npm - @vltpkg/vsr - Versions diffs - 0.0.0-26 - Mend

@vltpkg/vsr 0.0.0-26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/DEPLOY.md +163 -0
package/LICENSE +119 -0
package/README.md +314 -0
package/config.ts +221 -0
package/drizzle.config.js +40 -0
package/info/COMPARISONS.md +37 -0
package/info/CONFIGURATION.md +143 -0
package/info/CONTRIBUTING.md +32 -0
package/info/DATABASE_SETUP.md +108 -0
package/info/GRANULAR_ACCESS_TOKENS.md +160 -0
package/info/PROJECT_STRUCTURE.md +291 -0
package/info/ROADMAP.md +27 -0
package/info/SUPPORT.md +39 -0
package/info/TESTING.md +301 -0
package/info/USER_SUPPORT.md +31 -0
package/package.json +77 -0
package/scripts/build-assets.js +31 -0
package/scripts/build-bin.js +62 -0
package/scripts/prepack.js +27 -0
package/src/assets/public/images/bg.png +0 -0
package/src/assets/public/images/clients/logo-bun.png +0 -0
package/src/assets/public/images/clients/logo-deno.png +0 -0
package/src/assets/public/images/clients/logo-npm.png +0 -0
package/src/assets/public/images/clients/logo-pnpm.png +0 -0
package/src/assets/public/images/clients/logo-vlt.png +0 -0
package/src/assets/public/images/clients/logo-yarn.png +0 -0
package/src/assets/public/images/favicon/apple-touch-icon.png +0 -0
package/src/assets/public/images/favicon/favicon-96x96.png +0 -0
package/src/assets/public/images/favicon/favicon.ico +0 -0
package/src/assets/public/images/favicon/favicon.svg +3 -0
package/src/assets/public/images/favicon/site.webmanifest +21 -0
package/src/assets/public/images/favicon/web-app-manifest-192x192.png +0 -0
package/src/assets/public/images/favicon/web-app-manifest-512x512.png +0 -0
package/src/assets/public/styles/styles.css +231 -0
package/src/bin/demo/package.json +6 -0
package/src/bin/demo/vlt.json +1 -0
package/src/bin/vsr.ts +484 -0
package/src/db/client.ts +590 -0
package/src/db/migrations/0000_faulty_ricochet.sql +14 -0
package/src/db/migrations/0000_initial.sql +29 -0
package/src/db/migrations/0001_uuid_validation.sql +35 -0
package/src/db/migrations/0001_wealthy_magdalene.sql +7 -0
package/src/db/migrations/drop.sql +3 -0
package/src/db/migrations/meta/0000_snapshot.json +104 -0
package/src/db/migrations/meta/0001_snapshot.json +155 -0
package/src/db/migrations/meta/_journal.json +20 -0
package/src/db/schema.ts +43 -0
package/src/index.ts +434 -0
package/src/middleware/config.ts +79 -0
package/src/middleware/telemetry.ts +43 -0
package/src/queue/index.ts +97 -0
package/src/routes/access.ts +852 -0
package/src/routes/docs.ts +63 -0
package/src/routes/misc.ts +469 -0
package/src/routes/packages.ts +2823 -0
package/src/routes/ping.ts +39 -0
package/src/routes/search.ts +131 -0
package/src/routes/static.ts +74 -0
package/src/routes/tokens.ts +259 -0
package/src/routes/users.ts +68 -0
package/src/utils/auth.ts +202 -0
package/src/utils/cache.ts +587 -0
package/src/utils/config.ts +50 -0
package/src/utils/database.ts +69 -0
package/src/utils/docs.ts +146 -0
package/src/utils/packages.ts +453 -0
package/src/utils/response.ts +125 -0
package/src/utils/routes.ts +64 -0
package/src/utils/spa.ts +52 -0
package/src/utils/tracing.ts +52 -0
package/src/utils/upstream.ts +172 -0
package/test/access.test.ts +705 -0
package/test/audit.test.ts +828 -0
package/test/dashboard.test.ts +693 -0
package/test/dist-tags.test.ts +678 -0
package/test/manifest.test.ts +436 -0
package/test/packument.test.ts +530 -0
package/test/ping.test.ts +41 -0
package/test/search.test.ts +472 -0
package/test/setup.ts +130 -0
package/test/static.test.ts +646 -0
package/test/tokens.test.ts +389 -0
package/test/utils/auth.test.ts +214 -0
package/test/utils/packages.test.ts +235 -0
package/test/utils/response.test.ts +184 -0
package/test/whoami.test.ts +119 -0
package/tsconfig.json +16 -0
package/tsconfig.worker.json +3 -0
package/typedoc.mjs +2 -0
package/types.ts +598 -0
package/vitest.config.ts +25 -0
package/vlt.json.example +56 -0
package/wrangler.json +65 -0

package/test/access.test.ts ADDED Viewed

@@ -0,0 +1,705 @@
+import { describe, it, expect } from 'vitest'
+import { env } from 'cloudflare:test'
+import { app } from '../src/index.ts'
+describe('Access Control Endpoints', () => {
+  describe('Package Access Status', () => {
+    describe('Unscoped Packages', () => {
+      it('should get access status for unscoped packages', async () => {
+        const res = await app.request(
+          '/-/package/lodash/access',
+          {},
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+        // Content-type depends on response status
+        if (res.status === 200) {
+          expect(res.headers.get('content-type')).toContain(
+            'application/json',
+          )
+        } else if (res.status === 500) {
+          expect(res.headers.get('content-type')).toContain(
+            'text/plain',
+          )
+        }
+      })
+      it('should set access status for unscoped packages', async () => {
+        const res = await app.request(
+          '/-/package/lodash/access',
+          {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              access: 'public',
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should handle private access setting', async () => {
+        const res = await app.request(
+          '/-/package/my-private-package/access',
+          {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              access: 'restricted',
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+    })
+    describe('Scoped Packages', () => {
+      it('should get access status for scoped packages', async () => {
+        const res = await app.request(
+          '/-/package/@types%2Fnode/access',
+          {},
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+        // Content-type depends on response status
+        if (res.status === 200) {
+          expect(res.headers.get('content-type')).toContain(
+            'application/json',
+          )
+        } else if (res.status === 500) {
+          expect(res.headers.get('content-type')).toContain(
+            'text/plain',
+          )
+        }
+      })
+      it('should set access status for scoped packages', async () => {
+        const res = await app.request(
+          '/-/package/@myorg%2Fmypackage/access',
+          {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              access: 'public',
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should handle URL-encoded scoped package names', async () => {
+        const res = await app.request(
+          '/-/package/@scope%2Fpackage/access',
+          {},
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+    })
+    describe('Access Status Response Structure', () => {
+      it('should return proper JSON structure for access status', async () => {
+        const res = await app.request(
+          '/-/package/lodash/access',
+          {},
+          env,
+        )
+        if (res.status === 200) {
+          const data = (await res.json()) as any
+          expect(data).toBeDefined()
+          // Access status structure would be validated based on implementation
+        }
+      })
+      it('should include access level in response', async () => {
+        const res = await app.request(
+          '/-/package/lodash/access',
+          {},
+          env,
+        )
+        if (res.status === 200) {
+          const data = (await res.json()) as any
+          expect(data).toBeDefined()
+          // Would validate access field based on implementation
+        }
+      })
+    })
+  })
+  describe('Package Collaborators', () => {
+    describe('Unscoped Package Collaborators', () => {
+      it('should grant access to unscoped package collaborators', async () => {
+        const res = await app.request(
+          '/-/package/lodash/collaborators/testuser',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['read', 'write'],
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should revoke access from unscoped package collaborators', async () => {
+        const res = await app.request(
+          '/-/package/lodash/collaborators/testuser',
+          {
+            method: 'DELETE',
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should handle different permission levels', async () => {
+        const res = await app.request(
+          '/-/package/lodash/collaborators/testuser',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['read'],
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+    })
+    describe('Scoped Package Collaborators', () => {
+      it('should grant access to scoped package collaborators', async () => {
+        const res = await app.request(
+          '/-/package/@myorg%2Fmypackage/collaborators/testuser',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['read', 'write'],
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should revoke access from scoped package collaborators', async () => {
+        const res = await app.request(
+          '/-/package/@myorg%2Fmypackage/collaborators/testuser',
+          {
+            method: 'DELETE',
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should handle multiple collaborators for scoped packages', async () => {
+        const res = await app.request(
+          '/-/package/@myorg%2Fmypackage/collaborators/user1',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['read', 'write', 'admin'],
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+    })
+    describe('Collaborator Management', () => {
+      it('should handle admin permissions for collaborators', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/collaborators/admin',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['read', 'write', 'admin'],
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should validate permission types', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/collaborators/testuser',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['invalid-permission'],
+            }),
+          },
+          env,
+        )
+        expect([400, 401, 404, 500].includes(res.status)).toBe(true)
+      })
+      it('should handle empty permissions array', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/collaborators/testuser',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: [],
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+    })
+  })
+  describe('Package List Access', () => {
+    describe('List All Packages', () => {
+      it('should list packages with access information', async () => {
+        const res = await app.request('/-/package/list', {}, env)
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+        // Content-type depends on response status
+        if (res.status === 200) {
+          expect(res.headers.get('content-type')).toContain(
+            'application/json',
+          )
+        } else if (res.status === 500) {
+          expect(res.headers.get('content-type')).toContain(
+            'text/plain',
+          )
+        }
+      })
+      it('should handle authenticated package listing', async () => {
+        const res = await app.request(
+          '/-/package/list',
+          {
+            headers: {
+              Authorization: 'Bearer test-admin-token-12345',
+            },
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should return proper structure for package list', async () => {
+        const res = await app.request('/-/package/list', {}, env)
+        if (res.status === 200) {
+          const data = (await res.json()) as any
+          expect(data).toBeDefined()
+          // Package list structure would be validated based on implementation
+        }
+      })
+    })
+    describe('Filtered Package Lists', () => {
+      it('should handle package list filtering by access level', async () => {
+        const res = await app.request(
+          '/-/package/list?access=public',
+          {},
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should handle package list filtering by user', async () => {
+        const res = await app.request(
+          '/-/package/list?user=testuser',
+          {},
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should handle pagination for package lists', async () => {
+        const res = await app.request(
+          '/-/package/list?limit=10&offset=0',
+          {},
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+    })
+  })
+  describe('Authentication and Authorization', () => {
+    describe('Authentication Requirements', () => {
+      it('should require authentication for access modification', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/access',
+          {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              access: 'public',
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should require authentication for collaborator management', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/collaborators/testuser',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['read'],
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should handle valid authentication tokens', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/access',
+          {
+            method: 'POST',
+            headers: {
+              Authorization: 'Bearer test-admin-token-12345',
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              access: 'public',
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+    })
+    describe('Authorization Levels', () => {
+      it('should check package ownership for access changes', async () => {
+        const res = await app.request(
+          '/-/package/someone-elses-package/access',
+          {
+            method: 'POST',
+            headers: {
+              Authorization: 'Bearer test-admin-token-12345',
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              access: 'public',
+            }),
+          },
+          env,
+        )
+        expect(
+          [200, 400, 401, 403, 404, 500].includes(res.status),
+        ).toBe(true)
+      })
+      it('should check admin permissions for collaborator management', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/collaborators/testuser',
+          {
+            method: 'PUT',
+            headers: {
+              Authorization: 'Bearer test-admin-token-12345',
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['read'],
+            }),
+          },
+          env,
+        )
+        expect(
+          [200, 400, 401, 403, 404, 500].includes(res.status),
+        ).toBe(true)
+      })
+    })
+  })
+  describe('Error Handling', () => {
+    describe('Invalid Package Names', () => {
+      it('should handle invalid package names in access requests', async () => {
+        const res = await app.request(
+          '/-/package/invalid..package/access',
+          env,
+        )
+        expect([400, 404, 500].includes(res.status)).toBe(true)
+      })
+      it('should handle malformed scoped package names', async () => {
+        const res = await app.request(
+          '/-/package/@invalid/access',
+          {},
+          env,
+        )
+        expect([400, 404, 500].includes(res.status)).toBe(true)
+      })
+      it('should handle packages starting with dots', async () => {
+        const res = await app.request(
+          '/-/package/.hidden-package/access',
+          env,
+        )
+        expect([400, 404, 500].includes(res.status)).toBe(true)
+      })
+    })
+    describe('Invalid Request Bodies', () => {
+      it('should handle malformed JSON in access requests', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/access',
+          {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: 'invalid-json',
+          },
+          env,
+        )
+        expect([400, 401, 500].includes(res.status)).toBe(true)
+      })
+      it('should handle missing required fields', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/access',
+          {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({}),
+          },
+          env,
+        )
+        expect([400, 401, 500].includes(res.status)).toBe(true)
+      })
+      it('should handle invalid access levels', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/access',
+          {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              access: 'invalid-access-level',
+            }),
+          },
+          env,
+        )
+        expect([400, 401, 500].includes(res.status)).toBe(true)
+      })
+    })
+    describe('Non-existent Resources', () => {
+      it('should handle non-existent packages', async () => {
+        const res = await app.request(
+          '/-/package/nonexistent-package-12345/access',
+          {},
+          env,
+        )
+        console.log(res.status)
+        expect([400, 404, 401, 500].includes(res.status)).toBe(true)
+      })
+      it('should handle non-existent users in collaborator requests', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/collaborators/nonexistent-user',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['read'],
+            }),
+          },
+          env,
+        )
+        expect([400, 401, 404, 500].includes(res.status)).toBe(true)
+      })
+    })
+  })
+  describe('Response Headers and Security', () => {
+    describe('Content-Type Headers', () => {
+      it('should set appropriate content-type headers', async () => {
+        const res = await app.request(
+          '/-/package/lodash/access',
+          {},
+          env,
+        )
+        if (res.status === 200) {
+          expect(res.headers.get('content-type')).toContain(
+            'application/json',
+          )
+        }
+      })
+    })
+    describe('Security Headers', () => {
+      it('should include security headers in access responses', async () => {
+        const res = await app.request(
+          '/-/package/lodash/access',
+          {},
+          env,
+        )
+        // Security headers would be validated based on implementation
+        expect(res.status).toBeDefined()
+      })
+    })
+    describe('CORS Headers', () => {
+      it('should handle CORS headers for access requests', async () => {
+        const res = await app.request(
+          '/-/package/lodash/access',
+          {
+            headers: {
+              Origin: 'https://example.com',
+            },
+          },
+          env,
+        )
+        // CORS headers would be validated based on implementation
+        expect(res.status).toBeDefined()
+      })
+    })
+  })
+  describe('Special Access Cases', () => {
+    describe('Organization Packages', () => {
+      it('should handle organization-scoped packages', async () => {
+        const res = await app.request(
+          '/-/package/@myorg%2Fpackage/access',
+          {},
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+      it('should handle organization member permissions', async () => {
+        const res = await app.request(
+          '/-/package/@myorg%2Fpackage/collaborators/orgmember',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['read', 'write'],
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+    })
+    describe('Team-based Access', () => {
+      it('should handle team-based access control', async () => {
+        const res = await app.request(
+          '/-/package/mypackage/collaborators/team:developers',
+          {
+            method: 'PUT',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+              permissions: ['read', 'write'],
+            }),
+          },
+          env,
+        )
+        expect([200, 400, 401, 404, 500].includes(res.status)).toBe(
+          true,
+        )
+      })
+    })
+  })
+})