@zintrust/core 0.4.30 → 0.4.32

package/src/proxy/kv/ZintrustKvProxy.js

@@ -1,38 +1,301 @@
-import { isUndefinedOrNull } from '../../helper/index.js';
-import { Logger } from '../../config/logger.js';
-const MODULE_ID = '@zintrust/cloudflare-kv-proxy';
-let cached = null;
-const load = async () => {
-    if (cached !== null)
-        return cached;
-    try {
-        // Non-literal specifier to avoid tsconfig path alias rewriting in dist builds.
-        cached = (await import(MODULE_ID));
-        return cached;
-    }
-    catch (error) {
-        Logger.error(`Optional dependency not installed: ${MODULE_ID}. Install it to use ZintrustKvProxy.`, { error: error instanceof Error ? error.message : String(error) });
-    }
-    return undefined;
-};
-export const ZintrustKvProxy = new Proxy({}, {
-    get(_target, prop) {
-        if (prop === Symbol.toStringTag)
-            return 'ZintrustKvProxy';
-        return async (...args) => {
-            const mod = await load();
-            if (isUndefinedOrNull(mod) || typeof mod !== 'object')
-                return undefined;
-            const target = mod.ZintrustKvProxy ?? mod.default;
-            if (!target || typeof target !== 'object') {
-                Logger.error(`Invalid module export from ${MODULE_ID}: missing ZintrustKvProxy`);
-                return undefined;
-            }
-            const value = target[prop];
-            if (typeof value !== 'function')
-                return value;
-            return value(...args);
+import { isObject, isString } from '../../helper/index.js';
+import { ErrorHandler } from '../ErrorHandler.js';
+import { RequestValidator } from '../RequestValidator.js';
+import { SigningService } from '../SigningService.js';
+const DEFAULT_SIGNING_WINDOW_MS = 60_000;
+const DEFAULT_MAX_BODY_BYTES = 128 * 1024;
+const DEFAULT_LIST_LIMIT = 100;
+const json = (status, body) => {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: {
+            'Content-Type': 'application/json; charset=utf-8',
+            'Cache-Control': 'no-store',
+        },
+    });
+};
+const toErrorResponse = (status, code, message) => {
+    const error = ErrorHandler.toProxyError(status, code, message);
+    return json(error.status, error.body);
+};
+const getEnvInt = (env, name, fallback) => {
+    const raw = env[name];
+    if (!isString(raw))
+        return fallback;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) ? parsed : fallback;
+};
+const normalizeBindingName = (value) => {
+    if (!isString(value))
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+};
+const readBodyBytes = async (request, maxBytes) => {
+    const buf = await request.arrayBuffer();
+    if (buf.byteLength > maxBytes) {
+        return {
+            ok: false,
+            response: toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'Body too large'),
         };
+    }
+    const bytes = new Uint8Array(buf);
+    const text = new TextDecoder().decode(bytes);
+    return { ok: true, bytes, text };
+};
+const parseOptionalJson = (text) => {
+    if (text.trim() === '')
+        return { ok: true, payload: null };
+    const parsed = RequestValidator.parseJson(text);
+    if (!parsed.ok) {
+        let message = parsed.error.message;
+        if (parsed.error.code === 'INVALID_JSON') {
+            message = 'Invalid JSON body';
+        }
+        else if (parsed.error.code === 'VALIDATION_ERROR') {
+            message = 'Invalid body';
+        }
+        return { ok: false, response: toErrorResponse(400, parsed.error.code, message) };
+    }
+    return { ok: true, payload: parsed.value };
+};
+const loadSigningSecret = (env) => {
+    const direct = isString(env.KV_REMOTE_SECRET) ? env.KV_REMOTE_SECRET.trim() : '';
+    if (direct !== '')
+        return direct;
+    const fallback = isString(env.APP_KEY) ? env.APP_KEY.trim() : '';
+    if (fallback !== '')
+        return fallback;
+    return null;
+};
+const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
+    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
+    const storageKey = `nonce:${keyId}:${nonce}`;
+    const existing = await kv.get(storageKey);
+    if (existing !== null)
+        return false;
+    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
+    return true;
+};
+const verifySignedRequest = async (request, env, bodyBytes) => {
+    const secret = loadSigningSecret(env);
+    if (secret === null) {
+        return toErrorResponse(500, 'CONFIG_ERROR', 'Missing signing secret (KV_REMOTE_SECRET or APP_KEY)');
+    }
+    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', DEFAULT_SIGNING_WINDOW_MS);
+    const verifyResult = await SigningService.verifyWithKeyProvider({
+        method: request.method,
+        url: request.url,
+        body: bodyBytes,
+        headers: request.headers,
+        windowMs,
+        getSecretForKeyId: (_keyId) => secret,
+        verifyNonce: env.ZT_NONCES === undefined
+            ? undefined
+            : async (keyId, nonce, ttlMs) => verifyNonceKv(env.ZT_NONCES, keyId, nonce, ttlMs),
+    });
+    if (!verifyResult.ok) {
+        return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
+    }
+    return { ok: true };
+};
+const requireCache = (env) => {
+    if (env.CACHE !== undefined && env.CACHE !== null)
+        return env.CACHE;
+    const bindingName = normalizeBindingName(env.KV_NAMESPACE);
+    if (bindingName !== null) {
+        const record = env;
+        const kv = record[bindingName];
+        if (kv !== undefined && kv !== null)
+            return kv;
+    }
+    return toErrorResponse(500, 'CONFIG_ERROR', 'Missing KV binding (CACHE)');
+};
+const normalizeNamespace = (value) => {
+    if (!isString(value))
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed === '' ? undefined : trimmed;
+};
+const buildStorageKey = (env, params) => {
+    const prefix = isString(env.ZT_KV_PREFIX) ? env.ZT_KV_PREFIX : '';
+    const namespace = normalizeNamespace(params.namespace);
+    const parts = [];
+    if (prefix.trim() !== '')
+        parts.push(prefix.trim());
+    if (namespace !== undefined)
+        parts.push(namespace);
+    parts.push(params.key);
+    return parts.join(':');
+};
+const readAndVerifyJson = async (request, env) => {
+    const maxBodyBytes = getEnvInt(env, 'ZT_MAX_BODY_BYTES', DEFAULT_MAX_BODY_BYTES);
+    const bodyResult = await readBodyBytes(request, maxBodyBytes);
+    if (!bodyResult.ok)
+        return { ok: false, response: bodyResult.response };
+    const auth = await verifySignedRequest(request, env, bodyResult.bytes);
+    if (auth instanceof Response)
+        return { ok: false, response: auth };
+    const parsed = parseOptionalJson(bodyResult.text);
+    if (!parsed.ok)
+        return { ok: false, response: parsed.response };
+    return { ok: true, payload: parsed.payload, bodyBytes: bodyResult.bytes };
+};
+const parseGetPayload = (payload) => {
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const key = payload['key'];
+    const type = payload['type'];
+    if (!isString(key) || key.trim() === '') {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'key is required') };
+    }
+    const typeValue = type === 'text' || type === 'arrayBuffer' || type === 'json' ? type : 'text';
+    return { ok: true, namespace: normalizeNamespace(payload['namespace']), key, type: typeValue };
+};
+const handleGet = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (!check.ok)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parseGetPayload(check.payload);
+    if (!parsed.ok)
+        return parsed.response;
+    const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
+    if (parsed.type === 'json') {
+        const value = await cache.get(storageKey, 'json');
+        return json(200, { value: value ?? null });
+    }
+    if (parsed.type === 'arrayBuffer') {
+        const value = await cache.get(storageKey, 'arrayBuffer');
+        return json(200, { value: value ?? null });
+    }
+    const value = await cache.get(storageKey);
+    return json(200, { value: value ?? null });
+};
+const parsePutPayload = (payload) => {
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const key = payload['key'];
+    if (!isString(key) || key.trim() === '') {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'key is required') };
+    }
+    const ttlSeconds = payload['ttlSeconds'];
+    const ttl = typeof ttlSeconds === 'number' && Number.isFinite(ttlSeconds) && ttlSeconds > 0
+        ? ttlSeconds
+        : undefined;
+    return {
+        ok: true,
+        namespace: normalizeNamespace(payload['namespace']),
+        key,
+        value: payload['value'],
+        ttlSeconds: ttl,
+    };
+};
+const handlePut = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (!check.ok)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parsePutPayload(check.payload);
+    if (!parsed.ok)
+        return parsed.response;
+    const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
+    const value = JSON.stringify(parsed.value);
+    const options = {};
+    if (parsed.ttlSeconds !== undefined) {
+        options.expirationTtl = Math.floor(parsed.ttlSeconds);
+    }
+    await cache.put(storageKey, value, options);
+    return json(200, { ok: true });
+};
+const parseDeletePayload = (payload) => {
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const key = payload['key'];
+    if (!isString(key) || key.trim() === '') {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'key is required') };
+    }
+    return { ok: true, namespace: normalizeNamespace(payload['namespace']), key };
+};
+const handleDelete = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (!check.ok)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parseDeletePayload(check.payload);
+    if (!parsed.ok)
+        return parsed.response;
+    const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
+    await cache.delete(storageKey);
+    return json(200, { ok: true });
+};
+const parseListPayload = (payload) => {
+    if (payload === null)
+        return { ok: true, params: {} };
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const namespace = normalizeNamespace(payload['namespace']);
+    const prefix = isString(payload['prefix']) ? payload['prefix'] : undefined;
+    const cursor = isString(payload['cursor']) ? payload['cursor'] : undefined;
+    const limitRaw = payload['limit'];
+    const limitParsed = typeof limitRaw === 'number' && Number.isFinite(limitRaw) ? Math.floor(limitRaw) : undefined;
+    return { ok: true, params: { namespace, prefix, cursor, limit: limitParsed } };
+};
+const handleList = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (!check.ok)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parseListPayload(check.payload);
+    if (!parsed.ok)
+        return parsed.response;
+    const envLimit = getEnvInt(env, 'ZT_KV_LIST_LIMIT', DEFAULT_LIST_LIMIT);
+    const requested = parsed.params.limit ?? envLimit;
+    const limit = Math.max(1, Math.min(requested, envLimit));
+    const prefixKey = parsed.params.prefix;
+    const namespacePrefix = normalizeNamespace(parsed.params.namespace);
+    const basePrefix = buildStorageKey(env, { namespace: namespacePrefix, key: '' });
+    const fullPrefix = prefixKey === undefined ? basePrefix : `${basePrefix}${prefixKey}`;
+    const out = await cache.list({ prefix: fullPrefix, limit, cursor: parsed.params.cursor });
+    return json(200, {
+        keys: out.keys.map((key) => key.name),
+        cursor: out.cursor,
+        listComplete: out.list_complete,
+    });
+};
+export const ZintrustKvProxy = Object.freeze({
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION: '0.1.15',
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE: '__BUILD_DATE__',
+    async fetch(request, env) {
+        const url = new URL(request.url);
+        const methodError = RequestValidator.requirePost(request.method);
+        if (methodError !== null) {
+            return toErrorResponse(405, methodError.code, 'Method not allowed');
+        }
+        switch (url.pathname) {
+            case '/zin/kv/get':
+                return handleGet(request, env);
+            case '/zin/kv/put':
+                return handlePut(request, env);
+            case '/zin/kv/delete':
+                return handleDelete(request, env);
+            case '/zin/kv/list':
+                return handleList(request, env);
+            default:
+                return toErrorResponse(404, 'NOT_FOUND', 'Not found');
+        }
     },
 });
 export default ZintrustKvProxy;

package/src/templates/project/basic/src/boot/bootstrap.ts.tpl

@@ -0,0 +1,3 @@
+import '@zintrust/core/boot';
+
+export {};