@appwarden/middleware 1.0.19 → 1.1.0

package/{chunk-5LAAKCPN.js → chunk-BHCQJZWE.js}

@@ -1,10 +1,15 @@
 import {
+  APPWARDEN_CACHE_KEY,
   APPWARDEN_TEST_ROUTE,
   LockValue,
   MemoryCache,
+  UseCSPInputSchema,
   debug,
-  printMessage
-} from "./chunk-D55SBZQF.js";
+  getErrors,
+  printMessage,
+  removedHeaders,
+  renderLockPage
+} from "./chunk-WVVSYKJM.js";
 
 // src/utils/cloudflare/cloudflare-cache.ts
 var store = {
@@ -52,11 +57,6 @@ var updateCacheValue = async (context, cacheKey, value, cacheExpirationSeconds)
 };
 var clearCache = (context, cacheKey) => context.cache.delete(cacheKey);
 
-// src/utils/cloudflare/create-response.ts
-var createResponse = (body, status) => new Response(body, {
-  status
-});
-
 // src/utils/cloudflare/delete-edge-value.ts
 var deleteEdgeValue = async (context) => {
   try {
@@ -123,6 +123,45 @@ var getLockValue = async (context) => {
   }
 };
 
+// src/utils/cloudflare/insert-errors-logs.ts
+var insertErrorLogs = async (context, error) => new HTMLRewriter().on("body", {
+  element: (elem) => {
+    elem.append(
+      `<script>
+            ${getErrors(error).map((err) => `console.error(\`${printMessage(err)}\`)`).join("\n")}
+          </script>`,
+      { html: true }
+    );
+  }
+}).transform(await fetch(context.request));
+
+// src/utils/cloudflare/make-csp-header.ts
+var addNonce = (value, cspNonce) => value.replace("{{nonce}}", `'nonce-${cspNonce}'`);
+var makeCSPHeader = (cspNonce, directives, mode) => {
+  const namesSeen = /* @__PURE__ */ new Set(), result = [];
+  Object.entries(directives ?? {}).forEach(([originalName, value]) => {
+    const name = originalName.replace(/([a-z])([A-Z])/g, "$1-$2").toLowerCase();
+    if (namesSeen.has(name)) {
+      throw new Error(`${originalName} is specified more than once`);
+    }
+    namesSeen.add(name);
+    if (Array.isArray(value)) {
+      value = addNonce(value.join(" "), cspNonce);
+    } else if (value === true) {
+      value = "";
+    }
+    if (value) {
+      result.push(`${name} ${addNonce(value, cspNonce)}`);
+    } else if (value !== false) {
+      result.push(name);
+    }
+  });
+  return [
+    mode === "enforced" ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only",
+    result.join("; ")
+  ];
+};
+
 // src/utils/cloudflare/sync-edge-value.ts
 var APIError = class extends Error {
   constructor(message) {
@@ -131,7 +170,7 @@ var APIError = class extends Error {
   }
 };
 var syncEdgeValue = async (context) => {
-  debug(`syncing with api ${"https://bot-gateway.appwarden.io"}`);
+  debug(`syncing with api`);
   try {
     const response = await fetch(new URL("/v1/status/check", "https://bot-gateway.appwarden.io"), {
       method: "POST",
@@ -178,6 +217,47 @@ var syncEdgeValue = async (context) => {
   }
 };
 
+// src/middlewares/use-content-security-policy.ts
+var AppendAttribute = (attribute, nonce) => ({
+  element: function(element) {
+    element.setAttribute(attribute, nonce);
+  }
+});
+var useContentSecurityPolicy = (input) => {
+  const parsedInput = UseCSPInputSchema.safeParse(input);
+  if (!parsedInput.success) {
+    throw parsedInput.error;
+  }
+  const config = parsedInput.data;
+  return async (context, next) => {
+    await next();
+    const { response } = context;
+    if (
+      // if the csp is disabled
+      !["enforced", "report-only"].includes(config.mode)
+    ) {
+      debug(printMessage("csp is disabled"));
+      return;
+    }
+    if (response.headers.has("Content-Type") && !response.headers.get("Content-Type")?.includes("text/html")) {
+      return;
+    }
+    const cspNonce = btoa(crypto.getRandomValues(new Uint32Array(2)).toString());
+    const [cspHeaderName, cspHeaderValue] = makeCSPHeader(
+      cspNonce,
+      config.directives,
+      config.mode
+    );
+    const nextResponse = new Response(response.body, response);
+    nextResponse.headers.set(cspHeaderName, cspHeaderValue);
+    nextResponse.headers.set("content-type", "text/html; charset=utf-8");
+    removedHeaders.forEach((name) => {
+      nextResponse.headers.delete(name);
+    });
+    context.response = new HTMLRewriter().on("style", AppendAttribute("nonce", cspNonce)).on("script", AppendAttribute("nonce", cspNonce)).transform(nextResponse);
+  };
+};
+
 // src/handlers/maybe-quarantine.ts
 var resolveLockValue = async (context, options) => {
   const { lockValue, shouldDeleteEdgeValue } = await getLockValue(context);
@@ -223,10 +303,56 @@ var handleResetCache = async (keyName, provider, edgeCache, request) => {
   }
 };
 
+// src/middlewares/use-appwarden.ts
+var useAppwarden = (input) => async (context, next) => {
+  await next();
+  const { request, response } = context;
+  try {
+    const requestUrl = new URL(request.url);
+    const provider = "cloudflare-cache";
+    const keyName = APPWARDEN_CACHE_KEY;
+    const edgeCache = store.json(
+      {
+        serviceOrigin: requestUrl.origin,
+        cache: await caches.open("appwarden:lock")
+      },
+      keyName
+    );
+    if (isResetCacheRequest(request)) {
+      await handleResetCache(keyName, provider, edgeCache, request);
+      return;
+    }
+    const isHTMLRequest = response.headers.get("Content-Type")?.includes("text/html");
+    if (isHTMLRequest) {
+      const innerContext = {
+        keyName,
+        request,
+        edgeCache,
+        requestUrl,
+        provider,
+        debug: input.debug,
+        lockPageSlug: input.lockPageSlug,
+        appwardenApiToken: input.appwardenApiToken,
+        waitUntil: (fn) => context.waitUntil(fn)
+      };
+      await maybeQuarantine(innerContext, {
+        onLocked: async () => {
+          context.response = await renderLockPage(innerContext);
+        }
+      });
+    }
+  } catch (e) {
+    const message = "Appwarden encountered an unknown error. Please contact Appwarden support at https://appwarden.io/join-community.";
+    console.error(
+      printMessage(
+        e instanceof Error ? `${message} - ${e.message}` : message
+      )
+    );
+  }
+};
+
 export {
-  store,
-  createResponse,
-  maybeQuarantine,
-  isResetCacheRequest,
-  handleResetCache
+  insertErrorLogs,
+  useAppwarden,
+  useContentSecurityPolicy
 };

package/{chunk-D55SBZQF.js → chunk-WVVSYKJM.js}

@@ -1,20 +1,78 @@
 // src/constants.ts
 var LOCKDOWN_TEST_EXPIRY_MS = 5 * 60 * 1e3;
 var removedHeaders = ["X-Powered-By", "Server"];
-var securityHeaders = [
-  ["Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"],
-  ["X-Frame-Options", "DENY"],
-  ["X-XSS-Protection", "1; mode=block"],
-  ["X-Content-Type-Options", "nosniff"],
-  ["Referrer-Policy", "no-referrer, strict-origin-when-cross-origin"],
-  ["X-DNS-Prefetch-Control", "on"]
-];
 var errors = { badCacheConnection: "BAD_CACHE_CONNECTION" };
 var globalErrors = [errors.badCacheConnection];
 var APPWARDEN_TEST_ROUTE = "_appwarden/test";
+var APPWARDEN_CACHE_KEY = "appwarden-lock";
 
-// src/schemas/vercel.ts
-import { z as z4 } from "zod";
+// src/utils/is-cache-url.ts
+var getEdgeConfigId = (value = "") => isValidCacheUrl.edgeConfig(value) ? new URL(value).pathname.replace("/", "") : void 0;
+var isCacheUrl = {
+  edgeConfig: (value = "") => value.includes("edge-config.vercel.com"),
+  upstash: (value = "") => value.includes(".upstash.io")
+};
+var isValidCacheUrl = {
+  edgeConfig: (value = "") => {
+    try {
+      const url = new URL(value);
+      return url.hostname === "edge-config.vercel.com" && url.pathname.startsWith("/ecfg_") && url.searchParams.has("token");
+    } catch (error) {
+      return false;
+    }
+  },
+  upstash: (value = "") => {
+    try {
+      const url = new URL(value);
+      return ["redis:", "rediss:"].includes(url.protocol) && url.hostname.endsWith("upstash.io") && url.password;
+    } catch (error) {
+      return false;
+    }
+  }
+};
+
+// src/schemas/use-content-security-policy.ts
+import { z as z8 } from "zod";
+
+// src/types/csp.ts
+import { z } from "zod";
+var stringySchema = z.union([z.array(z.string()), z.string(), z.boolean()]);
+var ContentSecurityPolicySchema = z.object({
+  "default-src": stringySchema.optional(),
+  "script-src": stringySchema.optional(),
+  "style-src": stringySchema.optional(),
+  "img-src": stringySchema.optional(),
+  "connect-src": stringySchema.optional(),
+  "font-src": stringySchema.optional(),
+  "object-src": stringySchema.optional(),
+  "media-src": stringySchema.optional(),
+  "frame-src": stringySchema.optional(),
+  sandbox: stringySchema.optional(),
+  "report-uri": stringySchema.optional(),
+  "child-src": stringySchema.optional(),
+  "form-action": stringySchema.optional(),
+  "frame-ancestors": stringySchema.optional(),
+  "plugin-types": stringySchema.optional(),
+  "base-uri": stringySchema.optional(),
+  "report-to": stringySchema.optional(),
+  "worker-src": stringySchema.optional(),
+  "manifest-src": stringySchema.optional(),
+  "prefetch-src": stringySchema.optional(),
+  "navigate-to": stringySchema.optional(),
+  "require-sri-for": stringySchema.optional(),
+  "block-all-mixed-content": stringySchema.optional(),
+  "upgrade-insecure-requests": stringySchema.optional(),
+  "trusted-types": stringySchema.optional(),
+  "require-trusted-types-for": stringySchema.optional()
+});
+
+// src/types/middleware.ts
+import { z as z2 } from "zod";
+var MiddlewareNextSchema = z2.union([
+  z2.void(),
+  z2.null(),
+  z2.promise(z2.union([z2.void(), z2.null()]))
+]);
 
 // src/utils/debug.ts
 var debug = (...msg) => {
@@ -23,6 +81,39 @@ var debug = (...msg) => {
   }
 };
 
+// src/utils/errors.ts
+var errorsMap = {
+  mode: '`CSP_MODE` must be one of "disabled", "report-only", or "enforced"',
+  directives: {
+    ["DirectivesRequired" /* DirectivesRequired */]: '`CSP_DIRECTIVES` must be provided when `CSP_MODE` is "report-only" or "enforced"',
+    ["DirectivesBadParse" /* DirectivesBadParse */]: "Failed to parse `CSP_DIRECTIVES`. Is it a valid JSON string?"
+  },
+  appwardenApiToken: "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/api-tokens."
+};
+var getErrors = (error) => {
+  const matches = [];
+  const errors2 = [...Object.entries(error.flatten().fieldErrors)];
+  for (const issue of error.issues) {
+    errors2.push(
+      ...Object.entries(
+        "returnTypeError" in issue ? issue.returnTypeError.flatten().fieldErrors : {}
+      )
+    );
+  }
+  for (const [field, maybeSchemaErrorKey] of errors2) {
+    let match = errorsMap[field];
+    if (match) {
+      if (match instanceof Object) {
+        if (maybeSchemaErrorKey) {
+          match = match[maybeSchemaErrorKey[0]];
+        }
+      }
+      matches.push(match);
+    }
+  }
+  return matches;
+};
+
 // src/utils/memory-cache.ts
 var MemoryCache = class {
   cache = /* @__PURE__ */ new Map();
@@ -67,19 +158,23 @@ var MemoryCache = class {
 };
 
 // src/utils/print-message.ts
-var printMessage = (message) => `[@appwarden/middleware] ${message}`;
+var addSlashes = (str) => str.replace(/[\\"'`]/g, "\\$&").replace(/\u0000/g, "\\0");
+var printMessage = (message) => `[@appwarden/middleware] ${addSlashes(message)}`;
 
 // src/utils/vercel/delete-edge-value.ts
 var deleteEdgeValue = async ({
   keyName,
   provider,
-  connectionString,
-  edgeConfigId,
+  cacheUrl,
   vercelApiToken
 }) => {
   try {
     switch (provider) {
       case "edge-config": {
+        const edgeConfigId = getEdgeConfigId(cacheUrl);
+        if (!edgeConfigId) {
+          throw new Error("Failed to parse `edgeConfigId`");
+        }
         const res = await fetch(
           `https://api.vercel.com/v1/edge-config/${edgeConfigId}/items`,
           {
@@ -111,9 +206,9 @@ var deleteEdgeValue = async ({
         break;
       }
       case "upstash": {
-        const [url, token] = connectionString.split("@");
+        const { hostname, password } = new URL(cacheUrl);
         const { Redis } = await import("@upstash/redis");
-        const redis = new Redis({ url, token });
+        const redis = new Redis({ url: `https://${hostname}`, token: password });
         await redis.del(keyName);
         break;
       }
@@ -129,11 +224,14 @@ var deleteEdgeValue = async ({
 };
 
 // src/schemas/cloudflare.ts
-import { z as z2 } from "zod";
+import { z as z5 } from "zod";
+
+// src/schemas/use-appwarden.ts
+import { z as z4 } from "zod";
 
 // src/schemas/helpers.ts
-import { z } from "zod";
-var BoolOrStringSchema = z.union([z.string(), z.boolean()]).optional();
+import { z as z3 } from "zod";
+var BoolOrStringSchema = z3.union([z3.string(), z3.boolean()]).optional();
 var BooleanSchema = BoolOrStringSchema.transform((val) => {
   if (val === "true" || val === true) {
     return true;
@@ -142,38 +240,77 @@ var BooleanSchema = BoolOrStringSchema.transform((val) => {
   }
   throw new Error("Invalid value");
 });
-var BaseOutputConfigSchema = z.object({
-  debug: BooleanSchema.default(false),
-  appwardenApiToken: z.string().refine((appwardenApiToken) => !!appwardenApiToken, {
-    message: printMessage(
-      "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/api-tokens."
-    ),
-    path: ["appwardenApiToken"]
-  }),
-  lockPageSlug: z.string()
+var LockValue = z3.object({
+  isLocked: z3.number(),
+  isLockedTest: z3.number(),
+  lastCheck: z3.number(),
+  code: z3.string()
 });
-var LockValue = z.object({
-  isLocked: z.number(),
-  isLockedTest: z.number(),
-  lastCheck: z.number(),
-  code: z.string()
+
+// src/schemas/use-appwarden.ts
+var UseAppwardenInputSchema = z4.object({
+  debug: BooleanSchema.default(false),
+  lockPageSlug: z4.string(),
+  appwardenApiToken: z4.string().refine((val) => !!val, { path: ["appwardenApiToken"] })
 });
 
 // src/schemas/cloudflare.ts
-var ConfigOutputSchema = BaseOutputConfigSchema.extend({
-  middleware: z2.object({ before: z2.custom().array().default([]) }).default({})
-});
-var ConfigFnInputSchema = z2.function().args(z2.custom()).returns(
-  ConfigOutputSchema.extend({
-    debug: BoolOrStringSchema
+var ConfigFnInputSchema = z5.function().args(z5.custom()).returns(
+  UseAppwardenInputSchema.extend({
+    middleware: z5.object({ before: z5.custom().array().default([]) }).default({})
   })
 );
-var CloudflareConfigFnOutputSchema = z2.function().args(z2.custom()).returns(ConfigOutputSchema);
 
 // src/schemas/nextjs.ts
-import { z as z3 } from "zod";
-var ConfigOutputSchema2 = BaseOutputConfigSchema;
-var NextJsConfigFnOutputSchema = z3.function().args(z3.custom()).returns(ConfigOutputSchema2);
+import { z as z6 } from "zod";
+var NextJsConfigFnOutputSchema = z6.function().args(z6.custom()).returns(UseAppwardenInputSchema);
+
+// src/schemas/vercel.ts
+import { z as z7 } from "zod";
+var BaseNextJsConfigSchema = z7.object({
+  cacheUrl: z7.string(),
+  appwardenApiToken: z7.string(),
+  vercelApiToken: z7.string().optional(),
+  lockPageSlug: z7.string().default("").transform((val) => val.replace(/^\/?/, "/"))
+});
+var AppwardenConfigSchema = BaseNextJsConfigSchema.refine(
+  (data) => isCacheUrl.edgeConfig(data.cacheUrl) || isCacheUrl.upstash(data.cacheUrl),
+  {
+    message: printMessage(
+      "Provided `cacheUrl` is not recognized. Please provide a Vercel Edge Config or Upstash KV url."
+    ),
+    path: ["cacheUrl"]
+  }
+).refine(
+  (data) => isCacheUrl.edgeConfig(data.cacheUrl) ? isValidCacheUrl.edgeConfig(data.cacheUrl) : true,
+  {
+    message: printMessage(
+      "Provided Vercel Edge Config `cacheUrl` is not valid. Please provide a valid Vercel Edge Config url."
+    ),
+    path: ["cacheUrl"]
+  }
+).refine(
+  (data) => isCacheUrl.upstash(data.cacheUrl) ? isValidCacheUrl.upstash(data.cacheUrl) : true,
+  {
+    message: printMessage(
+      "Provided Upstash KV `cacheUrl` is not valid. Please provide a valid Upstash KV url."
+    ),
+    path: ["cacheUrl"]
+  }
+).refine(
+  (data) => isCacheUrl.edgeConfig(data.cacheUrl) ? !!data.vercelApiToken : true,
+  {
+    message: printMessage(
+      "The `vercelApiToken` option is required when using Vercel Edge Config"
+    ),
+    path: ["vercelApiToken"]
+  }
+).refine((data) => !!data.appwardenApiToken, {
+  message: printMessage(
+    "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/api-tokens."
+  ),
+  path: ["appwardenApiToken"]
+});
 
 // src/utils/vercel/get-lock-value.ts
 var getLockValue = async (context) => {
@@ -188,17 +325,22 @@ var getLockValue = async (context) => {
     switch (context.provider) {
       case "edge-config": {
         const { createClient } = await import("@vercel/edge-config");
-        const edgeConfig = createClient(context.connectionString);
+        const edgeConfig = createClient(context.cacheUrl);
         serializedValue = await edgeConfig.get(
           context.keyName
         );
         break;
       }
       case "upstash": {
-        const [url, token] = context.connectionString.split("@");
+        const { hostname, password } = new URL(context.cacheUrl);
         const { Redis } = await import("@upstash/redis");
-        const redis = new Redis({ url, token });
-        const redisValue = await redis.get(context.keyName);
+        const redis = new Redis({
+          url: `https://${hostname}`,
+          token: password
+        });
+        const redisValue = await redis.get(
+          context.keyName
+        );
         serializedValue = redisValue === null ? void 0 : redisValue;
         break;
       }
@@ -209,7 +351,9 @@ var getLockValue = async (context) => {
       return { lockValue: void 0 };
     }
     try {
-      lockValue = LockValue.parse(JSON.parse(serializedValue));
+      lockValue = LockValue.parse(
+        typeof serializedValue === "string" ? JSON.parse(serializedValue) : serializedValue
+      );
     } catch (error) {
       console.error(
         printMessage(
@@ -241,19 +385,17 @@ var APIError = class extends Error {
   }
 };
 var syncEdgeValue = async (context) => {
-  debug("syncing with api");
+  debug(`syncing with api`);
   try {
     const response = await fetch(new URL("/v1/status/check", "https://bot-gateway.appwarden.io"), {
       method: "POST",
       headers: { "content-type": "application/json" },
       body: JSON.stringify({
         service: "vercel",
-        provider: context.provider,
+        cacheUrl: context.cacheUrl,
         fqdn: context.requestUrl.hostname,
-        edgeConfigId: context.edgeConfigId ?? "",
         vercelApiToken: context.vercelApiToken ?? "",
-        appwardenApiToken: context.appwardenApiToken,
-        connectionString: context.connectionString
+        appwardenApiToken: context.appwardenApiToken
       })
     });
     if (response.status !== 200) {
@@ -325,85 +467,55 @@ var renderLockPage = (context) => fetch(new URL(context.lockPageSlug, context.re
   }
 });
 
-// src/schemas/vercel.ts
-var MiddlewareSchema = z4.custom(
-  (val) => typeof val === "function"
-);
-var BaseNextJsConfigSchema = z4.object({
-  provider: z4.enum(["upstash", "edge-config"]),
-  lockPageSlug: z4.string(),
-  connectionString: z4.string(),
-  edgeConfigId: z4.string().optional(),
-  vercelApiToken: z4.string().optional(),
-  appwardenApiToken: z4.string()
-});
-var AppwardenConfigSchema = BaseNextJsConfigSchema.refine(
-  (data) => !!data.appwardenApiToken,
-  {
-    message: printMessage(
-      "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/api-tokens."
-    ),
-    path: ["appwardenApiToken"]
-  }
-).refine(
-  (data) => {
-    return data.provider === "upstash" && data.connectionString.includes("upstash.io") || data.provider === "edge-config" && data.connectionString.includes("edge-config.vercel.com");
-  },
-  {
-    message: printMessage(
-      "Invalid connection string for the selected `provider`"
-    ),
-    path: ["connectionString"]
-  }
-).refine(
-  (data) => {
-    return data.provider === "upstash" && data.connectionString.includes("upstash") || data.provider === "edge-config" && data.connectionString.includes("edge-config");
-  },
-  {
-    message: printMessage(
-      "Invalid connection string for the selected `provider`"
-    ),
-    path: ["connectionString"]
-  }
-).refine(
-  (data) => {
-    if (data.provider === "edge-config") {
-      return !!data.vercelApiToken;
-    }
-    return true;
-  },
-  {
-    message: printMessage("Missing vercelApiToken when provider=edge-config"),
-    path: ["vercelApiToken"]
-  }
-).refine(
-  (data) => {
-    if (data.provider === "edge-config") {
-      return !!data.edgeConfigId;
-    }
-    return true;
-  },
-  {
-    message: printMessage(
-      "Missing `edgeConfigId` when `provider=edge-config`"
-    ),
-    path: ["edgeConfigId"]
-  }
+// src/schemas/use-content-security-policy.ts
+var CSPDirectivesSchema = z8.union([
+  z8.string(),
+  ContentSecurityPolicySchema
+]);
+var CSPModeSchema = z8.literal("disabled").or(z8.literal("report-only")).or(z8.literal("enforced")).optional().default("disabled");
+var UseCSPInputSchema = z8.object({
+  mode: CSPModeSchema,
+  directives: CSPDirectivesSchema.optional().refine(
+    (val) => {
+      try {
+        if (typeof val === "string") {
+          JSON.parse(val);
+        }
+        return true;
+      } catch (error) {
+        return false;
+      }
+    },
+    { message: "DirectivesBadParse" /* DirectivesBadParse */ }
+  ).transform(
+    (val) => typeof val === "string" ? JSON.parse(val) : val
+  )
+}).refine(
+  (values) => (
+    // validate that directives are provided when the mode is "report-only" or "enforced"
+    ["report-only", "enforced"].includes(values.mode) && values.directives
+  ),
+  { path: ["directives"], message: "DirectivesRequired" /* DirectivesRequired */ }
 );
 
 export {
   LOCKDOWN_TEST_EXPIRY_MS,
   removedHeaders,
-  securityHeaders,
   globalErrors,
   APPWARDEN_TEST_ROUTE,
+  APPWARDEN_CACHE_KEY,
   debug,
+  getErrors,
   MemoryCache,
+  getEdgeConfigId,
+  isCacheUrl,
+  isValidCacheUrl,
   printMessage,
-  BoolOrStringSchema,
   LockValue,
-  CloudflareConfigFnOutputSchema,
-  NextJsConfigFnOutputSchema,
+  ConfigFnInputSchema,
+  CSPDirectivesSchema,
+  CSPModeSchema,
+  UseCSPInputSchema,
   BaseNextJsConfigSchema,
   AppwardenConfigSchema,
   syncEdgeValue,