@appwarden/middleware 3.1.1 → 3.2.1

package/README.md

@@ -1,6 +1,6 @@
 # @appwarden/middleware
 
-![Test Coverage](https://img.shields.io/badge/coverage-95.44%25-brightgreen)
+![Test Coverage](https://img.shields.io/badge/coverage-95.58%25-brightgreen)
 [![npm version](https://img.shields.io/npm/v/@appwarden/middleware.svg)](https://www.npmjs.com/package/@appwarden/middleware)
 [![npm provenance](https://img.shields.io/badge/npm-provenance-green)](https://docs.npmjs.com/generating-provenance-statements)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)

package/{chunk-MOTPEQEU.js → chunk-A5XGYLYS.js}

@@ -2,7 +2,7 @@ import {
   debug,
   isHTMLResponse,
   printMessage
-} from "./chunk-7UTT3M2S.js";
+} from "./chunk-L5EQIJZB.js";
 
 // src/schemas/use-content-security-policy.ts
 import { z as z2 } from "zod";
@@ -75,6 +75,47 @@ var UseCSPInputSchema = z2.object({
   { path: ["directives"], message: "DirectivesRequired" /* DirectivesRequired */ }
 );
 
+// src/utils/cloudflare/csp-keywords.ts
+var CSP_KEYWORDS = [
+  "self",
+  "none",
+  "unsafe-inline",
+  "unsafe-eval",
+  "unsafe-hashes",
+  "strict-dynamic",
+  "report-sample",
+  "unsafe-allow-redirects",
+  "wasm-unsafe-eval",
+  "trusted-types-eval",
+  "report-sha256",
+  "report-sha384",
+  "report-sha512",
+  "unsafe-webtransport-hashes"
+];
+var CSP_KEYWORDS_SET = new Set(CSP_KEYWORDS);
+var isCSPKeyword = (value) => {
+  return CSP_KEYWORDS_SET.has(value.toLowerCase());
+};
+var isQuoted = (value) => {
+  return value.startsWith("'") && value.endsWith("'");
+};
+var autoQuoteCSPKeyword = (value) => {
+  const trimmed = value.trim();
+  if (isQuoted(trimmed)) {
+    return trimmed;
+  }
+  if (isCSPKeyword(trimmed)) {
+    return `'${trimmed}'`;
+  }
+  return trimmed;
+};
+var autoQuoteCSPDirectiveValue = (value) => {
+  return value.trim().split(/\s+/).filter(Boolean).map(autoQuoteCSPKeyword).join(" ");
+};
+var autoQuoteCSPDirectiveArray = (values) => {
+  return values.map(autoQuoteCSPKeyword);
+};
+
 // src/utils/cloudflare/make-csp-header.ts
 var addNonce = (value, cspNonce) => value.replace("{{nonce}}", `'nonce-${cspNonce}'`);
 var makeCSPHeader = (cspNonce, directives, mode) => {
@@ -85,14 +126,19 @@ var makeCSPHeader = (cspNonce, directives, mode) => {
       throw new Error(`${originalName} is specified more than once`);
     }
     namesSeen.add(name);
+    let directiveValue;
     if (Array.isArray(value)) {
-      value = addNonce(value.join(" "), cspNonce);
+      directiveValue = autoQuoteCSPDirectiveArray(value).join(" ");
     } else if (value === true) {
-      value = "";
+      directiveValue = "";
+    } else if (typeof value === "string") {
+      directiveValue = autoQuoteCSPDirectiveValue(value);
+    } else {
+      return;
     }
-    if (value) {
-      result.push(`${name} ${addNonce(value, cspNonce)}`);
-    } else if (value !== false) {
+    if (directiveValue) {
+      result.push(`${name} ${addNonce(directiveValue, cspNonce)}`);
+    } else {
       result.push(name);
     }
   });

package/{chunk-RDASXYYU.js → chunk-COV6SHCD.js}

@@ -1,9 +1,9 @@
 import {
   getErrors
-} from "./chunk-OPZQCRC4.js";
+} from "./chunk-ZX5QO4Y2.js";
 import {
   printMessage
-} from "./chunk-7UTT3M2S.js";
+} from "./chunk-L5EQIJZB.js";
 
 // src/utils/validate-config.ts
 function validateConfig(config, schema) {

package/{chunk-7UTT3M2S.js → chunk-L5EQIJZB.js}

@@ -8,7 +8,24 @@ var APPWARDEN_CACHE_KEY = "appwarden-lock";
 // src/utils/debug.ts
 var debug = (...msg) => {
   if (true) {
-    console.log(...msg);
+    const formatted = msg.map((m) => {
+      if (typeof m === "object" && m !== null) {
+        if (m instanceof Error) {
+          return m.stack ?? m.message;
+        }
+        try {
+          return JSON.stringify(m);
+        } catch {
+          try {
+            return String(m);
+          } catch {
+            return "[Unserializable value]";
+          }
+        }
+      }
+      return m;
+    });
+    console.log(...formatted);
   }
 };
 

package/{chunk-RB2LXM55.js → chunk-MDODCAA3.js}

@@ -1,13 +1,13 @@
 import {
   LockValue,
   MemoryCache
-} from "./chunk-OPZQCRC4.js";
+} from "./chunk-ZX5QO4Y2.js";
 import {
   APPWARDEN_CACHE_KEY,
   APPWARDEN_TEST_ROUTE,
   debug,
   printMessage
-} from "./chunk-7UTT3M2S.js";
+} from "./chunk-L5EQIJZB.js";
 
 // src/utils/cloudflare/cloudflare-cache.ts
 var store = {

package/{chunk-OPZQCRC4.js → chunk-ZX5QO4Y2.js}

@@ -1,6 +1,6 @@
 import {
   LOCKDOWN_TEST_EXPIRY_MS
-} from "./chunk-7UTT3M2S.js";
+} from "./chunk-L5EQIJZB.js";
 
 // src/utils/build-lock-page-url.ts
 function normalizeLockPageSlug(lockPageSlug) {
@@ -23,6 +23,17 @@ function isOnLockPage(lockPageSlug, requestUrl) {
   return normalizedPathname === normalizedSlug;
 }
 
+// src/utils/create-redirect.ts
+var TEMPORARY_REDIRECT_STATUS = 302;
+var createRedirect = (url) => {
+  return new Response(null, {
+    status: TEMPORARY_REDIRECT_STATUS,
+    headers: {
+      Location: url.toString()
+    }
+  });
+};
+
 // src/utils/memory-cache.ts
 var MemoryCache = class {
   cache = /* @__PURE__ */ new Map();
@@ -125,6 +136,8 @@ var LockValue = z.object({
 export {
   buildLockPageUrl,
   isOnLockPage,
+  TEMPORARY_REDIRECT_STATUS,
+  createRedirect,
   getErrors,
   MemoryCache,
   BooleanSchema,

package/cloudflare/astro.js

@@ -1,23 +1,21 @@
-import {
-  TEMPORARY_REDIRECT_STATUS,
-  createRedirect
-} from "../chunk-6M7BE3AW.js";
 import {
   validateConfig
-} from "../chunk-RDASXYYU.js";
+} from "../chunk-COV6SHCD.js";
 import {
   checkLockStatus
-} from "../chunk-RB2LXM55.js";
+} from "../chunk-MDODCAA3.js";
 import {
   AppwardenApiTokenSchema,
   BooleanSchema,
+  TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
+  createRedirect,
   isOnLockPage
-} from "../chunk-OPZQCRC4.js";
+} from "../chunk-ZX5QO4Y2.js";
 import {
   isHTMLRequest,
   printMessage
-} from "../chunk-7UTT3M2S.js";
+} from "../chunk-L5EQIJZB.js";
 
 // src/schemas/astro-cloudflare.ts
 import { z } from "zod";

package/cloudflare/nextjs.js

@@ -1,22 +1,20 @@
-import {
-  TEMPORARY_REDIRECT_STATUS
-} from "../chunk-6M7BE3AW.js";
 import {
   validateConfig
-} from "../chunk-RDASXYYU.js";
+} from "../chunk-COV6SHCD.js";
 import {
   checkLockStatus
-} from "../chunk-RB2LXM55.js";
+} from "../chunk-MDODCAA3.js";
 import {
   AppwardenApiTokenSchema,
   BooleanSchema,
+  TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
   isOnLockPage
-} from "../chunk-OPZQCRC4.js";
+} from "../chunk-ZX5QO4Y2.js";
 import {
   isHTMLRequest,
   printMessage
-} from "../chunk-7UTT3M2S.js";
+} from "../chunk-L5EQIJZB.js";
 
 // src/adapters/nextjs-cloudflare.ts
 import {

package/cloudflare/react-router.js

@@ -1,22 +1,20 @@
-import {
-  createRedirect
-} from "../chunk-6M7BE3AW.js";
 import {
   validateConfig
-} from "../chunk-RDASXYYU.js";
+} from "../chunk-COV6SHCD.js";
 import {
   checkLockStatus
-} from "../chunk-RB2LXM55.js";
+} from "../chunk-MDODCAA3.js";
 import {
   AppwardenApiTokenSchema,
   BooleanSchema,
   buildLockPageUrl,
+  createRedirect,
   isOnLockPage
-} from "../chunk-OPZQCRC4.js";
+} from "../chunk-ZX5QO4Y2.js";
 import {
   isHTMLRequest,
   printMessage
-} from "../chunk-7UTT3M2S.js";
+} from "../chunk-L5EQIJZB.js";
 
 // src/schemas/react-router-cloudflare.ts
 import { z } from "zod";

package/cloudflare/tanstack-start.js

@@ -1,22 +1,20 @@
-import {
-  createRedirect
-} from "../chunk-6M7BE3AW.js";
 import {
   validateConfig
-} from "../chunk-RDASXYYU.js";
+} from "../chunk-COV6SHCD.js";
 import {
   checkLockStatus
-} from "../chunk-RB2LXM55.js";
+} from "../chunk-MDODCAA3.js";
 import {
   AppwardenApiTokenSchema,
   BooleanSchema,
   buildLockPageUrl,
+  createRedirect,
   isOnLockPage
-} from "../chunk-OPZQCRC4.js";
+} from "../chunk-ZX5QO4Y2.js";
 import {
   isHTMLRequest,
   printMessage
-} from "../chunk-7UTT3M2S.js";
+} from "../chunk-L5EQIJZB.js";
 
 // src/schemas/tanstack-start-cloudflare.ts
 import { z } from "zod";

package/cloudflare.js

@@ -1,22 +1,24 @@
 import {
   useContentSecurityPolicy
-} from "./chunk-MOTPEQEU.js";
+} from "./chunk-A5XGYLYS.js";
 import {
   checkLockStatus,
   getLockValue,
   store
-} from "./chunk-RB2LXM55.js";
+} from "./chunk-MDODCAA3.js";
 import {
   AppwardenApiTokenSchema,
   BooleanSchema,
+  buildLockPageUrl,
+  createRedirect,
   getErrors,
   isOnLockPage
-} from "./chunk-OPZQCRC4.js";
+} from "./chunk-ZX5QO4Y2.js";
 import {
   APPWARDEN_CACHE_KEY,
   isHTMLRequest,
   printMessage
-} from "./chunk-7UTT3M2S.js";
+} from "./chunk-L5EQIJZB.js";
 
 // src/runners/appwarden-on-cloudflare.ts
 import { ZodError } from "zod";
@@ -80,14 +82,6 @@ var usePipeline = (...initMiddlewares) => {
   };
 };
 
-// src/utils/render-lock-page.ts
-var renderLockPage = (context) => fetch(new URL(context.lockPageSlug, context.requestUrl.origin), {
-  headers: {
-    // no browser caching, otherwise we need to hard refresh to disable lock screen
-    "Cache-Control": "no-store"
-  }
-});
-
 // src/utils/cloudflare/insert-errors-logs.ts
 var insertErrorLogs = async (context, error) => {
   const errors = getErrors(error);
@@ -161,10 +155,8 @@ var useAppwarden = (input) => async (context, next) => {
       waitUntil: (fn) => context.waitUntil(fn)
     });
     if (result.isLocked) {
-      context.response = await renderLockPage({
-        lockPageSlug,
-        requestUrl
-      });
+      const lockPageUrl = buildLockPageUrl(lockPageSlug, request.url);
+      context.response = createRedirect(lockPageUrl);
       shouldCallNext = false;
       return;
     }

package/index.js

@@ -7,11 +7,11 @@ import {
   CSPDirectivesSchema,
   CSPModeSchema,
   useContentSecurityPolicy
-} from "./chunk-MOTPEQEU.js";
+} from "./chunk-A5XGYLYS.js";
 import {
   APPWARDEN_CACHE_KEY,
   LOCKDOWN_TEST_EXPIRY_MS
-} from "./chunk-7UTT3M2S.js";
+} from "./chunk-L5EQIJZB.js";
 export {
   APPWARDEN_CACHE_KEY,
   CSPDirectivesSchema,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appwarden/middleware",
-  "version": "3.1.1",
+  "version": "3.2.1",
   "description": "Instantly shut off access your app deployed on Cloudflare or Vercel",
   "type": "module",
   "license": "MIT",

package/vercel.js

@@ -4,12 +4,14 @@ import {
 } from "./chunk-QEFORWCW.js";
 import {
   validateConfig
-} from "./chunk-RDASXYYU.js";
+} from "./chunk-COV6SHCD.js";
 import {
   LockValue,
   MemoryCache,
+  TEMPORARY_REDIRECT_STATUS,
+  buildLockPageUrl,
   isOnLockPage
-} from "./chunk-OPZQCRC4.js";
+} from "./chunk-ZX5QO4Y2.js";
 import {
   APPWARDEN_CACHE_KEY,
   debug,
@@ -17,7 +19,7 @@ import {
   globalErrors,
   isHTMLRequest,
   printMessage
-} from "./chunk-7UTT3M2S.js";
+} from "./chunk-L5EQIJZB.js";
 
 // src/runners/appwarden-on-vercel.ts
 import { waitUntil } from "@vercel/functions";
@@ -233,8 +235,14 @@ function createAppwardenMiddleware(config) {
         provider
       })).lockValue;
       if (lockValue?.isLocked) {
-        const lockPageUrl = new URL(parsedConfig.lockPageSlug, request.url);
-        return Response.redirect(lockPageUrl.toString(), 302);
+        const lockPageUrl = buildLockPageUrl(
+          parsedConfig.lockPageSlug,
+          request.url
+        );
+        return Response.redirect(
+          lockPageUrl.toString(),
+          TEMPORARY_REDIRECT_STATUS
+        );
       }
       return NextResponse.next();
     } catch (e) {

package/chunk-6M7BE3AW.js

@@ -1,15 +0,0 @@
-// src/utils/create-redirect.ts
-var TEMPORARY_REDIRECT_STATUS = 302;
-var createRedirect = (url) => {
-  return new Response(null, {
-    status: TEMPORARY_REDIRECT_STATUS,
-    headers: {
-      Location: url.toString()
-    }
-  });
-};
-
-export {
-  TEMPORARY_REDIRECT_STATUS,
-  createRedirect
-};