npm - @access-dlsu/leapify - Versions diffs - 0.260524.3 → 0.260601.1 - Mend

@access-dlsu/leapify 0.260524.3 → 0.260601.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/dist/auth/auth.d.ts +2 -2
package/dist/{chunk-AKCERDGP.js → chunk-2JEY6TSO.js} +2 -2
package/dist/chunk-2JEY6TSO.js.map +1 -0
package/dist/{chunk-64MMUYMK.cjs → chunk-X4OB4DZ3.cjs} +2 -2
package/dist/chunk-X4OB4DZ3.cjs.map +1 -0
package/dist/client/auth.d.ts +57 -41
package/dist/client/auth.d.ts.map +1 -1
package/dist/client/index.cjs +2 -0
package/dist/client/index.cjs.map +1 -1
package/dist/client/index.js +2 -0
package/dist/client/index.js.map +1 -1
package/dist/index.cjs +129 -64
package/dist/index.cjs.map +1 -1
package/dist/index.js +125 -60
package/dist/index.js.map +1 -1
package/dist/lib/middleware/cors.d.ts.map +1 -1
package/dist/lib/middleware/referer-guard.d.ts +1 -1
package/dist/lib/middleware/referer-guard.d.ts.map +1 -1
package/dist/lib/middleware/turnstile-challenge.cjs +6 -6
package/dist/lib/middleware/turnstile-challenge.js +1 -1
package/dist/routes/site-config.d.ts +2 -2
package/dist/routes/site-config.d.ts.map +1 -1
package/dist/worker.js +278 -213
package/dist/worker.js.map +1 -1
package/package.json +155 -155
package/dist/chunk-64MMUYMK.cjs.map +0 -1
package/dist/chunk-AKCERDGP.js.map +0 -1

package/dist/index.js CHANGED Viewed

@@ -1,14 +1,14 @@
-import { createTurnstileMiddleware, TURNSTILE_VERIFY_PATH, handleTurnstileVerify } from './chunk-AKCERDGP.js';
+import { createTurnstileMiddleware, TURNSTILE_VERIFY_PATH, handleTurnstileVerify } from './chunk-2JEY6TSO.js';
 import { __export } from './chunk-PZ5AY32C.js';
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
+import { drizzle } from 'drizzle-orm/d1';
+import { sqliteTable, integer, text, index, uniqueIndex } from 'drizzle-orm/sqlite-core';
+import { sql, relations, eq, and, count, lte } from 'drizzle-orm';
 import { createMiddleware } from 'hono/factory';
 import { betterAuth } from 'better-auth';
 import { drizzleAdapter } from 'better-auth/adapters/drizzle';
 import { bearer } from 'better-auth/plugins';
-import { sql, relations, eq, and, count, lte } from 'drizzle-orm';
-import { drizzle } from 'drizzle-orm/d1';
-import { sqliteTable, integer, text, index, uniqueIndex } from 'drizzle-orm/sqlite-core';
 import { zValidator } from '@hono/zod-validator';
 import { z } from 'zod';
@@ -20,6 +20,8 @@ var LeapifyError = class extends Error {
     this.code = code;
     this.name = "LeapifyError";
   }
+  statusCode;
+  code;
 };
 var unauthorized = (message = "Unauthorized") => new LeapifyError(401, "UNAUTHORIZED", message);
 var domainRestricted = () => new LeapifyError(
@@ -48,58 +50,6 @@ var errorHandler = (err, c) => {
     500
   );
 };
-function createCorsMiddleware(allowedOrigins) {
-  return async (c, next) => {
-    const origin = c.req.header("origin");
-    const dynamicOriginsJson = await c.env.KV.get("config:allowed_origins", "json");
-    const currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
-    if (c.req.path.startsWith("/api/uploads/images")) {
-      c.header("Access-Control-Allow-Origin", "*");
-      c.header("Access-Control-Allow-Methods", "GET, OPTIONS");
-      if (c.req.method === "OPTIONS") {
-        return c.body(null, 204);
-      }
-      return next();
-    }
-    if (!c.req.path.startsWith("/health") && !c.req.path.startsWith("/api/auth") && !c.req.path.startsWith("/internal") && origin && !currentAllowedOrigins.includes("*") && !currentAllowedOrigins.includes(origin)) {
-      return c.json(
-        {
-          error: {
-            code: "DOMAIN_RESTRICTED",
-            message: `Origin ${origin} is not allowed`
-          }
-        },
-        403
-      );
-    }
-    const honoCors = cors({
-      origin: currentAllowedOrigins,
-      allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
-      allowHeaders: ["Content-Type", "Authorization"],
-      exposeHeaders: ["ETag", "Last-Modified", "Cache-Control"],
-      maxAge: 86400,
-      credentials: true
-    });
-    return honoCors(c, next);
-  };
-}
-function createRefererGuard(allowedOrigins) {
-  const MUTATION_METHODS = /* @__PURE__ */ new Set(["POST", "PATCH", "PUT", "DELETE"]);
-  const SKIP_PREFIXES = ["/health", "/internal", "/api/auth", "/.well-known"];
-  return createMiddleware(async (c, next) => {
-    if (!MUTATION_METHODS.has(c.req.method)) return next();
-    if (SKIP_PREFIXES.some((p) => c.req.path.startsWith(p))) return next();
-    const dynamicOriginsJson = await c.env.KV.get("config:allowed_origins", "json");
-    const currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
-    if (currentAllowedOrigins.includes("*")) return next();
-    const referer = c.req.header("referer") ?? "";
-    const isAllowed = currentAllowedOrigins.some((origin) => referer.startsWith(origin));
-    if (!isAllowed) {
-      throw forbidden("Request origin not permitted");
-    }
-    return next();
-  });
-}
 // src/db/schema/index.ts
 var schema_exports = {};
@@ -332,8 +282,112 @@ var authVerification = sqliteTable(
 function createDb(d1) {
   return drizzle(d1, { schema: schema_exports });
 }
-// src/auth/auth.ts
+async function getOriginsFromDb(env) {
+  try {
+    const db = createDb(env.DB);
+    const row = await db.query.siteConfig.findFirst({
+      where: eq(siteConfig.key, "allowed_origins")
+    });
+    if (row) return JSON.parse(row.value);
+  } catch {
+  }
+  return null;
+}
+function createCorsMiddleware(allowedOrigins) {
+  return async (c, next) => {
+    const origin = c.req.header("origin");
+    const dynamicOriginsJson = await c.env.KV.get(
+      "config:allowed_origins",
+      "json"
+    );
+    let currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
+    if (!dynamicOriginsJson) {
+      const dbOrigins = await getOriginsFromDb(c.env);
+      if (dbOrigins) {
+        currentAllowedOrigins = dbOrigins;
+        await c.env.KV.put(
+          "config:allowed_origins",
+          JSON.stringify(dbOrigins),
+          { expirationTtl: 86400 }
+        );
+      }
+    }
+    if (c.req.path.startsWith("/api/uploads/images")) {
+      c.header("Access-Control-Allow-Origin", "*");
+      c.header("Access-Control-Allow-Methods", "GET, OPTIONS");
+      if (c.req.method === "OPTIONS") {
+        return c.body(null, 204);
+      }
+      return next();
+    }
+    if (!c.req.path.startsWith("/health") && !c.req.path.startsWith("/api/auth") && !c.req.path.startsWith("/internal") && origin && !currentAllowedOrigins.includes("*") && !currentAllowedOrigins.includes(origin) && origin !== new URL(c.req.url).origin) {
+      return c.json(
+        {
+          error: {
+            code: "DOMAIN_RESTRICTED",
+            message: `Origin ${origin} is not allowed`
+          }
+        },
+        403
+      );
+    }
+    const honoCors = cors({
+      origin: currentAllowedOrigins,
+      allowMethods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
+      allowHeaders: ["Content-Type", "Authorization"],
+      exposeHeaders: ["ETag", "Last-Modified", "Cache-Control"],
+      maxAge: 86400,
+      credentials: true
+    });
+    return honoCors(c, next);
+  };
+}
+async function getOriginsFromDb2(env) {
+  try {
+    const db = createDb(env.DB);
+    const row = await db.query.siteConfig.findFirst({
+      where: eq(siteConfig.key, "allowed_origins")
+    });
+    if (row) return JSON.parse(row.value);
+  } catch {
+  }
+  return null;
+}
+function createRefererGuard(allowedOrigins) {
+  const MUTATION_METHODS = /* @__PURE__ */ new Set(["POST", "PATCH", "PUT", "DELETE"]);
+  const SKIP_PREFIXES = ["/health", "/internal", "/api/auth", "/.well-known"];
+  return createMiddleware(async (c, next) => {
+    if (!MUTATION_METHODS.has(c.req.method)) return next();
+    if (SKIP_PREFIXES.some((p) => c.req.path.startsWith(p))) return next();
+    const dynamicOriginsJson = await c.env.KV.get(
+      "config:allowed_origins",
+      "json"
+    );
+    let currentAllowedOrigins = dynamicOriginsJson ?? allowedOrigins;
+    if (!dynamicOriginsJson) {
+      const dbOrigins = await getOriginsFromDb2(c.env);
+      if (dbOrigins) {
+        currentAllowedOrigins = dbOrigins;
+        await c.env.KV.put(
+          "config:allowed_origins",
+          JSON.stringify(dbOrigins),
+          { expirationTtl: 86400 }
+        );
+      }
+    }
+    if (currentAllowedOrigins.includes("*")) return next();
+    const referer = c.req.header("referer") ?? "";
+    const requestOrigin = new URL(c.req.url).origin;
+    if (referer.startsWith(requestOrigin)) return next();
+    const isAllowed = currentAllowedOrigins.some(
+      (origin) => referer.startsWith(origin)
+    );
+    if (!isAllowed) {
+      throw forbidden("Request origin not permitted");
+    }
+    return next();
+  });
+}
 var DLSU_DOMAIN = "@dlsu.edu.ph";
 function createAuth(env) {
   const db = createDb(env.DB);
@@ -629,7 +683,14 @@ healthRoute.get("/", async (c) => {
   const env = c.env;
   const hasSes = Boolean(env.SES_REGION) && Boolean(env.SES_ACCESS_KEY_ID) && Boolean(env.SES_SECRET_ACCESS_KEY);
   const hasResend = Boolean(env.RESEND_API_KEY);
-  const hasGForms = Boolean(env.GFORMS_SERVICE_ACCOUNT_JSON);
+  let hasGForms = false;
+  if (env.GFORMS_SERVICE_ACCOUNT_JSON) {
+    try {
+      const parsed = JSON.parse(env.GFORMS_SERVICE_ACCOUNT_JSON);
+      hasGForms = Boolean(parsed.client_email && parsed.private_key);
+    } catch {
+    }
+  }
   const probes = [];
   if (hasSes) {
     probes.push(
@@ -687,6 +748,7 @@ var CacheService = class {
   constructor(kv) {
     this.kv = kv;
   }
+  kv;
   async get(key) {
     return this.kv.get(key, "json");
   }
@@ -732,6 +794,8 @@ var SlotsService = class {
     this.db = db;
     this.cache = cache;
   }
+  db;
+  cache;
   kvKey(slug) {
     return `${SLOT_KV_PREFIX}${slug}`;
   }
@@ -1346,7 +1410,7 @@ siteConfigRoute.patch("/:key", authMiddleware, adminMiddleware, async (c) => {
     set: { value: JSON.stringify(value), updatedAt: now }
   });
   await c.env.KV.put(`config:${key}`, JSON.stringify(value), {
-    expirationTtl: 600
+    expirationTtl: 86400
   });
   return c.json({ data: { key, value } });
 });
@@ -1838,6 +1902,7 @@ var SesError = class extends Error {
     this.status = status;
     this.name = "SesError";
   }
+  status;
   /**
    * True for errors that are permanent (not worth retrying via SES again).
    * 400 BadRequest, 403 Forbidden, 404 NotFound → non-retryable.