@syncular/server-hono 0.0.6-171 → 0.0.6-178

package/src/routes.ts

@@ -52,12 +52,7 @@ import { Hono } from 'hono';
 
 import type { UpgradeWebSocket } from 'hono/ws';
 import { describeRoute, resolver, validator as zValidator } from 'hono-openapi';
-import {
-  type Kysely,
-  type SelectQueryBuilder,
-  type SqlBool,
-  sql,
-} from 'kysely';
+import { type Kysely, sql } from 'kysely';
 import { z } from 'zod';
 import { isBenignConsoleSchemaError } from './console/schema-errors';
 import {
@@ -65,8 +60,10 @@ import {
   DEFAULT_SYNC_RATE_LIMITS,
   type SyncRateLimitConfig,
 } from './rate-limit';
+import { isWebSocketOriginAllowed } from './websocket-origin';
 import {
   createWebSocketConnection,
+  createWebSocketConnectionOwnerKey,
   type WebSocketConnection,
   WebSocketConnectionManager,
 } from './ws';
@@ -119,7 +116,9 @@ export interface SyncWebSocketConfig {
   messageRateWindowMs?: number;
   /**
    * Optional list of allowed websocket origins.
-   * Use '*' to allow all origins.
+   * - undefined: allow same-origin browser upgrades and origin-less non-browser clients
+   * - '*': allow all origins
+   * - string[]: exact origin match (scheme + host + port)
    */
   allowedOrigins?: string[] | '*';
 }
@@ -1414,6 +1413,55 @@ export function createSyncRoutes<
       const clientId = body.clientId;
       const requestId = readRequestId(c);
       const traceContext = readTraceContext(c);
+      const connectionOwnerKey = createWebSocketConnectionOwnerKey({
+        partitionId,
+        actorId: auth.actorId,
+        clientId,
+      });
+
+      const clientState = await readClientState(
+        options.db,
+        partitionId,
+        clientId
+      );
+      let allowStaleScopeRebind = false;
+      if (
+        body.pull &&
+        !body.push &&
+        clientState.ownerActorId !== null &&
+        clientState.ownerActorId !== auth.actorId
+      ) {
+        const resolved = await resolveEffectiveScopesForSubscriptions({
+          db: options.db,
+          auth,
+          subscriptions: body.pull.subscriptions,
+          handlers: handlerRegistry,
+          scopeCache: options.scopeCache,
+        });
+        allowStaleScopeRebind = resolved.every(
+          (subscription) => subscription.status === 'revoked'
+        );
+      }
+
+      if (
+        !allowStaleScopeRebind &&
+        (clientState.hasConflict || clientState.ownerActorId !== null)
+      ) {
+        if (
+          clientState.ownerActorId !== auth.actorId ||
+          clientState.hasConflict
+        ) {
+          return c.json(
+            {
+              error: 'INVALID_CLIENT_ID',
+              message: clientState.hasConflict
+                ? 'clientId has conflicting ownership history'
+                : 'clientId is already bound to a different actor',
+            },
+            400
+          );
+        }
+      }
 
       let pushResponse:
         | undefined
@@ -1527,34 +1575,32 @@ export function createSyncRoutes<
           throw err;
         }
 
-        // Fire-and-forget bookkeeping
-        void recordClientCursor(options.db, options.dialect, {
-          partitionId,
-          clientId,
-          actorId: auth.actorId,
-          cursor: pullResult.clientCursor,
-          effectiveScopes: pullResult.effectiveScopes,
-        })
-          .then(() => {
-            emitConsoleLiveEvent(consoleLiveEmitter, 'client_update', () => ({
-              action: 'cursor_recorded',
-              partitionId,
-              actorId: auth.actorId,
-              clientId,
-              cursor: pullResult.clientCursor,
-            }));
-          })
-          .catch((error) => {
-            logAsyncFailureOnce('sync.client_cursor_record_failed', {
-              event: 'sync.client_cursor_record_failed',
-              userId: auth.actorId,
-              clientId,
-              error: error instanceof Error ? error.message : String(error),
-            });
+        try {
+          await recordClientCursor(options.db, options.dialect, {
+            partitionId,
+            clientId,
+            actorId: auth.actorId,
+            cursor: pullResult.clientCursor,
+            effectiveScopes: pullResult.effectiveScopes,
+          });
+          emitConsoleLiveEvent(consoleLiveEmitter, 'client_update', () => ({
+            action: 'cursor_recorded',
+            partitionId,
+            actorId: auth.actorId,
+            clientId,
+            cursor: pullResult.clientCursor,
+          }));
+        } catch (error) {
+          logAsyncFailureOnce('sync.client_cursor_record_failed', {
+            event: 'sync.client_cursor_record_failed',
+            userId: auth.actorId,
+            clientId,
+            error: error instanceof Error ? error.message : String(error),
           });
+        }
 
-        wsConnectionManager?.updateClientScopeKeys(
-          clientId,
+        wsConnectionManager?.updateConnectionScopeKeys(
+          connectionOwnerKey,
           applyPartitionToScopeKeys(
             partitionId,
             scopeValuesToScopeKeys(pullResult.effectiveScopes)
@@ -1726,39 +1772,47 @@ export function createSyncRoutes<
         return c.json({ error: 'NOT_FOUND' }, 404);
       }
 
-      if (requestedChunkScopes) {
-        try {
-          const resolved = await resolveEffectiveScopesForSubscriptions({
-            db: options.db,
-            auth,
-            subscriptions: [
-              {
-                id: 'snapshot-chunk-authz',
-                table: chunk.scope,
-                scopes: requestedChunkScopes,
-                cursor: 0,
-              },
-            ],
-            handlers: handlerRegistry,
-            scopeCache: options.scopeCache,
-          });
-          const scopeAuth = resolved[0];
-          if (!scopeAuth || scopeAuth.status !== 'active') {
-            return c.json({ error: 'FORBIDDEN' }, 403);
-          }
+      if (!requestedChunkScopes) {
+        return c.json(
+          {
+            error: 'INVALID_REQUEST',
+            message: 'Snapshot chunk scope values are required',
+          },
+          400
+        );
+      }
 
-          const scopeKey = `${partitionId}:${await scopesToSnapshotChunkScopeKey(
-            scopeAuth.scopes
-          )}`;
-          if (scopeKey !== chunk.scopeKey) {
-            return c.json({ error: 'FORBIDDEN' }, 403);
-          }
-        } catch (error) {
-          if (error instanceof InvalidSubscriptionScopeError) {
-            return c.json({ error: 'FORBIDDEN' }, 403);
-          }
-          throw error;
+      try {
+        const resolved = await resolveEffectiveScopesForSubscriptions({
+          db: options.db,
+          auth,
+          subscriptions: [
+            {
+              id: 'snapshot-chunk-authz',
+              table: chunk.scope,
+              scopes: requestedChunkScopes,
+              cursor: 0,
+            },
+          ],
+          handlers: handlerRegistry,
+          scopeCache: options.scopeCache,
+        });
+        const scopeAuth = resolved[0];
+        if (!scopeAuth || scopeAuth.status !== 'active') {
+          return c.json({ error: 'FORBIDDEN' }, 403);
         }
+
+        const scopeKey = `${partitionId}:${await scopesToSnapshotChunkScopeKey(
+          scopeAuth.scopes
+        )}`;
+        if (scopeKey !== chunk.scopeKey) {
+          return c.json({ error: 'FORBIDDEN' }, 403);
+        }
+      } catch (error) {
+        if (error instanceof InvalidSubscriptionScopeError) {
+          return c.json({ error: 'FORBIDDEN' }, 403);
+        }
+        throw error;
       }
 
       const etag = `"sha256:${chunk.sha256}"`;
@@ -1769,7 +1823,7 @@ export function createSyncRoutes<
           headers: {
             ETag: etag,
             'Cache-Control': 'private, max-age=0',
-            Vary: 'Authorization',
+            Vary: 'Authorization, X-Syncular-Snapshot-Scopes',
           },
         });
       }
@@ -1782,7 +1836,7 @@ export function createSyncRoutes<
           'Content-Length': String(chunk.byteLength),
           ETag: etag,
           'Cache-Control': 'private, max-age=0',
-          Vary: 'Authorization',
+          Vary: 'Authorization, X-Syncular-Snapshot-Scopes',
           'X-Sync-Chunk-Id': chunk.chunkId,
           'X-Sync-Chunk-Sha256': chunk.sha256,
           'X-Sync-Chunk-Encoding': chunk.encoding,
@@ -1819,31 +1873,39 @@ export function createSyncRoutes<
         c,
         c.req.query('transportPath')
       );
+      const connectionOwnerKey = createWebSocketConnectionOwnerKey({
+        partitionId,
+        actorId: auth.actorId,
+        clientId,
+      });
 
       // Load last-known effective scopes for this client (best-effort).
       // Keeps /realtime lightweight and avoids sending large subscription payloads over the URL.
       let initialScopeKeys: string[] = [];
       try {
-        const cursorsQ = options.db.selectFrom(
-          'sync_client_cursors'
-        ) as SelectQueryBuilder<
-          DB,
-          'sync_client_cursors',
-          // biome-ignore lint/complexity/noBannedTypes: Kysely uses `{}` as the initial "no selected columns yet" marker.
-          {}
-        >;
-
-        const row = await cursorsQ
-          .selectAll()
-          .where(sql<SqlBool>`partition_id = ${partitionId}`)
-          .where(sql<SqlBool>`client_id = ${clientId}`)
-          .executeTakeFirst();
-
-        if (row && row.actor_id !== auth.actorId) {
-          return c.json({ error: 'FORBIDDEN' }, 403);
+        const clientState = await readClientState(
+          options.db,
+          partitionId,
+          clientId
+        );
+        if (clientState.hasConflict || clientState.ownerActorId !== null) {
+          if (
+            clientState.ownerActorId !== auth.actorId ||
+            clientState.hasConflict
+          ) {
+            return c.json(
+              {
+                error: 'INVALID_CLIENT_ID',
+                message: clientState.hasConflict
+                  ? 'clientId has conflicting ownership history'
+                  : 'clientId is already bound to a different actor',
+              },
+              400
+            );
+          }
         }
 
-        const raw = row?.effective_scopes;
+        const raw = clientState.effectiveScopes;
         let parsed: unknown = raw;
         if (typeof raw === 'string') {
           try {
@@ -1884,7 +1946,7 @@ export function createSyncRoutes<
 
       if (
         maxConnectionsPerClient > 0 &&
-        wsConnectionManager.getConnectionCount(clientId) >=
+        wsConnectionManager.getScopedConnectionCount(connectionOwnerKey) >=
           maxConnectionsPerClient
       ) {
         logSyncEvent({
@@ -1900,7 +1962,7 @@ export function createSyncRoutes<
       let unregister: (() => void) | null = null;
       let connRef: ReturnType<typeof createWebSocketConnection> | null = null;
       const connectionCountBeforeUpgrade =
-        wsConnectionManager.getConnectionCount(clientId);
+        wsConnectionManager.getScopedConnectionCount(connectionOwnerKey);
       let sessionStartedAtMs: number | null = null;
       let sessionEnded = false;
 
@@ -1965,6 +2027,7 @@ export function createSyncRoutes<
           const conn = createWebSocketConnection(ws, {
             actorId: auth.actorId,
             clientId,
+            ownerKey: connectionOwnerKey,
             transportPath: realtimeTransportPath,
           });
           connRef = conn;
@@ -2052,7 +2115,7 @@ export function createSyncRoutes<
               case 'join':
                 if (
                   !wsConnectionManager.joinPresence(
-                    clientId,
+                    connectionOwnerKey,
                     scopeKey,
                     msg.metadata
                   )
@@ -2071,17 +2134,17 @@ export function createSyncRoutes<
                 }
                 break;
               case 'leave':
-                wsConnectionManager.leavePresence(clientId, scopeKey);
+                wsConnectionManager.leavePresence(connectionOwnerKey, scopeKey);
                 break;
               case 'update':
                 if (
                   !wsConnectionManager.updatePresenceMetadata(
-                    clientId,
+                    connectionOwnerKey,
                     scopeKey,
                     msg.metadata ?? {}
                   ) &&
-                  !wsConnectionManager.isClientSubscribedToScopeKey(
-                    clientId,
+                  !wsConnectionManager.isConnectionSubscribedToScopeKey(
+                    connectionOwnerKey,
                     scopeKey
                   )
                 ) {
@@ -2360,24 +2423,6 @@ function clampInt(value: number, min: number, max: number): number {
   return Math.max(min, Math.min(max, value));
 }
 
-function isWebSocketOriginAllowed(
-  c: Context,
-  allowedOrigins?: string[] | '*'
-): boolean {
-  if (!allowedOrigins) return true;
-  if (allowedOrigins === '*') return true;
-
-  const origin = c.req.header('origin');
-  if (!origin) return false;
-
-  try {
-    const normalizedOrigin = new URL(origin).origin;
-    return allowedOrigins.includes(normalizedOrigin);
-  } catch {
-    return false;
-  }
-}
-
 function measureWebSocketMessageBytes(data: unknown): number {
   if (typeof data === 'string') {
     return new TextEncoder().encode(data).byteLength;
@@ -2501,3 +2546,41 @@ async function readCommitScopeKeys<DB extends SyncCoreDb>(
 
   return Array.from(scopeKeys);
 }
+
+async function readClientState<DB extends SyncCoreDb>(
+  db: Kysely<DB>,
+  partitionId: string,
+  clientId: string
+): Promise<{
+  ownerActorId: string | null;
+  effectiveScopes: unknown;
+  hasConflict: boolean;
+}> {
+  const [cursorResult, latestCommitResult] = await Promise.all([
+    sql<{ actor_id: string | null; effective_scopes: unknown }>`
+      SELECT actor_id, effective_scopes
+      FROM sync_client_cursors
+      WHERE partition_id = ${partitionId} AND client_id = ${clientId}
+      LIMIT 1
+    `.execute(db),
+    sql<{ actor_id: string | null }>`
+      SELECT actor_id
+      FROM sync_commits
+      WHERE partition_id = ${partitionId} AND client_id = ${clientId}
+      ORDER BY commit_seq DESC
+      LIMIT 1
+    `.execute(db),
+  ]);
+  const cursorRow = cursorResult.rows[0];
+  const latestCommitRow = latestCommitResult.rows[0];
+
+  // Cursor state reflects the current authenticated owner for a clientId.
+  // Commit history is only used to seed ownership before the first pull.
+  const ownerActorId = cursorRow?.actor_id ?? latestCommitRow?.actor_id ?? null;
+
+  return {
+    ownerActorId,
+    effectiveScopes: cursorRow?.effective_scopes ?? null,
+    hasConflict: false,
+  };
+}

package/src/websocket-origin.ts

@@ -0,0 +1,54 @@
+import type { Context } from 'hono';
+
+function normalizeOrigin(origin: string): string | null {
+  try {
+    return new URL(origin).origin;
+  } catch {
+    return null;
+  }
+}
+
+export function isRequestOriginAllowed(args: {
+  requestUrl: string;
+  originHeader?: string | null;
+  allowedOrigins?: string[] | '*';
+}): boolean {
+  if (args.allowedOrigins === '*') {
+    return true;
+  }
+
+  const origin = args.originHeader;
+  if (Array.isArray(args.allowedOrigins)) {
+    if (!origin) return false;
+    const normalizedOrigin = normalizeOrigin(origin);
+    return normalizedOrigin
+      ? args.allowedOrigins.includes(normalizedOrigin)
+      : false;
+  }
+
+  if (!origin) {
+    return true;
+  }
+
+  const normalizedOrigin = normalizeOrigin(origin);
+  if (!normalizedOrigin) {
+    return false;
+  }
+
+  try {
+    return normalizedOrigin === new URL(args.requestUrl).origin;
+  } catch {
+    return false;
+  }
+}
+
+export function isWebSocketOriginAllowed(
+  c: Context,
+  allowedOrigins?: string[] | '*'
+): boolean {
+  return isRequestOriginAllowed({
+    requestUrl: c.req.url,
+    originHeader: c.req.header('origin'),
+    allowedOrigins,
+  });
+}