@appwarden/middleware 3.2.1 → 3.4.0

package/chunk-G4RRFNHY.js

@@ -0,0 +1,332 @@
+// src/utils/cloudflare/cloudflare-cache.ts
+var store = {
+  json: (context, cacheKey, options) => {
+    const cacheKeyUrl = new URL(cacheKey, context.serviceOrigin);
+    return {
+      getValue: () => getCacheValue(context, cacheKeyUrl),
+      updateValue: (json) => updateCacheValue(context, cacheKeyUrl, json, options?.ttl),
+      deleteValue: () => clearCache(context, cacheKeyUrl)
+    };
+  }
+};
+var getCacheValue = async (context, cacheKey) => {
+  const match = await context.cache.match(cacheKey);
+  if (!match) {
+    context.debug(`[${cacheKey.pathname}] Cache MISS!`);
+    return void 0;
+  }
+  context.debug(`[${cacheKey.pathname}] Cache MATCH!`);
+  return match;
+};
+var updateCacheValue = async (context, cacheKey, value, ttl) => {
+  context.debug(
+    "updating cache...",
+    cacheKey.href,
+    value,
+    ttl ? `expires in ${ttl}s` : ""
+  );
+  await context.cache.put(
+    cacheKey,
+    new Response(JSON.stringify(value), {
+      headers: {
+        "content-type": "application/json",
+        ...ttl && {
+          "cache-control": `max-age=${ttl}`
+        }
+      }
+    })
+  );
+};
+var clearCache = (context, cacheKey) => context.cache.delete(cacheKey);
+
+// src/utils/cloudflare/csp-keywords.ts
+var CSP_KEYWORDS = [
+  "self",
+  "none",
+  "unsafe-inline",
+  "unsafe-eval",
+  "unsafe-hashes",
+  "strict-dynamic",
+  "report-sample",
+  "unsafe-allow-redirects",
+  "wasm-unsafe-eval",
+  "trusted-types-eval",
+  "report-sha256",
+  "report-sha384",
+  "report-sha512",
+  "unsafe-webtransport-hashes"
+];
+var CSP_KEYWORDS_SET = new Set(CSP_KEYWORDS);
+var isCSPKeyword = (value) => {
+  return CSP_KEYWORDS_SET.has(value.toLowerCase());
+};
+var isQuoted = (value) => {
+  return value.startsWith("'") && value.endsWith("'");
+};
+var autoQuoteCSPKeyword = (value) => {
+  const trimmed = value.trim();
+  if (isQuoted(trimmed)) {
+    return trimmed;
+  }
+  if (isCSPKeyword(trimmed)) {
+    return `'${trimmed}'`;
+  }
+  return trimmed;
+};
+var autoQuoteCSPDirectiveValue = (value) => {
+  return value.trim().split(/\s+/).filter(Boolean).map(autoQuoteCSPKeyword).join(" ");
+};
+var autoQuoteCSPDirectiveArray = (values) => {
+  return values.map(autoQuoteCSPKeyword);
+};
+
+// src/utils/print-message.ts
+var addSlashes = (str) => str.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$/g, "\\$").replace(/"/g, '\\"').replace(/'/g, "\\'").replace(/\u0000/g, "\\0").replace(/<\/script>/gi, "<\\/script>");
+var printMessage = (message) => `[@appwarden/middleware] ${addSlashes(message)}`;
+
+// src/utils/cloudflare/delete-edge-value.ts
+var deleteEdgeValue = async (context) => {
+  try {
+    switch (context.provider) {
+      case "cloudflare-cache": {
+        const success = await context.edgeCache.deleteValue();
+        if (!success) {
+          throw new Error();
+        }
+        break;
+      }
+      default:
+        throw new Error(`Unsupported provider: ${context.provider}`);
+    }
+  } catch (e) {
+    const message = "Failed to delete edge value";
+    console.error(
+      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
+    );
+  }
+};
+
+// src/schemas/helpers.ts
+import { z } from "zod";
+var BoolOrStringSchema = z.union([z.string(), z.boolean()]).optional();
+var BooleanSchema = BoolOrStringSchema.transform((val) => {
+  if (val === "true" || val === true) {
+    return true;
+  } else if (val === "false" || val === false) {
+    return false;
+  }
+  throw new Error("Invalid value");
+});
+var AppwardenApiTokenSchema = z.string().refine((val) => !!val, { message: "appwardenApiToken is required" });
+var LockValue = z.object({
+  isLocked: z.number(),
+  isLockedTest: z.number(),
+  lastCheck: z.number(),
+  code: z.string()
+});
+
+// src/utils/errors.ts
+var errorsMap = {
+  mode: '`CSP_MODE` must be one of "disabled", "report-only", or "enforced"',
+  directives: {
+    ["DirectivesRequired" /* DirectivesRequired */]: '`CSP_DIRECTIVES` must be provided when `CSP_MODE` is "report-only" or "enforced"',
+    ["DirectivesBadParse" /* DirectivesBadParse */]: "Failed to parse `CSP_DIRECTIVES`. Is it a valid JSON string?"
+  },
+  appwardenApiToken: "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/guides/api-token-management."
+};
+var getErrors = (error) => {
+  const matches = [];
+  const errors = [...Object.entries(error.flatten().fieldErrors)];
+  for (const issue of error.issues) {
+    errors.push(
+      ...Object.entries(
+        "returnTypeError" in issue ? issue.returnTypeError.flatten().fieldErrors : {}
+      )
+    );
+  }
+  for (const [field, maybeSchemaErrorKey] of errors) {
+    let match = errorsMap[field];
+    if (match) {
+      if (match instanceof Object) {
+        if (maybeSchemaErrorKey) {
+          match = match[maybeSchemaErrorKey[0]];
+        }
+      }
+      matches.push(match);
+    }
+  }
+  return matches;
+};
+
+// src/utils/cloudflare/get-lock-value.ts
+var getLockValue = async (context) => {
+  try {
+    let shouldDeleteEdgeValue = false;
+    let cacheResponse, lockValue = {
+      isLocked: 0,
+      isLockedTest: 0,
+      lastCheck: Date.now(),
+      code: ""
+    };
+    switch (context.provider) {
+      case "cloudflare-cache": {
+        cacheResponse = await context.edgeCache.getValue();
+        break;
+      }
+      default:
+        throw new Error(`Unsupported provider: ${context.provider}`);
+    }
+    if (!cacheResponse) {
+      return { lockValue: void 0 };
+    }
+    try {
+      const clonedResponse = cacheResponse?.clone();
+      lockValue = LockValue.parse(
+        clonedResponse ? await clonedResponse.json() : void 0
+      );
+    } catch (error) {
+      console.error(
+        printMessage(
+          `Failed to parse ${context.keyName} from edge cache - ${error}`
+        )
+      );
+      shouldDeleteEdgeValue = true;
+    }
+    return { lockValue, shouldDeleteEdgeValue };
+  } catch (e) {
+    const message = "Failed to retrieve edge value";
+    console.error(
+      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
+    );
+    return { lockValue: void 0 };
+  }
+};
+
+// src/utils/cloudflare/insert-errors-logs.ts
+var insertErrorLogs = async (context, error) => {
+  const errors = getErrors(error);
+  for (const err of errors) {
+    console.log(printMessage(err));
+  }
+  return new HTMLRewriter().on("body", {
+    element: (elem) => {
+      elem.append(
+        `<script>
+            ${errors.map((err) => `console.error(\`${printMessage(err)}\`)`).join("\n")}
+          </script>`,
+        { html: true }
+      );
+    }
+  }).transform(await fetch(context.request));
+};
+
+// src/utils/cloudflare/make-csp-header.ts
+var addNonce = (value, cspNonce) => value.replace("{{nonce}}", `'nonce-${cspNonce}'`);
+var makeCSPHeader = (cspNonce, directives, mode) => {
+  const namesSeen = /* @__PURE__ */ new Set(), result = [];
+  Object.entries(directives ?? {}).forEach(([originalName, value]) => {
+    const name = originalName.replace(/([a-z])([A-Z])/g, "$1-$2").toLowerCase();
+    if (namesSeen.has(name)) {
+      throw new Error(`${originalName} is specified more than once`);
+    }
+    namesSeen.add(name);
+    let directiveValue;
+    if (Array.isArray(value)) {
+      directiveValue = autoQuoteCSPDirectiveArray(value).join(" ");
+    } else if (value === true) {
+      directiveValue = "";
+    } else if (typeof value === "string") {
+      directiveValue = autoQuoteCSPDirectiveValue(value);
+    } else {
+      return;
+    }
+    if (directiveValue) {
+      result.push(`${name} ${addNonce(directiveValue, cspNonce)}`);
+    } else {
+      result.push(name);
+    }
+  });
+  return [
+    mode === "enforced" ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only",
+    result.join("; ")
+  ];
+};
+
+// src/utils/cloudflare/sync-edge-value.ts
+var APIError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "APIError";
+  }
+};
+var DEFAULT_API_HOSTNAME = "https://api.appwarden.io";
+var syncEdgeValue = async (context) => {
+  const apiHostname = context.appwardenApiHostname ?? DEFAULT_API_HOSTNAME;
+  context.debug(`Fetching lock value from API: ${apiHostname}`);
+  try {
+    const response = await fetch(new URL("/v1/status/check", apiHostname), {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        service: "cloudflare",
+        provider: context.provider,
+        fqdn: context.requestUrl.hostname,
+        appwardenApiToken: context.appwardenApiToken
+      })
+    });
+    if (response.status !== 200) {
+      throw new Error(`${response.status} ${response.statusText}`);
+    }
+    if (response.headers.get("content-type")?.includes("application/json")) {
+      const result = await response.json();
+      if (result.error) {
+        throw new APIError(result.error.message);
+      }
+      if (!result.content) {
+        throw new APIError("no content from api");
+      }
+      try {
+        const parsedValue = LockValue.omit({ lastCheck: true }).parse(
+          result.content
+        );
+        context.debug(
+          `API call to ${apiHostname} succeeded`,
+          `Lock status: ${parsedValue.isLocked ? "LOCKED" : "UNLOCKED"}`
+        );
+        await context.edgeCache.updateValue({
+          ...parsedValue,
+          lastCheck: Date.now()
+        });
+      } catch (error) {
+        throw new APIError(`Failed to parse check endpoint result - ${error}`);
+      }
+    }
+  } catch (e) {
+    const message = `API call to ${apiHostname} failed`;
+    console.error(
+      printMessage(
+        e instanceof APIError ? e.message : e instanceof Error ? `${message}: ${e.message}` : message
+      )
+    );
+  }
+};
+
+export {
+  printMessage,
+  getErrors,
+  BooleanSchema,
+  AppwardenApiTokenSchema,
+  LockValue,
+  store,
+  CSP_KEYWORDS,
+  isCSPKeyword,
+  isQuoted,
+  autoQuoteCSPKeyword,
+  autoQuoteCSPDirectiveValue,
+  autoQuoteCSPDirectiveArray,
+  deleteEdgeValue,
+  getLockValue,
+  insertErrorLogs,
+  makeCSPHeader,
+  syncEdgeValue
+};

package/chunk-HCGLR3Z3.js

@@ -0,0 +1,97 @@
+// src/constants.ts
+var LOCKDOWN_TEST_EXPIRY_MS = 5 * 60 * 1e3;
+var errors = { badCacheConnection: "BAD_CACHE_CONNECTION" };
+var globalErrors = [errors.badCacheConnection];
+var APPWARDEN_TEST_ROUTE = "/_appwarden/test";
+var APPWARDEN_CACHE_KEY = "appwarden-lock";
+
+// src/schemas/use-content-security-policy.ts
+import { z as z2 } from "zod";
+
+// src/types/csp.ts
+import { z } from "zod";
+var stringySchema = z.union([z.array(z.string()), z.string(), z.boolean()]);
+var ContentSecurityPolicySchema = z.object({
+  "default-src": stringySchema.optional(),
+  "script-src": stringySchema.optional(),
+  "style-src": stringySchema.optional(),
+  "img-src": stringySchema.optional(),
+  "connect-src": stringySchema.optional(),
+  "font-src": stringySchema.optional(),
+  "object-src": stringySchema.optional(),
+  "media-src": stringySchema.optional(),
+  "frame-src": stringySchema.optional(),
+  sandbox: stringySchema.optional(),
+  "report-uri": stringySchema.optional(),
+  "child-src": stringySchema.optional(),
+  "form-action": stringySchema.optional(),
+  "frame-ancestors": stringySchema.optional(),
+  "plugin-types": stringySchema.optional(),
+  "base-uri": stringySchema.optional(),
+  "report-to": stringySchema.optional(),
+  "worker-src": stringySchema.optional(),
+  "manifest-src": stringySchema.optional(),
+  "prefetch-src": stringySchema.optional(),
+  "navigate-to": stringySchema.optional(),
+  "require-sri-for": stringySchema.optional(),
+  "block-all-mixed-content": stringySchema.optional(),
+  "upgrade-insecure-requests": stringySchema.optional(),
+  "trusted-types": stringySchema.optional(),
+  "require-trusted-types-for": stringySchema.optional()
+});
+
+// src/utils/request-checks.ts
+function isHTMLResponse(response) {
+  return response.headers.get("Content-Type")?.includes("text/html") ?? false;
+}
+function isHTMLRequest(request) {
+  return request.headers.get("accept")?.includes("text/html") ?? false;
+}
+
+// src/schemas/use-content-security-policy.ts
+var CSPDirectivesSchema = z2.union([
+  z2.string(),
+  ContentSecurityPolicySchema
+]);
+var CSPModeSchema = z2.union([
+  z2.literal("disabled"),
+  z2.literal("report-only"),
+  z2.literal("enforced")
+]).optional().default("disabled");
+var UseCSPInputSchema = z2.object({
+  mode: CSPModeSchema,
+  directives: CSPDirectivesSchema.optional().refine(
+    (val) => {
+      try {
+        if (typeof val === "string") {
+          JSON.parse(val);
+        }
+        return true;
+      } catch (error) {
+        return false;
+      }
+    },
+    { message: "DirectivesBadParse" /* DirectivesBadParse */ }
+  ).transform(
+    (val) => typeof val === "string" ? JSON.parse(val) : val
+  )
+}).refine(
+  (values) => (
+    // validate that directives are provided when the mode is "report-only" or "enforced"
+    ["report-only", "enforced"].includes(values.mode) ? !!values.directives : true
+  ),
+  { path: ["directives"], message: "DirectivesRequired" /* DirectivesRequired */ }
+);
+
+export {
+  LOCKDOWN_TEST_EXPIRY_MS,
+  errors,
+  globalErrors,
+  APPWARDEN_TEST_ROUTE,
+  APPWARDEN_CACHE_KEY,
+  CSPDirectivesSchema,
+  CSPModeSchema,
+  UseCSPInputSchema,
+  isHTMLResponse,
+  isHTMLRequest
+};

package/{chunk-ZX5QO4Y2.js → chunk-QVRWMYGL.js}

@@ -1,6 +1,9 @@
 import {
   LOCKDOWN_TEST_EXPIRY_MS
-} from "./chunk-L5EQIJZB.js";
+} from "./chunk-HCGLR3Z3.js";
+import {
+  printMessage
+} from "./chunk-G4RRFNHY.js";
 
 // src/utils/build-lock-page-url.ts
 function normalizeLockPageSlug(lockPageSlug) {
@@ -34,6 +37,31 @@ var createRedirect = (url) => {
   });
 };
 
+// src/utils/debug.ts
+var debug = (isDebug) => (...msg) => {
+  if (!isDebug) return;
+  const formatted = msg.map((m) => {
+    let content;
+    if (m instanceof Error) {
+      content = m.stack ?? m.message;
+    } else if (typeof m === "object" && m !== null) {
+      try {
+        content = JSON.stringify(m);
+      } catch {
+        try {
+          content = String(m);
+        } catch {
+          content = "[Unserializable value]";
+        }
+      }
+    } else {
+      content = String(m);
+    }
+    return printMessage(content);
+  });
+  console.log(...formatted);
+};
+
 // src/utils/memory-cache.ts
 var MemoryCache = class {
   cache = /* @__PURE__ */ new Map();
@@ -81,66 +109,11 @@ var MemoryCache = class {
   };
 };
 
-// src/utils/errors.ts
-var errorsMap = {
-  mode: '`CSP_MODE` must be one of "disabled", "report-only", or "enforced"',
-  directives: {
-    ["DirectivesRequired" /* DirectivesRequired */]: '`CSP_DIRECTIVES` must be provided when `CSP_MODE` is "report-only" or "enforced"',
-    ["DirectivesBadParse" /* DirectivesBadParse */]: "Failed to parse `CSP_DIRECTIVES`. Is it a valid JSON string?"
-  },
-  appwardenApiToken: "Please provide a valid `appwardenApiToken`. Learn more at https://appwarden.com/docs/guides/api-token-management."
-};
-var getErrors = (error) => {
-  const matches = [];
-  const errors = [...Object.entries(error.flatten().fieldErrors)];
-  for (const issue of error.issues) {
-    errors.push(
-      ...Object.entries(
-        "returnTypeError" in issue ? issue.returnTypeError.flatten().fieldErrors : {}
-      )
-    );
-  }
-  for (const [field, maybeSchemaErrorKey] of errors) {
-    let match = errorsMap[field];
-    if (match) {
-      if (match instanceof Object) {
-        if (maybeSchemaErrorKey) {
-          match = match[maybeSchemaErrorKey[0]];
-        }
-      }
-      matches.push(match);
-    }
-  }
-  return matches;
-};
-
-// src/schemas/helpers.ts
-import { z } from "zod";
-var BoolOrStringSchema = z.union([z.string(), z.boolean()]).optional();
-var BooleanSchema = BoolOrStringSchema.transform((val) => {
-  if (val === "true" || val === true) {
-    return true;
-  } else if (val === "false" || val === false) {
-    return false;
-  }
-  throw new Error("Invalid value");
-});
-var AppwardenApiTokenSchema = z.string().refine((val) => !!val, { message: "appwardenApiToken is required" });
-var LockValue = z.object({
-  isLocked: z.number(),
-  isLockedTest: z.number(),
-  lastCheck: z.number(),
-  code: z.string()
-});
-
 export {
   buildLockPageUrl,
   isOnLockPage,
   TEMPORARY_REDIRECT_STATUS,
   createRedirect,
-  getErrors,
-  MemoryCache,
-  BooleanSchema,
-  AppwardenApiTokenSchema,
-  LockValue
+  debug,
+  MemoryCache
 };

package/{chunk-COV6SHCD.js → chunk-U3T4R5KZ.js}

@@ -1,9 +1,7 @@
 import {
-  getErrors
-} from "./chunk-ZX5QO4Y2.js";
-import {
+  getErrors,
   printMessage
-} from "./chunk-L5EQIJZB.js";
+} from "./chunk-G4RRFNHY.js";
 
 // src/utils/validate-config.ts
 function validateConfig(config, schema) {

package/chunk-YBWFEBZC.js

@@ -0,0 +1,53 @@
+import {
+  UseCSPInputSchema,
+  isHTMLResponse
+} from "./chunk-HCGLR3Z3.js";
+import {
+  makeCSPHeader
+} from "./chunk-G4RRFNHY.js";
+
+// src/middlewares/use-content-security-policy.ts
+var AppendAttribute = (attribute, nonce) => ({
+  element: function(element) {
+    element.setAttribute(attribute, nonce);
+  }
+});
+var useContentSecurityPolicy = (input) => {
+  const parsedInput = UseCSPInputSchema.safeParse(input);
+  if (!parsedInput.success) {
+    throw parsedInput.error;
+  }
+  const config = parsedInput.data;
+  return async (context, next) => {
+    await next();
+    const { response } = context;
+    if (
+      // if the csp is disabled
+      !["enforced", "report-only"].includes(config.mode)
+    ) {
+      context.debug("CSP is disabled");
+      return;
+    }
+    if (response.headers.has("Content-Type") && !isHTMLResponse(response)) {
+      return;
+    }
+    const cspNonce = crypto.randomUUID();
+    const [cspHeaderName, cspHeaderValue] = makeCSPHeader(
+      cspNonce,
+      config.directives,
+      config.mode
+    );
+    context.debug(
+      `Applying CSP in ${config.mode} mode`,
+      `Directives: ${config.directives ? Object.keys(config.directives).join(", ") : "none"}`
+    );
+    const nextResponse = new Response(response.body, response);
+    nextResponse.headers.set(cspHeaderName, cspHeaderValue);
+    nextResponse.headers.set("content-type", "text/html; charset=utf-8");
+    context.response = new HTMLRewriter().on("style", AppendAttribute("nonce", cspNonce)).on("script", AppendAttribute("nonce", cspNonce)).transform(nextResponse);
+  };
+};
+
+export {
+  useContentSecurityPolicy
+};

package/cloudflare/astro.d.ts

@@ -1,5 +1,7 @@
 import { Runtime } from '@astrojs/cloudflare';
 import { APIContext, MiddlewareHandler } from 'astro';
+import { U as UseCSPInput } from '../use-content-security-policy-DUYpyUPy.js';
+import 'zod';
 
 /**
  * Cloudflare runtime context provided by Astro on Cloudflare Workers.
@@ -20,6 +22,8 @@ interface AstroAppwardenConfig {
     appwardenApiHostname?: string;
     /** Enable debug logging */
     debug?: boolean;
+    /** Optional Content Security Policy configuration */
+    contentSecurityPolicy?: UseCSPInput;
 }
 /**
  * Configuration function that receives the Cloudflare runtime and returns the config.