@c15t/backend 2.0.0-rc.3 → 2.0.0-rc.5

package/src/middleware/cors/is-origin-trusted.test.ts

@@ -1,164 +0,0 @@
-import { describe, expect, it } from 'vitest';
-import { isOriginTrusted } from './is-origin-trusted';
-
-/**
- * Test suite for CORS utility functions
- */
-describe('CORS utilities', () => {
-	describe('isOriginTrusted', () => {
-		it('should match exact origins', () => {
-			const trustedDomains = ['example.com'];
-			expect(isOriginTrusted('https://example.com', trustedDomains)).toBe(true);
-			expect(isOriginTrusted('https://other.com', trustedDomains)).toBe(false);
-		});
-
-		it('should handle origins with trailing slashes', () => {
-			const trustedDomains = ['example.com'];
-			expect(isOriginTrusted('https://example.com/', trustedDomains)).toBe(
-				true
-			);
-			expect(isOriginTrusted('https://example.com//', trustedDomains)).toBe(
-				true
-			);
-		});
-
-		it('should handle origins with paths', () => {
-			const trustedDomains = ['example.com'];
-			expect(isOriginTrusted('https://example.com/path', trustedDomains)).toBe(
-				true
-			);
-			expect(
-				isOriginTrusted('https://example.com/path/subpath', trustedDomains)
-			).toBe(true);
-		});
-
-		it('should handle multiple trusted domains', () => {
-			const trustedDomains = ['example.com', 'test.com'];
-			expect(isOriginTrusted('https://example.com', trustedDomains)).toBe(true);
-			expect(isOriginTrusted('https://test.com', trustedDomains)).toBe(true);
-			expect(isOriginTrusted('https://other.com', trustedDomains)).toBe(false);
-		});
-
-		it('should handle wildcard subdomains', () => {
-			const trustedDomains = ['*.example.com'];
-			expect(isOriginTrusted('https://sub.example.com', trustedDomains)).toBe(
-				true
-			);
-			expect(
-				isOriginTrusted('https://other.sub.example.com', trustedDomains)
-			).toBe(true);
-			expect(isOriginTrusted('https://example.com', trustedDomains)).toBe(
-				false
-			);
-			expect(isOriginTrusted('https://other.com', trustedDomains)).toBe(false);
-		});
-
-		it('should handle different protocols', () => {
-			const trustedDomains = ['example.com'];
-			expect(isOriginTrusted('http://example.com', trustedDomains)).toBe(true);
-			expect(isOriginTrusted('wss://example.com', trustedDomains)).toBe(true);
-		});
-
-		it('should handle ports in origins', () => {
-			const trustedDomains = ['example.com'];
-			expect(isOriginTrusted('https://example.com:3000', trustedDomains)).toBe(
-				true
-			);
-			expect(isOriginTrusted('http://example.com:8080', trustedDomains)).toBe(
-				true
-			);
-		});
-
-		it('should handle empty trusted domains array', () => {
-			const trustedDomains: string[] = [];
-			expect(isOriginTrusted('https://example.com', trustedDomains)).toBe(
-				false
-			);
-		});
-
-		it('should handle invalid origin formats', () => {
-			const trustedDomains = ['example.com'];
-			expect(isOriginTrusted('invalid-url', trustedDomains)).toBe(false);
-			expect(isOriginTrusted('', trustedDomains)).toBe(false);
-		});
-
-		it('should handle case sensitivity', () => {
-			const trustedDomains = ['EXAMPLE.com'];
-			expect(isOriginTrusted('https://example.com', trustedDomains)).toBe(true);
-			expect(isOriginTrusted('https://EXAMPLE.COM', trustedDomains)).toBe(true);
-		});
-
-		it('should handle subdomain levels with wildcards', () => {
-			const trustedDomains = ['*.example.com'];
-			expect(isOriginTrusted('https://a.b.example.com', trustedDomains)).toBe(
-				true
-			);
-			expect(isOriginTrusted('https://a.example.com', trustedDomains)).toBe(
-				true
-			);
-			expect(isOriginTrusted('https://example.com', trustedDomains)).toBe(
-				false
-			);
-		});
-
-		describe('multiple subdomain levels', () => {
-			it('should match base domain when explicitly listed', () => {
-				const trustedDomains = ['my-site.com'];
-				expect(isOriginTrusted('https://my-site.com', trustedDomains)).toBe(
-					true
-				);
-			});
-
-			it('should match single-level subdomain with wildcard pattern', () => {
-				const trustedDomains = ['*.my-site.com'];
-				expect(
-					isOriginTrusted('https://foobar.my-site.com', trustedDomains)
-				).toBe(true);
-			});
-
-			it('should match multi-level subdomain with wildcard pattern', () => {
-				const trustedDomains = ['*.my-site.com'];
-				expect(
-					isOriginTrusted('https://foo.bar.my-site.com', trustedDomains)
-				).toBe(true);
-			});
-
-			it('should match three-level subdomain with wildcard pattern', () => {
-				const trustedDomains = ['*.my-site.com'];
-				expect(
-					isOriginTrusted('https://a.b.c.my-site.com', trustedDomains)
-				).toBe(true);
-			});
-
-			it('should not match base domain with wildcard pattern', () => {
-				const trustedDomains = ['*.my-site.com'];
-				expect(isOriginTrusted('https://my-site.com', trustedDomains)).toBe(
-					false
-				);
-			});
-
-			it('should not match similar domain that is not a subdomain', () => {
-				const trustedDomains = ['*.my-site.com'];
-				expect(isOriginTrusted('https://notmy-site.com', trustedDomains)).toBe(
-					false
-				);
-				expect(
-					isOriginTrusted('https://foobar-my-site.com', trustedDomains)
-				).toBe(false);
-			});
-
-			it('should match both base domain and subdomains when both are configured', () => {
-				const trustedDomains = ['my-site.com', '*.my-site.com'];
-				expect(isOriginTrusted('https://my-site.com', trustedDomains)).toBe(
-					true
-				);
-				expect(
-					isOriginTrusted('https://foobar.my-site.com', trustedDomains)
-				).toBe(true);
-				expect(
-					isOriginTrusted('https://foo.bar.my-site.com', trustedDomains)
-				).toBe(true);
-			});
-		});
-	});
-});

package/src/middleware/cors/is-origin-trusted.ts

@@ -1,130 +0,0 @@
-/**
- * Origin validation utilities for CORS security
- *
- * @packageDocumentation
- */
-
-import type { Logger } from '@c15t/logger';
-
-/**
- * Regular expression to strip protocol, trailing slashes, and port numbers from URLs
- * Matches:
- * - http:// or https:// protocol
- * - ws:// or wss:// protocol
- * - trailing slashes
- * - port numbers with colon
- *
- * @internal
- */
-export const STRIP_REGEX =
-	/^(?:https?:\/\/)|^(?:wss?:\/\/)|(?:\/+$)|(?::\d+$)/g;
-
-/**
- * Checks if a domain matches a wildcard pattern
- *
- * @param hostname - The hostname to check
- * @param wildcardPattern - The wildcard pattern (e.g. *.example.com)
- * @param logger - Optional logger for debugging
- * @returns true if the hostname matches the wildcard pattern
- *
- * @internal
- */
-function matchesWildcard(
-	hostname: string,
-	wildcardPattern: string,
-	logger?: Logger
-): boolean {
-	const wildcardDomain = wildcardPattern.slice(2); // Remove *. prefix
-
-	// Ensure the hostname is not the base domain and ends with .wildcardDomain
-	// This prevents matching domains like 'foobar-my-site.com' against '*.my-site.com'
-	const isValid =
-		hostname !== wildcardDomain && hostname.endsWith(`.${wildcardDomain}`);
-
-	logger?.debug(
-		`Wildcard match result: ${isValid} ${hostname} ends with .${wildcardDomain}`
-	);
-
-	return isValid;
-}
-
-/**
- * Validates if a given origin matches any of the trusted domain patterns
- *
- * Supports:
- * - Exact domain matches
- * - Wildcard subdomains (e.g. *.example.com)
- * - Protocol-agnostic matching
- * - Case-insensitive comparison
- *
- * @param origin - The origin URL to validate (e.g. https://example.com)
- * @param trustedDomains - Array of trusted domain patterns. Can include wildcards (e.g. *.example.com)
- * @param logger - Optional logger for debugging validation process
- *
- * @returns `true` if the origin matches any trusted domain pattern, `false` otherwise
- *
- * @throws {Error} When trustedDomains array is empty
- * @throws {TypeError} When origin URL is invalid
- *
- * @example
- * ```ts
- * // Simple domain matching
- * isOriginTrusted('https://example.com', ['example.com']); // true
- *
- * // Wildcard subdomain matching
- * isOriginTrusted('https://api.example.com', ['*.example.com']); // true
- *
- * // Allow all origins
- * isOriginTrusted('https://any-domain.com', ['*']); // true
- * ```
- */
-export function isOriginTrusted(
-	origin: string,
-	trustedDomains: string[],
-	logger?: Logger
-): boolean {
-	try {
-		if (trustedDomains.length === 0) {
-			throw new Error('No trusted domains');
-		}
-
-		logger?.debug(
-			`Checking if origin ${origin} is trusted in ${trustedDomains}`
-		);
-
-		// Special case: if "*" is in trusted domains, allow all origins
-		if (trustedDomains.includes('*')) {
-			logger?.debug('Allowing all origins');
-			return true;
-		}
-
-		// Parse the origin URL to get just the hostname
-		const url = new URL(origin);
-		const originHostname = url.hostname.toLowerCase();
-		logger?.debug(`Parsed origin hostname: ${originHostname}`);
-
-		return trustedDomains.some((domain) => {
-			// Handle empty domains (which might come from splitting empty strings)
-			if (!domain || domain.trim() === '') {
-				logger?.debug('Skipping empty domain');
-				return false;
-			}
-
-			const strippedDomain = domain.replace(STRIP_REGEX, '').toLowerCase();
-			logger?.debug(`Checking against stripped domain: ${strippedDomain}`);
-
-			if (strippedDomain.startsWith('*.')) {
-				return matchesWildcard(originHostname, strippedDomain, logger);
-			}
-
-			const isMatch = originHostname === strippedDomain;
-			logger?.debug(
-				`Exact match result: ${isMatch} ${originHostname} === ${strippedDomain}`
-			);
-			return isMatch;
-		});
-	} catch (error) {
-		logger?.error('Error validating origin:', error);
-		return false;
-	}
-}

package/src/middleware/cors/process-cors.ts

@@ -1,91 +0,0 @@
-/**
- * CORS processing middleware for c15t
- * Handles origin validation and context enrichment
- *
- * @packageDocumentation
- */
-
-import type { C15TContext } from '~/types';
-import { isOriginTrusted } from './is-origin-trusted';
-
-/**
- * Result of CORS processing
- * @internal
- */
-interface CORSProcessingResult {
-	/** The origin from the request */
-	origin: string | null;
-	/** Whether the origin is trusted */
-	isTrusted: boolean;
-}
-
-/**
- * Extracts and validates CORS information from a request
- *
- * @param request - The request to process
- * @param trustedOrigins - Array of trusted origins
- * @param logger - Optional logger for debugging
- * @returns CORS processing result
- *
- * @internal
- */
-function extractCORSInfo(
-	request: Request,
-	trustedOrigins?: string[],
-	logger?: C15TContext['logger']
-): CORSProcessingResult {
-	const origin = request.headers.get('origin');
-
-	if (!origin || !trustedOrigins) {
-		return {
-			origin: origin,
-			isTrusted: false,
-		};
-	}
-
-	return {
-		origin,
-		isTrusted: isOriginTrusted(origin, trustedOrigins, logger),
-	};
-}
-
-/**
- * Processes CORS validation for an incoming request and enriches the context
- * with origin information. This middleware function validates the origin against
- * trusted patterns and updates the context with the validation results.
- *
- * @param request - The incoming HTTP request to process
- * @param context - The c15t middleware context to enrich
- * @param trustedOrigins - Array of trusted origin patterns. Can include wildcards ('*')
- *
- * @returns The enriched context with origin validation results
- *
- * @example
- * ```ts
- * const enrichedContext = processCors(
- *   request,
- *   context,
- *   ['https://example.com', '*.trusted-domain.com']
- * );
- * ```
- *
- * @see {@link isOriginTrusted} for origin validation details
- */
-export const processCors = (
-	request: Request,
-	context: C15TContext,
-	trustedOrigins?: string[]
-): C15TContext => {
-	const { origin, isTrusted } = extractCORSInfo(
-		request,
-		trustedOrigins,
-		context.logger
-	);
-
-	if (origin) {
-		context.origin = origin;
-		context.trustedOrigin = isTrusted;
-	}
-
-	return context;
-};

package/src/middleware/openapi/config.ts

@@ -1,29 +0,0 @@
-import type { C15TOptions } from '~/types';
-import { version } from '~/version';
-/**
- * Default OpenAPI configuration
- *
- * Note: specPath and docsPath should NOT include the basePath,
- * as the basePath is stripped from incoming requests before routing.
- */
-export const createOpenAPIConfig = (options: C15TOptions) => {
-	return {
-		enabled: options.advanced?.openapi?.enabled !== false,
-		specPath: '/spec.json',
-		docsPath: '/docs',
-		...(options.advanced?.openapi || {}),
-	};
-};
-
-/**
- * Default OpenAPI options
- */
-export const createDefaultOpenAPIOptions = (options: C15TOptions) => ({
-	info: {
-		title: options.appName || 'c15t API',
-		version,
-		description: 'API for consent management',
-	},
-	servers: [{ url: options.basePath || '/' }],
-	security: [{ bearerAuth: [] }],
-});

package/src/middleware/openapi/handlers.ts

@@ -1,34 +0,0 @@
-import type { C15TOptions } from '~/types';
-import { createOpenAPIConfig } from './config';
-
-/**
- * Generate the default UI for API documentation
- */
-export const createDocsUI = (options: C15TOptions) => {
-	const config = createOpenAPIConfig(options);
-
-	// If a custom template is provided, use it
-	if (config.customUiTemplate) {
-		return config.customUiTemplate;
-	}
-
-	// Otherwise, return the default Scalar UI
-	return `
-    <!doctype html>
-    <html>
-      <head>
-        <title>${options.appName || 'c15t API'} Documentation</title>
-        <meta charset="utf-8" />
-        <meta name="viewport" content="width=device-width, initial-scale=1" />
-        <link rel="icon" type="image/svg+xml" href="https://c15t.com/icon.svg" />
-      </head>
-      <body>
-        <script
-          id="api-reference"
-          data-url="${encodeURI(config.specPath)}">
-        </script>
-        <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>
-      </body>
-    </html>
-  `;
-};

package/src/middleware/process-ip/index.test.ts

@@ -1,195 +0,0 @@
-import { describe, expect, it } from 'vitest';
-import type { C15TOptions } from '~/types';
-import { getIpAddress, maskIpAddress } from './index';
-
-describe('maskIpAddress', () => {
-	describe('IPv4 addresses', () => {
-		it('should mask the last octet of a standard IPv4 address', () => {
-			expect(maskIpAddress('192.168.1.100')).toBe('192.168.1.0');
-		});
-
-		it('should mask the last octet of localhost', () => {
-			expect(maskIpAddress('127.0.0.1')).toBe('127.0.0.0');
-		});
-
-		it('should mask the last octet of a public IP', () => {
-			expect(maskIpAddress('8.8.8.8')).toBe('8.8.8.0');
-		});
-
-		it('should handle IP with last octet already zero', () => {
-			expect(maskIpAddress('10.0.0.0')).toBe('10.0.0.0');
-		});
-
-		it('should handle IP with max values', () => {
-			expect(maskIpAddress('255.255.255.255')).toBe('255.255.255.0');
-		});
-	});
-
-	describe('IPv6 addresses', () => {
-		it('should mask the last 80 bits of a full IPv6 address', () => {
-			const result = maskIpAddress('2001:0db8:85a3:0000:0000:8a2e:0370:7334');
-			expect(result).toBe('2001:db8:85a3::');
-		});
-
-		it('should mask a compressed IPv6 address', () => {
-			const result = maskIpAddress('2001:db8:85a3::1');
-			expect(result).toBe('2001:db8:85a3::');
-		});
-
-		it('should handle localhost IPv6', () => {
-			const result = maskIpAddress('::1');
-			expect(result).toBe('::');
-		});
-
-		it('should handle full zeros IPv6', () => {
-			const result = maskIpAddress('::');
-			expect(result).toBe('::');
-		});
-
-		it('should mask IPv6 with leading zeros compressed', () => {
-			const result = maskIpAddress('::ffff:0:0:1');
-			expect(result).toBe('::');
-		});
-	});
-
-	describe('IPv4-mapped IPv6 addresses', () => {
-		it('should mask the IPv4 portion of IPv4-mapped IPv6', () => {
-			const result = maskIpAddress('::ffff:192.168.1.100');
-			expect(result).toBe('::ffff:192.168.1.0');
-		});
-
-		it('should handle IPv4-mapped IPv6 localhost', () => {
-			const result = maskIpAddress('::ffff:127.0.0.1');
-			expect(result).toBe('::ffff:127.0.0.0');
-		});
-	});
-
-	describe('edge cases', () => {
-		it('should return null for null input', () => {
-			expect(maskIpAddress(null)).toBeNull();
-		});
-
-		it('should return null for empty string', () => {
-			expect(maskIpAddress('')).toBeNull();
-		});
-
-		it('should handle malformed IPv4 gracefully', () => {
-			expect(maskIpAddress('192.168.1')).toBe('192.168.1');
-		});
-	});
-});
-
-describe('getIpAddress', () => {
-	const createMockHeaders = (headers: Record<string, string>): Headers => {
-		return new Headers(headers);
-	};
-
-	const createBaseOptions = (
-		ipAddressOverrides?: NonNullable<C15TOptions['advanced']>['ipAddress']
-	): C15TOptions => ({
-		trustedOrigins: ['http://localhost'],
-		adapter: {} as C15TOptions['adapter'],
-		advanced: {
-			ipAddress: ipAddressOverrides,
-		},
-	});
-
-	describe('IP extraction', () => {
-		it('should extract and mask IP from x-forwarded-for header by default', () => {
-			const headers = createMockHeaders({
-				'x-forwarded-for': '192.168.1.100, 10.0.0.1',
-			});
-			const options = createBaseOptions();
-
-			expect(getIpAddress(headers, options)).toBe('192.168.1.0');
-		});
-
-		it('should extract and mask IP from cf-connecting-ip header by default', () => {
-			const headers = createMockHeaders({
-				'cf-connecting-ip': '8.8.8.8',
-			});
-			const options = createBaseOptions();
-
-			expect(getIpAddress(headers, options)).toBe('8.8.8.0');
-		});
-
-		it('should return null when no IP headers present', () => {
-			const headers = createMockHeaders({});
-			const options = createBaseOptions();
-
-			expect(getIpAddress(headers, options)).toBeNull();
-		});
-	});
-
-	describe('IP tracking disabled', () => {
-		it('should return null when IP tracking is disabled', () => {
-			const headers = createMockHeaders({
-				'x-forwarded-for': '192.168.1.100',
-			});
-			const options = createBaseOptions({
-				tracking: false,
-			});
-
-			expect(getIpAddress(headers, options)).toBeNull();
-		});
-	});
-
-	describe('IP masking enabled', () => {
-		it('should mask IPv4 address when masking is enabled', () => {
-			const headers = createMockHeaders({
-				'x-forwarded-for': '192.168.1.100',
-			});
-			const options = createBaseOptions({
-				masking: true,
-			});
-
-			expect(getIpAddress(headers, options)).toBe('192.168.1.0');
-		});
-
-		it('should mask IPv6 address when masking is enabled', () => {
-			const headers = createMockHeaders({
-				'x-forwarded-for': '2001:db8:85a3::8a2e:370:7334',
-			});
-			const options = createBaseOptions({
-				masking: true,
-			});
-
-			expect(getIpAddress(headers, options)).toBe('2001:db8:85a3::');
-		});
-
-		it('should mask by default when masking is not explicitly disabled', () => {
-			const headers = createMockHeaders({
-				'x-forwarded-for': '192.168.1.100',
-			});
-			const options = createBaseOptions();
-
-			expect(getIpAddress(headers, options)).toBe('192.168.1.0');
-		});
-
-		it('should not mask when masking is explicitly false', () => {
-			const headers = createMockHeaders({
-				'x-forwarded-for': '192.168.1.100',
-			});
-			const options = createBaseOptions({
-				masking: false,
-			});
-
-			expect(getIpAddress(headers, options)).toBe('192.168.1.100');
-		});
-	});
-
-	describe('custom headers', () => {
-		it('should use custom IP headers when provided', () => {
-			const headers = createMockHeaders({
-				'x-custom-ip': '10.0.0.1',
-				'x-forwarded-for': '192.168.1.100',
-			});
-			const options = createBaseOptions({
-				ipAddressHeaders: ['x-custom-ip'],
-			});
-
-			// Masking is on by default, so last octet is zeroed
-			expect(getIpAddress(headers, options)).toBe('10.0.0.0');
-		});
-	});
-});