@zintrust/core 0.4.34 → 0.4.36

package/src/proxy/kv/ZintrustKvProxy.js

@@ -1,104 +1,9 @@
 import { isObject, isString } from '../../helper/index.js';
-import { ErrorHandler } from '../ErrorHandler.js';
+import { getEnvInt, json, normalizeBindingName, readAndVerifyJson, toErrorResponse, } from '../CloudflareProxyShared.js';
 import { RequestValidator } from '../RequestValidator.js';
-import { SigningService } from '../SigningService.js';
 const DEFAULT_SIGNING_WINDOW_MS = 60_000;
 const DEFAULT_MAX_BODY_BYTES = 128 * 1024;
 const DEFAULT_LIST_LIMIT = 100;
-const json = (status, body) => {
-    return new Response(JSON.stringify(body), {
-        status,
-        headers: {
-            'Content-Type': 'application/json; charset=utf-8',
-            'Cache-Control': 'no-store',
-        },
-    });
-};
-const toErrorResponse = (status, code, message) => {
-    const error = ErrorHandler.toProxyError(status, code, message);
-    return json(error.status, error.body);
-};
-const getEnvInt = (env, name, fallback) => {
-    const raw = env[name];
-    if (!isString(raw))
-        return fallback;
-    const parsed = Number.parseInt(raw, 10);
-    return Number.isFinite(parsed) ? parsed : fallback;
-};
-const normalizeBindingName = (value) => {
-    if (!isString(value))
-        return null;
-    const trimmed = value.trim();
-    return trimmed === '' ? null : trimmed;
-};
-const readBodyBytes = async (request, maxBytes) => {
-    const buf = await request.arrayBuffer();
-    if (buf.byteLength > maxBytes) {
-        return {
-            ok: false,
-            response: toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'Body too large'),
-        };
-    }
-    const bytes = new Uint8Array(buf);
-    const text = new TextDecoder().decode(bytes);
-    return { ok: true, bytes, text };
-};
-const parseOptionalJson = (text) => {
-    if (text.trim() === '')
-        return { ok: true, payload: null };
-    const parsed = RequestValidator.parseJson(text);
-    if (!parsed.ok) {
-        let message = parsed.error.message;
-        if (parsed.error.code === 'INVALID_JSON') {
-            message = 'Invalid JSON body';
-        }
-        else if (parsed.error.code === 'VALIDATION_ERROR') {
-            message = 'Invalid body';
-        }
-        return { ok: false, response: toErrorResponse(400, parsed.error.code, message) };
-    }
-    return { ok: true, payload: parsed.value };
-};
-const loadSigningSecret = (env) => {
-    const direct = isString(env.KV_REMOTE_SECRET) ? env.KV_REMOTE_SECRET.trim() : '';
-    if (direct !== '')
-        return direct;
-    const fallback = isString(env.APP_KEY) ? env.APP_KEY.trim() : '';
-    if (fallback !== '')
-        return fallback;
-    return null;
-};
-const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
-    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
-    const storageKey = `nonce:${keyId}:${nonce}`;
-    const existing = await kv.get(storageKey);
-    if (existing !== null)
-        return false;
-    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
-    return true;
-};
-const verifySignedRequest = async (request, env, bodyBytes) => {
-    const secret = loadSigningSecret(env);
-    if (secret === null) {
-        return toErrorResponse(500, 'CONFIG_ERROR', 'Missing signing secret (KV_REMOTE_SECRET or APP_KEY)');
-    }
-    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', DEFAULT_SIGNING_WINDOW_MS);
-    const verifyResult = await SigningService.verifyWithKeyProvider({
-        method: request.method,
-        url: request.url,
-        body: bodyBytes,
-        headers: request.headers,
-        windowMs,
-        getSecretForKeyId: (_keyId) => secret,
-        verifyNonce: env.ZT_NONCES === undefined
-            ? undefined
-            : async (keyId, nonce, ttlMs) => verifyNonceKv(env.ZT_NONCES, keyId, nonce, ttlMs),
-    });
-    if (!verifyResult.ok) {
-        return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
-    }
-    return { ok: true };
-};
 const requireCache = (env) => {
     if (env.CACHE !== undefined && env.CACHE !== null)
         return env.CACHE;
@@ -128,18 +33,20 @@ const buildStorageKey = (env, params) => {
     parts.push(params.key);
     return parts.join(':');
 };
-const readAndVerifyJson = async (request, env) => {
-    const maxBodyBytes = getEnvInt(env, 'ZT_MAX_BODY_BYTES', DEFAULT_MAX_BODY_BYTES);
-    const bodyResult = await readBodyBytes(request, maxBodyBytes);
-    if (!bodyResult.ok)
-        return { ok: false, response: bodyResult.response };
-    const auth = await verifySignedRequest(request, env, bodyResult.bytes);
-    if (auth instanceof Response)
-        return { ok: false, response: auth };
-    const parsed = parseOptionalJson(bodyResult.text);
-    if (!parsed.ok)
-        return { ok: false, response: parsed.response };
-    return { ok: true, payload: parsed.payload, bodyBytes: bodyResult.bytes };
+const resolveCacheRequest = async (request, env) => {
+    const check = await readAndVerifyJson(request, env, {
+        secretEnvVar: 'KV_REMOTE_SECRET',
+        missingSecretStatus: 500,
+        missingSecretMessage: 'Missing signing secret (KV_REMOTE_SECRET or APP_KEY)',
+        defaultSigningWindowMs: DEFAULT_SIGNING_WINDOW_MS,
+        defaultMaxBodyBytes: DEFAULT_MAX_BODY_BYTES,
+    });
+    if (!check.ok)
+        return { ok: false, response: check.response };
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return { ok: false, response: cache };
+    return { ok: true, cache, payload: check.payload };
 };
 const parseGetPayload = (payload) => {
     if (!isObject(payload)) {
@@ -154,25 +61,22 @@ const parseGetPayload = (payload) => {
     return { ok: true, namespace: normalizeNamespace(payload['namespace']), key, type: typeValue };
 };
 const handleGet = async (request, env) => {
-    const check = await readAndVerifyJson(request, env);
-    if (!check.ok)
-        return check.response;
-    const cache = requireCache(env);
-    if (cache instanceof Response)
-        return cache;
-    const parsed = parseGetPayload(check.payload);
+    const resolved = await resolveCacheRequest(request, env);
+    if (!resolved.ok)
+        return resolved.response;
+    const parsed = parseGetPayload(resolved.payload);
     if (!parsed.ok)
         return parsed.response;
     const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
     if (parsed.type === 'json') {
-        const value = await cache.get(storageKey, 'json');
+        const value = await resolved.cache.get(storageKey, 'json');
         return json(200, { value: value ?? null });
     }
     if (parsed.type === 'arrayBuffer') {
-        const value = await cache.get(storageKey, 'arrayBuffer');
+        const value = await resolved.cache.get(storageKey, 'arrayBuffer');
         return json(200, { value: value ?? null });
     }
-    const value = await cache.get(storageKey);
+    const value = await resolved.cache.get(storageKey);
     return json(200, { value: value ?? null });
 };
 const parsePutPayload = (payload) => {
@@ -196,13 +100,10 @@ const parsePutPayload = (payload) => {
     };
 };
 const handlePut = async (request, env) => {
-    const check = await readAndVerifyJson(request, env);
-    if (!check.ok)
-        return check.response;
-    const cache = requireCache(env);
-    if (cache instanceof Response)
-        return cache;
-    const parsed = parsePutPayload(check.payload);
+    const resolved = await resolveCacheRequest(request, env);
+    if (!resolved.ok)
+        return resolved.response;
+    const parsed = parsePutPayload(resolved.payload);
     if (!parsed.ok)
         return parsed.response;
     const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
@@ -211,7 +112,7 @@ const handlePut = async (request, env) => {
     if (parsed.ttlSeconds !== undefined) {
         options.expirationTtl = Math.floor(parsed.ttlSeconds);
     }
-    await cache.put(storageKey, value, options);
+    await resolved.cache.put(storageKey, value, options);
     return json(200, { ok: true });
 };
 const parseDeletePayload = (payload) => {
@@ -225,17 +126,14 @@ const parseDeletePayload = (payload) => {
     return { ok: true, namespace: normalizeNamespace(payload['namespace']), key };
 };
 const handleDelete = async (request, env) => {
-    const check = await readAndVerifyJson(request, env);
-    if (!check.ok)
-        return check.response;
-    const cache = requireCache(env);
-    if (cache instanceof Response)
-        return cache;
-    const parsed = parseDeletePayload(check.payload);
+    const resolved = await resolveCacheRequest(request, env);
+    if (!resolved.ok)
+        return resolved.response;
+    const parsed = parseDeletePayload(resolved.payload);
     if (!parsed.ok)
         return parsed.response;
     const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
-    await cache.delete(storageKey);
+    await resolved.cache.delete(storageKey);
     return json(200, { ok: true });
 };
 const parseListPayload = (payload) => {
@@ -252,13 +150,10 @@ const parseListPayload = (payload) => {
     return { ok: true, params: { namespace, prefix, cursor, limit: limitParsed } };
 };
 const handleList = async (request, env) => {
-    const check = await readAndVerifyJson(request, env);
-    if (!check.ok)
-        return check.response;
-    const cache = requireCache(env);
-    if (cache instanceof Response)
-        return cache;
-    const parsed = parseListPayload(check.payload);
+    const resolved = await resolveCacheRequest(request, env);
+    if (!resolved.ok)
+        return resolved.response;
+    const parsed = parseListPayload(resolved.payload);
     if (!parsed.ok)
         return parsed.response;
     const envLimit = getEnvInt(env, 'ZT_KV_LIST_LIMIT', DEFAULT_LIST_LIMIT);
@@ -268,7 +163,11 @@ const handleList = async (request, env) => {
     const namespacePrefix = normalizeNamespace(parsed.params.namespace);
     const basePrefix = buildStorageKey(env, { namespace: namespacePrefix, key: '' });
     const fullPrefix = prefixKey === undefined ? basePrefix : `${basePrefix}${prefixKey}`;
-    const out = await cache.list({ prefix: fullPrefix, limit, cursor: parsed.params.cursor });
+    const out = await resolved.cache.list({
+        prefix: fullPrefix,
+        limit,
+        cursor: parsed.params.cursor,
+    });
     return json(200, {
         keys: out.keys.map((key) => key.name),
         cursor: out.cursor,

package/src/security/CsrfTokenManager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"CsrfTokenManager.d.ts","sourceRoot":"","sources":["../../../src/security/CsrfTokenManager.ts"],"names":[],"mappings":"AACA;;;GAGG;AAQH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAClE,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAC/D,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACxD,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACvB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,OAAO,CAAC,EAAE,uBAAuB,GAAG,iBAAiB,CAAC;CAC9D;AAED,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,OAAO,CAAC;AAE/C,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAyVF;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,oBAE7B,CAAC"}
+{"version":3,"file":"CsrfTokenManager.d.ts","sourceRoot":"","sources":["../../../src/security/CsrfTokenManager.ts"],"names":[],"mappings":"AACA;;;GAGG;AAQH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAClE,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAC/D,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACxD,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACvB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,OAAO,CAAC,EAAE,uBAAuB,GAAG,iBAAiB,CAAC;CAC9D;AAED,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,OAAO,CAAC;AAE/C,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AA6VF;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,oBAE7B,CAAC"}

package/src/security/CsrfTokenManager.js

@@ -117,7 +117,7 @@ const createRedisClientFactory = (options) => {
             port: Env.getInt('REDIS_PORT', ZintrustLang.REDIS_DEFAULT_PORT),
             password: Env.get('REDIS_PASSWORD'),
             db: database,
-        });
+        }, 3, { subsystem: 'csrf' });
         return redisClient;
     };
 };

package/src/security/JwtSessions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"JwtSessions.d.ts","sourceRoot":"","sources":["../../../src/security/JwtSessions.ts"],"names":[],"mappings":"AAUA,MAAM,MAAM,qBAAqB,GAAG,UAAU,GAAG,QAAQ,GAAG,OAAO,GAAG,IAAI,GAAG,WAAW,CAAC;AAEzF,MAAM,MAAM,mBAAmB,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;AAqnBhE,eAAO,MAAM,WAAW;oBACA,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;oBAKtB,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;mBAM1B,mBAAmB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;mBAU5C,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;iBAQ9B,qBAAqB;sBAIhB,IAAI;EAItB,CAAC;AAEH,eAAe,WAAW,CAAC"}
+{"version":3,"file":"JwtSessions.d.ts","sourceRoot":"","sources":["../../../src/security/JwtSessions.ts"],"names":[],"mappings":"AAUA,MAAM,MAAM,qBAAqB,GAAG,UAAU,GAAG,QAAQ,GAAG,OAAO,GAAG,IAAI,GAAG,WAAW,CAAC;AAEzF,MAAM,MAAM,mBAAmB,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;AAynBhE,eAAO,MAAM,WAAW;oBACA,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;oBAKtB,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;mBAM1B,mBAAmB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;mBAU5C,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;iBAQ9B,qBAAqB;sBAIhB,IAAI;EAItB,CAAC;AAEH,eAAe,WAAW,CAAC"}

package/src/security/JwtSessions.js

@@ -246,7 +246,7 @@ const createRedisStore = (params) => {
         port: Env.REDIS_PORT,
         password: Env.REDIS_PASSWORD,
         db: Env.getInt('JWT_REVOCATION_REDIS_DB', Env.REDIS_DB),
-    });
+    }, 3, { subsystem: 'jwt-sessions' });
     const indexGet = async (sub) => {
         const value = await client.get(encodeSubIndexKey(params.keyPrefix, sub));
         if (value === null)

package/src/security/TokenRevocation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"TokenRevocation.d.ts","sourceRoot":"","sources":["../../../src/security/TokenRevocation.ts"],"names":[],"mappings":"AAUA,KAAK,mBAAmB,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;AAEzD,MAAM,MAAM,yBAAyB,GAAG,UAAU,GAAG,QAAQ,GAAG,OAAO,GAAG,IAAI,GAAG,WAAW,CAAC;AAysB7F,eAAO,MAAM,eAAe;IAC1B;;;;OAIG;mBACkB,mBAAmB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAUjE;;OAEG;qBACoB,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAMhD;;OAEG;iBACU,yBAAyB;IAItC;;OAEG;sBACe,IAAI;EAItB,CAAC;AAEH,eAAe,eAAe,CAAC"}
+{"version":3,"file":"TokenRevocation.d.ts","sourceRoot":"","sources":["../../../src/security/TokenRevocation.ts"],"names":[],"mappings":"AAUA,KAAK,mBAAmB,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;AAEzD,MAAM,MAAM,yBAAyB,GAAG,UAAU,GAAG,QAAQ,GAAG,OAAO,GAAG,IAAI,GAAG,WAAW,CAAC;AA6sB7F,eAAO,MAAM,eAAe;IAC1B;;;;OAIG;mBACkB,mBAAmB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAUjE;;OAEG;qBACoB,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAMhD;;OAEG;iBACU,yBAAyB;IAItC;;OAEG;sBACe,IAAI;EAItB,CAAC;AAEH,eAAe,eAAe,CAAC"}

package/src/security/TokenRevocation.js

@@ -203,7 +203,7 @@ const createRedisStore = (params) => {
         port: Env.REDIS_PORT,
         password: Env.REDIS_PASSWORD,
         db: Env.getInt('JWT_REVOCATION_REDIS_DB', Env.REDIS_DB),
-    });
+    }, 3, { subsystem: 'jwt-revocation' });
     return {
         async revoke(key) {
             const ttlMs = Math.max(0, key.expiresAtMs - Date.now());

package/src/tools/queue/LockProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"LockProvider.d.ts","sourceRoot":"","sources":["../../../../src/tools/queue/LockProvider.ts"],"names":[],"mappings":"AACA;;;GAGG;AAGH,OAAO,KAAK,EAGV,YAAY,EACZ,kBAAkB,EAEnB,MAAM,eAAe,CAAC;AAwBvB;;GAEG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAUvD;AAkJD;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,kBAAkB,GAAG,YAAY,CAWhF;AAYD,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,kBAAkB,GAAG,YAAY,CA4FjF;AAOD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,GAAG,IAAI,CAG/E;AACD,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS,CAEtE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,YAAY,CAS3E"}
+{"version":3,"file":"LockProvider.d.ts","sourceRoot":"","sources":["../../../../src/tools/queue/LockProvider.ts"],"names":[],"mappings":"AACA;;;GAGG;AAGH,OAAO,KAAK,EAGV,YAAY,EACZ,kBAAkB,EAEnB,MAAM,eAAe,CAAC;AA4BvB;;GAEG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAUvD;AAkJD;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,kBAAkB,GAAG,YAAY,CAWhF;AAYD,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,kBAAkB,GAAG,YAAY,CA4FjF;AAOD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,GAAG,IAAI,CAG/E;AACD,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS,CAEtE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,YAAY,CAS3E"}

package/src/tools/queue/LockProvider.js

@@ -19,7 +19,7 @@ function getRedisClient() {
             port: redisConfig.port,
             password: redisConfig.password,
             db: redisConfig.database,
-        });
+        }, 3, { subsystem: 'lock-provider' });
     }
     return redisClient;
 }

package/src/tools/redis/RedisTransport.d.ts

@@ -0,0 +1,34 @@
+import type { RedisConfig } from '../../config/type';
+export type RedisTransportMode = 'direct' | 'proxy';
+export type RedisTransportOptions = Readonly<{
+    subsystem?: string;
+    requireDirect?: boolean;
+}>;
+type RedisProxyConnection = {
+    status: 'ready';
+    connect: () => Promise<void>;
+    quit: () => Promise<'OK'>;
+    disconnect: () => void;
+    on: (event: string, handler: (...args: unknown[]) => void) => RedisProxyConnection;
+    once: (event: string, handler: (...args: unknown[]) => void) => RedisProxyConnection;
+    off: (event: string, handler: (...args: unknown[]) => void) => RedisProxyConnection;
+    removeListener: (event: string, handler: (...args: unknown[]) => void) => RedisProxyConnection;
+    call: (command: string, ...args: unknown[]) => Promise<unknown>;
+    pipeline: () => {
+        exec: () => Promise<Array<[Error | null, unknown]>>;
+        [key: string]: unknown;
+    };
+    scanStream: (options?: {
+        match?: string;
+        count?: number;
+    }) => {
+        on: (event: string, handler: (...args: unknown[]) => void) => unknown;
+        once: (event: string, handler: (...args: unknown[]) => void) => unknown;
+        off: (event: string, handler: (...args: unknown[]) => void) => unknown;
+    };
+};
+export declare const resolveRedisTransportMode: () => RedisTransportMode;
+export declare const createRedisProxyConnection: (config: RedisConfig, options?: RedisTransportOptions) => RedisProxyConnection;
+export declare const ensureRedisTransportMode: (config: RedisConfig, options?: RedisTransportOptions) => RedisTransportMode;
+export {};
+//# sourceMappingURL=RedisTransport.d.ts.map

package/src/tools/redis/RedisTransport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RedisTransport.d.ts","sourceRoot":"","sources":["../../../../src/tools/redis/RedisTransport.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAIhD,MAAM,MAAM,kBAAkB,GAAG,QAAQ,GAAG,OAAO,CAAC;AAEpD,MAAM,MAAM,qBAAqB,GAAG,QAAQ,CAAC;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC,CAAC;AASH,KAAK,oBAAoB,GAAG;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7B,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,UAAU,EAAE,MAAM,IAAI,CAAC;IACvB,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,KAAK,oBAAoB,CAAC;IACnF,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,KAAK,oBAAoB,CAAC;IACrF,GAAG,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,KAAK,oBAAoB,CAAC;IACpF,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,KAAK,oBAAoB,CAAC;IAC/F,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAChE,QAAQ,EAAE,MAAM;QACd,IAAI,EAAE,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;QACpD,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;IACF,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK;QAC5D,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,KAAK,OAAO,CAAC;QACtE,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,KAAK,OAAO,CAAC;QACxE,GAAG,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,IAAI,KAAK,OAAO,CAAC;KACxE,CAAC;CACH,CAAC;AA0PF,eAAO,MAAM,yBAAyB,QAAO,kBAE5C,CAAC;AAEF,eAAO,MAAM,0BAA0B,GACrC,QAAQ,WAAW,EACnB,UAAU,qBAAqB,KAC9B,oBAoCF,CAAC;AAEF,eAAO,MAAM,wBAAwB,GACnC,QAAQ,WAAW,EACnB,UAAU,qBAAqB,KAC9B,kBAaF,CAAC"}

package/src/tools/redis/RedisTransport.js

@@ -0,0 +1,251 @@
+import { Env } from '../../config/env.js';
+import { Logger } from '../../config/logger.js';
+import { ErrorFactory } from '../../exceptions/ZintrustError.js';
+import { SignedRequest } from '../../security/SignedRequest.js';
+const loggedSelections = new Set();
+const resolveSigningPrefix = (baseUrl) => {
+    try {
+        const parsed = new URL(baseUrl);
+        const path = parsed.pathname.endsWith('/') ? parsed.pathname.slice(0, -1) : parsed.pathname;
+        if (path === '' || path === '/')
+            return undefined;
+        return path;
+    }
+    catch {
+        return undefined;
+    }
+};
+const buildRequestUrl = (baseUrl, requestPath) => {
+    const url = new URL(baseUrl);
+    const basePath = url.pathname.endsWith('/') ? url.pathname.slice(0, -1) : url.pathname;
+    const normalizedPath = requestPath.startsWith('/') ? requestPath : `/${requestPath}`;
+    url.pathname = `${basePath}${normalizedPath}`;
+    return url;
+};
+const buildSigningUrl = (requestUrl, baseUrl) => {
+    const prefix = resolveSigningPrefix(baseUrl);
+    if (prefix === undefined)
+        return requestUrl;
+    if (requestUrl.pathname === prefix || requestUrl.pathname.startsWith(`${prefix}/`)) {
+        const signingUrl = new URL(requestUrl.toString());
+        const stripped = requestUrl.pathname.slice(prefix.length);
+        signingUrl.pathname = stripped.startsWith('/') ? stripped : `/${stripped}`;
+        return signingUrl;
+    }
+    return requestUrl;
+};
+const resolveProxyBaseUrl = () => {
+    const explicit = Env.REDIS_PROXY_URL.trim();
+    if (explicit !== '')
+        return explicit;
+    return `http://${Env.REDIS_PROXY_HOST}:${Env.REDIS_PROXY_PORT}`;
+};
+const resolveProxySettings = () => ({
+    baseUrl: resolveProxyBaseUrl(),
+    keyId: Env.REDIS_PROXY_KEY_ID.trim() === '' ? undefined : Env.REDIS_PROXY_KEY_ID,
+    secret: Env.REDIS_PROXY_SECRET.trim() === '' ? undefined : Env.REDIS_PROXY_SECRET,
+    timeoutMs: Env.REDIS_PROXY_TIMEOUT_MS,
+});
+const buildHeaders = async (settings, requestUrl, body) => {
+    const headers = {
+        'Content-Type': 'application/json',
+    };
+    if (settings.keyId !== undefined && settings.secret !== undefined) {
+        const signingUrl = buildSigningUrl(requestUrl, settings.baseUrl);
+        const signed = await SignedRequest.createHeaders({
+            method: 'POST',
+            url: signingUrl,
+            body,
+            keyId: settings.keyId,
+            secret: settings.secret,
+        });
+        Object.assign(headers, signed);
+    }
+    return headers;
+};
+const requestProxyCommand = async (settings, command, args) => {
+    if (settings.baseUrl.trim() === '') {
+        throw ErrorFactory.createConfigError('Redis proxy URL is missing (REDIS_PROXY_URL)');
+    }
+    const body = JSON.stringify({ command, args });
+    const requestUrl = buildRequestUrl(settings.baseUrl, '/zin/redis/command');
+    const headers = await buildHeaders(settings, requestUrl, body);
+    const signal = typeof AbortSignal !== 'undefined' && 'timeout' in AbortSignal
+        ? AbortSignal.timeout(settings.timeoutMs)
+        : undefined;
+    const response = await fetch(requestUrl.toString(), {
+        method: 'POST',
+        headers,
+        body,
+        signal,
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw ErrorFactory.createTryCatchError(`Redis proxy request failed (${response.status})`, text);
+    }
+    const parsed = (await response.json());
+    return parsed.result;
+};
+const logTransportSelection = (mode, config, options) => {
+    const rawSubsystem = options?.subsystem?.trim();
+    const subsystem = rawSubsystem === undefined || rawSubsystem === '' ? 'redis' : rawSubsystem;
+    const cacheKey = `${subsystem}:${mode}:${config.db}`;
+    if (loggedSelections.has(cacheKey)) {
+        return;
+    }
+    loggedSelections.add(cacheKey);
+    Logger.info('[redis][transport] resolved transport', {
+        subsystem,
+        mode,
+        db: config.db,
+        host: mode === 'direct' ? config.host : undefined,
+        port: mode === 'direct' ? config.port : undefined,
+        proxyUrl: mode === 'proxy' ? resolveProxyBaseUrl() : undefined,
+    });
+};
+const normalizeScanResponse = (value) => {
+    if (!Array.isArray(value) || value.length < 2) {
+        return ['0', []];
+    }
+    const cursor = typeof value[0] === 'string' ? value[0] : String(value[0] ?? '0');
+    const batch = Array.isArray(value[1])
+        ? value[1].filter((entry) => typeof entry === 'string')
+        : [];
+    return [cursor, batch];
+};
+const createScanStream = (settings, options) => {
+    const handlers = new Map();
+    const stream = {
+        on(event, handler) {
+            const current = handlers.get(event) ?? new Set();
+            current.add(handler);
+            handlers.set(event, current);
+            return stream;
+        },
+        once(event, handler) {
+            const wrapped = (...args) => {
+                stream.off(event, wrapped);
+                handler(...args);
+            };
+            return stream.on(event, wrapped);
+        },
+        off(event, handler) {
+            handlers.get(event)?.delete(handler);
+            return stream;
+        },
+    };
+    const emit = (event, ...args) => {
+        for (const handler of handlers.get(event) ?? []) {
+            handler(...args);
+        }
+    };
+    queueMicrotask(() => {
+        void (async () => {
+            try {
+                let cursor = '0';
+                do {
+                    // eslint-disable-next-line no-await-in-loop
+                    const result = await requestProxyCommand(settings, 'SCAN', [
+                        cursor,
+                        'MATCH',
+                        options?.match ?? '*',
+                        'COUNT',
+                        String(options?.count ?? 200),
+                    ]);
+                    const [nextCursor, batch] = normalizeScanResponse(result);
+                    cursor = nextCursor;
+                    if (batch.length > 0) {
+                        emit('data', batch);
+                    }
+                } while (cursor !== '0');
+                emit('end');
+            }
+            catch (error) {
+                emit('error', error);
+            }
+        })();
+    });
+    return stream;
+};
+const createPipeline = (settings) => {
+    const commands = [];
+    const target = {
+        async exec() {
+            const results = [];
+            for (const entry of commands) {
+                try {
+                    // eslint-disable-next-line no-await-in-loop
+                    const result = await requestProxyCommand(settings, entry.command, entry.args);
+                    results.push([null, result]);
+                }
+                catch (error) {
+                    results.push([
+                        error instanceof Error
+                            ? error
+                            : ErrorFactory.createTryCatchError('Redis pipeline command failed', error),
+                        null,
+                    ]);
+                }
+            }
+            return results;
+        },
+    };
+    const pipeline = new Proxy(target, {
+        get(obj, prop) {
+            if (typeof prop !== 'string')
+                return Reflect.get(obj, prop);
+            if (prop in obj)
+                return Reflect.get(obj, prop);
+            return (...args) => {
+                commands.push({ command: prop.toUpperCase(), args });
+                return pipeline;
+            };
+        },
+    });
+    return pipeline;
+};
+export const resolveRedisTransportMode = () => {
+    return Env.USE_REDIS_PROXY || Env.REDIS_PROXY_URL.trim() !== '' ? 'proxy' : 'direct';
+};
+export const createRedisProxyConnection = (config, options) => {
+    const settings = resolveProxySettings();
+    logTransportSelection('proxy', config, options);
+    const target = {
+        status: 'ready',
+        connect: async () => { },
+        // eslint-disable-next-line @typescript-eslint/require-await
+        quit: async () => 'OK',
+        disconnect: () => undefined,
+        on: (_event, _handler) => client,
+        once: (_event, _handler) => client,
+        off: (_event, _handler) => client,
+        removeListener: (_event, _handler) => client,
+        call: async (command, ...args) => {
+            return requestProxyCommand(settings, command, args);
+        },
+        pipeline: () => createPipeline(settings),
+        scanStream: (scanOptions) => createScanStream(settings, scanOptions),
+    };
+    const client = new Proxy(target, {
+        get(obj, prop) {
+            if (typeof prop !== 'string')
+                return Reflect.get(obj, prop);
+            if (prop === 'then')
+                return undefined;
+            if (prop in obj)
+                return Reflect.get(obj, prop);
+            return async (...args) => requestProxyCommand(settings, prop.toUpperCase(), args);
+        },
+    });
+    return client;
+};
+export const ensureRedisTransportMode = (config, options) => {
+    const mode = resolveRedisTransportMode();
+    if (mode === 'proxy' && options?.requireDirect === true) {
+        throw ErrorFactory.createConfigError(`Redis subsystem '${options.subsystem ?? 'redis'}' requires a direct Redis connection, but proxy mode is enabled.`);
+    }
+    if (mode === 'direct') {
+        logTransportSelection(mode, config, options);
+    }
+    return mode;
+};