@effect-app/infra 4.0.0-beta.22 → 4.0.0-beta.220

package/src/api/internal/auth.ts

@@ -1,42 +1,244 @@
-/* eslint-disable @typescript-eslint/no-explicit-any */
-/* eslint-disable unused-imports/no-unused-vars */
-import { Data, Effect } from "effect-app"
+import { Data, Effect, Option } from "effect-app"
 import { HttpHeaders, HttpMiddleware, HttpServerRequest, HttpServerResponse } from "effect-app/http"
-import { auth, InsufficientScopeError, InvalidRequestError, InvalidTokenError, UnauthorizedError } from "express-oauth2-jwt-bearer"
+import { createRemoteJWKSet, jwtVerify } from "jose"
 
-// // Authorization middleware. When used, the Access Token must
-// // exist and be verified against the Auth0 JSON Web Key Set.
+const getHeaders = (error: string, description: string, scopes?: ReadonlyArray<string>) => ({
+  "WWW-Authenticate": `Bearer realm="api", error="${error}", error_description="${description.replace(/"/g, "'")}"${
+    scopes ? `, scope="${scopes.join(" ")}"` : ""
+  }`
+})
 
-// type Errors = InsufficientScopeError | InvalidRequestError | InvalidTokenError | UnauthorizedError
-type Config = Parameters<typeof auth>[0]
-export const checkJWTI = (config: Config) => {
-  const mw = auth(config)
-  return Effect.fnUntraced(function*(headers: HttpHeaders.Headers) {
-    return yield* Effect.callback<
-      void,
-      InsufficientScopeError | InvalidRequestError | InvalidTokenError | UnauthorizedError
-    >(
-      (resume) => {
-        const next = (err?: unknown) => {
-          if (!err) return resume(Effect.void)
-          if (
-            err instanceof InsufficientScopeError
-            || err instanceof InvalidRequestError
-            || err instanceof InvalidTokenError
-            || err instanceof UnauthorizedError
-          ) {
-            return resume(Effect.fail(err))
+export class UnauthorizedError extends Error {
+  readonly status: number = 401
+  readonly statusCode: number = 401
+  headers = { "WWW-Authenticate": "Bearer realm=\"api\"" }
+
+  constructor(message = "Unauthorized") {
+    super(message)
+    this.name = this.constructor.name
+  }
+}
+
+export class InvalidRequestError extends UnauthorizedError {
+  readonly code: string
+  override readonly status = 400
+  override readonly statusCode = 400
+
+  constructor(message = "Invalid Request", useErrorCode = true) {
+    super(message)
+    this.code = useErrorCode ? "invalid_request" : ""
+    if (useErrorCode) {
+      this.headers = getHeaders(this.code, this.message)
+    }
+  }
+}
+
+export class InvalidTokenError extends UnauthorizedError {
+  readonly code = "invalid_token"
+
+  constructor(message = "Invalid Token") {
+    super(message)
+    this.headers = getHeaders(this.code, this.message)
+  }
+}
+
+export class InsufficientScopeError extends UnauthorizedError {
+  readonly code = "insufficient_scope"
+  override readonly status = 403
+  override readonly statusCode = 403
+
+  constructor(scopes?: ReadonlyArray<string>, message = "Insufficient Scope") {
+    super(message)
+    this.headers = getHeaders(this.code, this.message, scopes)
+  }
+}
+
+export interface JwtVerifierOptions {
+  readonly audience?: string | Array<string> | ReadonlyArray<string>
+  readonly clockTolerance?: number
+  readonly issuer?: string
+  readonly issuerBaseURL?: string
+  readonly jwksUri?: string
+  readonly maxTokenAge?: number
+  readonly secret?: string
+  readonly strict?: boolean
+  readonly tokenSigningAlg?: string
+}
+
+export interface AuthOptions extends JwtVerifierOptions {
+  readonly authRequired?: boolean
+}
+
+type Config = AuthOptions
+
+type JwtError = InsufficientScopeError | InvalidRequestError | InvalidTokenError | UnauthorizedError
+
+type ResolvedConfigBase = {
+  readonly audience: string | Array<string> | undefined
+  readonly clockTolerance: number
+  readonly issuer: string | undefined
+  readonly maxTokenAge: number | undefined
+  readonly strict: boolean
+  readonly tokenSigningAlg: string | undefined
+}
+
+type ResolvedConfig =
+  & ResolvedConfigBase
+  & (
+    | {
+      readonly key: ReturnType<typeof createRemoteJWKSet>
+      readonly keyType: "jwks"
+    }
+    | {
+      readonly key: Uint8Array
+      readonly keyType: "secret"
+    }
+  )
+
+const isRecord = (value: unknown): value is Record<string, unknown> => typeof value === "object" && value !== null
+
+const getErrorMessage = (error: unknown) => error instanceof Error ? error.message : String(error)
+
+const normalizeAudience = (audience: Config["audience"]): string | Array<string> | undefined =>
+  Array.isArray(audience) ? Array.from(audience) : audience as string | undefined
+
+const buildDiscoveryUrl = (issuerBaseURL: string) => {
+  const url = new URL(issuerBaseURL)
+  if (!url.pathname.includes("/.well-known/")) {
+    url.pathname = url.pathname.endsWith("/")
+      ? `${url.pathname}.well-known/openid-configuration`
+      : `${url.pathname}/.well-known/openid-configuration`
+  }
+  url.search = ""
+  url.hash = ""
+  return url
+}
+
+const fetchDiscoveryDocumentPromise = async (issuerBaseURL: string) => {
+  const response = await fetch(buildDiscoveryUrl(issuerBaseURL))
+  if (!response.ok) {
+    throw new Error(`Failed to fetch authorization server metadata: ${response.status}`)
+  }
+  const json = await response.json()
+  if (!isRecord(json) || typeof json["issuer"] !== "string" || typeof json["jwks_uri"] !== "string") {
+    throw new Error("Invalid authorization server metadata")
+  }
+  return { issuer: json["issuer"], jwksUri: json["jwks_uri"] }
+}
+
+const getAuthorizationToken = (headers: HttpHeaders.Headers, authRequired: boolean) => {
+  const authorization = HttpHeaders.get(headers, "authorization")
+  if (Option.isNone(authorization)) {
+    return authRequired ? Effect.fail(new UnauthorizedError()) : Effect.succeed(Option.none<string>())
+  }
+
+  const [scheme, token] = authorization.value.split(" ")
+  if (!scheme || !token || scheme.toLowerCase() !== "bearer") {
+    return Effect.fail(new InvalidRequestError("", false))
+  }
+
+  return Effect.succeed(Option.some(token))
+}
+
+const makeResolveConfig = (config: Config) => {
+  let cached: Promise<ResolvedConfig> | undefined
+
+  return Effect.tryPromise({
+    try: () => {
+      if (!cached) {
+        cached = (async (): Promise<ResolvedConfig> => {
+          const discovery = config.issuerBaseURL
+            ? await fetchDiscoveryDocumentPromise(config.issuerBaseURL)
+            : undefined
+
+          const issuer = config.issuer ?? discovery?.issuer
+          const jwksUri = config.jwksUri ?? discovery?.jwksUri
+          const secret = config.secret
+          const base = {
+            audience: normalizeAudience(config.audience),
+            clockTolerance: config.clockTolerance ?? 5,
+            issuer,
+            maxTokenAge: config.maxTokenAge,
+            strict: config.strict ?? false,
+            tokenSigningAlg: config.tokenSigningAlg
+          } satisfies ResolvedConfigBase
+
+          if (!issuer && !secret) {
+            throw new InvalidRequestError("JWT config requires 'issuer', 'issuerBaseURL', or 'secret'")
           }
-          return resume(Effect.die(err))
-        }
-        const r = { headers, query: {}, body: {}, is: () => false, method: "POST" } // is("urlencoded")
-        try {
-          mw(r as any, {} as any, next)
-        } catch (e) {
-          return resume(Effect.die(e))
-        }
+
+          if (!secret) {
+            if (!jwksUri) {
+              throw new InvalidRequestError("JWT config requires 'jwksUri', 'issuerBaseURL', or 'secret'")
+            }
+
+            return {
+              ...base,
+              key: createRemoteJWKSet(new URL(jwksUri)),
+              keyType: "jwks"
+            }
+          }
+
+          return {
+            ...base,
+            key: new TextEncoder().encode(secret),
+            keyType: "secret"
+          }
+        })()
       }
+
+      return cached
+    },
+    catch: (error) =>
+      error instanceof InvalidRequestError || error instanceof InvalidTokenError
+        ? error
+        : new InvalidTokenError(getErrorMessage(error))
+  })
+}
+
+const verifyToken =
+  (resolveConfig: Effect.Effect<ResolvedConfig, InvalidRequestError | InvalidTokenError>) => (token: string) =>
+    resolveConfig.pipe(
+      Effect.flatMap((config) => {
+        const options = {
+          clockTolerance: config.clockTolerance,
+          ...(config.tokenSigningAlg ? { algorithms: [config.tokenSigningAlg] } : {}),
+          ...(config.audience !== undefined ? { audience: config.audience } : {}),
+          ...(config.issuer !== undefined ? { issuer: config.issuer } : {}),
+          ...(config.maxTokenAge !== undefined ? { maxTokenAge: config.maxTokenAge } : {})
+        }
+        const verified = config.keyType === "jwks"
+          ? Effect.tryPromise({
+            try: () => jwtVerify(token, config.key, options).then(({ protectedHeader }) => ({ protectedHeader })),
+            catch: (error) => new InvalidTokenError(getErrorMessage(error))
+          })
+          : Effect.tryPromise({
+            try: () => jwtVerify(token, config.key, options).then(({ protectedHeader }) => ({ protectedHeader })),
+            catch: (error) => new InvalidTokenError(getErrorMessage(error))
+          })
+
+        return verified.pipe(
+          Effect.flatMap(({ protectedHeader }) => {
+            const typ = protectedHeader.typ?.toLowerCase().replace(/^application\//, "")
+            return config.strict && typ !== "at+jwt"
+              ? Effect.fail(new InvalidTokenError("Unexpected 'typ' value"))
+              : Effect.void
+          })
+        )
+      })
     )
+
+export const checkJWTI = (config: Config) => {
+  const resolveConfig = makeResolveConfig(config)
+  const verify = verifyToken(resolveConfig)
+
+  return Effect.fnUntraced(function*(headers: HttpHeaders.Headers) {
+    const token = yield* getAuthorizationToken(headers, config.authRequired !== false)
+    if (Option.isNone(token)) {
+      return
+    }
+
+    yield* verify(token.value)
   })
 }
 
@@ -45,24 +247,24 @@ export const checkJwt = (config: Config) => {
   return HttpMiddleware.make((app) =>
     Effect.gen(function*() {
       const req = yield* HttpServerRequest.HttpServerRequest
-      const response = yield* check(req.headers).pipe(Effect.catch((e) =>
-        HttpServerResponse.json({ message: e.message }, {
-          status: e.status,
-          headers: HttpHeaders.fromInput(e.headers)
-        })
-      ))
+      const response = yield* check(req.headers).pipe(
+        Effect.catch((error: JwtError) =>
+          HttpServerResponse.json({ message: error.message }, {
+            status: error.status,
+            headers: HttpHeaders.fromInput(error.headers)
+          })
+        )
+      )
+
       if (response) {
         return response
       }
+
       return yield* app
     })
   )
 }
 
 export class JWTError extends Data.TaggedClass("JWTError")<{
-  error:
-    | InsufficientScopeError
-    | InvalidRequestError
-    | InvalidTokenError
-    | UnauthorizedError
+  error: JwtError
 }> {}

package/src/api/internal/events.ts

@@ -1,6 +1,7 @@
 import { Duration, Effect, pipe, S, Schedule, Stream } from "effect-app"
 import { HttpHeaders, HttpServerResponse } from "effect-app/http"
 import { reportError } from "../../errorReporter.js"
+import { storeId } from "../../Store/Memory.js"
 import { setupRequestContextFromCurrent } from "../setupRequest.js"
 
 // Tell the client to retry every 10 seconds if connectivity is lost
@@ -9,29 +10,32 @@ const keepAlive = Stream.fromEffectSchedule(Effect.succeed(":keep-alive"), Sched
 
 let connId = BigInt(0)
 
-export const makeSSE = <A extends { id: any }, SI, SR>(
-  schema: S.Codec<A, SI, SR>
+export const makeSSE = <A extends { id: any }, SI, SRD, SRE>(
+  schema: S.Codec<A, SI, SRD, SRE>
 ) =>
 <E, R>(events: Stream.Stream<{ evt: A; namespace: string }, E, R>) =>
   Effect
     .gen(function*() {
       const id = connId++
-      const ctx = yield* Effect.services<R | SR>()
+      const ctx = yield* Effect.context<R | SRD | SRE>()
       const res = HttpServerResponse.stream(
         // workaround for different scoped behaviour for streams in Bun
         // https://discord.com/channels/795981131316985866/1098177242598756412/1389646879675125861
         Effect
           .gen(function*() {
-            yield* Effect.annotateCurrentSpan({ connectionId: id.toString() })
-            yield* Effect.logInfo("$ start listening to events, id: " + id.toString())
-            yield* Effect.addFinalizer(() => Effect.logInfo("$ end listening to events, id: " + id.toString()))
+            const ns = yield* storeId
+            yield* Effect.annotateCurrentSpan({ "network.connection.id": id.toString() })
+            yield* Effect.logInfo("$ start listening to events, id: " + id.toString() + ", ns: " + ns)
+            yield* Effect.addFinalizer(() =>
+              Effect.logInfo("$ end listening to events, id: " + id.toString() + ", ns: " + ns)
+            )
 
             const enc = new TextEncoder()
 
-            const encode = S.encodeEffect(S.fromJsonString(schema))
+            const encode = S.encodeEffect(S.fromJsonString(S.toCodecJson(schema)))
 
             const eventStream = Stream.mapEffect(
-              events,
+              Stream.filter(events, (_) => _.namespace === ns),
               (_) =>
                 encode(_.evt)
                   .pipe(Effect.map((data) => `id: ${_.evt.id}\ndata: ${data}`))
@@ -42,7 +46,7 @@ export const makeSSE = <A extends { id: any }, SI, SR>(
               Stream.merge(keepAlive),
               // Keep this unary so pipe receives a function, not a Stream value.
               (self) => Stream.merge(self, eventStream, { haltStrategy: "either" }),
-              Stream.tapCause((cause) => Effect.logError("SSE error", cause)),
+              Stream.tapCause((cause) => Effect.logError("SSE error, id: " + id.toString() + ", ns: " + ns, cause)),
               Stream.map((_) => enc.encode(_ + "\n\n"))
             )
 

package/src/api/layerUtils.ts

@@ -1,5 +1,5 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
-import { Effect, type Layer, type NonEmptyReadonlyArray, Option, ServiceMap } from "effect-app"
+import { Context, Effect, type Layer, type NonEmptyReadonlyArray, Option } from "effect-app"
 import { InfraLogger } from "../logger.js"
 
 // TODO: These LayerUtils are flaky, like in dependencies as a readonly array, it breaks when there are two entries
@@ -27,7 +27,7 @@ export namespace LayerUtils {
 }
 
 export type ContextTagWithDefault<Id, A, LayerE, LayerR> =
-  & ServiceMap.Service<Id, A>
+  & Context.Service<Id, A>
   & {
     Default: Layer.Layer<Id, LayerE, LayerR>
   }
@@ -36,29 +36,29 @@ export namespace ContextTagWithDefault {
   export type Base<A> = ContextTagWithDefault<any, A, any, any>
 }
 
-export type GetContext<T> = T extends ServiceMap.ServiceMap<infer Y> ? Y : never
+export type GetContext<T> = T extends Context.Context<infer Y> ? Y : never
 
 export const mergeContexts = Effect.fnUntraced(
   function*<
     T extends readonly {
       maker: any
-      handle: Effect.Effect<ServiceMap.ServiceMap<any> | Option.Option<ServiceMap.ServiceMap<any>>>
+      handle: Effect.Effect<Context.Context<any> | Option.Option<Context.Context<any>>>
     }[]
   >(
     makers: T
   ) {
-    let context = ServiceMap.empty()
+    let context = Context.empty()
     for (const mw of makers) {
       const ctx = yield* mw.handle.pipe(Effect.provide(context))
-      const moreContext = ServiceMap.isServiceMap(ctx) ? Option.some(ctx) : ctx
+      const moreContext = Context.isContext(ctx) ? Option.some(ctx) : ctx
       yield* InfraLogger.logDebug(
         "Built dynamic context for middleware" + (mw.maker.key ?? mw.maker),
         Option.map(moreContext, (c) => (c as any).toJSON().services)
       )
       if (moreContext.value) {
-        context = ServiceMap.merge(context, moreContext.value)
+        context = Context.merge(context, moreContext.value)
       }
     }
-    return context as ServiceMap.ServiceMap<Effect.Success<T[number]["handle"]>>
+    return context as Context.Context<Effect.Success<T[number]["handle"]>>
   }
 )

package/src/api/routing/middleware/RouterMiddleware.ts

@@ -1,13 +1,13 @@
 /* eslint-disable @typescript-eslint/no-unsafe-assignment */
 /* eslint-disable @typescript-eslint/no-unsafe-return */
 /* eslint-disable @typescript-eslint/no-explicit-any */
-import { type Layer, type ServiceMap } from "effect-app"
+import { type Context, type Layer } from "effect-app"
 import { type GetContextConfig, type RpcContextMap } from "effect-app/rpc/RpcContextMap"
 import { type RpcMiddlewareV4 } from "effect-app/rpc/RpcMiddleware"
 // module:
 //
 
-// v4: middleware tags are ServiceMap.Service (not Effect) — they carry the RpcMiddlewareV4 as their service Shape
+// v4: middleware tags are Context.Service (not Effect) — they carry the RpcMiddlewareV4 as their service Shape
 export type RouterMiddleware<
   Self,
   RequestContextMap extends Record<string, RpcContextMap.Any>, // what services will the middlware provide dynamically to the next, or raise errors.
@@ -18,9 +18,9 @@ export type RouterMiddleware<
   _ContextProviderR, // what the context provider requires
   RequestContextId
 > =
-  & ServiceMap.Service<Self, RpcMiddlewareV4<ContextProviderA, ContextProviderE, never>>
+  & Context.Service<Self, RpcMiddlewareV4<ContextProviderA, ContextProviderE, never>>
   & {
     readonly Default: Layer.Layer<Self, MakeMiddlewareE, MakeMiddlewareR>
-    readonly requestContext: ServiceMap.Service<RequestContextId, GetContextConfig<RequestContextMap>>
+    readonly requestContext: Context.Service<RequestContextId, GetContextConfig<RequestContextMap>>
     readonly requestContextMap: RequestContextMap
   }

package/src/api/routing/middleware/middleware.ts

@@ -1,10 +1,14 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import { Cause, Config, Effect, Layer, Schema } from "effect"
 import { ConfigureInterruptibilityMiddleware, DevMode, DevModeMiddleware, LoggerMiddleware, RequestCacheMiddleware } from "effect-app/middleware"
+import { RpcContextMap, type RpcMiddleware } from "effect-app/rpc"
 import { pretty } from "effect-app/utils"
+import * as Array from "effect/Array"
+import * as Context from "effect/Context"
+import { type Rpc } from "effect/unstable/rpc"
 import { logError, reportError } from "../../../errorReporter.js"
 import { InfraLogger } from "../../../logger.js"
-import { determineMethod, isCommand } from "../utils.js"
+import { WithNsTransaction } from "../../../Store/SQL.js"
 
 const logRequestError = logError("Request")
 const reportRequestError = reportError("Request")
@@ -26,22 +30,20 @@ export const RequestCacheMiddlewareLive = Layer.succeed(
 const isOptimisticConcurrencyException = (input: unknown) =>
   typeof input === "object" && input !== null && "_tag" in input && input._tag === "OptimisticConcurrencyException"
 
+export const RequestType = Context.Reference<"command" | "query">(
+  "@effect-app/infra/api/routing/RequestType",
+  { defaultValue: () => "query" }
+)
+
 export const ConfigureInterruptibilityMiddlewareLive = Layer.effect(
   ConfigureInterruptibilityMiddleware,
   Effect.gen(function*() {
-    const cache = new Map()
-    const getCached = (key: string, schema: Schema.Top) => {
-      const existing = cache.get(key)
-      if (existing) return existing
-      const n = determineMethod(key, schema)
-      cache.set(key, n)
-      return n
-    }
     return (effect, { rpc }) => {
-      const method = getCached(rpc._tag, rpc.payloadSchema)
+      const requestType = Context.get(rpc.annotations, RequestType)
+      const isCommand = requestType === "command"
 
-      effect = isCommand(method)
-        ? Effect.retry(Effect.uninterruptible(effect), { times: 1, while: isOptimisticConcurrencyException })
+      effect = isCommand
+        ? Effect.retry(effect, { times: 1, while: isOptimisticConcurrencyException })
         : Effect.interruptible(effect)
 
       return effect
@@ -57,8 +59,8 @@ export const LoggerMiddlewareLive = Layer
       return (effect, { headers, payload, rpc }) =>
         Effect
           .annotateCurrentSpan({
-            "request.name": rpc._tag,
-            "requestInput": typeof payload === "object" && payload !== null
+            "rpc.method": rpc._tag,
+            "rpc.request.payload": typeof payload === "object" && payload !== null
               ? Object.entries(payload).reduce((prev, [key, value]: [string, unknown]) => {
                 prev[key] = key === "password"
                   ? "<redacted>"
@@ -126,3 +128,42 @@ export const DefaultGenericMiddlewaresLive = Layer.mergeAll(
   LoggerMiddlewareLive,
   DevModeMiddlewareLive
 )
+
+/**
+ * Config entry for `RequestContextMap` that controls per-RPC transaction wrapping.
+ * Defaults to `false` (no transaction). Set `requiresTransaction: true` on a route to enable.
+ *
+ * @example
+ * ```ts
+ * class RequestContextMap extends RpcContextMap.makeMap({
+ *   requiresTransaction: requiresTransactionConfig,
+ *   // ...
+ * }) {}
+ * ```
+ */
+export const requiresTransactionConfig = RpcContextMap.makeCustom()(Schema.Never, false)
+
+/**
+ * Creates the middleware Effect for SQL transaction wrapping.
+ * Requires `WithNsTransaction` service.
+ * Reads `requiresTransaction` from the RPC config; defaults to `false`.
+ *
+ * @example
+ * ```ts
+ * const SqlTransactionMiddlewareLive = Layer.effect(
+ *   SqlTransactionMiddleware,
+ *   makeSqlTransactionMiddleware(RequestContextMap)
+ * )
+ * ```
+ */
+export const makeSqlTransactionMiddleware = Effect.fnUntraced(function*(
+  rcm: { getConfig: (rpc: Rpc.AnyWithProps) => { readonly requiresTransaction?: boolean } }
+) {
+  const withTx = yield* WithNsTransaction
+  const mw: RpcMiddleware.RpcMiddlewareV4<never, never, never> = (effect, { rpc }) => {
+    const { requiresTransaction } = rcm.getConfig(rpc)
+    if (requiresTransaction !== true) return effect
+    return withTx(effect)
+  }
+  return mw
+})

package/src/api/routing/middleware.ts

@@ -2,5 +2,3 @@
 export * from "./middleware/middleware.js"
 export * from "./middleware/RouterMiddleware.js"
 // codegen:end
-
-export * as Middleware from "./middleware.js"