@gjsify/fetch 0.0.4 → 0.1.0

package/lib/utils/referrer.js

@@ -0,0 +1,283 @@
+import { URL } from '@gjsify/url';
+import { isIP } from 'node:net';
+/**
+ * @external URL
+ * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/URL URL}
+ */
+/**
+ * @module utils/referrer
+ * @private
+ */
+/**
+ * @see {@link https://w3c.github.io/webappsec-referrer-policy/#strip-url Referrer Policy §8.4. Strip url for use as a referrer}
+ * @param url
+ * @param originOnly
+ */
+export function stripURLForUseAsAReferrer(url, originOnly = false) {
+    // 1. If url is null, return no referrer.
+    if (url == null || url === "no-referrer") { // eslint-disable-line no-eq-null, eqeqeq
+        return 'no-referrer';
+    }
+    const u = new URL(url);
+    // 2. If url's scheme is a local scheme, then return no referrer.
+    if (/^(about|blob|data):$/.test(u.protocol)) {
+        return 'no-referrer';
+    }
+    // 3. Set url's username to the empty string.
+    u.username = '';
+    // 4. Set url's password to null.
+    // Note: `null` appears to be a mistake as this actually results in the password being `"null"`.
+    u.password = '';
+    // 5. Set url's fragment to null.
+    // Note: `null` appears to be a mistake as this actually results in the fragment being `"#null"`.
+    u.hash = '';
+    // 6. If the origin-only flag is true, then:
+    if (originOnly) {
+        // 6.1. Set url's path to null.
+        // Note: `null` appears to be a mistake as this actually results in the path being `"/null"`.
+        u.pathname = '';
+        // 6.2. Set url's query to null.
+        // Note: `null` appears to be a mistake as this actually results in the query being `"?null"`.
+        u.search = '';
+    }
+    // 7. Return url.
+    return u;
+}
+/**
+ * @see {@link https://w3c.github.io/webappsec-referrer-policy/#enumdef-referrerpolicy enum ReferrerPolicy}
+ */
+export const ReferrerPolicy = new Set([
+    '',
+    'no-referrer',
+    'no-referrer-when-downgrade',
+    'same-origin',
+    'origin',
+    'strict-origin',
+    'origin-when-cross-origin',
+    'strict-origin-when-cross-origin',
+    'unsafe-url'
+]);
+/**
+ * @see {@link https://w3c.github.io/webappsec-referrer-policy/#default-referrer-policy default referrer policy}
+ */
+export const DEFAULT_REFERRER_POLICY = 'strict-origin-when-cross-origin';
+/**
+ * @see {@link https://w3c.github.io/webappsec-referrer-policy/#referrer-policies Referrer Policy §3. Referrer Policies}
+ * @param referrerPolicy
+ * @returns referrerPolicy
+ */
+export function validateReferrerPolicy(referrerPolicy) {
+    if (!ReferrerPolicy.has(referrerPolicy)) {
+        throw new TypeError(`Invalid referrerPolicy: ${referrerPolicy}`);
+    }
+    return referrerPolicy;
+}
+/**
+ * @see {@link https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy Referrer Policy §3.2. Is origin potentially trustworthy?}
+ * @param url
+ * @returns `true`: "Potentially Trustworthy", `false`: "Not Trustworthy"
+ */
+export function isOriginPotentiallyTrustworthy(url) {
+    // 1. If origin is an opaque origin, return "Not Trustworthy".
+    // Not applicable
+    // 2. Assert: origin is a tuple origin.
+    // Not for implementations
+    // 3. If origin's scheme is either "https" or "wss", return "Potentially Trustworthy".
+    if (/^(http|ws)s:$/.test(url.protocol)) {
+        return true;
+    }
+    // 4. If origin's host component matches one of the CIDR notations 127.0.0.0/8 or ::1/128 [RFC4632], return "Potentially Trustworthy".
+    const hostIp = url.host.replace(/(^\[)|(]$)/g, '');
+    const hostIPVersion = isIP(hostIp);
+    if (hostIPVersion === 4 && /^127\./.test(hostIp)) {
+        return true;
+    }
+    if (hostIPVersion === 6 && /^(((0+:){7})|(::(0+:){0,6}))0*1$/.test(hostIp)) {
+        return true;
+    }
+    // 5. If origin's host component is "localhost" or falls within ".localhost", and the user agent conforms to the name resolution rules in [let-localhost-be-localhost], return "Potentially Trustworthy".
+    // We are returning FALSE here because we cannot ensure conformance to
+    // let-localhost-be-loalhost (https://tools.ietf.org/html/draft-west-let-localhost-be-localhost)
+    if (url.host === 'localhost' || url.host.endsWith('.localhost')) {
+        return false;
+    }
+    // 6. If origin's scheme component is file, return "Potentially Trustworthy".
+    if (url.protocol === 'file:') {
+        return true;
+    }
+    // 7. If origin's scheme component is one which the user agent considers to be authenticated, return "Potentially Trustworthy".
+    // Not supported
+    // 8. If origin has been configured as a trustworthy origin, return "Potentially Trustworthy".
+    // Not supported
+    // 9. Return "Not Trustworthy".
+    return false;
+}
+/**
+ * @see {@link https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy Referrer Policy §3.3. Is url potentially trustworthy?}
+ * @param url
+ * @returns `true`: "Potentially Trustworthy", `false`: "Not Trustworthy"
+ */
+export function isUrlPotentiallyTrustworthy(url) {
+    // 1. If url is "about:blank" or "about:srcdoc", return "Potentially Trustworthy".
+    if (/^about:(blank|srcdoc)$/.test(url.toString())) {
+        return true;
+    }
+    if (typeof url === 'string') {
+        url = new URL(url);
+    }
+    // 2. If url's scheme is "data", return "Potentially Trustworthy".
+    if (url.protocol === 'data:') {
+        return true;
+    }
+    // Note: The origin of blob: and filesystem: URLs is the origin of the context in which they were
+    // created. Therefore, blobs created in a trustworthy origin will themselves be potentially
+    // trustworthy.
+    if (/^(blob|filesystem):$/.test(url.protocol)) {
+        return true;
+    }
+    // 3. Return the result of executing §3.2 Is origin potentially trustworthy? on url's origin.
+    return isOriginPotentiallyTrustworthy(url);
+}
+/**
+ * Modifies the referrerURL to enforce any extra security policy considerations.
+ * @see {@link https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer Referrer Policy §8.3. Determine request's Referrer}, step 7
+ * @callback module:utils/referrer~referrerURLCallback
+ * @param {external:URL} referrerURL
+ * @returns {external:URL} modified referrerURL
+ */
+/**
+ * Modifies the referrerOrigin to enforce any extra security policy considerations.
+ * @see {@link https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer Referrer Policy §8.3. Determine request's Referrer}, step 7
+ * @callback module:utils/referrer~referrerOriginCallback
+ * @param {external:URL} referrerOrigin
+ * @returns {external:URL} modified referrerOrigin
+ */
+/**
+ * @see {@link https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer Referrer Policy §8.3. Determine request's Referrer}
+ * @param request
+ * @param {object} o
+ * @param {module:utils/referrer~referrerURLCallback} o.referrerURLCallback
+ * @param {module:utils/referrer~referrerOriginCallback} o.referrerOriginCallback
+ * @returns {external:URL} Request's referrer
+ */
+export function determineRequestsReferrer(request, obj = {}) {
+    const { referrerURLCallback, referrerOriginCallback } = obj;
+    // There are 2 notes in the specification about invalid pre-conditions.  We return null, here, for
+    // these cases:
+    // > Note: If request's referrer is "no-referrer", Fetch will not call into this algorithm.
+    // > Note: If request's referrer policy is the empty string, Fetch will not call into this
+    // > algorithm.
+    if (request.referrer === 'no-referrer' || request.referrerPolicy === '') {
+        return null;
+    }
+    // 1. Let policy be request's associated referrer policy.
+    const policy = request.referrerPolicy;
+    // 2. Let environment be request's client.
+    // not applicable to node.js
+    // 3. Switch on request's referrer:
+    if (request.referrer === 'about:client') {
+        return 'no-referrer';
+    }
+    // "a URL": Let referrerSource be request's referrer.
+    const referrerSource = new URL(request.referrer);
+    // 4. Let request's referrerURL be the result of stripping referrerSource for use as a referrer.
+    let referrerURL = stripURLForUseAsAReferrer(referrerSource);
+    // 5. Let referrerOrigin be the result of stripping referrerSource for use as a referrer, with the
+    //    origin-only flag set to true.
+    let referrerOrigin = stripURLForUseAsAReferrer(referrerSource, true);
+    // 6. If the result of serializing referrerURL is a string whose length is greater than 4096, set
+    //    referrerURL to referrerOrigin.
+    if (referrerURL.toString().length > 4096) {
+        referrerURL = referrerOrigin;
+    }
+    // 7. The user agent MAY alter referrerURL or referrerOrigin at this point to enforce arbitrary
+    //    policy considerations in the interests of minimizing data leakage. For example, the user
+    //    agent could strip the URL down to an origin, modify its host, replace it with an empty
+    //    string, etc.
+    if (referrerURLCallback) {
+        referrerURL = referrerURLCallback(referrerURL);
+    }
+    if (referrerOriginCallback) {
+        referrerOrigin = referrerOriginCallback(referrerOrigin);
+    }
+    // 8.Execute the statements corresponding to the value of policy:
+    const currentURL = new URL(request.url);
+    switch (policy) {
+        case 'no-referrer':
+            return 'no-referrer';
+        case 'origin':
+            return referrerOrigin;
+        case 'unsafe-url':
+            return referrerURL;
+        case 'strict-origin':
+            // 1. If referrerURL is a potentially trustworthy URL and request's current URL is not a
+            //    potentially trustworthy URL, then return no referrer.
+            if (isUrlPotentiallyTrustworthy(referrerURL) && !isUrlPotentiallyTrustworthy(currentURL)) {
+                return 'no-referrer';
+            }
+            // 2. Return referrerOrigin.
+            return referrerOrigin.toString();
+        case 'strict-origin-when-cross-origin':
+            // 1. If the origin of referrerURL and the origin of request's current URL are the same, then
+            //    return referrerURL.
+            if (referrerURL.origin === currentURL.origin) {
+                return referrerURL;
+            }
+            // 2. If referrerURL is a potentially trustworthy URL and request's current URL is not a
+            //    potentially trustworthy URL, then return no referrer.
+            if (isUrlPotentiallyTrustworthy(referrerURL) && !isUrlPotentiallyTrustworthy(currentURL)) {
+                return 'no-referrer';
+            }
+            // 3. Return referrerOrigin.
+            return referrerOrigin;
+        case 'same-origin':
+            // 1. If the origin of referrerURL and the origin of request's current URL are the same, then
+            //    return referrerURL.
+            if (referrerURL.origin === currentURL.origin) {
+                return referrerURL;
+            }
+            // 2. Return no referrer.
+            return 'no-referrer';
+        case 'origin-when-cross-origin':
+            // 1. If the origin of referrerURL and the origin of request's current URL are the same, then
+            //    return referrerURL.
+            if (referrerURL.origin === currentURL.origin) {
+                return referrerURL;
+            }
+            // Return referrerOrigin.
+            return referrerOrigin;
+        case 'no-referrer-when-downgrade':
+            // 1. If referrerURL is a potentially trustworthy URL and request's current URL is not a
+            //    potentially trustworthy URL, then return no referrer.
+            if (isUrlPotentiallyTrustworthy(referrerURL) && !isUrlPotentiallyTrustworthy(currentURL)) {
+                return 'no-referrer';
+            }
+            // 2. Return referrerURL.
+            return referrerURL;
+        default:
+            throw new TypeError(`Invalid referrerPolicy: ${policy}`);
+    }
+}
+/**
+ * @see {@link https://w3c.github.io/webappsec-referrer-policy/#parse-referrer-policy-from-header|Referrer Policy §8.1. Parse a referrer policy from a Referrer-Policy header}
+ * @param {Headers} headers Response headers
+ * @returns {string} policy
+ */
+export function parseReferrerPolicyFromHeader(headers) {
+    // 1. Let policy-tokens be the result of extracting header list values given `Referrer-Policy`
+    //    and response’s header list.
+    const policyTokens = (headers.get('referrer-policy') || '').split(/[,\s]+/);
+    // 2. Let policy be the empty string.
+    let policy = '';
+    // 3. For each token in policy-tokens, if token is a referrer policy and token is not the empty
+    //    string, then set policy to token.
+    // Note: This algorithm loops over multiple policy values to allow deployment of new policy
+    // values with fallbacks for older user agents, as described in § 11.1 Unknown Policy Values.
+    for (const token of policyTokens) {
+        if (token && ReferrerPolicy.has(token)) {
+            policy = token;
+        }
+    }
+    // 4. Return policy.
+    return policy;
+}

package/lib/utils/soup-helpers.d.ts

@@ -0,0 +1,12 @@
+import Gio from '@girs/gio-2.0';
+import Soup from '@girs/soup-3.0';
+import { Readable } from 'node:stream';
+import type { ReadableOptions } from 'node:stream';
+/**
+ * Promise wrapper around `Soup.Session.send_async` / `send_finish`.
+ */
+export declare function soupSendAsync(session: Soup.Session, msg: Soup.Message, ioPriority?: number, cancellable?: Gio.Cancellable | null): Promise<Gio.InputStream>;
+/**
+ * Converts a `Gio.InputStream` to a Node.js `Readable` stream.
+ */
+export declare function inputStreamToReadable(inputStream: Gio.InputStream, options?: ReadableOptions): Readable;

package/lib/utils/soup-helpers.js

@@ -0,0 +1,25 @@
+import GLib from '@girs/glib-2.0';
+import { Readable } from 'node:stream';
+import { inputStreamAsyncIterator } from '@gjsify/utils';
+/**
+ * Promise wrapper around `Soup.Session.send_async` / `send_finish`.
+ */
+export async function soupSendAsync(session, msg, ioPriority = GLib.PRIORITY_DEFAULT, cancellable = null) {
+    return new Promise((resolve, reject) => {
+        session.send_async(msg, ioPriority, cancellable, (_self, asyncRes) => {
+            try {
+                const inputStream = session.send_finish(asyncRes);
+                resolve(inputStream);
+            }
+            catch (error) {
+                reject(error);
+            }
+        });
+    });
+}
+/**
+ * Converts a `Gio.InputStream` to a Node.js `Readable` stream.
+ */
+export function inputStreamToReadable(inputStream, options = {}) {
+    return Readable.from(inputStreamAsyncIterator(inputStream), options);
+}

package/package.json

@@ -1,32 +1,27 @@
 {
   "name": "@gjsify/fetch",
-  "version": "0.0.4",
+  "version": "0.1.0",
   "description": "Web and Node.js fetch module for Gjs",
-  "main": "lib/cjs/index.js",
   "module": "lib/esm/index.js",
+  "types": "lib/types/index.d.ts",
   "type": "module",
   "exports": {
     ".": {
-      "import": {
-        "types": "./lib/types/index.d.ts",
-        "default": "./lib/esm/index.js"
-      },
-      "require": {
-        "types": "./lib/types/index.d.ts",
-        "default": "./lib/cjs/index.js"
-      }
-    }
+      "types": "./lib/types/index.d.ts",
+      "default": "./lib/esm/index.js"
+    },
+    "./globals": "./globals.mjs"
   },
   "scripts": {
-    "clear": "rm -rf lib tsconfig.tsbuildinfo tsconfig.types.tsbuildinfo || exit 0",
-    "print:name": "echo '@gjsify/fetch'",
-    "build": "yarn print:name && yarn build:gjsify",
+    "clear": "rm -rf lib tsconfig.tsbuildinfo tsconfig.types.tsbuildinfo test.gjs.mjs test.node.mjs || exit 0",
+    "check": "tsc --noEmit",
+    "build": "yarn build:gjsify && yarn build:types",
     "build:gjsify": "gjsify build --library 'src/**/*.{ts,js}' --exclude 'src/**/*.spec.{mts,ts}' 'src/test.{mts,ts}'",
-    "build:types": "tsc --project tsconfig.types.json",
+    "build:types": "tsc",
     "build:test": "yarn build:test:gjs && yarn build:test:node",
     "build:test:gjs": "gjsify build src/test.mts --app gjs --outfile test.gjs.mjs",
     "build:test:node": "gjsify build src/test.mts --app node --outfile test.node.mjs",
-    "test": "yarn print:name && yarn build:gjsify && yarn build:test && yarn test:node && yarn test:gjs",
+    "test": "yarn build:gjsify && yarn build:test:node && yarn test:node",
     "test:gjs": "gjs -m test.gjs.mjs",
     "test:node": "node test.node.mjs"
   },
@@ -36,18 +31,19 @@
     "fetch"
   ],
   "devDependencies": {
-    "@gjsify/cli": "^0.0.4",
-    "@gjsify/http": "^0.0.4",
-    "@gjsify/unit": "^0.0.4",
-    "@types/node": "^20.10.5"
+    "@gjsify/cli": "^0.1.0",
+    "@gjsify/unit": "^0.1.0",
+    "@types/node": "^25.5.0",
+    "typescript": "^6.0.2"
   },
   "dependencies": {
-    "@gjsify/deno-runtime": "^0.0.4",
-    "@gjsify/gio-2.0": "^0.0.4",
-    "@gjsify/soup-3.0": "^0.0.4",
-    "@types/node-fetch": "^2.6.10",
-    "data-uri-to-buffer": "^6.0.1",
-    "formdata-polyfill": "^4.0.10",
-    "node-fetch": "^3.3.2"
+    "@girs/gio-2.0": "^2.88.0-4.0.0-beta.42",
+    "@girs/gjs": "^4.0.0-beta.42",
+    "@girs/glib-2.0": "^2.88.0-4.0.0-beta.42",
+    "@girs/soup-3.0": "^3.6.6-4.0.0-beta.42",
+    "@gjsify/formdata": "^0.1.0",
+    "@gjsify/http": "^0.1.0",
+    "@gjsify/url": "^0.1.0",
+    "@gjsify/utils": "^0.1.0"
   }
 }