@objectstack/plugin-hono-server 4.0.4 → 4.1.0

package/dist/index.mjs

@@ -22,7 +22,12 @@ var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "sy
 var index_exports = {};
 __export(index_exports, {
   HonoHttpServer: () => HonoHttpServer,
-  HonoServerPlugin: () => HonoServerPlugin
+  HonoServerPlugin: () => HonoServerPlugin,
+  createOriginMatcher: () => createOriginMatcher,
+  hasWildcardPattern: () => hasWildcardPattern,
+  isLocalhostOrigin: () => isLocalhostOrigin,
+  matchOriginPattern: () => matchOriginPattern,
+  normalizeOriginPatterns: () => normalizeOriginPatterns
 });
 
 // src/adapter.ts
@@ -48,7 +53,9 @@ var HonoHttpServer = class {
   wrap(handler) {
     return async (c) => {
       let body = {};
-      if (c.req.header("content-type")?.includes("application/json")) {
+      const contentType = c.req.header("content-type") ?? "";
+      const isOctetStream = contentType.includes("application/octet-stream");
+      if (contentType.includes("application/json")) {
         try {
           body = await c.req.json();
         } catch (e) {
@@ -57,19 +64,31 @@ var HonoHttpServer = class {
           } catch (e2) {
           }
         }
-      } else {
+      } else if (!isOctetStream) {
         try {
           body = await c.req.parseBody();
         } catch (e) {
         }
       }
+      const rawHeaders = c.req.header();
+      if (!rawHeaders.host) {
+        try {
+          const u = new URL(c.req.url);
+          if (u.host) rawHeaders.host = u.host;
+        } catch {
+        }
+      }
       const req = {
         params: c.req.param(),
         query: c.req.query(),
         body,
-        headers: c.req.header(),
+        headers: rawHeaders,
         method: c.req.method,
-        path: c.req.path
+        path: c.req.path,
+        rawBody: async () => {
+          const ab = await c.req.arrayBuffer();
+          return Buffer.from(ab);
+        }
       };
       let capturedResponse;
       let streamController = null;
@@ -124,13 +143,13 @@ var HonoHttpServer = class {
             streamController?.close();
             resolve2(null);
           }
-        }).catch(() => {
+        }).catch((err) => {
           streamController?.close();
           resolve2(null);
         });
       });
       const streamResponse = await streamPromise;
-      return streamResponse ?? capturedResponse;
+      return streamResponse ?? capturedResponse ?? c.json({ error: "No response from handler" }, 500);
     };
   }
   get(path2, handler) {
@@ -151,11 +170,23 @@ var HonoHttpServer = class {
   use(pathOrHandler, handler) {
     if (typeof pathOrHandler === "string" && handler) {
       this.app.use(pathOrHandler, async (c, next) => {
-        await handler({}, {}, next);
+        let nextCalled = false;
+        const wrappedNext = () => {
+          nextCalled = true;
+          return next();
+        };
+        await handler({}, {}, wrappedNext);
+        if (!nextCalled) await next();
       });
     } else if (typeof pathOrHandler === "function") {
       this.app.use("*", async (c, next) => {
-        await pathOrHandler({}, {}, next);
+        let nextCalled = false;
+        const wrappedNext = () => {
+          nextCalled = true;
+          return next();
+        };
+        await pathOrHandler({}, {}, wrappedNext);
+        if (!nextCalled) await next();
       });
     }
   }
@@ -210,9 +241,13 @@ var HonoHttpServer = class {
     return this.app;
   }
   async close() {
-    if (this.server && typeof this.server.close === "function") {
-      this.server.close();
+    if (!this.server) return;
+    if (typeof this.server.closeAllConnections === "function") {
+      this.server.closeAllConnections();
     }
+    await new Promise((resolve2, reject) => {
+      this.server.close((err) => err ? reject(err) : resolve2());
+    });
   }
 };
 
@@ -221,21 +256,29 @@ import { cors } from "hono/cors";
 import { serveStatic as serveStatic2 } from "@hono/node-server/serve-static";
 import * as fs from "fs";
 import * as path from "path";
+
+// src/pattern-matcher.ts
+function isLocalhostOrigin(origin) {
+  return /^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/.test(origin);
+}
 function matchOriginPattern(origin, pattern) {
+  if (isLocalhostOrigin(origin)) return true;
   if (pattern === "*") return true;
   if (pattern === origin) return true;
   const regexPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
   const regex = new RegExp(`^${regexPattern}$`);
   return regex.test(origin);
 }
-function createOriginMatcher(patterns) {
-  let patternList;
-  if (typeof patterns === "string") {
-    patternList = patterns.includes(",") ? patterns.split(",").map((s) => s.trim()).filter(Boolean) : [patterns];
-  } else {
-    patternList = patterns;
+function normalizeOriginPatterns(patterns) {
+  if (Array.isArray(patterns)) {
+    return patterns.map((p) => p.trim()).filter(Boolean);
   }
+  return patterns.includes(",") ? patterns.split(",").map((s) => s.trim()).filter(Boolean) : [patterns.trim()].filter(Boolean);
+}
+function createOriginMatcher(patterns) {
+  const patternList = normalizeOriginPatterns(patterns);
   return (requestOrigin) => {
+    if (!requestOrigin) return null;
     for (const pattern of patternList) {
       if (matchOriginPattern(requestOrigin, pattern)) {
         return requestOrigin;
@@ -244,6 +287,12 @@ function createOriginMatcher(patterns) {
     return null;
   };
 }
+function hasWildcardPattern(patterns) {
+  const list = Array.isArray(patterns) ? patterns : [patterns];
+  return list.some((p) => p.includes("*"));
+}
+
+// src/hono-plugin.ts
 var HonoServerPlugin = class {
   constructor(options = {}) {
     __publicField(this, "name", "com.objectstack.server.hono");
@@ -279,23 +328,27 @@ var HonoServerPlugin = class {
           const credentials = corsOpts.credentials ?? process.env.CORS_CREDENTIALS !== "false";
           const maxAge = corsOpts.maxAge ?? (process.env.CORS_MAX_AGE ? parseInt(process.env.CORS_MAX_AGE, 10) : 86400);
           let origin;
-          const hasWildcard = (patterns) => {
-            const list = Array.isArray(patterns) ? patterns : [patterns];
-            return list.some((p) => p.includes("*"));
-          };
           if (configuredOrigin === "*" && credentials) {
             origin = (requestOrigin) => requestOrigin || "*";
-          } else if (hasWildcard(configuredOrigin)) {
+          } else if (hasWildcardPattern(configuredOrigin)) {
             origin = createOriginMatcher(configuredOrigin);
           } else {
-            origin = configuredOrigin;
+            const matcher = createOriginMatcher(configuredOrigin);
+            origin = (requestOrigin) => matcher(requestOrigin);
           }
           const rawApp = this.server.getRawApp();
+          const defaultAllowHeaders = ["Content-Type", "Authorization", "X-Requested-With", "X-Tenant-ID", "X-Project-Id"];
+          const defaultExposeHeaders = ["set-auth-token"];
+          const allowHeaders = corsOpts.allowHeaders ?? defaultAllowHeaders;
+          const exposeHeaders = Array.from(/* @__PURE__ */ new Set([
+            ...defaultExposeHeaders,
+            ...corsOpts.exposeHeaders ?? []
+          ]));
           rawApp.use("*", cors({
             origin,
             allowMethods: corsOpts.methods || ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"],
-            allowHeaders: ["Content-Type", "Authorization", "X-Requested-With"],
-            exposeHeaders: [],
+            allowHeaders,
+            exposeHeaders,
             credentials,
             maxAge
           }));
@@ -396,10 +449,16 @@ var HonoServerPlugin = class {
           });
         }
       }
-      ctx.hook("kernel:ready", async () => {
-        if (this.options.registerStandardEndpoints) {
+      const rawAppForNotFound = this.server.getRawApp();
+      if (typeof rawAppForNotFound.notFound === "function") {
+        rawAppForNotFound.notFound((c) => c.json({ error: "Not found" }, 404));
+      }
+      if (this.options.registerStandardEndpoints) {
+        ctx.hook("kernel:ready", async () => {
           this.registerDiscoveryAndCrudEndpoints(ctx);
-        }
+        });
+      }
+      ctx.hook("kernel:listening", async () => {
         const port = this.options.port ?? 3e3;
         ctx.logger.debug("Starting HTTP server", { port });
         await this.server.listen(port);
@@ -452,33 +511,228 @@ var HonoServerPlugin = class {
     rawApp.get(`${prefix}/discovery`, (c) => c.json({ data: discovery }));
     ctx.logger.info("Registered discovery endpoints", { prefix });
     const getObjectQL = () => ctx.getService("objectql");
+    const resolveCtx = async (c) => {
+      try {
+        const authService = ctx.getService("auth");
+        if (!authService) return void 0;
+        let api = authService.api;
+        if (!api && typeof authService.getApi === "function") {
+          api = await authService.getApi();
+        }
+        if (!api?.getSession) return void 0;
+        const session = await api.getSession({ headers: c.req.raw.headers });
+        if (!session?.user?.id) return void 0;
+        const userId = session.user.id;
+        const tenantId = session.session?.activeOrganizationId ?? void 0;
+        const permissions = [];
+        const roles = [];
+        try {
+          const ql = getObjectQL();
+          const sysCtx = { context: { isSystem: true } };
+          const memberRows = await ql?.find?.(
+            "sys_member",
+            {
+              where: tenantId ? { user_id: userId, organization_id: tenantId } : { user_id: userId },
+              limit: 50,
+              ...sysCtx
+            }
+          ).catch(() => []);
+          for (const m of memberRows ?? []) {
+            if (typeof m.role === "string") {
+              for (const r of m.role.split(",").map((s) => s.trim()).filter(Boolean)) {
+                if (!roles.includes(r)) roles.push(r);
+              }
+            }
+          }
+          const upsRows = await ql?.find?.(
+            "sys_user_permission_set",
+            { where: { user_id: userId }, limit: 100, ...sysCtx }
+          ).catch(() => []);
+          const psIds = /* @__PURE__ */ new Set();
+          for (const r of upsRows ?? []) {
+            const orgScope = r.organization_id ?? null;
+            if (!orgScope || tenantId && orgScope === tenantId) {
+              const pid = r.permission_set_id ?? r.permissionSetId;
+              if (pid) psIds.add(pid);
+            }
+          }
+          if (psIds.size > 0) {
+            const psRows = await ql?.find?.(
+              "sys_permission_set",
+              { where: { id: { $in: Array.from(psIds) } }, limit: 500, ...sysCtx }
+            ).catch(() => []);
+            for (const ps of psRows ?? []) {
+              if (ps.name && !permissions.includes(ps.name)) permissions.push(ps.name);
+            }
+          }
+        } catch {
+        }
+        return {
+          userId,
+          tenantId,
+          roles,
+          permissions,
+          isSystem: false
+        };
+      } catch {
+        return void 0;
+      }
+    };
     rawApp.post(`${prefix}/data/:object`, async (c) => {
       const ql = getObjectQL();
       if (!ql) return c.json({ error: "Data service not available" }, 503);
       const object = c.req.param("object");
       const data = await c.req.json().catch(() => ({}));
-      const res = await ql.insert(object, data);
-      const record = { ...data, ...res };
-      return c.json({ object, id: record.id, record });
+      const execCtx = await resolveCtx(c);
+      try {
+        const res = await ql.insert(object, data, { context: execCtx });
+        const record = { ...data, ...res };
+        return c.json({ object, id: record.id, record });
+      } catch (err) {
+        if (err?.code === "PERMISSION_DENIED" || err?.name === "PermissionDeniedError") {
+          return c.json({ error: err.message ?? "Forbidden" }, 403);
+        }
+        throw err;
+      }
     });
     rawApp.get(`${prefix}/data/:object/:id`, async (c) => {
       const ql = getObjectQL();
       if (!ql) return c.json({ error: "Data service not available" }, 503);
       const object = c.req.param("object");
       const id = c.req.param("id");
-      let all = await ql.find(object);
-      if (!all) all = [];
-      const match = all.find((i) => i.id === id);
-      return match ? c.json({ object, id, record: match }) : c.json({ error: "Not found" }, 404);
+      const execCtx = await resolveCtx(c);
+      try {
+        let all = await ql.find(object, { context: execCtx });
+        if (!all) all = [];
+        const match = all.find((i) => i.id === id);
+        return match ? c.json({ object, id, record: match }) : c.json({ error: "Not found" }, 404);
+      } catch (err) {
+        if (err?.code === "PERMISSION_DENIED" || err?.name === "PermissionDeniedError") {
+          return c.json({ error: err.message ?? "Forbidden" }, 403);
+        }
+        throw err;
+      }
     });
     rawApp.get(`${prefix}/data/:object`, async (c) => {
       const ql = getObjectQL();
       if (!ql) return c.json({ error: "Data service not available" }, 503);
       const object = c.req.param("object");
-      let all = await ql.find(object);
-      if (!Array.isArray(all) && all && all.value) all = all.value;
-      if (!all) all = [];
-      return c.json({ object, records: all, total: all.length });
+      const execCtx = await resolveCtx(c);
+      try {
+        let all = await ql.find(object, { context: execCtx });
+        if (!Array.isArray(all) && all && all.value) all = all.value;
+        if (!all) all = [];
+        return c.json({ object, records: all, total: all.length });
+      } catch (err) {
+        if (err?.code === "PERMISSION_DENIED" || err?.name === "PermissionDeniedError") {
+          return c.json({ error: err.message ?? "Forbidden" }, 403);
+        }
+        throw err;
+      }
+    });
+    rawApp.get(`${prefix}/auth/me/permissions`, async (c) => {
+      const execCtx = await resolveCtx(c);
+      if (!execCtx?.userId) {
+        return c.json({ authenticated: false });
+      }
+      try {
+        const metadata = ctx.getService("metadata");
+        const evaluator = ctx.getService("security.permissions");
+        const bootstrap = (() => {
+          try {
+            return ctx.getService("security.bootstrapPermissionSets") ?? [];
+          } catch {
+            return [];
+          }
+        })();
+        const fallbackName = (() => {
+          try {
+            return ctx.getService("security.fallbackPermissionSet") ?? "member_default";
+          } catch {
+            return "member_default";
+          }
+        })();
+        const ql = (() => {
+          try {
+            return ctx.getService("objectql");
+          } catch {
+            return null;
+          }
+        })();
+        const dbLoader = ql ? async (names) => {
+          let rows;
+          try {
+            rows = await ql.find(
+              "sys_permission_set",
+              { where: { name: { $in: names } }, limit: names.length },
+              { context: { isSystem: true } }
+            );
+          } catch {
+            rows = [];
+          }
+          const list = Array.isArray(rows) ? rows : rows?.records ?? [];
+          return list.map((r) => ({
+            name: r.name,
+            label: r.label,
+            objects: typeof r.object_permissions === "string" ? JSON.parse(r.object_permissions || "{}") : r.object_permissions ?? {},
+            fields: typeof r.field_permissions === "string" ? JSON.parse(r.field_permissions || "{}") : r.field_permissions ?? {}
+          }));
+        } : void 0;
+        if (!evaluator || !metadata) {
+          return c.json({
+            authenticated: true,
+            userId: execCtx.userId,
+            tenantId: execCtx.tenantId ?? null,
+            roles: execCtx.roles ?? [],
+            permissionSets: execCtx.permissions ?? [],
+            objects: {},
+            fields: {}
+          });
+        }
+        const requested = [
+          ...execCtx.roles ?? [],
+          ...execCtx.permissions ?? []
+        ];
+        let resolved = await evaluator.resolvePermissionSets(requested, metadata, bootstrap, dbLoader).catch(() => []);
+        if (resolved.length === 0 && fallbackName) {
+          resolved = await evaluator.resolvePermissionSets([fallbackName], metadata, bootstrap, dbLoader).catch(() => []);
+        }
+        const objects = {};
+        const fields = {};
+        for (const ps of resolved) {
+          if (ps?.objects) {
+            for (const [obj, perm] of Object.entries(ps.objects)) {
+              const acc = objects[obj] ?? {};
+              for (const [k, v] of Object.entries(perm)) {
+                if (v === true) acc[k] = true;
+                else if (acc[k] === void 0) acc[k] = v;
+              }
+              objects[obj] = acc;
+            }
+          }
+          if (ps?.fields) {
+            for (const [key, perm] of Object.entries(ps.fields)) {
+              const acc = fields[key] ?? { readable: false, editable: false };
+              const p = perm;
+              if (p.readable) acc.readable = true;
+              if (p.editable) acc.editable = true;
+              fields[key] = acc;
+            }
+          }
+        }
+        return c.json({
+          authenticated: true,
+          userId: execCtx.userId,
+          tenantId: execCtx.tenantId ?? null,
+          roles: execCtx.roles ?? [],
+          permissionSets: resolved.map((p) => p?.name).filter(Boolean),
+          objects,
+          fields
+        });
+      } catch (err) {
+        ctx.logger.warn("[hono] /auth/me/permissions failed", { err: err?.message });
+        return c.json({ authenticated: true, userId: execCtx.userId, objects: {}, fields: {} });
+      }
     });
     ctx.logger.debug("Registered standard CRUD data endpoints", { prefix });
   }
@@ -499,6 +753,11 @@ __publicField(HonoServerPlugin, "DISCOVERY_ENDPOINT_PRIORITY", 900);
 __reExport(index_exports, adapter_exports);
 export {
   HonoHttpServer,
-  HonoServerPlugin
+  HonoServerPlugin,
+  createOriginMatcher,
+  hasWildcardPattern,
+  isLocalhostOrigin,
+  matchOriginPattern,
+  normalizeOriginPatterns
 };
 //# sourceMappingURL=index.mjs.map