@arcote.tech/arc-host 0.3.4 → 0.4.1

package/src/arc-host.ts

@@ -1,858 +0,0 @@
-import type { ArcRouteAny } from "@arcote.tech/arc";
-import { liveQuery } from "@arcote.tech/arc";
-import type { Server, ServerWebSocket } from "bun";
-import jwt from "jsonwebtoken";
-import { ConnectionManager } from "./connection-manager";
-import { ContextHandler } from "./context-handler";
-import { filterEventsForToken } from "./event-auth";
-import type {
-  ArcHostConfig,
-  ClientToHostMessage,
-  HostToClientMessage,
-  TokenPayload,
-} from "./types";
-
-type WebSocketData = {
-  clientId: string;
-  token: TokenPayload | null;
-  rawToken: string | null;
-};
-
-/**
- * Active SSE stream connection
- */
-interface StreamConnection {
-  id: string;
-  controller: ReadableStreamDefaultController<Uint8Array>;
-  unsubscribe: () => void;
-}
-
-/**
- * Arc Host - WebSocket server for real-time event sync
- */
-export class ArcHost {
-  private server!: Server<WebSocketData>;
-  private connectionManager = new ConnectionManager();
-  private contextHandler!: ContextHandler;
-  private streamConnections = new Map<string, StreamConnection>();
-  private jwtSecret: string;
-  private port: number;
-  private streamIdCounter = 0;
-
-  constructor(private config: ArcHostConfig) {
-    this.jwtSecret =
-      config.jwtSecret ||
-      process.env.JWT_SECRET ||
-      "arc-host-secret-change-in-production";
-    this.port = config.port || 5005;
-  }
-
-  /**
-   * Start the host server
-   */
-  async start(): Promise<void> {
-    // Initialize context handler
-    const dbAdapter = this.config.dbAdapterFactory(this.config.context);
-    this.contextHandler = new ContextHandler(this.config.context, dbAdapter);
-    await this.contextHandler.init();
-
-    this.setupServer();
-  }
-
-  /**
-   * Verify JWT token
-   * Supports both standard JWT (jsonwebtoken) and Arc's custom JWT format
-   */
-  private verifyToken(token: string): TokenPayload | null {
-    try {
-      // Try standard JWT first
-      const decoded = jwt.verify(token, this.jwtSecret) as any;
-
-      // Handle Arc's custom JWT format (tokenName -> tokenType)
-      if (decoded.tokenName && !decoded.tokenType) {
-        return {
-          tokenType: decoded.tokenName,
-          params: decoded.params || {},
-          iat: decoded.iat,
-          exp: decoded.exp,
-        };
-      }
-
-      return decoded as TokenPayload;
-    } catch {
-      // Try Arc's custom JWT format (base64 encoded, custom signature)
-      try {
-        const parts = token.split(".");
-        if (parts.length !== 3) return null;
-
-        const payload = JSON.parse(atob(parts[1]));
-
-        // TODO: Verify signature with context's token secret
-        // For now, just decode and trust (signature verification should be added)
-
-        return {
-          tokenType: payload.tokenName,
-          params: payload.params || {},
-          iat: payload.iat,
-          exp: payload.exp,
-        };
-      } catch {
-        return null;
-      }
-    }
-  }
-
-  /**
-   * Handle WebSocket message
-   */
-  private async handleMessage(
-    ws: ServerWebSocket<WebSocketData>,
-    message: ClientToHostMessage,
-  ): Promise<void> {
-    const client = this.connectionManager.getClientByWs(ws);
-    if (!client) {
-      this.sendError(ws, "Client not found");
-      return;
-    }
-
-    switch (message.type) {
-      case "sync-events":
-        await this.handleSyncEvents(client.id, message, client.token);
-        break;
-
-      case "request-sync":
-        await this.handleRequestSync(client.id, message, client.token);
-        break;
-
-      case "execute-command":
-        await this.handleExecuteCommand(client.id, message, client.rawToken);
-        break;
-
-      default:
-        this.sendError(ws, `Unknown message type: ${(message as any).type}`);
-    }
-  }
-
-  /**
-   * Handle sync-events message
-   */
-  private async handleSyncEvents(
-    clientId: string,
-    message: Extract<ClientToHostMessage, { type: "sync-events" }>,
-    token: TokenPayload | null,
-  ): Promise<void> {
-    // Persist events
-    const persistedEvents = await this.contextHandler.persistEvents(
-      message.events,
-      clientId,
-      token,
-    );
-
-    if (persistedEvents.length === 0) {
-      return;
-    }
-
-    // Broadcast to other authorized clients
-    const clients = this.connectionManager.getAllClients();
-
-    for (const client of clients) {
-      if (client.id === clientId) continue;
-
-      // Filter events for this client's token
-      const authorizedEvents = filterEventsForToken(
-        client.token,
-        persistedEvents,
-        this.contextHandler.getEventDefinitions(),
-      );
-
-      if (authorizedEvents.length > 0) {
-        this.connectionManager.sendToClient(client.id, {
-          type: "events",
-          events: authorizedEvents,
-        });
-      }
-    }
-
-    // Update sender's last synced ID
-    const lastEvent = persistedEvents[persistedEvents.length - 1];
-    this.connectionManager.updateLastSyncedEventId(clientId, lastEvent.hostId);
-
-    // Confirm sync to sender
-    this.connectionManager.sendToClient(clientId, {
-      type: "sync-complete",
-      lastHostEventId: lastEvent.hostId,
-    });
-  }
-
-  /**
-   * Handle request-sync message (initial sync or catch-up)
-   */
-  private async handleRequestSync(
-    clientId: string,
-    message: Extract<ClientToHostMessage, { type: "request-sync" }>,
-    token: TokenPayload | null,
-  ): Promise<void> {
-    const events = await this.contextHandler.getEventsSince(
-      message.lastHostEventId,
-      token,
-    );
-
-    this.connectionManager.sendToClient(clientId, {
-      type: "events",
-      events,
-    });
-
-    if (events.length > 0) {
-      const lastEvent = events[events.length - 1];
-      this.connectionManager.updateLastSyncedEventId(
-        clientId,
-        lastEvent.hostId,
-      );
-
-      this.connectionManager.sendToClient(clientId, {
-        type: "sync-complete",
-        lastHostEventId: lastEvent.hostId,
-      });
-    } else {
-      this.connectionManager.sendToClient(clientId, {
-        type: "sync-complete",
-        lastHostEventId: message.lastHostEventId || "",
-      });
-    }
-  }
-
-  /**
-   * Handle execute-command message
-   */
-  private async handleExecuteCommand(
-    clientId: string,
-    message: Extract<ClientToHostMessage, { type: "execute-command" }>,
-    rawToken: string | null,
-  ): Promise<void> {
-    try {
-      const result = await this.contextHandler.executeCommand(
-        message.commandName,
-        message.params,
-        rawToken,
-      );
-
-      this.connectionManager.sendToClient(clientId, {
-        type: "command-result",
-        requestId: message.requestId,
-        result,
-      });
-    } catch (error) {
-      this.connectionManager.sendToClient(clientId, {
-        type: "command-result",
-        requestId: message.requestId,
-        error: (error as Error).message,
-      });
-    }
-  }
-
-  /**
-   * Send error to WebSocket
-   */
-  private sendError(ws: ServerWebSocket<WebSocketData>, message: string): void {
-    ws.send(JSON.stringify({ type: "error", message } as HostToClientMessage));
-  }
-
-  /**
-   * Setup Bun server
-   */
-  private setupServer(): void {
-    const self = this;
-
-    this.server = Bun.serve<WebSocketData>({
-      port: this.port,
-      idleTimeout: 255,
-
-      fetch(req, server) {
-        const url = new URL(req.url);
-
-        // CORS headers
-        const corsHeaders = {
-          "Access-Control-Allow-Origin": "*",
-          "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
-          "Access-Control-Allow-Headers": "Content-Type, Authorization",
-        };
-
-        // Handle preflight
-        if (req.method === "OPTIONS") {
-          return new Response(null, { headers: corsHeaders });
-        }
-
-        // Extract token
-        const authHeader = req.headers.get("Authorization");
-        const token =
-          authHeader?.replace("Bearer ", "") || url.searchParams.get("token");
-
-        // Verify token
-        let tokenPayload: TokenPayload | null = null;
-        if (token) {
-          tokenPayload = self.verifyToken(token);
-        }
-
-        // WebSocket upgrade for /ws
-        if (
-          url.pathname === "/ws" &&
-          req.headers.get("Upgrade") === "websocket"
-        ) {
-          // Pass token to WebSocket data
-          if (
-            server.upgrade(req, {
-              data: {
-                clientId: "",
-                token: tokenPayload,
-                rawToken: token,
-              },
-            })
-          ) {
-            // Connection will be set up in websocket.open
-            return undefined;
-          }
-          return new Response("WebSocket upgrade failed", {
-            status: 500,
-            headers: corsHeaders,
-          });
-        }
-
-        // Health check
-        if (url.pathname === "/health") {
-          return new Response(
-            JSON.stringify({
-              status: "ok",
-              clients: self.connectionManager.clientCount,
-            }),
-            {
-              headers: { ...corsHeaders, "Content-Type": "application/json" },
-            },
-          );
-        }
-
-        // HTTP command endpoint: POST /command/:commandName
-        if (url.pathname.startsWith("/command/") && req.method === "POST") {
-          return self.handleHttpCommand(req, url, corsHeaders, token);
-        }
-
-        // HTTP query endpoint: POST /query/:viewName
-        if (url.pathname.startsWith("/query/") && req.method === "POST") {
-          return self.handleHttpQuery(
-            req,
-            url,
-            tokenPayload,
-            corsHeaders,
-            token,
-          );
-        }
-
-        // SSE stream endpoint: GET /stream/:viewName
-        if (url.pathname.startsWith("/stream/") && req.method === "GET") {
-          return self.handleHttpStream(
-            req,
-            url,
-            tokenPayload,
-            corsHeaders,
-            token,
-          );
-        }
-
-        // HTTP event sync endpoint: POST /sync/events
-        if (url.pathname === "/sync/events" && req.method === "POST") {
-          return self.handleHttpEventSync(req, tokenPayload, corsHeaders);
-        }
-
-        // Route endpoints: /route/*
-        if (url.pathname.startsWith("/route/")) {
-          return self.handleHttpRoute(
-            req,
-            url,
-            tokenPayload,
-            corsHeaders,
-            token,
-          );
-        }
-
-        return new Response("Not Found", { status: 404, headers: corsHeaders });
-      },
-
-      websocket: {
-        open(ws) {
-          // Get token from upgrade data
-          const tokenPayload = ws.data?.token || null;
-          const rawToken = ws.data?.rawToken || null;
-
-          // Add client to connection manager
-          const client = self.connectionManager.addClient(
-            ws,
-            tokenPayload,
-            rawToken,
-          );
-
-          console.log(`Client connected: ${client.id}`);
-        },
-
-        message(ws, messageStr) {
-          try {
-            const message = JSON.parse(
-              messageStr as string,
-            ) as ClientToHostMessage;
-            self.handleMessage(ws, message);
-          } catch (error) {
-            console.error("Failed to parse message:", error);
-            self.sendError(ws, "Invalid message format");
-          }
-        },
-
-        close(ws) {
-          const client = self.connectionManager.getClientByWs(ws);
-          if (client) {
-            console.log(`Client disconnected: ${client.id}`);
-            self.connectionManager.removeClient(client.id);
-          }
-        },
-      },
-    });
-
-    console.log(`✅ Arc Host running on http://localhost:${this.port}`);
-  }
-
-  /**
-   * Handle HTTP command request
-   * Supports both JSON and FormData (for file uploads)
-   */
-  private async handleHttpCommand(
-    req: Request,
-    url: URL,
-    corsHeaders: Record<string, string>,
-    rawToken: string | null,
-  ): Promise<Response> {
-    const commandName = url.pathname.split("/command/")[1];
-    if (!commandName) {
-      return new Response("Invalid command path", {
-        status: 400,
-        headers: corsHeaders,
-      });
-    }
-
-    try {
-      const params = await this.parseCommandParams(req);
-      const result = await this.contextHandler.executeCommand(
-        commandName,
-        params,
-        rawToken,
-      );
-
-      return new Response(JSON.stringify(result ?? { success: true }), {
-        headers: { ...corsHeaders, "Content-Type": "application/json" },
-      });
-    } catch (error) {
-      console.error(`[ARC HTTP] Command '${commandName}' error:`, error);
-      if (error instanceof Error && error.stack) {
-        console.error(`[ARC HTTP] Stack trace:`, error.stack);
-      }
-      return new Response(JSON.stringify({ error: (error as Error).message }), {
-        status: 500,
-        headers: { ...corsHeaders, "Content-Type": "application/json" },
-      });
-    }
-  }
-
-  /**
-   * Parse command parameters from request body
-   * Handles both JSON and FormData (multipart/form-data for file uploads)
-   */
-  private async parseCommandParams(req: Request): Promise<any> {
-    const contentType = req.headers.get("Content-Type") || "";
-
-    if (contentType.includes("multipart/form-data")) {
-      // Parse FormData - files stay as File objects, other values are JSON-parsed
-      const formData = await req.formData();
-      const params: Record<string, any> = {};
-
-      for (const [key, value] of formData.entries()) {
-        if (
-          typeof value === "object" &&
-          value !== null &&
-          "name" in value &&
-          "size" in value
-        ) {
-          // Keep File objects as-is
-          params[key] = value;
-        } else {
-          // Try to parse as JSON (non-file values are JSON-stringified by client)
-          try {
-            params[key] = JSON.parse(value as string);
-          } catch {
-            // If not valid JSON, use as plain string
-            params[key] = value;
-          }
-        }
-      }
-
-      return params;
-    }
-
-    // Default: parse as JSON
-    return await req.json();
-  }
-
-  /**
-   * Handle HTTP query request
-   * Uses view.queryContext() to apply protections consistently with liveQuery
-   */
-  private async handleHttpQuery(
-    req: Request,
-    url: URL,
-    _token: TokenPayload | null,
-    corsHeaders: Record<string, string>,
-    rawToken: string | null,
-  ): Promise<Response> {
-    const viewName = url.pathname.split("/query/")[1];
-    if (!viewName) {
-      return new Response("Invalid query path", {
-        status: 400,
-        headers: corsHeaders,
-      });
-    }
-
-    try {
-      const params = await req.json();
-
-      // Get view element
-      const viewElement = this.contextHandler
-        .getModel()
-        .context.get(viewName) as any;
-
-      if (!viewElement || !viewElement.queryContext) {
-        return new Response(JSON.stringify({ error: "View not found" }), {
-          status: 404,
-          headers: { ...corsHeaders, "Content-Type": "application/json" },
-        });
-      }
-
-      // Set auth token so view.queryContext() can apply protections
-      this.contextHandler.setAuthToken(rawToken);
-
-      // Use view's queryContext which applies protections automatically
-      const model = this.contextHandler.getModel();
-      const adapters = model.getAdapters();
-      const queryCtx = viewElement.queryContext(adapters);
-
-      // Execute query through view's queryContext (protections applied)
-      const result = await queryCtx.find(params);
-
-      return new Response(JSON.stringify(result), {
-        headers: { ...corsHeaders, "Content-Type": "application/json" },
-      });
-    } catch (error) {
-      return new Response(JSON.stringify({ error: (error as Error).message }), {
-        status: 500,
-        headers: { ...corsHeaders, "Content-Type": "application/json" },
-      });
-    }
-  }
-
-  /**
-   * Handle HTTP stream (SSE) request for live queries
-   */
-  private handleHttpStream(
-    _req: Request,
-    url: URL,
-    token: TokenPayload | null,
-    corsHeaders: Record<string, string>,
-    rawToken: string | null,
-  ): Response {
-    const viewName = url.pathname.split("/stream/")[1];
-    if (!viewName) {
-      return new Response("Invalid stream path", {
-        status: 400,
-        headers: corsHeaders,
-      });
-    }
-
-    // Parse query options from URL params
-    const findOptions: any = {};
-    const whereParam = url.searchParams.get("where");
-    if (whereParam) {
-      try {
-        findOptions.where = JSON.parse(whereParam);
-      } catch {
-        return new Response("Invalid 'where' parameter", {
-          status: 400,
-          headers: corsHeaders,
-        });
-      }
-    }
-
-    const orderByParam = url.searchParams.get("orderBy");
-    if (orderByParam) {
-      try {
-        findOptions.orderBy = JSON.parse(orderByParam);
-      } catch {
-        return new Response("Invalid 'orderBy' parameter", {
-          status: 400,
-          headers: corsHeaders,
-        });
-      }
-    }
-
-    const limitParam = url.searchParams.get("limit");
-    if (limitParam) {
-      findOptions.limit = parseInt(limitParam, 10);
-    }
-
-    // Create SSE stream
-    const streamId = `stream_${++this.streamIdCounter}_${Date.now()}`;
-    const self = this;
-
-    const stream = new ReadableStream<Uint8Array>({
-      start(controller) {
-        // Set up live query
-        const model = self.contextHandler.getModel();
-
-        // Set the token on the auth adapter so view protection is applied
-        self.contextHandler.setAuthToken(rawToken);
-
-        const { unsubscribe } = liveQuery(
-          model,
-          async (q: any) => {
-            const view = q[viewName];
-            if (!view) {
-              throw new Error(`View '${viewName}' not found`);
-            }
-            return view.find(findOptions);
-          },
-          (data: any[]) => {
-            // Send SSE event
-            const event = `data: ${JSON.stringify({ type: "data", data })}\n\n`;
-            try {
-              controller.enqueue(new TextEncoder().encode(event));
-            } catch {
-              // Stream closed
-              unsubscribe();
-            }
-          },
-        );
-
-        // Store connection for cleanup
-        self.streamConnections.set(streamId, {
-          id: streamId,
-          controller,
-          unsubscribe,
-        });
-
-        // Send initial connection event
-        const connectEvent = `data: ${JSON.stringify({ type: "connected", streamId })}\n\n`;
-        controller.enqueue(new TextEncoder().encode(connectEvent));
-      },
-
-      cancel() {
-        // Clean up on client disconnect
-        const conn = self.streamConnections.get(streamId);
-        if (conn) {
-          conn.unsubscribe();
-          self.streamConnections.delete(streamId);
-        }
-      },
-    });
-
-    return new Response(stream, {
-      headers: {
-        ...corsHeaders,
-        "Content-Type": "text/event-stream",
-        "Cache-Control": "no-cache",
-        Connection: "keep-alive",
-      },
-    });
-  }
-
-  /**
-   * Handle HTTP event sync request
-   */
-  private async handleHttpEventSync(
-    req: Request,
-    token: TokenPayload | null,
-    corsHeaders: Record<string, string>,
-  ): Promise<Response> {
-    try {
-      const body = await req.json();
-      const events = body.events || [];
-
-      // Persist events via context handler
-      const persistedEvents = await this.contextHandler.persistEvents(
-        events.map((e: any) => ({
-          localId: e.localId,
-          type: e.type,
-          payload: e.payload,
-          createdAt: e.createdAt,
-        })),
-        "http-sync",
-        token,
-      );
-
-      return new Response(
-        JSON.stringify({
-          success: true,
-          syncedIds: persistedEvents.map((e) => e.localId),
-        }),
-        {
-          headers: { ...corsHeaders, "Content-Type": "application/json" },
-        },
-      );
-    } catch (error) {
-      return new Response(
-        JSON.stringify({
-          success: false,
-          error: (error as Error).message,
-        }),
-        {
-          status: 500,
-          headers: { ...corsHeaders, "Content-Type": "application/json" },
-        },
-      );
-    }
-  }
-
-  /**
-   * Handle HTTP route request
-   * Matches path against registered routes and executes handler
-   */
-  private async handleHttpRoute(
-    req: Request,
-    url: URL,
-    tokenPayload: TokenPayload | null,
-    corsHeaders: Record<string, string>,
-    rawToken: string | null,
-  ): Promise<Response> {
-    const method = req.method as "GET" | "POST" | "PUT" | "DELETE" | "PATCH";
-
-    // Find matching route in context
-    const context = this.contextHandler.getModel().context;
-    let matchedRoute: ArcRouteAny | null = null;
-    let routeParams: Record<string, string> = {};
-
-    for (const element of context.elements) {
-      // Check if element is a route (has matchesPath method)
-      if (element && typeof (element as any).matchesPath === "function") {
-        const route = element as ArcRouteAny;
-        const match = route.matchesPath(url.pathname);
-        if (match.matches) {
-          matchedRoute = route;
-          routeParams = match.params;
-          break;
-        }
-      }
-    }
-
-    if (!matchedRoute) {
-      return new Response(JSON.stringify({ error: "Route not found" }), {
-        status: 404,
-        headers: { ...corsHeaders, "Content-Type": "application/json" },
-      });
-    }
-
-    // Get handler for this method
-    const handler = matchedRoute.getHandler(method);
-    if (!handler) {
-      return new Response(
-        JSON.stringify({ error: `Method ${method} not allowed` }),
-        {
-          status: 405,
-          headers: { ...corsHeaders, "Content-Type": "application/json" },
-        },
-      );
-    }
-
-    // Check protection
-    if (!matchedRoute.isPublic && matchedRoute.hasProtections) {
-      if (!tokenPayload) {
-        return new Response(JSON.stringify({ error: "Unauthorized" }), {
-          status: 401,
-          headers: { ...corsHeaders, "Content-Type": "application/json" },
-        });
-      }
-
-      // Set auth token for protection check
-      this.contextHandler.setAuthToken(rawToken);
-
-      // Check if token type matches any protection
-      let isAuthorized = false;
-      for (const protection of matchedRoute.protections) {
-        if (protection.token.name === tokenPayload.tokenType) {
-          // Create a mock token instance for the check
-          const mockTokenInstance = {
-            params: tokenPayload.params,
-            getTokenDefinition: () => protection.token,
-          };
-          const allowed = await protection.check(mockTokenInstance as any);
-          if (allowed) {
-            isAuthorized = true;
-            break;
-          }
-        }
-      }
-
-      if (!isAuthorized) {
-        return new Response(JSON.stringify({ error: "Forbidden" }), {
-          status: 403,
-          headers: { ...corsHeaders, "Content-Type": "application/json" },
-        });
-      }
-    } else if (!matchedRoute.isPublic && !matchedRoute.hasProtections) {
-      // Route is not public and has no protections - require any valid token
-      if (!tokenPayload) {
-        return new Response(JSON.stringify({ error: "Unauthorized" }), {
-          status: 401,
-          headers: { ...corsHeaders, "Content-Type": "application/json" },
-        });
-      }
-    }
-
-    // Build route context
-    this.contextHandler.setAuthToken(rawToken);
-    const model = this.contextHandler.getModel();
-    const adapters = model.getAdapters();
-
-    const authParams = tokenPayload
-      ? { params: tokenPayload.params, tokenName: tokenPayload.tokenType }
-      : undefined;
-
-    const routeContext = matchedRoute.buildContext(adapters, authParams);
-
-    try {
-      // Execute handler
-      const response = await handler(routeContext, req, routeParams, url);
-
-      // Add CORS headers to response
-      const newHeaders = new Headers(response.headers);
-      for (const [key, value] of Object.entries(corsHeaders)) {
-        newHeaders.set(key, value);
-      }
-
-      return new Response(response.body, {
-        status: response.status,
-        statusText: response.statusText,
-        headers: newHeaders,
-      });
-    } catch (error) {
-      return new Response(JSON.stringify({ error: (error as Error).message }), {
-        status: 500,
-        headers: { ...corsHeaders, "Content-Type": "application/json" },
-      });
-    }
-  }
-
-  /**
-   * Stop the server
-   */
-  stop(): void {
-    // Clean up all stream connections
-    for (const conn of this.streamConnections.values()) {
-      conn.unsubscribe();
-    }
-    this.streamConnections.clear();
-
-    this.server?.stop();
-  }
-}