@appwarden/middleware 3.8.0 → 3.9.0

package/README.md

@@ -4,7 +4,7 @@
 [![GitHub](https://img.shields.io/badge/GitHub-appwarden%2Fmiddleware-181717?logo=github&logoColor=white)](https://github.com/appwarden/middleware)
 [![npm version](https://img.shields.io/npm/v/@appwarden/middleware.svg)](https://www.npmjs.com/package/@appwarden/middleware)
 [![npm provenance](https://img.shields.io/badge/npm-provenance-green)](https://docs.npmjs.com/generating-provenance-statements)
-![Test Coverage](https://img.shields.io/badge/coverage-92%25-brightgreen)
+![Test Coverage](https://img.shields.io/badge/coverage-92.72%25-brightgreen)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
 ## Core Features
@@ -39,11 +39,13 @@ The path or route (for example, `/maintenance`) to redirect users to when the do
 This should be a working page on your site, such as a maintenance or status page, that
 explains why the website is temporarily unavailable.
 
-### `contentSecurityPolicy`
+### `contentSecurityPolicy` (optional)
 
-Controls the [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) headers that Appwarden adds.
+Controls the [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) headers that Appwarden adds. This configuration is optional—if not provided, no CSP header will be applied.
 
-- `mode` (optional) controls how the CSP is applied:
+When provided, both `mode` and `directives` are required:
+
+- `mode` controls how the CSP is applied:
   - `"disabled"` – no CSP header is sent.
   - `"report-only"` – sends the `Content-Security-Policy-Report-Only` header so violations are
     reported (for example in the browser console) but not blocked.
@@ -52,7 +54,7 @@ Controls the [Content Security Policy](https://developer.mozilla.org/en-US/docs/
   When developing or iterating on your CSP, we recommend starting with `"report-only"` so you can
   identify and fix violations before switching to `"enforced"`.
 
-- `directives` (optional) is an object whose keys are CSP directive names and whose values are
+- `directives` is an object whose keys are CSP directive names and whose values are
   arrays of allowed sources. For example:
 
   ```ts
@@ -60,6 +62,7 @@ Controls the [Content Security Policy](https://developer.mozilla.org/en-US/docs/
     mode: "enforced",
     directives: {
       "script-src": ["'self'", "{{nonce}}"],
+      "style-src": ["'self'", "{{nonce}}"],
     },
   }
   ```
@@ -108,7 +111,7 @@ The **Universal Middleware** (`@appwarden/middleware/cloudflare`) is the recomme
 import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare"
 
 const appwardenHandler = createAppwardenMiddleware((cloudflare) => ({
-  debug: cloudflare.env.DEBUG === "true",
+  debug: cloudflare.env.DEBUG,
   lockPageSlug: cloudflare.env.LOCK_PAGE_SLUG,
   appwardenApiToken: cloudflare.env.APPWARDEN_API_TOKEN,
   contentSecurityPolicy: {
@@ -142,12 +145,12 @@ import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare/astr
 const appwarden = createAppwardenMiddleware((cloudflare) => ({
   lockPageSlug: cloudflare.env.APPWARDEN_LOCK_PAGE_SLUG,
   appwardenApiToken: cloudflare.env.APPWARDEN_API_TOKEN,
-  debug: cloudflare.env.APPWARDEN_DEBUG === "true",
+  debug: cloudflare.env.DEBUG,
   contentSecurityPolicy: {
-    mode: "enforced",
+    // See Configuration > contentSecurityPolicy section for details
+    mode: "report-only",
     directives: {
-      "script-src": ["'self'", "{{nonce}}"],
-      "style-src": ["'self'", "{{nonce}}"],
+      "default-src": ["'self'"],
     },
   },
 }))
@@ -159,55 +162,59 @@ See the [Astro + Cloudflare guide](https://appwarden.io/docs/guides/astro-cloudf
 
 ##### React Router on Cloudflare
 
+- Set `future.v8_middleware: true` in your `react-router.config.ts` file
+
 ```ts
 // app/root.tsx
+import { env } from "cloudflare:workers"
 import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare/react-router"
 
-export const unstable_middleware = [
-  createAppwardenMiddleware(({ env }) => ({
+export const middleware = [
+  createAppwardenMiddleware(() => ({
     lockPageSlug: env.APPWARDEN_LOCK_PAGE_SLUG,
     appwardenApiToken: env.APPWARDEN_API_TOKEN,
     // "debug" can be a string or boolean; the schema will normalize it
-    debug: env.APPWARDEN_DEBUG,
+    debug: env.DEBUG,
     // "directives" can be a JSON string or an object; the schema will parse it
     contentSecurityPolicy: {
-      mode: "enforced",
-      directives: env.APPWARDEN_CSP_DIRECTIVES,
+      // See Configuration > contentSecurityPolicy section for details
+      mode: "report-only",
+      directives: {
+        "default-src": ["'self'"],
+      },
     },
   })),
 ]
 ```
 
-See the [React Router + Cloudflare guide](https://appwarden.io/docs/guides/react-router-cloudflare) for full usage and context setup.
+See the [React Router + Cloudflare guide](https://appwarden.io/docs/guides/react-router-cloudflare) for more details.
 
 ##### TanStack Start on Cloudflare
 
 ```ts
 // start.ts
 import { createMiddleware } from "@tanstack/start"
-import { env, waitUntil } from "cloudflare:workers"
+import { env } from "cloudflare:workers"
 import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare/tanstack-start"
 
-const appwardenMiddleware = createAppwardenMiddleware(({ env }) => ({
-  lockPageSlug: env.APPWARDEN_LOCK_PAGE_SLUG,
-  appwardenApiToken: env.APPWARDEN_API_TOKEN,
-  debug: env.APPWARDEN_DEBUG, // Accepts string or boolean
-  contentSecurityPolicy: {
-    mode: "enforced",
-    directives: {
-      "script-src": ["'self'", "{{nonce}}"],
-      "style-src": ["'self'", "{{nonce}}"],
+const appwardenMiddleware = createMiddleware().server(
+  createAppwardenMiddleware(() => ({
+    lockPageSlug: env.APPWARDEN_LOCK_PAGE_SLUG,
+    appwardenApiToken: env.APPWARDEN_API_TOKEN,
+    debug: env.DEBUG, // Accepts string or boolean
+    contentSecurityPolicy: {
+      // See Configuration > contentSecurityPolicy section for details
+      mode: "report-only",
+      directives: {
+        "default-src": ["'self'"],
+      },
     },
-  },
-}))
+  })),
+)
 
-export default createMiddleware().server(async ({ next, request }) => {
-  return await appwardenMiddleware({
-    request,
-    next,
-    context: { env, waitUntil },
-  })
-})
+export const startInstance = createStart(() => ({
+  requestMiddleware: [appwardenMiddleware],
+}))
 ```
 
 See the [TanStack Start + Cloudflare guide](https://appwarden.io/docs/guides/tanstack-start-cloudflare) for more details.
@@ -225,13 +232,13 @@ export const config = {
 export default createAppwardenMiddleware((cloudflare) => ({
   lockPageSlug: cloudflare.env.APPWARDEN_LOCK_PAGE_SLUG,
   appwardenApiToken: cloudflare.env.APPWARDEN_API_TOKEN,
-  debug: cloudflare.env.APPWARDEN_DEBUG === "true",
+  debug: cloudflare.env.DEBUG,
   // Headers-only CSP (no HTML rewriting, no nonce support; do not use `{{nonce}}` here)
   contentSecurityPolicy: {
-    mode: "report-only",
+    // See Configuration > contentSecurityPolicy section for details
+    mode: "enforced",
     directives: {
-      "script-src": ["'self'"],
-      "style-src": ["'self'", "'unsafe-inline'"],
+      "default-src": ["'self'"],
     },
   },
 }))
@@ -246,25 +253,22 @@ To use Appwarden as Vercel Edge Middleware, use the `@appwarden/middleware/verce
 ```ts
 // middleware.ts (Next.js app on Vercel)
 import { createAppwardenMiddleware } from "@appwarden/middleware/vercel"
-import type { VercelMiddlewareFunction } from "@appwarden/middleware/vercel"
-
-const appwardenMiddleware: VercelMiddlewareFunction = createAppwardenMiddleware(
-  {
-    // Edge Config or Upstash KV URL
-    cacheUrl: process.env.APPWARDEN_CACHE_URL!,
-    // Required when using Vercel Edge Config
-    vercelApiToken: process.env.APPWARDEN_VERCEL_API_TOKEN!,
-    appwardenApiToken: process.env.APPWARDEN_API_TOKEN!,
-    lockPageSlug: "/maintenance",
-    contentSecurityPolicy: {
-      mode: "report-only",
-      directives: {
-        "script-src": ["'self'"],
-        "style-src": ["'self'", "'unsafe-inline'"],
-      },
+
+const appwardenMiddleware = createAppwardenMiddleware({
+  // Edge Config or Upstash KV URL
+  cacheUrl: process.env.APPWARDEN_CACHE_URL!,
+  // Required when using Vercel Edge Config
+  vercelApiToken: process.env.APPWARDEN_VERCEL_API_TOKEN!,
+  appwardenApiToken: process.env.APPWARDEN_API_TOKEN!,
+  lockPageSlug: "/maintenance",
+  contentSecurityPolicy: {
+    // See Configuration > contentSecurityPolicy section for details
+    mode: "report-only",
+    directives: {
+      "default-src": ["'self'"],
     },
   },
-)
+})
 
 export default appwardenMiddleware
 ```
@@ -293,7 +297,6 @@ Contributions are welcome! Please feel free to submit a Pull Request.
      - `fix: resolve issue with X`
      - `docs: update README`
      - `chore: update dependencies`
-     - `refactor: improve code structure`
      - `test: add tests for feature X`
 4. Push to the branch (`git push origin feature/amazing-feature`)
 5. Open a Pull Request

package/{chunk-G5FWKV2Q.js → chunk-MYIKUPTR.js}

@@ -1,17 +1,17 @@
 import {
   MemoryCache,
   debug
-} from "./chunk-EPJ4ZVO6.js";
+} from "./chunk-Z7FIMIZS.js";
 import {
   APPWARDEN_CACHE_KEY,
   APPWARDEN_TEST_ROUTE
-} from "./chunk-HCGLR3Z3.js";
+} from "./chunk-UIIYORBW.js";
 import {
   deleteEdgeValue,
   getLockValue,
   store,
   syncEdgeValue
-} from "./chunk-GK6JL5NZ.js";
+} from "./chunk-QGXPAVOA.js";
 
 // src/core/check-lock-status.ts
 var createContext = async (config) => {

package/{chunk-GK6JL5NZ.js → chunk-QGXPAVOA.js}

@@ -116,8 +116,7 @@ var AppwardenApiTokenSchema = z.string().refine((val) => !!val, { message: "appw
 var LockValue = z.object({
   isLocked: z.number(),
   isLockedTest: z.number(),
-  lastCheck: z.number(),
-  code: z.string()
+  lastCheck: z.number()
 });
 
 // src/utils/errors.ts
@@ -160,8 +159,7 @@ var getLockValue = async (context) => {
     let cacheResponse, lockValue = {
       isLocked: 0,
       isLockedTest: 0,
-      lastCheck: Date.now(),
-      code: ""
+      lastCheck: Date.now()
     };
     switch (context.provider) {
       case "cloudflare-cache": {
@@ -259,7 +257,7 @@ var syncEdgeValue = async (context) => {
   const apiHostname = context.appwardenApiHostname ?? DEFAULT_API_HOSTNAME;
   context.debug(`GET ${apiHostname}`);
   try {
-    const response = await fetch(new URL("/v1/status/check", apiHostname), {
+    const response = await fetch(new URL("/v1/appwarden/status", apiHostname), {
       method: "POST",
       headers: { "content-type": "application/json" },
       body: JSON.stringify({

package/{chunk-HCGLR3Z3.js → chunk-UIIYORBW.js}

@@ -57,10 +57,10 @@ var CSPModeSchema = z2.union([
   z2.literal("disabled"),
   z2.literal("report-only"),
   z2.literal("enforced")
-]).optional().default("disabled");
+]);
 var UseCSPInputSchema = z2.object({
   mode: CSPModeSchema,
-  directives: CSPDirectivesSchema.optional().refine(
+  directives: CSPDirectivesSchema.refine(
     (val) => {
       try {
         if (typeof val === "string") {
@@ -75,13 +75,7 @@ var UseCSPInputSchema = z2.object({
   ).transform(
     (val) => typeof val === "string" ? JSON.parse(val) : val
   )
-}).refine(
-  (values) => (
-    // validate that directives are provided when the mode is "report-only" or "enforced"
-    ["report-only", "enforced"].includes(values.mode) ? !!values.directives : true
-  ),
-  { path: ["directives"], message: "DirectivesRequired" /* DirectivesRequired */ }
-);
+});
 
 export {
   LOCKDOWN_TEST_EXPIRY_MS,

package/{chunk-52NBQDQT.js → chunk-VSCXTBP6.js}

@@ -1,10 +1,10 @@
 import {
   UseCSPInputSchema,
   isHTMLResponse
-} from "./chunk-HCGLR3Z3.js";
+} from "./chunk-UIIYORBW.js";
 import {
   makeCSPHeader
-} from "./chunk-GK6JL5NZ.js";
+} from "./chunk-QGXPAVOA.js";
 
 // src/middlewares/use-content-security-policy.ts
 var AppendAttribute = (attribute, nonce) => ({

package/{chunk-EPJ4ZVO6.js → chunk-Z7FIMIZS.js}

@@ -1,9 +1,9 @@
 import {
   LOCKDOWN_TEST_EXPIRY_MS
-} from "./chunk-HCGLR3Z3.js";
+} from "./chunk-UIIYORBW.js";
 import {
   printMessage
-} from "./chunk-GK6JL5NZ.js";
+} from "./chunk-QGXPAVOA.js";
 
 // src/utils/build-lock-page-url.ts
 function normalizeLockPageSlug(lockPageSlug) {