npm - @anteros/core - Versions diffs - 0.0.1-alpha.2 → 0.0.1-alpha.4 - Mend

@anteros/core 0.0.1-alpha.2 → 0.0.1-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/index.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import "./lib/buffer-polyfill";
 import { define } from "./lib/define";
 import { bootApp } from "./server/boot";
 import { useRest } from "./database/rest";

package/lib/buffer-polyfill.ts ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Polyfill for Bun's Buffer to accept numeric encodings.
+ *
+ * Node.js allows encoding to be passed as a number (e.g. 3 = 'latin1'),
+ * but Bun throws "Invalid encoding: 3". This patches Buffer.from,
+ * Buffer.alloc, and Buffer.allocUnsafe to convert numeric encodings
+ * to their string equivalents before calling the original methods.
+ *
+ * Required by: mongodb driver (bson), and any library that uses
+ * legacy numeric encoding values internally.
+ */
+const ENCODING_MAP: Record<number, string> = {
+  0: "utf8",
+  1: "utf-8",
+  2: "utf16le",
+  3: "latin1",
+  4: "latin1", // binary alias
+  5: "base64",
+  6: "base64url",
+  7: "hex",
+  8: "ascii",
+  9: "ucs2",
+  10: "ucs-2",
+};
+function normalizeEncoding(
+  encoding: string | number | undefined,
+): BufferEncoding | undefined {
+  if (encoding === undefined || typeof encoding === "string") {
+    return encoding as BufferEncoding | undefined;
+  }
+  const mapped = ENCODING_MAP[encoding];
+  if (mapped) return mapped as BufferEncoding;
+  return undefined;
+}
+// Patch Buffer.from
+const _Buffer_from = Buffer.from.bind(Buffer) as typeof Buffer.from;
+(Buffer as any).from = function (
+  ...args: any[]
+): Buffer {
+  if (args.length >= 2 && typeof args[1] === "number") {
+    args[1] = normalizeEncoding(args[1]);
+  }
+  return _Buffer_from(...args as [any, any?, any?]);
+};
+// Patch Buffer.alloc
+const _Buffer_alloc = Buffer.alloc.bind(Buffer);
+(Buffer as any).alloc = function (
+  ...args: any[]
+): Buffer {
+  if (args.length >= 2 && typeof args[1] === "number") {
+    args[1] = normalizeEncoding(args[1]);
+  }
+  return _Buffer_alloc(...args as [any, any?, any?]);
+};

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@anteros/core",
   "module": "index.ts",
-  "version": "0.0.1-alpha.2",
+  "version": "0.0.1-alpha.4",
   "type": "module",
   "description": "Anteros Core",
   "private": false,

package/server/api.ts CHANGED Viewed

@@ -42,6 +42,55 @@ const ActionsValues = [
+// ─── File access helper ────────────────────────────────────────────────────
+async function checkFileAccess(
+    access: { [key: string]: boolean | ((ctx: any) => boolean | Promise<boolean>) | undefined } | undefined,
+    operation: string,
+    tenant_id: string,
+    c: any,
+): Promise<void> {
+    // No access config at all → deny (secure by default)
+    if (!access) {
+        throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
+    }
+    const hasWildcard = access['*'] !== undefined;
+    const hasSpecific = access[operation] !== undefined;
+    // No matching rule at all → deny
+    if (!hasWildcard && !hasSpecific) {
+        throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
+    }
+    // Specific rule takes precedence over wildcard
+    const rule = hasSpecific ? access[operation] : access['*'];
+    if (rule === undefined) {
+        throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
+    }
+    const t = c.get('token');
+    const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
+    if (accessToken.expired) {
+        throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
+    }
+    if (!accessToken.value) {
+        throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
+    }
+    let allowed: boolean;
+    if (typeof rule === 'function') {
+        const rest = new useRest({ internal: false, tenant_id });
+        allowed = await rule({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
+    } else {
+        allowed = rule;
+    }
+    if (!allowed) {
+        throw new AppError(`${operation} not allowed`, { status: 401, code: 'ACCESS_DENIED' });
+    }
+}
 function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
     // Crud API
@@ -567,29 +616,7 @@ function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
       if (!colUpload) {
         throw new AppError('File collection `' + collection + '` not found', { status: 400, code: 'FILE_COLLECTION_NOT_FOUND' });
       }
-      if (colUpload?.api?.access?.upload) {
-        const t = c.get('token');
-        const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
-        if (accessToken.expired) {
-          throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
-        }
-        if (!accessToken.value) {
-          throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
-        }
-        const accessCheck = colUpload.api.access.upload;
-        let allowed: boolean;
-        if (typeof accessCheck === 'function') {
-          const rest = new useRest({ internal: false, tenant_id });
-          allowed = await accessCheck({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
-        } else {
-          allowed = accessCheck;
-        }
-        if (!allowed) {
-          throw new AppError('Upload not allowed', { status: 401, code: 'ACCESS_DENIED' });
-        }
-      }
+      await checkFileAccess(colUpload?.api?.access as any, 'upload', tenant_id, c);
       const contentType = c.req.header('Content-Type') || '';
       if (!contentType.includes('multipart/form-data')) {
@@ -646,29 +673,7 @@ function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
       if (!colServe) {
         throw new AppError('File collection `' + collection + '` not found', { status: 400, code: 'FILE_COLLECTION_NOT_FOUND' });
       }
-      if (colServe?.api?.access?.read) {
-        const t = c.get('token');
-        const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
-        if (accessToken.expired) {
-          throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
-        }
-        if (!accessToken.value) {
-          throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
-        }
-        const accessCheck = colServe.api.access.read;
-        let allowed: boolean;
-        if (typeof accessCheck === 'function') {
-          const rest = new useRest({ internal: false, tenant_id });
-          allowed = await accessCheck({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
-        } else {
-          allowed = accessCheck;
-        }
-        if (!allowed) {
-          throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
-        }
-      }
+      await checkFileAccess(colServe?.api?.access as any, 'read', tenant_id, c);
       const filename = basename(c.req.param('file') as string);
       if (!filename || filename.startsWith('.') || filename.includes('..') || filename.includes('/')) {
@@ -721,29 +726,7 @@ function initializeApi(app: Hono<{ Variables: HonoVariables }>) {
       if (!colDelete) {
         throw new AppError('File collection `' + collection + '` not found', { status: 400, code: 'FILE_COLLECTION_NOT_FOUND' });
       }
-      if (colDelete?.api?.access?.delete) {
-        const t = c.get('token');
-        const accessToken = { value: t?.value ?? null, decoded: t?.decoded ?? null, provided: t?.provided ?? false, expired: t?.expired ?? false };
-        if (accessToken.expired) {
-          throw new AppError('Token expired', { status: 401, code: 'TOKEN_EXPIRED' });
-        }
-        if (!accessToken.value) {
-          throw new AppError('Authentication required', { status: 401, code: 'AUTH_REQUIRED' });
-        }
-        const accessCheck = colDelete.api.access.delete;
-        let allowed: boolean;
-        if (typeof accessCheck === 'function') {
-          const rest = new useRest({ internal: false, tenant_id });
-          allowed = await accessCheck({ rest, error: fn.error, jwt: func.jwt, token: accessToken });
-        } else {
-          allowed = accessCheck;
-        }
-        if (!allowed) {
-          throw new AppError('Access denied', { status: 401, code: 'ACCESS_DENIED' });
-        }
-      }
+      await checkFileAccess(colDelete?.api?.access as any, 'delete', tenant_id, c);
       const filename = basename(c.req.param('file') as string);
       if (!filename || filename.startsWith('.') || filename.includes('..') || filename.includes('/')) {

package/types/file.d.ts CHANGED Viewed

@@ -13,6 +13,8 @@ type FileAccessHandler = (ctx: {
 }) => boolean | Promise<boolean>;
 type FileApiAccess = {
+    /** Default access rule applied when no per-operation rule is set */
+    '*'?: boolean | FileAccessHandler;
     /** Access control for POST /upload/:tenant_id/:slug */
     upload?: boolean | FileAccessHandler;
     /** Access control for GET /files/:tenant_id/:slug/:file */