@mpen/routekit 0.1.0 → 0.1.2

package/src/router/middleware/cors.ts

@@ -1,490 +0,0 @@
-import { CommonHeaders, HttpStatus, HttpMethod } from '@mpen/http'
-import type {
-    AnyContext,
-    HandlerFinalResult,
-    HandlerYield,
-    MaybePromise,
-    OneOrMany,
-    RequestContext,
-} from '../types'
-import { isLocalhost } from '../lib/host'
-import type { RouterBodyInit } from '../fetch-types'
-import {
-    headers as headersDirective,
-    isChunkDirective,
-    isHeadersDirective,
-    isHeadDirective,
-    isResponseBodyInit,
-    isRoutekitResponse,
-    isStreamDirective,
-    response,
-} from '../response'
-import { empty } from '../response/formats/content'
-import { defineMiddleware, type DeclaredMiddleware } from './define'
-
-type CorsOriginResolver<Ctx extends object> = (
-    origin: string | null,
-    ctx: RequestContext<Ctx>,
-) => MaybePromise<string | null | undefined | false>
-
-type CorsMethodsResolver<Ctx extends object> = (
-    origin: string | null,
-    ctx: RequestContext<Ctx>,
-) => MaybePromise<OneOrMany<string>>
-
-type AllowedOriginEntry =
-    | { kind: 'origin'; value: string }
-    | { kind: 'host'; value: string }
-    | { kind: 'regex'; value: RegExp }
-    | { kind: 'null' }
-
-export interface CorsOptions<Ctx extends object = AnyContext> {
-    /**
-     * Allowed origin(s) for cross-origin requests.
-     * Use `'*'` to allow all origins.
-     */
-    origin: OneOrMany<string | URL | RegExp> | CorsOriginResolver<Ctx>
-    /**
-     * Allowed methods to echo in preflight responses.
-     */
-    allowMethods?: OneOrMany<string> | CorsMethodsResolver<Ctx>
-    /**
-     * Allowed headers to echo in preflight responses.
-     */
-    allowHeaders?: OneOrMany<string>
-    /**
-     * Response headers that should be exposed to the browser.
-     */
-    exposeHeaders?: OneOrMany<string>
-    /**
-     * Max age (seconds) for caching preflight responses.
-     */
-    maxAge?: number
-    /**
-     * Whether to set Access-Control-Allow-Credentials.
-     */
-    credentials?: boolean
-    /**
-     * Allow localhost and loopback origins for local development.
-     */
-    allowLocalhost?: boolean
-    /**
-     * Convenience flag that enables localhost allowances.
-     */
-    dev?: boolean
-    /**
-     * HTTP status to use for preflight responses.
-     */
-    preflightStatus?: number
-}
-
-const headerOrigin = CommonHeaders.ORIGIN
-const headerVary = CommonHeaders.VARY
-const headerAccessControlRequestMethod = CommonHeaders.ACCESS_CONTROL_REQUEST_METHOD
-const headerAccessControlRequestHeaders = CommonHeaders.ACCESS_CONTROL_REQUEST_HEADERS
-const headerAllowOrigin = CommonHeaders.ACCESS_CONTROL_ALLOW_ORIGIN
-const headerAllowMethods = CommonHeaders.ACCESS_CONTROL_ALLOW_METHODS
-const headerAllowHeaders = CommonHeaders.ACCESS_CONTROL_ALLOW_HEADERS
-const headerAllowCredentials = CommonHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS
-const headerExposeHeaders = CommonHeaders.ACCESS_CONTROL_EXPOSE_HEADERS
-const headerMaxAge = CommonHeaders.ACCESS_CONTROL_MAX_AGE
-
-const defaultAllowedMethods: OneOrMany<string> = [
-    HttpMethod.GET,
-    HttpMethod.HEAD,
-    HttpMethod.PUT,
-    HttpMethod.POST,
-    HttpMethod.DELETE,
-    HttpMethod.PATCH,
-]
-
-function normalizeHeaderValue(value: string | null): string | null {
-    if (!value) return null
-    const trimmed = value.trim()
-    return trimmed ? trimmed : null
-}
-
-function normalizeOriginHeader(value: string | null): string | null {
-    return normalizeHeaderValue(value)
-}
-
-function parseOrigin(originHeader: string | null): URL | null {
-    if (!originHeader || originHeader === 'null') return null
-    try {
-        return new URL(originHeader)
-    } catch {
-        return null
-    }
-}
-
-function normalizeList(value?: OneOrMany<string>): string[] {
-    if (!value) return []
-    const list = Array.isArray(value) ? value : [value]
-    return list.map((entry) => entry.trim()).filter(Boolean)
-}
-
-function normalizeMethods(value?: OneOrMany<string>): string[] {
-    return normalizeList(value).map((entry) => entry.toUpperCase())
-}
-
-function formatHeaderList(value?: OneOrMany<string>): string | null {
-    const list = normalizeList(value)
-    if (!list.length) return null
-    return list.join(', ')
-}
-
-function formatMethodList(value?: OneOrMany<string>): string | null {
-    const list = normalizeMethods(value)
-    if (!list.length) return null
-    return list.join(', ')
-}
-
-function normalizeAllowedOrigins(value?: OneOrMany<string | URL | RegExp>): AllowedOriginEntry[] {
-    if (!value) return []
-    const list = Array.isArray(value) ? value : [value]
-    const normalized: AllowedOriginEntry[] = []
-    for (const entry of list) {
-        if (entry instanceof RegExp) {
-            normalized.push({ kind: 'regex', value: entry })
-            continue
-        }
-        if (entry instanceof URL) {
-            normalized.push({ kind: 'origin', value: entry.origin })
-            continue
-        }
-        const trimmed = entry.trim()
-        if (!trimmed) continue
-        if (trimmed === 'null') {
-            normalized.push({ kind: 'null' })
-            continue
-        }
-        if (trimmed.includes('://')) {
-            try {
-                normalized.push({ kind: 'origin', value: new URL(trimmed).origin })
-            } catch {
-                continue
-            }
-        } else {
-            normalized.push({ kind: 'host', value: trimmed.replace(/\/+$/, '') })
-        }
-    }
-    return normalized
-}
-
-function hasWildcardOrigin(value?: OneOrMany<string | URL | RegExp>): boolean {
-    if (!value) return false
-    if (!Array.isArray(value)) {
-        return typeof value === 'string' && value.trim() === '*'
-    }
-    return value.some((entry) => typeof entry === 'string' && entry.trim() === '*')
-}
-
-function isOriginAllowed(
-    originHeader: string | null,
-    originUrl: URL | null,
-    allowlist: AllowedOriginEntry[],
-    allowLocalhost: boolean,
-): boolean {
-    if (!originHeader) return false
-    if (originHeader === 'null') {
-        return allowlist.some((entry) => entry.kind === 'null')
-    }
-    if (originUrl && allowLocalhost && isLocalhost(originUrl.hostname)) return true
-    for (const entry of allowlist) {
-        if (entry.kind === 'regex') {
-            if (entry.value.test(originHeader)) return true
-            continue
-        }
-        if (!originUrl) continue
-        if (entry.kind === 'origin') {
-            if (originUrl.origin === entry.value) return true
-            continue
-        }
-        if (entry.kind === 'host') {
-            if (entry.value.includes(':')) {
-                if (originUrl.host === entry.value) return true
-            } else if (originUrl.hostname === entry.value) {
-                return true
-            }
-        }
-    }
-    return false
-}
-
-function addVaryHeader(headers: Headers, value: string): void {
-    const current = headers.get(headerVary)
-    if (!current) {
-        headers.set(headerVary, value)
-        return
-    }
-    const existing = current.split(',').map((entry) => entry.trim().toLowerCase())
-    if (existing.includes(value.toLowerCase())) return
-    headers.set(headerVary, `${current}, ${value}`)
-}
-
-function applyCorsHeaders(
-    headers: Headers,
-    allowOrigin: string,
-    allowCredentials: boolean,
-    exposeHeaders?: OneOrMany<string>,
-    varyOrigin?: boolean,
-): void {
-    headers.set(headerAllowOrigin, allowOrigin)
-    if (allowCredentials) {
-        headers.set(headerAllowCredentials, 'true')
-    }
-    const expose = formatHeaderList(exposeHeaders)
-    if (expose) {
-        headers.set(headerExposeHeaders, expose)
-    }
-    if (varyOrigin) {
-        addVaryHeader(headers, 'Origin')
-    }
-}
-
-function isAsyncGenerator(
-    value: unknown,
-): value is AsyncGenerator<HandlerYield, HandlerFinalResult> {
-    return (
-        !!value &&
-        typeof (value as AsyncGenerator<HandlerYield, HandlerFinalResult>)[Symbol.asyncIterator] ===
-            'function'
-    )
-}
-
-function wrapGeneratorWithCors(
-    generator: AsyncGenerator<HandlerYield, HandlerFinalResult>,
-    allowOrigin: string,
-    allowCredentials: boolean,
-    exposeHeaders: OneOrMany<string> | undefined,
-    varyOrigin: boolean,
-): AsyncGenerator<HandlerYield, HandlerFinalResult> {
-    const apply = (headers: Headers) => {
-        applyCorsHeaders(headers, allowOrigin, allowCredentials, exposeHeaders, varyOrigin)
-    }
-
-    async function* wrapped(): AsyncGenerator<HandlerYield, HandlerFinalResult> {
-        let headersInjected = false
-        while (true) {
-            const next = await generator.next()
-            if (next.done) {
-                if (!headersInjected) {
-                    const headers = new Headers()
-                    apply(headers)
-                    yield headersDirective(headers)
-                }
-                return next.value
-            }
-            const value = next.value
-            if (isHeadersDirective(value)) {
-                const headers = new Headers(value.headers)
-                apply(headers)
-                headersInjected = true
-                yield headersDirective(headers)
-                continue
-            }
-            if (isHeadDirective(value)) {
-                const headers = new Headers(value.headers)
-                apply(headers)
-                headersInjected = true
-                yield { ...value, headers }
-                continue
-            }
-            if (isStreamDirective(value)) {
-                const headers = new Headers(value.headers)
-                apply(headers)
-                headersInjected = true
-                yield { ...value, headers }
-                continue
-            }
-            if (!headersInjected && isChunkDirective(value)) {
-                const headers = new Headers()
-                apply(headers)
-                headersInjected = true
-                yield headersDirective(headers)
-            }
-            yield value
-        }
-    }
-
-    return wrapped()
-}
-
-/**
- * Attach CORS response headers and handle OPTIONS preflight requests.
- *
- * @example
- * ```ts
- * router.use(cors({origin: '*'}))
- * router.use(cors({origin: ['https://app.example.com'], credentials: true}))
- * router.use(cors({origin: 'https://app.example.com', dev: true}))
- * ```
- *
- * @param options - Configuration for origin, preflight, and header behavior.
- * @returns Middleware that applies CORS headers to matching requests.
- */
-export function cors<Ctx extends object = AnyContext>(
-    options: CorsOptions<Ctx>,
-): DeclaredMiddleware<{}, Ctx> {
-    const allowCredentials = options.credentials ?? false
-    const allowLocalhost = options.allowLocalhost ?? options.dev ?? false
-    const originOption = options.origin
-    const originResolver = typeof originOption === 'function' ? originOption : undefined
-    const originList = originResolver
-        ? undefined
-        : (originOption as OneOrMany<string | URL | RegExp>)
-    const allowlist = originList ? normalizeAllowedOrigins(originList) : []
-    const hasWildcard = originList ? hasWildcardOrigin(originList) : false
-    const preflightStatus = options.preflightStatus ?? HttpStatus.NO_CONTENT
-
-    return defineMiddleware({
-        responses: {
-            [preflightStatus]: {
-                schema: { type: 'null' },
-                parse(value: unknown): undefined {
-                    if (value !== undefined) {
-                        throw new TypeError('CORS preflight responses must not contain a body.')
-                    }
-                    return undefined
-                },
-            },
-        },
-        schemaAppliesTo: ({ method }) =>
-            Array.isArray(method)
-                ? method.includes(HttpMethod.OPTIONS)
-                : method === HttpMethod.OPTIONS,
-        async run(ctx, { next, forward, respond }) {
-            const originHeader = normalizeOriginHeader(ctx.request.headers.get(headerOrigin))
-            const originUrl = parseOrigin(originHeader)
-
-            let allowOrigin: string | null = null
-            let varyOrigin = false
-
-            if (originResolver) {
-                const resolved = await originResolver(originHeader, ctx)
-                if (resolved) {
-                    const normalized = String(resolved).trim()
-                    if (normalized === '*') {
-                        if (allowCredentials && originHeader) {
-                            allowOrigin = originUrl?.origin ?? originHeader
-                            varyOrigin = true
-                        } else if (!allowCredentials) {
-                            allowOrigin = '*'
-                        }
-                    } else if (normalized) {
-                        allowOrigin = normalized
-                        varyOrigin = Boolean(originHeader)
-                    }
-                }
-            } else if (hasWildcard) {
-                if (allowCredentials && originHeader) {
-                    allowOrigin = originUrl?.origin ?? originHeader
-                    varyOrigin = true
-                } else if (!allowCredentials) {
-                    allowOrigin = '*'
-                }
-            } else if (
-                originHeader &&
-                isOriginAllowed(originHeader, originUrl, allowlist, allowLocalhost)
-            ) {
-                allowOrigin = originUrl?.origin ?? originHeader
-                varyOrigin = true
-            }
-
-            const isPreflight =
-                ctx.request.method.toUpperCase() === 'OPTIONS' &&
-                ctx.request.headers.has(headerAccessControlRequestMethod)
-
-            if (isPreflight) {
-                if (!allowOrigin) {
-                    return respond(empty(preflightStatus))
-                }
-                const headers = new Headers()
-                applyCorsHeaders(headers, allowOrigin, allowCredentials, undefined, varyOrigin)
-
-                const allowMethods =
-                    typeof options.allowMethods === 'function'
-                        ? await options.allowMethods(originHeader, ctx)
-                        : (options.allowMethods ?? defaultAllowedMethods)
-                const allowMethodsValue = formatMethodList(allowMethods)
-                if (allowMethodsValue) {
-                    headers.set(headerAllowMethods, allowMethodsValue)
-                }
-
-                const requestHeaders = normalizeHeaderValue(
-                    ctx.request.headers.get(headerAccessControlRequestHeaders),
-                )
-                const allowHeadersValue = formatHeaderList(
-                    options.allowHeaders ?? requestHeaders ?? undefined,
-                )
-                if (allowHeadersValue) {
-                    headers.set(headerAllowHeaders, allowHeadersValue)
-                }
-
-                if (options.maxAge != null) {
-                    headers.set(headerMaxAge, String(options.maxAge))
-                }
-                return respond(empty(preflightStatus, { headers }))
-            }
-
-            const result = await next()
-            if (!allowOrigin) return forward(result)
-
-            if (result instanceof Response) {
-                applyCorsHeaders(
-                    result.headers,
-                    allowOrigin,
-                    allowCredentials,
-                    options.exposeHeaders,
-                    varyOrigin,
-                )
-                return forward(result)
-            }
-
-            if (isRoutekitResponse(result)) {
-                applyCorsHeaders(
-                    result.headers,
-                    allowOrigin,
-                    allowCredentials,
-                    options.exposeHeaders,
-                    varyOrigin,
-                )
-                return forward(result)
-            }
-
-            if (isAsyncGenerator(result)) {
-                return forward(
-                    wrapGeneratorWithCors(
-                        result,
-                        allowOrigin,
-                        allowCredentials,
-                        options.exposeHeaders,
-                        varyOrigin,
-                    ),
-                )
-            }
-
-            if (result != null && isResponseBodyInit(result)) {
-                const headers = new Headers()
-                applyCorsHeaders(
-                    headers,
-                    allowOrigin,
-                    allowCredentials,
-                    options.exposeHeaders,
-                    varyOrigin,
-                )
-                return forward(new Response(result as RouterBodyInit, { headers }))
-            }
-
-            const headers = new Headers()
-            applyCorsHeaders(
-                headers,
-                allowOrigin,
-                allowCredentials,
-                options.exposeHeaders,
-                varyOrigin,
-            )
-            return forward(response(result, { headers }))
-        },
-    })
-}

package/src/router/middleware/csrf.test.ts

@@ -1,106 +0,0 @@
-#!/usr/bin/env -S bun test
-import { describe, expect, it } from 'bun:test'
-import { HttpMethod, HttpStatus } from '@mpen/http'
-import { Router } from '../router'
-import { csrf } from './csrf'
-
-describe(csrf.name, () => {
-    it('allows same-site fetch requests by default', async () => {
-        const router = new Router()
-        router.use(csrf())
-        router.add({
-            method: HttpMethod.POST,
-            path: '/submit',
-            handler: () => new Response('ok'),
-        })
-
-        const request = new Request('https://api.example.com/submit', {
-            method: HttpMethod.POST,
-            headers: {
-                origin: 'https://app.example.com',
-                'sec-fetch-dest': 'empty',
-                'sec-fetch-mode': 'cors',
-                'sec-fetch-site': 'same-site',
-            },
-        })
-
-        const response = await router.fetch(request)
-
-        expect(response.status).toBe(HttpStatus.OK)
-    })
-
-    it('rejects cross-site origins by default', async () => {
-        const router = new Router()
-        router.use(csrf())
-        router.add({
-            method: HttpMethod.POST,
-            path: '/submit',
-            handler: () => new Response('ok'),
-        })
-
-        const request = new Request('https://api.example.com/submit', {
-            method: HttpMethod.POST,
-            headers: {
-                origin: 'https://evil.example',
-                'sec-fetch-dest': 'empty',
-                'sec-fetch-mode': 'cors',
-                'sec-fetch-site': 'cross-site',
-            },
-        })
-
-        const response = await router.fetch(request)
-
-        expect(response.status).toBe(HttpStatus.FORBIDDEN)
-    })
-
-    it('allows whitelisted origins even when cross-site', async () => {
-        const router = new Router()
-        router.use(csrf({ allowedOrigins: ['https://evil.example'] }))
-        router.add({
-            method: HttpMethod.POST,
-            path: '/submit',
-            handler: () => new Response('ok'),
-        })
-
-        const request = new Request('https://api.example.com/submit', {
-            method: HttpMethod.POST,
-            headers: {
-                origin: 'https://evil.example',
-                'sec-fetch-dest': 'empty',
-                'sec-fetch-mode': 'cors',
-                'sec-fetch-site': 'cross-site',
-            },
-        })
-
-        const response = await router.fetch(request)
-
-        expect(response.status).toBe(HttpStatus.OK)
-    })
-
-    it('allows local dev requests without fetch metadata or origin when dev is enabled', async () => {
-        const router = new Router()
-        router.use(csrf({ dev: true }))
-        router.add({
-            method: HttpMethod.POST,
-            path: '/submit',
-            handler: () => new Response('ok'),
-        })
-
-        const request = new Request('http://localhost:8787/submit', {
-            method: HttpMethod.POST,
-        })
-
-        const response = await router.fetch(request)
-
-        expect(response.status).toBe(HttpStatus.OK)
-    })
-
-    it('declares its rejection response on affected routes', () => {
-        const router = new Router().use(csrf())
-        router.add({ method: HttpMethod.POST, path: '/submit', handler: () => new Response() })
-
-        expect(router.getRoutes()[0]?.schema?.response?.body).toEqual({
-            [HttpStatus.FORBIDDEN]: { type: 'string' },
-        })
-    })
-})