@appwarden/middleware 1.0.18 → 1.0.19

package/chunk-5LAAKCPN.js

@@ -0,0 +1,232 @@
+import {
+  APPWARDEN_TEST_ROUTE,
+  LockValue,
+  MemoryCache,
+  debug,
+  printMessage
+} from "./chunk-D55SBZQF.js";
+
+// src/utils/cloudflare/cloudflare-cache.ts
+var store = {
+  json: (context, cacheKey, options) => {
+    const cacheKeyUrl = new URL(cacheKey, context.serviceOrigin);
+    return {
+      getValue: () => getCacheValue(context, cacheKeyUrl),
+      updateValue: (json) => updateCacheValue(
+        context,
+        cacheKeyUrl,
+        json,
+        options?.cacheExpirationSeconds
+      ),
+      deleteValue: () => clearCache(context, cacheKeyUrl)
+    };
+  }
+};
+var getCacheValue = async (context, cacheKey) => {
+  const match = await context.cache.match(cacheKey);
+  if (!match) {
+    debug(`[${cacheKey.pathname}] Cache MISS!`);
+    return void 0;
+  }
+  debug(`[${cacheKey.pathname}] Cache MATCH!`);
+  return match;
+};
+var updateCacheValue = async (context, cacheKey, value, cacheExpirationSeconds) => {
+  debug(
+    "updating cache...",
+    cacheKey.pathname,
+    value,
+    cacheExpirationSeconds ? `expires in ${cacheExpirationSeconds}s` : ""
+  );
+  await context.cache.put(
+    cacheKey,
+    new Response(JSON.stringify(value), {
+      headers: {
+        "content-type": "application/json",
+        ...cacheExpirationSeconds && {
+          "cache-control": `max-age=${cacheExpirationSeconds}`
+        }
+      }
+    })
+  );
+};
+var clearCache = (context, cacheKey) => context.cache.delete(cacheKey);
+
+// src/utils/cloudflare/create-response.ts
+var createResponse = (body, status) => new Response(body, {
+  status
+});
+
+// src/utils/cloudflare/delete-edge-value.ts
+var deleteEdgeValue = async (context) => {
+  try {
+    switch (context.provider) {
+      case "cloudflare-cache": {
+        const success = await context.edgeCache.deleteValue();
+        if (!success) {
+          throw new Error();
+        }
+        break;
+      }
+      default:
+        throw new Error(`Unsupported provider: ${context.provider}`);
+    }
+  } catch (e) {
+    const message = "Failed to delete edge value";
+    console.error(
+      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
+    );
+  }
+};
+
+// src/utils/cloudflare/get-lock-value.ts
+var getLockValue = async (context) => {
+  try {
+    let shouldDeleteEdgeValue = false;
+    let cacheResponse, lockValue = {
+      isLockedTest: 0,
+      isLocked: 0,
+      lastCheck: Date.now(),
+      code: ""
+    };
+    switch (context.provider) {
+      case "cloudflare-cache": {
+        cacheResponse = await context.edgeCache.getValue();
+        break;
+      }
+      default:
+        throw new Error(`Unsupported provider: ${context.provider}`);
+    }
+    if (!cacheResponse) {
+      return { lockValue: void 0 };
+    }
+    try {
+      const clonedResponse = cacheResponse?.clone();
+      lockValue = LockValue.parse(
+        clonedResponse ? await clonedResponse.json() : void 0
+      );
+    } catch (error) {
+      console.error(
+        printMessage(
+          `Failed to parse ${context.keyName} from edge cache - ${error}`
+        )
+      );
+      shouldDeleteEdgeValue = true;
+    }
+    return { lockValue, shouldDeleteEdgeValue };
+  } catch (e) {
+    const message = "Failed to retrieve edge value";
+    console.error(
+      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
+    );
+    return { lockValue: void 0 };
+  }
+};
+
+// src/utils/cloudflare/sync-edge-value.ts
+var APIError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "APIError";
+  }
+};
+var syncEdgeValue = async (context) => {
+  debug(`syncing with api ${"https://bot-gateway.appwarden.io"}`);
+  try {
+    const response = await fetch(new URL("/v1/status/check", "https://bot-gateway.appwarden.io"), {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        service: "cloudflare",
+        provider: context.provider,
+        fqdn: context.requestUrl.hostname,
+        appwardenApiToken: context.appwardenApiToken
+      })
+    });
+    if (response.status !== 200) {
+      throw new Error(`${response.status} ${response.statusText}`);
+    }
+    if (response.headers.get("content-type")?.includes("application/json")) {
+      const result = await response.json();
+      if (result.error) {
+        throw new APIError(result.error.message);
+      }
+      if (result.content) {
+        try {
+          const parsedValue = LockValue.omit({ lastCheck: true }).parse(
+            result.content
+          );
+          debug(
+            `syncing with api...DONE ${JSON.stringify(parsedValue, null, 2)}`
+          );
+          await context.edgeCache.updateValue({
+            ...parsedValue,
+            lastCheck: Date.now()
+          });
+        } catch (error) {
+          throw new APIError(`Failed to parse check endpoint result - ${error}`);
+        }
+      }
+    }
+  } catch (e) {
+    const message = "Failed to fetch from check endpoint";
+    console.error(
+      printMessage(
+        e instanceof APIError ? e.message : e instanceof Error ? `${message} - ${e.message}` : message
+      )
+    );
+  }
+};
+
+// src/handlers/maybe-quarantine.ts
+var resolveLockValue = async (context, options) => {
+  const { lockValue, shouldDeleteEdgeValue } = await getLockValue(context);
+  if (shouldDeleteEdgeValue) {
+    await deleteEdgeValue(context);
+  }
+  if (lockValue?.isLocked || context.requestUrl.pathname === APPWARDEN_TEST_ROUTE && !MemoryCache.isTestExpired(lockValue)) {
+    await options.onLocked();
+  }
+  return lockValue;
+};
+var maybeQuarantine = async (context, options) => {
+  const cachedLockValue = await resolveLockValue(context, {
+    onLocked: options.onLocked
+  });
+  const shouldRecheck = MemoryCache.isExpired(cachedLockValue);
+  if (shouldRecheck) {
+    if (!cachedLockValue || cachedLockValue.isLocked) {
+      await syncEdgeValue(context);
+      await resolveLockValue(context, {
+        onLocked: options.onLocked
+      });
+    } else {
+      context.waitUntil(syncEdgeValue(context));
+    }
+  }
+};
+
+// src/handlers/reset-cache.ts
+var isResetCacheRequest = (request) => request.method === "POST" && new URL(request.url).pathname === "/__appwarden/reset-cache" && request.headers.get("content-type") === "application/json";
+var handleResetCache = async (keyName, provider, edgeCache, request) => {
+  const { lockValue } = await getLockValue({
+    keyName,
+    provider,
+    edgeCache
+  });
+  try {
+    const body = await request.clone().json();
+    if (body.code === lockValue?.code) {
+      await edgeCache.deleteValue();
+    }
+  } catch (error) {
+  }
+};
+
+export {
+  store,
+  createResponse,
+  maybeQuarantine,
+  isResetCacheRequest,
+  handleResetCache
+};

package/chunk-D55SBZQF.js

@@ -0,0 +1,413 @@
+// src/constants.ts
+var LOCKDOWN_TEST_EXPIRY_MS = 5 * 60 * 1e3;
+var removedHeaders = ["X-Powered-By", "Server"];
+var securityHeaders = [
+  ["Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"],
+  ["X-Frame-Options", "DENY"],
+  ["X-XSS-Protection", "1; mode=block"],
+  ["X-Content-Type-Options", "nosniff"],
+  ["Referrer-Policy", "no-referrer, strict-origin-when-cross-origin"],
+  ["X-DNS-Prefetch-Control", "on"]
+];
+var errors = { badCacheConnection: "BAD_CACHE_CONNECTION" };
+var globalErrors = [errors.badCacheConnection];
+var APPWARDEN_TEST_ROUTE = "_appwarden/test";
+
+// src/schemas/vercel.ts
+import { z as z4 } from "zod";
+
+// src/utils/debug.ts
+var debug = (...msg) => {
+  if (true) {
+    console.log(...msg);
+  }
+};
+
+// src/utils/memory-cache.ts
+var MemoryCache = class {
+  cache = /* @__PURE__ */ new Map();
+  maxSize;
+  constructor(options) {
+    this.maxSize = options.maxSize;
+  }
+  get(key) {
+    let item;
+    if (this.cache.has(key)) {
+      item = this.cache.get(key);
+      this.cache.delete(key);
+      this.cache.set(key, item);
+    }
+    return item;
+  }
+  put(key, value) {
+    if (this.cache.has(key)) {
+      this.cache.delete(key);
+    } else if (this.cache.size >= this.maxSize) {
+      const firstKey = this.cache.keys().next().value;
+      this.cache.delete(firstKey);
+    }
+    this.cache.set(key, value);
+  }
+  getValues() {
+    return this.cache;
+  }
+  // the default value will be expired here
+  static isExpired = (lockValue) => {
+    if (!lockValue) {
+      return true;
+    }
+    return Date.now() > lockValue.lastCheck + 3e4;
+  };
+  static isTestExpired = (lockValue) => {
+    if (!lockValue) {
+      return true;
+    }
+    return Date.now() > lockValue.isLockedTest + LOCKDOWN_TEST_EXPIRY_MS;
+  };
+};
+
+// src/utils/print-message.ts
+var printMessage = (message) => `[@appwarden/middleware] ${message}`;
+
+// src/utils/vercel/delete-edge-value.ts
+var deleteEdgeValue = async ({
+  keyName,
+  provider,
+  connectionString,
+  edgeConfigId,
+  vercelApiToken
+}) => {
+  try {
+    switch (provider) {
+      case "edge-config": {
+        const res = await fetch(
+          `https://api.vercel.com/v1/edge-config/${edgeConfigId}/items`,
+          {
+            method: "PATCH",
+            headers: {
+              Authorization: `Bearer ${vercelApiToken}`,
+              "Content-Type": "application/json"
+            },
+            body: JSON.stringify({
+              items: [
+                {
+                  key: keyName,
+                  operation: "delete"
+                }
+              ]
+            })
+          }
+        );
+        if (res.status !== 200) {
+          let response = void 0;
+          try {
+            response = await res.json();
+          } catch (error) {
+          }
+          throw new Error(
+            `api.vercel.com/v1/edge-config responded with ${res.status} - ${res.statusText}${response?.error?.message ? ` - ${response?.error?.message}` : ""}`
+          );
+        }
+        break;
+      }
+      case "upstash": {
+        const [url, token] = connectionString.split("@");
+        const { Redis } = await import("@upstash/redis");
+        const redis = new Redis({ url, token });
+        await redis.del(keyName);
+        break;
+      }
+      default:
+        throw new Error(`Unsupported provider: ${provider}`);
+    }
+  } catch (e) {
+    const message = "Failed to delete edge value";
+    console.error(
+      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
+    );
+  }
+};
+
+// src/schemas/cloudflare.ts
+import { z as z2 } from "zod";
+
+// src/schemas/helpers.ts
+import { z } from "zod";
+var BoolOrStringSchema = z.union([z.string(), z.boolean()]).optional();
+var BooleanSchema = BoolOrStringSchema.transform((val) => {
+  if (val === "true" || val === true) {
+    return true;
+  } else if (val === "false" || val === false) {
+    return false;
+  }
+  throw new Error("Invalid value");
+});
+var BaseOutputConfigSchema = z.object({
+  debug: BooleanSchema.default(false),
+  appwardenApiToken: z.string().refine((appwardenApiToken) => !!appwardenApiToken, {
+    message: printMessage(
+      "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/api-tokens."
+    ),
+    path: ["appwardenApiToken"]
+  }),
+  lockPageSlug: z.string()
+});
+var LockValue = z.object({
+  isLocked: z.number(),
+  isLockedTest: z.number(),
+  lastCheck: z.number(),
+  code: z.string()
+});
+
+// src/schemas/cloudflare.ts
+var ConfigOutputSchema = BaseOutputConfigSchema.extend({
+  middleware: z2.object({ before: z2.custom().array().default([]) }).default({})
+});
+var ConfigFnInputSchema = z2.function().args(z2.custom()).returns(
+  ConfigOutputSchema.extend({
+    debug: BoolOrStringSchema
+  })
+);
+var CloudflareConfigFnOutputSchema = z2.function().args(z2.custom()).returns(ConfigOutputSchema);
+
+// src/schemas/nextjs.ts
+import { z as z3 } from "zod";
+var ConfigOutputSchema2 = BaseOutputConfigSchema;
+var NextJsConfigFnOutputSchema = z3.function().args(z3.custom()).returns(ConfigOutputSchema2);
+
+// src/utils/vercel/get-lock-value.ts
+var getLockValue = async (context) => {
+  try {
+    let shouldDeleteEdgeValue = false;
+    let serializedValue, lockValue = {
+      isLocked: 0,
+      isLockedTest: 0,
+      lastCheck: 0,
+      code: ""
+    };
+    switch (context.provider) {
+      case "edge-config": {
+        const { createClient } = await import("@vercel/edge-config");
+        const edgeConfig = createClient(context.connectionString);
+        serializedValue = await edgeConfig.get(
+          context.keyName
+        );
+        break;
+      }
+      case "upstash": {
+        const [url, token] = context.connectionString.split("@");
+        const { Redis } = await import("@upstash/redis");
+        const redis = new Redis({ url, token });
+        const redisValue = await redis.get(context.keyName);
+        serializedValue = redisValue === null ? void 0 : redisValue;
+        break;
+      }
+      default:
+        throw new Error(`Unsupported provider: ${context.provider}`);
+    }
+    if (!serializedValue) {
+      return { lockValue: void 0 };
+    }
+    try {
+      lockValue = LockValue.parse(JSON.parse(serializedValue));
+    } catch (error) {
+      console.error(
+        printMessage(
+          `Failed to parse ${context.keyName} from edge cache - ${error}`
+        )
+      );
+      shouldDeleteEdgeValue = true;
+    }
+    return { lockValue, shouldDeleteEdgeValue };
+  } catch (e) {
+    const message = "Failed to retrieve edge value";
+    console.error(
+      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
+    );
+    if (e instanceof Error) {
+      if (e.message.includes("Invalid connection string provided")) {
+        throw new Error(errors.badCacheConnection);
+      }
+    }
+    return { lockValue: void 0 };
+  }
+};
+
+// src/utils/vercel/sync-edge-value.ts
+var APIError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "APIError";
+  }
+};
+var syncEdgeValue = async (context) => {
+  debug("syncing with api");
+  try {
+    const response = await fetch(new URL("/v1/status/check", "https://bot-gateway.appwarden.io"), {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        service: "vercel",
+        provider: context.provider,
+        fqdn: context.requestUrl.hostname,
+        edgeConfigId: context.edgeConfigId ?? "",
+        vercelApiToken: context.vercelApiToken ?? "",
+        appwardenApiToken: context.appwardenApiToken,
+        connectionString: context.connectionString
+      })
+    });
+    if (response.status !== 200) {
+      throw new Error(`${response.status} ${response.statusText}`);
+    }
+    if (response.headers.get("content-type")?.includes("application/json")) {
+      const result = await response.json();
+      if (result.error) {
+        throw new APIError(result.error.message);
+      }
+    }
+  } catch (e) {
+    const message = "Failed to fetch from check endpoint";
+    console.error(
+      printMessage(
+        e instanceof APIError ? e.message : e instanceof Error ? `${message} - ${e.message}` : message
+      )
+    );
+  }
+};
+
+// src/utils/handle-vercel-request.ts
+var handleVercelRequest = async (context, options) => {
+  let cachedLockValue = context.memoryCache.get(context.keyName);
+  const shouldRecheck = MemoryCache.isExpired(cachedLockValue);
+  if (shouldRecheck) {
+    const { lockValue, shouldDeleteEdgeValue } = await getLockValue(context);
+    if (lockValue) {
+      context.memoryCache.put(context.keyName, lockValue);
+    }
+    if (shouldDeleteEdgeValue) {
+      await deleteEdgeValue(context);
+    }
+    cachedLockValue = lockValue;
+  }
+  if (cachedLockValue?.isLocked || context.requestUrl.pathname === APPWARDEN_TEST_ROUTE && !MemoryCache.isTestExpired(cachedLockValue)) {
+    options.onLocked();
+  }
+  return cachedLockValue;
+};
+
+// src/utils/middleware.ts
+var usePipeline = (...initMiddlewares) => {
+  const stack = [...initMiddlewares];
+  const execute = async (context) => {
+    const runner = async (prevIndex, index) => {
+      if (index === prevIndex) {
+        throw new Error("next() called multiple times");
+      }
+      if (index >= stack.length) {
+        return;
+      }
+      const middleware = stack[index];
+      const next = async () => runner(index, index + 1);
+      await middleware(context, next);
+    };
+    await runner(-1, 0);
+  };
+  return {
+    execute
+  };
+};
+
+// src/utils/render-lock-page.ts
+var renderLockPage = (context) => fetch(new URL(context.lockPageSlug, context.requestUrl.origin), {
+  headers: {
+    // no browser caching, otherwise we need to hard refresh to disable lock screen
+    "Cache-Control": "no-store"
+  }
+});
+
+// src/schemas/vercel.ts
+var MiddlewareSchema = z4.custom(
+  (val) => typeof val === "function"
+);
+var BaseNextJsConfigSchema = z4.object({
+  provider: z4.enum(["upstash", "edge-config"]),
+  lockPageSlug: z4.string(),
+  connectionString: z4.string(),
+  edgeConfigId: z4.string().optional(),
+  vercelApiToken: z4.string().optional(),
+  appwardenApiToken: z4.string()
+});
+var AppwardenConfigSchema = BaseNextJsConfigSchema.refine(
+  (data) => !!data.appwardenApiToken,
+  {
+    message: printMessage(
+      "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/api-tokens."
+    ),
+    path: ["appwardenApiToken"]
+  }
+).refine(
+  (data) => {
+    return data.provider === "upstash" && data.connectionString.includes("upstash.io") || data.provider === "edge-config" && data.connectionString.includes("edge-config.vercel.com");
+  },
+  {
+    message: printMessage(
+      "Invalid connection string for the selected `provider`"
+    ),
+    path: ["connectionString"]
+  }
+).refine(
+  (data) => {
+    return data.provider === "upstash" && data.connectionString.includes("upstash") || data.provider === "edge-config" && data.connectionString.includes("edge-config");
+  },
+  {
+    message: printMessage(
+      "Invalid connection string for the selected `provider`"
+    ),
+    path: ["connectionString"]
+  }
+).refine(
+  (data) => {
+    if (data.provider === "edge-config") {
+      return !!data.vercelApiToken;
+    }
+    return true;
+  },
+  {
+    message: printMessage("Missing vercelApiToken when provider=edge-config"),
+    path: ["vercelApiToken"]
+  }
+).refine(
+  (data) => {
+    if (data.provider === "edge-config") {
+      return !!data.edgeConfigId;
+    }
+    return true;
+  },
+  {
+    message: printMessage(
+      "Missing `edgeConfigId` when `provider=edge-config`"
+    ),
+    path: ["edgeConfigId"]
+  }
+);
+
+export {
+  LOCKDOWN_TEST_EXPIRY_MS,
+  removedHeaders,
+  securityHeaders,
+  globalErrors,
+  APPWARDEN_TEST_ROUTE,
+  debug,
+  MemoryCache,
+  printMessage,
+  BoolOrStringSchema,
+  LockValue,
+  CloudflareConfigFnOutputSchema,
+  NextJsConfigFnOutputSchema,
+  BaseNextJsConfigSchema,
+  AppwardenConfigSchema,
+  syncEdgeValue,
+  handleVercelRequest,
+  usePipeline,
+  renderLockPage
+};