@donotdev/functions 0.0.10 → 0.0.11

package/src/vercel/api/crud/update.ts

@@ -19,10 +19,8 @@ import {
   transformFirestoreData,
 } from '../../../shared/index.js';
 import { updateMetadata } from '../../../shared/index.js';
-import {
-  validateDocument,
-  assertAuthenticated,
-} from '../../../shared/utils.js';
+import { validateCollectionName, validateDocument } from '../../../shared/utils.js';
+import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
 
@@ -35,15 +33,18 @@ export default async function handler(
   }
 
   try {
-    // Verify authentication
-    const uid = assertAuthenticated(req.headers.authorization);
+    // C1: verify JWT — previously only checked header presence.
+    const uid = await verifyAuthToken(req);
 
     const { schema, id, payload } = req.body as UpdateEntityData<any>;
 
     if (!schema || !id || !payload) {
-      throw handleError(new Error('Missing schema, id, or payload'));
+      handleError(new Error('Missing schema, id, or payload'));
     }
 
+    // W22: Validate collection name from client-supplied schema
+    validateCollectionName(schema.metadata.collection);
+
     const db = getFirebaseAdminFirestore();
 
     // Get current document to merge with payload for status check
@@ -53,7 +54,7 @@ export default async function handler(
       .get();
 
     if (!currentDoc.exists) {
-      throw handleError(new Error('Document not found'));
+      handleError(new Error('Document not found'));
     }
 
     // Merge current data with payload to determine resulting status
@@ -84,7 +85,7 @@ export default async function handler(
     const doc = await db.collection(schema.metadata.collection).doc(id).get();
 
     if (!doc.exists) {
-      throw handleError(new Error('Document not found'));
+      handleError(new Error('Document not found'));
     }
 
     // Transform the document data back to the application format
@@ -95,6 +96,11 @@ export default async function handler(
 
     return res.status(200).json(result);
   } catch (error) {
-    throw handleError(error);
+    try {
+      handleError(error);
+    } catch (handledError: any) {
+      const status = handledError.code === 'invalid-argument' ? 400 : 500;
+      return res.status(status).json({ error: handledError.message, code: handledError.code });
+    }
   }
 }

package/src/vercel/api/oauth/check-github-access.ts

@@ -36,11 +36,8 @@ async function checkGitHubAccessLogic(
   data: CheckGitHubAccessRequest,
   context: { uid: string }
 ) {
-  const { userId, githubUsername, repoConfig } = data;
-
-  if (!userId) {
-    throw new Error('User ID is required');
-  }
+  const { githubUsername, repoConfig } = data;
+  const userId = context.uid;
 
   if (!githubUsername) {
     throw new Error('GitHub username is required');

package/src/vercel/api/oauth/grant-github-access.ts

@@ -37,16 +37,12 @@ async function grantGitHubAccessLogic(
   context: { uid: string }
 ) {
   const {
-    userId,
     githubUsername,
     repoConfig,
     permission = 'push',
     customClaims,
   } = data;
-
-  if (!userId) {
-    throw new Error('User ID is required');
-  }
+  const userId = context.uid;
 
   if (!githubUsername) {
     throw new Error('GitHub username is required');

package/src/vercel/api/oauth/revoke-github-access.ts

@@ -19,7 +19,7 @@ import { getFirebaseAdminAuth } from '@donotdev/firebase/server';
 
 import { handleError } from '../../../shared/errorHandling.js';
 import { GitHubApiService } from '../../../shared/index.js';
-import { assertAuthenticated } from '../../../shared/utils.js';
+import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
 
@@ -33,8 +33,8 @@ export default async function handler(
   }
 
   try {
-    // Verify authentication
-    const uid = assertAuthenticated(req.headers.authorization);
+    // C1: verify JWT — previously only checked header presence.
+    const uid = await verifyAuthToken(req);
 
     // Use provided schema or default to framework schema
     const schema = customSchema || revokeGitHubAccessSchema;
@@ -47,15 +47,14 @@ export default async function handler(
       });
     }
 
-    const { userId, githubUsername, repoConfig } = validationResult.output as {
-      userId: string;
+    const { githubUsername, repoConfig } = validationResult.output as {
+      userId?: string;
       githubUsername: string;
       repoConfig: { owner: string; repo: string };
     };
 
-    if (!userId) {
-      throw handleError(new Error('User ID is required'));
-    }
+    // C1/IDOR: Always use verified uid from token — ignore client-supplied userId.
+    const userId = uid;
 
     if (!githubUsername) {
       throw handleError(new Error('GitHub username is required'));

package/src/vercel/api/utils/cors.ts

@@ -12,18 +12,29 @@
 import type { NextApiRequest, NextApiResponse } from 'next';
 
 /**
- * CORS configuration for Vercel functions
+ * CORS configuration for Vercel functions.
+ *
+ * **Architecture decision — CORS wildcard (`*`) as framework default:**
+ * The wildcard origin is an intentional development-convenience default, not a
+ * security oversight. Consumer apps MUST override `allowedOrigins` in their
+ * deployment configuration for production environments. The framework provides
+ * `configureCors({ allowedOrigins: ['https://myapp.example'] })` for this purpose.
+ *
+ * C2: Allow-Credentials:true is incompatible with wildcard origin per the Fetch spec.
+ * Credentialed requests require an explicit origin. Removed Allow-Credentials header so
+ * the wildcard origin remains valid. Consumers that need credentialed cross-origin requests
+ * must replace '*' with their specific origin and re-add Allow-Credentials:true.
  *
  * @version 0.0.1
  * @since 0.0.1
  * @author AMBROISE PARK Consulting
  */
 export const corsHeaders = {
+  // Framework default — consumers override via configureCors({ allowedOrigins }) in production
   'Access-Control-Allow-Origin': '*',
   'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
   'Access-Control-Allow-Headers':
     'Content-Type, Authorization, X-Requested-With',
-  'Access-Control-Allow-Credentials': 'true',
   'Access-Control-Max-Age': '86400',
 };
 

package/src/vercel/baseFunction.ts

@@ -17,8 +17,10 @@ import {
   checkRateLimitWithFirestore,
   DEFAULT_RATE_LIMITS,
 } from '../shared/utils/internal/rateLimiter.js';
-import { assertAuthenticated } from '../shared/utils.js';
+import { verifyAuthToken } from '../shared/utils/internal/auth.js';
+import type { SecurityContext } from '@donotdev/core';
 
+import type { AuthProvider } from '../shared/utils/internal/auth.js';
 import type { NextApiRequest, NextApiResponse } from 'next';
 
 /**
@@ -40,7 +42,10 @@ export function createVercelBaseFunction<TRequest, TResponse>(
     context: {
       uid: string;
     }
-  ) => Promise<TResponse>
+  ) => Promise<TResponse>,
+  security?: SecurityContext,
+  /** Auth provider for token verification. Auto-detects via provider registry if omitted. */
+  provider?: AuthProvider
 ) {
   return async (
     req: NextApiRequest,
@@ -64,8 +69,8 @@ export function createVercelBaseFunction<TRequest, TResponse>(
 
       const validatedData = validationResult.output;
 
-      // Verify authentication
-      const uid = assertAuthenticated(req.headers.authorization);
+      // Verify authentication — extracts Bearer token and verifies via configured provider
+      const uid = await verifyAuthToken(req, provider);
 
       // Rate limiting
       const rateLimitKey = `${operation}_${uid}`;
@@ -77,6 +82,11 @@ export function createVercelBaseFunction<TRequest, TResponse>(
       );
 
       if (!rateLimitResult.allowed) {
+        security?.audit({
+          type: 'rate_limit.exceeded',
+          userId: uid,
+          metadata: { operation, remaining: 0 },
+        });
         return res.status(429).json({
           error: `Rate limit exceeded. Try again in ${rateLimitResult.blockRemainingSeconds} seconds.`,
           retryAfter: rateLimitResult.blockRemainingSeconds,
@@ -86,30 +96,35 @@ export function createVercelBaseFunction<TRequest, TResponse>(
       // Call user's business logic
       const result = await businessLogic(req, res, validatedData, { uid });
 
-      // Record metrics
-      await recordPaymentMetrics({
-        operation,
-        userId: uid,
-        status: 'success',
-        timestamp: new Date().toISOString(),
-        metadata: {
-          requestId: (req.headers['x-request-id'] as string) || 'unknown',
-        },
-      });
+      // W3: Only record metrics when explicitly enabled — avoids unconditional
+      // Firestore writes on every request.
+      if (process.env.ENABLE_METRICS === 'true') {
+        await recordPaymentMetrics({
+          operation,
+          userId: uid,
+          status: 'success',
+          timestamp: new Date().toISOString(),
+          metadata: {
+            requestId: (req.headers['x-request-id'] as string) || 'unknown',
+          },
+        });
+      }
 
       return result;
     } catch (error) {
-      // Record error metrics
-      await recordPaymentMetrics({
-        operation,
-        userId: req.headers.authorization ? 'authenticated' : 'anonymous',
-        status: 'failed' as const,
-        timestamp: new Date().toISOString(),
-        metadata: {
-          error: error instanceof Error ? error.message : 'Unknown error',
-          requestId: (req.headers['x-request-id'] as string) || 'unknown',
-        },
-      });
+      // W3: Only record error metrics when enabled.
+      if (process.env.ENABLE_METRICS === 'true') {
+        await recordPaymentMetrics({
+          operation,
+          userId: req.headers.authorization ? 'authenticated' : 'anonymous',
+          status: 'failed' as const,
+          timestamp: new Date().toISOString(),
+          metadata: {
+            error: error instanceof Error ? error.message : 'Unknown error',
+            requestId: (req.headers['x-request-id'] as string) || 'unknown',
+          },
+        });
+      }
 
       // Handle error and return appropriate response
       const errorResponse = handleVercelError(error);