@alteran/astro 0.6.1 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +12 -0
  2. package/package.json +1 -1
  3. package/src/handlers/root.ts +1 -1
  4. package/src/worker/runtime.ts +23 -1
package/README.md CHANGED
@@ -254,6 +254,18 @@ validateConfigOrThrow(env);
254
254
  - Handle format is valid
255
255
  - Numeric values are positive
256
256
 
257
+ ### Cloudflare Security Rules
258
+
259
+ `com.atproto.server.refreshSession` is a valid bodyless `POST`. Production deployments must allow this request shape through to the XRPC handler:
260
+
261
+ ```txt
262
+ (http.request.method eq "POST" and http.request.uri.path eq "/xrpc/com.atproto.server.refreshSession")
263
+ ```
264
+
265
+ Astro's SSR origin-check middleware rejects unsafe requests with no `Origin` header before project middleware runs. Alteran normalizes `/xrpc/*` requests at the Worker entrypoint so bearer-token XRPC clients can send bodyless POSTs without tripping Astro's form CSRF guard.
266
+
267
+ If Cloudflare WAF/API Shield also protects the deployment, keep any exception narrow to the expression above. This exception is not configured in `wrangler.jsonc`; Wrangler only manages the Worker deployment and bindings.
268
+
257
269
  ### Environment-Specific Settings
258
270
 
259
271
  See [`wrangler.jsonc`](wrangler.jsonc:40) for environment-specific configurations:
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@alteran/astro",
3
- "version": "0.6.1",
3
+ "version": "0.6.3",
4
4
  "description": "Astro integration for running a Cloudflare-hosted Bluesky PDS with Alteran.",
5
5
  "module": "index.js",
6
6
  "types": "index.d.ts",
package/src/handlers/root.ts CHANGED
@@ -81,7 +81,7 @@ const HTML_TEMPLATE = (
81
81
  <strong>DID:</strong>
82
82
  <span class="pill">${did}</span>
83
83
  </p>
84
- <a href="https://github.com/alteran-dev/alteran" target="_blank" rel="noopener noreferrer">
84
+ <a href="https://github.com/alteran-social/alteran" target="_blank" rel="noopener noreferrer">
85
85
  <svg viewBox="0 0 24 24" role="img" aria-hidden="true" focusable="false">
86
86
  <path
87
87
  fill="currentColor"
package/src/worker/runtime.ts CHANGED
@@ -140,11 +140,33 @@ export function createPdsFetchHandler(options?: CreatePdsFetchHandlerOptions): P
140
140
  }
141
141
 
142
142
  const astroFetch = await getAstroFetch(options);
143
- const response = await astroFetch(request, resolvedEnv as any, ctx);
143
+ const response = await astroFetch(normalizeXrpcRequestForAstro(request), resolvedEnv as any, ctx);
144
144
  return response as unknown as WorkersResponse;
145
145
  };
146
146
  }
147
147
 
148
+ export function normalizeXrpcRequestForAstro(request: WorkersRequest): WorkersRequest {
149
+ const url = new URL(request.url);
150
+ if (!url.pathname.startsWith('/xrpc/')) {
151
+ return request;
152
+ }
153
+
154
+ // Astro's SSR origin-check middleware rejects unsafe requests when Origin is
155
+ // absent or cross-origin. XRPC is a bearer-token API, not cookie/form auth,
156
+ // and atproto clients legitimately send bodyless POSTs from native runtimes.
157
+ if (request.headers.get('origin') === url.origin) {
158
+ return request;
159
+ }
160
+
161
+ const headerRecord: Record<string, string> = {};
162
+ request.headers.forEach((value, key) => {
163
+ headerRecord[key] = value;
164
+ });
165
+ headerRecord.origin = url.origin;
166
+
167
+ return new Request(request as any, { headers: headerRecord }) as unknown as WorkersRequest;
168
+ }
169
+
148
170
  type AstroFetchHandler = (
149
171
  request: WorkersRequest,
150
172
  env: Env,