@appwarden/middleware 3.11.5 → 3.12.0

package/{chunk-XFG6SUSV.js → chunk-M2YVPCTG.js}

@@ -1,3 +1,17 @@
+import {
+  useContentSecurityPolicy
+} from "./chunk-ILIYP3TG.js";
+
+// src/utils/apply-content-security-policy-to-response.ts
+var applyContentSecurityPolicyToResponse = async ({
+  contentSecurityPolicy,
+  ...context
+}) => {
+  await useContentSecurityPolicy(contentSecurityPolicy)(context, async () => {
+  });
+  return context.response;
+};
+
 // src/utils/is-response-like.ts
 var isResponseLike = (value) => {
   if (!value || typeof value !== "object") return false;
@@ -7,5 +21,6 @@ var isResponseLike = (value) => {
 };
 
 export {
+  applyContentSecurityPolicyToResponse,
   isResponseLike
 };

package/chunk-NV7K5PRA.js

@@ -0,0 +1,36 @@
+// src/utils/errors.ts
+var errorsMap = {
+  mode: '`CSP_MODE` must be one of "disabled", "report-only", or "enforced"',
+  directives: {
+    ["DirectivesRequired" /* DirectivesRequired */]: '`CSP_DIRECTIVES` must be provided when `CSP_MODE` is "report-only" or "enforced"',
+    ["DirectivesBadParse" /* DirectivesBadParse */]: "Failed to parse `CSP_DIRECTIVES`. Is it a valid JSON string?"
+  },
+  appwardenApiToken: "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/guides/api-token-management."
+};
+var getErrors = (error) => {
+  const matches = [];
+  const errors = [...Object.entries(error.flatten().fieldErrors)];
+  for (const issue of error.issues) {
+    errors.push(
+      ...Object.entries(
+        "returnTypeError" in issue ? issue.returnTypeError.flatten().fieldErrors : {}
+      )
+    );
+  }
+  for (const [field, maybeSchemaErrorKey] of errors) {
+    let match = errorsMap[field];
+    if (match) {
+      if (match instanceof Object) {
+        if (maybeSchemaErrorKey) {
+          match = match[maybeSchemaErrorKey[0]];
+        }
+      }
+      matches.push(match);
+    }
+  }
+  return matches;
+};
+
+export {
+  getErrors
+};

package/{chunk-ZTVJBORU.js → chunk-Z7P4QVEY.js}

@@ -3,10 +3,41 @@ var LOCKDOWN_TEST_EXPIRY_MS = 5 * 60 * 1e3;
 var errors = { badCacheConnection: "BAD_CACHE_CONNECTION" };
 var globalErrors = [errors.badCacheConnection];
 var APPWARDEN_TEST_ROUTE = "/_appwarden/test";
+var APPWARDEN_HEARTBEAT_ROUTE = "/_appwarden/heartbeat";
+var HEARTBEAT_CONTRACT_VERSION = 1;
+var HEARTBEAT_CONFIG_ERROR_MAX_COUNT = 10;
+var HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH = 10;
+var HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH = 100;
+var HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH = 500;
+var HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH = 100;
 var APPWARDEN_CACHE_KEY = "appwarden-lock";
+var HEARTBEAT_SERVICE_VALUES = [
+  "cloudflare",
+  "cloudflare-astro",
+  "cloudflare-react-router",
+  "cloudflare-tanstack-start",
+  "cloudflare-nextjs",
+  "vercel"
+];
+var [
+  CLOUDFLARE,
+  CLOUDFLARE_ASTRO,
+  CLOUDFLARE_REACT_ROUTER,
+  CLOUDFLARE_TANSTACK_START,
+  CLOUDFLARE_NEXTJS,
+  VERCEL
+] = HEARTBEAT_SERVICE_VALUES;
+var HEARTBEAT_SERVICES = {
+  CLOUDFLARE,
+  CLOUDFLARE_ASTRO,
+  CLOUDFLARE_REACT_ROUTER,
+  CLOUDFLARE_TANSTACK_START,
+  CLOUDFLARE_NEXTJS,
+  VERCEL
+};
 
 // src/schemas/use-content-security-policy.ts
-import { z as z2 } from "zod";
+import { z as z3 } from "zod";
 
 // src/types/csp.ts
 import { z } from "zod";
@@ -40,17 +71,40 @@ var ContentSecurityPolicySchema = z.object({
   "require-trusted-types-for": stringySchema.optional()
 });
 
+// src/schemas/helpers.ts
+import { z as z2 } from "zod";
+var BoolOrStringSchema = z2.union([z2.string(), z2.boolean()]).optional();
+var BooleanSchema = BoolOrStringSchema.transform((val) => {
+  if (val === "true" || val === true) {
+    return true;
+  } else if (val === "false" || val === false) {
+    return false;
+  }
+  throw new Error("Invalid value");
+});
+var AppwardenApiTokenSchema = z2.string().refine((val) => !!val, { message: "appwardenApiToken is required" });
+var AppwardenApiHostnameSchema = z2.string().url({
+  message: "Invalid `appwardenApiHostname`. Please provide an absolute URL (e.g. https://api.appwarden.io)."
+}).refine((value) => value.startsWith("https://"), {
+  message: "`appwardenApiHostname` must use the https:// scheme (e.g. https://api.appwarden.io)."
+});
+var LockValue = z2.object({
+  isLocked: z2.number(),
+  isLockedTest: z2.number(),
+  lastCheck: z2.number()
+});
+
 // src/schemas/use-content-security-policy.ts
-var CSPDirectivesSchema = z2.union([
-  z2.string(),
+var CSPDirectivesSchema = z3.union([
+  z3.string(),
   ContentSecurityPolicySchema
 ]);
-var CSPModeSchema = z2.union([
-  z2.literal("disabled"),
-  z2.literal("report-only"),
-  z2.literal("enforced")
+var CSPModeSchema = z3.union([
+  z3.literal("disabled"),
+  z3.literal("report-only"),
+  z3.literal("enforced")
 ]);
-var UseCSPInputSchema = z2.object({
+var UseCSPInputSchema = z3.object({
   mode: CSPModeSchema,
   directives: CSPDirectivesSchema.refine(
     (val) => {
@@ -74,7 +128,19 @@ export {
   errors,
   globalErrors,
   APPWARDEN_TEST_ROUTE,
+  APPWARDEN_HEARTBEAT_ROUTE,
+  HEARTBEAT_CONTRACT_VERSION,
+  HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
   APPWARDEN_CACHE_KEY,
+  HEARTBEAT_SERVICES,
+  BooleanSchema,
+  AppwardenApiTokenSchema,
+  AppwardenApiHostnameSchema,
+  LockValue,
   CSPDirectivesSchema,
   CSPModeSchema,
   UseCSPInputSchema

package/cloudflare/astro.d.ts

@@ -270,8 +270,8 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    debug: boolean;
     lockPageSlug: string;
+    debug: boolean;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -308,7 +308,6 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
-    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -340,6 +339,7 @@ declare const AstroCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
+    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type AstroCloudflareConfig = z.infer<typeof AstroCloudflareConfigSchema>;
@@ -383,7 +383,7 @@ type AstroConfigFn = (runtime: AstroCloudflareRuntime) => AstroCloudflareConfigI
  * ```typescript
  * // src/middleware.ts
  * import { sequence } from "astro:middleware"
- * import { createAppwardenMiddleware } from "@appwarden/middleware/astro"
+ * import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare/astro"
  *
  * const appwarden = createAppwardenMiddleware(({ env }) => ({
  *   lockPageSlug: env.APPWARDEN_LOCK_PAGE_SLUG,

package/cloudflare/astro.js

@@ -1,34 +1,35 @@
 import {
+  applyContentSecurityPolicyToResponse,
   isResponseLike
-} from "../chunk-XFG6SUSV.js";
+} from "../chunk-M2YVPCTG.js";
+import "../chunk-ILIYP3TG.js";
 import {
-  useContentSecurityPolicy
-} from "../chunk-WBWF3PPX.js";
-import {
-  getNowMs
-} from "../chunk-X7WZVYQS.js";
+  getNowMs,
+  logElapsed
+} from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-QC2ZUZWY.js";
+} from "../chunk-EXGUJ5XK.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
+  createHeartbeatConfigError,
   createRedirect,
   debug,
+  handleHeartbeatRequest,
   isHTMLRequest,
-  isOnLockPage
-} from "../chunk-AY4ZKZTF.js";
-import {
-  UseCSPInputSchema
-} from "../chunk-ZTVJBORU.js";
-import {
-  printMessage
-} from "../chunk-R7TXTHSG.js";
+  isHeartbeatRequest,
+  isOnLockPage,
+  printMessage,
+  sanitizeConfigErrors
+} from "../chunk-HTSD4WPC.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
-  BooleanSchema
-} from "../chunk-WEM7GS4M.js";
+  BooleanSchema,
+  HEARTBEAT_SERVICES,
+  UseCSPInputSchema
+} from "../chunk-Z7P4QVEY.js";
 
 // src/adapters/astro-cloudflare.ts
 import { waitUntil } from "cloudflare:workers";
@@ -49,11 +50,76 @@ var AstroCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/astro-cloudflare.ts
+var createAstroHeartbeatResponse = (request, runtime, configFn) => {
+  if (!runtime) {
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_ASTRO,
+      [
+        createHeartbeatConfigError(
+          ["runtime"],
+          "custom",
+          "Cloudflare runtime unavailable"
+        )
+      ]
+    );
+  }
+  try {
+    const validationResult = AstroCloudflareConfigSchema.safeParse(
+      configFn(runtime)
+    );
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_ASTRO,
+      validationResult.success ? [] : sanitizeConfigErrors(validationResult.error)
+    );
+  } catch {
+    return handleHeartbeatRequest(
+      request,
+      HEARTBEAT_SERVICES.CLOUDFLARE_ASTRO,
+      [
+        createHeartbeatConfigError(
+          ["config"],
+          "custom",
+          "Appwarden config evaluation failed"
+        )
+      ]
+    );
+  }
+};
 function createAppwardenMiddleware(configFn) {
   return async (context, next) => {
     const startTime = getNowMs();
     const { request } = context;
+    let config;
+    let debugFn;
+    const requestUrl = new URL(request.url);
+    const applyCspToResponse = async (response2) => {
+      if (!config.contentSecurityPolicy || !isResponseLike(response2)) {
+        return response2;
+      }
+      try {
+        return await applyContentSecurityPolicyToResponse({
+          request,
+          response: response2,
+          hostname: requestUrl.hostname,
+          waitUntil,
+          debug: debugFn,
+          contentSecurityPolicy: config.contentSecurityPolicy
+        });
+      } catch (error) {
+        console.error(
+          printMessage(
+            `Failed to apply content security policy: ${error instanceof Error ? error.message : String(error)}`
+          )
+        );
+        return response2;
+      }
+    };
     const locals = context.locals;
+    if (isHeartbeatRequest(request, requestUrl)) {
+      return createAstroHeartbeatResponse(request, locals.runtime, configFn);
+    }
     try {
       const runtime = locals.runtime;
       if (!runtime) {
@@ -74,9 +140,8 @@ function createAppwardenMiddleware(configFn) {
         );
         return next();
       }
-      const config = validationResult.data;
-      const debugFn = debug(config.debug);
-      const requestUrl = new URL(request.url);
+      config = validationResult.data;
+      debugFn = debug(config.debug);
       const isHTML = isHTMLRequest(request);
       debugFn(
         `Appwarden middleware invoked for ${requestUrl.pathname}`,
@@ -86,51 +151,29 @@ function createAppwardenMiddleware(configFn) {
         return next();
       }
       if (isOnLockPage(config.lockPageSlug, request.url)) {
-        debugFn("Already on lock page - skipping");
-        return next();
-      }
-      const result = await checkLockStatus({
-        request,
-        appwardenApiToken: config.appwardenApiToken,
-        appwardenApiHostname: config.appwardenApiHostname,
-        debug: config.debug,
-        lockPageSlug: config.lockPageSlug,
-        waitUntil
-      });
-      if (result.isLocked) {
-        const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
-        debugFn(`Website is locked - redirecting to ${lockPageUrl.pathname}`);
-        if (context.redirect) {
-          return context.redirect(
-            lockPageUrl.toString(),
-            TEMPORARY_REDIRECT_STATUS
-          );
-        }
-        return createRedirect(lockPageUrl);
-      }
-      debugFn("Website is unlocked");
-      const response = await next();
-      if (config.contentSecurityPolicy && isResponseLike(response)) {
-        const cspContext = {
+        debugFn("Already on lock page - skipping lock status check");
+      } else {
+        const result = await checkLockStatus({
           request,
-          response,
-          hostname: requestUrl.hostname,
-          waitUntil,
-          debug: debugFn
-        };
-        await useContentSecurityPolicy(config.contentSecurityPolicy)(
-          cspContext,
-          async () => {
+          appwardenApiToken: config.appwardenApiToken,
+          appwardenApiHostname: config.appwardenApiHostname,
+          debug: config.debug,
+          lockPageSlug: config.lockPageSlug,
+          waitUntil
+        });
+        if (result.isLocked) {
+          const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
+          debugFn(`Website is locked - redirecting to ${lockPageUrl.pathname}`);
+          if (context.redirect) {
+            return context.redirect(
+              lockPageUrl.toString(),
+              TEMPORARY_REDIRECT_STATUS
+            );
           }
-          // no-op next
-        );
-        const elapsed2 = Math.round(getNowMs() - startTime);
-        debugFn(`Middleware executed in ${elapsed2}ms`);
-        return cspContext.response;
+          return createRedirect(lockPageUrl);
+        }
+        debugFn("Website is unlocked");
       }
-      const elapsed = Math.round(getNowMs() - startTime);
-      debugFn(`Middleware executed in ${elapsed}ms`);
-      return response;
     } catch (error) {
       if (isResponseLike(error)) {
         throw error;
@@ -142,6 +185,10 @@ function createAppwardenMiddleware(configFn) {
       );
       return next();
     }
+    const response = await next();
+    const finalResponse = await applyCspToResponse(response);
+    logElapsed(debugFn, startTime);
+    return finalResponse;
   };
 }
 export {

package/cloudflare/nextjs.d.ts

@@ -329,8 +329,8 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    debug: boolean;
     lockPageSlug: string;
+    debug: boolean;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -367,7 +367,6 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
-    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -399,6 +398,7 @@ declare const NextJsCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
+    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type NextJsCloudflareConfig = z.infer<typeof NextJsCloudflareConfigSchema>;

package/cloudflare/nextjs.js

@@ -1,29 +1,36 @@
 import {
-  getNowMs
-} from "../chunk-X7WZVYQS.js";
+  toNextResponse
+} from "../chunk-HUWGPM4M.js";
+import {
+  getNowMs,
+  logElapsed
+} from "../chunk-G6BMPIYD.js";
 import {
   checkLockStatus
-} from "../chunk-QC2ZUZWY.js";
+} from "../chunk-EXGUJ5XK.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
+  createHeartbeatConfigError,
   debug,
+  handleHeartbeatRequest,
   isHTMLRequest,
-  isOnLockPage
-} from "../chunk-AY4ZKZTF.js";
-import {
-  UseCSPInputSchema
-} from "../chunk-ZTVJBORU.js";
-import {
-  printMessage
-} from "../chunk-R7TXTHSG.js";
+  isHeartbeatRequest,
+  isOnLockPage,
+  makeCSPHeader,
+  printMessage,
+  sanitizeConfigErrors
+} from "../chunk-HTSD4WPC.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
-  BooleanSchema
-} from "../chunk-WEM7GS4M.js";
+  BooleanSchema,
+  HEARTBEAT_SERVICES,
+  UseCSPInputSchema
+} from "../chunk-Z7P4QVEY.js";
 
 // src/adapters/nextjs-cloudflare.ts
+import { getCloudflareContext } from "@opennextjs/cloudflare";
 import {
   NextResponse
 } from "next/server";
@@ -55,12 +62,53 @@ var NextJsCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/nextjs-cloudflare.ts
+var createNextJsHeartbeatResponse = (request, configFn) => {
+  let runtime;
+  try {
+    runtime = getCloudflareContext();
+  } catch {
+    return toNextResponse(
+      handleHeartbeatRequest(request, HEARTBEAT_SERVICES.CLOUDFLARE_NEXTJS, [
+        createHeartbeatConfigError(
+          ["context"],
+          "custom",
+          "Cloudflare context unavailable"
+        )
+      ])
+    );
+  }
+  try {
+    const validationResult = NextJsCloudflareConfigSchema.safeParse(
+      configFn(runtime)
+    );
+    return toNextResponse(
+      handleHeartbeatRequest(
+        request,
+        HEARTBEAT_SERVICES.CLOUDFLARE_NEXTJS,
+        validationResult.success ? [] : sanitizeConfigErrors(validationResult.error)
+      )
+    );
+  } catch {
+    return toNextResponse(
+      handleHeartbeatRequest(request, HEARTBEAT_SERVICES.CLOUDFLARE_NEXTJS, [
+        createHeartbeatConfigError(
+          ["config"],
+          "custom",
+          "Appwarden config evaluation failed"
+        )
+      ])
+    );
+  }
+};
 function createAppwardenMiddleware(configFn) {
   return async (request, _event) => {
     const startTime = getNowMs();
+    const requestUrl = new URL(request.url);
+    if (isHeartbeatRequest(request, requestUrl)) {
+      return createNextJsHeartbeatResponse(request, configFn);
+    }
     try {
-      const { getCloudflareContext } = await import("@opennextjs/cloudflare");
-      const { env, ctx } = await getCloudflareContext();
+      const { env, ctx } = getCloudflareContext();
       const rawConfig = configFn({ env, ctx });
       const validationResult = NextJsCloudflareConfigSchema.safeParse(rawConfig);
       if (!validationResult.success) {
@@ -73,7 +121,6 @@ function createAppwardenMiddleware(configFn) {
       }
       const config = validationResult.data;
       const debugFn = debug(config.debug);
-      const requestUrl = new URL(request.url);
       const isHTML = isHTMLRequest(request);
       debugFn(
         `Appwarden middleware invoked for ${requestUrl.pathname}`,
@@ -104,7 +151,6 @@ function createAppwardenMiddleware(configFn) {
         debugFn(
           `Applying CSP headers in ${config.contentSecurityPolicy.mode} mode`
         );
-        const { makeCSPHeader } = await import("../cloudflare-MAHYENA6.js");
         const [headerName, headerValue] = makeCSPHeader(
           "",
           config.contentSecurityPolicy.directives,
@@ -112,12 +158,10 @@ function createAppwardenMiddleware(configFn) {
         );
         const response = NextResponse.next();
         response.headers.set(headerName, headerValue);
-        const elapsed2 = Math.round(getNowMs() - startTime);
-        debugFn(`Middleware executed in ${elapsed2}ms`);
+        logElapsed(debugFn, startTime);
         return response;
       }
-      const elapsed = Math.round(getNowMs() - startTime);
-      debugFn(`Middleware executed in ${elapsed}ms`);
+      logElapsed(debugFn, startTime);
       return NextResponse.next();
     } catch (error) {
       console.error(

package/cloudflare/react-router.d.ts

@@ -268,8 +268,8 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
         };
     }>>>;
 }, "strip", z.ZodTypeAny, {
-    debug: boolean;
     lockPageSlug: string;
+    debug: boolean;
     appwardenApiToken: string;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
@@ -306,7 +306,6 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
 }, {
     lockPageSlug: string;
     appwardenApiToken: string;
-    debug?: string | boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives: string | {
@@ -338,6 +337,7 @@ declare const ReactRouterCloudflareConfigSchema: z.ZodObject<{
             "require-trusted-types-for"?: string | boolean | string[] | undefined;
         };
     } | undefined;
+    debug?: string | boolean | undefined;
     appwardenApiHostname?: string | undefined;
 }>;
 type ReactRouterCloudflareConfig = z.infer<typeof ReactRouterCloudflareConfigSchema>;
@@ -377,7 +377,7 @@ type ReactRouterMiddlewareFunction = (args: ReactRouterMiddlewareArgs, next: ()
  * ```typescript
  * // app/root.tsx
  * import { env } from "cloudflare:workers"
- * import { createAppwardenMiddleware } from "@appwarden/middleware/react-router"
+ * import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare/react-router"
  *
  * export const unstable_middleware = [
  *   createAppwardenMiddleware(() => ({