@usethink/cf-core 0.3.0

package/package.json

@@ -0,0 +1,202 @@
+{
+  "name": "@usethink/cf-core",
+  "version": "0.3.0",
+  "description": "Cloudflare Workers 共享内核 — Hono + Turso + Drizzle 标准化基础设施",
+  "type": "module",
+  "main": "dist/src/index.js",
+  "types": "dist/src/index.d.ts",
+  "files": [
+    "dist/src",
+    "dist/features",
+    "src",
+    "features",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/src/index.d.ts",
+      "import": {
+        "development": "./src/index.ts",
+        "default": "./dist/src/index.js"
+      }
+    },
+    "./types": {
+      "types": "./dist/src/types.d.ts",
+      "import": {
+        "development": "./src/types.ts",
+        "default": "./dist/src/types.js"
+      }
+    },
+    "./http": {
+      "types": "./dist/src/http.d.ts",
+      "import": {
+        "development": "./src/http.ts",
+        "default": "./dist/src/http.js"
+      }
+    },
+    "./security": {
+      "types": "./dist/src/security.d.ts",
+      "import": {
+        "development": "./src/security.ts",
+        "default": "./dist/src/security.js"
+      }
+    },
+    "./rate-limit": {
+      "types": "./dist/src/rate-limit.d.ts",
+      "import": {
+        "development": "./src/rate-limit.ts",
+        "default": "./dist/src/rate-limit.js"
+      }
+    },
+    "./cache": {
+      "types": "./dist/src/cache.d.ts",
+      "import": {
+        "development": "./src/cache.ts",
+        "default": "./dist/src/cache.js"
+      }
+    },
+    "./idempotency": {
+      "types": "./dist/src/idempotency.d.ts",
+      "import": {
+        "development": "./src/idempotency.ts",
+        "default": "./dist/src/idempotency.js"
+      }
+    },
+    "./audit": {
+      "types": "./dist/src/audit.d.ts",
+      "import": {
+        "development": "./src/audit.ts",
+        "default": "./dist/src/audit.js"
+      }
+    },
+    "./config": {
+      "types": "./dist/src/config.d.ts",
+      "import": {
+        "development": "./src/config.ts",
+        "default": "./dist/src/config.js"
+      }
+    },
+    "./bootstrap": {
+      "types": "./dist/src/bootstrap.d.ts",
+      "import": {
+        "development": "./src/bootstrap.ts",
+        "default": "./dist/src/bootstrap.js"
+      }
+    },
+    "./error": {
+      "types": "./dist/src/error.d.ts",
+      "import": {
+        "development": "./src/error.ts",
+        "default": "./dist/src/error.js"
+      }
+    },
+    "./logger": {
+      "types": "./dist/src/logger.d.ts",
+      "import": {
+        "development": "./src/logger.ts",
+        "default": "./dist/src/logger.js"
+      }
+    },
+    "./crypto": {
+      "types": "./dist/src/crypto.d.ts",
+      "import": {
+        "development": "./src/crypto.ts",
+        "default": "./dist/src/crypto.js"
+      }
+    },
+    "./db": {
+      "types": "./dist/src/db/index.d.ts",
+      "import": {
+        "development": "./src/db/index.ts",
+        "default": "./dist/src/db/index.js"
+      }
+    },
+    "./db/schema": {
+      "types": "./dist/src/db/schema.d.ts",
+      "import": {
+        "development": "./src/db/schema.ts",
+        "default": "./dist/src/db/schema.js"
+      }
+    },
+    "./auth/jwt": {
+      "types": "./dist/src/auth/jwt.d.ts",
+      "import": {
+        "development": "./src/auth/jwt.ts",
+        "default": "./dist/src/auth/jwt.js"
+      }
+    },
+    "./auth/password": {
+      "types": "./dist/src/auth/password.d.ts",
+      "import": {
+        "development": "./src/auth/password.ts",
+        "default": "./dist/src/auth/password.js"
+      }
+    },
+    "./middleware": {
+      "types": "./dist/src/middleware/index.d.ts",
+      "import": {
+        "development": "./src/middleware/index.ts",
+        "default": "./dist/src/middleware/index.js"
+      }
+    },
+    "./features/payment": {
+      "types": "./dist/features/payment/index.d.ts",
+      "import": {
+        "development": "./features/payment/index.ts",
+        "default": "./dist/features/payment/index.js"
+      }
+    },
+    "./features/email": {
+      "types": "./dist/features/email/index.d.ts",
+      "import": {
+        "development": "./features/email/index.ts",
+        "default": "./dist/features/email/index.js"
+      }
+    },
+    "./features/webhook": {
+      "types": "./dist/features/webhook/index.d.ts",
+      "import": {
+        "development": "./features/webhook/index.ts",
+        "default": "./dist/features/webhook/index.js"
+      }
+    },
+    "./features/thompson-router": {
+      "types": "./dist/features/thompson-router/index.d.ts",
+      "import": {
+        "development": "./features/thompson-router/index.ts",
+        "default": "./dist/features/thompson-router/index.js"
+      }
+    },
+    "./features/anti-abuse": {
+      "types": "./dist/features/anti-abuse/index.d.ts",
+      "import": {
+        "development": "./features/anti-abuse/index.ts",
+        "default": "./dist/features/anti-abuse/index.js"
+      }
+    }
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "type-check": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "prepublishOnly": "npm run type-check && npm test",
+    "prepack": "npm run build"
+  },
+  "dependencies": {
+    "@libsql/client": "^0.14.0",
+    "drizzle-orm": "^0.45.2",
+    "drizzle-zod": "^0.7.0",
+    "hono": "^4.12.22",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20260524.1",
+    "typescript": "^5.7.0",
+    "vitest": "^2.1.0"
+  }
+}

package/src/audit.ts

@@ -0,0 +1,70 @@
+/**
+ * 审计日志模块
+ *
+ * 提供管理员操作审计和通用事件日志。
+ * 设计为 fire-and-forget：写入失败不阻塞主流程。
+ * 内置 5% 概率自动清理旧日志，避免数据无限增长。
+ *
+ * 来源：eshop/vcode audit-service.ts 合并
+ */
+
+import { adminAuditLogs } from "./db/schema";
+
+/**
+ * 通用 Drizzle 数据库接口（仅约束审计模块需要的方法）
+ */
+interface AuditDbLike {
+  insert: (table: typeof adminAuditLogs) => {
+    values: (data: {
+      id: string;
+      action: string;
+      targetType: string;
+      targetId: string;
+      metadataJson: string;
+      ipHash: string;
+      createdAt: string;
+    }) => Promise<unknown>;
+  };
+  $client?: {
+    execute: (sql: string) => Promise<unknown>;
+  };
+}
+
+export interface AuditInput {
+  action: string;
+  targetType?: string;
+  targetId?: string;
+  metadata?: unknown;
+  ipHash?: string;
+}
+
+/**
+ * 写入管理员审计日志
+ *
+ * fire-and-forget 模式：调用方应使用 ctx.waitUntil() 或直接 await。
+ * 写入失败仅打印 warn，不抛异常。
+ */
+export async function writeAdminAudit(db: AuditDbLike, input: AuditInput): Promise<void> {
+  try {
+    await db.insert(adminAuditLogs).values({
+      id: crypto.randomUUID(),
+      action: input.action,
+      targetType: input.targetType || "",
+      targetId: input.targetId || "",
+      metadataJson: JSON.stringify(input.metadata || {}),
+      ipHash: input.ipHash || "",
+      createdAt: new Date().toISOString(),
+    });
+
+    // 5% 概率清理超过 90 天的旧日志
+    if (Math.random() < 0.05) {
+      try {
+        db.$client?.execute(
+          `DELETE FROM admin_audit_logs WHERE created_at < datetime('now', '-90 days')`,
+        ).catch(() => {});
+      } catch { /* mock DB may not have execute */ }
+    }
+  } catch (err) {
+    console.warn("[audit] writeAdminAudit failed:", err instanceof Error ? err.message : String(err));
+  }
+}

package/src/auth/jwt.ts

@@ -0,0 +1,114 @@
+/**
+ * JWT 签发与验证（HMAC-SHA256）
+ *
+ * 纯 Web Crypto API 实现，零外部依赖。
+ * Workers 原生支持，性能优异。
+ *
+ * 来源：xtools src/lib/auth.ts
+ */
+
+export interface JwtPayload {
+  sub: string;
+  email: string;
+  iat: number;
+  exp: number;
+}
+
+const DEFAULT_EXPIRY = 24 * 60 * 60; // 24 小时
+
+function base64UrlEncode(data: Uint8Array | string): string {
+  const bytes = typeof data === "string" ? new TextEncoder().encode(data) : data;
+  let binary = "";
+  for (const b of bytes) binary += String.fromCharCode(b);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+function base64UrlDecode(str: string): Uint8Array {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = 4 - (base64.length % 4);
+  if (padding !== 4) base64 += "=".repeat(padding);
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+
+async function importHmacKey(secret: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign", "verify"],
+  );
+}
+
+/**
+ * 签发 JWT
+ */
+export async function signJwt(
+  userId: string,
+  email: string,
+  secret: string,
+  expirySeconds = DEFAULT_EXPIRY,
+): Promise<string> {
+  const now = Math.floor(Date.now() / 1000);
+  const payload: JwtPayload = { sub: userId, email, iat: now, exp: now + expirySeconds };
+
+  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
+  const body = base64UrlEncode(JSON.stringify(payload));
+  const signingInput = `${header}.${body}`;
+
+  const key = await importHmacKey(secret);
+  const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(signingInput));
+
+  return `${signingInput}.${base64UrlEncode(new Uint8Array(signature))}`;
+}
+
+/**
+ * 验证并解析 JWT — 验证失败返回 null
+ */
+export async function verifyJwt(token: string, secret: string): Promise<JwtPayload | null> {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+
+    const [header, body, signature] = parts;
+    const signingInput = `${header}.${body}`;
+
+    const key = await importHmacKey(secret);
+    const valid = await crypto.subtle.verify(
+      "HMAC",
+      key,
+      base64UrlDecode(signature),
+      new TextEncoder().encode(signingInput),
+    );
+    if (!valid) return null;
+
+    const payload = JSON.parse(new TextDecoder().decode(base64UrlDecode(body))) as JwtPayload;
+    if (payload.exp < Math.floor(Date.now() / 1000)) return null;
+
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * 从请求中提取 JWT Token
+ *
+ * 优先级：Authorization: Bearer > Cookie: token=
+ */
+export function extractJwt(c: { req: { header: (name: string) => string | undefined } }): string | null {
+  const auth = c.req.header("Authorization");
+  if (auth?.startsWith("Bearer ")) {
+    const token = auth.slice(7).trim();
+    if (token.split(".").length === 3) return token;
+  }
+  const cookie = c.req.header("Cookie");
+  if (cookie) {
+    const match = cookie.match(/(?:^|;\s*)token=([^;]+)/);
+    if (match) return decodeURIComponent(match[1]);
+  }
+  return null;
+}

package/src/auth/password.ts

@@ -0,0 +1,75 @@
+/**
+ * 密码哈希模块（PBKDF2-HMAC-SHA256）
+ *
+ * 纯 Web Crypto API 实现，零外部依赖。
+ * - 100,000 次迭代（OWASP 推荐最低值）
+ * - 16 字节随机 salt
+ * - 32 字节（256 bit）哈希输出
+ *
+ * 来源：xtools src/lib/auth.ts
+ */
+
+const ITERATIONS = 100_000;
+const SALT_LENGTH = 16;
+const HASH_LENGTH = 32;
+
+function toHex(bytes: Uint8Array): string {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+function fromHex(hex: string): Uint8Array {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  return bytes;
+}
+
+/**
+ * 哈希密码
+ *
+ * @param password - 明文密码
+ * @param saltHex - 盐值 hex（可选，不提供则自动生成）
+ * @returns { hash, salt } — 均为 hex 字符串
+ */
+export async function hashPassword(
+  password: string,
+  saltHex?: string,
+): Promise<{ hash: string; salt: string }> {
+  const salt = saltHex
+    ? fromHex(saltHex)
+    : crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
+
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits"],
+  );
+
+  const hashBuffer = await crypto.subtle.deriveBits(
+    { name: "PBKDF2", salt, iterations: ITERATIONS, hash: "SHA-256" },
+    keyMaterial,
+    HASH_LENGTH * 8,
+  );
+
+  return { hash: toHex(new Uint8Array(hashBuffer)), salt: toHex(salt) };
+}
+
+/**
+ * 验证密码 — 恒定时间比较（防 timing attack）
+ */
+export async function verifyPassword(
+  password: string,
+  hashHex: string,
+  saltHex: string,
+): Promise<boolean> {
+  const result = await hashPassword(password, saltHex);
+  if (result.hash.length !== hashHex.length) return false;
+  let diff = 0;
+  for (let i = 0; i < result.hash.length; i++) {
+    diff |= result.hash.charCodeAt(i) ^ hashHex.charCodeAt(i);
+  }
+  return diff === 0;
+}