@sinch/functions-runtime 0.4.0 → 0.4.1

package/dist/index.d.ts

@@ -1292,6 +1292,12 @@ export declare function createLenientJsonParser(options?: JsonParsingOptions): (
  * @internal
  */
 export declare function setupJsonParsing(app: Express, options?: JsonParsingOptions): Express;
+/**
+ * Declarative auth configuration exported by user functions.
+ * - string[] — protect specific handler names
+ * - '*' — protect all handlers
+ */
+export type AuthConfig = string[] | "*";
 /**
  * Get the landing page HTML content
  * Exported so production runtime can also use it
@@ -1329,6 +1335,12 @@ export interface RequestHandlerOptions {
 	logger?: (...args: unknown[]) => void;
 	/** Enable landing page for browser requests at root (default: true) */
 	landingPageEnabled?: boolean;
+	/** Declarative auth config from user module (string[] or '*') */
+	authConfig?: AuthConfig;
+	/** API key for Basic Auth validation */
+	authKey?: string;
+	/** API secret for Basic Auth validation */
+	authSecret?: string;
 	/** Called when request starts */
 	onRequestStart?: (data: {
 		functionName: string;

package/dist/index.js

@@ -934,6 +934,31 @@ function setupJsonParsing(app, options = {}) {
   return app;
 }
 
+// ../runtime-shared/dist/auth/basic-auth.js
+import { timingSafeEqual } from "crypto";
+function validateBasicAuth(authHeader, expectedKey, expectedSecret) {
+  if (!authHeader) {
+    return false;
+  }
+  if (!authHeader.toLowerCase().startsWith("basic ")) {
+    return false;
+  }
+  const decoded = Buffer.from(authHeader.slice(6), "base64").toString("utf-8");
+  const colonIndex = decoded.indexOf(":");
+  if (colonIndex === -1) {
+    return false;
+  }
+  const providedKey = decoded.slice(0, colonIndex);
+  const providedSecret = decoded.slice(colonIndex + 1);
+  const expectedKeyBuf = Buffer.from(expectedKey);
+  const providedKeyBuf = Buffer.from(providedKey);
+  const expectedSecretBuf = Buffer.from(expectedSecret);
+  const providedSecretBuf = Buffer.from(providedSecret);
+  const keyMatch = expectedKeyBuf.length === providedKeyBuf.length && timingSafeEqual(expectedKeyBuf, providedKeyBuf);
+  const secretMatch = expectedSecretBuf.length === providedSecretBuf.length && timingSafeEqual(expectedSecretBuf, providedSecretBuf);
+  return keyMatch && secretMatch;
+}
+
 // ../runtime-shared/dist/host/app.js
 import { createRequire as createRequire2 } from "module";
 import { pathToFileURL } from "url";
@@ -1236,7 +1261,7 @@ function setupRequestHandler(app, options = {}) {
     const functionUrl = pathToFileURL(functionPath).href;
     const module = await import(functionUrl);
     return module.default || module;
-  }, buildContext = buildBaseContext, logger = console.log, landingPageEnabled = true, onRequestStart = () => {
+  }, buildContext = buildBaseContext, logger = console.log, landingPageEnabled = true, authConfig, authKey, authSecret, onRequestStart = () => {
   }, onRequestEnd = () => {
   } } = options;
   app.use("/{*splat}", async (req, res) => {
@@ -1264,6 +1289,17 @@ function setupRequestHandler(app, options = {}) {
     try {
       const functionName = extractFunctionName(req.originalUrl, req.body);
       logger(`[${(/* @__PURE__ */ new Date()).toISOString()}] ${req.method} ${req.path} -> ${functionName}`);
+      if (authConfig && authKey && authSecret) {
+        const needsAuth = authConfig === "*" || Array.isArray(authConfig) && authConfig.includes(functionName);
+        if (needsAuth) {
+          const isValid = validateBasicAuth(req.headers.authorization, authKey, authSecret);
+          if (!isValid) {
+            logger(`[AUTH] Rejected unauthorized request to ${functionName}`);
+            res.status(401).set("WWW-Authenticate", 'Basic realm="sinch-function"').json({ error: "Unauthorized" });
+            return;
+          }
+        }
+      }
       onRequestStart({ functionName, req });
       const context = buildContext(req);
       const userFunction = await Promise.resolve(loadUserFunction());
@@ -2457,7 +2493,7 @@ import * as path4 from "path";
 var LocalStorage = class {
   baseDir;
   constructor(baseDir) {
-    this.baseDir = baseDir ?? path4.join(process.cwd(), "storage");
+    this.baseDir = baseDir ?? path4.join(process.cwd(), ".sinch", "storage");
   }
   resolvePath(key) {
     const sanitized = key.replace(/^\/+/, "").replace(/\.\./g, "_");
@@ -2520,6 +2556,13 @@ import axios from "axios";
 
 // src/tunnel/webhook-config.ts
 import { SinchClient as SinchClient2 } from "@sinch/sdk-core";
+var SINCH_FN_URL_PATTERN = /\.fn(-\w+)?\.sinch\.com/;
+function isOurWebhook(target) {
+  return !!target && SINCH_FN_URL_PATTERN.test(target);
+}
+function isTunnelUrl(target) {
+  return !!target && target.includes("tunnel.fn");
+}
 async function configureConversationWebhooks(tunnelUrl, config) {
   try {
     const conversationAppId = process.env.CONVERSATION_APP_ID;
@@ -2541,24 +2584,23 @@ async function configureConversationWebhooks(tunnelUrl, config) {
       app_id: conversationAppId
     });
     const existingWebhooks = webhooksResult.webhooks || [];
-    const tunnelWebhooks = existingWebhooks.filter((w) => w.target?.includes("/api/ingress/"));
-    for (const staleWebhook of tunnelWebhooks) {
-      try {
-        await sinchClient.conversation.webhooks.delete({ webhook_id: staleWebhook.id });
-        console.log(`\u{1F9F9} Cleaned up stale tunnel webhook: ${staleWebhook.id}`);
-      } catch (err) {
-      }
+    const deployedWebhook = existingWebhooks.find(
+      (w) => isOurWebhook(w.target)
+    );
+    if (!deployedWebhook || !deployedWebhook.id) {
+      console.log("\u26A0\uFE0F No deployed webhook found \u2014 deploy first");
+      return;
     }
-    const createResult = await sinchClient.conversation.webhooks.create({
-      webhookCreateRequestBody: {
-        app_id: conversationAppId,
-        target: webhookUrl,
-        target_type: "HTTP",
-        triggers: ["MESSAGE_INBOUND"]
-      }
+    config.conversationWebhookId = deployedWebhook.id;
+    config.originalTarget = deployedWebhook.target;
+    await sinchClient.conversation.webhooks.update({
+      webhook_id: deployedWebhook.id,
+      webhookUpdateRequestBody: {
+        target: webhookUrl
+      },
+      update_mask: ["target"]
     });
-    config.conversationWebhookId = createResult.id;
-    console.log(`\u2705 Created Conversation webhook: ${webhookUrl}`);
+    console.log(`\u2705 Updated Conversation webhook to tunnel: ${webhookUrl}`);
     console.log("\u{1F4AC} Send a message to your Conversation app to test!");
   } catch (error) {
     console.log("\u26A0\uFE0F Could not configure Conversation webhooks:", error.message);
@@ -2577,10 +2619,29 @@ async function cleanupConversationWebhook(config) {
       keyId,
       keySecret
     });
-    await sinchClient.conversation.webhooks.delete({ webhook_id: config.conversationWebhookId });
-    console.log("\u{1F9F9} Cleaned up tunnel webhook");
+    let restoreTarget = config.originalTarget;
+    if (!restoreTarget || isTunnelUrl(restoreTarget)) {
+      const functionName = process.env.FUNCTION_NAME || process.env.FUNCTION_ID;
+      if (functionName) {
+        restoreTarget = `https://${functionName}.fn-dev.sinch.com/webhook/conversation`;
+        console.log(`\u{1F527} Derived restore target from env: ${restoreTarget}`);
+      } else {
+        console.log("\u26A0\uFE0F Cannot restore webhook \u2014 no FUNCTION_NAME or FUNCTION_ID available");
+        return;
+      }
+    }
+    await sinchClient.conversation.webhooks.update({
+      webhook_id: config.conversationWebhookId,
+      webhookUpdateRequestBody: {
+        target: restoreTarget
+      },
+      update_mask: ["target"]
+    });
+    console.log(`\u{1F504} Restored webhook target to: ${restoreTarget}`);
     config.conversationWebhookId = void 0;
+    config.originalTarget = void 0;
   } catch (error) {
+    console.log("\u26A0\uFE0F Could not restore Conversation webhook:", error.message);
   }
 }
 async function configureElevenLabs() {