blockrate-server 0.1.0

package/src/dashboard.ts

@@ -0,0 +1,82 @@
+export const dashboardHtml = /* html */ `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>blockrate dashboard</title>
+<style>
+  :root { color-scheme: light dark; }
+  body { font: 14px/1.5 ui-sans-serif, system-ui, sans-serif; max-width: 900px; margin: 2rem auto; padding: 0 1rem; }
+  h1 { margin-bottom: 0.25rem; }
+  .muted { color: #888; }
+  form { display: flex; gap: 0.5rem; margin: 1rem 0; flex-wrap: wrap; }
+  input, select, button { padding: 0.4rem 0.6rem; font: inherit; }
+  table { width: 100%; border-collapse: collapse; margin-top: 1rem; }
+  th, td { text-align: left; padding: 0.5rem 0.6rem; border-bottom: 1px solid #8884; }
+  th { background: #8881; }
+  .bar { position: relative; height: 8px; background: #8883; border-radius: 4px; overflow: hidden; }
+  .bar > div { position: absolute; inset: 0; width: var(--w); background: linear-gradient(90deg, #f59e0b, #ef4444); }
+  .err { color: #ef4444; }
+</style>
+</head>
+<body>
+<h1>blockrate</h1>
+<p class="muted">Per-provider block rate across your services.</p>
+<form id="f">
+  <input name="key" type="password" placeholder="API key" required>
+  <input name="service" placeholder="service (optional)">
+  <select name="since">
+    <option value="1">last 24h</option>
+    <option value="7" selected>last 7 days</option>
+    <option value="30">last 30 days</option>
+  </select>
+  <button type="submit">Load</button>
+</form>
+<div id="out"></div>
+<script>
+const f = document.getElementById("f");
+const out = document.getElementById("out");
+const stored = localStorage.getItem("br_key");
+if (stored) f.key.value = stored;
+f.addEventListener("submit", async (e) => {
+  e.preventDefault();
+  const key = f.key.value.trim();
+  localStorage.setItem("br_key", key);
+  const params = new URLSearchParams({ since: f.since.value });
+  if (f.service.value) params.set("service", f.service.value);
+  out.innerHTML = "Loading...";
+  try {
+    const res = await fetch("/stats?" + params, {
+      headers: { "x-blockrate-key": key },
+    });
+    if (!res.ok) throw new Error(await res.text());
+    const data = await res.json();
+    if (!data.stats.length) {
+      out.innerHTML = "<p class='muted'>No data yet.</p>";
+      return;
+    }
+    const rows = data.stats
+      .sort((a, b) => b.blockRate - a.blockRate)
+      .map((s) => {
+        const pct = (s.blockRate * 100).toFixed(1);
+        return \`<tr>
+          <td>\${s.provider}</td>
+          <td>\${s.total.toLocaleString()}</td>
+          <td>\${pct}%</td>
+          <td><div class="bar"><div style="--w:\${pct}%"></div></div></td>
+          <td>\${s.avgLatency}ms</td>
+        </tr>\`;
+      })
+      .join("");
+    out.innerHTML = \`
+      <p class="muted">Tenant: <b>\${data.tenant}</b> · \${data.service ?? "all services"} · last \${data.sinceDays}d</p>
+      <table>
+        <thead><tr><th>Provider</th><th>Checks</th><th>Block rate</th><th></th><th>Avg latency</th></tr></thead>
+        <tbody>\${rows}</tbody>
+      </table>\`;
+  } catch (err) {
+    out.innerHTML = "<p class='err'>" + err.message + "</p>";
+  }
+});
+</script>
+</body>
+</html>`;

package/src/handlers.ts

@@ -0,0 +1,80 @@
+import { blockRatePayloadSchema } from "./validate";
+import { truncateUserAgent } from "./ua";
+import type { BlockRateStore, StoredTenant } from "./store";
+
+export async function authenticate(
+  store: BlockRateStore,
+  request: Request,
+): Promise<StoredTenant | null> {
+  const key =
+    request.headers.get("x-blockrate-key") ||
+    request.headers.get("authorization")?.replace(/^Bearer\s+/i, "") ||
+    null;
+  if (!key) return null;
+  return store.findTenantByApiKey(key);
+}
+
+export async function handleIngest(
+  store: BlockRateStore,
+  request: Request,
+  tenant: StoredTenant,
+): Promise<Response> {
+  let body: unknown;
+  try {
+    body = await request.json();
+  } catch {
+    return json({ error: "invalid json" }, 400);
+  }
+  const parsed = blockRatePayloadSchema.safeParse(body);
+  if (!parsed.success) {
+    return json({ error: "invalid payload", issues: parsed.error.issues }, 400);
+  }
+  const { timestamp, url, userAgent, service, providers } = parsed.data;
+  const truncatedUa = truncateUserAgent(userAgent);
+  const ts = new Date(timestamp);
+  await store.insertEvents(
+    providers.map((p) => ({
+      tenantId: tenant.id,
+      service: service ?? "default",
+      timestamp: ts,
+      url,
+      userAgent: truncatedUa,
+      provider: p.name,
+      status: p.status,
+      latency: p.latency,
+    })),
+  );
+  return new Response(null, { status: 204 });
+}
+
+export async function handleStats(
+  store: BlockRateStore,
+  request: Request,
+  tenant: StoredTenant,
+): Promise<Response> {
+  const url = new URL(request.url);
+  const service = url.searchParams.get("service") ?? undefined;
+  const sinceParam = url.searchParams.get("since");
+  const sinceDays = sinceParam ? Math.max(1, parseInt(sinceParam, 10)) : 7;
+  const since = new Date(Date.now() - sinceDays * 24 * 60 * 60 * 1000);
+
+  const stats = await store.getStats({
+    tenantId: tenant.id,
+    service,
+    since,
+  });
+
+  return json({
+    tenant: tenant.name,
+    service: service ?? null,
+    sinceDays,
+    stats,
+  });
+}
+
+export function json(data: unknown, status = 200): Response {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "Content-Type": "application/json" },
+  });
+}

package/src/index.ts

@@ -0,0 +1,32 @@
+// Server
+export { createServer } from "./server";
+export type { ServerOptions } from "./server";
+
+// Stores
+export { createStore, SqliteStore, PostgresStore } from "./stores";
+export type {
+  BlockRateStore,
+  StoredTenant,
+  NewStoredEvent,
+  StatsRow,
+  StatsQuery,
+  Dialect,
+  CreateStoreOptions,
+} from "./store";
+
+// Schemas (both dialects exposed for users who want raw drizzle access)
+export * as sqliteSchema from "./schema.sqlite";
+export * as postgresSchema from "./schema.postgres";
+
+// Validation
+export { blockRatePayloadSchema } from "./validate";
+export type { BlockRatePayload } from "./validate";
+
+// User-agent truncation (used by both self-hosted and hosted)
+export { truncateUserAgent } from "./ua";
+
+// Tenant management
+export { createTenant, listTenants, deleteTenant, rotateTenantKey, generateApiKey } from "./tenant";
+
+// Rate limiter (reusable in other contexts like blockrate.app)
+export { TokenBucketLimiter } from "./rate-limit";

package/src/rate-limit.ts

@@ -0,0 +1,30 @@
+interface Bucket {
+  tokens: number;
+  updatedAt: number;
+}
+
+export class TokenBucketLimiter {
+  private buckets = new Map<string, Bucket>();
+  constructor(
+    private capacity: number,
+    private refillPerSecond: number,
+  ) {}
+
+  take(key: string): boolean {
+    const now = Date.now();
+    const b = this.buckets.get(key) ?? {
+      tokens: this.capacity,
+      updatedAt: now,
+    };
+    const elapsed = (now - b.updatedAt) / 1000;
+    b.tokens = Math.min(this.capacity, b.tokens + elapsed * this.refillPerSecond);
+    b.updatedAt = now;
+    if (b.tokens < 1) {
+      this.buckets.set(key, b);
+      return false;
+    }
+    b.tokens -= 1;
+    this.buckets.set(key, b);
+    return true;
+  }
+}

package/src/schema.postgres.ts

@@ -0,0 +1,38 @@
+import { sql } from "drizzle-orm";
+import { pgTable, serial, text, integer, timestamp, index, pgEnum } from "drizzle-orm/pg-core";
+
+export const statusEnum = pgEnum("block_rate_status", ["loaded", "blocked"]);
+
+export const tenants = pgTable("tenants", {
+  id: serial("id").primaryKey(),
+  name: text("name").notNull(),
+  apiKey: text("api_key").notNull().unique(),
+  createdAt: timestamp("created_at", { withTimezone: true })
+    .notNull()
+    .default(sql`now()`),
+});
+
+export const events = pgTable(
+  "events",
+  {
+    id: serial("id").primaryKey(),
+    tenantId: integer("tenant_id")
+      .notNull()
+      .references(() => tenants.id, { onDelete: "cascade" }),
+    service: text("service").notNull().default("default"),
+    timestamp: timestamp("timestamp", { withTimezone: true }).notNull(),
+    url: text("url").notNull(),
+    userAgent: text("user_agent").notNull(),
+    provider: text("provider").notNull(),
+    status: statusEnum("status").notNull(),
+    latency: integer("latency").notNull(),
+  },
+  (t) => ({
+    byTenantService: index("idx_events_tenant_service").on(t.tenantId, t.service, t.timestamp),
+    byProvider: index("idx_events_provider").on(t.provider),
+  }),
+);
+
+export type Tenant = typeof tenants.$inferSelect;
+export type Event = typeof events.$inferSelect;
+export type NewEvent = typeof events.$inferInsert;

package/src/schema.sqlite.ts

@@ -0,0 +1,36 @@
+import { sql } from "drizzle-orm";
+import { sqliteTable, text, integer, index } from "drizzle-orm/sqlite-core";
+
+export const tenants = sqliteTable("tenants", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  name: text("name").notNull(),
+  apiKey: text("api_key").notNull().unique(),
+  createdAt: integer("created_at", { mode: "timestamp" })
+    .notNull()
+    .default(sql`(unixepoch())`),
+});
+
+export const events = sqliteTable(
+  "events",
+  {
+    id: integer("id").primaryKey({ autoIncrement: true }),
+    tenantId: integer("tenant_id")
+      .notNull()
+      .references(() => tenants.id, { onDelete: "cascade" }),
+    service: text("service").notNull().default("default"),
+    timestamp: integer("timestamp", { mode: "timestamp" }).notNull(),
+    url: text("url").notNull(),
+    userAgent: text("user_agent").notNull(),
+    provider: text("provider").notNull(),
+    status: text("status", { enum: ["loaded", "blocked"] }).notNull(),
+    latency: integer("latency").notNull(),
+  },
+  (t) => ({
+    byTenantService: index("idx_events_tenant_service").on(t.tenantId, t.service, t.timestamp),
+    byProvider: index("idx_events_provider").on(t.provider),
+  }),
+);
+
+export type Tenant = typeof tenants.$inferSelect;
+export type Event = typeof events.$inferSelect;
+export type NewEvent = typeof events.$inferInsert;

package/src/server.ts

@@ -0,0 +1,103 @@
+import { createStore } from "./stores";
+import { authenticate, handleIngest, handleStats, json } from "./handlers";
+import { TokenBucketLimiter } from "./rate-limit";
+import { dashboardHtml } from "./dashboard";
+import { generateApiKey } from "./tenant";
+import type { BlockRateStore, Dialect } from "./store";
+
+export interface ServerOptions {
+  port?: number;
+  /** SQLite file path or Postgres connection string. */
+  dbPath?: string;
+  /** Storage backend. Default "sqlite". */
+  dialect?: Dialect;
+  /** Requests/second per api key. Default 10. */
+  rateLimit?: number;
+  /** Burst capacity per api key. Default 60. */
+  rateLimitBurst?: number;
+  /** CORS allowed origin. Default "*". */
+  corsOrigin?: string;
+  /** Inject a pre-built store (e.g. for tests). */
+  store?: BlockRateStore;
+}
+
+const CORS_HEADERS = (origin: string) => ({
+  "Access-Control-Allow-Origin": origin,
+  "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
+  "Access-Control-Allow-Headers": "content-type, x-blockrate-key, authorization",
+  "Access-Control-Max-Age": "86400",
+});
+
+export async function createServer(options: ServerOptions = {}) {
+  const store =
+    options.store ??
+    (await createStore({
+      dialect: options.dialect,
+      url: options.dbPath,
+    }));
+  const corsOrigin = options.corsOrigin ?? "*";
+  const limiter = new TokenBucketLimiter(options.rateLimitBurst ?? 60, options.rateLimit ?? 10);
+
+  await ensureBootstrapTenant(store);
+
+  return {
+    store,
+    async fetch(request: Request): Promise<Response> {
+      const url = new URL(request.url);
+      const cors = CORS_HEADERS(corsOrigin);
+
+      if (request.method === "OPTIONS") {
+        return new Response(null, { status: 204, headers: cors });
+      }
+
+      const withCors = (res: Response) => {
+        for (const [k, v] of Object.entries(cors)) res.headers.set(k, v);
+        return res;
+      };
+
+      if (url.pathname === "/health") {
+        return withCors(json({ ok: true }));
+      }
+      if (url.pathname === "/" || url.pathname === "/dashboard") {
+        return new Response(dashboardHtml, {
+          headers: { "Content-Type": "text/html; charset=utf-8" },
+        });
+      }
+
+      const needsAuth = url.pathname === "/ingest" || url.pathname === "/stats";
+      if (!needsAuth) {
+        return withCors(json({ error: "not found" }, 404));
+      }
+
+      const tenant = await authenticate(store, request);
+      if (!tenant) {
+        return withCors(json({ error: "unauthorized" }, 401));
+      }
+
+      if (!limiter.take(`tenant:${tenant.id}`)) {
+        return withCors(json({ error: "rate limited" }, 429));
+      }
+
+      if (url.pathname === "/ingest" && request.method === "POST") {
+        return withCors(await handleIngest(store, request, tenant));
+      }
+      if (url.pathname === "/stats" && request.method === "GET") {
+        return withCors(await handleStats(store, request, tenant));
+      }
+
+      return withCors(json({ error: "method not allowed" }, 405));
+    },
+  };
+}
+
+async function ensureBootstrapTenant(store: BlockRateStore): Promise<void> {
+  const existing = await store.listTenants();
+  if (existing.length > 0) return;
+  const apiKey = process.env.BLOCK_RATE_BOOTSTRAP_KEY || generateApiKey();
+  await store.createTenant({
+    name: process.env.BLOCK_RATE_BOOTSTRAP_NAME || "default",
+    apiKey,
+  });
+  console.log(`[blockrate-server] Bootstrapped default tenant. API key: ${apiKey}`);
+  console.log("[blockrate-server] Store this securely — it will not be shown again.");
+}

package/src/store.ts

@@ -0,0 +1,63 @@
+/**
+ * Framework-agnostic data layer for blockrate-server. Both SQLite (self-hosted
+ * default) and Postgres (for users with an existing Postgres) implement this
+ * interface. Handlers talk to `BlockRateStore` — never to Drizzle directly.
+ */
+
+export interface StoredTenant {
+  id: number;
+  name: string;
+  apiKey: string;
+  createdAt: Date;
+}
+
+export interface NewStoredEvent {
+  tenantId: number;
+  service: string;
+  timestamp: Date;
+  url: string;
+  /** Truncated to browser family + major version — never the raw UA. */
+  userAgent: string;
+  provider: string;
+  status: "loaded" | "blocked";
+  latency: number;
+}
+
+export interface StatsRow {
+  provider: string;
+  total: number;
+  blocked: number;
+  blockRate: number;
+  avgLatency: number;
+}
+
+export interface StatsQuery {
+  tenantId: number;
+  service?: string;
+  since: Date;
+}
+
+export interface BlockRateStore {
+  // tenant management
+  findTenantByApiKey(apiKey: string): Promise<StoredTenant | null>;
+  findTenantByName(name: string): Promise<StoredTenant | null>;
+  createTenant(input: { name: string; apiKey: string }): Promise<StoredTenant>;
+  listTenants(): Promise<StoredTenant[]>;
+  deleteTenant(name: string): Promise<boolean>;
+  updateTenantApiKey(name: string, apiKey: string): Promise<boolean>;
+
+  // events
+  insertEvents(rows: NewStoredEvent[]): Promise<void>;
+  getStats(query: StatsQuery): Promise<StatsRow[]>;
+
+  /** Close the underlying connection. */
+  close(): void;
+}
+
+export type Dialect = "sqlite" | "postgres";
+
+export interface CreateStoreOptions {
+  dialect?: Dialect;
+  /** SQLite path or Postgres connection string. */
+  url?: string;
+}

package/src/stores/index.ts

@@ -0,0 +1,27 @@
+import type { BlockRateStore, CreateStoreOptions } from "../store";
+import { SqliteStore } from "./sqlite";
+import { PostgresStore } from "./postgres";
+
+/**
+ * Build a store from a dialect + URL. SQLite is the default for self-hosters;
+ * Postgres is available for users with existing PG infrastructure.
+ *
+ *   createStore({ dialect: "sqlite", url: "./blockrate.db" })
+ *   createStore({ dialect: "postgres", url: "postgres://..." })
+ */
+export async function createStore(options: CreateStoreOptions = {}): Promise<BlockRateStore> {
+  const dialect = options.dialect ?? "sqlite";
+  if (dialect === "sqlite") {
+    return new SqliteStore(options.url ?? "./blockrate.db");
+  }
+  if (dialect === "postgres") {
+    if (!options.url) {
+      throw new Error("postgres dialect requires a connection URL");
+    }
+    return PostgresStore.fromUrl(options.url);
+  }
+  throw new Error(`unknown dialect: ${dialect}`);
+}
+
+export { SqliteStore } from "./sqlite";
+export { PostgresStore } from "./postgres";

package/src/stores/postgres.ts

@@ -0,0 +1,162 @@
+import { and, eq, gte, sql } from "drizzle-orm";
+import { drizzle as drizzlePostgres } from "drizzle-orm/postgres-js";
+import { drizzle as drizzlePglite } from "drizzle-orm/pglite";
+import postgres from "postgres";
+import { PGlite } from "@electric-sql/pglite";
+import { readdirSync, readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { tenants, events } from "../schema.postgres";
+import type { BlockRateStore, NewStoredEvent, StatsQuery, StatsRow, StoredTenant } from "../store";
+
+/**
+ * Supports both production postgres-js connections and in-process PGlite
+ * (used by tests). Both speak the same SQL — we just inject the drizzle
+ * db and a raw-exec function for migrations.
+ */
+export class PostgresStore implements BlockRateStore {
+  constructor(
+    private db: any,
+    private execRaw: (sql: string) => Promise<void>,
+    private closeFn: () => void | Promise<void>,
+  ) {}
+
+  static async fromUrl(url: string): Promise<PostgresStore> {
+    const client = postgres(url);
+    const db = drizzlePostgres(client, { schema: { tenants, events } });
+    const exec = async (s: string) => {
+      await client.unsafe(s);
+    };
+    const close = async () => {
+      await client.end({ timeout: 2 });
+    };
+    const store = new PostgresStore(db, exec, close);
+    await store.runMigrations();
+    return store;
+  }
+
+  static async fromPglite(dataDir?: string): Promise<PostgresStore> {
+    const client = dataDir ? new PGlite(dataDir) : new PGlite();
+    await client.waitReady;
+    const db = drizzlePglite(client, { schema: { tenants, events } });
+    const exec = async (s: string) => {
+      await client.exec(s);
+    };
+    const close = () => {
+      void client.close();
+    };
+    const store = new PostgresStore(db, exec, close);
+    await store.runMigrations();
+    return store;
+  }
+
+  private async runMigrations() {
+    const here = dirname(fileURLToPath(import.meta.url));
+    const migrationsDir = join(here, "..", "..", "drizzle-postgres");
+    let files: string[];
+    try {
+      files = readdirSync(migrationsDir)
+        .filter((f) => f.endsWith(".sql"))
+        .sort();
+    } catch {
+      return;
+    }
+
+    await this.execRaw(
+      `CREATE TABLE IF NOT EXISTS __migrations (
+         name TEXT PRIMARY KEY,
+         applied_at TIMESTAMPTZ NOT NULL DEFAULT now()
+       );`,
+    );
+    const appliedRows = await this.db.execute(sql`SELECT name FROM __migrations`);
+    const applied = new Set(
+      (appliedRows as any).rows
+        ? (appliedRows as any).rows.map((r: any) => r.name as string)
+        : (appliedRows as any).map((r: any) => r.name as string),
+    );
+
+    for (const file of files) {
+      if (applied.has(file)) continue;
+      const migrationSql = readFileSync(join(migrationsDir, file), "utf8");
+      for (const stmt of migrationSql.split("--> statement-breakpoint")) {
+        const trimmed = stmt.trim();
+        if (trimmed) await this.execRaw(trimmed);
+      }
+      await this.db.execute(sql`INSERT INTO __migrations (name) VALUES (${file})`);
+    }
+  }
+
+  async findTenantByApiKey(apiKey: string): Promise<StoredTenant | null> {
+    const rows = await this.db.select().from(tenants).where(eq(tenants.apiKey, apiKey)).limit(1);
+    return rows[0] ?? null;
+  }
+
+  async findTenantByName(name: string): Promise<StoredTenant | null> {
+    const rows = await this.db.select().from(tenants).where(eq(tenants.name, name)).limit(1);
+    return rows[0] ?? null;
+  }
+
+  async createTenant(input: { name: string; apiKey: string }): Promise<StoredTenant> {
+    const rows = await this.db.insert(tenants).values(input).returning();
+    return rows[0];
+  }
+
+  async listTenants(): Promise<StoredTenant[]> {
+    return await this.db.select().from(tenants);
+  }
+
+  async deleteTenant(name: string): Promise<boolean> {
+    const row = await this.findTenantByName(name);
+    if (!row) return false;
+    await this.db.delete(events).where(eq(events.tenantId, row.id));
+    await this.db.delete(tenants).where(eq(tenants.id, row.id));
+    return true;
+  }
+
+  async updateTenantApiKey(name: string, apiKey: string): Promise<boolean> {
+    const row = await this.findTenantByName(name);
+    if (!row) return false;
+    await this.db.update(tenants).set({ apiKey }).where(eq(tenants.id, row.id));
+    return true;
+  }
+
+  async insertEvents(rows: NewStoredEvent[]): Promise<void> {
+    if (rows.length === 0) return;
+    await this.db.insert(events).values(rows);
+  }
+
+  async getStats(query: StatsQuery): Promise<StatsRow[]> {
+    const where = query.service
+      ? and(
+          eq(events.tenantId, query.tenantId),
+          eq(events.service, query.service),
+          gte(events.timestamp, query.since),
+        )
+      : and(eq(events.tenantId, query.tenantId), gte(events.timestamp, query.since));
+
+    const rows = await this.db
+      .select({
+        provider: events.provider,
+        total: sql<number>`COUNT(*)`.as("total"),
+        blocked: sql<number>`SUM(CASE WHEN ${events.status} = 'blocked' THEN 1 ELSE 0 END)`.as(
+          "blocked",
+        ),
+        avgLatency: sql<number>`AVG(${events.latency})`.as("avg_latency"),
+      })
+      .from(events)
+      .where(where)
+      .groupBy(events.provider);
+
+    return rows.map((r: any) => ({
+      provider: r.provider,
+      total: Number(r.total),
+      blocked: Number(r.blocked),
+      blockRate: Number(r.total) > 0 ? Number(r.blocked) / Number(r.total) : 0,
+      avgLatency: Math.round(Number(r.avgLatency) || 0),
+    }));
+  }
+
+  close(): void {
+    void this.closeFn();
+  }
+}