@lastshotlabs/bunshot 0.0.6 → 0.0.8

package/dist/lib/mongo.js

@@ -0,0 +1,73 @@
+import mongoose from "mongoose";
+import { log } from "./logger";
+const isProd = process.env.NODE_ENV === "production";
+function buildUri(user, password, host, db) {
+    const [hostPart, queryPart] = host.split("?");
+    return `mongodb+srv://${user}:${password}@${hostPart.replace(/\/$/, "")}/${db}${queryPart ? `?${queryPart}` : ""}`;
+}
+/**
+ * Named connection used exclusively for auth data (AuthUser model).
+ * Connected via connectAuthMongo() or connectMongo() (backward compat).
+ */
+export const authConnection = mongoose.createConnection();
+/**
+ * Named connection for app/tenant data.
+ * Connected via connectAppMongo() or connectMongo() (backward compat).
+ * Use this when registering your own models: appConnection.model("Product", schema).
+ */
+export const appConnection = mongoose.createConnection();
+/**
+ * Connect the auth connection to its dedicated MongoDB server.
+ * Uses MONGO_AUTH_USER_*, MONGO_AUTH_PW_*, MONGO_AUTH_HOST_*, MONGO_AUTH_DB_* env vars.
+ */
+export const connectAuthMongo = async () => {
+    const user = isProd ? process.env.MONGO_AUTH_USER_PROD : process.env.MONGO_AUTH_USER_DEV;
+    const password = isProd ? process.env.MONGO_AUTH_PW_PROD : process.env.MONGO_AUTH_PW_DEV;
+    const host = isProd ? process.env.MONGO_AUTH_HOST_PROD : process.env.MONGO_AUTH_HOST_DEV;
+    const db = isProd ? process.env.MONGO_AUTH_DB_PROD : process.env.MONGO_AUTH_DB_DEV;
+    const uri = buildUri(user, password, host, db);
+    await authConnection.openUri(uri);
+    log(`[mongo] auth connected to ${host} as ${user}`);
+};
+/**
+ * Connect the app connection to its MongoDB server.
+ * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
+ */
+export const connectAppMongo = async () => {
+    const user = isProd ? process.env.MONGO_USER_PROD : process.env.MONGO_USER_DEV;
+    const password = isProd ? process.env.MONGO_PW_PROD : process.env.MONGO_PW_DEV;
+    const host = isProd ? process.env.MONGO_HOST_PROD : process.env.MONGO_HOST_DEV;
+    const db = isProd ? process.env.MONGO_DB_PROD : process.env.MONGO_DB_DEV;
+    const uri = buildUri(user, password, host, db);
+    await appConnection.openUri(uri);
+    log(`[mongo] app connected to ${host} as ${user}`);
+};
+/**
+ * Connect both auth and app connections to the same MongoDB server.
+ * Backward-compatible shorthand for single-DB setups.
+ * Uses MONGO_USER_*, MONGO_PW_*, MONGO_HOST_*, MONGO_DB_* env vars.
+ */
+export const connectMongo = async () => {
+    const user = isProd ? process.env.MONGO_USER_PROD : process.env.MONGO_USER_DEV;
+    const password = isProd ? process.env.MONGO_PW_PROD : process.env.MONGO_PW_DEV;
+    const host = isProd ? process.env.MONGO_HOST_PROD : process.env.MONGO_HOST_DEV;
+    const db = isProd ? process.env.MONGO_DB_PROD : process.env.MONGO_DB_DEV;
+    const uri = buildUri(user, password, host, db);
+    await Promise.all([
+        authConnection.openUri(uri),
+        appConnection.openUri(uri),
+    ]);
+    log(`[mongo] connected to ${host} as ${user}`);
+};
+/**
+ * Close both auth and app Mongo connections.
+ * Useful for one-off scripts that need a clean exit.
+ */
+export const disconnectMongo = async () => {
+    await Promise.all([
+        authConnection.readyState !== 0 ? authConnection.close() : Promise.resolve(),
+        appConnection.readyState !== 0 ? appConnection.close() : Promise.resolve(),
+    ]);
+    log("[mongo] disconnected");
+};
+export { mongoose };

package/dist/lib/oauth.js

@@ -0,0 +1,82 @@
+import { Google, Apple, generateState, generateCodeVerifier } from "arctic";
+import { getRedis } from "./redis";
+import { appConnection } from "./mongo";
+import { getAppName } from "./appConfig";
+import { Schema } from "mongoose";
+import { sqliteStoreOAuthState, sqliteConsumeOAuthState } from "../adapters/sqliteAuth";
+import { memoryStoreOAuthState, memoryConsumeOAuthState } from "../adapters/memoryAuth";
+let _providers = {};
+export const initOAuthProviders = (config) => {
+    if (config.google) {
+        const { clientId, clientSecret, redirectUri } = config.google;
+        _providers.google = new Google(clientId, clientSecret, redirectUri);
+    }
+    if (config.apple) {
+        const { clientId, teamId, keyId, privateKey, redirectUri } = config.apple;
+        _providers.apple = new Apple(clientId, teamId, keyId, new TextEncoder().encode(privateKey), redirectUri);
+    }
+};
+export const getGoogle = () => {
+    if (!_providers.google)
+        throw new Error("Google OAuth not configured");
+    return _providers.google;
+};
+export const getApple = () => {
+    if (!_providers.apple)
+        throw new Error("Apple OAuth not configured");
+    return _providers.apple;
+};
+export const getConfiguredOAuthProviders = () => Object.entries(_providers)
+    .filter(([, v]) => v != null)
+    .map(([k]) => k);
+const oauthStateSchema = new Schema({
+    state: { type: String, required: true, unique: true },
+    codeVerifier: { type: String },
+    linkUserId: { type: String },
+    expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+}, { collection: "oauth_states" });
+function getOAuthStateModel() {
+    return appConnection.models["OAuthState"] ??
+        appConnection.model("OAuthState", oauthStateSchema);
+}
+let _oauthStore = "redis";
+export const setOAuthStateStore = (store) => { _oauthStore = store; };
+// ---------------------------------------------------------------------------
+// State helpers
+// ---------------------------------------------------------------------------
+const STATE_TTL = 300; // 5 minutes
+export const storeOAuthState = async (state, codeVerifier, linkUserId) => {
+    if (_oauthStore === "memory") {
+        memoryStoreOAuthState(state, codeVerifier, linkUserId);
+        return;
+    }
+    if (_oauthStore === "sqlite") {
+        sqliteStoreOAuthState(state, codeVerifier, linkUserId);
+        return;
+    }
+    if (_oauthStore === "mongo") {
+        const expiresAt = new Date(Date.now() + STATE_TTL * 1000);
+        await getOAuthStateModel().create({ state, codeVerifier, linkUserId, expiresAt });
+        return;
+    }
+    await getRedis().set(`oauth:${getAppName()}:state:${state}`, JSON.stringify({ codeVerifier, linkUserId }), "EX", STATE_TTL);
+};
+export const consumeOAuthState = async (state) => {
+    if (_oauthStore === "memory")
+        return memoryConsumeOAuthState(state);
+    if (_oauthStore === "sqlite")
+        return sqliteConsumeOAuthState(state);
+    if (_oauthStore === "mongo") {
+        const doc = await getOAuthStateModel()
+            .findOneAndDelete({ state, expiresAt: { $gt: new Date() } })
+            .lean();
+        return doc ? { codeVerifier: doc.codeVerifier, linkUserId: doc.linkUserId } : null;
+    }
+    const key = `oauth:${getAppName()}:state:${state}`;
+    const value = await getRedis().get(key);
+    if (!value)
+        return null;
+    await getRedis().del(key);
+    return JSON.parse(value);
+};
+export { generateState, generateCodeVerifier };

package/dist/lib/queue.js

@@ -0,0 +1,4 @@
+import { Queue, Worker } from "bullmq";
+import { getRedisConnectionOptions } from "./redis";
+export const createQueue = (name, options) => new Queue(name, { connection: getRedisConnectionOptions(), ...options });
+export const createWorker = (name, processor, options) => new Worker(name, processor, { connection: getRedisConnectionOptions(), ...options });

package/dist/lib/redis.js

@@ -0,0 +1,50 @@
+import Redis from "ioredis";
+import { log } from "./logger";
+const isProd = process.env.NODE_ENV === "production";
+export const getRedisConnectionOptions = () => {
+    const host_port = isProd ? process.env.REDIS_HOST_PROD : process.env.REDIS_HOST_DEV;
+    if (!host_port)
+        throw new Error(`Missing env var: ${isProd ? "REDIS_HOST_PROD" : "REDIS_HOST_DEV"}`);
+    const [host, port] = host_port.split(":");
+    if (!host || !port)
+        throw new Error(`Invalid Redis host format — expected "host:port", got "${host_port}"`);
+    const username = isProd ? process.env.REDIS_USER_PROD : process.env.REDIS_USER_DEV;
+    const password = isProd ? process.env.REDIS_PW_PROD : process.env.REDIS_PW_DEV;
+    return {
+        host,
+        port: Number(port),
+        ...(username && { username }),
+        ...(password && { password }),
+    };
+};
+let client = null;
+const createClient = () => {
+    const redis = new Redis(getRedisConnectionOptions());
+    redis.on("error", (err) => log(`[redis] error: ${err.message}`));
+    return redis;
+};
+export const connectRedis = () => {
+    if (client)
+        return Promise.resolve();
+    client = createClient();
+    return new Promise((resolve, reject) => {
+        client.once("ready", () => { log(`[redis] connected to ${getRedisConnectionOptions().host}:${getRedisConnectionOptions().port} as ${getRedisConnectionOptions().username || "default user"}`); resolve(); });
+        client.once("error", reject);
+    });
+};
+/**
+ * Gracefully close the Redis connection.
+ * Useful for one-off scripts that need a clean exit.
+ */
+export const disconnectRedis = async () => {
+    if (!client)
+        return;
+    await client.quit();
+    client = null;
+    log("[redis] disconnected");
+};
+export const getRedis = () => {
+    if (!client)
+        throw new Error("Redis not connected — call connectRedis() first");
+    return client;
+};

package/dist/lib/roles.js

@@ -0,0 +1,22 @@
+import { getAuthAdapter } from "./authAdapter";
+const requireMethod = (method) => {
+    throw new Error(`Auth adapter does not implement ${method} — add it to your adapter to manage roles`);
+};
+export const setUserRoles = async (userId, roles) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.setRoles)
+        requireMethod("setRoles");
+    await adapter.setRoles(userId, roles);
+};
+export const addUserRole = async (userId, role) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.addRole)
+        requireMethod("addRole");
+    await adapter.addRole(userId, role);
+};
+export const removeUserRole = async (userId, role) => {
+    const adapter = getAuthAdapter();
+    if (!adapter.removeRole)
+        requireMethod("removeRole");
+    await adapter.removeRole(userId, role);
+};

package/dist/lib/session.js

@@ -0,0 +1,68 @@
+import { getRedis } from "./redis";
+import { appConnection } from "./mongo";
+import { getAppName } from "./appConfig";
+import { Schema } from "mongoose";
+import { sqliteCreateSession, sqliteGetSession, sqliteDeleteSession } from "../adapters/sqliteAuth";
+import { memoryCreateSession, memoryGetSession, memoryDeleteSession } from "../adapters/memoryAuth";
+const sessionSchema = new Schema({
+    userId: { type: String, required: true, unique: true },
+    token: { type: String, required: true },
+    expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+}, { collection: "sessions" });
+function getSessionModel() {
+    return appConnection.models["Session"] ??
+        appConnection.model("Session", sessionSchema);
+}
+let _store = "redis";
+export const setSessionStore = (store) => { _store = store; };
+// ---------------------------------------------------------------------------
+// TTL
+// ---------------------------------------------------------------------------
+const TTL_SECONDS = 60 * 60 * 24 * 7; // 7 days
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export const createSession = async (userId, token) => {
+    if (_store === "memory") {
+        memoryCreateSession(userId, token);
+        return;
+    }
+    if (_store === "sqlite") {
+        sqliteCreateSession(userId, token);
+        return;
+    }
+    if (_store === "mongo") {
+        const expiresAt = new Date(Date.now() + TTL_SECONDS * 1000);
+        await getSessionModel().updateOne({ userId }, { $set: { token, expiresAt } }, { upsert: true });
+        return;
+    }
+    await getRedis().set(`session:${getAppName()}:${userId}`, token, "EX", TTL_SECONDS);
+};
+export const getSession = async (userId) => {
+    if (_store === "memory")
+        return memoryGetSession(userId);
+    if (_store === "sqlite")
+        return sqliteGetSession(userId);
+    if (_store === "mongo") {
+        const doc = await getSessionModel()
+            .findOne({ userId, expiresAt: { $gt: new Date() } }, "token")
+            .lean();
+        return doc ? doc.token : null;
+    }
+    return getRedis().get(`session:${getAppName()}:${userId}`);
+};
+export const deleteSession = async (userId) => {
+    if (_store === "memory") {
+        memoryDeleteSession(userId);
+        return;
+    }
+    if (_store === "sqlite") {
+        sqliteDeleteSession(userId);
+        return;
+    }
+    if (_store === "mongo") {
+        await getSessionModel().deleteOne({ userId });
+        return;
+    }
+    await getRedis().del(`session:${getAppName()}:${userId}`);
+};

package/dist/lib/validate.js

@@ -0,0 +1,14 @@
+import { z } from "zod";
+import { HttpError } from "./HttpError";
+export const validate = async (schema, req) => {
+    try {
+        const body = await req.json();
+        return schema.parse(body);
+    }
+    catch (err) {
+        if (err instanceof z.ZodError) {
+            throw new HttpError(400, err.issues.map((i) => i.message).join(", "));
+        }
+        throw err;
+    }
+};

package/dist/lib/ws.js

@@ -0,0 +1,64 @@
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let _server = null;
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const setWsServer = (server) => { _server = server; };
+export const publish = (topic, data) => {
+    _server?.publish(topic, JSON.stringify(data));
+};
+/** room → Set of socket IDs */
+const _roomRegistry = new Map();
+/** All rooms that currently have at least one subscriber */
+export const getRooms = () => [..._roomRegistry.keys()];
+/** Socket IDs subscribed to a given room */
+export const getRoomSubscribers = (room) => [...(_roomRegistry.get(room) ?? [])];
+export const handleRoomActions = async (ws, message, onSubscribe) => {
+    try {
+        const data = JSON.parse(typeof message === "string" ? message : Buffer.from(message).toString());
+        if (data.action === "subscribe" && typeof data.room === "string") {
+            if (onSubscribe && !(await onSubscribe(ws, data.room))) {
+                ws.send(JSON.stringify({ event: "subscribe_denied", room: data.room }));
+            }
+            else {
+                subscribe(ws, data.room);
+                ws.send(JSON.stringify({ event: "subscribed", room: data.room }));
+            }
+            return true;
+        }
+        if (data.action === "unsubscribe" && typeof data.room === "string") {
+            unsubscribe(ws, data.room);
+            ws.send(JSON.stringify({ event: "unsubscribed", room: data.room }));
+            return true;
+        }
+    }
+    catch { /* not JSON */ }
+    return false;
+};
+export const subscribe = (ws, room) => {
+    ws.subscribe(room);
+    ws.data.rooms.add(room);
+    if (!_roomRegistry.has(room))
+        _roomRegistry.set(room, new Set());
+    _roomRegistry.get(room).add(ws.data.id);
+};
+export const unsubscribe = (ws, room) => {
+    ws.unsubscribe(room);
+    ws.data.rooms.delete(room);
+    const ids = _roomRegistry.get(room);
+    if (ids) {
+        ids.delete(ws.data.id);
+        if (ids.size === 0)
+            _roomRegistry.delete(room);
+    }
+};
+export const getSubscriptions = (ws) => [...ws.data.rooms];
+/** Called on socket close to prune the registry. Internal use only. */
+export const cleanupSocket = (socketId, rooms) => {
+    for (const room of rooms) {
+        const ids = _roomRegistry.get(room);
+        if (ids) {
+            ids.delete(socketId);
+            if (ids.size === 0)
+                _roomRegistry.delete(room);
+        }
+    }
+};

package/dist/middleware/bearerAuth.js

@@ -0,0 +1,10 @@
+const isProd = process.env.NODE_ENV === "production";
+const validToken = isProd ? process.env.BEARER_TOKEN_PROD : process.env.BEARER_TOKEN_DEV;
+export const bearerAuth = async (c, next) => {
+    const header = c.req.header("Authorization");
+    const token = header?.startsWith("Bearer ") ? header.slice(7) : null;
+    if (!token || token !== validToken) {
+        return c.json({ error: "Unauthorized" }, 401);
+    }
+    await next();
+};

package/dist/middleware/botProtection.js

@@ -0,0 +1,50 @@
+// ---------------------------------------------------------------------------
+// CIDR helpers (IPv4 only; IPv6 exact-match supported)
+// ---------------------------------------------------------------------------
+function ipv4ToUint32(ip) {
+    const parts = ip.split(".").map(Number);
+    return (((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>>
+        0);
+}
+function cidrMatchesIpv4(cidr, ip) {
+    const slash = cidr.indexOf("/");
+    const network = slash === -1 ? cidr : cidr.slice(0, slash);
+    const prefixLen = slash === -1 ? 32 : parseInt(cidr.slice(slash + 1), 10);
+    const mask = prefixLen === 0 ? 0 : (~0 << (32 - prefixLen)) >>> 0;
+    return (ipv4ToUint32(network) & mask) === (ipv4ToUint32(ip) & mask);
+}
+const IPV4_RE = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
+function normalizeIp(ip) {
+    // Strip IPv4-mapped IPv6 prefix (::ffff:1.2.3.4)
+    if (ip.startsWith("::ffff:"))
+        return ip.slice(7);
+    return ip;
+}
+function isBlocked(ip, blockList) {
+    const normalized = normalizeIp(ip);
+    const isV4 = IPV4_RE.test(normalized);
+    for (const entry of blockList) {
+        if (isV4) {
+            if (cidrMatchesIpv4(entry, normalized))
+                return true;
+        }
+        else {
+            // IPv6: exact match only (CIDR support is v2)
+            if (entry === normalized)
+                return true;
+        }
+    }
+    return false;
+}
+export const botProtection = ({ blockList = [], }) => {
+    if (blockList.length === 0)
+        return (_c, next) => next();
+    return async (c, next) => {
+        const raw = c.req.header("x-forwarded-for") ?? "";
+        const ip = raw.split(",")[0]?.trim() ?? "unknown";
+        if (ip !== "unknown" && isBlocked(ip, blockList)) {
+            return c.json({ error: "Forbidden" }, 403);
+        }
+        await next();
+    };
+};

package/dist/middleware/cacheResponse.js

@@ -0,0 +1,158 @@
+import { getRedis } from "../lib/redis";
+import { getAppName } from "../lib/appConfig";
+import { appConnection } from "../lib/mongo";
+import { Schema } from "mongoose";
+import { isSqliteReady, sqliteGetCache, sqliteSetCache, sqliteDelCache, sqliteDelCachePattern } from "../adapters/sqliteAuth";
+import { memoryGetCache, memorySetCache, memoryDelCache, memoryDelCachePattern } from "../adapters/memoryAuth";
+const cacheSchema = new Schema({
+    key: { type: String, required: true, unique: true },
+    value: { type: String, required: true },
+    expiresAt: { type: Date, index: { expireAfterSeconds: 0 } },
+}, { collection: "cache_entries" });
+function getCacheModel() {
+    return appConnection.models["CacheEntry"] ??
+        appConnection.model("CacheEntry", cacheSchema);
+}
+function isMongoReady() {
+    return appConnection.readyState === 1;
+}
+function isRedisReady() {
+    try {
+        getRedis();
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+let _defaultCacheStore = "redis";
+export const setCacheStore = (store) => { _defaultCacheStore = store; };
+async function storeGet(store, cacheKey) {
+    if (store === "memory")
+        return memoryGetCache(cacheKey);
+    if (store === "sqlite") {
+        if (!isSqliteReady())
+            throw new Error(`cacheResponse: store is "sqlite" but SQLite is not initialized. Call setSqliteDb(path) or pass sqliteDb to createServer.`);
+        return sqliteGetCache(cacheKey);
+    }
+    if (store === "mongo") {
+        if (!isMongoReady())
+            throw new Error(`cacheResponse: store is "mongo" but appConnection is not connected. Ensure connectMongo() or connectAppMongo() is called before handling requests.`);
+        const doc = await getCacheModel().findOne({ key: cacheKey }, "value").lean();
+        return doc ? doc.value : null;
+    }
+    return getRedis().get(cacheKey);
+}
+async function storeSet(store, cacheKey, value, ttl) {
+    if (store === "memory") {
+        memorySetCache(cacheKey, value, ttl);
+        return;
+    }
+    if (store === "sqlite") {
+        if (!isSqliteReady())
+            throw new Error(`cacheResponse: store is "sqlite" but SQLite is not initialized. Call setSqliteDb(path) or pass sqliteDb to createServer.`);
+        sqliteSetCache(cacheKey, value, ttl);
+        return;
+    }
+    if (store === "mongo") {
+        if (!isMongoReady())
+            throw new Error(`cacheResponse: store is "mongo" but appConnection is not connected. Ensure connectMongo() or connectAppMongo() is called before handling requests.`);
+        const expiresAt = ttl ? new Date(Date.now() + ttl * 1000) : undefined;
+        await getCacheModel().updateOne({ key: cacheKey }, { $set: { value, ...(expiresAt ? { expiresAt } : {}) } }, { upsert: true });
+        return;
+    }
+    if (ttl) {
+        await getRedis().setex(cacheKey, ttl, value);
+    }
+    else {
+        await getRedis().set(cacheKey, value);
+    }
+}
+async function storeDel(store, cacheKey) {
+    if (store === "memory") {
+        memoryDelCache(cacheKey);
+        return;
+    }
+    if (store === "sqlite") {
+        if (!isSqliteReady())
+            return;
+        sqliteDelCache(cacheKey);
+        return;
+    }
+    if (store === "mongo") {
+        if (!isMongoReady())
+            return;
+        await getCacheModel().deleteOne({ key: cacheKey });
+        return;
+    }
+    if (!isRedisReady())
+        return;
+    await getRedis().del(cacheKey);
+}
+async function storeDelPattern(store, fullPattern) {
+    if (store === "memory") {
+        memoryDelCachePattern(fullPattern);
+        return;
+    }
+    if (store === "sqlite") {
+        if (!isSqliteReady())
+            return;
+        sqliteDelCachePattern(fullPattern);
+        return;
+    }
+    if (store === "mongo") {
+        if (!isMongoReady())
+            return;
+        const regex = new RegExp("^" + fullPattern.replace(/\*/g, ".*") + "$");
+        await getCacheModel().deleteMany({ key: regex });
+        return;
+    }
+    if (!isRedisReady())
+        return;
+    const redis = getRedis();
+    let cursor = "0";
+    do {
+        const [next, keys] = await redis.scan(cursor, "MATCH", fullPattern, "COUNT", 100);
+        cursor = next;
+        if (keys.length > 0)
+            await redis.del(...keys);
+    } while (cursor !== "0");
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export const bustCache = async (key) => {
+    const cacheKey = `cache:${getAppName()}:${key}`;
+    await Promise.all([storeDel("redis", cacheKey), storeDel("mongo", cacheKey), storeDel("sqlite", cacheKey), storeDel("memory", cacheKey)]);
+};
+export const bustCachePattern = async (pattern) => {
+    const fullPattern = `cache:${getAppName()}:${pattern}`;
+    await Promise.all([storeDelPattern("redis", fullPattern), storeDelPattern("mongo", fullPattern), storeDelPattern("sqlite", fullPattern), storeDelPattern("memory", fullPattern)]);
+};
+export const cacheResponse = ({ ttl, key, store = _defaultCacheStore }) => {
+    return async (c, next) => {
+        const appName = getAppName();
+        const rawKey = typeof key === "function" ? key(c) : key;
+        const cacheKey = `cache:${appName}:${rawKey}`;
+        const cached = await storeGet(store, cacheKey);
+        if (cached) {
+            const { status, headers, body } = JSON.parse(cached);
+            return new Response(body, {
+                status,
+                headers: { ...headers, "x-cache": "HIT" },
+            });
+        }
+        await next();
+        const res = c.res;
+        if (res.status >= 200 && res.status < 300) {
+            const body = await res.text();
+            const headers = {};
+            res.headers.forEach((value, name) => { headers[name] = value; });
+            await storeSet(store, cacheKey, JSON.stringify({ status: res.status, headers, body }), ttl);
+            c.res = new Response(body, {
+                status: res.status,
+                headers: { ...headers, "x-cache": "MISS" },
+            });
+        }
+    };
+};

package/dist/middleware/cors.js

@@ -0,0 +1,17 @@
+export const cors = async (req, next) => {
+    if (req.method === "OPTIONS") {
+        return new Response(null, { status: 204, headers: corsHeaders() });
+    }
+    const res = await next(req);
+    const headers = new Headers(res.headers);
+    for (const [k, v] of Object.entries(corsHeaders()))
+        headers.set(k, v);
+    return new Response(res.body, { status: res.status, headers });
+};
+const corsHeaders = () => {
+    return {
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+        "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    };
+};

package/dist/middleware/errorHandler.js

@@ -0,0 +1,13 @@
+import { HttpError } from "../lib/HttpError";
+export const errorHandler = async (req, next) => {
+    try {
+        return await next(req);
+    }
+    catch (err) {
+        console.error(err);
+        if (err instanceof HttpError) {
+            return Response.json({ error: err.message }, { status: err.status });
+        }
+        return Response.json({ error: "Internal Server Error" }, { status: 500 });
+    }
+};

package/dist/middleware/identify.js

@@ -0,0 +1,33 @@
+import { getCookie } from "hono/cookie";
+import { verifyToken } from "../lib/jwt";
+import { getSession } from "../lib/session";
+import { COOKIE_TOKEN, HEADER_USER_TOKEN } from "../lib/constants";
+import { log } from "../lib/logger";
+export const identify = async (c, next) => {
+    c.set("authUserId", null);
+    c.set("roles", null);
+    // cookie for browsers, x-user-token header for non-browser clients
+    const token = getCookie(c, COOKIE_TOKEN) ?? c.req.header(HEADER_USER_TOKEN) ?? null;
+    log(`[identify] token=${token ? "present" : "absent"}`);
+    if (token) {
+        try {
+            const payload = await verifyToken(token);
+            const stored = await getSession(payload.sub);
+            log(`[identify] token for authUserId=${payload.sub} verified, checking session...`);
+            if (stored === token) {
+                c.set("authUserId", payload.sub);
+                log(`[identify] authUserId=${payload.sub}`);
+            }
+            else {
+                log("[identify] token/session mismatch — unauthenticated");
+            }
+        }
+        catch {
+            log("[identify] invalid token — unauthenticated");
+        }
+    }
+    else {
+        log("[identify] no token — unauthenticated");
+    }
+    await next();
+};

package/dist/middleware/index.js

@@ -0,0 +1 @@
+export const applyMiddleware = (handler, ...middleware) => middleware.reduceRight((next, mw) => (req) => mw(req, next), handler);