@zintrust/core 0.1.40 → 0.1.41

package/src/proxy/ProxySigningConfigResolver.js

@@ -0,0 +1,24 @@
+import { Env } from '../config/env.js';
+import { normalizeSigningCredentials } from './SigningService.js';
+export const resolveProxySigningConfig = (overrides, options) => {
+    const normalizedOverrides = overrides ?? {};
+    const appName = Env.get('APP_NAME', Env.APP_NAME ?? 'ZinTrust');
+    const appKey = Env.get('APP_KEY', Env.APP_KEY ?? '');
+    const envKeyId = Env.get(options.keyIdEnvVar, appName);
+    const envSecret = Env.get(options.secretEnvVar, appKey);
+    const keyIdRaw = normalizedOverrides.keyId ?? (envKeyId.trim() === '' ? appName : envKeyId);
+    const secretRaw = normalizedOverrides.secret ?? (envSecret.trim() === '' ? appKey : envSecret);
+    const secret = secretRaw.trim() === '' ? appKey : secretRaw;
+    const creds = normalizeSigningCredentials({ keyId: keyIdRaw, secret });
+    const requireSigning = normalizedOverrides.requireSigning ??
+        Env.getBool(options.requireEnvVar, options.defaultRequire ?? true);
+    const signingWindowMs = normalizedOverrides.signingWindowMs ??
+        Env.getInt(options.windowEnvVar, options.defaultWindowMs ?? 60000);
+    return {
+        keyId: creds.keyId,
+        secret: creds.secret,
+        requireSigning,
+        signingWindowMs,
+    };
+};
+export default resolveProxySigningConfig;

package/src/proxy/ProxySigningRequest.d.ts

@@ -0,0 +1,12 @@
+import type { IncomingMessage } from '../node-singletons/http';
+import type { ProxySigningConfig } from './ProxyConfig';
+export declare const normalizeHeaderValue: (value: string | string[] | undefined) => string | undefined;
+export declare const extractSigningHeaders: (req: IncomingMessage) => Record<string, string | undefined>;
+export declare const verifyProxySignatureIfNeeded: (req: IncomingMessage, body: string, signing: ProxySigningConfig) => Promise<{
+    ok: boolean;
+    error?: {
+        status: number;
+        message: string;
+    };
+}>;
+//# sourceMappingURL=ProxySigningRequest.d.ts.map

package/src/proxy/ProxySigningRequest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProxySigningRequest.d.ts","sourceRoot":"","sources":["../../../src/proxy/ProxySigningRequest.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAG7D,eAAO,MAAM,oBAAoB,GAAI,OAAO,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,KAAG,MAAM,GAAG,SAGpF,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAChC,KAAK,eAAe,KACnB,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAMlC,CAAC;AAEH,eAAO,MAAM,4BAA4B,GACvC,KAAK,eAAe,EACpB,MAAM,MAAM,EACZ,SAAS,kBAAkB,KAC1B,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAqBtE,CAAC"}

package/src/proxy/ProxySigningRequest.js

@@ -0,0 +1,31 @@
+import { SigningService } from './SigningService.js';
+export const normalizeHeaderValue = (value) => {
+    if (Array.isArray(value))
+        return value.join(',');
+    return value;
+};
+export const extractSigningHeaders = (req) => ({
+    'x-zt-key-id': normalizeHeaderValue(req.headers['x-zt-key-id']),
+    'x-zt-timestamp': normalizeHeaderValue(req.headers['x-zt-timestamp']),
+    'x-zt-nonce': normalizeHeaderValue(req.headers['x-zt-nonce']),
+    'x-zt-body-sha256': normalizeHeaderValue(req.headers['x-zt-body-sha256']),
+    'x-zt-signature': normalizeHeaderValue(req.headers['x-zt-signature']),
+});
+export const verifyProxySignatureIfNeeded = async (req, body, signing) => {
+    const headers = extractSigningHeaders(req);
+    if (!SigningService.shouldVerify(signing, headers)) {
+        return { ok: true };
+    }
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const verified = await SigningService.verify({
+        method: req.method ?? 'POST',
+        url,
+        body,
+        headers,
+        signing,
+    });
+    if (!verified.ok) {
+        return { ok: false, error: { status: verified.status, message: verified.message } };
+    }
+    return { ok: true };
+};

package/src/proxy/RequestValidator.d.ts

@@ -0,0 +1,15 @@
+export type ValidationError = Readonly<{
+    code: string;
+    message: string;
+}>;
+export declare const RequestValidator: Readonly<{
+    parseJson: (body: string) => {
+        ok: true;
+        value: Record<string, unknown>;
+    } | {
+        ok: false;
+        error: ValidationError;
+    };
+    requirePost: (method: string | undefined) => ValidationError | null;
+}>;
+//# sourceMappingURL=RequestValidator.d.ts.map

package/src/proxy/RequestValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RequestValidator.d.ts","sourceRoot":"","sources":["../../../src/proxy/RequestValidator.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,QAAQ,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AA4B1E,eAAO,MAAM,gBAAgB;sBAtBrB,MAAM,KACX;QAAE,EAAE,EAAE,IAAI,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,GAAG;QAAE,EAAE,EAAE,KAAK,CAAC;QAAC,KAAK,EAAE,eAAe,CAAA;KAAE;0BAgB1D,MAAM,GAAG,SAAS,KAAG,eAAe,GAAG,IAAI;EAQtE,CAAC"}

package/src/proxy/RequestValidator.js

@@ -0,0 +1,25 @@
+const isRecord = (value) => typeof value === 'object' && value !== null;
+const parseJson = (body) => {
+    if (body.trim() === '') {
+        return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'Body is required' } };
+    }
+    try {
+        const parsed = JSON.parse(body);
+        if (!isRecord(parsed)) {
+            return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'Body must be an object' } };
+        }
+        return { ok: true, value: parsed };
+    }
+    catch (error) {
+        return { ok: false, error: { code: 'INVALID_JSON', message: String(error) } };
+    }
+};
+const requirePost = (method) => {
+    if (method === 'POST')
+        return null;
+    return { code: 'METHOD_NOT_ALLOWED', message: 'POST only' };
+};
+export const RequestValidator = Object.freeze({
+    parseJson,
+    requirePost,
+});

package/src/proxy/SigningService.d.ts

@@ -0,0 +1,39 @@
+import type { ProxySigningConfig } from './ProxyConfig';
+export type SigningHeaders = Headers | Record<string, string | undefined>;
+export type SigningVerificationResult = {
+    ok: true;
+} | {
+    ok: false;
+    status: number;
+    code: string;
+    message: string;
+};
+export type SigningCredentials = Readonly<{
+    keyId: string;
+    secret: string;
+}>;
+type SigningServiceApi = Readonly<{
+    normalizeConfig: (signing: ProxySigningConfig) => ProxySigningConfig;
+    shouldVerify: (signing: ProxySigningConfig, headers: SigningHeaders) => boolean;
+    verify: (params: {
+        method: string;
+        url: string | URL;
+        body: string | Uint8Array;
+        headers: SigningHeaders;
+        signing: ProxySigningConfig;
+    }) => Promise<SigningVerificationResult>;
+    verifyWithKeyProvider: (params: {
+        method: string;
+        url: string | URL;
+        body: string | Uint8Array;
+        headers: SigningHeaders;
+        windowMs: number;
+        getSecretForKeyId: (keyId: string) => string | undefined | Promise<string | undefined>;
+        verifyNonce?: (keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
+    }) => Promise<SigningVerificationResult>;
+}>;
+export declare const normalizeSigningConfig: (signing: ProxySigningConfig) => ProxySigningConfig;
+export declare const normalizeSigningCredentials: (input: SigningCredentials) => SigningCredentials;
+export declare const SigningService: SigningServiceApi;
+export {};
+//# sourceMappingURL=SigningService.d.ts.map

package/src/proxy/SigningService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SigningService.d.ts","sourceRoot":"","sources":["../../../src/proxy/SigningService.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAI7D,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;AAE1E,MAAM,MAAM,yBAAyB,GACjC;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjE,MAAM,MAAM,kBAAkB,GAAG,QAAQ,CAAC;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC,CAAC;AAEH,KAAK,iBAAiB,GAAG,QAAQ,CAAC;IAChC,eAAe,EAAE,CAAC,OAAO,EAAE,kBAAkB,KAAK,kBAAkB,CAAC;IACrE,YAAY,EAAE,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC;IAChF,MAAM,EAAE,CAAC,MAAM,EAAE;QACf,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;QAClB,IAAI,EAAE,MAAM,GAAG,UAAU,CAAC;QAC1B,OAAO,EAAE,cAAc,CAAC;QACxB,OAAO,EAAE,kBAAkB,CAAC;KAC7B,KAAK,OAAO,CAAC,yBAAyB,CAAC,CAAC;IACzC,qBAAqB,EAAE,CAAC,MAAM,EAAE;QAC9B,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;QAClB,IAAI,EAAE,MAAM,GAAG,UAAU,CAAC;QAC1B,OAAO,EAAE,cAAc,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;QACjB,iBAAiB,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;QACvF,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;KACjF,KAAK,OAAO,CAAC,yBAAyB,CAAC,CAAC;CAC1C,CAAC,CAAC;AAyCH,eAAO,MAAM,sBAAsB,EAAE,CAAC,OAAO,EAAE,kBAAkB,KAAK,kBAErB,CAAC;AAElD,eAAO,MAAM,2BAA2B,EAAE,CAAC,KAAK,EAAE,kBAAkB,KAAK,kBAKvE,CAAC;AA0FH,eAAO,MAAM,cAAc,EAAE,iBAK3B,CAAC"}

package/src/proxy/SigningService.js

@@ -0,0 +1,107 @@
+import { Env } from '../config/env.js';
+import { SignedRequest } from '../security/SignedRequest.js';
+const getHeader = (headers, name) => {
+    if (typeof headers.get === 'function') {
+        const value = headers.get(name);
+        return value ?? undefined;
+    }
+    return headers[name];
+};
+const hasSigningHeaders = (headers) => Boolean((getHeader(headers, 'x-zt-key-id') ?? '') ||
+    (getHeader(headers, 'x-zt-timestamp') ?? '') ||
+    (getHeader(headers, 'x-zt-nonce') ?? '') ||
+    (getHeader(headers, 'x-zt-body-sha256') ?? '') ||
+    getHeader(headers, 'x-zt-signature'));
+const normalizeKeyId = (keyId) => {
+    const trimmed = keyId.trim();
+    if (trimmed !== '')
+        return trimmed.toLowerCase();
+    const appNameRaw = Env.APP_NAME ?? 'zintrust';
+    const normalized = (appNameRaw.trim() === '' ? 'zintrust' : appNameRaw)
+        .toLowerCase()
+        .replaceAll(/\s+/g, '_');
+    return normalized;
+};
+const normalizeSecret = (secret) => {
+    const trimmed = secret.trim();
+    if (trimmed !== '')
+        return trimmed;
+    return Env.APP_KEY ?? '';
+};
+const normalizeConfig = (signing) => ({
+    ...signing,
+    keyId: normalizeKeyId(signing.keyId),
+    secret: normalizeSecret(signing.secret),
+});
+export const normalizeSigningConfig = (signing) => normalizeConfig(signing);
+export const normalizeSigningCredentials = (input) => ({
+    keyId: normalizeKeyId(input.keyId),
+    secret: normalizeSecret(input.secret),
+});
+const shouldVerify = (signing, headers) => {
+    const normalized = normalizeConfig(signing);
+    if (normalized.require)
+        return true;
+    if (normalized.keyId.trim() !== '' &&
+        normalized.secret.trim() !== '' &&
+        hasSigningHeaders(headers)) {
+        return true;
+    }
+    return false;
+};
+const mapVerifyResult = (result) => {
+    if (result.ok)
+        return { ok: true };
+    if (result.code === 'MISSING_HEADER' || result.code === 'INVALID_TIMESTAMP') {
+        return { ok: false, status: 401, code: result.code, message: result.message };
+    }
+    if (result.code === 'EXPIRED') {
+        return { ok: false, status: 401, code: result.code, message: result.message };
+    }
+    if (result.code === 'UNKNOWN_KEY') {
+        return { ok: false, status: 403, code: result.code, message: result.message };
+    }
+    if (result.code === 'REPLAYED') {
+        return { ok: false, status: 409, code: result.code, message: result.message };
+    }
+    return { ok: false, status: 403, code: result.code, message: result.message };
+};
+const verify = async (params) => {
+    const signing = normalizeConfig(params.signing);
+    if (signing.require && (signing.keyId.trim() === '' || signing.secret.trim() === '')) {
+        return {
+            ok: false,
+            status: 500,
+            code: 'SIGNING_REQUIRED',
+            message: 'Proxy signing is required but not configured',
+        };
+    }
+    const result = await SignedRequest.verify({
+        method: params.method,
+        url: params.url,
+        body: params.body,
+        headers: params.headers,
+        // eslint-disable-next-line @typescript-eslint/require-await
+        getSecretForKeyId: async (keyId) => keyId.trim().toLowerCase() === signing.keyId ? signing.secret : undefined,
+        windowMs: signing.windowMs,
+    });
+    return mapVerifyResult(result);
+};
+const verifyWithKeyProvider = async (params) => {
+    const result = await SignedRequest.verify({
+        method: params.method,
+        url: params.url,
+        body: params.body,
+        headers: params.headers,
+        windowMs: params.windowMs,
+        getSecretForKeyId: params.getSecretForKeyId,
+        verifyNonce: params.verifyNonce,
+    });
+    return mapVerifyResult(result);
+};
+export const SigningService = Object.freeze({
+    normalizeConfig,
+    shouldVerify,
+    verify,
+    verifyWithKeyProvider,
+});

package/src/proxy/SqlPayloadValidator.d.ts

@@ -0,0 +1,13 @@
+export type SqlPayloadValidation = {
+    valid: true;
+    sql: string;
+    params: unknown[];
+} | {
+    valid: false;
+    error: {
+        code: string;
+        message: string;
+    };
+};
+export declare const validateSqlPayload: (payload: Record<string, unknown>) => SqlPayloadValidation;
+//# sourceMappingURL=SqlPayloadValidator.d.ts.map

package/src/proxy/SqlPayloadValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SqlPayloadValidator.d.ts","sourceRoot":"","sources":["../../../src/proxy/SqlPayloadValidator.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,oBAAoB,GAC5B;IACE,KAAK,EAAE,IAAI,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,OAAO,EAAE,CAAC;CACnB,GACD;IACE,KAAK,EAAE,KAAK,CAAC;IACb,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAC1C,CAAC;AAEN,eAAO,MAAM,kBAAkB,GAAI,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,oBAerE,CAAC"}

package/src/proxy/SqlPayloadValidator.js

@@ -0,0 +1,14 @@
+export const validateSqlPayload = (payload) => {
+    const sql = payload['sql'];
+    const params = Array.isArray(payload['params']) ? payload['params'] : [];
+    if (typeof sql !== 'string') {
+        return {
+            valid: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: 'sql must be a string',
+            },
+        };
+    }
+    return { valid: true, sql, params };
+};

package/src/proxy/d1/ZintrustD1Proxy.d.ts

@@ -0,0 +1,2 @@
+export { _ZINTRUST_CLOUDFLARE_D1_PROXY_BUILD_DATE, _ZINTRUST_CLOUDFLARE_D1_PROXY_VERSION, ZintrustD1Proxy, } from '../../../packages/cloudflare-d1-proxy/src/index.js';
+//# sourceMappingURL=ZintrustD1Proxy.d.ts.map

package/src/proxy/d1/ZintrustD1Proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ZintrustD1Proxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/ZintrustD1Proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,wCAAwC,EACxC,qCAAqC,EACrC,eAAe,GAChB,MAAM,+BAA+B,CAAC"}

package/src/proxy/d1/ZintrustD1Proxy.js

@@ -0,0 +1 @@
+export { _ZINTRUST_CLOUDFLARE_D1_PROXY_BUILD_DATE, _ZINTRUST_CLOUDFLARE_D1_PROXY_VERSION, ZintrustD1Proxy, } from '../../../packages/cloudflare-d1-proxy/src/index.js';

package/src/proxy/d1/register.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=register.d.ts.map

package/src/proxy/d1/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/register.ts"],"names":[],"mappings":""}

package/src/proxy/d1/register.js

@@ -0,0 +1,5 @@
+import { ProxyRegistry } from '../ProxyRegistry.js';
+ProxyRegistry.register({
+    name: 'd1',
+    description: 'Cloudflare D1 Worker proxy endpoint',
+});

package/src/proxy/kv/ZintrustKvProxy.d.ts

@@ -0,0 +1,2 @@
+export { _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE, _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION, ZintrustKvProxy, } from '../../../packages/cloudflare-kv-proxy/src/index.js';
+//# sourceMappingURL=ZintrustKvProxy.d.ts.map

package/src/proxy/kv/ZintrustKvProxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ZintrustKvProxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/ZintrustKvProxy.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,wCAAwC,EACxC,qCAAqC,EACrC,eAAe,GAChB,MAAM,+BAA+B,CAAC"}

package/src/proxy/kv/ZintrustKvProxy.js

@@ -0,0 +1 @@
+export { _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE, _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION, ZintrustKvProxy, } from '../../../packages/cloudflare-kv-proxy/src/index.js';

package/src/proxy/kv/register.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=register.d.ts.map

package/src/proxy/kv/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/register.ts"],"names":[],"mappings":""}

package/src/proxy/kv/register.js

@@ -0,0 +1,5 @@
+import { ProxyRegistry } from '../ProxyRegistry.js';
+ProxyRegistry.register({
+    name: 'kv',
+    description: 'Cloudflare KV Worker proxy endpoint',
+});

package/src/proxy/mongodb/MongoDBProxyServer.d.ts

@@ -0,0 +1,33 @@
+type MongoCollectionLike = Record<string, unknown>;
+type MongoDatabaseLike = {
+    collection: (name: string) => MongoCollectionLike;
+};
+type MongoClientLike = {
+    connect: () => Promise<void>;
+    db: (name: string) => MongoDatabaseLike;
+    close: () => Promise<void>;
+};
+type ProxyOverrides = Partial<{
+    host: string;
+    port: number;
+    maxBodyBytes: number;
+    mongoUri: string;
+    mongoDb: string;
+    requireSigning: boolean;
+    keyId: string;
+    secret: string;
+    signingWindowMs: number;
+}>;
+export declare const MongoDBProxyServer: Readonly<{
+    start(overrides?: ProxyOverrides): Promise<{
+        server: Readonly<{
+            start: () => Promise<void>;
+            stop: () => Promise<void>;
+            server: import("node:http").Server;
+        }>;
+        client: MongoClientLike;
+        close(): Promise<void>;
+    }>;
+}>;
+export {};
+//# sourceMappingURL=MongoDBProxyServer.d.ts.map

package/src/proxy/mongodb/MongoDBProxyServer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MongoDBProxyServer.d.ts","sourceRoot":"","sources":["../../../../src/proxy/mongodb/MongoDBProxyServer.ts"],"names":[],"mappings":"AAYA,KAAK,mBAAmB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AACnD,KAAK,iBAAiB,GAAG;IACvB,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,mBAAmB,CAAC;CACnD,CAAC;AACF,KAAK,eAAe,GAAG;IACrB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7B,EAAE,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,iBAAiB,CAAC;IACxC,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5B,CAAC;AAaF,KAAK,cAAc,GAAG,OAAO,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC,CAAC;AA4PH,eAAO,MAAM,kBAAkB;sBACN,cAAc;;;;;;;;;EA+BrC,CAAC"}

package/src/proxy/mongodb/MongoDBProxyServer.js

@@ -0,0 +1,202 @@
+import { Env } from '../../config/env.js';
+import { Logger } from '../../config/logger.js';
+import { ErrorFactory } from '../../exceptions/ZintrustError.js';
+import { ErrorHandler } from '../ErrorHandler.js';
+import { createProxyServer } from '../ProxyServer.js';
+import { resolveProxySigningConfig } from '../ProxySigningConfigResolver.js';
+import { verifyProxySignatureIfNeeded } from '../ProxySigningRequest.js';
+import { RequestValidator } from '../RequestValidator.js';
+const resolveProxyConfig = (overrides = {}) => {
+    const host = overrides?.host ?? Env.get('MONGODB_PROXY_HOST', Env.HOST ?? '127.0.0.1');
+    const port = overrides.port ?? Env.getInt('MONGODB_PROXY_PORT', Env.PORT ?? 3000);
+    const maxBodyBytes = overrides.maxBodyBytes ?? Env.getInt('MONGODB_PROXY_MAX_BODY_BYTES', Env.MAX_BODY_SIZE ?? 0);
+    return { host, port, maxBodyBytes };
+};
+const resolveMongoConfig = (overrides = {}) => {
+    const uri = overrides.mongoUri ?? Env.get('MONGO_URI', 'mongodb://localhost:27017');
+    const database = overrides.mongoDb ?? Env.get('MONGO_DB', 'zintrust');
+    return { uri, database };
+};
+const resolveSigningConfig = (overrides = {}) => resolveProxySigningConfig(overrides, {
+    keyIdEnvVar: 'MONGODB_PROXY_KEY_ID',
+    secretEnvVar: 'MONGODB_PROXY_SECRET',
+    requireEnvVar: 'MONGODB_PROXY_REQUIRE_SIGNING',
+    windowEnvVar: 'MONGODB_PROXY_SIGNING_WINDOW_MS',
+});
+const resolveConfig = (overrides = {}) => {
+    const proxyConfig = resolveProxyConfig(overrides);
+    const mongoConfig = resolveMongoConfig(overrides);
+    const signingConfig = resolveSigningConfig(overrides);
+    return {
+        host: proxyConfig.host,
+        port: proxyConfig.port,
+        maxBodyBytes: proxyConfig.maxBodyBytes,
+        mongoOptions: mongoConfig,
+        signing: {
+            keyId: signingConfig.keyId,
+            secret: signingConfig.secret,
+            require: signingConfig.requireSigning,
+            windowMs: signingConfig.signingWindowMs,
+        },
+    };
+};
+const validateOperationPayload = (payload) => {
+    const operation = payload['operation'];
+    const collection = payload['collection'];
+    const args = payload['args'];
+    if (typeof operation !== 'string' || operation.trim() === '') {
+        return {
+            valid: false,
+            error: { code: 'VALIDATION_ERROR', message: 'operation is required' },
+        };
+    }
+    if (typeof collection !== 'string' || collection.trim() === '') {
+        return {
+            valid: false,
+            error: { code: 'VALIDATION_ERROR', message: 'collection is required' },
+        };
+    }
+    return {
+        valid: true,
+        operation,
+        collection,
+        args: args ?? {},
+    };
+};
+const getMongoModule = async () => {
+    const mongoModule = (await import('mongodb'));
+    const MongoDBClient = mongoModule.MongoClient;
+    if (typeof MongoDBClient !== 'function') {
+        throw ErrorFactory.createDatabaseError('MongoDB driver is unavailable');
+    }
+    return { MongoClient: MongoDBClient };
+};
+const createMongoClient = async (uri) => {
+    const { MongoClient: MongoDBClient } = await getMongoModule();
+    const client = new MongoDBClient(uri);
+    await client.connect();
+    return client;
+};
+const callMethod = async (coll, methodName, ...params) => {
+    const method = coll[methodName];
+    if (typeof method === 'function') {
+        const result = method(...params);
+        if (result !== null && typeof result === 'object' && 'toArray' in result) {
+            const toArray = result.toArray;
+            if (typeof toArray === 'function') {
+                return toArray();
+            }
+        }
+        return result;
+    }
+    throw ErrorFactory.createDatabaseError(`Method ${methodName} not found on collection`);
+};
+const OPERATION_HANDLERS = Object.freeze({
+    find: async (coll, args) => callMethod(coll, 'find', args['filter'] ?? {}),
+    findOne: async (coll, args) => callMethod(coll, 'findOne', args['filter'] ?? {}),
+    insertOne: async (coll, args) => callMethod(coll, 'insertOne', args['document'] ?? {}),
+    insertMany: async (coll, args) => callMethod(coll, 'insertMany', args['documents'] ?? []),
+    updateOne: async (coll, args) => callMethod(coll, 'updateOne', args['filter'] ?? {}, args['update'] ?? {}),
+    updateMany: async (coll, args) => callMethod(coll, 'updateMany', args['filter'] ?? {}, args['update'] ?? {}),
+    deleteOne: async (coll, args) => callMethod(coll, 'deleteOne', args['filter'] ?? {}),
+    deleteMany: async (coll, args) => callMethod(coll, 'deleteMany', args['filter'] ?? {}),
+    countDocuments: async (coll, args) => callMethod(coll, 'countDocuments', args['filter'] ?? {}),
+    aggregate: async (coll, args) => callMethod(coll, 'aggregate', args['pipeline'] ?? []),
+});
+const executeOperation = async (client, dbName, collectionName, operation, args) => {
+    const db = client.db(dbName);
+    const coll = db.collection(collectionName);
+    if (Object.prototype.hasOwnProperty.call(OPERATION_HANDLERS, operation)) {
+        const handler = OPERATION_HANDLERS[operation];
+        return handler(coll, args);
+    }
+    throw ErrorFactory.createDatabaseError(`Unsupported MongoDB operation: ${String(operation)}`);
+};
+const createBackend = (client, config) => ({
+    name: 'mongodb',
+    handle: async (request) => {
+        const methodError = RequestValidator.requirePost(request.method);
+        if (methodError) {
+            return {
+                status: 405,
+                body: { code: methodError.code, message: methodError.message },
+            };
+        }
+        if (request.path !== '/zin/mongodb/operation') {
+            return { status: 404, body: { code: 'NOT_FOUND', message: 'Unknown endpoint' } };
+        }
+        const parsed = RequestValidator.parseJson(request.body);
+        if (!parsed.ok) {
+            return { status: 400, body: { code: parsed.error.code, message: parsed.error.message } };
+        }
+        const validated = validateOperationPayload(parsed.value);
+        if (!validated.valid) {
+            return {
+                status: 400,
+                body: {
+                    code: validated.error?.code ?? 'VALIDATION_ERROR',
+                    message: validated.error?.message ?? 'Invalid request',
+                },
+            };
+        }
+        try {
+            const result = await executeOperation(client, config.mongoOptions.database, validated.collection ?? '', validated.operation ?? '', validated.args ?? {});
+            return { status: 200, body: { success: true, result } };
+        }
+        catch (error) {
+            Logger.error('MongoDB proxy operation failed', { error });
+            return ErrorHandler.toProxyError(500, 'MONGODB_PROXY_ERROR', String(error));
+        }
+    },
+    health: async () => {
+        try {
+            client.db(config.mongoOptions.database);
+            await Promise.resolve();
+            return { status: 200, body: { status: 'ok' } };
+        }
+        catch (error) {
+            await Promise.resolve();
+            return { status: 503, body: { status: 'unhealthy', error: String(error) } };
+        }
+    },
+    shutdown: async () => {
+        await client.close();
+    },
+});
+const createVerifier = (config) => {
+    return async (req, body) => {
+        const verified = await verifyProxySignatureIfNeeded(req, body, config.signing);
+        if (!verified.ok) {
+            const error = verified.error ?? { status: 401, message: 'Unauthorized' };
+            return { ok: false, status: error.status, message: error.message };
+        }
+        return { ok: true };
+    };
+};
+export const MongoDBProxyServer = Object.freeze({
+    async start(overrides = {}) {
+        const config = resolveConfig(overrides);
+        Logger.info(`Starting MongoDB proxy on ${config.host}:${config.port} → ${config.mongoOptions.uri}`);
+        const client = await createMongoClient(config.mongoOptions.uri);
+        const backend = createBackend(client, config);
+        const verifier = createVerifier(config);
+        const server = createProxyServer({
+            host: config.host,
+            port: config.port,
+            maxBodyBytes: config.maxBodyBytes,
+            backend,
+            verify: verifier,
+        });
+        await server.start();
+        Logger.info(`✓ MongoDB proxy listening on ${config.host}:${config.port}`);
+        return {
+            server,
+            client,
+            async close() {
+                await server.stop();
+                await client.close();
+                Logger.info('MongoDB proxy server closed');
+            },
+        };
+    },
+});

package/src/proxy/mongodb/register.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=register.d.ts.map

package/src/proxy/mongodb/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../src/proxy/mongodb/register.ts"],"names":[],"mappings":""}

package/src/proxy/mongodb/register.js

@@ -0,0 +1,5 @@
+import { ProxyRegistry } from '../ProxyRegistry.js';
+ProxyRegistry.register({
+    name: 'mongodb',
+    description: 'MongoDB HTTP proxy',
+});

package/src/proxy/mysql/MySqlProxyServer.d.ts

@@ -0,0 +1,14 @@
+import { type BaseProxyOverrides } from '../ProxyServerUtils';
+type ProxyOverrides = BaseProxyOverrides & Partial<{
+    dbHost: string;
+    dbPort: number;
+    dbName: string;
+    dbUser: string;
+    dbPass: string;
+    connectionLimit: number;
+}>;
+export declare const MySqlProxyServer: Readonly<{
+    start(overrides?: ProxyOverrides): Promise<void>;
+}>;
+export default MySqlProxyServer;
+//# sourceMappingURL=MySqlProxyServer.d.ts.map

package/src/proxy/mysql/MySqlProxyServer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MySqlProxyServer.d.ts","sourceRoot":"","sources":["../../../../src/proxy/mysql/MySqlProxyServer.ts"],"names":[],"mappings":"AAOA,OAAO,EAIL,KAAK,kBAAkB,EACxB,MAAM,yBAAyB,CAAC;AAajC,KAAK,cAAc,GAAG,kBAAkB,GACtC,OAAO,CAAC;IACN,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC,CAAC;AAyJL,eAAO,MAAM,gBAAgB;sBACJ,cAAc,GAAQ,OAAO,CAAC,IAAI,CAAC;EA4C1D,CAAC;AAEH,eAAe,gBAAgB,CAAC"}