create-apollo-monorepo 0.6.2 → 0.8.0

package/index.mjs

@@ -26,6 +26,7 @@ const BACKEND_REPO_URL = "https://github.com/5Lab-Group-Co-Ltd/apollo-cms.git";
 const BACKEND_BRANCH = "main";
 const BACKEND_PATH = "apps/backend";
 const FRONTEND_PATH = "apps/frontend";
+const PROXY_PATH = "apps/proxy";
 const MIN_NODE_MAJOR = 20;
 
 const COLORS = {
@@ -348,8 +349,19 @@ function writeRootPackageJson(targetDir, dirName) {
       // (production uses Vercel Cron via apps/backend/vercel.json).
       "predev:setup":
         "pnpm cms-plugins:build && pnpm --filter ./apps/backend exec bun run plugins:build",
+      // `pnpm dev` runs FE + BE Next.js dev servers (which watch their own
+      // src/) plus a parallel cms-plugins watcher, so editing
+      // apps/cms-plugins/<slug>/index.ts triggers an esbuild incremental
+      // rebuild and the backend's plugin loader picks up the fresh
+      // dist/server.mjs on next request.
       dev:
-        "pnpm predev:setup && concurrently -k -n FE,BE -c blue,magenta \"pnpm --filter ./apps/frontend dev\" \"pnpm --filter ./apps/backend exec next dev\"",
+        "pnpm predev:setup && concurrently -k -n FE,BE,PL -c blue,magenta,yellow \"pnpm --filter ./apps/frontend dev\" \"pnpm --filter ./apps/backend exec next dev\" \"pnpm cms-plugins:dev\"",
+      // Optional single-origin dev: same as `pnpm dev` but adds a Node.js
+      // reverse proxy on :3030 that fronts FE :3001 + BE :3000. Use it when
+      // you want one URL, shared cookies, and no CORS — without nginx.
+      "dev:rp":
+        "pnpm predev:setup && concurrently -k -n FE,BE,PL,PX -c blue,magenta,yellow,cyan \"pnpm --filter ./apps/frontend dev\" \"pnpm --filter ./apps/backend exec next dev\" \"pnpm cms-plugins:dev\" \"pnpm dev:proxy\"",
+      "dev:proxy": "node apps/proxy/server.mjs",
       "dev:frontend": "pnpm --filter ./apps/frontend dev",
       "dev:backend":
         "pnpm predev:setup && pnpm --filter ./apps/backend exec next dev",
@@ -359,6 +371,8 @@ function writeRootPackageJson(targetDir, dirName) {
         "pnpm cms-plugins:build && pnpm --filter ./apps/backend exec bun run plugins:build && pnpm --filter ./apps/backend build && pnpm --filter ./apps/frontend build",
       "cms-plugins:build":
         "pnpm --filter './apps/cms-plugins/*' --parallel --if-present build",
+      "cms-plugins:dev":
+        "pnpm --filter './apps/cms-plugins/*' --parallel --if-present dev",
       "cms-plugin:new": "node scripts/new-cms-plugin.mjs",
       lint: "pnpm -r lint",
       typecheck: "pnpm -r typecheck",
@@ -480,6 +494,312 @@ server {
   writeFileSync(resolve(targetDir, "nginx.conf.sample"), conf);
 }
 
+// Optional Node.js reverse proxy. Mirrors nginx.conf.sample routing rules
+// but runs in-process — opt in via `pnpm dev:rp`. Zero deps, ~80 LOC.
+function writeProxyApp(targetDir, dirName, adminPrefix) {
+  const dir = resolve(targetDir, PROXY_PATH);
+  mkdirSync(dir, { recursive: true });
+
+  const prefix = adminPrefix || "/admin";
+  const server = `// ${dirName} — single-origin reverse proxy (zero deps).
+// Mirrors ../../nginx.conf.sample. Run via \`pnpm dev:rp\` from the repo root.
+//
+// Routes (in order):
+//   ${prefix}, ${prefix}/*, /uploads/*, /monitoring          → backend
+//   /api/editing-presence/*                                  → backend (SSE)
+//   /api/{auth,v1,cron,email,health,mcp,admin,...}/*         → backend
+//   /__proxy/health                                          → 200 OK (proxy itself)
+//   everything else                                          → frontend
+//
+// Production note: this proxy doesn't terminate TLS. For HTTPS, sit behind a
+// load balancer (Caddy, Cloudflare, ALB) or use \`nginx.conf.sample\` instead.
+
+import http from "node:http";
+import net from "node:net";
+
+const PORT = Number(process.env.PORT ?? 3030);
+const BACKEND = parseTarget(process.env.BACKEND ?? "http://127.0.0.1:3000");
+const FRONTEND = parseTarget(process.env.FRONTEND ?? "http://127.0.0.1:3001");
+
+const ADMIN_PREFIX = process.env.ADMIN_PREFIX ?? "${prefix}";
+// Pipe-separated list of /api/<segment> paths that route to the backend.
+const BACKEND_API_SEGMENTS = (
+  process.env.BACKEND_API_PATHS ??
+  "auth|v1|cron|email|health|mcp|admin|editing-presence"
+).trim();
+const BACKEND_API = new RegExp(\`^/api/(\${BACKEND_API_SEGMENTS})(/|$)\`);
+
+// 50MB matches nginx.conf.sample's client_max_body_size and Next.js's
+// Server Actions body limit. Override via MAX_BODY_BYTES (0 = unlimited).
+const MAX_BODY_BYTES = Number(process.env.MAX_BODY_BYTES ?? 50 * 1024 * 1024);
+const UPSTREAM_TIMEOUT_MS = Number(process.env.UPSTREAM_TIMEOUT_MS ?? 60_000);
+// When false (default), strip incoming X-Forwarded-* before adding our own —
+// prevents header spoofing when the proxy faces the public internet directly.
+// Set TRUST_PROXY=1 only when behind another trusted reverse proxy (CDN, LB).
+const TRUST_PROXY = process.env.TRUST_PROXY === "1";
+
+// Hop-by-hop headers (RFC 7230 §6.1) — must not be forwarded.
+const HOP_BY_HOP = new Set([
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade",
+]);
+
+// Reuse TCP connections to upstreams — eliminates ~1ms per request.
+const backendAgent = new http.Agent({ keepAlive: true });
+const frontendAgent = new http.Agent({ keepAlive: true });
+
+function pickUpstream(url) {
+  if (url === ADMIN_PREFIX || url.startsWith(\`\${ADMIN_PREFIX}/\`))
+    return { ...BACKEND, agent: backendAgent };
+  if (url.startsWith("/uploads/")) return { ...BACKEND, agent: backendAgent };
+  if (url === "/monitoring") return { ...BACKEND, agent: backendAgent };
+  if (BACKEND_API.test(url)) return { ...BACKEND, agent: backendAgent };
+  return { ...FRONTEND, agent: frontendAgent };
+}
+
+function sanitizeHeaders(req, clientIp) {
+  const out = {};
+  for (const [k, v] of Object.entries(req.headers)) {
+    const lower = k.toLowerCase();
+    if (HOP_BY_HOP.has(lower)) continue;
+    // Strip client-supplied X-Forwarded-* unless TRUST_PROXY is set.
+    if (!TRUST_PROXY && lower.startsWith("x-forwarded-")) continue;
+    out[k] = v;
+  }
+  // Always set X-Forwarded-* with our own values (append client IP).
+  const existingFor = TRUST_PROXY ? req.headers["x-forwarded-for"] : undefined;
+  out["x-forwarded-for"] = existingFor ? \`\${existingFor}, \${clientIp}\` : clientIp;
+  out["x-forwarded-proto"] = TRUST_PROXY
+    ? req.headers["x-forwarded-proto"] ?? "http"
+    : "http";
+  out["x-forwarded-host"] = TRUST_PROXY
+    ? req.headers["x-forwarded-host"] ?? req.headers.host ?? ""
+    : req.headers.host ?? "";
+  return out;
+}
+
+function logError(scope, err, extra) {
+  const ts = new Date().toISOString();
+  const detail = extra ? \` \${JSON.stringify(extra)}\` : "";
+  console.error(\`[\${ts}] proxy:\${scope} \${err.code ?? ""} \${err.message}\${detail}\`);
+}
+
+const server = http.createServer((req, res) => {
+  // Health check (proxy itself, never forwarded).
+  if (req.url === "/__proxy/health") {
+    res.writeHead(200, { "content-type": "application/json" });
+    res.end(JSON.stringify({ status: "ok", uptime: process.uptime() }));
+    return;
+  }
+
+  // Enforce body size limit (DoS protection).
+  if (MAX_BODY_BYTES > 0) {
+    const declared = Number(req.headers["content-length"] ?? 0);
+    if (declared > MAX_BODY_BYTES) {
+      res.writeHead(413, { "content-type": "text/plain" });
+      res.end("Payload Too Large");
+      return;
+    }
+    let received = 0;
+    req.on("data", (chunk) => {
+      received += chunk.length;
+      if (received > MAX_BODY_BYTES) {
+        req.destroy(new Error("Body exceeded MAX_BODY_BYTES"));
+      }
+    });
+  }
+
+  const upstream = pickUpstream(req.url);
+  const proxyReq = http.request(
+    {
+      host: upstream.host,
+      port: upstream.port,
+      method: req.method,
+      path: req.url,
+      headers: sanitizeHeaders(req, req.socket.remoteAddress ?? ""),
+      agent: upstream.agent,
+      timeout: UPSTREAM_TIMEOUT_MS,
+    },
+    (proxyRes) => {
+      // Strip hop-by-hop headers from upstream response too.
+      const safe = {};
+      for (const [k, v] of Object.entries(proxyRes.headers)) {
+        if (!HOP_BY_HOP.has(k.toLowerCase())) safe[k] = v;
+      }
+      res.writeHead(proxyRes.statusCode ?? 502, safe);
+      proxyRes.pipe(res);
+    },
+  );
+  proxyReq.on("timeout", () => {
+    logError("upstream-timeout", new Error("upstream timeout"), { url: req.url });
+    proxyReq.destroy(new Error("Upstream timeout"));
+  });
+  proxyReq.on("error", (err) => {
+    logError("upstream", err, { url: req.url });
+    if (!res.headersSent) {
+      res.writeHead(502, { "content-type": "text/plain" });
+      res.end("Bad Gateway");
+    }
+    if (!req.destroyed) req.destroy();
+  });
+  req.on("error", (err) => {
+    logError("client", err, { url: req.url });
+    if (!proxyReq.destroyed) proxyReq.destroy();
+  });
+  req.pipe(proxyReq);
+});
+
+// WebSocket / HTTP upgrade passthrough — required for Next.js HMR.
+server.on("upgrade", (req, clientSocket, head) => {
+  const upstream = pickUpstream(req.url);
+  const upstreamSocket = net.connect(upstream.port, upstream.host, () => {
+    const headers = sanitizeHeaders(req, req.socket.remoteAddress ?? "");
+    // Re-add Connection: Upgrade & Upgrade headers stripped by sanitizeHeaders.
+    headers["connection"] = "Upgrade";
+    if (req.headers.upgrade) headers["upgrade"] = req.headers.upgrade;
+    const headerLines = [];
+    for (const [k, v] of Object.entries(headers)) {
+      const values = Array.isArray(v) ? v : [v];
+      for (const single of values) {
+        const str = String(single);
+        // Defense-in-depth: reject CRLF in header values (header injection).
+        if (/[\\r\\n]/.test(str)) continue;
+        headerLines.push(\`\${k}: \${str}\`);
+      }
+    }
+    upstreamSocket.write(
+      \`\${req.method} \${req.url} HTTP/\${req.httpVersion}\\r\\n\` +
+        headerLines.join("\\r\\n") +
+        "\\r\\n\\r\\n",
+    );
+    if (head?.length) upstreamSocket.write(head);
+    upstreamSocket.pipe(clientSocket);
+    clientSocket.pipe(upstreamSocket);
+  });
+  upstreamSocket.on("error", (err) => {
+    logError("ws-upstream", err, { url: req.url });
+    clientSocket.destroy();
+  });
+  clientSocket.on("error", (err) => {
+    logError("ws-client", err, { url: req.url });
+    upstreamSocket.destroy();
+  });
+});
+
+server.listen(PORT, () => {
+  console.log(\`apollo-proxy → http://localhost:\${PORT}\`);
+  console.log(\`  \${ADMIN_PREFIX}/*, /uploads/*, /api/*  → \${BACKEND.host}:\${BACKEND.port}\`);
+  console.log(\`  /*  → \${FRONTEND.host}:\${FRONTEND.port}\`);
+  console.log(\`  TRUST_PROXY=\${TRUST_PROXY}  MAX_BODY_BYTES=\${MAX_BODY_BYTES}  UPSTREAM_TIMEOUT_MS=\${UPSTREAM_TIMEOUT_MS}\`);
+});
+
+// Graceful shutdown — let in-flight requests finish, then exit.
+let shuttingDown = false;
+function shutdown(signal) {
+  if (shuttingDown) return;
+  shuttingDown = true;
+  console.log(\`\\napollo-proxy: \${signal} received, draining...\`);
+  server.close(() => {
+    backendAgent.destroy();
+    frontendAgent.destroy();
+    process.exit(0);
+  });
+  // Hard exit after 10s if connections refuse to drain.
+  setTimeout(() => process.exit(1), 10_000).unref();
+}
+process.on("SIGTERM", () => shutdown("SIGTERM"));
+process.on("SIGINT", () => shutdown("SIGINT"));
+
+function parseTarget(input) {
+  const url = new URL(input.startsWith(":") ? \`http://127.0.0.1\${input}\` : input);
+  return { host: url.hostname, port: Number(url.port || 80) };
+}
+`;
+  writeFileSync(resolve(dir, "server.mjs"), server);
+
+  const pkg = {
+    name: `@${dirName}/proxy`,
+    private: true,
+    version: "0.0.0",
+    description: "Optional Node.js reverse proxy fronting frontend + backend on a single origin",
+    type: "module",
+    main: "server.mjs",
+    scripts: {
+      start: "node server.mjs",
+    },
+    engines: { node: ">=20" },
+  };
+  writeFileSync(resolve(dir, "package.json"), JSON.stringify(pkg, null, 2) + "\n");
+
+  const readme = `# @${dirName}/proxy
+
+Optional single-origin reverse proxy. Routes \`${prefix}/*\`, \`/api/*\`, and
+\`/uploads/*\` to the backend; everything else to the frontend. Zero deps.
+
+## When to use
+
+- You want **one URL** for FE + BE locally (shared cookies, no CORS).
+- You don't want to install nginx for local dev.
+
+## Usage
+
+From the repo root:
+
+\`\`\`bash
+pnpm dev:rp        # runs FE :3001 + BE :3000 + plugins watcher + proxy :3030
+\`\`\`
+
+Then open http://localhost:3030.
+
+For best results, set \`NEXT_PUBLIC_SITE_URL=http://localhost:3030\` in your
+\`.env.local\` so Better Auth, OAuth callbacks, and email links all use the
+single-origin URL.
+
+## Configuration
+
+| Env var               | Default                          | Notes                                                          |
+| --------------------- | -------------------------------- | -------------------------------------------------------------- |
+| \`PORT\`                | \`3030\`                            | Public port                                                    |
+| \`BACKEND\`             | \`http://127.0.0.1:3000\`           | apps/backend dev server                                        |
+| \`FRONTEND\`            | \`http://127.0.0.1:3001\`           | apps/frontend dev server                                       |
+| \`ADMIN_PREFIX\`        | \`${prefix}\`                          | Backend admin path prefix                                      |
+| \`BACKEND_API_PATHS\`   | \`auth\\|v1\\|cron\\|email\\|health\\|mcp\\|admin\\|editing-presence\` | Pipe-separated /api/* segments routed to backend |
+| \`MAX_BODY_BYTES\`      | \`52428800\` (50MB)                 | Reject larger bodies. \`0\` = unlimited                          |
+| \`UPSTREAM_TIMEOUT_MS\` | \`60000\`                           | Request timeout to upstream                                    |
+| \`TRUST_PROXY\`         | \`0\`                               | Set \`1\` only if behind another trusted proxy (CDN/LB)          |
+
+## Health check
+
+\`GET /__proxy/health\` returns \`{"status":"ok","uptime":<seconds>}\`. Use it for
+liveness probes; the path is reserved by the proxy and never forwarded.
+
+## Better Auth interaction
+
+Apollo CMS's Better Auth derives the request origin from \`x-forwarded-host\` /
+\`x-forwarded-proto\`. This proxy sets both correctly, so \`trustedOrigins\` keeps
+working through the proxy. The recent fix in \`src/lib/auth/server.ts\` ensures
+the actual request origin (e.g. \`localhost:3030\`) is added to trusted origins
+even when \`NEXT_PUBLIC_SITE_URL\` points elsewhere.
+
+## Production
+
+This proxy doesn't terminate TLS. For HTTPS, either:
+
+- Sit it behind a TLS-terminating load balancer (Caddy, Cloudflare, ALB), **or**
+- Use \`nginx.conf.sample\` at the repo root instead — nginx handles TLS, gzip,
+  and large-scale traffic better.
+
+The Node proxy is intended for dev and small self-hosted deploys.
+`;
+  writeFileSync(resolve(dir, "README.md"), readme);
+}
+
 function writeRootGitignore(targetDir) {
   const ignore = [
     "node_modules",
@@ -741,6 +1061,11 @@ function writeExampleCmsPlugin(targetDir, dirName) {
     },
     scripts: {
       build: "node ./build.mjs",
+      // `dev` is the watcher entry — `pnpm dev` from the monorepo root fans
+      // out to it via `cms-plugins:dev`, so editing index.ts triggers an
+      // incremental rebuild and the backend's plugin loader picks up the new
+      // dist/server.mjs on the next request.
+      dev: "node ./build.mjs --watch",
     },
     devDependencies: {
       esbuild: "^0.24.0",
@@ -749,9 +1074,12 @@ function writeExampleCmsPlugin(targetDir, dirName) {
   writeFileSync(resolve(pluginDir, "package.json"), JSON.stringify(pkg, null, 2) + "\n");
 
   // Tiny zero-config build: bundle index.ts → dist/server.mjs as ESM Node.
-  const buildMjs = `import { build } from "esbuild";
+  // Pass --watch to keep esbuild's context alive and rebuild on file changes.
+  const buildMjs = `import { context, build } from "esbuild";
+
+const watch = process.argv.includes("--watch");
 
-await build({
+const options = {
   entryPoints: ["./index.ts"],
   outfile: "./dist/server.mjs",
   format: "esm",
@@ -762,7 +1090,15 @@ await build({
   // backend at runtime via the loader's dynamic import().
   external: ["@/*", "next", "react", "react-dom"],
   logLevel: "info",
-});
+};
+
+if (watch) {
+  const ctx = await context(options);
+  await ctx.watch();
+  console.log("[cms-plugin] watching index.ts → dist/server.mjs");
+} else {
+  await build(options);
+}
 `;
   writeFileSync(resolve(pluginDir, "build.mjs"), buildMjs);
 
@@ -928,12 +1264,17 @@ paths to the backend so /_next/* doesn't collide:
 The frontend MUST NOT define routes at \`/admin\`, \`/api/auth\`, \`/api/v1\`, etc.
 If you need your own API, namespace it under \`/api/internal/*\` or similar.
 
-### Reverse proxy (nginx)
+### Reverse proxy
 
-A reference \`nginx.conf.sample\` ships at the repo root with the same routing
-baked in (frontend on :3001, backend on :3000). Use it when fronting both apps
-behind a single TLS-terminating proxy outside Vercel — drop in your domain and
-SSL certs.
+Two options ship out of the box:
+
+- **\`apps/proxy\`** (Node.js, zero deps) — opt in with \`pnpm dev:rp\`. Runs FE,
+  BE, plugins watcher, and a reverse proxy on **:3030** so everything sits on
+  one origin (shared cookies, no CORS). Best for local dev and small self-hosted
+  deploys. Configure via \`PORT\`, \`BACKEND\`, \`FRONTEND\`, \`ADMIN_PREFIX\`.
+- **\`nginx.conf.sample\`** (production) — same routing baked in (frontend on
+  :3001, backend on :3000). Use it when fronting both apps behind a single
+  TLS-terminating proxy outside Vercel — drop in your domain and SSL certs.
 
 To **disable** single-origin and run the backend on its own subdomain,
 delete \`APOLLO_ASSET_PREFIX\` from \`apps/backend/.env.local\` and remove the
@@ -984,8 +1325,14 @@ ${dirName}/
 pnpm install
 pnpm backend:setup       # push schema + seed apollo-cms
 pnpm dev                 # runs frontend (3001) + backend (3000) in parallel
+# or:
+pnpm dev:rp              # same + reverse proxy on :3030 (single-origin, shared cookies)
 \`\`\`
 
+When using \`pnpm dev:rp\`, set \`NEXT_PUBLIC_SITE_URL=http://localhost:3030\`
+in your \`.env.local\` so Better Auth, OAuth callbacks, and email links use
+the unified origin.
+
 ${originSection}
 ## Custom plugins
 
@@ -1159,10 +1506,11 @@ async function main() {
   writeRootEnv(targetDir, { dbUrl, siteUrl, locale, authSecret, cronSecret, adminPrefix, backendInternalUrl });
   writeReadme(targetDir, dirName, frontendName, adminPrefix);
   if (adminPrefix) writeNginxSample(targetDir, adminPrefix);
+  writeProxyApp(targetDir, dirName, adminPrefix);
   success(
     `package.json, pnpm-workspace.yaml, .gitignore, .env.local, README.md${
       adminPrefix ? ", nginx.conf.sample" : ""
-    }`,
+    }, apps/proxy`,
   );
 
   // ── Step 4: git init ──

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-apollo-monorepo",
-  "version": "0.6.2",
+  "version": "0.8.0",
   "description": "Scaffold a monorepo with a frontend app and Apollo CMS as a git submodule backend (single-origin via Next.js rewrites + assetPrefix)",
   "bin": {
     "create-apollo-monorepo": "index.mjs"