@dytsou/github-readme-stats 1.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Anurag Hazra
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/api/gist.js

@@ -0,0 +1,98 @@
+// @ts-check
+
+import { renderGistCard } from "../src/cards/gist.js";
+import { guardAccess } from "../src/common/access.js";
+import {
+  createValidatedColorOptions,
+  handleApiError,
+  setSvgContentType,
+} from "../src/common/api-utils.js";
+import {
+  CACHE_TTL,
+  resolveCacheSeconds,
+  setCacheHeaders,
+} from "../src/common/cache.js";
+import { parseBoolean } from "../src/common/ops.js";
+import { fetchGist } from "../src/fetchers/gist.js";
+import { isLocaleAvailable } from "../src/translations.js";
+
+// @ts-ignore
+export default async (req, res) => {
+  const {
+    id,
+    title_color,
+    icon_color,
+    text_color,
+    bg_color,
+    theme,
+    cache_seconds,
+    locale: rawLocale,
+    border_radius,
+    border_color,
+    show_owner,
+    hide_border,
+  } = req.query;
+
+  // Only allow supported locales - validate and sanitize to prevent XSS
+  const locale =
+    typeof rawLocale === "string" && isLocaleAvailable(rawLocale)
+      ? rawLocale.toLowerCase()
+      : undefined;
+
+  setSvgContentType(res);
+
+  // Create validated color options once for reuse
+  const colorOptions = createValidatedColorOptions({
+    title_color,
+    text_color,
+    bg_color,
+    border_color,
+    theme,
+  });
+
+  const access = guardAccess({
+    res,
+    id,
+    type: "gist",
+    colors: colorOptions,
+  });
+  if (!access.isPassed) {
+    return access.result;
+  }
+
+  try {
+    const gistData = await fetchGist(id);
+    const cacheSeconds = resolveCacheSeconds({
+      requested: parseInt(cache_seconds, 10),
+      def: CACHE_TTL.GIST_CARD.DEFAULT,
+      min: CACHE_TTL.GIST_CARD.MIN,
+      max: CACHE_TTL.GIST_CARD.MAX,
+    });
+
+    setCacheHeaders(res, cacheSeconds);
+
+    return res.send(
+      renderGistCard(gistData, {
+        title_color,
+        icon_color,
+        text_color,
+        bg_color,
+        theme,
+        border_radius: (() => {
+          // Validate border_radius: must be a finite number between 0 and 50
+          const num = parseFloat(border_radius);
+          if (isNaN(num) || !isFinite(num) || num < 0 || num > 50) {
+            return undefined; // Let card use its default
+          }
+          return num;
+        })(),
+        border_color,
+        locale,
+        show_owner: parseBoolean(show_owner),
+        hide_border: parseBoolean(hide_border),
+      }),
+    );
+  } catch (err) {
+    return handleApiError({ res, error: err, colorOptions });
+  }
+};

package/api/index.js

@@ -0,0 +1,146 @@
+// @ts-check
+
+import { renderStatsCard } from "../src/cards/stats.js";
+import { guardAccess } from "../src/common/access.js";
+import {
+  createValidatedColorOptions,
+  handleApiError,
+  setSvgContentType,
+} from "../src/common/api-utils.js";
+import {
+  CACHE_TTL,
+  resolveCacheSeconds,
+  setCacheHeaders,
+} from "../src/common/cache.js";
+import { parseArray, parseBoolean } from "../src/common/ops.js";
+import { clampValue } from "../src/common/ops.js";
+import { fetchStats } from "../src/fetchers/stats.js";
+import { isLocaleAvailable } from "../src/translations.js";
+
+// @ts-ignore
+export default async (req, res) => {
+  const {
+    username,
+    hide,
+    hide_title,
+    hide_border,
+    card_width,
+    hide_rank,
+    show_icons,
+    include_all_commits,
+    commits_year,
+    line_height,
+    title_color,
+    ring_color,
+    icon_color,
+    text_color,
+    text_bold,
+    bg_color,
+    theme,
+    cache_seconds,
+    exclude_repo,
+    custom_title,
+    locale: rawLocale,
+    disable_animations,
+    border_radius,
+    number_format,
+    number_precision,
+    border_color,
+    rank_icon,
+    show,
+  } = req.query;
+
+  // Only allow supported locales - validate and sanitize to prevent XSS
+  const locale =
+    typeof rawLocale === "string" && isLocaleAvailable(rawLocale)
+      ? rawLocale.toLowerCase()
+      : undefined;
+
+  setSvgContentType(res);
+
+  // Create validated color options once for reuse
+  const colorOptions = createValidatedColorOptions({
+    title_color,
+    text_color,
+    bg_color,
+    border_color,
+    theme,
+  });
+
+  const access = guardAccess({
+    res,
+    id: username,
+    type: "username",
+    colors: colorOptions,
+  });
+  if (!access.isPassed) {
+    return access.result;
+  }
+
+  try {
+    const showStats = parseArray(show);
+    const stats = await fetchStats(
+      username,
+      parseBoolean(include_all_commits),
+      parseArray(exclude_repo),
+      showStats.includes("prs_merged") ||
+        showStats.includes("prs_merged_percentage"),
+      showStats.includes("discussions_started"),
+      showStats.includes("discussions_answered"),
+      parseInt(commits_year, 10),
+    );
+    const cacheSeconds = resolveCacheSeconds({
+      requested: parseInt(cache_seconds, 10),
+      def: CACHE_TTL.STATS_CARD.DEFAULT,
+      min: CACHE_TTL.STATS_CARD.MIN,
+      max: CACHE_TTL.STATS_CARD.MAX,
+    });
+
+    setCacheHeaders(res, cacheSeconds);
+
+    // Sanitize border_radius: parse, clamp, only include if valid
+    const borderRadiusNum = Number(border_radius);
+    const sanitizedBorderRadius =
+      Number.isFinite(borderRadiusNum) && border_radius !== undefined
+        ? clampValue(borderRadiusNum, 0, 50)
+        : undefined;
+
+    const renderOptions = {
+      hide: parseArray(hide),
+      show_icons: parseBoolean(show_icons),
+      hide_title: parseBoolean(hide_title),
+      hide_border: parseBoolean(hide_border),
+      card_width: parseInt(card_width, 10),
+      hide_rank: parseBoolean(hide_rank),
+      include_all_commits: parseBoolean(include_all_commits),
+      commits_year: parseInt(commits_year, 10),
+      line_height,
+      title_color,
+      ring_color,
+      icon_color,
+      text_color,
+      text_bold: parseBoolean(text_bold),
+      bg_color,
+      theme,
+      // Validate custom_title is a string (prevents array from duplicate query params)
+      // Card.js handles HTML encoding internally
+      custom_title: typeof custom_title === "string" ? custom_title : undefined,
+      border_color,
+      number_format,
+      number_precision: parseInt(number_precision, 10),
+      locale,
+      disable_animations: parseBoolean(disable_animations),
+      rank_icon,
+      show: showStats,
+    };
+
+    // Only include border_radius if it's valid, otherwise let Card use default
+    if (sanitizedBorderRadius !== undefined) {
+      renderOptions.border_radius = sanitizedBorderRadius;
+    }
+
+    return res.send(renderStatsCard(stats, renderOptions));
+  } catch (err) {
+    return handleApiError({ res, error: err, colorOptions });
+  }
+};

package/api/pin.js

@@ -0,0 +1,114 @@
+// @ts-check
+
+import { renderRepoCard } from "../src/cards/repo.js";
+import { guardAccess } from "../src/common/access.js";
+import {
+  createValidatedColorOptions,
+  handleApiError,
+  setSvgContentType,
+} from "../src/common/api-utils.js";
+import {
+  CACHE_TTL,
+  resolveCacheSeconds,
+  setCacheHeaders,
+} from "../src/common/cache.js";
+import { clampValue, parseBoolean } from "../src/common/ops.js";
+import { fetchRepo } from "../src/fetchers/repo.js";
+import { isLocaleAvailable } from "../src/translations.js";
+
+// @ts-ignore
+export default async (req, res) => {
+  const {
+    username,
+    repo,
+    hide_border,
+    title_color,
+    icon_color,
+    text_color,
+    bg_color,
+    theme,
+    show_owner,
+    cache_seconds,
+    locale: rawLocale,
+    border_radius: rawBorderRadius,
+    border_color,
+    description_lines_count,
+  } = req.query;
+
+  // Only allow supported locales - validate and sanitize to prevent XSS
+  // Validate and sanitize border_radius to prevent XSS
+  const border_radius = (() => {
+    const br = parseFloat(rawBorderRadius);
+    if (isNaN(br)) {
+      return 4.5;
+    }
+    // Clamp to reasonable range; SVG border radius shouldn't exceed half width/height.
+    return Math.max(0, Math.min(br, 50));
+  })();
+  const locale =
+    typeof rawLocale === "string" && isLocaleAvailable(rawLocale)
+      ? rawLocale.toLowerCase()
+      : undefined;
+
+  setSvgContentType(res);
+
+  // Create validated color options once for reuse
+  const colorOptions = createValidatedColorOptions({
+    title_color,
+    text_color,
+    bg_color,
+    border_color,
+    theme,
+  });
+
+  const access = guardAccess({
+    res,
+    id: username,
+    type: "username",
+    colors: colorOptions,
+  });
+  if (!access.isPassed) {
+    return access.result;
+  }
+
+  try {
+    const repoData = await fetchRepo(username, repo);
+    const cacheSeconds = resolveCacheSeconds({
+      requested: parseInt(cache_seconds, 10),
+      def: CACHE_TTL.PIN_CARD.DEFAULT,
+      min: CACHE_TTL.PIN_CARD.MIN,
+      max: CACHE_TTL.PIN_CARD.MAX,
+    });
+
+    setCacheHeaders(res, cacheSeconds);
+
+    // Sanitize border_radius: parse, clamp, only include if valid
+    const borderRadiusNum = Number(border_radius);
+    const sanitizedBorderRadius =
+      Number.isFinite(borderRadiusNum) && border_radius !== undefined
+        ? clampValue(borderRadiusNum, 0, 50)
+        : undefined;
+
+    const renderOptions = {
+      hide_border: parseBoolean(hide_border),
+      title_color,
+      icon_color,
+      text_color,
+      bg_color,
+      theme,
+      border_color,
+      show_owner: parseBoolean(show_owner),
+      locale,
+      description_lines_count,
+    };
+
+    // Only include border_radius if it's valid, otherwise let Card use default
+    if (sanitizedBorderRadius !== undefined) {
+      renderOptions.border_radius = sanitizedBorderRadius;
+    }
+
+    return res.send(renderRepoCard(repoData, renderOptions));
+  } catch (err) {
+    return handleApiError({ res, error: err, colorOptions });
+  }
+};

package/api/status/pat-info.js

@@ -0,0 +1,193 @@
+// @ts-check
+
+/**
+ * @file Contains a simple cloud function that can be used to check which PATs are no
+ * longer working. It returns a list of valid PATs, expired PATs and PATs with errors.
+ *
+ * @description This function is currently rate limited to 1 request per 5 minutes.
+ */
+
+import { request } from "../../src/common/http.js";
+import { logger } from "../../src/common/log.js";
+import { dateDiff } from "../../src/common/ops.js";
+import { encodeHTML } from "../../src/common/html.js";
+import { setJsonContentType } from "../../src/common/api-utils.js";
+
+export const RATE_LIMIT_SECONDS = 60 * 5; // 1 request per 5 minutes
+
+/**
+ * Simple uptime check fetcher for the PATs.
+ *
+ * @param {Record<string, unknown>} variables Fetcher variables.
+ * @param {string} token GitHub token.
+ * @returns {Promise<import('axios').AxiosResponse>} The response.
+ */
+const uptimeFetcher = (variables, token) => {
+  return request(
+    {
+      query: `
+        query {
+          rateLimit {
+            remaining
+            resetAt
+          },
+        }`,
+      variables,
+    },
+    {
+      Authorization: `bearer ${token}`,
+    },
+  );
+};
+
+/**
+ * Retrieves all PAT environment variable keys.
+ *
+ * @returns {string[]} Array of PAT environment variable names.
+ */
+const getAllPATs = () => {
+  return Object.keys(process.env).filter((key) => /PAT_\d*$/.exec(key));
+};
+
+/**
+ * @typedef {(variables: Record<string, unknown>, token: string) => Promise<import('axios').AxiosResponse>} Fetcher
+ */
+
+/**
+ * @typedef {Object} PATDetails
+ * @property {string} status - The PAT status.
+ * @property {number} [remaining] - Remaining API calls.
+ * @property {string} [resetIn] - Time until rate limit reset.
+ * @property {{ type: string, message: string }} [error] - Error details.
+ */
+
+/**
+ * @typedef {Object} PATInfo
+ * @property {string[]} validPATs - List of valid PATs.
+ * @property {string[]} expiredPATs - List of expired PATs.
+ * @property {string[]} exhaustedPATs - List of rate-limited PATs.
+ * @property {string[]} suspendedPATs - List of suspended PATs.
+ * @property {string[]} errorPATs - List of PATs with errors.
+ * @property {Record<string, PATDetails>} details - Detailed status of each PAT.
+ */
+
+/**
+ * Check whether any of the PATs is expired.
+ *
+ * @param {Fetcher} fetcher The fetcher function.
+ * @param {Record<string, unknown>} variables Fetcher variables.
+ * @returns {Promise<PATInfo>} The response.
+ */
+const getPATInfo = async (fetcher, variables) => {
+  /** @type {Record<string, PATDetails>} */
+  const details = {};
+  const PATs = getAllPATs();
+
+  for (const pat of PATs) {
+    try {
+      const token = process.env[pat];
+      if (!token) {
+        continue;
+      }
+
+      const response = await fetcher(variables, token);
+      const errors = response.data.errors;
+      const hasErrors = Boolean(errors);
+      const errorType = errors?.[0]?.type;
+      const isRateLimited =
+        (hasErrors && errorType === "RATE_LIMITED") ||
+        response.data.data?.rateLimit?.remaining === 0;
+
+      // Store PATs with errors
+      if (hasErrors && errorType !== "RATE_LIMITED") {
+        details[pat] = {
+          status: "error",
+          error: {
+            type: errors[0].type,
+            message: errors[0].message,
+          },
+        };
+        continue;
+      }
+
+      if (isRateLimited) {
+        const now = new Date();
+        const resetAt = new Date(response.data?.data?.rateLimit?.resetAt);
+        details[pat] = {
+          status: "exhausted",
+          remaining: 0,
+          resetIn: dateDiff(resetAt, now) + " minutes",
+        };
+      } else {
+        details[pat] = {
+          status: "valid",
+          remaining: response.data.data.rateLimit.remaining,
+        };
+      }
+    } catch (err) {
+      // Handle known error responses
+      const errorMessage = err?.response?.data?.message?.toLowerCase();
+      if (errorMessage === "bad credentials") {
+        details[pat] = { status: "expired" };
+      } else if (errorMessage === "sorry. your account was suspended.") {
+        details[pat] = { status: "suspended" };
+      } else {
+        throw err;
+      }
+    }
+  }
+
+  /**
+   * Filters PATs by status.
+   * @param {string} status - The status to filter by.
+   * @returns {string[]} PATs with the specified status.
+   */
+  const filterPATsByStatus = (status) => {
+    return Object.keys(details).filter((pat) => details[pat].status === status);
+  };
+
+  // Sort details by key for consistent output
+  const sortedDetails = Object.keys(details)
+    .sort()
+    .reduce((obj, key) => {
+      obj[key] = details[key];
+      return obj;
+    }, /** @type {Record<string, PATDetails>} */ ({}));
+
+  return {
+    validPATs: filterPATsByStatus("valid"),
+    expiredPATs: filterPATsByStatus("expired"),
+    exhaustedPATs: filterPATsByStatus("exhausted"),
+    suspendedPATs: filterPATsByStatus("suspended"),
+    errorPATs: filterPATsByStatus("error"),
+    details: sortedDetails,
+  };
+};
+
+/**
+ * Cloud function that returns information about the used PATs.
+ *
+ * @param {unknown} _req The request (unused).
+ * @param {import('express').Response} res The response.
+ * @returns {Promise<void>} The response.
+ */
+export default async (_req, res) => {
+  setJsonContentType(res);
+
+  try {
+    const PATsInfo = await getPATInfo(uptimeFetcher, {});
+    if (PATsInfo) {
+      res.setHeader(
+        "Cache-Control",
+        `max-age=0, s-maxage=${RATE_LIMIT_SECONDS}`,
+      );
+    }
+    res.send(JSON.stringify(PATsInfo, null, 2));
+  } catch (err) {
+    logger.error(err);
+    res.setHeader("Cache-Control", "no-store");
+    const errorMessage = err instanceof Error ? err.message : "Unknown error";
+    const safeMessage = encodeHTML(errorMessage);
+    res.send("Something went wrong: " + safeMessage);
+  }
+};

package/api/status/up.js

@@ -0,0 +1,129 @@
+// @ts-check
+
+/**
+ * @file Contains a simple cloud function that can be used to check if the PATs are still
+ * functional.
+ *
+ * @description This function is currently rate limited to 1 request per 5 minutes.
+ */
+
+import { request } from "../../src/common/http.js";
+import retryer from "../../src/common/retryer.js";
+import { logger } from "../../src/common/log.js";
+import { encodeHTML } from "../../src/common/html.js";
+import { setJsonContentType } from "../../src/common/api-utils.js";
+
+export const RATE_LIMIT_SECONDS = 60 * 5; // 1 request per 5 minutes
+
+/**
+ * Simple uptime check fetcher for the PATs.
+ *
+ * @param {Record<string, unknown>} variables Fetcher variables.
+ * @param {string} token GitHub token.
+ * @returns {Promise<import('axios').AxiosResponse>} The response.
+ */
+const uptimeFetcher = (variables, token) => {
+  return request(
+    {
+      query: `
+        query {
+          rateLimit {
+              remaining
+          }
+        }
+        `,
+      variables,
+    },
+    {
+      Authorization: `bearer ${token}`,
+    },
+  );
+};
+
+/**
+ * @typedef {Object} ShieldsResponse
+ * @property {number} schemaVersion - Shields.io schema version.
+ * @property {string} label - Badge label.
+ * @property {"up" | "down"} message - Status message.
+ * @property {"brightgreen" | "red"} color - Badge color.
+ * @property {boolean} isError - Whether this is an error state.
+ */
+
+/**
+ * Creates JSON response for shields.io dynamic card generation.
+ *
+ * @param {boolean} up Whether the PATs are up or not.
+ * @returns {ShieldsResponse} Dynamic shields.io JSON response object.
+ * @see https://shields.io/endpoint
+ */
+const shieldsUptimeBadge = (up) => ({
+  schemaVersion: 1,
+  label: "Public Instance",
+  message: up ? "up" : "down",
+  color: up ? "brightgreen" : "red",
+  isError: true,
+});
+
+/**
+ * Validates and normalizes the response type parameter.
+ *
+ * @param {string|undefined} type - The type parameter from query.
+ * @returns {"shields" | "json" | "boolean"} Normalized type value.
+ */
+const normalizeResponseType = (type) => {
+  const normalized = typeof type === "string" ? type.toLowerCase() : "boolean";
+  if (normalized === "shields" || normalized === "json") {
+    return normalized;
+  }
+  return "boolean";
+};
+
+/**
+ * Cloud function that returns whether the PATs are still functional.
+ *
+ * @param {import('express').Request} req The request.
+ * @param {import('express').Response} res The response.
+ * @returns {Promise<void>} Nothing.
+ */
+export default async (req, res) => {
+  const responseType = normalizeResponseType(req.query.type);
+
+  setJsonContentType(res);
+
+  try {
+    let PATsValid = true;
+    try {
+      await retryer(uptimeFetcher, {});
+    } catch {
+      // PAT validation failed - mark as invalid
+      PATsValid = false;
+    }
+
+    if (PATsValid) {
+      res.setHeader(
+        "Cache-Control",
+        `max-age=0, s-maxage=${RATE_LIMIT_SECONDS}`,
+      );
+    } else {
+      res.setHeader("Cache-Control", "no-store");
+    }
+
+    switch (responseType) {
+      case "shields":
+        res.send(shieldsUptimeBadge(PATsValid));
+        break;
+      case "json":
+        res.send({ up: PATsValid });
+        break;
+      default:
+        res.send(PATsValid);
+        break;
+    }
+  } catch (err) {
+    logger.error(err);
+    res.setHeader("Cache-Control", "no-store");
+    const errorMessage = err instanceof Error ? err.message : "Unknown error";
+    const safeMessage = encodeHTML(errorMessage);
+    res.send("Something went wrong: " + safeMessage);
+  }
+};