@appwarden/middleware 3.2.1 → 3.4.0

package/vercel.js

@@ -4,22 +4,27 @@ import {
 } from "./chunk-QEFORWCW.js";
 import {
   validateConfig
-} from "./chunk-COV6SHCD.js";
+} from "./chunk-U3T4R5KZ.js";
 import {
-  LockValue,
   MemoryCache,
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
+  debug,
   isOnLockPage
-} from "./chunk-ZX5QO4Y2.js";
+} from "./chunk-QVRWMYGL.js";
 import {
   APPWARDEN_CACHE_KEY,
-  debug,
+  CSPDirectivesSchema,
+  CSPModeSchema,
   errors,
   globalErrors,
-  isHTMLRequest,
+  isHTMLRequest
+} from "./chunk-HCGLR3Z3.js";
+import {
+  LockValue,
+  makeCSPHeader,
   printMessage
-} from "./chunk-L5EQIJZB.js";
+} from "./chunk-G4RRFNHY.js";
 
 // src/runners/appwarden-on-vercel.ts
 import { waitUntil } from "@vercel/functions";
@@ -101,7 +106,7 @@ var APIError = class extends Error {
   }
 };
 var syncEdgeValue = async (context) => {
-  debug(`syncing with api`);
+  context.debug("syncing with api");
   try {
     const response = await fetch(new URL("/v1/status/check", "https://api.appwarden.io"), {
       method: "POST",
@@ -134,11 +139,43 @@ var syncEdgeValue = async (context) => {
 };
 
 // src/schemas/vercel.ts
+var VercelCSPSchema = z.object({
+  mode: CSPModeSchema,
+  directives: z.lazy(() => CSPDirectivesSchema).optional().refine(
+    (val) => {
+      try {
+        if (typeof val === "string") {
+          JSON.parse(val);
+        }
+        return true;
+      } catch {
+        return false;
+      }
+    },
+    { message: "DirectivesBadParse" /* DirectivesBadParse */ }
+  ).refine(
+    (val) => {
+      if (!val) return true;
+      const serialized = typeof val === "string" ? val : JSON.stringify(val);
+      return !serialized.includes("{{nonce}}");
+    },
+    {
+      message: "Nonce-based CSP is not supported in Vercel Edge Middleware. Remove '{{nonce}}' placeholders from your CSP directives, as Vercel does not support nonce injection."
+    }
+  ).transform(
+    (val) => typeof val === "string" ? JSON.parse(val) : val
+  )
+}).refine(
+  (values) => ["report-only", "enforced"].includes(values.mode) ? !!values.directives : true,
+  { path: ["directives"], message: "DirectivesRequired" /* DirectivesRequired */ }
+);
 var BaseNextJsConfigSchema = z.object({
   cacheUrl: z.string(),
   appwardenApiToken: z.string(),
   vercelApiToken: z.string().optional(),
-  lockPageSlug: z.string().default("").transform((val) => val.replace(/^\/?/, "/"))
+  debug: z.boolean().optional(),
+  lockPageSlug: z.string().default("").transform((val) => val.replace(/^\/?/, "/")),
+  contentSecurityPolicy: VercelCSPSchema.optional()
 });
 var AppwardenConfigSchema = BaseNextJsConfigSchema.refine(
   (data) => {
@@ -188,7 +225,6 @@ var AppwardenConfigSchema = BaseNextJsConfigSchema.refine(
 });
 
 // src/runners/appwarden-on-vercel.ts
-debug("Instantiating isolate");
 var memoryCache = new MemoryCache({ maxSize: 1 });
 function safeWaitUntil(promise) {
   try {
@@ -203,29 +239,54 @@ function createAppwardenMiddleware(config) {
       return NextResponse.next();
     }
     const parsedConfig = AppwardenConfigSchema.parse(config);
+    const debugFn = debug(parsedConfig.debug ?? false);
+    const applyCspHeaders = (response) => {
+      const cspConfig = parsedConfig.contentSecurityPolicy;
+      if (cspConfig && ["enforced", "report-only"].includes(cspConfig.mode)) {
+        const [headerName, headerValue] = makeCSPHeader(
+          "",
+          cspConfig.directives,
+          cspConfig.mode
+        );
+        response.headers.set(headerName, headerValue);
+      }
+      return response;
+    };
     try {
       const requestUrl = new URL(request.url);
       const isHTML = isHTMLRequest(request);
-      debug({ isHTMLRequest: isHTML, url: requestUrl.pathname });
+      debugFn(
+        `Appwarden middleware invoked for ${requestUrl.pathname}`,
+        `isHTML: ${isHTML}`
+      );
       if (!isHTML) {
+        debugFn("Non-HTML request detected - passing through");
         return NextResponse.next();
       }
       if (!parsedConfig.lockPageSlug) {
+        debugFn("No lockPageSlug configured - passing through");
         return NextResponse.next();
       }
       if (isOnLockPage(parsedConfig.lockPageSlug, request.url)) {
+        debugFn("Already on lock page - passing through");
         return NextResponse.next();
       }
       const provider = isCacheUrl.edgeConfig(parsedConfig.cacheUrl) ? "edge-config" : "upstash";
+      debugFn(`Using provider: ${provider}`);
       const cacheValue = memoryCache.get(APPWARDEN_CACHE_KEY);
       const shouldRecheck = MemoryCache.isExpired(cacheValue);
       if (!cacheValue || shouldRecheck) {
+        debugFn(
+          "Memory cache miss or expired - syncing edge value in background",
+          `shouldRecheck=${shouldRecheck}`
+        );
         safeWaitUntil(
           syncEdgeValue({
             requestUrl,
             cacheUrl: parsedConfig.cacheUrl,
             appwardenApiToken: parsedConfig.appwardenApiToken,
-            vercelApiToken: parsedConfig.vercelApiToken
+            vercelApiToken: parsedConfig.vercelApiToken,
+            debug: debugFn
           })
         );
       }
@@ -235,17 +296,25 @@ function createAppwardenMiddleware(config) {
         provider
       })).lockValue;
       if (lockValue?.isLocked) {
+        debugFn("Site is locked - redirecting to lock page");
         const lockPageUrl = buildLockPageUrl(
           parsedConfig.lockPageSlug,
           request.url
         );
-        return Response.redirect(
+        const redirectResponse = Response.redirect(
           lockPageUrl.toString(),
           TEMPORARY_REDIRECT_STATUS
         );
+        return applyCspHeaders(redirectResponse);
       }
-      return NextResponse.next();
+      const response = NextResponse.next();
+      debugFn("Site is not locked - passing through");
+      return applyCspHeaders(response);
     } catch (e) {
+      debugFn(
+        "Error in Appwarden Vercel middleware",
+        e instanceof Error ? e.message : String(e)
+      );
       const message = "Appwarden encountered an unknown error. Please contact Appwarden support at https://appwarden.io/join-community.";
       if (e instanceof Error) {
         if (!globalErrors.includes(e.message)) {

package/chunk-A5XGYLYS.js

@@ -1,196 +0,0 @@
-import {
-  debug,
-  isHTMLResponse,
-  printMessage
-} from "./chunk-L5EQIJZB.js";
-
-// src/schemas/use-content-security-policy.ts
-import { z as z2 } from "zod";
-
-// src/types/csp.ts
-import { z } from "zod";
-var stringySchema = z.union([z.array(z.string()), z.string(), z.boolean()]);
-var ContentSecurityPolicySchema = z.object({
-  "default-src": stringySchema.optional(),
-  "script-src": stringySchema.optional(),
-  "style-src": stringySchema.optional(),
-  "img-src": stringySchema.optional(),
-  "connect-src": stringySchema.optional(),
-  "font-src": stringySchema.optional(),
-  "object-src": stringySchema.optional(),
-  "media-src": stringySchema.optional(),
-  "frame-src": stringySchema.optional(),
-  sandbox: stringySchema.optional(),
-  "report-uri": stringySchema.optional(),
-  "child-src": stringySchema.optional(),
-  "form-action": stringySchema.optional(),
-  "frame-ancestors": stringySchema.optional(),
-  "plugin-types": stringySchema.optional(),
-  "base-uri": stringySchema.optional(),
-  "report-to": stringySchema.optional(),
-  "worker-src": stringySchema.optional(),
-  "manifest-src": stringySchema.optional(),
-  "prefetch-src": stringySchema.optional(),
-  "navigate-to": stringySchema.optional(),
-  "require-sri-for": stringySchema.optional(),
-  "block-all-mixed-content": stringySchema.optional(),
-  "upgrade-insecure-requests": stringySchema.optional(),
-  "trusted-types": stringySchema.optional(),
-  "require-trusted-types-for": stringySchema.optional()
-});
-
-// src/schemas/use-content-security-policy.ts
-var CSPDirectivesSchema = z2.union([
-  z2.string(),
-  ContentSecurityPolicySchema
-]);
-var CSPModeSchema = z2.union([
-  z2.literal("disabled"),
-  z2.literal("report-only"),
-  z2.literal("enforced")
-]).optional().default("disabled");
-var UseCSPInputSchema = z2.object({
-  hostname: z2.string().optional(),
-  mode: CSPModeSchema,
-  directives: CSPDirectivesSchema.optional().refine(
-    (val) => {
-      try {
-        if (typeof val === "string") {
-          JSON.parse(val);
-        }
-        return true;
-      } catch (error) {
-        return false;
-      }
-    },
-    { message: "DirectivesBadParse" /* DirectivesBadParse */ }
-  ).transform(
-    (val) => typeof val === "string" ? JSON.parse(val) : val
-  )
-}).refine(
-  (values) => (
-    // validate that directives are provided when the mode is "report-only" or "enforced"
-    ["report-only", "enforced"].includes(values.mode) ? !!values.directives : true
-  ),
-  { path: ["directives"], message: "DirectivesRequired" /* DirectivesRequired */ }
-);
-
-// src/utils/cloudflare/csp-keywords.ts
-var CSP_KEYWORDS = [
-  "self",
-  "none",
-  "unsafe-inline",
-  "unsafe-eval",
-  "unsafe-hashes",
-  "strict-dynamic",
-  "report-sample",
-  "unsafe-allow-redirects",
-  "wasm-unsafe-eval",
-  "trusted-types-eval",
-  "report-sha256",
-  "report-sha384",
-  "report-sha512",
-  "unsafe-webtransport-hashes"
-];
-var CSP_KEYWORDS_SET = new Set(CSP_KEYWORDS);
-var isCSPKeyword = (value) => {
-  return CSP_KEYWORDS_SET.has(value.toLowerCase());
-};
-var isQuoted = (value) => {
-  return value.startsWith("'") && value.endsWith("'");
-};
-var autoQuoteCSPKeyword = (value) => {
-  const trimmed = value.trim();
-  if (isQuoted(trimmed)) {
-    return trimmed;
-  }
-  if (isCSPKeyword(trimmed)) {
-    return `'${trimmed}'`;
-  }
-  return trimmed;
-};
-var autoQuoteCSPDirectiveValue = (value) => {
-  return value.trim().split(/\s+/).filter(Boolean).map(autoQuoteCSPKeyword).join(" ");
-};
-var autoQuoteCSPDirectiveArray = (values) => {
-  return values.map(autoQuoteCSPKeyword);
-};
-
-// src/utils/cloudflare/make-csp-header.ts
-var addNonce = (value, cspNonce) => value.replace("{{nonce}}", `'nonce-${cspNonce}'`);
-var makeCSPHeader = (cspNonce, directives, mode) => {
-  const namesSeen = /* @__PURE__ */ new Set(), result = [];
-  Object.entries(directives ?? {}).forEach(([originalName, value]) => {
-    const name = originalName.replace(/([a-z])([A-Z])/g, "$1-$2").toLowerCase();
-    if (namesSeen.has(name)) {
-      throw new Error(`${originalName} is specified more than once`);
-    }
-    namesSeen.add(name);
-    let directiveValue;
-    if (Array.isArray(value)) {
-      directiveValue = autoQuoteCSPDirectiveArray(value).join(" ");
-    } else if (value === true) {
-      directiveValue = "";
-    } else if (typeof value === "string") {
-      directiveValue = autoQuoteCSPDirectiveValue(value);
-    } else {
-      return;
-    }
-    if (directiveValue) {
-      result.push(`${name} ${addNonce(directiveValue, cspNonce)}`);
-    } else {
-      result.push(name);
-    }
-  });
-  return [
-    mode === "enforced" ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only",
-    result.join("; ")
-  ];
-};
-
-// src/middlewares/use-content-security-policy.ts
-var AppendAttribute = (attribute, nonce) => ({
-  element: function(element) {
-    element.setAttribute(attribute, nonce);
-  }
-});
-var useContentSecurityPolicy = (input) => {
-  const parsedInput = UseCSPInputSchema.safeParse(input);
-  if (!parsedInput.success) {
-    throw parsedInput.error;
-  }
-  const config = parsedInput.data;
-  return async (context, next) => {
-    await next();
-    if (config.hostname && context.hostname !== config.hostname) {
-      return;
-    }
-    const { response } = context;
-    if (
-      // if the csp is disabled
-      !["enforced", "report-only"].includes(config.mode)
-    ) {
-      debug(printMessage("csp is disabled"));
-      return;
-    }
-    if (response.headers.has("Content-Type") && !isHTMLResponse(response)) {
-      return;
-    }
-    const cspNonce = crypto.randomUUID();
-    const [cspHeaderName, cspHeaderValue] = makeCSPHeader(
-      cspNonce,
-      config.directives,
-      config.mode
-    );
-    const nextResponse = new Response(response.body, response);
-    nextResponse.headers.set(cspHeaderName, cspHeaderValue);
-    nextResponse.headers.set("content-type", "text/html; charset=utf-8");
-    context.response = new HTMLRewriter().on("style", AppendAttribute("nonce", cspNonce)).on("script", AppendAttribute("nonce", cspNonce)).transform(nextResponse);
-  };
-};
-
-export {
-  CSPDirectivesSchema,
-  CSPModeSchema,
-  useContentSecurityPolicy
-};

package/chunk-L5EQIJZB.js

@@ -1,54 +0,0 @@
-// src/constants.ts
-var LOCKDOWN_TEST_EXPIRY_MS = 5 * 60 * 1e3;
-var errors = { badCacheConnection: "BAD_CACHE_CONNECTION" };
-var globalErrors = [errors.badCacheConnection];
-var APPWARDEN_TEST_ROUTE = "/_appwarden/test";
-var APPWARDEN_CACHE_KEY = "appwarden-lock";
-
-// src/utils/debug.ts
-var debug = (...msg) => {
-  if (true) {
-    const formatted = msg.map((m) => {
-      if (typeof m === "object" && m !== null) {
-        if (m instanceof Error) {
-          return m.stack ?? m.message;
-        }
-        try {
-          return JSON.stringify(m);
-        } catch {
-          try {
-            return String(m);
-          } catch {
-            return "[Unserializable value]";
-          }
-        }
-      }
-      return m;
-    });
-    console.log(...formatted);
-  }
-};
-
-// src/utils/print-message.ts
-var addSlashes = (str) => str.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$/g, "\\$").replace(/"/g, '\\"').replace(/'/g, "\\'").replace(/\u0000/g, "\\0").replace(/<\/script>/gi, "<\\/script>");
-var printMessage = (message) => `[@appwarden/middleware] ${addSlashes(message)}`;
-
-// src/utils/request-checks.ts
-function isHTMLResponse(response) {
-  return response.headers.get("Content-Type")?.includes("text/html") ?? false;
-}
-function isHTMLRequest(request) {
-  return request.headers.get("accept")?.includes("text/html") ?? false;
-}
-
-export {
-  LOCKDOWN_TEST_EXPIRY_MS,
-  errors,
-  globalErrors,
-  APPWARDEN_TEST_ROUTE,
-  APPWARDEN_CACHE_KEY,
-  debug,
-  printMessage,
-  isHTMLResponse,
-  isHTMLRequest
-};

package/chunk-MDODCAA3.js

@@ -1,232 +0,0 @@
-import {
-  LockValue,
-  MemoryCache
-} from "./chunk-ZX5QO4Y2.js";
-import {
-  APPWARDEN_CACHE_KEY,
-  APPWARDEN_TEST_ROUTE,
-  debug,
-  printMessage
-} from "./chunk-L5EQIJZB.js";
-
-// src/utils/cloudflare/cloudflare-cache.ts
-var store = {
-  json: (context, cacheKey, options) => {
-    const cacheKeyUrl = new URL(cacheKey, context.serviceOrigin);
-    return {
-      getValue: () => getCacheValue(context, cacheKeyUrl),
-      updateValue: (json) => updateCacheValue(context, cacheKeyUrl, json, options?.ttl),
-      deleteValue: () => clearCache(context, cacheKeyUrl)
-    };
-  }
-};
-var getCacheValue = async (context, cacheKey) => {
-  const match = await context.cache.match(cacheKey);
-  if (!match) {
-    debug(`[${cacheKey.pathname}] Cache MISS!`);
-    return void 0;
-  }
-  debug(`[${cacheKey.pathname}] Cache MATCH!`);
-  return match;
-};
-var updateCacheValue = async (context, cacheKey, value, ttl) => {
-  debug(
-    "updating cache...",
-    cacheKey.href,
-    value,
-    ttl ? `expires in ${ttl}s` : ""
-  );
-  await context.cache.put(
-    cacheKey,
-    new Response(JSON.stringify(value), {
-      headers: {
-        "content-type": "application/json",
-        ...ttl && {
-          "cache-control": `max-age=${ttl}`
-        }
-      }
-    })
-  );
-};
-var clearCache = (context, cacheKey) => context.cache.delete(cacheKey);
-
-// src/utils/cloudflare/delete-edge-value.ts
-var deleteEdgeValue = async (context) => {
-  try {
-    switch (context.provider) {
-      case "cloudflare-cache": {
-        const success = await context.edgeCache.deleteValue();
-        if (!success) {
-          throw new Error();
-        }
-        break;
-      }
-      default:
-        throw new Error(`Unsupported provider: ${context.provider}`);
-    }
-  } catch (e) {
-    const message = "Failed to delete edge value";
-    console.error(
-      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
-    );
-  }
-};
-
-// src/utils/cloudflare/get-lock-value.ts
-var getLockValue = async (context) => {
-  try {
-    let shouldDeleteEdgeValue = false;
-    let cacheResponse, lockValue = {
-      isLocked: 0,
-      isLockedTest: 0,
-      lastCheck: Date.now(),
-      code: ""
-    };
-    switch (context.provider) {
-      case "cloudflare-cache": {
-        cacheResponse = await context.edgeCache.getValue();
-        break;
-      }
-      default:
-        throw new Error(`Unsupported provider: ${context.provider}`);
-    }
-    if (!cacheResponse) {
-      return { lockValue: void 0 };
-    }
-    try {
-      const clonedResponse = cacheResponse?.clone();
-      lockValue = LockValue.parse(
-        clonedResponse ? await clonedResponse.json() : void 0
-      );
-    } catch (error) {
-      console.error(
-        printMessage(
-          `Failed to parse ${context.keyName} from edge cache - ${error}`
-        )
-      );
-      shouldDeleteEdgeValue = true;
-    }
-    return { lockValue, shouldDeleteEdgeValue };
-  } catch (e) {
-    const message = "Failed to retrieve edge value";
-    console.error(
-      printMessage(e instanceof Error ? `${message} - ${e.message}` : message)
-    );
-    return { lockValue: void 0 };
-  }
-};
-
-// src/utils/cloudflare/sync-edge-value.ts
-var APIError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "APIError";
-  }
-};
-var DEFAULT_API_HOSTNAME = "https://api.appwarden.io";
-var syncEdgeValue = async (context) => {
-  debug(`syncing with api`);
-  try {
-    const apiHostname = context.appwardenApiHostname ?? DEFAULT_API_HOSTNAME;
-    const response = await fetch(new URL("/v1/status/check", apiHostname), {
-      method: "POST",
-      headers: { "content-type": "application/json" },
-      body: JSON.stringify({
-        service: "cloudflare",
-        provider: context.provider,
-        fqdn: context.requestUrl.hostname,
-        appwardenApiToken: context.appwardenApiToken
-      })
-    });
-    if (response.status !== 200) {
-      throw new Error(`${response.status} ${response.statusText}`);
-    }
-    if (response.headers.get("content-type")?.includes("application/json")) {
-      const result = await response.json();
-      if (result.error) {
-        throw new APIError(result.error.message);
-      }
-      if (!result.content) {
-        throw new APIError("no content from api");
-      }
-      try {
-        const parsedValue = LockValue.omit({ lastCheck: true }).parse(
-          result.content
-        );
-        debug(`syncing with api...DONE ${JSON.stringify(parsedValue, null, 2)}`);
-        await context.edgeCache.updateValue({
-          ...parsedValue,
-          lastCheck: Date.now()
-        });
-      } catch (error) {
-        throw new APIError(`Failed to parse check endpoint result - ${error}`);
-      }
-    }
-  } catch (e) {
-    const message = "Failed to fetch from check endpoint";
-    console.error(
-      printMessage(
-        e instanceof APIError ? e.message : e instanceof Error ? `${message} - ${e.message}` : message
-      )
-    );
-  }
-};
-
-// src/core/check-lock-status.ts
-var createContext = async (config) => {
-  const requestUrl = new URL(config.request.url);
-  const keyName = APPWARDEN_CACHE_KEY;
-  const provider = "cloudflare-cache";
-  const edgeCache = store.json(
-    {
-      serviceOrigin: requestUrl.origin,
-      cache: await caches.open("appwarden:lock")
-    },
-    keyName
-  );
-  return {
-    keyName,
-    request: config.request,
-    edgeCache,
-    requestUrl,
-    provider,
-    debug: config.debug ?? false,
-    lockPageSlug: config.lockPageSlug,
-    appwardenApiToken: config.appwardenApiToken,
-    appwardenApiHostname: config.appwardenApiHostname,
-    waitUntil: config.waitUntil
-  };
-};
-var resolveLockStatus = async (context) => {
-  const { lockValue, shouldDeleteEdgeValue } = await getLockValue(context);
-  if (shouldDeleteEdgeValue) {
-    await deleteEdgeValue(context);
-  }
-  const isTestRoute = context.requestUrl.pathname === APPWARDEN_TEST_ROUTE;
-  const isTestLock = isTestRoute && !MemoryCache.isTestExpired(lockValue) && !!lockValue;
-  return {
-    isLocked: !!lockValue?.isLocked || isTestLock,
-    isTestLock,
-    lockValue,
-    wasDeleted: shouldDeleteEdgeValue ?? false
-  };
-};
-var checkLockStatus = async (config) => {
-  const context = await createContext(config);
-  let { isLocked, isTestLock, lockValue, wasDeleted } = await resolveLockStatus(context);
-  if (MemoryCache.isExpired(lockValue) || wasDeleted) {
-    if (!lockValue || wasDeleted || lockValue.isLocked) {
-      await syncEdgeValue(context);
-      ({ isLocked, isTestLock } = await resolveLockStatus(context));
-    } else {
-      config.waitUntil(syncEdgeValue(context));
-    }
-  }
-  return { isLocked, isTestLock };
-};
-
-export {
-  store,
-  getLockValue,
-  checkLockStatus
-};