@blamejs/blamejs-shop 0.0.44

package/lib/vendor/blamejs/lib/middleware/request-log.js

@@ -0,0 +1,205 @@
+"use strict";
+/**
+ * request-log — HTTP access-log middleware. Captures method, path,
+ * status, duration, response bytes, requestId, actor IP, user-agent
+ * and emits one structured log entry per request via b.log.
+ *
+ *   router.use(b.middleware.requestLog({
+ *     logger:        b.log.boot("http"),     // any b.log instance
+ *     skipPaths:     ["/healthz", /^\/static/],
+ *     trustProxy:    true,                   // honors X-Forwarded-For
+ *     levelFn:       function (status) {     // default: 5xx=error, 4xx=warn, else info
+ *       return status >= 500 ? "error" : status >= 400 ? "warn" : "info";
+ *     },
+ *     fields:        ["method", "path", "status", "durationMs",
+ *                     "actorIp", "userAgent", "requestId", "bytes"],
+ *   }));
+ *
+ * The middleware adopts `b.requestHelpers.captureResponseStatus` to
+ * read the final status reliably (handlers that call `res.writeHead`
+ * vs `res.statusCode = ...` vs `res.status(...).send(...)` all work).
+ *
+ * trustProxy gates X-Forwarded-For consumption — same boundary as the
+ * rest of the framework. Default false; operators behind a sanitizing
+ * reverse proxy opt in.
+ *
+ * Emits at log-level keyed off response status by default. Operators
+ * who want one-level-fits-all pass a static string for `level` (e.g.
+ * "debug" to keep access logs out of production stdout) or a function
+ * for fully custom logic (e.g. "warn" only on slow-path requests).
+ */
+var C = require("../constants");
+var requestHelpers = require("../request-helpers");
+var validateOpts = require("../validate-opts");
+
+var DEFAULT_FIELDS = [
+  "method", "path", "status", "durationMs", "bytes",
+  "actorIp", "userAgent", "requestId",
+];
+
+function _defaultLevel(status) {
+  if (status >= 500) return "error";
+  if (status >= 400) return "warn";
+  return "info";
+}
+
+/**
+ * @primitive b.middleware.requestLog
+ * @signature b.middleware.requestLog(req, res, next)
+ * @since     0.1.0
+ * @related   b.middleware.requestId, b.middleware.traceLogCorrelation
+ *
+ * HTTP access-log middleware. Constructed via
+ * `b.middleware.requestLog(opts)`; the resulting middleware has the
+ * `(req, res, next)` shape shown above. Emits one structured log entry per
+ * request via the operator-supplied `b.log` instance, capturing
+ * method / path / status / durationMs / bytes / actorIp / userAgent
+ * / requestId. Reads the final status via
+ * `b.requestHelpers.captureResponseStatus` so handlers using any
+ * shape (`writeHead` / `statusCode =` / fluent `status(...).send`)
+ * report correctly. `levelFn(status)` defaults to 5xx=error,
+ * 4xx=warn, else info; pass a string `level` or custom function for
+ * different policies. `trustProxy` gates `X-Forwarded-For`
+ * consumption.
+ *
+ * @opts
+ *   {
+ *     logger:     object,                       // required b.log instance
+ *     skipPaths:  Array<string|RegExp>,
+ *     trustProxy: boolean|number,
+ *     level:      string,
+ *     levelFn:    function(status): string,
+ *     fields:     string[],
+ *   }
+ *
+ * @example
+ *   var b = require("@blamejs/core");
+ *   var app = b.router.create();
+ *   app.use(b.middleware.requestLog({
+ *     logger:    b.log.boot("http"),
+ *     skipPaths: ["/healthz"],
+ *   }));
+ */
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "logger", "skipPaths", "trustProxy", "level", "levelFn", "fields",
+  ], "middleware.requestLog");
+  var logger = opts.logger;
+  if (!logger || typeof logger.info !== "function") {
+    throw new Error("middleware.requestLog: opts.logger must be a b.log instance " +
+      "(call b.log.boot(...) or b.log.create({...}))");
+  }
+  var skipPaths = Array.isArray(opts.skipPaths) ? opts.skipPaths.slice() : [];
+  for (var i = 0; i < skipPaths.length; i++) {
+    if (typeof skipPaths[i] !== "string" && !(skipPaths[i] instanceof RegExp)) {
+      throw new Error("middleware.requestLog: skipPaths[" + i + "] must be a string prefix or RegExp");
+    }
+  }
+  var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
+    ? opts.trustProxy : false;
+  var levelFn;
+  if (typeof opts.levelFn === "function") {
+    levelFn = opts.levelFn;
+  } else if (typeof opts.level === "string") {
+    var fixedLevel = opts.level;
+    levelFn = function () { return fixedLevel; };
+  } else {
+    levelFn = _defaultLevel;
+  }
+  var fields = Array.isArray(opts.fields) && opts.fields.length > 0
+    ? opts.fields.slice()
+    : DEFAULT_FIELDS;
+
+  function _shouldSkip(req) {
+    var path = req.pathname || (req.url || "").split("?")[0];
+    for (var i = 0; i < skipPaths.length; i++) {
+      var entry = skipPaths[i];
+      if (typeof entry === "string") { if (path.indexOf(entry) === 0) return true; }
+      else if (entry.test(path)) return true;
+    }
+    return false;
+  }
+
+  return function requestLog(req, res, next) {
+    if (_shouldSkip(req)) return next();
+    var startedAt = process.hrtime ? process.hrtime() : null;
+    var startedMs = Date.now();
+    var bytes = 0;
+    var statusFromWriteHead = null;
+    var emitted = false;
+
+    // Tally bytes off res.write / res.end and read the final status
+    // when end fires. Inlined here (rather than composing
+    // captureResponseStatus + a separate byte-counter) so the log
+    // entry sees the fully-populated bytes counter — wrap order
+    // matters: bytes must be incremented BEFORE the log emit.
+    var origWrite     = res.write;
+    var origEnd       = res.end;
+    var origWriteHead = res.writeHead;
+    res.writeHead = function (s) {
+      statusFromWriteHead = s;
+      return origWriteHead.apply(res, arguments);
+    };
+    res.write = function (chunk, enc, cb) {
+      if (chunk != null) {
+        var len = Buffer.isBuffer(chunk) ? chunk.length : Buffer.byteLength(String(chunk), enc || "utf8");
+        bytes += len;
+      }
+      return origWrite.call(res, chunk, enc, cb);
+    };
+    res.end = function (chunk, enc, cb) {
+      if (chunk != null) {
+        var len = Buffer.isBuffer(chunk) ? chunk.length : Buffer.byteLength(String(chunk), enc || "utf8");
+        bytes += len;
+      }
+      _emit();
+      return origEnd.call(res, chunk, enc, cb);
+    };
+
+    function _emit() {
+      if (emitted) return;
+      emitted = true;
+      var statusCode = statusFromWriteHead != null
+        ? statusFromWriteHead
+        : (typeof res.statusCode === "number" ? res.statusCode : requestHelpers.HTTP_STATUS.OK);
+      var durationMs;
+      if (startedAt && process.hrtime) {
+        var d = process.hrtime(startedAt);
+        durationMs = C.TIME.seconds(d[0]) + (d[1] / 1e6);
+      } else {
+        durationMs = Date.now() - startedMs;
+      }
+      var entry = {};
+      var actor = requestHelpers.extractActorContext(req, {
+        ip: requestHelpers.clientIp(req, { trustProxy: trustProxy }),
+      });
+      var src = {
+        method:     req.method,
+        path:       req.pathname || (req.url || "").split("?")[0],
+        status:     statusCode,
+        durationMs: Math.round(durationMs * 100) / 100,
+        bytes:      bytes,
+        actorIp:    actor.ip,
+        userAgent:  actor.userAgent,
+        requestId:  actor.requestId,
+        sessionId:  actor.sessionId,
+        userId:     actor.userId,
+        route:      actor.route,
+      };
+      for (var fi = 0; fi < fields.length; fi++) {
+        var f = fields[fi];
+        if (Object.prototype.hasOwnProperty.call(src, f)) entry[f] = src[f];
+      }
+      var level = levelFn(statusCode, req, res);
+      var fn = typeof logger[level] === "function" ? logger[level] : logger.info;
+      try { fn.call(logger, "http", entry); } catch (_e) { /* never let log-emit failure crash the response */ }
+    }
+
+    return next();
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/vendor/blamejs/lib/middleware/require-aal.js

@@ -0,0 +1,138 @@
+"use strict";
+/**
+ * require-aal middleware — gate routes by NIST SP 800-63-4 AAL band.
+ *
+ *   var stepUp = b.middleware.requireAal({ minimum: "AAL2" });
+ *   router.use("/admin", stepUp);
+ *
+ * Reads the AAL band from `req.user.aal` by default. Operators with a
+ * different shape pass `getAal(req)` returning the band string.
+ *
+ * On failure the middleware writes 401 with
+ * `WWW-Authenticate: AAL-StepUp realm="<X>", required="<minimum>"`
+ * — the bespoke scheme name signals to the operator's frontend that a
+ * step-up flow should be triggered (re-prompt for TOTP / passkey).
+ *
+ * Audit:
+ *   auth.aal.granted — request passed (carries the actual band)
+ *   auth.aal.denied  — request below the required minimum
+ */
+
+var lazyRequire = require("../lazy-require");
+var requestHelpers = require("../request-helpers");
+var validateOpts = require("../validate-opts");
+var { AuthError } = require("../framework-error");
+
+var aal = lazyRequire(function () { return require("../auth/aal"); });
+var audit = lazyRequire(function () { return require("../audit"); });
+
+function _writeUnauthorized(res, requiredBand, actualBand, realm) {
+  if (res.headersSent) return;
+  var body = JSON.stringify({
+    error:             "step_up_required",
+    error_description: "AAL " + requiredBand + " is required for this resource",
+    required_aal:      requiredBand,
+    actual_aal:        actualBand || null,
+  });
+  var realmStr = realm ? ' realm="' + realm + '"' : "";
+  var challenge = "AAL-StepUp" + realmStr + ', required="' + requiredBand + '"';
+  res.writeHead(401, {                                                             // allow:raw-byte-literal — HTTP 401 status
+    "Content-Type":     "application/json; charset=utf-8",
+    "Content-Length":   Buffer.byteLength(body),
+    "WWW-Authenticate": challenge,
+    // RFC 9111 §5.2.2.5 — auth-gated 401 must not be cached.
+    "Cache-Control":    "no-store",
+  });
+  res.end(body);
+}
+
+/**
+ * @primitive b.middleware.requireAal
+ * @signature b.middleware.requireAal(opts)
+ * @since     0.1.0
+ * @related   b.middleware.requireStepUp, b.middleware.requireAuth
+ *
+ * Gates routes by NIST SP 800-63-4 Authenticator Assurance Level
+ * (AAL1 / AAL2 / AAL3). Reads the actual band from `req.user.aal`
+ * by default; operators with a different shape pass `getAal(req)`.
+ * Refuses below-minimum requests with HTTP 401 +
+ * `WWW-Authenticate: AAL-StepUp realm="<X>", required="<minimum>"`
+ * — the bespoke scheme name signals the frontend to trigger a
+ * step-up flow (re-prompt for TOTP / passkey). Throws at create()
+ * on an invalid `minimum` band. Emits `auth.aal.granted` /
+ * `auth.aal.denied` audit events.
+ *
+ * @opts
+ *   {
+ *     minimum: "AAL1"|"AAL2"|"AAL3",   // required
+ *     getAal:  function(req): string,
+ *     realm:   string,
+ *     audit:   boolean,                // default true
+ *   }
+ *
+ * @example
+ *   var b = require("@blamejs/core");
+ *   var app = b.router.create();
+ *   app.use("/admin", b.middleware.requireAal({ minimum: "AAL2" }));
+ */
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "minimum", "getAal", "audit", "realm",
+  ], "middleware.requireAal");
+
+  var minimum = opts.minimum;
+  if (!aal().isValidBand(minimum)) {
+    throw new AuthError("auth-aal/bad-minimum",
+      "middleware.requireAal: opts.minimum must be one of " +
+      aal().BANDS.join(", ") + " (got " + JSON.stringify(minimum) + ")");
+  }
+  validateOpts.optionalFunction(opts.getAal,
+    "middleware.requireAal: getAal", AuthError, "auth-aal/bad-opt");
+
+  var auditOn = opts.audit !== false;
+  var realm = (typeof opts.realm === "string" && opts.realm.length > 0) ? opts.realm : null;
+
+  return function requireAalMiddleware(req, res, next) {
+    var actual = null;
+    if (typeof opts.getAal === "function") {
+      try { actual = opts.getAal(req); } catch (_e) { actual = null; }
+    } else if (req.user && typeof req.user.aal === "string") {
+      actual = req.user.aal;
+    }
+
+    if (!aal().meets(actual, minimum)) {
+      if (auditOn) {
+        try {
+          audit().safeEmit({
+            action:  "auth.aal.denied",
+            actor:   { clientIp: requestHelpers.clientIp(req), userId: req.user && req.user.id },
+            outcome: "denied",
+            metadata: {
+              required: minimum,
+              actual:   actual || null,
+              route:    req.url,
+            },
+          });
+        } catch (_ignored) { /* drop-silent */ }
+      }
+      return _writeUnauthorized(res, minimum, actual, realm);
+    }
+
+    if (auditOn) {
+      try {
+        audit().safeEmit({
+          action:  "auth.aal.granted",
+          actor:   { clientIp: requestHelpers.clientIp(req), userId: req.user && req.user.id },
+          outcome: "success",
+          metadata: { aal: actual, required: minimum, route: req.url },
+        });
+      } catch (_ignored) { /* drop-silent */ }
+    }
+    return next();
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/vendor/blamejs/lib/middleware/require-auth.js

@@ -0,0 +1,144 @@
+"use strict";
+/**
+ * require-auth middleware — gates routes that require an authenticated
+ * user. Mount AFTER attachUser; this middleware reads `req.user` and
+ * either lets the request through or rejects it.
+ *
+ * Rejection shape:
+ *   - JSON-preferring caller (Accept includes application/json, or
+ *     X-Requested-With: XMLHttpRequest):
+ *     401 application/json with { error: "Authentication required." }
+ *   - Browser-preferring caller, when opts.redirectTo is set:
+ *     302 with Location header
+ *   - Otherwise:
+ *     401 text/plain
+ *
+ * Note: the Content-Type of the REQUEST is intentionally NOT a signal.
+ * A server-to-server POST with `Content-Type: application/json` and no
+ * `Accept` header should get the same response shape as any other
+ * unauthenticated request — Content-Type describes what the client
+ * SENT, not what they want back. Operators with a non-default
+ * preference contract supply opts.prefersJson.
+ *
+ * Always emits `auth.required.denied` audit event on rejection (when
+ * opts.audit !== false). The event records request method + path +
+ * client IP — keys-only, no body content.
+ *
+ * Options:
+ *   {
+ *     redirectTo:    null         (optional URL for browser redirects;
+ *                                   when set, prefersJson()=false rejections
+ *                                   produce 302 instead of 401 text/plain)
+ *     prefersJson:   function     (optional override; defaults to checking
+ *                                   Accept / X-Requested-With / Content-Type)
+ *     errorMessage:  'Authentication required.'
+ *     audit:         true         (emit auth.required.denied on reject)
+ *   }
+ */
+var lazyRequire = require("../lazy-require");
+var requestHelpers = require("../request-helpers");
+var validateOpts = require("../validate-opts");
+var audit = lazyRequire(function () { return require("../audit"); });
+
+function _defaultPrefersJson(req) {
+  var h = req.headers || {};
+  if (typeof h.accept === "string" && h.accept.indexOf("application/json") !== -1) return true;
+  if (h["x-requested-with"] === "XMLHttpRequest") return true;
+  return false;
+}
+
+/**
+ * @primitive b.middleware.requireAuth
+ * @signature b.middleware.requireAuth(req, res, next)
+ * @since     0.1.0
+ * @related   b.middleware.attachUser, b.middleware.bearerAuth, b.middleware.requireAal
+ *
+ * Gates routes that require an authenticated user. Constructed via
+ * `b.middleware.requireAuth(opts)`; the resulting middleware has
+ * the `(req, res, next)` shape shown above. Mount AFTER
+ * `attachUser`; this middleware reads `req.user` and either passes
+ * the request or rejects. JSON-preferring callers (Accept includes
+ * `application/json` or `X-Requested-With: XMLHttpRequest`) get 401
+ * `application/json`; browser-preferring with `redirectTo` get 302
+ * Location; otherwise 401 `text/plain`. The REQUEST Content-Type
+ * is intentionally NOT a signal — what the client SENT is not
+ * what they want BACK. Always emits `auth.required.denied` audit
+ * (method + path + client IP, no body content).
+ *
+ * @opts
+ *   {
+ *     redirectTo:   string,                            // 302 location for browser
+ *     prefersJson:  function(req): boolean,
+ *     errorMessage: string,                            // default "Authentication required."
+ *     audit:        boolean,                           // default true
+ *   }
+ *
+ * @example
+ *   var b = require("@blamejs/core");
+ *   var app = b.router.create();
+ *   app.use(b.middleware.attachUser({ userLoader: async function () { return { id: 1 }; } }));
+ *   app.use(b.middleware.requireAuth({ redirectTo: "/login" }));
+ */
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "redirectTo", "prefersJson", "errorMessage", "audit",
+  ], "middleware.requireAuth");
+  var redirectTo  = opts.redirectTo  || null;
+  var prefersJson = typeof opts.prefersJson === "function"
+    ? opts.prefersJson
+    : _defaultPrefersJson;
+  var msg     = opts.errorMessage || "Authentication required.";
+  var auditOn = opts.audit !== false;
+
+  return function requireAuth(req, res, next) {
+    if (req.user) return next();
+
+    if (auditOn) {
+      try {
+        audit().emit({
+          action:   "auth.required.denied",
+          outcome:  "denied",
+          actor:    requestHelpers.extractActorContext(req),
+          reason:   "no authenticated user on request",
+          metadata: { method: req.method, path: req.pathname || (req.url || "").split("?")[0] },
+        });
+      } catch (_e) { /* audit best-effort */ }
+    }
+
+    // RFC 9111 §5.2.2.5 — auth-gated paths SHOULD emit
+    // Cache-Control: no-store so a shared cache (or browser
+    // back-button cache) can't replay a 401 / redirect / payload
+    // intended for an unauthenticated context to a different user.
+    // Pre-v0.8.70 the framework's auth middlewares emitted no
+    // cache directive, leaving the operator to set it themselves;
+    // forgetting it under a CDN that respects Cache-Control was
+    // a routine misconfiguration.
+    if (prefersJson(req)) {
+      if (typeof res.writeHead === "function") {
+        res.writeHead(requestHelpers.HTTP_STATUS.UNAUTHORIZED,
+          { "Content-Type": "application/json", "Cache-Control": "no-store" });
+        res.end(JSON.stringify({ error: msg }));
+      }
+      return;
+    }
+    if (redirectTo) {
+      if (typeof res.writeHead === "function") {
+        // 302 Found — RFC 7231 §6.4.3. Not in HTTP_STATUS table.
+        res.writeHead(302, { "Location": redirectTo, "Cache-Control": "no-store" });
+        res.end();
+      }
+      return;
+    }
+    if (typeof res.writeHead === "function") {
+      res.writeHead(requestHelpers.HTTP_STATUS.UNAUTHORIZED,
+        { "Content-Type": "text/plain", "Cache-Control": "no-store" });
+      res.end(msg);
+    }
+  };
+}
+
+module.exports = {
+  create:               create,
+  _defaultPrefersJson:  _defaultPrefersJson,
+};