@just-be/wildcard 0.5.0 → 0.7.0

package/package.json

@@ -1,37 +1,37 @@
 {
   "name": "@just-be/wildcard",
-  "version": "0.5.0",
+  "version": "0.7.0",
   "description": "Portable wildcard subdomain routing with pluggable storage backends",
-  "type": "module",
-  "main": "./src/index.ts",
-  "exports": {
-    ".": "./src/index.ts",
-    "./schemas": "./src/schemas.ts",
-    "./handlers": "./src/handlers/index.ts",
-    "./types": "./src/types.ts"
-  },
-  "files": [
-    "src"
-  ],
   "keywords": [
-    "wildcard",
-    "subdomain",
+    "proxy",
+    "redirect",
     "routing",
     "static-site",
-    "redirect",
-    "proxy"
+    "subdomain",
+    "wildcard"
   ],
-  "author": "Justin Bennett",
   "license": "MIT",
+  "author": "Justin Bennett",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/just-be-dev/just-be.dev.git",
     "directory": "packages/wildcard"
   },
-  "peerDependencies": {
-    "zod": "^4.0.0"
+  "files": [
+    "src"
+  ],
+  "type": "module",
+  "main": "./src/index.ts",
+  "exports": {
+    ".": "./src/index.ts",
+    "./schemas": "./src/schemas.ts",
+    "./handlers": "./src/handlers/index.ts",
+    "./types": "./src/types.ts"
   },
   "publishConfig": {
     "access": "public"
+  },
+  "peerDependencies": {
+    "zod": "^4.0.0"
   }
 }

package/src/handlers/path-rules.ts

@@ -7,7 +7,7 @@ import { matchPath, proxyRequest } from "../utils";
  */
 export async function handlePathRules(
   request: Request,
-  config: StaticConfig
+  config: StaticConfig,
 ): Promise<Response | null> {
   const url = new URL(request.url);
   const pathname = url.pathname;

package/src/handlers/redirect.test.ts

@@ -56,10 +56,10 @@ describe("handleRedirect", () => {
       };
       const response = await handleRedirect(
         makeRequest("https://git.just-be.dev/pds?tab=readme"),
-        config
+        config,
       );
       expect(response.headers.get("location")).toBe(
-        "https://github.com/just-be-dev/pds?tab=readme"
+        "https://github.com/just-be-dev/pds?tab=readme",
       );
     });
 
@@ -90,7 +90,7 @@ describe("handleRedirect", () => {
       };
       const response = await handleRedirect(
         makeRequest("https://sub.just-be.dev/some/path"),
-        config
+        config,
       );
       expect(response.headers.get("location")).toBe("https://example.com");
     });

package/src/handlers/static.ts

@@ -6,7 +6,7 @@ import { handlePathRules } from "./path-rules";
 export const handleStatic: Handler<StaticConfig, { fileLoader: FileLoader }> = async (
   request,
   config,
-  { fileLoader }
+  { fileLoader },
 ) => {
   // Check path-level redirects and rewrites first
   const pathResponse = await handlePathRules(request, config);
@@ -22,14 +22,15 @@ export const handleStatic: Handler<StaticConfig, { fileLoader: FileLoader }> = a
   const basePath = subdomain;
 
   return spa
-    ? handleSpaMode(fileLoader, basePath, url.pathname)
-    : handleStaticMode(fileLoader, basePath, url.pathname, fallback);
+    ? handleSpaMode(fileLoader, basePath, url.pathname, request)
+    : handleStaticMode(fileLoader, basePath, url.pathname, request, fallback);
 };
 
 async function handleSpaMode(
   fileLoader: FileLoader,
   basePath: string,
-  pathname: string
+  pathname: string,
+  request: Request,
 ): Promise<Response> {
   // Sanitize paths to prevent directory traversal
   const sanitizedBase = sanitizePath(basePath);
@@ -53,7 +54,7 @@ async function handleSpaMode(
     const fileObject = await fileLoader.loadFile(key);
 
     if (fileObject) {
-      return buildFileResponse(fileObject, key);
+      return buildFileResponse(fileObject, key, request);
     }
   }
 
@@ -70,14 +71,15 @@ async function handleSpaMode(
     return new Response("File not found", { status: 404 });
   }
 
-  return buildFileResponse(indexFile, indexKey);
+  return buildFileResponse(indexFile, indexKey, request);
 }
 
 async function handleStaticMode(
   fileLoader: FileLoader,
   basePath: string,
   pathname: string,
-  fallback?: string
+  request: Request,
+  fallback?: string,
 ): Promise<Response> {
   // Sanitize paths to prevent directory traversal
   const sanitizedBase = sanitizePath(basePath);
@@ -99,7 +101,7 @@ async function handleStaticMode(
   const fileObject = await fileLoader.loadFile(key);
 
   if (fileObject) {
-    return buildFileResponse(fileObject, key);
+    return buildFileResponse(fileObject, key, request);
   }
 
   // Try fallback if configured
@@ -113,14 +115,14 @@ async function handleStaticMode(
     const fallbackObject = await fileLoader.loadFile(fallbackKey);
 
     if (fallbackObject) {
-      return buildFileResponse(fallbackObject, fallbackKey);
+      return buildFileResponse(fallbackObject, fallbackKey, request);
     }
   }
 
   return new Response("File not found", { status: 404 });
 }
 
-function buildFileResponse(fileObject: FileObject, key: string): Response {
+function buildFileResponse(fileObject: FileObject, key: string, request: Request): Response {
   const headers = new Headers(fileObject.headers);
 
   if (fileObject.etag) {
@@ -143,13 +145,21 @@ function buildFileResponse(fileObject: FileObject, key: string): Response {
   if (!headers.has("Content-Security-Policy")) {
     headers.set(
       "Content-Security-Policy",
-      "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
+      "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';",
     );
   }
 
   // Cache control with Vary header for cache poisoning prevention
-  headers.set("Cache-Control", "public, max-age=3600");
+  headers.set("Cache-Control", "public, max-age=3600"); // 1 hour browser cache
+  headers.set("CDN-Cache-Control", "public, max-age=604800"); // 7 days edge cache
   headers.set("Vary", "Accept-Encoding");
 
+  // Handle conditional requests (If-None-Match)
+  const ifNoneMatch = request.headers.get("If-None-Match");
+  if (ifNoneMatch && fileObject.etag && ifNoneMatch === fileObject.etag) {
+    // Return 304 Not Modified with headers but no body
+    return new Response(null, { status: 304, headers });
+  }
+
   return new Response(fileObject.body, { headers });
 }

package/src/schemas.ts

@@ -37,6 +37,7 @@ export const StaticConfigSchema = z
     fallback: z.string().optional(), // Fallback file path for non-SPA mode (e.g., "404.html")
     redirects: z.array(PathRedirectSchema).optional(),
     rewrites: z.array(PathRewriteSchema).optional(),
+    password: z.string().optional(), // Name of the Worker secret containing the password for HTTP Basic Auth
   })
   .refine((data) => (data.spa && data.fallback ? false : true), {
     message: "fallback cannot be used with spa mode (spa: true)",
@@ -47,12 +48,14 @@ export const RedirectConfigSchema = z.object({
   url: safeUrl(),
   permanent: z.boolean().optional(),
   preservePath: z.boolean().optional(),
+  password: z.string().optional(),
 });
 
 export const RewriteConfigSchema = z.object({
   type: z.literal("rewrite"),
   url: safeUrl(),
   allowedMethods: z.array(HttpMethod).optional().default(["GET", "HEAD", "OPTIONS"]),
+  password: z.string().optional(),
 });
 
 export const RouteConfigSchema = z.discriminatedUnion("type", [

package/src/utils.test.ts

@@ -6,6 +6,8 @@ import {
   filterSafeHeaders,
   isValidSubdomain,
   matchPath,
+  checkBasicAuth,
+  unauthorizedResponse,
   SAFE_REQUEST_HEADERS,
 } from "./utils";
 
@@ -343,6 +345,68 @@ describe("isValidSubdomain", () => {
   });
 });
 
+describe("checkBasicAuth", () => {
+  function requestWithAuth(username: string, password: string): Request {
+    const encoded = btoa(`${username}:${password}`);
+    return new Request("https://example.com", {
+      headers: { Authorization: `Basic ${encoded}` },
+    });
+  }
+
+  it("should return true for correct password with any username", () => {
+    expect(checkBasicAuth(requestWithAuth("user", "secret"), "secret")).toBe(true);
+    expect(checkBasicAuth(requestWithAuth("admin", "secret"), "secret")).toBe(true);
+    expect(checkBasicAuth(requestWithAuth("", "secret"), "secret")).toBe(true);
+  });
+
+  it("should return false for wrong password", () => {
+    expect(checkBasicAuth(requestWithAuth("user", "wrong"), "secret")).toBe(false);
+  });
+
+  it("should return false when no Authorization header", () => {
+    const request = new Request("https://example.com");
+    expect(checkBasicAuth(request, "secret")).toBe(false);
+  });
+
+  it("should return false for non-Basic auth schemes", () => {
+    const request = new Request("https://example.com", {
+      headers: { Authorization: "Bearer token123" },
+    });
+    expect(checkBasicAuth(request, "secret")).toBe(false);
+  });
+
+  it("should return false for malformed base64", () => {
+    const request = new Request("https://example.com", {
+      headers: { Authorization: "Basic !!!invalid!!!" },
+    });
+    expect(checkBasicAuth(request, "secret")).toBe(false);
+  });
+
+  it("should return false for base64 without colon separator", () => {
+    const encoded = btoa("nocolon");
+    const request = new Request("https://example.com", {
+      headers: { Authorization: `Basic ${encoded}` },
+    });
+    expect(checkBasicAuth(request, "nocolon")).toBe(false);
+  });
+
+  it("should handle passwords containing colons", () => {
+    expect(checkBasicAuth(requestWithAuth("user", "pass:word:here"), "pass:word:here")).toBe(true);
+  });
+});
+
+describe("unauthorizedResponse", () => {
+  it("should return 401 status", () => {
+    const response = unauthorizedResponse();
+    expect(response.status).toBe(401);
+  });
+
+  it("should include WWW-Authenticate header", () => {
+    const response = unauthorizedResponse();
+    expect(response.headers.get("WWW-Authenticate")).toBe('Basic realm="Protected"');
+  });
+});
+
 describe("matchPath", () => {
   describe("exact match patterns", () => {
     it("should match exact paths", () => {

package/src/utils.ts

@@ -236,6 +236,40 @@ export function isValidSubdomain(subdomain: string): boolean {
   return true;
 }
 
+/**
+ * Checks if a request has valid HTTP Basic Auth credentials
+ * Any username is accepted; only the password is validated.
+ */
+export function checkBasicAuth(request: Request, expectedPassword: string): boolean {
+  const authorization = request.headers.get("Authorization");
+  if (!authorization || !authorization.startsWith("Basic ")) {
+    return false;
+  }
+
+  try {
+    const encoded = authorization.slice("Basic ".length);
+    const decoded = atob(encoded);
+    const colonIndex = decoded.indexOf(":");
+    if (colonIndex === -1) {
+      return false;
+    }
+    const password = decoded.slice(colonIndex + 1);
+    return password === expectedPassword;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Returns a 401 Unauthorized response that triggers the browser's Basic Auth dialog
+ */
+export function unauthorizedResponse(): Response {
+  return new Response("Unauthorized", {
+    status: 401,
+    headers: { "WWW-Authenticate": 'Basic realm="Protected"' },
+  });
+}
+
 /**
  * Timeout for proxy requests in milliseconds
  */
@@ -248,10 +282,7 @@ const FETCH_TIMEOUT_MS = 5_000;
  * @param targetUrl - The target URL to proxy to
  * @returns Response from the proxied request
  */
-export async function proxyRequest(
-  request: Request,
-  targetUrl: URL
-): Promise<Response> {
+export async function proxyRequest(request: Request, targetUrl: URL): Promise<Response> {
   // Filter headers to only include safe ones (prevents header injection)
   const safeHeaders = filterSafeHeaders(request.headers);