@pyreon/zero 0.24.5 → 0.24.6

package/src/og-image.ts

@@ -1,378 +0,0 @@
-/**
- * OG Image generation plugin.
- *
- * Generates Open Graph images at build time from templates with
- * text overlays. Supports locale-specific text for i18n apps.
- * Uses sharp for image processing (same optional dep as favicon/image plugins).
- *
- * @example
- * ```ts
- * // vite.config.ts
- * import { ogImagePlugin } from "@pyreon/zero/og-image"
- *
- * export default {
- *   plugins: [
- *     ogImagePlugin({
- *       locales: ["en", "de", "cs"],
- *       templates: [{
- *         name: "default",
- *         background: "./src/assets/og-bg.jpg",
- *         layers: [{
- *           text: { en: "Build faster", de: "Schneller bauen", cs: "Stavte rychleji" },
- *           y: "40%",
- *           fontSize: 72,
- *         }],
- *       }],
- *     }),
- *   ],
- * }
- * ```
- */
-import { existsSync } from 'node:fs'
-import { join } from 'node:path'
-import type { Plugin } from 'vite'
-
-let sharpWarned = false
-function warnSharpMissing() {
-  if (sharpWarned) return
-  sharpWarned = true
-  // oxlint-disable-next-line no-console
-  console.warn(
-    '\n[Pyreon] sharp not installed — OG images will not be generated. Install for full support: bun add -D sharp\n',
-  )
-}
-
-// ─── Types ──────────────────────────────────────────────────────────────────
-
-export interface OgImageLayer {
-  /**
-   * Text content. Can be:
-   * - A string (same for all locales)
-   * - A record mapping locale → text
-   * - A function receiving locale and returning text
-   */
-  text: string | Record<string, string> | ((locale: string) => string)
-  /** X position — number (px) or string with % (e.g. "50%"). Default: "50%" */
-  x?: number | string
-  /** Y position — number (px) or string with % (e.g. "40%"). Default: "50%" */
-  y?: number | string
-  /** Font size in px. Default: 64 */
-  fontSize?: number
-  /** Font family. Default: "sans-serif" */
-  fontFamily?: string
-  /** Font weight. Default: "bold" */
-  fontWeight?: string
-  /** Text color. Default: "#ffffff" */
-  color?: string
-  /** Text anchor (alignment). Default: "middle" */
-  textAnchor?: 'start' | 'middle' | 'end'
-  /** Max width in px before wrapping. Default: 80% of image width. */
-  maxWidth?: number
-}
-
-export interface OgImageTemplate {
-  /** Template name — used for output file naming. */
-  name: string
-  /**
-   * Background: path to an image file, or a solid color config.
-   *
-   * @example "./src/assets/og-bg.jpg"
-   * @example { color: "#0066ff", width: 1200, height: 630 }
-   */
-  background: string | { color: string; width?: number; height?: number }
-  /** Output width. Default: 1200 */
-  width?: number
-  /** Output height. Default: 630 */
-  height?: number
-  /** Output format. Default: "png" */
-  format?: 'png' | 'jpeg'
-  /** JPEG quality (1-100). Default: 90 */
-  quality?: number
-  /** Text layers to overlay on the background. */
-  layers?: OgImageLayer[]
-}
-
-export interface OgImagePluginConfig {
-  /** Templates to generate. */
-  templates: OgImageTemplate[]
-  /** Locales to generate for. When omitted, generates a single image per template. */
-  locales?: string[]
-  /** Output directory prefix. Default: "og" */
-  outDir?: string
-}
-
-// ─── Helpers ────────────────────────────────────────────────────────────────
-
-function resolvePosition(value: number | string | undefined, dimension: number, fallback = '50%'): number {
-  if (value === undefined) value = fallback
-  if (typeof value === 'number') return value
-  if (value.endsWith('%')) return Math.round((Number.parseFloat(value) / 100) * dimension)
-  return Number.parseInt(value, 10) || 0
-}
-
-function resolveLayerText(layer: OgImageLayer, locale: string): string {
-  if (typeof layer.text === 'string') return layer.text
-  if (typeof layer.text === 'function') return layer.text(locale)
-  return layer.text[locale] ?? layer.text[Object.keys(layer.text)[0] ?? ''] ?? ''
-}
-
-function escapeXml(str: string): string {
-  return str
-    .replace(/&/g, '&amp;')
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/"/g, '&quot;')
-    .replace(/'/g, '&apos;')
-}
-
-/**
- * Build an SVG overlay with text layers.
- * @internal Exported for testing.
- */
-export function buildTextOverlaySvg(
-  layers: OgImageLayer[],
-  width: number,
-  height: number,
-  locale: string,
-): string {
-  const textElements = layers.map((layer) => {
-    const text = resolveLayerText(layer, locale)
-    const x = resolvePosition(layer.x, width, '50%')
-    const y = resolvePosition(layer.y, height, '50%')
-    const fontSize = layer.fontSize ?? 64
-    const fontFamily = layer.fontFamily ?? 'sans-serif'
-    const fontWeight = layer.fontWeight ?? 'bold'
-    const color = layer.color ?? '#ffffff'
-    const anchor = layer.textAnchor ?? 'middle'
-    const maxWidth = layer.maxWidth ?? Math.round(width * 0.8)
-
-    // Word wrapping via tspan elements.
-    // Width estimation: Latin chars ~0.55em, CJK chars ~1.0em, narrow chars ~0.35em.
-    const words = text.split(' ')
-    const lines: string[] = []
-    let currentLine = ''
-
-    const estimateWidth = (s: string): number => {
-      let w = 0
-      for (let i = 0; i < s.length; i++) {
-        const code = s.charCodeAt(i)
-        if (code >= 0x3000 && code <= 0x9FFF) {
-          // CJK characters — full width
-          w += fontSize * 1.0
-        } else if (code <= 0x7E && 'iljft!|:;.,\''.includes(s[i]!)) {
-          // Narrow Latin characters
-          w += fontSize * 0.35
-        } else {
-          // Regular Latin characters
-          w += fontSize * 0.55
-        }
-      }
-      return w
-    }
-
-    for (const word of words) {
-      const testLine = currentLine ? `${currentLine} ${word}` : word
-      if (estimateWidth(testLine) > maxWidth && currentLine) {
-        lines.push(currentLine)
-        currentLine = word
-      } else {
-        currentLine = testLine
-      }
-    }
-    if (currentLine) lines.push(currentLine)
-
-    const tspans = lines
-      .map((line, i) => {
-        const dy = i === 0 ? '0' : `${fontSize * 1.2}`
-        return `<tspan x="${x}" dy="${dy}">${escapeXml(line)}</tspan>`
-      })
-      .join('')
-
-    return `<text x="${x}" y="${y}" font-size="${fontSize}" font-family="${escapeXml(fontFamily)}" font-weight="${fontWeight}" fill="${color}" text-anchor="${anchor}" dominant-baseline="middle">${tspans}</text>`
-  })
-
-  return `<svg width="${width}" height="${height}" xmlns="http://www.w3.org/2000/svg">${textElements.join('')}</svg>`
-}
-
-/**
- * Render an OG image from a template for a specific locale.
- * @internal Exported for testing.
- */
-export async function renderOgImage(
-  template: OgImageTemplate,
-  locale: string,
-  rootDir: string,
-): Promise<Uint8Array | null> {
-  try {
-    const sharp = await import('sharp').then((m) => m.default ?? m)
-    const width = template.width ?? 1200
-    const height = template.height ?? 630
-
-    let pipeline: any
-    if (typeof template.background === 'string') {
-      const bgPath = join(rootDir, template.background)
-      pipeline = sharp(bgPath).resize(width, height, { fit: 'cover' })
-    } else {
-      pipeline = (sharp as any)({
-        create: {
-          width,
-          height,
-          channels: 4,
-          background: template.background.color,
-        },
-      })
-    }
-
-    // Overlay text layers if any
-    if (template.layers && template.layers.length > 0) {
-      const svgOverlay = buildTextOverlaySvg(template.layers, width, height, locale)
-      pipeline = pipeline.composite([{
-        input: Buffer.from(svgOverlay),
-        top: 0,
-        left: 0,
-      }])
-    }
-
-    if (template.format === 'jpeg') {
-      return await pipeline.jpeg({ quality: template.quality ?? 90 }).toBuffer()
-    }
-    return await pipeline.png().toBuffer()
-  } catch {
-    warnSharpMissing()
-    return null
-  }
-}
-
-// ─── Path utility ───────────────────────────────────────────────────────────
-
-/**
- * Compute the OG image path for a template and locale.
- *
- * @example
- * ```ts
- * ogImagePath("default", "de")      // → "/og/default-de.png"
- * ogImagePath("default")            // → "/og/default.png"
- * ogImagePath("hero", "en", "images") // → "/images/hero-en.png"
- * ```
- */
-export function ogImagePath(
-  templateName: string,
-  locale?: string,
-  outDir = 'og',
-  format: 'png' | 'jpeg' = 'png',
-): string {
-  const ext = format === 'jpeg' ? 'jpg' : 'png'
-  const suffix = locale ? `-${locale}` : ''
-  return `/${outDir}/${templateName}${suffix}.${ext}`
-}
-
-// ─── Vite plugin ────────────────────────────────────────────────────────────
-
-/**
- * OG image generation Vite plugin.
- *
- * Generates Open Graph images at build time. In dev, generates on-demand.
- * Requires `sharp` as an optional dependency.
- *
- * @example
- * ```ts
- * // vite.config.ts
- * import { ogImagePlugin } from "@pyreon/zero/og-image"
- *
- * export default {
- *   plugins: [
- *     ogImagePlugin({
- *       locales: ["en", "de"],
- *       templates: [{
- *         name: "default",
- *         background: { color: "#0066ff" },
- *         layers: [{ text: { en: "Hello", de: "Hallo" }, fontSize: 72 }],
- *       }],
- *     }),
- *   ],
- * }
- * ```
- */
-export function ogImagePlugin(config: OgImagePluginConfig): Plugin {
-  const outDir = config.outDir ?? 'og'
-  let root = ''
-  let isBuild = false
-
-  return {
-    name: 'pyreon-zero-og-image',
-    enforce: 'pre',
-
-    configResolved(resolvedConfig) {
-      root = resolvedConfig.root
-      isBuild = resolvedConfig.command === 'build'
-    },
-
-    // Dev: generate on-demand
-    configureServer(server) {
-      const devCache = new Map<string, Uint8Array>()
-
-      server.middlewares.use(async (req, res, next) => {
-        const url = req.url ?? ''
-        if (!url.startsWith(`/${outDir}/`)) return next()
-
-        // Parse: /og/default-en.png → template=default, locale=en
-        const fileName = url.slice(outDir.length + 2) // strip /{outDir}/
-        const match = fileName.match(/^(.+?)(?:-([a-z]{2,5}))?\.(png|jpe?g)$/)
-        if (!match) return next()
-
-        const [, templateName, locale, ext] = match
-        const template = config.templates.find((t) => t.name === templateName)
-        if (!template) return next()
-
-        const resolvedLocale = locale ?? config.locales?.[0] ?? 'en'
-        const cacheKey = `${templateName}:${resolvedLocale}`
-
-        let buffer = devCache.get(cacheKey)
-        if (!buffer) {
-          const result = await renderOgImage(template, resolvedLocale, root)
-          if (!result) return next()
-          buffer = result
-          devCache.set(cacheKey, result)
-        }
-
-        const contentType = ext === 'jpg' || ext === 'jpeg' ? 'image/jpeg' : 'image/png'
-        res.setHeader('Content-Type', contentType)
-        res.setHeader('Cache-Control', 'no-cache')
-        res.end(Buffer.from(buffer))
-      })
-    },
-
-    // Build: generate all variants
-    async generateBundle() {
-      if (!isBuild) return
-
-      for (const template of config.templates) {
-        const locales = config.locales ?? [undefined]
-        const format = template.format ?? 'png'
-        const ext = format === 'jpeg' ? 'jpg' : 'png'
-
-        for (const locale of locales) {
-          // Validate background exists if it's a file path
-          if (typeof template.background === 'string') {
-            const bgPath = join(root, template.background)
-            if (!existsSync(bgPath)) {
-              // oxlint-disable-next-line no-console
-              console.warn(`[Pyreon] Background not found: ${bgPath}`)
-              continue
-            }
-          }
-
-          const buffer = await renderOgImage(template, locale ?? 'en', root)
-          if (!buffer) continue
-
-          const suffix = locale ? `-${locale}` : ''
-          this.emitFile({
-            type: 'asset',
-            fileName: `${outDir}/${template.name}${suffix}.${ext}`,
-            source: buffer,
-          })
-        }
-      }
-    },
-  }
-}

package/src/rate-limit.ts

@@ -1,140 +0,0 @@
-import type { Middleware, MiddlewareContext } from '@pyreon/server'
-
-// ─── Rate limiting middleware ───────────────────────────────────────────────
-
-export interface RateLimitConfig {
-  /** Maximum requests per window. Default: `100` */
-  max?: number
-  /** Time window in seconds. Default: `60` */
-  window?: number
-  /** Function to extract the client identifier. Default: IP from headers. */
-  keyFn?: (ctx: MiddlewareContext) => string
-  /** Custom response when rate limited. */
-  onLimit?: (ctx: MiddlewareContext) => Response
-  /** URL patterns to rate limit (glob-style). Default: all paths. */
-  include?: string[]
-  /** URL patterns to exclude from rate limiting. */
-  exclude?: string[]
-}
-
-interface RateLimitEntry {
-  count: number
-  resetAt: number
-}
-
-/**
- * Rate limiting middleware — limits requests per client within a time window.
- * Uses an in-memory store (suitable for single-instance deployments).
- *
- * @example
- * import { rateLimitMiddleware } from "@pyreon/zero/rate-limit"
- *
- * // 100 requests per minute (default)
- * rateLimitMiddleware()
- *
- * // Strict API rate limiting
- * rateLimitMiddleware({
- *   max: 20,
- *   window: 60,
- *   include: ["/api/*"],
- * })
- */
-export function rateLimitMiddleware(config: RateLimitConfig = {}): Middleware {
-  const {
-    max = 100,
-    window: windowSec = 60,
-    keyFn = defaultKeyFn,
-    onLimit,
-    include,
-    exclude,
-  } = config
-
-  const windowMs = windowSec * 1000
-  const store = new Map<string, RateLimitEntry>()
-  const MAX_STORE_SIZE = 10000
-  let lastCleanup = Date.now()
-
-  // Inline cleanup — runs during request processing, no setInterval needed.
-  // Evicts expired entries when store exceeds half capacity or on window boundary.
-  function cleanupIfNeeded(now: number) {
-    if (store.size < MAX_STORE_SIZE / 2 && now - lastCleanup < windowMs) return
-    lastCleanup = now
-    for (const [key, entry] of store) {
-      if (entry.resetAt <= now) store.delete(key)
-    }
-    // HARD cap. The expired-sweep above only removes entries whose
-    // window has elapsed. An attacker flooding unique keys WITHIN one
-    // window (spoofed `X-Forwarded-For` / proxy header — `defaultKeyFn`
-    // trusts request headers) produces only fresh entries, so the sweep
-    // frees nothing and `store.set` grows the Map without bound — an
-    // unauthenticated memory-exhaustion DoS. `MAX_STORE_SIZE` was a
-    // declared constant used ONLY as a sweep trigger, never enforced.
-    // Map preserves insertion order, so evicting from the front drops
-    // the oldest trackers first (acceptable: an evicted attacker key
-    // simply gets a fresh window — no bypass of legitimate limits since
-    // a real client re-inserts and is immediately re-tracked).
-    while (store.size > MAX_STORE_SIZE) {
-      const oldest = store.keys().next().value
-      if (oldest === undefined) break
-      store.delete(oldest)
-    }
-  }
-
-  return (ctx: MiddlewareContext) => {
-    // Check include/exclude patterns
-    if (include && !include.some((p) => matchSimpleGlob(p, ctx.path))) return
-    if (exclude?.some((p) => matchSimpleGlob(p, ctx.path))) return
-
-    const key = keyFn(ctx)
-    const now = Date.now()
-
-    cleanupIfNeeded(now)
-
-    let entry = store.get(key)
-
-    if (!entry || entry.resetAt <= now) {
-      entry = { count: 0, resetAt: now + windowMs }
-      store.set(key, entry)
-    }
-
-    entry.count++
-    const remaining = Math.max(0, max - entry.count)
-    const resetSeconds = Math.ceil((entry.resetAt - now) / 1000)
-
-    // Set rate limit headers on all responses
-    ctx.headers.set('X-RateLimit-Limit', String(max))
-    ctx.headers.set('X-RateLimit-Remaining', String(remaining))
-    ctx.headers.set('X-RateLimit-Reset', String(resetSeconds))
-
-    if (entry.count > max) {
-      if (onLimit) return onLimit(ctx)
-
-      return new Response(JSON.stringify({ error: 'Too many requests' }), {
-        status: 429,
-        headers: {
-          'Content-Type': 'application/json',
-          'Retry-After': String(resetSeconds),
-          'X-RateLimit-Limit': String(max),
-          'X-RateLimit-Remaining': '0',
-          'X-RateLimit-Reset': String(resetSeconds),
-        },
-      })
-    }
-  }
-}
-
-function defaultKeyFn(ctx: MiddlewareContext): string {
-  return (
-    ctx.req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ??
-    ctx.req.headers.get('x-real-ip') ??
-    'unknown'
-  )
-}
-
-/** Simple glob matching for path patterns. Supports trailing `*`. */
-function matchSimpleGlob(pattern: string, path: string): boolean {
-  if (pattern.endsWith('/*')) {
-    return path.startsWith(pattern.slice(0, -1))
-  }
-  return pattern === path
-}