@access-dlsu/leapify 0.260608.1 → 0.260608.2

package/package.json

@@ -1,157 +1,158 @@
-{
-  "name": "@access-dlsu/leapify",
-  "version": "0.260608.1",
-  "description": "DLSU CSO LEAP backend (run as a standalone Cloudflare Worker or install as an npm module)",
-  "type": "module",
-  "main": "./dist/index.cjs",
-  "module": "./dist/index.js",
-  "types": "./dist/index.d.ts",
-  "exports": {
-    ".": {
-      "types": "./dist/index.d.ts",
-      "import": "./dist/index.js",
-      "require": "./dist/index.cjs"
-    },
-    "./worker": {
-      "import": "./dist/worker.js"
-    },
-    "./client": {
-      "types": "./dist/client/index.d.ts",
-      "import": "./dist/client/index.js",
-      "require": "./dist/client/index.cjs"
-    },
-    "./types": {
-      "types": "./dist/client/types.d.ts",
-      "import": "./dist/client/types.js",
-      "require": "./dist/client/types.cjs"
-    },
-    "./middleware/turnstile-challenge": {
-      "types": "./dist/lib/middleware/turnstile-challenge.d.ts",
-      "import": "./dist/lib/middleware/turnstile-challenge.js",
-      "require": "./dist/lib/middleware/turnstile-challenge.cjs"
-    }
-  },
-  "files": [
-    "dist"
-  ],
-  "sideEffects": false,
-  "scripts": {
-    "build": "npx tsup src/index.ts src/client/index.ts src/client/types.ts src/lib/middleware/turnstile-challenge.ts --format esm,cjs --outDir dist --target es2022 --splitting --sourcemap false --no-dts --no-clean --external @opentelemetry/api && npx tsup src/worker.ts --format esm --outDir dist --target es2022 --no-splitting --sourcemap false --no-dts --no-clean --external @opentelemetry/api && tsc -p tsconfig.build.json --emitDeclarationOnly --declaration --declarationDir dist",
-    "dev": "tsup --watch",
-    "start": "npm run build && wrangler dev",
-    "deploy": "npm run build && wrangler deploy",
-    "test": "vitest",
-    "test:run": "vitest run",
-    "cf-typegen": "wrangler types",
-    "typecheck": "tsc --noEmit",
-    "db:generate": "drizzle-kit generate",
-    "db:migrate": "drizzle-kit migrate",
-    "clean": "node scripts/clean.mjs",
-    "version:auto": "node scripts/auto-version.mjs",
-    "pack": "npm run clean && npm run version:auto && npm run build && npm pack",
-    "pub": "npm whoami && npm run clean && npm run build && npm publish --access public"
-  },
-  "cloudflare": {
-    "bindings": {
-      "ALLOWED_ORIGINS": {
-        "description": "Comma-separated allowed origins (e.g., https://yoursite.com). Leave empty to block all cross-origin requests."
-      },
-      "BETTER_AUTH_SECRET": {
-        "description": "Better Auth signing secret. Generate with: openssl rand -base64 32"
-      },
-      "BETTER_AUTH_URL": {
-        "description": "Public HTTPS base URL of this Worker (e.g. https://leap.yourdomain.com). Used for OAuth redirects."
-      },
-      "GOOGLE_CLIENT_ID": {
-        "description": "Google OAuth 2.0 Client ID from Google Cloud Console."
-      },
-      "GOOGLE_CLIENT_SECRET": {
-        "description": "Google OAuth 2.0 Client Secret from Google Cloud Console."
-      },
-      "GFORMS_SERVICE_ACCOUNT_JSON": {
-        "description": "Google Forms Service Account JSON."
-      },
-      "GFORMS_WEBHOOK_SECRET": {
-        "description": "Secret for Google Forms Webhook."
-      },
-      "CONTENTFUL_SPACE_ID": {
-        "description": "Contentful Space ID."
-      },
-      "CONTENTFUL_ACCESS_TOKEN": {
-        "description": "Contentful Access Token."
-      },
-      "CONTENTFUL_ENVIRONMENT": {
-        "description": "Contentful Environment (usually `master`)."
-      },
-      "SES_REGION": {
-        "description": "Amazon SES Region (e.g., `us-east-1`)."
-      },
-      "SES_ACCESS_KEY_ID": {
-        "description": "Amazon SES Access Key ID."
-      },
-      "SES_SECRET_ACCESS_KEY": {
-        "description": "Amazon SES Secret Access Key."
-      },
-      "SES_FROM_ADDRESS": {
-        "description": "Verified from address for Amazon SES."
-      },
-      "RESEND_API_KEY": {
-        "description": "Resend API Key for fallback email (Optional)."
-      },
-      "RESEND_FROM_ADDRESS": {
-        "description": "Resend From Address (Optional)."
-      },
-      "INTERNAL_API_SECRET": {
-        "description": "Secret key for internal API routes. Also used as HMAC signing key for PoW challenge cookies."
-      },
-      "TURNSTILE_SITE_KEY": {
-        "description": "Cloudflare Turnstile site key (public)."
-      },
-      "TURNSTILE_SECRET_KEY": {
-        "description": "Cloudflare Turnstile secret key (sensitive)."
-      }
-    }
-  },
-  "peerDependencies": {
-    "@cloudflare/workers-types": "^4.0.0",
-    "drizzle-orm": "^0.45.2",
-    "hono": "^4.0.0"
-  },
-  "peerDependenciesMeta": {
-    "@cloudflare/workers-types": {
-      "optional": true
-    }
-  },
-  "dependencies": {
-    "@hono/standard-validator": "^0.2.2",
-    "@hono/swagger-ui": "^0.6.1",
-    "@hono/zod-validator": "^0.8.0",
-    "better-auth": "^1.6.9 <1.6.12 || ^1.7",
-    "hono-openapi": "^1.3.0",
-    "zod": "^4.4.0"
-  },
-  "devDependencies": {
-    "@cloudflare/workers-types": "^4.20260606.1",
-    "@types/better-sqlite3": "^7.6.13",
-    "better-sqlite3": "^12.10.0",
-    "drizzle-kit": "^0.31.10",
-    "hono": "^4.12.0",
-    "prettier": "^3.8.0",
-    "tsup": "^8.5.0",
-    "typescript": "^6.0.0",
-    "vitest": "^4.1.0"
-  },
-  "overrides": {
-    "esbuild": "^0.28.0"
-  },
-  "homepage": "https://github.com/access-dlsu/leapify#readme",
-  "bugs": {
-    "url": "https://github.com/access-dlsu/leapify/issues"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/access-dlsu/leapify.git"
-  },
-  "license": "MIT",
-  "author": "ACCESS DLSU"
+{
+  "name": "@access-dlsu/leapify",
+  "version": "0.260608.2",
+  "description": "DLSU CSO LEAP backend (run as a standalone Cloudflare Worker or install as an npm module)",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    },
+    "./worker": {
+      "import": "./dist/worker.js"
+    },
+    "./client": {
+      "types": "./dist/client/index.d.ts",
+      "import": "./dist/client/index.js",
+      "require": "./dist/client/index.cjs"
+    },
+    "./types": {
+      "types": "./dist/client/types.d.ts",
+      "import": "./dist/client/types.js",
+      "require": "./dist/client/types.cjs"
+    },
+    "./middleware/turnstile-challenge": {
+      "types": "./dist/lib/middleware/turnstile-challenge.d.ts",
+      "import": "./dist/lib/middleware/turnstile-challenge.js",
+      "require": "./dist/lib/middleware/turnstile-challenge.cjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "sideEffects": false,
+  "scripts": {
+    "build": "tsdown && tsc -p tsconfig.build.json --emitDeclarationOnly --declaration --declarationDir dist",
+    "dev": "tsdown --watch",
+    "start": "npm run build && wrangler dev",
+    "deploy": "npm run build && wrangler deploy",
+    "test": "vitest",
+    "test:run": "vitest run",
+    "cf-typegen": "wrangler types",
+    "typecheck": "tsc --noEmit",
+    "db:generate": "drizzle-kit generate",
+    "db:migrate": "drizzle-kit migrate",
+    "clean": "node scripts/clean.mjs",
+    "version:auto": "node scripts/auto-version.mjs",
+    "pack": "npm run clean && npm run version:auto && npm run build && npm pack",
+    "pub": "npm whoami && npm run clean && npm run build && npm publish --access public"
+  },
+  "cloudflare": {
+    "bindings": {
+      "ALLOWED_ORIGINS": {
+        "description": "Comma-separated allowed origins (e.g., https://yoursite.com). Leave empty to block all cross-origin requests."
+      },
+      "BETTER_AUTH_SECRET": {
+        "description": "Better Auth signing secret. Generate with: openssl rand -base64 32"
+      },
+      "BETTER_AUTH_URL": {
+        "description": "Public HTTPS base URL of this Worker (e.g. https://leap.yourdomain.com). Used for OAuth redirects."
+      },
+      "GOOGLE_CLIENT_ID": {
+        "description": "Google OAuth 2.0 Client ID from Google Cloud Console."
+      },
+      "GOOGLE_CLIENT_SECRET": {
+        "description": "Google OAuth 2.0 Client Secret from Google Cloud Console."
+      },
+      "GFORMS_SERVICE_ACCOUNT_JSON": {
+        "description": "Google Forms Service Account JSON."
+      },
+      "GFORMS_WEBHOOK_SECRET": {
+        "description": "Secret for Google Forms Webhook."
+      },
+      "CONTENTFUL_SPACE_ID": {
+        "description": "Contentful Space ID."
+      },
+      "CONTENTFUL_ACCESS_TOKEN": {
+        "description": "Contentful Access Token."
+      },
+      "CONTENTFUL_ENVIRONMENT": {
+        "description": "Contentful Environment (usually `master`)."
+      },
+      "SES_REGION": {
+        "description": "Amazon SES Region (e.g., `us-east-1`)."
+      },
+      "SES_ACCESS_KEY_ID": {
+        "description": "Amazon SES Access Key ID."
+      },
+      "SES_SECRET_ACCESS_KEY": {
+        "description": "Amazon SES Secret Access Key."
+      },
+      "SES_FROM_ADDRESS": {
+        "description": "Verified from address for Amazon SES."
+      },
+      "RESEND_API_KEY": {
+        "description": "Resend API Key for fallback email (Optional)."
+      },
+      "RESEND_FROM_ADDRESS": {
+        "description": "Resend From Address (Optional)."
+      },
+      "INTERNAL_API_SECRET": {
+        "description": "Secret key for internal API routes. Also used as HMAC signing key for PoW challenge cookies."
+      },
+      "TURNSTILE_SITE_KEY": {
+        "description": "Cloudflare Turnstile site key (public)."
+      },
+      "TURNSTILE_SECRET_KEY": {
+        "description": "Cloudflare Turnstile secret key (sensitive)."
+      }
+    }
+  },
+  "peerDependencies": {
+    "@cloudflare/workers-types": "^4.0.0",
+    "drizzle-orm": "^0.45.2",
+    "hono": "^4.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@cloudflare/workers-types": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "@hono/standard-validator": "^0.2.2",
+    "@hono/swagger-ui": "^0.6.1",
+    "@hono/zod-validator": "^0.8.0",
+    "better-auth": "^1.6.0",
+    "hono-openapi": "^1.3.0",
+    "zod": "^4.4.0"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20260606.1",
+    "@types/better-sqlite3": "^7.6.13",
+    "better-sqlite3": "^12.10.0",
+    "drizzle-kit": "^0.31.10",
+    "hono": "^4.12.0",
+    "prettier": "^3.8.0",
+    "tsdown": "^0.22.2",
+    "typescript": "^6.0.0",
+    "vitest": "^4.1.0"
+  },
+  "overrides": {
+    "esbuild": "^0.28.0",
+    "kysely": "^0.28.0"
+  },
+  "homepage": "https://github.com/access-dlsu/leapify#readme",
+  "bugs": {
+    "url": "https://github.com/access-dlsu/leapify/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/access-dlsu/leapify.git"
+  },
+  "license": "MIT",
+  "author": "ACCESS DLSU"
 }

package/dist/chunk-NYEPGZMP.cjs

@@ -1,171 +0,0 @@
-'use strict';
-
-var factory = require('hono/factory');
-
-// src/lib/middleware/turnstile-challenge.ts
-var TURNSTILE_PATH = "/.well-known/leapify/turnstile";
-var TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`;
-var TURNSTILE_COOKIE_NAME = "leapify-turnstile";
-var VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
-var COOKIE_MAX_AGE_SEC = 86400;
-var EXEMPT_PATHS = [
-  "/health",
-  "/internal",
-  "/api/auth",
-  "/api/uploads/images",
-  "/api/classes",
-  "/api/faqs",
-  "/api/config",
-  "/api/themes",
-  "/api/organizations",
-  "/api/docs",
-  "/api/openapi.json",
-  TURNSTILE_VERIFY_PATH
-];
-function base64urlEncode(bytes) {
-  let binary = "";
-  for (const byte of bytes) {
-    binary += String.fromCharCode(byte);
-  }
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function base64urlDecode(str) {
-  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
-  const binary = atob(padded);
-  const bytes = new Uint8Array(new ArrayBuffer(binary.length));
-  for (let i = 0; i < binary.length; i++) {
-    bytes[i] = binary.charCodeAt(i);
-  }
-  return bytes;
-}
-async function importHmacKey(secret) {
-  return crypto.subtle.importKey(
-    "raw",
-    new TextEncoder().encode(secret),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign", "verify"]
-  );
-}
-async function signCookie(secret, ip) {
-  const ts = Date.now();
-  const nonce = base64urlEncode(crypto.getRandomValues(new Uint8Array(8)));
-  const payload = `${ip}:${ts}:${nonce}`;
-  const key = await importHmacKey(secret);
-  const sig = await crypto.subtle.sign(
-    "HMAC",
-    key,
-    new TextEncoder().encode(payload)
-  );
-  const sigB64 = base64urlEncode(new Uint8Array(sig));
-  return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`;
-}
-async function validateCookie(secret, cookie, ip) {
-  try {
-    const [payloadB64, sigB64] = cookie.split(".");
-    if (!payloadB64 || !sigB64) return false;
-    const payloadBytes = base64urlDecode(payloadB64);
-    const sigBytes = base64urlDecode(sigB64);
-    const key = await importHmacKey(secret);
-    const valid = await crypto.subtle.verify(
-      "HMAC",
-      key,
-      sigBytes,
-      payloadBytes
-    );
-    if (!valid) return false;
-    const payload = new TextDecoder().decode(payloadBytes);
-    const [cookieIp, tsStr] = payload.split(":");
-    if (cookieIp !== ip) return false;
-    const ts = parseInt(tsStr, 10);
-    if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1e3) return false;
-    return true;
-  } catch {
-    return false;
-  }
-}
-function getClientIp(c) {
-  return c.req.header("CF-Connecting-IP") ?? c.req.header("X-Real-IP") ?? c.req.header("X-Forwarded-For")?.split(",")[0]?.trim() ?? "unknown";
-}
-function isExempt(path) {
-  const normalized = path.toLowerCase().replace(/\/$/, "");
-  return EXEMPT_PATHS.some((p) => {
-    const ep = p.toLowerCase().replace(/\/$/, "");
-    return normalized === ep || normalized.startsWith(ep + "/");
-  });
-}
-function setCookieHeader(c, token) {
-  const isSecure = c.req.raw.url.startsWith("https") || c.req.header("x-forwarded-proto") === "https";
-  c.header(
-    "Set-Cookie",
-    `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${isSecure ? "Secure; " : ""}HttpOnly; SameSite=Lax`
-  );
-}
-async function handleTurnstileVerify(c) {
-  const body = await c.req.json();
-  const { token } = body;
-  if (!token) {
-    return c.json(
-      { error: { code: "VALIDATION_ERROR", message: "Missing Turnstile token" } },
-      422
-    );
-  }
-  const secret = c.env.TURNSTILE_SECRET_KEY;
-  if (!secret) {
-    return c.json(
-      { error: { code: "CONFIG_ERROR", message: "Turnstile not configured" } },
-      500
-    );
-  }
-  const ip = getClientIp(c);
-  const formData = new URLSearchParams();
-  formData.append("secret", secret);
-  formData.append("response", token);
-  if (ip !== "unknown") {
-    formData.append("remoteip", ip);
-  }
-  const res = await fetch(VERIFY_URL, {
-    method: "POST",
-    body: formData
-  });
-  const outcome = await res.json();
-  if (!outcome.success) {
-    return c.json(
-      { error: { code: "TURNSTILE_FAILED", message: "Turnstile verification failed", details: outcome["error-codes"] } },
-      403
-    );
-  }
-  const cookieToken = await signCookie(secret, ip);
-  setCookieHeader(c, cookieToken);
-  return c.json({ success: true });
-}
-function createTurnstileMiddleware() {
-  return factory.createMiddleware(async (c, next) => {
-    if (isExempt(c.req.path)) return next();
-    if (c.req.method === "OPTIONS") return next();
-    if (c.req.header("Authorization")) return next();
-    const secret = c.env.TURNSTILE_SECRET_KEY;
-    if (!secret) return next();
-    const cookieHeader = c.req.header("Cookie") ?? "";
-    const cookieMatch = cookieHeader.match(
-      new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`)
-    );
-    if (cookieMatch) {
-      const ip = getClientIp(c);
-      const valid = await validateCookie(secret, cookieMatch[1], ip);
-      if (valid) return next();
-    }
-    return c.json(
-      { error: { code: "TURNSTILE_REQUIRED", message: "Turnstile verification required" } },
-      401
-    );
-  });
-}
-
-exports.TURNSTILE_COOKIE_NAME = TURNSTILE_COOKIE_NAME;
-exports.TURNSTILE_PATH = TURNSTILE_PATH;
-exports.TURNSTILE_VERIFY_PATH = TURNSTILE_VERIFY_PATH;
-exports.createTurnstileMiddleware = createTurnstileMiddleware;
-exports.handleTurnstileVerify = handleTurnstileVerify;
-//# sourceMappingURL=chunk-NYEPGZMP.cjs.map
-//# sourceMappingURL=chunk-NYEPGZMP.cjs.map

package/dist/chunk-NYEPGZMP.cjs.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/lib/middleware/turnstile-challenge.ts"],"names":["createMiddleware"],"mappings":";;;;;AAIO,IAAM,cAAA,GAAiB;AAEvB,IAAM,qBAAA,GAAwB,GAAG,cAAc,CAAA,OAAA;AAE/C,IAAM,qBAAA,GAAwB;AAErC,IAAM,UAAA,GAAa,2DAAA;AAEnB,IAAM,kBAAA,GAAqB,KAAA;AAE3B,IAAM,YAAA,GAAe;AAAA,EACnB,SAAA;AAAA,EACA,WAAA;AAAA,EACA,WAAA;AAAA,EACA,qBAAA;AAAA,EACA,cAAA;AAAA,EACA,WAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,oBAAA;AAAA,EACA,WAAA;AAAA,EACA,mBAAA;AAAA,EACA;AACF,CAAA;AAEA,SAAS,gBAAgB,KAAA,EAA2B;AAClD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAA,IAAU,MAAA,CAAO,aAAa,IAAI,CAAA;AAAA,EACpC;AACA,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC/E;AAEA,SAAS,gBAAgB,GAAA,EAAsC;AAC7D,EAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AACvD,EAAA,MAAM,MAAA,GAAS,KAAK,MAAM,CAAA;AAC1B,EAAA,MAAM,QAAQ,IAAI,UAAA,CAAW,IAAI,WAAA,CAAY,MAAA,CAAO,MAAM,CAAC,CAAA;AAC3D,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,KAAA;AACT;AAEA,eAAe,cAAc,MAAA,EAAoC;AAC/D,EAAA,OAAO,OAAO,MAAA,CAAO,SAAA;AAAA,IACnB,KAAA;AAAA,IACA,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,MAAM,CAAA;AAAA,IAC/B,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAU;AAAA,IAChC,KAAA;AAAA,IACA,CAAC,QAAQ,QAAQ;AAAA,GACnB;AACF;AAEA,eAAe,UAAA,CAAW,QAAgB,EAAA,EAA6B;AACrE,EAAA,MAAM,EAAA,GAAK,KAAK,GAAA,EAAI;AACpB,EAAA,MAAM,KAAA,GAAQ,gBAAgB,MAAA,CAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,CAAC,CAAC,CAAC,CAAA;AACvE,EAAA,MAAM,UAAU,CAAA,EAAG,EAAE,CAAA,CAAA,EAAI,EAAE,IAAI,KAAK,CAAA,CAAA;AACpC,EAAA,MAAM,GAAA,GAAM,MAAM,aAAA,CAAc,MAAM,CAAA;AACtC,EAAA,MAAM,GAAA,GAAM,MAAM,MAAA,CAAO,MAAA,CAAO,IAAA;AAAA,IAC9B,MAAA;AAAA,IACA,GAAA;AAAA,IACA,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,OAAO;AAAA,GAClC;AACA,EAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,IAAI,UAAA,CAAW,GAAG,CAAC,CAAA;AAClD,EAAA,OAAO,CAAA,EAAG,eAAA,CAAgB,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAC,CAAC,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA;AACxE;AAEA,eAAe,cAAA,CACb,MAAA,EACA,MAAA,EACA,EAAA,EACkB;AAClB,EAAA,IAAI;AACF,IAAA,MAAM,CAAC,UAAA,EAAY,MAAM,CAAA,GAAI,MAAA,CAAO,MAAM,GAAG,CAAA;AAC7C,IAAA,IAAI,CAAC,UAAA,IAAc,CAAC,MAAA,EAAQ,OAAO,KAAA;AAEnC,IAAA,MAAM,YAAA,GAAe,gBAAgB,UAAU,CAAA;AAC/C,IAAA,MAAM,QAAA,GAAW,gBAAgB,MAAM,CAAA;AAEvC,IAAA,MAAM,GAAA,GAAM,MAAM,aAAA,CAAc,MAAM,CAAA;AACtC,IAAA,MAAM,KAAA,GAAQ,MAAM,MAAA,CAAO,MAAA,CAAO,MAAA;AAAA,MAChC,MAAA;AAAA,MACA,GAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,IAAI,CAAC,OAAO,OAAO,KAAA;AAEnB,IAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,YAAY,CAAA;AACrD,IAAA,MAAM,CAAC,QAAA,EAAU,KAAK,CAAA,GAAI,OAAA,CAAQ,MAAM,GAAG,CAAA;AAE3C,IAAA,IAAI,QAAA,KAAa,IAAI,OAAO,KAAA;AAE5B,IAAA,MAAM,EAAA,GAAK,QAAA,CAAS,KAAA,EAAO,EAAE,CAAA;AAC7B,IAAA,IAAI,KAAA,CAAM,EAAE,CAAA,IAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,kBAAA,GAAqB,GAAA,EAAM,OAAO,KAAA;AAErE,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAEA,SAAS,YAAY,CAAA,EAAmD;AACtE,EAAA,OACE,CAAA,CAAE,IAAI,MAAA,CAAO,kBAAkB,KAC/B,CAAA,CAAE,GAAA,CAAI,OAAO,WAAW,CAAA,IACxB,EAAE,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,EAAK,IACrD,SAAA;AAEJ;AAEA,SAAS,SAAS,IAAA,EAAuB;AACvC,EAAA,MAAM,aAAa,IAAA,CAAK,WAAA,EAAY,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AACvD,EAAA,OAAO,YAAA,CAAa,IAAA,CAAK,CAAC,CAAA,KAAM;AAC9B,IAAA,MAAM,KAAK,CAAA,CAAE,WAAA,EAAY,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC5C,IAAA,OAAO,UAAA,KAAe,EAAA,IAAM,UAAA,CAAW,UAAA,CAAW,KAAK,GAAG,CAAA;AAAA,EAC5D,CAAC,CAAA;AACH;AAEA,SAAS,eAAA,CAAgB,GAA2C,KAAA,EAAqB;AACvF,EAAA,MAAM,QAAA,GAAW,CAAA,CAAE,GAAA,CAAI,GAAA,CAAI,GAAA,CAAI,UAAA,CAAW,OAAO,CAAA,IAAK,CAAA,CAAE,GAAA,CAAI,MAAA,CAAO,mBAAmB,CAAA,KAAM,OAAA;AAC5F,EAAA,CAAA,CAAE,MAAA;AAAA,IACA,YAAA;AAAA,IACA,CAAA,EAAG,qBAAqB,CAAA,CAAA,EAAI,KAAK,qBAAqB,kBAAkB,CAAA,EAAA,EACtE,QAAA,GAAW,UAAA,GAAa,EAC1B,CAAA,sBAAA;AAAA,GACF;AACF;AAOA,eAAsB,sBACpB,CAAA,EACA;AACA,EAAA,MAAM,IAAA,GAAO,MAAM,CAAA,CAAE,GAAA,CAAI,IAAA,EAAyB;AAClD,EAAA,MAAM,EAAE,OAAM,GAAI,IAAA;AAElB,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,MAAM,kBAAA,EAAoB,OAAA,EAAS,2BAA0B,EAAE;AAAA,MAC1E;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,EAAE,GAAA,CAAI,oBAAA;AACrB,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,MAAM,cAAA,EAAgB,OAAA,EAAS,4BAA2B,EAAE;AAAA,MACvE;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,EAAA,GAAK,YAAY,CAAC,CAAA;AACxB,EAAA,MAAM,QAAA,GAAW,IAAI,eAAA,EAAgB;AACrC,EAAA,QAAA,CAAS,MAAA,CAAO,UAAU,MAAM,CAAA;AAChC,EAAA,QAAA,CAAS,MAAA,CAAO,YAAY,KAAK,CAAA;AACjC,EAAA,IAAI,OAAO,SAAA,EAAW;AACpB,IAAA,QAAA,CAAS,MAAA,CAAO,YAAY,EAAE,CAAA;AAAA,EAChC;AAEA,EAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,UAAA,EAAY;AAAA,IAClC,MAAA,EAAQ,MAAA;AAAA,IACR,IAAA,EAAM;AAAA,GACP,CAAA;AACD,EAAA,MAAM,OAAA,GAAU,MAAM,GAAA,CAAI,IAAA,EAAK;AAE/B,EAAA,IAAI,CAAC,QAAQ,OAAA,EAAS;AACpB,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,IAAA,EAAM,kBAAA,EAAoB,OAAA,EAAS,+BAAA,EAAiC,OAAA,EAAS,OAAA,CAAQ,aAAa,CAAA,EAAE,EAAE;AAAA,MACjH;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,EAAQ,EAAE,CAAA;AAC/C,EAAA,eAAA,CAAgB,GAAG,WAAW,CAAA;AAE9B,EAAA,OAAO,CAAA,CAAE,IAAA,CAAK,EAAE,OAAA,EAAS,MAAM,CAAA;AACjC;AAYO,SAAS,yBAAA,GAA4B;AAC1C,EAAA,OAAOA,wBAAA,CAAgD,OAAO,CAAA,EAAG,IAAA,KAAS;AACxE,IAAA,IAAI,SAAS,CAAA,CAAE,GAAA,CAAI,IAAI,CAAA,SAAU,IAAA,EAAK;AAEtC,IAAA,IAAI,CAAA,CAAE,GAAA,CAAI,MAAA,KAAW,SAAA,SAAkB,IAAA,EAAK;AAI5C,IAAA,IAAI,EAAE,GAAA,CAAI,MAAA,CAAO,eAAe,CAAA,SAAU,IAAA,EAAK;AAE/C,IAAA,MAAM,MAAA,GAAS,EAAE,GAAA,CAAI,oBAAA;AACrB,IAAA,IAAI,CAAC,MAAA,EAAQ,OAAO,IAAA,EAAK;AAEzB,IAAA,MAAM,YAAA,GAAe,CAAA,CAAE,GAAA,CAAI,MAAA,CAAO,QAAQ,CAAA,IAAK,EAAA;AAC/C,IAAA,MAAM,cAAc,YAAA,CAAa,KAAA;AAAA,MAC/B,IAAI,MAAA,CAAO,CAAA,EAAG,qBAAqB,CAAA,QAAA,CAAU;AAAA,KAC/C;AACA,IAAA,IAAI,WAAA,EAAa;AACf,MAAA,MAAM,EAAA,GAAK,YAAY,CAAC,CAAA;AACxB,MAAA,MAAM,QAAQ,MAAM,cAAA,CAAe,QAAQ,WAAA,CAAY,CAAC,GAAG,EAAE,CAAA;AAC7D,MAAA,IAAI,KAAA,SAAc,IAAA,EAAK;AAAA,IACzB;AAEA,IAAA,OAAO,CAAA,CAAE,IAAA;AAAA,MACP,EAAE,KAAA,EAAO,EAAE,MAAM,oBAAA,EAAsB,OAAA,EAAS,mCAAkC,EAAE;AAAA,MACpF;AAAA,KACF;AAAA,EACF,CAAC,CAAA;AACH","file":"chunk-NYEPGZMP.cjs","sourcesContent":["import { createMiddleware } from 'hono/factory'\r\nimport type { Context } from 'hono'\r\nimport type { LeapifyBindings } from '../../types'\r\n\r\nexport const TURNSTILE_PATH = '/.well-known/leapify/turnstile'\r\n\r\nexport const TURNSTILE_VERIFY_PATH = `${TURNSTILE_PATH}/verify`\r\n\r\nexport const TURNSTILE_COOKIE_NAME = 'leapify-turnstile'\r\n\r\nconst VERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'\r\n\r\nconst COOKIE_MAX_AGE_SEC = 86400\r\n\r\nconst EXEMPT_PATHS = [\r\n  \"/health\",\r\n  \"/internal\",\r\n  \"/api/auth\",\r\n  \"/api/uploads/images\",\r\n  \"/api/classes\",\r\n  \"/api/faqs\",\r\n  \"/api/config\",\r\n  \"/api/themes\",\r\n  \"/api/organizations\",\r\n  \"/api/docs\",\r\n  \"/api/openapi.json\",\r\n  TURNSTILE_VERIFY_PATH,\r\n];\r\n\r\nfunction base64urlEncode(bytes: Uint8Array): string {\r\n  let binary = ''\r\n  for (const byte of bytes) {\r\n    binary += String.fromCharCode(byte)\r\n  }\r\n  return btoa(binary).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '')\r\n}\r\n\r\nfunction base64urlDecode(str: string): Uint8Array<ArrayBuffer> {\r\n  const padded = str.replace(/-/g, '+').replace(/_/g, '/')\r\n  const binary = atob(padded)\r\n  const bytes = new Uint8Array(new ArrayBuffer(binary.length))\r\n  for (let i = 0; i < binary.length; i++) {\r\n    bytes[i] = binary.charCodeAt(i)\r\n  }\r\n  return bytes\r\n}\r\n\r\nasync function importHmacKey(secret: string): Promise<CryptoKey> {\r\n  return crypto.subtle.importKey(\r\n    'raw',\r\n    new TextEncoder().encode(secret),\r\n    { name: 'HMAC', hash: 'SHA-256' },\r\n    false,\r\n    ['sign', 'verify']\r\n  )\r\n}\r\n\r\nasync function signCookie(secret: string, ip: string): Promise<string> {\r\n  const ts = Date.now()\r\n  const nonce = base64urlEncode(crypto.getRandomValues(new Uint8Array(8)))\r\n  const payload = `${ip}:${ts}:${nonce}`\r\n  const key = await importHmacKey(secret)\r\n  const sig = await crypto.subtle.sign(\r\n    'HMAC',\r\n    key,\r\n    new TextEncoder().encode(payload)\r\n  )\r\n  const sigB64 = base64urlEncode(new Uint8Array(sig))\r\n  return `${base64urlEncode(new TextEncoder().encode(payload))}.${sigB64}`\r\n}\r\n\r\nasync function validateCookie(\r\n  secret: string,\r\n  cookie: string,\r\n  ip: string\r\n): Promise<boolean> {\r\n  try {\r\n    const [payloadB64, sigB64] = cookie.split('.')\r\n    if (!payloadB64 || !sigB64) return false\r\n\r\n    const payloadBytes = base64urlDecode(payloadB64)\r\n    const sigBytes = base64urlDecode(sigB64)\r\n\r\n    const key = await importHmacKey(secret)\r\n    const valid = await crypto.subtle.verify(\r\n      'HMAC',\r\n      key,\r\n      sigBytes,\r\n      payloadBytes\r\n    )\r\n    if (!valid) return false\r\n\r\n    const payload = new TextDecoder().decode(payloadBytes)\r\n    const [cookieIp, tsStr] = payload.split(':')\r\n\r\n    if (cookieIp !== ip) return false\r\n\r\n    const ts = parseInt(tsStr, 10)\r\n    if (isNaN(ts) || Date.now() - ts > COOKIE_MAX_AGE_SEC * 1000) return false\r\n\r\n    return true\r\n  } catch {\r\n    return false\r\n  }\r\n}\r\n\r\nfunction getClientIp(c: Context<{ Bindings: LeapifyBindings }>): string {\r\n  return (\r\n    c.req.header('CF-Connecting-IP') ??\r\n    c.req.header('X-Real-IP') ??\r\n    c.req.header('X-Forwarded-For')?.split(',')[0]?.trim() ??\r\n    'unknown'\r\n  )\r\n}\r\n\r\nfunction isExempt(path: string): boolean {\r\n  const normalized = path.toLowerCase().replace(/\\/$/, '')\r\n  return EXEMPT_PATHS.some((p) => {\r\n    const ep = p.toLowerCase().replace(/\\/$/, '')\r\n    return normalized === ep || normalized.startsWith(ep + '/')\r\n  })\r\n}\r\n\r\nfunction setCookieHeader(c: Context<{ Bindings: LeapifyBindings }>, token: string): void {\r\n  const isSecure = c.req.raw.url.startsWith(\"https\") || c.req.header(\"x-forwarded-proto\") === \"https\";\r\n  c.header(\r\n    \"Set-Cookie\",\r\n    `${TURNSTILE_COOKIE_NAME}=${token}; Path=/; Max-Age=${COOKIE_MAX_AGE_SEC}; ${\r\n      isSecure ? \"Secure; \" : \"\"\r\n    }HttpOnly; SameSite=Lax`,\r\n  );\r\n}\r\n\r\n/**\r\n * POST /.well-known/leapify/turnstile/verify\r\n *\r\n * Validates a Turnstile token and issues a signed cookie on success.\r\n */\r\nexport async function handleTurnstileVerify(\r\n  c: Context<{ Bindings: LeapifyBindings }>\r\n) {\r\n  const body = await c.req.json<{ token?: string }>()\r\n  const { token } = body\r\n\r\n  if (!token) {\r\n    return c.json(\r\n      { error: { code: 'VALIDATION_ERROR', message: 'Missing Turnstile token' } },\r\n      422\r\n    )\r\n  }\r\n\r\n  const secret = c.env.TURNSTILE_SECRET_KEY\r\n  if (!secret) {\r\n    return c.json(\r\n      { error: { code: 'CONFIG_ERROR', message: 'Turnstile not configured' } },\r\n      500\r\n    )\r\n  }\r\n\r\n  const ip = getClientIp(c)\r\n  const formData = new URLSearchParams()\r\n  formData.append('secret', secret)\r\n  formData.append('response', token)\r\n  if (ip !== 'unknown') {\r\n    formData.append('remoteip', ip)\r\n  }\r\n\r\n  const res = await fetch(VERIFY_URL, {\r\n    method: 'POST',\r\n    body: formData,\r\n  })\r\n  const outcome = await res.json() as { success: boolean; 'error-codes'?: string[] }\r\n\r\n  if (!outcome.success) {\r\n    return c.json(\r\n      { error: { code: 'TURNSTILE_FAILED', message: 'Turnstile verification failed', details: outcome['error-codes'] } },\r\n      403\r\n    )\r\n  }\r\n\r\n  const cookieToken = await signCookie(secret, ip)\r\n  setCookieHeader(c, cookieToken)\r\n\r\n  return c.json({ success: true })\r\n}\r\n\r\n/**\r\n * Turnstile challenge middleware.\r\n *\r\n * Requires a valid Turnstile-signed cookie on all non-exempt requests.\r\n * The client must first solve a Turnstile challenge and POST the token\r\n * to the verify endpoint to obtain the cookie.\r\n *\r\n * Exempt paths: /health, /internal, /api/auth, /api/uploads/images,\r\n * and the verify endpoint itself.\r\n */\r\nexport function createTurnstileMiddleware() {\r\n  return createMiddleware<{ Bindings: LeapifyBindings }>(async (c, next) => {\r\n    if (isExempt(c.req.path)) return next()\r\n\r\n    if (c.req.method === 'OPTIONS') return next()\r\n\r\n    // Skip challenge for authenticated requests (Bearer token present)\r\n    // The auth middleware will handle session validation instead.\r\n    if (c.req.header('Authorization')) return next()\r\n\r\n    const secret = c.env.TURNSTILE_SECRET_KEY\r\n    if (!secret) return next()\r\n\r\n    const cookieHeader = c.req.header('Cookie') ?? ''\r\n    const cookieMatch = cookieHeader.match(\r\n      new RegExp(`${TURNSTILE_COOKIE_NAME}=([^;]+)`)\r\n    )\r\n    if (cookieMatch) {\r\n      const ip = getClientIp(c)\r\n      const valid = await validateCookie(secret, cookieMatch[1], ip)\r\n      if (valid) return next()\r\n    }\r\n\r\n    return c.json(\r\n      { error: { code: 'TURNSTILE_REQUIRED', message: 'Turnstile verification required' } },\r\n      401\r\n    )\r\n  })\r\n}\r\n"]}

package/dist/chunk-PZ5AY32C.js

@@ -1,9 +0,0 @@
-var __defProp = Object.defineProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-
-export { __export };
-//# sourceMappingURL=chunk-PZ5AY32C.js.map
-//# sourceMappingURL=chunk-PZ5AY32C.js.map

package/dist/chunk-PZ5AY32C.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"chunk-PZ5AY32C.js"}

package/dist/chunk-Q7SFCCGT.cjs

@@ -1,11 +0,0 @@
-'use strict';
-
-var __defProp = Object.defineProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-
-exports.__export = __export;
-//# sourceMappingURL=chunk-Q7SFCCGT.cjs.map
-//# sourceMappingURL=chunk-Q7SFCCGT.cjs.map

package/dist/chunk-Q7SFCCGT.cjs.map

@@ -1 +0,0 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"chunk-Q7SFCCGT.cjs"}