@access-dlsu/leapify 0.260605.2 → 0.260608.2

package/dist/lib/middleware/turnstile-challenge.cjs

@@ -1,29 +1,145 @@
-'use strict';
-
-var chunkNYEPGZMP_cjs = require('../../chunk-NYEPGZMP.cjs');
-require('../../chunk-Q7SFCCGT.cjs');
-
-
-
-Object.defineProperty(exports, "TURNSTILE_COOKIE_NAME", {
-  enumerable: true,
-  get: function () { return chunkNYEPGZMP_cjs.TURNSTILE_COOKIE_NAME; }
-});
-Object.defineProperty(exports, "TURNSTILE_PATH", {
-  enumerable: true,
-  get: function () { return chunkNYEPGZMP_cjs.TURNSTILE_PATH; }
-});
-Object.defineProperty(exports, "TURNSTILE_VERIFY_PATH", {
-  enumerable: true,
-  get: function () { return chunkNYEPGZMP_cjs.TURNSTILE_VERIFY_PATH; }
-});
-Object.defineProperty(exports, "createTurnstileMiddleware", {
-  enumerable: true,
-  get: function () { return chunkNYEPGZMP_cjs.createTurnstileMiddleware; }
-});
-Object.defineProperty(exports, "handleTurnstileVerify", {
-  enumerable: true,
-  get: function () { return chunkNYEPGZMP_cjs.handleTurnstileVerify; }
-});
-//# sourceMappingURL=turnstile-challenge.cjs.map
-//# sourceMappingURL=turnstile-challenge.cjs.map
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+let hono_factory = require("hono/factory");
+//#region src/lib/middleware/turnstile-challenge.ts
+const TURNSTILE_PATH = "/.well-known/leapify/turnstile";
+const TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
+const TURNSTILE_COOKIE_NAME = "leapify-turnstile";
+const VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
+const COOKIE_MAX_AGE_SEC = 86400;
+const EXEMPT_PATHS = [
+	"/health",
+	"/internal",
+	"/api/auth",
+	"/api/uploads/images",
+	"/api/classes",
+	"/api/faqs",
+	"/api/config",
+	"/api/themes",
+	"/api/organizations",
+	"/api/docs",
+	"/api/openapi.json",
+	TURNSTILE_VERIFY_PATH
+];
+function base64urlEncode(bytes) {
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(str) {
+	const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+	const binary = atob(padded);
+	const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+async function importHmacKey(secret) {
+	return crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign", "verify"]);
+}
+async function signCookie(secret, ip) {
+	const payload = `${ip}:${Date.now()}:${base64urlEncode(crypto.getRandomValues(new Uint8Array(8)))}`;
+	const key = await importHmacKey(secret);
+	const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(payload));
+	const sigB64 = base64urlEncode(new Uint8Array(sig));
+	return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
+}
+async function validateCookie(secret, cookie, ip) {
+	try {
+		const [payloadB64, sigB64] = cookie.split(".");
+		if (!payloadB64 || !sigB64) return false;
+		const payloadBytes = base64urlDecode(payloadB64);
+		const sigBytes = base64urlDecode(sigB64);
+		const key = await importHmacKey(secret);
+		if (!await crypto.subtle.verify("HMAC", key, sigBytes, payloadBytes)) return false;
+		const [cookieIp, tsStr] = new TextDecoder().decode(payloadBytes).split(":");
+		if (cookieIp !== ip) return false;
+		const ts = parseInt(tsStr, 10);
+		if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
+		return true;
+	} catch {
+		return false;
+	}
+}
+function getClientIp(c) {
+	return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
+}
+function isExempt(path) {
+	const normalized = path.toLowerCase().replace(/\/$/, "");
+	return EXEMPT_PATHS.some((p) => {
+		const ep = p.toLowerCase().replace(/\/$/, "");
+		return normalized === ep || normalized.startsWith(ep + "/");
+	});
+}
+function setCookieHeader(c, token) {
+	const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
+	c.header("Set-Cookie", `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`);
+}
+/**
+* POST /.well-known/leapify/turnstile/verify
+*
+* Validates a Turnstile token and issues a signed cookie on success.
+*/
+async function handleTurnstileVerify(c) {
+	const { token } = await c.req.json();
+	if (!token) return c.json({ error: {
+		code: "VALIDATION_ERROR",
+		message: "Missing Turnstile token"
+	} }, 422);
+	const secret = c.env.TURNSTILE_SECRET_KEY;
+	if (!secret) return c.json({ error: {
+		code: "CONFIG_ERROR",
+		message: "Turnstile not configured"
+	} }, 500);
+	const ip = getClientIp(c);
+	const formData = new URLSearchParams();
+	formData.append("secret", secret);
+	formData.append("response", token);
+	if (ip !== "unknown") formData.append("remoteip", ip);
+	const outcome = await (await fetch(VERIFY_URL, {
+		method: "POST",
+		body: formData
+	})).json();
+	if (!outcome.success) return c.json({ error: {
+		code: "TURNSTILE_FAILED",
+		message: "Turnstile verification failed",
+		details: outcome["error-codes"]
+	} }, 403);
+	setCookieHeader(c, await signCookie(secret, ip));
+	return c.json({ success: true });
+}
+/**
+* Turnstile challenge middleware.
+*
+* Requires a valid Turnstile-signed cookie on all non-exempt requests.
+* The client must first solve a Turnstile challenge and POST the token
+* to the verify endpoint to obtain the cookie.
+*
+* Exempt paths: /health, /internal, /api/auth, /api/uploads/images,
+* and the verify endpoint itself.
+*/
+function createTurnstileMiddleware() {
+	return (0, hono_factory.createMiddleware)(async (c, next) => {
+		if (isExempt(c.req.path)) return next();
+		if (c.req.method === "OPTIONS") return next();
+		if (c.req.header("Authorization")) return next();
+		const secret = c.env.TURNSTILE_SECRET_KEY;
+		if (!secret) return next();
+		const cookieMatch = (c.req.header("Cookie") ?? "").match(new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`));
+		if (cookieMatch) {
+			const ip = getClientIp(c);
+			if (await validateCookie(secret, cookieMatch[1], ip)) return next();
+		}
+		return c.json({ error: {
+			code: "TURNSTILE_REQUIRED",
+			message: "Turnstile verification required"
+		} }, 401);
+	});
+}
+//#endregion
+exports.TURNSTILE_COOKIE_NAME = TURNSTILE_COOKIE_NAME;
+exports.TURNSTILE_PATH = TURNSTILE_PATH;
+exports.TURNSTILE_VERIFY_PATH = TURNSTILE_VERIFY_PATH;
+exports.createTurnstileMiddleware = createTurnstileMiddleware;
+exports.handleTurnstileVerify = handleTurnstileVerify;

package/dist/lib/middleware/turnstile-challenge.js

@@ -1,4 +1,140 @@
-export { TURNSTILE_COOKIE_NAME, TURNSTILE_PATH, TURNSTILE_VERIFY_PATH, createTurnstileMiddleware, handleTurnstileVerify } from '../../chunk-WEW5LGZC.js';
-import '../../chunk-PZ5AY32C.js';
-//# sourceMappingURL=turnstile-challenge.js.map
-//# sourceMappingURL=turnstile-challenge.js.map
+import { createMiddleware } from "hono/factory";
+//#region src/lib/middleware/turnstile-challenge.ts
+const TURNSTILE_PATH = "/.well-known/leapify/turnstile";
+const TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
+const TURNSTILE_COOKIE_NAME = "leapify-turnstile";
+const VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
+const COOKIE_MAX_AGE_SEC = 86400;
+const EXEMPT_PATHS = [
+	"/health",
+	"/internal",
+	"/api/auth",
+	"/api/uploads/images",
+	"/api/classes",
+	"/api/faqs",
+	"/api/config",
+	"/api/themes",
+	"/api/organizations",
+	"/api/docs",
+	"/api/openapi.json",
+	TURNSTILE_VERIFY_PATH
+];
+function base64urlEncode(bytes) {
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(str) {
+	const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+	const binary = atob(padded);
+	const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+async function importHmacKey(secret) {
+	return crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign", "verify"]);
+}
+async function signCookie(secret, ip) {
+	const payload = `${ip}:${Date.now()}:${base64urlEncode(crypto.getRandomValues(new Uint8Array(8)))}`;
+	const key = await importHmacKey(secret);
+	const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(payload));
+	const sigB64 = base64urlEncode(new Uint8Array(sig));
+	return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
+}
+async function validateCookie(secret, cookie, ip) {
+	try {
+		const [payloadB64, sigB64] = cookie.split(".");
+		if (!payloadB64 || !sigB64) return false;
+		const payloadBytes = base64urlDecode(payloadB64);
+		const sigBytes = base64urlDecode(sigB64);
+		const key = await importHmacKey(secret);
+		if (!await crypto.subtle.verify("HMAC", key, sigBytes, payloadBytes)) return false;
+		const [cookieIp, tsStr] = new TextDecoder().decode(payloadBytes).split(":");
+		if (cookieIp !== ip) return false;
+		const ts = parseInt(tsStr, 10);
+		if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
+		return true;
+	} catch {
+		return false;
+	}
+}
+function getClientIp(c) {
+	return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
+}
+function isExempt(path) {
+	const normalized = path.toLowerCase().replace(/\/$/, "");
+	return EXEMPT_PATHS.some((p) => {
+		const ep = p.toLowerCase().replace(/\/$/, "");
+		return normalized === ep || normalized.startsWith(ep + "/");
+	});
+}
+function setCookieHeader(c, token) {
+	const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
+	c.header("Set-Cookie", `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`);
+}
+/**
+* POST /.well-known/leapify/turnstile/verify
+*
+* Validates a Turnstile token and issues a signed cookie on success.
+*/
+async function handleTurnstileVerify(c) {
+	const { token } = await c.req.json();
+	if (!token) return c.json({ error: {
+		code: "VALIDATION_ERROR",
+		message: "Missing Turnstile token"
+	} }, 422);
+	const secret = c.env.TURNSTILE_SECRET_KEY;
+	if (!secret) return c.json({ error: {
+		code: "CONFIG_ERROR",
+		message: "Turnstile not configured"
+	} }, 500);
+	const ip = getClientIp(c);
+	const formData = new URLSearchParams();
+	formData.append("secret", secret);
+	formData.append("response", token);
+	if (ip !== "unknown") formData.append("remoteip", ip);
+	const outcome = await (await fetch(VERIFY_URL, {
+		method: "POST",
+		body: formData
+	})).json();
+	if (!outcome.success) return c.json({ error: {
+		code: "TURNSTILE_FAILED",
+		message: "Turnstile verification failed",
+		details: outcome["error-codes"]
+	} }, 403);
+	setCookieHeader(c, await signCookie(secret, ip));
+	return c.json({ success: true });
+}
+/**
+* Turnstile challenge middleware.
+*
+* Requires a valid Turnstile-signed cookie on all non-exempt requests.
+* The client must first solve a Turnstile challenge and POST the token
+* to the verify endpoint to obtain the cookie.
+*
+* Exempt paths: /health, /internal, /api/auth, /api/uploads/images,
+* and the verify endpoint itself.
+*/
+function createTurnstileMiddleware() {
+	return createMiddleware(async (c, next) => {
+		if (isExempt(c.req.path)) return next();
+		if (c.req.method === "OPTIONS") return next();
+		if (c.req.header("Authorization")) return next();
+		const secret = c.env.TURNSTILE_SECRET_KEY;
+		if (!secret) return next();
+		const cookieMatch = (c.req.header("Cookie") ?? "").match(new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`));
+		if (cookieMatch) {
+			const ip = getClientIp(c);
+			if (await validateCookie(secret, cookieMatch[1], ip)) return next();
+		}
+		return c.json({ error: {
+			code: "TURNSTILE_REQUIRED",
+			message: "Turnstile verification required"
+		} }, 401);
+	});
+}
+//#endregion
+export { TURNSTILE_COOKIE_NAME, TURNSTILE_PATH, TURNSTILE_VERIFY_PATH, createTurnstileMiddleware, handleTurnstileVerify };

package/dist/routes/internal/gforms-webhook.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"gforms-webhook.d.ts","sourceRoot":"","sources":["../../../src/routes/internal/gforms-webhook.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAG5B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAO9C,eAAO,MAAM,kBAAkB,yDAAyB,CAAC"}
+{"version":3,"file":"gforms-webhook.d.ts","sourceRoot":"","sources":["../../../src/routes/internal/gforms-webhook.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAG5B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAM9C,eAAO,MAAM,kBAAkB,yDAAyB,CAAC"}

package/dist/services/slots.d.ts

@@ -1,34 +1,26 @@
 import type { LeapifyDb } from '../db';
-import type { CacheService } from './cache';
 export interface SlotInfo {
-    available: number;
     total: number;
     registered: number;
-    isFull: boolean;
 }
 /**
- * Manages real-time slot counts using a local D1 counter + KV cache.
- * Google Forms Watch webhook increments the counter; reads go through KV.
- *
- * CF Cache (Cache-Control: public, max-age=5) sits in front of the /slots
- * endpoint, so KV is only read once per 5-second window per edge location.
+ * Manages real-time slot counts using D1 directly (no KV cache).
+ * Google Forms Watch webhook increments the counter.
  */
 export declare class SlotsService {
     private readonly db;
-    private readonly cache;
-    constructor(db: LeapifyDb, cache: CacheService);
-    kvKey(slug: string): string;
+    constructor(db: LeapifyDb);
     /**
-     * Read current slot info — KV first, D1 on miss.
+     * Read current slot info from D1.
      */
     getSlots(slug: string): Promise<SlotInfo | null>;
     /**
-     * Atomically increment registered_slots in D1 and update KV.
+     * Atomically increment registered_slots in D1.
      * Called by the Google Forms Watch webhook handler.
      */
     increment(slug: string): Promise<SlotInfo | null>;
     /**
-     * Atomically decrement registered_slots in D1 and update KV.
+     * Atomically decrement registered_slots in D1.
      * Used during reconciliation drift correction (not from user actions).
      */
     decrement(slug: string): Promise<SlotInfo | null>;
@@ -36,13 +28,5 @@ export declare class SlotsService {
      * Set registered_slots to a specific value (used by reconciliation cron).
      */
     correctCount(slug: string, actualCount: number): Promise<void>;
-    /**
-     * Read from D1, write to KV, and return slot info.
-     */
-    refreshFromDb(slug: string): Promise<SlotInfo | null>;
-    /**
-     * Invalidate the KV cache for a specific event.
-     */
-    invalidate(slug: string): Promise<void>;
 }
 //# sourceMappingURL=slots.d.ts.map

package/dist/services/slots.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"slots.d.ts","sourceRoot":"","sources":["../../src/services/slots.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,OAAO,CAAA;AAEtC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAI3C,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,MAAM,CAAA;IACb,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,OAAO,CAAA;CAChB;AAED;;;;;;GAMG;AACH,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,EAAE;IACnB,OAAO,CAAC,QAAQ,CAAC,KAAK;gBADL,EAAE,EAAE,SAAS,EACb,KAAK,EAAE,YAAY;IAGtC,KAAK,CAAC,IAAI,EAAE,MAAM;IAIlB;;OAEG;IACG,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAStD;;;OAGG;IACG,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IASvD;;;OAGG;IACG,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAWvD;;OAEG;IACG,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASpE;;OAEG;IACG,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAqB3D;;OAEG;IACG,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG9C"}
+{"version":3,"file":"slots.d.ts","sourceRoot":"","sources":["../../src/services/slots.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,OAAO,CAAA;AAGtC,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,MAAM,CAAA;IACb,UAAU,EAAE,MAAM,CAAA;CACnB;AAED;;;GAGG;AACH,qBAAa,YAAY;IACX,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,SAAS;IAE1C;;OAEG;IACG,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IActD;;;OAGG;IACG,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IASvD;;;OAGG;IACG,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAWvD;;OAEG;IACG,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAMrE"}