@pierre/storage 0.0.5 → 0.0.7

package/dist/index.js

@@ -1,16 +1,261 @@
 import { importPKCS8, SignJWT } from 'jose';
+import snakecaseKeys from 'snakecase-keys';
+
+// src/index.ts
+
+// src/fetch.ts
+var ApiFetcher = class {
+  constructor(API_BASE_URL2, version) {
+    this.API_BASE_URL = API_BASE_URL2;
+    this.version = version;
+    console.log("api fetcher created", API_BASE_URL2, version);
+  }
+  getBaseUrl() {
+    return `${this.API_BASE_URL}/api/v${this.version}`;
+  }
+  getRequestUrl(path) {
+    if (typeof path === "string") {
+      return `${this.getBaseUrl()}/${path}`;
+    } else if (path.params) {
+      const paramStr = new URLSearchParams(path.params).toString();
+      return `${this.getBaseUrl()}/${path.path}${paramStr ? `?${paramStr}` : ""}`;
+    } else {
+      return `${this.getBaseUrl()}/${path.path}`;
+    }
+  }
+  async fetch(path, method, jwt, options) {
+    const requestUrl = this.getRequestUrl(path);
+    const requestOptions = {
+      method,
+      headers: {
+        Authorization: `Bearer ${jwt}`,
+        "Content-Type": "application/json"
+      }
+    };
+    if (method !== "GET" && typeof path !== "string" && path.body) {
+      requestOptions.body = JSON.stringify(path.body);
+    }
+    const response = await fetch(requestUrl, requestOptions);
+    if (!response.ok) {
+      const allowed = options?.allowedStatus ?? [];
+      if (!allowed.includes(response.status)) {
+        throw new Error(`Failed to fetch ${method} ${requestUrl}: ${response.statusText}`);
+      }
+    }
+    return response;
+  }
+  async get(path, jwt, options) {
+    return this.fetch(path, "GET", jwt, options);
+  }
+  async post(path, jwt, options) {
+    return this.fetch(path, "POST", jwt, options);
+  }
+  async put(path, jwt, options) {
+    return this.fetch(path, "PUT", jwt, options);
+  }
+  async delete(path, jwt, options) {
+    return this.fetch(path, "DELETE", jwt, options);
+  }
+};
+
+// src/util.ts
+function timingSafeEqual(a, b) {
+  const bufferA = typeof a === "string" ? new TextEncoder().encode(a) : a;
+  const bufferB = typeof b === "string" ? new TextEncoder().encode(b) : b;
+  if (bufferA.length !== bufferB.length) return false;
+  let result = 0;
+  for (let i = 0; i < bufferA.length; i++) {
+    result |= bufferA[i] ^ bufferB[i];
+  }
+  return result === 0;
+}
+async function getEnvironmentCrypto() {
+  if (!globalThis.crypto) {
+    const { webcrypto } = await import('crypto');
+    return webcrypto;
+  }
+  return globalThis.crypto;
+}
+async function createHmac(algorithm, secret, data) {
+  if (!secret || secret.length === 0) {
+    throw new Error("Secret is required");
+  }
+  const crypto2 = await getEnvironmentCrypto();
+  const encoder = new TextEncoder();
+  const key = await crypto2.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto2.subtle.sign("HMAC", key, encoder.encode(data));
+  return Array.from(new Uint8Array(signature)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/webhook.ts
+var DEFAULT_MAX_AGE_SECONDS = 300;
+function parseSignatureHeader(header) {
+  if (!header || typeof header !== "string") {
+    return null;
+  }
+  let timestamp = "";
+  let signature = "";
+  const elements = header.split(",");
+  for (const element of elements) {
+    const trimmedElement = element.trim();
+    const parts = trimmedElement.split("=", 2);
+    if (parts.length !== 2) {
+      continue;
+    }
+    const [key, value] = parts;
+    switch (key) {
+      case "t":
+        timestamp = value;
+        break;
+      case "sha256":
+        signature = value;
+        break;
+    }
+  }
+  if (!timestamp || !signature) {
+    return null;
+  }
+  return { timestamp, signature };
+}
+async function validateWebhookSignature(payload, signatureHeader, secret, options = {}) {
+  if (!secret || secret.length === 0) {
+    return {
+      valid: false,
+      error: "Empty secret is not allowed"
+    };
+  }
+  const parsed = parseSignatureHeader(signatureHeader);
+  if (!parsed) {
+    return {
+      valid: false,
+      error: "Invalid signature header format"
+    };
+  }
+  const timestamp = Number.parseInt(parsed.timestamp, 10);
+  if (isNaN(timestamp)) {
+    return {
+      valid: false,
+      error: "Invalid timestamp in signature"
+    };
+  }
+  const maxAge = options.maxAgeSeconds ?? DEFAULT_MAX_AGE_SECONDS;
+  if (maxAge > 0) {
+    const now = Math.floor(Date.now() / 1e3);
+    const age = now - timestamp;
+    if (age > maxAge) {
+      return {
+        valid: false,
+        error: `Webhook timestamp too old (${age} seconds)`,
+        timestamp
+      };
+    }
+    if (age < -60) {
+      return {
+        valid: false,
+        error: "Webhook timestamp is in the future",
+        timestamp
+      };
+    }
+  }
+  const payloadStr = typeof payload === "string" ? payload : payload.toString("utf8");
+  const signedData = `${parsed.timestamp}.${payloadStr}`;
+  const expectedSignature = await createHmac("sha256", secret, signedData);
+  const expectedBuffer = Buffer.from(expectedSignature);
+  const actualBuffer = Buffer.from(parsed.signature);
+  if (expectedBuffer.length !== actualBuffer.length) {
+    return {
+      valid: false,
+      error: "Invalid signature",
+      timestamp
+    };
+  }
+  const signaturesMatch = timingSafeEqual(expectedBuffer, actualBuffer);
+  if (!signaturesMatch) {
+    return {
+      valid: false,
+      error: "Invalid signature",
+      timestamp
+    };
+  }
+  return {
+    valid: true,
+    timestamp
+  };
+}
+async function validateWebhook(payload, headers, secret, options = {}) {
+  const signatureHeader = headers["x-pierre-signature"] || headers["X-Pierre-Signature"];
+  if (!signatureHeader || Array.isArray(signatureHeader)) {
+    return {
+      valid: false,
+      error: "Missing or invalid X-Pierre-Signature header"
+    };
+  }
+  const eventType = headers["x-pierre-event"] || headers["X-Pierre-Event"];
+  if (!eventType || Array.isArray(eventType)) {
+    return {
+      valid: false,
+      error: "Missing or invalid X-Pierre-Event header"
+    };
+  }
+  const validationResult = await validateWebhookSignature(
+    payload,
+    signatureHeader,
+    secret,
+    options
+  );
+  if (!validationResult.valid) {
+    return validationResult;
+  }
+  const payloadStr = typeof payload === "string" ? payload : payload.toString("utf8");
+  let parsedPayload;
+  try {
+    parsedPayload = JSON.parse(payloadStr);
+  } catch {
+    return {
+      valid: false,
+      error: "Invalid JSON payload",
+      timestamp: validationResult.timestamp
+    };
+  }
+  return {
+    valid: true,
+    eventType,
+    timestamp: validationResult.timestamp,
+    payload: parsedPayload
+  };
+}
 
 // src/index.ts
 var API_BASE_URL = "https://api.git.storage";
 var STORAGE_BASE_URL = "git.storage";
+var API_VERSION = 1;
+var apiInstanceMap = /* @__PURE__ */ new Map();
+function getApiInstance(baseUrl, version) {
+  if (!apiInstanceMap.has(`${baseUrl}--${version}`)) {
+    apiInstanceMap.set(`${baseUrl}--${version}`, new ApiFetcher(baseUrl, version));
+  }
+  return apiInstanceMap.get(`${baseUrl}--${version}`);
+}
 var RepoImpl = class {
   constructor(id, options, generateJWT) {
     this.id = id;
     this.options = options;
     this.generateJWT = generateJWT;
+    this.api = getApiInstance(
+      this.options.apiBaseUrl ?? API_BASE_URL,
+      this.options.apiVersion ?? API_VERSION
+    );
   }
+  api;
   async getRemoteURL(urlOptions) {
-    const url = new URL(`https://${this.options.name}.${STORAGE_BASE_URL}/${this.id}.git`);
+    const storageBaseUrl = this.options.storageBaseUrl ?? STORAGE_BASE_URL;
+    const url = new URL(`https://${this.options.name}.${storageBaseUrl}/${this.id}.git`);
     url.username = `t`;
     url.password = await this.generateJWT(this.id, urlOptions);
     return url.toString();
@@ -18,161 +263,130 @@ var RepoImpl = class {
   async getFile(options) {
     const jwt = await this.generateJWT(this.id, {
       permissions: ["git:read"],
-      ttl: 1 * 60 * 60
+      ttl: options?.ttl ?? 1 * 60 * 60
       // 1hr in seconds
     });
-    const url = new URL(`${API_BASE_URL}/api/v1/repos/file`);
-    url.searchParams.set("path", options.path);
+    const params = {
+      path: options.path
+    };
     if (options.ref) {
-      url.searchParams.set("ref", options.ref);
-    }
-    const response = await fetch(url.toString(), {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${jwt}`
-      }
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to get file: ${response.statusText}`);
+      params.ref = options.ref;
     }
+    const response = await this.api.get({ path: "repos/file", params }, jwt);
     return await response.json();
   }
   async listFiles(options) {
     const jwt = await this.generateJWT(this.id, {
       permissions: ["git:read"],
-      ttl: 1 * 60 * 60
+      ttl: options?.ttl ?? 1 * 60 * 60
       // 1hr in seconds
     });
-    const url = new URL(`${API_BASE_URL}/api/v1/repos/files`);
-    if (options?.ref) {
-      url.searchParams.set("ref", options.ref);
-    }
-    const response = await fetch(url.toString(), {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${jwt}`
-      }
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to list files: ${response.statusText}`);
-    }
+    const params = options?.ref ? { ref: options.ref } : void 0;
+    const response = await this.api.get({ path: "repos/files", params }, jwt);
     return await response.json();
   }
   async listBranches(options) {
     const jwt = await this.generateJWT(this.id, {
       permissions: ["git:read"],
-      ttl: 1 * 60 * 60
+      ttl: options?.ttl ?? 1 * 60 * 60
       // 1hr in seconds
     });
-    const url = new URL(`${API_BASE_URL}/api/v1/repos/branches`);
-    if (options?.cursor) {
-      url.searchParams.set("cursor", options.cursor);
-    }
-    if (options?.limit) {
-      url.searchParams.set("limit", options.limit.toString());
-    }
-    const response = await fetch(url.toString(), {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${jwt}`
+    let params;
+    if (options?.cursor || !options?.limit) {
+      params = {};
+      if (options?.cursor) {
+        params.cursor = options.cursor;
+      }
+      if (typeof options?.limit == "number") {
+        params.limit = options.limit.toString();
       }
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to list branches: ${response.statusText}`);
     }
+    const response = await this.api.get({ path: "repos/branches", params }, jwt);
     return await response.json();
   }
   async listCommits(options) {
     const jwt = await this.generateJWT(this.id, {
       permissions: ["git:read"],
-      ttl: 1 * 60 * 60
+      ttl: options?.ttl ?? 1 * 60 * 60
       // 1hr in seconds
     });
-    const url = new URL(`${API_BASE_URL}/api/v1/repos/commits`);
-    if (options?.branch) {
-      url.searchParams.set("branch", options.branch);
-    }
-    if (options?.cursor) {
-      url.searchParams.set("cursor", options.cursor);
-    }
-    if (options?.limit) {
-      url.searchParams.set("limit", options.limit.toString());
-    }
-    const response = await fetch(url.toString(), {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${jwt}`
+    let params;
+    if (options?.branch || options?.cursor || options?.limit) {
+      params = {};
+      if (options?.branch) {
+        params.branch = options.branch;
+      }
+      if (options?.cursor) {
+        params.cursor = options.cursor;
+      }
+      if (typeof options?.limit == "number") {
+        params.limit = options.limit.toString();
       }
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to list commits: ${response.statusText}`);
     }
+    const response = await this.api.get({ path: "repos/commits", params }, jwt);
     return await response.json();
   }
   async getBranchDiff(options) {
     const jwt = await this.generateJWT(this.id, {
       permissions: ["git:read"],
-      ttl: 1 * 60 * 60
+      ttl: options?.ttl ?? 1 * 60 * 60
       // 1hr in seconds
     });
-    const url = new URL(`${API_BASE_URL}/api/v1/repos/branches/diff`);
-    url.searchParams.set("branch", options.branch);
+    const params = {
+      branch: options.branch
+    };
     if (options.base) {
-      url.searchParams.set("base", options.base);
-    }
-    const response = await fetch(url.toString(), {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${jwt}`
-      }
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to get branch diff: ${response.statusText}`);
+      params.base = options.base;
     }
+    const response = await this.api.get({ path: "repos/branches/diff", params }, jwt);
     return await response.json();
   }
   async getCommitDiff(options) {
     const jwt = await this.generateJWT(this.id, {
       permissions: ["git:read"],
-      ttl: 1 * 60 * 60
+      ttl: options?.ttl ?? 1 * 60 * 60
       // 1hr in seconds
     });
-    const url = new URL(`${API_BASE_URL}/api/v1/repos/diff`);
-    url.searchParams.set("sha", options.sha);
-    const response = await fetch(url.toString(), {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${jwt}`
-      }
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to get commit diff: ${response.statusText}`);
-    }
+    const params = {
+      sha: options.sha
+    };
+    const response = await this.api.get({ path: "repos/diff", params }, jwt);
     return await response.json();
   }
   async getCommit(options) {
     const jwt = await this.generateJWT(this.id, {
       permissions: ["git:read"],
-      ttl: 1 * 60 * 60
+      ttl: options?.ttl ?? 1 * 60 * 60
       // 1hr in seconds
     });
-    const url = new URL(`${API_BASE_URL}/commit`);
-    url.searchParams.set("repo", this.id);
-    url.searchParams.set("sha", options.sha);
-    const response = await fetch(url.toString(), {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${jwt}`
-      }
+    const params = {
+      repo: this.id,
+      sha: options.sha
+    };
+    const response = await this.api.get({ path: "commit", params }, jwt);
+    return await response.json();
+  }
+  async repull(options) {
+    const jwt = await this.generateJWT(this.id, {
+      permissions: ["git:write"],
+      ttl: options?.ttl ?? 1 * 60 * 60
+      // 1hr in seconds
     });
-    if (!response.ok) {
-      throw new Error(`Failed to get commit: ${response.statusText}`);
+    const body = {};
+    if (options.ref) {
+      body.ref = options.ref;
     }
-    return await response.json();
+    const response = await this.api.post({ path: "repos/repull", body }, jwt);
+    if (response.status !== 202) {
+      throw new Error(`Repull failed: ${response.status} ${await response.text()}`);
+    }
+    return;
   }
 };
-var GitStorage = class {
+var GitStorage = class _GitStorage {
+  static overrides = {};
   options;
+  api;
   constructor(options) {
     if (!options || options.name === void 0 || options.key === void 0 || options.name === null || options.key === null) {
       throw new Error(
@@ -185,11 +399,21 @@ var GitStorage = class {
     if (typeof options.key !== "string" || options.key.trim() === "") {
       throw new Error("GitStorage key must be a non-empty string.");
     }
+    const resolvedApiBaseUrl = options.apiBaseUrl ?? _GitStorage.overrides.apiBaseUrl ?? API_BASE_URL;
+    const resolvedApiVersion = options.apiVersion ?? _GitStorage.overrides.apiVersion ?? API_VERSION;
+    const resolvedStorageBaseUrl = options.storageBaseUrl ?? _GitStorage.overrides.storageBaseUrl ?? STORAGE_BASE_URL;
+    this.api = getApiInstance(resolvedApiBaseUrl, resolvedApiVersion);
     this.options = {
       key: options.key,
-      name: options.name
+      name: options.name,
+      apiBaseUrl: resolvedApiBaseUrl,
+      apiVersion: resolvedApiVersion,
+      storageBaseUrl: resolvedStorageBaseUrl
     };
   }
+  static override(options) {
+    this.overrides = Object.assign({}, this.overrides, options);
+  }
   /**
    * Create a new repository
    * @returns The created repository
@@ -198,17 +422,24 @@ var GitStorage = class {
     const repoId = options?.id || crypto.randomUUID();
     const jwt = await this.generateJWT(repoId, {
       permissions: ["repo:write"],
-      ttl: 1 * 60 * 60
+      ttl: options?.ttl ?? 1 * 60 * 60
       // 1hr in seconds
     });
-    const response = await fetch(`${API_BASE_URL}/api/v1/repos`, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${jwt}`
+    const baseRepoOptions = options?.baseRepo ? {
+      provider: "github",
+      ...snakecaseKeys(options.baseRepo)
+    } : null;
+    const defaultBranch = options?.defaultBranch ?? "main";
+    const createRepoPath = baseRepoOptions || defaultBranch ? {
+      path: "repos",
+      body: {
+        ...baseRepoOptions && { base_repo: baseRepoOptions },
+        default_branch: defaultBranch
       }
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to create repository: ${response.statusText}`);
+    } : "repos";
+    const resp = await this.api.post(createRepoPath, jwt, { allowedStatus: [409] });
+    if (resp.status === 409) {
+      throw new Error("Repository already exists");
     }
     return new RepoImpl(repoId, this.options, this.generateJWT.bind(this));
   }
@@ -218,6 +449,14 @@ var GitStorage = class {
    * @returns The found repository
    */
   async findOne(options) {
+    const jwt = await this.generateJWT(options.id, {
+      permissions: ["git:read"],
+      ttl: 1 * 60 * 60
+    });
+    const resp = await this.api.get("repo", jwt, { allowedStatus: [404] });
+    if (resp.status === 404) {
+      return null;
+    }
     return new RepoImpl(options.id, this.options, this.generateJWT.bind(this));
   }
   /**
@@ -252,6 +491,6 @@ function createClient(options) {
   return new GitStorage(options);
 }
 
-export { GitStorage, createClient };
+export { GitStorage, createClient, parseSignatureHeader, validateWebhook, validateWebhookSignature };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map