dxfl 0.4.2 → 0.5.1

package/CHANGELOG.md

@@ -1,6 +1,15 @@
+# v0.5.1
+
+- Temporary fix for CVE-2026-26278 on fast-xml-parser (@aws-sdk/client-3 → @aws-sdk/core → @aws-sdk/xml-builder@3.972.11 → fast-xml-parser@5.4.1 (pinned))
+
+# v0.5.0
+
+- `deuxfleurs.toml`: Add support for setting headers
+- `deuxfleurs.toml`/`deploy`: Add support for compressing files at upload time
+
 # v0.4.2
 
-- Temporarily disabling CORS configuration
+- `deploy`: Temporarily disable cors to workaround Garage bug
 
 # v0.4.1
 

package/README.md

@@ -101,6 +101,38 @@ status = 301
 # Default value: false
 force = true
 
+# Rules for configuring headers.
+# Multiple rules can be specified. In case of several rules matching
+# the same file, the first rule is applied.
+# Each rule is defined in its own `[[headers]]` block.
+[[headers]]
+# Files that are matched by the rule, using "glob" syntax.
+# (see https://github.com/micromatch/picomatch#globbing-features)
+# This pattern matches all files ending in .jpg in any subdirectory.
+#
+# It is also possible to specify several glob patterns, in this case
+# only one of the pattern needs to match. For example, to match .jpg
+# or .png files:
+# for = ["**/*.jpg", "**/*.png"]
+for = "**/*.jpg"
+# (Optional) Compress uploaded files.
+# Setting this option will compress files matched by the rule when
+# uploading them, and will set the Content-Encoding header to the
+# corresponding value.
+# Currently, the only supported compression setting is "gzip".
+compress = "gzip"
+#
+# Headers to set for files that match this rule.
+#
+# Only the following headers can be configured:
+# Content-Type, Cache-Control, Content-Disposition, Content-Encoding,
+# Content-Language, and Expires.
+[headers.values]
+Cache-Control = "max-age=31536000, no-transform, public"
+# Note: if no Content-Type is manually specified, a default value is
+# computed from the file extension. In most cases this is good enough.
+Content-Type = "image/jpeg"
+
 # Configuration to allow cross-origin requests.
 # Multiple rules can be specified and will be matched in order.
 # Each rule is defined in its own `[[cors]]` block

package/dist/bucket.js

@@ -8,11 +8,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 import fs from "fs/promises";
-import mime from "mime";
 import { DeleteObjectCommand, DeleteObjectsCommand, HeadObjectCommand, ListObjectsV2Command, PutObjectCommand, S3Client, } from "@aws-sdk/client-s3";
 import { PromisePool } from "@supercharge/promise-pool";
 import { apiConfExists, openApiConf } from "./auth.js";
 import { ErrorMsg, wrapS3Call } from "./error.js";
+import { headersFromS3, headersToS3 } from "./headers.js";
 import { GuichetApi } from "./guichet.js";
 import { parseEtag, toChunks, formatBytesHuman } from "./utils.js";
 export function getBucketCredentials(name) {
@@ -100,6 +100,7 @@ export function getBucketFilesDetails(bucket, files) {
                 const resp = yield wrapS3Call(`read metadata of file "${file}"`, [200], () => bucket.client.send(new HeadObjectCommand({ Bucket: bucket.name, Key: file })));
                 res.set(file, {
                     redirect: resp.WebsiteRedirectLocation,
+                    headers: headersFromS3(resp),
                 });
             });
         }
@@ -143,22 +144,15 @@ export function deleteBucketFiles(bucket, files) {
         }));
     });
 }
-export function uploadFile(bucket, s3Path, localPath) {
+export function uploadFile(bucket, s3Path, localPath, headers) {
     return __awaiter(this, void 0, void 0, function* () {
-        var _a;
-        // use `path.posix` because `Key` is a path in a bucket that uses `/` as separator.
-        let ContentType = (_a = mime.getType(localPath)) !== null && _a !== void 0 ? _a : undefined;
-        // add charset=utf-8 by default on text files (TODO: allow the user to override this)
-        if (ContentType && ContentType.startsWith("text/")) {
-            ContentType = ContentType + "; charset=utf-8";
-        }
         // NB: we read the entire file into memory instead of creating a stream from
         // the file (which would allow streaming the data). Indeed, using a stream
         // results in transcient network errors being throwned instead of being
         // retried by the AWS SDK: https://github.com/aws/aws-sdk-js-v3/issues/6770
         // which we want to avoid...
         const Body = yield fs.readFile(localPath);
-        const params = { Bucket: bucket.name, Key: s3Path, Body, ContentType };
+        const params = Object.assign({ Bucket: bucket.name, Key: s3Path, Body }, headersToS3(headers));
         yield wrapS3Call(`upload "${s3Path}"`, [200], () => bucket.client.send(new PutObjectCommand(params)));
     });
 }
@@ -178,3 +172,10 @@ export function putEmptyObjectRedirect(bucket, source, target) {
         yield wrapS3Call(`create redirection source object ${source}`, [200], () => bucket.client.send(new PutObjectCommand(params)));
     });
 }
+export function setObjectHeaders(bucket, s3Path, localPath, headers) {
+    return __awaiter(this, void 0, void 0, function* () {
+        // FIXME: could we be more efficient and use CopyObject to avoid
+        // re-uploading the object?
+        yield uploadFile(bucket, s3Path, localPath, headers);
+    });
+}

package/dist/deploy.js

@@ -10,10 +10,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 import fs from "fs";
 import path from "path";
 import { PromisePool } from "@supercharge/promise-pool";
-import { deleteBucketFile, deleteBucketFiles, getBucketCredentials, getBucket, getBucketFiles, putEmptyObjectRedirect, uploadFile, } from "./bucket.js";
+import { deleteBucketFile, deleteBucketFiles, getBucketCredentials, getBucket, getBucketFiles, putEmptyObjectRedirect, uploadFile, setObjectHeaders, } from "./bucket.js";
 import { ErrorMsg } from "./error.js";
-import { confirmationPrompt, filterMap, formatBytesHuman, formatCount, getFileMd5, sum, } from "./utils.js";
-import { equalBucketRedirect, getBucketConfig, putBucketWebsiteConfig, readConfigFile, } from "./website_config.js";
+import { fileContentType, supportedHeaders, } from "./headers.js";
+import { confirmationPrompt, filterMap, formatBytesHuman, formatCount, getFileMd5, gzipFile, mapEq, mkTmpDir, sum, } from "./utils.js";
+import { evalHeadersRules, equalBucketRedirect, getBucketConfig, putBucketWebsiteConfig, readConfigFile, } from "./website_config.js";
 // Walks through the local directory at path `dir`, and for each file it contains, returns :
 // - `localPath`: its path on the local filesystem (includes `dir`). On windows, this path
 //    will typically use `\` as separator.
@@ -60,6 +61,58 @@ function getLocalFilesWithInfo(localFolder) {
         })));
     });
 }
+// Compute headers-related settings for local files and compress them if required.
+export function compressSelectedLocalFiles(localFiles, localCfg) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const tmpDir = yield mkTmpDir();
+        const localFilesHeaders = yield Promise.all(localFiles.map((f) => __awaiter(this, void 0, void 0, function* () {
+            // evaluate headers rules for this file
+            let headers = evalHeadersRules(localCfg.headers_rules, f.s3Path);
+            // copy headers.values (we may edit it afterwards)
+            headers = { values: new Map(headers.values), compress: headers.compress };
+            // compute a best-effort content type if not explicitly specified in the config
+            if (!headers.values.has("Content-Type")) {
+                headers.values.set("Content-Type", fileContentType(f.localPath));
+            }
+            // if we need compression, compute the compressed file, stored it tmpDir,
+            // and set the localPath, md5, and size to the one of the compressed file
+            let localPath = f.localPath;
+            let md5 = f.md5;
+            let size = f.size;
+            let compressed = false;
+            if (headers.compress) {
+                compressed = true;
+                if (headers.compress == "gzip") {
+                    const compressedPath = path.join(tmpDir, f.s3Path);
+                    yield gzipFile(localPath, compressedPath);
+                    const [stat, compressedMd5] = yield Promise.all([
+                        fs.promises.stat(compressedPath),
+                        getFileMd5(compressedPath),
+                    ]);
+                    localPath = compressedPath;
+                    md5 = compressedMd5;
+                    size = stat.size;
+                }
+                else {
+                    headers.compress;
+                }
+                // set Content-Encoding, unless manually specified by the user
+                if (!headers.values.has("Content-Encoding")) {
+                    headers.values.set("Content-Encoding", headers.compress);
+                }
+            }
+            return {
+                localPath,
+                s3Path: f.s3Path,
+                size,
+                md5,
+                headers: headers.values,
+                compressed,
+            };
+        })));
+        return { localFilesHeaders, tmpDir };
+    });
+}
 function computeDeployPlan(localFiles, remoteFiles, localCfg, remoteCfg) {
     // We raise an error if a file is both present locally and is the source of a
     // redirection.
@@ -118,10 +171,23 @@ function computeDeployPlan(localFiles, remoteFiles, localCfg, remoteCfg) {
     // - are missing on the remote
     // - have a md5 that differs from their remote ETag,
     // - have a local size that differs from its remote size
-    let filesToUpload = localFiles.filter(({ s3Path, size, md5 }) => {
-        const remoteFile = remoteFiles.get(s3Path);
-        return !remoteFile || remoteFile.etag != md5 || remoteFile.size != size;
+    const filesToUpload = localFiles.filter(f => {
+        const remoteFile = remoteFiles.get(f.s3Path);
+        return !remoteFile || remoteFile.etag != f.md5 || remoteFile.size != f.size;
     });
+    // Compute remote files for which headers need to be updated.
+    let modifyHeaders = [];
+    for (const { localPath, s3Path, headers } of localFiles) {
+        const remoteHeaders = remoteCfg.headers.get(s3Path);
+        if (remoteHeaders && !mapEq(headers, remoteHeaders)) {
+            modifyHeaders.push({
+                localPath,
+                s3Path,
+                before: remoteHeaders,
+                after: headers,
+            });
+        }
+    }
     return {
         localFiles,
         remoteFiles,
@@ -138,6 +204,7 @@ function computeDeployPlan(localFiles, remoteFiles, localCfg, remoteCfg) {
             from: remoteCfg.cors_rules,
             to: localCfg.cors_rules,
         },
+        modifyHeaders,
     };
 }
 function diffBucketRedirects(from, to) {
@@ -162,6 +229,7 @@ function diffBucketRedirects(from, to) {
     return { added, updated, deleted };
 }
 function printPlan(plan, details) {
+    var _a, _b;
     function showBucketRedirectTarget(r) {
         const to = r.to.kind == "replace" ? `${r.to.target}` : `${r.to.prefix}*`;
         const proto = r.protocol ? `${r.protocol}://` : "";
@@ -173,12 +241,15 @@ function printPlan(plan, details) {
     function showBucketRedirect(r) {
         return `${r.prefix}* -> ${showBucketRedirectTarget(r)}`;
     }
-    function printSummary(nb, action, bytes) {
+    function printSummary(nb, action, bytes, compressed) {
         if (nb > 0) {
             process.stdout.write(`  ${formatCount(nb, "file")} ${action}`);
             if (bytes) {
                 process.stdout.write(` (${formatBytesHuman(bytes)})`);
             }
+            if (compressed && compressed > 0) {
+                process.stdout.write(` (${compressed} compressed)`);
+            }
             process.stdout.write("\n");
         }
     }
@@ -205,9 +276,11 @@ function printPlan(plan, details) {
             filesUnchanged.delete(f.s3Path);
         }
         const sizeUnchanged = sum([...filesUnchanged.values()]);
-        printSummary(plan.filesToUpload.length, "uploaded", sizeSent);
+        const nbUploadCompressed = plan.filesToUpload.filter(f => f.compressed).length;
+        printSummary(plan.filesToUpload.length, "uploaded", sizeSent, nbUploadCompressed);
         printSummary(plan.filesToDelete.length, "deleted", sizeDeleted);
         printSummary(filesUnchanged.size, "unchanged", sizeUnchanged);
+        printSummary(plan.modifyHeaders.length, "with modified headers", undefined);
         const items = [
             [bredirects.added.size + oredirects_added.length, "added"],
             [bredirects.updated.size + oredirects_updated.length, "modified"],
@@ -231,7 +304,20 @@ function printPlan(plan, details) {
             process.stdout.write(`  Delete ${file.name} (${file.size ? formatBytesHuman(file.size) : "?B"})\n`);
         }
         for (const file of plan.filesToUpload) {
-            process.stdout.write(`  Send ${file.s3Path} (${formatBytesHuman(file.size)})\n`);
+            process.stdout.write(`  Send ${file.s3Path} (${formatBytesHuman(file.size)}${file.compressed ? " compressed" : ""})\n`);
+            // TODO: should we also print the file headers? but this is quite noisy...
+            // (it will print at least Content-Type for each file)
+        }
+        // print modified headers
+        for (const change of plan.modifyHeaders) {
+            process.stdout.write(`  Update headers for ${change.s3Path}:\n`);
+            for (const hdr of supportedHeaders) {
+                if (change.before.get(hdr) !== change.after.get(hdr)) {
+                    const before = (_a = change.before.get(hdr)) !== null && _a !== void 0 ? _a : "<undefined>";
+                    const after = (_b = change.after.get(hdr)) !== null && _b !== void 0 ? _b : "<undefined>";
+                    process.stdout.write(`    - ${hdr}: ${after} (was: ${before})\n`);
+                }
+            }
         }
         // print redirects
         for (const [_, r] of bredirects.added) {
@@ -252,6 +338,7 @@ function printPlan(plan, details) {
         for (const { source, prev_target } of oredirects_deleted) {
             process.stdout.write(`  Delete redirect ${source} -> ${prev_target}\n`);
         }
+        // print new CORS rules
         if (cors_changed) {
             process.stdout.write("  Set CORS rules:\n");
             for (const rule of plan.cors_rules.to) {
@@ -312,7 +399,7 @@ function applyDeployPlan(bucket, plan) {
         })
             .process((f) => __awaiter(this, void 0, void 0, function* () {
             process.stdout.write(`  Send ${f.s3Path} (${formatBytesHuman(f.size)})\n`);
-            yield uploadFile(bucket, f.s3Path, f.localPath);
+            yield uploadFile(bucket, f.s3Path, f.localPath, f.headers);
         }));
         // Apply bucket redirects & global config
         yield putBucketWebsiteConfig(bucket, plan.index_page.to, plan.error_page.to, plan.bucket_redirects.to);
@@ -320,6 +407,16 @@ function applyDeployPlan(bucket, plan) {
         // if (!equalCorsRules(plan.cors_rules.from, plan.cors_rules.to)) {
         // 	await putCorsRules(bucket, plan.cors_rules.to);
         // }
+        // Modify headers
+        yield PromisePool.for(plan.modifyHeaders)
+            .withConcurrency(50)
+            .handleError(err => {
+            throw err;
+        })
+            .process((_a) => __awaiter(this, [_a], void 0, function* ({ localPath, s3Path, after }) {
+            process.stdout.write(`  Update headers of ${s3Path}\n`);
+            yield setObjectHeaders(bucket, s3Path, localPath, after);
+        }));
     });
 }
 export function deploy(website, localFolder, options) {
@@ -344,13 +441,18 @@ export function deploy(website, localFolder, options) {
                 return [bucket, remoteFiles, remoteWebsiteConfig];
             }))(),
         ]);
+        // Compress local files when required by the local configuration.
+        // The temporary directory needs to be removed before exiting.
+        // FIXME: the directory should ideally be also removed if we throw an exception...
+        const { localFilesHeaders, tmpDir } = yield compressSelectedLocalFiles(localFiles, localWebsiteConfig);
         // Compute the deploy plan
-        const plan = computeDeployPlan(localFiles, remoteFiles, localWebsiteConfig, remoteWebsiteConfig);
+        const plan = computeDeployPlan(localFilesHeaders, remoteFiles, localWebsiteConfig, remoteWebsiteConfig);
         // If --dry-run: display the plan and return
         if (options.dryRun) {
             printPlan(plan, "full");
             process.stdout.write("\nSummary:\n");
             printPlan(plan, "summary");
+            fs.promises.rm(tmpDir, { recursive: true });
             return;
         }
         // If not --yes: show the plan summary, ask for confirmation before proceeding
@@ -363,6 +465,7 @@ export function deploy(website, localFolder, options) {
                 printPlan(plan, "full");
             });
             if (!ok) {
+                fs.promises.rm(tmpDir, { recursive: true });
                 return;
             }
         }
@@ -373,5 +476,6 @@ export function deploy(website, localFolder, options) {
             process.stdout.write("\nSummary:\n");
             printPlan(plan, "summary");
         }
+        fs.promises.rm(tmpDir, { recursive: true });
     });
 }

package/dist/headers.js

@@ -0,0 +1,49 @@
+import mime from "mime";
+export const supportedHeaders = [
+    "Content-Type",
+    "Cache-Control",
+    "Content-Disposition",
+    "Content-Encoding",
+    "Content-Language",
+    "Expires",
+];
+export function headersFromS3(s3hdr) {
+    let h = new Map();
+    function setIf(k, v) {
+        if (v !== undefined) {
+            h.set(k, v);
+        }
+    }
+    setIf("Content-Type", s3hdr.ContentType);
+    setIf("Cache-Control", s3hdr.CacheControl);
+    setIf("Content-Disposition", s3hdr.ContentDisposition);
+    setIf("Content-Encoding", s3hdr.ContentEncoding);
+    setIf("Content-Language", s3hdr.ContentLanguage);
+    setIf("Expires", s3hdr.ExpiresString);
+    return h;
+}
+export function headersToS3(m) {
+    return {
+        ContentType: m.get("Content-Type"),
+        CacheControl: m.get("Cache-Control"),
+        ContentDisposition: m.get("Content-Disposition"),
+        ContentEncoding: m.get("Content-Encoding"),
+        ContentLanguage: m.get("Content-Language"),
+        ExpiresString: m.get("Expires"),
+    };
+}
+// best-effort content-type computed from a file contents
+export function fileContentType(localPath) {
+    var _a;
+    let ContentType = (_a = mime.getType(localPath)) !== null && _a !== void 0 ? _a : undefined;
+    // add charset=utf-8 by default on text files
+    if (ContentType && ContentType.startsWith("text/")) {
+        ContentType = ContentType + "; charset=utf-8";
+    }
+    // if no content-type was computed, default to application/octet-stream,
+    // which matches what Garage does if no Content-Type is provided
+    if (ContentType == undefined) {
+        ContentType = "application/octet-stream";
+    }
+    return ContentType;
+}

package/dist/index.js

@@ -6,7 +6,7 @@ import { deploy } from "./deploy.js";
 import { empty } from "./empty.js";
 import { vhostsList } from "./vhosts.js";
 import { inspect } from "./inspect.js";
-program.name("dxfl").description("Deuxfleurs CLI tool").version("0.4.2");
+program.name("dxfl").description("Deuxfleurs CLI tool").version("0.5.1");
 program
     .command("login")
     .description("Link your Deuxfleurs account with this tool.")

package/dist/utils.js

@@ -14,12 +14,16 @@ var __asyncValues = (this && this.__asyncValues) || function (o) {
     function verb(n) { i[n] = o[n] && function (v) { return new Promise(function (resolve, reject) { v = o[n](v), settle(resolve, reject, v.done, v.value); }); }; }
     function settle(resolve, reject, d, v) { Promise.resolve(v).then(function(v) { resolve({ value: v, done: d }); }, reject); }
 };
-import fs from "fs";
-import crypto from "crypto";
-import { stdin, stdout } from "process";
+import crypto from "node:crypto";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { stdin, stdout } from "node:process";
+import { pipeline } from "node:stream/promises";
+import { styleText } from "node:util";
+import zlib from "node:zlib";
 import readline from "readline/promises";
 import { ErrorMsg } from "./error.js";
-import { styleText } from "node:util";
 export function getFileMd5(file) {
     return __awaiter(this, void 0, void 0, function* () {
         var _a, e_1, _b, _c;
@@ -42,6 +46,18 @@ export function getFileMd5(file) {
         return hash.digest("hex");
     });
 }
+export function gzipFile(inPath, outPath) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const source = fs.createReadStream(inPath);
+        const dest = fs.createWriteStream(outPath);
+        yield pipeline(source, zlib.createGzip(), dest);
+    });
+}
+export function mkTmpDir() {
+    return __awaiter(this, void 0, void 0, function* () {
+        return yield fs.promises.mkdtemp(path.join(os.tmpdir(), "dxfl-"));
+    });
+}
 export function formatBytesHuman(bytes) {
     if (bytes < 1000) {
         return `${bytes}B`;
@@ -130,3 +146,7 @@ export function separator(size = 42) {
     }
     return styleText("gray", dashes);
 }
+export function mapEq(m1, m2) {
+    return (m1.size === m2.size &&
+        Array.from(m1.keys()).every(key => m1.get(key) == m2.get(key)));
+}

package/dist/website_config.js

@@ -10,10 +10,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 import fs from "fs";
 import TOML from "smol-toml";
 import URI from "fast-uri";
+import picomatch from "picomatch";
 import { z as zod } from "zod";
 import { fromError as zodError } from "zod-validation-error";
-import { GetBucketWebsiteCommand, PutBucketWebsiteCommand, PutBucketCorsCommand, } from "@aws-sdk/client-s3";
+import { DeleteBucketCorsCommand, GetBucketWebsiteCommand, PutBucketWebsiteCommand, PutBucketCorsCommand, } from "@aws-sdk/client-s3";
 import { ErrorMsg, withErrorMsg, wrapS3Call } from "./error.js";
+import { supportedHeaders } from "./headers.js";
 import { getBucketFilesDetails } from "./bucket.js";
 ////////////// Utilities
 export function equalBucketRedirect(b1, b2) {
@@ -50,6 +52,16 @@ export function equalCorsRules(c1, c2) {
     }
     return eqArr(eqRule, c1, c2);
 }
+export function evalHeadersRules(rules, path) {
+    for (const rule of rules) {
+        if (rule.for(path)) {
+            // take the first rule that matches
+            return rule.params;
+        }
+    }
+    // return default params
+    return { values: new Map() };
+}
 ////////////// Parsing from a TOML config file
 // Parsing: TOML -> untyped object
 function readConfigFileObject(filename) {
@@ -91,24 +103,39 @@ function readConfigFileObject(filename) {
     });
 }
 // Parsing: untyped object -> RawConfig
-const RawRedirectSchema = zod.object({
+const RawRedirectSchema = zod
+    .object({
     from: zod.string(),
     to: zod.string(),
     force: zod.boolean().optional(),
     status: zod.number().int().positive().optional(),
-});
-const RawCorsSchema = zod.object({
+})
+    .strict();
+const RawCorsSchema = zod
+    .object({
     allowed_origins: zod.union([zod.string(), zod.string().array()]),
     allowed_methods: zod.union([zod.string(), zod.string().array()]).optional(),
     allowed_headers: zod.union([zod.string(), zod.string().array()]).optional(),
     expose_headers: zod.union([zod.string(), zod.string().array()]).optional(),
-});
-const RawConfigSchema = zod.object({
+})
+    .strict();
+const RawHeadersSchema = zod
+    .object({
+    for: zod.union([zod.string(), zod.string().array()]),
+    compress: zod.enum(["gzip"]).optional(),
+    // loose validation, we will validate later the fields against supportedHeaders
+    values: zod.object({}).catchall(zod.string()).passthrough().optional(),
+})
+    .strict();
+const RawConfigSchema = zod
+    .object({
     index_page: zod.string().optional(),
     error_page: zod.string().optional(),
     redirects: zod.array(RawRedirectSchema).optional(),
     cors: zod.array(RawCorsSchema).optional(),
-});
+    headers: zod.array(RawHeadersSchema).optional(),
+})
+    .strict();
 function interpRawConfig(cfg) {
     try {
         return RawConfigSchema.parse(cfg);
@@ -118,7 +145,7 @@ function interpRawConfig(cfg) {
         throw new ErrorMsg(validationError.toString());
     }
 }
-// Parsing: RawConfig -> WebsiteConfig
+// Parsing: RawConfig -> LocalWebsiteConfig
 // Parses the escaping scheme used for 'from' and 'to' paths
 // in redirects. These fields may specify a '*' at the end
 // (in that case they indicate a prefix) or not (then they are
@@ -151,7 +178,7 @@ function unescape(s) {
     }
 }
 function interpConfig(rawcfg) {
-    var _a, _b, _c, _d, _e, _f;
+    var _a, _b, _c, _d, _e, _f, _g, _h;
     function interpRedirect(r) {
         var _a, _b;
         const rfrom = withErrorMsg(() => unescape(r.from), msg => `from: ${msg}`);
@@ -281,6 +308,7 @@ function interpConfig(rawcfg) {
         bucket_redirects: [],
         object_redirects: new Map(),
         cors_rules: [],
+        headers_rules: [],
     };
     for (const [i, raw] of ((_b = rawcfg.redirects) !== null && _b !== void 0 ? _b : []).entries()) {
         // `i+1` is only used for display: start counting redirects from 1 instead of 0
@@ -306,6 +334,29 @@ function interpConfig(rawcfg) {
             expose_headers: interpRawArray((_f = raw.expose_headers) !== null && _f !== void 0 ? _f : []),
         });
     }
+    for (const [_, raw] of ((_g = rawcfg.headers) !== null && _g !== void 0 ? _g : []).entries()) {
+        const glob = picomatch(raw.for, {
+            dot: true, // don't treat dotfiles differently
+            contains: false,
+        });
+        let values = new Map();
+        for (const [k, v] of Object.entries((_h = raw.values) !== null && _h !== void 0 ? _h : {})) {
+            if (supportedHeaders.includes(k)) {
+                values.set(k, v);
+            }
+            else {
+                const hdrs = supportedHeaders.join(", ");
+                throw new ErrorMsg(`Cannot set value for header "${k}" in configuration.\nSupported headers are: ${hdrs}.`);
+            }
+        }
+        cfg.headers_rules.push({
+            for: glob,
+            params: {
+                compress: raw.compress,
+                values,
+            },
+        });
+    }
     return cfg;
 }
 export function readConfigFile(filename) {
@@ -427,12 +478,18 @@ export function getBucketConfig(bucket, files) {
         // 		});
         // 	}
         // }
+        // Interpret headers
+        let headers = new Map();
+        for (const [file, { headers: file_headers }] of details) {
+            headers.set(file, file_headers);
+        }
         return {
             index_page,
             error_page,
             bucket_redirects,
             object_redirects,
             cors_rules,
+            headers,
         };
     });
 }
@@ -496,9 +553,19 @@ export function putCorsRules(bucket, cors_rules) {
                 ExposeHeaders: rule.expose_headers,
             });
         }
-        yield wrapS3Call(`write the bucket CORS config`, [200], () => bucket.client.send(new PutBucketCorsCommand({
-            Bucket: bucket.name,
-            CORSConfiguration: { CORSRules },
-        })));
+        if (CORSRules.length == 0) {
+            // work around a bug in garage when using PutBucketCorsCommand with
+            // empty rules (https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/1320)
+            // Instead, use DeleteBucketCorsCommand which is equivalent in that case.
+            yield wrapS3Call(`empty the bucket CORS config`, [204], () => bucket.client.send(new DeleteBucketCorsCommand({
+                Bucket: bucket.name,
+            })));
+        }
+        else {
+            yield wrapS3Call(`write the bucket CORS config`, [200], () => bucket.client.send(new PutBucketCorsCommand({
+                Bucket: bucket.name,
+                CORSConfiguration: { CORSRules },
+            })));
+        }
     });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dxfl",
-  "version": "0.4.2",
+  "version": "0.5.1",
   "description": "",
   "license": "EUPL-1.2",
   "author": "Deuxfleurs Team <coucou@deuxfleurs.fr>",
@@ -23,14 +23,16 @@
     "prettier-check": "npx prettier . --check"
   },
   "dependencies": {
-    "@aws-sdk/client-s3": "^3.1004.0",
+    "@aws-sdk/client-s3": "^3.1011.0",
     "@commander-js/extra-typings": "^14.0.0",
     "@supercharge/promise-pool": "^3.2.0",
     "@types/node": "^25.2.1",
+    "@types/picomatch": "^4.0.2",
     "commander": "^14.0.3",
     "fast-uri": "^3.1.0",
     "guichet-sdk-ts": "^0.1.0",
     "mime": "^4.1.0",
+    "picomatch": "^4.0.3",
     "read": "^5.0.1",
     "smol-toml": "^1.6.0",
     "typescript": "^5.9.3",
@@ -40,5 +42,10 @@
   "devDependencies": {
     "onchange": "^7.1.0",
     "prettier": "3.5.3"
+  },
+  "overrides": {
+    "@aws-sdk/xml-builder": {
+      "fast-xml-parser": "^5.5.6"
+    }
   }
 }