@syncular/server-hono 0.0.4-26 → 0.0.6-100

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@syncular/server-hono",
-  "version": "0.0.4-26",
+  "version": "0.0.6-100",
   "description": "Hono adapter for the Syncular server with OpenAPI support",
-  "license": "MIT",
+  "license": "Apache-2.0",
   "author": "Benjamin Kniffler",
   "homepage": "https://syncular.dev",
   "repository": {
@@ -34,6 +34,20 @@
         "types": "./dist/index.d.ts",
         "default": "./dist/index.js"
       }
+    },
+    "./blobs": {
+      "bun": "./src/blobs.ts",
+      "import": {
+        "types": "./dist/blobs.d.ts",
+        "default": "./dist/blobs.js"
+      }
+    },
+    "./create-server": {
+      "bun": "./src/create-server.ts",
+      "import": {
+        "types": "./dist/create-server.d.ts",
+        "default": "./dist/create-server.js"
+      }
     }
   },
   "scripts": {
@@ -48,17 +62,17 @@
     "@hono/standard-validator": "^0.2.2",
     "@standard-community/standard-json": "^0.3.5",
     "@standard-community/standard-openapi": "^0.2.9",
-    "@syncular/console": "0.0.4-26",
-    "@syncular/core": "0.0.4-26",
-    "@syncular/server": "0.0.4-26",
+    "@syncular/console": "0.0.6-100",
+    "@syncular/core": "0.0.6-100",
+    "@syncular/server": "0.0.6-100",
     "@types/json-schema": "^7.0.15",
     "hono-openapi": "^1.2.0",
     "openapi-types": "^12.1.3"
   },
   "devDependencies": {
     "@syncular/config": "0.0.0",
-    "@syncular/dialect-pglite": "0.0.4-26",
-    "@syncular/server-dialect-postgres": "0.0.4-26",
+    "@syncular/dialect-pglite": "0.0.6-100",
+    "@syncular/server-dialect-postgres": "0.0.6-100",
     "kysely": "*",
     "zod": "*"
   },

package/src/__tests__/blob-routes.test.ts

@@ -0,0 +1,424 @@
+import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import type { BlobStorageAdapter } from '@syncular/core';
+import { createDatabase } from '@syncular/core';
+import {
+  type BlobTokenSigner,
+  createBlobManager,
+  createDatabaseBlobStorageAdapter,
+  createHmacTokenSigner,
+  ensureBlobStorageSchemaSqlite,
+  type SyncBlobDb,
+} from '@syncular/server';
+import { Hono } from 'hono';
+import type { Kysely } from 'kysely';
+import { createBunSqliteDialect } from '../../../dialect-bun-sqlite/src';
+import { createBlobRoutes } from '../blobs';
+
+interface UploadInitResponse {
+  exists: boolean;
+  uploadUrl?: string;
+  uploadMethod?: 'PUT' | 'POST';
+}
+
+interface UrlResponse {
+  url: string;
+}
+
+interface CompleteResponse {
+  ok: boolean;
+  error?: string;
+}
+
+const ACTOR_HEADER = 'x-user-id';
+const ACTOR_ID = 'user-1';
+const INVALID_HASH = 'invalid-hash';
+
+function toHex(bytes: Uint8Array): string {
+  return Array.from(bytes)
+    .map((value) => value.toString(16).padStart(2, '0'))
+    .join('');
+}
+
+async function createHash(bytes: Uint8Array): Promise<string> {
+  const digest = await crypto.subtle.digest('SHA-256', bytes);
+  return `sha256:${toHex(new Uint8Array(digest))}`;
+}
+
+async function signBlobToken(args: {
+  signer: BlobTokenSigner;
+  hash: string;
+  action: 'upload' | 'download';
+}): Promise<string> {
+  return args.signer.sign(
+    {
+      hash: args.hash,
+      action: args.action,
+      expiresAt: Date.now() + 60_000,
+    },
+    60
+  );
+}
+
+function createDefaultAdapter(
+  db: Kysely<SyncBlobDb>,
+  tokenSigner: BlobTokenSigner
+): BlobStorageAdapter {
+  return createDatabaseBlobStorageAdapter({
+    db,
+    baseUrl: 'http://localhost/sync',
+    tokenSigner,
+  });
+}
+
+function createFallbackAdapter(
+  db: Kysely<SyncBlobDb>,
+  tokenSigner: BlobTokenSigner
+): BlobStorageAdapter {
+  const adapter = createDefaultAdapter(db, tokenSigner);
+  return {
+    name: 'database-fallback',
+    signUpload: adapter.signUpload,
+    signDownload: adapter.signDownload,
+    exists: adapter.exists,
+    delete: adapter.delete,
+    getMetadata: adapter.getMetadata,
+  };
+}
+
+function buildApp(args: {
+  db: Kysely<SyncBlobDb>;
+  tokenSigner: BlobTokenSigner;
+  adapter: BlobStorageAdapter;
+  authenticate?: (
+    c: Parameters<typeof createBlobRoutes>[0]['authenticate']
+  ) => ReturnType<Parameters<typeof createBlobRoutes>[0]['authenticate']>;
+  canAccessBlob?: Parameters<typeof createBlobRoutes>[0]['canAccessBlob'];
+}): Hono {
+  const blobManager = createBlobManager({
+    db: args.db,
+    adapter: args.adapter,
+  });
+
+  const app = new Hono();
+  app.route(
+    '/sync',
+    createBlobRoutes({
+      blobManager,
+      authenticate: async (c) => {
+        if (args.authenticate) {
+          return args.authenticate(c);
+        }
+        const actorId = c.req.header(ACTOR_HEADER);
+        return actorId ? { actorId } : null;
+      },
+      tokenSigner: args.tokenSigner,
+      db: args.db,
+      canAccessBlob: args.canAccessBlob,
+    })
+  );
+  return app;
+}
+
+async function initiateUpload(args: {
+  app: Hono;
+  hash: string;
+  size: number;
+  mimeType?: string;
+}): Promise<UploadInitResponse> {
+  const response = await args.app.request(
+    'http://localhost/sync/blobs/upload',
+    {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        [ACTOR_HEADER]: ACTOR_ID,
+      },
+      body: JSON.stringify({
+        hash: args.hash,
+        size: args.size,
+        mimeType: args.mimeType ?? 'application/octet-stream',
+      }),
+    }
+  );
+
+  expect(response.status).toBe(200);
+  return (await response.json()) as UploadInitResponse;
+}
+
+describe('createBlobRoutes', () => {
+  let db: Kysely<SyncBlobDb>;
+  let tokenSigner: BlobTokenSigner;
+
+  beforeEach(async () => {
+    db = createDatabase<SyncBlobDb>({
+      dialect: createBunSqliteDialect({ path: ':memory:' }),
+      family: 'sqlite',
+    });
+    await ensureBlobStorageSchemaSqlite(db);
+    tokenSigner = createHmacTokenSigner('blob-route-test-secret');
+  });
+
+  afterEach(async () => {
+    await db.destroy();
+  });
+
+  it('rejects unauthenticated upload initiation', async () => {
+    const app = buildApp({
+      db,
+      tokenSigner,
+      adapter: createDefaultAdapter(db, tokenSigner),
+      authenticate: async () => null,
+    });
+
+    const hash = await createHash(new Uint8Array([1, 2, 3]));
+    const response = await app.request('http://localhost/sync/blobs/upload', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({
+        hash,
+        size: 3,
+        mimeType: 'application/octet-stream',
+      }),
+    });
+
+    expect(response.status).toBe(401);
+    expect(await response.json()).toEqual({ error: 'UNAUTHENTICATED' });
+  });
+
+  it('rejects invalid direct-upload tokens', async () => {
+    const app = buildApp({
+      db,
+      tokenSigner,
+      adapter: createDefaultAdapter(db, tokenSigner),
+    });
+
+    const response = await app.request(
+      `http://localhost/sync/blobs/${encodeURIComponent(`sha256:${'a'.repeat(64)}`)}/upload?token=invalid-token`,
+      {
+        method: 'PUT',
+        body: new Uint8Array([1, 2, 3]),
+      }
+    );
+
+    expect(response.status).toBe(401);
+    expect(await response.json()).toEqual({ error: 'INVALID_TOKEN' });
+  });
+
+  it('rejects direct upload when body size does not match metadata', async () => {
+    const app = buildApp({
+      db,
+      tokenSigner,
+      adapter: createDefaultAdapter(db, tokenSigner),
+    });
+
+    const content = new Uint8Array([1, 2, 3, 4]);
+    const hash = await createHash(content);
+    const init = await initiateUpload({
+      app,
+      hash,
+      size: content.length,
+    });
+
+    const firstUpload = await app.request(init.uploadUrl!, {
+      method: init.uploadMethod ?? 'PUT',
+      body: content,
+    });
+    expect(firstUpload.status).toBe(200);
+
+    const complete = await app.request(
+      `http://localhost/sync/blobs/${encodeURIComponent(hash)}/complete`,
+      {
+        method: 'POST',
+        headers: { [ACTOR_HEADER]: ACTOR_ID },
+      }
+    );
+    expect(complete.status).toBe(200);
+
+    const token = await signBlobToken({
+      signer: tokenSigner,
+      hash,
+      action: 'upload',
+    });
+
+    const response = await app.request(
+      `http://localhost/sync/blobs/${encodeURIComponent(hash)}/upload?token=${encodeURIComponent(token)}`,
+      {
+        method: 'PUT',
+        body: new Uint8Array([1, 2, 3]),
+      }
+    );
+
+    expect(response.status).toBe(400);
+    const payload = (await response.json()) as { error: string };
+    expect(payload.error).toBe('SIZE_MISMATCH');
+  });
+
+  it('rejects direct upload when body hash does not match route hash', async () => {
+    const app = buildApp({
+      db,
+      tokenSigner,
+      adapter: createDefaultAdapter(db, tokenSigner),
+    });
+
+    const expected = new Uint8Array([1, 2, 3, 4]);
+    const hash = await createHash(expected);
+    await initiateUpload({
+      app,
+      hash,
+      size: expected.length,
+    });
+
+    const token = await signBlobToken({
+      signer: tokenSigner,
+      hash,
+      action: 'upload',
+    });
+
+    const response = await app.request(
+      `http://localhost/sync/blobs/${encodeURIComponent(hash)}/upload?token=${encodeURIComponent(token)}`,
+      {
+        method: 'PUT',
+        body: new Uint8Array([9, 9, 9, 9]),
+      }
+    );
+
+    expect(response.status).toBe(400);
+    const payload = (await response.json()) as { error: string };
+    expect(payload.error).toBe('HASH_MISMATCH');
+  });
+
+  it('returns 404 for invalid hash format and 403 for forbidden actor access', async () => {
+    const app = buildApp({
+      db,
+      tokenSigner,
+      adapter: createDefaultAdapter(db, tokenSigner),
+      canAccessBlob: async () => false,
+    });
+
+    const invalidHashResponse = await app.request(
+      `http://localhost/sync/blobs/${INVALID_HASH}/url`,
+      {
+        headers: { [ACTOR_HEADER]: ACTOR_ID },
+      }
+    );
+    expect(invalidHashResponse.status).toBe(404);
+    expect(await invalidHashResponse.json()).toEqual({ error: 'NOT_FOUND' });
+
+    const validHash = `sha256:${'b'.repeat(64)}`;
+    const forbiddenResponse = await app.request(
+      `http://localhost/sync/blobs/${encodeURIComponent(validHash)}/url`,
+      {
+        headers: { [ACTOR_HEADER]: ACTOR_ID },
+      }
+    );
+    expect(forbiddenResponse.status).toBe(403);
+    expect(await forbiddenResponse.json()).toEqual({ error: 'FORBIDDEN' });
+  });
+
+  it('uploads and downloads blobs through adapter put/get branches', async () => {
+    const app = buildApp({
+      db,
+      tokenSigner,
+      adapter: createDefaultAdapter(db, tokenSigner),
+    });
+
+    const content = new TextEncoder().encode('adapter-route-content');
+    const hash = await createHash(content);
+    const init = await initiateUpload({
+      app,
+      hash,
+      size: content.length,
+      mimeType: 'text/plain',
+    });
+
+    expect(init.exists).toBe(false);
+    expect(typeof init.uploadUrl).toBe('string');
+
+    const uploadResponse = await app.request(init.uploadUrl!, {
+      method: init.uploadMethod ?? 'PUT',
+      headers: { 'content-type': 'text/plain' },
+      body: content,
+    });
+    expect(uploadResponse.status).toBe(200);
+
+    const completeResponse = await app.request(
+      `http://localhost/sync/blobs/${encodeURIComponent(hash)}/complete`,
+      {
+        method: 'POST',
+        headers: { [ACTOR_HEADER]: ACTOR_ID },
+      }
+    );
+    expect(completeResponse.status).toBe(200);
+    expect((await completeResponse.json()) as CompleteResponse).toEqual({
+      ok: true,
+      metadata: expect.anything(),
+    });
+
+    const downloadUrlResponse = await app.request(
+      `http://localhost/sync/blobs/${encodeURIComponent(hash)}/url`,
+      {
+        headers: { [ACTOR_HEADER]: ACTOR_ID },
+      }
+    );
+    expect(downloadUrlResponse.status).toBe(200);
+    const { url } = (await downloadUrlResponse.json()) as UrlResponse;
+
+    const downloadResponse = await app.request(url);
+    expect(downloadResponse.status).toBe(200);
+    expect(new Uint8Array(await downloadResponse.arrayBuffer())).toEqual(
+      content
+    );
+  });
+
+  it('uploads and downloads blobs through DB fallback branches when adapter lacks put/get', async () => {
+    const app = buildApp({
+      db,
+      tokenSigner,
+      adapter: createFallbackAdapter(db, tokenSigner),
+    });
+
+    const content = new TextEncoder().encode('database-fallback-content');
+    const hash = await createHash(content);
+    const init = await initiateUpload({
+      app,
+      hash,
+      size: content.length,
+      mimeType: 'text/plain',
+    });
+
+    const uploadResponse = await app.request(init.uploadUrl!, {
+      method: init.uploadMethod ?? 'PUT',
+      headers: { 'content-type': 'text/plain' },
+      body: content,
+    });
+    expect(uploadResponse.status).toBe(200);
+
+    const completeResponse = await app.request(
+      `http://localhost/sync/blobs/${encodeURIComponent(hash)}/complete`,
+      {
+        method: 'POST',
+        headers: { [ACTOR_HEADER]: ACTOR_ID },
+      }
+    );
+    expect(completeResponse.status).toBe(200);
+    expect((await completeResponse.json()) as CompleteResponse).toEqual({
+      ok: true,
+      metadata: expect.anything(),
+    });
+
+    const urlResponse = await app.request(
+      `http://localhost/sync/blobs/${encodeURIComponent(hash)}/url`,
+      {
+        headers: { [ACTOR_HEADER]: ACTOR_ID },
+      }
+    );
+    expect(urlResponse.status).toBe(200);
+    const payload = (await urlResponse.json()) as UrlResponse;
+
+    const downloadResponse = await app.request(payload.url);
+    expect(downloadResponse.status).toBe(200);
+    expect(new Uint8Array(await downloadResponse.arrayBuffer())).toEqual(
+      content
+    );
+  });
+});

package/src/__tests__/console-gateway-live-routes.test.ts

@@ -11,14 +11,20 @@ function isRecord(value: unknown): value is Record<string, unknown> {
 
 class MockDownstreamSocket {
   url: string;
+  onopen: ((event: Event) => void) | null = null;
   onmessage: ((event: MessageEvent) => void) | null = null;
   onerror: ((event: Event) => void) | null = null;
   closeCalls = 0;
+  sent: string[] = [];
 
   constructor(url: string) {
     this.url = url;
   }
 
+  emitOpen() {
+    this.onopen?.(new Event('open'));
+  }
+
   emitJson(payload: Record<string, unknown>) {
     this.onmessage?.(
       new MessageEvent('message', { data: JSON.stringify(payload) })
@@ -32,6 +38,10 @@ class MockDownstreamSocket {
   close() {
     this.closeCalls += 1;
   }
+
+  send(data: string) {
+    this.sent.push(data);
+  }
 }
 
 function createGatewayLiveHarness() {
@@ -151,10 +161,19 @@ describe('createConsoleGatewayRoutes live fan-in', () => {
 
     const alphaUrl = new URL(alphaSocket.url);
     expect(alphaUrl.pathname).toBe('/api/alpha/console/events/live');
-    expect(alphaUrl.searchParams.get('token')).toBe(CONSOLE_TOKEN);
+    expect(alphaUrl.searchParams.get('token')).toBeNull();
     expect(alphaUrl.searchParams.get('partitionId')).toBe('tenant-a');
     expect(alphaUrl.searchParams.get('replayLimit')).toBe('42');
 
+    alphaSocket.emitOpen();
+    betaSocket.emitOpen();
+    expect(alphaSocket.sent[0]).toBe(
+      JSON.stringify({ type: 'auth', token: CONSOLE_TOKEN })
+    );
+    expect(betaSocket.sent[0]).toBe(
+      JSON.stringify({ type: 'auth', token: CONSOLE_TOKEN })
+    );
+
     const connectedEvent = upstream.messages.find(
       (message) => message.type === 'connected'
     );
@@ -191,19 +210,51 @@ describe('createConsoleGatewayRoutes live fan-in', () => {
     );
   });
 
-  it('closes the upstream socket when auth is missing', async () => {
+  it('accepts auth over first websocket message when headers are missing', async () => {
     const { app, downstreamSockets, getEvents } = createGatewayLiveHarness();
 
     const response = await app.request('http://localhost/console/events/live');
     expect(response.status).toBe(200);
 
     const events = getEvents();
-    if (!events?.onOpen) {
+    if (!events?.onOpen || !events.onMessage) {
       throw new Error('Expected websocket onOpen handler to be captured.');
     }
 
     const upstream = createUpstreamSocketHarness();
     events.onOpen(new Event('open'), upstream.ws);
+    expect(downstreamSockets).toHaveLength(0);
+
+    await events.onMessage(
+      new MessageEvent('message', {
+        data: JSON.stringify({ type: 'auth', token: CONSOLE_TOKEN }),
+      }),
+      upstream.ws
+    );
+
+    expect(upstream.messages[0]?.type).toBe('connected');
+    expect(downstreamSockets).toHaveLength(2);
+  });
+
+  it('closes the upstream socket when websocket auth token is invalid', async () => {
+    const { app, downstreamSockets, getEvents } = createGatewayLiveHarness();
+
+    const response = await app.request('http://localhost/console/events/live');
+    expect(response.status).toBe(200);
+
+    const events = getEvents();
+    if (!events?.onOpen || !events.onMessage) {
+      throw new Error('Expected websocket handlers to be captured.');
+    }
+
+    const upstream = createUpstreamSocketHarness();
+    events.onOpen(new Event('open'), upstream.ws);
+    await events.onMessage(
+      new MessageEvent('message', {
+        data: JSON.stringify({ type: 'auth', token: 'bad-token' }),
+      }),
+      upstream.ws
+    );
 
     const errorEvent = upstream.messages[0];
     expect(errorEvent?.type).toBe('error');