npm - @c15t/backend - Versions diffs - 1.2.0-canary.13 → 1.2.0-canary.2 - Mend

@c15t/backend 1.2.0-canary.13 → 1.2.0-canary.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (222) hide show

package/src/core.ts CHANGED Viewed

@@ -1,19 +1,16 @@
-import { createLogger } from '@doubletie/logger';
+import { type Logger, createLogger } from '@doubletie/logger';
+import { OpenAPIGenerator } from '@orpc/openapi';
 import { OpenAPIHandler } from '@orpc/openapi/fetch';
 import { CORSPlugin } from '@orpc/server/plugins';
+import { ZodToJsonSchemaConverter } from '@orpc/zod';
 import { DoubleTieError, ERROR_CODES } from '~/pkgs/results';
 import type { C15TContext, C15TOptions, C15TPlugin } from '~/types';
+import packageJson from '../package.json';
 import { init } from './init';
-import { createCORSOptions, processCors } from './middleware/cors';
-import {
-	createDocsUI,
-	createOpenAPIConfig,
-	createOpenAPISpec,
-} from './middleware/openapi';
 import { withRequestSpan } from './pkgs/api-router/telemetry';
+import { isOriginTrusted } from './pkgs/api-router/utils/cors';
 import { getIp } from './pkgs/api-router/utils/ip';
 import { router } from './router';
 /**
  * Type representing an API route
  */
@@ -95,6 +92,22 @@ export interface C15TInstance<PluginTypes extends C15TPlugin[] = C15TPlugin[]> {
 	getDocsUI: () => string;
 }
+// Define middleware context interface
+interface MiddlewareContext {
+	logger?: Logger;
+	adapter: unknown;
+	registry: unknown;
+	generateId: unknown;
+	ipAddress?: string;
+	origin?: string;
+	trustedOrigin?: boolean;
+	path?: string;
+	method?: string;
+	headers?: Headers;
+	userAgent?: string;
+	[key: string]: unknown;
+}
 /**
  * Creates a new c15t consent management instance.
  *
@@ -106,22 +119,91 @@ export const c15tInstance = <PluginTypes extends C15TPlugin[] = C15TPlugin[]>(
 	// Initialize context
 	const contextPromise = init(options);
-	// Replace the inline corsOptions with the imported one
-	const corsOptions = createCORSOptions(options.trustedOrigins);
+	const corsOptions = options.trustedOrigins
+		? {
+				// When specific origins are configured
+				origin: options.trustedOrigins.includes('*')
+					? (origin: string) => origin // Return the actual origin
+					: options.trustedOrigins, // Otherwise use the specific list
+				credentials: true, // Allow cookies/auth headers
+				methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
+				allowedHeaders: ['Content-Type', 'Authorization', 'X-Request-ID'],
+				maxAge: 86400,
+			}
+		: {
+				// Default configuration when no origins specified
+				origin: '*', // Allow all origins
+				credentials: false, // Can't use credentials with wildcard origin
+				methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
+				allowedHeaders: ['Content-Type', 'Authorization', 'X-Request-ID'],
+				maxAge: 86400,
+			};
 	// Create the oRPC handler with plugins
 	const rpcHandler = new OpenAPIHandler(router, {
-		plugins: [new CORSPlugin(corsOptions)],
+		plugins: [
+			new CORSPlugin({
+				...corsOptions,
+				// Ensure these headers are always set
+				origin: (origin: string) => {
+					// If no origin, return null to deny the request
+					if (!origin) { return null; }
+					// If wildcard is allowed, return the actual origin
+					if (options.trustedOrigins?.includes('*')) {
+						return origin;
+					}
+					// If origin is in trusted list, return it
+					if (options.trustedOrigins?.includes(origin)) {
+						return origin;
+					}
+					// Deny all other origins
+					return null;
+				},
+				credentials: true,
+				exposeHeaders: ['Content-Type', 'Authorization', 'X-Request-ID'],
+			}),
+		],
+	});
+	// Initialize OpenAPI generator with schema converters
+	const openAPIGenerator = new OpenAPIGenerator({
+		schemaConverters: [new ZodToJsonSchemaConverter()],
 	});
-	// Set up OpenAPI configuration
-	const openApiConfig = createOpenAPIConfig(options);
-	const getDocsUI = () => createDocsUI(options);
+	// Set up OpenAPI configuration with defaults
+	const openApiConfig = {
+		enabled: true,
+		specPath: '/spec.json',
+		docsPath: '/docs',
+		...(options.openapi || {}),
+	};
+	// Default OpenAPI options
+	const defaultOpenApiOptions = {
+		info: {
+			title: options.appName || 'c15t API',
+			version: packageJson.version,
+			description: 'API for consent management',
+		},
+		servers: [{ url: '/' }],
+		security: [{ bearerAuth: [] }],
+		// components: {
+		// 	securitySchemes: {
+		// 		bearerAuth: {
+		// 			type: 'http',
+		// 			scheme: 'bearer',
+		// 		},
+		// 	},
+		// },
+	};
 	/**
 	 * Process IP tracking and add it to the context
 	 */
-	const processIp = (request: Request, context: C15TContext) => {
+	const processIp = (request: Request, context: MiddlewareContext) => {
 		const ip = getIp(request, options);
 		if (ip) {
 			context.ipAddress = ip;
@@ -129,10 +211,28 @@ export const c15tInstance = <PluginTypes extends C15TPlugin[] = C15TPlugin[]>(
 		return context;
 	};
+	/**
+	 * Process CORS validation and add it to the context
+	 */
+	const processCors = (request: Request, context: MiddlewareContext) => {
+		const origin = request.headers.get('origin');
+		if (origin && options.trustedOrigins) {
+			const trusted = isOriginTrusted(
+				origin,
+				options.trustedOrigins,
+				context.logger
+			);
+			context.origin = origin;
+			context.trustedOrigin = trusted;
+		}
+		return context;
+	};
 	/**
 	 * Add telemetry tracking to the context
 	 */
-	const processTelemetry = (request: Request, context: C15TContext) => {
+	const processTelemetry = (request: Request, context: MiddlewareContext) => {
 		const url = new URL(request.url);
 		const path = url.pathname;
 		const method = request.method;
@@ -158,6 +258,81 @@ export const c15tInstance = <PluginTypes extends C15TPlugin[] = C15TPlugin[]>(
 		return context;
 	};
+	/**
+	 * Generate the OpenAPI specification document
+	 */
+	const getOpenAPISpec = (async (): Promise<Record<string, unknown>> => {
+		// Memoise once per process
+		if (getOpenAPISpec.cached) {
+			return getOpenAPISpec.cached;
+		}
+		// Start with our defaults
+		const mergedOptions = { ...defaultOpenApiOptions };
+		// If user provided options, merge them with defaults
+		if (openApiConfig.options) {
+			// biome-ignore lint: OpenAPI options are dynamically merged
+			const userOptions = openApiConfig.options as Record<string, any>;
+			// Handle nested info object (title, description, version) specially
+			if (userOptions.info) {
+				mergedOptions.info = {
+					...defaultOpenApiOptions.info,
+					...userOptions.info,
+				};
+			}
+			// For all other top-level properties, override defaults with user settings
+			for (const [key, value] of Object.entries(userOptions)) {
+				if (key !== 'info') {
+					(mergedOptions as Record<string, unknown>)[key] = value;
+				}
+			}
+		}
+		// We need to cast to the expected type due to incompatibilities between the types
+		// This is safe as we control the options format and it's compatible with what the generator expects
+		const spec = await openAPIGenerator.generate(
+			router,
+			mergedOptions as Record<string, unknown>
+		);
+		getOpenAPISpec.cached = spec;
+		return spec;
+	}) as (() => Promise<Record<string, unknown>>) & {
+		cached?: Record<string, unknown>;
+	};
+	/**
+	 * Generate the default UI for API documentation
+	 */
+	const getDocsUI = () => {
+		// If a custom template is provided, use it
+		if (openApiConfig.customUiTemplate) {
+			return openApiConfig.customUiTemplate;
+		}
+		// Otherwise, return the default Scalar UI
+		return `
+    <!doctype html>
+    <html>
+      <head>
+        <title>${options.appName || 'c15t API'} Documentation</title>
+        <meta charset="utf-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <link rel="icon" type="image/svg+xml" href="https://orpc.unnoq.com/icon.svg" />
+      </head>
+      <body>
+        <script
+          id="api-reference"
+          data-url="${encodeURI(openApiConfig.specPath)}">
+        </script>
+        <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>
+      </body>
+    </html>
+    `;
+	};
 	/**
 	 * Handle OpenAPI spec requests
 	 */
@@ -165,24 +340,6 @@ export const c15tInstance = <PluginTypes extends C15TPlugin[] = C15TPlugin[]>(
 		url: URL
 	): Promise<Response | null> => {
 		if (openApiConfig.enabled && url.pathname === openApiConfig.specPath) {
-			const ctxResult = await contextPromise;
-			if (!ctxResult.isOk()) {
-				throw ctxResult.error;
-			}
-			const ctx = ctxResult.value;
-			const orpcContext = {
-				adapter: ctx.adapter,
-				registry: ctx.registry,
-				logger: ctx.logger,
-				generateId: ctx.generateId,
-				headers: new Headers(),
-				appName: options.appName || 'c15t',
-				options,
-				trustedOrigins: options.trustedOrigins || [],
-				baseURL: options.baseURL || '/',
-				tables: ctx.tables,
-			};
-			const getOpenAPISpec = createOpenAPISpec(orpcContext, options);
 			const spec = await getOpenAPISpec();
 			return new Response(JSON.stringify(spec), {
 				status: 200,
@@ -275,52 +432,32 @@ export const c15tInstance = <PluginTypes extends C15TPlugin[] = C15TPlugin[]>(
 		ctx: C15TContext
 	): Promise<Response> => {
 		// Create context for the handler with c15t specifics
-		const orpcContext = {
+		const orpcContext: MiddlewareContext = {
 			adapter: ctx.adapter,
 			registry: ctx.registry,
 			logger: ctx.logger,
 			generateId: ctx.generateId,
 			headers: request.headers,
 			userAgent: request.headers.get('user-agent') || undefined,
-			appName: options.appName || 'c15t',
-			options,
-			trustedOrigins: options.trustedOrigins || [],
-			baseURL: options.baseURL || '/',
-			tables: ctx.tables,
 		};
 		// Apply middleware processing to enrich the context
 		processIp(request, orpcContext);
-		processCors(request, orpcContext, options.trustedOrigins);
+		processCors(request, orpcContext);
 		processTelemetry(request, orpcContext);
 		// Use oRPC handler to handle the request with our enhanced context
 		const handlerContext = orpcContext as Record<string, unknown>;
-		orpcContext.logger.debug?.('Handling prefix', {
-			prefix: (options.basePath as `/${string}`) || '/',
-		});
 		const { matched, response } = await rpcHandler.handle(request, {
-			prefix: (options.basePath as `/${string}`) || '/',
+			prefix: '/',
 			context: handlerContext,
 		});
 		// Return the response if handler matched
 		if (matched && response) {
-			orpcContext.logger.debug('Handler matched', {
-				request,
-				matched,
-				response,
-			});
 			return response;
 		}
-		orpcContext.logger.debug('No handler matched', {
-			request,
-			matched,
-			response,
-		});
 		// If no handler matched, return 404
 		return new Response('Not Found', { status: 404 });
 	};
@@ -331,11 +468,6 @@ export const c15tInstance = <PluginTypes extends C15TPlugin[] = C15TPlugin[]>(
 	const handler = async (request: Request): Promise<Response> => {
 		try {
 			const url = new URL(request.url);
-			// Add this debug log:
-			createLogger(options.logger)?.debug?.('Incoming request', {
-				method: request.method,
-				pathname: url.pathname,
-			});
 			// Check for OpenAPI spec or docs UI requests
 			const openApiResponse = await handleOpenApiSpecRequest(url);
@@ -355,19 +487,6 @@ export const c15tInstance = <PluginTypes extends C15TPlugin[] = C15TPlugin[]>(
 			}
 			const ctx = ctxResult.value;
-			// After options/baseURL/basePath is set/used
-			const basePath = options.basePath || options.baseURL || '/';
-			createLogger(options.logger)?.debug?.('[c15t] Using basePath/baseURL', {
-				basePath,
-			});
-			// Add this debug log:
-			createLogger(options.logger)?.debug?.('[c15t] Routing request', {
-				method: request.method,
-				url: request.url,
-				prefix: basePath,
-			});
 			// Handle API request
 			return await handleApiRequest(request, ctx);
 		} catch (error) {
@@ -423,27 +542,7 @@ export const c15tInstance = <PluginTypes extends C15TPlugin[] = C15TPlugin[]>(
 		...createNextHandlers(),
 		// OpenAPI functionality
-		getOpenAPISpec: async () => {
-			const ctxResult = await contextPromise;
-			if (!ctxResult.isOk()) {
-				throw ctxResult.error;
-			}
-			const ctx = ctxResult.value;
-			const orpcContext = {
-				adapter: ctx.adapter,
-				registry: ctx.registry,
-				logger: ctx.logger,
-				generateId: ctx.generateId,
-				headers: new Headers(),
-				appName: options.appName || 'c15t',
-				options,
-				trustedOrigins: options.trustedOrigins || [],
-				baseURL: options.baseURL || '/',
-				tables: ctx.tables,
-			};
-			const getOpenAPISpec = createOpenAPISpec(orpcContext, options);
-			return getOpenAPISpec();
-		},
+		getOpenAPISpec,
 		getDocsUI,
 	};
 };

package/src/handlers/consent/show-banner.handler.test.ts CHANGED Viewed

@@ -119,7 +119,7 @@ describe('Show Consent Banner Handler', () => {
 				createMockContext({ 'cf-ipcountry': 'US' })
 			);
-			expect(result.showConsentBanner).toBe(true);
+			expect(result.showConsentBanner).toBe(false);
 			expect(result.jurisdiction.code).toBe('NONE');
 			expect(result.jurisdiction.message).toBe(JurisdictionMessages.NONE);
 		});

package/src/handlers/consent/show-banner.handler.ts CHANGED Viewed

@@ -110,7 +110,7 @@ export function checkJurisdiction(countryCode: string | null) {
 	};
 	// Default to no jurisdiction
-	const showConsentBanner = true;
+	let showConsentBanner = false;
 	let jurisdictionCode: JurisdictionCode = 'NONE';
 	// Check country code against jurisdiction sets
@@ -132,6 +132,7 @@ export function checkJurisdiction(countryCode: string | null) {
 		// Find matching jurisdiction
 		for (const { sets, code } of jurisdictionMap) {
 			if (sets.some((set) => set.has(countryCode))) {
+				showConsentBanner = true;
 				jurisdictionCode = code;
 				break;
 			}

package/src/{middleware/cors/is-origin-trusted.test.ts → pkgs/api-router/utils/core.test.ts} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { describe, expect, it } from 'vitest';
-import { isOriginTrusted } from './is-origin-trusted';
+import { isOriginTrusted } from './cors';
 /**
  * Test suite for CORS utility functions

package/src/pkgs/api-router/utils/cors.ts ADDED Viewed

@@ -0,0 +1,73 @@
+import type { Logger } from '@doubletie/logger';
+/**
+ * Regex to strip protocol, trailing slashes, and port numbers from URLs
+ */
+export const STRIP_REGEX = /^(https?:\/\/)|(wss?:\/\/)|(\/+$)|:\d+/g;
+/**
+ * Validates if a given origin matches a trusted domain pattern
+ *
+ * @param origin - The origin to validate
+ * @param trustedDomains - Array of trusted domain patterns (can include wildcard)
+ * @returns boolean indicating if the origin is trusted
+ */
+export function isOriginTrusted(
+	origin: string,
+	trustedDomains: string[],
+	logger?: Logger
+): boolean {
+	try {
+		if (trustedDomains.length === 0) {
+			throw new Error('No trusted domains');
+		}
+		logger?.debug(
+			`Checking if origin ${origin} is trusted in ${trustedDomains}`
+		);
+		// Special case: if "*" is in trusted domains, allow all origins
+		if (trustedDomains.includes('*')) {
+			logger?.debug('Allowing all origins');
+			return true;
+		}
+		// Parse the origin URL to get just the hostname
+		const url = new URL(origin);
+		const originHostname = url.hostname.toLowerCase();
+		logger?.debug(`Parsed origin hostname: ${originHostname}`);
+		return trustedDomains.some((domain) => {
+			// Handle empty domains (which might come from splitting empty strings)
+			if (!domain || domain.trim() === '') {
+				logger?.debug('Skipping empty domain');
+				return false;
+			}
+			const strippedDomain = domain.replace(STRIP_REGEX, '').toLowerCase();
+			logger?.debug(`Checking against stripped domain: ${strippedDomain}`);
+			if (strippedDomain.startsWith('*.')) {
+				// For wildcard domains, ensure there is at least one subdomain
+				const wildcardDomain = strippedDomain.slice(2); // Remove *. prefix
+				const parts = originHostname.split('.');
+				const isValid =
+					parts.length > 2 && originHostname.endsWith(wildcardDomain);
+				logger?.debug(
+					`Wildcard match result: ${isValid} ${originHostname} ends with ${wildcardDomain} ${parts.length > 2} ${originHostname.endsWith(wildcardDomain)}`
+				);
+				return isValid;
+			}
+			const isMatch = originHostname === strippedDomain;
+			logger?.debug(
+				`Exact match result: ${isMatch} ${originHostname} === ${strippedDomain}`
+			);
+			return isMatch;
+		});
+	} catch (error) {
+		logger?.error('Error validating origin:', error);
+		return false;
+	}
+}

package/src/schema/consent-policy/registry.ts CHANGED Viewed

@@ -1,7 +1,10 @@
+import { createHash } from 'node:crypto';
 import { getWithHooks } from '~/pkgs/data-model';
 import type { Where } from '~/pkgs/db-adapters';
-import { DoubleTieError, ERROR_CODES } from '~/pkgs/results';
 import type { GenericEndpointContext, RegistryContext } from '~/pkgs/types';
+import { DoubleTieError, ERROR_CODES } from '~/pkgs/results';
 import { validateEntityOutput } from '../definition';
 import type { ConsentPolicy, PolicyType } from './schema';
@@ -28,26 +31,9 @@ import type { ConsentPolicy, PolicyType } from './schema';
  *
  * @internal Used by findOrCreatePolicy to initialize placeholder content
  */
-async function generatePolicyPlaceholder(name: string, date: Date) {
+function generatePolicyPlaceholder(name: string, date: Date) {
 	const content = `[PLACEHOLDER] This is an automatically generated version of the ${name} policy.\n\nThis placeholder content should be replaced with actual policy terms before being presented to users.\n\nGenerated on: ${date.toISOString()}`;
-	let contentHash: string;
-	try {
-		// Use Web Crypto API which is available in both browsers and edge environments
-		const encoder = new TextEncoder();
-		const data = encoder.encode(content);
-		const hashBuffer = await crypto.subtle.digest('SHA-256', data);
-		contentHash = Array.from(new Uint8Array(hashBuffer))
-			.map((b) => b.toString(16).padStart(2, '0'))
-			.join('');
-	} catch (error) {
-		throw new DoubleTieError('Failed to generate policy content hash', {
-			code: ERROR_CODES.INTERNAL_SERVER_ERROR,
-			status: 500,
-			cause: error instanceof Error ? error : new Error(String(error)),
-		});
-	}
+	const contentHash = createHash('sha256').update(content).digest('hex');
 	return { content, contentHash };
 }
@@ -280,69 +266,57 @@ export function policyRegistry({ adapter, ...ctx }: RegistryContext) {
 		 */
 		findOrCreatePolicy: async (type: PolicyType) => {
 			// Use a transaction to prevent race conditions
-			return await adapter.transaction({
+			return adapter.transaction({
 				callback: async (txAdapter) => {
-					try {
-						const now = new Date();
-						const txRegistry = policyRegistry({
-							adapter: txAdapter,
-							...ctx,
-						});
+					const now = new Date();
+					const txRegistry = policyRegistry({
+						adapter: txAdapter,
+						...ctx,
+					});
-						// Find latest policy with exact name match directly from database
-						const rawLatestPolicy = await txAdapter.findOne({
-							model: 'consentPolicy',
-							where: [
-								{ field: 'isActive', value: true },
-								{
-									field: 'type',
-									value: type,
-								},
-							],
-							sortBy: {
-								field: 'effectiveDate',
-								direction: 'desc',
+					// Find latest policy with exact name match directly from database
+					const rawLatestPolicy = await txAdapter.findOne({
+						model: 'consentPolicy',
+						where: [
+							{ field: 'isActive', value: true },
+							{
+								field: 'type',
+								value: type,
 							},
-						});
-						const latestPolicy = rawLatestPolicy
-							? validateEntityOutput(
-									'consentPolicy',
-									rawLatestPolicy,
-									ctx.options
-								)
-							: null;
+						],
+						sortBy: {
+							field: 'effectiveDate',
+							direction: 'desc',
+						},
+					});
-						if (latestPolicy) {
-							return latestPolicy;
-						}
+					const latestPolicy = rawLatestPolicy
+						? validateEntityOutput(
+								'consentPolicy',
+								rawLatestPolicy,
+								ctx.options
+							)
+						: null;
-						// Generate policy content and hash
-						const { content: defaultContent, contentHash } =
-							await generatePolicyPlaceholder(type, now);
+					if (latestPolicy) {
+						return latestPolicy;
+					}
-						return txRegistry.createConsentPolicy({
-							version: '1.0.0',
-							type,
-							name: type,
-							effectiveDate: now,
-							content: defaultContent,
-							contentHash,
-							isActive: true,
-							updatedAt: now,
-							expirationDate: null,
-						});
-					} catch (error) {
-						// Log the error for debugging purposes
-						ctx.logger.error('Error in findOrCreatePolicy transaction:', error);
+					// Generate policy content and hash
+					const { content: defaultContent, contentHash } =
+						generatePolicyPlaceholder(type, now);
-						// Rethrow as a DoubleTieError with appropriate context
-						throw new DoubleTieError('Failed to find or create policy', {
-							code: ERROR_CODES.INTERNAL_SERVER_ERROR,
-							status: 500,
-							cause: error instanceof Error ? error : new Error(String(error)),
-						});
-					}
+					return txRegistry.createConsentPolicy({
+						version: '1.0.0',
+						type,
+						name: type,
+						effectiveDate: now,
+						content: defaultContent,
+						contentHash,
+						isActive: true,
+						updatedAt: now,
+						expirationDate: null,
+					});
 				},
 			});
 		},

package/src/server.ts CHANGED Viewed

@@ -11,7 +11,11 @@ const logger = getLogger({
 // Create the c15t instance with our configuration
 const instance = c15tInstance({
-	trustedOrigins: ['*'], // Allow all origins for development
+	advanced: {
+		cors: {
+			allowedOrigins: ['*'], // Allow all origins for development
+		},
+	},
 	// Add OpenAPI configuration
 	openapi: {
 		enabled: true, // Set to true to enable docs

package/dist/__tests__/server.test.d.ts DELETED Viewed

	@@ -1,2 +0,0 @@
1	- export {};
2	- //# sourceMappingURL=server.test.d.ts.map

package/dist/__tests__/server.test.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"server.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/server.test.ts"],"names":[],"mappings":""}