npm - @sekyuriti/attest - Versions diffs - 0.2.6 → 0.4.0 - Mend

@sekyuriti/attest 0.2.6 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/bin/attest.js CHANGED Viewed

@@ -17,6 +17,7 @@ const c = {
   black: "\x1b[30m",
   white: "\x1b[37m",
   gray: "\x1b[90m",
+  green: "\x1b[32m",
   inverse: "\x1b[7m",
 };
@@ -208,7 +209,7 @@ function printHeader() {
   logBold("  █▀▀ █▀▀ █▄▀ █▄█ █ █ █▀█ █ ▀█▀ █");
   logBold("  ▄▄█ ██▄ █ █  █  █▄█ █▀▄ █  █  █");
   log("");
-  logDim("  ATTEST CLI v0.2.3");
+  logDim("  ATTEST CLI v0.3.0");
   log("");
 }

package/dist/index.d.mts CHANGED Viewed

@@ -18,6 +18,21 @@ interface AttestConfig {
      * @default "open"
      */
     failMode?: "open" | "closed";
+    /**
+     * Timeout in milliseconds for verification requests.
+     * @default 5000
+     */
+    timeout?: number;
+    /**
+     * Skip verification for localhost requests (for development).
+     * @default true
+     */
+    allowLocalhost?: boolean;
+    /**
+     * Enable debug logging.
+     * @default false
+     */
+    debug?: boolean;
 }
 interface AttestResult {
     /** Whether the request passed verification */
@@ -36,7 +51,12 @@ interface AttestResult {
         limit: number;
         percent: number;
     };
+    /** Whether this was a bypass (localhost, etc.) */
+    bypass?: boolean;
+    /** Error code for programmatic handling */
+    errorCode?: AttestErrorCode;
 }
+type AttestErrorCode = "MISSING_HEADERS" | "INVALID_TIMESTAMP" | "INVALID_SIGNATURE" | "EXPIRED_TIMESTAMP" | "SERVICE_ERROR" | "SERVICE_TIMEOUT" | "SERVICE_UNAVAILABLE" | "RATE_LIMITED" | "INVALID_PROJECT" | "INVALID_API_KEY";
 interface AttestHeaders {
     timestamp: string | null;
     signature: string | null;
@@ -61,7 +81,7 @@ declare function hasAttestHeaders(request: Request): boolean;
  * export async function POST(request: Request) {
  *   const result = await verifyAttest(request, {
  *     projectId: process.env.ATTEST_PROJECT_ID!,
- *     apiKey: process.env.ATTEST_API_KEY!,
+ *     apiKey: process.env.ATTEST_SECRET_KEY!,
  *   });
  *
  *   if (!result.attested) {
@@ -82,7 +102,7 @@ declare function verifyAttest(request: Request, config: AttestConfig): Promise<A
  *
  * const verify = createAttestVerifier({
  *   projectId: process.env.ATTEST_PROJECT_ID!,
- *   apiKey: process.env.ATTEST_API_KEY!,
+ *   apiKey: process.env.ATTEST_SECRET_KEY!,
  * });
  *
  * export async function POST(request: Request) {
@@ -95,5 +115,12 @@ declare function verifyAttest(request: Request, config: AttestConfig): Promise<A
  * ```
  */
 declare function createAttestVerifier(config: AttestConfig): (request: Request) => Promise<AttestResult>;
+/**
+ * Quick check if request should be verified
+ * Use this for early bailout in middleware
+ */
+declare function shouldVerify(request: Request, config?: {
+    allowLocalhost?: boolean;
+}): boolean;
-export { type AttestConfig, type AttestHeaders, type AttestResult, createAttestVerifier, getAttestHeaders, hasAttestHeaders, verifyAttest };
+export { type AttestConfig, type AttestErrorCode, type AttestHeaders, type AttestResult, createAttestVerifier, getAttestHeaders, hasAttestHeaders, shouldVerify, verifyAttest };

package/dist/index.d.ts CHANGED Viewed

@@ -18,6 +18,21 @@ interface AttestConfig {
      * @default "open"
      */
     failMode?: "open" | "closed";
+    /**
+     * Timeout in milliseconds for verification requests.
+     * @default 5000
+     */
+    timeout?: number;
+    /**
+     * Skip verification for localhost requests (for development).
+     * @default true
+     */
+    allowLocalhost?: boolean;
+    /**
+     * Enable debug logging.
+     * @default false
+     */
+    debug?: boolean;
 }
 interface AttestResult {
     /** Whether the request passed verification */
@@ -36,7 +51,12 @@ interface AttestResult {
         limit: number;
         percent: number;
     };
+    /** Whether this was a bypass (localhost, etc.) */
+    bypass?: boolean;
+    /** Error code for programmatic handling */
+    errorCode?: AttestErrorCode;
 }
+type AttestErrorCode = "MISSING_HEADERS" | "INVALID_TIMESTAMP" | "INVALID_SIGNATURE" | "EXPIRED_TIMESTAMP" | "SERVICE_ERROR" | "SERVICE_TIMEOUT" | "SERVICE_UNAVAILABLE" | "RATE_LIMITED" | "INVALID_PROJECT" | "INVALID_API_KEY";
 interface AttestHeaders {
     timestamp: string | null;
     signature: string | null;
@@ -61,7 +81,7 @@ declare function hasAttestHeaders(request: Request): boolean;
  * export async function POST(request: Request) {
  *   const result = await verifyAttest(request, {
  *     projectId: process.env.ATTEST_PROJECT_ID!,
- *     apiKey: process.env.ATTEST_API_KEY!,
+ *     apiKey: process.env.ATTEST_SECRET_KEY!,
  *   });
  *
  *   if (!result.attested) {
@@ -82,7 +102,7 @@ declare function verifyAttest(request: Request, config: AttestConfig): Promise<A
  *
  * const verify = createAttestVerifier({
  *   projectId: process.env.ATTEST_PROJECT_ID!,
- *   apiKey: process.env.ATTEST_API_KEY!,
+ *   apiKey: process.env.ATTEST_SECRET_KEY!,
  * });
  *
  * export async function POST(request: Request) {
@@ -95,5 +115,12 @@ declare function verifyAttest(request: Request, config: AttestConfig): Promise<A
  * ```
  */
 declare function createAttestVerifier(config: AttestConfig): (request: Request) => Promise<AttestResult>;
+/**
+ * Quick check if request should be verified
+ * Use this for early bailout in middleware
+ */
+declare function shouldVerify(request: Request, config?: {
+    allowLocalhost?: boolean;
+}): boolean;
-export { type AttestConfig, type AttestHeaders, type AttestResult, createAttestVerifier, getAttestHeaders, hasAttestHeaders, verifyAttest };
+export { type AttestConfig, type AttestErrorCode, type AttestHeaders, type AttestResult, createAttestVerifier, getAttestHeaders, hasAttestHeaders, shouldVerify, verifyAttest };

package/dist/index.js CHANGED Viewed

@@ -23,10 +23,18 @@ __export(src_exports, {
   createAttestVerifier: () => createAttestVerifier,
   getAttestHeaders: () => getAttestHeaders,
   hasAttestHeaders: () => hasAttestHeaders,
+  shouldVerify: () => shouldVerify,
   verifyAttest: () => verifyAttest
 });
 module.exports = __toCommonJS(src_exports);
 var ATTEST_VERIFY_URL = "https://attest.sekyuriti.build/verify";
+var DEFAULT_TIMEOUT_MS = 5e3;
+var LOCALHOST_IPS = [
+  "127.0.0.1",
+  "::1",
+  "localhost",
+  "::ffff:127.0.0.1"
+];
 function getAttestHeaders(request) {
   return {
     timestamp: request.headers.get("x-attest-timestamp"),
@@ -39,58 +47,177 @@ function hasAttestHeaders(request) {
   const headers = getAttestHeaders(request);
   return !!(headers.timestamp && headers.signature && headers.fingerprint);
 }
+function getClientIP(request) {
+  const forwardedFor = request.headers.get("x-forwarded-for");
+  if (forwardedFor) {
+    return forwardedFor.split(",")[0].trim();
+  }
+  const realIP = request.headers.get("x-real-ip");
+  if (realIP) return realIP;
+  const cfIP = request.headers.get("cf-connecting-ip");
+  if (cfIP) return cfIP;
+  const vercelIP = request.headers.get("x-vercel-forwarded-for");
+  if (vercelIP) return vercelIP.split(",")[0].trim();
+  return null;
+}
+function isLocalhostIP(ip) {
+  if (!ip) return false;
+  return LOCALHOST_IPS.includes(ip);
+}
+async function fetchWithTimeout(url, options, timeoutMs) {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(url, {
+      ...options,
+      signal: controller.signal
+    });
+    return response;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
 async function verifyAttest(request, config) {
+  const {
+    projectId,
+    apiKey,
+    verifyUrl = ATTEST_VERIFY_URL,
+    failMode = "open",
+    timeout = DEFAULT_TIMEOUT_MS,
+    allowLocalhost = true,
+    debug = false
+  } = config;
+  const log = debug ? console.log.bind(console, "[@sekyuriti/attest]") : () => {
+  };
+  if (allowLocalhost) {
+    const clientIP = getClientIP(request);
+    if (isLocalhostIP(clientIP)) {
+      log("Bypassing verification for localhost IP:", clientIP);
+      return {
+        attested: true,
+        reason: "Localhost bypass",
+        bypass: true
+      };
+    }
+  }
   const headers = getAttestHeaders(request);
   if (!headers.timestamp || !headers.signature || !headers.fingerprint) {
+    log("Missing ATTEST headers");
     return {
       attested: false,
-      reason: "Missing ATTEST headers"
+      reason: "Missing ATTEST headers",
+      errorCode: "MISSING_HEADERS"
+    };
+  }
+  const timestamp = parseInt(headers.timestamp, 10);
+  if (isNaN(timestamp)) {
+    log("Invalid timestamp format");
+    return {
+      attested: false,
+      reason: "Invalid timestamp format",
+      errorCode: "INVALID_TIMESTAMP"
+    };
+  }
+  const now = Date.now();
+  const maxAge = 5 * 60 * 1e3;
+  if (now - timestamp > maxAge) {
+    log("Timestamp expired:", { timestamp, now, diff: now - timestamp });
+    return {
+      attested: false,
+      reason: "Request timestamp expired",
+      errorCode: "EXPIRED_TIMESTAMP"
     };
   }
   try {
-    const response = await fetch(config.verifyUrl || ATTEST_VERIFY_URL, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
+    log("Verifying with service...");
+    const response = await fetchWithTimeout(
+      verifyUrl,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          project_id: projectId,
+          api_key: apiKey,
+          method: request.method,
+          url: request.url,
+          timestamp,
+          signature: headers.signature,
+          fingerprint: headers.fingerprint
+        })
       },
-      body: JSON.stringify({
-        project_id: config.projectId,
-        api_key: config.apiKey,
-        timestamp: parseInt(headers.timestamp, 10),
-        signature: headers.signature,
-        fingerprint: headers.fingerprint
-      })
-    });
+      timeout
+    );
     if (!response.ok) {
-      return {
-        attested: false,
-        reason: `Verification service error: ${response.status}`
-      };
+      const errorCode = mapHttpStatusToErrorCode(response.status);
+      log("Service returned error:", response.status, errorCode);
+      if (response.status === 401 || response.status === 403) {
+        return {
+          attested: false,
+          reason: `Verification failed: ${response.status}`,
+          errorCode
+        };
+      }
+      return handleServiceError(failMode, `Service error: ${response.status}`, errorCode);
     }
-    return await response.json();
+    const result = await response.json();
+    log("Verification result:", result.attested);
+    return result;
   } catch (error) {
-    console.error("[@sekyuriti/attest] Verification failed:", error);
-    const failMode = config.failMode || "open";
-    if (failMode === "closed") {
-      return {
-        attested: false,
-        reason: "Verification service unavailable (fail-closed mode)"
-      };
+    if (error instanceof Error && error.name === "AbortError") {
+      log("Verification timed out");
+      return handleServiceError(failMode, "Verification timed out", "SERVICE_TIMEOUT");
     }
+    console.error("[@sekyuriti/attest] Verification failed:", error);
+    return handleServiceError(failMode, "Verification service unavailable", "SERVICE_UNAVAILABLE");
+  }
+}
+function mapHttpStatusToErrorCode(status) {
+  switch (status) {
+    case 401:
+      return "INVALID_API_KEY";
+    case 403:
+      return "INVALID_PROJECT";
+    case 429:
+      return "RATE_LIMITED";
+    default:
+      return "SERVICE_ERROR";
+  }
+}
+function handleServiceError(failMode, reason, errorCode) {
+  if (failMode === "closed") {
     return {
-      attested: true,
-      reason: "Verification service unavailable (fail-open mode)"
+      attested: false,
+      reason: `${reason} (fail-closed mode)`,
+      errorCode
     };
   }
+  return {
+    attested: true,
+    reason: `${reason} (fail-open mode)`,
+    bypass: true,
+    errorCode
+  };
 }
 function createAttestVerifier(config) {
   return (request) => verifyAttest(request, config);
 }
+function shouldVerify(request, config) {
+  if (config?.allowLocalhost !== false) {
+    const clientIP = getClientIP(request);
+    if (isLocalhostIP(clientIP)) {
+      return false;
+    }
+  }
+  return hasAttestHeaders(request);
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   createAttestVerifier,
   getAttestHeaders,
   hasAttestHeaders,
+  shouldVerify,
   verifyAttest
 });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/*\n @sekyuriti/attest\n \n API protection for Next.js applications.\n * Verify that requests come from real browsers, not bots or scripts.\n /\n\nconst ATTEST_VERIFY_URL = \"https://attest.sekyuriti.build/verify\";\n\nexport interface AttestConfig {\n /* Your ATTEST project ID (starts with ATST_) /\n projectId: string;\n /* Your ATTEST API key (keep this secret, server-side only) /\n apiKey: string;\n /* Custom verify URL (optional, for self-hosted) /\n verifyUrl?: string;\n /\n Behavior when verification service is unavailable.\n * - \"open\": Allow requests through (default, maintains availability)\n * - \"closed\": Block requests (stricter security, may cause outages)\n * @default \"open\"\n /\n failMode?: \"open\" \| \"closed\";\n}\n\nexport interface AttestResult {\n /* Whether the request passed verification /\n attested: boolean;\n /* Browser fingerprint (if attested) /\n fingerprint?: string;\n /* Verification timestamp /\n timestamp?: number;\n /* Reason for failure (if not attested) /\n reason?: string;\n /* Warning message (e.g., approaching rate limit) /\n warning?: string;\n /* Current usage stats /\n usage?: {\n used: number;\n limit: number;\n percent: number;\n };\n}\n\nexport interface AttestHeaders {\n timestamp: string \| null;\n signature: string \| null;\n fingerprint: string \| null;\n project: string \| null;\n}\n\n/\n Extract ATTEST headers from a request\n /\nexport function getAttestHeaders(request: Request): AttestHeaders {\n return {\n timestamp: request.headers.get(\"x-attest-timestamp\"),\n signature: request.headers.get(\"x-attest-signature\"),\n fingerprint: request.headers.get(\"x-attest-fingerprint\"),\n project: request.headers.get(\"x-attest-project\"),\n };\n}\n\n/\n Check if a request has ATTEST headers\n /\nexport function hasAttestHeaders(request: Request): boolean {\n const headers = getAttestHeaders(request);\n return !!(headers.timestamp && headers.signature && headers.fingerprint);\n}\n\n/\n Verify a request with ATTEST\n \n @example\n * ```ts\n * import { verifyAttest } from \"@sekyuriti/attest\";\n \n export async function POST(request: Request) {\n * const result = await verifyAttest(request, {\n * projectId: process.env.ATTEST_PROJECT_ID!,\n * apiKey: process.env.ATTEST_API_KEY!,\n * });\n \n if (!result.attested) {\n * return Response.json({ error: \"Not attested\" }, { status: 403 });\n * }\n \n // ... handle request\n * }\n * ```\n /\nexport async function verifyAttest(\n request: Request,\n config: AttestConfig\n): Promise<AttestResult> {\n const headers = getAttestHeaders(request);\n\n // If no ATTEST headers, request is not attested\n if (!headers.timestamp \|\| !headers.signature \|\| !headers.fingerprint) {\n return {\n attested: false,\n reason: \"Missing ATTEST headers\",\n };\n }\n\n try {\n const response = await fetch(config.verifyUrl \|\| ATTEST_VERIFY_URL, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify({\n project_id: config.projectId,\n api_key: config.apiKey,\n timestamp: parseInt(headers.timestamp, 10),\n signature: headers.signature,\n fingerprint: headers.fingerprint,\n }),\n });\n\n if (!response.ok) {\n return {\n attested: false,\n reason: `Verification service error: ${response.status}`,\n };\n }\n\n return (await response.json()) as AttestResult;\n } catch (error) {\n console.error(\"[@sekyuriti/attest] Verification failed:\", error);\n\n // Configurable fail mode\n const failMode = config.failMode \|\| \"open\";\n\n if (failMode === \"closed\") {\n // Fail closed - block requests when service is unavailable (stricter security)\n return {\n attested: false,\n reason: \"Verification service unavailable (fail-closed mode)\",\n };\n }\n\n // Fail open - allow requests through (default, maintains availability)\n return {\n attested: true,\n reason: \"Verification service unavailable (fail-open mode)\",\n };\n }\n}\n\n/\n Create a configured verifier function\n \n @example\n * ```ts\n * import { createAttestVerifier } from \"@sekyuriti/attest\";\n \n const verify = createAttestVerifier({\n * projectId: process.env.ATTEST_PROJECT_ID!,\n * apiKey: process.env.ATTEST_API_KEY!,\n * });\n \n export async function POST(request: Request) {\n * const result = await verify(request);\n * if (!result.attested) {\n * return Response.json({ error: \"Not attested\" }, { status: 403 });\n * }\n * // ...\n * }\n * ```\n */\nexport function createAttestVerifier(config: AttestConfig) {\n return (request: Request) => verifyAttest(request, config);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,IAAM,oBAAoB;AA+CnB,SAAS,iBAAiB,SAAiC;AAChE,SAAO;AAAA,IACL,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,aAAa,QAAQ,QAAQ,IAAI,sBAAsB;AAAA,IACvD,SAAS,QAAQ,QAAQ,IAAI,kBAAkB;AAAA,EACjD;AACF;AAKO,SAAS,iBAAiB,SAA2B;AAC1D,QAAM,UAAU,iBAAiB,OAAO;AACxC,SAAO,CAAC,EAAE,QAAQ,aAAa,QAAQ,aAAa,QAAQ;AAC9D;AAuBA,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM,UAAU,iBAAiB,OAAO;AAGxC,MAAI,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa;AACpE,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,OAAO,aAAa,mBAAmB;AAAA,MAClE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB,YAAY,OAAO;AAAA,QACnB,SAAS,OAAO;AAAA,QAChB,WAAW,SAAS,QAAQ,WAAW,EAAE;AAAA,QACzC,WAAW,QAAQ;AAAA,QACnB,aAAa,QAAQ;AAAA,MACvB,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO;AAAA,QACL,UAAU;AAAA,QACV,QAAQ,+BAA+B,SAAS,MAAM;AAAA,MACxD;AAAA,IACF;AAEA,WAAQ,MAAM,SAAS,KAAK;AAAA,EAC9B,SAAS,OAAO;AACd,YAAQ,MAAM,4CAA4C,KAAK;AAG/D,UAAM,WAAW,OAAO,YAAY;AAEpC,QAAI,aAAa,UAAU;AAEzB,aAAO;AAAA,QACL,UAAU;AAAA,QACV,QAAQ;AAAA,MACV;AAAA,IACF;AAGA,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,EACF;AACF;AAuBO,SAAS,qBAAqB,QAAsB;AACzD,SAAO,CAAC,YAAqB,aAAa,SAAS,MAAM;AAC3D;","names":[]}
1	+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/*\n @sekyuriti/attest\n \n API protection for Next.js applications.\n * Verify that requests come from real browsers, not bots or scripts.\n /\n\nconst ATTEST_VERIFY_URL = \"https://attest.sekyuriti.build/verify\";\n\n// Default timeout for verification requests (5 seconds)\nconst DEFAULT_TIMEOUT_MS = 5000;\n\n// Localhost IPs that bypass verification in dev mode\nconst LOCALHOST_IPS = [\n \"127.0.0.1\",\n \"::1\",\n \"localhost\",\n \"::ffff:127.0.0.1\",\n];\n\nexport interface AttestConfig {\n /* Your ATTEST project ID (starts with ATST_) /\n projectId: string;\n /* Your ATTEST API key (keep this secret, server-side only) /\n apiKey: string;\n /* Custom verify URL (optional, for self-hosted) /\n verifyUrl?: string;\n /\n Behavior when verification service is unavailable.\n * - \"open\": Allow requests through (default, maintains availability)\n * - \"closed\": Block requests (stricter security, may cause outages)\n * @default \"open\"\n /\n failMode?: \"open\" \| \"closed\";\n /\n Timeout in milliseconds for verification requests.\n * @default 5000\n /\n timeout?: number;\n /\n Skip verification for localhost requests (for development).\n * @default true\n /\n allowLocalhost?: boolean;\n /\n Enable debug logging.\n * @default false\n /\n debug?: boolean;\n}\n\nexport interface AttestResult {\n /* Whether the request passed verification /\n attested: boolean;\n /* Browser fingerprint (if attested) /\n fingerprint?: string;\n /* Verification timestamp /\n timestamp?: number;\n /* Reason for failure (if not attested) /\n reason?: string;\n /* Warning message (e.g., approaching rate limit) /\n warning?: string;\n /* Current usage stats /\n usage?: {\n used: number;\n limit: number;\n percent: number;\n };\n /* Whether this was a bypass (localhost, etc.) /\n bypass?: boolean;\n /* Error code for programmatic handling /\n errorCode?: AttestErrorCode;\n}\n\nexport type AttestErrorCode =\n \| \"MISSING_HEADERS\"\n \| \"INVALID_TIMESTAMP\"\n \| \"INVALID_SIGNATURE\"\n \| \"EXPIRED_TIMESTAMP\"\n \| \"SERVICE_ERROR\"\n \| \"SERVICE_TIMEOUT\"\n \| \"SERVICE_UNAVAILABLE\"\n \| \"RATE_LIMITED\"\n \| \"INVALID_PROJECT\"\n \| \"INVALID_API_KEY\";\n\nexport interface AttestHeaders {\n timestamp: string \| null;\n signature: string \| null;\n fingerprint: string \| null;\n project: string \| null;\n}\n\n/\n Extract ATTEST headers from a request\n /\nexport function getAttestHeaders(request: Request): AttestHeaders {\n return {\n timestamp: request.headers.get(\"x-attest-timestamp\"),\n signature: request.headers.get(\"x-attest-signature\"),\n fingerprint: request.headers.get(\"x-attest-fingerprint\"),\n project: request.headers.get(\"x-attest-project\"),\n };\n}\n\n/\n Check if a request has ATTEST headers\n /\nexport function hasAttestHeaders(request: Request): boolean {\n const headers = getAttestHeaders(request);\n return !!(headers.timestamp && headers.signature && headers.fingerprint);\n}\n\n/\n Get client IP from request headers\n /\nfunction getClientIP(request: Request): string \| null {\n // Try common headers (in order of preference)\n const forwardedFor = request.headers.get(\"x-forwarded-for\");\n if (forwardedFor) {\n return forwardedFor.split(\",\")[0].trim();\n }\n\n const realIP = request.headers.get(\"x-real-ip\");\n if (realIP) return realIP;\n\n // Cloudflare\n const cfIP = request.headers.get(\"cf-connecting-ip\");\n if (cfIP) return cfIP;\n\n // Vercel\n const vercelIP = request.headers.get(\"x-vercel-forwarded-for\");\n if (vercelIP) return vercelIP.split(\",\")[0].trim();\n\n return null;\n}\n\n/\n Check if IP is localhost\n /\nfunction isLocalhostIP(ip: string \| null): boolean {\n if (!ip) return false;\n return LOCALHOST_IPS.includes(ip);\n}\n\n/\n Fetch with timeout\n /\nasync function fetchWithTimeout(\n url: string,\n options: RequestInit,\n timeoutMs: number\n): Promise<Response> {\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), timeoutMs);\n\n try {\n const response = await fetch(url, {\n ...options,\n signal: controller.signal,\n });\n return response;\n } finally {\n clearTimeout(timeoutId);\n }\n}\n\n/\n Verify a request with ATTEST\n \n @example\n * ```ts\n * import { verifyAttest } from \"@sekyuriti/attest\";\n \n export async function POST(request: Request) {\n * const result = await verifyAttest(request, {\n * projectId: process.env.ATTEST_PROJECT_ID!,\n * apiKey: process.env.ATTEST_SECRET_KEY!,\n * });\n \n if (!result.attested) {\n * return Response.json({ error: \"Not attested\" }, { status: 403 });\n * }\n \n // ... handle request\n * }\n * ```\n /\nexport async function verifyAttest(\n request: Request,\n config: AttestConfig\n): Promise<AttestResult> {\n const {\n projectId,\n apiKey,\n verifyUrl = ATTEST_VERIFY_URL,\n failMode = \"open\",\n timeout = DEFAULT_TIMEOUT_MS,\n allowLocalhost = true,\n debug = false,\n } = config;\n\n const log = debug ? console.log.bind(console, \"[@sekyuriti/attest]\") : () => {};\n\n // Check for localhost bypass\n if (allowLocalhost) {\n const clientIP = getClientIP(request);\n if (isLocalhostIP(clientIP)) {\n log(\"Bypassing verification for localhost IP:\", clientIP);\n return {\n attested: true,\n reason: \"Localhost bypass\",\n bypass: true,\n };\n }\n }\n\n const headers = getAttestHeaders(request);\n\n // If no ATTEST headers, request is not attested\n if (!headers.timestamp \|\| !headers.signature \|\| !headers.fingerprint) {\n log(\"Missing ATTEST headers\");\n return {\n attested: false,\n reason: \"Missing ATTEST headers\",\n errorCode: \"MISSING_HEADERS\",\n };\n }\n\n // Validate timestamp is a number and not too old (prevent replay attacks)\n const timestamp = parseInt(headers.timestamp, 10);\n if (isNaN(timestamp)) {\n log(\"Invalid timestamp format\");\n return {\n attested: false,\n reason: \"Invalid timestamp format\",\n errorCode: \"INVALID_TIMESTAMP\",\n };\n }\n\n // Check if timestamp is within reasonable range (5 minutes)\n const now = Date.now();\n const maxAge = 5 60 * 1000; // 5 minutes\n if (now - timestamp > maxAge) {\n log(\"Timestamp expired:\", { timestamp, now, diff: now - timestamp });\n return {\n attested: false,\n reason: \"Request timestamp expired\",\n errorCode: \"EXPIRED_TIMESTAMP\",\n };\n }\n\n try {\n log(\"Verifying with service...\");\n\n const response = await fetchWithTimeout(\n verifyUrl,\n {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n },\n body: JSON.stringify({\n project_id: projectId,\n api_key: apiKey,\n method: request.method,\n url: request.url,\n timestamp,\n signature: headers.signature,\n fingerprint: headers.fingerprint,\n }),\n },\n timeout\n );\n\n if (!response.ok) {\n const errorCode = mapHttpStatusToErrorCode(response.status);\n log(\"Service returned error:\", response.status, errorCode);\n\n // For auth errors, always fail (don't use failMode)\n if (response.status === 401 \|\| response.status === 403) {\n return {\n attested: false,\n reason: `Verification failed: ${response.status}`,\n errorCode,\n };\n }\n\n // For other errors, use failMode\n return handleServiceError(failMode, `Service error: ${response.status}`, errorCode);\n }\n\n const result = (await response.json()) as AttestResult;\n log(\"Verification result:\", result.attested);\n return result;\n } catch (error) {\n // Handle timeout specifically\n if (error instanceof Error && error.name === \"AbortError\") {\n log(\"Verification timed out\");\n return handleServiceError(failMode, \"Verification timed out\", \"SERVICE_TIMEOUT\");\n }\n\n // Handle network errors\n console.error(\"[@sekyuriti/attest] Verification failed:\", error);\n return handleServiceError(failMode, \"Verification service unavailable\", \"SERVICE_UNAVAILABLE\");\n }\n}\n\n/*\n Map HTTP status to error code\n /\nfunction mapHttpStatusToErrorCode(status: number): AttestErrorCode {\n switch (status) {\n case 401:\n return \"INVALID_API_KEY\";\n case 403:\n return \"INVALID_PROJECT\";\n case 429:\n return \"RATE_LIMITED\";\n default:\n return \"SERVICE_ERROR\";\n }\n}\n\n/\n Handle service errors based on failMode\n /\nfunction handleServiceError(\n failMode: \"open\" \| \"closed\",\n reason: string,\n errorCode: AttestErrorCode\n): AttestResult {\n if (failMode === \"closed\") {\n return {\n attested: false,\n reason: `${reason} (fail-closed mode)`,\n errorCode,\n };\n }\n\n // Fail open - allow through but mark as bypass\n return {\n attested: true,\n reason: `${reason} (fail-open mode)`,\n bypass: true,\n errorCode,\n };\n}\n\n/\n Create a configured verifier function\n \n @example\n * ```ts\n * import { createAttestVerifier } from \"@sekyuriti/attest\";\n \n const verify = createAttestVerifier({\n * projectId: process.env.ATTEST_PROJECT_ID!,\n * apiKey: process.env.ATTEST_SECRET_KEY!,\n * });\n \n export async function POST(request: Request) {\n * const result = await verify(request);\n * if (!result.attested) {\n * return Response.json({ error: \"Not attested\" }, { status: 403 });\n * }\n * // ...\n * }\n * ```\n /\nexport function createAttestVerifier(config: AttestConfig) {\n return (request: Request) => verifyAttest(request, config);\n}\n\n/\n Quick check if request should be verified\n * Use this for early bailout in middleware\n */\nexport function shouldVerify(request: Request, config?: { allowLocalhost?: boolean }): boolean {\n // Check localhost bypass\n if (config?.allowLocalhost !== false) {\n const clientIP = getClientIP(request);\n if (isLocalhostIP(clientIP)) {\n return false;\n }\n }\n\n // Check if has headers\n return hasAttestHeaders(request);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,IAAM,oBAAoB;AAG1B,IAAM,qBAAqB;AAG3B,IAAM,gBAAgB;AAAA,EACpB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AA8EO,SAAS,iBAAiB,SAAiC;AAChE,SAAO;AAAA,IACL,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,aAAa,QAAQ,QAAQ,IAAI,sBAAsB;AAAA,IACvD,SAAS,QAAQ,QAAQ,IAAI,kBAAkB;AAAA,EACjD;AACF;AAKO,SAAS,iBAAiB,SAA2B;AAC1D,QAAM,UAAU,iBAAiB,OAAO;AACxC,SAAO,CAAC,EAAE,QAAQ,aAAa,QAAQ,aAAa,QAAQ;AAC9D;AAKA,SAAS,YAAY,SAAiC;AAEpD,QAAM,eAAe,QAAQ,QAAQ,IAAI,iBAAiB;AAC1D,MAAI,cAAc;AAChB,WAAO,aAAa,MAAM,GAAG,EAAE,CAAC,EAAE,KAAK;AAAA,EACzC;AAEA,QAAM,SAAS,QAAQ,QAAQ,IAAI,WAAW;AAC9C,MAAI,OAAQ,QAAO;AAGnB,QAAM,OAAO,QAAQ,QAAQ,IAAI,kBAAkB;AACnD,MAAI,KAAM,QAAO;AAGjB,QAAM,WAAW,QAAQ,QAAQ,IAAI,wBAAwB;AAC7D,MAAI,SAAU,QAAO,SAAS,MAAM,GAAG,EAAE,CAAC,EAAE,KAAK;AAEjD,SAAO;AACT;AAKA,SAAS,cAAc,IAA4B;AACjD,MAAI,CAAC,GAAI,QAAO;AAChB,SAAO,cAAc,SAAS,EAAE;AAClC;AAKA,eAAe,iBACb,KACA,SACA,WACmB;AACnB,QAAM,aAAa,IAAI,gBAAgB;AACvC,QAAM,YAAY,WAAW,MAAM,WAAW,MAAM,GAAG,SAAS;AAEhE,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,KAAK;AAAA,MAChC,GAAG;AAAA,MACH,QAAQ,WAAW;AAAA,IACrB,CAAC;AACD,WAAO;AAAA,EACT,UAAE;AACA,iBAAa,SAAS;AAAA,EACxB;AACF;AAuBA,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,YAAY;AAAA,IACZ,WAAW;AAAA,IACX,UAAU;AAAA,IACV,iBAAiB;AAAA,IACjB,QAAQ;AAAA,EACV,IAAI;AAEJ,QAAM,MAAM,QAAQ,QAAQ,IAAI,KAAK,SAAS,qBAAqB,IAAI,MAAM;AAAA,EAAC;AAG9E,MAAI,gBAAgB;AAClB,UAAM,WAAW,YAAY,OAAO;AACpC,QAAI,cAAc,QAAQ,GAAG;AAC3B,UAAI,4CAA4C,QAAQ;AACxD,aAAO;AAAA,QACL,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAEA,QAAM,UAAU,iBAAiB,OAAO;AAGxC,MAAI,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa;AACpE,QAAI,wBAAwB;AAC5B,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,WAAW;AAAA,IACb;AAAA,EACF;AAGA,QAAM,YAAY,SAAS,QAAQ,WAAW,EAAE;AAChD,MAAI,MAAM,SAAS,GAAG;AACpB,QAAI,0BAA0B;AAC9B,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,WAAW;AAAA,IACb;AAAA,EACF;AAGA,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,SAAS,IAAI,KAAK;AACxB,MAAI,MAAM,YAAY,QAAQ;AAC5B,QAAI,sBAAsB,EAAE,WAAW,KAAK,MAAM,MAAM,UAAU,CAAC;AACnE,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,WAAW;AAAA,IACb;AAAA,EACF;AAEA,MAAI;AACF,QAAI,2BAA2B;AAE/B,UAAM,WAAW,MAAM;AAAA,MACrB;AAAA,MACA;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,YAAY;AAAA,UACZ,SAAS;AAAA,UACT,QAAQ,QAAQ;AAAA,UAChB,KAAK,QAAQ;AAAA,UACb;AAAA,UACA,WAAW,QAAQ;AAAA,UACnB,aAAa,QAAQ;AAAA,QACvB,CAAC;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEA,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,YAAY,yBAAyB,SAAS,MAAM;AAC1D,UAAI,2BAA2B,SAAS,QAAQ,SAAS;AAGzD,UAAI,SAAS,WAAW,OAAO,SAAS,WAAW,KAAK;AACtD,eAAO;AAAA,UACL,UAAU;AAAA,UACV,QAAQ,wBAAwB,SAAS,MAAM;AAAA,UAC/C;AAAA,QACF;AAAA,MACF;AAGA,aAAO,mBAAmB,UAAU,kBAAkB,SAAS,MAAM,IAAI,SAAS;AAAA,IACpF;AAEA,UAAM,SAAU,MAAM,SAAS,KAAK;AACpC,QAAI,wBAAwB,OAAO,QAAQ;AAC3C,WAAO;AAAA,EACT,SAAS,OAAO;AAEd,QAAI,iBAAiB,SAAS,MAAM,SAAS,cAAc;AACzD,UAAI,wBAAwB;AAC5B,aAAO,mBAAmB,UAAU,0BAA0B,iBAAiB;AAAA,IACjF;AAGA,YAAQ,MAAM,4CAA4C,KAAK;AAC/D,WAAO,mBAAmB,UAAU,oCAAoC,qBAAqB;AAAA,EAC/F;AACF;AAKA,SAAS,yBAAyB,QAAiC;AACjE,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;AAKA,SAAS,mBACP,UACA,QACA,WACc;AACd,MAAI,aAAa,UAAU;AACzB,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ,GAAG,MAAM;AAAA,MACjB;AAAA,IACF;AAAA,EACF;AAGA,SAAO;AAAA,IACL,UAAU;AAAA,IACV,QAAQ,GAAG,MAAM;AAAA,IACjB,QAAQ;AAAA,IACR;AAAA,EACF;AACF;AAuBO,SAAS,qBAAqB,QAAsB;AACzD,SAAO,CAAC,YAAqB,aAAa,SAAS,MAAM;AAC3D;AAMO,SAAS,aAAa,SAAkB,QAAgD;AAE7F,MAAI,QAAQ,mBAAmB,OAAO;AACpC,UAAM,WAAW,YAAY,OAAO;AACpC,QAAI,cAAc,QAAQ,GAAG;AAC3B,aAAO;AAAA,IACT;AAAA,EACF;AAGA,SAAO,iBAAiB,OAAO;AACjC;","names":[]}

package/dist/index.mjs CHANGED Viewed

@@ -1,5 +1,12 @@
 // src/index.ts
 var ATTEST_VERIFY_URL = "https://attest.sekyuriti.build/verify";
+var DEFAULT_TIMEOUT_MS = 5e3;
+var LOCALHOST_IPS = [
+  "127.0.0.1",
+  "::1",
+  "localhost",
+  "::ffff:127.0.0.1"
+];
 function getAttestHeaders(request) {
   return {
     timestamp: request.headers.get("x-attest-timestamp"),
@@ -12,57 +19,176 @@ function hasAttestHeaders(request) {
   const headers = getAttestHeaders(request);
   return !!(headers.timestamp && headers.signature && headers.fingerprint);
 }
+function getClientIP(request) {
+  const forwardedFor = request.headers.get("x-forwarded-for");
+  if (forwardedFor) {
+    return forwardedFor.split(",")[0].trim();
+  }
+  const realIP = request.headers.get("x-real-ip");
+  if (realIP) return realIP;
+  const cfIP = request.headers.get("cf-connecting-ip");
+  if (cfIP) return cfIP;
+  const vercelIP = request.headers.get("x-vercel-forwarded-for");
+  if (vercelIP) return vercelIP.split(",")[0].trim();
+  return null;
+}
+function isLocalhostIP(ip) {
+  if (!ip) return false;
+  return LOCALHOST_IPS.includes(ip);
+}
+async function fetchWithTimeout(url, options, timeoutMs) {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(url, {
+      ...options,
+      signal: controller.signal
+    });
+    return response;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
 async function verifyAttest(request, config) {
+  const {
+    projectId,
+    apiKey,
+    verifyUrl = ATTEST_VERIFY_URL,
+    failMode = "open",
+    timeout = DEFAULT_TIMEOUT_MS,
+    allowLocalhost = true,
+    debug = false
+  } = config;
+  const log = debug ? console.log.bind(console, "[@sekyuriti/attest]") : () => {
+  };
+  if (allowLocalhost) {
+    const clientIP = getClientIP(request);
+    if (isLocalhostIP(clientIP)) {
+      log("Bypassing verification for localhost IP:", clientIP);
+      return {
+        attested: true,
+        reason: "Localhost bypass",
+        bypass: true
+      };
+    }
+  }
   const headers = getAttestHeaders(request);
   if (!headers.timestamp || !headers.signature || !headers.fingerprint) {
+    log("Missing ATTEST headers");
     return {
       attested: false,
-      reason: "Missing ATTEST headers"
+      reason: "Missing ATTEST headers",
+      errorCode: "MISSING_HEADERS"
+    };
+  }
+  const timestamp = parseInt(headers.timestamp, 10);
+  if (isNaN(timestamp)) {
+    log("Invalid timestamp format");
+    return {
+      attested: false,
+      reason: "Invalid timestamp format",
+      errorCode: "INVALID_TIMESTAMP"
+    };
+  }
+  const now = Date.now();
+  const maxAge = 5 * 60 * 1e3;
+  if (now - timestamp > maxAge) {
+    log("Timestamp expired:", { timestamp, now, diff: now - timestamp });
+    return {
+      attested: false,
+      reason: "Request timestamp expired",
+      errorCode: "EXPIRED_TIMESTAMP"
     };
   }
   try {
-    const response = await fetch(config.verifyUrl || ATTEST_VERIFY_URL, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
+    log("Verifying with service...");
+    const response = await fetchWithTimeout(
+      verifyUrl,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          project_id: projectId,
+          api_key: apiKey,
+          method: request.method,
+          url: request.url,
+          timestamp,
+          signature: headers.signature,
+          fingerprint: headers.fingerprint
+        })
       },
-      body: JSON.stringify({
-        project_id: config.projectId,
-        api_key: config.apiKey,
-        timestamp: parseInt(headers.timestamp, 10),
-        signature: headers.signature,
-        fingerprint: headers.fingerprint
-      })
-    });
+      timeout
+    );
     if (!response.ok) {
-      return {
-        attested: false,
-        reason: `Verification service error: ${response.status}`
-      };
+      const errorCode = mapHttpStatusToErrorCode(response.status);
+      log("Service returned error:", response.status, errorCode);
+      if (response.status === 401 || response.status === 403) {
+        return {
+          attested: false,
+          reason: `Verification failed: ${response.status}`,
+          errorCode
+        };
+      }
+      return handleServiceError(failMode, `Service error: ${response.status}`, errorCode);
     }
-    return await response.json();
+    const result = await response.json();
+    log("Verification result:", result.attested);
+    return result;
   } catch (error) {
-    console.error("[@sekyuriti/attest] Verification failed:", error);
-    const failMode = config.failMode || "open";
-    if (failMode === "closed") {
-      return {
-        attested: false,
-        reason: "Verification service unavailable (fail-closed mode)"
-      };
+    if (error instanceof Error && error.name === "AbortError") {
+      log("Verification timed out");
+      return handleServiceError(failMode, "Verification timed out", "SERVICE_TIMEOUT");
     }
+    console.error("[@sekyuriti/attest] Verification failed:", error);
+    return handleServiceError(failMode, "Verification service unavailable", "SERVICE_UNAVAILABLE");
+  }
+}
+function mapHttpStatusToErrorCode(status) {
+  switch (status) {
+    case 401:
+      return "INVALID_API_KEY";
+    case 403:
+      return "INVALID_PROJECT";
+    case 429:
+      return "RATE_LIMITED";
+    default:
+      return "SERVICE_ERROR";
+  }
+}
+function handleServiceError(failMode, reason, errorCode) {
+  if (failMode === "closed") {
     return {
-      attested: true,
-      reason: "Verification service unavailable (fail-open mode)"
+      attested: false,
+      reason: `${reason} (fail-closed mode)`,
+      errorCode
     };
   }
+  return {
+    attested: true,
+    reason: `${reason} (fail-open mode)`,
+    bypass: true,
+    errorCode
+  };
 }
 function createAttestVerifier(config) {
   return (request) => verifyAttest(request, config);
 }
+function shouldVerify(request, config) {
+  if (config?.allowLocalhost !== false) {
+    const clientIP = getClientIP(request);
+    if (isLocalhostIP(clientIP)) {
+      return false;
+    }
+  }
+  return hasAttestHeaders(request);
+}
 export {
   createAttestVerifier,
   getAttestHeaders,
   hasAttestHeaders,
+  shouldVerify,
   verifyAttest
 };
 //# sourceMappingURL=index.mjs.map