@syncular/server-hono 0.0.6-159 → 0.0.6-165

package/dist/console/gateway.js

@@ -1,8 +1,9 @@
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
-import { describeRoute, resolver, validator as zValidator } from 'hono-openapi';
+import { resolver, validator as zValidator } from 'hono-openapi';
 import { z } from 'zod';
 import { closeUnauthenticatedSocket, parseBearerToken, parseWebSocketAuthToken, } from './live-auth.js';
+import { describeConsoleGatewayRoute } from './route-descriptor.js';
 import { ApiKeyTypeSchema, ConsoleApiKeyBulkRevokeRequestSchema, ConsoleApiKeyBulkRevokeResponseSchema, ConsoleApiKeyCreateRequestSchema, ConsoleApiKeyCreateResponseSchema, ConsoleApiKeyRevokeResponseSchema, ConsoleApiKeySchema, ConsoleClearEventsResultSchema, ConsoleClientSchema, ConsoleCommitDetailSchema, ConsoleCommitListItemSchema, ConsoleCompactResultSchema, ConsoleEvictResultSchema, ConsoleHandlerSchema, ConsoleOperationEventSchema, ConsoleOperationsQuerySchema, ConsolePaginatedResponseSchema, ConsolePaginationQuerySchema, ConsolePartitionedPaginationQuerySchema, ConsolePartitionQuerySchema, ConsolePruneEventsResultSchema, ConsolePrunePreviewSchema, ConsolePruneResultSchema, ConsoleRequestEventSchema, ConsoleRequestPayloadSchema, ConsoleTimelineItemSchema, ConsoleTimelineQuerySchema, LatencyQuerySchema, LatencyStatsResponseSchema, SyncStatsSchema, TimeseriesQuerySchema, TimeseriesStatsResponseSchema, } from './schemas.js';
 const GatewayFailureSchema = z.object({
     instanceId: z.string(),
@@ -817,8 +818,7 @@ export function createConsoleGatewayRoutes(options) {
             failedInstances,
         };
     };
-    routes.get('/instances', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/instances', describeConsoleGatewayRoute({
         summary: 'List configured downstream console instances',
         responses: {
             200: {
@@ -850,8 +850,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/instances/health', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/instances/health', describeConsoleGatewayRoute({
         summary: 'Probe downstream console health by instance',
         responses: {
             200: {
@@ -897,8 +896,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/handlers', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/handlers', describeConsoleGatewayRoute({
         summary: 'List handlers for a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -922,8 +920,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.post('/prune/preview', describeRoute({
-        tags: ['console-gateway'],
+    routes.post('/prune/preview', describeConsoleGatewayRoute({
         summary: 'Preview prune on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -947,8 +944,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.post('/prune', describeRoute({
-        tags: ['console-gateway'],
+    routes.post('/prune', describeConsoleGatewayRoute({
         summary: 'Trigger prune on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -972,8 +968,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.post('/compact', describeRoute({
-        tags: ['console-gateway'],
+    routes.post('/compact', describeConsoleGatewayRoute({
         summary: 'Trigger compaction on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -997,8 +992,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.post('/notify-data-change', describeRoute({
-        tags: ['console-gateway'],
+    routes.post('/notify-data-change', describeConsoleGatewayRoute({
         summary: 'Notify data change on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -1024,8 +1018,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.delete('/clients/:id', describeRoute({
-        tags: ['console-gateway'],
+    routes.delete('/clients/:id', describeConsoleGatewayRoute({
         summary: 'Evict client on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -1050,8 +1043,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.delete('/events', describeRoute({
-        tags: ['console-gateway'],
+    routes.delete('/events', describeConsoleGatewayRoute({
         summary: 'Clear request events on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -1075,8 +1067,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.post('/events/prune', describeRoute({
-        tags: ['console-gateway'],
+    routes.post('/events/prune', describeConsoleGatewayRoute({
         summary: 'Prune request events on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -1100,8 +1091,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/api-keys', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/api-keys', describeConsoleGatewayRoute({
         summary: 'List API keys for a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -1125,8 +1115,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.post('/api-keys', describeRoute({
-        tags: ['console-gateway'],
+    routes.post('/api-keys', describeConsoleGatewayRoute({
         summary: 'Create API key on a single target instance (requires instance selection)',
         responses: {
             201: {
@@ -1152,8 +1141,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/api-keys/:id', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/api-keys/:id', describeConsoleGatewayRoute({
         summary: 'Get API key from a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -1178,8 +1166,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.delete('/api-keys/:id', describeRoute({
-        tags: ['console-gateway'],
+    routes.delete('/api-keys/:id', describeConsoleGatewayRoute({
         summary: 'Revoke API key on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -1204,8 +1191,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.post('/api-keys/bulk-revoke', describeRoute({
-        tags: ['console-gateway'],
+    routes.post('/api-keys/bulk-revoke', describeConsoleGatewayRoute({
         summary: 'Bulk revoke API keys on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -1231,8 +1217,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.post('/api-keys/:id/rotate/stage', describeRoute({
-        tags: ['console-gateway'],
+    routes.post('/api-keys/:id/rotate/stage', describeConsoleGatewayRoute({
         summary: 'Stage-rotate API key on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -1257,8 +1242,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.post('/api-keys/:id/rotate', describeRoute({
-        tags: ['console-gateway'],
+    routes.post('/api-keys/:id/rotate', describeConsoleGatewayRoute({
         summary: 'Rotate API key on a single target instance (requires instance selection)',
         responses: {
             200: {
@@ -1283,8 +1267,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/stats', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/stats', describeConsoleGatewayRoute({
         summary: 'Get merged sync stats across instances',
         responses: {
             200: {
@@ -1342,8 +1325,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/stats/timeseries', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/stats/timeseries', describeConsoleGatewayRoute({
         summary: 'Get merged time-series stats across instances',
         responses: {
             200: {
@@ -1382,8 +1364,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/stats/latency', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/stats/latency', describeConsoleGatewayRoute({
         summary: 'Get merged latency stats across instances',
         responses: {
             200: {
@@ -1422,8 +1403,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/commits', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/commits', describeConsoleGatewayRoute({
         summary: 'List merged commits across instances',
         responses: {
             200: {
@@ -1483,8 +1463,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/commits/:seq', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/commits/:seq', describeConsoleGatewayRoute({
         summary: 'Get merged commit detail by federated id',
         responses: {
             200: {
@@ -1533,8 +1512,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/clients', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/clients', describeConsoleGatewayRoute({
         summary: 'List merged clients across instances',
         responses: {
             200: {
@@ -1594,8 +1572,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/timeline', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/timeline', describeConsoleGatewayRoute({
         summary: 'List merged timeline items across instances',
         responses: {
             200: {
@@ -1668,8 +1645,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/operations', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/operations', describeConsoleGatewayRoute({
         summary: 'List merged operation events across instances',
         responses: {
             200: {
@@ -1730,8 +1706,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/events', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/events', describeConsoleGatewayRoute({
         summary: 'List merged request events across instances',
         responses: {
             200: {
@@ -1796,10 +1771,13 @@ export function createConsoleGatewayRoutes(options) {
         options.websocket?.upgradeWebSocket !== undefined) {
         const upgradeWebSocket = options.websocket.upgradeWebSocket;
         const heartbeatIntervalMs = options.websocket.heartbeatIntervalMs ?? 30000;
+        const maxMessageBytes = options.websocket.maxMessageBytes ?? 1024 * 1024;
+        const maxMessagesPerWindow = options.websocket.maxMessagesPerWindow ?? 120;
+        const messageRateWindowMs = options.websocket.messageRateWindowMs ?? 10000;
         const createDownstreamSocket = options.websocket.createWebSocket ??
             ((url) => new WebSocket(url));
         const liveState = new WeakMap();
-        routes.get('/events/live', upgradeWebSocket(async (c) => {
+        const liveEventsWebSocketRoute = upgradeWebSocket(async (c) => {
             const initialAuth = await options.authenticate(c);
             const partitionId = c.req.query('partitionId')?.trim() || undefined;
             const replaySince = c.req.query('since')?.trim() || undefined;
@@ -1866,6 +1844,8 @@ export function createConsoleGatewayRoutes(options) {
                         authTimeout: null,
                         isAuthenticated: false,
                         startAuthenticatedSession: null,
+                        messageRateWindowStart: Date.now(),
+                        messageRateWindowCount: 0,
                     };
                     liveState.set(ws, state);
                     const startAuthenticatedSession = (upstreamBearerToken) => {
@@ -1985,7 +1965,29 @@ export function createConsoleGatewayRoutes(options) {
                 },
                 async onMessage(event, ws) {
                     const state = liveState.get(ws);
-                    if (!state || state.isAuthenticated) {
+                    if (!state) {
+                        return;
+                    }
+                    const messageBytes = measureWebSocketMessageBytes(event.data);
+                    if (messageBytes > maxMessageBytes) {
+                        ws.close(1009, 'message too large');
+                        cleanup(ws);
+                        return;
+                    }
+                    if (maxMessagesPerWindow > 0 && messageRateWindowMs > 0) {
+                        const nowMs = Date.now();
+                        if (nowMs - state.messageRateWindowStart >= messageRateWindowMs) {
+                            state.messageRateWindowStart = nowMs;
+                            state.messageRateWindowCount = 0;
+                        }
+                        state.messageRateWindowCount += 1;
+                        if (state.messageRateWindowCount > maxMessagesPerWindow) {
+                            ws.close(1008, 'message rate exceeded');
+                            cleanup(ws);
+                            return;
+                        }
+                    }
+                    if (state.isAuthenticated) {
                         return;
                     }
                     if (typeof event.data !== 'string') {
@@ -2018,10 +2020,15 @@ export function createConsoleGatewayRoutes(options) {
                     cleanup(ws);
                 },
             };
-        }));
+        });
+        routes.get('/events/live', async (c, next) => {
+            if (!isWebSocketOriginAllowed(c, options.websocket?.allowedOrigins)) {
+                return c.json({ error: 'FORBIDDEN_ORIGIN' }, 403);
+            }
+            return liveEventsWebSocketRoute(c, next);
+        });
     }
-    routes.get('/events/:id', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/events/:id', describeConsoleGatewayRoute({
         summary: 'Get merged event detail by federated id',
         responses: {
             200: {
@@ -2074,8 +2081,7 @@ export function createConsoleGatewayRoutes(options) {
             });
         });
     });
-    routes.get('/events/:id/payload', describeRoute({
-        tags: ['console-gateway'],
+    routes.get('/events/:id/payload', describeConsoleGatewayRoute({
         summary: 'Get merged event payload by federated id',
         responses: {
             200: {
@@ -2130,4 +2136,35 @@ export function createConsoleGatewayRoutes(options) {
     });
     return routes;
 }
+function isWebSocketOriginAllowed(c, allowedOrigins) {
+    if (!allowedOrigins)
+        return true;
+    if (allowedOrigins === '*')
+        return true;
+    const origin = c.req.header('origin');
+    if (!origin)
+        return false;
+    try {
+        const normalizedOrigin = new URL(origin).origin;
+        return allowedOrigins.includes(normalizedOrigin);
+    }
+    catch {
+        return false;
+    }
+}
+function measureWebSocketMessageBytes(data) {
+    if (typeof data === 'string') {
+        return new TextEncoder().encode(data).byteLength;
+    }
+    if (data instanceof ArrayBuffer) {
+        return data.byteLength;
+    }
+    if (ArrayBuffer.isView(data)) {
+        return data.byteLength;
+    }
+    if (typeof Blob !== 'undefined' && data instanceof Blob) {
+        return data.size;
+    }
+    return new TextEncoder().encode(String(data)).byteLength;
+}
 //# sourceMappingURL=gateway.js.map