@appwarden/middleware 3.2.1 → 3.3.0

package/chunk-ZBYVJ3HA.js

@@ -0,0 +1,354 @@
+// src/utils/debug.ts
+var debug = (...msg) => {
+  if (true) {
+    const formatted = msg.map((m) => {
+      if (typeof m === "object" && m !== null) {
+        if (m instanceof Error) {
+          return m.stack ?? m.message;
+        }
+        try {
+          return JSON.stringify(m);
+        } catch {
+          try {
+            return String(m);
+          } catch {
+            return "[Unserializable value]";
+          }
+        }
+      }
+      return m;
+    });
+    console.log(...formatted);
+  }
+};
+
+// src/utils/cloudflare/cloudflare-cache.ts
+var store = {
+  json: (context, cacheKey, options) => {
+    const cacheKeyUrl = new URL(cacheKey, context.serviceOrigin);
+    return {
+      getValue: () => getCacheValue(context, cacheKeyUrl),
+      updateValue: (json) => updateCacheValue(context, cacheKeyUrl, json, options?.ttl),
+      deleteValue: () => clearCache(context, cacheKeyUrl)
+    };
+  }
+};
+var getCacheValue = async (context, cacheKey) => {
+  const match = await context.cache.match(cacheKey);
+  if (!match) {
+    debug(`[${cacheKey.pathname}] Cache MISS!`);
+    return void 0;
+  }
+  debug(`[${cacheKey.pathname}] Cache MATCH!`);
+  return match;
+};
+var updateCacheValue = async (context, cacheKey, value, ttl) => {
+  debug(
+    "updating cache...",
+    cacheKey.href,
+    value,
+    ttl ? `expires in ${ttl}s` : ""
+  );
+  await context.cache.put(
+    cacheKey,
+    new Response(JSON.stringify(value), {
+      headers: {
+        "content-type": "application/json",
+        ...ttl && {
+          "cache-control": `max-age=${ttl}`
+        }
+      }
+    })
+  );
+};
+var clearCache = (context, cacheKey) => context.cache.delete(cacheKey);
+
+// src/utils/cloudflare/csp-keywords.ts
+var CSP_KEYWORDS = [
+  "self",
+  "none",
+  "unsafe-inline",
+  "unsafe-eval",
+  "unsafe-hashes",
+  "strict-dynamic",
+  "report-sample",
+  "unsafe-allow-redirects",
+  "wasm-unsafe-eval",
+  "trusted-types-eval",
+  "report-sha256",
+  "report-sha384",
+  "report-sha512",
+  "unsafe-webtransport-hashes"
+];
+var CSP_KEYWORDS_SET = new Set(CSP_KEYWORDS);
+var isCSPKeyword = (value) => {
+  return CSP_KEYWORDS_SET.has(value.toLowerCase());
+};
+var isQuoted = (value) => {
+  return value.startsWith("'") && value.endsWith("'");
+};
+var autoQuoteCSPKeyword = (value) => {
+  const trimmed = value.trim();
+  if (isQuoted(trimmed)) {
+    return trimmed;
+  }
+  if (isCSPKeyword(trimmed)) {
+    return `'${trimmed}'`;
+  }
+  return trimmed;
+};
+var autoQuoteCSPDirectiveValue = (value) => {
+  return value.trim().split(/\s+/).filter(Boolean).map(autoQuoteCSPKeyword).join(" ");
+};
+var autoQuoteCSPDirectiveArray = (values) => {
+  return values.map(autoQuoteCSPKeyword);
+};
+
+// src/utils/print-message.ts
+var addSlashes = (str) => str.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$/g, "\\$").replace(/"/g, '\\"').replace(/'/g, "\\'").replace(/\u0000/g, "\\0").replace(/<\/script>/gi, "<\\/script>");
+var printMessage = (message) => `[@appwarden/middleware] ${addSlashes(message)}`;
+
+// src/utils/cloudflare/delete-edge-value.ts
+var deleteEdgeValue = async (context) => {
+  try {
+    switch (context.provider) {
+      case "cloudflare-cache": {
+        const success = await context.edgeCache.deleteValue();
+        if (!success) {
+          throw new Error();
+        }
+        break;
+      }
+      default:
+        throw new Error(`Unsupported provider: ${context.provider}`);
+    }
+  } catch (e) {
+    const message = "Failed to delete edge value";
+    console.error(
+      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
+    );
+  }
+};
+
+// src/schemas/helpers.ts
+import { z } from "zod";
+var BoolOrStringSchema = z.union([z.string(), z.boolean()]).optional();
+var BooleanSchema = BoolOrStringSchema.transform((val) => {
+  if (val === "true" || val === true) {
+    return true;
+  } else if (val === "false" || val === false) {
+    return false;
+  }
+  throw new Error("Invalid value");
+});
+var AppwardenApiTokenSchema = z.string().refine((val) => !!val, { message: "appwardenApiToken is required" });
+var LockValue = z.object({
+  isLocked: z.number(),
+  isLockedTest: z.number(),
+  lastCheck: z.number(),
+  code: z.string()
+});
+
+// src/utils/errors.ts
+var errorsMap = {
+  mode: '`CSP_MODE` must be one of "disabled", "report-only", or "enforced"',
+  directives: {
+    ["DirectivesRequired" /* DirectivesRequired */]: '`CSP_DIRECTIVES` must be provided when `CSP_MODE` is "report-only" or "enforced"',
+    ["DirectivesBadParse" /* DirectivesBadParse */]: "Failed to parse `CSP_DIRECTIVES`. Is it a valid JSON string?"
+  },
+  appwardenApiToken: "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/guides/api-token-management."
+};
+var getErrors = (error) => {
+  const matches = [];
+  const errors = [...Object.entries(error.flatten().fieldErrors)];
+  for (const issue of error.issues) {
+    errors.push(
+      ...Object.entries(
+        "returnTypeError" in issue ? issue.returnTypeError.flatten().fieldErrors : {}
+      )
+    );
+  }
+  for (const [field, maybeSchemaErrorKey] of errors) {
+    let match = errorsMap[field];
+    if (match) {
+      if (match instanceof Object) {
+        if (maybeSchemaErrorKey) {
+          match = match[maybeSchemaErrorKey[0]];
+        }
+      }
+      matches.push(match);
+    }
+  }
+  return matches;
+};
+
+// src/utils/cloudflare/get-lock-value.ts
+var getLockValue = async (context) => {
+  try {
+    let shouldDeleteEdgeValue = false;
+    let cacheResponse, lockValue = {
+      isLocked: 0,
+      isLockedTest: 0,
+      lastCheck: Date.now(),
+      code: ""
+    };
+    switch (context.provider) {
+      case "cloudflare-cache": {
+        cacheResponse = await context.edgeCache.getValue();
+        break;
+      }
+      default:
+        throw new Error(`Unsupported provider: ${context.provider}`);
+    }
+    if (!cacheResponse) {
+      return { lockValue: void 0 };
+    }
+    try {
+      const clonedResponse = cacheResponse?.clone();
+      lockValue = LockValue.parse(
+        clonedResponse ? await clonedResponse.json() : void 0
+      );
+    } catch (error) {
+      console.error(
+        printMessage(
+          `Failed to parse ${context.keyName} from edge cache - ${error}`
+        )
+      );
+      shouldDeleteEdgeValue = true;
+    }
+    return { lockValue, shouldDeleteEdgeValue };
+  } catch (e) {
+    const message = "Failed to retrieve edge value";
+    console.error(
+      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
+    );
+    return { lockValue: void 0 };
+  }
+};
+
+// src/utils/cloudflare/insert-errors-logs.ts
+var insertErrorLogs = async (context, error) => {
+  const errors = getErrors(error);
+  for (const err of errors) {
+    console.log(printMessage(err));
+  }
+  return new HTMLRewriter().on("body", {
+    element: (elem) => {
+      elem.append(
+        `<script>
+            ${errors.map((err) => `console.error(\`${printMessage(err)}\`)`).join("\n")}
+          </script>`,
+        { html: true }
+      );
+    }
+  }).transform(await fetch(context.request));
+};
+
+// src/utils/cloudflare/make-csp-header.ts
+var addNonce = (value, cspNonce) => value.replace("{{nonce}}", `'nonce-${cspNonce}'`);
+var makeCSPHeader = (cspNonce, directives, mode) => {
+  const namesSeen = /* @__PURE__ */ new Set(), result = [];
+  Object.entries(directives ?? {}).forEach(([originalName, value]) => {
+    const name = originalName.replace(/([a-z])([A-Z])/g, "$1-$2").toLowerCase();
+    if (namesSeen.has(name)) {
+      throw new Error(`${originalName} is specified more than once`);
+    }
+    namesSeen.add(name);
+    let directiveValue;
+    if (Array.isArray(value)) {
+      directiveValue = autoQuoteCSPDirectiveArray(value).join(" ");
+    } else if (value === true) {
+      directiveValue = "";
+    } else if (typeof value === "string") {
+      directiveValue = autoQuoteCSPDirectiveValue(value);
+    } else {
+      return;
+    }
+    if (directiveValue) {
+      result.push(`${name} ${addNonce(directiveValue, cspNonce)}`);
+    } else {
+      result.push(name);
+    }
+  });
+  return [
+    mode === "enforced" ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only",
+    result.join("; ")
+  ];
+};
+
+// src/utils/cloudflare/sync-edge-value.ts
+var APIError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "APIError";
+  }
+};
+var DEFAULT_API_HOSTNAME = "https://api.appwarden.io";
+var syncEdgeValue = async (context) => {
+  debug(`syncing with api`);
+  try {
+    const apiHostname = context.appwardenApiHostname ?? DEFAULT_API_HOSTNAME;
+    const response = await fetch(new URL("/v1/status/check", apiHostname), {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        service: "cloudflare",
+        provider: context.provider,
+        fqdn: context.requestUrl.hostname,
+        appwardenApiToken: context.appwardenApiToken
+      })
+    });
+    if (response.status !== 200) {
+      throw new Error(`${response.status} ${response.statusText}`);
+    }
+    if (response.headers.get("content-type")?.includes("application/json")) {
+      const result = await response.json();
+      if (result.error) {
+        throw new APIError(result.error.message);
+      }
+      if (!result.content) {
+        throw new APIError("no content from api");
+      }
+      try {
+        const parsedValue = LockValue.omit({ lastCheck: true }).parse(
+          result.content
+        );
+        debug(`syncing with api...DONE ${JSON.stringify(parsedValue, null, 2)}`);
+        await context.edgeCache.updateValue({
+          ...parsedValue,
+          lastCheck: Date.now()
+        });
+      } catch (error) {
+        throw new APIError(`Failed to parse check endpoint result - ${error}`);
+      }
+    }
+  } catch (e) {
+    const message = "Failed to fetch from check endpoint";
+    console.error(
+      printMessage(
+        e instanceof APIError ? e.message : e instanceof Error ? `${message} - ${e.message}` : message
+      )
+    );
+  }
+};
+
+export {
+  debug,
+  getErrors,
+  printMessage,
+  BooleanSchema,
+  AppwardenApiTokenSchema,
+  LockValue,
+  store,
+  CSP_KEYWORDS,
+  isCSPKeyword,
+  isQuoted,
+  autoQuoteCSPKeyword,
+  autoQuoteCSPDirectiveValue,
+  autoQuoteCSPDirectiveArray,
+  deleteEdgeValue,
+  getLockValue,
+  insertErrorLogs,
+  makeCSPHeader,
+  syncEdgeValue
+};

package/cloudflare/astro.d.ts

@@ -1,5 +1,7 @@
 import { Runtime } from '@astrojs/cloudflare';
 import { APIContext, MiddlewareHandler } from 'astro';
+import { U as UseCSPInput } from '../use-content-security-policy-DUYpyUPy.js';
+import 'zod';
 
 /**
  * Cloudflare runtime context provided by Astro on Cloudflare Workers.
@@ -20,6 +22,8 @@ interface AstroAppwardenConfig {
     appwardenApiHostname?: string;
     /** Enable debug logging */
     debug?: boolean;
+    /** Optional Content Security Policy configuration */
+    contentSecurityPolicy?: UseCSPInput;
 }
 /**
  * Configuration function that receives the Cloudflare runtime and returns the config.

package/cloudflare/astro.js

@@ -1,21 +1,27 @@
+import {
+  useContentSecurityPolicy
+} from "../chunk-BYRGGUK7.js";
 import {
   validateConfig
-} from "../chunk-COV6SHCD.js";
+} from "../chunk-7AVYENM2.js";
 import {
   checkLockStatus
-} from "../chunk-MDODCAA3.js";
+} from "../chunk-PH77FI6C.js";
 import {
-  AppwardenApiTokenSchema,
-  BooleanSchema,
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
   createRedirect,
   isOnLockPage
-} from "../chunk-ZX5QO4Y2.js";
+} from "../chunk-SUZPTFWY.js";
 import {
-  isHTMLRequest,
+  UseCSPInputSchema,
+  isHTMLRequest
+} from "../chunk-HCGLR3Z3.js";
+import {
+  AppwardenApiTokenSchema,
+  BooleanSchema,
   printMessage
-} from "../chunk-L5EQIJZB.js";
+} from "../chunk-ZBYVJ3HA.js";
 
 // src/schemas/astro-cloudflare.ts
 import { z } from "zod";
@@ -27,7 +33,9 @@ var AstroCloudflareConfigSchema = z.object({
   /** Optional custom API hostname (defaults to https://api.appwarden.io) */
   appwardenApiHostname: z.string().optional(),
   /** Enable debug logging */
-  debug: BooleanSchema.default(false)
+  debug: BooleanSchema.default(false),
+  /** Optional Content Security Policy configuration */
+  contentSecurityPolicy: z.lazy(() => UseCSPInputSchema).optional()
 });
 
 // src/adapters/astro-cloudflare.ts
@@ -74,7 +82,23 @@ function createAppwardenMiddleware(configFn) {
         }
         return createRedirect(lockPageUrl);
       }
-      return next();
+      const response = await next();
+      if (config.contentSecurityPolicy) {
+        const cspContext = {
+          request,
+          response,
+          hostname: new URL(request.url).hostname,
+          waitUntil: (fn) => runtime.ctx.waitUntil(fn)
+        };
+        await useContentSecurityPolicy(config.contentSecurityPolicy)(
+          cspContext,
+          async () => {
+          }
+          // no-op next
+        );
+        return cspContext.response;
+      }
+      return response;
     } catch (error) {
       if (error instanceof Response) {
         throw error;

package/cloudflare/nextjs.d.ts

@@ -1,4 +1,6 @@
 import { NextRequest, NextFetchEvent, NextResponse } from 'next/server';
+import { U as UseCSPInput } from '../use-content-security-policy-DUYpyUPy.js';
+import 'zod';
 
 /**
  * Cloudflare runtime context provided by @opennextjs/cloudflare.
@@ -20,6 +22,8 @@ interface NextJsCloudflareAppwardenConfig {
     appwardenApiHostname?: string;
     /** Enable debug logging */
     debug?: boolean;
+    /** Optional Content Security Policy configuration (headers only, no HTML rewriting; `{{nonce}}` placeholders are not supported) */
+    contentSecurityPolicy?: UseCSPInput;
 }
 /**
  * Configuration function that receives the Cloudflare runtime and returns the config.

package/cloudflare/nextjs.js

@@ -1,20 +1,23 @@
 import {
   validateConfig
-} from "../chunk-COV6SHCD.js";
+} from "../chunk-7AVYENM2.js";
 import {
   checkLockStatus
-} from "../chunk-MDODCAA3.js";
+} from "../chunk-PH77FI6C.js";
 import {
-  AppwardenApiTokenSchema,
-  BooleanSchema,
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
   isOnLockPage
-} from "../chunk-ZX5QO4Y2.js";
+} from "../chunk-SUZPTFWY.js";
+import {
+  UseCSPInputSchema,
+  isHTMLRequest
+} from "../chunk-HCGLR3Z3.js";
 import {
-  isHTMLRequest,
+  AppwardenApiTokenSchema,
+  BooleanSchema,
   printMessage
-} from "../chunk-L5EQIJZB.js";
+} from "../chunk-ZBYVJ3HA.js";
 
 // src/adapters/nextjs-cloudflare.ts
 import {
@@ -23,6 +26,17 @@ import {
 
 // src/schemas/nextjs-cloudflare.ts
 import { z } from "zod";
+var NextJsCloudflareCSPInputSchema = UseCSPInputSchema.refine(
+  (values) => {
+    if (!values.directives) return true;
+    const serialized = JSON.stringify(values.directives);
+    return !serialized.includes("{{nonce}}");
+  },
+  {
+    path: ["directives"],
+    message: "Nonce-based CSP is not supported in the Next.js Cloudflare adapter. Remove '{{nonce}}' placeholders from your CSP directives, as this adapter does not inject nonces into HTML."
+  }
+);
 var NextJsCloudflareConfigSchema = z.object({
   /** The slug/path of the lock page to redirect to when the site is locked */
   lockPageSlug: z.string(),
@@ -31,7 +45,9 @@ var NextJsCloudflareConfigSchema = z.object({
   /** Optional custom API hostname (defaults to https://api.appwarden.io) */
   appwardenApiHostname: z.string().optional(),
   /** Enable debug logging */
-  debug: BooleanSchema.default(false)
+  debug: BooleanSchema.default(false),
+  /** Optional Content Security Policy configuration (headers only, no HTML rewriting; '{{nonce}}' is not supported) */
+  contentSecurityPolicy: z.lazy(() => NextJsCloudflareCSPInputSchema).optional()
 });
 
 // src/adapters/nextjs-cloudflare.ts
@@ -63,6 +79,17 @@ function createAppwardenMiddleware(configFn) {
         const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
         return NextResponse.redirect(lockPageUrl, TEMPORARY_REDIRECT_STATUS);
       }
+      if (config.contentSecurityPolicy && config.contentSecurityPolicy.mode !== "disabled") {
+        const { makeCSPHeader } = await import("../cloudflare-LUT5TVEV.js");
+        const [headerName, headerValue] = makeCSPHeader(
+          "",
+          config.contentSecurityPolicy.directives,
+          config.contentSecurityPolicy.mode
+        );
+        const response = NextResponse.next();
+        response.headers.set(headerName, headerValue);
+        return response;
+      }
       return NextResponse.next();
     } catch (error) {
       console.error(

package/cloudflare/react-router.d.ts

@@ -1,3 +1,6 @@
+import { U as UseCSPInput } from '../use-content-security-policy-DUYpyUPy.js';
+import 'zod';
+
 /**
  * Cloudflare context provided by React Router on Cloudflare Workers.
  * This is the shape of `context.cloudflare` in React Router loaders/actions.
@@ -23,6 +26,8 @@ interface ReactRouterAppwardenConfig {
     appwardenApiHostname?: string;
     /** Enable debug logging */
     debug?: boolean;
+    /** Optional Content Security Policy configuration */
+    contentSecurityPolicy?: UseCSPInput;
 }
 /**
  * Configuration function that receives the Cloudflare context and returns the config.

package/cloudflare/react-router.js

@@ -1,20 +1,26 @@
+import {
+  useContentSecurityPolicy
+} from "../chunk-BYRGGUK7.js";
 import {
   validateConfig
-} from "../chunk-COV6SHCD.js";
+} from "../chunk-7AVYENM2.js";
 import {
   checkLockStatus
-} from "../chunk-MDODCAA3.js";
+} from "../chunk-PH77FI6C.js";
 import {
-  AppwardenApiTokenSchema,
-  BooleanSchema,
   buildLockPageUrl,
   createRedirect,
   isOnLockPage
-} from "../chunk-ZX5QO4Y2.js";
+} from "../chunk-SUZPTFWY.js";
 import {
-  isHTMLRequest,
+  UseCSPInputSchema,
+  isHTMLRequest
+} from "../chunk-HCGLR3Z3.js";
+import {
+  AppwardenApiTokenSchema,
+  BooleanSchema,
   printMessage
-} from "../chunk-L5EQIJZB.js";
+} from "../chunk-ZBYVJ3HA.js";
 
 // src/schemas/react-router-cloudflare.ts
 import { z } from "zod";
@@ -26,7 +32,9 @@ var ReactRouterCloudflareConfigSchema = z.object({
   /** Optional custom API hostname (defaults to https://api.appwarden.io) */
   appwardenApiHostname: z.string().optional(),
   /** Enable debug logging */
-  debug: BooleanSchema.default(false)
+  debug: BooleanSchema.default(false),
+  /** Optional Content Security Policy configuration */
+  contentSecurityPolicy: z.lazy(() => UseCSPInputSchema).optional()
 });
 
 // src/adapters/react-router-cloudflare.ts
@@ -84,7 +92,23 @@ function createAppwardenMiddleware(configFn) {
         const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
         throw createRedirect(lockPageUrl);
       }
-      return next();
+      const response = await next();
+      if (config.contentSecurityPolicy && response instanceof Response) {
+        const cspContext = {
+          request,
+          response,
+          hostname: new URL(request.url).hostname,
+          waitUntil: (fn) => cloudflare.ctx.waitUntil(fn)
+        };
+        await useContentSecurityPolicy(config.contentSecurityPolicy)(
+          cspContext,
+          async () => {
+          }
+          // no-op next
+        );
+        return cspContext.response;
+      }
+      return response;
     } catch (error) {
       if (error instanceof Response) {
         throw error;

package/cloudflare/tanstack-start.d.ts

@@ -1,3 +1,6 @@
+import { U as UseCSPInput } from '../use-content-security-policy-DUYpyUPy.js';
+import 'zod';
+
 /**
  * Cloudflare context provided by TanStack Start on Cloudflare Workers.
  * This is the shape of the cloudflare context available in middleware.
@@ -18,6 +21,8 @@ interface TanStackStartAppwardenConfig {
     appwardenApiHostname?: string;
     /** Enable debug logging */
     debug?: boolean;
+    /** Optional Content Security Policy configuration */
+    contentSecurityPolicy?: UseCSPInput;
 }
 /**
  * Configuration function that receives the Cloudflare context and returns the config.