npm - export-runtime - Versions diffs - 0.0.14 → 0.0.16 - Mend

export-runtime 0.0.14 → 0.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/bin/generate-types.mjs CHANGED Viewed

@@ -42,6 +42,11 @@ const r2Bindings = cloudflareConfig.r2 || [];
 const kvBindings = cloudflareConfig.kv || [];
 const authConfig = cloudflareConfig.auth || null;
+// Optional: Security configuration
+const securityConfig = pkg.security || {};
+const accessConfig = securityConfig.access || {};
+const allowedOrigins = accessConfig.origin || []; // empty = allow all (default Workers behavior)
 // Auth requires a D1 database for better-auth
 const allD1Bindings = [...d1Bindings];
 if (authConfig && !allD1Bindings.includes("AUTH_DB")) {
@@ -81,11 +86,11 @@ function discoverModules(dir, base = "") {
   const modules = [];
   if (!fs.existsSync(dir)) return modules;
   for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
-    if (entry.name.startsWith("_") || entry.name.startsWith(".")) continue;
+    if (entry.name.startsWith("_") || entry.name.startsWith(".") || entry.name === "node_modules") continue;
     const fullPath = path.join(dir, entry.name);
     if (entry.isDirectory()) {
       modules.push(...discoverModules(fullPath, base ? `${base}/${entry.name}` : entry.name));
-    } else if (EXTENSIONS.includes(path.extname(entry.name))) {
+    } else if (EXTENSIONS.includes(path.extname(entry.name)) && !entry.name.endsWith(".d.ts")) {
       const nameWithoutExt = entry.name.replace(/\.(ts|tsx|js|jsx)$/, "");
       const routePath = nameWithoutExt === "index"
         ? base  // index.ts → directory path ("" for root)
@@ -391,16 +396,21 @@ const wranglerLines = [
   ``,
 ];
-// Add static assets configuration if main is specified
+// Add static assets configuration if main is specified and directory exists
 if (assetsDir) {
   const normalizedAssetsDir = assetsDir.startsWith("./") ? assetsDir : `./${assetsDir}`;
-  wranglerLines.push(
-    `[assets]`,
-    `directory = "${normalizedAssetsDir}"`,
-    `binding = "ASSETS"`,
-    `run_worker_first = true`,
-    ``,
-  );
+  const absoluteAssetsDir = path.resolve(cwd, normalizedAssetsDir);
+  if (fs.existsSync(absoluteAssetsDir)) {
+    wranglerLines.push(
+      `[assets]`,
+      `directory = "${normalizedAssetsDir}"`,
+      `binding = "ASSETS"`,
+      `run_worker_first = true`,
+      ``,
+    );
+  } else {
+    console.log(`Note: Assets directory "${normalizedAssetsDir}" not found. Run "vite build" first to enable static assets.`);
+  }
 }
 // Add Durable Objects for shared state
@@ -465,6 +475,7 @@ export const d1Bindings = ${JSON.stringify(allD1Bindings)};
 export const r2Bindings = ${JSON.stringify(r2Bindings)};
 export const kvBindings = ${JSON.stringify(kvBindings)};
 export const authConfig = ${JSON.stringify(authConfig)};
+export const securityConfig = ${JSON.stringify({ access: { origin: allowedOrigins } })};
 `;
 fs.writeFileSync(configPath, configContent);

package/handler.js CHANGED Viewed

@@ -5,14 +5,14 @@ import { handleAuthRoute, getSessionFromRequest, verifySession } from "./auth.js
 const JS = "application/javascript; charset=utf-8";
 const TS = "application/typescript; charset=utf-8";
-const CORS = { "Access-Control-Allow-Origin": "*" };
 const IMMUTABLE = "public, max-age=31536000, immutable";
-const jsResponse = (body, extra = {}) =>
-  new Response(body, { headers: { "Content-Type": JS, ...CORS, ...extra } });
-const tsResponse = (body, status = 200) =>
-  new Response(body, { status, headers: { "Content-Type": TS, ...CORS, "Cache-Control": "no-cache" } });
+const createResponseHelpers = (corsHeaders) => ({
+  jsResponse: (body, extra = {}) =>
+    new Response(body, { headers: { "Content-Type": JS, ...corsHeaders, ...extra } }),
+  tsResponse: (body, status = 200) =>
+    new Response(body, { status, headers: { "Content-Type": TS, ...corsHeaders, "Cache-Control": "no-cache" } }),
+});
 export const createHandler = (moduleMap, generatedTypes, minifiedCore, coreId, minifiedSharedCore, exportConfig = {}) => {
   // moduleMap: { routePath: moduleNamespace, ... }
@@ -28,7 +28,33 @@ export const createHandler = (moduleMap, generatedTypes, minifiedCore, coreId, m
   }
   // Export configuration
-  const { d1Bindings = [], r2Bindings = [], kvBindings = [], authConfig = null } = exportConfig;
+  const { d1Bindings = [], r2Bindings = [], kvBindings = [], authConfig = null, securityConfig = {} } = exportConfig;
+  // Security: allowed origins (empty array = allow all)
+  const allowedOrigins = securityConfig?.access?.origin || [];
+  const hasOriginRestriction = allowedOrigins.length > 0;
+  // Check if origin is allowed
+  const isOriginAllowed = (origin) => {
+    if (!hasOriginRestriction) return true;
+    if (!origin) return false;
+    return allowedOrigins.includes(origin);
+  };
+  // Get CORS headers for a request
+  const getCorsHeaders = (request) => {
+    const origin = request.headers.get("Origin");
+    if (!hasOriginRestriction) {
+      return { "Access-Control-Allow-Origin": "*" };
+    }
+    if (origin && isOriginAllowed(origin)) {
+      return {
+        "Access-Control-Allow-Origin": origin,
+        "Vary": "Origin",
+      };
+    }
+    return {};
+  };
   const hasClient = d1Bindings.length > 0 || r2Bindings.length > 0 || kvBindings.length > 0 || authConfig;
   // Generate core code with config
@@ -70,9 +96,8 @@ export const createHandler = (moduleMap, generatedTypes, minifiedCore, coreId, m
     const namedExports = keys
       .map((key) => `export const ${key} = createProxy([${JSON.stringify(route)}, ${JSON.stringify(key)}]);`)
       .join("\n");
-    // Include default export (client) if configured
-    const defaultExport = hasClient ? `\nexport { default } from ".${cpath}";` : "";
-    return `import { createProxy } from ".${cpath}";\n${namedExports}${defaultExport}`;
+    // Always include default export (client) - it will be null if no bindings configured
+    return `import { createProxy } from ".${cpath}";\nexport { default } from ".${cpath}";\n${namedExports}`;
   };
   const buildExportModule = (cpath, route, name) =>
@@ -331,9 +356,24 @@ export const createHandler = (moduleMap, generatedTypes, minifiedCore, coreId, m
     async fetch(request, env) {
       const url = new URL(request.url);
       const isShared = url.searchParams.has("shared");
+      const origin = request.headers.get("Origin");
+      // --- Origin check ---
+      if (hasOriginRestriction && origin && !isOriginAllowed(origin)) {
+        return new Response("Forbidden: Origin not allowed", { status: 403 });
+      }
+      // Get CORS headers for this request
+      const corsHeaders = getCorsHeaders(request);
+      const { jsResponse, tsResponse } = createResponseHelpers(corsHeaders);
       // --- WebSocket upgrade ---
       if (request.headers.get("Upgrade") === "websocket") {
+        // Origin check for WebSocket (browsers send Origin header)
+        if (hasOriginRestriction && origin && !isOriginAllowed(origin)) {
+          return new Response("Forbidden: Origin not allowed", { status: 403 });
+        }
         const pair = new WebSocketPair();
         const [client, server] = Object.values(pair);
         server.accept();
@@ -393,7 +433,7 @@ export const createHandler = (moduleMap, generatedTypes, minifiedCore, coreId, m
         if (env?.ASSETS) {
           return env.ASSETS.fetch(request);
         }
-        return new Response("Not found", { status: 404 });
+        return new Response("Not found", { status: 404, headers: corsHeaders });
       }
       const { route, exportName } = resolved;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "export-runtime",
-  "version": "0.0.14",
+  "version": "0.0.16",
   "description": "Cloudflare Workers ESM Export Framework Runtime",
   "keywords": [
     "cloudflare",