npm - @floegence/flowersec-core - Versions diffs - 0.19.0 → 0.19.1 - Mend

@floegence/flowersec-core 0.19.0 → 0.19.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/controlplane/request.js +60 -1
package/dist/proxy/cookieJar.d.ts +3 -2
package/dist/proxy/cookieJar.js +68 -20
package/dist/proxy/runtime.js +2 -2
package/dist/proxy/serviceWorker.js +5 -10
package/package.json +1 -1

package/dist/controlplane/request.js CHANGED Viewed

@@ -13,6 +13,13 @@ export class ControlplaneRequestError extends Error {
 }
 export const DEFAULT_CONNECT_ARTIFACT_PATH = "/v1/connect/artifact";
 export const DEFAULT_ENTRY_CONNECT_ARTIFACT_PATH = "/v1/connect/artifact/entry";
+const DEFAULT_MAX_CONTROLPLANE_RESPONSE_BYTES = 1 << 20;
+class ControlplaneResponseTooLargeError extends Error {
+    constructor(maxBytes) {
+        super(`controlplane response exceeded ${maxBytes} bytes`);
+        this.name = "ControlplaneResponseTooLargeError";
+    }
+}
 function resolveFetch(fetchImpl) {
     if (fetchImpl)
         return fetchImpl;
@@ -37,6 +44,46 @@ function parseMaybeJSON(bodyText) {
         return trimmed;
     }
 }
+function parseContentLength(headerValue) {
+    const raw = String(headerValue ?? "").trim();
+    if (raw === "")
+        return null;
+    if (!/^[0-9]+$/.test(raw))
+        return null;
+    const parsed = Number(raw);
+    if (!Number.isSafeInteger(parsed) || parsed < 0)
+        return null;
+    return parsed;
+}
+async function readControlplaneText(response, maxBytes) {
+    const contentLength = parseContentLength(response.headers.get("Content-Length"));
+    if (contentLength !== null && contentLength > maxBytes) {
+        throw new ControlplaneResponseTooLargeError(maxBytes);
+    }
+    if (!response.body) {
+        return "";
+    }
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    let totalBytes = 0;
+    let text = "";
+    while (true) {
+        const chunk = await reader.read();
+        if (chunk.done)
+            break;
+        totalBytes += chunk.value.byteLength;
+        if (totalBytes > maxBytes) {
+            try {
+                await reader.cancel();
+            }
+            catch { }
+            throw new ControlplaneResponseTooLargeError(maxBytes);
+        }
+        text += decoder.decode(chunk.value, { stream: true });
+    }
+    text += decoder.decode();
+    return text;
+}
 function decodeErrorMessage(status, responseBody) {
     let message = `controlplane request failed: ${status}`;
     let code = "";
@@ -61,7 +108,19 @@ export async function requestControlplaneJSON(url, init) {
         ...init,
         cache: "no-store",
     });
-    const rawBody = await response.text();
+    let rawBody = "";
+    try {
+        rawBody = await readControlplaneText(response, DEFAULT_MAX_CONTROLPLANE_RESPONSE_BYTES);
+    }
+    catch (err) {
+        if (err instanceof ControlplaneResponseTooLargeError && !response.ok) {
+            throw new ControlplaneRequestError({
+                status: response.status,
+                message: err.message,
+            });
+        }
+        throw err;
+    }
     const responseBody = parseMaybeJSON(rawBody);
     if (!response.ok) {
         const error = decodeErrorMessage(response.status, responseBody);

package/dist/proxy/cookieJar.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 export declare class CookieJar {
     private readonly cookies;
-    setCookie(setCookieHeader: string): void;
-    updateFromSetCookieHeaders(headers: readonly string[]): void;
+    private nextCreatedAtSeq;
+    setCookie(setCookieHeader: string, requestPath?: string): void;
+    updateFromSetCookieHeaders(headers: readonly string[], requestPath?: string): void;
     getCookieHeader(path: string): string;
 }

package/dist/proxy/cookieJar.js CHANGED Viewed

@@ -11,9 +11,54 @@ function parseCookieNameValue(s) {
         return null;
     return { name, value };
 }
+function cookieStorageKey(name, path) {
+    return `${name}\u0000${path}`;
+}
+function requestPathOnly(path) {
+    const raw = path.trim();
+    if (!raw.startsWith("/"))
+        return "/";
+    const q = raw.indexOf("?");
+    const out = q >= 0 ? raw.slice(0, q) : raw;
+    return out === "" ? "/" : out;
+}
+function defaultCookiePathFromRequestPath(requestPath) {
+    const path = requestPathOnly(requestPath);
+    if (path === "/")
+        return "/";
+    const lastSlash = path.lastIndexOf("/");
+    if (lastSlash <= 0)
+        return "/";
+    return path.slice(0, lastSlash);
+}
+function normalizeCookiePath(pathAttr, requestPath) {
+    const path = pathAttr?.trim() ?? "";
+    if (path === "" || !path.startsWith("/"))
+        return defaultCookiePathFromRequestPath(requestPath);
+    return path;
+}
+function pathMatchesCookiePath(requestPath, cookiePath) {
+    const path = requestPathOnly(requestPath);
+    if (cookiePath === "/")
+        return true;
+    if (path === cookiePath)
+        return true;
+    if (!path.startsWith(cookiePath))
+        return false;
+    if (cookiePath.endsWith("/"))
+        return true;
+    return path.charAt(cookiePath.length) === "/";
+}
+function compareCookiesForHeader(a, b) {
+    const pathLenDiff = b.path.length - a.path.length;
+    if (pathLenDiff !== 0)
+        return pathLenDiff;
+    return a.createdAtSeq - b.createdAtSeq;
+}
 export class CookieJar {
     cookies = new Map();
-    setCookie(setCookieHeader) {
+    nextCreatedAtSeq = 0;
+    setCookie(setCookieHeader, requestPath = "/") {
         const raw = setCookieHeader.trim();
         if (raw === "")
             return;
@@ -23,15 +68,16 @@ export class CookieJar {
         const nv = parseCookieNameValue(parts[0] ?? "");
         if (nv == null)
             return;
-        let path = "/";
+        let pathAttr;
         let expiresAtMs;
+        let maxAgeSeen = false;
         for (let i = 1; i < parts.length; i++) {
             const p = parts[i];
             const lower = p.toLowerCase();
             if (lower.startsWith("path=")) {
                 const v = p.slice("path=".length).trim();
                 if (v !== "")
-                    path = v;
+                    pathAttr = v;
                 continue;
             }
             if (lower.startsWith("max-age=")) {
@@ -39,14 +85,13 @@ export class CookieJar {
                 const n = Number.parseInt(v, 10);
                 if (!Number.isFinite(n))
                     continue;
-                if (n <= 0) {
-                    this.cookies.delete(nv.name);
-                    return;
-                }
-                expiresAtMs = nowMs() + n * 1000;
+                maxAgeSeen = true;
+                expiresAtMs = n <= 0 ? 0 : nowMs() + n * 1000;
                 continue;
             }
             if (lower.startsWith("expires=")) {
+                if (maxAgeSeen)
+                    continue;
                 const v = p.slice("expires=".length).trim();
                 const t = Date.parse(v);
                 if (!Number.isFinite(t))
@@ -55,34 +100,37 @@ export class CookieJar {
                 continue;
             }
         }
-        // Expired via Expires.
+        const path = normalizeCookiePath(pathAttr, requestPath);
+        const key = cookieStorageKey(nv.name, path);
         if (expiresAtMs != null && expiresAtMs <= nowMs()) {
-            this.cookies.delete(nv.name);
+            this.cookies.delete(key);
             return;
         }
+        const createdAtSeq = this.cookies.get(key)?.createdAtSeq ?? this.nextCreatedAtSeq++;
         if (expiresAtMs == null) {
-            this.cookies.set(nv.name, { name: nv.name, value: nv.value, path });
+            this.cookies.set(key, { name: nv.name, value: nv.value, path, createdAtSeq });
         }
         else {
-            this.cookies.set(nv.name, { name: nv.name, value: nv.value, path, expiresAtMs });
+            this.cookies.set(key, { name: nv.name, value: nv.value, path, expiresAtMs, createdAtSeq });
         }
     }
-    updateFromSetCookieHeaders(headers) {
+    updateFromSetCookieHeaders(headers, requestPath = "/") {
         for (const h of headers)
-            this.setCookie(h);
+            this.setCookie(h, requestPath);
     }
     getCookieHeader(path) {
         const now = nowMs();
-        const pairs = [];
-        for (const c of this.cookies.values()) {
+        const matched = [];
+        for (const [key, c] of this.cookies.entries()) {
             if (c.expiresAtMs != null && c.expiresAtMs <= now) {
-                this.cookies.delete(c.name);
+                this.cookies.delete(key);
                 continue;
             }
-            if (c.path !== "/" && !path.startsWith(c.path))
+            if (!pathMatchesCookiePath(path, c.path))
                 continue;
-            pairs.push(`${c.name}=${c.value}`);
+            matched.push(c);
         }
-        return pairs.join("; ");
+        matched.sort(compareCookiesForHeader);
+        return matched.map((c) => `${c.name}=${c.value}`).join("; ");
     }
 }

package/dist/proxy/runtime.js CHANGED Viewed

@@ -102,7 +102,7 @@ export function createProxyRuntime(opts) {
             ctl?.postMessage({ type: "flowersec-proxy:register-runtime" });
         }
         catch {
-            // Best-effort: runtime can still work if SW picks it via matchAll().
+            // Best-effort: controllerchange will retry once the active Service Worker is ready.
         }
     };
     const onMessage = (ev) => {
@@ -168,7 +168,7 @@ export function createProxyRuntime(opts) {
                 const status = Math.max(0, Math.floor(respMeta.status ?? 502));
                 const rawHeaders = Array.isArray(respMeta.headers) ? respMeta.headers : [];
                 const { passthrough, setCookie } = filterResponseHeaders(rawHeaders, { extraAllowed: extraResponseHeaders });
-                cookieJar.updateFromSetCookieHeaders(setCookie);
+                cookieJar.updateFromSetCookieHeaders(setCookie, path);
                 port.postMessage({ type: "flowersec-proxy:response_meta", status, headers: passthrough });
                 const chunks = await readChunkFrames(reader, maxChunkBytes, maxBodyBytes);
                 for await (const chunk of chunks) {

package/dist/proxy/serviceWorker.js CHANGED Viewed

@@ -159,6 +159,7 @@ self.addEventListener("install", (event) => {
 });
 self.addEventListener("activate", (event) => {
+  runtimeClientId = null;
   event.waitUntil(self.clients.claim());
 });
@@ -207,16 +208,10 @@ async function getWindowClient(preferredClientId) {
     return cs.length > 0 ? cs[0] : null;
   }
-  if (runtimeClientId) {
-    const c = await self.clients.get(runtimeClientId);
-    if (c) return c;
-    runtimeClientId = null;
-  }
-  const cs = await self.clients.matchAll({ type: "window", includeUncontrolled: true });
-  if (cs.length > 0) {
-    runtimeClientId = cs[0].id;
-    return cs[0];
-  }
+  if (!runtimeClientId) return null;
+  const c = await self.clients.get(runtimeClientId);
+  if (c) return c;
+  runtimeClientId = null;
   return null;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@floegence/flowersec-core",
-  "version": "0.19.0",
+  "version": "0.19.1",
   "description": "Flowersec core TypeScript library (browser-friendly E2EE + multiplexing over WebSocket).",
   "license": "MIT",
   "repository": {