@appwarden/middleware 3.11.6 → 3.13.0

package/README.md

@@ -4,7 +4,7 @@
 [![GitHub](https://img.shields.io/badge/GitHub-appwarden%2Fmiddleware-181717?logo=github&logoColor=white)](https://github.com/appwarden/middleware)
 [![npm version](https://img.shields.io/npm/v/@appwarden/middleware.svg)](https://www.npmjs.com/package/@appwarden/middleware)
 [![npm provenance](https://img.shields.io/badge/npm-provenance-green)](https://docs.npmjs.com/generating-provenance-statements)
-![Test Coverage](https://img.shields.io/badge/coverage-93.08%25-brightgreen)
+![Test Coverage](https://img.shields.io/badge/coverage-94.3%25-brightgreen)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
 ## Core Features

package/chunk-2ZSJUEHK.js

@@ -0,0 +1,445 @@
+import {
+  APPWARDEN_HEARTBEAT_ROUTE,
+  HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES,
+  HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_COUNT,
+  HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH,
+  HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH,
+  HEARTBEAT_CONTRACT_VERSION,
+  HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES,
+  LOCKDOWN_TEST_EXPIRY_MS,
+  validateHeartbeatResponseBody
+} from "./chunk-SREQAAZC.js";
+
+// src/utils/build-lock-page-url.ts
+function normalizeLockPageSlug(lockPageSlug) {
+  return lockPageSlug.startsWith("/") ? lockPageSlug : `/${lockPageSlug}`;
+}
+function buildLockPageUrl(lockPageSlug, requestUrl) {
+  const normalizedSlug = normalizeLockPageSlug(lockPageSlug);
+  return new URL(normalizedSlug, requestUrl);
+}
+function normalizeTrailingSlash(path) {
+  if (path === "/") return path;
+  return path.endsWith("/") ? path.slice(0, -1) : path;
+}
+function isOnLockPage(lockPageSlug, requestUrl) {
+  const normalizedSlug = normalizeTrailingSlash(
+    normalizeLockPageSlug(lockPageSlug)
+  );
+  const url = typeof requestUrl === "string" ? new URL(requestUrl) : requestUrl;
+  const normalizedPathname = normalizeTrailingSlash(url.pathname);
+  return normalizedPathname === normalizedSlug;
+}
+
+// src/utils/create-redirect.ts
+var TEMPORARY_REDIRECT_STATUS = 302;
+var createRedirect = (url) => {
+  return new Response(null, {
+    status: TEMPORARY_REDIRECT_STATUS,
+    headers: {
+      Location: url.toString()
+    }
+  });
+};
+
+// src/utils/print-message.ts
+var addSlashes = (str) => str.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$/g, "\\$").replace(/"/g, '\\"').replace(/'/g, "\\'").replace(/\u0000/g, "\\0").replace(/<\/script>/gi, "<\\/script>");
+var printMessage = (message) => `[@appwarden/middleware] ${addSlashes(message)}`;
+
+// src/utils/debug.ts
+var debug = (isDebug) => (...msg) => {
+  if (!isDebug) return;
+  const parts = msg.map((m) => {
+    let content;
+    if (m instanceof Error) {
+      content = m.stack ?? m.message;
+    } else if (typeof m === "object" && m !== null) {
+      try {
+        content = JSON.stringify(m);
+      } catch {
+        try {
+          content = String(m);
+        } catch {
+          content = "[Unserializable value]";
+        }
+      }
+    } else {
+      content = String(m);
+    }
+    return content;
+  });
+  const message = parts.join(" ");
+  console.log(printMessage(message));
+};
+
+// src/utils/memory-cache.ts
+var MemoryCache = class {
+  cache = /* @__PURE__ */ new Map();
+  maxSize;
+  constructor(options) {
+    this.maxSize = options.maxSize;
+  }
+  get(key) {
+    let item;
+    if (this.cache.has(key)) {
+      item = this.cache.get(key);
+      this.cache.delete(key);
+      if (item !== void 0) {
+        this.cache.set(key, item);
+      }
+    }
+    return item;
+  }
+  put(key, value) {
+    if (this.cache.has(key)) {
+      this.cache.delete(key);
+    } else if (this.cache.size >= this.maxSize) {
+      const firstKey = this.cache.keys().next().value;
+      if (firstKey !== void 0) {
+        this.cache.delete(firstKey);
+      }
+    }
+    this.cache.set(key, value);
+  }
+  getValues() {
+    return this.cache;
+  }
+  // the default value will be expired here
+  static isExpired = (lockValue) => {
+    if (!lockValue) {
+      return true;
+    }
+    return Date.now() > lockValue.lastCheck + 3e4;
+  };
+  static isTestExpired = (lockValue) => {
+    if (!lockValue) {
+      return true;
+    }
+    return Date.now() > lockValue.isLockedTest + LOCKDOWN_TEST_EXPIRY_MS;
+  };
+};
+
+// src/version.ts
+var MIDDLEWARE_VERSION = "3.12.0";
+
+// src/utils/heartbeat.ts
+var DEFAULT_HEARTBEAT_CONFIG_ERROR_CODE = "custom";
+var DEFAULT_HEARTBEAT_CONFIG_ERROR_MESSAGE = "Appwarden configuration validation failed";
+var HEARTBEAT_CONSTRUCTION_FAILURE_BODY = JSON.stringify({
+  error: "appwarden_heartbeat_construction_failed"
+});
+function createSanitizedMessage(code, path) {
+  const fieldName = path.length > 0 ? path[path.length - 1] : "field";
+  switch (code) {
+    case "invalid_type":
+      return `Invalid type for ${fieldName}`;
+    case "invalid_literal":
+      return `Invalid value for ${fieldName}`;
+    case "unrecognized_keys":
+      return `Unrecognized keys in ${fieldName}`;
+    case "invalid_union":
+      return `Invalid union value for ${fieldName}`;
+    case "invalid_enum_value":
+      return `Invalid enum value for ${fieldName}`;
+    case "invalid_arguments":
+      return `Invalid arguments for ${fieldName}`;
+    case "invalid_return_type":
+      return `Invalid return type for ${fieldName}`;
+    case "invalid_date":
+      return `Invalid date for ${fieldName}`;
+    case "invalid_string":
+      return `Invalid string format for ${fieldName}`;
+    case "too_small":
+      return `Value too small for ${fieldName}`;
+    case "too_big":
+      return `Value too large for ${fieldName}`;
+    case "invalid_intersection_types":
+      return `Invalid intersection types for ${fieldName}`;
+    case "not_multiple_of":
+      return `Value not a multiple of required value for ${fieldName}`;
+    case "not_finite":
+      return `Value must be finite for ${fieldName}`;
+    case "custom":
+      return `Validation failed for ${fieldName}`;
+    default:
+      return `Validation error for ${fieldName}`;
+  }
+}
+function truncateWithEllipsis(value, maxLength) {
+  if (value.length <= maxLength) {
+    return value;
+  }
+  if (maxLength <= 3) {
+    return value.substring(0, maxLength);
+  }
+  return value.substring(0, maxLength - 3) + "...";
+}
+function sanitizePathSegment(segment) {
+  if (typeof segment === "number" && Number.isFinite(segment)) {
+    return Number.isSafeInteger(segment) ? Math.max(0, segment) : Math.max(0, Math.trunc(segment));
+  }
+  return truncateWithEllipsis(
+    typeof segment === "string" ? segment : String(segment),
+    HEARTBEAT_CONFIG_ERROR_MAX_PATH_SEGMENT_LENGTH
+  );
+}
+function sanitizePath(path) {
+  const truncatedPath = path.slice(0, HEARTBEAT_CONFIG_ERROR_MAX_PATH_DEPTH);
+  return truncatedPath.map(sanitizePathSegment);
+}
+function truncateMessage(message) {
+  return truncateWithEllipsis(
+    message,
+    HEARTBEAT_CONFIG_ERROR_MAX_MESSAGE_LENGTH
+  );
+}
+function truncateCode(code) {
+  return truncateWithEllipsis(code, HEARTBEAT_CONFIG_ERROR_MAX_CODE_LENGTH);
+}
+function normalizeNonEmptyString(value, fallback, truncate) {
+  const normalizedValue = truncate(value.trim());
+  if (normalizedValue.length > 0) {
+    return normalizedValue;
+  }
+  return truncate(fallback);
+}
+function getSerializedJsonByteLength(value) {
+  return new TextEncoder().encode(JSON.stringify(value)).length;
+}
+function isConfigErrorsWithinByteBudget(configErrors) {
+  return getSerializedJsonByteLength(configErrors) <= HEARTBEAT_CONFIG_ERRORS_MAX_SERIALIZED_BYTES;
+}
+function isResponseBodyWithinByteBudget(body) {
+  return getSerializedJsonByteLength(body) <= HEARTBEAT_RESPONSE_BODY_MAX_SERIALIZED_BYTES;
+}
+function createHeartbeatConfigError(path, code, message) {
+  return {
+    path: sanitizePath(path),
+    code: normalizeNonEmptyString(
+      code,
+      DEFAULT_HEARTBEAT_CONFIG_ERROR_CODE,
+      truncateCode
+    ),
+    message: normalizeNonEmptyString(
+      message,
+      DEFAULT_HEARTBEAT_CONFIG_ERROR_MESSAGE,
+      truncateMessage
+    )
+  };
+}
+function normalizeHeartbeatConfigErrors(configErrors) {
+  const normalizedConfigErrors = configErrors.slice(0, HEARTBEAT_CONFIG_ERROR_MAX_COUNT).map(
+    (configError) => createHeartbeatConfigError(
+      configError.path,
+      configError.code,
+      configError.message
+    )
+  );
+  while (normalizedConfigErrors.length > 0 && !isConfigErrorsWithinByteBudget(normalizedConfigErrors)) {
+    normalizedConfigErrors.pop();
+  }
+  return normalizedConfigErrors;
+}
+function sanitizeConfigErrors(error) {
+  if (!error) {
+    return [];
+  }
+  const errors = [];
+  const issues = error.issues.slice(0, HEARTBEAT_CONFIG_ERROR_MAX_COUNT);
+  for (const issue of issues) {
+    const sanitizedPath = sanitizePath(issue.path);
+    const message = truncateMessage(
+      createSanitizedMessage(issue.code, sanitizedPath)
+    );
+    errors.push({
+      path: sanitizedPath,
+      code: issue.code,
+      message
+    });
+  }
+  return errors;
+}
+function createHeartbeatResponseBody(service, configErrors = []) {
+  const normalizedConfigErrors = normalizeHeartbeatConfigErrors(configErrors);
+  const body = {
+    app: "appwarden",
+    kind: "heartbeat",
+    status: "ok",
+    contractVersion: HEARTBEAT_CONTRACT_VERSION,
+    service,
+    version: MIDDLEWARE_VERSION,
+    configErrors: normalizedConfigErrors
+  };
+  while (body.configErrors.length > 0 && !isResponseBodyWithinByteBudget(body)) {
+    body.configErrors.pop();
+  }
+  return validateHeartbeatResponseBody(body);
+}
+function createHeartbeatConstructionFailureResponse() {
+  return new Response(HEARTBEAT_CONSTRUCTION_FAILURE_BODY, {
+    status: 500,
+    headers: {
+      "content-type": "application/json",
+      "cache-control": "no-store"
+    }
+  });
+}
+function createHeartbeatResponse(service, configErrors = []) {
+  try {
+    const body = createHeartbeatResponseBody(service, configErrors);
+    return new Response(JSON.stringify(body), {
+      status: 200,
+      headers: {
+        "content-type": "application/json",
+        "cache-control": "no-store",
+        "x-appwarden-heartbeat": "1",
+        "x-appwarden-contract-version": String(HEARTBEAT_CONTRACT_VERSION),
+        "x-appwarden-service": service,
+        "x-appwarden-version": MIDDLEWARE_VERSION
+      }
+    });
+  } catch {
+    return createHeartbeatConstructionFailureResponse();
+  }
+}
+function isHeartbeatRoute(url) {
+  return url.pathname === APPWARDEN_HEARTBEAT_ROUTE;
+}
+function isHeartbeatRequest(request, url) {
+  return request.method === "GET" && isHeartbeatRoute(url);
+}
+function handleHeartbeatRequest(request, service, configErrors = []) {
+  return createHeartbeatResponse(service, configErrors);
+}
+
+// src/utils/request-checks.ts
+function isHTMLResponse(response) {
+  return response.headers.get("Content-Type")?.includes("text/html") ?? false;
+}
+function isHTMLRequest(request) {
+  const accept = request.headers.get("accept");
+  if (!accept) {
+    return false;
+  }
+  const normalizedAccept = accept.toLowerCase();
+  const isWildcardOnlyAccept = (value) => {
+    const mediaRanges2 = value.split(",");
+    let hasNonEmptyRange = false;
+    for (const range of mediaRanges2) {
+      const [typeSubtype] = range.split(";");
+      const trimmed = typeSubtype.trim();
+      if (!trimmed) {
+        continue;
+      }
+      hasNonEmptyRange = true;
+      if (trimmed !== "*/*" && trimmed !== "*") {
+        return false;
+      }
+    }
+    return hasNonEmptyRange;
+  };
+  if (isWildcardOnlyAccept(normalizedAccept)) {
+    return false;
+  }
+  const mediaRanges = normalizedAccept.split(",");
+  for (const range of mediaRanges) {
+    const [typeSubtype] = range.split(";");
+    const token = typeSubtype.trim();
+    if (token === "text/html") {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/utils/cloudflare/csp-keywords.ts
+var CSP_KEYWORDS = [
+  "self",
+  "none",
+  "unsafe-inline",
+  "unsafe-eval",
+  "unsafe-hashes",
+  "strict-dynamic",
+  "report-sample",
+  "unsafe-allow-redirects",
+  "wasm-unsafe-eval",
+  "trusted-types-eval",
+  "report-sha256",
+  "report-sha384",
+  "report-sha512",
+  "unsafe-webtransport-hashes"
+];
+var CSP_KEYWORDS_SET = new Set(CSP_KEYWORDS);
+var isCSPKeyword = (value) => {
+  return CSP_KEYWORDS_SET.has(value.toLowerCase());
+};
+var isQuoted = (value) => {
+  return value.startsWith("'") && value.endsWith("'");
+};
+var autoQuoteCSPKeyword = (value) => {
+  const trimmed = value.trim();
+  if (isQuoted(trimmed)) {
+    return trimmed;
+  }
+  if (isCSPKeyword(trimmed)) {
+    return `'${trimmed}'`;
+  }
+  return trimmed;
+};
+var autoQuoteCSPDirectiveValue = (value) => {
+  return value.trim().split(/\s+/).filter(Boolean).map(autoQuoteCSPKeyword).join(" ");
+};
+var autoQuoteCSPDirectiveArray = (values) => {
+  return values.map(autoQuoteCSPKeyword);
+};
+
+// src/utils/cloudflare/make-csp-header.ts
+var addNonce = (value, cspNonce) => value.replace("{{nonce}}", `'nonce-${cspNonce}'`);
+var makeCSPHeader = (cspNonce, directives, mode) => {
+  const namesSeen = /* @__PURE__ */ new Set(), result = [];
+  Object.entries(directives ?? {}).forEach(([originalName, value]) => {
+    const name = originalName.replace(/([a-z])([A-Z])/g, "$1-$2").toLowerCase();
+    if (namesSeen.has(name)) {
+      throw new Error(`${originalName} is specified more than once`);
+    }
+    namesSeen.add(name);
+    let directiveValue;
+    if (Array.isArray(value)) {
+      directiveValue = autoQuoteCSPDirectiveArray(value).join(" ");
+    } else if (value === true) {
+      directiveValue = "";
+    } else if (typeof value === "string") {
+      directiveValue = autoQuoteCSPDirectiveValue(value);
+    } else {
+      return;
+    }
+    if (directiveValue) {
+      result.push(`${name} ${addNonce(directiveValue, cspNonce)}`);
+    } else {
+      result.push(name);
+    }
+  });
+  return [
+    mode === "enforced" ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only",
+    result.join("; ")
+  ];
+};
+
+export {
+  buildLockPageUrl,
+  isOnLockPage,
+  TEMPORARY_REDIRECT_STATUS,
+  createRedirect,
+  printMessage,
+  debug,
+  MemoryCache,
+  createHeartbeatConfigError,
+  sanitizeConfigErrors,
+  isHeartbeatRequest,
+  handleHeartbeatRequest,
+  isHTMLResponse,
+  isHTMLRequest,
+  makeCSPHeader
+};

package/{chunk-5HCAAVK5.js → chunk-GNDWHKJ5.js}

@@ -1,11 +1,9 @@
-import {
-  UseCSPInputSchema
-} from "./chunk-ZTVJBORU.js";
 import {
   AppwardenApiHostnameSchema,
   AppwardenApiTokenSchema,
-  BooleanSchema
-} from "./chunk-WEM7GS4M.js";
+  BooleanSchema,
+  UseCSPInputSchema
+} from "./chunk-SREQAAZC.js";
 
 // src/schemas/use-appwarden.ts
 import { z } from "zod";