@voyant-travel/hono 0.117.2 → 0.118.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/anonymous-paths.d.ts.map +1 -1
- package/dist/anonymous-paths.js +20 -0
- package/dist/app.d.ts.map +1 -1
- package/dist/app.js +4 -20
- package/dist/lazy-routes.d.ts +1 -1
- package/dist/module.d.ts +18 -10
- package/dist/module.d.ts.map +1 -1
- package/dist/public-document-delivery.d.ts +4 -4
- package/package.json +7 -7
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"anonymous-paths.d.ts","sourceRoot":"","sources":["../src/anonymous-paths.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"anonymous-paths.d.ts","sourceRoot":"","sources":["../src/anonymous-paths.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAG5D;;;;;;;;;;;GAWG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,SAAS,UAAU,EAAE,EAC9B,UAAU,EAAE,SAAS,aAAa,EAAE,EACpC,QAAQ,GAAE,SAAS,MAAM,EAAO,GAC/B,MAAM,EAAE,CA0CV"}
|
package/dist/anonymous-paths.js
CHANGED
|
@@ -25,11 +25,31 @@ export function assembleAnonymousPaths(modules, extensions, explicit = []) {
|
|
|
25
25
|
paths.add(trimmed ? `${mount}/${trimmed}` : mount);
|
|
26
26
|
}
|
|
27
27
|
};
|
|
28
|
+
// Inbound webhook routes are unauthenticated by construction (the handler
|
|
29
|
+
// verifies the provider signature), so their concrete absolute paths are
|
|
30
|
+
// auto-added to the allow-list — no per-deployment `publicPaths` entry. Mounted
|
|
31
|
+
// at `/v1/{name}`, matching the mount in `app.ts`. Parameterized/wildcard paths
|
|
32
|
+
// are skipped (the literal `matchesPublicPath` matcher can't match them) and
|
|
33
|
+
// must be declared via `anonymous` if ever needed.
|
|
34
|
+
// biome-ignore lint/suspicious/noExplicitAny: Hono sub-apps have varied env generics -- owner: hono; mirrors the HonoModule.webhookRoutes suppression.
|
|
35
|
+
const addWebhooks = (name, routes) => {
|
|
36
|
+
if (!routes)
|
|
37
|
+
return;
|
|
38
|
+
for (const route of routes.routes) {
|
|
39
|
+
const path = route.path;
|
|
40
|
+
if (path.includes(":") || path.includes("*"))
|
|
41
|
+
continue;
|
|
42
|
+
const trimmed = path.replace(/\/+$/g, "");
|
|
43
|
+
paths.add(`/v1/${name}${trimmed === "/" ? "" : trimmed}`);
|
|
44
|
+
}
|
|
45
|
+
};
|
|
28
46
|
for (const m of modules) {
|
|
29
47
|
add(resolveSurfaceMountPath("/v1/public", m.publicPath, m.module.name), m.anonymous);
|
|
48
|
+
addWebhooks(m.module.name, m.webhookRoutes);
|
|
30
49
|
}
|
|
31
50
|
for (const e of extensions) {
|
|
32
51
|
add(resolveSurfaceMountPath("/v1/public", e.publicPath, e.extension.module), e.anonymous);
|
|
52
|
+
addWebhooks(e.extension.module, e.webhookRoutes);
|
|
33
53
|
}
|
|
34
54
|
return [...paths].sort();
|
|
35
55
|
}
|
package/dist/app.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAQhC,OAAO,EAAE,KAAK,gBAAgB,EAA0C,MAAM,kBAAkB,CAAA;AA8BhG,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAY,eAAe,EAAE,MAAM,YAAY,CAAA;AAI5F,4EAA4E;AAC5E,KAAK,QAAQ,CAAC,SAAS,SAAS,cAAc,IAAI;IAChD,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAA;AAuBD;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACxB,yEAAyE;IACzE,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,gBAAgB,CAAA;CACvB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,mBAAmB,CAAC,SAAS,GAAG,OAAO;IACtD;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC1C;;;;;;;;OAQG;IACH,QAAQ,EAAE,OAAO,qBAAqB,EAAE,QAAQ,CAAA;IAChD;;;;;OAKG;IACH,UAAU,EAAE,SAAS,EAAE,CAAA;CACxB;AAED;;;;;;GAMG;AACH,wBAAgB,QAAQ,CAAC,SAAS,SAAS,cAAc,EACvD,MAAM,EAAE,eAAe,CAAC,SAAS,CAAC,GACjC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,GAAG,mBAAmB,CAAC,SAAS,CAAC,
|
|
1
|
+
{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAQhC,OAAO,EAAE,KAAK,gBAAgB,EAA0C,MAAM,kBAAkB,CAAA;AA8BhG,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAY,eAAe,EAAE,MAAM,YAAY,CAAA;AAI5F,4EAA4E;AAC5E,KAAK,QAAQ,CAAC,SAAS,SAAS,cAAc,IAAI;IAChD,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAA;AAuBD;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACxB,yEAAyE;IACzE,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,gBAAgB,CAAA;CACvB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,mBAAmB,CAAC,SAAS,GAAG,OAAO;IACtD;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC1C;;;;;;;;OAQG;IACH,QAAQ,EAAE,OAAO,qBAAqB,EAAE,QAAQ,CAAA;IAChD;;;;;OAKG;IACH,UAAU,EAAE,SAAS,EAAE,CAAA;CACxB;AAED;;;;;;GAMG;AACH,wBAAgB,QAAQ,CAAC,SAAS,SAAS,cAAc,EACvD,MAAM,EAAE,eAAe,CAAC,SAAS,CAAC,GACjC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,GAAG,mBAAmB,CAAC,SAAS,CAAC,CA2e5D"}
|
package/dist/app.js
CHANGED
|
@@ -389,22 +389,6 @@ export function mountApp(config) {
|
|
|
389
389
|
const actorOptions = { basePath: config.basePath };
|
|
390
390
|
app.use("/v1/admin/*", requireActor(actorOptions, "staff"));
|
|
391
391
|
app.use("/v1/public/*", requireActor(actorOptions, "customer", "partner", "supplier"));
|
|
392
|
-
const requireLegacyActor = requireActor(actorOptions, "staff");
|
|
393
|
-
app.use("/v1/*", (c, next) => {
|
|
394
|
-
const pathname = normalizePathname(new URL(c.req.url).pathname, { basePath: config.basePath });
|
|
395
|
-
if (pathname.startsWith("/v1/admin/") || pathname.startsWith("/v1/public/")) {
|
|
396
|
-
return next();
|
|
397
|
-
}
|
|
398
|
-
// Anonymous legacy/webhook routes (ADR-0008) — e.g. a bundle-declared
|
|
399
|
-
// payment-processor callback at `/v1/finance/...`. `requireAuth` already
|
|
400
|
-
// skipped credential resolution for these, but it only stamps an actor on
|
|
401
|
-
// `/v1/public/*`, so without this skip the fail-closed staff guard would 401
|
|
402
|
-
// a route that is meant to be reachable without a session.
|
|
403
|
-
if (matchesPublicPath(pathname, anonymousPaths)) {
|
|
404
|
-
return next();
|
|
405
|
-
}
|
|
406
|
-
return requireLegacyActor(c, next);
|
|
407
|
-
});
|
|
408
392
|
// Admin capability discovery — GET /v1/admin/_meta/capabilities. A built-in
|
|
409
393
|
// framework route (like /health), mounted only when the deployment supplies
|
|
410
394
|
// the operation catalogue via `config.adminMeta` (from
|
|
@@ -450,8 +434,8 @@ export function mountApp(config) {
|
|
|
450
434
|
mountLazyRoutePaths(app, mod.lazyRoutes.paths, mod.lazyRoutes.load);
|
|
451
435
|
lazyMounts.push({ prefix: "/", load: mod.lazyRoutes.load });
|
|
452
436
|
}
|
|
453
|
-
if (mod.
|
|
454
|
-
app.route(`/v1/${mod.module.name}`, mod.
|
|
437
|
+
if (mod.webhookRoutes) {
|
|
438
|
+
app.route(`/v1/${mod.module.name}`, mod.webhookRoutes);
|
|
455
439
|
}
|
|
456
440
|
}
|
|
457
441
|
// Mount extension routes
|
|
@@ -476,8 +460,8 @@ export function mountApp(config) {
|
|
|
476
460
|
mountLazyRoutePaths(app, ext.lazyRoutes.paths, ext.lazyRoutes.load);
|
|
477
461
|
lazyMounts.push({ prefix: "/", load: ext.lazyRoutes.load });
|
|
478
462
|
}
|
|
479
|
-
if (ext.
|
|
480
|
-
app.route(`/v1/${ext.extension.module}`, ext.
|
|
463
|
+
if (ext.webhookRoutes) {
|
|
464
|
+
app.route(`/v1/${ext.extension.module}`, ext.webhookRoutes);
|
|
481
465
|
}
|
|
482
466
|
}
|
|
483
467
|
// Additional routes
|
package/dist/lazy-routes.d.ts
CHANGED
|
@@ -8,7 +8,7 @@
|
|
|
8
8
|
* route families don't inflate the main bundle or the Worker cold start.
|
|
9
9
|
*
|
|
10
10
|
* For deployment-local families that span MULTIPLE absolute path prefixes (e.g.
|
|
11
|
-
* an operator bundle exposing `/v1/uploads
|
|
11
|
+
* an operator bundle exposing `/v1/admin/uploads` and `/v1/admin/media/*`),
|
|
12
12
|
* the single-surface loaders don't fit. Such families declare `lazyRoutes`:
|
|
13
13
|
* `{ paths, load }` where `load` returns a sub-app whose routes are ABSOLUTE and
|
|
14
14
|
* `paths` are the explicit matchers the framework installs up front. This is the
|
package/dist/module.d.ts
CHANGED
|
@@ -3,18 +3,23 @@ import type { Hono } from "hono";
|
|
|
3
3
|
import type { LazyHonoRoutes, LazyRoutesLoader } from "./lazy-routes.js";
|
|
4
4
|
export interface HonoModule {
|
|
5
5
|
module: Module;
|
|
6
|
-
/**
|
|
7
|
-
* Legacy routes — mounted at `/v1/{module.name}`. Gated by the caller's
|
|
8
|
-
* `requireAuth` configuration. Use `adminRoutes` / `publicRoutes` for new
|
|
9
|
-
* modules that participate in the admin/public API split.
|
|
10
|
-
*
|
|
11
|
-
* @deprecated Prefer `adminRoutes` or `publicRoutes`.
|
|
12
|
-
*/
|
|
13
|
-
routes?: Hono<any>;
|
|
14
6
|
/** Staff-facing routes — mounted at `/v1/admin/{module.name}`. */
|
|
15
7
|
adminRoutes?: Hono<any>;
|
|
16
8
|
/** Customer/partner/supplier-facing routes — mounted at `/v1/public/{module.name}`. */
|
|
17
9
|
publicRoutes?: Hono<any>;
|
|
10
|
+
/**
|
|
11
|
+
* Inbound webhook routes — e.g. a payment-processor callback POSTed by an
|
|
12
|
+
* external system with no session. Mounted at `/v1/{module.name}` (so existing
|
|
13
|
+
* processor-registered callback URLs are preserved), and their concrete paths
|
|
14
|
+
* are AUTOMATICALLY added to the anonymous allow-list (ADR-0008) — no
|
|
15
|
+
* `anonymous` declaration or `publicPaths` entry needed. The handler is
|
|
16
|
+
* responsible for verifying the provider signature. Distinct from `routes`
|
|
17
|
+
* (deprecated catch-all) and from `publicRoutes` (session-bearing customer
|
|
18
|
+
* surface): a webhook is unauthenticated by construction and verified in-band.
|
|
19
|
+
* Only concrete paths are auto-allow-listed; parameterized/wildcard webhook
|
|
20
|
+
* paths must additionally be declared via `anonymous`.
|
|
21
|
+
*/
|
|
22
|
+
webhookRoutes?: Hono<any>;
|
|
18
23
|
/**
|
|
19
24
|
* Lazy variant of `adminRoutes` — the route bundle is dynamically imported on
|
|
20
25
|
* first request and cached per isolate. Mounted at `/v1/admin/{module.name}`
|
|
@@ -66,12 +71,15 @@ export interface HonoModule {
|
|
|
66
71
|
}
|
|
67
72
|
export interface HonoExtension {
|
|
68
73
|
extension: Extension;
|
|
69
|
-
/** @deprecated Prefer `adminRoutes` or `publicRoutes`. */
|
|
70
|
-
routes?: Hono<any>;
|
|
71
74
|
/** Staff-facing routes — mounted at `/v1/admin/{extension.module}`. */
|
|
72
75
|
adminRoutes?: Hono<any>;
|
|
73
76
|
/** Customer/partner/supplier-facing routes — mounted at `/v1/public/{extension.module}`. */
|
|
74
77
|
publicRoutes?: Hono<any>;
|
|
78
|
+
/**
|
|
79
|
+
* Inbound webhook routes — mounted at `/v1/{extension.module}`, concrete paths
|
|
80
|
+
* auto-added to the anonymous allow-list (ADR-0008). See `HonoModule.webhookRoutes`.
|
|
81
|
+
*/
|
|
82
|
+
webhookRoutes?: Hono<any>;
|
|
75
83
|
/** Lazy variant of `adminRoutes` — mounted at `/v1/admin/{extension.module}` (see HonoModule). */
|
|
76
84
|
lazyAdminRoutes?: LazyRoutesLoader;
|
|
77
85
|
/** Lazy variant of `publicRoutes` — mounted at `/v1/public/{publicPath ?? extension.module}`. */
|
package/dist/module.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AAExE,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAA;IACd
|
|
1
|
+
{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AAExE,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAA;IACd,kEAAkE;IAElE,WAAW,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACvB,uFAAuF;IAEvF,YAAY,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB;;;;;;;;;;;OAWG;IAEH,aAAa,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,gBAAgB,CAAA;IAClC,4FAA4F;IAC5F,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IACnC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,cAAc,CAAA;IAC3B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,SAAS,MAAM,EAAE,CAAA;IACvC;;;;;;;;;;OAUG;IACH,kBAAkB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;CACvC;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,SAAS,CAAA;IACpB,uEAAuE;IAEvE,WAAW,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACvB,4FAA4F;IAE5F,YAAY,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB;;;OAGG;IAEH,aAAa,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,kGAAkG;IAClG,eAAe,CAAC,EAAE,gBAAgB,CAAA;IAClC,iGAAiG;IACjG,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IACnC,gFAAgF;IAChF,UAAU,CAAC,EAAE,cAAc,CAAA;IAC3B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,SAAS,MAAM,EAAE,CAAA;IACvC;;;OAGG;IACH,kBAAkB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;CACvC"}
|
|
@@ -71,25 +71,25 @@ export declare function createDrizzlePublicDocumentDeliveryGrantStore(db: Postgr
|
|
|
71
71
|
export declare function createPublicDocumentDeliveryGrant(store: PublicDocumentDeliveryGrantStore, input: CreatePublicDocumentDeliveryInput): Promise<PublicDocumentDeliveryEnvelope>;
|
|
72
72
|
export declare function resolvePublicDocumentDeliveryGrant(store: PublicDocumentDeliveryGrantStore, token: string, now?: Date): Promise<PublicDocumentDeliveryResolution>;
|
|
73
73
|
export declare function revokePublicDocumentDeliveryGrant(store: PublicDocumentDeliveryGrantStore, input: RevokePublicDocumentDeliveryGrantInput): Promise<{
|
|
74
|
-
metadata: unknown;
|
|
75
74
|
id: string;
|
|
76
75
|
createdAt: Date;
|
|
77
76
|
expiresAt: Date;
|
|
78
|
-
|
|
79
|
-
tokenHash: string;
|
|
80
|
-
createdBy: string | null;
|
|
77
|
+
metadata: unknown;
|
|
81
78
|
filename: string | null;
|
|
79
|
+
tokenHash: string;
|
|
82
80
|
storageKey: string;
|
|
83
81
|
storageProvider: string | null;
|
|
84
82
|
contentType: string;
|
|
85
83
|
sourceModule: string | null;
|
|
86
84
|
sourceEntity: string | null;
|
|
87
85
|
sourceId: string | null;
|
|
86
|
+
createdBy: string | null;
|
|
88
87
|
createdByType: string | null;
|
|
89
88
|
accessCount: number;
|
|
90
89
|
lastAccessedAt: Date | null;
|
|
91
90
|
lastAccessedIp: string | null;
|
|
92
91
|
lastAccessedUserAgent: string | null;
|
|
92
|
+
revokedAt: Date | null;
|
|
93
93
|
revokedBy: string | null;
|
|
94
94
|
} | null>;
|
|
95
95
|
export declare function createPublicDocumentDeliveryRoutes<TBindings extends object = Record<string, unknown>>(options?: PublicDocumentDeliveryRouteOptions<TBindings>): import("hono/hono-base").HonoBase<Env<TBindings>, {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@voyant-travel/hono",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.118.0",
|
|
4
4
|
"license": "Apache-2.0",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"exports": {
|
|
@@ -137,17 +137,17 @@
|
|
|
137
137
|
"zod": "^4.3.6",
|
|
138
138
|
"@voyant-travel/core": "^0.111.0",
|
|
139
139
|
"@voyant-travel/db": "^0.109.4",
|
|
140
|
-
"@voyant-travel/storage": "^0.
|
|
140
|
+
"@voyant-travel/storage": "^0.106.0",
|
|
141
141
|
"@voyant-travel/types": "^0.106.0",
|
|
142
|
-
"@voyant-travel/
|
|
143
|
-
"@voyant-travel/
|
|
142
|
+
"@voyant-travel/utils": "^0.105.4",
|
|
143
|
+
"@voyant-travel/workflows": "^0.111.10"
|
|
144
144
|
},
|
|
145
145
|
"devDependencies": {
|
|
146
146
|
"@cloudflare/workers-types": "^4.20260426.1",
|
|
147
147
|
"typescript": "^6.0.2",
|
|
148
148
|
"vitest": "^4.1.2",
|
|
149
149
|
"@voyant-travel/voyant-typescript-config": "^0.1.0",
|
|
150
|
-
"@voyant-travel/workflows-orchestrator": "^0.111.
|
|
150
|
+
"@voyant-travel/workflows-orchestrator": "^0.111.10"
|
|
151
151
|
},
|
|
152
152
|
"files": [
|
|
153
153
|
"dist"
|
|
@@ -161,10 +161,10 @@
|
|
|
161
161
|
"directory": "packages/hono"
|
|
162
162
|
},
|
|
163
163
|
"scripts": {
|
|
164
|
-
"typecheck": "tsc
|
|
164
|
+
"typecheck": "tsc -p tsconfig.typecheck.json",
|
|
165
165
|
"lint": "biome check src/",
|
|
166
166
|
"test": "vitest run",
|
|
167
|
-
"build": "tsc -p tsconfig.json",
|
|
167
|
+
"build": "tsc -p tsconfig.build.json",
|
|
168
168
|
"clean": "rm -rf dist tsconfig.tsbuildinfo"
|
|
169
169
|
},
|
|
170
170
|
"main": "./dist/index.js",
|