@sinch/functions-runtime 0.3.9 → 0.4.1

package/dist/index.js

@@ -934,6 +934,31 @@ function setupJsonParsing(app, options = {}) {
   return app;
 }
 
+// ../runtime-shared/dist/auth/basic-auth.js
+import { timingSafeEqual } from "crypto";
+function validateBasicAuth(authHeader, expectedKey, expectedSecret) {
+  if (!authHeader) {
+    return false;
+  }
+  if (!authHeader.toLowerCase().startsWith("basic ")) {
+    return false;
+  }
+  const decoded = Buffer.from(authHeader.slice(6), "base64").toString("utf-8");
+  const colonIndex = decoded.indexOf(":");
+  if (colonIndex === -1) {
+    return false;
+  }
+  const providedKey = decoded.slice(0, colonIndex);
+  const providedSecret = decoded.slice(colonIndex + 1);
+  const expectedKeyBuf = Buffer.from(expectedKey);
+  const providedKeyBuf = Buffer.from(providedKey);
+  const expectedSecretBuf = Buffer.from(expectedSecret);
+  const providedSecretBuf = Buffer.from(providedSecret);
+  const keyMatch = expectedKeyBuf.length === providedKeyBuf.length && timingSafeEqual(expectedKeyBuf, providedKeyBuf);
+  const secretMatch = expectedSecretBuf.length === providedSecretBuf.length && timingSafeEqual(expectedSecretBuf, providedSecretBuf);
+  return keyMatch && secretMatch;
+}
+
 // ../runtime-shared/dist/host/app.js
 import { createRequire as createRequire2 } from "module";
 import { pathToFileURL } from "url";
@@ -1021,11 +1046,11 @@ function isVoiceCallback(functionName) {
 function isNotificationEvent(functionName) {
   return NOTIFICATION_EVENTS.includes(functionName);
 }
-function extractFunctionName(path5, body) {
+function extractFunctionName(path6, body) {
   if (body?.event && isVoiceCallback(body.event)) {
     return body.event;
   }
-  const pathname = path5.split("?")[0];
+  const pathname = path6.split("?")[0];
   const segments = pathname.split("/").filter((s) => s && s !== "*");
   if (segments.length === 1 && isVoiceCallback(segments[0])) {
     return segments[0];
@@ -1042,10 +1067,10 @@ function generateRequestId() {
   return `req_${Date.now()}_${Math.random().toString(36).substring(7)}`;
 }
 function findFunctionPath() {
-  const fs4 = requireCjs2("fs");
+  const fs5 = requireCjs2("fs");
   const distPath = nodePath.join(process.cwd(), "dist", "function.js");
   const rootPath = nodePath.join(process.cwd(), "function.js");
-  if (fs4.existsSync(distPath)) {
+  if (fs5.existsSync(distPath)) {
     return distPath;
   }
   return rootPath;
@@ -1123,6 +1148,15 @@ var noOpCache = {
   keys: async () => [],
   getMany: async () => ({})
 };
+var noOpStorage = {
+  write: async () => {
+  },
+  read: async () => Buffer.alloc(0),
+  list: async () => [],
+  exists: async () => false,
+  delete: async () => {
+  }
+};
 function buildBaseContext(req, config = {}) {
   return {
     requestId: req.headers["x-request-id"] || generateRequestId(),
@@ -1135,6 +1169,8 @@ function buildBaseContext(req, config = {}) {
       variables: config.variables
     },
     cache: noOpCache,
+    storage: noOpStorage,
+    database: "",
     assets: (filename) => {
       const filePath = nodePath.join(process.cwd(), "assets", filename);
       return nodeFs.promises.readFile(filePath, "utf-8");
@@ -1225,7 +1261,7 @@ function setupRequestHandler(app, options = {}) {
     const functionUrl = pathToFileURL(functionPath).href;
     const module = await import(functionUrl);
     return module.default || module;
-  }, buildContext = buildBaseContext, logger = console.log, landingPageEnabled = true, onRequestStart = () => {
+  }, buildContext = buildBaseContext, logger = console.log, landingPageEnabled = true, authConfig, authKey, authSecret, onRequestStart = () => {
   }, onRequestEnd = () => {
   } } = options;
   app.use("/{*splat}", async (req, res) => {
@@ -1253,6 +1289,17 @@ function setupRequestHandler(app, options = {}) {
     try {
       const functionName = extractFunctionName(req.originalUrl, req.body);
       logger(`[${(/* @__PURE__ */ new Date()).toISOString()}] ${req.method} ${req.path} -> ${functionName}`);
+      if (authConfig && authKey && authSecret) {
+        const needsAuth = authConfig === "*" || Array.isArray(authConfig) && authConfig.includes(functionName);
+        if (needsAuth) {
+          const isValid = validateBasicAuth(req.headers.authorization, authKey, authSecret);
+          if (!isValid) {
+            logger(`[AUTH] Rejected unauthorized request to ${functionName}`);
+            res.status(401).set("WWW-Authenticate", 'Basic realm="sinch-function"').json({ error: "Unauthorized" });
+            return;
+          }
+        }
+      }
       onRequestStart({ functionName, req });
       const context = buildContext(req);
       const userFunction = await Promise.resolve(loadUserFunction());
@@ -2440,12 +2487,82 @@ function createCacheClient(_projectId, _functionName) {
   return new LocalCache();
 }
 
+// src/storage/local.ts
+import * as fs3 from "fs/promises";
+import * as path4 from "path";
+var LocalStorage = class {
+  baseDir;
+  constructor(baseDir) {
+    this.baseDir = baseDir ?? path4.join(process.cwd(), ".sinch", "storage");
+  }
+  resolvePath(key) {
+    const sanitized = key.replace(/^\/+/, "").replace(/\.\./g, "_");
+    return path4.join(this.baseDir, sanitized);
+  }
+  async write(key, data) {
+    const filePath = this.resolvePath(key);
+    await fs3.mkdir(path4.dirname(filePath), { recursive: true });
+    await fs3.writeFile(filePath, data);
+  }
+  async read(key) {
+    const filePath = this.resolvePath(key);
+    return fs3.readFile(filePath);
+  }
+  async list(prefix) {
+    const results = [];
+    await this.walkDir(this.baseDir, "", results);
+    if (prefix) {
+      return results.filter((f) => f.startsWith(prefix));
+    }
+    return results;
+  }
+  async exists(key) {
+    const filePath = this.resolvePath(key);
+    try {
+      await fs3.access(filePath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async delete(key) {
+    const filePath = this.resolvePath(key);
+    await fs3.rm(filePath, { force: true });
+  }
+  async walkDir(dir, relative, results) {
+    let entries;
+    try {
+      entries = await fs3.readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const rel = relative ? `${relative}/${entry.name}` : entry.name;
+      if (entry.isDirectory()) {
+        await this.walkDir(path4.join(dir, entry.name), rel, results);
+      } else {
+        results.push(rel);
+      }
+    }
+  }
+};
+function createStorageClient(baseDir) {
+  return new LocalStorage(baseDir);
+}
+
 // src/tunnel/index.ts
 import WebSocket from "ws";
 import axios from "axios";
 
 // src/tunnel/webhook-config.ts
 import { SinchClient as SinchClient2 } from "@sinch/sdk-core";
+var SINCH_FN_URL_PATTERN = /\.fn(-\w+)?\.sinch\.com/;
+function isOurWebhook(target) {
+  return !!target && SINCH_FN_URL_PATTERN.test(target);
+}
+function isTunnelUrl(target) {
+  return !!target && target.includes("tunnel.fn");
+}
 async function configureConversationWebhooks(tunnelUrl, config) {
   try {
     const conversationAppId = process.env.CONVERSATION_APP_ID;
@@ -2467,24 +2584,23 @@ async function configureConversationWebhooks(tunnelUrl, config) {
       app_id: conversationAppId
     });
     const existingWebhooks = webhooksResult.webhooks || [];
-    const tunnelWebhooks = existingWebhooks.filter((w) => w.target?.includes("/api/ingress/"));
-    for (const staleWebhook of tunnelWebhooks) {
-      try {
-        await sinchClient.conversation.webhooks.delete({ webhook_id: staleWebhook.id });
-        console.log(`\u{1F9F9} Cleaned up stale tunnel webhook: ${staleWebhook.id}`);
-      } catch (err) {
-      }
+    const deployedWebhook = existingWebhooks.find(
+      (w) => isOurWebhook(w.target)
+    );
+    if (!deployedWebhook || !deployedWebhook.id) {
+      console.log("\u26A0\uFE0F No deployed webhook found \u2014 deploy first");
+      return;
     }
-    const createResult = await sinchClient.conversation.webhooks.create({
-      webhookCreateRequestBody: {
-        app_id: conversationAppId,
-        target: webhookUrl,
-        target_type: "HTTP",
-        triggers: ["MESSAGE_INBOUND"]
-      }
+    config.conversationWebhookId = deployedWebhook.id;
+    config.originalTarget = deployedWebhook.target;
+    await sinchClient.conversation.webhooks.update({
+      webhook_id: deployedWebhook.id,
+      webhookUpdateRequestBody: {
+        target: webhookUrl
+      },
+      update_mask: ["target"]
     });
-    config.conversationWebhookId = createResult.id;
-    console.log(`\u2705 Created Conversation webhook: ${webhookUrl}`);
+    console.log(`\u2705 Updated Conversation webhook to tunnel: ${webhookUrl}`);
     console.log("\u{1F4AC} Send a message to your Conversation app to test!");
   } catch (error) {
     console.log("\u26A0\uFE0F Could not configure Conversation webhooks:", error.message);
@@ -2503,10 +2619,29 @@ async function cleanupConversationWebhook(config) {
       keyId,
       keySecret
     });
-    await sinchClient.conversation.webhooks.delete({ webhook_id: config.conversationWebhookId });
-    console.log("\u{1F9F9} Cleaned up tunnel webhook");
+    let restoreTarget = config.originalTarget;
+    if (!restoreTarget || isTunnelUrl(restoreTarget)) {
+      const functionName = process.env.FUNCTION_NAME || process.env.FUNCTION_ID;
+      if (functionName) {
+        restoreTarget = `https://${functionName}.fn-dev.sinch.com/webhook/conversation`;
+        console.log(`\u{1F527} Derived restore target from env: ${restoreTarget}`);
+      } else {
+        console.log("\u26A0\uFE0F Cannot restore webhook \u2014 no FUNCTION_NAME or FUNCTION_ID available");
+        return;
+      }
+    }
+    await sinchClient.conversation.webhooks.update({
+      webhook_id: config.conversationWebhookId,
+      webhookUpdateRequestBody: {
+        target: restoreTarget
+      },
+      update_mask: ["target"]
+    });
+    console.log(`\u{1F504} Restored webhook target to: ${restoreTarget}`);
     config.conversationWebhookId = void 0;
+    config.originalTarget = void 0;
   } catch (error) {
+    console.log("\u26A0\uFE0F Could not restore Conversation webhook:", error.message);
   }
 }
 async function configureElevenLabs() {
@@ -2831,9 +2966,242 @@ function getTunnelClient(localPort = 3e3) {
 }
 
 // src/secrets/index.ts
-import fs3 from "fs";
-import path4 from "path";
+import fs4 from "fs";
+import path5 from "path";
 import os from "os";
+
+// src/secrets/keychain.ts
+import { execFile, spawn } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+function b64(value) {
+  return Buffer.from(value, "utf8").toString("base64");
+}
+function psParam(name, value) {
+  return `$${name} = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('${b64(value)}'));`;
+}
+var WIN32_CRED_READ_SCRIPT = `
+Add-Type -TypeDefinition @'
+using System;
+using System.Runtime.InteropServices;
+public class CredManager {
+  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+  private struct CREDENTIAL {
+    public int Flags;
+    public int Type;
+    public IntPtr TargetName;
+    public IntPtr Comment;
+    public long LastWritten;
+    public int CredentialBlobSize;
+    public IntPtr CredentialBlob;
+    public int Persist;
+    public int AttributeCount;
+    public IntPtr Attributes;
+    public IntPtr TargetAlias;
+    public IntPtr UserName;
+  }
+  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+  private static extern bool CredReadW(string target, int type, int flags, out IntPtr cred);
+  [DllImport("advapi32.dll")]
+  private static extern void CredFree(IntPtr cred);
+  public static string Read(string target) {
+    IntPtr credPtr;
+    if (!CredReadW(target, 1, 0, out credPtr)) return null;
+    try {
+      CREDENTIAL c = (CREDENTIAL)Marshal.PtrToStructure(credPtr, typeof(CREDENTIAL));
+      if (c.CredentialBlobSize > 0 && c.CredentialBlob != IntPtr.Zero)
+        return Marshal.PtrToStringUni(c.CredentialBlob, c.CredentialBlobSize / 2);
+      return "";
+    } finally { CredFree(credPtr); }
+  }
+}
+'@
+$r = [CredManager]::Read($target)
+if ($r -ne $null) { [Console]::Write($r) }
+else { exit 1 }
+`;
+var WIN32_CRED_WRITE_SCRIPT = `
+Add-Type -TypeDefinition @'
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+public class CredWriter {
+  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+  private struct CREDENTIAL {
+    public int Flags;
+    public int Type;
+    public string TargetName;
+    public string Comment;
+    public long LastWritten;
+    public int CredentialBlobSize;
+    public IntPtr CredentialBlob;
+    public int Persist;
+    public int AttributeCount;
+    public IntPtr Attributes;
+    public string TargetAlias;
+    public string UserName;
+  }
+  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+  private static extern bool CredWriteW(ref CREDENTIAL cred, int flags);
+  public static bool Write(string target, string password) {
+    byte[] blob = Encoding.Unicode.GetBytes(password);
+    CREDENTIAL c = new CREDENTIAL();
+    c.Type = 1;
+    c.TargetName = target;
+    c.CredentialBlobSize = blob.Length;
+    c.CredentialBlob = Marshal.AllocHGlobal(blob.Length);
+    Marshal.Copy(blob, 0, c.CredentialBlob, blob.Length);
+    c.Persist = 2;
+    try { return CredWriteW(ref c, 0); }
+    finally { Marshal.FreeHGlobal(c.CredentialBlob); }
+  }
+}
+'@
+if (-not [CredWriter]::Write($target, $password)) { exit 1 }
+`;
+var WIN32_CRED_DELETE_SCRIPT = `
+Add-Type -TypeDefinition @'
+using System;
+using System.Runtime.InteropServices;
+public class CredDeleter {
+  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+  private static extern bool CredDeleteW(string target, int type, int flags);
+  public static bool Delete(string target) { return CredDeleteW(target, 1, 0); }
+}
+'@
+if (-not [CredDeleter]::Delete($target)) { exit 1 }
+`;
+function winTarget(service, account) {
+  return `${service}/${account}`;
+}
+var windowsKeychain = {
+  async getPassword(service, account) {
+    try {
+      const params = psParam("target", winTarget(service, account));
+      const { stdout } = await execFileAsync(
+        "powershell.exe",
+        ["-NoProfile", "-NonInteractive", "-Command", params + WIN32_CRED_READ_SCRIPT],
+        { timeout: 15e3, windowsHide: true }
+      );
+      return stdout;
+    } catch {
+      return null;
+    }
+  },
+  async setPassword(service, account, password) {
+    const params = psParam("target", winTarget(service, account)) + psParam("password", password);
+    await execFileAsync(
+      "powershell.exe",
+      ["-NoProfile", "-NonInteractive", "-Command", params + WIN32_CRED_WRITE_SCRIPT],
+      { timeout: 15e3, windowsHide: true }
+    );
+  },
+  async deletePassword(service, account) {
+    try {
+      const params = psParam("target", winTarget(service, account));
+      await execFileAsync(
+        "powershell.exe",
+        ["-NoProfile", "-NonInteractive", "-Command", params + WIN32_CRED_DELETE_SCRIPT],
+        { timeout: 15e3, windowsHide: true }
+      );
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+var macKeychain = {
+  async getPassword(service, account) {
+    try {
+      const { stdout } = await execFileAsync(
+        "security",
+        ["find-generic-password", "-s", service, "-a", account, "-w"],
+        { timeout: 15e3 }
+      );
+      return stdout.trimEnd();
+    } catch {
+      return null;
+    }
+  },
+  async setPassword(service, account, password) {
+    await execFileAsync(
+      "security",
+      ["add-generic-password", "-U", "-s", service, "-a", account, "-w", password],
+      { timeout: 15e3 }
+    );
+  },
+  async deletePassword(service, account) {
+    try {
+      await execFileAsync(
+        "security",
+        ["delete-generic-password", "-s", service, "-a", account],
+        { timeout: 15e3 }
+      );
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+var linuxKeychain = {
+  async getPassword(service, account) {
+    try {
+      const { stdout } = await execFileAsync(
+        "secret-tool",
+        ["lookup", "service", service, "account", account],
+        { timeout: 15e3 }
+      );
+      return stdout.trimEnd();
+    } catch {
+      return null;
+    }
+  },
+  // secret-tool reads password from stdin (avoids exposing it in process args)
+  async setPassword(service, account, password) {
+    const child = spawn(
+      "secret-tool",
+      ["store", "--label", `${service}/${account}`, "service", service, "account", account],
+      { stdio: ["pipe", "pipe", "pipe"] }
+    );
+    child.stdin.write(password);
+    child.stdin.end();
+    await new Promise((resolve, reject) => {
+      child.on(
+        "close",
+        (code) => code === 0 ? resolve() : reject(new Error("secret-tool store failed"))
+      );
+      child.on("error", reject);
+    });
+  },
+  async deletePassword(service, account) {
+    try {
+      await execFileAsync(
+        "secret-tool",
+        ["clear", "service", service, "account", account],
+        { timeout: 15e3 }
+      );
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+function getBackend() {
+  switch (process.platform) {
+    case "win32":
+      return windowsKeychain;
+    case "darwin":
+      return macKeychain;
+    default:
+      return linuxKeychain;
+  }
+}
+var backend = getBackend();
+async function getPassword(service, account) {
+  return backend.getPassword(service, account);
+}
+
+// src/secrets/index.ts
 var SecretsLoader = class {
   // Same service name as CLI uses
   SERVICE_NAME = "sinch-functions-cli";
@@ -2847,24 +3215,12 @@ var SecretsLoader = class {
       return false;
     }
     try {
-      let keytar;
-      try {
-        keytar = await import("keytar");
-      } catch (error) {
-        if (error.code === "MODULE_NOT_FOUND" || error.code === "ERR_MODULE_NOT_FOUND") {
-          console.debug("[Secrets] Keytar not available - secrets not loaded");
-          return false;
-        } else {
-          console.error("[Secrets] Error loading keytar:", error.message);
-        }
-        return false;
-      }
-      const envPath = path4.join(process.cwd(), ".env");
-      if (!fs3.existsSync(envPath)) {
+      const envPath = path5.join(process.cwd(), ".env");
+      if (!fs4.existsSync(envPath)) {
         console.debug("[Secrets] No .env file found, skipping keychain load");
         return false;
       }
-      const envContent = fs3.readFileSync(envPath, "utf8");
+      const envContent = fs4.readFileSync(envPath, "utf8");
       const envLines = envContent.replace(/\r\n/g, "\n").split("\n");
       const secretsToLoad = [];
       envLines.forEach((line) => {
@@ -2886,7 +3242,7 @@ var SecretsLoader = class {
       }
       let secretsLoaded = 0;
       if (secretsToLoad.includes("PROJECT_ID_API_SECRET")) {
-        const apiSecret = await keytar.getPassword(this.SERVICE_NAME, `${this.username}-keySecret`);
+        const apiSecret = await getPassword(this.SERVICE_NAME, `${this.username}-keySecret`);
         if (apiSecret) {
           process.env.PROJECT_ID_API_SECRET = apiSecret;
           console.log("\u2705 Loaded PROJECT_ID_API_SECRET from secure storage");
@@ -2896,7 +3252,7 @@ var SecretsLoader = class {
       if (secretsToLoad.includes("VOICE_APPLICATION_SECRET")) {
         const applicationKey = process.env.VOICE_APPLICATION_KEY || this.getApplicationKeyFromConfig();
         if (applicationKey) {
-          const appSecret = await keytar.getPassword(this.SERVICE_NAME, applicationKey);
+          const appSecret = await getPassword(this.SERVICE_NAME, applicationKey);
           if (appSecret) {
             process.env.VOICE_APPLICATION_SECRET = appSecret;
             console.log("\u2705 Loaded VOICE_APPLICATION_SECRET from secure storage");
@@ -2910,7 +3266,7 @@ var SecretsLoader = class {
           continue;
         }
         if (functionName) {
-          const value = await keytar.getPassword(
+          const value = await getPassword(
             this.SERVICE_NAME,
             `${functionName}-${secretName}`
           );
@@ -2938,9 +3294,9 @@ var SecretsLoader = class {
    */
   getApplicationKeyFromConfig() {
     try {
-      const sinchJsonPath = path4.join(process.cwd(), "sinch.json");
-      if (fs3.existsSync(sinchJsonPath)) {
-        const sinchConfig = JSON.parse(fs3.readFileSync(sinchJsonPath, "utf8"));
+      const sinchJsonPath = path5.join(process.cwd(), "sinch.json");
+      if (fs4.existsSync(sinchJsonPath)) {
+        const sinchConfig = JSON.parse(fs4.readFileSync(sinchJsonPath, "utf8"));
         return sinchConfig.voiceAppId || sinchConfig.applicationKey || null;
       }
     } catch (error) {
@@ -2953,9 +3309,9 @@ var SecretsLoader = class {
    */
   getFunctionNameFromConfig() {
     try {
-      const sinchJsonPath = path4.join(process.cwd(), "sinch.json");
-      if (fs3.existsSync(sinchJsonPath)) {
-        const sinchConfig = JSON.parse(fs3.readFileSync(sinchJsonPath, "utf8"));
+      const sinchJsonPath = path5.join(process.cwd(), "sinch.json");
+      if (fs4.existsSync(sinchJsonPath)) {
+        const sinchConfig = JSON.parse(fs4.readFileSync(sinchJsonPath, "utf8"));
         return sinchConfig.name || null;
       }
     } catch (error) {
@@ -2969,14 +3325,13 @@ var SecretsLoader = class {
   async loadCustomSecrets(secretNames = []) {
     const secrets = {};
     try {
-      const keytar = await import("keytar");
       const functionName = this.getFunctionNameFromConfig();
       if (!functionName) {
         console.debug("[Secrets] Could not determine function name for custom secrets");
         return secrets;
       }
       for (const secretName of secretNames) {
-        const value = await keytar.getPassword(this.SERVICE_NAME, `${functionName}-${secretName}`);
+        const value = await getPassword(this.SERVICE_NAME, `${functionName}-${secretName}`);
         if (value) {
           secrets[secretName] = value;
           process.env[secretName] = value;
@@ -2988,15 +3343,13 @@ var SecretsLoader = class {
     return secrets;
   }
   /**
-   * Check if keytar is available
+   * Check if the native keychain is available.
+   * Always true — no native npm deps required. The underlying OS tool
+   * (secret-tool, security, CredManager) may still be absent, in which
+   * case getPassword() silently returns null per credential.
    */
   async isAvailable() {
-    try {
-      await import("keytar");
-      return true;
-    } catch {
-      return false;
-    }
+    return true;
   }
 };
 var secretsLoader = new SecretsLoader();
@@ -3012,6 +3365,7 @@ export {
   ElevenLabsState,
   IceSvamlBuilder,
   LocalCache,
+  LocalStorage,
   MenuBuilder,
   MenuTemplates,
   NOTIFICATION_EVENTS,
@@ -3042,6 +3396,7 @@ export {
   createResponse,
   createSimpleMenu,
   createSms,
+  createStorageClient,
   createUniversalConfig,
   createWhatsApp,
   extractCallerNumber,