@pikku/core 0.12.0 → 0.12.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (290) hide show
  1. package/CHANGELOG.md +40 -0
  2. package/dist/errors/errors.d.ts +6 -0
  3. package/dist/errors/errors.js +10 -0
  4. package/dist/errors/index.d.ts +1 -0
  5. package/dist/errors/index.js +1 -0
  6. package/dist/function/function-runner.d.ts +3 -3
  7. package/dist/function/function-runner.js +66 -44
  8. package/dist/function/functions.types.d.ts +1 -0
  9. package/dist/handle-error.d.ts +2 -2
  10. package/dist/handle-error.js +2 -2
  11. package/dist/index.d.ts +5 -3
  12. package/dist/index.js +2 -1
  13. package/dist/internal.d.ts +3 -0
  14. package/dist/internal.js +2 -0
  15. package/dist/middleware/auth-bearer.d.ts +1 -1
  16. package/dist/middleware/auth-bearer.js +1 -1
  17. package/dist/middleware/auth-cookie.d.ts +2 -2
  18. package/dist/middleware/auth-cookie.js +1 -1
  19. package/dist/middleware/cors.d.ts +2 -2
  20. package/dist/middleware/cors.js +45 -37
  21. package/dist/middleware-runner.d.ts +1 -1
  22. package/dist/middleware-runner.js +1 -0
  23. package/dist/permissions.d.ts +2 -2
  24. package/dist/permissions.js +1 -0
  25. package/dist/pikku-state.d.ts +9 -8
  26. package/dist/pikku-state.js +34 -17
  27. package/dist/schema.d.ts +4 -4
  28. package/dist/schema.js +9 -5
  29. package/dist/services/ai-agent-runner-service.d.ts +22 -3
  30. package/dist/services/ai-run-state-service.d.ts +1 -1
  31. package/dist/services/ai-storage-service.d.ts +1 -1
  32. package/dist/services/content-service.d.ts +6 -0
  33. package/dist/services/gateway-service.d.ts +19 -0
  34. package/dist/services/gopass-secrets.d.ts +1 -1
  35. package/dist/services/gopass-secrets.js +3 -0
  36. package/dist/services/in-memory-ai-run-state-service.d.ts +15 -0
  37. package/dist/services/in-memory-ai-run-state-service.js +44 -0
  38. package/dist/services/in-memory-trigger-service.d.ts +0 -1
  39. package/dist/services/in-memory-trigger-service.js +6 -8
  40. package/dist/services/index.d.ts +5 -2
  41. package/dist/services/index.js +2 -0
  42. package/dist/services/local-content.d.ts +2 -1
  43. package/dist/services/local-content.js +6 -1
  44. package/dist/services/local-gateway-service.d.ts +22 -0
  45. package/dist/services/local-gateway-service.js +51 -0
  46. package/dist/services/local-secrets.d.ts +2 -2
  47. package/dist/services/local-variables.d.ts +1 -1
  48. package/dist/services/logger-console.d.ts +2 -1
  49. package/dist/services/scheduler-service.d.ts +0 -12
  50. package/dist/services/scheduler-service.js +0 -6
  51. package/dist/services/scoped-secret-service.d.ts +1 -1
  52. package/dist/services/trigger-service.d.ts +0 -7
  53. package/dist/services/user-session-service.d.ts +3 -3
  54. package/dist/services/workflow-service.d.ts +2 -3
  55. package/dist/types/core.types.d.ts +27 -19
  56. package/dist/types/state.types.d.ts +22 -15
  57. package/dist/utils.d.ts +5 -5
  58. package/dist/utils.js +12 -9
  59. package/dist/wirings/ai-agent/ai-agent-assistant-ui.d.ts +5 -0
  60. package/dist/wirings/ai-agent/ai-agent-assistant-ui.js +168 -0
  61. package/dist/wirings/ai-agent/ai-agent-helpers.d.ts +28 -0
  62. package/dist/wirings/ai-agent/ai-agent-helpers.js +40 -0
  63. package/dist/wirings/ai-agent/ai-agent-memory.js +13 -2
  64. package/dist/wirings/ai-agent/ai-agent-prepare.d.ts +4 -5
  65. package/dist/wirings/ai-agent/ai-agent-prepare.js +80 -31
  66. package/dist/wirings/ai-agent/ai-agent-registry.d.ts +1 -1
  67. package/dist/wirings/ai-agent/ai-agent-runner.js +107 -8
  68. package/dist/wirings/ai-agent/ai-agent-stream.d.ts +2 -1
  69. package/dist/wirings/ai-agent/ai-agent-stream.js +263 -89
  70. package/dist/wirings/ai-agent/ai-agent.types.d.ts +96 -4
  71. package/dist/wirings/ai-agent/index.d.ts +3 -1
  72. package/dist/wirings/ai-agent/index.js +2 -0
  73. package/dist/wirings/channel/channel-common.d.ts +2 -2
  74. package/dist/wirings/channel/channel-handler.d.ts +7 -4
  75. package/dist/wirings/channel/channel-handler.js +15 -5
  76. package/dist/wirings/channel/channel-middleware-runner.js +1 -0
  77. package/dist/wirings/channel/channel-runner.d.ts +5 -5
  78. package/dist/wirings/channel/channel-runner.js +3 -2
  79. package/dist/wirings/channel/channel-store.d.ts +1 -1
  80. package/dist/wirings/channel/channel.types.d.ts +10 -6
  81. package/dist/wirings/channel/index.d.ts +1 -1
  82. package/dist/wirings/channel/local/local-channel-handler.d.ts +7 -0
  83. package/dist/wirings/channel/local/local-channel-handler.js +17 -0
  84. package/dist/wirings/channel/local/local-channel-runner.d.ts +7 -2
  85. package/dist/wirings/channel/local/local-channel-runner.js +18 -4
  86. package/dist/wirings/channel/local/local-eventhub-service.d.ts +2 -2
  87. package/dist/wirings/channel/log-channels.d.ts +1 -1
  88. package/dist/wirings/channel/pikku-abstract-channel-handler.d.ts +2 -1
  89. package/dist/wirings/channel/pikku-abstract-channel-handler.js +1 -0
  90. package/dist/wirings/channel/serverless/serverless-channel-runner.d.ts +4 -4
  91. package/dist/wirings/channel/serverless/serverless-channel-runner.js +26 -20
  92. package/dist/wirings/cli/channel/cli-channel-runner.d.ts +1 -1
  93. package/dist/wirings/cli/cli-runner.d.ts +2 -2
  94. package/dist/wirings/cli/cli-runner.js +3 -0
  95. package/dist/wirings/cli/cli.types.d.ts +3 -3
  96. package/dist/wirings/cli/command-parser.d.ts +1 -1
  97. package/dist/wirings/gateway/gateway-runner.d.ts +24 -0
  98. package/dist/wirings/gateway/gateway-runner.js +325 -0
  99. package/dist/wirings/gateway/gateway.types.d.ts +127 -0
  100. package/dist/wirings/gateway/index.d.ts +2 -0
  101. package/dist/wirings/gateway/index.js +1 -0
  102. package/dist/wirings/http/http-runner.d.ts +9 -9
  103. package/dist/wirings/http/http-runner.js +36 -14
  104. package/dist/wirings/http/http.types.d.ts +2 -6
  105. package/dist/wirings/http/log-http-routes.d.ts +1 -1
  106. package/dist/wirings/http/pikku-fetch-http-request.d.ts +1 -1
  107. package/dist/wirings/http/pikku-fetch-http-response.d.ts +2 -2
  108. package/dist/wirings/http/pikku-fetch-http-response.js +6 -1
  109. package/dist/wirings/http/routers/http-router.d.ts +1 -1
  110. package/dist/wirings/http/routers/path-to-regex.d.ts +2 -2
  111. package/dist/wirings/mcp/mcp-endpoint-registry.d.ts +1 -1
  112. package/dist/wirings/mcp/mcp-runner.d.ts +0 -3
  113. package/dist/wirings/mcp/mcp-runner.js +4 -2
  114. package/dist/wirings/mcp/mcp.types.d.ts +2 -2
  115. package/dist/wirings/oauth2/oauth2-client.d.ts +3 -3
  116. package/dist/wirings/oauth2/wire-oauth2-credential.d.ts +1 -1
  117. package/dist/wirings/queue/index.d.ts +1 -1
  118. package/dist/wirings/queue/index.js +1 -1
  119. package/dist/wirings/queue/queue-runner.d.ts +1 -12
  120. package/dist/wirings/queue/queue-runner.js +4 -12
  121. package/dist/wirings/queue/queue.types.d.ts +3 -9
  122. package/dist/wirings/queue/register-queue-helper.d.ts +2 -2
  123. package/dist/wirings/queue/register-queue-helper.js +1 -1
  124. package/dist/wirings/queue/validate-worker-config.d.ts +1 -1
  125. package/dist/wirings/rpc/index.d.ts +2 -0
  126. package/dist/wirings/rpc/index.js +1 -0
  127. package/dist/wirings/rpc/rpc-runner.d.ts +36 -14
  128. package/dist/wirings/rpc/rpc-runner.js +56 -28
  129. package/dist/wirings/rpc/rpc-types.d.ts +14 -2
  130. package/dist/wirings/rpc/wire-addon.d.ts +10 -0
  131. package/dist/wirings/rpc/wire-addon.js +9 -0
  132. package/dist/wirings/scheduler/index.d.ts +1 -1
  133. package/dist/wirings/scheduler/index.js +1 -1
  134. package/dist/wirings/scheduler/log-schedulers.d.ts +1 -1
  135. package/dist/wirings/scheduler/scheduler-runner.d.ts +3 -10
  136. package/dist/wirings/scheduler/scheduler-runner.js +4 -25
  137. package/dist/wirings/scheduler/scheduler.types.d.ts +2 -2
  138. package/dist/wirings/trigger/pikku-trigger-service.d.ts +2 -6
  139. package/dist/wirings/trigger/pikku-trigger-service.js +11 -16
  140. package/dist/wirings/trigger/trigger-runner.d.ts +1 -5
  141. package/dist/wirings/trigger/trigger-runner.js +4 -3
  142. package/dist/wirings/workflow/pikku-workflow-service.d.ts +2 -6
  143. package/dist/wirings/workflow/pikku-workflow-service.js +20 -29
  144. package/dist/wirings/workflow/workflow.types.d.ts +2 -2
  145. package/package.json +4 -2
  146. package/src/crypto-utils.test.ts +116 -0
  147. package/src/errors/error.test.ts +143 -2
  148. package/src/errors/errors.ts +10 -0
  149. package/src/errors/index.ts +1 -0
  150. package/src/function/function-runner.test.ts +2 -2
  151. package/src/function/function-runner.ts +72 -49
  152. package/src/function/functions.types.ts +1 -0
  153. package/src/handle-error.test.ts +361 -0
  154. package/src/handle-error.ts +4 -4
  155. package/src/index.ts +3 -10
  156. package/src/internal.ts +6 -0
  157. package/src/middleware/auth-apikey.test.ts +1 -1
  158. package/src/middleware/auth-bearer.test.ts +1 -1
  159. package/src/middleware/auth-bearer.ts +2 -5
  160. package/src/middleware/auth-cookie.test.ts +1 -1
  161. package/src/middleware/auth-cookie.ts +3 -5
  162. package/src/middleware/cors.test.ts +424 -0
  163. package/src/middleware/cors.ts +14 -6
  164. package/src/middleware/remote-auth.test.ts +488 -0
  165. package/src/middleware-runner.test.ts +1 -1
  166. package/src/middleware-runner.ts +2 -1
  167. package/src/permissions.test.ts +2 -2
  168. package/src/permissions.ts +3 -2
  169. package/src/pikku-state.test.ts +224 -0
  170. package/src/pikku-state.ts +45 -28
  171. package/src/schema.test.ts +198 -6
  172. package/src/schema.ts +11 -7
  173. package/src/services/ai-agent-runner-service.ts +15 -3
  174. package/src/services/ai-run-state-service.ts +1 -1
  175. package/src/services/ai-storage-service.ts +1 -1
  176. package/src/services/content-service.ts +7 -0
  177. package/src/services/gateway-service.ts +20 -0
  178. package/src/services/gopass-secrets.ts +4 -1
  179. package/src/services/in-memory-ai-run-state-service.ts +73 -0
  180. package/src/services/in-memory-trigger-service.ts +6 -10
  181. package/src/services/in-memory-workflow-service.test.ts +351 -0
  182. package/src/services/index.ts +4 -1
  183. package/src/services/local-content.ts +9 -3
  184. package/src/services/local-gateway-service.ts +62 -0
  185. package/src/services/local-secrets.test.ts +80 -0
  186. package/src/services/local-secrets.ts +2 -2
  187. package/src/services/local-variables.test.ts +61 -0
  188. package/src/services/local-variables.ts +1 -1
  189. package/src/services/logger-console.test.ts +118 -0
  190. package/src/services/logger-console.ts +2 -1
  191. package/src/services/scheduler-service.ts +0 -18
  192. package/src/services/scoped-secret-service.test.ts +74 -0
  193. package/src/services/scoped-secret-service.ts +1 -1
  194. package/src/services/trigger-service.ts +0 -21
  195. package/src/services/typed-secret-service.test.ts +93 -0
  196. package/src/services/typed-variables-service.test.ts +73 -0
  197. package/src/services/user-session-service.test.ts +113 -0
  198. package/src/services/user-session-service.ts +3 -3
  199. package/src/services/workflow-service.ts +2 -12
  200. package/src/time-utils.test.ts +1 -1
  201. package/src/types/core.types.ts +28 -19
  202. package/src/types/state.types.ts +32 -15
  203. package/src/utils.test.ts +350 -0
  204. package/src/utils.ts +14 -13
  205. package/src/wirings/ai-agent/ai-agent-assistant-ui.test.ts +363 -0
  206. package/src/wirings/ai-agent/ai-agent-assistant-ui.ts +238 -0
  207. package/src/wirings/ai-agent/ai-agent-helpers.test.ts +152 -0
  208. package/src/wirings/ai-agent/ai-agent-helpers.ts +76 -0
  209. package/src/wirings/ai-agent/ai-agent-memory.ts +10 -1
  210. package/src/wirings/ai-agent/ai-agent-model-config.test.ts +115 -0
  211. package/src/wirings/ai-agent/ai-agent-prepare.ts +98 -46
  212. package/src/wirings/ai-agent/ai-agent-registry.ts +1 -1
  213. package/src/wirings/ai-agent/ai-agent-runner.test.ts +245 -3
  214. package/src/wirings/ai-agent/ai-agent-runner.ts +121 -7
  215. package/src/wirings/ai-agent/ai-agent-stream.test.ts +430 -24
  216. package/src/wirings/ai-agent/ai-agent-stream.ts +390 -104
  217. package/src/wirings/ai-agent/ai-agent.types.ts +91 -4
  218. package/src/wirings/ai-agent/index.ts +13 -0
  219. package/src/wirings/channel/channel-common.ts +2 -2
  220. package/src/wirings/channel/channel-handler.ts +43 -11
  221. package/src/wirings/channel/channel-middleware-runner.ts +1 -0
  222. package/src/wirings/channel/channel-runner.ts +6 -6
  223. package/src/wirings/channel/channel-store.ts +1 -1
  224. package/src/wirings/channel/channel.types.ts +15 -8
  225. package/src/wirings/channel/index.ts +1 -0
  226. package/src/wirings/channel/local/local-channel-handler.ts +26 -0
  227. package/src/wirings/channel/local/local-channel-runner.test.ts +19 -12
  228. package/src/wirings/channel/local/local-channel-runner.ts +33 -14
  229. package/src/wirings/channel/local/local-eventhub-service.test.ts +2 -2
  230. package/src/wirings/channel/local/local-eventhub-service.ts +2 -2
  231. package/src/wirings/channel/log-channels.ts +1 -1
  232. package/src/wirings/channel/pikku-abstract-channel-handler.test.ts +2 -0
  233. package/src/wirings/channel/pikku-abstract-channel-handler.ts +8 -1
  234. package/src/wirings/channel/serverless/serverless-channel-runner.ts +38 -33
  235. package/src/wirings/cli/channel/cli-channel-runner.ts +1 -1
  236. package/src/wirings/cli/cli-runner.test.ts +1 -1
  237. package/src/wirings/cli/cli-runner.ts +14 -4
  238. package/src/wirings/cli/cli.types.ts +3 -3
  239. package/src/wirings/cli/command-parser.test.ts +1 -1
  240. package/src/wirings/cli/command-parser.ts +1 -1
  241. package/src/wirings/gateway/gateway-runner.test.ts +474 -0
  242. package/src/wirings/gateway/gateway-runner.ts +411 -0
  243. package/src/wirings/gateway/gateway.types.ts +149 -0
  244. package/src/wirings/gateway/index.ts +13 -0
  245. package/src/wirings/http/http-routes.test.ts +1 -1
  246. package/src/wirings/http/http-runner.test.ts +9 -17
  247. package/src/wirings/http/http-runner.ts +46 -27
  248. package/src/wirings/http/http.types.ts +1 -14
  249. package/src/wirings/http/log-http-routes.ts +1 -1
  250. package/src/wirings/http/pikku-fetch-http-request.ts +1 -1
  251. package/src/wirings/http/pikku-fetch-http-response.ts +12 -5
  252. package/src/wirings/http/routers/http-router.ts +1 -1
  253. package/src/wirings/http/routers/path-to-regex.test.ts +1 -1
  254. package/src/wirings/http/routers/path-to-regex.ts +4 -3
  255. package/src/wirings/mcp/mcp-endpoint-registry.ts +5 -1
  256. package/src/wirings/mcp/mcp-runner.ts +9 -15
  257. package/src/wirings/mcp/mcp.types.ts +2 -2
  258. package/src/wirings/oauth2/oauth2-client.ts +3 -3
  259. package/src/wirings/oauth2/wire-oauth2-credential.ts +1 -1
  260. package/src/wirings/queue/index.ts +0 -1
  261. package/src/wirings/queue/queue-runner.test.ts +52 -25
  262. package/src/wirings/queue/queue-runner.ts +8 -30
  263. package/src/wirings/queue/queue.types.ts +3 -13
  264. package/src/wirings/queue/register-queue-helper.ts +3 -5
  265. package/src/wirings/queue/validate-worker-config.test.ts +108 -0
  266. package/src/wirings/queue/validate-worker-config.ts +4 -1
  267. package/src/wirings/rpc/index.ts +2 -0
  268. package/src/wirings/rpc/rpc-runner.ts +92 -49
  269. package/src/wirings/rpc/rpc-types.ts +17 -2
  270. package/src/wirings/rpc/wire-addon.ts +20 -0
  271. package/src/wirings/scheduler/index.ts +0 -1
  272. package/src/wirings/scheduler/log-schedulers.ts +1 -1
  273. package/src/wirings/scheduler/scheduler-runner.test.ts +49 -60
  274. package/src/wirings/scheduler/scheduler-runner.ts +9 -56
  275. package/src/wirings/scheduler/scheduler.types.ts +2 -2
  276. package/src/wirings/secret/validate-secret-definitions.test.ts +140 -0
  277. package/src/wirings/trigger/pikku-trigger-service.ts +17 -39
  278. package/src/wirings/trigger/trigger-runner.test.ts +79 -0
  279. package/src/wirings/trigger/trigger-runner.ts +8 -11
  280. package/src/wirings/variable/validate-variable-definitions.test.ts +91 -0
  281. package/src/wirings/workflow/graph/graph-runner.test.ts +14 -22
  282. package/src/wirings/workflow/graph/template.test.ts +49 -0
  283. package/src/wirings/workflow/pikku-workflow-service.test.ts +15 -27
  284. package/src/wirings/workflow/pikku-workflow-service.ts +29 -45
  285. package/src/wirings/workflow/workflow-helpers.test.ts +129 -0
  286. package/src/wirings/workflow/workflow.types.ts +2 -2
  287. package/tsconfig.tsbuildinfo +1 -1
  288. package/src/wirings/workflow/workflow-utils.ts +0 -0
  289. /package/dist/{wirings/workflow/workflow-utils.d.ts → services/gateway-service.js} +0 -0
  290. /package/dist/wirings/{workflow/workflow-utils.js → gateway/gateway.types.js} +0 -0
@@ -1,9 +1,7 @@
1
- import { SerializeOptions } from 'cookie'
1
+ import type { SerializeOptions } from 'cookie'
2
2
  import { pikkuMiddleware, pikkuMiddlewareFactory } from '../types/core.types.js'
3
- import {
4
- getRelativeTimeOffsetFromNow,
5
- RelativeTimeInput,
6
- } from '../time-utils.js'
3
+ import type { RelativeTimeInput } from '../time-utils.js'
4
+ import { getRelativeTimeOffsetFromNow } from '../time-utils.js'
7
5
 
8
6
  /**
9
7
  * Cookie-based session middleware that uses JWT for encoding/decoding session data.
@@ -0,0 +1,424 @@
1
+ import { describe, test, beforeEach } from 'node:test'
2
+ import assert from 'node:assert'
3
+ import { cors } from './cors.js'
4
+ import { resetPikkuState } from '../pikku-state.js'
5
+
6
+ beforeEach(() => {
7
+ resetPikkuState()
8
+ })
9
+
10
+ const createMockRequest = (method = 'get', origin?: string) => ({
11
+ method: () => method,
12
+ header: (name: string) => {
13
+ if (name === 'origin') return origin
14
+ return undefined
15
+ },
16
+ })
17
+
18
+ const createMockResponse = () => {
19
+ const headers: Record<string, string> = {}
20
+ let statusCode: number | undefined
21
+ let jsonBody: any
22
+ return {
23
+ header: (name: string, value: string) => {
24
+ headers[name] = value
25
+ },
26
+ status: (code: number) => {
27
+ statusCode = code
28
+ return {
29
+ json: (body: any) => {
30
+ jsonBody = body
31
+ },
32
+ }
33
+ },
34
+ json: (body: any) => {
35
+ jsonBody = body
36
+ },
37
+ _headers: headers,
38
+ _getStatus: () => statusCode,
39
+ _getJson: () => jsonBody,
40
+ }
41
+ }
42
+
43
+ describe('cors', () => {
44
+ describe('configuration validation', () => {
45
+ test('should throw when wildcard origin used with credentials', () => {
46
+ assert.throws(() => cors({ origin: '*', credentials: true }), {
47
+ message:
48
+ 'CORS misconfiguration: wildcard origin (*) cannot be used with credentials: true',
49
+ })
50
+ })
51
+
52
+ test('should not throw with wildcard origin and no credentials', () => {
53
+ const middleware = cors({ origin: '*' })
54
+ assert.ok(middleware)
55
+ })
56
+
57
+ test('should not throw with specific origin and credentials', () => {
58
+ const middleware = cors({
59
+ origin: 'https://example.com',
60
+ credentials: true,
61
+ })
62
+ assert.ok(middleware)
63
+ })
64
+
65
+ test('should not throw with default options', () => {
66
+ const middleware = cors()
67
+ assert.ok(middleware)
68
+ })
69
+ })
70
+
71
+ describe('wildcard origin', () => {
72
+ test('should set Access-Control-Allow-Origin to * by default', async () => {
73
+ const middleware = cors()
74
+ const request = createMockRequest()
75
+ const response = createMockResponse()
76
+ let nextCalled = false
77
+
78
+ await middleware(
79
+ {} as any,
80
+ { http: { request, response } } as any,
81
+ async () => {
82
+ nextCalled = true
83
+ }
84
+ )
85
+
86
+ assert.strictEqual(response._headers['Access-Control-Allow-Origin'], '*')
87
+ assert.strictEqual(nextCalled, true)
88
+ })
89
+ })
90
+
91
+ describe('single origin', () => {
92
+ test('should set Access-Control-Allow-Origin to specified origin', async () => {
93
+ const middleware = cors({ origin: 'https://example.com' })
94
+ const request = createMockRequest()
95
+ const response = createMockResponse()
96
+
97
+ await middleware(
98
+ {} as any,
99
+ { http: { request, response } } as any,
100
+ async () => {}
101
+ )
102
+
103
+ assert.strictEqual(
104
+ response._headers['Access-Control-Allow-Origin'],
105
+ 'https://example.com'
106
+ )
107
+ })
108
+ })
109
+
110
+ describe('array of origins', () => {
111
+ test('should use request origin when it matches array', async () => {
112
+ const middleware = cors({ origin: ['https://a.com', 'https://b.com'] })
113
+ const request = createMockRequest('get', 'https://b.com')
114
+ const response = createMockResponse()
115
+
116
+ await middleware(
117
+ {} as any,
118
+ { http: { request, response } } as any,
119
+ async () => {}
120
+ )
121
+
122
+ assert.strictEqual(
123
+ response._headers['Access-Control-Allow-Origin'],
124
+ 'https://b.com'
125
+ )
126
+ })
127
+
128
+ test('should use first origin when request origin not in array', async () => {
129
+ const middleware = cors({ origin: ['https://a.com', 'https://b.com'] })
130
+ const request = createMockRequest('get', 'https://unknown.com')
131
+ const response = createMockResponse()
132
+
133
+ await middleware(
134
+ {} as any,
135
+ { http: { request, response } } as any,
136
+ async () => {}
137
+ )
138
+
139
+ assert.strictEqual(
140
+ response._headers['Access-Control-Allow-Origin'],
141
+ 'https://a.com'
142
+ )
143
+ })
144
+
145
+ test('should use first origin when no request origin header', async () => {
146
+ const middleware = cors({ origin: ['https://a.com', 'https://b.com'] })
147
+ const request = createMockRequest('get')
148
+ const response = createMockResponse()
149
+
150
+ await middleware(
151
+ {} as any,
152
+ { http: { request, response } } as any,
153
+ async () => {}
154
+ )
155
+
156
+ assert.strictEqual(
157
+ response._headers['Access-Control-Allow-Origin'],
158
+ 'https://a.com'
159
+ )
160
+ })
161
+
162
+ test('should set Vary: Origin header when origin is array', async () => {
163
+ const middleware = cors({ origin: ['https://a.com', 'https://b.com'] })
164
+ const request = createMockRequest()
165
+ const response = createMockResponse()
166
+
167
+ await middleware(
168
+ {} as any,
169
+ { http: { request, response } } as any,
170
+ async () => {}
171
+ )
172
+
173
+ assert.strictEqual(response._headers['Vary'], 'Origin')
174
+ })
175
+ })
176
+
177
+ describe('headers', () => {
178
+ test('should set default allowed methods', async () => {
179
+ const middleware = cors()
180
+ const request = createMockRequest()
181
+ const response = createMockResponse()
182
+
183
+ await middleware(
184
+ {} as any,
185
+ { http: { request, response } } as any,
186
+ async () => {}
187
+ )
188
+
189
+ assert.strictEqual(
190
+ response._headers['Access-Control-Allow-Methods'],
191
+ 'GET, POST, PUT, PATCH, DELETE, OPTIONS'
192
+ )
193
+ })
194
+
195
+ test('should set default allowed headers', async () => {
196
+ const middleware = cors()
197
+ const request = createMockRequest()
198
+ const response = createMockResponse()
199
+
200
+ await middleware(
201
+ {} as any,
202
+ { http: { request, response } } as any,
203
+ async () => {}
204
+ )
205
+
206
+ assert.strictEqual(
207
+ response._headers['Access-Control-Allow-Headers'],
208
+ 'Content-Type, Authorization, x-api-key'
209
+ )
210
+ })
211
+
212
+ test('should set custom methods', async () => {
213
+ const middleware = cors({ methods: ['GET', 'POST'] })
214
+ const request = createMockRequest()
215
+ const response = createMockResponse()
216
+
217
+ await middleware(
218
+ {} as any,
219
+ { http: { request, response } } as any,
220
+ async () => {}
221
+ )
222
+
223
+ assert.strictEqual(
224
+ response._headers['Access-Control-Allow-Methods'],
225
+ 'GET, POST'
226
+ )
227
+ })
228
+
229
+ test('should set custom headers', async () => {
230
+ const middleware = cors({ headers: ['X-Custom'] })
231
+ const request = createMockRequest()
232
+ const response = createMockResponse()
233
+
234
+ await middleware(
235
+ {} as any,
236
+ { http: { request, response } } as any,
237
+ async () => {}
238
+ )
239
+
240
+ assert.strictEqual(
241
+ response._headers['Access-Control-Allow-Headers'],
242
+ 'X-Custom'
243
+ )
244
+ })
245
+
246
+ test('should not set Vary when origin is string', async () => {
247
+ const middleware = cors({ origin: 'https://example.com' })
248
+ const request = createMockRequest()
249
+ const response = createMockResponse()
250
+
251
+ await middleware(
252
+ {} as any,
253
+ { http: { request, response } } as any,
254
+ async () => {}
255
+ )
256
+
257
+ assert.strictEqual(response._headers['Vary'], undefined)
258
+ })
259
+ })
260
+
261
+ describe('credentials', () => {
262
+ test('should set Access-Control-Allow-Credentials when enabled', async () => {
263
+ const middleware = cors({
264
+ origin: 'https://example.com',
265
+ credentials: true,
266
+ })
267
+ const request = createMockRequest()
268
+ const response = createMockResponse()
269
+
270
+ await middleware(
271
+ {} as any,
272
+ { http: { request, response } } as any,
273
+ async () => {}
274
+ )
275
+
276
+ assert.strictEqual(
277
+ response._headers['Access-Control-Allow-Credentials'],
278
+ 'true'
279
+ )
280
+ })
281
+
282
+ test('should not set credentials header when disabled', async () => {
283
+ const middleware = cors({ credentials: false })
284
+ const request = createMockRequest()
285
+ const response = createMockResponse()
286
+
287
+ await middleware(
288
+ {} as any,
289
+ { http: { request, response } } as any,
290
+ async () => {}
291
+ )
292
+
293
+ assert.strictEqual(
294
+ response._headers['Access-Control-Allow-Credentials'],
295
+ undefined
296
+ )
297
+ })
298
+ })
299
+
300
+ describe('OPTIONS preflight', () => {
301
+ test('should return 204 for OPTIONS requests', async () => {
302
+ const middleware = cors()
303
+ const request = createMockRequest('options')
304
+ const response = createMockResponse()
305
+ let nextCalled = false
306
+
307
+ await middleware(
308
+ {} as any,
309
+ { http: { request, response } } as any,
310
+ async () => {
311
+ nextCalled = true
312
+ }
313
+ )
314
+
315
+ assert.strictEqual(response._getStatus(), 204)
316
+ assert.strictEqual(nextCalled, false)
317
+ })
318
+
319
+ test('should set Access-Control-Max-Age for OPTIONS', async () => {
320
+ const middleware = cors({ maxAge: 3600 })
321
+ const request = createMockRequest('options')
322
+ const response = createMockResponse()
323
+
324
+ await middleware(
325
+ {} as any,
326
+ { http: { request, response } } as any,
327
+ async () => {}
328
+ )
329
+
330
+ assert.strictEqual(response._headers['Access-Control-Max-Age'], '3600')
331
+ })
332
+
333
+ test('should use default maxAge of 86400', async () => {
334
+ const middleware = cors()
335
+ const request = createMockRequest('options')
336
+ const response = createMockResponse()
337
+
338
+ await middleware(
339
+ {} as any,
340
+ { http: { request, response } } as any,
341
+ async () => {}
342
+ )
343
+
344
+ assert.strictEqual(response._headers['Access-Control-Max-Age'], '86400')
345
+ })
346
+
347
+ test('should call next for non-OPTIONS requests', async () => {
348
+ const middleware = cors()
349
+ const request = createMockRequest('get')
350
+ const response = createMockResponse()
351
+ let nextCalled = false
352
+
353
+ await middleware(
354
+ {} as any,
355
+ { http: { request, response } } as any,
356
+ async () => {
357
+ nextCalled = true
358
+ }
359
+ )
360
+
361
+ assert.strictEqual(nextCalled, true)
362
+ })
363
+
364
+ test('should call next for POST requests', async () => {
365
+ const middleware = cors()
366
+ const request = createMockRequest('post')
367
+ const response = createMockResponse()
368
+ let nextCalled = false
369
+
370
+ await middleware(
371
+ {} as any,
372
+ { http: { request, response } } as any,
373
+ async () => {
374
+ nextCalled = true
375
+ }
376
+ )
377
+
378
+ assert.strictEqual(nextCalled, true)
379
+ })
380
+ })
381
+
382
+ describe('missing http', () => {
383
+ test('should call next when no request', async () => {
384
+ const middleware = cors()
385
+ let nextCalled = false
386
+
387
+ await middleware(
388
+ {} as any,
389
+ { http: { response: createMockResponse() } } as any,
390
+ async () => {
391
+ nextCalled = true
392
+ }
393
+ )
394
+
395
+ assert.strictEqual(nextCalled, true)
396
+ })
397
+
398
+ test('should call next when no response', async () => {
399
+ const middleware = cors()
400
+ let nextCalled = false
401
+
402
+ await middleware(
403
+ {} as any,
404
+ { http: { request: createMockRequest() } } as any,
405
+ async () => {
406
+ nextCalled = true
407
+ }
408
+ )
409
+
410
+ assert.strictEqual(nextCalled, true)
411
+ })
412
+
413
+ test('should call next when no http', async () => {
414
+ const middleware = cors()
415
+ let nextCalled = false
416
+
417
+ await middleware({} as any, {} as any, async () => {
418
+ nextCalled = true
419
+ })
420
+
421
+ assert.strictEqual(nextCalled, true)
422
+ })
423
+ })
424
+ })
@@ -6,7 +6,7 @@ import { pikkuMiddleware, pikkuMiddlewareFactory } from '../types/core.types.js'
6
6
  * Sets appropriate CORS headers on all responses and short-circuits OPTIONS
7
7
  * preflight requests with a 204 No Content response.
8
8
  *
9
- * @param options.origin - Allowed origin(s). Use `'*'` for any origin, a string for a single origin, or an array for multiple origins. Defaults to `'*'`.
9
+ * @param options.origin - Allowed origin(s). Use `'*'` for any origin, `true` to reflect the request origin, a string for a single origin, or an array for multiple origins. Defaults to `'*'`.
10
10
  * @param options.methods - Allowed HTTP methods. Defaults to common methods.
11
11
  * @param options.headers - Allowed request headers. Defaults to common headers.
12
12
  * @param options.credentials - Whether to allow credentials. Defaults to `false`.
@@ -36,7 +36,7 @@ import { pikkuMiddleware, pikkuMiddlewareFactory } from '../types/core.types.js'
36
36
  * ```
37
37
  */
38
38
  export const cors = pikkuMiddlewareFactory<{
39
- origin?: string | string[]
39
+ origin?: string | string[] | true
40
40
  methods?: string[]
41
41
  headers?: string[]
42
42
  credentials?: boolean
@@ -48,8 +48,13 @@ export const cors = pikkuMiddlewareFactory<{
48
48
  headers = ['Content-Type', 'Authorization', 'x-api-key'],
49
49
  credentials = false,
50
50
  maxAge = 86400,
51
- } = {}) =>
52
- pikkuMiddleware({
51
+ } = {}) => {
52
+ if (origin === '*' && credentials) {
53
+ throw new Error(
54
+ 'CORS misconfiguration: wildcard origin (*) cannot be used with credentials: true'
55
+ )
56
+ }
57
+ return pikkuMiddleware({
53
58
  name: 'CORS',
54
59
  description: 'Handles cross-origin requests including OPTIONS preflight',
55
60
  func: async (_services, wires, next) => {
@@ -63,7 +68,9 @@ export const cors = pikkuMiddlewareFactory<{
63
68
  const requestOrigin = request.header('origin')
64
69
 
65
70
  let allowedOrigin: string
66
- if (Array.isArray(origin)) {
71
+ if (origin === true) {
72
+ allowedOrigin = requestOrigin || '*'
73
+ } else if (Array.isArray(origin)) {
67
74
  allowedOrigin =
68
75
  requestOrigin && origin.includes(requestOrigin)
69
76
  ? requestOrigin
@@ -80,7 +87,7 @@ export const cors = pikkuMiddlewareFactory<{
80
87
  response.header('Access-Control-Allow-Credentials', 'true')
81
88
  }
82
89
 
83
- if (Array.isArray(origin)) {
90
+ if (origin === true || Array.isArray(origin)) {
84
91
  response.header('Vary', 'Origin')
85
92
  }
86
93
 
@@ -93,4 +100,5 @@ export const cors = pikkuMiddlewareFactory<{
93
100
  return next()
94
101
  },
95
102
  })
103
+ }
96
104
  )