@zintrust/core 0.4.30 → 0.4.32

package/src/proxy/d1/ZintrustD1Proxy.js

@@ -1,39 +1,364 @@
-import { isUndefinedOrNull } from '../../helper/index.js';
 import { Logger } from '../../config/logger.js';
-let cached = null;
-const load = async () => {
-    if (cached !== null)
-        return cached;
+import { isArray, isObject, isString } from '../../helper/index.js';
+import { ErrorHandler } from '../ErrorHandler.js';
+import { RequestValidator } from '../RequestValidator.js';
+import { SigningService } from '../SigningService.js';
+const DEFAULT_SIGNING_WINDOW_MS = 60_000;
+const DEFAULT_MAX_BODY_BYTES = 128 * 1024;
+const DEFAULT_MAX_SQL_BYTES = 32 * 1024;
+const DEFAULT_MAX_PARAMS = 256;
+const json = (status, body) => new Response(JSON.stringify(body), {
+    status,
+    headers: {
+        'Content-Type': 'application/json; charset=utf-8',
+        'Cache-Control': 'no-store',
+    },
+});
+const toErrorResponse = (status, code, message) => {
+    const error = ErrorHandler.toProxyError(status, code, message);
+    return json(error.status, error.body);
+};
+const getEnvInt = (env, name, fallback) => {
+    const raw = env[name];
+    if (!isString(raw))
+        return fallback;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) ? parsed : fallback;
+};
+const isDebugEnabled = (env) => {
+    const raw = env.ZT_PROXY_DEBUG;
+    if (!isString(raw))
+        return false;
+    const normalized = raw.trim().toLowerCase();
+    return normalized === 'true' || normalized === '1' || normalized === 'yes';
+};
+const safeErrorMessage = (error) => {
+    if (error instanceof Error)
+        return error.message;
+    if (isString(error))
+        return error;
+    try {
+        return JSON.stringify(error);
+    }
+    catch {
+        return 'Unknown D1 error';
+    }
+};
+const logProxyError = (env, context, error) => {
+    if (!isDebugEnabled(env))
+        return;
+    Logger.error('[ZintrustD1Proxy] error', {
+        ...context,
+        message: safeErrorMessage(error).slice(0, 800),
+    });
+};
+const normalizeBindingName = (value) => {
+    if (!isString(value))
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+};
+const resolveD1Binding = (env) => {
+    const candidates = ['DB', 'zintrust_db', normalizeBindingName(env.D1_BINDING)].filter((value, index, values) => isString(value) && value.trim() !== '' && values.indexOf(value) === index);
+    const record = env;
+    for (const name of candidates) {
+        const binding = record[name];
+        if (binding !== undefined && binding !== null && typeof binding.prepare === 'function') {
+            return binding;
+        }
+    }
+    return null;
+};
+const readBodyBytes = async (request, maxBytes) => {
+    const buf = await request.arrayBuffer();
+    if (buf.byteLength > maxBytes) {
+        return {
+            ok: false,
+            response: toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'Body too large'),
+        };
+    }
+    const bytes = new Uint8Array(buf);
+    const text = new TextDecoder().decode(bytes);
+    return { ok: true, bytes, text };
+};
+const parseOptionalJson = (text) => {
+    if (text.trim() === '')
+        return { ok: true, payload: null };
+    const parsed = RequestValidator.parseJson(text);
+    if (!parsed.ok) {
+        let message = parsed.error.message;
+        if (parsed.error.code === 'INVALID_JSON') {
+            message = 'Invalid JSON body';
+        }
+        else if (parsed.error.code === 'VALIDATION_ERROR') {
+            message = 'Invalid body';
+        }
+        return { ok: false, response: toErrorResponse(400, parsed.error.code, message) };
+    }
+    return { ok: true, payload: parsed.value };
+};
+const loadSigningSecret = (env) => {
+    const direct = isString(env.D1_REMOTE_SECRET) ? env.D1_REMOTE_SECRET.trim() : '';
+    if (direct !== '')
+        return direct;
+    const fallback = isString(env.APP_KEY) ? env.APP_KEY.trim() : '';
+    if (fallback !== '')
+        return fallback;
+    return null;
+};
+const loadStatements = (env) => {
+    const raw = env.ZT_D1_STATEMENTS_JSON;
+    if (!isString(raw) || raw.trim() === '')
+        return null;
     try {
-        // Non-literal specifier to avoid tsconfig path alias rewriting in dist builds.
-        const pkgName = '@zintrust/cloudflare-d1-proxy';
-        cached = (await import(pkgName));
-        return cached;
+        const parsed = JSON.parse(raw);
+        if (!isObject(parsed))
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+};
+const isMutatingSql = (sql) => {
+    const normalized = sql.trimStart().toLowerCase();
+    return (normalized.startsWith('insert') ||
+        normalized.startsWith('update') ||
+        normalized.startsWith('delete') ||
+        normalized.startsWith('create') ||
+        normalized.startsWith('drop') ||
+        normalized.startsWith('alter') ||
+        normalized.startsWith('replace'));
+};
+const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
+    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
+    const storageKey = `nonce:${keyId}:${nonce}`;
+    const existing = await kv.get(storageKey);
+    if (existing !== null)
+        return false;
+    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
+    return true;
+};
+const verifySignedRequest = async (request, env, bodyBytes) => {
+    const secret = loadSigningSecret(env);
+    if (secret === null) {
+        return toErrorResponse(401, 'CONFIG_ERROR', 'Missing signing secret (D1_REMOTE_SECRET or APP_KEY)');
+    }
+    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', DEFAULT_SIGNING_WINDOW_MS);
+    const verifyResult = await SigningService.verifyWithKeyProvider({
+        method: request.method,
+        url: request.url,
+        body: bodyBytes,
+        headers: request.headers,
+        windowMs,
+        getSecretForKeyId: (_keyId) => secret,
+        verifyNonce: env.ZT_NONCES === undefined
+            ? undefined
+            : async (keyId, nonce, ttlMs) => verifyNonceKv(env.ZT_NONCES, keyId, nonce, ttlMs),
+    });
+    if (!verifyResult.ok) {
+        return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
+    }
+    return { ok: true };
+};
+const requireDb = (env) => {
+    const db = resolveD1Binding(env);
+    if (db === null) {
+        return toErrorResponse(400, 'CONFIG_ERROR', 'Missing D1 binding (DB) or binding name via D1_BINDING');
+    }
+    return db;
+};
+const toD1ExceptionResponse = (error) => {
+    const message = safeErrorMessage(error);
+    return toErrorResponse(500, 'D1_ERROR', message);
+};
+const parseSqlPayload = (payload) => {
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const sql = payload['sql'];
+    const params = payload['params'];
+    if (!isString(sql)) {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'sql must be a string'),
+        };
+    }
+    return { ok: true, sql, params: isArray(params) ? params : [] };
+};
+const enforceSqlLimits = (env, sql, params) => {
+    const maxSqlBytes = getEnvInt(env, 'ZT_MAX_SQL_BYTES', DEFAULT_MAX_SQL_BYTES);
+    const maxParams = getEnvInt(env, 'ZT_MAX_PARAMS', DEFAULT_MAX_PARAMS);
+    if (new TextEncoder().encode(sql).byteLength > maxSqlBytes) {
+        return toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'SQL too large');
+    }
+    if (params.length > maxParams) {
+        return toErrorResponse(400, 'VALIDATION_ERROR', 'Too many params');
+    }
+    return null;
+};
+const readAndVerifyJson = async (request, env) => {
+    const maxBodyBytes = getEnvInt(env, 'ZT_MAX_BODY_BYTES', DEFAULT_MAX_BODY_BYTES);
+    const bodyResult = await readBodyBytes(request, maxBodyBytes);
+    if (!bodyResult.ok)
+        return { ok: false, response: bodyResult.response };
+    const auth = await verifySignedRequest(request, env, bodyResult.bytes);
+    if (auth instanceof Response)
+        return { ok: false, response: auth };
+    const parsed = parseOptionalJson(bodyResult.text);
+    if (!parsed.ok)
+        return { ok: false, response: parsed.response };
+    return { ok: true, payload: parsed.payload, bodyBytes: bodyResult.bytes };
+};
+const handleQuery = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (!check.ok)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const parsed = parseSqlPayload(check.payload);
+        if (!parsed.ok)
+            return parsed.response;
+        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
+        if (limit !== null)
+            return limit;
+        const result = await db
+            .prepare(parsed.sql)
+            .bind(...parsed.params)
+            .all();
+        const rows = result.results ?? [];
+        return json(200, { rows, rowCount: rows.length });
     }
     catch (error) {
-        Logger.error(`Optional dependency not installed: @zintrust/cloudflare-d1-proxy. Install it to use ZintrustD1Proxy.`, { error: error instanceof Error ? error.message : String(error) });
-    }
-    return undefined;
-};
-// Proxy surface that defers loading until first usage.
-export const ZintrustD1Proxy = new Proxy({}, {
-    get(_target, prop) {
-        if (prop === Symbol.toStringTag)
-            return 'ZintrustD1Proxy';
-        return async (...args) => {
-            const mod = await load();
-            if (isUndefinedOrNull(mod) || typeof mod !== 'object')
-                return undefined;
-            const target = mod.ZintrustD1Proxy ?? mod.default;
-            if (!target || typeof target !== 'object') {
-                Logger.error(`Invalid module export from @zintrust/cloudflare-d1-proxy: missing ZintrustD1Proxy`);
-                return undefined;
-            }
-            const value = target[prop];
-            if (typeof value !== 'function')
-                return value;
-            return value(...args);
+        logProxyError(env, { op: 'query', path: '/zin/d1/query' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+const handleQueryOne = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (!check.ok)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const parsed = parseSqlPayload(check.payload);
+        if (!parsed.ok)
+            return parsed.response;
+        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
+        if (limit !== null)
+            return limit;
+        const row = await db
+            .prepare(parsed.sql)
+            .bind(...parsed.params)
+            .first();
+        return json(200, { row: row ?? null });
+    }
+    catch (error) {
+        logProxyError(env, { op: 'queryOne', path: '/zin/d1/queryOne' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+const handleExec = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (!check.ok)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const parsed = parseSqlPayload(check.payload);
+        if (!parsed.ok)
+            return parsed.response;
+        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
+        if (limit !== null)
+            return limit;
+        const out = await db
+            .prepare(parsed.sql)
+            .bind(...parsed.params)
+            .run();
+        return json(200, { ok: true, meta: out.meta });
+    }
+    catch (error) {
+        logProxyError(env, { op: 'exec', path: '/zin/d1/exec' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+const parseStatementPayload = (payload) => {
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const statementId = payload['statementId'];
+    const params = payload['params'];
+    if (!isString(statementId) || statementId.trim() === '') {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'statementId must be a string'),
         };
+    }
+    return { ok: true, statementId, params: isArray(params) ? params : [] };
+};
+const handleStatement = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (!check.ok)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const statements = loadStatements(env);
+        if (statements === null) {
+            return toErrorResponse(400, 'CONFIG_ERROR', 'Missing or invalid ZT_D1_STATEMENTS_JSON');
+        }
+        const parsed = parseStatementPayload(check.payload);
+        if (!parsed.ok)
+            return parsed.response;
+        const sql = statements[parsed.statementId];
+        if (!isString(sql) || sql.trim() === '') {
+            return toErrorResponse(404, 'NOT_FOUND', 'Unknown statementId');
+        }
+        if (isMutatingSql(sql)) {
+            const out = await db
+                .prepare(sql)
+                .bind(...parsed.params)
+                .run();
+            return json(200, { ok: true, meta: out.meta });
+        }
+        const out = await db
+            .prepare(sql)
+            .bind(...parsed.params)
+            .all();
+        const rows = out.results ?? [];
+        return json(200, { rows, rowCount: rows.length });
+    }
+    catch (error) {
+        logProxyError(env, { op: 'statement', path: '/zin/d1/statement' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+export const ZintrustD1Proxy = Object.freeze({
+    _ZINTRUST_CLOUDFLARE_D1_PROXY_VERSION: '0.1.15',
+    _ZINTRUST_CLOUDFLARE_D1_PROXY_BUILD_DATE: '__BUILD_DATE__',
+    async fetch(request, env) {
+        const url = new URL(request.url);
+        const methodError = RequestValidator.requirePost(request.method);
+        if (methodError !== null) {
+            return toErrorResponse(405, methodError.code, 'Method not allowed');
+        }
+        switch (url.pathname) {
+            case '/zin/d1/query':
+                return handleQuery(request, env);
+            case '/zin/d1/queryOne':
+                return handleQueryOne(request, env);
+            case '/zin/d1/exec':
+                return handleExec(request, env);
+            case '/zin/d1/statement':
+                return handleStatement(request, env);
+            default:
+                return toErrorResponse(404, 'NOT_FOUND', 'Not found');
+        }
     },
 });
 export default ZintrustD1Proxy;

package/src/proxy/kv/ZintrustKvProxy.d.ts

@@ -1,3 +1,44 @@
-export declare const ZintrustKvProxy: Record<string, unknown>;
+type KVNamespacePutOptions = {
+    expirationTtl?: number;
+};
+type KvGetType = 'text' | 'json' | 'arrayBuffer';
+type KVListResult = {
+    keys: Array<{
+        name: string;
+    }>;
+    cursor: string;
+    list_complete: boolean;
+};
+type KVNamespace = {
+    get: {
+        (key: string): Promise<string | null>;
+        (key: string, type: 'json'): Promise<Record<string, unknown> | null>;
+        (key: string, type: 'arrayBuffer'): Promise<ArrayBuffer | null>;
+        (key: string, type: KvGetType): Promise<Record<string, unknown> | ArrayBuffer | string | null>;
+    };
+    put: (key: string, value: string, options?: KVNamespacePutOptions) => Promise<void>;
+    delete: (key: string) => Promise<void>;
+    list: (options: {
+        prefix?: string;
+        limit?: number;
+        cursor?: string;
+    }) => Promise<KVListResult>;
+};
+type KvEnv = {
+    CACHE?: KVNamespace;
+    KV_NAMESPACE?: string;
+    APP_KEY?: string;
+    KV_REMOTE_SECRET?: string;
+    ZT_PROXY_SIGNING_WINDOW_MS?: string;
+    ZT_NONCES?: KVNamespace;
+    ZT_MAX_BODY_BYTES?: string;
+    ZT_KV_PREFIX?: string;
+    ZT_KV_LIST_LIMIT?: string;
+};
+export declare const ZintrustKvProxy: Readonly<{
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION: "0.1.15";
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE: "__BUILD_DATE__";
+    fetch(request: Request, env: KvEnv): Promise<Response>;
+}>;
 export default ZintrustKvProxy;
 //# sourceMappingURL=ZintrustKvProxy.d.ts.map

package/src/proxy/kv/ZintrustKvProxy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ZintrustKvProxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/ZintrustKvProxy.ts"],"names":[],"mappings":"AA2BA,eAAO,MAAM,eAAe,EAuBZ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAExC,eAAe,eAAe,CAAC"}
+{"version":3,"file":"ZintrustKvProxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/ZintrustKvProxy.ts"],"names":[],"mappings":"AAKA,KAAK,qBAAqB,GAAG;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,KAAK,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,aAAa,CAAC;AAEjD,KAAK,YAAY,GAAG;IAClB,IAAI,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,OAAO,CAAC;CACxB,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE;QACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACtC,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;QACrE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;QAChE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW,GAAG,MAAM,GAAG,IAAI,CAAC,CAAC;KAChG,CAAC;IACF,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,EAAE,CAAC,OAAO,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;CAChG,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AA0WF,eAAO,MAAM,eAAe;;;mBAGL,OAAO,OAAO,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC;EAqB5D,CAAC;AAEH,eAAe,eAAe,CAAC"}