npm - @marvalt/digivalt-core - Versions diffs - 0.1.0 → 0.1.1 - Mend

@marvalt/digivalt-core 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/bin/init.cjs +42 -0
package/dist/index.cjs +4 -0
package/dist/index.cjs.map +1 -1
package/dist/index.esm.js +4 -0
package/dist/index.esm.js.map +1 -1
package/package.json +7 -2
package/template/.dev.vars.example +11 -0
package/template/functions/api/fetch-with-access.ts +41 -0
package/template/functions/api/gravity-forms-submit.ts +291 -0
package/template/functions/api/mautic-submit.ts +19 -0
package/template/functions/api/webhook.js +78 -0
package/template/wrangler.toml +3 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@marvalt/digivalt-core",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Core glue logic and shared context for DigiVAlt frontend applications",
   "license": "GPL-3.0-or-later",
   "main": "dist/index.cjs",
@@ -13,11 +13,16 @@
       "require": "./dist/index.cjs"
     }
   },
+  "bin": {
+    "digivalt-init": "./bin/init.cjs"
+  },
   "files": [
     "dist",
     "README.md",
     "LICENSE",
-    "CHANGELOG.md"
+    "CHANGELOG.md",
+    "bin",
+    "template"
   ],
   "type": "module",
   "sideEffects": false,

package/template/.dev.vars.example ADDED Viewed

@@ -0,0 +1,11 @@
+# DigiVAlt Cloudflare Worker Secrets
+# Copy this to .dev.vars and populate for local testing via Wrangler
+# Add the specific API keys needed by your functions/ proxy layers
+MAUTIC_USERNAME=
+MAUTIC_PASSWORD=
+SUITECRM_CLIENT_ID=
+SUITECRM_CLIENT_SECRET=
+GRAVITY_FORMS_CONSUMER_KEY=
+GRAVITY_FORMS_CONSUMER_SECRET=
+WP_APPLICATION_PASSWORD=

package/template/functions/api/fetch-with-access.ts ADDED Viewed

@@ -0,0 +1,41 @@
+export async function onRequest(context: any) {
+  const { request, env } = context;
+  try {
+    const url = new URL(request.url);
+    const target = url.searchParams.get('target');
+    if (!target) return new Response('Missing target', { status: 400 });
+    // Server-side secrets (do NOT expose to browser). Prefer non-VITE names.
+    const clientId = env.CF_ACCESS_CLIENT_ID || env.VITE_CF_ACCESS_CLIENT_ID;
+    const clientSecret = env.CF_ACCESS_CLIENT_SECRET || env.VITE_CF_ACCESS_CLIENT_SECRET;
+    if (!clientId || !clientSecret) {
+      return new Response('Access credentials not configured', { status: 500 });
+    }
+    const method = request.method;
+    const incomingHeaders = new Headers(request.headers);
+    // Strip hop-by-hop and sensitive headers
+    ['host', 'origin', 'referer', 'cookie', 'authorization'].forEach((h) => incomingHeaders.delete(h));
+    // Inject Cloudflare Access service token headers
+    incomingHeaders.set('CF-Access-Client-Id', clientId);
+    incomingHeaders.set('CF-Access-Client-Secret', clientSecret);
+    const init: RequestInit = { method, headers: incomingHeaders };
+    if (method !== 'GET' && method !== 'HEAD') {
+      init.body = await request.arrayBuffer();
+    }
+    const resp = await fetch(target, init);
+    const respHeaders = new Headers(resp.headers);
+    ['set-cookie', 'cf-ray', 'server'].forEach((h) => respHeaders.delete(h));
+    return new Response(resp.body, { status: resp.status, headers: respHeaders });
+  } catch (e: any) {
+    return new Response(`fetch-with-access error: ${e?.message || 'unknown'}`, { status: 500 });
+  }
+}

package/template/functions/api/gravity-forms-submit.ts ADDED Viewed

@@ -0,0 +1,291 @@
+/**
+ * Cloudflare Pages Function for Gravity Forms API proxy
+ *
+ * This function handles WordPress Basic Auth server-side to keep credentials secure.
+ * It provides the same security layers as the Mautic proxy.
+ *
+ * Required environment variables:
+ * - VITE_WORDPRESS_API_URL or WORDPRESS_API_URL: WordPress instance URL
+ * - VITE_WP_API_USERNAME or WP_API_USERNAME: WordPress username
+ * - VITE_WP_APP_PASSWORD or WP_APP_PASSWORD: WordPress application password
+ * - VITE_CF_ACCESS_CLIENT_ID or CF_ACCESS_CLIENT_ID: (Optional) Cloudflare Access client ID
+ * - VITE_CF_ACCESS_CLIENT_SECRET or CF_ACCESS_CLIENT_SECRET: (Optional) Cloudflare Access client secret
+ * - ALLOWED_ORIGINS or VITE_ALLOWED_ORIGINS: Comma-separated list of allowed origins
+ * - TURNSTILE_SECRET_KEY or VITE_TURNSTILE_SECRET_KEY: (Optional) Cloudflare Turnstile secret key
+ */
+/**
+ * Verifies a Cloudflare Turnstile token server-side.
+ */
+async function verifyTurnstile(token: string, secretKey: string): Promise<boolean> {
+  const response = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: `secret=${encodeURIComponent(secretKey)}&response=${encodeURIComponent(token)}`,
+  });
+  const data = await response.json();
+  return data.success;
+}
+export async function onRequest(context: any) {
+  const { request, env } = context;
+  try {
+    const url = new URL(request.url);
+    const endpoint = url.searchParams.get('endpoint');
+    // ============================================
+    // CORS Headers - Always include for OPTIONS preflight
+    // ============================================
+    const origin = request.headers.get('Origin');
+    const referer = request.headers.get('Referer');
+    const allowedOriginsStr = env.ALLOWED_ORIGINS || env.VITE_ALLOWED_ORIGINS || '';
+    const allowedOrigins = allowedOriginsStr
+      .split(',')
+      .map((o: string) => o.trim())
+      .filter(Boolean);
+    if (allowedOrigins.length === 0) {
+      allowedOrigins.push('http://localhost:8080', 'http://localhost:5173');
+      console.log('⚠️  No ALLOWED_ORIGINS configured, defaulting to localhost');
+    }
+    // Check if origin is in allowed list OR is localhost (development)
+    const isLocalhost = origin && (origin.includes('localhost') || origin.includes('127.0.0.1'));
+    const isAllowedOrigin = allowedOrigins.some((allowed: string) =>
+      origin?.startsWith(allowed) || referer?.startsWith(allowed)
+    ) || isLocalhost; // Allow localhost in development
+    // Build CORS headers - always include these
+    const corsHeaders: Record<string, string> = {
+      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type, Authorization, CF-Access-Client-Id, CF-Access-Client-Secret',
+      'Access-Control-Max-Age': '86400',
+    };
+    // Determine the origin to allow
+    let allowedOrigin: string | null = null;
+    if (origin && isAllowedOrigin) {
+      allowedOrigin = origin;
+      if (isLocalhost) {
+        console.log('🔓 Allowing localhost origin in development:', origin);
+      }
+    } else if (referer && isAllowedOrigin) {
+      // Fallback to referer if origin is not present
+      try {
+        allowedOrigin = new URL(referer).origin;
+      } catch (e) {
+        // Invalid referer URL, ignore
+      }
+    } else if (!origin && !referer) {
+      // Allow if no origin/referer (same-origin or direct request)
+      allowedOrigin = '*';
+    }
+    // Set Access-Control-Allow-Origin header
+    if (allowedOrigin) {
+      corsHeaders['Access-Control-Allow-Origin'] = allowedOrigin;
+    }
+    // Handle OPTIONS preflight request
+    if (request.method === 'OPTIONS') {
+      return new Response(null, {
+        status: 204,
+        headers: corsHeaders,
+      });
+    }
+    if (!endpoint) {
+      return new Response('Missing endpoint parameter', {
+        status: 400,
+        headers: corsHeaders,
+      });
+    }
+    // Validate origin for non-OPTIONS requests (use the same check that includes localhost)
+    if ((origin || referer) && !isAllowedOrigin) {
+      console.warn('🚫 Blocked request from unauthorized origin:', origin || referer);
+      return new Response(JSON.stringify({
+        error: 'Forbidden origin',
+        message: 'This endpoint can only be accessed from authorized domains'
+      }), {
+        status: 403,
+        headers: {
+          'Content-Type': 'application/json',
+          ...corsHeaders,
+        }
+      });
+    }
+    // ============================================
+    // SECURITY LAYER 2: Endpoint Whitelisting
+    // ============================================
+    const allowedPatterns = [
+      /^\/forms\/\d+\/submit$/,        // Form submissions only
+    ];
+    const isAllowedEndpoint = allowedPatterns.some(pattern => pattern.test(endpoint));
+    if (!isAllowedEndpoint) {
+      console.warn('🚫 Blocked unauthorized endpoint:', endpoint);
+      return new Response(JSON.stringify({
+        error: 'Forbidden endpoint',
+        message: 'Only form submission endpoints are allowed'
+      }), {
+        status: 403,
+        headers: { 'Content-Type': 'application/json' }
+      });
+    }
+    // ============================================
+    // SECURITY LAYER 3: Turnstile Verification
+    // ============================================
+    const turnstileSecretKey = env.TURNSTILE_SECRET_KEY || env.VITE_TURNSTILE_SECRET_KEY;
+    const turnstileToken = request.headers.get('cf-turnstile-response');
+    // Only verify Turnstile if:
+    // 1. Secret key is configured AND
+    // 2. Request is POST AND
+    // 3. Client sent a token (indicating Turnstile is enabled on the form)
+    if (turnstileSecretKey && request.method === 'POST' && turnstileToken) {
+      const isValid = await verifyTurnstile(turnstileToken, turnstileSecretKey);
+      if (!isValid) {
+        console.warn('🚫 Invalid Turnstile token');
+        return new Response(JSON.stringify({
+          error: 'Verification failed',
+          message: 'Bot verification failed'
+        }), {
+          status: 403,
+          headers: { 'Content-Type': 'application/json' }
+        });
+      }
+      console.log('✅ Turnstile verification passed');
+    } else if (turnstileSecretKey && request.method === 'POST' && !turnstileToken) {
+      // Warn but allow (Turnstile is optional for Gravity Forms)
+      console.warn('⚠️  Turnstile secret key configured but no token provided - allowing request');
+    }
+    // ============================================
+    // SECURITY LAYER 4: WordPress Basic Auth
+    // ============================================
+    const wpUrl = env.VITE_WORDPRESS_API_URL || env.WORDPRESS_API_URL;
+    const username = env.VITE_WP_API_USERNAME || env.WP_API_USERNAME;
+    const password = env.VITE_WP_APP_PASSWORD || env.WP_APP_PASSWORD;
+    if (!wpUrl || !username || !password) {
+      console.error('❌ WordPress credentials not configured', {
+        wpUrl: !!wpUrl,
+        username: !!username,
+        password: !!password
+      });
+      return new Response('WordPress credentials not configured', { status: 500 });
+    }
+    // Create Basic Auth header
+    const authHeader = 'Basic ' + btoa(`${username}:${password}`);
+    const headers: Record<string, string> = {
+      'Authorization': authHeader,
+    };
+    // Preserve Content-Type from original request
+    const contentType = request.headers.get('Content-Type');
+    if (contentType) {
+      headers['Content-Type'] = contentType;
+    }
+    // ============================================
+    // SECURITY LAYER 5: CF Access (Optional)
+    // ============================================
+    const cfAccessClientId = env.CF_ACCESS_CLIENT_ID || env.VITE_CF_ACCESS_CLIENT_ID;
+    const cfAccessClientSecret = env.CF_ACCESS_CLIENT_SECRET || env.VITE_CF_ACCESS_CLIENT_SECRET;
+    if (cfAccessClientId && cfAccessClientSecret) {
+      headers['CF-Access-Client-Id'] = cfAccessClientId;
+      headers['CF-Access-Client-Secret'] = cfAccessClientSecret;
+      console.log('🔐 Added CF Access headers to WordPress request');
+    }
+    // Build target URL
+    const targetUrl = `${wpUrl}/wp-json/gf-api/v1${endpoint}`;
+    const init: RequestInit = {
+      method: request.method,
+      headers,
+    };
+    if (request.method !== 'GET' && request.method !== 'HEAD') {
+      init.body = await request.text();
+    }
+    console.log(`📤 Proxying ${request.method} request to WordPress:`, {
+      endpoint,
+      targetUrl,
+      bodyPreview: init.body ? init.body.substring(0, 200) : 'no body'
+    });
+    const response = await fetch(targetUrl, init);
+    const responseBody = await response.text();
+    console.log(`📥 WordPress response: ${response.status} ${response.statusText}`, {
+      bodyPreview: responseBody.substring(0, 500)
+    });
+    return new Response(responseBody, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: {
+        'Content-Type': response.headers.get('Content-Type') || 'application/json',
+        ...corsHeaders,
+      },
+    });
+  } catch (error: any) {
+    console.error('❌ Gravity Forms proxy error:', error);
+    // Build CORS headers for error response (reuse logic from above)
+    const errorCorsHeaders: Record<string, string> = {
+      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type, Authorization, CF-Access-Client-Id, CF-Access-Client-Secret',
+      'Access-Control-Max-Age': '86400',
+    };
+    const errorOrigin = request.headers.get('Origin');
+    const errorReferer = request.headers.get('Referer');
+    const errorAllowedOriginsStr = env.ALLOWED_ORIGINS || env.VITE_ALLOWED_ORIGINS || '';
+    const errorAllowedOrigins = errorAllowedOriginsStr
+      .split(',')
+      .map((o: string) => o.trim())
+      .filter(Boolean);
+    if (errorAllowedOrigins.length === 0) {
+      errorAllowedOrigins.push('http://localhost:8080', 'http://localhost:5173');
+    }
+    const isErrorAllowedOrigin = errorAllowedOrigins.some((allowed: string) =>
+      errorOrigin?.startsWith(allowed) || errorReferer?.startsWith(allowed)
+    );
+    if (errorOrigin && isErrorAllowedOrigin) {
+      errorCorsHeaders['Access-Control-Allow-Origin'] = errorOrigin;
+    } else if (errorReferer && isErrorAllowedOrigin) {
+      const errorRefererOrigin = new URL(errorReferer).origin;
+      errorCorsHeaders['Access-Control-Allow-Origin'] = errorRefererOrigin;
+    } else if (!errorOrigin && !errorReferer) {
+      errorCorsHeaders['Access-Control-Allow-Origin'] = '*';
+    }
+    return new Response(JSON.stringify({
+      success: false,
+      error: error?.message || 'Unknown error',
+    }), {
+      status: 500,
+      headers: {
+        'Content-Type': 'application/json',
+        ...errorCorsHeaders,
+      },
+    });
+  }
+}

package/template/functions/api/mautic-submit.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Cloudflare Pages Function for Mautic API proxy
+ * Auto-generated by @marvalt/madapter
+ *
+ * This function handles OAuth2 authentication server-side to keep credentials secure.
+ * It is automatically installed when you install @marvalt/madapter.
+ *
+ * Required environment variables (in .env.local):
+ * - VITE_MAUTIC_URL: Your Mautic instance URL
+ * - VITE_MAUTIC_API_PUBLIC_KEY: OAuth2 client ID
+ * - VITE_MAUTIC_API_SECRET_KEY: OAuth2 client secret
+ * - VITE_CF_ACCESS_CLIENT_ID: (Optional) Cloudflare Access client ID
+ * - VITE_CF_ACCESS_CLIENT_SECRET: (Optional) Cloudflare Access client secret
+ */
+import { handleMauticProxy } from '@marvalt/madapter/server';
+export const onRequest = handleMauticProxy;

package/template/functions/api/webhook.js ADDED Viewed

@@ -0,0 +1,78 @@
+export async function onRequestPost(context) {
+  const { request, env } = context;
+  try {
+    console.log('Webhook received:', {
+      method: request.method,
+      url: request.url,
+      headers: Object.fromEntries(request.headers.entries())
+    });
+    // Verify authentication using VITE_FRONTEND_SECRET
+    const authHeader = request.headers.get('Authorization');
+    const expectedSecret = env.VITE_FRONTEND_SECRET;
+    if (!authHeader || !expectedSecret) {
+      console.log('Missing authentication:', {
+        hasAuthHeader: !!authHeader,
+        hasExpectedSecret: !!expectedSecret
+      });
+      return new Response('Unauthorized', { status: 401 });
+    }
+    // Check if the Authorization header matches the expected secret
+    if (authHeader !== `Bearer ${expectedSecret}`) {
+      console.log('Invalid authentication token');
+      return new Response('Unauthorized', { status: 401 });
+    }
+    // Parse the webhook payload
+    const payload = await request.json();
+    console.log('Webhook payload:', payload);
+    // Validate required fields
+    if (!payload.frontend_id || !payload.post_id || !payload.post_type) {
+      console.log('Missing required fields:', payload);
+      return new Response('Bad Request - Missing required fields', { status: 400 });
+    }
+    // Log the webhook details
+    console.log('Webhook processed successfully:', {
+      frontend_id: payload.frontend_id,
+      post_id: payload.post_id,
+      post_type: payload.post_type,
+      action: payload.action || 'update',
+      timestamp: new Date().toISOString()
+    });
+    // For now, we'll just log the webhook
+    // In the future, this could trigger a rebuild or cache invalidation
+    // For Cloudflare Pages, you might want to trigger a deployment webhook
+    return new Response(JSON.stringify({
+      success: true,
+      message: 'Webhook processed successfully',
+      timestamp: new Date().toISOString()
+    }), {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/json'
+      }
+    });
+  } catch (error) {
+    console.error('Webhook error:', error);
+    return new Response(JSON.stringify({
+      success: false,
+      error: error.message
+    }), {
+      status: 500,
+      headers: {
+        'Content-Type': 'application/json'
+      }
+    });
+  }
+}

package/template/wrangler.toml ADDED Viewed

@@ -0,0 +1,3 @@
+name = "digivalt-landing-api"
+pages_build_output_dir = "dist"
+compatibility_date = "2024-03-20"