@hemia/core 0.0.12 → 0.0.14

package/dist/hemia-core.esm.js

@@ -1,12 +1,12 @@
 import 'reflect-metadata';
 import express, { Router } from 'express';
-import { METADATA_KEYS, ParamType, ApiResponse, isRedirectResponse, ControllerRegistry } from '@hemia/common';
+import { METADATA_KEYS, ParamType, ApiResponse, isRedirectResponse, HttpError, ControllerRegistry, CustomHttpError } from '@hemia/common';
 import { TRACE_METADATA_KEY } from '@hemia/trace-manager';
 import { traceMiddleware } from '@hemia/app-context';
 import { plainToInstance } from 'class-transformer';
 import multer from 'multer';
 import { injectable, inject } from 'inversify';
-import { AUTH_SERVICE_ID, AuthService } from '@hemia/auth-sdk';
+import { AUTH_SERVICE_ID, AuthService, OAuthService } from '@hemia/auth-sdk';
 
 class GuardsConsumer {
     /**
@@ -227,7 +227,9 @@ async function registerRoutes(app, container, controllerIdentifiers, onTraceFini
                     console.error(`Error en ${route.method.toUpperCase()} ${basePath}${route.path}:`, error);
                     const status = error.statusCode || error.status || 500;
                     const message = error.message || 'Internal Server Error';
-                    const errorResponse = ApiResponse.error(message, error.stack, status);
+                    const errorDetail = error instanceof HttpError ? error.error : undefined;
+                    const isDev = process.env.NODE_ENV === 'development';
+                    const errorResponse = ApiResponse.error(message, errorDetail || (isDev ? error.stack : undefined), status);
                     const { status: errStatus, ...errorData } = errorResponse;
                     res.status(errStatus).json(errorData);
                 }
@@ -338,9 +340,9 @@ class AppFactory {
             const defaultHeaders = {
                 'Access-Control-Allow-Origin': req.headers.origin || '*',
                 'Access-Control-Allow-Methods': 'GET,POST,PUT,DELETE,PATCH,OPTIONS',
-                'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Api-Key, Language, X-No-Cookies, x-session',
+                'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Api-Key, Language, X-No-Cookies, x-session, x-client-id, X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After',
                 'Access-Control-Allow-Credentials': 'true',
-                'Access-Control-Expose-Headers': 'Authorization, X-Correlation-Id, X-Trace-Id, x-session',
+                'Access-Control-Expose-Headers': 'Authorization, X-Correlation-Id, X-Trace-Id, x-session, X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After',
             };
             const headers = { ...defaultHeaders, ...(options.corsHeaders || {}) };
             Object.entries(headers).forEach(([key, value]) => {
@@ -525,4 +527,112 @@ JWTGuard = __decorate([
     __metadata("design:paramtypes", [AuthService])
 ], JWTGuard);
 
-export { ApiKeyGuard, AppFactory, AuthGuard, GuardsConsumer, HemiaExecutionContext, JWTGuard, Reflector, ResponseSerializer, registerRoutes };
+let PublicClientGuard = class PublicClientGuard {
+    constructor(oauthService) {
+        this.oauthService = oauthService;
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const clientId = request.headers['x-client-id'] || request.body.client_id;
+        if (!clientId) {
+            return false;
+        }
+        const client = await this.oauthService.getByClientId(clientId);
+        if (!client || !client.isActive) {
+            return false;
+        }
+        request.oauthClient = client;
+        return true;
+    }
+};
+PublicClientGuard = __decorate([
+    injectable(),
+    __param(0, inject(OAuthService)),
+    __metadata("design:paramtypes", [OAuthService])
+], PublicClientGuard);
+
+var ThrottleGuard_1;
+let ThrottleGuard = ThrottleGuard_1 = class ThrottleGuard {
+    constructor() {
+        if (!ThrottleGuard_1.cleanupInterval) {
+            ThrottleGuard_1.cleanupInterval = setInterval(() => {
+                this.cleanup();
+            }, 60000);
+            ThrottleGuard_1.cleanupInterval.unref();
+        }
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const handler = context.getHandler();
+        const options = Reflect.getMetadata(METADATA_KEYS.THROTTLE, handler);
+        if (!options) {
+            return true;
+        }
+        if (options.skipIf && options.skipIf(context)) {
+            return true;
+        }
+        const ip = this.getClientIp(request);
+        const endpointKey = `${context.getClass().name}:${handler.name}`;
+        const key = `throttle:${endpointKey}:${ip}`;
+        const now = Date.now();
+        const ttlMs = options.ttl * 1000;
+        let record = ThrottleGuard_1.storage.get(key);
+        if (!record || record.expiresAt < now) {
+            record = {
+                hits: 0,
+                expiresAt: now + ttlMs
+            };
+        }
+        record.hits++;
+        ThrottleGuard_1.storage.set(key, record);
+        if (record.hits > options.limit) {
+            const response = context.switchToHttp().getResponse();
+            const retryAfter = Math.ceil((record.expiresAt - now) / 1000);
+            this.setHeaders(response, options.limit, 0, retryAfter);
+            throw new CustomHttpError('Too Many Requests', 429, 'rate_limit_exceeded');
+        }
+        const response = context.switchToHttp().getResponse();
+        const remaining = Math.max(0, options.limit - record.hits);
+        this.setHeaders(response, options.limit, remaining, options.ttl);
+        return true;
+    }
+    /**
+     * Limpia las entradas expiradas para evitar fugas de memoria
+     */
+    cleanup() {
+        const now = Date.now();
+        ThrottleGuard_1.storage.forEach((value, key) => {
+            if (value.expiresAt < now) {
+                ThrottleGuard_1.storage.delete(key);
+            }
+        });
+    }
+    getClientIp(request) {
+        const headers = request.headers;
+        if (headers['cf-connecting-ip'])
+            return headers['cf-connecting-ip'];
+        if (headers['x-forwarded-for']) {
+            return headers['x-forwarded-for'].split(',')[0].trim();
+        }
+        if (headers['x-real-ip'])
+            return headers['x-real-ip'];
+        return request.socket?.remoteAddress || request.ip || 'unknown';
+    }
+    setHeaders(res, limit, remaining, resetOrRetry) {
+        if (res && typeof res.setHeader === 'function') {
+            res.setHeader('X-RateLimit-Limit', limit);
+            res.setHeader('X-RateLimit-Remaining', remaining);
+            if (remaining === 0) {
+                res.setHeader('Retry-After', resetOrRetry);
+            }
+        }
+    }
+};
+ThrottleGuard.storage = new Map();
+ThrottleGuard.cleanupInterval = null;
+ThrottleGuard = ThrottleGuard_1 = __decorate([
+    injectable(),
+    __metadata("design:paramtypes", [])
+], ThrottleGuard);
+
+export { ApiKeyGuard, AppFactory, AuthGuard, GuardsConsumer, HemiaExecutionContext, JWTGuard, PublicClientGuard, Reflector, ResponseSerializer, ThrottleGuard, registerRoutes };

package/dist/hemia-core.js

@@ -229,7 +229,9 @@ async function registerRoutes(app, container, controllerIdentifiers, onTraceFini
                     console.error(`Error en ${route.method.toUpperCase()} ${basePath}${route.path}:`, error);
                     const status = error.statusCode || error.status || 500;
                     const message = error.message || 'Internal Server Error';
-                    const errorResponse = common.ApiResponse.error(message, error.stack, status);
+                    const errorDetail = error instanceof common.HttpError ? error.error : undefined;
+                    const isDev = process.env.NODE_ENV === 'development';
+                    const errorResponse = common.ApiResponse.error(message, errorDetail || (isDev ? error.stack : undefined), status);
                     const { status: errStatus, ...errorData } = errorResponse;
                     res.status(errStatus).json(errorData);
                 }
@@ -340,9 +342,9 @@ class AppFactory {
             const defaultHeaders = {
                 'Access-Control-Allow-Origin': req.headers.origin || '*',
                 'Access-Control-Allow-Methods': 'GET,POST,PUT,DELETE,PATCH,OPTIONS',
-                'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Api-Key, Language, X-No-Cookies, x-session',
+                'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Api-Key, Language, X-No-Cookies, x-session, x-client-id, X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After',
                 'Access-Control-Allow-Credentials': 'true',
-                'Access-Control-Expose-Headers': 'Authorization, X-Correlation-Id, X-Trace-Id, x-session',
+                'Access-Control-Expose-Headers': 'Authorization, X-Correlation-Id, X-Trace-Id, x-session, X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After',
             };
             const headers = { ...defaultHeaders, ...(options.corsHeaders || {}) };
             Object.entries(headers).forEach(([key, value]) => {
@@ -527,6 +529,114 @@ exports.JWTGuard = __decorate([
     __metadata("design:paramtypes", [authSdk.AuthService])
 ], exports.JWTGuard);
 
+exports.PublicClientGuard = class PublicClientGuard {
+    constructor(oauthService) {
+        this.oauthService = oauthService;
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const clientId = request.headers['x-client-id'] || request.body.client_id;
+        if (!clientId) {
+            return false;
+        }
+        const client = await this.oauthService.getByClientId(clientId);
+        if (!client || !client.isActive) {
+            return false;
+        }
+        request.oauthClient = client;
+        return true;
+    }
+};
+exports.PublicClientGuard = __decorate([
+    inversify.injectable(),
+    __param(0, inversify.inject(authSdk.OAuthService)),
+    __metadata("design:paramtypes", [authSdk.OAuthService])
+], exports.PublicClientGuard);
+
+var ThrottleGuard_1;
+exports.ThrottleGuard = ThrottleGuard_1 = class ThrottleGuard {
+    constructor() {
+        if (!ThrottleGuard_1.cleanupInterval) {
+            ThrottleGuard_1.cleanupInterval = setInterval(() => {
+                this.cleanup();
+            }, 60000);
+            ThrottleGuard_1.cleanupInterval.unref();
+        }
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const handler = context.getHandler();
+        const options = Reflect.getMetadata(common.METADATA_KEYS.THROTTLE, handler);
+        if (!options) {
+            return true;
+        }
+        if (options.skipIf && options.skipIf(context)) {
+            return true;
+        }
+        const ip = this.getClientIp(request);
+        const endpointKey = `${context.getClass().name}:${handler.name}`;
+        const key = `throttle:${endpointKey}:${ip}`;
+        const now = Date.now();
+        const ttlMs = options.ttl * 1000;
+        let record = ThrottleGuard_1.storage.get(key);
+        if (!record || record.expiresAt < now) {
+            record = {
+                hits: 0,
+                expiresAt: now + ttlMs
+            };
+        }
+        record.hits++;
+        ThrottleGuard_1.storage.set(key, record);
+        if (record.hits > options.limit) {
+            const response = context.switchToHttp().getResponse();
+            const retryAfter = Math.ceil((record.expiresAt - now) / 1000);
+            this.setHeaders(response, options.limit, 0, retryAfter);
+            throw new common.CustomHttpError('Too Many Requests', 429, 'rate_limit_exceeded');
+        }
+        const response = context.switchToHttp().getResponse();
+        const remaining = Math.max(0, options.limit - record.hits);
+        this.setHeaders(response, options.limit, remaining, options.ttl);
+        return true;
+    }
+    /**
+     * Limpia las entradas expiradas para evitar fugas de memoria
+     */
+    cleanup() {
+        const now = Date.now();
+        ThrottleGuard_1.storage.forEach((value, key) => {
+            if (value.expiresAt < now) {
+                ThrottleGuard_1.storage.delete(key);
+            }
+        });
+    }
+    getClientIp(request) {
+        const headers = request.headers;
+        if (headers['cf-connecting-ip'])
+            return headers['cf-connecting-ip'];
+        if (headers['x-forwarded-for']) {
+            return headers['x-forwarded-for'].split(',')[0].trim();
+        }
+        if (headers['x-real-ip'])
+            return headers['x-real-ip'];
+        return request.socket?.remoteAddress || request.ip || 'unknown';
+    }
+    setHeaders(res, limit, remaining, resetOrRetry) {
+        if (res && typeof res.setHeader === 'function') {
+            res.setHeader('X-RateLimit-Limit', limit);
+            res.setHeader('X-RateLimit-Remaining', remaining);
+            if (remaining === 0) {
+                res.setHeader('Retry-After', resetOrRetry);
+            }
+        }
+    }
+};
+exports.ThrottleGuard.storage = new Map();
+exports.ThrottleGuard.cleanupInterval = null;
+exports.ThrottleGuard = ThrottleGuard_1 = __decorate([
+    inversify.injectable(),
+    __metadata("design:paramtypes", [])
+], exports.ThrottleGuard);
+
 exports.AppFactory = AppFactory;
 exports.GuardsConsumer = GuardsConsumer;
 exports.HemiaExecutionContext = HemiaExecutionContext;

package/dist/types/guards/index.d.ts

@@ -2,3 +2,5 @@ export * from "./auth.guard";
 export * from "./guards-consumer";
 export * from "./api-key.guard";
 export * from "./jwt.guard";
+export * from "./public-client.guard";
+export * from "./throttle.guard";

package/dist/types/guards/public-client.guard.d.ts

@@ -0,0 +1,7 @@
+import { CanActivate, ExecutionContext } from "@hemia/common";
+import { OAuthService } from "@hemia/auth-sdk";
+export declare class PublicClientGuard implements CanActivate {
+    private readonly oauthService;
+    constructor(oauthService: OAuthService);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}

package/dist/types/guards/throttle.guard.d.ts

@@ -0,0 +1,13 @@
+import { CanActivate, ExecutionContext } from "@hemia/common";
+export declare class ThrottleGuard implements CanActivate {
+    private static storage;
+    private static cleanupInterval;
+    constructor();
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    /**
+     * Limpia las entradas expiradas para evitar fugas de memoria
+     */
+    private cleanup;
+    private getClientIp;
+    private setHeaders;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hemia/core",
-  "version": "0.0.12",
+  "version": "0.0.14",
   "description": "Core utilities for Hemia projects",
   "main": "dist/hemia-core.js",
   "module": "dist/hemia-core.esm.js",
@@ -18,10 +18,10 @@
     "@rollup/plugin-commonjs": "^26.0.1",
     "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^15.2.3",
-    "@hemia/common": "^0.0.15",
+    "@hemia/common": "^0.0.16",
     "@hemia/app-context": "^0.0.6",
     "@hemia/trace-manager": "^0.0.9",
-    "@hemia/auth-sdk": "^0.0.14",
+    "@hemia/auth-sdk": "^0.0.16",
     "@types/express": "^5.0.5",
     "express": "^5.1.0",
     "inversify": "^7.10.4",