@decocms/runtime 1.0.0-alpha.39 → 1.0.0-alpha.41

package/package.json

@@ -1,9 +1,10 @@
 {
   "name": "@decocms/runtime",
-  "version": "1.0.0-alpha.39",
+  "version": "1.0.0-alpha.41",
   "type": "module",
   "scripts": {
-    "check": "tsc --noEmit"
+    "check": "tsc --noEmit",
+    "test": "bun test"
   },
   "dependencies": {
     "@cloudflare/workers-types": "^4.20250617.0",
@@ -25,6 +26,7 @@
     "./tools": "./src/tools.ts"
   },
   "devDependencies": {
+    "@types/bun": "^1.3.5",
     "@types/mime-db": "^1.43.6",
     "ts-json-schema-generator": "^2.4.0"
   },

package/src/asset-server/index.test.ts

@@ -0,0 +1,306 @@
+import { describe, expect, test, beforeAll, afterAll } from "bun:test";
+import {
+  isPathWithinDirectory,
+  resolveAssetPathWithTraversalCheck,
+  createAssetHandler,
+} from "./index";
+import { resolve } from "path";
+import { mkdirSync, writeFileSync, rmSync } from "fs";
+
+describe("isPathWithinDirectory", () => {
+  const baseDir = "/app/client";
+
+  describe("safe paths", () => {
+    test("allows file directly in base directory", () => {
+      expect(isPathWithinDirectory("/app/client/index.html", baseDir)).toBe(
+        true,
+      );
+    });
+
+    test("allows file in subdirectory", () => {
+      expect(
+        isPathWithinDirectory("/app/client/assets/style.css", baseDir),
+      ).toBe(true);
+    });
+
+    test("allows deeply nested file", () => {
+      expect(
+        isPathWithinDirectory("/app/client/assets/images/logo.png", baseDir),
+      ).toBe(true);
+    });
+
+    test("allows base directory itself", () => {
+      expect(isPathWithinDirectory("/app/client", baseDir)).toBe(true);
+    });
+
+    test("allows file with spaces in name", () => {
+      expect(
+        isPathWithinDirectory("/app/client/logos/deco logo.svg", baseDir),
+      ).toBe(true);
+    });
+  });
+
+  describe("path traversal attacks - BLOCKED", () => {
+    test("blocks simple traversal to parent", () => {
+      expect(isPathWithinDirectory("/app/style.css", baseDir)).toBe(false);
+    });
+
+    test("blocks traversal to root", () => {
+      expect(isPathWithinDirectory("/etc/passwd", baseDir)).toBe(false);
+    });
+
+    test("blocks traversal with ../ sequence", () => {
+      const traversalPath = resolve(baseDir, "../../../etc/passwd");
+      expect(isPathWithinDirectory(traversalPath, baseDir)).toBe(false);
+    });
+
+    test("blocks traversal to sibling directory", () => {
+      expect(isPathWithinDirectory("/app/server/secrets.json", baseDir)).toBe(
+        false,
+      );
+    });
+
+    test("blocks path that starts with baseDir but is actually sibling", () => {
+      // /app/client-secrets is NOT within /app/client
+      expect(isPathWithinDirectory("/app/client-secrets/key", baseDir)).toBe(
+        false,
+      );
+    });
+
+    test("blocks absolute path outside base", () => {
+      expect(isPathWithinDirectory("/var/log/system.log", baseDir)).toBe(false);
+    });
+  });
+});
+
+describe("resolveAssetPathWithTraversalCheck", () => {
+  const clientDir = "/app/dist/client";
+
+  // Helper to reduce boilerplate
+  const resolvePath = (requestPath: string) =>
+    resolveAssetPathWithTraversalCheck({ requestPath, clientDir });
+
+  describe("valid paths", () => {
+    test("resolves root to clientDir", () => {
+      expect(resolvePath("/")).toBe(clientDir);
+    });
+
+    test("resolves CSS file", () => {
+      expect(resolvePath("/style.css")).toBe("/app/dist/client/style.css");
+    });
+
+    test("resolves nested path", () => {
+      expect(resolvePath("/assets/app.js")).toBe(
+        "/app/dist/client/assets/app.js",
+      );
+    });
+
+    test("resolves path without extension", () => {
+      expect(resolvePath("/dashboard")).toBe("/app/dist/client/dashboard");
+    });
+
+    test("resolves path with dots (SPA route)", () => {
+      expect(resolvePath("/user/john.doe")).toBe(
+        "/app/dist/client/user/john.doe",
+      );
+    });
+
+    test("resolves file with spaces", () => {
+      expect(resolvePath("/logos/deco logo.svg")).toBe(
+        "/app/dist/client/logos/deco logo.svg",
+      );
+    });
+  });
+
+  describe("path traversal attacks - BLOCKED", () => {
+    test("blocks /../../../etc/passwd", () => {
+      expect(resolvePath("/../../../etc/passwd")).toBeNull();
+    });
+
+    test("blocks /assets/../../../etc/passwd", () => {
+      expect(resolvePath("/assets/../../../etc/passwd")).toBeNull();
+    });
+
+    test("blocks /./../../etc/passwd", () => {
+      expect(resolvePath("/./../../etc/passwd")).toBeNull();
+    });
+
+    test("blocks /../etc/passwd", () => {
+      expect(resolvePath("/../etc/passwd")).toBeNull();
+    });
+
+    test("allows backslash paths (treated as literal on Unix)", () => {
+      // On Unix, backslashes are literal characters - path stays in clientDir
+      expect(resolvePath("/..\\..\\etc\\passwd")).not.toBeNull();
+    });
+
+    test("blocks /assets/../../package.json", () => {
+      expect(resolvePath("/assets/../../package.json")).toBeNull();
+    });
+
+    test("blocks //etc/passwd (resolves to absolute path)", () => {
+      // Double slash after stripping leading / becomes /etc/passwd (absolute)
+      expect(resolvePath("//etc/passwd")).toBeNull();
+    });
+
+    test("blocks /valid/../../../etc/passwd", () => {
+      expect(resolvePath("/valid/../../../etc/passwd")).toBeNull();
+    });
+  });
+});
+
+describe("createAssetHandler", () => {
+  // Temp directory for tests that need real files
+  const tempDir = resolve(import.meta.dir, ".test-temp-client");
+  const indexContent = "<!DOCTYPE html><html><body>SPA</body></html>";
+  const cssContent = "body { color: red; }";
+
+  beforeAll(() => {
+    // Create temp directory with test files
+    mkdirSync(resolve(tempDir, "assets"), { recursive: true });
+    writeFileSync(resolve(tempDir, "index.html"), indexContent);
+    writeFileSync(resolve(tempDir, "assets/style.css"), cssContent);
+  });
+
+  afterAll(() => {
+    // Clean up temp directory
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  describe("malformed URL encoding", () => {
+    test("handles malformed percent-encoded sequences gracefully", async () => {
+      // Create handler in production mode to test the decodeURIComponent path
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: "/app/dist/client",
+      });
+
+      // %E0%A4%A is an incomplete UTF-8 sequence that causes decodeURIComponent to throw
+      const malformedUrl = "http://localhost:3000/%E0%A4%A";
+      const request = new Request(malformedUrl);
+
+      // Should return null (graceful fallback) instead of throwing
+      const result = await handler(request);
+      expect(result).toBeNull();
+    });
+
+    test("handles %FF (invalid UTF-8 byte) gracefully", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: "/app/dist/client",
+      });
+
+      // %FF is not valid in UTF-8
+      const malformedUrl = "http://localhost:3000/%FF";
+      const request = new Request(malformedUrl);
+
+      const result = await handler(request);
+      expect(result).toBeNull();
+    });
+
+    test("handles truncated multi-byte sequence gracefully", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: "/app/dist/client",
+      });
+
+      // %C2 expects a continuation byte but is truncated
+      const malformedUrl = "http://localhost:3000/file%C2.txt";
+      const request = new Request(malformedUrl);
+
+      const result = await handler(request);
+      expect(result).toBeNull();
+    });
+  });
+
+  describe("SPA fallback for routes with dots", () => {
+    test("serves index.html for /user/john.doe (non-existent path with dot)", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+
+      const request = new Request("http://localhost:3000/user/john.doe");
+      const result = await handler(request);
+
+      expect(result).not.toBeNull();
+      expect(result?.status).toBe(200);
+      const text = await result?.text();
+      expect(text).toBe(indexContent);
+    });
+
+    test("serves index.html for /page/v2.0 (version-like route)", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+
+      const request = new Request("http://localhost:3000/page/v2.0");
+      const result = await handler(request);
+
+      expect(result).not.toBeNull();
+      const text = await result?.text();
+      expect(text).toBe(indexContent);
+    });
+
+    test("serves index.html for /files/report.2024 (date-like route)", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+
+      const request = new Request("http://localhost:3000/files/report.2024");
+      const result = await handler(request);
+
+      expect(result).not.toBeNull();
+      const text = await result?.text();
+      expect(text).toBe(indexContent);
+    });
+
+    test("serves actual file when it exists", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+
+      const request = new Request("http://localhost:3000/assets/style.css");
+      const result = await handler(request);
+
+      expect(result).not.toBeNull();
+      expect(result?.status).toBe(200);
+      const text = await result?.text();
+      expect(text).toBe(cssContent);
+    });
+
+    test("serves index.html for non-existent .css file", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+
+      // This CSS file doesn't exist, so it should fall back to index.html
+      const request = new Request(
+        "http://localhost:3000/assets/nonexistent.css",
+      );
+      const result = await handler(request);
+
+      expect(result).not.toBeNull();
+      const text = await result?.text();
+      expect(text).toBe(indexContent);
+    });
+
+    test("serves index.html for route without dots", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+
+      const request = new Request("http://localhost:3000/dashboard");
+      const result = await handler(request);
+
+      expect(result).not.toBeNull();
+      const text = await result?.text();
+      expect(text).toBe(indexContent);
+    });
+  });
+});

package/src/asset-server/index.ts

@@ -1,56 +1,227 @@
-import { serveStatic } from "hono/bun";
-import { Hono } from "hono";
 import { devServerProxy } from "./dev-server-proxy";
-import { Handler } from "hono/types";
+import { resolve, dirname } from "path";
 
-interface AssetServerConfig {
-  env: "development" | "production" | "test";
-  localDevProxyUrl?: string | URL;
+export interface AssetServerConfig {
   /**
-   * The prefix to use for serving the assets.
-   * Default: "/assets/*"
+   * Environment mode. Determines whether to proxy to dev server or serve static files.
+   * @default process.env.NODE_ENV || "development"
    */
-  assetsMiddlewarePath?: string;
+  env?: "development" | "production" | "test";
+
+  /**
+   * URL of the Vite dev server for development mode.
+   * @default "http://localhost:4000"
+   */
+  devServerUrl?: string | URL;
+
+  /**
+   * Directory containing the built client assets.
+   * For production bundles, use `resolveClientDir()` to get the correct path.
+   * @default "./dist/client"
+   */
+  clientDir?: string;
+
   /**
-   * The directory to serve the assets from.
-   * Default: "./dist/client"
+   * Function to check if a path should be handled by the API server.
+   * Return true for API routes, false for static files.
+   * If not provided, defaults to serving everything as static.
    */
-  assetsDirectory?: string;
+  isServerPath?: (path: string) => boolean;
 }
 
-const DEFAULT_LOCAL_DEV_PROXY_URL = "http://localhost:4000";
-const DEFAULT_ASSETS_DIRECTORY = "./dist/client";
-const DEFAULT_ASSETS_MIDDLEWARE_PATH = "/assets/*";
+const DEFAULT_DEV_SERVER_URL = "http://localhost:4000";
+const DEFAULT_CLIENT_DIR = "./dist/client";
+
+/**
+ * Check if a resolved file path is safely within the allowed base directory.
+ * Prevents path traversal attacks (e.g., /../../../etc/passwd).
+ *
+ * @param filePath - The resolved absolute file path
+ * @param baseDir - The base directory that files must be within
+ * @returns true if the path is safe, false if it's a traversal attempt
+ *
+ * @example
+ * ```ts
+ * isPathWithinDirectory("/app/client/style.css", "/app/client") // true
+ * isPathWithinDirectory("/etc/passwd", "/app/client") // false
+ * ```
+ */
+export function isPathWithinDirectory(
+  filePath: string,
+  baseDir: string,
+): boolean {
+  const resolvedBase = resolve(baseDir);
+  const resolvedPath = resolve(filePath);
+  return (
+    resolvedPath === resolvedBase || resolvedPath.startsWith(resolvedBase + "/")
+  );
+}
+
+export interface ResolveAssetPathOptions {
+  /** The decoded URL pathname (e.g., "/assets/style.css") */
+  requestPath: string;
+  /** The base directory containing static files */
+  clientDir: string;
+}
+
+/**
+ * Resolve a URL pathname to a file path, with path traversal protection.
+ * Returns null if the path is a traversal attempt.
+ *
+ * @returns File path, or null if unsafe
+ *
+ * @example
+ * ```ts
+ * resolveAssetPathWithTraversalCheck({ requestPath: "/style.css", clientDir: "/app/client" })
+ * // "/app/client/style.css"
+ *
+ * resolveAssetPathWithTraversalCheck({ requestPath: "/../../../etc/passwd", clientDir: "/app/client" })
+ * // null (blocked)
+ * ```
+ */
+export function resolveAssetPathWithTraversalCheck({
+  requestPath,
+  clientDir,
+}: ResolveAssetPathOptions): string | null {
+  const relativePath = requestPath.startsWith("/")
+    ? requestPath.slice(1)
+    : requestPath;
+  const filePath = resolve(clientDir, relativePath);
+
+  // Security: block path traversal attempts
+  if (!isPathWithinDirectory(filePath, clientDir)) {
+    return null;
+  }
+
+  return filePath;
+}
 
-interface HonoApp {
-  use: (path: string, handler: Handler) => void;
-  get: (path: string, handler: Handler) => void;
+/**
+ * Resolve the client directory path relative to the running script.
+ * Use this for production bundles where the script location differs from CWD.
+ *
+ * @param importMetaUrl - Pass `import.meta.url` from the calling module
+ * @param relativePath - Path relative to the script (default: "../client")
+ * @returns Absolute path to the client directory
+ *
+ * @example
+ * ```ts
+ * const clientDir = resolveClientDir(import.meta.url, "../client");
+ * ```
+ */
+export function resolveClientDir(
+  importMetaUrl: string,
+  relativePath = "../client",
+): string {
+  const scriptUrl = new URL(importMetaUrl);
+  const scriptDir = dirname(scriptUrl.pathname);
+  return resolve(scriptDir, relativePath);
 }
 
-export const applyAssetServerRoutes = (
-  app: HonoApp,
-  config: AssetServerConfig,
-) => {
-  const environment = config.env;
-  const localDevProxyUrl =
-    config.localDevProxyUrl ?? DEFAULT_LOCAL_DEV_PROXY_URL;
-  const assetsDirectory = config.assetsDirectory ?? DEFAULT_ASSETS_DIRECTORY;
-  const assetsMiddlewarePath =
-    config.assetsMiddlewarePath ?? DEFAULT_ASSETS_MIDDLEWARE_PATH;
-
-  if (environment === "development") {
-    app.use("*", devServerProxy(localDevProxyUrl));
-  } else if (environment === "production") {
-    app.use(assetsMiddlewarePath, serveStatic({ root: assetsDirectory }));
-    app.get("*", serveStatic({ path: `${assetsDirectory}/index.html` }));
+/**
+ * TODO(@camudo): make "modes" so we can for example try to serve the asset then fallback to api on miss
+ * or try to serve the api call then fallback to asset or index.html on 404
+ */
+
+/**
+ * Create an asset handler that works with Bun.serve.
+ *
+ * In development: Proxies requests to Vite dev server
+ * In production: Serves static files with SPA fallback
+ *
+ * @example
+ * ```ts
+ * const handleAssets = createAssetHandler({
+ *   env: process.env.NODE_ENV as "development" | "production",
+ *   clientDir: resolveClientDir(import.meta.url),
+ *   isServerPath: (path) => path.startsWith("/api/") || path.startsWith("/mcp/"),
+ * });
+ *
+ * Bun.serve({
+ *   fetch: async (request) => {
+ *     return await handleAssets(request) ?? app.fetch(request);
+ *   },
+ * });
+ * ```
+ */
+export function createAssetHandler(config: AssetServerConfig = {}) {
+  const {
+    env = (process.env.NODE_ENV as "development" | "production" | "test") ||
+      "development",
+    devServerUrl = DEFAULT_DEV_SERVER_URL,
+    clientDir = DEFAULT_CLIENT_DIR,
+    isServerPath = () => false,
+  } = config;
+
+  // Development: Create a proxy handler
+  if (env === "development") {
+    const proxyHandler = devServerProxy(devServerUrl);
+
+    return async function handleAssets(
+      request: Request,
+    ): Promise<Response | null> {
+      // In dev, proxy everything except server paths
+      const url = new URL(request.url);
+      if (isServerPath(url.pathname)) {
+        return null;
+      }
+
+      // Create a minimal Hono context for the proxy
+      const fakeContext = {
+        req: { raw: request, url: request.url },
+      };
+      return proxyHandler(fakeContext as any);
+    };
   }
-};
 
-export const createAssetServer = (config: AssetServerConfig) => {
-  const app = new Hono();
-  applyAssetServerRoutes(app, config);
-  return app;
-};
+  // Production: Serve static files
+  return async function handleAssets(
+    request: Request,
+  ): Promise<Response | null> {
+    // Only handle GET requests
+    if (request.method !== "GET") {
+      return null;
+    }
 
-export const createAssetServerFetcher = (config: AssetServerConfig) =>
-  createAssetServer(config).fetch;
+    const requestUrl = new URL(request.url);
+
+    // Decode the pathname to handle URL-encoded characters (e.g., %20 -> space)
+    // decodeURIComponent can throw URIError for malformed sequences (e.g., %E0%A4%A)
+    let path: string;
+    try {
+      path = decodeURIComponent(requestUrl.pathname);
+    } catch {
+      // Malformed URL encoding - return null to let API server handle or return 400
+      return null;
+    }
+
+    // Let API server handle its routes
+    if (isServerPath(path)) {
+      return null;
+    }
+
+    // Resolve path with traversal check
+    const filePath = resolveAssetPathWithTraversalCheck({
+      requestPath: path,
+      clientDir,
+    });
+    if (!filePath) {
+      return null; // Path traversal attempt blocked
+    }
+
+    // Try to serve the requested file, fall back to index.html for SPA routing
+    const indexPath = resolve(clientDir, "index.html");
+    for (const pathToTry of [filePath, indexPath]) {
+      try {
+        const file = Bun.file(pathToTry);
+        if (await file.exists()) {
+          return new Response(file);
+        }
+      } catch {
+        // Continue to next path
+      }
+    }
+
+    return null;
+  };
+}

package/src/oauth.ts

@@ -480,11 +480,7 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
   /**
    * Check if request has authentication token
    */
-  const hasAuth = (req: Request): boolean => {
-    const authHeader = req.headers.get("Authorization");
-    const meshToken = req.headers.get("x-mesh-token");
-    return !!(authHeader || meshToken);
-  };
+  const hasAuth = (req: Request) => req.headers.has("Authorization");
 
   return {
     handleProtectedResourceMetadata,

package/tsconfig.json

@@ -1,7 +1,7 @@
 {
   "extends": "../../tsconfig.json",
   "compilerOptions": {
-    "types": ["@cloudflare/workers-types", "@types/node"]
+    "types": ["@cloudflare/workers-types", "@types/node", "bun"]
   },
   "include": ["src/**/*"],
   "exclude": ["node_modules", "dist", "scripts/**/*"]