@extend-therapy/elysia-db-ratelimiter 0.0.6 → 0.0.8

package/CHANGELOG.md

@@ -0,0 +1,23 @@
+# Changelog for @extend-therapy/elysia-db-ratelimiter
+
+## 0.0.8
+
+- simplify package.json
+- add more tests
+- add encryption to cookie
+- make encryption or hashing optional and called cookieObfuscation strategy
+- add alwaysCheckCookieValue option to check if the cookie value matches the IP address (set to true for `none` strategy)
+- add cookie and ratelimit key transfer on IP change
+- add cookie and ratelimit key transfer on invalid cookie value (if cookie is invalid, we generate a new key and transfer the cookie and ratelimit key to the new key)
+
+## 0.0.7
+
+- add declarationDir to tsconfig.json and types to package.json
+
+## 0.0.6
+
+- return false if failOpen is false and we can't get an IP
+
+## 0.0.5
+
+- don't return true on failure to get IP

package/README.md

@@ -37,7 +37,7 @@ const app = new Elysia()
 
 ### Using Redis
 
-Inject your Redis client directly into the options.
+Inject your Redis client directly into the options. Or use a global redis client for all instances of dbRateLimiter.
 
 ```typescript
 import { Elysia } from 'elysia';
@@ -75,6 +75,57 @@ const app = new Elysia()
 | `message` | `string` | `'Too many requests'` | Response body on limit exceed. |
 | `seed` | `string` | `undefined` | Optional seed for ID generation. |
 | `loggerOptions` | `LoggerOptions` | `undefined` | Custom Pino logger configuration. |
+| `cookieObfuscation` | `'aes-gcm' \| 'hash' \| 'none'` | `'aes-gcm'` | Cookie value obfuscation strategy. |
+| `alwaysCheckCookieValue` | `boolean` | `false` (except `none`) | Verifies cookie matches IP. Transfers count if mismatch. |
+
+## IP Privacy & Cookie Obfuscation
+
+The plugin uses a cookie-based identification system to track rate limits. To protect user privacy, the `rateLimitCookie` value is obfuscated using one of three strategies:
+
+### Obfuscation Strategies
+
+| Strategy | Description | Use Case |
+| :--- | :--- | :--- |
+| `aes-gcm` (Default) | AES-256-GCM encryption. Reversible and most secure. | Production (recommended) |
+| `hash` | SHA-256 hashing. One-way function, cannot retrieve original value. | When you don't need to recover the original IP |
+| `none` | No obfuscation. Plaintext storage. | Development/testing only |
+
+### Configuration of Cookie Obfuscation
+
+```typescript
+app.use(dbRateLimiter({
+    cookieObfuscation: 'hash', // Use hashing instead of encryption
+    limit: 100,
+    window: 60 * 1000
+}));
+```
+
+### Cookie Verification (`alwaysCheckCookieValue`)
+
+When enabled, the plugin verifies that the cookie value matches the current IP address. This is especially important for the `none` strategy (where it defaults to `true`) to prevent users from tampering with their cookies since it is easy to know the value and meaning of their cookie.
+
+**Behavior when cookie doesn't match IP (and `alwaysCheckCookieValue` is true):**
+
+1. The rate limit count is transferred from the old cookie to a new one
+2. A new cookie is set with the current IP's processed value
+3. The user continues with their existing count (not reset to zero)
+
+```typescript
+app.use(dbRateLimiter({
+    cookieObfuscation: 'none',
+    alwaysCheckCookieValue: true, // Defaults to true for 'none' strategy
+    limit: 100,
+    window: 60 * 1000
+}));
+```
+
+### Environment Variables
+
+When using `hash` strategy, you should set environment variable to ensure cookies remain valid across server restarts:
+
+- **`DB_RATE_LIMIT_HASH_PADDING`** (for `hash`): Set to any string value used as padding before hashing. If not provided, a random 16-byte to 32-byte padding is generated and cookies will be invalidated on restart.
+
+**Security Note**: If this environment variable is not set, the plugin generates random transient values. This ensures security but means all existing rate limit cookies will be invalidated whenever the server restarts.
 
 ## Identification Patterns (`pattern`)
 

package/dist/index.js

@@ -1,5 +1,6 @@
 export * from './src/dbRateLimiter';
 export * from './src/dbRateLimitHandler';
+export * from './src/dbRateLimitEncrypt';
 export * from './src/defaults';
 export * from './src/helpers/redisStore';
 export * from './src/helpers/sqliteStore';

package/dist/src/dbRateLimitEncrypt.js

@@ -0,0 +1,97 @@
+import { CryptoHasher } from "bun";
+// No top-level guard here to allow for lazy-loaded fallback key if env is missing
+// Lazy load the hash padding
+let _hashPadding = null;
+const getHashPadding = () => {
+    if (!_hashPadding) {
+        const envPadding = Bun.env.DB_RATE_LIMIT_HASH_PADDING;
+        if (envPadding) {
+            _hashPadding = envPadding;
+        }
+        else {
+            // Generate a random padding if not provided
+            console.info("INFO: DB_RATE_LIMIT_HASH_PADDING environment variable is not set. Using transient random padding. Hashed cookies will be invalidated on server restart.");
+            const randomSize = Math.floor(Math.random() * (32 - 16)) + 16;
+            _hashPadding = Buffer.from(crypto.getRandomValues(new Uint8Array(randomSize))).toString("base64");
+        }
+    }
+    return _hashPadding;
+};
+export const resetKey = () => {
+    _hashPadding = null;
+};
+/**
+ * Hash a value using CryptoHasher("sha512-256") with padding
+ * This is a one-way function - the original value cannot be retrieved
+ */
+export const dbRateLimitHash = async (value) => {
+    const padding = getHashPadding();
+    // Prepend padding to the value before hashing
+    const hasher = new CryptoHasher("sha512-256");
+    hasher.update(padding + value);
+    return hasher.digest("base64");
+};
+/**
+ * Process a cookie value based on the obfuscation strategy
+ * @param value - The value to process
+ * @param strategy - The obfuscation strategy to use
+ * @returns The processed value (always base64 encoded)
+ */
+export const processCookieValue = async (value, strategy) => {
+    switch (strategy) {
+        case "none":
+            return Buffer.from(value).toString("base64");
+        case "hash":
+        default: {
+            return dbRateLimitHash(value);
+        }
+    }
+};
+/**
+ * Validate that a value is valid base64 without extracting/decoding it
+ * @param value - The value to validate
+ * @returns Whether the value is valid base64
+ */
+export const isValidBase64 = (value) => {
+    try {
+        // Check if it's valid base64 by attempting to create a buffer
+        // This will throw if the string is not valid base64
+        const buffer = Buffer.from(value, "base64");
+        // Verify round-trip to ensure it's actually valid base64
+        return buffer.toString("base64") === value;
+    }
+    catch {
+        return false;
+    }
+};
+/**
+ * Verify that a cookie value matches the provided IP address
+ * @param cookieValue - The value from the cookie (base64 encoded)
+ * @param ip - The IP address to verify against
+ * @param strategy - The obfuscation strategy used
+ * @returns Whether the cookie value is valid for this IP
+ */
+export const verifyCookieValue = async (cookieValue, ip, strategy) => {
+    switch (strategy) {
+        case "none": {
+            try {
+                const decoded = Buffer.from(cookieValue, "base64").toString("utf8");
+                return decoded === ip;
+            }
+            catch {
+                return false;
+            }
+        }
+        case "hash":
+        default: {
+            try {
+                const expectedHash = await dbRateLimitHash(ip);
+                return cookieValue === expectedHash;
+            }
+            catch {
+                // Verification failed, cookie is invalid
+                return false;
+            }
+        }
+    }
+};

package/dist/src/dbRateLimitHandler.js

@@ -1,7 +1,11 @@
 import { InternalServerError } from "elysia";
 import { getIP } from "elysia-ip";
+import { isValidBase64, processCookieValue, verifyCookieValue } from "./dbRateLimitEncrypt";
 export const dbRateLimitHandler = (options) => {
     return async ({ cookie, log, path, request, set, query, ..._rest }) => {
+        const cookieObfuscation = options.cookieObfuscation || "hash";
+        // Default to true for 'none' strategy, false for others if alwaysCheckCookieValue is not explicitly set
+        const alwaysCheckCookieValue = options.alwaysCheckCookieValue ?? cookieObfuscation === "none";
         let currentLimit = options.limit;
         let currentWindow = options.window;
         let currentPattern = options.pattern;
@@ -33,48 +37,143 @@ export const dbRateLimitHandler = (options) => {
                     currentPattern = pathConfig.pattern;
             }
         }
-        let baseId = cookie.rateLimitCookie?.value;
-        if (!baseId) {
+        let cookieValue = cookie.rateLimitCookie?.value;
+        let oldCookieValue;
+        // Helper function to get IP lazily
+        const getClientIP = () => {
             const ip = getIP(request.headers);
-            if (!ip) {
-                // In test environment, use a default IP address to avoid log noise
-                const isTest = process.env.NODE_ENV === "test" || process.env.isTest === "true";
-                if (isTest) {
-                    baseId = "127.0.0.1";
-                    log.debug("Using default test IP for rate limiting");
+            if (ip)
+                return ip;
+            // In test environment, use a default IP address to avoid log noise
+            const isTest = Bun.env.NODE_ENV === "test" || Bun.env.isTest === "true";
+            if (isTest) {
+                log.warn("Using default test IP for rate limiting");
+                return "127.0.0.1";
+            }
+            const errorMsg = "Could not get IP address for rate limiting";
+            log.error(errorMsg);
+            if (options.failOpen === false) {
+                throw new InternalServerError(errorMsg);
+            }
+            // create a random id for their cookie and we'll try to use that if it's there
+            return Bun.randomUUIDv7("base64url").replaceAll("-", "");
+        };
+        // The rate limit identifier is always the cookie value itself
+        // For 'hash': the cookie contains the hash, which IS the identifier
+        // For 'none': the cookie contains base64(IP), which IS the identifier
+        let rateLimitIdentifier;
+        if (!cookieValue) {
+            // No cookie exists - get IP and create new identifier
+            const ip = getClientIP();
+            rateLimitIdentifier = await processCookieValue(ip, cookieObfuscation);
+        }
+        else {
+            // Cookie exists - validate it and use it directly as the identifier
+            let isValid = false;
+            if (cookieObfuscation === "hash") {
+                // For hash, verify by hashing current IP and comparing (if alwaysCheckCookieValue)
+                // Otherwise trust the cookie value
+                if (alwaysCheckCookieValue) {
+                    const ip = getClientIP();
+                    isValid = await verifyCookieValue(cookieValue, ip, cookieObfuscation);
+                    if (!isValid) {
+                        oldCookieValue = cookieValue;
+                        rateLimitIdentifier = await processCookieValue(ip, cookieObfuscation);
+                    }
+                    else {
+                        rateLimitIdentifier = cookieValue;
+                    }
                 }
                 else {
-                    const errorMsg = "Could not get IP address for rate limiting";
-                    log.error(errorMsg);
-                    if (options.failOpen === false) {
-                        throw new InternalServerError(errorMsg);
-                    }
-                    return;
+                    isValid = true;
+                    rateLimitIdentifier = cookieValue;
                 }
             }
             else {
-                baseId = ip;
+                // For 'none' obfuscation
+                // First validate it's valid base64
+                isValid = isValidBase64(cookieValue);
+                if (isValid) {
+                    if (alwaysCheckCookieValue) {
+                        const ip = getClientIP();
+                        const expectedValue = await processCookieValue(ip, cookieObfuscation);
+                        if (cookieValue !== expectedValue) {
+                            oldCookieValue = cookieValue;
+                            rateLimitIdentifier = expectedValue;
+                        }
+                        else {
+                            rateLimitIdentifier = cookieValue;
+                        }
+                    }
+                    else {
+                        rateLimitIdentifier = cookieValue;
+                    }
+                }
+                else {
+                    // Invalid base64 - treat as new cookie
+                    oldCookieValue = cookieValue;
+                    const ip = getClientIP();
+                    rateLimitIdentifier = await processCookieValue(ip, cookieObfuscation);
+                }
+            }
+        }
+        // Set the new cookie value (which is the rate limit identifier)
+        if (cookie.rateLimitCookie) {
+            cookie.rateLimitCookie.value = rateLimitIdentifier;
+        }
+        // If we have an old cookie value, transfer the rate limit to the new identifier
+        if (oldCookieValue && options.rateLimitStore) {
+            try {
+                const queryStr = new URLSearchParams(query).toString();
+                // Build the old rate limit ID (using old identifier)
+                const oldRateLimitId = `${oldCookieValue}:${path}${queryStr ? "?" + queryStr : ""}`;
+                const oldRateLimit = await options.rateLimitStore.get(oldRateLimitId);
+                if (oldRateLimit) {
+                    // Build the new rate limit ID
+                    let newRateLimitId;
+                    switch (currentPattern) {
+                        case "IP":
+                            newRateLimitId = rateLimitIdentifier;
+                            break;
+                        case "Route":
+                            newRateLimitId = path;
+                            break;
+                        case "IPRouteNoParams":
+                            newRateLimitId = `${rateLimitIdentifier}:${path}`;
+                            break;
+                        case "IPFullRoute":
+                        default:
+                            newRateLimitId = `${rateLimitIdentifier}:${path}${queryStr ? "?" + queryStr : ""}`;
+                    }
+                    // Transfer the rate limit count and reset time
+                    const now = Date.now();
+                    await options.rateLimitStore.set(newRateLimitId, {
+                        count: oldRateLimit.count,
+                        resetTime: oldRateLimit.resetTime,
+                    }, Math.ceil((oldRateLimit.resetTime - now) / 1000));
+                    log.debug(`Transferred rate limit from ${oldCookieValue} to new identifier`);
+                }
             }
-            if (cookie.rateLimitCookie && baseId) {
-                cookie.rateLimitCookie.value = baseId;
+            catch (e) {
+                log.warn(`Failed to transfer rate limit from old cookie: ${e}`);
             }
         }
+        // Build the final rate limit ID using the consistent identifier
         let finalRateLimitId;
-        const safeBaseId = baseId;
         switch (currentPattern) {
             case "IP":
-                finalRateLimitId = safeBaseId;
+                finalRateLimitId = rateLimitIdentifier;
                 break;
             case "Route":
                 finalRateLimitId = path;
                 break;
             case "IPRouteNoParams":
-                finalRateLimitId = `${safeBaseId}:${path}`;
+                finalRateLimitId = `${rateLimitIdentifier}:${path}`;
                 break;
             case "IPFullRoute":
             default: {
                 const queryStr = new URLSearchParams(query).toString();
-                finalRateLimitId = `${safeBaseId}:${path}${queryStr ? "?" + queryStr : ""}`;
+                finalRateLimitId = `${rateLimitIdentifier}:${path}${queryStr ? "?" + queryStr : ""}`;
                 break;
             }
         }

package/dist/src/defaults.js

@@ -11,4 +11,5 @@ export const defaultOptions = {
     window: 60 * 1000, // 1 minute
     failOpen: true,
     whitelistMode: false,
+    cookieObfuscation: "hash",
 };

package/dist/src/encryption.test.js

@@ -0,0 +1,78 @@
+import { beforeEach, describe, expect, it } from "bun:test";
+import { dbRateLimitHash, isValidBase64, processCookieValue, resetKey, } from "./dbRateLimitEncrypt";
+describe("dbRateLimitEncrypt", () => {
+    beforeEach(() => {
+        resetKey();
+    });
+    describe("dbRateLimitHash", () => {
+        it("should produce consistent hashes for the same input", async () => {
+            Bun.env.DB_RATE_LIMIT_HASH_PADDING = "test-padding-value";
+            const value = "127.0.0.1";
+            const hash1 = await dbRateLimitHash(value);
+            const hash2 = await dbRateLimitHash(value);
+            expect(hash1).toBe(hash2);
+            expect(typeof hash1).toBe("string");
+            expect(hash1.length).toBeGreaterThan(0);
+            delete Bun.env.DB_RATE_LIMIT_HASH_PADDING;
+        });
+        it("should produce different hashes for different inputs", async () => {
+            Bun.env.DB_RATE_LIMIT_HASH_PADDING = "test-padding-value";
+            const hash1 = await dbRateLimitHash("127.0.0.1");
+            const hash2 = await dbRateLimitHash("127.0.0.2");
+            expect(hash1).not.toBe(hash2);
+            delete Bun.env.DB_RATE_LIMIT_HASH_PADDING;
+        });
+        it("should use DB_RATE_LIMIT_HASH_PADDING when provided", async () => {
+            Bun.env.DB_RATE_LIMIT_HASH_PADDING = "my-secret-padding";
+            const value = "127.0.0.1";
+            const hash = await dbRateLimitHash(value);
+            // Reset and use same padding again
+            resetKey();
+            Bun.env.DB_RATE_LIMIT_HASH_PADDING = "my-secret-padding";
+            const hash2 = await dbRateLimitHash(value);
+            expect(hash).toBe(hash2);
+            // Different padding should produce different hash
+            resetKey();
+            Bun.env.DB_RATE_LIMIT_HASH_PADDING = "different-padding";
+            const hash3 = await dbRateLimitHash(value);
+            expect(hash).not.toBe(hash3);
+            delete Bun.env.DB_RATE_LIMIT_HASH_PADDING;
+        });
+    });
+    describe("processCookieValue", () => {
+        it("should return base64 encoded value for 'none' strategy", async () => {
+            const value = "127.0.0.1";
+            const result = await processCookieValue(value, "none");
+            expect(result).toBe(Buffer.from(value).toString("base64"));
+        });
+        it("should hash value for 'hash' strategy", async () => {
+            Bun.env.DB_RATE_LIMIT_HASH_PADDING = "test-padding";
+            const value = "127.0.0.1";
+            const result = await processCookieValue(value, "hash");
+            expect(result).not.toBe(value);
+            // Hash should be consistent
+            const result2 = await processCookieValue(value, "hash");
+            expect(result).toBe(result2);
+            delete Bun.env.DB_RATE_LIMIT_HASH_PADDING;
+        });
+    });
+    describe("isValidBase64", () => {
+        it("should return true for valid base64 strings", () => {
+            const value = "127.0.0.1";
+            const encoded = Buffer.from(value).toString("base64");
+            expect(isValidBase64(encoded)).toBe(true);
+        });
+        it("should return false for invalid base64 strings", () => {
+            expect(isValidBase64("not-valid-base64!!!")).toBe(false);
+            expect(isValidBase64("hello world")).toBe(false);
+        });
+        it("should return true for empty base64 string", () => {
+            expect(isValidBase64("")).toBe(true);
+        });
+        it("should return true for base64 encoded binary data", () => {
+            const binary = Buffer.from([0x00, 0x01, 0x02, 0x03]);
+            const encoded = binary.toString("base64");
+            expect(isValidBase64(encoded)).toBe(true);
+        });
+    });
+});

package/dist/src/helpers/redisStore.js

@@ -17,7 +17,7 @@ export class RedisRateLimitStore {
     async set(key, value, ttlSeconds) {
         if (!this.client)
             return;
-        await this.client.set(`rl:${key}`, JSON.stringify(value), 'EX', ttlSeconds);
+        await this.client.set(`rl:${key}`, JSON.stringify(value), "EX", ttlSeconds);
     }
     /**
      * Clears all rate limit data from Redis by deleting keys with rl: prefix
@@ -25,7 +25,7 @@ export class RedisRateLimitStore {
     async reset() {
         if (!this.client)
             return;
-        const keys = await this.client.keys('rl:*');
+        const keys = await this.client.keys("rl:*");
         if (keys && keys.length > 0) {
             await this.client.del(...keys);
         }

package/dist/{index.d.ts → types/index.d.ts}

@@ -1,5 +1,6 @@
 export * from './src/dbRateLimiter';
 export * from './src/dbRateLimitHandler';
+export * from './src/dbRateLimitEncrypt';
 export * from './src/defaults';
 export * from './src/helpers/redisStore';
 export * from './src/helpers/sqliteStore';

package/dist/types/src/dbRateLimitEncrypt.d.ts

@@ -0,0 +1,28 @@
+import type { DBRLCookieObfuscation } from "./types";
+export declare const resetKey: () => void;
+/**
+ * Hash a value using CryptoHasher("sha512-256") with padding
+ * This is a one-way function - the original value cannot be retrieved
+ */
+export declare const dbRateLimitHash: (value: string) => Promise<string>;
+/**
+ * Process a cookie value based on the obfuscation strategy
+ * @param value - The value to process
+ * @param strategy - The obfuscation strategy to use
+ * @returns The processed value (always base64 encoded)
+ */
+export declare const processCookieValue: (value: string, strategy: DBRLCookieObfuscation) => Promise<string>;
+/**
+ * Validate that a value is valid base64 without extracting/decoding it
+ * @param value - The value to validate
+ * @returns Whether the value is valid base64
+ */
+export declare const isValidBase64: (value: string) => boolean;
+/**
+ * Verify that a cookie value matches the provided IP address
+ * @param cookieValue - The value from the cookie (base64 encoded)
+ * @param ip - The IP address to verify against
+ * @param strategy - The obfuscation strategy used
+ * @returns Whether the cookie value is valid for this IP
+ */
+export declare const verifyCookieValue: (cookieValue: string, ip: string, strategy: DBRLCookieObfuscation) => Promise<boolean>;

package/dist/types/src/encryption.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/{src → types/src}/helpers/redisStore.d.ts

@@ -1,4 +1,4 @@
-import type { RateLimitStore, RateLimitStoreValue } from '../types';
+import type { RateLimitStore, RateLimitStoreValue } from "../types";
 export declare class RedisRateLimitStore implements RateLimitStore<Bun.RedisClient> {
     client: Bun.RedisClient;
     constructor(client: Bun.RedisClient);

package/dist/{src → types/src}/types.d.ts

@@ -23,6 +23,12 @@ export type DBRLPattern = "IPFullRoute" | "IPRouteNoParams" | "IP" | "Route";
  * - 'auto': Try Redis first, fallback to SQLite (default behavior)
  */
 export type DBRLBackingDb = "redis" | "sqlite" | "auto";
+/**
+ * Strategy for cookie value obfuscation (encryption/hashing).
+ * - 'hash': Hash the cookie value using sha512-256 (one-way, cannot retrieve original value)
+ * - 'none': Store cookie value as base64 encoded IP (reversible, not recommended for production)
+ */
+export type DBRLCookieObfuscation = "hash" | "none";
 /**
  * Data structure stored in the rate limit store.
  */
@@ -106,9 +112,20 @@ export type DBRLOptions = {
      */
     whitelistMode?: boolean;
     /**
-     * Whether to allow the request if the rate limiter encounters an internal error (Default: true).
-
-   * Set to false for a more strict security posture.
-   */
+     * Cookie obfuscation strategy (Default: 'hash').
+     * - 'hash': Hash using sha512-256 (one-way, cannot retrieve original value)
+     * - 'none': No obfuscation (base64 encoded IP, not recommended for production)
+     */
+    cookieObfuscation?: DBRLCookieObfuscation;
+    /**
+     * Whether to verify the cookie value matches the current IP address (Default: false for 'hash', true for 'none').
+     * When true and the cookie value doesn't match the IP, the rate limit count is transferred to a new cookie.
+     */
+    alwaysCheckCookieValue?: boolean;
+    /**
+       * Whether to allow the request if the rate limiter encounters an internal error (Default: true).
+  
+     * Set to false for a more strict security posture.
+     */
     failOpen?: boolean;
 };

package/package.json

@@ -6,29 +6,29 @@
   },
   "private": false,
   "type": "module",
-  "version": "0.0.6",
+  "version": "0.0.8",
   "author": "Eli Selkin <eli@extendtherapy.com>",
   "license": "MIT",
   "main": "dist/index.js",
+  "types": "dist/types/index.d.ts",
   "devDependencies": {
-    "@types/bun": "latest"
+    "@types/bun": "^1.3.9",
+    "typescript": "^5"
   },
   "scripts": {
     "prepublishOnly": "rm -rf dist || true && bunx tsc"
   },
   "peerDependencies": {
-    "@types/bun": "^1.3.0",
-    "typescript": "^5",
     "elysia": "^1.4.22",
     "pino": "^10.0.0",
     "elysia-ip": "^1.0.0"
   },
   "files": [
     "dist/**/*",
-    "AGENTS.md",
     "README.md",
     "package.json",
-    "LICENSE"
+    "LICENSE",
+    "CHANGELOG.md"
   ],
   "engines": {
     "bun": ">=1.3.0"

package/AGENTS.md

@@ -1,51 +0,0 @@
-# About the project
-
-- This is a Bun project so ALWAYS use `bun` or `bunx` instead of `node`, `npm`, or `npx`!
-- This is an [Elysia](https://elysiajs.com/) [plugin](https://elysiajs.com/essential/plugin.html).
-- All Elysia methods (like `derive` or `macro` or `use`) should be chained and not separated into a declaration or assignment and then applied to the variable.
-  For example:
-
-  Do **NOT** do this:
-
-  ```ts
-  const elysiaplugin = new Elysia();
-  elysiaplugin.use(someplugin);
-  elysiaplugin.resolve((ctx) => {
-    return { something: "abc" };
-  });
-  ```
-
-  **DO THIS** instead:
-
-  ```ts
-  const elysiaplugin = new Elysia().use(someplugin).resolve((ctx) => {
-    return { somethiong: "abc" };
-  });
-  ```
-
-## Commands
-
-- Use `bun test` instead of `jest` or `vitest`
-- Use `bun install` instead of `npm install` or `yarn install` or `pnpm install`
-- Use `bun run <script>` instead of `npm run <script>` or `yarn run <script>` or `pnpm run <script>`
-- Bun automatically loads .env, so don't use dotenv.
-
-## APIs
-
-- `bun:sqlite` for SQLite. Don't use `better-sqlite3`.
-- `Bun.redis` for Redis. Don't use `ioredis`.
-- `Bun.sql` for Postgres. Don't use `pg` or `postgres.js`.
-- Prefer `Bun.file` over `node:fs`'s readFile/writeFile
-- Bun.$`ls` instead of execa.
-
-## Testing
-
-Use `bun test` to run tests.
-
-```ts#index.test.ts
-import { test, expect } from "bun:test";
-
-test("hello world", () => {
-  expect(1).toBe(1);
-});
-```