npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/lib/auth-db-adapter.ts ADDED Viewed

@@ -0,0 +1,289 @@
+/**
+ * auth-db-adapter.ts — Abstraction layer for Auth database access.
+ *
+ * Provides a unified interface for D1 (SQLite) and PostgreSQL backends.
+ * All auth-service functions use AuthDb instead of D1Database directly,
+ * enabling transparent provider switching via config.auth.provider.
+ *
+ * Key differences handled by the adapter:
+ * - D1 uses `?` bind params, PostgreSQL uses `$1, $2, ...`
+ * - D1 `db.batch()` is atomic, PostgreSQL uses `BEGIN/COMMIT`
+ * - D1 `.all()` returns `{ results: T[] }`, pg `.query()` returns `{ rows: T[] }`
+ */
+import { Client } from 'pg';
+import { parseConfig } from './do-router.js';
+// ─── Interface ───
+export type AuthDbDialect = 'sqlite' | 'postgres';
+export interface AuthDb {
+  /** The SQL dialect (sqlite for D1, postgres for Neon/PostgreSQL). */
+  readonly dialect: AuthDbDialect;
+  /**
+   * Execute a query and return all matching rows.
+   * SQL uses `?` placeholders — the adapter converts to `$1, $2, ...` for PostgreSQL.
+   */
+  query<T = Record<string, unknown>>(sql: string, params?: unknown[]): Promise<T[]>;
+  /**
+   * Execute a query and return the first row, or null.
+   */
+  first<T = Record<string, unknown>>(sql: string, params?: unknown[]): Promise<T | null>;
+  /**
+   * Execute a statement that doesn't return rows (INSERT, UPDATE, DELETE).
+   */
+  run(sql: string, params?: unknown[]): Promise<void>;
+  /**
+   * Execute multiple statements atomically.
+   * D1: db.batch([...])
+   * PostgreSQL: BEGIN; ...; COMMIT;
+   */
+  batch(statements: { sql: string; params?: unknown[] }[]): Promise<void>;
+}
+// ─── D1 Implementation ───
+export class D1AuthDb implements AuthDb {
+  readonly dialect: AuthDbDialect = 'sqlite';
+  constructor(private readonly db: D1Database) {}
+  async query<T = Record<string, unknown>>(sql: string, params?: unknown[]): Promise<T[]> {
+    const stmt = params && params.length > 0
+      ? this.db.prepare(sql).bind(...params)
+      : this.db.prepare(sql);
+    const result = await stmt.all();
+    return (result.results ?? []) as T[];
+  }
+  async first<T = Record<string, unknown>>(sql: string, params?: unknown[]): Promise<T | null> {
+    const stmt = params && params.length > 0
+      ? this.db.prepare(sql).bind(...params)
+      : this.db.prepare(sql);
+    const row = await stmt.first();
+    return (row ?? null) as T | null;
+  }
+  async run(sql: string, params?: unknown[]): Promise<void> {
+    const stmt = params && params.length > 0
+      ? this.db.prepare(sql).bind(...params)
+      : this.db.prepare(sql);
+    await stmt.run();
+  }
+  async batch(statements: { sql: string; params?: unknown[] }[]): Promise<void> {
+    if (statements.length === 0) return;
+    await this.db.batch(
+      statements.map((s) =>
+        s.params && s.params.length > 0
+          ? this.db.prepare(s.sql).bind(...s.params)
+          : this.db.prepare(s.sql),
+      ),
+    );
+  }
+}
+// ─── PostgreSQL Implementation ───
+/**
+ * Convert `?` placeholders to `$1, $2, ...` for PostgreSQL.
+ * Handles `?` inside single-quoted strings by skipping them.
+ */
+function sqliteToPostgresParams(sql: string): string {
+  let idx = 0;
+  let inString = false;
+  let result = '';
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i];
+    // Track single-quoted strings
+    if (ch === "'") {
+      if (inString && sql[i + 1] === "'") {
+        // Escaped quote ''
+        result += "''";
+        i++;
+        continue;
+      }
+      inString = !inString;
+      result += ch;
+      continue;
+    }
+    if (ch === '?' && !inString) {
+      idx++;
+      result += `$${idx}`;
+    } else {
+      result += ch;
+    }
+  }
+  return result;
+}
+/**
+ * Convert SQLite-specific SQL constructs to PostgreSQL equivalents.
+ * - `INSERT OR IGNORE` → `INSERT ... ON CONFLICT DO NOTHING`
+ * - `INSERT OR REPLACE` → `INSERT ... ON CONFLICT (pk) DO UPDATE SET ...`
+ */
+export function adaptSqlDialect(sql: string): string {
+  // 1. INSERT OR IGNORE → INSERT ... ON CONFLICT DO NOTHING
+  const ignoreAdapted = sql.replace(
+    /INSERT\s+OR\s+IGNORE\s+INTO/gi,
+    'INSERT INTO',
+  );
+  if (ignoreAdapted !== sql) {
+    let result = ignoreAdapted.trimEnd();
+    if (!result.endsWith(';')) {
+      result += ' ON CONFLICT DO NOTHING';
+    }
+    return result;
+  }
+  // 2. INSERT OR REPLACE → INSERT ... ON CONFLICT (pk) DO UPDATE SET ...
+  const replaceAdapted = sql.replace(
+    /INSERT\s+OR\s+REPLACE\s+INTO/gi,
+    'INSERT INTO',
+  );
+  if (replaceAdapted !== sql) {
+    // Extract column names: INSERT INTO "table" ("col1", "col2", ...) VALUES (...)
+    const colMatch = replaceAdapted.match(/INTO\s+"[^"]+"\s*\(([^)]+)\)/i);
+    if (colMatch) {
+      const cols = colMatch[1].split(',').map(c => c.trim().replace(/"/g, ''));
+      // First column is the PK (id, email, token, key, etc.)
+      const pk = cols[0];
+      const updateCols = cols.filter(c => c !== pk);
+      let result = replaceAdapted.trimEnd().replace(/;\s*$/, '');
+      if (updateCols.length > 0) {
+        const setClause = updateCols.map(c => `"${c}" = EXCLUDED."${c}"`).join(', ');
+        result += ` ON CONFLICT ("${pk}") DO UPDATE SET ${setClause}`;
+      } else {
+        result += ' ON CONFLICT DO NOTHING';
+      }
+      return result;
+    }
+    return replaceAdapted;
+  }
+  return sql;
+}
+export class PgAuthDb implements AuthDb {
+  readonly dialect: AuthDbDialect = 'postgres';
+  constructor(private readonly connectionString: string) {}
+  private adaptSql(sql: string): string {
+    return sqliteToPostgresParams(adaptSqlDialect(sql));
+  }
+  private async withClient<T>(fn: (client: Client) => Promise<T>): Promise<T> {
+    const client = new Client({ connectionString: this.connectionString });
+    try {
+      await client.connect();
+      return await fn(client);
+    } finally {
+      await client.end();
+    }
+  }
+  async query<T = Record<string, unknown>>(sql: string, params?: unknown[]): Promise<T[]> {
+    return this.withClient(async (client) => {
+      const result = await client.query(this.adaptSql(sql), params ?? []);
+      return result.rows as T[];
+    });
+  }
+  async first<T = Record<string, unknown>>(sql: string, params?: unknown[]): Promise<T | null> {
+    return this.withClient(async (client) => {
+      const result = await client.query(this.adaptSql(sql), params ?? []);
+      return (result.rows[0] ?? null) as T | null;
+    });
+  }
+  async run(sql: string, params?: unknown[]): Promise<void> {
+    await this.withClient(async (client) => {
+      await client.query(this.adaptSql(sql), params ?? []);
+    });
+  }
+  async batch(statements: { sql: string; params?: unknown[] }[]): Promise<void> {
+    if (statements.length === 0) return;
+    await this.withClient(async (client) => {
+      await client.query('BEGIN');
+      try {
+        for (const stmt of statements) {
+          await client.query(this.adaptSql(stmt.sql), stmt.params ?? []);
+        }
+        await client.query('COMMIT');
+      } catch (err) {
+        await client.query('ROLLBACK');
+        throw err;
+      }
+    });
+  }
+}
+// ─── Factory ───
+/**
+ * Resolve the Hyperdrive binding name for auth PostgreSQL.
+ * Convention: AUTH_POSTGRES
+ * The .env secret key: AUTH_POSTGRES_URL (or user-specified connectionString value)
+ */
+export function getAuthPostgresBindingName(): string {
+  return 'AUTH_POSTGRES';
+}
+/**
+ * Create an AuthDb instance from the environment and config.
+ * - Default / provider='d1' → D1AuthDb using env.AUTH_DB
+ * - provider='neon'|'postgres' → PgAuthDb using Hyperdrive connection string
+ *
+ * When authProvider / connectionStringKey are omitted, the adapter resolves them
+ * from config.auth.provider and config.auth.connectionString.
+ */
+export function resolveAuthDb(env: Record<string, unknown>, authProvider?: string, connectionStringKey?: string): AuthDb {
+  const config = parseConfig(env);
+  const provider = authProvider ?? config.auth?.provider ?? 'd1';
+  const resolvedConnectionStringKey = connectionStringKey ?? config.auth?.connectionString ?? 'AUTH_POSTGRES_URL';
+  if (provider === 'd1') {
+    const d1 = env.AUTH_DB as D1Database | undefined;
+    if (!d1) {
+      throw new Error('AUTH_DB D1 binding is not available in the environment.');
+    }
+    return new D1AuthDb(d1);
+  }
+  if (provider === 'neon' || provider === 'postgres') {
+    // Resolve Hyperdrive connection string
+    const bindingName = getAuthPostgresBindingName();
+    const hyperdrive = env[bindingName] as { connectionString?: string } | undefined;
+    if (hyperdrive?.connectionString) {
+      return new PgAuthDb(hyperdrive.connectionString);
+    }
+    // Fallback: direct connection string from env (local dev)
+    const envKey = resolvedConnectionStringKey;
+    const connStr = env[envKey] as string | undefined;
+    if (connStr) {
+      return new PgAuthDb(connStr);
+    }
+    throw new Error(
+      `Auth provider '${provider}' requires a PostgreSQL connection. ` +
+      `Expected Hyperdrive binding '${bindingName}' or env variable '${envKey}'.`,
+    );
+  }
+  throw new Error(`Unknown auth provider: '${provider}'.`);
+}

package/src/lib/auth-redirect.ts ADDED Viewed

@@ -0,0 +1,116 @@
+import { EdgeBaseError } from '@edge-base/shared';
+import { parseConfig } from './do-router.js';
+import type { Env } from '../types.js';
+export interface ClientRedirectInput {
+  redirectUrl?: string | null;
+  state?: string | null;
+}
+export interface ParsedClientRedirect {
+  redirectUrl: string | null;
+  state: string | null;
+}
+function normalizeUrl(value: string): string {
+  try {
+    return new URL(value).toString();
+  } catch {
+    throw new EdgeBaseError(400, 'Invalid redirect_url.');
+  }
+}
+function isAllowedRedirect(candidate: string, pattern: string): boolean {
+  const trimmed = pattern.trim();
+  if (!trimmed) return false;
+  if (trimmed.endsWith('*')) {
+    return candidate.startsWith(trimmed.slice(0, -1));
+  }
+  let allowedUrl: URL;
+  let candidateUrl: URL;
+  try {
+    allowedUrl = new URL(trimmed);
+    candidateUrl = new URL(candidate);
+  } catch {
+    return false;
+  }
+  // Origin-wide allowlist entry: https://app.example.com
+  if (allowedUrl.pathname === '/' && !allowedUrl.search && !allowedUrl.hash) {
+    return allowedUrl.origin === candidateUrl.origin;
+  }
+  return allowedUrl.toString() === candidateUrl.toString();
+}
+function getAllowedRedirectUrls(env: Env): string[] {
+  const config = parseConfig(env);
+  const entries = config?.auth?.allowedRedirectUrls;
+  if (!Array.isArray(entries)) return [];
+  return entries.filter((entry): entry is string => typeof entry === 'string' && entry.trim().length > 0);
+}
+export function appendRedirectParams(
+  redirectUrl: string,
+  params: Record<string, string | undefined | null>,
+): string {
+  const url = new URL(redirectUrl);
+  const fragmentParams = new URLSearchParams();
+  for (const [key, value] of Object.entries(params)) {
+    if (value !== undefined && value !== null && value !== '') {
+      fragmentParams.set(key, value);
+    }
+  }
+  const fragment = fragmentParams.toString();
+  if (fragment) {
+    url.hash = fragment;
+  }
+  return url.toString();
+}
+export function parseClientRedirectUrl(env: Env, value: string | null | undefined): string | null {
+  if (!value) return null;
+  const normalized = normalizeUrl(value);
+  const allowed = getAllowedRedirectUrls(env);
+  if (allowed.length > 0 && !allowed.some((pattern) => isAllowedRedirect(normalized, pattern))) {
+    throw new EdgeBaseError(400, 'redirect_url is not allowed.');
+  }
+  return normalized;
+}
+export function parseClientRedirectState(value: string | null | undefined): string | null {
+  if (value === undefined || value === null || value === '') return null;
+  if (typeof value !== 'string') {
+    throw new EdgeBaseError(400, 'Invalid state.');
+  }
+  if (value.length > 1024) {
+    throw new EdgeBaseError(400, 'state must not exceed 1024 characters.');
+  }
+  return value;
+}
+export function parseClientRedirectInput(env: Env, input: ClientRedirectInput | null | undefined): ParsedClientRedirect {
+  return {
+    redirectUrl: parseClientRedirectUrl(env, input?.redirectUrl),
+    state: parseClientRedirectState(input?.state),
+  };
+}
+export function buildEmailActionUrl(options: {
+  redirectUrl: string | null;
+  fallbackUrl: string;
+  token: string;
+  type: string;
+  state?: string | null;
+}): string {
+  if (!options.redirectUrl) {
+    return options.fallbackUrl;
+  }
+  return appendRedirectParams(options.redirectUrl, {
+    token: options.token,
+    type: options.type,
+    state: options.state ?? null,
+  });
+}

package/src/lib/cidr.ts ADDED Viewed

@@ -0,0 +1,115 @@
+/**
+ * Pure IPv4/IPv6 CIDR matching utility.
+ * No external dependencies — suitable for Cloudflare Workers runtime.
+ *
+ * @module cidr
+ */
+/**
+ * Check if an IP address falls within a CIDR range.
+ * Supports IPv4 (e.g. '10.0.0.0/8') and IPv6 (e.g. '2001:db8::/32').
+ *
+ * Returns false for invalid inputs (malformed IP or CIDR).
+ */
+export function isIpInCidr(ip: string, cidr: string): boolean {
+  const slashIdx = cidr.indexOf('/');
+  if (slashIdx === -1) return false;
+  const cidrIp = cidr.substring(0, slashIdx);
+  const prefixLen = parseInt(cidr.substring(slashIdx + 1), 10);
+  if (isNaN(prefixLen) || prefixLen < 0) return false;
+  // Determine IP version
+  const isIPv6Input = ip.includes(':');
+  const isIPv6Cidr = cidrIp.includes(':');
+  // Must be same version
+  if (isIPv6Input !== isIPv6Cidr) return false;
+  if (isIPv6Input) {
+    if (prefixLen > 128) return false;
+    const ipBytes = parseIPv6(ip);
+    const cidrBytes = parseIPv6(cidrIp);
+    if (!ipBytes || !cidrBytes) return false;
+    return matchesPrefixBits(ipBytes, cidrBytes, prefixLen);
+  } else {
+    if (prefixLen > 32) return false;
+    const ipBytes = parseIPv4(ip);
+    const cidrBytes = parseIPv4(cidrIp);
+    if (!ipBytes || !cidrBytes) return false;
+    return matchesPrefixBits(ipBytes, cidrBytes, prefixLen);
+  }
+}
+/**
+ * Parse an IPv4 address string to a 4-byte Uint8Array.
+ * Returns null for invalid input.
+ */
+function parseIPv4(ip: string): Uint8Array | null {
+  const parts = ip.split('.');
+  if (parts.length !== 4) return null;
+  const bytes = new Uint8Array(4);
+  for (let i = 0; i < 4; i++) {
+    const n = parseInt(parts[i], 10);
+    if (isNaN(n) || n < 0 || n > 255 || parts[i] !== String(n)) return null;
+    bytes[i] = n;
+  }
+  return bytes;
+}
+/**
+ * Parse an IPv6 address string to a 16-byte Uint8Array.
+ * Handles '::' shorthand expansion.
+ * Returns null for invalid input.
+ */
+function parseIPv6(ip: string): Uint8Array | null {
+  // Handle :: expansion
+  let halves: string[];
+  if (ip.includes('::')) {
+    const [left, right] = ip.split('::');
+    if (ip.indexOf('::', ip.indexOf('::') + 2) !== -1) return null; // multiple ::
+    const leftGroups = left ? left.split(':') : [];
+    const rightGroups = right ? right.split(':') : [];
+    const missing = 8 - leftGroups.length - rightGroups.length;
+    if (missing < 0) return null;
+    halves = [...leftGroups, ...Array(missing).fill('0'), ...rightGroups];
+  } else {
+    halves = ip.split(':');
+  }
+  if (halves.length !== 8) return null;
+  const bytes = new Uint8Array(16);
+  for (let i = 0; i < 8; i++) {
+    const val = parseInt(halves[i], 16);
+    if (isNaN(val) || val < 0 || val > 0xffff) return null;
+    // Validate hex string (no invalid chars)
+    if (!/^[0-9a-fA-F]{1,4}$/.test(halves[i]) && halves[i] !== '0') return null;
+    bytes[i * 2] = (val >> 8) & 0xff;
+    bytes[i * 2 + 1] = val & 0xff;
+  }
+  return bytes;
+}
+/**
+ * Compare the first `prefixLen` bits of two byte arrays.
+ * Returns true if they are identical in the prefix range.
+ */
+function matchesPrefixBits(a: Uint8Array, b: Uint8Array, prefixLen: number): boolean {
+  const fullBytes = Math.floor(prefixLen / 8);
+  const remainBits = prefixLen % 8;
+  // Compare full bytes
+  for (let i = 0; i < fullBytes; i++) {
+    if (a[i] !== b[i]) return false;
+  }
+  // Compare remaining bits with mask
+  if (remainBits > 0 && fullBytes < a.length) {
+    const mask = 0xff << (8 - remainBits);
+    if ((a[fullBytes] & mask) !== (b[fullBytes] & mask)) return false;
+  }
+  return true;
+}

package/src/lib/client-ip.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import { parseConfig } from './do-router.js';
+type HeaderReader = Request | { header: (name: string) => string | undefined; raw?: Request };
+function readHeader(reader: HeaderReader, name: string): string | undefined {
+  if (reader instanceof Request) {
+    return reader.headers.get(name) ?? undefined;
+  }
+  const direct = reader.header(name);
+  if (direct !== undefined) {
+    return direct;
+  }
+  return reader.raw?.headers.get(name) ?? undefined;
+}
+function parseForwardedIp(value: string | undefined): string | undefined {
+  if (!value) return undefined;
+  const first = value.split(',')[0]?.trim();
+  return first && first.length > 0 ? first : undefined;
+}
+function isTrustSelfHostedProxyEnabled(env: unknown): boolean {
+  if (env && typeof env === 'object' && !Array.isArray(env)) {
+    const direct = (env as Record<string, unknown>).trustSelfHostedProxy;
+    if (typeof direct === 'boolean') {
+      return direct;
+    }
+  }
+  return parseConfig(env).trustSelfHostedProxy === true;
+}
+export function getTrustedClientIp(
+  env: unknown,
+  reader?: HeaderReader,
+): string | undefined {
+  if (!reader) return undefined;
+  const cfIp = parseForwardedIp(
+    readHeader(reader, 'cf-connecting-ip') ?? readHeader(reader, 'CF-Connecting-IP'),
+  );
+  if (cfIp) return cfIp;
+  if (!isTrustSelfHostedProxyEnabled(env)) {
+    return undefined;
+  }
+  return parseForwardedIp(
+    readHeader(reader, 'x-forwarded-for') ?? readHeader(reader, 'X-Forwarded-For'),
+  );
+}