@vltpkg/vsr 0.2.0

package/src/utils/packages.ts

@@ -0,0 +1,337 @@
+import { Buffer } from 'node:buffer'
+import * as semver from 'semver'
+import validate from 'validate-npm-package-name'
+import type {
+  HonoContext,
+  PackageSpec,
+  PackageManifest,
+  SlimmedManifest,
+  RequestContext,
+  ValidationResult,
+  FileInfo
+} from '../../types.ts'
+
+/**
+ * Extracts package.json from a tarball buffer
+ * @param tarballBuffer - The tarball as a Buffer
+ * @returns The parsed package.json content
+ */
+export async function extractPackageJSON(tarballBuffer: Buffer): Promise<PackageManifest | null> {
+  try {
+    // This would need to be implemented with a tarball extraction library
+    // For now, return null as a placeholder
+    console.log('[PACKAGES] Extracting package.json from tarball')
+    return null
+  } catch (error) {
+    console.error(`[ERROR] Failed to extract package.json: ${(error as Error).message}`)
+    return null
+  }
+}
+
+/**
+ * Extracts package specification from context
+ * @param c - The Hono context
+ * @returns Package specification object
+ */
+export function packageSpec(c: HonoContext): PackageSpec {
+  const { scope, pkg } = c.req.param()
+
+  if (scope && pkg) {
+    // Scoped package
+    const name = scope.startsWith('@') ? `${scope}/${pkg}` : `@${scope}/${pkg}`
+    return { name, scope, pkg }
+  } else if (scope) {
+    // Unscoped package (scope is actually the package name)
+    return { name: scope, pkg: scope }
+  }
+
+  return {}
+}
+
+/**
+ * Creates a file path for a package tarball
+ * @param options - Object with pkg and version
+ * @returns Tarball file path
+ */
+export function createFile({ pkg, version }: { pkg: string; version: string }): string {
+  try {
+    if (!pkg || !version) {
+      throw new Error('Missing required parameters')
+    }
+    // Generate the tarball path similar to npm registry format
+    const packageName = pkg.split('/').pop() || pkg
+    return `${pkg}/-/${packageName}-${version}.tgz`
+  } catch (err) {
+    console.error(`[ERROR] Failed to create file path for ${pkg}@${version}: ${(err as Error).message}`)
+    throw new Error('Failed to generate tarball path')
+  }
+}
+
+/**
+ * Creates a version specification string
+ * @param packageName - The package name
+ * @param version - The version
+ * @returns Version specification string
+ */
+export function createVersionSpec(packageName: string, version: string): string {
+  return `${packageName}@${version}`
+}
+
+/**
+ * Creates a full version object with proper manifest structure
+ * @param options - Object with pkg, version, and manifest
+ * @returns The manifest with proper name, version, and dist fields
+ */
+export function createVersion({ pkg, version, manifest }: { pkg: string; version: string; manifest: any }): any {
+  // If manifest is a string, parse it
+  let parsedManifest: any
+  if (typeof manifest === 'string') {
+    try {
+      parsedManifest = JSON.parse(manifest)
+    } catch (e) {
+      parsedManifest = {}
+    }
+  } else {
+    parsedManifest = manifest || {}
+  }
+
+  // Create the final manifest with proper structure
+  const result = {
+    ...parsedManifest,
+    name: pkg,
+    version: version,
+    dist: {
+      ...(parsedManifest.dist || {}),
+      tarball: parsedManifest.dist?.tarball || `https://registry.npmjs.org/${pkg}/-/${pkg.split('/').pop()}-${version}.tgz`
+    }
+  }
+
+  return result
+}
+
+/**
+ * Creates a slimmed down version of a package manifest
+ * Removes sensitive or unnecessary fields for public consumption
+ * @param manifest - The full package manifest
+ * @param context - Optional context for URL rewriting
+ * @returns Slimmed manifest
+ */
+export function slimManifest(manifest: any, context?: any): any {
+  if (!manifest) return {}
+
+  try {
+    // Parse manifest if it's a string
+    let parsed: any
+    if (typeof manifest === 'string') {
+      try {
+        parsed = JSON.parse(manifest)
+      } catch (e) {
+        // If parsing fails, use the original
+        parsed = manifest
+      }
+    } else {
+      parsed = manifest
+    }
+
+    // Create a new object with only the fields we want to keep
+    const slimmed: any = {
+      name: parsed.name,
+      version: parsed.version,
+      description: parsed.description,
+      keywords: parsed.keywords,
+      homepage: parsed.homepage,
+      bugs: parsed.bugs,
+      license: parsed.license,
+      author: parsed.author,
+      contributors: parsed.contributors,
+      funding: parsed.funding,
+      files: parsed.files,
+      main: parsed.main,
+      browser: parsed.browser,
+      bin: parsed.bin || {},
+      man: parsed.man,
+      directories: parsed.directories,
+      repository: parsed.repository,
+      scripts: parsed.scripts,
+      dependencies: parsed.dependencies || {},
+      devDependencies: parsed.devDependencies || {},
+      peerDependencies: parsed.peerDependencies || {},
+      optionalDependencies: parsed.optionalDependencies || {},
+      bundledDependencies: parsed.bundledDependencies,
+      peerDependenciesMeta: parsed.peerDependenciesMeta || {},
+      engines: parsed.engines || {},
+      os: parsed.os || [],
+      cpu: parsed.cpu || [],
+      types: parsed.types,
+      typings: parsed.typings,
+      module: parsed.module,
+      exports: parsed.exports,
+      imports: parsed.imports,
+      type: parsed.type,
+      dist: {
+        ...(parsed.dist || {}),
+        tarball: rewriteTarballUrlIfNeeded(parsed.dist?.tarball || '', parsed.name, parsed.version, context),
+        integrity: parsed.dist?.integrity || '',
+        shasum: parsed.dist?.shasum || ''
+      }
+    }
+
+    // Only include fields that were actually in the original manifest
+    // to avoid empty objects cluttering the response
+    Object.keys(slimmed).forEach(key => {
+      if (key !== 'dist' && slimmed[key] === undefined) {
+        delete slimmed[key]
+      }
+    })
+
+    return slimmed
+  } catch (err) {
+    console.error(`[ERROR] Failed to slim manifest: ${(err as Error).message}`)
+    return manifest || {} // Return the original if slimming fails
+  }
+}
+
+/**
+ * Validates a package name using npm validation rules
+ * @param packageName - The package name to validate
+ * @returns Validation result
+ */
+export function validatePackageName(packageName: string): ValidationResult {
+  const result = validate(packageName)
+  return {
+    valid: result.validForNewPackages || result.validForOldPackages,
+    errors: result.errors || []
+  }
+}
+
+/**
+ * Validates a semver version string
+ * @param version - The version to validate
+ * @returns True if valid semver
+ */
+export function validateVersion(version: string): boolean {
+  return semver.valid(version) !== null
+}
+
+/**
+ * Parses a version range and returns the best matching version from a list
+ * @param range - The semver range
+ * @param versions - Available versions
+ * @returns Best matching version or null
+ */
+export function getBestMatchingVersion(range: string, versions: string[]): string | null {
+  try {
+    return semver.maxSatisfying(versions, range)
+  } catch (error) {
+    console.error(`[ERROR] Invalid semver range: ${range}`)
+    return null
+  }
+}
+
+/**
+ * Extracts the package name from a scoped or unscoped package identifier
+ * @param identifier - Package identifier (e.g., "@scope/package" or "package")
+ * @returns Package name components
+ */
+export function parsePackageIdentifier(identifier: string): { scope?: string; name: string; fullName: string } {
+  if (identifier.startsWith('@')) {
+    const parts = identifier.split('/')
+    if (parts.length >= 2) {
+      return {
+        scope: parts[0],
+        name: parts.slice(1).join('/'),
+        fullName: identifier
+      }
+    }
+  }
+
+  return {
+    name: identifier,
+    fullName: identifier
+  }
+}
+
+/**
+ * Generates a tarball filename for a package version
+ * @param packageName - The package name
+ * @param version - The package version
+ * @returns Tarball filename
+ */
+export function generateTarballFilename(packageName: string, version: string): string {
+  const name = packageName.split('/').pop() || packageName
+  return `${name}-${version}.tgz`
+}
+
+/**
+ * Rewrite tarball URLs to point to our registry instead of the original registry
+ * Only rewrite if context is provided, otherwise return original URL
+ * @param originalUrl - The original tarball URL
+ * @param packageName - The package name
+ * @param version - The package version
+ * @param context - Context containing request info (host, upstream, etc.)
+ * @returns The rewritten or original tarball URL
+ */
+function rewriteTarballUrlIfNeeded(
+  originalUrl: string,
+  packageName: string,
+  version: string,
+  context?: any
+): string {
+  // Only rewrite if we have context indicating this is a proxied request
+  if (!context?.upstream || !originalUrl || !packageName || !version) {
+    return originalUrl
+  }
+
+  try {
+    // Extract the protocol and host from the context or use defaults
+    const protocol = context.protocol || 'http'
+    const host = context.host || 'localhost:1337'
+    const upstream = context.upstream
+
+    // Create the new tarball URL pointing to our registry
+    const filename = generateTarballFilename(packageName, version)
+    const newUrl = `${protocol}://${host}/${upstream}/${packageName}/-/${filename}`
+
+    console.log(`[TARBALL_REWRITE] ${originalUrl} -> ${newUrl}`)
+    return newUrl
+  } catch (err) {
+    console.error(`[ERROR] Failed to rewrite tarball URL: ${(err as Error).message}`)
+    return originalUrl
+  }
+}
+
+/**
+ * Checks if a package version satisfies a given semver range
+ * @param version - The version to check
+ * @param range - The semver range
+ * @returns True if version satisfies range
+ */
+export function satisfiesRange(version: string, range: string): boolean {
+  try {
+    return semver.satisfies(version, range)
+  } catch (error) {
+    console.error(`[ERROR] Invalid semver comparison: ${version} vs ${range}`)
+    return false
+  }
+}
+
+/**
+ * Sorts versions in descending order (newest first)
+ * @param versions - Array of version strings
+ * @returns Sorted versions array
+ */
+export function sortVersionsDescending(versions: string[]): string[] {
+  return versions.sort((a, b) => semver.rcompare(a, b))
+}
+
+/**
+ * Gets the latest version from an array of versions
+ * @param versions - Array of version strings
+ * @returns Latest version or null if no valid versions
+ */
+export function getLatestVersion(versions: string[]): string | null {
+  const validVersions = versions.filter(v => semver.valid(v))
+  if (validVersions.length === 0) return null
+
+  return semver.maxSatisfying(validVersions, '*')
+}

package/src/utils/response.ts

@@ -0,0 +1,100 @@
+import type { HonoContext, ApiError } from '../../types.ts'
+
+/**
+ * JSON response handler middleware that formats JSON based on Accept headers
+ * @returns Hono middleware function
+ */
+export function jsonResponseHandler() {
+  return async (c: any, next: any) => {
+    // Override the json method to handle formatting
+    const originalJson = c.json.bind(c)
+
+    c.json = (data: any, status?: number) => {
+      const acceptHeader = c.req.header('accept') || ''
+
+      // If the client accepts the npm install format, return minimal JSON
+      if (acceptHeader.includes('application/vnd.npm.install-v1+json')) {
+        // Use original json method for minimal output
+        return originalJson(data, status)
+      }
+
+      // For other requests, return pretty-printed JSON
+      const prettyJson = JSON.stringify(data, null, 2)
+      c.res = new Response(prettyJson, {
+        status: status || 200,
+        headers: {
+          'Content-Type': 'application/json; charset=UTF-8',
+        },
+      })
+      return c.res
+    }
+
+    await next()
+  }
+}
+
+/**
+ * Creates a standardized JSON error response
+ * @param c - The Hono context
+ * @param error - Error message or object
+ * @param status - HTTP status code
+ * @returns JSON error response
+ */
+export function jsonError(c: HonoContext, error: string | ApiError, status: number = 400) {
+  const errorObj: ApiError = typeof error === 'string'
+    ? { error }
+    : error
+
+  return c.json(errorObj, status as any)
+}
+
+/**
+ * Creates a standardized JSON success response
+ * @param c - The Hono context
+ * @param data - Response data
+ * @param status - HTTP status code
+ * @returns JSON success response
+ */
+export function jsonSuccess(c: HonoContext, data: any, status: number = 200) {
+  return c.json(data, status as any)
+}
+
+/**
+ * Creates a 404 Not Found response
+ * @param c - The Hono context
+ * @param message - Optional custom message
+ * @returns 404 JSON response
+ */
+export function notFound(c: HonoContext, message: string = 'Not Found') {
+  return jsonError(c, { error: message }, 404)
+}
+
+/**
+ * Creates a 401 Unauthorized response
+ * @param c - The Hono context
+ * @param message - Optional custom message
+ * @returns 401 JSON response
+ */
+export function unauthorized(c: HonoContext, message: string = 'Unauthorized') {
+  return jsonError(c, { error: message }, 401)
+}
+
+/**
+ * Creates a 403 Forbidden response
+ * @param c - The Hono context
+ * @param message - Optional custom message
+ * @returns 403 JSON response
+ */
+export function forbidden(c: HonoContext, message: string = 'Forbidden') {
+  return jsonError(c, { error: message }, 403)
+}
+
+/**
+ * Creates a 500 Internal Server Error response
+ * @param c - The Hono context
+ * @param message - Optional custom message
+ * @returns 500 JSON response
+ */
+export function internalServerError(c: HonoContext, message: string = 'Internal Server Error') {
+  return jsonError(c, { error: message }, 500)
+}

package/src/utils/routes.ts

@@ -0,0 +1,47 @@
+import type { HonoContext } from '../../types.ts'
+
+// Public / Static Assets
+export function requiresToken(c: HonoContext): boolean {
+  const { path } = c.req
+  const publicRoutes = [
+    '/images',
+    '/styles',
+    '/-/auth/*',
+    '/-/ping',
+    '/-/docs',
+    '/'
+  ]
+
+  // Package routes should be public for downloads
+  // This includes hash-based routes, upstream routes, and legacy redirects
+  const isPackageRoute = (
+    path.startsWith('/*/') ||                   // Hash-based routes (literal asterisk)
+    /^\/[^-/][^/]*\/[^/]/.test(path) ||        // Upstream or package routes
+    /^\/[^-/][^/]*$/.test(path) ||             // Root package routes
+    /^\/@[^/]+\/[^/]+/.test(path)              // Scoped packages
+  )
+
+  // Exclude PUT requests (publishing) from being public
+  const isPutRequest = c.req.method === 'PUT'
+  const isPublicPackageRoute = isPackageRoute && !isPutRequest
+
+  return publicRoutes.some(route => {
+    if (route.endsWith('/*')) {
+      return path.startsWith(route.slice(0, -2))
+    }
+    return path === route || path.startsWith(route)
+  }) || isPublicPackageRoute
+}
+
+// Catch-all for non-GET methods
+export function catchAll(c: HonoContext) {
+  return c.json({ error: 'Method not allowed' }, 405)
+}
+
+export function notFound(c: HonoContext) {
+  return c.json({ error: 'Not found' }, 404)
+}
+
+export function isOK(c: HonoContext) {
+  return c.json({ ok: true }, 200)
+}

package/src/utils/spa.ts

@@ -0,0 +1,14 @@
+import { DOMAIN } from '../../config.ts'
+
+export const getApp = async (): Promise<string> => {
+  const app = await fetch(`${DOMAIN}/public/dist/index.html`)
+  return changeSourceReferences(await app.text())
+}
+
+export const changeSourceReferences = (html: string): string => {
+  html = html.replace('href="/main.css', 'href="/public/dist/main.css')
+  html = html.replace('href="/favicon.ico"', 'href="/public/dist/favicon.ico"')
+  html = html.replace('href="/fonts/', 'href="/public/dist/fonts/')
+  html = html.replace('src="/index.js"', 'src="/public/dist/index.js"')
+  return html
+}

package/src/utils/tracing.ts

@@ -0,0 +1,63 @@
+/**
+ * Simple tracing utility for debugging and monitoring
+ */
+
+/**
+ * Logs a trace message with timestamp
+ * @param message - The message to log
+ * @param data - Optional additional data to log
+ */
+export function trace(message: string, data?: any): void {
+  const timestamp = new Date().toISOString()
+  if (data) {
+    console.log(`[TRACE ${timestamp}] ${message}`, data)
+  } else {
+    console.log(`[TRACE ${timestamp}] ${message}`)
+  }
+}
+
+/**
+ * Measures execution time of a function
+ * @param name - Name of the operation being measured
+ * @param fn - Function to measure
+ * @returns Result of the function
+ */
+export async function measureTime<T>(name: string, fn: () => Promise<T>): Promise<T> {
+  const start = performance.now()
+  try {
+    const result = await fn()
+    const duration = performance.now() - start
+    trace(`${name} completed in ${duration.toFixed(2)}ms`)
+    return result
+  } catch (error) {
+    const duration = performance.now() - start
+    trace(`${name} failed after ${duration.toFixed(2)}ms`, error)
+    throw error
+  }
+}
+
+/**
+ * Session monitoring middleware for tracking requests with Sentry integration
+ * @param c - The Hono context
+ * @param next - The next middleware function
+ */
+export function sessionMonitor(c: any, next: any) {
+  // Import Sentry dynamically to avoid issues if not available
+  try {
+    const Sentry = require('@sentry/cloudflare')
+
+    if (c.session?.user) {
+      Sentry.setUser({
+        email: c.session.user.email,
+      })
+    }
+    if (c.session?.projectId) {
+      Sentry.setTag('project_id', c.session.projectId)
+    }
+  } catch (error) {
+    // Sentry not available, continue without it
+    trace('Sentry not available for session monitoring')
+  }
+
+  return next()
+}

package/src/utils/upstream.ts

@@ -0,0 +1,131 @@
+import { ORIGIN_CONFIG, RESERVED_ROUTES } from '../../config.ts'
+import type { UpstreamConfig, ParsedPackageInfo } from '../../types.ts'
+
+/**
+ * Validates if an upstream name is allowed (not reserved)
+ * @param upstreamName - The upstream name to validate
+ * @returns True if valid, false if reserved
+ */
+export function isValidUpstreamName(upstreamName: string): boolean {
+  return !RESERVED_ROUTES.includes(upstreamName)
+}
+
+/**
+ * Gets the upstream configuration by name
+ * @param upstreamName - The upstream name
+ * @returns The upstream config or null if not found
+ */
+export function getUpstreamConfig(upstreamName: string): UpstreamConfig | null {
+  return ORIGIN_CONFIG.upstreams[upstreamName] || null
+}
+
+/**
+ * Gets the default upstream name
+ * @returns The default upstream name
+ */
+export function getDefaultUpstream(): string {
+  return ORIGIN_CONFIG.default
+}
+
+/**
+ * Generates a cache key for upstream package data
+ * @param upstreamName - The upstream name
+ * @param packageName - The package name
+ * @param version - The package version (optional)
+ * @returns A deterministic hash ID
+ */
+export function generateCacheKey(upstreamName: string, packageName: string, version?: string): string {
+  const key = version ? `${upstreamName}:${packageName}:${version}` : `${upstreamName}:${packageName}`
+  return Buffer.from(key).toString('base64url')
+}
+
+/**
+ * Parses a request path to extract package information
+ * @param path - The request path
+ * @returns Parsed package info
+ */
+export function parsePackageSpec(path: string): ParsedPackageInfo {
+  // Remove leading slash and split by '/'
+  const segments = path.replace(/^\/+/, '').split('/')
+
+  // Handle different path patterns
+  if (segments.length === 0) {
+    return { packageName: '', segments }
+  }
+
+  // Check if first segment is an upstream name
+  const firstSegment = segments[0]
+  if (ORIGIN_CONFIG.upstreams[firstSegment]) {
+    // Path starts with upstream name: /upstream/package/version
+    const upstream = firstSegment
+    const packageSegments = segments.slice(1)
+
+    if (packageSegments.length === 0) {
+      return { upstream, packageName: '', segments: packageSegments }
+    }
+
+    // Handle scoped packages: @scope/package
+    if (packageSegments[0]?.startsWith('@') && packageSegments.length > 1) {
+      const packageName = `${packageSegments[0]}/${packageSegments[1]}`
+      const version = packageSegments[2]
+      const remainingSegments = packageSegments.slice(2)
+      return { upstream, packageName, version, segments: remainingSegments }
+    }
+
+    // Handle regular packages
+    const packageName = packageSegments[0]
+    const version = packageSegments[1]
+    const remainingSegments = packageSegments.slice(1)
+    return { upstream, packageName, version, segments: remainingSegments }
+  }
+
+  // No upstream in path, treat as package name
+  if (firstSegment?.startsWith('@') && segments.length > 1) {
+    // Scoped package: @scope/package/version
+    const packageName = `${segments[0]}/${segments[1]}`
+    const version = segments[2]
+    const remainingSegments = segments.slice(2)
+    return { packageName, version, segments: remainingSegments }
+  }
+
+  // Regular package: package/version
+  const packageName = segments[0]
+  const version = segments[1]
+  const remainingSegments = segments.slice(1)
+  return { packageName, version, segments: remainingSegments }
+}
+
+/**
+ * Constructs the upstream URL for a package request
+ * @param upstreamConfig - The upstream configuration
+ * @param packageName - The package name
+ * @param path - Additional path segments
+ * @returns The full upstream URL
+ */
+export function buildUpstreamUrl(upstreamConfig: UpstreamConfig, packageName: string, path: string = ''): string {
+  const baseUrl = upstreamConfig.url.replace(/\/$/, '')
+  const encodedPackage = encodeURIComponent(packageName)
+
+  switch (upstreamConfig.type) {
+    case 'npm':
+    case 'vsr':
+      return `${baseUrl}/${encodedPackage}${path ? `/${path}` : ''}`
+    case 'jsr':
+      // JSR has a different URL structure
+      return `${baseUrl}/${encodedPackage}${path ? `/${path}` : ''}`
+    case 'local':
+      return `${baseUrl}/${encodedPackage}${path ? `/${path}` : ''}`
+    default:
+      return `${baseUrl}/${encodedPackage}${path ? `/${path}` : ''}`
+  }
+}
+
+/**
+ * Checks if proxying is enabled for an upstream
+ * @param upstreamName - The upstream name
+ * @returns True if proxying is enabled
+ */
+export function isProxyEnabled(upstreamName: string): boolean {
+  const config = getUpstreamConfig(upstreamName)
+  return config !== null && config.type !== 'local'
+}