@everystack/server 0.2.26 → 0.2.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/package.json +10 -10
  2. package/src/image.ts +66 -1
  3. package/src/plugin.ts +30 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@everystack/server",
3
- "version": "0.2.26",
3
+ "version": "0.2.27",
4
4
  "description": "Server runtime primitives for Lambda — event adapters, routing, SSR, image processing",
5
5
  "license": "AGPL-3.0-only",
6
6
  "author": "Scalable Technology, Inc. <licensing@scalable.technology>",
@@ -74,6 +74,11 @@
74
74
  "default": "./src/media.ts"
75
75
  }
76
76
  },
77
+ "scripts": {
78
+ "test": "jest",
79
+ "build": "tsc --build",
80
+ "lint": "tsc --noEmit"
81
+ },
77
82
  "peerDependencies": {
78
83
  "esbuild": ">=0.20.0",
79
84
  "@aws-sdk/client-cloudfront-keyvaluestore": ">=3.1053.0",
@@ -123,6 +128,8 @@
123
128
  "devDependencies": {
124
129
  "@aws-sdk/client-cloudfront-keyvaluestore": "3.1053.0",
125
130
  "@aws-sdk/signature-v4a": "3.1063.0",
131
+ "@everystack/auth": "workspace:*",
132
+ "@everystack/cli": "workspace:*",
126
133
  "@types/aws-lambda": "8.10.161",
127
134
  "@types/jest": "29.5.14",
128
135
  "@types/node": "22.19.18",
@@ -132,13 +139,6 @@
132
139
  "postgres": "3.4.9",
133
140
  "sst": "4.13.1",
134
141
  "ts-jest": "29.4.9",
135
- "typescript": "5.9.3",
136
- "@everystack/auth": "0.2.6",
137
- "@everystack/cli": "0.2.39"
138
- },
139
- "scripts": {
140
- "test": "jest",
141
- "build": "tsc --build",
142
- "lint": "tsc --noEmit"
142
+ "typescript": "5.9.3"
143
143
  }
144
- }
144
+ }
package/src/image.ts CHANGED
@@ -155,6 +155,63 @@ export function parseParams(query: Record<string, string | undefined>): Transfor
155
155
  return params;
156
156
  }
157
157
 
158
+ /**
159
+ * ISOBMFF `ftyp` brands that mean "HEVC-coded HEIF" — i.e. a HEIC still image
160
+ * (iPhones shoot these by default). Sharp reports all of these as format
161
+ * `'heif'`, and our HEIC rescue path (heic-decode) can decode them.
162
+ */
163
+ const HEIC_BRANDS = new Set([
164
+ 'heic', 'heix', 'heim', 'heis', 'hevc', 'hevx', 'hevm', 'hevs', 'mif1', 'msf1',
165
+ ]);
166
+ const AVIF_BRANDS = new Set(['avif', 'avis']);
167
+
168
+ /**
169
+ * Identify an image format from its magic bytes, independently of Sharp.
170
+ *
171
+ * Sharp builds without libheif cannot even *identify* a HEIF container —
172
+ * `sharp(buf).metadata()` throws, format detection yields `undefined`, and a
173
+ * real HEIC photo is misrouted down the non-image passthrough path (413 when
174
+ * over the passthrough cap, or raw `image/heic` bytes that only Safari renders).
175
+ * Trusting the bytes instead of Sharp makes HEIC detection build-independent and
176
+ * lets the existing `heif` rescue path fire.
177
+ *
178
+ * Returns a Sharp-compatible format string (`jpeg`, `png`, `gif`, `webp`,
179
+ * `heif`, `avif`) or `undefined` when the bytes aren't a recognized image.
180
+ */
181
+ export function sniffImageFormat(data: Buffer): string | undefined {
182
+ if (data.length < 3) return undefined;
183
+
184
+ // JPEG: FF D8 FF
185
+ if (data[0] === 0xff && data[1] === 0xd8 && data[2] === 0xff) return 'jpeg';
186
+ // PNG: 89 50 4E 47 0D 0A 1A 0A
187
+ if (
188
+ data[0] === 0x89 && data[1] === 0x50 && data[2] === 0x4e && data[3] === 0x47 &&
189
+ data[4] === 0x0d && data[5] === 0x0a && data[6] === 0x1a && data[7] === 0x0a
190
+ ) return 'png';
191
+ // GIF: "GIF87a" / "GIF89a"
192
+ if (data.toString('ascii', 0, 3) === 'GIF') return 'gif';
193
+ // WebP: "RIFF"...."WEBP"
194
+ if (data.toString('ascii', 0, 4) === 'RIFF' && data.toString('ascii', 8, 12) === 'WEBP') return 'webp';
195
+ // TIFF: "II*\0" / "MM\0*"
196
+ if (
197
+ (data[0] === 0x49 && data[1] === 0x49 && data[2] === 0x2a && data[3] === 0x00) ||
198
+ (data[0] === 0x4d && data[1] === 0x4d && data[2] === 0x00 && data[3] === 0x2a)
199
+ ) return 'tiff';
200
+
201
+ // ISOBMFF (HEIC/HEIF/AVIF): [4-byte size]["ftyp"][major brand][minor][compatible…]
202
+ if (data.toString('ascii', 4, 8) === 'ftyp') {
203
+ const boxSize = Math.min(data.readUInt32BE(0) || data.length, data.length);
204
+ const brands: string[] = [data.toString('ascii', 8, 12)];
205
+ for (let off = 16; off + 4 <= boxSize; off += 4) {
206
+ brands.push(data.toString('ascii', off, off + 4));
207
+ }
208
+ if (brands.some((b) => HEIC_BRANDS.has(b))) return 'heif';
209
+ if (brands.some((b) => AVIF_BRANDS.has(b))) return 'avif';
210
+ }
211
+
212
+ return undefined;
213
+ }
214
+
158
215
  function isNotFound(error: any): boolean {
159
216
  return (
160
217
  error.name === 'NotFound' ||
@@ -367,7 +424,15 @@ export function createImageHandler(
367
424
  const meta = await sharp(originalData).metadata();
368
425
  detectedFormat = meta.format; // jpeg, png, webp, gif, tiff, heif, etc.
369
426
  } catch {
370
- // Sharp can't parse it — not an image
427
+ // Sharp can't parse it — not an image, OR a HEIF container this Sharp
428
+ // build has no libheif to identify. Fall through to the magic-byte sniff.
429
+ }
430
+
431
+ // A Sharp build without libheif throws on HEIF and leaves detectedFormat
432
+ // undefined, misrouting real HEIC photos to the non-image passthrough
433
+ // below. Sniff the bytes so `heif` is detected and the rescue path fires.
434
+ if (!detectedFormat) {
435
+ detectedFormat = sniffImageFormat(originalData);
371
436
  }
372
437
 
373
438
  if (!detectedFormat) {
package/src/plugin.ts CHANGED
@@ -582,6 +582,36 @@ export function dbPlugin(options: DbPluginOptions): Plugin {
582
582
  }
583
583
  };
584
584
 
585
+ // --- db:authz:probe — the authorization red-team's execution path ---
586
+ // Runs the CLI-built probe SQL (SET ROLE + attempt per role/table/command, each in
587
+ // its own savepoint) inside ONE transaction that ALWAYS rolls back, then returns the
588
+ // outcome rows. Unlike db:query this permits writes — they are required to test
589
+ // INSERT/UPDATE/DELETE privileges — but the forced rollback guarantees nothing
590
+ // persists. IAM-gated like every action. The CLI owns the SQL (authz-redteam.ts);
591
+ // this is the thin, transactional, self-reverting runner it needs.
592
+ actions['db:authz:probe'] = async (payload, _ctx) => {
593
+ const { setup, read } = (payload ?? {}) as { setup?: string; read?: string };
594
+ if (!setup || !read) {
595
+ return { error: 'db:authz:probe requires { setup, read } SQL strings' };
596
+ }
597
+ const { sql } = await import('drizzle-orm');
598
+ const PROBE_ROLLBACK = Symbol('authz_probe_rollback');
599
+ let rows: any[] = [];
600
+ try {
601
+ await opsDb.transaction(async (tx: any) => {
602
+ await tx.execute(sql.raw(setup));
603
+ const result: any = await tx.execute(sql.raw(read));
604
+ rows = Array.isArray(result) ? result : result?.rows ?? [];
605
+ throw PROBE_ROLLBACK; // discard every probe write
606
+ });
607
+ } catch (err: unknown) {
608
+ if (err !== PROBE_ROLLBACK) {
609
+ return { error: (err as any)?.message || String(err) };
610
+ }
611
+ }
612
+ return { rows };
613
+ };
614
+
585
615
  // --- db:doctor — "is my database actually secure?" ---
586
616
  // Probes the api connection (createDb / DATABASE_URL) and the operator connection
587
617
  // (opsDb / ADMIN_DATABASE_URL) from inside the VPC and reports whether the api path