@tknf/matchbox 0.2.5 → 0.3.0

package/dist/cgi.d.ts

@@ -1,8 +1,9 @@
 import * as hono_types from 'hono/types';
 import { Context, Hono } from 'hono';
 import { HtmlEscapedString } from 'hono/utils/html';
+import { HtaccessConfig } from './htaccess/types.js';
 
-type ConfigObject = Record<string, any>;
+type ConfigObject = Record<string, unknown>;
 /**
  * --- Session Cookie Configuration ---
  */
@@ -49,10 +50,10 @@ interface CgiContext<ConfigType = ConfigObject> {
     $_GET: Record<string, string>;
     $_POST: Record<string, string>;
     $_FILES: Record<string, File | File[]>;
-    $_REQUEST: Record<string, any>;
-    $_SESSION: Record<string, any>;
+    $_REQUEST: Record<string, unknown>;
+    $_SESSION: Record<string, unknown>;
     $_COOKIE: Record<string, string>;
-    $_ENV: Record<string, string | undefined>;
+    $_ENV: Record<string, unknown>;
     $_SERVER: {
         REQUEST_METHOD: string;
         REQUEST_URI: string;
@@ -61,7 +62,7 @@ interface CgiContext<ConfigType = ConfigObject> {
         SCRIPT_NAME: string;
         PATH_INFO: string;
         QUERY_STRING: string;
-        [key: string]: any;
+        [key: string]: unknown;
     };
     config: ConfigType;
     c: Context;
@@ -83,24 +84,12 @@ interface CgiContext<ConfigType = ConfigObject> {
 type Page = {
     urlPath: string;
     dirPath: string | null;
-    component: (context: CgiContext) => any | Promise<any>;
+    component: (context: CgiContext) => unknown | Promise<unknown>;
 };
-type RedirectRule = {
-    type: "redirect";
-    code: string;
-    source: string;
-    target: string;
-};
-type RewriteRule = {
-    type: "rewrite";
-    pattern: string;
-    target: string;
-    flags: string;
-};
-type RewriteMap = Record<string, Array<RedirectRule | RewriteRule>>;
+
 /**
  * --- Matchbox Runtime Engine ---
  */
-declare const createCgiWithPages: (pages: Page[], siteConfig?: ConfigObject, authMap?: Record<string, string>, rewriteMap?: RewriteMap, options?: MatchboxOptions) => Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
+declare const createCgiWithPages: (pages: Page[], siteConfig?: ConfigObject, authMap?: Record<string, string>, htaccessConfig?: HtaccessConfig, options?: MatchboxOptions) => Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
 
-export { type CgiContext, type ConfigObject, type MatchboxOptions, type ModuleInfo, type Page, type RewriteMap, type SessionCookieOptions, createCgiWithPages };
+export { type CgiContext, type ConfigObject, HtaccessConfig, type MatchboxOptions, type ModuleInfo, type Page, type SessionCookieOptions, createCgiWithPages };

package/dist/cgi.js

@@ -1,13 +1,20 @@
 import { Hono } from "hono";
-import { basicAuth } from "hono/basic-auth";
-import { getCookie, setCookie } from "hono/cookie";
+import { getCookie } from "hono/cookie";
 import { generateCgiError, generateCgiInfo } from "./html.js";
+import {
+  applyBasicAuth,
+  applyHtaccessMiddleware,
+  applyErrorDocumentMiddleware,
+  getSessionFromCookie,
+  saveSessionToCookie,
+  applyProtectedFilesMiddleware,
+  applyTrailingSlashMiddleware
+} from "./middleware/index.js";
 const isRedirectObject = (obj) => {
-  return obj && obj.__type === "redirect" && typeof obj.url === "string";
+  return typeof obj === "object" && obj !== null && "__type" in obj && obj.__type === "redirect" && "url" in obj && typeof obj.url === "string";
 };
-const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {}, options = {}) => {
+const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, htaccessConfig = {}, options = {}) => {
   const app = new Hono();
-  const SESS_KEY = options.sessionCookie?.name || "_SESSION_ID";
   if (options.middleware && options.middleware.length > 0) {
     for (const mw of options.middleware) {
       app.use("*", async (c, next) => {
@@ -18,66 +25,12 @@ const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {
       });
     }
   }
-  const protectedFiles = [".htaccess", ".htpasswd", ".htdigest", ".htgroup"];
-  app.use("*", async (c, next) => {
-    const path = c.req.path;
-    const lastSegment = path.slice(path.lastIndexOf("/") + 1);
-    if (protectedFiles.some((file) => lastSegment === file)) {
-      return c.text("Forbidden", 403);
-    }
-    await next();
-  });
+  applyProtectedFilesMiddleware(app);
   if (options.enforceTrailingSlash) {
-    app.use("*", async (c, next) => {
-      const path = c.req.path;
-      if (!path.endsWith("/") && !path.includes(".")) {
-        return c.redirect(`${path}/`, 301);
-      }
-      await next();
-    });
+    applyTrailingSlashMiddleware(app);
   }
-  Object.entries(rewriteMap).forEach(([dir, rules]) => {
-    const basePath = dir === "/" ? "" : dir.replace(/\/$/, "");
-    app.use(`${basePath}/*`, async (c, next) => {
-      const relPath = c.req.path.replace(basePath, "") || "/";
-      for (const rule of rules) {
-        if (rule.type === "redirect") {
-          if (relPath === rule.source) {
-            return c.redirect(
-              rule.target,
-              Number.parseInt(rule.code, 10) || 302
-            );
-          }
-        } else if (rule.type === "rewrite") {
-          const regex = new RegExp(rule.pattern);
-          if (regex.test(relPath)) {
-            const target = rule.target.startsWith("/") ? rule.target : `${basePath}/${rule.target}`;
-            if (rule.flags.includes("R")) {
-              const code = rule.flags.match(/R=(\d+)/)?.[1] || "302";
-              return c.redirect(target, Number.parseInt(code, 10));
-            }
-          }
-        }
-      }
-      await next();
-    });
-  });
-  Object.entries(authMap).forEach(([dir, content]) => {
-    const credentials = content.split("\n").map((line) => line.trim()).filter((line) => line && !line.startsWith("#")).map((line) => {
-      const [username, password] = line.split(":");
-      return { username, password };
-    });
-    if (credentials.length > 0) {
-      const authPath = dir === "/" ? "*" : `${dir.replace(/\/$/, "")}/*`;
-      app.use(authPath, async (c, next) => {
-        const handler = basicAuth({
-          verifyUser: (u, p) => credentials.some((cred) => cred.username === u && cred.password === p),
-          realm: "Restricted Area"
-        });
-        return handler(c, next);
-      });
-    }
-  });
+  applyHtaccessMiddleware(app, htaccessConfig);
+  applyBasicAuth(app, authMap);
   pages.forEach(({ urlPath, dirPath, component }) => {
     const routes = [urlPath, `${urlPath}/*`];
     if (dirPath) {
@@ -96,7 +49,7 @@ const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {
           if (value instanceof File || Array.isArray(value) && value[0] instanceof File) {
             $_FILES[key] = value;
           } else {
-            $_POST[key] = value;
+            $_POST[key] = String(value);
           }
         }
         const $_COOKIE = getCookie(c);
@@ -106,14 +59,10 @@ const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {
           ...$_POST
         };
         const $_ENV = typeof process !== "undefined" && process.env ? process.env : c.env || {};
-        let $_SESSION = {};
-        const sRaw = getCookie(c, SESS_KEY);
-        if (sRaw) {
-          try {
-            $_SESSION = JSON.parse(decodeURIComponent(sRaw));
-          } catch {
-          }
-        }
+        let $_SESSION = getSessionFromCookie(
+          c,
+          options.sessionCookie?.name
+        );
         let responseStatus = 200;
         const responseHeaders = {
           "Content-Type": "text/html; charset=utf-8"
@@ -169,7 +118,7 @@ const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {
             }
           },
           get_version: () => {
-            return `MatchboxCGI/v${"0.2.5"}`;
+            return `MatchboxCGI/v${"0.3.0"}`;
           },
           /**
            * Returns information about all loaded CGI modules
@@ -184,48 +133,28 @@ const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {
         };
         try {
           const result = await component(context);
-          const sessionValue = encodeURIComponent(JSON.stringify($_SESSION));
-          const sessionOptions = {
-            path: options.sessionCookie?.path || "/",
-            httpOnly: true,
-            sameSite: options.sessionCookie?.sameSite || "Lax"
-          };
-          if (options.sessionCookie?.secure !== void 0) {
-            sessionOptions.secure = options.sessionCookie.secure;
-          }
-          if (options.sessionCookie?.domain) {
-            sessionOptions.domain = options.sessionCookie.domain;
-          }
-          if (options.sessionCookie?.maxAge) {
-            sessionOptions.maxAge = options.sessionCookie.maxAge;
-          }
+          saveSessionToCookie(c, $_SESSION, options.sessionCookie);
           if (isRedirectObject(result)) {
-            setCookie(c, SESS_KEY, sessionValue, sessionOptions);
             return c.redirect(result.url, result.status);
           }
           if (result instanceof Response) {
-            setCookie(c, SESS_KEY, sessionValue, sessionOptions);
             return result;
           }
-          setCookie(c, SESS_KEY, sessionValue, sessionOptions);
           Object.entries(responseHeaders).forEach(([key, value]) => {
             c.header(key, value);
           });
           const contentType = responseHeaders["content-type"];
           if (contentType?.includes("application/json")) {
-            return c.json(
-              // biome-ignore lint/suspicious/noExplicitAny: to JSON response
-              result ?? { success: true },
-              responseStatus
-            );
+            return c.json(result ?? { success: true }, responseStatus);
           }
-          return c.html(result, responseStatus);
+          return c.html(String(result ?? ""), responseStatus);
         } catch (error) {
           return c.html(generateCgiError({ error, $_SERVER }), 500);
         }
       });
     });
   });
+  applyErrorDocumentMiddleware(app, htaccessConfig);
   return app;
 };
 export {

package/dist/htaccess/access-control.d.ts

@@ -0,0 +1,9 @@
+import { Context } from 'hono';
+import { AccessControlConfig } from './types.js';
+
+/**
+ * Create middleware for access control (Order/Allow/Deny)
+ */
+declare function createAccessControlMiddleware(config: AccessControlConfig): (c: Context, next: () => Promise<void>) => Promise<Response | void>;
+
+export { createAccessControlMiddleware };

package/dist/htaccess/access-control.js

@@ -0,0 +1,91 @@
+function matchesIP(clientIP, ruleValue) {
+  const ips = Array.isArray(ruleValue) ? ruleValue : [ruleValue];
+  for (const ip of ips) {
+    if (clientIP === ip) return true;
+    if (ip.includes("/")) {
+      const [network, bits] = ip.split("/");
+      const mask = parseInt(bits, 10);
+      if (isSameNetwork(clientIP, network, mask)) return true;
+    }
+  }
+  return false;
+}
+function isSameNetwork(ip1, ip2, maskBits) {
+  const ip1Parts = ip1.split(".").map(Number);
+  const ip2Parts = ip2.split(".").map(Number);
+  let bits = maskBits;
+  for (let i = 0; i < 4; i++) {
+    if (bits <= 0) break;
+    const mask = bits >= 8 ? 255 : 256 - Math.pow(2, 8 - bits);
+    if ((ip1Parts[i] & mask) !== (ip2Parts[i] & mask)) {
+      return false;
+    }
+    bits -= 8;
+  }
+  return true;
+}
+function matchesHost(clientHost, ruleValue) {
+  const hosts = Array.isArray(ruleValue) ? ruleValue : [ruleValue];
+  for (const host of hosts) {
+    if (clientHost === host) return true;
+    if (host.startsWith("*.")) {
+      const domain = host.slice(2);
+      if (clientHost.endsWith(domain)) return true;
+    }
+  }
+  return false;
+}
+function matchesRule(rule, c) {
+  switch (rule.type) {
+    case "all":
+      return true;
+    case "ip": {
+      const clientIP = c.req.header("x-forwarded-for")?.split(",")[0].trim() || c.req.header("x-real-ip") || c.env?.REMOTE_ADDR || "127.0.0.1";
+      return rule.value ? matchesIP(clientIP, rule.value) : false;
+    }
+    case "host": {
+      const clientHost = c.req.header("host") || "";
+      return rule.value ? matchesHost(clientHost, rule.value) : false;
+    }
+    case "env": {
+      if (!rule.value) return false;
+      const envVar = typeof rule.value === "string" ? rule.value : rule.value[0];
+      return c.env?.[envVar] !== void 0;
+    }
+    default:
+      return false;
+  }
+}
+function evaluateAccessControl(config, c) {
+  const order = config.order || "allow,deny";
+  const allowMatches = config.allow.some((rule) => matchesRule(rule, c));
+  const denyMatches = config.deny.some((rule) => matchesRule(rule, c));
+  switch (order) {
+    case "allow,deny":
+      if (denyMatches) return false;
+      if (allowMatches) return true;
+      return false;
+    case "deny,allow":
+      if (allowMatches) return true;
+      if (denyMatches) return false;
+      return true;
+    case "mutual-failure":
+      if (denyMatches) return false;
+      if (allowMatches) return true;
+      return false;
+    default:
+      return false;
+  }
+}
+function createAccessControlMiddleware(config) {
+  return async (c, next) => {
+    const allowed = evaluateAccessControl(config, c);
+    if (!allowed) {
+      return c.text("Forbidden", 403);
+    }
+    await next();
+  };
+}
+export {
+  createAccessControlMiddleware
+};

package/dist/htaccess/error-document.d.ts

@@ -0,0 +1,9 @@
+import { Context } from 'hono';
+import { ErrorDocumentConfig } from './types.js';
+
+/**
+ * Create middleware for error documents
+ */
+declare function createErrorDocumentMiddleware(errorDocs: ErrorDocumentConfig[], _basePath: string): (c: Context, next: () => Promise<void>) => Promise<Response | void>;
+
+export { createErrorDocumentMiddleware };

package/dist/htaccess/error-document.js

@@ -0,0 +1,16 @@
+function createErrorDocumentMiddleware(errorDocs, _basePath) {
+  return async (c, next) => {
+    await next();
+    const status = c.res.status;
+    if (status < 400) return;
+    const errorDoc = errorDocs.find((doc) => doc.statusCode === status);
+    if (!errorDoc) return;
+    if (errorDoc.target.startsWith("http://") || errorDoc.target.startsWith("https://")) {
+      return c.redirect(errorDoc.target);
+    }
+    return c.text(`Error ${status}: See ${errorDoc.target}`, status);
+  };
+}
+export {
+  createErrorDocumentMiddleware
+};

package/dist/htaccess/headers.d.ts

@@ -0,0 +1,32 @@
+import { Context } from 'hono';
+import { HeaderConfig } from './types.js';
+
+/**
+ * Create middleware for header directives
+ */
+declare function createHeaderMiddleware(headers: HeaderConfig[]): (c: Context, next: () => Promise<void>) => Promise<void>;
+/**
+ * Predefined security header helpers
+ */
+declare const securityHeaders: {
+    xFrameOptions: (value: "DENY" | "SAMEORIGIN" | string) => HeaderConfig;
+    xContentTypeOptions: () => HeaderConfig;
+    xssProtection: (enabled?: boolean) => HeaderConfig;
+    hsts: (maxAge?: number, includeSubdomains?: boolean) => HeaderConfig;
+    csp: (policy: string) => HeaderConfig;
+    referrerPolicy: (policy: string) => HeaderConfig;
+    permissionsPolicy: (policy: string) => HeaderConfig;
+};
+/**
+ * CORS (Cross-Origin Resource Sharing) header helpers
+ */
+declare const corsHeaders: {
+    allowOrigin: (origin: string) => HeaderConfig;
+    allowMethods: (methods: string[]) => HeaderConfig;
+    allowHeaders: (headers: string[]) => HeaderConfig;
+    allowCredentials: (allow?: boolean) => HeaderConfig;
+    maxAge: (seconds: number) => HeaderConfig;
+    exposeHeaders: (headers: string[]) => HeaderConfig;
+};
+
+export { corsHeaders, createHeaderMiddleware, securityHeaders };

package/dist/htaccess/headers.js

@@ -0,0 +1,98 @@
+function createHeaderMiddleware(headers) {
+  return async (c, next) => {
+    await next();
+    for (const header of headers) {
+      switch (header.action) {
+        case "set":
+          if (header.value) {
+            c.header(header.name, header.value);
+          }
+          break;
+        case "append":
+          if (header.value) {
+            const existing = c.res.headers.get(header.name);
+            const newValue = existing ? `${existing}, ${header.value}` : header.value;
+            c.header(header.name, newValue);
+          }
+          break;
+        case "unset":
+          c.res.headers.delete(header.name);
+          break;
+      }
+    }
+  };
+}
+const securityHeaders = {
+  xFrameOptions: (value) => ({
+    action: "set",
+    name: "X-Frame-Options",
+    value
+  }),
+  xContentTypeOptions: () => ({
+    action: "set",
+    name: "X-Content-Type-Options",
+    value: "nosniff"
+  }),
+  xssProtection: (enabled = true) => ({
+    action: "set",
+    name: "X-XSS-Protection",
+    value: enabled ? "1; mode=block" : "0"
+  }),
+  hsts: (maxAge = 31536e3, includeSubdomains = true) => ({
+    action: "set",
+    name: "Strict-Transport-Security",
+    value: includeSubdomains ? `max-age=${maxAge}; includeSubDomains` : `max-age=${maxAge}`
+  }),
+  csp: (policy) => ({
+    action: "set",
+    name: "Content-Security-Policy",
+    value: policy
+  }),
+  referrerPolicy: (policy) => ({
+    action: "set",
+    name: "Referrer-Policy",
+    value: policy
+  }),
+  permissionsPolicy: (policy) => ({
+    action: "set",
+    name: "Permissions-Policy",
+    value: policy
+  })
+};
+const corsHeaders = {
+  allowOrigin: (origin) => ({
+    action: "set",
+    name: "Access-Control-Allow-Origin",
+    value: origin
+  }),
+  allowMethods: (methods) => ({
+    action: "set",
+    name: "Access-Control-Allow-Methods",
+    value: methods.join(", ")
+  }),
+  allowHeaders: (headers) => ({
+    action: "set",
+    name: "Access-Control-Allow-Headers",
+    value: headers.join(", ")
+  }),
+  allowCredentials: (allow = true) => ({
+    action: "set",
+    name: "Access-Control-Allow-Credentials",
+    value: allow ? "true" : "false"
+  }),
+  maxAge: (seconds) => ({
+    action: "set",
+    name: "Access-Control-Max-Age",
+    value: String(seconds)
+  }),
+  exposeHeaders: (headers) => ({
+    action: "set",
+    name: "Access-Control-Expose-Headers",
+    value: headers.join(", ")
+  })
+};
+export {
+  corsHeaders,
+  createHeaderMiddleware,
+  securityHeaders
+};

package/dist/htaccess/index.d.ts

@@ -0,0 +1,8 @@
+export { AccessControlConfig, AccessRule, AuthConfig, ConditionFlags, DirectoryConfig, ErrorDocumentConfig, HeaderConfig, HonoContext, HtaccessConfig, RedirectConfig, RequireConfig, RewriteCondition, RewriteFlags, RewriteResult, RewriteRuleConfig, VariableContext } from './types.js';
+export { parseHtaccess } from './parser.js';
+export { createRewriteMiddleware, evaluateConditions } from './rewrite.js';
+export { corsHeaders, createHeaderMiddleware, securityHeaders } from './headers.js';
+export { createErrorDocumentMiddleware } from './error-document.js';
+export { createAccessControlMiddleware } from './access-control.js';
+export { applyRewriteFlags, buildVariableContext, expandVariables } from './utils.js';
+import 'hono';

package/dist/htaccess/index.js

@@ -0,0 +1,20 @@
+export * from "./types.js";
+import { parseHtaccess } from "./parser.js";
+import { createRewriteMiddleware, evaluateConditions } from "./rewrite.js";
+import { createHeaderMiddleware, securityHeaders, corsHeaders } from "./headers.js";
+import { createErrorDocumentMiddleware } from "./error-document.js";
+import { createAccessControlMiddleware } from "./access-control.js";
+import { buildVariableContext, expandVariables, applyRewriteFlags } from "./utils.js";
+export {
+  applyRewriteFlags,
+  buildVariableContext,
+  corsHeaders,
+  createAccessControlMiddleware,
+  createErrorDocumentMiddleware,
+  createHeaderMiddleware,
+  createRewriteMiddleware,
+  evaluateConditions,
+  expandVariables,
+  parseHtaccess,
+  securityHeaders
+};

package/dist/htaccess/parser.d.ts

@@ -0,0 +1,9 @@
+import { DirectoryConfig } from './types.js';
+import 'hono';
+
+/**
+ * Main parser for .htaccess files
+ */
+declare function parseHtaccess(content: string): DirectoryConfig;
+
+export { parseHtaccess };