npm - @zintrust/core - Versions diffs - 0.1.42 → 0.1.44 - Mend

@zintrust/core 0.1.42 → 0.1.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (381) hide show

package/packages/cloudflare-d1-proxy/src/index.js ADDED Viewed

@@ -0,0 +1,387 @@
+import { ErrorHandler, RequestValidator, SigningService } from '../../../src/proxy.js';
+const DEFAULT_SIGNING_WINDOW_MS = 60_000;
+const DEFAULT_MAX_BODY_BYTES = 128 * 1024;
+const DEFAULT_MAX_SQL_BYTES = 32 * 1024;
+const DEFAULT_MAX_PARAMS = 256;
+const json = (status, body) => new Response(JSON.stringify(body), {
+    status,
+    headers: {
+        'Content-Type': 'application/json; charset=utf-8',
+        'Cache-Control': 'no-store',
+    },
+});
+const toErrorResponse = (status, code, message) => {
+    const error = ErrorHandler.toProxyError(status, code, message);
+    return json(error.status, error.body);
+};
+const getEnvInt = (env, name, fallback) => {
+    const raw = env[name];
+    if (typeof raw !== 'string')
+        return fallback;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) ? parsed : fallback;
+};
+const isRecord = (value) => typeof value === 'object' && value !== null;
+const isString = (value) => typeof value === 'string';
+const isArray = (value) => Array.isArray(value);
+const isDebugEnabled = (env) => {
+    const raw = env.ZT_PROXY_DEBUG;
+    if (typeof raw !== 'string')
+        return false;
+    const normalized = raw.trim().toLowerCase();
+    return normalized === 'true' || normalized === '1' || normalized === 'yes';
+};
+const safeErrorMessage = (error) => {
+    if (error instanceof Error)
+        return error.message;
+    if (typeof error === 'string')
+        return error;
+    try {
+        return JSON.stringify(error);
+    }
+    catch {
+        return 'Unknown D1 error';
+    }
+};
+const logProxyError = (env, context, error) => {
+    if (!isDebugEnabled(env))
+        return;
+    try {
+        // eslint-disable-next-line no-console
+        console.error('[ZintrustD1Proxy] error', {
+            ...context,
+            message: safeErrorMessage(error).slice(0, 800),
+        });
+    }
+    catch {
+        // ignore logging failures
+    }
+};
+const normalizeBindingName = (value) => {
+    if (typeof value !== 'string')
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+};
+const resolveD1Binding = (env) => {
+    const candidates = ['DB', 'zintrust_db', normalizeBindingName(env.D1_BINDING)].filter((v, idx, arr) => typeof v === 'string' && v.trim() !== '' && arr.indexOf(v) === idx);
+    const record = env;
+    for (const name of candidates) {
+        const binding = record[name];
+        if (binding !== undefined && binding !== null && typeof binding.prepare === 'function')
+            return binding;
+    }
+    return null;
+};
+const readBodyBytes = async (request, maxBytes) => {
+    const buf = await request.arrayBuffer();
+    if (buf.byteLength > maxBytes) {
+        return {
+            ok: false,
+            response: toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'Body too large'),
+        };
+    }
+    const bytes = new Uint8Array(buf);
+    const text = new TextDecoder().decode(bytes);
+    return { ok: true, bytes, text };
+};
+const parseOptionalJson = (text) => {
+    if (text.trim() === '')
+        return { ok: true, payload: null };
+    const parsed = RequestValidator.parseJson(text);
+    if (!parsed.ok) {
+        // Type guard: we know parsed has 'error' property when ok is false
+        const errorResult = parsed;
+        let message = errorResult.error.message;
+        if (errorResult.error.code === 'INVALID_JSON') {
+            message = 'Invalid JSON body';
+        }
+        else if (errorResult.error.code === 'VALIDATION_ERROR') {
+            message = 'Invalid body';
+        }
+        return { ok: false, response: toErrorResponse(400, errorResult.error.code, message) };
+    }
+    // Type guard: we know parsed has 'value' property when ok is true
+    const successResult = parsed;
+    return { ok: true, payload: successResult.value };
+};
+const loadSigningSecret = (env) => {
+    const direct = typeof env.D1_REMOTE_SECRET === 'string' ? env.D1_REMOTE_SECRET.trim() : '';
+    if (direct !== '')
+        return direct;
+    const fallback = typeof env.APP_KEY === 'string' ? env.APP_KEY.trim() : '';
+    if (fallback !== '')
+        return fallback;
+    return null;
+};
+const loadStatements = (env) => {
+    const raw = env.ZT_D1_STATEMENTS_JSON;
+    if (typeof raw !== 'string' || raw.trim() === '')
+        return null;
+    try {
+        const parsed = JSON.parse(raw);
+        if (!isRecord(parsed))
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+};
+const isMutatingSql = (sql) => {
+    const s = sql.trimStart().toLowerCase();
+    return (s.startsWith('insert') ||
+        s.startsWith('update') ||
+        s.startsWith('delete') ||
+        s.startsWith('create') ||
+        s.startsWith('drop') ||
+        s.startsWith('alter') ||
+        s.startsWith('replace'));
+};
+const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
+    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
+    const storageKey = `nonce:${keyId}:${nonce}`;
+    const existing = await kv.get(storageKey);
+    if (existing !== null)
+        return false;
+    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
+    return true;
+};
+const verifySignedRequest = async (request, env, bodyBytes) => {
+    const secret = loadSigningSecret(env);
+    if (secret === null) {
+        return toErrorResponse(401, 'CONFIG_ERROR', 'Missing signing secret (D1_REMOTE_SECRET or APP_KEY)');
+    }
+    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', DEFAULT_SIGNING_WINDOW_MS);
+    const verifyResult = await SigningService.verifyWithKeyProvider({
+        method: request.method,
+        url: request.url,
+        body: bodyBytes,
+        headers: request.headers,
+        windowMs,
+        getSecretForKeyId: async (_keyId) => secret,
+        verifyNonce: env.ZT_NONCES === undefined
+            ? undefined
+            : async (keyId, nonce, ttlMs) => verifyNonceKv(env.ZT_NONCES, keyId, nonce, ttlMs),
+    });
+    if (verifyResult.ok === false) {
+        return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
+    }
+    return { ok: true };
+};
+const requireDb = (env) => {
+    const db = resolveD1Binding(env);
+    if (db === null) {
+        return toErrorResponse(400, 'CONFIG_ERROR', 'Missing D1 binding (DB) or binding name via D1_BINDING');
+    }
+    return db;
+};
+const toD1ExceptionResponse = (error) => {
+    let message;
+    if (error instanceof Error) {
+        message = error.message;
+    }
+    else if (typeof error === 'string') {
+        message = error;
+    }
+    else {
+        message = 'Unknown D1 error';
+    }
+    return toErrorResponse(500, 'D1_ERROR', message);
+};
+const parseSqlPayload = (payload) => {
+    if (!isRecord(payload)) {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body'),
+        };
+    }
+    const sql = payload['sql'];
+    const params = payload['params'];
+    if (!isString(sql)) {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'sql must be a string'),
+        };
+    }
+    return { ok: true, sql, params: isArray(params) ? params : [] };
+};
+const enforceSqlLimits = (env, sql, params) => {
+    const maxSqlBytes = getEnvInt(env, 'ZT_MAX_SQL_BYTES', DEFAULT_MAX_SQL_BYTES);
+    const maxParams = getEnvInt(env, 'ZT_MAX_PARAMS', DEFAULT_MAX_PARAMS);
+    if (new TextEncoder().encode(sql).byteLength > maxSqlBytes) {
+        return toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'SQL too large');
+    }
+    if (params.length > maxParams) {
+        return toErrorResponse(400, 'VALIDATION_ERROR', 'Too many params');
+    }
+    return null;
+};
+const readAndVerifyJson = async (request, env) => {
+    const maxBodyBytes = getEnvInt(env, 'ZT_MAX_BODY_BYTES', DEFAULT_MAX_BODY_BYTES);
+    const bodyResult = await readBodyBytes(request, maxBodyBytes);
+    if (bodyResult.ok === false)
+        return { ok: false, response: bodyResult.response };
+    const auth = await verifySignedRequest(request, env, bodyResult.bytes);
+    if (auth instanceof Response)
+        return { ok: false, response: auth };
+    const parsed = parseOptionalJson(bodyResult.text);
+    if (parsed.ok === false)
+        return { ok: false, response: parsed.response };
+    return { ok: true, payload: parsed.payload, bodyBytes: bodyResult.bytes };
+};
+const handleQuery = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (check.ok === false)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const parsed = parseSqlPayload(check.payload);
+        if (parsed.ok === false)
+            return parsed.response;
+        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
+        if (limit !== null)
+            return limit;
+        const result = await db
+            .prepare(parsed.sql)
+            .bind(...parsed.params)
+            .all();
+        const rows = result.results ?? [];
+        return json(200, { rows, rowCount: rows.length });
+    }
+    catch (error) {
+        logProxyError(env, { op: 'query', path: '/zin/d1/query' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+const handleQueryOne = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (check.ok === false)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const parsed = parseSqlPayload(check.payload);
+        if (parsed.ok === false)
+            return parsed.response;
+        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
+        if (limit !== null)
+            return limit;
+        const row = await db
+            .prepare(parsed.sql)
+            .bind(...parsed.params)
+            .first();
+        return json(200, { row: row ?? null });
+    }
+    catch (error) {
+        logProxyError(env, { op: 'queryOne', path: '/zin/d1/queryOne' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+const handleExec = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (check.ok === false)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const parsed = parseSqlPayload(check.payload);
+        if (parsed.ok === false)
+            return parsed.response;
+        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
+        if (limit !== null)
+            return limit;
+        const out = await db
+            .prepare(parsed.sql)
+            .bind(...parsed.params)
+            .run();
+        return json(200, { ok: true, meta: out.meta });
+    }
+    catch (error) {
+        logProxyError(env, { op: 'exec', path: '/zin/d1/exec' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+const parseStatementPayload = (payload) => {
+    if (!isRecord(payload)) {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body'),
+        };
+    }
+    const statementId = payload['statementId'];
+    const params = payload['params'];
+    if (!isString(statementId) || statementId.trim() === '') {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'statementId must be a string'),
+        };
+    }
+    return { ok: true, statementId, params: isArray(params) ? params : [] };
+};
+const handleStatement = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (check.ok === false)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const statements = loadStatements(env);
+        if (statements === null) {
+            return toErrorResponse(400, 'CONFIG_ERROR', 'Missing or invalid ZT_D1_STATEMENTS_JSON');
+        }
+        const parsed = parseStatementPayload(check.payload);
+        if (parsed.ok === false)
+            return parsed.response;
+        const sql = statements[parsed.statementId];
+        if (!isString(sql) || sql.trim() === '') {
+            return toErrorResponse(404, 'NOT_FOUND', 'Unknown statementId');
+        }
+        if (isMutatingSql(sql)) {
+            const out = await db
+                .prepare(sql)
+                .bind(...parsed.params)
+                .run();
+            return json(200, { ok: true, meta: out.meta });
+        }
+        const out = await db
+            .prepare(sql)
+            .bind(...parsed.params)
+            .all();
+        const rows = out.results ?? [];
+        return json(200, { rows, rowCount: rows.length });
+    }
+    catch (error) {
+        logProxyError(env, { op: 'statement', path: '/zin/d1/statement' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+export const ZintrustD1Proxy = Object.freeze({
+    _ZINTRUST_CLOUDFLARE_D1_PROXY_VERSION: '0.1.15',
+    _ZINTRUST_CLOUDFLARE_D1_PROXY_BUILD_DATE: '__BUILD_DATE__',
+    async fetch(request, env) {
+        const url = new URL(request.url);
+        const methodError = RequestValidator.requirePost(request.method);
+        if (methodError !== null) {
+            return toErrorResponse(405, methodError.code, 'Method not allowed');
+        }
+        switch (url.pathname) {
+            case '/zin/d1/query':
+                return handleQuery(request, env);
+            case '/zin/d1/queryOne':
+                return handleQueryOne(request, env);
+            case '/zin/d1/exec':
+                return handleExec(request, env);
+            case '/zin/d1/statement':
+                return handleStatement(request, env);
+            default:
+                return toErrorResponse(404, 'NOT_FOUND', 'Not found');
+        }
+    },
+});
+export default ZintrustD1Proxy;

package/packages/cloudflare-kv-proxy/src/index.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+type KVNamespacePutOptions = {
+    expirationTtl?: number;
+};
+type KvGetType = 'text' | 'json' | 'arrayBuffer';
+type KVListResult = {
+    keys: Array<{
+        name: string;
+    }>;
+    cursor: string;
+    list_complete: boolean;
+};
+type KVNamespace = {
+    get: {
+        (key: string): Promise<string | null>;
+        (key: string, type: 'json'): Promise<unknown | null>;
+        (key: string, type: 'arrayBuffer'): Promise<ArrayBuffer | null>;
+        (key: string, type: KvGetType): Promise<unknown | ArrayBuffer | string | null>;
+    };
+    put: (key: string, value: string, options?: KVNamespacePutOptions) => Promise<void>;
+    delete: (key: string) => Promise<void>;
+    list: (options: {
+        prefix?: string;
+        limit?: number;
+        cursor?: string;
+    }) => Promise<KVListResult>;
+};
+type KvEnv = {
+    CACHE?: KVNamespace;
+    KV_NAMESPACE?: string;
+    APP_KEY?: string;
+    KV_REMOTE_SECRET?: string;
+    ZT_PROXY_SIGNING_WINDOW_MS?: string;
+    ZT_NONCES?: KVNamespace;
+    ZT_MAX_BODY_BYTES?: string;
+    ZT_KV_PREFIX?: string;
+    ZT_KV_LIST_LIMIT?: string;
+};
+export declare const ZintrustKvProxy: Readonly<{
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION: "0.1.15";
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE: "__BUILD_DATE__";
+    fetch(request: Request, env: KvEnv): Promise<Response>;
+}>;
+export default ZintrustKvProxy;
+//# sourceMappingURL=index.d.ts.map

package/packages/cloudflare-kv-proxy/src/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../packages/cloudflare-kv-proxy/src/index.ts"],"names":[],"mappings":"AAEA,KAAK,qBAAqB,GAAG;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,KAAK,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,aAAa,CAAC;AAEjD,KAAK,YAAY,GAAG;IAClB,IAAI,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,OAAO,CAAC;CACxB,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE;QACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACtC,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;QACrD,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;QAChE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,OAAO,GAAG,WAAW,GAAG,MAAM,GAAG,IAAI,CAAC,CAAC;KAChF,CAAC;IACF,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,EAAE,CAAC,OAAO,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;CAChG,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAyYF,eAAO,MAAM,eAAe;;;mBAGL,OAAO,OAAO,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC;EAqB5D,CAAC;AAEH,eAAe,eAAe,CAAC"}