@objectstack/plugin-hono-server 4.0.4 → 4.0.5

package/README.md

@@ -100,6 +100,28 @@ kernel.use(new HonoServerPlugin({
 }));
 ```
 
+### Bearer token auth (`set-auth-token`)
+
+The CORS middleware always includes `set-auth-token` in `Access-Control-Expose-Headers`
+so that `@objectstack/plugin-auth`'s `bearer()` plugin can deliver rotated session
+tokens to cross-origin and mobile clients. `Authorization` is included in
+`Access-Control-Allow-Headers` by default so `Authorization: Bearer <token>`
+requests succeed preflight.
+
+You can contribute additional exposed / allowed headers — `exposeHeaders`
+entries you supply are **merged** with the `set-auth-token` default:
+
+```typescript
+kernel.use(new HonoServerPlugin({
+  cors: {
+    origins: ['https://app.example.com'],
+    credentials: true,
+    exposeHeaders: ['X-Request-Id'],           // in addition to set-auth-token
+    allowHeaders: ['Content-Type', 'Authorization', 'X-Tenant-Id'],
+  },
+}));
+```
+
 ## Architecture
 
 This plugin wraps `@objectstack/hono` to provide a turnkey HTTP server solution for the Runtime. It binds the standard `HttpDispatcher` to a Hono application and starts listening on the configured port.

package/dist/index.d.mts

@@ -8,6 +8,22 @@ interface HonoCorsOptions {
     enabled?: boolean;
     origins?: string | string[];
     methods?: string[];
+    /**
+     * Request headers allowed on preflight (`Access-Control-Allow-Headers`).
+     *
+     * Defaults to `['Content-Type', 'Authorization', 'X-Requested-With']`,
+     * which is sufficient for cookie and bearer-token auth.
+     */
+    allowHeaders?: string[];
+    /**
+     * Response headers exposed to JS (`Access-Control-Expose-Headers`).
+     *
+     * Defaults to `['set-auth-token']` so that better-auth's `bearer()` plugin
+     * can hand rotated session tokens to cross-origin clients. User-supplied
+     * values are merged with this default — `set-auth-token` is always
+     * exposed unless CORS is disabled entirely.
+     */
+    exposeHeaders?: string[];
     credentials?: boolean;
     maxAge?: number;
 }
@@ -81,6 +97,16 @@ interface HonoPluginOptions {
      */
     cors?: HonoCorsOptions | false;
 }
+/**
+ * Hono Server Plugin
+ *
+ * Provides HTTP server capabilities using Hono framework.
+ * Registers the IHttpServer service so other plugins can register routes.
+ *
+ * Route registration is handled by plugins:
+ * - `@objectstack/rest` → CRUD, metadata, discovery, UI, batch
+ * - `createDispatcherPlugin()` → auth, graphql, analytics, packages, etc.
+ */
 declare class HonoServerPlugin implements Plugin {
     name: string;
     type: string;
@@ -110,4 +136,65 @@ declare class HonoServerPlugin implements Plugin {
     destroy(): Promise<void>;
 }
 
-export { type HonoCorsOptions, HonoHttpServer, type HonoPluginOptions, HonoServerPlugin, type StaticMount };
+/**
+ * CORS origin pattern matching utilities.
+ *
+ * Supports the same wildcard syntax as better-auth's `trustedOrigins`:
+ * - `*`                         → matches any origin
+ * - `https://*.example.com`     → matches any subdomain
+ * - `http://localhost:*`        → matches any port
+ * - Comma-separated list of the above
+ *
+ * These helpers are shared between the Hono plugin's CORS middleware and
+ * consumers that need to apply CORS headers outside the Hono request
+ * pipeline (e.g., the Vercel serverless entrypoint's preflight
+ * short-circuit in `apps/objectos`). Keeping a single implementation
+ * ensures both paths stay consistent — divergence caused bug where
+ * wildcard `CORS_ORIGIN` values worked locally but produced browser
+ * CORS errors on Vercel.
+ */
+/**
+ * Returns true when the origin points to localhost (any port, http or https).
+ *
+ * Matches:
+ * - `http://localhost`
+ * - `http://localhost:3000`
+ * - `https://localhost:8443`
+ * - `http://127.0.0.1:5173`
+ * - `http://[::1]:3000`
+ */
+declare function isLocalhostOrigin(origin: string): boolean;
+/**
+ * Check if an origin matches a pattern with wildcards.
+ *
+ * Localhost origins (`http(s)://localhost:<any-port>`, `127.0.0.1`, `[::1]`)
+ * are **always allowed** regardless of the pattern — this removes the need to
+ * enumerate every development port in `CORS_ORIGIN`.
+ *
+ * @param origin The origin to check (e.g., `https://app.example.com`)
+ * @param pattern The pattern to match against (supports `*` wildcard)
+ * @returns true if origin matches the pattern
+ */
+declare function matchOriginPattern(origin: string, pattern: string): boolean;
+/**
+ * Normalize a single string / comma-separated string / array into a
+ * trimmed array of non-empty patterns.
+ */
+declare function normalizeOriginPatterns(patterns: string | string[]): string[];
+/**
+ * Create a CORS origin matcher function that supports wildcard patterns.
+ *
+ * The returned function follows Hono's `cors({ origin })` contract:
+ * given the request's `Origin` header, it returns the origin to echo
+ * back in `Access-Control-Allow-Origin`, or `null` if the origin is not
+ * allowed.
+ *
+ * @param patterns Single pattern, array of patterns, or comma-separated patterns
+ */
+declare function createOriginMatcher(patterns: string | string[]): (origin: string) => string | null;
+/**
+ * True if any pattern in the given list contains a `*` wildcard.
+ */
+declare function hasWildcardPattern(patterns: string | string[]): boolean;
+
+export { type HonoCorsOptions, HonoHttpServer, type HonoPluginOptions, HonoServerPlugin, type StaticMount, createOriginMatcher, hasWildcardPattern, isLocalhostOrigin, matchOriginPattern, normalizeOriginPatterns };

package/dist/index.d.ts

@@ -8,6 +8,22 @@ interface HonoCorsOptions {
     enabled?: boolean;
     origins?: string | string[];
     methods?: string[];
+    /**
+     * Request headers allowed on preflight (`Access-Control-Allow-Headers`).
+     *
+     * Defaults to `['Content-Type', 'Authorization', 'X-Requested-With']`,
+     * which is sufficient for cookie and bearer-token auth.
+     */
+    allowHeaders?: string[];
+    /**
+     * Response headers exposed to JS (`Access-Control-Expose-Headers`).
+     *
+     * Defaults to `['set-auth-token']` so that better-auth's `bearer()` plugin
+     * can hand rotated session tokens to cross-origin clients. User-supplied
+     * values are merged with this default — `set-auth-token` is always
+     * exposed unless CORS is disabled entirely.
+     */
+    exposeHeaders?: string[];
     credentials?: boolean;
     maxAge?: number;
 }
@@ -81,6 +97,16 @@ interface HonoPluginOptions {
      */
     cors?: HonoCorsOptions | false;
 }
+/**
+ * Hono Server Plugin
+ *
+ * Provides HTTP server capabilities using Hono framework.
+ * Registers the IHttpServer service so other plugins can register routes.
+ *
+ * Route registration is handled by plugins:
+ * - `@objectstack/rest` → CRUD, metadata, discovery, UI, batch
+ * - `createDispatcherPlugin()` → auth, graphql, analytics, packages, etc.
+ */
 declare class HonoServerPlugin implements Plugin {
     name: string;
     type: string;
@@ -110,4 +136,65 @@ declare class HonoServerPlugin implements Plugin {
     destroy(): Promise<void>;
 }
 
-export { type HonoCorsOptions, HonoHttpServer, type HonoPluginOptions, HonoServerPlugin, type StaticMount };
+/**
+ * CORS origin pattern matching utilities.
+ *
+ * Supports the same wildcard syntax as better-auth's `trustedOrigins`:
+ * - `*`                         → matches any origin
+ * - `https://*.example.com`     → matches any subdomain
+ * - `http://localhost:*`        → matches any port
+ * - Comma-separated list of the above
+ *
+ * These helpers are shared between the Hono plugin's CORS middleware and
+ * consumers that need to apply CORS headers outside the Hono request
+ * pipeline (e.g., the Vercel serverless entrypoint's preflight
+ * short-circuit in `apps/objectos`). Keeping a single implementation
+ * ensures both paths stay consistent — divergence caused bug where
+ * wildcard `CORS_ORIGIN` values worked locally but produced browser
+ * CORS errors on Vercel.
+ */
+/**
+ * Returns true when the origin points to localhost (any port, http or https).
+ *
+ * Matches:
+ * - `http://localhost`
+ * - `http://localhost:3000`
+ * - `https://localhost:8443`
+ * - `http://127.0.0.1:5173`
+ * - `http://[::1]:3000`
+ */
+declare function isLocalhostOrigin(origin: string): boolean;
+/**
+ * Check if an origin matches a pattern with wildcards.
+ *
+ * Localhost origins (`http(s)://localhost:<any-port>`, `127.0.0.1`, `[::1]`)
+ * are **always allowed** regardless of the pattern — this removes the need to
+ * enumerate every development port in `CORS_ORIGIN`.
+ *
+ * @param origin The origin to check (e.g., `https://app.example.com`)
+ * @param pattern The pattern to match against (supports `*` wildcard)
+ * @returns true if origin matches the pattern
+ */
+declare function matchOriginPattern(origin: string, pattern: string): boolean;
+/**
+ * Normalize a single string / comma-separated string / array into a
+ * trimmed array of non-empty patterns.
+ */
+declare function normalizeOriginPatterns(patterns: string | string[]): string[];
+/**
+ * Create a CORS origin matcher function that supports wildcard patterns.
+ *
+ * The returned function follows Hono's `cors({ origin })` contract:
+ * given the request's `Origin` header, it returns the origin to echo
+ * back in `Access-Control-Allow-Origin`, or `null` if the origin is not
+ * allowed.
+ *
+ * @param patterns Single pattern, array of patterns, or comma-separated patterns
+ */
+declare function createOriginMatcher(patterns: string | string[]): (origin: string) => string | null;
+/**
+ * True if any pattern in the given list contains a `*` wildcard.
+ */
+declare function hasWildcardPattern(patterns: string | string[]): boolean;
+
+export { type HonoCorsOptions, HonoHttpServer, type HonoPluginOptions, HonoServerPlugin, type StaticMount, createOriginMatcher, hasWildcardPattern, isLocalhostOrigin, matchOriginPattern, normalizeOriginPatterns };

package/dist/index.js

@@ -34,7 +34,12 @@ var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "sy
 var index_exports = {};
 __export(index_exports, {
   HonoHttpServer: () => HonoHttpServer,
-  HonoServerPlugin: () => HonoServerPlugin
+  HonoServerPlugin: () => HonoServerPlugin,
+  createOriginMatcher: () => createOriginMatcher,
+  hasWildcardPattern: () => hasWildcardPattern,
+  isLocalhostOrigin: () => isLocalhostOrigin,
+  matchOriginPattern: () => matchOriginPattern,
+  normalizeOriginPatterns: () => normalizeOriginPatterns
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -60,7 +65,9 @@ var HonoHttpServer = class {
   wrap(handler) {
     return async (c) => {
       let body = {};
-      if (c.req.header("content-type")?.includes("application/json")) {
+      const contentType = c.req.header("content-type") ?? "";
+      const isOctetStream = contentType.includes("application/octet-stream");
+      if (contentType.includes("application/json")) {
         try {
           body = await c.req.json();
         } catch (e) {
@@ -69,19 +76,31 @@ var HonoHttpServer = class {
           } catch (e2) {
           }
         }
-      } else {
+      } else if (!isOctetStream) {
         try {
           body = await c.req.parseBody();
         } catch (e) {
         }
       }
+      const rawHeaders = c.req.header();
+      if (!rawHeaders.host) {
+        try {
+          const u = new URL(c.req.url);
+          if (u.host) rawHeaders.host = u.host;
+        } catch {
+        }
+      }
       const req = {
         params: c.req.param(),
         query: c.req.query(),
         body,
-        headers: c.req.header(),
+        headers: rawHeaders,
         method: c.req.method,
-        path: c.req.path
+        path: c.req.path,
+        rawBody: async () => {
+          const ab = await c.req.arrayBuffer();
+          return Buffer.from(ab);
+        }
       };
       let capturedResponse;
       let streamController = null;
@@ -136,13 +155,13 @@ var HonoHttpServer = class {
             streamController?.close();
             resolve2(null);
           }
-        }).catch(() => {
+        }).catch((err) => {
           streamController?.close();
           resolve2(null);
         });
       });
       const streamResponse = await streamPromise;
-      return streamResponse ?? capturedResponse;
+      return streamResponse ?? capturedResponse ?? c.json({ error: "No response from handler" }, 500);
     };
   }
   get(path2, handler) {
@@ -163,11 +182,23 @@ var HonoHttpServer = class {
   use(pathOrHandler, handler) {
     if (typeof pathOrHandler === "string" && handler) {
       this.app.use(pathOrHandler, async (c, next) => {
-        await handler({}, {}, next);
+        let nextCalled = false;
+        const wrappedNext = () => {
+          nextCalled = true;
+          return next();
+        };
+        await handler({}, {}, wrappedNext);
+        if (!nextCalled) await next();
       });
     } else if (typeof pathOrHandler === "function") {
       this.app.use("*", async (c, next) => {
-        await pathOrHandler({}, {}, next);
+        let nextCalled = false;
+        const wrappedNext = () => {
+          nextCalled = true;
+          return next();
+        };
+        await pathOrHandler({}, {}, wrappedNext);
+        if (!nextCalled) await next();
       });
     }
   }
@@ -222,9 +253,13 @@ var HonoHttpServer = class {
     return this.app;
   }
   async close() {
-    if (this.server && typeof this.server.close === "function") {
-      this.server.close();
+    if (!this.server) return;
+    if (typeof this.server.closeAllConnections === "function") {
+      this.server.closeAllConnections();
     }
+    await new Promise((resolve2, reject) => {
+      this.server.close((err) => err ? reject(err) : resolve2());
+    });
   }
 };
 
@@ -233,21 +268,29 @@ var import_cors = require("hono/cors");
 var import_serve_static2 = require("@hono/node-server/serve-static");
 var fs = __toESM(require("fs"));
 var path = __toESM(require("path"));
+
+// src/pattern-matcher.ts
+function isLocalhostOrigin(origin) {
+  return /^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/.test(origin);
+}
 function matchOriginPattern(origin, pattern) {
+  if (isLocalhostOrigin(origin)) return true;
   if (pattern === "*") return true;
   if (pattern === origin) return true;
   const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
   const regex = new RegExp(`^${regexPattern}$`);
   return regex.test(origin);
 }
-function createOriginMatcher(patterns) {
-  let patternList;
-  if (typeof patterns === "string") {
-    patternList = patterns.includes(",") ? patterns.split(",").map((s) => s.trim()).filter(Boolean) : [patterns];
-  } else {
-    patternList = patterns;
+function normalizeOriginPatterns(patterns) {
+  if (Array.isArray(patterns)) {
+    return patterns.map((p) => p.trim()).filter(Boolean);
   }
+  return patterns.includes(",") ? patterns.split(",").map((s) => s.trim()).filter(Boolean) : [patterns.trim()].filter(Boolean);
+}
+function createOriginMatcher(patterns) {
+  const patternList = normalizeOriginPatterns(patterns);
   return (requestOrigin) => {
+    if (!requestOrigin) return null;
     for (const pattern of patternList) {
       if (matchOriginPattern(requestOrigin, pattern)) {
         return requestOrigin;
@@ -256,6 +299,12 @@ function createOriginMatcher(patterns) {
     return null;
   };
 }
+function hasWildcardPattern(patterns) {
+  const list = Array.isArray(patterns) ? patterns : [patterns];
+  return list.some((p) => p.includes("*"));
+}
+
+// src/hono-plugin.ts
 var HonoServerPlugin = class {
   constructor(options = {}) {
     __publicField(this, "name", "com.objectstack.server.hono");
@@ -291,23 +340,27 @@ var HonoServerPlugin = class {
           const credentials = corsOpts.credentials ?? process.env.CORS_CREDENTIALS !== "false";
           const maxAge = corsOpts.maxAge ?? (process.env.CORS_MAX_AGE ? parseInt(process.env.CORS_MAX_AGE, 10) : 86400);
           let origin;
-          const hasWildcard = (patterns) => {
-            const list = Array.isArray(patterns) ? patterns : [patterns];
-            return list.some((p) => p.includes("*"));
-          };
           if (configuredOrigin === "*" && credentials) {
             origin = (requestOrigin) => requestOrigin || "*";
-          } else if (hasWildcard(configuredOrigin)) {
+          } else if (hasWildcardPattern(configuredOrigin)) {
             origin = createOriginMatcher(configuredOrigin);
           } else {
-            origin = configuredOrigin;
+            const matcher = createOriginMatcher(configuredOrigin);
+            origin = (requestOrigin) => matcher(requestOrigin);
           }
           const rawApp = this.server.getRawApp();
+          const defaultAllowHeaders = ["Content-Type", "Authorization", "X-Requested-With", "X-Tenant-ID", "X-Project-Id"];
+          const defaultExposeHeaders = ["set-auth-token"];
+          const allowHeaders = corsOpts.allowHeaders ?? defaultAllowHeaders;
+          const exposeHeaders = Array.from(/* @__PURE__ */ new Set([
+            ...defaultExposeHeaders,
+            ...corsOpts.exposeHeaders ?? []
+          ]));
           rawApp.use("*", (0, import_cors.cors)({
             origin,
             allowMethods: corsOpts.methods || ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"],
-            allowHeaders: ["Content-Type", "Authorization", "X-Requested-With"],
-            exposeHeaders: [],
+            allowHeaders,
+            exposeHeaders,
             credentials,
             maxAge
           }));
@@ -408,6 +461,10 @@ var HonoServerPlugin = class {
           });
         }
       }
+      const rawAppForNotFound = this.server.getRawApp();
+      if (typeof rawAppForNotFound.notFound === "function") {
+        rawAppForNotFound.notFound((c) => c.json({ error: "Not found" }, 404));
+      }
       ctx.hook("kernel:ready", async () => {
         if (this.options.registerStandardEndpoints) {
           this.registerDiscoveryAndCrudEndpoints(ctx);
@@ -464,33 +521,124 @@ var HonoServerPlugin = class {
     rawApp.get(`${prefix}/discovery`, (c) => c.json({ data: discovery }));
     ctx.logger.info("Registered discovery endpoints", { prefix });
     const getObjectQL = () => ctx.getService("objectql");
+    const resolveCtx = async (c) => {
+      try {
+        const authService = ctx.getService("auth");
+        if (!authService) return void 0;
+        let api = authService.api;
+        if (!api && typeof authService.getApi === "function") {
+          api = await authService.getApi();
+        }
+        if (!api?.getSession) return void 0;
+        const session = await api.getSession({ headers: c.req.raw.headers });
+        if (!session?.user?.id) return void 0;
+        const userId = session.user.id;
+        const tenantId = session.session?.activeOrganizationId ?? void 0;
+        const permissions = [];
+        const roles = [];
+        try {
+          const ql = getObjectQL();
+          const sysCtx = { context: { isSystem: true } };
+          const memberRows = await ql?.find?.(
+            "sys_member",
+            {
+              where: tenantId ? { user_id: userId, organization_id: tenantId } : { user_id: userId },
+              limit: 50,
+              ...sysCtx
+            }
+          ).catch(() => []);
+          for (const m of memberRows ?? []) {
+            if (typeof m.role === "string") {
+              for (const r of m.role.split(",").map((s) => s.trim()).filter(Boolean)) {
+                if (!roles.includes(r)) roles.push(r);
+              }
+            }
+          }
+          const upsRows = await ql?.find?.(
+            "sys_user_permission_set",
+            { where: { user_id: userId }, limit: 100, ...sysCtx }
+          ).catch(() => []);
+          const psIds = /* @__PURE__ */ new Set();
+          for (const r of upsRows ?? []) {
+            const orgScope = r.organization_id ?? null;
+            if (!orgScope || tenantId && orgScope === tenantId) {
+              const pid = r.permission_set_id ?? r.permissionSetId;
+              if (pid) psIds.add(pid);
+            }
+          }
+          if (psIds.size > 0) {
+            const psRows = await ql?.find?.(
+              "sys_permission_set",
+              { where: { id: { $in: Array.from(psIds) } }, limit: 500, ...sysCtx }
+            ).catch(() => []);
+            for (const ps of psRows ?? []) {
+              if (ps.name && !permissions.includes(ps.name)) permissions.push(ps.name);
+            }
+          }
+        } catch {
+        }
+        return {
+          userId,
+          tenantId,
+          roles,
+          permissions,
+          isSystem: false
+        };
+      } catch {
+        return void 0;
+      }
+    };
     rawApp.post(`${prefix}/data/:object`, async (c) => {
       const ql = getObjectQL();
       if (!ql) return c.json({ error: "Data service not available" }, 503);
       const object = c.req.param("object");
       const data = await c.req.json().catch(() => ({}));
-      const res = await ql.insert(object, data);
-      const record = { ...data, ...res };
-      return c.json({ object, id: record.id, record });
+      const execCtx = await resolveCtx(c);
+      try {
+        const res = await ql.insert(object, data, { context: execCtx });
+        const record = { ...data, ...res };
+        return c.json({ object, id: record.id, record });
+      } catch (err) {
+        if (err?.code === "PERMISSION_DENIED" || err?.name === "PermissionDeniedError") {
+          return c.json({ error: err.message ?? "Forbidden" }, 403);
+        }
+        throw err;
+      }
     });
     rawApp.get(`${prefix}/data/:object/:id`, async (c) => {
       const ql = getObjectQL();
       if (!ql) return c.json({ error: "Data service not available" }, 503);
       const object = c.req.param("object");
       const id = c.req.param("id");
-      let all = await ql.find(object);
-      if (!all) all = [];
-      const match = all.find((i) => i.id === id);
-      return match ? c.json({ object, id, record: match }) : c.json({ error: "Not found" }, 404);
+      const execCtx = await resolveCtx(c);
+      try {
+        let all = await ql.find(object, { context: execCtx });
+        if (!all) all = [];
+        const match = all.find((i) => i.id === id);
+        return match ? c.json({ object, id, record: match }) : c.json({ error: "Not found" }, 404);
+      } catch (err) {
+        if (err?.code === "PERMISSION_DENIED" || err?.name === "PermissionDeniedError") {
+          return c.json({ error: err.message ?? "Forbidden" }, 403);
+        }
+        throw err;
+      }
     });
     rawApp.get(`${prefix}/data/:object`, async (c) => {
       const ql = getObjectQL();
       if (!ql) return c.json({ error: "Data service not available" }, 503);
       const object = c.req.param("object");
-      let all = await ql.find(object);
-      if (!Array.isArray(all) && all && all.value) all = all.value;
-      if (!all) all = [];
-      return c.json({ object, records: all, total: all.length });
+      const execCtx = await resolveCtx(c);
+      try {
+        let all = await ql.find(object, { context: execCtx });
+        if (!Array.isArray(all) && all && all.value) all = all.value;
+        if (!all) all = [];
+        return c.json({ object, records: all, total: all.length });
+      } catch (err) {
+        if (err?.code === "PERMISSION_DENIED" || err?.name === "PermissionDeniedError") {
+          return c.json({ error: err.message ?? "Forbidden" }, 403);
+        }
+        throw err;
+      }
     });
     ctx.logger.debug("Registered standard CRUD data endpoints", { prefix });
   }
@@ -512,6 +660,11 @@ __reExport(index_exports, adapter_exports, module.exports);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   HonoHttpServer,
-  HonoServerPlugin
+  HonoServerPlugin,
+  createOriginMatcher,
+  hasWildcardPattern,
+  isLocalhostOrigin,
+  matchOriginPattern,
+  normalizeOriginPatterns
 });
 //# sourceMappingURL=index.js.map