@appwarden/middleware 3.2.0 → 3.3.0

package/vercel.js

@@ -4,22 +4,27 @@ import {
 } from "./chunk-QEFORWCW.js";
 import {
   validateConfig
-} from "./chunk-COV6SHCD.js";
+} from "./chunk-7AVYENM2.js";
 import {
-  LockValue,
   MemoryCache,
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
   isOnLockPage
-} from "./chunk-ZX5QO4Y2.js";
+} from "./chunk-SUZPTFWY.js";
 import {
   APPWARDEN_CACHE_KEY,
-  debug,
+  CSPDirectivesSchema,
+  CSPModeSchema,
   errors,
   globalErrors,
-  isHTMLRequest,
+  isHTMLRequest
+} from "./chunk-HCGLR3Z3.js";
+import {
+  LockValue,
+  debug,
+  makeCSPHeader,
   printMessage
-} from "./chunk-L5EQIJZB.js";
+} from "./chunk-ZBYVJ3HA.js";
 
 // src/runners/appwarden-on-vercel.ts
 import { waitUntil } from "@vercel/functions";
@@ -134,11 +139,42 @@ var syncEdgeValue = async (context) => {
 };
 
 // src/schemas/vercel.ts
+var VercelCSPSchema = z.object({
+  mode: CSPModeSchema,
+  directives: z.lazy(() => CSPDirectivesSchema).optional().refine(
+    (val) => {
+      try {
+        if (typeof val === "string") {
+          JSON.parse(val);
+        }
+        return true;
+      } catch {
+        return false;
+      }
+    },
+    { message: "DirectivesBadParse" /* DirectivesBadParse */ }
+  ).refine(
+    (val) => {
+      if (!val) return true;
+      const serialized = typeof val === "string" ? val : JSON.stringify(val);
+      return !serialized.includes("{{nonce}}");
+    },
+    {
+      message: "Nonce-based CSP is not supported in Vercel Edge Middleware. Remove '{{nonce}}' placeholders from your CSP directives, as Vercel does not support nonce injection."
+    }
+  ).transform(
+    (val) => typeof val === "string" ? JSON.parse(val) : val
+  )
+}).refine(
+  (values) => ["report-only", "enforced"].includes(values.mode) ? !!values.directives : true,
+  { path: ["directives"], message: "DirectivesRequired" /* DirectivesRequired */ }
+);
 var BaseNextJsConfigSchema = z.object({
   cacheUrl: z.string(),
   appwardenApiToken: z.string(),
   vercelApiToken: z.string().optional(),
-  lockPageSlug: z.string().default("").transform((val) => val.replace(/^\/?/, "/"))
+  lockPageSlug: z.string().default("").transform((val) => val.replace(/^\/?/, "/")),
+  contentSecurityPolicy: VercelCSPSchema.optional()
 });
 var AppwardenConfigSchema = BaseNextJsConfigSchema.refine(
   (data) => {
@@ -203,6 +239,18 @@ function createAppwardenMiddleware(config) {
       return NextResponse.next();
     }
     const parsedConfig = AppwardenConfigSchema.parse(config);
+    const applyCspHeaders = (response) => {
+      const cspConfig = parsedConfig.contentSecurityPolicy;
+      if (cspConfig && ["enforced", "report-only"].includes(cspConfig.mode)) {
+        const [headerName, headerValue] = makeCSPHeader(
+          "",
+          cspConfig.directives,
+          cspConfig.mode
+        );
+        response.headers.set(headerName, headerValue);
+      }
+      return response;
+    };
     try {
       const requestUrl = new URL(request.url);
       const isHTML = isHTMLRequest(request);
@@ -239,12 +287,14 @@ function createAppwardenMiddleware(config) {
           parsedConfig.lockPageSlug,
           request.url
         );
-        return Response.redirect(
+        const redirectResponse = Response.redirect(
           lockPageUrl.toString(),
           TEMPORARY_REDIRECT_STATUS
         );
+        return applyCspHeaders(redirectResponse);
       }
-      return NextResponse.next();
+      const response = NextResponse.next();
+      return applyCspHeaders(response);
     } catch (e) {
       const message = "Appwarden encountered an unknown error. Please contact Appwarden support at https://appwarden.io/join-community.";
       if (e instanceof Error) {

package/chunk-L5EQIJZB.js

@@ -1,54 +0,0 @@
-// src/constants.ts
-var LOCKDOWN_TEST_EXPIRY_MS = 5 * 60 * 1e3;
-var errors = { badCacheConnection: "BAD_CACHE_CONNECTION" };
-var globalErrors = [errors.badCacheConnection];
-var APPWARDEN_TEST_ROUTE = "/_appwarden/test";
-var APPWARDEN_CACHE_KEY = "appwarden-lock";
-
-// src/utils/debug.ts
-var debug = (...msg) => {
-  if (true) {
-    const formatted = msg.map((m) => {
-      if (typeof m === "object" && m !== null) {
-        if (m instanceof Error) {
-          return m.stack ?? m.message;
-        }
-        try {
-          return JSON.stringify(m);
-        } catch {
-          try {
-            return String(m);
-          } catch {
-            return "[Unserializable value]";
-          }
-        }
-      }
-      return m;
-    });
-    console.log(...formatted);
-  }
-};
-
-// src/utils/print-message.ts
-var addSlashes = (str) => str.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$/g, "\\$").replace(/"/g, '\\"').replace(/'/g, "\\'").replace(/\u0000/g, "\\0").replace(/<\/script>/gi, "<\\/script>");
-var printMessage = (message) => `[@appwarden/middleware] ${addSlashes(message)}`;
-
-// src/utils/request-checks.ts
-function isHTMLResponse(response) {
-  return response.headers.get("Content-Type")?.includes("text/html") ?? false;
-}
-function isHTMLRequest(request) {
-  return request.headers.get("accept")?.includes("text/html") ?? false;
-}
-
-export {
-  LOCKDOWN_TEST_EXPIRY_MS,
-  errors,
-  globalErrors,
-  APPWARDEN_TEST_ROUTE,
-  APPWARDEN_CACHE_KEY,
-  debug,
-  printMessage,
-  isHTMLResponse,
-  isHTMLRequest
-};

package/chunk-MDODCAA3.js

@@ -1,232 +0,0 @@
-import {
-  LockValue,
-  MemoryCache
-} from "./chunk-ZX5QO4Y2.js";
-import {
-  APPWARDEN_CACHE_KEY,
-  APPWARDEN_TEST_ROUTE,
-  debug,
-  printMessage
-} from "./chunk-L5EQIJZB.js";
-
-// src/utils/cloudflare/cloudflare-cache.ts
-var store = {
-  json: (context, cacheKey, options) => {
-    const cacheKeyUrl = new URL(cacheKey, context.serviceOrigin);
-    return {
-      getValue: () => getCacheValue(context, cacheKeyUrl),
-      updateValue: (json) => updateCacheValue(context, cacheKeyUrl, json, options?.ttl),
-      deleteValue: () => clearCache(context, cacheKeyUrl)
-    };
-  }
-};
-var getCacheValue = async (context, cacheKey) => {
-  const match = await context.cache.match(cacheKey);
-  if (!match) {
-    debug(`[${cacheKey.pathname}] Cache MISS!`);
-    return void 0;
-  }
-  debug(`[${cacheKey.pathname}] Cache MATCH!`);
-  return match;
-};
-var updateCacheValue = async (context, cacheKey, value, ttl) => {
-  debug(
-    "updating cache...",
-    cacheKey.href,
-    value,
-    ttl ? `expires in ${ttl}s` : ""
-  );
-  await context.cache.put(
-    cacheKey,
-    new Response(JSON.stringify(value), {
-      headers: {
-        "content-type": "application/json",
-        ...ttl && {
-          "cache-control": `max-age=${ttl}`
-        }
-      }
-    })
-  );
-};
-var clearCache = (context, cacheKey) => context.cache.delete(cacheKey);
-
-// src/utils/cloudflare/delete-edge-value.ts
-var deleteEdgeValue = async (context) => {
-  try {
-    switch (context.provider) {
-      case "cloudflare-cache": {
-        const success = await context.edgeCache.deleteValue();
-        if (!success) {
-          throw new Error();
-        }
-        break;
-      }
-      default:
-        throw new Error(`Unsupported provider: ${context.provider}`);
-    }
-  } catch (e) {
-    const message = "Failed to delete edge value";
-    console.error(
-      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
-    );
-  }
-};
-
-// src/utils/cloudflare/get-lock-value.ts
-var getLockValue = async (context) => {
-  try {
-    let shouldDeleteEdgeValue = false;
-    let cacheResponse, lockValue = {
-      isLocked: 0,
-      isLockedTest: 0,
-      lastCheck: Date.now(),
-      code: ""
-    };
-    switch (context.provider) {
-      case "cloudflare-cache": {
-        cacheResponse = await context.edgeCache.getValue();
-        break;
-      }
-      default:
-        throw new Error(`Unsupported provider: ${context.provider}`);
-    }
-    if (!cacheResponse) {
-      return { lockValue: void 0 };
-    }
-    try {
-      const clonedResponse = cacheResponse?.clone();
-      lockValue = LockValue.parse(
-        clonedResponse ? await clonedResponse.json() : void 0
-      );
-    } catch (error) {
-      console.error(
-        printMessage(
-          `Failed to parse ${context.keyName} from edge cache - ${error}`
-        )
-      );
-      shouldDeleteEdgeValue = true;
-    }
-    return { lockValue, shouldDeleteEdgeValue };
-  } catch (e) {
-    const message = "Failed to retrieve edge value";
-    console.error(
-      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
-    );
-    return { lockValue: void 0 };
-  }
-};
-
-// src/utils/cloudflare/sync-edge-value.ts
-var APIError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "APIError";
-  }
-};
-var DEFAULT_API_HOSTNAME = "https://api.appwarden.io";
-var syncEdgeValue = async (context) => {
-  debug(`syncing with api`);
-  try {
-    const apiHostname = context.appwardenApiHostname ?? DEFAULT_API_HOSTNAME;
-    const response = await fetch(new URL("/v1/status/check", apiHostname), {
-      method: "POST",
-      headers: { "content-type": "application/json" },
-      body: JSON.stringify({
-        service: "cloudflare",
-        provider: context.provider,
-        fqdn: context.requestUrl.hostname,
-        appwardenApiToken: context.appwardenApiToken
-      })
-    });
-    if (response.status !== 200) {
-      throw new Error(`${response.status} ${response.statusText}`);
-    }
-    if (response.headers.get("content-type")?.includes("application/json")) {
-      const result = await response.json();
-      if (result.error) {
-        throw new APIError(result.error.message);
-      }
-      if (!result.content) {
-        throw new APIError("no content from api");
-      }
-      try {
-        const parsedValue = LockValue.omit({ lastCheck: true }).parse(
-          result.content
-        );
-        debug(`syncing with api...DONE ${JSON.stringify(parsedValue, null, 2)}`);
-        await context.edgeCache.updateValue({
-          ...parsedValue,
-          lastCheck: Date.now()
-        });
-      } catch (error) {
-        throw new APIError(`Failed to parse check endpoint result - ${error}`);
-      }
-    }
-  } catch (e) {
-    const message = "Failed to fetch from check endpoint";
-    console.error(
-      printMessage(
-        e instanceof APIError ? e.message : e instanceof Error ? `${message} - ${e.message}` : message
-      )
-    );
-  }
-};
-
-// src/core/check-lock-status.ts
-var createContext = async (config) => {
-  const requestUrl = new URL(config.request.url);
-  const keyName = APPWARDEN_CACHE_KEY;
-  const provider = "cloudflare-cache";
-  const edgeCache = store.json(
-    {
-      serviceOrigin: requestUrl.origin,
-      cache: await caches.open("appwarden:lock")
-    },
-    keyName
-  );
-  return {
-    keyName,
-    request: config.request,
-    edgeCache,
-    requestUrl,
-    provider,
-    debug: config.debug ?? false,
-    lockPageSlug: config.lockPageSlug,
-    appwardenApiToken: config.appwardenApiToken,
-    appwardenApiHostname: config.appwardenApiHostname,
-    waitUntil: config.waitUntil
-  };
-};
-var resolveLockStatus = async (context) => {
-  const { lockValue, shouldDeleteEdgeValue } = await getLockValue(context);
-  if (shouldDeleteEdgeValue) {
-    await deleteEdgeValue(context);
-  }
-  const isTestRoute = context.requestUrl.pathname === APPWARDEN_TEST_ROUTE;
-  const isTestLock = isTestRoute && !MemoryCache.isTestExpired(lockValue) && !!lockValue;
-  return {
-    isLocked: !!lockValue?.isLocked || isTestLock,
-    isTestLock,
-    lockValue,
-    wasDeleted: shouldDeleteEdgeValue ?? false
-  };
-};
-var checkLockStatus = async (config) => {
-  const context = await createContext(config);
-  let { isLocked, isTestLock, lockValue, wasDeleted } = await resolveLockStatus(context);
-  if (MemoryCache.isExpired(lockValue) || wasDeleted) {
-    if (!lockValue || wasDeleted || lockValue.isLocked) {
-      await syncEdgeValue(context);
-      ({ isLocked, isTestLock } = await resolveLockStatus(context));
-    } else {
-      config.waitUntil(syncEdgeValue(context));
-    }
-  }
-  return { isLocked, isTestLock };
-};
-
-export {
-  store,
-  getLockValue,
-  checkLockStatus
-};