@access-dlsu/leapify 0.260608.1 → 0.260608.2

package/dist/lib/middleware/turnstile-challenge.cjs

@@ -1,29 +1,145 @@
-'use strict';
-
-var chunkNYEPGZMP_cjs = require('../../chunk-NYEPGZMP.cjs');
-require('../../chunk-Q7SFCCGT.cjs');
-
-
-
-Object.defineProperty(exports, "TURNSTILE_COOKIE_NAME", {
-  enumerable: true,
-  get: function () { return chunkNYEPGZMP_cjs.TURNSTILE_COOKIE_NAME; }
-});
-Object.defineProperty(exports, "TURNSTILE_PATH", {
-  enumerable: true,
-  get: function () { return chunkNYEPGZMP_cjs.TURNSTILE_PATH; }
-});
-Object.defineProperty(exports, "TURNSTILE_VERIFY_PATH", {
-  enumerable: true,
-  get: function () { return chunkNYEPGZMP_cjs.TURNSTILE_VERIFY_PATH; }
-});
-Object.defineProperty(exports, "createTurnstileMiddleware", {
-  enumerable: true,
-  get: function () { return chunkNYEPGZMP_cjs.createTurnstileMiddleware; }
-});
-Object.defineProperty(exports, "handleTurnstileVerify", {
-  enumerable: true,
-  get: function () { return chunkNYEPGZMP_cjs.handleTurnstileVerify; }
-});
-//# sourceMappingURL=turnstile-challenge.cjs.map
-//# sourceMappingURL=turnstile-challenge.cjs.map
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+let hono_factory = require("hono/factory");
+//#region src/lib/middleware/turnstile-challenge.ts
+const TURNSTILE_PATH = "/.well-known/leapify/turnstile";
+const TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
+const TURNSTILE_COOKIE_NAME = "leapify-turnstile";
+const VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
+const COOKIE_MAX_AGE_SEC = 86400;
+const EXEMPT_PATHS = [
+	"/health",
+	"/internal",
+	"/api/auth",
+	"/api/uploads/images",
+	"/api/classes",
+	"/api/faqs",
+	"/api/config",
+	"/api/themes",
+	"/api/organizations",
+	"/api/docs",
+	"/api/openapi.json",
+	TURNSTILE_VERIFY_PATH
+];
+function base64urlEncode(bytes) {
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(str) {
+	const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+	const binary = atob(padded);
+	const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+async function importHmacKey(secret) {
+	return crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign", "verify"]);
+}
+async function signCookie(secret, ip) {
+	const payload = `${ip}:${Date.now()}:${base64urlEncode(crypto.getRandomValues(new Uint8Array(8)))}`;
+	const key = await importHmacKey(secret);
+	const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(payload));
+	const sigB64 = base64urlEncode(new Uint8Array(sig));
+	return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
+}
+async function validateCookie(secret, cookie, ip) {
+	try {
+		const [payloadB64, sigB64] = cookie.split(".");
+		if (!payloadB64 || !sigB64) return false;
+		const payloadBytes = base64urlDecode(payloadB64);
+		const sigBytes = base64urlDecode(sigB64);
+		const key = await importHmacKey(secret);
+		if (!await crypto.subtle.verify("HMAC", key, sigBytes, payloadBytes)) return false;
+		const [cookieIp, tsStr] = new TextDecoder().decode(payloadBytes).split(":");
+		if (cookieIp !== ip) return false;
+		const ts = parseInt(tsStr, 10);
+		if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
+		return true;
+	} catch {
+		return false;
+	}
+}
+function getClientIp(c) {
+	return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
+}
+function isExempt(path) {
+	const normalized = path.toLowerCase().replace(/\/$/, "");
+	return EXEMPT_PATHS.some((p) => {
+		const ep = p.toLowerCase().replace(/\/$/, "");
+		return normalized === ep || normalized.startsWith(ep + "/");
+	});
+}
+function setCookieHeader(c, token) {
+	const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
+	c.header("Set-Cookie", `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`);
+}
+/**
+* POST /.well-known/leapify/turnstile/verify
+*
+* Validates a Turnstile token and issues a signed cookie on success.
+*/
+async function handleTurnstileVerify(c) {
+	const { token } = await c.req.json();
+	if (!token) return c.json({ error: {
+		code: "VALIDATION_ERROR",
+		message: "Missing Turnstile token"
+	} }, 422);
+	const secret = c.env.TURNSTILE_SECRET_KEY;
+	if (!secret) return c.json({ error: {
+		code: "CONFIG_ERROR",
+		message: "Turnstile not configured"
+	} }, 500);
+	const ip = getClientIp(c);
+	const formData = new URLSearchParams();
+	formData.append("secret", secret);
+	formData.append("response", token);
+	if (ip !== "unknown") formData.append("remoteip", ip);
+	const outcome = await (await fetch(VERIFY_URL, {
+		method: "POST",
+		body: formData
+	})).json();
+	if (!outcome.success) return c.json({ error: {
+		code: "TURNSTILE_FAILED",
+		message: "Turnstile verification failed",
+		details: outcome["error-codes"]
+	} }, 403);
+	setCookieHeader(c, await signCookie(secret, ip));
+	return c.json({ success: true });
+}
+/**
+* Turnstile challenge middleware.
+*
+* Requires a valid Turnstile-signed cookie on all non-exempt requests.
+* The client must first solve a Turnstile challenge and POST the token
+* to the verify endpoint to obtain the cookie.
+*
+* Exempt paths: /health, /internal, /api/auth, /api/uploads/images,
+* and the verify endpoint itself.
+*/
+function createTurnstileMiddleware() {
+	return (0, hono_factory.createMiddleware)(async (c, next) => {
+		if (isExempt(c.req.path)) return next();
+		if (c.req.method === "OPTIONS") return next();
+		if (c.req.header("Authorization")) return next();
+		const secret = c.env.TURNSTILE_SECRET_KEY;
+		if (!secret) return next();
+		const cookieMatch = (c.req.header("Cookie") ?? "").match(new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`));
+		if (cookieMatch) {
+			const ip = getClientIp(c);
+			if (await validateCookie(secret, cookieMatch[1], ip)) return next();
+		}
+		return c.json({ error: {
+			code: "TURNSTILE_REQUIRED",
+			message: "Turnstile verification required"
+		} }, 401);
+	});
+}
+//#endregion
+exports.TURNSTILE_COOKIE_NAME = TURNSTILE_COOKIE_NAME;
+exports.TURNSTILE_PATH = TURNSTILE_PATH;
+exports.TURNSTILE_VERIFY_PATH = TURNSTILE_VERIFY_PATH;
+exports.createTurnstileMiddleware = createTurnstileMiddleware;
+exports.handleTurnstileVerify = handleTurnstileVerify;

package/dist/lib/middleware/turnstile-challenge.js

@@ -1,4 +1,140 @@
-export { TURNSTILE_COOKIE_NAME, TURNSTILE_PATH, TURNSTILE_VERIFY_PATH, createTurnstileMiddleware, handleTurnstileVerify } from '../../chunk-WEW5LGZC.js';
-import '../../chunk-PZ5AY32C.js';
-//# sourceMappingURL=turnstile-challenge.js.map
-//# sourceMappingURL=turnstile-challenge.js.map
+import { createMiddleware } from "hono/factory";
+//#region src/lib/middleware/turnstile-challenge.ts
+const TURNSTILE_PATH = "/.well-known/leapify/turnstile";
+const TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
+const TURNSTILE_COOKIE_NAME = "leapify-turnstile";
+const VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
+const COOKIE_MAX_AGE_SEC = 86400;
+const EXEMPT_PATHS = [
+	"/health",
+	"/internal",
+	"/api/auth",
+	"/api/uploads/images",
+	"/api/classes",
+	"/api/faqs",
+	"/api/config",
+	"/api/themes",
+	"/api/organizations",
+	"/api/docs",
+	"/api/openapi.json",
+	TURNSTILE_VERIFY_PATH
+];
+function base64urlEncode(bytes) {
+	let binary = "";
+	for (const byte of bytes) binary += String.fromCharCode(byte);
+	return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(str) {
+	const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+	const binary = atob(padded);
+	const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+async function importHmacKey(secret) {
+	return crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign", "verify"]);
+}
+async function signCookie(secret, ip) {
+	const payload = `${ip}:${Date.now()}:${base64urlEncode(crypto.getRandomValues(new Uint8Array(8)))}`;
+	const key = await importHmacKey(secret);
+	const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(payload));
+	const sigB64 = base64urlEncode(new Uint8Array(sig));
+	return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
+}
+async function validateCookie(secret, cookie, ip) {
+	try {
+		const [payloadB64, sigB64] = cookie.split(".");
+		if (!payloadB64 || !sigB64) return false;
+		const payloadBytes = base64urlDecode(payloadB64);
+		const sigBytes = base64urlDecode(sigB64);
+		const key = await importHmacKey(secret);
+		if (!await crypto.subtle.verify("HMAC", key, sigBytes, payloadBytes)) return false;
+		const [cookieIp, tsStr] = new TextDecoder().decode(payloadBytes).split(":");
+		if (cookieIp !== ip) return false;
+		const ts = parseInt(tsStr, 10);
+		if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
+		return true;
+	} catch {
+		return false;
+	}
+}
+function getClientIp(c) {
+	return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
+}
+function isExempt(path) {
+	const normalized = path.toLowerCase().replace(/\/$/, "");
+	return EXEMPT_PATHS.some((p) => {
+		const ep = p.toLowerCase().replace(/\/$/, "");
+		return normalized === ep || normalized.startsWith(ep + "/");
+	});
+}
+function setCookieHeader(c, token) {
+	const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
+	c.header("Set-Cookie", `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`);
+}
+/**
+* POST /.well-known/leapify/turnstile/verify
+*
+* Validates a Turnstile token and issues a signed cookie on success.
+*/
+async function handleTurnstileVerify(c) {
+	const { token } = await c.req.json();
+	if (!token) return c.json({ error: {
+		code: "VALIDATION_ERROR",
+		message: "Missing Turnstile token"
+	} }, 422);
+	const secret = c.env.TURNSTILE_SECRET_KEY;
+	if (!secret) return c.json({ error: {
+		code: "CONFIG_ERROR",
+		message: "Turnstile not configured"
+	} }, 500);
+	const ip = getClientIp(c);
+	const formData = new URLSearchParams();
+	formData.append("secret", secret);
+	formData.append("response", token);
+	if (ip !== "unknown") formData.append("remoteip", ip);
+	const outcome = await (await fetch(VERIFY_URL, {
+		method: "POST",
+		body: formData
+	})).json();
+	if (!outcome.success) return c.json({ error: {
+		code: "TURNSTILE_FAILED",
+		message: "Turnstile verification failed",
+		details: outcome["error-codes"]
+	} }, 403);
+	setCookieHeader(c, await signCookie(secret, ip));
+	return c.json({ success: true });
+}
+/**
+* Turnstile challenge middleware.
+*
+* Requires a valid Turnstile-signed cookie on all non-exempt requests.
+* The client must first solve a Turnstile challenge and POST the token
+* to the verify endpoint to obtain the cookie.
+*
+* Exempt paths: /health, /internal, /api/auth, /api/uploads/images,
+* and the verify endpoint itself.
+*/
+function createTurnstileMiddleware() {
+	return createMiddleware(async (c, next) => {
+		if (isExempt(c.req.path)) return next();
+		if (c.req.method === "OPTIONS") return next();
+		if (c.req.header("Authorization")) return next();
+		const secret = c.env.TURNSTILE_SECRET_KEY;
+		if (!secret) return next();
+		const cookieMatch = (c.req.header("Cookie") ?? "").match(new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`));
+		if (cookieMatch) {
+			const ip = getClientIp(c);
+			if (await validateCookie(secret, cookieMatch[1], ip)) return next();
+		}
+		return c.json({ error: {
+			code: "TURNSTILE_REQUIRED",
+			message: "Turnstile verification required"
+		} }, 401);
+	});
+}
+//#endregion
+export { TURNSTILE_COOKIE_NAME, TURNSTILE_PATH, TURNSTILE_VERIFY_PATH, createTurnstileMiddleware, handleTurnstileVerify };