@tuturuuu/utils 0.0.3 → 0.6.0

package/src/request-emoji-limit.ts

@@ -0,0 +1,335 @@
+import { type NextRequest, NextResponse } from 'next/server';
+
+export const MAX_EMOJIS_PER_FIELD = 10;
+export const MAX_SHORT_TEXT_FIELD_GRAPHEMES = 280;
+/** Form description, task description, etc. Allow up to 100k to match database limits. */
+export const MAX_DESCRIPTION_FIELD_GRAPHEMES = 100_000;
+
+export type RequestContentViolation = {
+  code: 'EMOJI_LIMIT_EXCEEDED' | 'TEXT_BOMB_DETECTED';
+  count: number;
+  limit: number;
+  message: string;
+  path: string;
+};
+
+type FindRequestContentViolationOptions = {
+  skipValidationForFields?: string[];
+  skipEmojiCheckForFields?: string[];
+  skipShortTextLengthCheckForFields?: string[];
+};
+
+const BODY_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+const EXTENDED_PICTOGRAPHIC_RE = /\p{Extended_Pictographic}/u;
+const FLAG_RE = /^(?:\p{Regional_Indicator}{2})$/u;
+const KEYCAP_RE = /^(?:[#*0-9]\uFE0F?\u20E3)$/u;
+const DESCRIPTION_FIELD_NAMES = new Set(['description']);
+const SHORT_TEXT_FIELD_NAMES = new Set([
+  'alias',
+  'category',
+  'displayName',
+  'display_name',
+  'fullName',
+  'full_name',
+  'icon',
+  'label',
+  'name',
+  'slug',
+  'subject',
+  'summary',
+  'tag',
+  'title',
+  'walletName',
+  'wallet_name',
+]);
+const graphemeSegmenter =
+  typeof Intl !== 'undefined' && 'Segmenter' in Intl
+    ? new Intl.Segmenter(undefined, { granularity: 'grapheme' })
+    : null;
+
+function hasJsonContentType(contentType: string | null): boolean {
+  if (!contentType) return false;
+
+  const normalized = contentType.split(';', 1)[0]?.trim().toLowerCase();
+  return normalized === 'application/json' || !!normalized?.endsWith('+json');
+}
+
+function getTrustedBypassTokens(): string[] {
+  return [
+    process.env.CRON_SECRET,
+    process.env.VERCEL_CRON_SECRET,
+    process.env.SUPABASE_SERVICE_ROLE_KEY,
+  ]
+    .map((token) => token?.trim())
+    .filter((token): token is string => Boolean(token));
+}
+
+function getGraphemeSegments(value: string): string[] {
+  if (!graphemeSegmenter) {
+    return Array.from(value);
+  }
+
+  return Array.from(graphemeSegmenter.segment(value), ({ segment }) => segment);
+}
+
+export function countEmojisInString(value: string): number {
+  let emojiCount = 0;
+
+  for (const segment of getGraphemeSegments(value)) {
+    if (
+      EXTENDED_PICTOGRAPHIC_RE.test(segment) ||
+      FLAG_RE.test(segment) ||
+      KEYCAP_RE.test(segment)
+    ) {
+      emojiCount += 1;
+    }
+  }
+
+  return emojiCount;
+}
+
+function getLastFieldName(path: string): string | null {
+  const withoutIndexes = path.replace(/\[\d+\]/g, '');
+  const segments = withoutIndexes.split('.');
+  const lastSegment = segments.at(-1);
+  return lastSegment && lastSegment !== 'body' ? lastSegment : null;
+}
+
+function isShortTextFieldPath(path: string): boolean {
+  const fieldName = getLastFieldName(path);
+  return fieldName ? SHORT_TEXT_FIELD_NAMES.has(fieldName) : false;
+}
+
+function isDescriptionFieldPath(path: string): boolean {
+  const fieldName = getLastFieldName(path);
+  return fieldName ? DESCRIPTION_FIELD_NAMES.has(fieldName) : false;
+}
+
+function getStringContentViolation(
+  value: string,
+  path: string,
+  options?: FindRequestContentViolationOptions
+): RequestContentViolation | null {
+  const lastFieldName = getLastFieldName(path);
+  const shouldSkipValidationForField =
+    !!lastFieldName &&
+    (options?.skipValidationForFields ?? []).includes(lastFieldName);
+
+  if (shouldSkipValidationForField) {
+    return null;
+  }
+
+  const shouldSkipEmojiLimitForField =
+    !!lastFieldName &&
+    (options?.skipEmojiCheckForFields ?? []).includes(lastFieldName);
+
+  if (!shouldSkipEmojiLimitForField) {
+    const emojiCount = countEmojisInString(value);
+    if (emojiCount > MAX_EMOJIS_PER_FIELD) {
+      return {
+        code: 'EMOJI_LIMIT_EXCEEDED',
+        count: emojiCount,
+        limit: MAX_EMOJIS_PER_FIELD,
+        message: `Field "${path}" cannot contain more than ${MAX_EMOJIS_PER_FIELD} emojis`,
+        path,
+      };
+    }
+  }
+
+  const graphemes = getGraphemeSegments(value);
+  if (isDescriptionFieldPath(path)) {
+    if (graphemes.length > MAX_DESCRIPTION_FIELD_GRAPHEMES) {
+      return {
+        code: 'TEXT_BOMB_DETECTED',
+        count: graphemes.length,
+        limit: MAX_DESCRIPTION_FIELD_GRAPHEMES,
+        message: `Field "${path}" exceeds the maximum description length`,
+        path,
+      };
+    }
+  } else if (
+    isShortTextFieldPath(path) &&
+    !(
+      !!lastFieldName &&
+      (options?.skipShortTextLengthCheckForFields ?? []).includes(lastFieldName)
+    ) &&
+    graphemes.length > MAX_SHORT_TEXT_FIELD_GRAPHEMES
+  ) {
+    return {
+      code: 'TEXT_BOMB_DETECTED',
+      count: graphemes.length,
+      limit: MAX_SHORT_TEXT_FIELD_GRAPHEMES,
+      message: `Field "${path}" exceeds the maximum short-field length`,
+      path,
+    };
+  }
+
+  return null;
+}
+
+export function findRequestContentViolation(
+  value: unknown,
+  path = 'body',
+  options?: FindRequestContentViolationOptions
+): RequestContentViolation | null {
+  if (typeof value === 'string') {
+    return getStringContentViolation(value, path, options);
+  }
+
+  if (Array.isArray(value)) {
+    for (const [index, item] of value.entries()) {
+      const violation = findRequestContentViolation(
+        item,
+        `${path}[${index}]`,
+        options
+      );
+      if (violation) {
+        return violation;
+      }
+    }
+
+    return null;
+  }
+
+  if (value && typeof value === 'object') {
+    for (const [key, item] of Object.entries(value)) {
+      const violation = findRequestContentViolation(
+        item,
+        `${path}.${key}`,
+        options
+      );
+      if (violation) {
+        return violation;
+      }
+    }
+  }
+
+  return null;
+}
+
+export function shouldValidateEmojiLimit(
+  request: Pick<NextRequest, 'method' | 'headers'>
+): boolean {
+  return (
+    BODY_METHODS.has(request.method.toUpperCase()) &&
+    hasJsonContentType(request.headers.get('content-type'))
+  );
+}
+
+export function isTrustedEmojiBypassRequest(
+  request: Pick<NextRequest, 'headers'>
+): boolean {
+  const authorization = request.headers.get('authorization')?.trim();
+  if (!authorization) {
+    return false;
+  }
+
+  const match = /^Bearer\s+(.+)$/i.exec(authorization);
+  if (!match) {
+    return false;
+  }
+
+  const token = match[1]?.trim();
+  return token ? getTrustedBypassTokens().includes(token) : false;
+}
+
+export async function getRequestContentViolationForRequest(
+  request: NextRequest,
+  options?: {
+    allowDescriptionYjsState?: boolean;
+    skipValidationForFields?: string[];
+  }
+): Promise<RequestContentViolation | null> {
+  if (
+    !shouldValidateEmojiLimit(request) ||
+    isTrustedEmojiBypassRequest(request)
+  ) {
+    return null;
+  }
+
+  let rawBody = '';
+  try {
+    rawBody = await request.clone().text();
+  } catch {
+    return null;
+  }
+
+  if (!rawBody.trim()) {
+    return null;
+  }
+
+  try {
+    const parsedBody = JSON.parse(rawBody);
+
+    if (
+      options?.allowDescriptionYjsState === true &&
+      parsedBody &&
+      typeof parsedBody === 'object' &&
+      'description_yjs_state' in parsedBody &&
+      typeof (parsedBody as { description?: unknown }).description === 'string'
+    ) {
+      const {
+        description,
+        // Explicitly strip description_yjs_state from validation when allowed
+        // so Yjs payloads do not trigger short-field or emoji limits.
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        description_yjs_state,
+        ...rest
+      } = parsedBody as {
+        description: string;
+        description_yjs_state?: unknown;
+        [key: string]: unknown;
+      };
+
+      return findRequestContentViolation(
+        {
+          ...rest,
+          description,
+        },
+        'body',
+        {
+          skipValidationForFields: options?.skipValidationForFields,
+          skipEmojiCheckForFields: ['description'],
+          skipShortTextLengthCheckForFields: ['description'],
+        }
+      );
+    }
+
+    return findRequestContentViolation(parsedBody, 'body', {
+      skipValidationForFields: options?.skipValidationForFields,
+    });
+  } catch {
+    // Let route handlers keep their own invalid JSON behavior.
+    return null;
+  }
+}
+
+export function createRequestContentViolationResponse(
+  violation: RequestContentViolation
+): NextResponse {
+  return NextResponse.json(
+    {
+      error: 'Bad Request',
+      message: violation.message,
+      code: violation.code,
+      field: violation.path,
+      count: violation.count,
+      limit: violation.limit,
+    },
+    { status: 400 }
+  );
+}
+
+export async function validateRequestEmojiLimit(
+  request: NextRequest,
+  options?: {
+    allowDescriptionYjsState?: boolean;
+    skipValidationForFields?: string[];
+  }
+): Promise<NextResponse | null> {
+  const violation = await getRequestContentViolationForRequest(
+    request,
+    options
+  );
+  return violation ? createRequestContentViolationResponse(violation) : null;
+}

package/src/search-helper.ts

@@ -0,0 +1,18 @@
+/**
+ * Sanitizes a search query by trimming it and removing control characters.
+ * @param value The search query to sanitize
+ * @returns The sanitized search query or null if empty
+ */
+export const sanitizeSearchQuery = (value?: string | null): string | null => {
+  if (!value) return null;
+  const sanitized = value.replace(/\p{Cc}/gu, '').trim();
+  return sanitized.length > 0 ? sanitized : null;
+};
+
+/**
+ * Escapes special characters in a string for use in a SQL LIKE pattern.
+ * @param value The string to escape
+ * @returns The escaped string
+ */
+export const escapeLikePattern = (value: string): string =>
+  value.replace(/\\/g, '\\\\').replace(/%/g, '\\%').replace(/_/g, '\\_');

package/src/search.test.ts

@@ -0,0 +1,89 @@
+import { describe, expect, it } from 'vitest';
+import {
+  compactIntentText,
+  getIntentAcronym,
+  normalizeIntentText,
+  searchIntent,
+} from './search';
+
+type TestItem = {
+  aliases?: string[];
+  id: string;
+  title: string;
+};
+
+const items: TestItem[] = [
+  { id: 'alpha', title: 'Alpha Workspace' },
+  { id: 'acme', title: 'Acme Finance Operations' },
+  { id: 'banana', title: 'Banana Lab' },
+  { id: 'data', title: 'Data Science Team', aliases: ['DST'] },
+  { id: 'viet', title: 'Tiếng Việt Của Tôi' },
+  { id: 'qr', title: 'QR Generator', aliases: ['Quick Response'] },
+];
+
+describe('intent search', () => {
+  it('normalizes accents, punctuation, spacing, and Vietnamese d variants', () => {
+    expect(normalizeIntentText('  Tiếng---Việt Đẹp  ')).toBe('tieng viet dep');
+    expect(compactIntentText('Alpha_Workspace')).toBe('alphaworkspace');
+  });
+
+  it('builds acronyms from normalized words', () => {
+    expect(getIntentAcronym('Acme Finance Operations')).toBe('afo');
+  });
+
+  it('matches close workspace names with bounded typos', () => {
+    const [result] = searchIntent(items, 'alhpa workspace');
+
+    expect(result?.item.id).toBe('alpha');
+    expect(result?.reason).toBe('typo');
+  });
+
+  it('matches punctuation and spacing insensitive queries', () => {
+    const [result] = searchIntent(items, 'alpha-work space');
+
+    expect(result?.item.id).toBe('alpha');
+    expect(result?.reason).toBe('compact');
+  });
+
+  it('matches acronyms and aliases', () => {
+    expect(searchIntent(items, 'afo')[0]?.item.id).toBe('acme');
+    expect(searchIntent(items, 'dst')[0]?.item.id).toBe('data');
+  });
+
+  it('matches words in query order independent of target word order', () => {
+    const [result] = searchIntent(items, 'team data');
+
+    expect(result?.item.id).toBe('data');
+    expect(result?.reason).toBe('word-order');
+  });
+
+  it('matches Vietnamese accents with unaccented input', () => {
+    const [result] = searchIntent(items, 'tieng viet');
+
+    expect(result?.item.id).toBe('viet');
+  });
+
+  it('limits short-query noise to strong matches', () => {
+    const results = searchIntent(items, 'ba');
+
+    expect(results.map((result) => result.item.id)).toEqual(['banana']);
+  });
+
+  it('keeps result ordering stable for equal scores', () => {
+    const stableItems = [
+      { id: 'one', title: 'Alpha Team' },
+      { id: 'two', title: 'Alpha Squad' },
+    ];
+
+    expect(
+      searchIntent(stableItems, 'alpha').map((result) => result.item.id)
+    ).toEqual(['one', 'two']);
+  });
+
+  it('uses ordered fuzzy matching for intentional abbreviations', () => {
+    const [result] = searchIntent(items, 'qgn');
+
+    expect(result?.item.id).toBe('qr');
+    expect(result?.reason).toBe('fuzzy');
+  });
+});