@marvalt/digivalt-core 0.1.0 → 0.1.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@marvalt/digivalt-core",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Core glue logic and shared context for DigiVAlt frontend applications",
   "license": "GPL-3.0-or-later",
   "main": "dist/index.cjs",
@@ -13,11 +13,16 @@
       "require": "./dist/index.cjs"
     }
   },
+  "bin": {
+    "digivalt-init": "./bin/init.cjs"
+  },
   "files": [
     "dist",
     "README.md",
     "LICENSE",
-    "CHANGELOG.md"
+    "CHANGELOG.md",
+    "bin",
+    "template"
   ],
   "type": "module",
   "sideEffects": false,

package/template/.dev.vars.example

@@ -0,0 +1,11 @@
+# DigiVAlt Cloudflare Worker Secrets
+# Copy this to .dev.vars and populate for local testing via Wrangler
+
+# Add the specific API keys needed by your functions/ proxy layers
+MAUTIC_USERNAME=
+MAUTIC_PASSWORD=
+SUITECRM_CLIENT_ID=
+SUITECRM_CLIENT_SECRET=
+GRAVITY_FORMS_CONSUMER_KEY=
+GRAVITY_FORMS_CONSUMER_SECRET=
+WP_APPLICATION_PASSWORD=

package/template/functions/api/fetch-with-access.ts

@@ -0,0 +1,41 @@
+export async function onRequest(context: any) {
+  const { request, env } = context;
+
+  try {
+    const url = new URL(request.url);
+    const target = url.searchParams.get('target');
+    if (!target) return new Response('Missing target', { status: 400 });
+
+    // Server-side secrets (do NOT expose to browser). Prefer non-VITE names.
+    const clientId = env.CF_ACCESS_CLIENT_ID || env.VITE_CF_ACCESS_CLIENT_ID;
+    const clientSecret = env.CF_ACCESS_CLIENT_SECRET || env.VITE_CF_ACCESS_CLIENT_SECRET;
+
+    if (!clientId || !clientSecret) {
+      return new Response('Access credentials not configured', { status: 500 });
+    }
+
+    const method = request.method;
+    const incomingHeaders = new Headers(request.headers);
+    // Strip hop-by-hop and sensitive headers
+    ['host', 'origin', 'referer', 'cookie', 'authorization'].forEach((h) => incomingHeaders.delete(h));
+
+    // Inject Cloudflare Access service token headers
+    incomingHeaders.set('CF-Access-Client-Id', clientId);
+    incomingHeaders.set('CF-Access-Client-Secret', clientSecret);
+
+    const init: RequestInit = { method, headers: incomingHeaders };
+    if (method !== 'GET' && method !== 'HEAD') {
+      init.body = await request.arrayBuffer();
+    }
+
+    const resp = await fetch(target, init);
+    const respHeaders = new Headers(resp.headers);
+    ['set-cookie', 'cf-ray', 'server'].forEach((h) => respHeaders.delete(h));
+
+    return new Response(resp.body, { status: resp.status, headers: respHeaders });
+  } catch (e: any) {
+    return new Response(`fetch-with-access error: ${e?.message || 'unknown'}`, { status: 500 });
+  }
+}
+
+

package/template/functions/api/gravity-forms-submit.ts

@@ -0,0 +1,291 @@
+/**
+ * Cloudflare Pages Function for Gravity Forms API proxy
+ * 
+ * This function handles WordPress Basic Auth server-side to keep credentials secure.
+ * It provides the same security layers as the Mautic proxy.
+ * 
+ * Required environment variables:
+ * - VITE_WORDPRESS_API_URL or WORDPRESS_API_URL: WordPress instance URL
+ * - VITE_WP_API_USERNAME or WP_API_USERNAME: WordPress username
+ * - VITE_WP_APP_PASSWORD or WP_APP_PASSWORD: WordPress application password
+ * - VITE_CF_ACCESS_CLIENT_ID or CF_ACCESS_CLIENT_ID: (Optional) Cloudflare Access client ID
+ * - VITE_CF_ACCESS_CLIENT_SECRET or CF_ACCESS_CLIENT_SECRET: (Optional) Cloudflare Access client secret
+ * - ALLOWED_ORIGINS or VITE_ALLOWED_ORIGINS: Comma-separated list of allowed origins
+ * - TURNSTILE_SECRET_KEY or VITE_TURNSTILE_SECRET_KEY: (Optional) Cloudflare Turnstile secret key
+ */
+
+/**
+ * Verifies a Cloudflare Turnstile token server-side.
+ */
+async function verifyTurnstile(token: string, secretKey: string): Promise<boolean> {
+  const response = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: `secret=${encodeURIComponent(secretKey)}&response=${encodeURIComponent(token)}`,
+  });
+
+  const data = await response.json();
+  return data.success;
+}
+
+export async function onRequest(context: any) {
+  const { request, env } = context;
+
+  try {
+    const url = new URL(request.url);
+    const endpoint = url.searchParams.get('endpoint');
+    
+    // ============================================
+    // CORS Headers - Always include for OPTIONS preflight
+    // ============================================
+    const origin = request.headers.get('Origin');
+    const referer = request.headers.get('Referer');
+    
+    const allowedOriginsStr = env.ALLOWED_ORIGINS || env.VITE_ALLOWED_ORIGINS || '';
+    const allowedOrigins = allowedOriginsStr
+      .split(',')
+      .map((o: string) => o.trim())
+      .filter(Boolean);
+    
+    if (allowedOrigins.length === 0) {
+      allowedOrigins.push('http://localhost:8080', 'http://localhost:5173');
+      console.log('⚠️  No ALLOWED_ORIGINS configured, defaulting to localhost');
+    }
+    
+    // Check if origin is in allowed list OR is localhost (development)
+    const isLocalhost = origin && (origin.includes('localhost') || origin.includes('127.0.0.1'));
+    const isAllowedOrigin = allowedOrigins.some((allowed: string) => 
+      origin?.startsWith(allowed) || referer?.startsWith(allowed)
+    ) || isLocalhost; // Allow localhost in development
+    
+    // Build CORS headers - always include these
+    const corsHeaders: Record<string, string> = {
+      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type, Authorization, CF-Access-Client-Id, CF-Access-Client-Secret',
+      'Access-Control-Max-Age': '86400',
+    };
+    
+    // Determine the origin to allow
+    let allowedOrigin: string | null = null;
+    if (origin && isAllowedOrigin) {
+      allowedOrigin = origin;
+      if (isLocalhost) {
+        console.log('🔓 Allowing localhost origin in development:', origin);
+      }
+    } else if (referer && isAllowedOrigin) {
+      // Fallback to referer if origin is not present
+      try {
+        allowedOrigin = new URL(referer).origin;
+      } catch (e) {
+        // Invalid referer URL, ignore
+      }
+    } else if (!origin && !referer) {
+      // Allow if no origin/referer (same-origin or direct request)
+      allowedOrigin = '*';
+    }
+    
+    // Set Access-Control-Allow-Origin header
+    if (allowedOrigin) {
+      corsHeaders['Access-Control-Allow-Origin'] = allowedOrigin;
+    }
+    
+    // Handle OPTIONS preflight request
+    if (request.method === 'OPTIONS') {
+      return new Response(null, {
+        status: 204,
+        headers: corsHeaders,
+      });
+    }
+    
+    if (!endpoint) {
+      return new Response('Missing endpoint parameter', { 
+        status: 400,
+        headers: corsHeaders,
+      });
+    }
+    
+    // Validate origin for non-OPTIONS requests (use the same check that includes localhost)
+    if ((origin || referer) && !isAllowedOrigin) {
+      console.warn('🚫 Blocked request from unauthorized origin:', origin || referer);
+      return new Response(JSON.stringify({ 
+        error: 'Forbidden origin',
+        message: 'This endpoint can only be accessed from authorized domains'
+      }), { 
+        status: 403,
+        headers: { 
+          'Content-Type': 'application/json',
+          ...corsHeaders,
+        }
+      });
+    }
+
+    // ============================================
+    // SECURITY LAYER 2: Endpoint Whitelisting
+    // ============================================
+    const allowedPatterns = [
+      /^\/forms\/\d+\/submit$/,        // Form submissions only
+    ];
+    
+    const isAllowedEndpoint = allowedPatterns.some(pattern => pattern.test(endpoint));
+    
+    if (!isAllowedEndpoint) {
+      console.warn('🚫 Blocked unauthorized endpoint:', endpoint);
+      return new Response(JSON.stringify({ 
+        error: 'Forbidden endpoint',
+        message: 'Only form submission endpoints are allowed'
+      }), { 
+        status: 403,
+        headers: { 'Content-Type': 'application/json' }
+      });
+    }
+
+    // ============================================
+    // SECURITY LAYER 3: Turnstile Verification
+    // ============================================
+    const turnstileSecretKey = env.TURNSTILE_SECRET_KEY || env.VITE_TURNSTILE_SECRET_KEY;
+    const turnstileToken = request.headers.get('cf-turnstile-response');
+    
+    // Only verify Turnstile if:
+    // 1. Secret key is configured AND
+    // 2. Request is POST AND
+    // 3. Client sent a token (indicating Turnstile is enabled on the form)
+    if (turnstileSecretKey && request.method === 'POST' && turnstileToken) {
+      const isValid = await verifyTurnstile(turnstileToken, turnstileSecretKey);
+      
+      if (!isValid) {
+        console.warn('🚫 Invalid Turnstile token');
+        return new Response(JSON.stringify({ 
+          error: 'Verification failed',
+          message: 'Bot verification failed'
+        }), { 
+          status: 403,
+          headers: { 'Content-Type': 'application/json' }
+        });
+      }
+      
+      console.log('✅ Turnstile verification passed');
+    } else if (turnstileSecretKey && request.method === 'POST' && !turnstileToken) {
+      // Warn but allow (Turnstile is optional for Gravity Forms)
+      console.warn('⚠️  Turnstile secret key configured but no token provided - allowing request');
+    }
+
+    // ============================================
+    // SECURITY LAYER 4: WordPress Basic Auth
+    // ============================================
+    const wpUrl = env.VITE_WORDPRESS_API_URL || env.WORDPRESS_API_URL;
+    const username = env.VITE_WP_API_USERNAME || env.WP_API_USERNAME;
+    const password = env.VITE_WP_APP_PASSWORD || env.WP_APP_PASSWORD;
+
+    if (!wpUrl || !username || !password) {
+      console.error('❌ WordPress credentials not configured', { 
+        wpUrl: !!wpUrl, 
+        username: !!username, 
+        password: !!password 
+      });
+      return new Response('WordPress credentials not configured', { status: 500 });
+    }
+
+    // Create Basic Auth header
+    const authHeader = 'Basic ' + btoa(`${username}:${password}`);
+
+    const headers: Record<string, string> = {
+      'Authorization': authHeader,
+    };
+
+    // Preserve Content-Type from original request
+    const contentType = request.headers.get('Content-Type');
+    if (contentType) {
+      headers['Content-Type'] = contentType;
+    }
+
+    // ============================================
+    // SECURITY LAYER 5: CF Access (Optional)
+    // ============================================
+    const cfAccessClientId = env.CF_ACCESS_CLIENT_ID || env.VITE_CF_ACCESS_CLIENT_ID;
+    const cfAccessClientSecret = env.CF_ACCESS_CLIENT_SECRET || env.VITE_CF_ACCESS_CLIENT_SECRET;
+
+    if (cfAccessClientId && cfAccessClientSecret) {
+      headers['CF-Access-Client-Id'] = cfAccessClientId;
+      headers['CF-Access-Client-Secret'] = cfAccessClientSecret;
+      console.log('🔐 Added CF Access headers to WordPress request');
+    }
+
+    // Build target URL
+    const targetUrl = `${wpUrl}/wp-json/gf-api/v1${endpoint}`;
+
+    const init: RequestInit = {
+      method: request.method,
+      headers,
+    };
+
+    if (request.method !== 'GET' && request.method !== 'HEAD') {
+      init.body = await request.text();
+    }
+
+    console.log(`📤 Proxying ${request.method} request to WordPress:`, { 
+      endpoint, 
+      targetUrl,
+      bodyPreview: init.body ? init.body.substring(0, 200) : 'no body'
+    });
+
+    const response = await fetch(targetUrl, init);
+
+    const responseBody = await response.text();
+    console.log(`📥 WordPress response: ${response.status} ${response.statusText}`, {
+      bodyPreview: responseBody.substring(0, 500)
+    });
+
+    return new Response(responseBody, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: {
+        'Content-Type': response.headers.get('Content-Type') || 'application/json',
+        ...corsHeaders,
+      },
+    });
+
+  } catch (error: any) {
+    console.error('❌ Gravity Forms proxy error:', error);
+    // Build CORS headers for error response (reuse logic from above)
+    const errorCorsHeaders: Record<string, string> = {
+      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type, Authorization, CF-Access-Client-Id, CF-Access-Client-Secret',
+      'Access-Control-Max-Age': '86400',
+    };
+    const errorOrigin = request.headers.get('Origin');
+    const errorReferer = request.headers.get('Referer');
+    const errorAllowedOriginsStr = env.ALLOWED_ORIGINS || env.VITE_ALLOWED_ORIGINS || '';
+    const errorAllowedOrigins = errorAllowedOriginsStr
+      .split(',')
+      .map((o: string) => o.trim())
+      .filter(Boolean);
+    if (errorAllowedOrigins.length === 0) {
+      errorAllowedOrigins.push('http://localhost:8080', 'http://localhost:5173');
+    }
+    const isErrorAllowedOrigin = errorAllowedOrigins.some((allowed: string) => 
+      errorOrigin?.startsWith(allowed) || errorReferer?.startsWith(allowed)
+    );
+    if (errorOrigin && isErrorAllowedOrigin) {
+      errorCorsHeaders['Access-Control-Allow-Origin'] = errorOrigin;
+    } else if (errorReferer && isErrorAllowedOrigin) {
+      const errorRefererOrigin = new URL(errorReferer).origin;
+      errorCorsHeaders['Access-Control-Allow-Origin'] = errorRefererOrigin;
+    } else if (!errorOrigin && !errorReferer) {
+      errorCorsHeaders['Access-Control-Allow-Origin'] = '*';
+    }
+    
+    return new Response(JSON.stringify({
+      success: false,
+      error: error?.message || 'Unknown error',
+    }), {
+      status: 500,
+      headers: { 
+        'Content-Type': 'application/json',
+        ...errorCorsHeaders,
+      },
+    });
+  }
+}
+

package/template/functions/api/mautic-submit.ts

@@ -0,0 +1,19 @@
+/**
+ * Cloudflare Pages Function for Mautic API proxy
+ * Auto-generated by @marvalt/madapter
+ * 
+ * This function handles OAuth2 authentication server-side to keep credentials secure.
+ * It is automatically installed when you install @marvalt/madapter.
+ * 
+ * Required environment variables (in .env.local):
+ * - VITE_MAUTIC_URL: Your Mautic instance URL
+ * - VITE_MAUTIC_API_PUBLIC_KEY: OAuth2 client ID
+ * - VITE_MAUTIC_API_SECRET_KEY: OAuth2 client secret
+ * - VITE_CF_ACCESS_CLIENT_ID: (Optional) Cloudflare Access client ID
+ * - VITE_CF_ACCESS_CLIENT_SECRET: (Optional) Cloudflare Access client secret
+ */
+
+import { handleMauticProxy } from '@marvalt/madapter/server';
+
+export const onRequest = handleMauticProxy;
+

package/template/functions/api/webhook.js

@@ -0,0 +1,78 @@
+export async function onRequestPost(context) {
+  const { request, env } = context;
+  
+  try {
+    console.log('Webhook received:', {
+      method: request.method,
+      url: request.url,
+      headers: Object.fromEntries(request.headers.entries())
+    });
+    
+    // Verify authentication using VITE_FRONTEND_SECRET
+    const authHeader = request.headers.get('Authorization');
+    const expectedSecret = env.VITE_FRONTEND_SECRET;
+    
+    if (!authHeader || !expectedSecret) {
+      console.log('Missing authentication:', {
+        hasAuthHeader: !!authHeader,
+        hasExpectedSecret: !!expectedSecret
+      });
+      return new Response('Unauthorized', { status: 401 });
+    }
+    
+    // Check if the Authorization header matches the expected secret
+    if (authHeader !== `Bearer ${expectedSecret}`) {
+      console.log('Invalid authentication token');
+      return new Response('Unauthorized', { status: 401 });
+    }
+    
+    // Parse the webhook payload
+    const payload = await request.json();
+    console.log('Webhook payload:', payload);
+    
+    // Validate required fields
+    if (!payload.frontend_id || !payload.post_id || !payload.post_type) {
+      console.log('Missing required fields:', payload);
+      return new Response('Bad Request - Missing required fields', { status: 400 });
+    }
+    
+    // Log the webhook details
+    console.log('Webhook processed successfully:', {
+      frontend_id: payload.frontend_id,
+      post_id: payload.post_id,
+      post_type: payload.post_type,
+      action: payload.action || 'update',
+      timestamp: new Date().toISOString()
+    });
+    
+    // For now, we'll just log the webhook
+    // In the future, this could trigger a rebuild or cache invalidation
+    // For Cloudflare Pages, you might want to trigger a deployment webhook
+    
+    return new Response(JSON.stringify({
+      success: true,
+      message: 'Webhook processed successfully',
+      timestamp: new Date().toISOString()
+    }), {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/json'
+      }
+    });
+    
+  } catch (error) {
+    console.error('Webhook error:', error);
+    return new Response(JSON.stringify({
+      success: false,
+      error: error.message
+    }), {
+      status: 500,
+      headers: {
+        'Content-Type': 'application/json'
+      }
+    });
+  }
+}
+
+
+

package/template/scripts/deploy-secrets.js

@@ -0,0 +1,85 @@
+import fs from 'fs';
+import path from 'path';
+import { execSync } from 'child_process';
+
+/**
+ * 🚀 DigiVAlt Cloudflare Secrets Deployer
+ * 
+ * Automates the synchronization of local .env.local variables 
+ * securely straight into your Cloudflare Pages environment 
+ * using Wrangler bulk secret injection.
+ */
+
+const envPath = path.resolve(process.cwd(), '.env.local');
+
+if (!fs.existsSync(envPath)) {
+  console.error("❌ No .env.local file found in the root directory!");
+  console.log("👉 Please create a .env.local file with your production secrets.");
+  process.exit(1);
+}
+
+console.log("🔍 Parsing .env.local secrets...");
+const rawEnv = fs.readFileSync(envPath, 'utf8');
+const secrets = {};
+
+rawEnv.split('\n').forEach(line => {
+  const trimmed = line.trim();
+  // Ignore comments and empty lines
+  if (!trimmed || trimmed.startsWith('#')) return;
+  
+  const match = trimmed.match(/^([^=]+)=(.*)$/);
+  if (match) {
+    const key = match[1].trim();
+    let value = match[2].trim();
+    
+    // Strip surrounding quotes if present
+    if (value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
+    if (value.startsWith("'") && value.endsWith("'")) value = value.slice(1, -1);
+    
+    secrets[key] = value;
+  }
+});
+
+const secretCount = Object.keys(secrets).length;
+if (secretCount === 0) {
+  console.log("⚠️ No valid SECRETS found in .env.local. Exiting.");
+  process.exit(0);
+}
+
+const tmpJsonPath = path.resolve(process.cwd(), '.tmp-cloudflare-secrets.json');
+fs.writeFileSync(tmpJsonPath, JSON.stringify(secrets, null, 2));
+
+try {
+  console.log(`🚀 Uploading ${secretCount} secrets to Cloudflare Pages...`);
+  
+  // Try to read the Cloudflare project name from wrangler.toml
+  const tomlPath = path.resolve(process.cwd(), 'wrangler.toml');
+  let projectName = '';
+  
+  if (fs.existsSync(tomlPath)) {
+    const tomlContent = fs.readFileSync(tomlPath, 'utf8');
+    const nameMatch = tomlContent.match(/^name\s*=\s*"([^"]+)"/m);
+    if (nameMatch) {
+      projectName = nameMatch[1];
+      console.log(`📦 Targeted Cloudflare Project: ${projectName}`);
+    }
+  }
+  
+  const cmd = projectName 
+    ? `npx wrangler pages secret bulk .tmp-cloudflare-secrets.json --project-name ${projectName}`
+    : `npx wrangler pages secret bulk .tmp-cloudflare-secrets.json`;
+    
+  // Execute Wrangler natively
+  execSync(cmd, { stdio: 'inherit' });
+  console.log("✅ All secrets deployed successfully to Cloudflare!");
+  
+} catch (error) {
+  console.error("❌ Failed to push secrets to Cloudflare.");
+  console.error("Ensure you are logged into Wrangler (`npx wrangler login`) and the project exists.");
+} finally {
+  // Always rigorously clean up the temporary plaintext JSON file for security
+  if (fs.existsSync(tmpJsonPath)) {
+    fs.unlinkSync(tmpJsonPath);
+    console.log("🧹 Cleaned up temporary credentials payload.");
+  }
+}

package/template/wrangler.toml

@@ -0,0 +1,3 @@
+name = "digivalt-landing-api"
+pages_build_output_dir = "dist"
+compatibility_date = "2024-03-20"