@aetherframework/middleware 1.0.2

package/src/middleware/params.js

@@ -0,0 +1,227 @@
+/**
+ * @license MIT
+ * Copyright (c) 2026-present AetherFramework Contributors.
+ * SPDX-License-Identifier: MIT
+ * @module @aetherframework/middleware/middleware/middleware/params.js
+ */
+
+function createParamsMiddleware(options = {}) {
+  const defaults = {
+    // Parameter parsing configuration
+    parseNumbers: true, // Auto-convert numbers
+    parseBooleans: true, // Auto-convert booleans
+    parseArrays: true, // Auto-convert arrays
+    trimStrings: true, // Auto-trim strings
+    
+    // Validation configuration
+    validation: {
+      enabled: true,
+      onError: (context, errors) => {
+        context.setStatus(400).json({
+          error: "Validation Error",
+          message: "Invalid request parameters",
+          details: errors
+        });
+      }
+    }
+  };
+
+  const config = { ...defaults, ...options };
+
+  // Parameter type conversion
+  function parseValue(value, options) {
+    if (value === undefined || value === null) return value;
+    
+    let result = String(value);
+    
+    // Trim strings
+    if (options.trimStrings) {
+      result = result.trim();
+    }
+    
+    // Parse numbers
+    if (options.parseNumbers && /^-?\d+(\.\d+)?$/.test(result)) {
+      const num = parseFloat(result);
+      if (!isNaN(num)) return num;
+    }
+    
+    // Parse booleans
+    if (options.parseBooleans) {
+      const lower = result.toLowerCase();
+      if (lower === "true") return true;
+      if (lower === "false") return false;
+      if (lower === "1") return true;
+      if (lower === "0") return false;
+    }
+    
+    // Parse arrays (comma-separated)
+    if (options.parseArrays && result.includes(",")) {
+      return result.split(",").map(item => parseValue(item.trim(), options));
+    }
+    
+    return result;
+  }
+
+  // Validate parameters
+  function validateParams(params, rules) {
+    if (!config.validation.enabled || !rules) return null;
+    
+    const errors = [];
+    
+    for (const [key, rule] of Object.entries(rules)) {
+      const value = params[key];
+      const isRequired = rule.required !== false;
+      
+      // Required check
+      if (isRequired && (value === undefined || value === null || value === "")) {
+        errors.push({
+          field: key,
+          message: rule.message || `${key} is required`,
+          type: "required"
+        });
+        continue;
+      }
+      
+      // Type checking
+      if (value !== undefined && value !== null) {
+        if (rule.type === "number" && typeof value !== "number") {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} must be a number`,
+            type: "type"
+          });
+        } else if (rule.type === "string" && typeof value !== "string") {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} must be a string`,
+            type: "type"
+          });
+        } else if (rule.type === "boolean" && typeof value !== "boolean") {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} must be a boolean`,
+            type: "type"
+          });
+        } else if (rule.type === "array" && !Array.isArray(value)) {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} must be an array`,
+            type: "type"
+          });
+        } else if (rule.type === "object" && (typeof value !== "object" || Array.isArray(value))) {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} must be an object`,
+            type: "type"
+          });
+        }
+        
+        // Length validation
+        if (rule.minLength !== undefined && String(value).length < rule.minLength) {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} must be at least ${rule.minLength} characters`,
+            type: "minLength"
+          });
+        }
+        
+        if (rule.maxLength !== undefined && String(value).length > rule.maxLength) {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} must be at most ${rule.maxLength} characters`,
+            type: "maxLength"
+          });
+        }
+        
+        // Range validation
+        if (rule.min !== undefined && Number(value) < rule.min) {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} must be at least ${rule.min}`,
+            type: "min"
+          });
+        }
+        
+        if (rule.max !== undefined && Number(value) > rule.max) {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} must be at most ${rule.max}`,
+            type: "max"
+          });
+        }
+        
+        // Pattern validation
+        if (rule.pattern && !new RegExp(rule.pattern).test(String(value))) {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} does not match the required pattern`,
+            type: "pattern"
+          });
+        }
+        
+        // Enum validation
+        if (rule.enum && !rule.enum.includes(value)) {
+          errors.push({
+            field: key,
+            message: rule.message || `${key} must be one of: ${rule.enum.join(", ")}`,
+            type: "enum"
+          });
+        }
+      }
+    }
+    
+    return errors.length > 0 ? errors : null;
+  }
+
+  return async function paramsMiddleware(context, next) {
+    // Merge all parameters
+    const allParams = {
+      ...context.params || {},
+      ...context.query || {},
+      ...(context.getState("parsedBody") || {})
+    };
+    
+    // Parameter type conversion
+    const parsedParams = {};
+    for (const [key, value] of Object.entries(allParams)) {
+      parsedParams[key] = parseValue(value, config);
+    }
+    
+    // Set to context
+    context.allParams = parsedParams;
+    
+    // Get validation rules (from route metadata)
+    const validationRules = context.route?.validationRules;
+    
+    // Execute validation
+    if (validationRules) {
+      const errors = validateParams(parsedParams, validationRules);
+      if (errors) {
+        return config.validation.onError(context, errors);
+      }
+    }
+    
+    // Add convenience methods
+    context.getParam = (key, defaultValue) => {
+      return parsedParams[key] !== undefined ? parsedParams[key] : defaultValue;
+    };
+    
+    context.hasParam = (key) => {
+      return parsedParams[key] !== undefined;
+    };
+    
+    context.requireParam = (key) => {
+      const value = parsedParams[key];
+      if (value === undefined) {
+        throw new Error(`Parameter ${key} is required`);
+      }
+      return value;
+    };
+    
+    if (typeof next === "function") {
+      await next();
+    }
+  };
+}
+
+export default createParamsMiddleware;

package/src/middleware/rate-limit.js

@@ -0,0 +1,167 @@
+/**
+ * @license MIT
+ * Copyright (c) 2026-present AetherFramework Contributors.
+ * SPDX-License-Identifier: MIT
+ * @module @aetherframework/middleware/middleware/rate-limit.js
+ */
+
+import crypto from "crypto";
+
+// Ultimate optimization: Use the most primitive, zero object allocation for-loop for single-point cookie lookup, reducing GC overhead to absolute zero
+function getCookieValue(cookieHeader, name) {
+  if (!cookieHeader) return undefined;
+  const target = name + "=";
+  const len = cookieHeader.length;
+  let pos = 0;
+  while (pos < len) {
+    pos = cookieHeader.indexOf(target, pos);
+    if (pos === -1) break;
+    // Ensure it's an independent cookie name, not a prefix of another
+    if (
+      pos === 0 ||
+      cookieHeader.charCodeAt(pos - 1) === 32 ||
+      cookieHeader.charCodeAt(pos - 1) === 59
+    ) {
+      pos += target.length;
+      let end = cookieHeader.indexOf(";", pos);
+      if (end === -1) end = len;
+      return cookieHeader.substring(pos, end).trim();
+    }
+    pos += 1;
+  }
+  return undefined;
+}
+
+// Abandon long UUID, use 16-byte high-performance hexadecimal ID, shorten cookie length, reduce network and compression middleware overhead
+const genId = () => crypto.randomBytes(16).toString("hex");
+
+class MemoryStore {
+  constructor() {
+    this.cache = new Map();
+  }
+  async get(id) {
+    const s = this.cache.get(id);
+    if (!s) return null;
+    if (Date.now() > s.exp) {
+      this.cache.delete(id);
+      return null;
+    }
+    return s.data;
+  }
+  async set(id, data, ttl) {
+    this.cache.set(id, { data, exp: Date.now() + ttl });
+  }
+  async delete(id) {
+    this.cache.delete(id);
+  }
+  prune() {
+    const now = Date.now();
+    for (const [k, v] of this.cache) if (now > v.exp) this.cache.delete(k);
+  }
+}
+
+export class SessionManager {
+  constructor(options = {}) {
+    const { store, ...restOptions } = options;
+    this.config = {
+      enabled: process.env.SESSION_ENABLED !== "false",
+      maxAge: parseInt(process.env.SESSION_MAX_AGE) || 86400000,
+      cookieName: process.env.SESSION_COOKIE_NAME || "aether_sid",
+      ...restOptions,
+    };
+    this.config.store =
+      store && typeof store === "object" ? store : new MemoryStore();
+    if (this.config.store instanceof MemoryStore) {
+      this.cleanup = setInterval(
+        () => this.config.store.prune(),
+        60000,
+      ).unref();
+    }
+  }
+
+  middleware() {
+    if (!this.config.enabled)
+      return (ctx, next) => next && (next.next ? next.next() : next());
+
+    const { store, maxAge, cookieName } = this.config;
+    const cookieSuffix = `; HttpOnly; Secure; SameSite=Strict; Max-Age=${Math.floor(maxAge / 1000)}; Path=/`;
+
+    return async (ctx, next) => {
+      ctx.state ??= {};
+
+      const sid = getCookieValue(ctx.getHeader("cookie"), cookieName);
+      let sessionData = sid ? await store.get(sid) : null;
+
+      // 🚀 Strategy adjustment: If not obtained, first give an empty object, never write to storage early, never set cookie early
+      let isNew = false;
+      if (!sessionData) {
+        sessionData = {};
+        isNew = true;
+      }
+
+      const sessionState = { id: sid, data: sessionData, dirty: false };
+
+      ctx.session = {
+        get: (key) => sessionState.data[key],
+        set: (key, val) => {
+          sessionState.data[key] = val;
+          sessionState.dirty = true;
+        },
+        delete: (key) => {
+          delete sessionState.data[key];
+          sessionState.dirty = true;
+        },
+        clear: () => {
+          sessionState.data = {};
+          sessionState.dirty = true;
+        },
+        destroy: async () => {
+          if (sessionState.id) await store.delete(sessionState.id);
+          sessionState.id = null;
+          sessionState.data = {};
+          sessionState.dirty = false;
+          ctx.setHeader(
+            "Set-Cookie",
+            `${cookieName}=; HttpOnly; Secure; SameSite=Strict; Max-Age=0; Path=/`,
+          );
+        },
+        regenerate: async () => {
+          if (sessionState.id) await store.delete(sessionState.id);
+          sessionState.id = genId();
+          await store.set(sessionState.id, sessionState.data, maxAge);
+          ctx.setHeader(
+            "Set-Cookie",
+            `${cookieName}=${sessionState.id}${cookieSuffix}`,
+          );
+          sessionState.dirty = false;
+          isNew = false;
+        },
+      };
+
+      // Use the most reliable and well-isolated try...finally to ensure pipeline smoothness, while strictly limiting persistence logic to the "actually modified" checkpoint
+      try {
+        if (next) {
+          next.next ? await next.next() : await next();
+        }
+      } finally {
+        if (sessionState.dirty) {
+          // If it's a new session and the route has written data, only now generate the ID and issue the cookie
+          if (isNew || !sessionState.id) {
+            sessionState.id = genId();
+            ctx.setHeader(
+              "Set-Cookie",
+              `${cookieName}=${sessionState.id}${cookieSuffix}`,
+            );
+          }
+          await store.set(sessionState.id, sessionState.data, maxAge);
+        }
+      }
+    };
+  }
+
+  destroy() {
+    if (this.cleanup) clearInterval(this.cleanup);
+  }
+}
+
+export default SessionManager;

package/src/middleware/router.js

@@ -0,0 +1,36 @@
+/**
+ * @license MIT
+ * Copyright (c) 2026-present AetherFramework Contributors.
+ * SPDX-License-Identifier: MIT
+ * @module @aetherframework/middleware/middleware/router.js
+ */
+
+
+import AetherRouter from "../core/AetherRouter.js";
+
+/**
+ * Create router middleware for AetherJS
+ * @param {Object} routes - Route definitions
+ * @param {Object} options - Router options
+ * @returns {Function} - Router middleware function
+ */
+function createRouterMiddleware(routes = {}, options = {}) {
+  const router = new AetherRouter(options);
+  
+  // Register routes from configuration
+  for (const [methodPath, handler] of Object.entries(routes)) {
+    const [method, path] = methodPath.split(" ");
+    if (method && path && handler) {
+      router[method.toLowerCase()](path, handler);
+    }
+  }
+  
+  return router.middleware();
+}
+
+
+createRouterMiddleware.Router = AetherRouter;
+
+
+export default createRouterMiddleware;
+export { createRouterMiddleware as createRouter, AetherRouter };

package/src/middleware/security.js

@@ -0,0 +1,116 @@
+/**
+ * @license MIT
+ * Copyright (c) 2026-present AetherFramework Contributors.
+ * SPDX-License-Identifier: MIT
+ * @module @aetherframework/middleware/middleware/security.js
+ */
+
+
+function parsePermissionsPolicy(directivesString) {
+  if (!directivesString || typeof directivesString !== "string") {
+    return null;
+  }
+  const directives = {};
+  const pairs = directivesString.split(/[,;]/);
+  for (const pair of pairs) {
+    const trimmed = pair.trim();
+    if (!trimmed) continue;
+    const equalIndex = trimmed.indexOf("=");
+    if (equalIndex !== -1) {
+      const feature = trimmed.substring(0, equalIndex).trim();
+      const value = trimmed.substring(equalIndex + 1).trim();
+      if (feature && value) directives[feature] = value;
+    }
+  }
+  return Object.keys(directives).length > 0 ? directives : null;
+}
+
+/**
+ * Create security headers middleware for AetherJS
+ * @param {Object} options - Security headers configuration
+ * @returns {Function} - Standard AetherJS middleware (ctx, next)
+ */
+function createSecurityMiddleware(options = {}) {
+  const envConfig = {
+    hstsEnabled: process.env.SECURITY_HSTS_ENABLED,
+    hstsMaxAge: process.env.SECURITY_HSTS_MAX_AGE,
+    noSniffEnabled: process.env.SECURITY_NO_SNIFF,
+    xssFilterEnabled: process.env.SECURITY_XSS_FILTER,
+    frameguardAction: process.env.SECURITY_FRAMEGUARD_ACTION,
+    hidePoweredBy: process.env.SECURITY_HIDE_POWERED_BY,
+    referrerPolicy: process.env.SECURITY_REFERRER_POLICY,
+  };
+
+  const defaults = {
+    hsts: {
+      enabled: envConfig.hstsEnabled !== "false",
+      maxAge: envConfig.hstsMaxAge ? parseInt(envConfig.hstsMaxAge) : 31536000,
+      includeSubDomains: true,
+      preload: false,
+    },
+    noSniff: { enabled: envConfig.noSniffEnabled !== "false" },
+    xssFilter: { enabled: envConfig.xssFilterEnabled !== "false" },
+    frameguard: { enabled: true, action: envConfig.frameguardAction || "DENY" },
+    hidePoweredBy: envConfig.hidePoweredBy !== "false",
+    referrerPolicy: {
+      enabled: true,
+      value: envConfig.referrerPolicy || "strict-origin-when-cross-origin",
+    },
+    permissionsPolicy: {
+      enabled: true,
+      directives: { camera: "()", microphone: "()", geolocation: "()" },
+    },
+  };
+
+  // Deep merge simple version for performance
+  const config = { ...defaults, ...options };
+
+  // 🚀 性能优化：预计算所有 Header 字符串，避免在请求响应循环中构造字符串
+  const staticHeaders = [];
+
+  if (config.hsts.enabled) {
+    let val = `max-age=${config.hsts.maxAge}${config.hsts.includeSubDomains ? "; includeSubDomains" : ""}${config.hsts.preload ? "; preload" : ""}`;
+    staticHeaders.push(["Strict-Transport-Security", val]);
+  }
+  if (config.noSniff.enabled)
+    staticHeaders.push(["X-Content-Type-Options", "nosniff"]);
+  if (config.xssFilter.enabled)
+    staticHeaders.push(["X-XSS-Protection", "1; mode=block"]);
+  if (config.frameguard.enabled)
+    staticHeaders.push([
+      "X-Frame-Options",
+      config.frameguard.action.toUpperCase(),
+    ]);
+  if (config.referrerPolicy.enabled)
+    staticHeaders.push(["Referrer-Policy", config.referrerPolicy.value]);
+  if (config.permissionsPolicy.enabled) {
+    const p = Object.entries(config.permissionsPolicy.directives)
+      .map(([f, v]) => `${f}=${v}`)
+      .join(", ");
+    staticHeaders.push(["Permissions-Policy", p]);
+  }
+
+  /**
+   * 💡 修复后的核心中间件函数
+   * 使用 (context, next) 签名替代旧版的 (context, signal)
+   */
+  return async function securityMiddleware(context, next) {
+    console.log("Security middleware executing for URL:", context.url);
+    // 1. 批量写入预计算的 Header
+    for (let i = 0; i < staticHeaders.length; i++) {
+      context.setHeader(staticHeaders[i][0], staticHeaders[i][1]);
+    }
+
+    // 2. 移除敏感 Header
+    if (config.hidePoweredBy && context._response) {
+      context._response.removeHeader("X-Powered-By");
+    }
+
+    // 3. 💡 修复点：调用标准 next() 而不是 signal.next()
+    if (typeof next === "function") {
+      return next();
+    }
+  };
+}
+
+export default createSecurityMiddleware;