@appwarden/middleware 3.3.0 → 3.4.1

package/README.md

@@ -4,7 +4,7 @@
 [![GitHub](https://img.shields.io/badge/GitHub-appwarden%2Fmiddleware-181717?logo=github&logoColor=white)](https://github.com/appwarden/middleware)
 [![npm version](https://img.shields.io/npm/v/@appwarden/middleware.svg)](https://www.npmjs.com/package/@appwarden/middleware)
 [![npm provenance](https://img.shields.io/badge/npm-provenance-green)](https://docs.npmjs.com/generating-provenance-statements)
-![Test Coverage](https://img.shields.io/badge/coverage-95.72%25-brightgreen)
+![Test Coverage](https://img.shields.io/badge/coverage-91.52%25-brightgreen)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
 ## Core Features

package/{chunk-BYRGGUK7.js → chunk-AXWJZE7U.js}

@@ -3,10 +3,8 @@ import {
   isHTMLResponse
 } from "./chunk-HCGLR3Z3.js";
 import {
-  debug,
-  makeCSPHeader,
-  printMessage
-} from "./chunk-ZBYVJ3HA.js";
+  makeCSPHeader
+} from "./chunk-GK6JL5NZ.js";
 
 // src/middlewares/use-content-security-policy.ts
 var AppendAttribute = (attribute, nonce) => ({
@@ -27,7 +25,7 @@ var useContentSecurityPolicy = (input) => {
       // if the csp is disabled
       !["enforced", "report-only"].includes(config.mode)
     ) {
-      debug(printMessage("csp is disabled"));
+      context.debug("CSP is disabled");
       return;
     }
     if (response.headers.has("Content-Type") && !isHTMLResponse(response)) {
@@ -39,6 +37,10 @@ var useContentSecurityPolicy = (input) => {
       config.directives,
       config.mode
     );
+    context.debug(
+      `Applying CSP in ${config.mode} mode`,
+      `Directives: ${config.directives ? Object.keys(config.directives).join(", ") : "none"}`
+    );
     const nextResponse = new Response(response.body, response);
     nextResponse.headers.set(cspHeaderName, cspHeaderValue);
     nextResponse.headers.set("content-type", "text/html; charset=utf-8");

package/{chunk-SUZPTFWY.js → chunk-EPJ4ZVO6.js}

@@ -1,6 +1,9 @@
 import {
   LOCKDOWN_TEST_EXPIRY_MS
 } from "./chunk-HCGLR3Z3.js";
+import {
+  printMessage
+} from "./chunk-GK6JL5NZ.js";
 
 // src/utils/build-lock-page-url.ts
 function normalizeLockPageSlug(lockPageSlug) {
@@ -34,6 +37,32 @@ var createRedirect = (url) => {
   });
 };
 
+// src/utils/debug.ts
+var debug = (isDebug) => (...msg) => {
+  if (!isDebug) return;
+  const parts = msg.map((m) => {
+    let content;
+    if (m instanceof Error) {
+      content = m.stack ?? m.message;
+    } else if (typeof m === "object" && m !== null) {
+      try {
+        content = JSON.stringify(m);
+      } catch {
+        try {
+          content = String(m);
+        } catch {
+          content = "[Unserializable value]";
+        }
+      }
+    } else {
+      content = String(m);
+    }
+    return content;
+  });
+  const message = parts.join(" ");
+  console.log(printMessage(message));
+};
+
 // src/utils/memory-cache.ts
 var MemoryCache = class {
   cache = /* @__PURE__ */ new Map();
@@ -86,5 +115,6 @@ export {
   isOnLockPage,
   TEMPORARY_REDIRECT_STATUS,
   createRedirect,
+  debug,
   MemoryCache
 };

package/{chunk-PH77FI6C.js → chunk-G5FWKV2Q.js}

@@ -1,6 +1,7 @@
 import {
-  MemoryCache
-} from "./chunk-SUZPTFWY.js";
+  MemoryCache,
+  debug
+} from "./chunk-EPJ4ZVO6.js";
 import {
   APPWARDEN_CACHE_KEY,
   APPWARDEN_TEST_ROUTE
@@ -10,17 +11,19 @@ import {
   getLockValue,
   store,
   syncEdgeValue
-} from "./chunk-ZBYVJ3HA.js";
+} from "./chunk-GK6JL5NZ.js";
 
 // src/core/check-lock-status.ts
 var createContext = async (config) => {
   const requestUrl = new URL(config.request.url);
   const keyName = APPWARDEN_CACHE_KEY;
   const provider = "cloudflare-cache";
+  const debugFn = debug(config.debug ?? false);
   const edgeCache = store.json(
     {
       serviceOrigin: requestUrl.origin,
-      cache: await caches.open("appwarden:lock")
+      cache: await caches.open("appwarden:lock"),
+      debug: debugFn
     },
     keyName
   );
@@ -30,7 +33,7 @@ var createContext = async (config) => {
     edgeCache,
     requestUrl,
     provider,
-    debug: config.debug ?? false,
+    debug: debugFn,
     lockPageSlug: config.lockPageSlug,
     appwardenApiToken: config.appwardenApiToken,
     appwardenApiHostname: config.appwardenApiHostname,
@@ -40,6 +43,7 @@ var createContext = async (config) => {
 var resolveLockStatus = async (context) => {
   const { lockValue, shouldDeleteEdgeValue } = await getLockValue(context);
   if (shouldDeleteEdgeValue) {
+    context.debug("Deleting corrupted cache value");
     await deleteEdgeValue(context);
   }
   const isTestRoute = context.requestUrl.pathname === APPWARDEN_TEST_ROUTE;
@@ -54,11 +58,21 @@ var resolveLockStatus = async (context) => {
 var checkLockStatus = async (config) => {
   const context = await createContext(config);
   let { isLocked, isTestLock, lockValue, wasDeleted } = await resolveLockStatus(context);
-  if (MemoryCache.isExpired(lockValue) || wasDeleted) {
+  const isExpired = MemoryCache.isExpired(lockValue);
+  if (!isExpired && !wasDeleted && lockValue) {
+    context.debug("Lock value resolved from cache");
+  }
+  if (isExpired || wasDeleted) {
     if (!lockValue || wasDeleted || lockValue.isLocked) {
+      context.debug(
+        "No fresh cached lock status available - syncing with API synchronously"
+      );
       await syncEdgeValue(context);
       ({ isLocked, isTestLock } = await resolveLockStatus(context));
     } else {
+      context.debug(
+        "Cached lock status expired but last known state unlocked - syncing with API in background"
+      );
       config.waitUntil(syncEdgeValue(context));
     }
   }

package/{chunk-ZBYVJ3HA.js → chunk-GK6JL5NZ.js}

@@ -1,27 +1,3 @@
-// src/utils/debug.ts
-var debug = (...msg) => {
-  if (true) {
-    const formatted = msg.map((m) => {
-      if (typeof m === "object" && m !== null) {
-        if (m instanceof Error) {
-          return m.stack ?? m.message;
-        }
-        try {
-          return JSON.stringify(m);
-        } catch {
-          try {
-            return String(m);
-          } catch {
-            return "[Unserializable value]";
-          }
-        }
-      }
-      return m;
-    });
-    console.log(...formatted);
-  }
-};
-
 // src/utils/cloudflare/cloudflare-cache.ts
 var store = {
   json: (context, cacheKey, options) => {
@@ -35,15 +11,10 @@ var store = {
 };
 var getCacheValue = async (context, cacheKey) => {
   const match = await context.cache.match(cacheKey);
-  if (!match) {
-    debug(`[${cacheKey.pathname}] Cache MISS!`);
-    return void 0;
-  }
-  debug(`[${cacheKey.pathname}] Cache MATCH!`);
-  return match;
+  return match ?? void 0;
 };
 var updateCacheValue = async (context, cacheKey, value, ttl) => {
-  debug(
+  context.debug(
     "updating cache...",
     cacheKey.href,
     value,
@@ -285,9 +256,9 @@ var APIError = class extends Error {
 };
 var DEFAULT_API_HOSTNAME = "https://api.appwarden.io";
 var syncEdgeValue = async (context) => {
-  debug(`syncing with api`);
+  const apiHostname = context.appwardenApiHostname ?? DEFAULT_API_HOSTNAME;
+  context.debug(`GET ${apiHostname}`);
   try {
-    const apiHostname = context.appwardenApiHostname ?? DEFAULT_API_HOSTNAME;
     const response = await fetch(new URL("/v1/status/check", apiHostname), {
       method: "POST",
       headers: { "content-type": "application/json" },
@@ -313,7 +284,7 @@ var syncEdgeValue = async (context) => {
         const parsedValue = LockValue.omit({ lastCheck: true }).parse(
           result.content
         );
-        debug(`syncing with api...DONE ${JSON.stringify(parsedValue, null, 2)}`);
+        context.debug(`GET ${apiHostname} succeeded`);
         await context.edgeCache.updateValue({
           ...parsedValue,
           lastCheck: Date.now()
@@ -323,19 +294,18 @@ var syncEdgeValue = async (context) => {
       }
     }
   } catch (e) {
-    const message = "Failed to fetch from check endpoint";
+    const message = `GET ${apiHostname} failed`;
     console.error(
       printMessage(
-        e instanceof APIError ? e.message : e instanceof Error ? `${message} - ${e.message}` : message
+        e instanceof APIError ? e.message : e instanceof Error ? `${message}: ${e.message}` : message
       )
     );
   }
 };
 
 export {
-  debug,
-  getErrors,
   printMessage,
+  getErrors,
   BooleanSchema,
   AppwardenApiTokenSchema,
   LockValue,

package/{chunk-7AVYENM2.js → chunk-MNGMTDH3.js}

@@ -1,7 +1,7 @@
 import {
   getErrors,
   printMessage
-} from "./chunk-ZBYVJ3HA.js";
+} from "./chunk-GK6JL5NZ.js";
 
 // src/utils/validate-config.ts
 function validateConfig(config, schema) {

package/cloudflare/astro.js

@@ -1,18 +1,19 @@
 import {
   useContentSecurityPolicy
-} from "../chunk-BYRGGUK7.js";
+} from "../chunk-AXWJZE7U.js";
 import {
   validateConfig
-} from "../chunk-7AVYENM2.js";
+} from "../chunk-MNGMTDH3.js";
 import {
   checkLockStatus
-} from "../chunk-PH77FI6C.js";
+} from "../chunk-G5FWKV2Q.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
   createRedirect,
+  debug,
   isOnLockPage
-} from "../chunk-SUZPTFWY.js";
+} from "../chunk-EPJ4ZVO6.js";
 import {
   UseCSPInputSchema,
   isHTMLRequest
@@ -21,7 +22,7 @@ import {
   AppwardenApiTokenSchema,
   BooleanSchema,
   printMessage
-} from "../chunk-ZBYVJ3HA.js";
+} from "../chunk-GK6JL5NZ.js";
 
 // src/schemas/astro-cloudflare.ts
 import { z } from "zod";
@@ -39,8 +40,10 @@ var AstroCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/astro-cloudflare.ts
+var getNowMs = () => typeof performance !== "undefined" && typeof performance.now === "function" ? performance.now() : Date.now();
 function createAppwardenMiddleware(configFn) {
   return async (context, next) => {
+    const startTime = getNowMs();
     const { request } = context;
     const locals = context.locals;
     try {
@@ -53,15 +56,23 @@ function createAppwardenMiddleware(configFn) {
         );
         return next();
       }
-      if (!isHTMLRequest(request)) {
+      const config = configFn(runtime);
+      const debugFn = debug(config.debug ?? false);
+      const requestUrl = new URL(request.url);
+      const isHTML = isHTMLRequest(request);
+      debugFn(
+        `Appwarden middleware invoked for ${requestUrl.pathname}`,
+        `isHTML: ${isHTML}`
+      );
+      if (!isHTML) {
         return next();
       }
-      const config = configFn(runtime);
       const hasError = validateConfig(config, AstroCloudflareConfigSchema);
       if (hasError) {
         return next();
       }
       if (isOnLockPage(config.lockPageSlug, request.url)) {
+        debugFn("Already on lock page - skipping");
         return next();
       }
       const result = await checkLockStatus({
@@ -74,6 +85,7 @@ function createAppwardenMiddleware(configFn) {
       });
       if (result.isLocked) {
         const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
+        debugFn(`Website is locked - redirecting to ${lockPageUrl.pathname}`);
         if (context.redirect) {
           return context.redirect(
             lockPageUrl.toString(),
@@ -82,13 +94,16 @@ function createAppwardenMiddleware(configFn) {
         }
         return createRedirect(lockPageUrl);
       }
+      debugFn("Website is unlocked");
       const response = await next();
       if (config.contentSecurityPolicy) {
+        debugFn("Applying CSP middleware");
         const cspContext = {
           request,
           response,
-          hostname: new URL(request.url).hostname,
-          waitUntil: (fn) => runtime.ctx.waitUntil(fn)
+          hostname: requestUrl.hostname,
+          waitUntil: (fn) => runtime.ctx.waitUntil(fn),
+          debug: debugFn
         };
         await useContentSecurityPolicy(config.contentSecurityPolicy)(
           cspContext,
@@ -96,8 +111,12 @@ function createAppwardenMiddleware(configFn) {
           }
           // no-op next
         );
+        const elapsed2 = Math.round(getNowMs() - startTime);
+        debugFn(`Middleware executed in ${elapsed2}ms`);
         return cspContext.response;
       }
+      const elapsed = Math.round(getNowMs() - startTime);
+      debugFn(`Middleware executed in ${elapsed}ms`);
       return response;
     } catch (error) {
       if (error instanceof Response) {

package/cloudflare/nextjs.js

@@ -1,14 +1,15 @@
 import {
   validateConfig
-} from "../chunk-7AVYENM2.js";
+} from "../chunk-MNGMTDH3.js";
 import {
   checkLockStatus
-} from "../chunk-PH77FI6C.js";
+} from "../chunk-G5FWKV2Q.js";
 import {
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
+  debug,
   isOnLockPage
-} from "../chunk-SUZPTFWY.js";
+} from "../chunk-EPJ4ZVO6.js";
 import {
   UseCSPInputSchema,
   isHTMLRequest
@@ -17,7 +18,7 @@ import {
   AppwardenApiTokenSchema,
   BooleanSchema,
   printMessage
-} from "../chunk-ZBYVJ3HA.js";
+} from "../chunk-GK6JL5NZ.js";
 
 // src/adapters/nextjs-cloudflare.ts
 import {
@@ -51,20 +52,30 @@ var NextJsCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/nextjs-cloudflare.ts
+var getNowMs = () => typeof performance !== "undefined" && typeof performance.now === "function" ? performance.now() : Date.now();
 function createAppwardenMiddleware(configFn) {
   return async (request, _event) => {
+    const startTime = getNowMs();
     try {
       const { getCloudflareContext } = await import("@opennextjs/cloudflare");
       const { env, ctx } = await getCloudflareContext();
-      if (!isHTMLRequest(request)) {
+      const config = configFn({ env, ctx });
+      const debugFn = debug(config.debug ?? false);
+      const requestUrl = new URL(request.url);
+      const isHTML = isHTMLRequest(request);
+      debugFn(
+        `Appwarden middleware invoked for ${requestUrl.pathname}`,
+        `isHTML: ${isHTML}`
+      );
+      if (!isHTML) {
         return NextResponse.next();
       }
-      const config = configFn({ env, ctx });
       const hasError = validateConfig(config, NextJsCloudflareConfigSchema);
       if (hasError) {
         return NextResponse.next();
       }
       if (isOnLockPage(config.lockPageSlug, request.url)) {
+        debugFn("Already on lock page - skipping");
         return NextResponse.next();
       }
       const result = await checkLockStatus({
@@ -77,10 +88,15 @@ function createAppwardenMiddleware(configFn) {
       });
       if (result.isLocked) {
         const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
+        debugFn(`Website is locked - redirecting to ${lockPageUrl.pathname}`);
         return NextResponse.redirect(lockPageUrl, TEMPORARY_REDIRECT_STATUS);
       }
+      debugFn("Site is unlocked");
       if (config.contentSecurityPolicy && config.contentSecurityPolicy.mode !== "disabled") {
-        const { makeCSPHeader } = await import("../cloudflare-LUT5TVEV.js");
+        debugFn(
+          `Applying CSP headers in ${config.contentSecurityPolicy.mode} mode`
+        );
+        const { makeCSPHeader } = await import("../cloudflare-K5EFFMNI.js");
         const [headerName, headerValue] = makeCSPHeader(
           "",
           config.contentSecurityPolicy.directives,
@@ -88,8 +104,12 @@ function createAppwardenMiddleware(configFn) {
         );
         const response = NextResponse.next();
         response.headers.set(headerName, headerValue);
+        const elapsed2 = Math.round(getNowMs() - startTime);
+        debugFn(`Middleware executed in ${elapsed2}ms`);
         return response;
       }
+      const elapsed = Math.round(getNowMs() - startTime);
+      debugFn(`Middleware executed in ${elapsed}ms`);
       return NextResponse.next();
     } catch (error) {
       console.error(

package/cloudflare/react-router.js

@@ -1,17 +1,18 @@
 import {
   useContentSecurityPolicy
-} from "../chunk-BYRGGUK7.js";
+} from "../chunk-AXWJZE7U.js";
 import {
   validateConfig
-} from "../chunk-7AVYENM2.js";
+} from "../chunk-MNGMTDH3.js";
 import {
   checkLockStatus
-} from "../chunk-PH77FI6C.js";
+} from "../chunk-G5FWKV2Q.js";
 import {
   buildLockPageUrl,
   createRedirect,
+  debug,
   isOnLockPage
-} from "../chunk-SUZPTFWY.js";
+} from "../chunk-EPJ4ZVO6.js";
 import {
   UseCSPInputSchema,
   isHTMLRequest
@@ -20,7 +21,7 @@ import {
   AppwardenApiTokenSchema,
   BooleanSchema,
   printMessage
-} from "../chunk-ZBYVJ3HA.js";
+} from "../chunk-GK6JL5NZ.js";
 
 // src/schemas/react-router-cloudflare.ts
 import { z } from "zod";
@@ -41,6 +42,7 @@ var ReactRouterCloudflareConfigSchema = z.object({
 var cloudflareContextSymbol = /* @__PURE__ */ Symbol.for(
   "@appwarden/middleware:cloudflare"
 );
+var getNowMs = () => typeof performance !== "undefined" && typeof performance.now === "function" ? performance.now() : Date.now();
 function getCloudflareContext(context) {
   if (context?.cloudflare) {
     return context.cloudflare;
@@ -58,6 +60,7 @@ function getCloudflareContext(context) {
 }
 function createAppwardenMiddleware(configFn) {
   return async (args, next) => {
+    const startTime = getNowMs();
     const { request, context } = args;
     try {
       const cloudflare = getCloudflareContext(context);
@@ -69,15 +72,23 @@ function createAppwardenMiddleware(configFn) {
         );
         return next();
       }
-      if (!isHTMLRequest(request)) {
+      const config = configFn(cloudflare);
+      const debugFn = debug(config.debug ?? false);
+      const requestUrl = new URL(request.url);
+      const isHTML = isHTMLRequest(request);
+      debugFn(
+        `Appwarden middleware invoked for ${requestUrl.pathname}`,
+        `isHTML: ${isHTML}`
+      );
+      if (!isHTML) {
         return next();
       }
-      const config = configFn(cloudflare);
       const hasError = validateConfig(config, ReactRouterCloudflareConfigSchema);
       if (hasError) {
         return next();
       }
       if (isOnLockPage(config.lockPageSlug, request.url)) {
+        debugFn("Already on lock page - skipping");
         return next();
       }
       const result = await checkLockStatus({
@@ -90,15 +101,19 @@ function createAppwardenMiddleware(configFn) {
       });
       if (result.isLocked) {
         const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
+        debugFn(`Website is locked - redirecting to ${lockPageUrl.pathname}`);
         throw createRedirect(lockPageUrl);
       }
+      debugFn("Website is unlocked");
       const response = await next();
       if (config.contentSecurityPolicy && response instanceof Response) {
+        debugFn("Applying CSP middleware");
         const cspContext = {
           request,
           response,
-          hostname: new URL(request.url).hostname,
-          waitUntil: (fn) => cloudflare.ctx.waitUntil(fn)
+          hostname: requestUrl.hostname,
+          waitUntil: (fn) => cloudflare.ctx.waitUntil(fn),
+          debug: debugFn
         };
         await useContentSecurityPolicy(config.contentSecurityPolicy)(
           cspContext,
@@ -106,8 +121,12 @@ function createAppwardenMiddleware(configFn) {
           }
           // no-op next
         );
+        const elapsed2 = Math.round(getNowMs() - startTime);
+        debugFn(`Middleware executed in ${elapsed2}ms`);
         return cspContext.response;
       }
+      const elapsed = Math.round(getNowMs() - startTime);
+      debugFn(`Middleware executed in ${elapsed}ms`);
       return response;
     } catch (error) {
       if (error instanceof Response) {

package/cloudflare/tanstack-start.js

@@ -1,17 +1,18 @@
 import {
   useContentSecurityPolicy
-} from "../chunk-BYRGGUK7.js";
+} from "../chunk-AXWJZE7U.js";
 import {
   validateConfig
-} from "../chunk-7AVYENM2.js";
+} from "../chunk-MNGMTDH3.js";
 import {
   checkLockStatus
-} from "../chunk-PH77FI6C.js";
+} from "../chunk-G5FWKV2Q.js";
 import {
   buildLockPageUrl,
   createRedirect,
+  debug,
   isOnLockPage
-} from "../chunk-SUZPTFWY.js";
+} from "../chunk-EPJ4ZVO6.js";
 import {
   UseCSPInputSchema,
   isHTMLRequest
@@ -20,7 +21,7 @@ import {
   AppwardenApiTokenSchema,
   BooleanSchema,
   printMessage
-} from "../chunk-ZBYVJ3HA.js";
+} from "../chunk-GK6JL5NZ.js";
 
 // src/schemas/tanstack-start-cloudflare.ts
 import { z } from "zod";
@@ -38,8 +39,10 @@ var TanStackStartCloudflareConfigSchema = z.object({
 });
 
 // src/adapters/tanstack-start-cloudflare.ts
+var getNowMs = () => typeof performance !== "undefined" && typeof performance.now === "function" ? performance.now() : Date.now();
 function createAppwardenMiddleware(configFn) {
   return async (args) => {
+    const startTime = getNowMs();
     const { request, next, context } = args;
     try {
       const cloudflare = context.cloudflare;
@@ -51,10 +54,17 @@ function createAppwardenMiddleware(configFn) {
         );
         return next();
       }
-      if (!isHTMLRequest(request)) {
+      const config = configFn(cloudflare);
+      const debugFn = debug(config.debug ?? false);
+      const requestUrl = new URL(request.url);
+      const isHTML = isHTMLRequest(request);
+      debugFn(
+        `Appwarden middleware invoked for ${requestUrl.pathname}`,
+        `isHTML: ${isHTML}`
+      );
+      if (!isHTML) {
         return next();
       }
-      const config = configFn(cloudflare);
       const hasError = validateConfig(
         config,
         TanStackStartCloudflareConfigSchema
@@ -63,6 +73,7 @@ function createAppwardenMiddleware(configFn) {
         return next();
       }
       if (isOnLockPage(config.lockPageSlug, request.url)) {
+        debugFn("Already on lock page - skipping");
         return next();
       }
       const result = await checkLockStatus({
@@ -75,15 +86,19 @@ function createAppwardenMiddleware(configFn) {
       });
       if (result.isLocked) {
         const lockPageUrl = buildLockPageUrl(config.lockPageSlug, request.url);
+        debugFn(`Website is locked - redirecting to ${lockPageUrl.pathname}`);
         throw createRedirect(lockPageUrl);
       }
+      debugFn("Website is unlocked");
       const response = await next();
       if (config.contentSecurityPolicy && response instanceof Response) {
+        debugFn("Applying CSP middleware");
         const cspContext = {
           request,
           response,
-          hostname: new URL(request.url).hostname,
-          waitUntil: (fn) => cloudflare.ctx.waitUntil(fn)
+          hostname: requestUrl.hostname,
+          waitUntil: (fn) => cloudflare.ctx.waitUntil(fn),
+          debug: debugFn
         };
         await useContentSecurityPolicy(config.contentSecurityPolicy)(
           cspContext,
@@ -91,8 +106,12 @@ function createAppwardenMiddleware(configFn) {
           }
           // no-op next
         );
+        const elapsed2 = Math.round(getNowMs() - startTime);
+        debugFn(`Middleware executed in ${elapsed2}ms`);
         return cspContext.response;
       }
+      const elapsed = Math.round(getNowMs() - startTime);
+      debugFn(`Middleware executed in ${elapsed}ms`);
       return response;
     } catch (error) {
       if (error instanceof Response) {

package/{cloudflare-LUT5TVEV.js → cloudflare-K5EFFMNI.js}

@@ -11,7 +11,7 @@ import {
   makeCSPHeader,
   store,
   syncEdgeValue
-} from "./chunk-ZBYVJ3HA.js";
+} from "./chunk-GK6JL5NZ.js";
 export {
   CSP_KEYWORDS,
   autoQuoteCSPDirectiveArray,

package/cloudflare.d.ts

@@ -1,6 +1,6 @@
 import { B as Bindings } from './use-content-security-policy-DUYpyUPy.js';
 import { z } from 'zod';
-export { u as useContentSecurityPolicy } from './use-content-security-policy-CjlLe4yU.js';
+export { u as useContentSecurityPolicy } from './use-content-security-policy-Dvc-oObb.js';
 
 declare const UseAppwardenInputSchema: z.ZodObject<{
     debug: z.ZodDefault<z.ZodEffects<z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodBoolean]>>, boolean, string | boolean | undefined>>;

package/cloudflare.js

@@ -1,14 +1,15 @@
 import {
   useContentSecurityPolicy
-} from "./chunk-BYRGGUK7.js";
+} from "./chunk-AXWJZE7U.js";
 import {
   checkLockStatus
-} from "./chunk-PH77FI6C.js";
+} from "./chunk-G5FWKV2Q.js";
 import {
   buildLockPageUrl,
   createRedirect,
+  debug,
   isOnLockPage
-} from "./chunk-SUZPTFWY.js";
+} from "./chunk-EPJ4ZVO6.js";
 import {
   APPWARDEN_CACHE_KEY,
   UseCSPInputSchema,
@@ -21,7 +22,7 @@ import {
   insertErrorLogs,
   printMessage,
   store
-} from "./chunk-ZBYVJ3HA.js";
+} from "./chunk-GK6JL5NZ.js";
 
 // src/runners/appwarden-on-cloudflare.ts
 import { ZodError } from "zod";
@@ -106,7 +107,8 @@ var useAppwarden = (input) => async (context, next) => {
       const edgeCache = store.json(
         {
           serviceOrigin: requestUrl.origin,
-          cache: await caches.open("appwarden:lock")
+          cache: await caches.open("appwarden:lock"),
+          debug: context.debug
         },
         keyName
       );
@@ -166,19 +168,29 @@ var useFetchOrigin = () => async (context, next) => {
 var appwardenOnCloudflare = (inputFn) => async (request, env, ctx) => {
   ctx.passThroughOnException();
   const requestUrl = new URL(request.url);
+  const parsedInput = ConfigFnInputSchema.safeParse(inputFn);
+  if (!parsedInput.success) {
+    const tempContext = {
+      request,
+      hostname: requestUrl.hostname,
+      response: new Response("Unhandled response"),
+      waitUntil: (fn) => ctx.waitUntil(fn),
+      debug: () => {
+      }
+      // no-op debug for error case
+    };
+    return insertErrorLogs(tempContext, parsedInput.error);
+  }
+  const input = parsedInput.data({ env, ctx, cf: {} });
   const context = {
     request,
     hostname: requestUrl.hostname,
     response: new Response("Unhandled response"),
     // https://developers.cloudflare.com/workers/observability/errors/#illegal-invocation-errors
-    waitUntil: (fn) => ctx.waitUntil(fn)
+    waitUntil: (fn) => ctx.waitUntil(fn),
+    debug: debug(input.debug ?? false)
   };
-  const parsedInput = ConfigFnInputSchema.safeParse(inputFn);
-  if (!parsedInput.success) {
-    return insertErrorLogs(context, parsedInput.error);
-  }
   try {
-    const input = parsedInput.data({ env, ctx, cf: {} });
     const pipeline = [useAppwarden(input), useFetchOrigin()];
     const cspConfig = input.multidomainConfig?.[requestUrl.hostname]?.contentSecurityPolicy;
     if (cspConfig) {

package/index.d.ts

@@ -1,5 +1,5 @@
 export { B as Bindings, C as CSPDirectivesSchema, a as CSPModeSchema } from './use-content-security-policy-DUYpyUPy.js';
-export { M as Middleware, u as useContentSecurityPolicy } from './use-content-security-policy-CjlLe4yU.js';
+export { M as Middleware, u as useContentSecurityPolicy } from './use-content-security-policy-Dvc-oObb.js';
 import { z } from 'zod';
 
 declare const LOCKDOWN_TEST_EXPIRY_MS: number;

package/index.js

@@ -5,14 +5,14 @@ import {
 } from "./chunk-QEFORWCW.js";
 import {
   useContentSecurityPolicy
-} from "./chunk-BYRGGUK7.js";
+} from "./chunk-AXWJZE7U.js";
 import {
   APPWARDEN_CACHE_KEY,
   CSPDirectivesSchema,
   CSPModeSchema,
   LOCKDOWN_TEST_EXPIRY_MS
 } from "./chunk-HCGLR3Z3.js";
-import "./chunk-ZBYVJ3HA.js";
+import "./chunk-GK6JL5NZ.js";
 export {
   APPWARDEN_CACHE_KEY,
   CSPDirectivesSchema,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appwarden/middleware",
-  "version": "3.3.0",
+  "version": "3.4.1",
   "description": "Instantly shut off access your app deployed on Cloudflare or Vercel",
   "type": "module",
   "license": "MIT",
@@ -108,7 +108,8 @@
       "devalue@<=5.6.2": ">=5.6.3",
       "minimatch@<10.2.1": ">=10.2.1",
       "tar@<7.5.8": ">=7.5.8",
-      "ajv@>=7.0.0-alpha.0 <8.18.0": ">=8.18.0"
+      "ajv@>=7.0.0-alpha.0 <8.18.0": ">=8.18.0",
+      "rollup@>=4.0.0 <4.59.0": ">=4.59.0"
     }
   }
 }

package/{use-content-security-policy-CjlLe4yU.d.ts → use-content-security-policy-Dvc-oObb.d.ts}

@@ -6,6 +6,7 @@ interface MiddlewareContext {
     request: Request;
     response: Response;
     waitUntil: ExecutionContext["waitUntil"];
+    debug: (...msg: any[]) => void;
 }
 type Middleware = (context: MiddlewareContext, next: () => MiddlewareNextSchemaType) => MiddlewareNextSchemaType;
 declare const MiddlewareNextSchema: z.ZodUnion<[z.ZodVoid, z.ZodNull, z.ZodPromise<z.ZodUnion<[z.ZodVoid, z.ZodNull]>>]>;

package/vercel.d.ts

@@ -4,6 +4,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
     cacheUrl: z.ZodString;
     appwardenApiToken: z.ZodString;
     vercelApiToken: z.ZodOptional<z.ZodString>;
+    debug: z.ZodOptional<z.ZodBoolean>;
     lockPageSlug: z.ZodEffects<z.ZodDefault<z.ZodString>, string, string | undefined>;
     contentSecurityPolicy: z.ZodOptional<z.ZodEffects<z.ZodObject<{
         mode: z.ZodDefault<z.ZodOptional<z.ZodUnion<[z.ZodLiteral<"disabled">, z.ZodLiteral<"report-only">, z.ZodLiteral<"enforced">]>>>;
@@ -376,6 +377,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
     lockPageSlug: string;
     appwardenApiToken: string;
     cacheUrl: string;
+    debug?: boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives?: {
@@ -411,6 +413,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
 }, {
     appwardenApiToken: string;
     cacheUrl: string;
+    debug?: boolean | undefined;
     lockPageSlug?: string | undefined;
     contentSecurityPolicy?: {
         mode?: "disabled" | "report-only" | "enforced" | undefined;
@@ -448,6 +451,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
     lockPageSlug: string;
     appwardenApiToken: string;
     cacheUrl: string;
+    debug?: boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives?: {
@@ -483,6 +487,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
 }, {
     appwardenApiToken: string;
     cacheUrl: string;
+    debug?: boolean | undefined;
     lockPageSlug?: string | undefined;
     contentSecurityPolicy?: {
         mode?: "disabled" | "report-only" | "enforced" | undefined;
@@ -520,6 +525,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
     lockPageSlug: string;
     appwardenApiToken: string;
     cacheUrl: string;
+    debug?: boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives?: {
@@ -555,6 +561,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
 }, {
     appwardenApiToken: string;
     cacheUrl: string;
+    debug?: boolean | undefined;
     lockPageSlug?: string | undefined;
     contentSecurityPolicy?: {
         mode?: "disabled" | "report-only" | "enforced" | undefined;
@@ -592,6 +599,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
     lockPageSlug: string;
     appwardenApiToken: string;
     cacheUrl: string;
+    debug?: boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives?: {
@@ -627,6 +635,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
 }, {
     appwardenApiToken: string;
     cacheUrl: string;
+    debug?: boolean | undefined;
     lockPageSlug?: string | undefined;
     contentSecurityPolicy?: {
         mode?: "disabled" | "report-only" | "enforced" | undefined;
@@ -664,6 +673,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
     lockPageSlug: string;
     appwardenApiToken: string;
     cacheUrl: string;
+    debug?: boolean | undefined;
     contentSecurityPolicy?: {
         mode: "disabled" | "report-only" | "enforced";
         directives?: {
@@ -699,6 +709,7 @@ declare const AppwardenConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodEffects<z.Zo
 }, {
     appwardenApiToken: string;
     cacheUrl: string;
+    debug?: boolean | undefined;
     lockPageSlug?: string | undefined;
     contentSecurityPolicy?: {
         mode?: "disabled" | "report-only" | "enforced" | undefined;

package/vercel.js

@@ -4,13 +4,14 @@ import {
 } from "./chunk-QEFORWCW.js";
 import {
   validateConfig
-} from "./chunk-7AVYENM2.js";
+} from "./chunk-MNGMTDH3.js";
 import {
   MemoryCache,
   TEMPORARY_REDIRECT_STATUS,
   buildLockPageUrl,
+  debug,
   isOnLockPage
-} from "./chunk-SUZPTFWY.js";
+} from "./chunk-EPJ4ZVO6.js";
 import {
   APPWARDEN_CACHE_KEY,
   CSPDirectivesSchema,
@@ -21,10 +22,9 @@ import {
 } from "./chunk-HCGLR3Z3.js";
 import {
   LockValue,
-  debug,
   makeCSPHeader,
   printMessage
-} from "./chunk-ZBYVJ3HA.js";
+} from "./chunk-GK6JL5NZ.js";
 
 // src/runners/appwarden-on-vercel.ts
 import { waitUntil } from "@vercel/functions";
@@ -106,7 +106,7 @@ var APIError = class extends Error {
   }
 };
 var syncEdgeValue = async (context) => {
-  debug(`syncing with api`);
+  context.debug("syncing with api");
   try {
     const response = await fetch(new URL("/v1/status/check", "https://api.appwarden.io"), {
       method: "POST",
@@ -173,6 +173,7 @@ var BaseNextJsConfigSchema = z.object({
   cacheUrl: z.string(),
   appwardenApiToken: z.string(),
   vercelApiToken: z.string().optional(),
+  debug: z.boolean().optional(),
   lockPageSlug: z.string().default("").transform((val) => val.replace(/^\/?/, "/")),
   contentSecurityPolicy: VercelCSPSchema.optional()
 });
@@ -224,7 +225,6 @@ var AppwardenConfigSchema = BaseNextJsConfigSchema.refine(
 });
 
 // src/runners/appwarden-on-vercel.ts
-debug("Instantiating isolate");
 var memoryCache = new MemoryCache({ maxSize: 1 });
 function safeWaitUntil(promise) {
   try {
@@ -239,6 +239,7 @@ function createAppwardenMiddleware(config) {
       return NextResponse.next();
     }
     const parsedConfig = AppwardenConfigSchema.parse(config);
+    const debugFn = debug(parsedConfig.debug ?? false);
     const applyCspHeaders = (response) => {
       const cspConfig = parsedConfig.contentSecurityPolicy;
       if (cspConfig && ["enforced", "report-only"].includes(cspConfig.mode)) {
@@ -254,26 +255,38 @@ function createAppwardenMiddleware(config) {
     try {
       const requestUrl = new URL(request.url);
       const isHTML = isHTMLRequest(request);
-      debug({ isHTMLRequest: isHTML, url: requestUrl.pathname });
+      debugFn(
+        `Appwarden middleware invoked for ${requestUrl.pathname}`,
+        `isHTML: ${isHTML}`
+      );
       if (!isHTML) {
+        debugFn("Non-HTML request detected - passing through");
         return NextResponse.next();
       }
       if (!parsedConfig.lockPageSlug) {
+        debugFn("No lockPageSlug configured - passing through");
         return NextResponse.next();
       }
       if (isOnLockPage(parsedConfig.lockPageSlug, request.url)) {
+        debugFn("Already on lock page - passing through");
         return NextResponse.next();
       }
       const provider = isCacheUrl.edgeConfig(parsedConfig.cacheUrl) ? "edge-config" : "upstash";
+      debugFn(`Using provider: ${provider}`);
       const cacheValue = memoryCache.get(APPWARDEN_CACHE_KEY);
       const shouldRecheck = MemoryCache.isExpired(cacheValue);
       if (!cacheValue || shouldRecheck) {
+        debugFn(
+          "Memory cache miss or expired - syncing edge value in background",
+          `shouldRecheck=${shouldRecheck}`
+        );
         safeWaitUntil(
           syncEdgeValue({
             requestUrl,
             cacheUrl: parsedConfig.cacheUrl,
             appwardenApiToken: parsedConfig.appwardenApiToken,
-            vercelApiToken: parsedConfig.vercelApiToken
+            vercelApiToken: parsedConfig.vercelApiToken,
+            debug: debugFn
           })
         );
       }
@@ -283,6 +296,9 @@ function createAppwardenMiddleware(config) {
         provider
       })).lockValue;
       if (lockValue?.isLocked) {
+        debugFn(
+          `Website is locked - redirecting to ${parsedConfig.lockPageSlug}`
+        );
         const lockPageUrl = buildLockPageUrl(
           parsedConfig.lockPageSlug,
           request.url
@@ -294,8 +310,13 @@ function createAppwardenMiddleware(config) {
         return applyCspHeaders(redirectResponse);
       }
       const response = NextResponse.next();
+      debugFn("Site is not locked - passing through");
       return applyCspHeaders(response);
     } catch (e) {
+      debugFn(
+        "Error in Appwarden Vercel middleware",
+        e instanceof Error ? e.message : String(e)
+      );
       const message = "Appwarden encountered an unknown error. Please contact Appwarden support at https://appwarden.io/join-community.";
       if (e instanceof Error) {
         if (!globalErrors.includes(e.message)) {