@strav/http 0.1.0

package/src/index.ts

@@ -0,0 +1,7 @@
+export * from './http/index.ts'
+export * from './view/index.ts'
+export * from './session/index.ts'
+export * from './validation/index.ts'
+export * from './policy/index.ts'
+export * from './auth/index.ts'
+export * from './providers/index.ts'

package/src/middleware/http_cache.ts

@@ -0,0 +1,106 @@
+import type Context from '../http/context.ts'
+import type { Middleware } from '../http/middleware.ts'
+// Moved from @stravigor/kernel/cache — depends on http types
+
+export interface HttpCacheOptions {
+  /** Cache-Control max-age in seconds. @default 0 */
+  maxAge?: number
+
+  /** Cache-Control s-maxage for shared caches (CDN). */
+  sMaxAge?: number
+
+  /** Cache-Control directives. @default ['public'] */
+  directives?: CacheDirective[]
+
+  /** Add weak ETag header based on response body hash. @default false */
+  etag?: boolean
+
+  /** Vary header values. @default ['Accept-Encoding'] */
+  vary?: string[]
+
+  /** Skip cache headers for certain requests. */
+  skip?: (ctx: Context) => boolean
+}
+
+export type CacheDirective =
+  | 'public'
+  | 'private'
+  | 'no-cache'
+  | 'no-store'
+  | 'must-revalidate'
+  | 'immutable'
+
+/**
+ * HTTP cache middleware — sets Cache-Control, ETag, and Vary headers.
+ *
+ * Only applies to GET and HEAD requests. Browser/CDN does the actual caching.
+ * When `etag` is enabled and the request includes a matching `If-None-Match`
+ * header, responds with 304 Not Modified.
+ *
+ * @example
+ * router.group({ middleware: [httpCache({ maxAge: 300, etag: true })] }, r => {
+ *   r.get('/api/categories', listCategories)
+ * })
+ */
+export function httpCache(options: HttpCacheOptions = {}): Middleware {
+  const {
+    maxAge = 0,
+    sMaxAge,
+    directives = ['public'],
+    etag: enableEtag = false,
+    vary = ['Accept-Encoding'],
+    skip,
+  } = options
+
+  const cacheControl = buildCacheControl(directives, maxAge, sMaxAge)
+
+  return async (ctx, next) => {
+    // Only cache GET and HEAD responses
+    if (ctx.method !== 'GET' && ctx.method !== 'HEAD') return next()
+
+    if (skip?.(ctx)) return next()
+
+    const response = await next()
+
+    const headers = new Headers(response.headers)
+    headers.set('Cache-Control', cacheControl)
+
+    if (vary.length > 0) {
+      const existing = headers.get('Vary')
+      const merged = existing ? `${existing}, ${vary.join(', ')}` : vary.join(', ')
+      headers.set('Vary', merged)
+    }
+
+    if (enableEtag) {
+      const body = await response.clone().arrayBuffer()
+      const hash = new Bun.CryptoHasher('md5').update(body).digest('hex')
+      const tag = `W/"${hash}"`
+
+      headers.set('ETag', tag)
+
+      const ifNoneMatch = ctx.header('if-none-match')
+      if (ifNoneMatch === tag) {
+        return new Response(null, { status: 304, headers })
+      }
+
+      return new Response(body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers,
+      })
+    }
+
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers,
+    })
+  }
+}
+
+function buildCacheControl(directives: CacheDirective[], maxAge: number, sMaxAge?: number): string {
+  const parts = [...directives]
+  if (maxAge > 0) parts.push(`max-age=${maxAge}` as CacheDirective)
+  if (sMaxAge != null) parts.push(`s-maxage=${sMaxAge}` as CacheDirective)
+  return parts.join(', ')
+}

package/src/middleware/i18n.ts

@@ -0,0 +1,84 @@
+import type Context from '../http/context.ts'
+import type { Next } from '../http/middleware.ts'
+import type { Middleware } from '../http/middleware.ts'
+import I18nManager from '@stravigor/kernel/i18n/i18n_manager'
+import { localeStorage } from '@stravigor/kernel/i18n/helpers'
+
+/**
+ * i18n middleware — detects the request locale and sets it for the
+ * duration of the request via `AsyncLocalStorage`.
+ *
+ * Detection strategies are tried in the order configured in `config/i18n.ts`.
+ *
+ * @example
+ * import { i18n } from '@stravigor/http/middleware/i18n'
+ * router.use(i18n())
+ */
+export function i18n(): Middleware {
+  return (ctx: Context, next: Next) => {
+    const detected = detectLocale(ctx)
+    return localeStorage.run(detected, () => next())
+  }
+}
+
+/**
+ * Detect locale from the request using configured strategies.
+ * Falls back to the default locale if no strategy matches.
+ */
+function detectLocale(ctx: Context): string {
+  const config = I18nManager.config
+  const supported = config.supported
+
+  for (const strategy of config.detect) {
+    switch (strategy) {
+      case 'query': {
+        const lang = ctx.query.get('lang') ?? ctx.query.get('locale')
+        if (lang && supported.includes(lang)) return lang
+        break
+      }
+      case 'cookie': {
+        const cookie = ctx.cookie('locale')
+        if (cookie && supported.includes(cookie)) return cookie
+        break
+      }
+      case 'header': {
+        const match = parseAcceptLanguage(ctx.headers.get('accept-language'), supported)
+        if (match) return match
+        break
+      }
+    }
+  }
+
+  return config.default
+}
+
+/**
+ * Parse the Accept-Language header and return the best match
+ * against supported locales.
+ *
+ * @example
+ * parseAcceptLanguage('fr-FR,fr;q=0.9,en;q=0.8', ['en', 'fr'])  // 'fr'
+ */
+export function parseAcceptLanguage(header: string | null, supported: string[]): string | null {
+  if (!header) return null
+
+  // Parse entries like "fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7"
+  const entries = header
+    .split(',')
+    .map(part => {
+      const [tag = '', ...rest] = part.trim().split(';')
+      const qPart = rest.find(r => r.trim().startsWith('q='))
+      const q = qPart ? parseFloat(qPart.trim().slice(2)) : 1.0
+      return { tag: tag.trim().toLowerCase(), q: Number.isNaN(q) ? 0 : q }
+    })
+    .sort((a, b) => b.q - a.q)
+
+  // Try exact match first, then base language (e.g. 'fr-FR' → 'fr')
+  for (const { tag } of entries) {
+    if (supported.includes(tag)) return tag
+    const base = tag.split('-')[0]!
+    if (supported.includes(base)) return base
+  }
+
+  return null
+}

package/src/middleware/request_logger.ts

@@ -0,0 +1,19 @@
+import type { Middleware } from '../http/middleware.ts'
+import type Logger from '@stravigor/kernel/logger/logger'
+
+export function requestLogger(logger: Logger): Middleware {
+  return async (ctx, next) => {
+    const start = performance.now()
+    const response = await next()
+    const duration = Math.round(performance.now() - start)
+
+    logger.info(`${ctx.method} ${ctx.path} ${response.status} ${duration}ms`, {
+      method: ctx.method,
+      path: ctx.path,
+      status: response.status,
+      duration,
+    })
+
+    return response
+  }
+}

package/src/policy/authorize.ts

@@ -0,0 +1,44 @@
+import type { Middleware } from '../http/middleware.ts'
+import type { PolicyResult } from './policy_result.ts'
+
+type PolicyReturn = PolicyResult | Promise<PolicyResult>
+
+export function authorize(
+  policy: Record<string, (...args: any[]) => PolicyReturn>,
+  method: string,
+  loadResource?: (ctx: import('../http/context.ts').default) => Promise<unknown>
+): Middleware {
+  return async (ctx, next) => {
+    const user = ctx.get('user')
+    if (!user) {
+      return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+        status: 401,
+        headers: { 'Content-Type': 'application/json' },
+      })
+    }
+
+    let resource: unknown
+    if (loadResource) {
+      resource = await loadResource(ctx)
+      ctx.set('resource', resource)
+    }
+
+    const policyMethod = policy[method]
+    if (!policyMethod) {
+      return new Response(JSON.stringify({ error: 'Forbidden' }), {
+        status: 403,
+        headers: { 'Content-Type': 'application/json' },
+      })
+    }
+
+    const access = await policyMethod(user, resource)
+    if (!access.allowed) {
+      return new Response(JSON.stringify({ error: access.reason }), {
+        status: access.status,
+        headers: { 'Content-Type': 'application/json' },
+      })
+    }
+
+    return next()
+  }
+}

package/src/policy/index.ts

@@ -0,0 +1,3 @@
+export { authorize } from './authorize.ts'
+export { allow, deny } from './policy_result.ts'
+export type { PolicyResult } from './policy_result.ts'

package/src/policy/policy_result.ts

@@ -0,0 +1,13 @@
+export type PolicyResult = {
+  allowed: boolean
+  status: number
+  reason: string
+}
+
+export function allow(): PolicyResult {
+  return { allowed: true, status: 200, reason: '' }
+}
+
+export function deny(status = 403, reason = 'Action forbidden'): PolicyResult {
+  return { allowed: false, status, reason }
+}

package/src/providers/auth_provider.ts

@@ -0,0 +1,35 @@
+import ServiceProvider from '@stravigor/kernel/core/service_provider'
+import type Application from '@stravigor/kernel/core/application'
+import Auth from '../auth/auth.ts'
+
+export interface AuthProviderOptions {
+  /** Function to load a user by ID. Required for auth middleware. */
+  resolver?: (id: string | number) => Promise<unknown>
+  /** Whether to auto-create the access_tokens table. Default: `true` */
+  ensureTables?: boolean
+}
+
+export default class AuthProvider extends ServiceProvider {
+  readonly name = 'auth'
+  override readonly dependencies = ['database']
+
+  constructor(private options?: AuthProviderOptions) {
+    super()
+  }
+
+  override register(app: Application): void {
+    app.singleton(Auth)
+  }
+
+  override async boot(app: Application): Promise<void> {
+    app.resolve(Auth)
+
+    if (this.options?.resolver) {
+      Auth.useResolver(this.options.resolver)
+    }
+
+    if (this.options?.ensureTables !== false) {
+      await Auth.ensureTables()
+    }
+  }
+}

package/src/providers/http_provider.ts

@@ -0,0 +1,27 @@
+import ServiceProvider from '@stravigor/kernel/core/service_provider'
+import type Application from '@stravigor/kernel/core/application'
+import Server from '../http/server.ts'
+import Router from '../http/router.ts'
+
+export default class HttpProvider extends ServiceProvider {
+  readonly name = 'http'
+  override readonly dependencies = ['config']
+
+  private server: Server | null = null
+
+  override register(app: Application): void {
+    if (!app.has(Router)) app.singleton(Router)
+    app.singleton(Server)
+  }
+
+  override boot(app: Application): void {
+    const router = app.resolve(Router)
+    this.server = app.resolve(Server)
+    this.server.start(router)
+  }
+
+  override shutdown(): void {
+    this.server?.stop()
+    this.server = null
+  }
+}

package/src/providers/index.ts

@@ -0,0 +1,7 @@
+export { default as HttpProvider } from './http_provider.ts'
+export { default as AuthProvider } from './auth_provider.ts'
+export { default as SessionProvider } from './session_provider.ts'
+export { default as ViewProvider } from './view_provider.ts'
+
+export type { AuthProviderOptions } from './auth_provider.ts'
+export type { SessionProviderOptions } from './session_provider.ts'

package/src/providers/session_provider.ts

@@ -0,0 +1,29 @@
+import ServiceProvider from '@stravigor/kernel/core/service_provider'
+import type Application from '@stravigor/kernel/core/application'
+import SessionManager from '../session/session_manager.ts'
+
+export interface SessionProviderOptions {
+  /** Whether to auto-create the sessions table. Default: `true` */
+  ensureTable?: boolean
+}
+
+export default class SessionProvider extends ServiceProvider {
+  readonly name = 'session'
+  override readonly dependencies = ['database']
+
+  constructor(private options?: SessionProviderOptions) {
+    super()
+  }
+
+  override register(app: Application): void {
+    app.singleton(SessionManager)
+  }
+
+  override async boot(app: Application): Promise<void> {
+    app.resolve(SessionManager)
+
+    if (this.options?.ensureTable !== false) {
+      await SessionManager.ensureTable()
+    }
+  }
+}

package/src/providers/view_provider.ts

@@ -0,0 +1,18 @@
+import ServiceProvider from '@stravigor/kernel/core/service_provider'
+import type Application from '@stravigor/kernel/core/application'
+import { ViewEngine } from '@stravigor/view'
+import Context from '../http/context.ts'
+
+export default class ViewProvider extends ServiceProvider {
+  readonly name = 'view'
+  override readonly dependencies = ['config']
+
+  override register(app: Application): void {
+    app.singleton(ViewEngine)
+  }
+
+  override boot(app: Application): void {
+    const engine = app.resolve(ViewEngine)
+    Context.setViewEngine(engine)
+  }
+}

package/src/session/index.ts

@@ -0,0 +1,4 @@
+export { default as Session } from './session.ts'
+export { default as SessionManager } from './session_manager.ts'
+export { session } from './middleware.ts'
+export type { SessionConfig } from './session_manager.ts'

package/src/session/middleware.ts

@@ -0,0 +1,46 @@
+import type { Middleware } from '../http/middleware.ts'
+import { withCookie } from '../http/cookie.ts'
+import Session from './session.ts'
+import SessionManager from './session_manager.ts'
+
+/**
+ * Session middleware — attaches a Session to every request.
+ *
+ * 1. Reads the session cookie and loads the session from DB
+ * 2. Creates a new anonymous session if absent or expired
+ * 3. Ages flash data so previous-request flash is readable
+ * 4. Sets `ctx.get('session')` and `ctx.get('csrfToken')`
+ * 5. After the handler: saves dirty data and refreshes the cookie
+ *
+ * @example
+ * import { session } from '@stravigor/http/session'
+ * router.use(session())
+ */
+export function session(): Middleware {
+  return async (ctx, next) => {
+    let sess = await Session.fromRequest(ctx)
+
+    if (!sess || sess.isExpired()) {
+      sess = Session.create(ctx)
+    }
+
+    sess.ageFlash()
+
+    ctx.set('session', sess)
+    ctx.set('csrfToken', sess.csrfToken)
+
+    const response = await next()
+
+    await sess.save()
+
+    // Refresh cookie (sliding expiration)
+    const cfg = SessionManager.config
+    return withCookie(response, cfg.cookie, sess.id, {
+      httpOnly: cfg.httpOnly,
+      secure: cfg.secure,
+      sameSite: cfg.sameSite,
+      maxAge: cfg.lifetime * 60,
+      path: '/',
+    })
+  }
+}