@syncular/server-hono 0.0.6-171 → 0.0.6-177

package/src/__tests__/create-server.test.ts

@@ -12,7 +12,10 @@ import { defineWebSocketHelper, WSContext, type WSEvents } from 'hono/ws';
 import { type Kysely, sql } from 'kysely';
 import { createSyncServer } from '../create-server';
 import { getSyncWebSocketConnectionManager } from '../routes';
-import type { WebSocketConnection } from '../ws';
+import {
+  createWebSocketConnectionOwnerKey,
+  type WebSocketConnection,
+} from '../ws';
 
 interface TasksTable {
   id: string;
@@ -92,6 +95,11 @@ describe('createSyncServer console configuration', () => {
     return {
       actorId: args.actorId,
       clientId: args.clientId,
+      ownerKey: createWebSocketConnectionOwnerKey({
+        partitionId: 'default',
+        actorId: args.actorId,
+        clientId: args.clientId,
+      }),
       transportPath: 'direct',
       get isOpen() {
         return true;
@@ -132,15 +140,18 @@ describe('createSyncServer console configuration', () => {
   function createPushRequest(args?: {
     requestId?: string;
     title?: string;
+    clientId?: string;
+    headers?: Record<string, string>;
   }): Request {
     return new Request('http://localhost/sync', {
       method: 'POST',
       headers: {
         'content-type': 'application/json',
         ...(args?.requestId ? { 'x-request-id': args.requestId } : {}),
+        ...args?.headers,
       },
       body: JSON.stringify({
-        clientId: 'client-1',
+        clientId: args?.clientId ?? 'client-1',
         push: {
           clientCommitId: 'commit-1',
           schemaVersion: 1,
@@ -162,6 +173,34 @@ describe('createSyncServer console configuration', () => {
     });
   }
 
+  function createPullRequest(args: {
+    clientId: string;
+    userId: string;
+    subscriptionUserId: string;
+  }): Request {
+    return new Request('http://localhost/sync', {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        'x-user-id': args.userId,
+      },
+      body: JSON.stringify({
+        clientId: args.clientId,
+        pull: {
+          limitCommits: 10,
+          subscriptions: [
+            {
+              id: 'tasks-sub',
+              table: 'tasks',
+              scopes: { user_id: args.subscriptionUserId },
+              cursor: -1,
+            },
+          ],
+        },
+      }),
+    });
+  }
+
   function parseSnapshotValue(value: unknown): unknown {
     if (typeof value !== 'string') {
       return value;
@@ -428,6 +467,152 @@ describe('createSyncServer console configuration', () => {
     });
   });
 
+  it('allows same-origin realtime websocket upgrades when allowedOrigins is unset', async () => {
+    const options = createOptions();
+    let capturedEvents: WSEvents | null = null;
+    const upgradeWebSocket = defineWebSocketHelper(async (_c, events) => {
+      capturedEvents = events;
+      return new Response(null, { status: 200 });
+    });
+
+    const server = createSyncServer({
+      ...options,
+      upgradeWebSocket,
+    });
+
+    const app = new Hono();
+    app.route('/sync', server.syncRoutes);
+
+    const response = await app.request(
+      'http://localhost/sync/realtime?clientId=client-origin-default',
+      {
+        headers: {
+          Origin: 'http://localhost',
+        },
+      }
+    );
+
+    expect(response.status).toBe(200);
+    expect(capturedEvents).not.toBeNull();
+  });
+
+  it('rejects realtime hijack attempts before websocket upgrade', async () => {
+    const options = createOptions();
+    let capturedEvents: WSEvents | null = null;
+    const upgradeWebSocket = defineWebSocketHelper(async (_c, events) => {
+      capturedEvents = events;
+      return new Response(null, { status: 200 });
+    });
+
+    const server = createSyncServer({
+      ...options,
+      upgradeWebSocket,
+      sync: {
+        ...options.sync,
+        authenticate: async (request) => {
+          const actorId = request.headers.get('x-user-id');
+          return actorId ? { actorId } : null;
+        },
+      },
+    });
+
+    const app = new Hono();
+    app.route('/sync', server.syncRoutes);
+
+    const seedResponse = await app.request(
+      createPushRequest({
+        clientId: 'shared-client',
+        headers: {
+          'x-user-id': 'u1',
+        },
+      })
+    );
+    expect(seedResponse.status).toBe(200);
+
+    const hijackResponse = await app.request(
+      'http://localhost/sync/realtime?clientId=shared-client',
+      {
+        headers: {
+          'x-user-id': 'u2',
+          Origin: 'http://localhost',
+        },
+      }
+    );
+
+    expect(hijackResponse.status).toBe(400);
+    expect(await hijackResponse.json()).toEqual({
+      error: 'INVALID_CLIENT_ID',
+      message: 'clientId is already bound to a different actor',
+    });
+    expect(capturedEvents).toBeNull();
+  });
+
+  it('allows stale-scope rebinding after a fully revoked pull', async () => {
+    const options = createOptions();
+    const server = createSyncServer({
+      ...options,
+      sync: {
+        ...options.sync,
+        authenticate: async (request) => {
+          const actorId = request.headers.get('x-user-id');
+          return actorId ? { actorId } : null;
+        },
+      },
+    });
+
+    const app = new Hono();
+    app.route('/sync', server.syncRoutes);
+
+    const initialPull = await app.request(
+      createPullRequest({
+        clientId: 'shared-client',
+        userId: 'u1',
+        subscriptionUserId: 'u1',
+      })
+    );
+    expect(initialPull.status).toBe(200);
+
+    const revokedPull = await app.request(
+      createPullRequest({
+        clientId: 'shared-client',
+        userId: 'u2',
+        subscriptionUserId: 'u1',
+      })
+    );
+    expect(revokedPull.status).toBe(200);
+    expect(await revokedPull.json()).toMatchObject({
+      ok: true,
+      pull: {
+        subscriptions: [
+          {
+            id: 'tasks-sub',
+            status: 'revoked',
+          },
+        ],
+      },
+    });
+
+    const reboundPull = await app.request(
+      createPullRequest({
+        clientId: 'shared-client',
+        userId: 'u2',
+        subscriptionUserId: 'u2',
+      })
+    );
+    expect(reboundPull.status).toBe(200);
+    expect(await reboundPull.json()).toMatchObject({
+      ok: true,
+      pull: {
+        subscriptions: [
+          {
+            id: 'tasks-sub',
+            status: 'active',
+          },
+        ],
+      },
+    });
+  });
+
   it('forwards websocket allowedOrigins from factory to console live route', async () => {
     const options = createOptions();
     const upgradeWebSocket = defineWebSocketHelper(async () => {});

package/src/__tests__/pull-chunk-storage.test.ts

@@ -430,7 +430,7 @@ describe('createSyncRoutes chunkStorage wiring', () => {
         },
       })
     );
-    expect(noScopesResponse.status).toBe(200);
+    expect(noScopesResponse.status).toBe(400);
 
     const wrongScopesResponse = await app.request(
       new Request(`http://localhost/sync/snapshot-chunks/${chunkId}`, {
@@ -458,6 +458,119 @@ describe('createSyncRoutes chunkStorage wiring', () => {
     ]);
   });
 
+  it('rejects reusing a client id from another actor', async () => {
+    const tasksHandler = createServerHandler<ServerDb, ClientDb, 'tasks'>({
+      table: 'tasks',
+      scopes: ['user:{user_id}'],
+      resolveScopes: async (ctx) => ({ user_id: [ctx.actorId] }),
+      apply: async ({ tx }, change) => {
+        if (change.op !== 'upsert' || !change.row_json) {
+          return { ok: true };
+        }
+
+        const row = change.row_json;
+        if (
+          typeof row !== 'object' ||
+          row === null ||
+          typeof row.id !== 'string' ||
+          typeof row.user_id !== 'string' ||
+          typeof row.title !== 'string' ||
+          typeof row.server_version !== 'number'
+        ) {
+          throw new Error('Unexpected task payload');
+        }
+
+        await tx
+          .insertInto('tasks')
+          .values({
+            id: row.id,
+            user_id: row.user_id,
+            title: row.title,
+            server_version: row.server_version,
+          })
+          .execute();
+
+        return { ok: true };
+      },
+    });
+
+    const routes = createSyncRoutes({
+      db,
+      dialect,
+      handlers: [tasksHandler],
+      authenticate: async (c) => {
+        const actorId = c.req.header('x-user-id');
+        return actorId ? { actorId } : null;
+      },
+    });
+
+    const app = new Hono();
+    app.route('/sync', routes);
+
+    const firstResponse = await app.request(
+      new Request('http://localhost/sync', {
+        method: 'POST',
+        headers: {
+          'content-type': 'application/json',
+          'x-user-id': 'u1',
+        },
+        body: JSON.stringify({
+          clientId: 'shared-client',
+          push: {
+            clientCommitId: 'commit-u1',
+            schemaVersion: 1,
+            operations: [
+              {
+                table: 'tasks',
+                row_id: 'task-shared',
+                op: 'upsert',
+                base_version: null,
+                payload: {
+                  id: 'task-shared',
+                  user_id: 'u1',
+                  title: 'Owned by u1',
+                  server_version: 0,
+                },
+              },
+            ],
+          },
+        }),
+      })
+    );
+
+    expect(firstResponse.status).toBe(200);
+
+    const reusedClientResponse = await app.request(
+      new Request('http://localhost/sync', {
+        method: 'POST',
+        headers: {
+          'content-type': 'application/json',
+          'x-user-id': 'u2',
+        },
+        body: JSON.stringify({
+          clientId: 'shared-client',
+          pull: {
+            limitCommits: 10,
+            subscriptions: [
+              {
+                id: 'sub-1',
+                table: 'tasks',
+                scopes: { user_id: 'u2' },
+                cursor: -1,
+              },
+            ],
+          },
+        }),
+      })
+    );
+
+    expect(reusedClientResponse.status).toBe(400);
+    expect(await reusedClientResponse.json()).toEqual({
+      error: 'INVALID_CLIENT_ID',
+      message: 'clientId is already bound to a different actor',
+    });
+  });
+
   it('bundles multiple snapshot pages into one stored chunk', async () => {
     await db
       .insertInto('tasks')

package/src/__tests__/websocket-origin.test.ts

@@ -0,0 +1,55 @@
+import { describe, expect, it } from 'bun:test';
+import { isRequestOriginAllowed } from '../websocket-origin';
+
+describe('websocket origin policy', () => {
+  it('allows same-origin browser upgrades by default', () => {
+    expect(
+      isRequestOriginAllowed({
+        requestUrl: 'http://localhost/sync/realtime?clientId=client-1',
+        originHeader: 'http://localhost',
+      })
+    ).toBe(true);
+  });
+
+  it('rejects cross-origin browser upgrades by default', () => {
+    expect(
+      isRequestOriginAllowed({
+        requestUrl: 'http://localhost/sync/realtime?clientId=client-1',
+        originHeader: 'https://evil.syncular.test',
+      })
+    ).toBe(false);
+  });
+
+  it('allows origin-less non-browser requests by default', () => {
+    expect(
+      isRequestOriginAllowed({
+        requestUrl: 'http://localhost/sync/realtime?clientId=client-1',
+      })
+    ).toBe(true);
+  });
+
+  it('requires an exact match when allowedOrigins is configured', () => {
+    expect(
+      isRequestOriginAllowed({
+        requestUrl: 'http://localhost/sync/realtime?clientId=client-1',
+        originHeader: 'https://app.syncular.test',
+        allowedOrigins: ['https://app.syncular.test'],
+      })
+    ).toBe(true);
+
+    expect(
+      isRequestOriginAllowed({
+        requestUrl: 'http://localhost/sync/realtime?clientId=client-1',
+        originHeader: 'https://evil.syncular.test',
+        allowedOrigins: ['https://app.syncular.test'],
+      })
+    ).toBe(false);
+
+    expect(
+      isRequestOriginAllowed({
+        requestUrl: 'http://localhost/sync/realtime?clientId=client-1',
+        allowedOrigins: ['https://app.syncular.test'],
+      })
+    ).toBe(false);
+  });
+});

package/src/__tests__/ws-connection-manager.test.ts

@@ -1,5 +1,9 @@
 import { describe, expect, it } from 'bun:test';
-import { type WebSocketConnection, WebSocketConnectionManager } from '../ws';
+import {
+  createWebSocketConnectionOwnerKey,
+  type WebSocketConnection,
+  WebSocketConnectionManager,
+} from '../ws';
 
 function createConn(args: {
   actorId: string;
@@ -14,6 +18,11 @@ function createConn(args: {
     },
     actorId: args.actorId,
     clientId: args.clientId,
+    ownerKey: createWebSocketConnectionOwnerKey({
+      partitionId: 'default',
+      actorId: args.actorId,
+      clientId: args.clientId,
+    }),
     transportPath: 'direct',
     sendSync(cursor) {
       if (!open) return;
@@ -66,7 +75,7 @@ describe('WebSocketConnectionManager (scopes)', () => {
     mgr.register(c1, ['project:p1']);
     mgr.notifyScopeKeys(['project:p1'], 1);
 
-    mgr.updateClientScopeKeys('c1', ['project:p2']);
+    mgr.updateConnectionScopeKeys(c1.ownerKey, ['project:p2']);
     mgr.notifyScopeKeys(['project:p1'], 2);
     mgr.notifyScopeKeys(['project:p2'], 3);
 
@@ -140,11 +149,15 @@ describe('WebSocketConnectionManager (scopes)', () => {
 
     mgr.register(c1, ['user:u1']);
 
-    const denied = mgr.joinPresence('c1', 'user:u2', { status: 'denied' });
+    const denied = mgr.joinPresence(c1.ownerKey, 'user:u2', {
+      status: 'denied',
+    });
     expect(denied).toBe(false);
     expect(mgr.getPresence('user:u2')).toEqual([]);
 
-    const allowed = mgr.joinPresence('c1', 'user:u1', { status: 'ok' });
+    const allowed = mgr.joinPresence(c1.ownerKey, 'user:u1', {
+      status: 'ok',
+    });
     expect(allowed).toBe(true);
     expect(mgr.getPresence('user:u1')).toHaveLength(1);
   });
@@ -158,14 +171,16 @@ describe('WebSocketConnectionManager (scopes)', () => {
     });
 
     mgr.register(c1, ['user:u1']);
-    expect(mgr.joinPresence('c1', 'user:u1', { status: 'initial' })).toBe(true);
+    expect(
+      mgr.joinPresence(c1.ownerKey, 'user:u1', { status: 'initial' })
+    ).toBe(true);
 
-    const denied = mgr.updatePresenceMetadata('c1', 'user:u2', {
+    const denied = mgr.updatePresenceMetadata(c1.ownerKey, 'user:u2', {
       status: 'denied',
     });
     expect(denied).toBe(false);
 
-    const allowed = mgr.updatePresenceMetadata('c1', 'user:u1', {
+    const allowed = mgr.updatePresenceMetadata(c1.ownerKey, 'user:u1', {
       status: 'updated',
     });
     expect(allowed).toBe(true);

package/src/console/gateway.ts

@@ -4,6 +4,7 @@ import { cors } from 'hono/cors';
 import type { UpgradeWebSocket } from 'hono/ws';
 import { resolver, validator as zValidator } from 'hono-openapi';
 import { z } from 'zod';
+import { isWebSocketOriginAllowed } from '../websocket-origin';
 import {
   closeUnauthenticatedSocket,
   parseBearerToken,
@@ -91,6 +92,11 @@ export interface CreateConsoleGatewayRoutesOptions {
     maxMessageBytes?: number;
     maxMessagesPerWindow?: number;
     messageRateWindowMs?: number;
+    /**
+     * - undefined: allow same-origin browser upgrades and origin-less non-browser clients
+     * - '*': allow all origins
+     * - string[]: exact origin match (scheme + host + port)
+     */
     allowedOrigins?: string[] | '*';
   };
 }
@@ -3009,24 +3015,6 @@ export function createConsoleGatewayRoutes(
   return routes;
 }
 
-function isWebSocketOriginAllowed(
-  c: Context,
-  allowedOrigins?: string[] | '*'
-): boolean {
-  if (!allowedOrigins) return true;
-  if (allowedOrigins === '*') return true;
-
-  const origin = c.req.header('origin');
-  if (!origin) return false;
-
-  try {
-    const normalizedOrigin = new URL(origin).origin;
-    return allowedOrigins.includes(normalizedOrigin);
-  } catch {
-    return false;
-  }
-}
-
 function measureWebSocketMessageBytes(data: unknown): number {
   if (typeof data === 'string') {
     return new TextEncoder().encode(data).byteLength;

package/src/console/routes.ts

@@ -20,9 +20,9 @@ import type { SqlFamily, SyncCoreDb, SyncServerAuth } from '@syncular/server';
 import {
   coerceNumber,
   compactChanges,
-  computePruneWatermarkCommitSeq,
   notifyExternalDataChange,
   parseJsonValue,
+  previewPruneSync,
   pruneSync,
   readSyncStats,
 } from '@syncular/server';
@@ -32,6 +32,7 @@ import { cors } from 'hono/cors';
 import { resolver, validator as zValidator } from 'hono-openapi';
 import { type Generated, type Kysely, type Selectable, sql } from 'kysely';
 import { z } from 'zod';
+import { isWebSocketOriginAllowed } from '../websocket-origin';
 import {
   closeUnauthenticatedSocket,
   parseBearerToken,
@@ -2072,19 +2073,15 @@ export function createConsoleRoutes<
       },
     }),
     async (c) => {
-      const watermarkCommitSeq = await computePruneWatermarkCommitSeq(
-        options.db,
-        options.prune
+      const previews = await previewPruneSync(options.db, options.prune);
+      const watermarkCommitSeq = previews.reduce(
+        (max, preview) => Math.max(max, preview.watermarkCommitSeq),
+        0
+      );
+      const commitsToDelete = previews.reduce(
+        (total, preview) => total + preview.commitsToDelete,
+        0
       );
-
-      // Count commits that would be deleted
-      const countRow = await db
-        .selectFrom('sync_commits')
-        .select(({ fn }) => fn.countAll().as('count'))
-        .where('commit_seq', '<=', watermarkCommitSeq)
-        .executeTakeFirst();
-
-      const commitsToDelete = coerceNumber(countRow?.count) ?? 0;
 
       const preview: ConsolePrunePreview = {
         watermarkCommitSeq,
@@ -2119,15 +2116,19 @@ export function createConsoleRoutes<
       },
     }),
     async (c) => {
-      const watermarkCommitSeq = await computePruneWatermarkCommitSeq(
-        options.db,
-        options.prune
+      const previews = await previewPruneSync(options.db, options.prune);
+      const watermarkCommitSeq = previews.reduce(
+        (max, preview) => Math.max(max, preview.watermarkCommitSeq),
+        0
       );
-
-      const deletedCommits = await pruneSync(options.db, {
-        watermarkCommitSeq,
-        keepNewestCommits: options.prune?.keepNewestCommits,
-      });
+      let deletedCommits = 0;
+      for (const preview of previews) {
+        deletedCommits += await pruneSync(options.db, {
+          partitionId: preview.partitionId,
+          watermarkCommitSeq: preview.watermarkCommitSeq,
+          keepNewestCommits: options.prune?.keepNewestCommits,
+        });
+      }
 
       logSyncEvent({
         event: 'console.prune',
@@ -3780,24 +3781,6 @@ export function createConsoleRoutes<
   return routes;
 }
 
-function isWebSocketOriginAllowed(
-  c: Context,
-  allowedOrigins?: string[] | '*'
-): boolean {
-  if (!allowedOrigins) return true;
-  if (allowedOrigins === '*') return true;
-
-  const origin = c.req.header('origin');
-  if (!origin) return false;
-
-  try {
-    const normalizedOrigin = new URL(origin).origin;
-    return allowedOrigins.includes(normalizedOrigin);
-  } catch {
-    return false;
-  }
-}
-
 function measureWebSocketMessageBytes(data: unknown): number {
   if (typeof data === 'string') {
     return new TextEncoder().encode(data).byteLength;

package/src/console/types.ts

@@ -203,7 +203,7 @@ export interface CreateConsoleRoutesOptions<
     messageRateWindowMs?: number;
     /**
      * Optional list of allowed websocket origins.
-     * - undefined: allow all origins
+     * - undefined: allow same-origin browser upgrades and origin-less non-browser clients
      * - '*': allow all origins
      * - string[]: exact origin match (scheme + host + port)
      */

package/src/proxy/routes.ts

@@ -20,6 +20,7 @@ import type { Context } from 'hono';
 import { Hono } from 'hono';
 import type { UpgradeWebSocket, WSContext } from 'hono/ws';
 import type { Kysely } from 'kysely';
+import { isWebSocketOriginAllowed } from '../websocket-origin';
 import { ProxyConnectionManager } from './connection-manager';
 
 /**
@@ -65,7 +66,9 @@ interface CreateProxyRoutesConfig<DB extends SyncCoreDb = SyncCoreDb> {
   maxMessageBytes?: number;
   /**
    * Optional list of allowed websocket origins.
-   * Use '*' to allow all origins.
+   * - undefined: allow same-origin browser upgrades and origin-less non-browser clients
+   * - '*': allow all origins
+   * - string[]: exact origin match (scheme + host + port)
    */
   allowedOrigins?: string[] | '*';
 }
@@ -233,24 +236,6 @@ export function createProxyRoutes<DB extends SyncCoreDb>(
   return app;
 }
 
-function isWebSocketOriginAllowed(
-  c: Context,
-  allowedOrigins?: string[] | '*'
-): boolean {
-  if (!allowedOrigins) return true;
-  if (allowedOrigins === '*') return true;
-
-  const origin = c.req.header('origin');
-  if (!origin) return false;
-
-  try {
-    const normalizedOrigin = new URL(origin).origin;
-    return allowedOrigins.includes(normalizedOrigin);
-  } catch {
-    return false;
-  }
-}
-
 function measureWebSocketMessageBytes(data: unknown): number {
   if (typeof data === 'string') {
     return new TextEncoder().encode(data).byteLength;