkX4OB4DZ3_cjs.handleTurnstileVerify);
   app.route("/health", healthRoute);
   app.route("/api/config", siteConfigRoute);
   app.route("/api/classes", classesRoute);
@@ -1840,6 +1904,7 @@ var SesError = class extends Error {
     this.status = status;
     this.name = "SesError";
   }
+  status;
   /**
    * True for errors that are permanent (not worth retrying via SES again).
    * 400 BadRequest, 403 Forbidden, 404 NotFound → non-retryable.
@@ -2532,7 +2597,7 @@ function defaultGetRuntimeConfig(env) {
   };
 }
 function injectConfig(html, config) {
-  const configScript = `<script>window.__CONFIG__=${JSON.stringify(config)};<\/script>`;
+  const configScript = `<script>window.__CONFIG__=${JSON.stringify(config)};</script>`;
   return html.replace("</head>", `${configScript}</head>`);
 }
 function createWorkerHandler(options) {
@@ -2654,7 +2719,7 @@ function getRuntimeConfig(env) {
   };
 }
 function injectConfig2(html, config) {
-  const configScript = `<script>window.__CONFIG__=${JSON.stringify(config)};<\/script>`;
+  const configScript = `<script>window.__CONFIG__=${JSON.stringify(config)};</script>`;
   return html.replace("</head>", `${configScript}</head>`);
 }