@arcjet/node 1.0.0-beta.1 → 1.0.0-beta.11

package/README.md

@@ -25,6 +25,9 @@ This is the [Arcjet][arcjet] SDK for [Node.js][node-js].
 **Looking for our Next.js framework SDK?** Check out the
 [`@arcjet/next`][alt-sdk] package.
 
+- [npm package (`@arcjet/node`)](https://www.npmjs.com/package/@arcjet/node)
+- [GitHub source code (`arcjet-node/` in `arcjet/arcjet-js`)](https://github.com/arcjet/arcjet-js/tree/main/arcjet-node)
+
 ## Getting started
 
 Visit the [quick start guide][quick-start] to get started.
@@ -34,111 +37,83 @@ Visit the [quick start guide][quick-start] to get started.
 Try an Arcjet protected app live at [https://example.arcjet.com][example-url]
 ([source code][example-source]).
 
-## Installation
-
-```shell
-npm install -S @arcjet/node
-```
-
-## Rate limit example
-
-The example below applies a token bucket rate limit rule to a route where we
-identify the user based on their ID e.g. if they are logged in. The bucket is
-configured with a maximum capacity of 10 tokens and refills by 5 tokens every 10
-seconds. Each request consumes 5 tokens.
+## What is this?
 
-Bot detection is also enabled to block requests from known bots.
+This is our adapter to integrate Arcjet into Node.js.
+Arcjet helps you secure your Node server.
+This package exists so that we can provide the best possible experience to
+Node users.
 
-```ts
-import arcjet, { tokenBucket, detectBot } from "@arcjet/node";
-import http from "node:http";
+## When should I use this?
 
-const aj = arcjet({
-  key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
-  characteristics: ["userId"], // track requests by a custom user ID
-  rules: [
-    // Create a token bucket rate limit. Other algorithms are supported.
-    tokenBucket({
-      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
-      refillRate: 5, // refill 5 tokens per interval
-      interval: 10, // refill every 10 seconds
-      capacity: 10, // bucket maximum capacity of 10 tokens
-    }),
-    detectBot({
-      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
-      // configured with a list of bots to allow from
-      // https://arcjet.com/bot-list
-      allow: [], // "allow none" will block all detected bots
-    }),
-  ],
-});
+You can use this if you are using Node.js.
+See our [_Get started_ guide][arcjet-get-started] for other supported
+frameworks and runtimes.
 
-const server = http.createServer(async function (
-  req: http.IncomingMessage,
-  res: http.ServerResponse,
-) {
-  const userId = "user123"; // Replace with your authenticated user ID
-  const decision = await aj.protect(req, { userId, requested: 5 }); // Deduct 5 tokens from the bucket
-  console.log("Arcjet decision", decision);
+## Install
 
-  if (decision.isDenied()) {
-    res.writeHead(403, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: "Forbidden" }));
-  } else {
-    res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ message: "Hello world" }));
-  }
-});
+This package is ESM only.
+Install with npm in Node.js:
 
-server.listen(8000);
+```sh
+npm install @arcjet/node
 ```
 
-## Shield example
-
-[Arcjet Shield][shield-concepts-docs] protects your application against common
-attacks, including the OWASP Top 10. You can run Shield on every request with
-negligible performance impact.
+## Use
 
 ```ts
-import arcjet, { shield } from "@arcjet/node";
 import http from "node:http";
+import arcjet, { shield } from "@arcjet/node";
+
+// Get your Arcjet key at <https://app.arcjet.com>.
+// Set it as an environment variable instead of hard coding it.
+const arcjetKey = process.env.ARCJET_KEY;
+
+if (!arcjetKey) {
+  throw new Error("Cannot find `ARCJET_KEY` environment variable");
+}
 
 const aj = arcjet({
-  key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
+  key: arcjetKey,
   rules: [
-    shield({
-      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
-    }),
+    // Shield protects your app from common attacks.
+    // Use `DRY_RUN` instead of `LIVE` to only log.
+    shield({ mode: "LIVE" }),
   ],
 });
 
 const server = http.createServer(async function (
-  req: http.IncomingMessage,
-  res: http.ServerResponse,
+  request: http.IncomingMessage,
+  response: http.ServerResponse,
 ) {
-  const decision = await aj.protect(req);
+  const decision = await aj.protect(request);
 
   if (decision.isDenied()) {
-    res.writeHead(403, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: "Forbidden" }));
-  } else {
-    res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ message: "Hello world" }));
+    response.writeHead(403, { "Content-Type": "application/json" });
+    response.end(JSON.stringify({ message: "Forbidden" }));
+    return;
   }
+
+  response.writeHead(200, { "Content-Type": "application/json" });
+  response.end(JSON.stringify({ message: "Hello world" }));
 });
 
 server.listen(8000);
 ```
 
+For more on how to configure Arcjet with Node.js and how to protect Node,
+see the [Arcjet Node.js SDK reference][arcjet-reference-node] on our website.
+
 ## License
 
-Licensed under the [Apache License, Version 2.0][apache-license].
+[Apache License, Version 2.0][apache-license] © [Arcjet Labs, Inc.][arcjet]
 
+[arcjet-get-started]: https://docs.arcjet.com/get-started
+[arcjet-reference-node]: https://docs.arcjet.com/reference/nodejs
 [arcjet]: https://arcjet.com
 [node-js]: https://nodejs.org/
 [alt-sdk]: https://www.npmjs.com/package/@arcjet/next
 [example-url]: https://example.arcjet.com
 [quick-start]: https://docs.arcjet.com/get-started/nodejs
 [example-source]: https://github.com/arcjet/arcjet-js-example
-[shield-concepts-docs]: https://docs.arcjet.com/shield/concepts
 [apache-license]: http://www.apache.org/licenses/LICENSE-2.0

package/index.d.ts

@@ -10,66 +10,168 @@ type WithoutCustomProps = {
 type PlainObject = {
     [key: string]: unknown;
 };
+/**
+ * Configuration for {@linkcode createRemoteClient}.
+ */
 export type RemoteClientOptions = {
+    /**
+     * Base URI for HTTP requests to Decide API (optional).
+     *
+     * Defaults to the environment variable `ARCJET_BASE_URL` (if that value
+     * is known and allowed) and the standard production API otherwise.
+     */
     baseUrl?: string;
+    /**
+     * Timeout in milliseconds for the Decide API (optional).
+     *
+     * Defaults to `500` in production and `1000` in development.
+     */
     timeout?: number;
 };
+/**
+ * Create a remote client.
+ *
+ * @param options
+ *   Configuration (optional).
+ * @returns
+ *   Client.
+ */
 export declare function createRemoteClient(options?: RemoteClientOptions): import("@arcjet/protocol/client.js").Client;
 type EventHandlerLike = (event: string, listener: (...args: any[]) => void) => void;
+/**
+ * Request for the Node.js integration of Arcjet.
+ *
+ * This is the minimum interface similar to `http.IncomingMessage`.
+ */
 export interface ArcjetNodeRequest {
+    /**
+     * Headers of the request.
+     */
     headers?: Record<string, string | string[] | undefined>;
+    /**
+     * `net.Socket` object associated with the connection.
+     *
+     * See <https://nodejs.org/api/http.html#messagesocket>.
+     */
     socket?: Partial<{
         remoteAddress: string;
         encrypted: boolean;
     }>;
+    /**
+     * HTTP method of the request.
+     */
     method?: string;
+    /**
+     * HTTP version sent by the client.
+     *
+     * See <https://nodejs.org/api/http.html#messagehttpversion>.
+     */
     httpVersion?: string;
+    /**
+     * URL.
+     */
     url?: string;
+    /**
+     * Request body.
+     */
     body?: unknown;
+    /**
+     * Add event handlers.
+     *
+     * This field is available through `stream.Readable` from `EventEmitter`.
+     *
+     * See <https://nodejs.org/api/events.html#emitteroneventname-listener>.
+     */
     on?: EventHandlerLike;
+    /**
+     * Remove event handlers.
+     *
+     * This field is available through `stream.Readable` from `EventEmitter`.
+     *
+     * See <https://nodejs.org/api/events.html#emitterremovelistenereventname-listener>.
+     */
     removeListener?: EventHandlerLike;
+    /**
+     * Whether the readable stream is readable.
+     *
+     * This field is available from `stream.Readable`.
+     *
+     * See <https://nodejs.org/api/stream.html#readablereadable>.
+     */
     readable?: boolean;
 }
 /**
- * The options used to configure an {@link ArcjetNode} client.
+ * Configuration for the Node.js integration of Arcjet.
+ *
+ * @template Rules
+ *   List of rules.
+ * @template Characteristics
+ *   Characteristics to track a user by.
  */
 export type ArcjetOptions<Rules extends [...Array<Primitive | Product>], Characteristics extends readonly string[]> = Simplify<CoreOptions<Rules, Characteristics> & {
     /**
-     * One or more IP Address of trusted proxies in front of the application.
-     * These addresses will be excluded when Arcjet detects a public IP address.
+     * IP addresses and CIDR ranges of trusted load balancers and proxies
+     * (optional, example: `["100.100.100.100", "100.100.100.0/24"]`).
      */
     proxies?: Array<string>;
 }>;
 /**
- * The ArcjetNode client provides a public `protect()` method to
- * make a decision about how a Node.js request should be handled.
+ * Instance of the Node.js integration of Arcjet.
+ *
+ * Primarily has a `protect()` method to make a decision about how a Node request
+ * should be handled.
+ *
+ * @template Props
+ *   Configuration.
  */
 export interface ArcjetNode<Props extends PlainObject> {
     /**
-     * Runs a request through the configured protections. The request is
-     * analyzed and then a decision made on whether to allow, deny, or challenge
-     * the request.
+     * Make a decision about how to handle a request.
+     *
+     * This will analyze the request locally where possible and otherwise call
+     * the Arcjet decision API.
      *
-     * @param req - An `IncomingMessage` provided to the request handler.
-     * @param props - Additonal properties required for running rules against a request.
-     * @returns An {@link ArcjetDecision} indicating Arcjet's decision about the request.
+     * @param request
+     *   Details about the {@linkcode ArcjetNodeRequest} that Arcjet needs to make a
+     *   decision.
+     * @param props
+     *   Additional properties required for running rules against a request.
+     * @returns
+     *   Promise that resolves to an {@linkcode ArcjetDecision} indicating
+     *   Arcjet’s decision about the request.
      */
     protect(request: ArcjetNodeRequest, ...props: Props extends WithoutCustomProps ? [] : [Props]): Promise<ArcjetDecision>;
     /**
-     * Augments the client with another rule. Useful for varying rules based on
-     * criteria in your handler—e.g. different rate limit for logged in users.
+     * Augment the client with another rule.
      *
-     * @param rule The rule to add to this execution.
-     * @returns An augmented {@link ArcjetNode} client.
+     * Useful for varying rules based on criteria in your handler such as
+     * different rate limit for logged in users.
+     *
+     * @template Rule
+     *   Type of rule.
+     * @param rule
+     *   Rule to add to Arcjet.
+     * @returns
+     *   Arcjet instance augmented with the given rule.
      */
     withRule<Rule extends Primitive | Product>(rule: Rule): ArcjetNode<Simplify<Props & ExtraProps<Rule>>>;
 }
 /**
- * Create a new {@link ArcjetNode} client. Always build your initial client
- * outside of a request handler so it persists across requests. If you need to
- * augment a client inside a handler, call the `withRule()` function on the base
- * client.
+ * Create a new Node.js integration of Arcjet.
+ *
+ * > 👉 **Tip**:
+ * > build your initial base client with as many rules as possible outside of a
+ * > request handler;
+ * > if you need more rules inside handlers later then you can call `withRule()`
+ * > on that base client.
  *
- * @param options - Arcjet configuration options to apply to all requests.
+ * @template Rules
+ *   List of rules.
+ * @template Characteristics
+ *   Characteristics to track a user by.
+ * @param options
+ *   Configuration.
+ * @returns
+ *   Node.js integration of Arcjet.
  */
 export default function arcjet<const Rules extends (Primitive | Product)[], const Characteristics extends readonly string[]>(options: ArcjetOptions<Rules, Characteristics>): ArcjetNode<Simplify<ExtraProps<Rules> & CharacteristicProps<Characteristics>>>;

package/index.js

@@ -1,13 +1,45 @@
 import core__default from 'arcjet';
 export * from 'arcjet';
-import findIP from '@arcjet/ip';
-import ArcjetHeaders from '@arcjet/headers';
-import { logLevel, baseUrl, isDevelopment, platform } from '@arcjet/env';
+import findIp, { parseProxy } from '@arcjet/ip';
+import { ArcjetHeaders } from '@arcjet/headers';
+import { logLevel, isDevelopment, baseUrl, platform } from '@arcjet/env';
 import { Logger } from '@arcjet/logger';
 import { createClient } from '@arcjet/protocol/client.js';
 import { createTransport } from '@arcjet/transport';
 import { readBody } from '@arcjet/body';
 
+// An object with getters that access the `process.env.SOMEVAR` values directly.
+// This allows bundlers to replace the dot-notation access with string literals
+// while still allowing dynamic access in runtime environments.
+const env = {
+    get FLY_APP_NAME() {
+        return process.env.FLY_APP_NAME;
+    },
+    get VERCEL() {
+        return process.env.VERCEL;
+    },
+    get RENDER() {
+        return process.env.RENDER;
+    },
+    get MODE() {
+        return process.env.MODE;
+    },
+    get NODE_ENV() {
+        return process.env.NODE_ENV;
+    },
+    get ARCJET_KEY() {
+        return process.env.ARCJET_KEY;
+    },
+    get ARCJET_ENV() {
+        return process.env.ARCJET_ENV;
+    },
+    get ARCJET_LOG_LEVEL() {
+        return process.env.ARCJET_LOG_LEVEL;
+    },
+    get ARCJET_BASE_URL() {
+        return process.env.ARCJET_BASE_URL;
+    },
+};
 // TODO: Deduplicate with other packages
 function errorMessage(err) {
     if (err) {
@@ -22,17 +54,21 @@ function errorMessage(err) {
     }
     return "Unknown problem";
 }
+/**
+ * Create a remote client.
+ *
+ * @param options
+ *   Configuration (optional).
+ * @returns
+ *   Client.
+ */
 function createRemoteClient(options) {
-    // The base URL for the Arcjet API. Will default to the standard production
-    // API unless environment variable `ARCJET_BASE_URL` is set.
-    const url = options?.baseUrl ?? baseUrl(process.env);
-    // The timeout for the Arcjet API in milliseconds. This is set to a low value
-    // in production so calls fail open.
-    const timeout = options?.timeout ?? (isDevelopment(process.env) ? 1000 : 500);
+    const url = options?.baseUrl ?? baseUrl(env);
+    const timeout = options?.timeout ?? (isDevelopment(env) ? 1000 : 500);
     // Transport is the HTTP client that the client uses to make requests.
     const transport = createTransport(url);
     const sdkStack = "NODEJS";
-    const sdkVersion = "1.0.0-beta.1";
+    const sdkVersion = "1.0.0-beta.11";
     return createClient({
         transport,
         baseUrl: url,
@@ -52,34 +88,49 @@ function cookiesToString(cookies) {
     return cookies;
 }
 /**
- * Create a new {@link ArcjetNode} client. Always build your initial client
- * outside of a request handler so it persists across requests. If you need to
- * augment a client inside a handler, call the `withRule()` function on the base
- * client.
+ * Create a new Node.js integration of Arcjet.
  *
- * @param options - Arcjet configuration options to apply to all requests.
+ * > 👉 **Tip**:
+ * > build your initial base client with as many rules as possible outside of a
+ * > request handler;
+ * > if you need more rules inside handlers later then you can call `withRule()`
+ * > on that base client.
+ *
+ * @template Rules
+ *   List of rules.
+ * @template Characteristics
+ *   Characteristics to track a user by.
+ * @param options
+ *   Configuration.
+ * @returns
+ *   Node.js integration of Arcjet.
  */
 function arcjet(options) {
     const client = options.client ?? createRemoteClient();
     const log = options.log
         ? options.log
         : new Logger({
-            level: logLevel(process.env),
+            level: logLevel(env),
         });
+    const proxies = Array.isArray(options.proxies)
+        ? options.proxies.map(parseProxy)
+        : undefined;
+    if (isDevelopment(env)) {
+        log.warn("Arcjet will use 127.0.0.1 when missing public IP address in development mode");
+    }
     function toArcjetRequest(request, props) {
         // We pull the cookies from the request before wrapping them in ArcjetHeaders
         const cookies = cookiesToString(request.headers?.cookie);
         // We construct an ArcjetHeaders to normalize over Headers
         const headers = new ArcjetHeaders(request.headers);
-        let ip = findIP({
+        let ip = findIp({
             socket: request.socket,
             headers,
-        }, { platform: platform(process.env), proxies: options.proxies });
+        }, { platform: platform(env), proxies });
         if (ip === "") {
             // If the `ip` is empty but we're in development mode, we default the IP
             // so the request doesn't fail.
-            if (isDevelopment(process.env)) {
-                log.warn("Using 127.0.0.1 as IP address in development mode");
+            if (isDevelopment(env)) {
                 ip = "127.0.0.1";
             }
             else {

package/package.json

@@ -1,7 +1,19 @@
 {
   "name": "@arcjet/node",
-  "version": "1.0.0-beta.1",
+  "version": "1.0.0-beta.11",
   "description": "Arcjet SDK for Node.js",
+  "keywords": [
+    "analyze",
+    "arcjet",
+    "attack",
+    "limit",
+    "nodejs",
+    "node",
+    "protect",
+    "secure",
+    "security",
+    "verify"
+  ],
   "license": "Apache-2.0",
   "homepage": "https://arcjet.com",
   "repository": {
@@ -25,37 +37,32 @@
   "main": "./index.js",
   "types": "./index.d.ts",
   "files": [
-    "LICENSE",
-    "README.md",
-    "*.js",
-    "*.d.ts",
-    "!*.config.js"
+    "index.d.ts",
+    "index.js"
   ],
   "scripts": {
-    "prepublishOnly": "npm run build",
     "build": "rollup --config rollup.config.js",
     "lint": "eslint .",
-    "pretest": "npm run build",
-    "test": "node --test --experimental-test-coverage"
+    "prepublishOnly": "npm run build",
+    "test": "npm run build && npm run lint"
   },
   "dependencies": {
-    "@arcjet/env": "1.0.0-beta.1",
-    "@arcjet/headers": "1.0.0-beta.1",
-    "@arcjet/ip": "1.0.0-beta.1",
-    "@arcjet/logger": "1.0.0-beta.1",
-    "@arcjet/protocol": "1.0.0-beta.1",
-    "@arcjet/transport": "1.0.0-beta.1",
-    "@arcjet/body": "1.0.0-beta.1",
-    "arcjet": "1.0.0-beta.1"
+    "@arcjet/env": "1.0.0-beta.11",
+    "@arcjet/headers": "1.0.0-beta.11",
+    "@arcjet/ip": "1.0.0-beta.11",
+    "@arcjet/logger": "1.0.0-beta.11",
+    "@arcjet/protocol": "1.0.0-beta.11",
+    "@arcjet/transport": "1.0.0-beta.11",
+    "@arcjet/body": "1.0.0-beta.11",
+    "arcjet": "1.0.0-beta.11"
   },
   "devDependencies": {
-    "@arcjet/eslint-config": "1.0.0-beta.1",
-    "@arcjet/rollup-config": "1.0.0-beta.1",
-    "@arcjet/tsconfig": "1.0.0-beta.1",
-    "@types/node": "18.18.0",
-    "@rollup/wasm-node": "4.30.1",
-    "expect": "29.7.0",
-    "typescript": "5.7.3"
+    "@arcjet/eslint-config": "1.0.0-beta.11",
+    "@arcjet/rollup-config": "1.0.0-beta.11",
+    "@types/node": "24.3.0",
+    "@rollup/wasm-node": "4.50.0",
+    "eslint": "9.34.0",
+    "typescript": "5.9.2"
   },
   "publishConfig": {
     "access": "public",