cpeak 2.5.0 → 2.7.0

package/lib/internal/compression.ts

@@ -0,0 +1,180 @@
+import zlib from "node:zlib";
+import { Readable } from "node:stream";
+import { Buffer } from "node:buffer";
+import { pipeline } from "node:stream/promises";
+import type { Transform } from "node:stream";
+import type { ServerResponse } from "node:http";
+import type { CompressionOptions, ResolvedCompressionConfig } from "./types";
+
+type Encoding = "br" | "gzip" | "deflate";
+
+const COMPRESSIBLE_TYPE = /text|json|javascript|css|xml|svg/i;
+const NO_TRANSFORM = /(?:^|,)\s*no-transform\s*(?:,|$)/i;
+
+// Parse Accept-Encoding and pick a compression algorithm the server supports.
+// Handles q=0 to disable an algorithm. Cpeak preference is fixed: br > gzip > deflate.
+function pickEncoding(header: string): Encoding | null {
+  if (!header) return null;
+
+  const accepted: Record<string, number> = {};
+  let wildcard: number | undefined;
+
+  for (const part of header.split(",")) {
+    const [rawName, ...params] = part.trim().split(";");
+    const name = rawName.trim().toLowerCase();
+    if (!name) continue;
+
+    let q = 1;
+    for (const p of params) {
+      const m = p.trim().match(/^q=([\d.]+)$/i);
+      if (m) q = Number(m[1]);
+    }
+    if (Number.isNaN(q)) q = 0;
+
+    if (name === "*") wildcard = q;
+    else accepted[name] = q;
+  }
+
+  const tryPick = (enc: Encoding): boolean => {
+    const q = enc in accepted ? accepted[enc] : wildcard;
+    return q !== undefined && q > 0;
+  };
+
+  if (tryPick("br")) return "br";
+  if (tryPick("gzip")) return "gzip";
+  if (tryPick("deflate")) return "deflate";
+  return null;
+}
+
+// Handling the Vary HTTP header
+function appendVary(res: ServerResponse, value: string) {
+  const existing = res.getHeader("Vary");
+  if (!existing) return res.setHeader("Vary", value);
+  const current = String(existing)
+    .split(",")
+    .map((s) => s.trim())
+    .filter(Boolean);
+  if (
+    current.includes("*") ||
+    current.some((v) => v.toLowerCase() === value.toLowerCase())
+  )
+    return;
+  res.setHeader("Vary", [...current, value].join(", "));
+}
+
+// Brotli options. Zlib uses 11 (max), which is really slow for live
+// responses. We go with 4 unless the developer specifies otherwise.
+function brotliOptsFor(config: ResolvedCompressionConfig): zlib.BrotliOptions {
+  const userBrotli = config.brotli || {};
+  return {
+    ...userBrotli,
+    params: {
+      [zlib.constants.BROTLI_PARAM_QUALITY]: 4,
+      ...(userBrotli.params || {})
+    }
+  };
+}
+
+function createCompressorStream(
+  encoding: Encoding,
+  config: ResolvedCompressionConfig
+): Transform {
+  if (encoding === "br")
+    return zlib.createBrotliCompress(brotliOptsFor(config));
+  if (encoding === "gzip") return zlib.createGzip(config.gzip);
+  return zlib.createDeflate(config.deflate);
+}
+
+// Decides what to do with this response
+function negotiate(
+  res: ServerResponse,
+  mime: string,
+  size: number,
+  config: ResolvedCompressionConfig
+): { encoding: Encoding | null; eligible: boolean } {
+  // Whether this content type is worth trying to compress at all.
+  // Some types are already compressed and don't compress well.
+  if (!COMPRESSIBLE_TYPE.test(mime)) return { encoding: null, eligible: false };
+
+  if (res.req?.method === "HEAD") return { encoding: null, eligible: false };
+
+  // RFC specification: don't transform responses that ask not to be transformed.
+  const cc = res.getHeader("Cache-Control");
+  if (cc && NO_TRANSFORM.test(String(cc)))
+    return { encoding: null, eligible: false };
+
+  const existing = res.getHeader("Content-Encoding");
+  if (existing && existing !== "identity")
+    return { encoding: null, eligible: false };
+
+  if (size < config.threshold) return { encoding: null, eligible: true };
+
+  const encoding = pickEncoding(
+    String(res.req?.headers["accept-encoding"] || "")
+  );
+  return { encoding, eligible: true };
+}
+
+// Converts into a Readable stream
+function bodyAsReadable(body: Buffer | string | Readable): Readable {
+  if (Buffer.isBuffer(body)) return Readable.from([body]);
+  if (typeof body === "string") return Readable.from([Buffer.from(body)]);
+  return body;
+}
+
+// Resolves compression options (or 'true' for defaults) into a
+// complete config. Called once at Cpeak construction.
+export function resolveCompressionOptions(
+  input: true | CompressionOptions
+): ResolvedCompressionConfig {
+  const options: CompressionOptions = input === true ? {} : input;
+  return {
+    threshold: options.threshold ?? 1024,
+    brotli: options.brotli ?? {},
+    gzip: options.gzip ?? {},
+    deflate: options.deflate ?? {}
+  };
+}
+
+// The final point used by res.compress, res.json, res.sendFile and res.render
+// when compression is enabled by the developer.
+//
+// Compression always goes through createGzip/createBrotliCompress/createDeflate
+// streams which are async and run on libuv's thread pool.
+export async function compressAndSend(
+  res: ServerResponse,
+  mime: string,
+  body: Buffer | string | Readable,
+  config: ResolvedCompressionConfig,
+  size?: number
+): Promise<void> {
+  res.setHeader("Content-Type", mime);
+
+  const knownSize: number = Buffer.isBuffer(body)
+    ? body.length
+    : typeof body === "string"
+      ? Buffer.byteLength(body)
+      : (size ?? Infinity);
+
+  const { encoding, eligible } = negotiate(res, mime, knownSize, config);
+
+  if (!encoding) {
+    if (eligible) appendVary(res, "Accept-Encoding");
+    if (Buffer.isBuffer(body) || typeof body === "string") {
+      res.setHeader("Content-Length", String(knownSize));
+      res.end(body);
+      return;
+    }
+    if (size !== undefined) res.setHeader("Content-Length", String(size));
+    await pipeline(body, res);
+    return;
+  }
+
+  res.setHeader("Content-Encoding", encoding);
+  appendVary(res, "Accept-Encoding");
+  await pipeline(
+    bodyAsReadable(body),
+    createCompressorStream(encoding, config),
+    res
+  );
+}

package/lib/internal/types.ts

@@ -0,0 +1,10 @@
+export interface CompressionOptions {
+  // Responses with a Content-Length below this many bytes are sent uncompressed.
+  // Below ~1KB, TCP/TLS framing overhead can outweigh the savings.
+  threshold?: number;
+  brotli?: import("node:zlib").BrotliOptions;
+  gzip?: import("node:zlib").ZlibOptions;
+  deflate?: import("node:zlib").ZlibOptions;
+}
+
+export type ResolvedCompressionConfig = Required<CompressionOptions>;

package/lib/types.ts

@@ -1,7 +1,14 @@
 import { IncomingMessage, ServerResponse } from "node:http";
-import cpeak from "./index";
+import type { Readable } from "node:stream";
+import type { Buffer } from "node:buffer";
+import type { CompressionOptions } from "./internal/types";
 
-export type Cpeak = ReturnType<typeof cpeak>;
+export type { Cpeak } from "./index";
+
+// For constructor options passed to `cpeak()`
+export interface CpeakOptions {
+  compression?: boolean | CompressionOptions;
+}
 
 // Extending Node.js's Request and Response objects to add our custom properties
 export type StringMap = Record<string, string>;
@@ -12,16 +19,24 @@ export interface CpeakRequest<
 > extends IncomingMessage {
   params: StringMap;
   query: ReqQueries;
-  // vars?: StringMap;
   body?: ReqBody;
+  cookies?: StringMap;
+  signedCookies?: Record<string, string | false>;
   [key: string]: any; // allow developers to add their onw extensions (e.g. req.test)
 }
 
 export interface CpeakResponse extends ServerResponse {
   sendFile: (path: string, mime: string) => Promise<void>;
   status: (code: number) => CpeakResponse;
-  redirect: (location: string) => CpeakResponse;
-  json: (data: any) => void;
+  attachment: (filename?: string) => CpeakResponse;
+  cookie: (name: string, value: string, options?: any) => CpeakResponse;
+  redirect: (location: string) => void;
+  json: (data: any) => void | Promise<void>; // sync when compression is off, async when enabled
+  compress: (
+    mime: string,
+    body: Buffer | string | Readable,
+    size?: number
+  ) => Promise<void>;
   [key: string]: any; // allow developers to add their onw extensions (e.g. res.test)
 }
 

package/lib/utils/auth.ts

@@ -0,0 +1,148 @@
+import { randomBytes, pbkdf2, createHmac, timingSafeEqual } from "node:crypto";
+import { promisify } from "node:util";
+import type { Middleware } from "../types";
+import { frameworkError, ErrorCode } from "../index";
+import type { AuthOptions, PbkdfOptions } from "./types";
+
+const pbkdf2Async = promisify(pbkdf2);
+
+const DEFAULTS = {
+  iterations: 210_000,
+  keylen: 64,
+  digest: "sha512",
+  saltSize: 32,
+  hmacAlgorithm: "sha256",
+  tokenIdSize: 20,
+  tokenExpiry: 7 * 24 * 60 * 60 * 1000 // 7 days in ms
+} as const;
+
+export async function hashPassword(
+  password: string,
+  options?: PbkdfOptions
+): Promise<string> {
+  const iterations = options?.iterations ?? DEFAULTS.iterations;
+  const keylen = options?.keylen ?? DEFAULTS.keylen;
+  const digest = options?.digest ?? DEFAULTS.digest;
+  const saltSize = options?.saltSize ?? DEFAULTS.saltSize;
+  const salt = randomBytes(saltSize);
+  const hash = await pbkdf2Async(password, salt, iterations, keylen, digest);
+  return `pbkdf2:${iterations}:${keylen}:${digest}:${salt.toString("hex")}:${hash.toString("hex")}`;
+}
+
+export async function verifyPassword(
+  password: string,
+  stored: string
+): Promise<boolean> {
+  // When argon2 is added, dispatch on the prefix here.
+  const withoutPrefix = stored.slice(stored.indexOf(":") + 1);
+  const parts = withoutPrefix.split(":");
+  if (parts.length !== 5) return false;
+  const [itersStr, keylenStr, digest, saltHex, hashHex] = parts;
+  const iterations = parseInt(itersStr, 10);
+  const keylen = parseInt(keylenStr, 10);
+  if (!digest || !saltHex || !hashHex || isNaN(iterations) || isNaN(keylen))
+    return false;
+  const salt = Buffer.from(saltHex, "hex");
+  const hash = await pbkdf2Async(password, salt, iterations, keylen, digest);
+  const storedHash = Buffer.from(hashHex, "hex");
+  if (storedHash.length !== hash.length) return false;
+  return timingSafeEqual(hash, storedHash);
+}
+
+function signToken(tokenId: string, secret: string, algorithm: string): string {
+  const sig = createHmac(algorithm, secret).update(tokenId).digest("hex");
+  return `${tokenId}.${sig}`;
+}
+
+function extractTokenId(
+  token: string,
+  secret: string,
+  algorithm: string
+): string | null {
+  const dot = token.indexOf(".");
+  if (dot === -1) return null;
+  const tokenId = token.slice(0, dot);
+  const sig = token.slice(dot + 1);
+  const expected = createHmac(algorithm, secret).update(tokenId).digest("hex");
+  const expectedBuf = Buffer.from(expected, "hex");
+  const actualBuf = Buffer.from(sig, "hex");
+  if (expectedBuf.length !== actualBuf.length) return null;
+  if (!timingSafeEqual(expectedBuf, actualBuf)) return null;
+  return tokenId;
+}
+
+export function auth(options: AuthOptions): Middleware {
+  if (!options.secret || options.secret.length < 32) {
+    throw frameworkError(
+      "Secret must be at least 32 characters. HMAC security is only as strong as the key.",
+      auth,
+      ErrorCode.WEAK_SECRET
+    );
+  }
+
+  const {
+    secret,
+    saveToken,
+    findToken,
+    revokeToken,
+    tokenExpiry = DEFAULTS.tokenExpiry,
+    hmacAlgorithm = DEFAULTS.hmacAlgorithm,
+    tokenIdSize = DEFAULTS.tokenIdSize
+  } = options;
+
+  const pbkdfOpts: PbkdfOptions = {
+    iterations: options.iterations,
+    keylen: options.keylen,
+    digest: options.digest,
+    saltSize: options.saltSize
+  };
+
+  const _hashPassword = ({ password }: { password: string }) =>
+    hashPassword(password, pbkdfOpts);
+
+  const login = async ({
+    password,
+    hashedPassword,
+    userId
+  }: {
+    password: string;
+    hashedPassword: string;
+    userId: string;
+  }): Promise<string | null> => {
+    const isMatch = await verifyPassword(password, hashedPassword);
+    if (!isMatch) return null;
+    const tokenId = randomBytes(tokenIdSize).toString("hex");
+    const token = signToken(tokenId, secret, hmacAlgorithm);
+    await saveToken(tokenId, userId, new Date(Date.now() + tokenExpiry));
+    return token;
+  };
+
+  const verifyToken = async (
+    token: string
+  ): Promise<{ userId: string } | null> => {
+    if (!token) return null;
+    const tokenId = extractTokenId(token, secret, hmacAlgorithm);
+    if (!tokenId) return null;
+    const record = await findToken(tokenId);
+    if (!record) return null;
+    if (new Date(record.expiresAt) < new Date()) return null;
+    return { userId: record.userId };
+  };
+
+  const logout = revokeToken
+    ? async (token: string): Promise<boolean> => {
+        const tokenId = extractTokenId(token, secret, hmacAlgorithm);
+        if (!tokenId) return false;
+        await revokeToken(tokenId);
+        return true;
+      }
+    : undefined;
+
+  return (req, _res, next) => {
+    req.hashPassword = _hashPassword;
+    req.login = login;
+    req.verifyToken = verifyToken;
+    if (logout) req.logout = logout;
+    next();
+  };
+}

package/lib/utils/cookieParser.ts

@@ -0,0 +1,179 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+import type { CpeakRequest, CpeakResponse, Next } from "../types";
+import { frameworkError, ErrorCode } from "../index";
+import type { CookieOptions } from "./types";
+
+// This will sign the cookie value with HMAC with the secret.
+// Ideal for data like user IDs or session IDs, where you want to ensure the integrity of the cookie value without encryption.
+// So this way, imagine you save a user ID in the cookie. By signing it, you can detect if the client has tampered with the cookie value
+// (e.g., changing the user ID to impersonate another user).
+// However, since it's not encrypted, the actual user ID is still visible  to the client.
+// This is a common approach for session cookies where you want to prevent tampering but don't mind if the value is visible.
+function sign(value: string, secret: string): string {
+  const sig = createHmac("sha256", secret).update(value).digest("base64url");
+  return `s:${value}.${sig}`;
+}
+
+function unsign(signed: string, secret: string): string | false {
+  if (!signed.startsWith("s:")) return false;
+  const withoutPrefix = signed.slice(2);
+  const lastDot = withoutPrefix.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const value = withoutPrefix.slice(0, lastDot);
+  const sig = withoutPrefix.slice(lastDot + 1);
+  const expected = createHmac("sha256", secret)
+    .update(value)
+    .digest("base64url");
+  const expectedBuf = Buffer.from(expected);
+  const actualBuf = Buffer.from(sig);
+  if (expectedBuf.length !== actualBuf.length) return false;
+  if (!timingSafeEqual(expectedBuf, actualBuf)) return false;
+  return value;
+}
+
+// Parses the raw value of an HTTP `Cookie` request header into a name->value
+// This should be compatible with the RFC 6265 HTTP specification
+function parseRawCookies(header: string): Record<string, string> {
+  // Use a null-prototype object to prevent prototype pollution attacks when assigning cookie names like "__proto__" or "constructor".
+  const cookies: Record<string, string> = Object.create(null);
+  if (!header) return cookies;
+
+  const pairs = header.split(";");
+
+  for (let i = 0; i < pairs.length; i++) {
+    const pair = pairs[i];
+    const equalSignIndex = pair.indexOf("=");
+
+    // RFC 6265: cookie-pair requires '='. Pairs without one (e.g. a
+    // bare flag like `Cookie: foo`) are not valid cookie-pairs and we skip them.
+    // Note we use the FIRST '=' only. So values like base64 padding (`token=YWJjPT0=`) must keep trailing '='s.
+    if (equalSignIndex === -1) continue;
+
+    const key = pair.slice(0, equalSignIndex).trim();
+    // Drop empty names and honour the FIRST occurrence on duplicates (Specs say servers SHOULD NOT rely on order.
+    // We pick first-wins for stability).
+    if (!key || cookies[key] !== undefined) continue;
+
+    let val = pair.slice(equalSignIndex + 1).trim();
+
+    // Cookie values are sometimes sent wrapped in double quotes (like name="hello world"), so we strip the outer "
+    // characters to get the actual value hello world.
+    // The val.length > 1 guard handles the edge case where the value is literally just a single " — without it, that one
+    // character would match both the "starts with quote" and "ends with quote" checks, and slice(1, -1) would wipe it out
+    // to an empty string.
+    if (val.length > 1 && val[0] === '"' && val[val.length - 1] === '"') {
+      val = val.slice(1, -1);
+    }
+
+    // Percent-decoding cookie values is a server-side convention (not part of
+    // RFC 6265 itself), but it's what Express and most ecosystem libraries do,
+    // so we follow suit for compatibility. Skip the decode entirely when there's no
+    // '%' to save work on the common case, and fall back to the raw value if
+    // decodeURIComponent throws on malformed input rather than crashing the
+    // whole request.
+    try {
+      cookies[key] = val.indexOf("%") !== -1 ? decodeURIComponent(val) : val;
+    } catch (e) {
+      cookies[key] = val;
+    }
+  }
+  return cookies;
+}
+
+// One example output: "session=abc123; Path=/dashboard; Domain=example.com; Max-Age=86400; Expires=Thu, 31 Dec 2026 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict"
+function buildSetCookieHeader(
+  name: string,
+  value: string,
+  options: CookieOptions
+): string {
+  const parts: string[] = [`${name}=${encodeURIComponent(value)}`];
+  const path = options.path ?? "/";
+  parts.push(`Path=${path}`);
+  if (options.domain) parts.push(`Domain=${options.domain}`);
+  if (options.maxAge !== undefined)
+    parts.push(`Max-Age=${Math.floor(options.maxAge / 1000)}`);
+  if (options.expires) parts.push(`Expires=${options.expires.toUTCString()}`);
+  if (options.httpOnly) parts.push("HttpOnly");
+  if (options.secure) parts.push("Secure");
+  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
+  return parts.join("; ");
+}
+
+// Without this helper, calling res.cookie("a", "1") then res.cookie("b", "2") would overwrite the first cookie instead
+// of sending both.
+function appendSetCookie(res: CpeakResponse, header: string) {
+  const existing = res.getHeader("Set-Cookie");
+  if (!existing) {
+    res.setHeader("Set-Cookie", [header]);
+  } else if (Array.isArray(existing)) {
+    res.setHeader("Set-Cookie", [...existing, header]);
+  } else {
+    res.setHeader("Set-Cookie", [String(existing), header]);
+  }
+}
+
+export function cookieParser(options: { secret?: string } = {}) {
+  const { secret } = options;
+
+  if (secret !== undefined && secret.length < 32) {
+    throw frameworkError(
+      "Secret must be at least 32 characters. HMAC security is only as strong as the key.",
+      cookieParser,
+      ErrorCode.WEAK_SECRET
+    );
+  }
+
+  return (req: CpeakRequest, res: CpeakResponse, next: Next) => {
+    const rawHeader = req.headers["cookie"] || "";
+    const raw = parseRawCookies(rawHeader);
+
+    // Mirror parseRawCookies and use null-prototype maps here too. If we used
+    // a regular `{}`, the assignment below would invoke Object.prototype's
+    // __proto__ setter (no-op for string values), silently dropping any
+    // cookie literally named __proto__ — undoing the fix in parseRawCookies.
+    const cookies: Record<string, string> = Object.create(null);
+    const signedCookies: Record<string, string | false> = Object.create(null);
+
+    for (const [key, val] of Object.entries(raw)) {
+      // The "s:" prefix is the marker we add in `sign()` for HMAC-signed
+      // cookies. Route those through unsign so the handler sees the original
+      // value (or `false` if the signature didn't verify).
+      if (val.startsWith("s:") && secret) {
+        signedCookies[key] = unsign(val, secret);
+      } else {
+        cookies[key] = val;
+      }
+    }
+
+    // The separation is intentional signal: "these were signed and verified, trust them more."
+    req.cookies = cookies;
+    req.signedCookies = signedCookies;
+
+    res.cookie = (name: string, value: string, options: CookieOptions = {}) => {
+      let finalValue = value;
+      if (options.signed) {
+        if (!secret)
+          throw new Error(
+            "cookieParser: secret is required to use signed cookies"
+          );
+        finalValue = sign(value, secret);
+      }
+      appendSetCookie(res, buildSetCookieHeader(name, finalValue, options));
+      return res;
+    };
+
+    res.clearCookie = (name: string, options: CookieOptions = {}) => {
+      appendSetCookie(
+        res,
+        buildSetCookieHeader(name, "", {
+          ...options,
+          maxAge: 0,
+          expires: new Date(0)
+        })
+      );
+      return res;
+    };
+
+    next();
+  };
+}

package/lib/utils/cors.ts

@@ -0,0 +1,109 @@
+import type { CpeakRequest, CpeakResponse, Next } from "../types";
+import type { CorsOptions, OriginInput } from "./types";
+
+// Append a value to an existing header without overwriting prior entries
+// (e.g. compression already sets `Vary: Accept-Encoding`).
+function appendVary(res: CpeakResponse, value: string) {
+  const existing = res.getHeader("Vary");
+  if (!existing) return res.setHeader("Vary", value);
+  const current = String(existing)
+    .split(",")
+    .map((s) => s.trim())
+    .filter(Boolean);
+  if (current.includes("*") || current.includes(value)) return;
+  res.setHeader("Vary", [...current, value].join(", "));
+}
+
+// Determine if the given origin is allowed based on the rule.
+// Examples of what developers can specify for the rule:
+// - `true` or `*`: allow all origins
+// - `false`: disallow all origins
+// - `"https://example.com"`: allow only this origin
+// - `["https://example.com", "https://foo.com"]`: allow these origins
+// - `/\.example\.com$/`: allow origins that match this regex
+// - `(origin) => origin === "https://example.com"`: custom function to determine if the origin is allowed
+async function isAllowed(
+  origin: string | undefined,
+  rule: OriginInput
+): Promise<boolean> {
+  if (rule === true || rule === "*") return true;
+  if (rule === false || !origin) return false;
+  if (typeof rule === "string") return rule === origin;
+  if (Array.isArray(rule)) return rule.includes(origin);
+  if (rule instanceof RegExp) return rule.test(origin);
+  if (typeof rule === "function") return await rule(origin);
+  return false;
+}
+
+const cors = (options: CorsOptions = {}) => {
+  const {
+    origin = "*",
+    methods = "GET,HEAD,PUT,PATCH,POST,DELETE",
+    allowedHeaders,
+    exposedHeaders,
+    credentials = false,
+    maxAge = 86400,
+    preflightContinue = false,
+    optionsSuccessStatus = 204
+  } = options;
+
+  const methodsStr = Array.isArray(methods) ? methods.join(",") : methods;
+  const allowedHeadersStr = Array.isArray(allowedHeaders)
+    ? allowedHeaders.join(",")
+    : allowedHeaders;
+  const exposedHeadersStr = Array.isArray(exposedHeaders)
+    ? exposedHeaders.join(",")
+    : exposedHeaders;
+
+  return async (req: CpeakRequest, res: CpeakResponse, next: Next) => {
+    const requestOrigin = req.headers.origin;
+
+    // Not a CORS request, nothing to do.
+    if (!requestOrigin) return next();
+
+    const allowed = await isAllowed(requestOrigin, origin);
+    if (!allowed) return next();
+
+    // We cannot combine Access-Control-Allow-Origin: * with
+    // Access-Control-Allow-Credentials: true. Browsers will flat-out reject it.
+    // Instead we'll reflect the origin.
+    const allowOriginValue =
+      origin === "*" && !credentials ? "*" : requestOrigin;
+    res.setHeader("Access-Control-Allow-Origin", allowOriginValue);
+    if (allowOriginValue !== "*") appendVary(res, "Origin");
+
+    if (credentials) res.setHeader("Access-Control-Allow-Credentials", "true");
+    if (exposedHeadersStr)
+      res.setHeader("Access-Control-Expose-Headers", exposedHeadersStr);
+
+    const isPreflight =
+      req.method === "OPTIONS" &&
+      req.headers["access-control-request-method"] !== undefined;
+
+    if (!isPreflight) return next();
+
+    res.setHeader("Access-Control-Allow-Methods", methodsStr);
+
+    if (allowedHeadersStr) {
+      res.setHeader("Access-Control-Allow-Headers", allowedHeadersStr);
+    } else if (origin === "*") {
+      // If origin is *, just act like an echo chamber for requested headers. Give back whatever the browser asks for.
+      const requested = req.headers["access-control-request-headers"];
+      if (requested) res.setHeader("Access-Control-Allow-Headers", requested);
+    } else {
+      res.setHeader(
+        "Access-Control-Allow-Headers",
+        "Content-Type, Authorization"
+      );
+    }
+
+    res.setHeader("Access-Control-Max-Age", String(maxAge));
+
+    if (preflightContinue) return next();
+
+    res.statusCode = optionsSuccessStatus;
+    res.end();
+  };
+};
+
+export { cors };

package/lib/utils/index.ts

@@ -1,5 +1,19 @@
 import { parseJSON } from "./parseJSON";
 import { serveStatic } from "./serveStatic";
 import { render } from "./render";
+import { swagger } from "./swagger";
+import { auth, hashPassword, verifyPassword } from "./auth";
+import { cookieParser } from "./cookieParser";
+import { cors } from "./cors";
 
-export { serveStatic, parseJSON, render };
+export {
+  serveStatic,
+  parseJSON,
+  render,
+  swagger,
+  auth,
+  hashPassword,
+  verifyPassword,
+  cookieParser,
+  cors
+};