@c15t/backend 1.2.0-canary.13 → 1.2.0-canary.2

package/src/middleware/cors/cors.test.ts

@@ -1,419 +0,0 @@
-import { setupServer } from 'msw/node';
-import { afterAll, afterEach, beforeAll, describe, expect, it } from 'vitest';
-import { c15tInstance } from '../../core';
-
-// Create MSW server instance
-const server = setupServer();
-
-// Setup and teardown
-beforeAll(() => server.listen());
-afterEach(() => server.resetHandlers());
-afterAll(() => server.close());
-
-describe('C15T CORS Configuration', () => {
-	const baseUrl = 'https://api.example.com';
-	const testEndpoint = '/show-consent-banner';
-
-	// Helper function to create a test request
-	const createTestRequest = (origin?: string, method = 'GET') => {
-		const headers: Record<string, string> = {
-			'content-type': 'application/json',
-		};
-		if (origin) {
-			headers.origin = origin;
-		}
-		return new Request(`${baseUrl}${testEndpoint}`, {
-			method,
-			headers,
-		});
-	};
-
-	// Helper function to create a test instance
-	const createTestInstance = (trustedOrigins?: string[]) => {
-		return c15tInstance({
-			trustedOrigins,
-			appName: 'Test App',
-		});
-	};
-
-	describe('Wildcard Origin Configuration', () => {
-		it('should allow any origin when trustedOrigins includes "*"', async () => {
-			const c15t = createTestInstance(['*']);
-			const request = createTestRequest('http://localhost:3002');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				'http://localhost:3002'
-			);
-		});
-
-		it('should handle requests without origin header', async () => {
-			const c15t = createTestInstance(['*']);
-			const request = createTestRequest();
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe('*');
-		});
-	});
-
-	describe('Specific Origin Configuration', () => {
-		it('should allow requests from trusted origins', async () => {
-			const c15t = createTestInstance(['http://localhost:3002']);
-			const request = createTestRequest('http://localhost:3002');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				'http://localhost:3002'
-			);
-		});
-
-		it('should deny requests from untrusted origins', async () => {
-			const c15t = createTestInstance(['http://localhost:3002']);
-			const request = createTestRequest('http://malicious-site.com');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(null);
-		});
-	});
-
-	describe('Default Configuration', () => {
-		it('should use default CORS settings when no trustedOrigins specified', async () => {
-			const c15t = createTestInstance();
-			const request = createTestRequest('http://localhost:3002');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				'http://localhost:3002'
-			);
-		});
-
-		it('should handle undefined trustedOrigins gracefully', async () => {
-			const c15t = createTestInstance(undefined);
-			const request = createTestRequest('http://localhost:3002');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				'http://localhost:3002'
-			);
-			expect(response.headers.get('Access-Control-Allow-Credentials')).toBe(
-				'true'
-			);
-		});
-	});
-
-	describe('Preflight Requests', () => {
-		it('should handle OPTIONS requests correctly', async () => {
-			const c15t = createTestInstance(['http://localhost:3002']);
-			const request = createTestRequest('http://localhost:3002', 'OPTIONS');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(204);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				'http://localhost:3002'
-			);
-			expect(response.headers.get('Access-Control-Allow-Methods')).toContain(
-				'GET'
-			);
-		});
-
-		it('should handle preflight requests with undefined trustedOrigins', async () => {
-			const c15t = createTestInstance(undefined);
-			const request = createTestRequest('http://localhost:3002', 'OPTIONS');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(204);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				'http://localhost:3002'
-			);
-			expect(response.headers.get('Access-Control-Allow-Methods')).toBe(
-				'GET, HEAD, PUT, POST, DELETE, PATCH'
-			);
-			expect(response.headers.get('Access-Control-Allow-Headers')).toBe(
-				'Content-Type, Authorization, x-request-id'
-			);
-			expect(response.headers.get('Access-Control-Max-Age')).toBe('600');
-			expect(response.headers.get('Access-Control-Allow-Credentials')).toBe(
-				'true'
-			);
-		});
-
-		it('should handle preflight requests without origin header when trustedOrigins is undefined', async () => {
-			const c15t = createTestInstance(undefined);
-			const request = createTestRequest(undefined, 'OPTIONS');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(204);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe('*');
-			expect(response.headers.get('Access-Control-Allow-Methods')).toBe(
-				'GET, HEAD, PUT, POST, DELETE, PATCH'
-			);
-			expect(response.headers.get('Access-Control-Allow-Headers')).toBe(
-				'Content-Type, Authorization, x-request-id'
-			);
-			expect(response.headers.get('Access-Control-Max-Age')).toBe('600');
-			expect(response.headers.get('Access-Control-Allow-Credentials')).toBe(
-				'true'
-			);
-		});
-	});
-
-	describe('Method Support', () => {
-		it('should support all required HTTP methods', async () => {
-			const c15t = createTestInstance(['http://localhost:3002']);
-			const methods = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'] as const;
-
-			for (const method of methods) {
-				const request = createTestRequest('http://localhost:3002', method);
-				const response = await c15t.handler(request);
-
-				// For methods other than GET, we expect 404 since we only defined GET endpoints
-				const expectedStatus = method === 'GET' ? 200 : 404;
-				expect(response.status).toBe(expectedStatus);
-			}
-		});
-	});
-
-	describe('CORS Blocking Scenarios', () => {
-		it('should block preflight requests from untrusted origins', async () => {
-			const c15t = createTestInstance(['http://localhost:3001']);
-			const request = createTestRequest('http://localhost:3002', 'OPTIONS');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(204);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(null);
-			expect(response.headers.get('Access-Control-Allow-Methods')).toBe(
-				'GET, HEAD, PUT, POST, DELETE, PATCH'
-			);
-		});
-
-		it('should block actual requests from untrusted origins', async () => {
-			const c15t = createTestInstance(['http://localhost:3001']);
-			const request = createTestRequest('http://localhost:3002', 'POST');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(404);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(null);
-			expect(response.headers.get('Access-Control-Allow-Credentials')).toBe(
-				null
-			);
-		});
-
-		it('should handle preflight requests with missing origin header', async () => {
-			const c15t = createTestInstance(['http://localhost:3001']);
-			const request = createTestRequest(undefined, 'OPTIONS');
-
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(204);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe('*');
-			expect(response.headers.get('Access-Control-Allow-Methods')).toContain(
-				'GET'
-			);
-		});
-	});
-
-	describe('CORS Header Requirements', () => {
-		it('should include all required CORS headers for preflight requests from trusted origins', async () => {
-			const c15t = createTestInstance(['http://localhost:3002']);
-			const request = createTestRequest('http://localhost:3002', 'OPTIONS');
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(204);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				'http://localhost:3002'
-			);
-			expect(response.headers.get('Access-Control-Allow-Methods')).toContain(
-				'GET'
-			);
-			expect(response.headers.get('Access-Control-Allow-Headers')).toContain(
-				'Content-Type'
-			);
-			expect(response.headers.get('Access-Control-Allow-Headers')).toContain(
-				'Authorization'
-			);
-			expect(response.headers.get('Access-Control-Max-Age')).toBe('600');
-		});
-
-		it('should NOT include CORS headers for preflight requests from untrusted origins', async () => {
-			const c15t = createTestInstance(['http://localhost:3001']);
-			const request = createTestRequest('http://localhost:3002', 'OPTIONS');
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(204);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(null);
-			expect(response.headers.get('Access-Control-Allow-Methods')).toBe(
-				'GET, HEAD, PUT, POST, DELETE, PATCH'
-			);
-			expect(response.headers.get('Access-Control-Allow-Headers')).toBe(
-				'Content-Type, Authorization, x-request-id'
-			);
-			expect(response.headers.get('Access-Control-Max-Age')).toBe('600');
-		});
-
-		it('should include all required CORS headers for actual requests from trusted origins', async () => {
-			const c15t = createTestInstance(['http://localhost:3002']);
-			const request = createTestRequest('http://localhost:3002', 'GET');
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				'http://localhost:3002'
-			);
-			expect(response.headers.get('Access-Control-Allow-Credentials')).toBe(
-				'true'
-			);
-		});
-
-		it('should NOT include Access-Control-Allow-Origin for actual requests from untrusted origins', async () => {
-			const c15t = createTestInstance(['http://localhost:3001']);
-			const request = createTestRequest('http://localhost:3002', 'GET');
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Vary')).toBe('origin');
-			expect(response.headers.get('Access-Control-Allow-Credentials')).toBe(
-				'true'
-			);
-		});
-	});
-
-	describe('C15T CORS www/non-www Origin Handling', () => {
-		const baseUrl = 'https://api.example.com';
-		const testEndpoint = '/show-consent-banner';
-		const wwwOrigin = 'http://www.c15t.com';
-		const nonWwwOrigin = 'http://c15t.com';
-
-		const createTestRequest = (origin?: string, method = 'GET') => {
-			const headers: Record<string, string> = {
-				'content-type': 'application/json',
-			};
-			if (origin) {
-				headers.origin = origin;
-			}
-			return new Request(`${baseUrl}${testEndpoint}`, { method, headers });
-		};
-
-		it('should allow www origin if non-www is trusted', async () => {
-			const c15t = c15tInstance({
-				trustedOrigins: [nonWwwOrigin],
-				appName: 'Test App',
-			});
-			const request = createTestRequest(wwwOrigin);
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				wwwOrigin
-			);
-		});
-
-		it('should allow non-www origin if www is trusted', async () => {
-			const c15t = c15tInstance({
-				trustedOrigins: [wwwOrigin],
-				appName: 'Test App',
-			});
-			const request = createTestRequest(nonWwwOrigin);
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				nonWwwOrigin
-			);
-		});
-
-		it('should allow both www and non-www origins if both are trusted', async () => {
-			const c15t = c15tInstance({
-				trustedOrigins: [wwwOrigin, nonWwwOrigin],
-				appName: 'Test App',
-			});
-			const requestWww = createTestRequest(wwwOrigin);
-			const requestNonWww = createTestRequest(nonWwwOrigin);
-			const responseWww = await c15t.handler(requestWww);
-			const responseNonWww = await c15t.handler(requestNonWww);
-			expect(responseWww.status).toBe(200);
-			expect(responseWww.headers.get('Access-Control-Allow-Origin')).toBe(
-				wwwOrigin
-			);
-			expect(responseNonWww.status).toBe(200);
-			expect(responseNonWww.headers.get('Access-Control-Allow-Origin')).toBe(
-				nonWwwOrigin
-			);
-		});
-
-		it('should deny unrelated origins', async () => {
-			const c15t = c15tInstance({
-				trustedOrigins: [nonWwwOrigin],
-				appName: 'Test App',
-			});
-			const unrelatedOrigin = 'http://malicious.com';
-			const request = createTestRequest(unrelatedOrigin);
-			const response = await c15t.handler(request);
-			expect(response.status).toBe(200);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(null);
-		});
-	});
-
-	describe('CORS trustedOrigins normalization and matching', () => {
-		const baseUrl = 'https://api.example.com';
-		const testEndpoint = '/show-consent-banner';
-
-		const createTestRequest = (origin?: string, method = 'GET') => {
-			const headers: Record<string, string> = {
-				'content-type': 'application/json',
-			};
-			if (origin) {
-				headers.origin = origin;
-			}
-			return new Request(`${baseUrl}${testEndpoint}`, { method, headers });
-		};
-
-		it('should match http and https with and without www', async () => {
-			const c15t = createTestInstance(['localhost:3002', 'example.com']);
-			// Should match both http and https, with and without www
-			const origins = [
-				'http://localhost:3002',
-				'https://localhost:3002',
-				'http://www.example.com',
-				'https://example.com',
-			];
-			for (const origin of origins) {
-				const request = createTestRequest(origin, 'OPTIONS');
-				const response = await c15t.handler(request);
-				expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-					origin
-				);
-			}
-		});
-
-		it('should not match unrelated origins', async () => {
-			const c15t = createTestInstance(['localhost:3002']);
-			const request = createTestRequest('http://malicious.com', 'OPTIONS');
-			const response = await c15t.handler(request);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(null);
-		});
-
-		it('should match wildcard *', async () => {
-			const c15t = createTestInstance(['*']);
-			const request = createTestRequest('http://any-origin.com', 'OPTIONS');
-			const response = await c15t.handler(request);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				'http://any-origin.com'
-			);
-		});
-
-		it('should match with port', async () => {
-			const c15t = createTestInstance(['localhost:3002']);
-			const request = createTestRequest('http://localhost:3002', 'OPTIONS');
-			const response = await c15t.handler(request);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(
-				'http://localhost:3002'
-			);
-		});
-
-		it('should not match if port is different', async () => {
-			const c15t = createTestInstance(['localhost:3002']);
-			const request = createTestRequest('http://localhost:4000', 'OPTIONS');
-			const response = await c15t.handler(request);
-			expect(response.headers.get('Access-Control-Allow-Origin')).toBe(null);
-		});
-	});
-});

package/src/middleware/cors/cors.ts

@@ -1,192 +0,0 @@
-/**
- * CORS middleware utility for c15t that handles origin validation and CORS headers
- *
- * @packageDocumentation
- */
-
-/** Regular expression to match www prefix in domain names */
-const WWW_REGEX = /^www\./;
-
-/** Regular expression to match protocol and www prefix in URLs */
-const PROTOCOL_WWW_REGEX = /^https?:\/\/(www\.)?/;
-
-/**
- * Supported HTTP methods for CORS
- */
-const SUPPORTED_METHODS = [
-	'GET',
-	'POST',
-	'PUT',
-	'DELETE',
-	'PATCH',
-	'OPTIONS',
-] as const;
-
-/**
- * Supported headers for CORS requests
- */
-const SUPPORTED_HEADERS = [
-	'Content-Type',
-	'Authorization',
-	'x-request-id',
-] as const;
-
-/**
- * CORS configuration options type
- */
-export interface CORSConfig {
-	/** Origin validation function */
-	origin: (origin: string) => Promise<string | null>;
-	/** Whether to allow credentials */
-	credentials: boolean;
-	/** Allowed headers */
-	allowHeaders: readonly string[];
-	/** Max age for preflight requests */
-	maxAge: number;
-	/** Allowed HTTP methods */
-	methods: readonly string[];
-}
-
-/**
- * Default CORS configuration for unrestricted access
- */
-const DEFAULT_CORS_CONFIG: CORSConfig = {
-	origin: async (origin: string) => {
-		// For default config, always return the origin if it exists, or '*' if it doesn't
-		return await Promise.resolve(origin || '*');
-	},
-	credentials: true,
-	allowHeaders: SUPPORTED_HEADERS,
-	maxAge: 600,
-	methods: SUPPORTED_METHODS,
-} as const;
-
-/**
- * Creates CORS options configuration for the c15t middleware
- *
- * @param trustedOrigins - Array of allowed origin patterns or single string. Can include wildcards ('*').
- * If undefined, defaults to allowing all origins without credentials.
- *
- * @returns CORS configuration object with origin validation function and header settings
- *
- * @example
- * ```ts
- * const corsOptions = createCORSOptions(['http://localhost:3000', 'https://example.com']);
- * ```
- *
- * @throws {TypeError} When URL parsing fails in origin validation
- */
-export function createCORSOptions(
-	trustedOrigins?: string[] | string
-): CORSConfig {
-	// If trustedOrigins is undefined or empty, return default config that allows all origins
-	if (!trustedOrigins) {
-		return DEFAULT_CORS_CONFIG;
-	}
-
-	// Convert string to array if needed
-	const origins = Array.isArray(trustedOrigins)
-		? trustedOrigins
-		: [trustedOrigins];
-	if (origins.length === 0) {
-		return DEFAULT_CORS_CONFIG;
-	}
-
-	/**
-	 * Normalizes an origin string by removing protocol and www prefix
-	 *
-	 * @param origin - The origin URL to normalize
-	 * @returns Normalized origin string without protocol and www prefix
-	 *
-	 * @internal
-	 */
-	function normalizeOrigin(origin: string): string {
-		try {
-			// Handle bare domains like 'localhost' or 'example.com'
-			if (
-				!origin.includes('://') &&
-				!origin.includes(':') &&
-				!origin.includes('/')
-			) {
-				return origin.toLowerCase();
-			}
-			// Add protocol if missing
-			const originWithProtocol =
-				origin.startsWith('http://') ||
-				origin.startsWith('https://') ||
-				origin.startsWith('ws://') ||
-				origin.startsWith('wss://')
-					? origin
-					: `http://${origin}`;
-			const url = new URL(originWithProtocol);
-			const hostname = url.hostname.replace(WWW_REGEX, '');
-			// Return without protocol to match both http and https
-			return `${hostname}${url.port ? `:${url.port}` : ''}`;
-		} catch {
-			// Fallback: remove www manually and protocol
-			return origin.replace(PROTOCOL_WWW_REGEX, '').replace(WWW_REGEX, '');
-		}
-	}
-
-	/**
-	 * Expands a list of origins to include www variants
-	 *
-	 * @param origins - Array of origin strings to expand
-	 * @returns Array of origins including www variants
-	 *
-	 * @internal
-	 */
-	function expandWithWWW(origins: string[]): string[] {
-		const expanded = new Set<string>();
-		for (const origin of origins) {
-			if (origin === '*') {
-				expanded.add('*');
-				continue;
-			}
-			const normalized = normalizeOrigin(origin);
-			expanded.add(normalized);
-			// Add www version if not already present
-			if (!normalized.includes('www.')) {
-				expanded.add(`www.${normalized}`);
-			}
-		}
-		return Array.from(expanded);
-	}
-
-	const expandedTrusted = expandWithWWW(origins);
-
-	const returnConfig = {
-		origin: async (origin: string) => {
-			if (!origin) {
-				return '*';
-			}
-			const normalizedOrigin = normalizeOrigin(origin);
-			if (expandedTrusted.includes('*')) {
-				return origin;
-			}
-			// Check if the origin matches any trusted origin
-			const isTrusted = expandedTrusted.some((trusted) => {
-				const normalizedTrusted = normalizeOrigin(trusted);
-				// For localhost, match both with and without port
-				if (normalizedTrusted === 'localhost') {
-					return (
-						normalizedOrigin === 'localhost' ||
-						normalizedOrigin.startsWith('localhost:') ||
-						normalizedOrigin === '127.0.0.1' ||
-						normalizedOrigin.startsWith('127.0.0.1:') ||
-						normalizedOrigin === '[::1]' ||
-						normalizedOrigin.startsWith('[::1]:')
-					);
-				}
-				return normalizedTrusted === normalizedOrigin;
-			});
-			return isTrusted ? origin : null;
-		},
-		credentials: true,
-		allowHeaders: SUPPORTED_HEADERS,
-		maxAge: 600,
-		methods: SUPPORTED_METHODS,
-	};
-
-	return returnConfig;
-}

package/src/middleware/cors/index.ts

@@ -1,30 +0,0 @@
-/**
- * CORS middleware for c15t
- *
- * This module provides comprehensive CORS (Cross-Origin Resource Sharing) functionality including:
- * - Origin validation with support for wildcards and subdomains
- * - Flexible CORS options configuration
- * - Context processing and enrichment
- * - Protocol-agnostic matching
- * - Support for www and non-www variants
- *
- * @example
- * ```ts
- * import { createCORSOptions, isOriginTrusted, processCors } from '@c15t/backend/middleware/cors';
- *
- * // Create CORS options with trusted origins
- * const corsOptions = createCORSOptions(['https://example.com', '*.trusted-domain.com']);
- *
- * // Process CORS for a request
- * const enrichedContext = processCors(request, context, trustedOrigins);
- *
- * // Validate an origin directly
- * const isTrusted = isOriginTrusted('https://api.trusted-domain.com', trustedOrigins);
- * ```
- *
- * @packageDocumentation
- */
-
-export { createCORSOptions } from './cors';
-export { isOriginTrusted } from './is-origin-trusted';
-export { processCors } from './process-cors';