@eldrin-project/eldrin-app-core 0.0.2 → 0.0.3

package/dist/index.cjs

@@ -957,14 +957,220 @@ function requireAllPermissions(request, permissions) {
   return auth;
 }
 
+// src/middleware/matcher.ts
+function compileRoutes(routes, apiPrefix) {
+  return routes.map((route) => {
+    const methods = new Set(
+      Array.isArray(route.method) ? route.method.map((m) => m.toUpperCase()) : [route.method.toUpperCase()]
+    );
+    const fullPath = `${apiPrefix}${route.path}`;
+    const paramNames = [];
+    let regexPattern = fullPath.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/:([a-zA-Z_][a-zA-Z0-9_]*)/g, (_, name) => {
+      paramNames.push(name);
+      return "([^/]+)";
+    }).replace(/\*/g, "[^/]+");
+    const pattern = new RegExp(`^${regexPattern}$`);
+    let permission = null;
+    if (route.permission) {
+      const colonIndex = route.permission.indexOf(":");
+      if (colonIndex > 0) {
+        permission = {
+          resource: route.permission.substring(0, colonIndex),
+          action: route.permission.substring(colonIndex + 1)
+        };
+      }
+    }
+    return {
+      methods,
+      pattern,
+      paramNames,
+      permission,
+      originalPath: route.path
+    };
+  });
+}
+function matchRoute(method, pathname, compiledRoutes) {
+  const upperMethod = method.toUpperCase();
+  for (const route of compiledRoutes) {
+    if (!route.methods.has(upperMethod)) continue;
+    const match = pathname.match(route.pattern);
+    if (match) {
+      const params = {};
+      route.paramNames.forEach((name, index) => {
+        params[name] = match[index + 1];
+      });
+      return { route, params };
+    }
+  }
+  return null;
+}
+function isPublicRoute(pathname, publicRoutes, apiPrefix) {
+  for (const publicPath of publicRoutes) {
+    const fullPath = `${apiPrefix}${publicPath}`;
+    if (pathname === fullPath) return true;
+    if (publicPath.endsWith("/*")) {
+      const prefix = `${apiPrefix}${publicPath.slice(0, -2)}`;
+      if (pathname.startsWith(prefix + "/")) return true;
+    }
+  }
+  return false;
+}
+
+// src/middleware/index.ts
+function createPermissionMiddleware(config) {
+  const apiPrefix = config.apiPrefix ?? "/api";
+  const manifest = config.manifest;
+  const api = manifest.api;
+  const compiledRoutes = api?.routes ? compileRoutes(api.routes, apiPrefix) : [];
+  const defaultPolicy = api?.defaultPolicy ?? "deny";
+  const publicRoutes = api?.publicRoutes ?? [];
+  const emptyAuth = {
+    userId: "",
+    email: "",
+    name: "",
+    platformRoles: [],
+    permissions: []
+  };
+  function createCorsHeaders() {
+    if (!config.cors) return {};
+    return {
+      "Access-Control-Allow-Origin": config.cors.allowOrigin,
+      "Access-Control-Allow-Methods": config.cors.allowMethods,
+      "Access-Control-Allow-Headers": config.cors.allowHeaders
+    };
+  }
+  function withCors(response) {
+    if (!config.cors) return response;
+    const newHeaders = new Headers(response.headers);
+    Object.entries(createCorsHeaders()).forEach(([key, value]) => {
+      newHeaders.set(key, value);
+    });
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: newHeaders
+    });
+  }
+  function errorResponse(error) {
+    if (config.onError) {
+      return withCors(config.onError(error));
+    }
+    switch (error.type) {
+      case "unauthorized":
+        return withCors(
+          Response.json(
+            { error: "Unauthorized", message: error.message },
+            { status: 401 }
+          )
+        );
+      case "forbidden":
+        return withCors(
+          Response.json(
+            {
+              error: "Forbidden",
+              message: error.message,
+              permission: error.permission
+            },
+            { status: 403 }
+          )
+        );
+      case "route_not_found":
+        return withCors(
+          Response.json(
+            { error: "Not Found", message: error.message },
+            { status: 404 }
+          )
+        );
+    }
+  }
+  async function verifyAndGetAuth(request, env) {
+    const jwtOptions = {
+      secret: config.getSecret(env),
+      appId: manifest.id,
+      developerId: manifest.developer_id
+    };
+    const result = await verifyJWT(request, jwtOptions);
+    if (!result.success) {
+      return errorResponse({
+        type: "unauthorized",
+        message: result.error
+      });
+    }
+    return result.auth;
+  }
+  return {
+    async handle(request, env) {
+      const url = new URL(request.url);
+      const method = request.method;
+      const pathname = url.pathname;
+      if (config.skipRoutes) {
+        for (const skipPattern of config.skipRoutes) {
+          if (pathname.startsWith(skipPattern)) {
+            return { auth: emptyAuth, url, params: {} };
+          }
+        }
+      }
+      if (method === "OPTIONS") {
+        return {
+          response: new Response(null, {
+            status: 204,
+            headers: createCorsHeaders()
+          })
+        };
+      }
+      if (!pathname.startsWith(apiPrefix)) {
+        return { auth: emptyAuth, url, params: {} };
+      }
+      if (isPublicRoute(pathname, publicRoutes, apiPrefix)) {
+        return { auth: emptyAuth, url, params: {} };
+      }
+      const match = matchRoute(method, pathname, compiledRoutes);
+      if (!match) {
+        if (defaultPolicy === "allow") {
+          return { auth: emptyAuth, url, params: {} };
+        }
+        const authResult2 = await verifyAndGetAuth(request, env);
+        if (authResult2 instanceof Response) {
+          return { response: authResult2 };
+        }
+        return { auth: authResult2, url, params: {} };
+      }
+      if (match.route.permission === null) {
+        return { auth: emptyAuth, url, params: match.params };
+      }
+      const authResult = await verifyAndGetAuth(request, env);
+      if (authResult instanceof Response) {
+        return { response: authResult };
+      }
+      const auth = authResult;
+      if (isPlatformAdmin(auth)) {
+        return { auth, url, params: match.params };
+      }
+      const { resource, action } = match.route.permission;
+      if (!hasPermission(auth, resource, action)) {
+        return {
+          response: errorResponse({
+            type: "forbidden",
+            message: `Missing permission: ${resource}:${action}`,
+            permission: `${resource}:${action}`
+          })
+        };
+      }
+      return { auth, url, params: match.params };
+    }
+  };
+}
+
 exports.AUTH_HEADERS = AUTH_HEADERS;
 exports.CHECKSUM_PREFIX = CHECKSUM_PREFIX;
 exports.DatabaseProvider = DatabaseProvider;
 exports.EldrinEventClient = EldrinEventClient;
 exports.calculateChecksum = calculateChecksum;
 exports.calculatePrefixedChecksum = calculatePrefixedChecksum;
+exports.compileRoutes = compileRoutes;
 exports.createApp = createApp;
 exports.createEventClient = createEventClient;
+exports.createPermissionMiddleware = createPermissionMiddleware;
 exports.extractTimestamp = extractTimestamp;
 exports.generateMigrationManifest = generateMigrationManifest;
 exports.getAuthContext = getAuthContext;
@@ -974,8 +1180,10 @@ exports.getRollbackFilename = getRollbackFilename;
 exports.hasPermission = hasPermission;
 exports.hasPlatformRole = hasPlatformRole;
 exports.isPlatformAdmin = isPlatformAdmin;
+exports.isPublicRoute = isPublicRoute;
 exports.isValidMigrationFilename = isValidMigrationFilename;
 exports.isValidRollbackFilename = isValidRollbackFilename;
+exports.matchRoute = matchRoute;
 exports.parseSQLStatements = parseSQLStatements;
 exports.requireAllPermissions = requireAllPermissions;
 exports.requireAnyPermission = requireAnyPermission;