@objectstack/plugin-hono-server 4.0.2 → 4.0.4

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @objectstack/plugin-hono-server@4.0.2 build /home/runner/work/framework/framework/packages/plugins/plugin-hono-server
+> @objectstack/plugin-hono-server@4.0.4 build /home/runner/work/framework/framework/packages/plugins/plugin-hono-server
 > tsup --config ../../../tsup.config.ts
 
 CLI Building entry: src/index.ts
@@ -10,13 +10,13 @@
 CLI Cleaning output folder
 ESM Build start
 CJS Build start
-ESM dist/index.mjs     14.58 KB
-ESM dist/index.mjs.map 29.19 KB
-ESM ⚡️ Build success in 89ms
-CJS dist/index.js     15.52 KB
-CJS dist/index.js.map 29.18 KB
-CJS ⚡️ Build success in 90ms
+ESM dist/index.mjs     17.42 KB
+ESM dist/index.mjs.map 36.85 KB
+ESM ⚡️ Build success in 102ms
+CJS dist/index.js     18.38 KB
+CJS dist/index.js.map 36.84 KB
+CJS ⚡️ Build success in 104ms
 DTS Build start
-DTS ⚡️ Build success in 18725ms
-DTS dist/index.d.mts 3.29 KB
-DTS dist/index.d.ts  3.29 KB
+DTS ⚡️ Build success in 19746ms
+DTS dist/index.d.mts 3.39 KB
+DTS dist/index.d.ts  3.39 KB

package/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @objectstack/plugin-hono-server
 
+## 4.0.4
+
+### Patch Changes
+
+- Updated dependencies [326b66b]
+  - @objectstack/spec@4.0.4
+  - @objectstack/core@4.0.4
+
+## 4.0.3
+
+### Patch Changes
+
+- @objectstack/spec@4.0.3
+- @objectstack/core@4.0.3
+
 ## 4.0.2
 
 ### Patch Changes

package/README.md

@@ -8,6 +8,7 @@ HTTP Server adapter for ObjectStack using Hono.
 - **Fast**: Built on Hono, a high-performance web framework.
 - **Full Protocol Support**: Automatically provides all ObjectStack Runtime endpoints (Auth, Data, Metadata, etc.).
 - **Middleware**: Supports standard Hono middleware.
+- **Wildcard CORS**: Supports wildcard patterns in CORS origins (compatible with better-auth).
 
 ## Usage
 
@@ -18,7 +19,7 @@ import { HonoServerPlugin } from '@objectstack/plugin-hono-server';
 const kernel = new ObjectKernel();
 
 // Register the server plugin
-kernel.use(new HonoServerPlugin({ 
+kernel.use(new HonoServerPlugin({
   port: 3000,
   restConfig: {
       api: {
@@ -30,6 +31,75 @@ kernel.use(new HonoServerPlugin({
 await kernel.start();
 ```
 
+## CORS Configuration
+
+The Hono server plugin supports flexible CORS configuration with wildcard pattern matching.
+
+### Basic CORS
+
+```typescript
+kernel.use(new HonoServerPlugin({
+  port: 3000,
+  cors: {
+    origins: ['https://app.example.com'],
+    credentials: true
+  }
+}));
+```
+
+### Wildcard Patterns (better-auth compatible)
+
+```typescript
+// Subdomain wildcards
+kernel.use(new HonoServerPlugin({
+  cors: {
+    origins: ['https://*.objectui.org', 'https://*.objectstack.ai'],
+    credentials: true
+  }
+}));
+
+// Port wildcards (useful for development)
+kernel.use(new HonoServerPlugin({
+  cors: {
+    origins: 'http://localhost:*'
+  }
+}));
+
+// Comma-separated patterns
+kernel.use(new HonoServerPlugin({
+  cors: {
+    origins: 'https://*.objectui.org,https://*.objectstack.ai,http://localhost:*'
+  }
+}));
+```
+
+### Environment Variables
+
+CORS can also be configured via environment variables:
+
+```bash
+# Single origin
+CORS_ORIGIN=https://app.example.com
+
+# Wildcard patterns (comma-separated)
+CORS_ORIGIN=https://*.objectui.org,https://*.objectstack.ai
+
+# Disable CORS
+CORS_ENABLED=false
+
+# Additional options
+CORS_CREDENTIALS=true
+CORS_MAX_AGE=86400
+```
+
+### Disable CORS
+
+```typescript
+kernel.use(new HonoServerPlugin({
+  cors: false  // Completely disable CORS
+}));
+```
+
 ## Architecture
 
 This plugin wraps `@objectstack/hono` to provide a turnkey HTTP server solution for the Runtime. It binds the standard `HttpDispatcher` to a Hono application and starts listening on the configured port.

package/dist/index.d.mts

@@ -1,9 +1,44 @@
-import { Plugin, PluginContext, IHttpServer, RouteHandler, Middleware } from '@objectstack/core';
+import { IHttpServer, RouteHandler, Middleware, Plugin, PluginContext } from '@objectstack/core';
 export * from '@objectstack/core';
 import { RestServerConfig } from '@objectstack/spec/api';
 import * as hono_types from 'hono/types';
 import { Hono } from 'hono';
 
+interface HonoCorsOptions {
+    enabled?: boolean;
+    origins?: string | string[];
+    methods?: string[];
+    credentials?: boolean;
+    maxAge?: number;
+}
+/**
+ * Hono Implementation of IHttpServer
+ */
+declare class HonoHttpServer implements IHttpServer {
+    private port;
+    private staticRoot?;
+    private app;
+    private server;
+    private listeningPort;
+    constructor(port?: number, staticRoot?: string | undefined);
+    private wrap;
+    get(path: string, handler: RouteHandler): void;
+    post(path: string, handler: RouteHandler): void;
+    put(path: string, handler: RouteHandler): void;
+    delete(path: string, handler: RouteHandler): void;
+    patch(path: string, handler: RouteHandler): void;
+    use(pathOrHandler: string | Middleware, handler?: Middleware): void;
+    /**
+     * Mount a sub-application or router
+     */
+    mount(path: string, subApp: Hono): void;
+    listen(port: number): Promise<void>;
+    private tryListen;
+    getPort(): number;
+    getRawApp(): Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
+    close(): Promise<void>;
+}
+
 interface StaticMount {
     root: string;
     path?: string;
@@ -38,17 +73,14 @@ interface HonoPluginOptions {
      * @default false
      */
     spaFallback?: boolean;
+    /**
+     * CORS configuration. Set to `false` to disable entirely.
+     * Enabled by default with origin '*'.
+     * Can also be controlled via environment variables:
+     *   CORS_ENABLED, CORS_ORIGIN, CORS_CREDENTIALS, CORS_MAX_AGE
+     */
+    cors?: HonoCorsOptions | false;
 }
-/**
- * Hono Server Plugin
- *
- * Provides HTTP server capabilities using Hono framework.
- * Registers the IHttpServer service so other plugins can register routes.
- *
- * Route registration is handled by plugins:
- * - `@objectstack/rest` → CRUD, metadata, discovery, UI, batch
- * - `createDispatcherPlugin()` → auth, graphql, analytics, packages, etc.
- */
 declare class HonoServerPlugin implements Plugin {
     name: string;
     type: string;
@@ -78,32 +110,4 @@ declare class HonoServerPlugin implements Plugin {
     destroy(): Promise<void>;
 }
 
-/**
- * Hono Implementation of IHttpServer
- */
-declare class HonoHttpServer implements IHttpServer {
-    private port;
-    private staticRoot?;
-    private app;
-    private server;
-    private listeningPort;
-    constructor(port?: number, staticRoot?: string | undefined);
-    private wrap;
-    get(path: string, handler: RouteHandler): void;
-    post(path: string, handler: RouteHandler): void;
-    put(path: string, handler: RouteHandler): void;
-    delete(path: string, handler: RouteHandler): void;
-    patch(path: string, handler: RouteHandler): void;
-    use(pathOrHandler: string | Middleware, handler?: Middleware): void;
-    /**
-     * Mount a sub-application or router
-     */
-    mount(path: string, subApp: Hono): void;
-    listen(port: number): Promise<void>;
-    private tryListen;
-    getPort(): number;
-    getRawApp(): Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
-    close(): Promise<void>;
-}
-
-export { HonoHttpServer, type HonoPluginOptions, HonoServerPlugin, type StaticMount };
+export { type HonoCorsOptions, HonoHttpServer, type HonoPluginOptions, HonoServerPlugin, type StaticMount };

package/dist/index.d.ts

@@ -1,9 +1,44 @@
-import { Plugin, PluginContext, IHttpServer, RouteHandler, Middleware } from '@objectstack/core';
+import { IHttpServer, RouteHandler, Middleware, Plugin, PluginContext } from '@objectstack/core';
 export * from '@objectstack/core';
 import { RestServerConfig } from '@objectstack/spec/api';
 import * as hono_types from 'hono/types';
 import { Hono } from 'hono';
 
+interface HonoCorsOptions {
+    enabled?: boolean;
+    origins?: string | string[];
+    methods?: string[];
+    credentials?: boolean;
+    maxAge?: number;
+}
+/**
+ * Hono Implementation of IHttpServer
+ */
+declare class HonoHttpServer implements IHttpServer {
+    private port;
+    private staticRoot?;
+    private app;
+    private server;
+    private listeningPort;
+    constructor(port?: number, staticRoot?: string | undefined);
+    private wrap;
+    get(path: string, handler: RouteHandler): void;
+    post(path: string, handler: RouteHandler): void;
+    put(path: string, handler: RouteHandler): void;
+    delete(path: string, handler: RouteHandler): void;
+    patch(path: string, handler: RouteHandler): void;
+    use(pathOrHandler: string | Middleware, handler?: Middleware): void;
+    /**
+     * Mount a sub-application or router
+     */
+    mount(path: string, subApp: Hono): void;
+    listen(port: number): Promise<void>;
+    private tryListen;
+    getPort(): number;
+    getRawApp(): Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
+    close(): Promise<void>;
+}
+
 interface StaticMount {
     root: string;
     path?: string;
@@ -38,17 +73,14 @@ interface HonoPluginOptions {
      * @default false
      */
     spaFallback?: boolean;
+    /**
+     * CORS configuration. Set to `false` to disable entirely.
+     * Enabled by default with origin '*'.
+     * Can also be controlled via environment variables:
+     *   CORS_ENABLED, CORS_ORIGIN, CORS_CREDENTIALS, CORS_MAX_AGE
+     */
+    cors?: HonoCorsOptions | false;
 }
-/**
- * Hono Server Plugin
- *
- * Provides HTTP server capabilities using Hono framework.
- * Registers the IHttpServer service so other plugins can register routes.
- *
- * Route registration is handled by plugins:
- * - `@objectstack/rest` → CRUD, metadata, discovery, UI, batch
- * - `createDispatcherPlugin()` → auth, graphql, analytics, packages, etc.
- */
 declare class HonoServerPlugin implements Plugin {
     name: string;
     type: string;
@@ -78,32 +110,4 @@ declare class HonoServerPlugin implements Plugin {
     destroy(): Promise<void>;
 }
 
-/**
- * Hono Implementation of IHttpServer
- */
-declare class HonoHttpServer implements IHttpServer {
-    private port;
-    private staticRoot?;
-    private app;
-    private server;
-    private listeningPort;
-    constructor(port?: number, staticRoot?: string | undefined);
-    private wrap;
-    get(path: string, handler: RouteHandler): void;
-    post(path: string, handler: RouteHandler): void;
-    put(path: string, handler: RouteHandler): void;
-    delete(path: string, handler: RouteHandler): void;
-    patch(path: string, handler: RouteHandler): void;
-    use(pathOrHandler: string | Middleware, handler?: Middleware): void;
-    /**
-     * Mount a sub-application or router
-     */
-    mount(path: string, subApp: Hono): void;
-    listen(port: number): Promise<void>;
-    private tryListen;
-    getPort(): number;
-    getRawApp(): Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
-    close(): Promise<void>;
-}
-
-export { HonoHttpServer, type HonoPluginOptions, HonoServerPlugin, type StaticMount };
+export { type HonoCorsOptions, HonoHttpServer, type HonoPluginOptions, HonoServerPlugin, type StaticMount };

package/dist/index.js

@@ -49,8 +49,8 @@ var import_node_server = require("@hono/node-server");
 var import_serve_static = require("@hono/node-server/serve-static");
 var HonoHttpServer = class {
   constructor(port = 3e3, staticRoot) {
-    this.port = port;
-    this.staticRoot = staticRoot;
+    __publicField(this, "port", port);
+    __publicField(this, "staticRoot", staticRoot);
     __publicField(this, "app");
     __publicField(this, "server");
     __publicField(this, "listeningPort");
@@ -229,9 +229,33 @@ var HonoHttpServer = class {
 };
 
 // src/hono-plugin.ts
+var import_cors = require("hono/cors");
 var import_serve_static2 = require("@hono/node-server/serve-static");
 var fs = __toESM(require("fs"));
 var path = __toESM(require("path"));
+function matchOriginPattern(origin, pattern) {
+  if (pattern === "*") return true;
+  if (pattern === origin) return true;
+  const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+  const regex = new RegExp(`^${regexPattern}$`);
+  return regex.test(origin);
+}
+function createOriginMatcher(patterns) {
+  let patternList;
+  if (typeof patterns === "string") {
+    patternList = patterns.includes(",") ? patterns.split(",").map((s) => s.trim()).filter(Boolean) : [patterns];
+  } else {
+    patternList = patterns;
+  }
+  return (requestOrigin) => {
+    for (const pattern of patternList) {
+      if (matchOriginPattern(requestOrigin, pattern)) {
+        return requestOrigin;
+      }
+    }
+    return null;
+  };
+}
 var HonoServerPlugin = class {
   constructor(options = {}) {
     __publicField(this, "name", "com.objectstack.server.hono");
@@ -250,6 +274,46 @@ var HonoServerPlugin = class {
       ctx.registerService("http.server", this.server);
       ctx.registerService("http-server", this.server);
       ctx.logger.debug("HTTP server service registered", { serviceName: "http.server" });
+      const corsDisabledByEnv = process.env.CORS_ENABLED === "false";
+      if (this.options.cors !== false && !corsDisabledByEnv) {
+        const corsOpts = typeof this.options.cors === "object" ? this.options.cors : {};
+        const enabled = corsOpts.enabled ?? true;
+        if (enabled) {
+          let configuredOrigin;
+          if (corsOpts.origins) {
+            configuredOrigin = corsOpts.origins;
+          } else if (process.env.CORS_ORIGIN) {
+            const envOrigin = process.env.CORS_ORIGIN.trim();
+            configuredOrigin = envOrigin.includes(",") ? envOrigin.split(",").map((s) => s.trim()) : envOrigin;
+          } else {
+            configuredOrigin = "*";
+          }
+          const credentials = corsOpts.credentials ?? process.env.CORS_CREDENTIALS !== "false";
+          const maxAge = corsOpts.maxAge ?? (process.env.CORS_MAX_AGE ? parseInt(process.env.CORS_MAX_AGE, 10) : 86400);
+          let origin;
+          const hasWildcard = (patterns) => {
+            const list = Array.isArray(patterns) ? patterns : [patterns];
+            return list.some((p) => p.includes("*"));
+          };
+          if (configuredOrigin === "*" && credentials) {
+            origin = (requestOrigin) => requestOrigin || "*";
+          } else if (hasWildcard(configuredOrigin)) {
+            origin = createOriginMatcher(configuredOrigin);
+          } else {
+            origin = configuredOrigin;
+          }
+          const rawApp = this.server.getRawApp();
+          rawApp.use("*", (0, import_cors.cors)({
+            origin,
+            allowMethods: corsOpts.methods || ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"],
+            allowHeaders: ["Content-Type", "Authorization", "X-Requested-With"],
+            exposeHeaders: [],
+            credentials,
+            maxAge
+          }));
+          ctx.logger.debug("CORS middleware enabled", { origin: configuredOrigin, credentials });
+        }
+      }
     });
     /**
      * Start phase - Configure static files and start listening
@@ -399,30 +463,34 @@ var HonoServerPlugin = class {
     rawApp.get("/.well-known/objectstack", (c) => c.redirect(`${prefix}/discovery`));
     rawApp.get(`${prefix}/discovery`, (c) => c.json({ data: discovery }));
     ctx.logger.info("Registered discovery endpoints", { prefix });
-    const getBroker = () => ctx.getKernel().broker;
+    const getObjectQL = () => ctx.getService("objectql");
     rawApp.post(`${prefix}/data/:object`, async (c) => {
-      const broker = getBroker();
-      if (!broker) return c.json({ error: "Broker not available" }, 500);
+      const ql = getObjectQL();
+      if (!ql) return c.json({ error: "Data service not available" }, 503);
       const object = c.req.param("object");
       const data = await c.req.json().catch(() => ({}));
-      const result = await broker.call("data.create", { object, data }, {});
-      return c.json(result);
+      const res = await ql.insert(object, data);
+      const record = { ...data, ...res };
+      return c.json({ object, id: record.id, record });
     });
     rawApp.get(`${prefix}/data/:object/:id`, async (c) => {
-      const broker = getBroker();
-      if (!broker) return c.json({ error: "Broker not available" }, 500);
+      const ql = getObjectQL();
+      if (!ql) return c.json({ error: "Data service not available" }, 503);
       const object = c.req.param("object");
       const id = c.req.param("id");
-      const result = await broker.call("data.get", { object, id }, {});
-      return result ? c.json(result) : c.json({ error: "Not found" }, 404);
+      let all = await ql.find(object);
+      if (!all) all = [];
+      const match = all.find((i) => i.id === id);
+      return match ? c.json({ object, id, record: match }) : c.json({ error: "Not found" }, 404);
     });
     rawApp.get(`${prefix}/data/:object`, async (c) => {
-      const broker = getBroker();
-      if (!broker) return c.json({ error: "Broker not available" }, 500);
+      const ql = getObjectQL();
+      if (!ql) return c.json({ error: "Data service not available" }, 503);
       const object = c.req.param("object");
-      const filters = c.req.query();
-      const result = await broker.call("data.find", { object, filters }, {});
-      return c.json(result);
+      let all = await ql.find(object);
+      if (!Array.isArray(all) && all && all.value) all = all.value;
+      if (!all) all = [];
+      return c.json({ object, records: all, total: all.length });
     });
     ctx.logger.debug("Registered standard CRUD data endpoints", { prefix });
   }