@zintrust/core 0.1.39 → 0.1.41

package/src/proxy/redis/RedisProxyServer.js

@@ -0,0 +1,192 @@
+import { Env } from '../../config/env.js';
+import { Logger } from '../../config/logger.js';
+import { ErrorFactory } from '../../exceptions/ZintrustError.js';
+import { ErrorHandler } from '../ErrorHandler.js';
+import { createProxyServer } from '../ProxyServer.js';
+import { resolveBaseConfig, resolveBaseSigningConfig, verifyRequestSignature, } from '../ProxyServerUtils.js';
+import { RequestValidator } from '../RequestValidator.js';
+const resolveRedisConfig = (overrides = {}) => {
+    const host = overrides.redisHost ?? Env.get('REDIS_PROXY_TARGET_HOST', Env.get('REDIS_HOST', '127.0.0.1'));
+    const port = overrides.redisPort ?? Env.getInt('REDIS_PROXY_TARGET_PORT', Env.getInt('REDIS_PORT', 6379));
+    const password = overrides.redisPassword ??
+        Env.get('REDIS_PROXY_TARGET_PASSWORD', Env.get('REDIS_PASSWORD', ''));
+    const db = overrides.redisDb ?? Env.getInt('REDIS_PROXY_TARGET_DB', Env.getInt('REDIS_DB', 0));
+    return { host, port, password, db };
+};
+const resolveConfig = (overrides = {}) => {
+    const proxyConfig = resolveBaseConfig(overrides, 'REDIS');
+    const redisConfig = resolveRedisConfig(overrides);
+    const signingConfig = resolveBaseSigningConfig(overrides, 'REDIS');
+    return {
+        host: proxyConfig.host,
+        port: proxyConfig.port,
+        maxBodyBytes: proxyConfig.maxBodyBytes,
+        redis: redisConfig,
+        signing: {
+            keyId: signingConfig.keyId,
+            secret: signingConfig.secret,
+            require: signingConfig.requireSigning,
+            windowMs: signingConfig.signingWindowMs,
+        },
+    };
+};
+const validateCommandPayload = (payload) => {
+    const command = payload['command'];
+    const args = Array.isArray(payload['args']) ? payload['args'] : [];
+    if (typeof command !== 'string' || command.trim() === '') {
+        return { valid: false, error: { code: 'VALIDATION_ERROR', message: 'command is required' } };
+    }
+    return { valid: true, command, args };
+};
+const getRedisModule = async () => {
+    const mod = await import('ioredis');
+    return mod;
+};
+const createClient = async (config) => {
+    const module = (await getRedisModule());
+    const moduleDefault = module['default'];
+    const candidates = [
+        module['Redis'],
+        module['default'],
+        moduleDefault?.['Redis'],
+        moduleDefault?.['default'],
+        module,
+    ];
+    const RedisCtor = candidates.find((candidate) => typeof candidate === 'function');
+    if (typeof RedisCtor !== 'function') {
+        throw ErrorFactory.createConfigError("Redis proxy could not resolve a Redis constructor from 'ioredis'.");
+    }
+    const maxReconnectRetries = Math.max(0, Env.getInt('REDIS_PROXY_CONNECT_MAX_RETRIES', 3));
+    const reconnectBaseMs = Math.max(50, Env.getInt('REDIS_PROXY_CONNECT_RETRY_BASE_MS', 200));
+    const reconnectCapMs = Math.max(reconnectBaseMs, Env.getInt('REDIS_PROXY_CONNECT_RETRY_CAP_MS', 2000));
+    const client = new RedisCtor({
+        host: config.redis.host,
+        port: config.redis.port,
+        password: config.redis.password,
+        db: config.redis.db,
+        maxRetriesPerRequest: 1,
+        enableOfflineQueue: false,
+        lazyConnect: true,
+        reconnectOnError: () => false,
+        retryStrategy: (times) => {
+            if (times > maxReconnectRetries) {
+                return null;
+            }
+            return Math.min(times * reconnectBaseMs, reconnectCapMs);
+        },
+    });
+    let lastErrorLogAt = 0;
+    client.on('error', (error) => {
+        const now = Date.now();
+        if (now - lastErrorLogAt < 5000) {
+            return;
+        }
+        lastErrorLogAt = now;
+        Logger.warn('[RedisProxyServer] redis client error', error);
+    });
+    if (typeof client.connect === 'function') {
+        await client.connect();
+    }
+    return client;
+};
+const executeCommand = async (client, command, args) => {
+    const trimmed = command.trim();
+    const lower = trimmed.toLowerCase();
+    const candidate = client[lower];
+    if (typeof candidate === 'function') {
+        return candidate.apply(client, args);
+    }
+    if (typeof client.call === 'function') {
+        return client.call(trimmed, ...args);
+    }
+    throw ErrorFactory.createValidationError(`Unsupported Redis command: ${trimmed}`);
+};
+const createBackend = (config) => ({
+    name: 'redis',
+    handle: async (request) => {
+        const methodError = RequestValidator.requirePost(request.method);
+        if (methodError) {
+            return {
+                status: 405,
+                body: { code: methodError.code, message: methodError.message },
+            };
+        }
+        if (request.path !== '/zin/redis/command') {
+            return { status: 404, body: { code: 'NOT_FOUND', message: 'Unknown endpoint' } };
+        }
+        const parsed = RequestValidator.parseJson(request.body);
+        if (!parsed.ok) {
+            return { status: 400, body: { code: parsed.error.code, message: parsed.error.message } };
+        }
+        const validated = validateCommandPayload(parsed.value);
+        if (!validated.valid) {
+            return {
+                status: 400,
+                body: {
+                    code: validated.error?.code ?? 'VALIDATION_ERROR',
+                    message: validated.error?.message ?? 'Invalid request',
+                },
+            };
+        }
+        const command = validated.command ?? '';
+        if (command.trim() === '') {
+            return {
+                status: 400,
+                body: { code: 'VALIDATION_ERROR', message: 'command is required' },
+            };
+        }
+        try {
+            const client = await createClient(config);
+            try {
+                const result = await executeCommand(client, command, validated.args ?? []);
+                return { status: 200, body: { result } };
+            }
+            finally {
+                await client.quit();
+            }
+        }
+        catch (error) {
+            return ErrorHandler.toProxyError(500, 'REDIS_PROXY_ERROR', String(error));
+        }
+    },
+    health: async () => {
+        try {
+            const client = await createClient(config);
+            const pingFn = client.ping;
+            if (typeof pingFn === 'function') {
+                await pingFn.apply(client);
+            }
+            else {
+                await executeCommand(client, 'PING', []);
+            }
+            await client.quit();
+            return { status: 200, body: { status: 'healthy' } };
+        }
+        catch (error) {
+            Logger.warn('[RedisProxyServer] health check failed', error);
+            return { status: 503, body: { status: 'unhealthy', error: String(error) } };
+        }
+    },
+});
+export const RedisProxyServer = Object.freeze({
+    async start(overrides = {}) {
+        const config = resolveConfig(overrides);
+        const backend = createBackend(config);
+        const server = createProxyServer({
+            host: config.host,
+            port: config.port,
+            maxBodyBytes: config.maxBodyBytes,
+            backend,
+            verify: async (req, body) => {
+                const verified = await verifyRequestSignature(req, body, config, 'RedisProxyServer');
+                if (!verified.ok && verified.error) {
+                    return { ok: false, status: verified.error.status, message: verified.error.message };
+                }
+                return { ok: true };
+            },
+        });
+        await server.start();
+        Logger.info(`[redis-proxy] Listening on http://${config.host}:${config.port}`);
+    },
+});
+export default RedisProxyServer;

package/src/proxy/redis/register.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=register.d.ts.map

package/src/proxy/redis/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../src/proxy/redis/register.ts"],"names":[],"mappings":""}

package/src/proxy/redis/register.js

@@ -0,0 +1,5 @@
+import { ProxyRegistry } from '../ProxyRegistry.js';
+ProxyRegistry.register({
+    name: 'redis',
+    description: 'Redis HTTP proxy server',
+});

package/src/proxy/smtp/SmtpProxyServer.d.ts

@@ -0,0 +1,19 @@
+type ProxyOverrides = Partial<{
+    host: string;
+    port: number;
+    maxBodyBytes: number;
+    smtpHost: string;
+    smtpPort: number;
+    smtpUsername: string;
+    smtpPassword: string;
+    smtpSecure: boolean | string;
+    requireSigning: boolean;
+    keyId: string;
+    secret: string;
+    signingWindowMs: number;
+}>;
+export declare const SmtpProxyServer: Readonly<{
+    start(overrides?: ProxyOverrides): Promise<void>;
+}>;
+export default SmtpProxyServer;
+//# sourceMappingURL=SmtpProxyServer.d.ts.map

package/src/proxy/smtp/SmtpProxyServer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SmtpProxyServer.d.ts","sourceRoot":"","sources":["../../../../src/proxy/smtp/SmtpProxyServer.ts"],"names":[],"mappings":"AA2BA,KAAK,cAAc,GAAG,OAAO,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,OAAO,GAAG,MAAM,CAAC;IAC7B,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC,CAAC;AAqUH,eAAO,MAAM,eAAe;sBACH,cAAc,GAAQ,OAAO,CAAC,IAAI,CAAC;EA2B1D,CAAC;AAEH,eAAe,eAAe,CAAC"}

package/src/proxy/smtp/SmtpProxyServer.js

@@ -0,0 +1,289 @@
+import { Env } from '../../config/env.js';
+import { Logger } from '../../config/logger.js';
+import { ErrorFactory } from '../../exceptions/ZintrustError.js';
+import { SmtpDriver, } from '../../tools/mail/drivers/Smtp.js';
+import { ErrorHandler } from '../ErrorHandler.js';
+import { createProxyServer } from '../ProxyServer.js';
+import { resolveProxySigningConfig } from '../ProxySigningConfigResolver.js';
+import { extractSigningHeaders, verifyProxySignatureIfNeeded } from '../ProxySigningRequest.js';
+import { RequestValidator } from '../RequestValidator.js';
+import { SigningService } from '../SigningService.js';
+const normalizeSecure = (value) => {
+    if (value === true || value === false)
+        return value;
+    if (typeof value === 'string') {
+        const raw = value.trim().toLowerCase();
+        if (raw === '')
+            return undefined;
+        if (raw === 'starttls')
+            return 'starttls';
+        if (['tls', 'ssl', 'smtps', 'implicit', 'true', '1', 'yes', 'y'].includes(raw))
+            return true;
+        if (['false', '0', 'no', 'n'].includes(raw))
+            return false;
+    }
+    return undefined;
+};
+const resolveProxyConfig = (overrides = {}) => {
+    const host = overrides.host ?? Env.get('SMTP_PROXY_HOST', Env.HOST ?? '127.0.0.1');
+    const port = overrides.port ?? Env.getInt('SMTP_PROXY_PORT', Env.PORT ?? 8794);
+    const maxBodyBytes = overrides.maxBodyBytes ?? Env.getInt('SMTP_PROXY_MAX_BODY_BYTES', Env.MAX_BODY_SIZE ?? 131072);
+    return { host, port, maxBodyBytes };
+};
+const resolveSmtpConfig = (overrides = {}) => {
+    const host = overrides.smtpHost ?? Env.get('MAIL_HOST', '');
+    const port = overrides.smtpPort ?? Env.getInt('MAIL_PORT', 587);
+    const username = overrides.smtpUsername ?? Env.get('MAIL_USERNAME', '');
+    const password = overrides.smtpPassword ?? Env.get('MAIL_PASSWORD', '');
+    const secureRaw = overrides.smtpSecure ?? Env.get('MAIL_SECURE', '');
+    const secure = normalizeSecure(secureRaw) ?? false;
+    return { host, port, username, password, secure };
+};
+const resolveSigningConfig = (overrides = {}) => resolveProxySigningConfig(overrides, {
+    keyIdEnvVar: 'SMTP_PROXY_KEY_ID',
+    secretEnvVar: 'SMTP_PROXY_SECRET',
+    requireEnvVar: 'SMTP_PROXY_REQUIRE_SIGNING',
+    windowEnvVar: 'SMTP_PROXY_SIGNING_WINDOW_MS',
+});
+const resolveConfig = (overrides = {}) => {
+    const proxyConfig = resolveProxyConfig(overrides);
+    const smtpConfig = resolveSmtpConfig(overrides);
+    const signingConfig = resolveSigningConfig(overrides);
+    return {
+        host: proxyConfig.host,
+        port: proxyConfig.port,
+        maxBodyBytes: proxyConfig.maxBodyBytes,
+        smtp: smtpConfig,
+        signing: {
+            keyId: signingConfig.keyId,
+            secret: signingConfig.secret,
+            require: signingConfig.requireSigning,
+            windowMs: signingConfig.signingWindowMs,
+        },
+    };
+};
+const validateSmtpConfig = (config) => {
+    if (config.host.trim() === '') {
+        throw ErrorFactory.createConfigError('SMTP proxy missing MAIL_HOST');
+    }
+    if (!Number.isFinite(config.port) || config.port <= 0) {
+        throw ErrorFactory.createConfigError('SMTP proxy MAIL_PORT must be a positive integer');
+    }
+    const username = config.username ?? '';
+    const password = config.password ?? '';
+    if ((username.trim() !== '' && password.trim() === '') ||
+        (username.trim() === '' && password.trim() !== '')) {
+        throw ErrorFactory.createConfigError('SMTP proxy requires both MAIL_USERNAME and MAIL_PASSWORD');
+    }
+};
+const verifySignatureIfNeeded = async (req, body, config) => {
+    const headers = extractSigningHeaders(req);
+    if (SigningService.shouldVerify(config.signing, headers)) {
+        const verified = await verifyProxySignatureIfNeeded(req, body, config.signing);
+        if (!verified.ok) {
+            const normalizedSigning = typeof SigningService['normalizeConfig'] === 'function'
+                ? SigningService['normalizeConfig'](config.signing)
+                : config.signing;
+            Logger.warn('[SmtpProxy] Signing verification failed', {
+                code: 'INVALID_SIGNATURE',
+                message: verified.error?.message ?? 'Invalid signature',
+                keyId: headers['x-zt-key-id'],
+                expectedKeyId: normalizedSigning.keyId,
+                requireSigning: normalizedSigning.require,
+            });
+            return {
+                ok: false,
+                error: {
+                    status: verified.error?.status ?? 401,
+                    message: verified.error?.message ?? 'Unauthorized',
+                },
+            };
+        }
+    }
+    return { ok: true };
+};
+const isRecord = (value) => typeof value === 'object' && value !== null;
+const parseAttachment = (value) => {
+    if (!isRecord(value)) {
+        return {
+            ok: false,
+            error: { code: 'VALIDATION_ERROR', message: 'attachments must be objects' },
+        };
+    }
+    const filename = value['filename'];
+    const contentBase64 = value['contentBase64'];
+    if (typeof filename !== 'string' || filename.trim() === '') {
+        return {
+            ok: false,
+            error: { code: 'VALIDATION_ERROR', message: 'attachment filename is required' },
+        };
+    }
+    if (typeof contentBase64 !== 'string' || contentBase64.trim() === '') {
+        return {
+            ok: false,
+            error: { code: 'VALIDATION_ERROR', message: 'attachment contentBase64 is required' },
+        };
+    }
+    const content = Buffer.from(contentBase64, 'base64');
+    return { ok: true, value: { filename, content } };
+};
+const parseTo = (value) => {
+    if (typeof value === 'string' || Array.isArray(value)) {
+        return { ok: true, value: value };
+    }
+    return {
+        ok: false,
+        error: { code: 'VALIDATION_ERROR', message: 'to must be a string or array' },
+    };
+};
+const parseFrom = (value) => {
+    if (!isRecord(value)) {
+        return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'from is required' } };
+    }
+    const email = value['email'];
+    const name = value['name'];
+    if (typeof email !== 'string' || email.trim() === '') {
+        return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'from.email is required' } };
+    }
+    return {
+        ok: true,
+        value: {
+            email,
+            name: typeof name === 'string' && name.trim() !== '' ? name : undefined,
+        },
+    };
+};
+const parseHtml = (value) => {
+    if (value === undefined)
+        return { ok: true, value: undefined };
+    if (typeof value === 'string')
+        return { ok: true, value };
+    return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'html must be a string' } };
+};
+const parseAttachments = (value) => {
+    if (value === undefined)
+        return { ok: true, value: undefined };
+    if (!Array.isArray(value)) {
+        return {
+            ok: false,
+            error: { code: 'VALIDATION_ERROR', message: 'attachments must be an array' },
+        };
+    }
+    const attachments = [];
+    for (const entry of value) {
+        const parsed = parseAttachment(entry);
+        if (!parsed.ok)
+            return parsed;
+        attachments.push(parsed.value);
+    }
+    return { ok: true, value: attachments };
+};
+const parseMessagePayload = (payload) => {
+    const messageRaw = payload['message'];
+    if (!isRecord(messageRaw)) {
+        return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'message is required' } };
+    }
+    const toParsed = parseTo(messageRaw['to']);
+    if (!toParsed.ok)
+        return toParsed;
+    const fromParsed = parseFrom(messageRaw['from']);
+    if (!fromParsed.ok)
+        return fromParsed;
+    const subject = messageRaw['subject'];
+    if (typeof subject !== 'string' || subject.trim() === '') {
+        return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'subject is required' } };
+    }
+    const text = messageRaw['text'];
+    if (typeof text !== 'string' || text.trim() === '') {
+        return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'text is required' } };
+    }
+    const htmlParsed = parseHtml(messageRaw['html']);
+    if (!htmlParsed.ok)
+        return htmlParsed;
+    const attachmentsParsed = parseAttachments(messageRaw['attachments']);
+    if (!attachmentsParsed.ok)
+        return attachmentsParsed;
+    return {
+        ok: true,
+        value: {
+            to: toParsed.value,
+            from: fromParsed.value,
+            subject,
+            text,
+            html: htmlParsed.value,
+            attachments: attachmentsParsed.value,
+        },
+    };
+};
+const createBackend = (config) => ({
+    name: 'smtp',
+    handle: async (request) => {
+        const methodError = RequestValidator.requirePost(request.method);
+        Logger.info('[SmtpProxy] Received request', { path: request.path, method: request.method });
+        if (methodError) {
+            return ErrorHandler.toProxyError(405, methodError.code, methodError.message);
+        }
+        if (request.path !== '/zin/smtp/send') {
+            Logger.warn('[SmtpProxy] 404 Not Found', { path: request.path });
+            return ErrorHandler.toProxyError(404, 'NOT_FOUND', 'Unknown endpoint');
+        }
+        const parsed = RequestValidator.parseJson(request.body);
+        if (!parsed.ok) {
+            return ErrorHandler.toProxyError(400, parsed.error.code, parsed.error.message);
+        }
+        const messageValidation = parseMessagePayload(parsed.value);
+        if (!messageValidation.ok) {
+            return ErrorHandler.toProxyError(400, messageValidation.error.code, messageValidation.error.message);
+        }
+        try {
+            Logger.info('[SmtpProxy] Sending email via SmtpDriver', { to: messageValidation.value.to });
+            await SmtpDriver.send(config.smtp, messageValidation.value);
+            Logger.info('[SmtpProxy] Email sent successfully');
+            return { status: 200, body: { ok: true } };
+        }
+        catch (error) {
+            Logger.error('[SmtpProxy] Failed to send email', error);
+            return ErrorHandler.toProxyError(500, 'SMTP_PROXY_ERROR', String(error));
+        }
+    },
+    async health() {
+        try {
+            validateSmtpConfig(config.smtp);
+            await Promise.resolve();
+            return { status: 200, body: { status: 'healthy' } };
+        }
+        catch (error) {
+            return ErrorHandler.toProxyError(503, 'UNHEALTHY', String(error));
+        }
+    },
+});
+const createVerifier = (config) => async (req, body) => {
+    const verified = await verifySignatureIfNeeded(req, body, config);
+    if (!verified.ok && verified.error) {
+        return { ok: false, status: verified.error.status, message: verified.error.message };
+    }
+    return { ok: true };
+};
+export const SmtpProxyServer = Object.freeze({
+    async start(overrides = {}) {
+        const config = resolveConfig(overrides);
+        validateSmtpConfig(config.smtp);
+        try {
+            Logger.info(`SMTP proxy config: proxyHost=${config.host} proxyPort=${config.port} smtpHost=${String(config.smtp.host)} smtpPort=${String(config.smtp.port)} smtpUser=${String(config.smtp.username ?? '')}`);
+        }
+        catch {
+            // noop
+        }
+        const backend = createBackend(config);
+        const server = createProxyServer({
+            host: config.host,
+            port: config.port,
+            maxBodyBytes: config.maxBodyBytes,
+            backend,
+            verify: createVerifier(config),
+        });
+        await server.start();
+        Logger.info(`SMTP proxy listening on http://${config.host}:${config.port}`);
+    },
+});
+export default SmtpProxyServer;

package/src/proxy/smtp/register.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=register.d.ts.map

package/src/proxy/smtp/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../src/proxy/smtp/register.ts"],"names":[],"mappings":""}

package/src/proxy/smtp/register.js

@@ -0,0 +1,5 @@
+import { ProxyRegistry } from '../ProxyRegistry.js';
+ProxyRegistry.register({
+    name: 'smtp',
+    description: 'SMTP HTTP proxy server',
+});

package/src/proxy/sqlserver/SqlServerProxyServer.d.ts

@@ -0,0 +1,14 @@
+import { type BaseProxyOverrides } from '../ProxyServerUtils';
+type ProxyOverrides = BaseProxyOverrides & Partial<{
+    dbHost: string;
+    dbPort: number;
+    dbName: string;
+    dbUser: string;
+    dbPass: string;
+    connectionLimit: number;
+}>;
+export declare const SqlServerProxyServer: Readonly<{
+    start(overrides?: ProxyOverrides): Promise<void>;
+}>;
+export {};
+//# sourceMappingURL=SqlServerProxyServer.d.ts.map

package/src/proxy/sqlserver/SqlServerProxyServer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SqlServerProxyServer.d.ts","sourceRoot":"","sources":["../../../../src/proxy/sqlserver/SqlServerProxyServer.ts"],"names":[],"mappings":"AAMA,OAAO,EAIL,KAAK,kBAAkB,EACxB,MAAM,yBAAyB,CAAC;AAejC,KAAK,cAAc,GAAG,kBAAkB,GACtC,OAAO,CAAC;IACN,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC,CAAC;AA+KL,eAAO,MAAM,oBAAoB;sBACR,cAAc,GAAQ,OAAO,CAAC,IAAI,CAAC;EAmC1D,CAAC"}