@vltpkg/vsr 0.0.0-27 → 0.0.0-28

package/src/utils/response.ts

@@ -0,0 +1,125 @@
+import type { HonoContext, ApiError } from '../../types.ts'
+
+/**
+ * JSON response handler middleware that formats JSON based on Accept headers
+ * @returns {Function} Hono middleware function
+ */
+export function jsonResponseHandler() {
+  return async (c: any, next: any) => {
+    // Override the json method to handle formatting
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+    const originalJson = c.json.bind(c)
+
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+    c.json = (data: any, status?: number) => {
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+      const acceptHeader = c.req.header('accept') || ''
+
+      // If the client accepts the npm install format, return minimal JSON
+
+      if (
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+        acceptHeader.includes('application/vnd.npm.install-v1+json')
+      ) {
+        // Use original json method for minimal output
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-return, @typescript-eslint/no-unsafe-call
+        return originalJson(data, status)
+      }
+
+      // For other requests, return pretty-printed JSON
+      // Preserve existing headers that were set via c.header()
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-argument
+      const existingHeaders = new Headers(c.res?.headers || {})
+      existingHeaders.set(
+        'Content-Type',
+        'application/json; charset=UTF-8',
+      )
+
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+      c.res = new Response(JSON.stringify(data, null, 2), {
+        status: status || 200,
+        headers: existingHeaders,
+      })
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-return, @typescript-eslint/no-unsafe-member-access
+      return c.res
+    }
+
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+    await next()
+  }
+}
+
+/**
+ * Creates a standardized JSON error response
+ * @param {HonoContext} c - The Hono context
+ * @param {string | ApiError} error - Error message or object
+ * @param {number} [status] - HTTP status code
+ * @returns {any} JSON error response
+ */
+export function jsonError(
+  c: HonoContext,
+  error: string | ApiError,
+  status = 400,
+) {
+  const errorObj: ApiError =
+    typeof error === 'string' ? { error } : error
+
+  return c.json(errorObj, status as any)
+}
+
+/**
+ * Creates a standardized JSON success response
+ * @param {HonoContext} c - The Hono context
+ * @param {any} data - Response data
+ * @param {number} [status] - HTTP status code
+ * @returns {any} JSON success response
+ */
+export function jsonSuccess(c: HonoContext, data: any, status = 200) {
+  return c.json(data, status as any)
+}
+
+/**
+ * Creates a 404 Not Found response
+ * @param {HonoContext} c - The Hono context
+ * @param {string} [message] - Optional custom message
+ * @returns {any} 404 JSON response
+ */
+export function notFound(c: HonoContext, message = 'Not Found') {
+  return jsonError(c, { error: message }, 404)
+}
+
+/**
+ * Creates a 401 Unauthorized response
+ * @param {HonoContext} c - The Hono context
+ * @param {string} [message] - Optional custom message
+ * @returns {any} 401 JSON response
+ */
+export function unauthorized(
+  c: HonoContext,
+  message = 'Unauthorized',
+) {
+  return jsonError(c, { error: message }, 401)
+}
+
+/**
+ * Creates a 403 Forbidden response
+ * @param {HonoContext} c - The Hono context
+ * @param {string} [message] - Optional custom message
+ * @returns {any} 403 JSON response
+ */
+export function forbidden(c: HonoContext, message = 'Forbidden') {
+  return jsonError(c, { error: message }, 403)
+}
+
+/**
+ * Creates a 500 Internal Server Error response
+ * @param {HonoContext} c - The Hono context
+ * @param {string} [message] - Optional custom message
+ * @returns {any} 500 JSON response
+ */
+export function internalServerError(
+  c: HonoContext,
+  message = 'Internal Server Error',
+) {
+  return jsonError(c, { error: message }, 500)
+}

package/src/utils/routes.ts

@@ -0,0 +1,64 @@
+import type { HonoContext } from '../../types.ts'
+
+// Public / Static Assets
+export function requiresToken(c: HonoContext): boolean {
+  const { path } = c.req
+  const publicRoutes = [
+    '/images',
+    '/styles',
+    '/-/auth/*',
+    '/-/ping',
+    '/-/docs',
+    '/',
+  ]
+
+  // Check for upstream utility routes that are public (ping and docs only)
+  const upstreamPublicPattern = /^\/[^/]+\/-\/(ping|docs)$/
+  if (upstreamPublicPattern.test(path)) {
+    return false // These are public, no token required
+  }
+
+  // Check standard public routes
+  const isStandardPublicRoute = publicRoutes.some(route => {
+    if (route.endsWith('/*')) {
+      return path.startsWith(route.slice(0, -2))
+    }
+    return path === route || path.startsWith(route)
+  })
+
+  if (isStandardPublicRoute) {
+    return false // No token required
+  }
+
+  // Package routes should be public for downloads
+  // This includes hash-based routes, upstream routes, and legacy redirects
+  const isPackageRoute =
+    path.startsWith('/*/') || // Hash-based routes (literal asterisk)
+    /^\/[^-/][^/]*\/[^/]/.test(path) || // Upstream or package routes
+    /^\/[^-/][^/]*$/.test(path) || // Root package routes
+    /^\/@[^/]+\/[^/]+/.test(path) // Scoped packages
+
+  // Exclude PUT requests (publishing) from being public
+  const isPutRequest = c.req.method === 'PUT'
+  const isPublicPackageRoute = isPackageRoute && !isPutRequest
+
+  if (isPublicPackageRoute) {
+    return false // No token required
+  }
+
+  // All other routes require authentication
+  return true
+}
+
+// Catch-all for non-GET methods
+export function catchAll(c: HonoContext) {
+  return c.json({ error: 'Method not allowed' }, 405)
+}
+
+export function notFound(c: HonoContext) {
+  return c.json({ error: 'Not found' }, 404)
+}
+
+export function isOK(c: HonoContext) {
+  return c.json({}, 200)
+}

package/src/utils/spa.ts

@@ -0,0 +1,52 @@
+// This function now takes the ASSETS environment binding as a parameter
+// to avoid the circular dependency issue
+export const getApp = async (
+  assetsBinding?: any,
+): Promise<string> => {
+  if (assetsBinding) {
+    try {
+      // Use the ASSETS binding to fetch the index.html file
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+      const response = (await assetsBinding.fetch(
+        new Request('http://localhost/public/index.html'),
+      )) as Response
+      if (response.ok) {
+        const html = await response.text()
+        return changeSourceReferences(html)
+      }
+    } catch (error) {
+      // eslint-disable-next-line no-console
+      console.error('Failed to load index.html from assets:', error)
+    }
+  }
+
+  // Fallback: provide a simple HTML page
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>vlt | Explorer</title>
+  <style>
+    body { font-family: system-ui, sans-serif; padding: 2rem; text-align: center; }
+    .error { color: #dc2626; margin: 1rem 0; }
+  </style>
+</head>
+<body>
+  <h1>vlt | Explorer</h1>
+  <div class="error">Unable to load the application assets.</div>
+  <p>Please check that the server is running correctly and assets are available.</p>
+</body>
+</html>`
+}
+
+export const changeSourceReferences = (html: string): string => {
+  html = html.replace('href="/main.css', 'href="/public/main.css')
+  html = html.replace(
+    'href="/favicon.ico"',
+    'href="/public/favicon.ico"',
+  )
+  html = html.replace('href="/fonts/', 'href="/public/fonts/')
+  html = html.replace('src="/index.js"', 'src="/public/index.js"')
+  return html
+}

package/src/utils/tracing.ts

@@ -0,0 +1,52 @@
+/**
+ * Simple tracing utility for debugging and monitoring
+ */
+
+/**
+ * Logs a trace message with timestamp
+ * @param {string} _message - The message to log
+ * @param {any} _data - Optional additional data to log
+ */
+export function trace(_message: string, _data?: any): void {
+  // Tracing disabled for production
+}
+
+/**
+ * Measures execution time of a function
+ * @param {string} name - Name of the operation being measured
+ * @param {() => Promise<any>} fn - Function to measure
+ * @returns {Promise<any>} Result of the function
+ */
+export async function measureTime<T>(
+  name: string,
+  fn: () => Promise<T>,
+): Promise<T> {
+  const start = performance.now()
+  try {
+    const result = await fn()
+    const duration = performance.now() - start
+    trace(`${name} completed in ${duration.toFixed(2)}ms`)
+    return result
+  } catch (error) {
+    const duration = performance.now() - start
+    trace(`${name} failed after ${duration.toFixed(2)}ms`, error)
+    throw error
+  }
+}
+
+/**
+ * Session monitoring middleware for tracking requests
+ * @param {any} _c - The Hono context
+ * @param {() => Promise<void>} next - The next middleware function
+ * @returns {Promise<void>} Result of next middleware
+ */
+export function sessionMonitor(
+  _c: any,
+  next: () => Promise<void>,
+): Promise<void> {
+  // Session monitoring is currently disabled
+  // This middleware can be extended to add session tracking functionality
+  trace('Session monitoring middleware called')
+
+  return next()
+}

package/src/utils/upstream.ts

@@ -0,0 +1,172 @@
+import { ORIGIN_CONFIG, RESERVED_ROUTES } from '../../config.ts'
+import type {
+  UpstreamConfig,
+  ParsedPackageInfo,
+} from '../../types.ts'
+
+/**
+ * Validates if an upstream name is allowed (not reserved)
+ * @param {string} upstreamName - The upstream name to validate
+ * @returns {boolean} True if valid, false if reserved
+ */
+export function isValidUpstreamName(upstreamName: string): boolean {
+  return !RESERVED_ROUTES.includes(upstreamName)
+}
+
+/**
+ * Gets the upstream configuration by name
+ * @param {string} upstreamName - The upstream name
+ * @returns {UpstreamConfig | null} The upstream config or null if not found
+ */
+export function getUpstreamConfig(
+  upstreamName: string,
+): UpstreamConfig | null {
+  return ORIGIN_CONFIG.upstreams[upstreamName] ?? null
+}
+
+/**
+ * Gets the default upstream name
+ * @returns {string} The default upstream name
+ */
+export function getDefaultUpstream(): string {
+  return ORIGIN_CONFIG.default
+}
+
+/**
+ * Generates a cache key for upstream package data
+ * @param {string} upstreamName - The upstream name
+ * @param {string} packageName - The package name
+ * @param {string} [version] - The package version (optional)
+ * @returns {string} A deterministic hash ID
+ */
+export function generateCacheKey(
+  upstreamName: string,
+  packageName: string,
+  version?: string,
+): string {
+  const key =
+    version ?
+      `${upstreamName}:${packageName}:${version}`
+    : `${upstreamName}:${packageName}`
+
+  // Use TextEncoder for cross-platform compatibility
+  const encoder = new TextEncoder()
+  const data = encoder.encode(key)
+
+  // Convert to base64 using btoa
+  const base64 = btoa(String.fromCharCode(...data))
+
+  // Convert base64 to base64url format (replace + with -, / with _, remove =)
+  return base64
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '')
+}
+
+/**
+ * Parses a request path to extract package information
+ * @param {string} path - The request path
+ * @returns {ParsedPackageInfo} Parsed package info
+ */
+export function parsePackageSpec(path: string): ParsedPackageInfo {
+  // Remove leading slash and split by '/'
+  const segments = path.replace(/^\/+/, '').split('/')
+
+  // Handle different path patterns
+  if (segments.length === 0) {
+    return { packageName: '', segments }
+  }
+
+  // Check if first segment is an upstream name
+  const firstSegment = segments[0]
+  if (firstSegment && ORIGIN_CONFIG.upstreams[firstSegment]) {
+    // Path starts with upstream name: /upstream/package/version
+    const upstream = firstSegment
+    const packageSegments = segments.slice(1)
+
+    if (packageSegments.length === 0) {
+      return { upstream, packageName: '', segments: packageSegments }
+    }
+
+    // Handle scoped packages: @scope/package
+    if (
+      packageSegments[0]?.startsWith('@') &&
+      packageSegments.length > 1
+    ) {
+      const packageName = `${packageSegments[0]}/${packageSegments[1]}`
+      const version = packageSegments[2]
+      const remainingSegments = packageSegments.slice(2)
+      return {
+        upstream,
+        packageName,
+        version,
+        segments: remainingSegments,
+      }
+    }
+
+    // Handle regular packages
+    const packageName = packageSegments[0] || ''
+    const version = packageSegments[1]
+    const remainingSegments = packageSegments.slice(1)
+    return {
+      upstream,
+      packageName,
+      version,
+      segments: remainingSegments,
+    }
+  }
+
+  // No upstream in path, treat as package name
+  if (firstSegment?.startsWith('@') && segments.length > 1) {
+    // Scoped package: @scope/package/version
+    const packageName = `${segments[0]}/${segments[1] || ''}`
+    const version = segments[2]
+    const remainingSegments = segments.slice(2)
+    return { packageName, version, segments: remainingSegments }
+  }
+
+  // Regular package: package/version
+  const packageName = segments[0] || ''
+  const version = segments[1]
+  const remainingSegments = segments.slice(1)
+  return { packageName, version, segments: remainingSegments }
+}
+
+/**
+ * Constructs the upstream URL for a package request
+ * @param {UpstreamConfig} upstreamConfig - The upstream configuration
+ * @param {string} packageName - The package name
+ * @param {string} [path] - Additional path segments
+ * @returns {string} The full upstream URL
+ */
+export function buildUpstreamUrl(
+  upstreamConfig: UpstreamConfig,
+  packageName: string,
+  path = '',
+): string {
+  const baseUrl = upstreamConfig.url.replace(/\/$/, '')
+  const encodedPackage = encodeURIComponent(packageName)
+
+  switch (upstreamConfig.type) {
+    case 'npm':
+    case 'vsr':
+      return `${baseUrl}/${encodedPackage}${path ? `/${path}` : ''}`
+    case 'jsr':
+      // JSR has a different URL structure
+      return `${baseUrl}/${encodedPackage}${path ? `/${path}` : ''}`
+    case 'local':
+      return `${baseUrl}/${encodedPackage}${path ? `/${path}` : ''}`
+    default:
+      return `${baseUrl}/${encodedPackage}${path ? `/${path}` : ''}`
+  }
+}
+
+/**
+ * Checks if proxying is enabled for an upstream
+ * @param {string} upstreamName - The upstream name
+ * @returns {boolean} True if proxying is enabled
+ */
+export function isProxyEnabled(upstreamName: string): boolean {
+  const config = getUpstreamConfig(upstreamName)
+  return config !== null && config.type !== 'local'
+}

package/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "target": "es2022",
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "esModuleInterop": true,
+    "allowSyntheticDefaultImports": true,
+    "resolveJsonModule": true,
+    "declaration": false,
+    "declarationMap": false,
+    "sourceMap": true,
+    "noEmit": true
+  },
+  "include": ["src/**/*", "config.ts", "types.ts"]
+}

package/tsconfig.worker.json

@@ -0,0 +1,3 @@
+{
+  "extends": "./tsconfig.json"
+}

package/typedoc.mjs

@@ -0,0 +1,2 @@
+import config from '../../www/docs/typedoc.workspace.mjs'
+export default config(import.meta.dirname)