export-runtime 0.0.13 → 0.0.15

package/bin/generate-types.mjs

@@ -42,6 +42,11 @@ const r2Bindings = cloudflareConfig.r2 || [];
 const kvBindings = cloudflareConfig.kv || [];
 const authConfig = cloudflareConfig.auth || null;
 
+// Optional: Security configuration
+const securityConfig = pkg.security || {};
+const accessConfig = securityConfig.access || {};
+const allowedOrigins = accessConfig.origin || []; // empty = allow all (default Workers behavior)
+
 // Auth requires a D1 database for better-auth
 const allD1Bindings = [...d1Bindings];
 if (authConfig && !allD1Bindings.includes("AUTH_DB")) {
@@ -81,11 +86,11 @@ function discoverModules(dir, base = "") {
   const modules = [];
   if (!fs.existsSync(dir)) return modules;
   for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
-    if (entry.name.startsWith("_") || entry.name.startsWith(".")) continue;
+    if (entry.name.startsWith("_") || entry.name.startsWith(".") || entry.name === "node_modules") continue;
     const fullPath = path.join(dir, entry.name);
     if (entry.isDirectory()) {
       modules.push(...discoverModules(fullPath, base ? `${base}/${entry.name}` : entry.name));
-    } else if (EXTENSIONS.includes(path.extname(entry.name))) {
+    } else if (EXTENSIONS.includes(path.extname(entry.name)) && !entry.name.endsWith(".d.ts")) {
       const nameWithoutExt = entry.name.replace(/\.(ts|tsx|js|jsx)$/, "");
       const routePath = nameWithoutExt === "index"
         ? base  // index.ts → directory path ("" for root)
@@ -391,16 +396,21 @@ const wranglerLines = [
   ``,
 ];
 
-// Add static assets configuration if main is specified
+// Add static assets configuration if main is specified and directory exists
 if (assetsDir) {
   const normalizedAssetsDir = assetsDir.startsWith("./") ? assetsDir : `./${assetsDir}`;
-  wranglerLines.push(
-    `[assets]`,
-    `directory = "${normalizedAssetsDir}"`,
-    `binding = "ASSETS"`,
-    `run_worker_first = true`,
-    ``,
-  );
+  const absoluteAssetsDir = path.resolve(cwd, normalizedAssetsDir);
+  if (fs.existsSync(absoluteAssetsDir)) {
+    wranglerLines.push(
+      `[assets]`,
+      `directory = "${normalizedAssetsDir}"`,
+      `binding = "ASSETS"`,
+      `run_worker_first = true`,
+      ``,
+    );
+  } else {
+    console.log(`Note: Assets directory "${normalizedAssetsDir}" not found. Run "vite build" first to enable static assets.`);
+  }
 }
 
 // Add Durable Objects for shared state
@@ -465,16 +475,252 @@ export const d1Bindings = ${JSON.stringify(allD1Bindings)};
 export const r2Bindings = ${JSON.stringify(r2Bindings)};
 export const kvBindings = ${JSON.stringify(kvBindings)};
 export const authConfig = ${JSON.stringify(authConfig)};
+export const securityConfig = ${JSON.stringify({ access: { origin: allowedOrigins } })};
 `;
 fs.writeFileSync(configPath, configContent);
 
 const wranglerPath = path.join(cwd, "wrangler.toml");
 fs.writeFileSync(wranglerPath, wranglerLines.join("\n"));
 
+// --- Generate .export-client.d.ts ---
+
+const clientDtsLines = [
+  `// Auto-generated client type definitions. Do not edit manually.`,
+  ``,
+  `/** D1 query result from tagged template literal */`,
+  `export interface ExportD1Query<T = Record<string, unknown>> {`,
+  `  /** Execute query and return all results */`,
+  `  all(): Promise<{ results: T[]; success: boolean; meta: object }>;`,
+  `  /** Execute query and return first result */`,
+  `  first<K extends keyof T>(colName?: K): Promise<K extends keyof T ? T[K] : T | null>;`,
+  `  /** Execute query without returning results */`,
+  `  run(): Promise<{ success: boolean; meta: object }>;`,
+  `  /** Execute query and return raw array results */`,
+  `  raw<K extends keyof T = keyof T>(): Promise<K extends keyof T ? T[K][] : unknown[][]>;`,
+  `  /** Thenable - defaults to .all() */`,
+  `  then<TResult = { results: T[]; success: boolean; meta: object }>(`,
+  `    onfulfilled?: (value: { results: T[]; success: boolean; meta: object }) => TResult | PromiseLike<TResult>,`,
+  `    onrejected?: (reason: any) => TResult | PromiseLike<TResult>`,
+  `  ): Promise<TResult>;`,
+  `}`,
+  ``,
+  `/** D1 database proxy - use as tagged template literal */`,
+  `export interface ExportD1Proxy {`,
+  `  <T = Record<string, unknown>>(strings: TemplateStringsArray, ...values: unknown[]): ExportD1Query<T>;`,
+  `}`,
+  ``,
+  `/** R2 object metadata */`,
+  `export interface ExportR2ObjectMeta {`,
+  `  key: string;`,
+  `  size: number;`,
+  `  etag: string;`,
+  `  httpEtag: string;`,
+  `  uploaded: Date;`,
+  `  httpMetadata?: Record<string, string>;`,
+  `  customMetadata?: Record<string, string>;`,
+  `}`,
+  ``,
+  `/** R2 object with body */`,
+  `export interface ExportR2Object extends ExportR2ObjectMeta {`,
+  `  body: ReadableStream<Uint8Array>;`,
+  `  bodyUsed: boolean;`,
+  `  arrayBuffer(): Promise<ArrayBuffer>;`,
+  `  text(): Promise<string>;`,
+  `  json<T = unknown>(): Promise<T>;`,
+  `  blob(): Promise<Blob>;`,
+  `}`,
+  ``,
+  `/** R2 list result */`,
+  `export interface ExportR2ListResult {`,
+  `  objects: ExportR2ObjectMeta[];`,
+  `  truncated: boolean;`,
+  `  cursor?: string;`,
+  `  delimitedPrefixes: string[];`,
+  `}`,
+  ``,
+  `/** R2 bucket proxy */`,
+  `export interface ExportR2Proxy {`,
+  `  get(key: string, options?: { type?: "arrayBuffer" | "text" | "json" | "stream" }): Promise<ExportR2Object | null>;`,
+  `  put(key: string, value: string | ArrayBuffer | ReadableStream | Blob, options?: {`,
+  `    httpMetadata?: Record<string, string>;`,
+  `    customMetadata?: Record<string, string>;`,
+  `  }): Promise<ExportR2ObjectMeta>;`,
+  `  delete(key: string | string[]): Promise<void>;`,
+  `  list(options?: {`,
+  `    prefix?: string;`,
+  `    limit?: number;`,
+  `    cursor?: string;`,
+  `    delimiter?: string;`,
+  `    include?: ("httpMetadata" | "customMetadata")[];`,
+  `  }): Promise<ExportR2ListResult>;`,
+  `  head(key: string): Promise<ExportR2ObjectMeta | null>;`,
+  `}`,
+  ``,
+  `/** KV list result */`,
+  `export interface ExportKVListResult {`,
+  `  keys: { name: string; expiration?: number; metadata?: unknown }[];`,
+  `  list_complete: boolean;`,
+  `  cursor?: string;`,
+  `}`,
+  ``,
+  `/** KV namespace proxy */`,
+  `export interface ExportKVProxy {`,
+  `  get<T = string>(key: string, options?: { type?: "text" | "json" | "arrayBuffer" | "stream"; cacheTtl?: number }): Promise<T | null>;`,
+  `  put(key: string, value: string | ArrayBuffer | ReadableStream, options?: {`,
+  `    expiration?: number;`,
+  `    expirationTtl?: number;`,
+  `    metadata?: unknown;`,
+  `  }): Promise<void>;`,
+  `  delete(key: string): Promise<void>;`,
+  `  list(options?: {`,
+  `    prefix?: string;`,
+  `    limit?: number;`,
+  `    cursor?: string;`,
+  `  }): Promise<ExportKVListResult>;`,
+  `  getWithMetadata<T = string, M = unknown>(key: string, options?: { type?: "text" | "json" | "arrayBuffer" | "stream"; cacheTtl?: number }): Promise<{`,
+  `    value: T | null;`,
+  `    metadata: M | null;`,
+  `  }>;`,
+  `}`,
+  ``,
+  `/** Auth sign-in methods */`,
+  `export interface ExportAuthSignIn {`,
+  `  /** Sign in with OAuth provider */`,
+  `  social(provider: string, options?: { callbackURL?: string; scopes?: string[] }): Promise<{ redirectUrl?: string; token?: string; user?: object }>;`,
+  `  /** Sign in with email and password */`,
+  `  email(email: string, password: string, options?: object): Promise<{ success: boolean; token?: string; user?: object; error?: string }>;`,
+  `}`,
+  ``,
+  `/** Auth sign-up methods */`,
+  `export interface ExportAuthSignUp {`,
+  `  /** Sign up with email, password, and name */`,
+  `  email(email: string, password: string, name?: string, options?: object): Promise<{ success: boolean; token?: string; user?: object; error?: string }>;`,
+  `}`,
+  ``,
+  `/** Auth session */`,
+  `export interface ExportAuthSession {`,
+  `  token: string;`,
+  `  userId: string;`,
+  `  expiresAt: Date;`,
+  `}`,
+  ``,
+  `/** Auth user */`,
+  `export interface ExportAuthUser {`,
+  `  id: string;`,
+  `  email: string;`,
+  `  name?: string;`,
+  `  image?: string;`,
+  `  emailVerified: boolean;`,
+  `  createdAt: Date;`,
+  `  updatedAt: Date;`,
+  `}`,
+  ``,
+  `/** Auth client proxy */`,
+  `export interface ExportAuthProxy {`,
+  `  signIn: ExportAuthSignIn;`,
+  `  signUp: ExportAuthSignUp;`,
+  `  signOut(): Promise<{ success: boolean }>;`,
+  `  getSession(): Promise<ExportAuthSession | null>;`,
+  `  getUser(): Promise<ExportAuthUser | null>;`,
+  `  setToken(token: string): Promise<{ success: boolean }>;`,
+  `  readonly isAuthenticated: boolean;`,
+  `}`,
+  ``,
+];
+
+// Generate D1 type mapping
+if (allD1Bindings.length > 0) {
+  clientDtsLines.push(`/** D1 database bindings */`);
+  clientDtsLines.push(`export interface ExportD1Bindings {`);
+  for (const name of allD1Bindings) {
+    clientDtsLines.push(`  ${name}: ExportD1Proxy;`);
+  }
+  clientDtsLines.push(`}`);
+  clientDtsLines.push(``);
+} else {
+  clientDtsLines.push(`export interface ExportD1Bindings {}`);
+  clientDtsLines.push(``);
+}
+
+// Generate R2 type mapping
+if (r2Bindings.length > 0) {
+  clientDtsLines.push(`/** R2 bucket bindings */`);
+  clientDtsLines.push(`export interface ExportR2Bindings {`);
+  for (const name of r2Bindings) {
+    clientDtsLines.push(`  ${name}: ExportR2Proxy;`);
+  }
+  clientDtsLines.push(`}`);
+  clientDtsLines.push(``);
+} else {
+  clientDtsLines.push(`export interface ExportR2Bindings {}`);
+  clientDtsLines.push(``);
+}
+
+// Generate KV type mapping
+if (kvBindings.length > 0) {
+  clientDtsLines.push(`/** KV namespace bindings */`);
+  clientDtsLines.push(`export interface ExportKVBindings {`);
+  for (const name of kvBindings) {
+    clientDtsLines.push(`  ${name}: ExportKVProxy;`);
+  }
+  clientDtsLines.push(`}`);
+  clientDtsLines.push(``);
+} else {
+  clientDtsLines.push(`export interface ExportKVBindings {}`);
+  clientDtsLines.push(``);
+}
+
+// Generate main client interface
+clientDtsLines.push(`/** Export client with typed storage bindings */`);
+clientDtsLines.push(`export interface ExportClient {`);
+clientDtsLines.push(`  d1: ExportD1Bindings;`);
+clientDtsLines.push(`  r2: ExportR2Bindings;`);
+clientDtsLines.push(`  kv: ExportKVBindings;`);
+clientDtsLines.push(`  auth: ${authConfig ? 'ExportAuthProxy' : 'null'};`);
+clientDtsLines.push(`}`);
+clientDtsLines.push(``);
+clientDtsLines.push(`declare const client: ExportClient;`);
+clientDtsLines.push(`export default client;`);
+clientDtsLines.push(``);
+
+const clientDtsPath = path.join(cwd, ".export-client.d.ts");
+fs.writeFileSync(clientDtsPath, clientDtsLines.join("\n"));
+
+// --- Generate export.d.ts (module declaration helper) ---
+
+const moduleDtsLines = [
+  `// Type declarations for your export worker.`,
+  `// Update the URL to match your deployed worker or local dev server.`,
+  `//`,
+  `// Usage in your client code:`,
+  `//   import client, { myFunction } from "https://my-worker.workers.dev";`,
+  `//   const result = await client.d1.MY_DB\`SELECT * FROM users\`;`,
+  ``,
+  `declare module "http://localhost:8787" {`,
+  `  export * from "./.export-client";`,
+  `  export { default } from "./.export-client";`,
+  `}`,
+  ``,
+  `// Add more module declarations for your deployed URLs:`,
+  `// declare module "https://my-worker.workers.dev" {`,
+  `//   export * from "./.export-client";`,
+  `//   export { default } from "./.export-client";`,
+  `// }`,
+  ``,
+];
+
+const moduleDtsPath = path.join(cwd, "export.d.ts");
+// Only write if it doesn't exist (user may have customized it)
+if (!fs.existsSync(moduleDtsPath)) {
+  fs.writeFileSync(moduleDtsPath, moduleDtsLines.join("\n"));
+  console.log("Generated module declarations →", moduleDtsPath);
+}
+
 // --- Output summary ---
 
 console.log(`Discovered ${modules.length} module(s): ${modules.map(m => m.routePath || "/").join(", ")}`);
 console.log("Generated type definitions + minified core →", outPath);
 console.log("Generated module map →", moduleMapPath);
 console.log("Generated shared import module →", sharedModulePath);
+console.log("Generated client types →", clientDtsPath);
 console.log("Generated wrangler.toml →", wranglerPath);

package/handler.js

@@ -5,14 +5,14 @@ import { handleAuthRoute, getSessionFromRequest, verifySession } from "./auth.js
 
 const JS = "application/javascript; charset=utf-8";
 const TS = "application/typescript; charset=utf-8";
-const CORS = { "Access-Control-Allow-Origin": "*" };
 const IMMUTABLE = "public, max-age=31536000, immutable";
 
-const jsResponse = (body, extra = {}) =>
-  new Response(body, { headers: { "Content-Type": JS, ...CORS, ...extra } });
-
-const tsResponse = (body, status = 200) =>
-  new Response(body, { status, headers: { "Content-Type": TS, ...CORS, "Cache-Control": "no-cache" } });
+const createResponseHelpers = (corsHeaders) => ({
+  jsResponse: (body, extra = {}) =>
+    new Response(body, { headers: { "Content-Type": JS, ...corsHeaders, ...extra } }),
+  tsResponse: (body, status = 200) =>
+    new Response(body, { status, headers: { "Content-Type": TS, ...corsHeaders, "Cache-Control": "no-cache" } }),
+});
 
 export const createHandler = (moduleMap, generatedTypes, minifiedCore, coreId, minifiedSharedCore, exportConfig = {}) => {
   // moduleMap: { routePath: moduleNamespace, ... }
@@ -28,7 +28,33 @@ export const createHandler = (moduleMap, generatedTypes, minifiedCore, coreId, m
   }
 
   // Export configuration
-  const { d1Bindings = [], r2Bindings = [], kvBindings = [], authConfig = null } = exportConfig;
+  const { d1Bindings = [], r2Bindings = [], kvBindings = [], authConfig = null, securityConfig = {} } = exportConfig;
+
+  // Security: allowed origins (empty array = allow all)
+  const allowedOrigins = securityConfig?.access?.origin || [];
+  const hasOriginRestriction = allowedOrigins.length > 0;
+
+  // Check if origin is allowed
+  const isOriginAllowed = (origin) => {
+    if (!hasOriginRestriction) return true;
+    if (!origin) return false;
+    return allowedOrigins.includes(origin);
+  };
+
+  // Get CORS headers for a request
+  const getCorsHeaders = (request) => {
+    const origin = request.headers.get("Origin");
+    if (!hasOriginRestriction) {
+      return { "Access-Control-Allow-Origin": "*" };
+    }
+    if (origin && isOriginAllowed(origin)) {
+      return {
+        "Access-Control-Allow-Origin": origin,
+        "Vary": "Origin",
+      };
+    }
+    return {};
+  };
   const hasClient = d1Bindings.length > 0 || r2Bindings.length > 0 || kvBindings.length > 0 || authConfig;
 
   // Generate core code with config
@@ -331,9 +357,24 @@ export const createHandler = (moduleMap, generatedTypes, minifiedCore, coreId, m
     async fetch(request, env) {
       const url = new URL(request.url);
       const isShared = url.searchParams.has("shared");
+      const origin = request.headers.get("Origin");
+
+      // --- Origin check ---
+      if (hasOriginRestriction && origin && !isOriginAllowed(origin)) {
+        return new Response("Forbidden: Origin not allowed", { status: 403 });
+      }
+
+      // Get CORS headers for this request
+      const corsHeaders = getCorsHeaders(request);
+      const { jsResponse, tsResponse } = createResponseHelpers(corsHeaders);
 
       // --- WebSocket upgrade ---
       if (request.headers.get("Upgrade") === "websocket") {
+        // Origin check for WebSocket (browsers send Origin header)
+        if (hasOriginRestriction && origin && !isOriginAllowed(origin)) {
+          return new Response("Forbidden: Origin not allowed", { status: 403 });
+        }
+
         const pair = new WebSocketPair();
         const [client, server] = Object.values(pair);
         server.accept();
@@ -393,7 +434,7 @@ export const createHandler = (moduleMap, generatedTypes, minifiedCore, coreId, m
         if (env?.ASSETS) {
           return env.ASSETS.fetch(request);
         }
-        return new Response("Not found", { status: 404 });
+        return new Response("Not found", { status: 404, headers: corsHeaders });
       }
 
       const { route, exportName } = resolved;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "export-runtime",
-  "version": "0.0.13",
+  "version": "0.0.15",
   "description": "Cloudflare Workers ESM Export Framework Runtime",
   "keywords": [
     "cloudflare",