@appwarden/middleware 3.2.1 → 3.4.0

package/cloudflare/astro.js

@@ -1,21 +1,28 @@
+import {
+  useContentSecurityPolicy
+} from "../chunk-YBWFEBZC.js";
 import {
   validateConfig
-} from "../chunk-COV6SHCD.js";
+} from "../chunk-U3T4R5KZ.js";
 import {
   checkLockStatus
-} from "../chunk-MDODCAA3.js";
+} from "../chunk-3MKVGKH7.js";
 import {
-  AppwardenApiTokenSchema,
-  BooleanSchema,
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
   createRedirect,
+  debug,
   isOnLockPage
-} from "../chunk-ZX5QO4Y2.js";
+} from "../chunk-QVRWMYGL.js";
 import {
-  isHTMLRequest,
+  UseCSPInputSchema,
+  isHTMLRequest
+} from "../chunk-HCGLR3Z3.js";
+import {
+  AppwardenApiTokenSchema,
+  BooleanSchema,
   printMessage
-} from "../chunk-L5EQIJZB.js";
+} from "../chunk-G4RRFNHY.js";
 
 // src/schemas/astro-cloudflare.ts
 import { z } from "zod";
@@ -27,12 +34,16 @@ var AstroCloudflareConfigSchema = z.object({
   /** Optional custom API hostname (defaults to https://api.appwarden.io) */
   appwardenApiHostname: z.string().optional(),
   /** Enable debug logging */
-  debug: BooleanSchema.default(false)
+  debug: BooleanSchema.default(false),
+  /** Optional Content Security Policy configuration */
+  contentSecurityPolicy: z.lazy(() => UseCSPInputSchema).optional()
 });
 
 // src/adapters/astro-cloudflare.ts
+var getNowMs = () => typeof performance !== "undefined" && typeof performance.now === "function" ? performance.now() : Date.now();
 function createAppwardenMiddleware(configFn) {
   return async (context, next) => {
+    const startTime = getNowMs();
     const { request } = context;
     const locals = context.locals;
     try {
@@ -45,15 +56,23 @@ function createAppwardenMiddleware(configFn) {
         );
         return next();
       }
-      if (!isHTMLRequest(request)) {
+      const config = configFn(runtime);
+      const debugFn = debug(config.debug ?? false);
+      const requestUrl = new URL(request.url);
+      const isHTML = isHTMLRequest(request);
+      debugFn(
+        `Appwarden middleware invoked for ${requestUrl.pathname}`,
+        `isHTML: ${isHTML}`
+      );
+      if (!isHTML) {
         return next();
       }
-      const config = configFn(runtime);
       const hasError = validateConfig(config, AstroCloudflareConfigSchema);
       if (hasError) {
         return next();
       }
       if (isOnLockPage(config.lockPageSlug, request.url)) {
+        debugFn("Already on lock page - skipping");
         return next();
       }
       const result = await checkLockStatus({
@@ -66,6 +85,7 @@ function createAppwardenMiddleware(configFn) {
       });
       if (result.isLocked) {
         const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
+        debugFn(`Site is locked - redirecting to ${lockPageUrl.pathname}`);
         if (context.redirect) {
           return context.redirect(
             lockPageUrl.toString(),
@@ -74,7 +94,30 @@ function createAppwardenMiddleware(configFn) {
         }
         return createRedirect(lockPageUrl);
       }
-      return next();
+      debugFn("Site is unlocked to origin");
+      const response = await next();
+      if (config.contentSecurityPolicy) {
+        debugFn("Applying CSP middleware");
+        const cspContext = {
+          request,
+          response,
+          hostname: requestUrl.hostname,
+          waitUntil: (fn) => runtime.ctx.waitUntil(fn),
+          debug: debugFn
+        };
+        await useContentSecurityPolicy(config.contentSecurityPolicy)(
+          cspContext,
+          async () => {
+          }
+          // no-op next
+        );
+        const elapsed2 = Math.round(getNowMs() - startTime);
+        debugFn(`Middleware executed in ${elapsed2}ms`);
+        return cspContext.response;
+      }
+      const elapsed = Math.round(getNowMs() - startTime);
+      debugFn(`Middleware executed in ${elapsed}ms`);
+      return response;
     } catch (error) {
       if (error instanceof Response) {
         throw error;

package/cloudflare/nextjs.d.ts

@@ -1,4 +1,6 @@
 import { NextRequest, NextFetchEvent, NextResponse } from 'next/server';
+import { U as UseCSPInput } from '../use-content-security-policy-DUYpyUPy.js';
+import 'zod';
 
 /**
  * Cloudflare runtime context provided by @opennextjs/cloudflare.
@@ -20,6 +22,8 @@ interface NextJsCloudflareAppwardenConfig {
     appwardenApiHostname?: string;
     /** Enable debug logging */
     debug?: boolean;
+    /** Optional Content Security Policy configuration (headers only, no HTML rewriting; `{{nonce}}` placeholders are not supported) */
+    contentSecurityPolicy?: UseCSPInput;
 }
 /**
  * Configuration function that receives the Cloudflare runtime and returns the config.

package/cloudflare/nextjs.js

@@ -1,20 +1,24 @@
 import {
   validateConfig
-} from "../chunk-COV6SHCD.js";
+} from "../chunk-U3T4R5KZ.js";
 import {
   checkLockStatus
-} from "../chunk-MDODCAA3.js";
+} from "../chunk-3MKVGKH7.js";
 import {
-  AppwardenApiTokenSchema,
-  BooleanSchema,
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
+  debug,
   isOnLockPage
-} from "../chunk-ZX5QO4Y2.js";
+} from "../chunk-QVRWMYGL.js";
+import {
+  UseCSPInputSchema,
+  isHTMLRequest
+} from "../chunk-HCGLR3Z3.js";
 import {
-  isHTMLRequest,
+  AppwardenApiTokenSchema,
+  BooleanSchema,
   printMessage
-} from "../chunk-L5EQIJZB.js";
+} from "../chunk-G4RRFNHY.js";
 
 // src/adapters/nextjs-cloudflare.ts
 import {
@@ -23,6 +27,17 @@ import {
 
 // src/schemas/nextjs-cloudflare.ts
 import { z } from "zod";
+var NextJsCloudflareCSPInputSchema = UseCSPInputSchema.refine(
+  (values) => {
+    if (!values.directives) return true;
+    const serialized = JSON.stringify(values.directives);
+    return !serialized.includes("{{nonce}}");
+  },
+  {
+    path: ["directives"],
+    message: "Nonce-based CSP is not supported in the Next.js Cloudflare adapter. Remove '{{nonce}}' placeholders from your CSP directives, as this adapter does not inject nonces into HTML."
+  }
+);
 var NextJsCloudflareConfigSchema = z.object({
   /** The slug/path of the lock page to redirect to when the site is locked */
   lockPageSlug: z.string(),
@@ -31,24 +46,36 @@ var NextJsCloudflareConfigSchema = z.object({
   /** Optional custom API hostname (defaults to https://api.appwarden.io) */
   appwardenApiHostname: z.string().optional(),
   /** Enable debug logging */
-  debug: BooleanSchema.default(false)
+  debug: BooleanSchema.default(false),
+  /** Optional Content Security Policy configuration (headers only, no HTML rewriting; '{{nonce}}' is not supported) */
+  contentSecurityPolicy: z.lazy(() => NextJsCloudflareCSPInputSchema).optional()
 });
 
 // src/adapters/nextjs-cloudflare.ts
+var getNowMs = () => typeof performance !== "undefined" && typeof performance.now === "function" ? performance.now() : Date.now();
 function createAppwardenMiddleware(configFn) {
   return async (request, _event) => {
+    const startTime = getNowMs();
     try {
       const { getCloudflareContext } = await import("@opennextjs/cloudflare");
       const { env, ctx } = await getCloudflareContext();
-      if (!isHTMLRequest(request)) {
+      const config = configFn({ env, ctx });
+      const debugFn = debug(config.debug ?? false);
+      const requestUrl = new URL(request.url);
+      const isHTML = isHTMLRequest(request);
+      debugFn(
+        `Appwarden middleware invoked for ${requestUrl.pathname}`,
+        `isHTML: ${isHTML}`
+      );
+      if (!isHTML) {
         return NextResponse.next();
       }
-      const config = configFn({ env, ctx });
       const hasError = validateConfig(config, NextJsCloudflareConfigSchema);
       if (hasError) {
         return NextResponse.next();
       }
       if (isOnLockPage(config.lockPageSlug, request.url)) {
+        debugFn("Already on lock page - skipping");
         return NextResponse.next();
       }
       const result = await checkLockStatus({
@@ -61,8 +88,28 @@ function createAppwardenMiddleware(configFn) {
       });
       if (result.isLocked) {
         const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
+        debugFn(`Site is locked - redirecting to ${lockPageUrl.pathname}`);
         return NextResponse.redirect(lockPageUrl, TEMPORARY_REDIRECT_STATUS);
       }
+      debugFn("Site is unlocked");
+      if (config.contentSecurityPolicy && config.contentSecurityPolicy.mode !== "disabled") {
+        debugFn(
+          `Applying CSP headers in ${config.contentSecurityPolicy.mode} mode`
+        );
+        const { makeCSPHeader } = await import("../cloudflare-36BOGAYU.js");
+        const [headerName, headerValue] = makeCSPHeader(
+          "",
+          config.contentSecurityPolicy.directives,
+          config.contentSecurityPolicy.mode
+        );
+        const response = NextResponse.next();
+        response.headers.set(headerName, headerValue);
+        const elapsed2 = Math.round(getNowMs() - startTime);
+        debugFn(`Middleware executed in ${elapsed2}ms`);
+        return response;
+      }
+      const elapsed = Math.round(getNowMs() - startTime);
+      debugFn(`Middleware executed in ${elapsed}ms`);
       return NextResponse.next();
     } catch (error) {
       console.error(

package/cloudflare/react-router.d.ts

@@ -1,3 +1,6 @@
+import { U as UseCSPInput } from '../use-content-security-policy-DUYpyUPy.js';
+import 'zod';
+
 /**
  * Cloudflare context provided by React Router on Cloudflare Workers.
  * This is the shape of `context.cloudflare` in React Router loaders/actions.
@@ -23,6 +26,8 @@ interface ReactRouterAppwardenConfig {
     appwardenApiHostname?: string;
     /** Enable debug logging */
     debug?: boolean;
+    /** Optional Content Security Policy configuration */
+    contentSecurityPolicy?: UseCSPInput;
 }
 /**
  * Configuration function that receives the Cloudflare context and returns the config.

package/cloudflare/react-router.js

@@ -1,20 +1,27 @@
+import {
+  useContentSecurityPolicy
+} from "../chunk-YBWFEBZC.js";
 import {
   validateConfig
-} from "../chunk-COV6SHCD.js";
+} from "../chunk-U3T4R5KZ.js";
 import {
   checkLockStatus
-} from "../chunk-MDODCAA3.js";
+} from "../chunk-3MKVGKH7.js";
 import {
-  AppwardenApiTokenSchema,
-  BooleanSchema,
   buildLockPageUrl,
   createRedirect,
+  debug,
   isOnLockPage
-} from "../chunk-ZX5QO4Y2.js";
+} from "../chunk-QVRWMYGL.js";
 import {
-  isHTMLRequest,
+  UseCSPInputSchema,
+  isHTMLRequest
+} from "../chunk-HCGLR3Z3.js";
+import {
+  AppwardenApiTokenSchema,
+  BooleanSchema,
   printMessage
-} from "../chunk-L5EQIJZB.js";
+} from "../chunk-G4RRFNHY.js";
 
 // src/schemas/react-router-cloudflare.ts
 import { z } from "zod";
@@ -26,13 +33,16 @@ var ReactRouterCloudflareConfigSchema = z.object({
   /** Optional custom API hostname (defaults to https://api.appwarden.io) */
   appwardenApiHostname: z.string().optional(),
   /** Enable debug logging */
-  debug: BooleanSchema.default(false)
+  debug: BooleanSchema.default(false),
+  /** Optional Content Security Policy configuration */
+  contentSecurityPolicy: z.lazy(() => UseCSPInputSchema).optional()
 });
 
 // src/adapters/react-router-cloudflare.ts
 var cloudflareContextSymbol = /* @__PURE__ */ Symbol.for(
   "@appwarden/middleware:cloudflare"
 );
+var getNowMs = () => typeof performance !== "undefined" && typeof performance.now === "function" ? performance.now() : Date.now();
 function getCloudflareContext(context) {
   if (context?.cloudflare) {
     return context.cloudflare;
@@ -50,6 +60,7 @@ function getCloudflareContext(context) {
 }
 function createAppwardenMiddleware(configFn) {
   return async (args, next) => {
+    const startTime = getNowMs();
     const { request, context } = args;
     try {
       const cloudflare = getCloudflareContext(context);
@@ -61,15 +72,23 @@ function createAppwardenMiddleware(configFn) {
         );
         return next();
       }
-      if (!isHTMLRequest(request)) {
+      const config = configFn(cloudflare);
+      const debugFn = debug(config.debug ?? false);
+      const requestUrl = new URL(request.url);
+      const isHTML = isHTMLRequest(request);
+      debugFn(
+        `Appwarden middleware invoked for ${requestUrl.pathname}`,
+        `isHTML: ${isHTML}`
+      );
+      if (!isHTML) {
         return next();
       }
-      const config = configFn(cloudflare);
       const hasError = validateConfig(config, ReactRouterCloudflareConfigSchema);
       if (hasError) {
         return next();
       }
       if (isOnLockPage(config.lockPageSlug, request.url)) {
+        debugFn("Already on lock page - skipping");
         return next();
       }
       const result = await checkLockStatus({
@@ -82,9 +101,33 @@ function createAppwardenMiddleware(configFn) {
       });
       if (result.isLocked) {
         const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
+        debugFn(`Site is locked - redirecting to ${lockPageUrl.pathname}`);
         throw createRedirect(lockPageUrl);
       }
-      return next();
+      debugFn("Site is unlocked to origin");
+      const response = await next();
+      if (config.contentSecurityPolicy && response instanceof Response) {
+        debugFn("Applying CSP middleware");
+        const cspContext = {
+          request,
+          response,
+          hostname: requestUrl.hostname,
+          waitUntil: (fn) => cloudflare.ctx.waitUntil(fn),
+          debug: debugFn
+        };
+        await useContentSecurityPolicy(config.contentSecurityPolicy)(
+          cspContext,
+          async () => {
+          }
+          // no-op next
+        );
+        const elapsed2 = Math.round(getNowMs() - startTime);
+        debugFn(`Middleware executed in ${elapsed2}ms`);
+        return cspContext.response;
+      }
+      const elapsed = Math.round(getNowMs() - startTime);
+      debugFn(`Middleware executed in ${elapsed}ms`);
+      return response;
     } catch (error) {
       if (error instanceof Response) {
         throw error;

package/cloudflare/tanstack-start.d.ts

@@ -1,3 +1,6 @@
+import { U as UseCSPInput } from '../use-content-security-policy-DUYpyUPy.js';
+import 'zod';
+
 /**
  * Cloudflare context provided by TanStack Start on Cloudflare Workers.
  * This is the shape of the cloudflare context available in middleware.
@@ -18,6 +21,8 @@ interface TanStackStartAppwardenConfig {
     appwardenApiHostname?: string;
     /** Enable debug logging */
     debug?: boolean;
+    /** Optional Content Security Policy configuration */
+    contentSecurityPolicy?: UseCSPInput;
 }
 /**
  * Configuration function that receives the Cloudflare context and returns the config.

package/cloudflare/tanstack-start.js

@@ -1,20 +1,27 @@
+import {
+  useContentSecurityPolicy
+} from "../chunk-YBWFEBZC.js";
 import {
   validateConfig
-} from "../chunk-COV6SHCD.js";
+} from "../chunk-U3T4R5KZ.js";
 import {
   checkLockStatus
-} from "../chunk-MDODCAA3.js";
+} from "../chunk-3MKVGKH7.js";
 import {
-  AppwardenApiTokenSchema,
-  BooleanSchema,
   buildLockPageUrl,
   createRedirect,
+  debug,
   isOnLockPage
-} from "../chunk-ZX5QO4Y2.js";
+} from "../chunk-QVRWMYGL.js";
 import {
-  isHTMLRequest,
+  UseCSPInputSchema,
+  isHTMLRequest
+} from "../chunk-HCGLR3Z3.js";
+import {
+  AppwardenApiTokenSchema,
+  BooleanSchema,
   printMessage
-} from "../chunk-L5EQIJZB.js";
+} from "../chunk-G4RRFNHY.js";
 
 // src/schemas/tanstack-start-cloudflare.ts
 import { z } from "zod";
@@ -26,12 +33,16 @@ var TanStackStartCloudflareConfigSchema = z.object({
   /** Optional custom API hostname (defaults to https://api.appwarden.io) */
   appwardenApiHostname: z.string().optional(),
   /** Enable debug logging */
-  debug: BooleanSchema.default(false)
+  debug: BooleanSchema.default(false),
+  /** Optional Content Security Policy configuration */
+  contentSecurityPolicy: z.lazy(() => UseCSPInputSchema).optional()
 });
 
 // src/adapters/tanstack-start-cloudflare.ts
+var getNowMs = () => typeof performance !== "undefined" && typeof performance.now === "function" ? performance.now() : Date.now();
 function createAppwardenMiddleware(configFn) {
   return async (args) => {
+    const startTime = getNowMs();
     const { request, next, context } = args;
     try {
       const cloudflare = context.cloudflare;
@@ -43,10 +54,17 @@ function createAppwardenMiddleware(configFn) {
         );
         return next();
       }
-      if (!isHTMLRequest(request)) {
+      const config = configFn(cloudflare);
+      const debugFn = debug(config.debug ?? false);
+      const requestUrl = new URL(request.url);
+      const isHTML = isHTMLRequest(request);
+      debugFn(
+        `Appwarden middleware invoked for ${requestUrl.pathname}`,
+        `isHTML: ${isHTML}`
+      );
+      if (!isHTML) {
         return next();
       }
-      const config = configFn(cloudflare);
       const hasError = validateConfig(
         config,
         TanStackStartCloudflareConfigSchema
@@ -55,6 +73,7 @@ function createAppwardenMiddleware(configFn) {
         return next();
       }
       if (isOnLockPage(config.lockPageSlug, request.url)) {
+        debugFn("Already on lock page - skipping");
         return next();
       }
       const result = await checkLockStatus({
@@ -67,9 +86,33 @@ function createAppwardenMiddleware(configFn) {
       });
       if (result.isLocked) {
         const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
+        debugFn(`Site is locked - redirecting to ${lockPageUrl.pathname}`);
         throw createRedirect(lockPageUrl);
       }
-      return next();
+      debugFn("Site is unlocked to origin");
+      const response = await next();
+      if (config.contentSecurityPolicy && response instanceof Response) {
+        debugFn("Applying CSP middleware");
+        const cspContext = {
+          request,
+          response,
+          hostname: requestUrl.hostname,
+          waitUntil: (fn) => cloudflare.ctx.waitUntil(fn),
+          debug: debugFn
+        };
+        await useContentSecurityPolicy(config.contentSecurityPolicy)(
+          cspContext,
+          async () => {
+          }
+          // no-op next
+        );
+        const elapsed2 = Math.round(getNowMs() - startTime);
+        debugFn(`Middleware executed in ${elapsed2}ms`);
+        return cspContext.response;
+      }
+      const elapsed = Math.round(getNowMs() - startTime);
+      debugFn(`Middleware executed in ${elapsed}ms`);
+      return response;
     } catch (error) {
       if (error instanceof Response) {
         throw error;

package/cloudflare-36BOGAYU.js

@@ -0,0 +1,28 @@
+import {
+  CSP_KEYWORDS,
+  autoQuoteCSPDirectiveArray,
+  autoQuoteCSPDirectiveValue,
+  autoQuoteCSPKeyword,
+  deleteEdgeValue,
+  getLockValue,
+  insertErrorLogs,
+  isCSPKeyword,
+  isQuoted,
+  makeCSPHeader,
+  store,
+  syncEdgeValue
+} from "./chunk-G4RRFNHY.js";
+export {
+  CSP_KEYWORDS,
+  autoQuoteCSPDirectiveArray,
+  autoQuoteCSPDirectiveValue,
+  autoQuoteCSPKeyword,
+  deleteEdgeValue,
+  getLockValue,
+  insertErrorLogs,
+  isCSPKeyword,
+  isQuoted,
+  makeCSPHeader,
+  store,
+  syncEdgeValue
+};