headroom-cms 0.1.10 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -6
- package/admin/.well-known/headroom.json +9 -0
- package/admin/assets/{AdminsPage-BIWASote.js → AdminsPage-DUMTsCEp.js} +1 -1
- package/admin/assets/{AllContentPage-1gXe2OC7.js → AllContentPage-D5ey5AOV.js} +1 -1
- package/admin/assets/{ApiKeysPage-BBW4ATBx.js → ApiKeysPage-CzUOSoz_.js} +1 -1
- package/admin/assets/{AuditPage-B5GGFWGG.js → AuditPage-CYAg4dbI.js} +1 -1
- package/admin/assets/BackupsPage-04_oMy3v.js +1 -0
- package/admin/assets/{BlockEditor-ClskiZoX.js → BlockEditor-s0CRZsjy.js} +3 -3
- package/admin/assets/BlockTypeEditPage-D1OFIlJZ.js +1 -0
- package/admin/assets/{BlockTypesPage-D8Me6OeX.js → BlockTypesPage-cJNR25fN.js} +1 -1
- package/admin/assets/{BulkActionBar--35xjnOP.js → BulkActionBar-BWysX7Wo.js} +1 -1
- package/admin/assets/CollectionEditPage-DRmCA_73.js +1 -0
- package/admin/assets/{CollectionsPage-BQmGXpvW.js → CollectionsPage-CeQB5e9u.js} +1 -1
- package/admin/assets/{ContentCreatePage-DlgxamOe.js → ContentCreatePage-Cq8Pi8EF.js} +1 -1
- package/admin/assets/ContentEditPage-CEJ7I3WH.js +1 -0
- package/admin/assets/{ContentField-D04Uo1Ov.js → ContentField-BZT4OUfI.js} +1 -1
- package/admin/assets/ContentListPage-BCEQrYVs.js +1 -0
- package/admin/assets/{CustomBlockPreview-Cs9bFDh4.js → CustomBlockPreview-Kc6bb3oq.js} +1 -1
- package/admin/assets/FieldRenderer-CT-DgCbC.js +2 -0
- package/admin/assets/FileTypeIcon-CNHtffHC.js +1 -0
- package/admin/assets/FloatingComposerController-D4uLQfUX-0_Y8mkGU.js +1 -0
- package/admin/assets/IconPicker-BpPlHJO0.js +3 -0
- package/admin/assets/{LoginPage-Bi7TBzK4.js → LoginPage-Dya8sF_P.js} +1 -1
- package/admin/assets/MediaField-C3qFf3g5.js +1 -0
- package/admin/assets/MediaPage-BNxc0wLq.js +1 -0
- package/admin/assets/{Pagination-CuHwUPHi.js → Pagination-Dx8h11Rn.js} +1 -1
- package/admin/assets/{RelationshipPicker-Dv7GaLcU.js → RelationshipPicker-C2MTxrhl.js} +1 -1
- package/admin/assets/{SiteSettingsPage-nBT7NzkA.js → SiteSettingsPage-BDZaUBmf.js} +1 -1
- package/admin/assets/{SiteUserEditPage-DroUTii9.js → SiteUserEditPage-MfzhPW7v.js} +1 -1
- package/admin/assets/{SiteUsersPage-iVXPCBPe.js → SiteUsersPage-CrYugXpx.js} +1 -1
- package/admin/assets/{SitesPage-BefZeWuJ.js → SitesPage-Cl8V3Hb7.js} +1 -1
- package/admin/assets/SubmissionDetailPage-BnVlsGb-.js +1 -0
- package/admin/assets/SubmissionEditPage-B0Kq52fb.js +1 -0
- package/admin/assets/SubmissionListPage-K665VwMp.js +1 -0
- package/admin/assets/{TagInput-d-Hw1fkL.js → TagInput-C6tcB5Xw.js} +1 -1
- package/admin/assets/{TagsPage-BZzDvcKa.js → TagsPage-BONR6bSu.js} +1 -1
- package/admin/assets/{UsersPage-CnQAOOGF.js → UsersPage-C2iCy0UR.js} +1 -1
- package/admin/assets/{WebhookEditPage-KeS8hmdW.js → WebhookEditPage-DjZFxT72.js} +1 -1
- package/admin/assets/{WebhooksPage-CASjmlPN.js → WebhooksPage-g_a224a4.js} +1 -1
- package/admin/assets/{card-CZTHR2Qa.js → card-DlfsF8lU.js} +1 -1
- package/admin/assets/{checkbox-DEgzM8H9.js → checkbox-BX8EcGFf.js} +1 -1
- package/admin/assets/{command-CdzYw11U.js → command-DaTsImUa.js} +1 -1
- package/admin/assets/{contentStatus-CkPi9Dh6.js → contentStatus-WXGfd7vX.js} +1 -1
- package/admin/assets/format-BRcflvs9.js +1 -0
- package/admin/assets/index-9sbb3-yI.css +1 -0
- package/admin/assets/{index-BA3y7HJs.js → index-DC1UyCW2.js} +10 -10
- package/admin/assets/listCellValue-CBqXAwce.js +1 -0
- package/admin/assets/media-url-DdCoIedP.js +1 -0
- package/admin/assets/{popover-BFw_h3j6.js → popover-BA-47SRI.js} +1 -1
- package/admin/assets/{select-dX9e6VDt.js → select-waaVyoQ5.js} +1 -1
- package/admin/assets/serializeToText-CjHhyvXp.js +2 -0
- package/admin/assets/{table-Dk7eeOt2.js → table-Br-QgtTL.js} +1 -1
- package/admin/assets/{textarea-CpDSUg2s.js → textarea-BILv1DQB.js} +1 -1
- package/admin/assets/useAdminResolver-CbDzGoDp.js +1 -0
- package/admin/assets/useContent-Bp4f9qe0.js +1 -0
- package/admin/assets/{useContentSearch-_bwacEth.js → useContentSearch-DbiA8aG-.js} +1 -1
- package/admin/assets/{usePageTitle-DYvuJQp6.js → usePageTitle-DOEFrHbj.js} +1 -1
- package/admin/assets/{useSiteUsers-CKtC_8Jc.js → useSiteUsers-BFYAbJNT.js} +1 -1
- package/admin/assets/{useTags-ybsMbCst.js → useTags-DJlXwDyc.js} +1 -1
- package/admin/assets/{useWebhooks-BAB-3sLa.js → useWebhooks-BkpJKNLN.js} +1 -1
- package/admin/favicon-16x16.png +0 -0
- package/admin/favicon-32x32.png +0 -0
- package/admin/icons/icon-180x180.png +0 -0
- package/admin/icons/icon-192x192.png +0 -0
- package/admin/icons/icon-512x512.png +0 -0
- package/admin/icons/maskable-icon-512x512.png +0 -0
- package/admin/index.html +2 -2
- package/admin/sw.js +1 -1
- package/admin/workbox-362996ec.js +1 -0
- package/dist/admin-site.d.ts +4 -2
- package/dist/admin-site.d.ts.map +1 -1
- package/dist/admin-site.js +49 -6
- package/dist/admin-site.js.map +1 -1
- package/dist/api.d.ts +2 -0
- package/dist/api.d.ts.map +1 -1
- package/dist/api.js +57 -5
- package/dist/api.js.map +1 -1
- package/dist/backup.d.ts +29 -0
- package/dist/backup.d.ts.map +1 -0
- package/dist/backup.js +95 -0
- package/dist/backup.js.map +1 -0
- package/dist/cdn-api.d.ts +25 -0
- package/dist/cdn-api.d.ts.map +1 -0
- package/dist/{cdn.js → cdn-api.js} +27 -158
- package/dist/cdn-api.js.map +1 -0
- package/dist/cdn-media.d.ts +26 -0
- package/dist/cdn-media.d.ts.map +1 -0
- package/dist/cdn-media.js +202 -0
- package/dist/cdn-media.js.map +1 -0
- package/dist/image.d.ts +8 -1
- package/dist/image.d.ts.map +1 -1
- package/dist/image.js +26 -6
- package/dist/image.js.map +1 -1
- package/dist/index.d.ts +18 -3
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +52 -10
- package/dist/index.js.map +1 -1
- package/dist/storage.d.ts +1 -0
- package/dist/storage.d.ts.map +1 -1
- package/dist/storage.js +21 -0
- package/dist/storage.js.map +1 -1
- package/dist/webhooks.d.ts +4 -3
- package/dist/webhooks.d.ts.map +1 -1
- package/dist/webhooks.js +22 -35
- package/dist/webhooks.js.map +1 -1
- package/lambda/api/bootstrap +0 -0
- package/lambda/backup-worker/bootstrap +0 -0
- package/lambda/image-lambda/index.mjs +30 -6
- package/lambda/image-lambda/node_modules/.package-lock.json +3 -3
- package/lambda/image-lambda/node_modules/semver/README.md +19 -4
- package/lambda/image-lambda/node_modules/semver/bin/semver.js +14 -10
- package/lambda/image-lambda/node_modules/semver/classes/range.js +7 -0
- package/lambda/image-lambda/node_modules/semver/functions/truncate.js +48 -0
- package/lambda/image-lambda/node_modules/semver/index.js +2 -0
- package/lambda/image-lambda/node_modules/semver/internal/re.js +1 -1
- package/lambda/image-lambda/node_modules/semver/package.json +3 -3
- package/lambda/image-lambda/node_modules/semver/range.bnf +5 -4
- package/lambda/image-lambda/node_modules/semver/ranges/subset.js +2 -2
- package/lambda/webhook-worker/bootstrap +0 -0
- package/package.json +1 -1
- package/src/admin-site.ts +53 -8
- package/src/api.ts +58 -5
- package/src/backup.ts +114 -0
- package/src/{cdn.ts → cdn-api.ts} +28 -183
- package/src/cdn-media.ts +250 -0
- package/src/image.ts +30 -6
- package/src/index.ts +71 -12
- package/src/sst-env.d.ts +4 -0
- package/src/storage.ts +22 -0
- package/src/webhooks.ts +22 -39
- package/admin/assets/BlockTypeEditPage-CY0gCPei.js +0 -1
- package/admin/assets/CollectionEditPage-y8t0ZO89.js +0 -1
- package/admin/assets/ContentEditPage-WkSbCnnG.js +0 -1
- package/admin/assets/ContentListPage-BDMx7pWb.js +0 -1
- package/admin/assets/FieldRenderer-wE-mtqZB.js +0 -2
- package/admin/assets/FilterBar-kFcOLffg.js +0 -1
- package/admin/assets/FloatingComposerController-D4uLQfUX-C0Lhbmda.js +0 -1
- package/admin/assets/IconPicker-BrgSAsa_.js +0 -3
- package/admin/assets/MediaField-B-Cz8TlK.js +0 -1
- package/admin/assets/MediaPage-C84p9d1U.js +0 -1
- package/admin/assets/SubmissionDetailPage-ktmzzOE1.js +0 -1
- package/admin/assets/SubmissionEditPage-C-ykTI2t.js +0 -1
- package/admin/assets/SubmissionListPage-DA-8deUy.js +0 -1
- package/admin/assets/format-C88SDH8g.js +0 -1
- package/admin/assets/index-c7UygSvP.css +0 -1
- package/admin/assets/media-url-DIg_vSyf.js +0 -1
- package/admin/assets/serializeToText-Zin3gYPm.js +0 -2
- package/admin/assets/useAdminResolver-Bljb4XGQ.js +0 -1
- package/admin/assets/useContent-CW0tm0FY.js +0 -1
- package/admin/assets/useMedia-Cu5N4rY8.js +0 -1
- package/admin/workbox-7d58179f.js +0 -1
- package/dist/cdn.d.ts +0 -27
- package/dist/cdn.d.ts.map +0 -1
- package/dist/cdn.js.map +0 -1
package/dist/webhooks.d.ts
CHANGED
|
@@ -1,8 +1,9 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Webhook Infrastructure
|
|
3
3
|
*
|
|
4
|
-
* 2 DynamoDB tables +
|
|
5
|
-
*
|
|
4
|
+
* 2 DynamoDB tables + webhook worker Lambda (async-invoked by the API) + DLQ
|
|
5
|
+
* (Lambda async on-failure destination). The API directly invokes the worker
|
|
6
|
+
* via lambda:InvokeFunction; there is no SQS queue between them.
|
|
6
7
|
*/
|
|
7
8
|
import type { StorageResources } from "./storage.js";
|
|
8
9
|
export interface WebhookArgs {
|
|
@@ -16,7 +17,7 @@ export interface WebhookArgs {
|
|
|
16
17
|
export declare function createWebhooks(name: string, args: WebhookArgs): {
|
|
17
18
|
webhooks: sst.aws.Dynamo;
|
|
18
19
|
webhookDeliveries: sst.aws.Dynamo;
|
|
19
|
-
|
|
20
|
+
webhookWorker: sst.aws.Function;
|
|
20
21
|
webhookDeliveryDLQ: sst.aws.Queue;
|
|
21
22
|
};
|
|
22
23
|
export type WebhookResources = ReturnType<typeof createWebhooks>;
|
package/dist/webhooks.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"webhooks.d.ts","sourceRoot":"","sources":["../src/webhooks.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"webhooks.d.ts","sourceRoot":"","sources":["../src/webhooks.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAErD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE;QACJ,qDAAqD;QACrD,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW;;;;;EA0E7D;AAED,MAAM,MAAM,gBAAgB,GAAG,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC"}
|
package/dist/webhooks.js
CHANGED
|
@@ -1,8 +1,9 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Webhook Infrastructure
|
|
3
3
|
*
|
|
4
|
-
* 2 DynamoDB tables +
|
|
5
|
-
*
|
|
4
|
+
* 2 DynamoDB tables + webhook worker Lambda (async-invoked by the API) + DLQ
|
|
5
|
+
* (Lambda async on-failure destination). The API directly invokes the worker
|
|
6
|
+
* via lambda:InvokeFunction; there is no SQS queue between them.
|
|
6
7
|
*/
|
|
7
8
|
import path from "path";
|
|
8
9
|
export function createWebhooks(name, args) {
|
|
@@ -21,6 +22,9 @@ export function createWebhooks(name, args) {
|
|
|
21
22
|
primaryIndex: { hashKey: "pk", rangeKey: "sk" },
|
|
22
23
|
ttl: "ttl",
|
|
23
24
|
});
|
|
25
|
+
// DLQ retained as Lambda async OnFailure destination. Lambda writes a
|
|
26
|
+
// failure envelope (not the original payload verbatim) when retries are
|
|
27
|
+
// exhausted. No consumer polls this queue — it's a sink only.
|
|
24
28
|
const webhookDeliveryDLQ = new sst.aws.Queue(`${name}WebhookDeliveryDLQ`, {
|
|
25
29
|
transform: {
|
|
26
30
|
queue: (queueArgs) => {
|
|
@@ -28,22 +32,6 @@ export function createWebhooks(name, args) {
|
|
|
28
32
|
},
|
|
29
33
|
},
|
|
30
34
|
});
|
|
31
|
-
const webhookDeliveryQueue = new sst.aws.Queue(`${name}WebhookDeliveryQueue`, {
|
|
32
|
-
dlq: {
|
|
33
|
-
queue: webhookDeliveryDLQ.arn,
|
|
34
|
-
retry: 5,
|
|
35
|
-
},
|
|
36
|
-
transform: {
|
|
37
|
-
queue: (queueArgs) => {
|
|
38
|
-
queueArgs.visibilityTimeoutSeconds = 60;
|
|
39
|
-
queueArgs.messageRetentionSeconds = 4 * 24 * 60 * 60; // 4 days
|
|
40
|
-
},
|
|
41
|
-
},
|
|
42
|
-
});
|
|
43
|
-
// Webhook worker Lambda: processes SQS messages and delivers webhooks.
|
|
44
|
-
// Note: We use a manual Function + EventSourceMapping instead of
|
|
45
|
-
// queue.subscribe() to avoid a duplicate LambdaEncryptionKey issue
|
|
46
|
-
// caused by SST's dynamic import creating a separate Function class instance.
|
|
47
35
|
const workerConfig = args.dev
|
|
48
36
|
? {
|
|
49
37
|
handler: args.dev.handler,
|
|
@@ -61,30 +49,29 @@ export function createWebhooks(name, args) {
|
|
|
61
49
|
timeout: "30 seconds",
|
|
62
50
|
environment: {
|
|
63
51
|
WEBHOOK_DELIVERIES_TABLE: webhookDeliveries.name,
|
|
64
|
-
WEBHOOKS_TABLE: webhooks.name,
|
|
65
|
-
SITES_TABLE: args.sites.name,
|
|
66
52
|
},
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
"sqs:GetQueueAttributes",
|
|
74
|
-
],
|
|
75
|
-
resources: [webhookDeliveryQueue.arn],
|
|
76
|
-
},
|
|
77
|
-
],
|
|
53
|
+
// webhookDeliveryDLQ is linked so SST auto-grants sqs:SendMessage on the
|
|
54
|
+
// worker's execution role. Lambda async OnFailure delivery uses the
|
|
55
|
+
// function's own role to write the failure envelope to the DLQ — without
|
|
56
|
+
// this grant, AWS accepts the FunctionEventInvokeConfig at deploy time but
|
|
57
|
+
// silently drops failure envelopes at runtime.
|
|
58
|
+
link: [webhookDeliveries, webhookDeliveryDLQ],
|
|
78
59
|
});
|
|
79
|
-
|
|
80
|
-
|
|
60
|
+
// Lambda async retry + DLQ on terminal failure. MaximumRetryAttempts is
|
|
61
|
+
// 0–2 (industry standard for webhook delivery — Stripe/GitHub publish
|
|
62
|
+
// similar caps). Total attempts = initial + 2 retries = 3.
|
|
63
|
+
new aws.lambda.FunctionEventInvokeConfig(`${name}WebhookWorkerAsyncConfig`, {
|
|
81
64
|
functionName: webhookWorker.name,
|
|
82
|
-
|
|
65
|
+
maximumRetryAttempts: 2,
|
|
66
|
+
maximumEventAgeInSeconds: 6 * 60 * 60, // 6 hours
|
|
67
|
+
destinationConfig: {
|
|
68
|
+
onFailure: { destination: webhookDeliveryDLQ.arn },
|
|
69
|
+
},
|
|
83
70
|
});
|
|
84
71
|
return {
|
|
85
72
|
webhooks,
|
|
86
73
|
webhookDeliveries,
|
|
87
|
-
|
|
74
|
+
webhookWorker,
|
|
88
75
|
webhookDeliveryDLQ,
|
|
89
76
|
};
|
|
90
77
|
}
|
package/dist/webhooks.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"webhooks.js","sourceRoot":"","sources":["../src/webhooks.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"webhooks.js","sourceRoot":"","sources":["../src/webhooks.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AAYxB,MAAM,UAAU,cAAc,CAAC,IAAY,EAAE,IAAiB;IAC5D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,UAAU,EAAE;QACrD,MAAM,EAAE;YACN,EAAE,EAAE,QAAQ;YACZ,EAAE,EAAE,QAAQ;SACb;QACD,YAAY,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;KAChD,CAAC,CAAC;IAEH,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,mBAAmB,EAAE;QACvE,MAAM,EAAE;YACN,EAAE,EAAE,QAAQ;YACZ,EAAE,EAAE,QAAQ;SACb;QACD,YAAY,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;QAC/C,GAAG,EAAE,KAAK;KACX,CAAC,CAAC;IAEH,sEAAsE;IACtE,wEAAwE;IACxE,8DAA8D;IAC9D,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,IAAI,oBAAoB,EAAE;QACxE,SAAS,EAAE;YACT,KAAK,EAAE,CAAC,SAAc,EAAE,EAAE;gBACxB,SAAS,CAAC,uBAAuB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;YACnE,CAAC;SACF;KACF,CAAC,CAAC;IAEH,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG;QAC3B,CAAC,CAAC;YACE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO;YACzB,OAAO,EAAE,IAAa;SACvB;QACH,CAAC,CAAC;YACE,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,uBAAuB,CAAC;YACxD,OAAO,EAAE,WAAW;YACpB,OAAO,EAAE,iBAA0B;YACnC,YAAY,EAAE,OAAgB;SAC/B,CAAC;IAEN,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,IAAI,eAAe,EAAE;QACjE,GAAG,YAAY;QACf,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,YAAY;QACrB,WAAW,EAAE;YACX,wBAAwB,EAAE,iBAAiB,CAAC,IAAI;SACjD;QACD,yEAAyE;QACzE,oEAAoE;QACpE,yEAAyE;QACzE,2EAA2E;QAC3E,+CAA+C;QAC/C,IAAI,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;KAC9C,CAAC,CAAC;IAEH,wEAAwE;IACxE,sEAAsE;IACtE,2DAA2D;IAC3D,IAAI,GAAG,CAAC,MAAM,CAAC,yBAAyB,CAAC,GAAG,IAAI,0BAA0B,EAAE;QAC1E,YAAY,EAAE,aAAa,CAAC,IAAI;QAChC,oBAAoB,EAAE,CAAC;QACvB,wBAAwB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU;QACjD,iBAAiB,EAAE;YACjB,SAAS,EAAE,EAAE,WAAW,EAAE,kBAAkB,CAAC,GAAG,EAAE;SACnD;KACF,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ;QACR,iBAAiB;QACjB,aAAa;QACb,kBAAkB;KACnB,CAAC;AACJ,CAAC"}
|
package/lambda/api/bootstrap
CHANGED
|
Binary file
|
|
Binary file
|
|
@@ -4,7 +4,17 @@ import { S3Client, GetObjectCommand, PutObjectCommand } from "@aws-sdk/client-s3
|
|
|
4
4
|
import { createHmac, timingSafeEqual } from "crypto";
|
|
5
5
|
var s3 = new S3Client({});
|
|
6
6
|
var BUCKET = process.env.CONTENT_BUCKET;
|
|
7
|
-
var
|
|
7
|
+
var MASTER_SECRET = process.env.IMAGE_SIGNING_MASTER_SECRET;
|
|
8
|
+
var MASTER_SECRET_OLD = process.env.IMAGE_SIGNING_MASTER_SECRET_OLD;
|
|
9
|
+
var _timingSafeEqualCallCount = { count: 0 };
|
|
10
|
+
function _timingSafeEqual(a, b) {
|
|
11
|
+
_timingSafeEqualCallCount.count++;
|
|
12
|
+
return timingSafeEqual(a, b);
|
|
13
|
+
}
|
|
14
|
+
function deriveSiteSecret(master, siteHost) {
|
|
15
|
+
if (!master) return null;
|
|
16
|
+
return createHmac("sha256", master).update(siteHost).digest("hex").substring(0, 32);
|
|
17
|
+
}
|
|
8
18
|
var MAX_WIDTH = 2048;
|
|
9
19
|
var MAX_HEIGHT = 2048;
|
|
10
20
|
var MAX_PIXELS = 4e6;
|
|
@@ -31,6 +41,11 @@ async function handler(event) {
|
|
|
31
41
|
if (!match) {
|
|
32
42
|
return { statusCode: 400, body: "Invalid image path" };
|
|
33
43
|
}
|
|
44
|
+
const [, site, mediaId, ext] = match;
|
|
45
|
+
const sitePrimary = deriveSiteSecret(MASTER_SECRET, site);
|
|
46
|
+
if (!sitePrimary) {
|
|
47
|
+
return { statusCode: 503, body: "Image transforms not configured" };
|
|
48
|
+
}
|
|
34
49
|
const params = new URLSearchParams(rawQuery);
|
|
35
50
|
const sig = params.get("sig");
|
|
36
51
|
if (!sig) {
|
|
@@ -44,11 +59,18 @@ async function handler(event) {
|
|
|
44
59
|
if (!hasTransform) {
|
|
45
60
|
return { statusCode: 400, body: "No transform requested. Use /media/ path for originals." };
|
|
46
61
|
}
|
|
47
|
-
const
|
|
48
|
-
|
|
62
|
+
const siteOld = deriveSiteSecret(MASTER_SECRET_OLD, site);
|
|
63
|
+
const sigBuf = Buffer.from(sig);
|
|
64
|
+
const expectedPrimary = computeSignature(rawPath, params, sitePrimary);
|
|
65
|
+
const primaryMatch = _timingSafeEqual(sigBuf, Buffer.from(expectedPrimary));
|
|
66
|
+
let oldMatch = false;
|
|
67
|
+
if (siteOld) {
|
|
68
|
+
const expectedOld = computeSignature(rawPath, params, siteOld);
|
|
69
|
+
oldMatch = _timingSafeEqual(sigBuf, Buffer.from(expectedOld));
|
|
70
|
+
}
|
|
71
|
+
if (!primaryMatch && !oldMatch) {
|
|
49
72
|
return { statusCode: 403, body: "Invalid signature" };
|
|
50
73
|
}
|
|
51
|
-
const [, site, mediaId, ext] = match;
|
|
52
74
|
const s3Key = `sites/${site}/media/${mediaId}/original${ext}`;
|
|
53
75
|
const w = clamp(parseInt(params.get("w")) || null, 1, MAX_WIDTH);
|
|
54
76
|
const h = clamp(parseInt(params.get("h")) || null, 1, MAX_HEIGHT);
|
|
@@ -139,11 +161,11 @@ async function handler(event) {
|
|
|
139
161
|
return { statusCode: 500, body: "Image processing failed" };
|
|
140
162
|
}
|
|
141
163
|
}
|
|
142
|
-
function computeSignature(path, params) {
|
|
164
|
+
function computeSignature(path, params, key) {
|
|
143
165
|
const sorted = new URLSearchParams([...params.entries()].sort());
|
|
144
166
|
const qs = sorted.toString();
|
|
145
167
|
const canonical = qs ? `${path}?${qs}` : path;
|
|
146
|
-
return createHmac("sha256",
|
|
168
|
+
return createHmac("sha256", key).update(canonical).digest("hex").substring(0, 32);
|
|
147
169
|
}
|
|
148
170
|
function clamp(val, min, max) {
|
|
149
171
|
if (val == null) return null;
|
|
@@ -180,8 +202,10 @@ export {
|
|
|
180
202
|
MAX_WIDTH,
|
|
181
203
|
PATH_REGEX,
|
|
182
204
|
SHARP_MIME_TYPES,
|
|
205
|
+
_timingSafeEqualCallCount,
|
|
183
206
|
clamp,
|
|
184
207
|
computeSignature,
|
|
208
|
+
deriveSiteSecret,
|
|
185
209
|
extToFormat,
|
|
186
210
|
formatToMime,
|
|
187
211
|
handler
|
|
@@ -97,9 +97,9 @@
|
|
|
97
97
|
"license": "MIT"
|
|
98
98
|
},
|
|
99
99
|
"node_modules/semver": {
|
|
100
|
-
"version": "7.
|
|
101
|
-
"resolved": "https://registry.npmjs.org/semver/-/semver-7.
|
|
102
|
-
"integrity": "sha512-
|
|
100
|
+
"version": "7.8.1",
|
|
101
|
+
"resolved": "https://registry.npmjs.org/semver/-/semver-7.8.1.tgz",
|
|
102
|
+
"integrity": "sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==",
|
|
103
103
|
"license": "ISC",
|
|
104
104
|
"bin": {
|
|
105
105
|
"semver": "bin/semver.js"
|
|
@@ -56,6 +56,7 @@ const semverCompareLoose = require('semver/functions/compare-loose')
|
|
|
56
56
|
const semverCompareBuild = require('semver/functions/compare-build')
|
|
57
57
|
const semverSort = require('semver/functions/sort')
|
|
58
58
|
const semverRsort = require('semver/functions/rsort')
|
|
59
|
+
const semverTruncate = require('semver/functions/truncate')
|
|
59
60
|
|
|
60
61
|
// low-level comparators between versions
|
|
61
62
|
const semverGt = require('semver/functions/gt')
|
|
@@ -399,12 +400,19 @@ nr ::= '0' | ['1'-'9'] ( ['0'-'9'] ) *
|
|
|
399
400
|
tilde ::= '~' partial
|
|
400
401
|
caret ::= '^' partial
|
|
401
402
|
qualifier ::= ( '-' pre )? ( '+' build )?
|
|
402
|
-
pre ::=
|
|
403
|
-
|
|
404
|
-
|
|
405
|
-
|
|
403
|
+
pre ::= prepart ( '.' prepart ) *
|
|
404
|
+
prepart ::= nr | alphanumid
|
|
405
|
+
build ::= buildid ( '.' buildid ) *
|
|
406
|
+
alphanumid ::= ( ['0'-'9'] ) * [-A-Za-z] [-0-9A-Za-z] *
|
|
407
|
+
buildid ::= [-0-9A-Za-z]+
|
|
406
408
|
```
|
|
407
409
|
|
|
410
|
+
Note: Prerelease identifiers (`pre`) use `nr` for numeric parts, which
|
|
411
|
+
disallows leading zeros (e.g., `1.2.3-00` is invalid). Build metadata
|
|
412
|
+
identifiers (`build`) allow any alphanumeric string including leading
|
|
413
|
+
zeros (e.g., `1.2.3+00` is valid). This matches the
|
|
414
|
+
[SemVer 2.0.0 specification](https://semver.org/#spec-item-9).
|
|
415
|
+
|
|
408
416
|
## Functions
|
|
409
417
|
|
|
410
418
|
All methods and classes take a final `options` object argument. All
|
|
@@ -449,6 +457,12 @@ strings that they parse.
|
|
|
449
457
|
or comparators intersect.
|
|
450
458
|
* `parse(v)`: Attempt to parse a string as a semantic version, returning either
|
|
451
459
|
a `SemVer` object or `null`.
|
|
460
|
+
* `truncate(v, releaseType)`: Return the version with components _lower_
|
|
461
|
+
than `releaseType` dropped off, e.g.:
|
|
462
|
+
* `major` removes build & prerelease info and sets minor & patch to 0.
|
|
463
|
+
* `minor` removes build & prerelease info, and sets patch to 0
|
|
464
|
+
* `patch` removes build & prerelease info
|
|
465
|
+
* All prerelease types remove build info only
|
|
452
466
|
|
|
453
467
|
### Comparison
|
|
454
468
|
|
|
@@ -650,6 +664,7 @@ The following modules are available:
|
|
|
650
664
|
* `require('semver/functions/rsort')`
|
|
651
665
|
* `require('semver/functions/satisfies')`
|
|
652
666
|
* `require('semver/functions/sort')`
|
|
667
|
+
* `require('semver/functions/truncate')`
|
|
653
668
|
* `require('semver/functions/valid')`
|
|
654
669
|
* `require('semver/ranges/gtr')`
|
|
655
670
|
* `require('semver/ranges/intersects')`
|
|
@@ -46,6 +46,7 @@ const main = () => {
|
|
|
46
46
|
a = a.slice(0, indexOfEqualSign)
|
|
47
47
|
argv.unshift(value)
|
|
48
48
|
}
|
|
49
|
+
|
|
49
50
|
switch (a) {
|
|
50
51
|
case '-rv': case '-rev': case '--rev': case '--reverse':
|
|
51
52
|
reverse = true
|
|
@@ -60,15 +61,10 @@ const main = () => {
|
|
|
60
61
|
versions.push(argv.shift())
|
|
61
62
|
break
|
|
62
63
|
case '-i': case '--inc': case '--increment':
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
inc = argv.shift()
|
|
68
|
-
break
|
|
69
|
-
default:
|
|
70
|
-
inc = 'patch'
|
|
71
|
-
break
|
|
64
|
+
if (semver.RELEASE_TYPES.includes(argv[0]) || (argv[0] === 'release')) {
|
|
65
|
+
inc = { value: argv.shift(), maybeErrantValue: null, option: a }
|
|
66
|
+
} else {
|
|
67
|
+
inc = { value: 'patch', maybeErrantValue: argv[0], option: a }
|
|
72
68
|
}
|
|
73
69
|
break
|
|
74
70
|
case '--preid':
|
|
@@ -102,6 +98,14 @@ const main = () => {
|
|
|
102
98
|
|
|
103
99
|
options = parseOptions({ loose, includePrerelease, rtl })
|
|
104
100
|
|
|
101
|
+
if (
|
|
102
|
+
inc &&
|
|
103
|
+
versions.includes(inc.maybeErrantValue) &&
|
|
104
|
+
!semver.valid(inc.maybeErrantValue, options)
|
|
105
|
+
) {
|
|
106
|
+
console.warn(`Invalid value for ${inc.option}; defaulting to 'patch'. This may become a failure in future major versions.`)
|
|
107
|
+
}
|
|
108
|
+
|
|
105
109
|
versions = versions.map((v) => {
|
|
106
110
|
return coerce ? (semver.coerce(v, options) || { version: v }).version : v
|
|
107
111
|
}).filter((v) => {
|
|
@@ -125,7 +129,7 @@ const main = () => {
|
|
|
125
129
|
versions
|
|
126
130
|
.sort((a, b) => semver[reverse ? 'rcompare' : 'compare'](a, b, options))
|
|
127
131
|
.map(v => semver.clean(v, options))
|
|
128
|
-
.map(v => inc ? semver.inc(v, inc, options, identifier, identifierBase) : v)
|
|
132
|
+
.map(v => inc ? semver.inc(v, inc.value, options, identifier, identifierBase) : v)
|
|
129
133
|
.forEach(v => console.log(v))
|
|
130
134
|
}
|
|
131
135
|
|
|
@@ -98,6 +98,9 @@ class Range {
|
|
|
98
98
|
}
|
|
99
99
|
|
|
100
100
|
parseRange (range) {
|
|
101
|
+
// strip build metadata so it can't bleed into the version
|
|
102
|
+
range = range.replace(BUILDSTRIPRE, '')
|
|
103
|
+
|
|
101
104
|
// memoize range parsing for performance.
|
|
102
105
|
// this is a very hot path, and fully deterministic.
|
|
103
106
|
const memoOpts =
|
|
@@ -223,6 +226,7 @@ const debug = require('../internal/debug')
|
|
|
223
226
|
const SemVer = require('./semver')
|
|
224
227
|
const {
|
|
225
228
|
safeRe: re,
|
|
229
|
+
src,
|
|
226
230
|
t,
|
|
227
231
|
comparatorTrimReplace,
|
|
228
232
|
tildeTrimReplace,
|
|
@@ -230,6 +234,9 @@ const {
|
|
|
230
234
|
} = require('../internal/re')
|
|
231
235
|
const { FLAG_INCLUDE_PRERELEASE, FLAG_LOOSE } = require('../internal/constants')
|
|
232
236
|
|
|
237
|
+
// unbounded global build-metadata stripper used by parseRange
|
|
238
|
+
const BUILDSTRIPRE = new RegExp(src[t.BUILD], 'g')
|
|
239
|
+
|
|
233
240
|
const isNullSet = c => c.value === '<0.0.0-0'
|
|
234
241
|
const isAny = c => c.value === ''
|
|
235
242
|
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
'use strict'
|
|
2
|
+
|
|
3
|
+
const parse = require('./parse')
|
|
4
|
+
const constants = require('../internal/constants')
|
|
5
|
+
const SemVer = require('../classes/semver')
|
|
6
|
+
|
|
7
|
+
const truncate = (version, truncation, options) => {
|
|
8
|
+
if (!constants.RELEASE_TYPES.includes(truncation)) {
|
|
9
|
+
return null
|
|
10
|
+
}
|
|
11
|
+
|
|
12
|
+
const clonedVersion = cloneInputVersion(version, options)
|
|
13
|
+
return clonedVersion && doTruncation(clonedVersion, truncation)
|
|
14
|
+
}
|
|
15
|
+
|
|
16
|
+
const cloneInputVersion = (version, options) => {
|
|
17
|
+
const versionStringToParse = (
|
|
18
|
+
version instanceof SemVer ? version.version : version
|
|
19
|
+
)
|
|
20
|
+
|
|
21
|
+
return parse(versionStringToParse, options)
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
const doTruncation = (version, truncation) => {
|
|
25
|
+
if (isPrerelease(truncation)) {
|
|
26
|
+
return version.version
|
|
27
|
+
}
|
|
28
|
+
|
|
29
|
+
version.prerelease = []
|
|
30
|
+
|
|
31
|
+
switch (truncation) {
|
|
32
|
+
case 'major':
|
|
33
|
+
version.minor = 0
|
|
34
|
+
version.patch = 0
|
|
35
|
+
break
|
|
36
|
+
case 'minor':
|
|
37
|
+
version.patch = 0
|
|
38
|
+
break
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
return version.format()
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
const isPrerelease = (type) => {
|
|
45
|
+
return type.startsWith('pre')
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
module.exports = truncate
|
|
@@ -28,6 +28,7 @@ const gte = require('./functions/gte')
|
|
|
28
28
|
const lte = require('./functions/lte')
|
|
29
29
|
const cmp = require('./functions/cmp')
|
|
30
30
|
const coerce = require('./functions/coerce')
|
|
31
|
+
const truncate = require('./functions/truncate')
|
|
31
32
|
const Comparator = require('./classes/comparator')
|
|
32
33
|
const Range = require('./classes/range')
|
|
33
34
|
const satisfies = require('./functions/satisfies')
|
|
@@ -66,6 +67,7 @@ module.exports = {
|
|
|
66
67
|
lte,
|
|
67
68
|
cmp,
|
|
68
69
|
coerce,
|
|
70
|
+
truncate,
|
|
69
71
|
Comparator,
|
|
70
72
|
Range,
|
|
71
73
|
satisfies,
|
|
@@ -136,7 +136,7 @@ createToken('LOOSE', `^${src[t.LOOSEPLAIN]}$`)
|
|
|
136
136
|
createToken('GTLT', '((?:<|>)?=?)')
|
|
137
137
|
|
|
138
138
|
// Something like "2.*" or "1.2.x".
|
|
139
|
-
// Note that "x.x" is a valid xRange
|
|
139
|
+
// Note that "x.x" is a valid xRange identifier, meaning "any version"
|
|
140
140
|
// Only the first item is strictly required.
|
|
141
141
|
createToken('XRANGEIDENTIFIERLOOSE', `${src[t.NUMERICIDENTIFIERLOOSE]}|x|X|\\*`)
|
|
142
142
|
createToken('XRANGEIDENTIFIER', `${src[t.NUMERICIDENTIFIER]}|x|X|\\*`)
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "semver",
|
|
3
|
-
"version": "7.
|
|
3
|
+
"version": "7.8.1",
|
|
4
4
|
"description": "The semantic version parser used by npm.",
|
|
5
5
|
"main": "index.js",
|
|
6
6
|
"scripts": {
|
|
@@ -15,7 +15,7 @@
|
|
|
15
15
|
},
|
|
16
16
|
"devDependencies": {
|
|
17
17
|
"@npmcli/eslint-config": "^6.0.0",
|
|
18
|
-
"@npmcli/template-oss": "
|
|
18
|
+
"@npmcli/template-oss": "5.0.0",
|
|
19
19
|
"benchmark": "^2.1.4",
|
|
20
20
|
"tap": "^16.0.0"
|
|
21
21
|
},
|
|
@@ -52,7 +52,7 @@
|
|
|
52
52
|
"author": "GitHub Inc.",
|
|
53
53
|
"templateOSS": {
|
|
54
54
|
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
|
|
55
|
-
"version": "
|
|
55
|
+
"version": "5.0.0",
|
|
56
56
|
"engines": ">=10",
|
|
57
57
|
"distPaths": [
|
|
58
58
|
"classes/",
|
|
@@ -10,7 +10,8 @@ nr ::= '0' | [1-9] ( [0-9] ) *
|
|
|
10
10
|
tilde ::= '~' partial
|
|
11
11
|
caret ::= '^' partial
|
|
12
12
|
qualifier ::= ( '-' pre )? ( '+' build )?
|
|
13
|
-
pre ::=
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
13
|
+
pre ::= prepart ( '.' prepart ) *
|
|
14
|
+
prepart ::= nr | alphanumid
|
|
15
|
+
build ::= buildid ( '.' buildid ) *
|
|
16
|
+
alphanumid ::= ( [0-9] ) * [A-Za-z-] [-0-9A-Za-z] *
|
|
17
|
+
buildid ::= [-0-9A-Za-z]+
|
|
@@ -174,7 +174,7 @@ const simpleSubset = (sub, dom, options) => {
|
|
|
174
174
|
if (higher === c && higher !== gt) {
|
|
175
175
|
return false
|
|
176
176
|
}
|
|
177
|
-
} else if (gt.operator === '>=' && !
|
|
177
|
+
} else if (gt.operator === '>=' && !c.test(gt.semver)) {
|
|
178
178
|
return false
|
|
179
179
|
}
|
|
180
180
|
}
|
|
@@ -192,7 +192,7 @@ const simpleSubset = (sub, dom, options) => {
|
|
|
192
192
|
if (lower === c && lower !== lt) {
|
|
193
193
|
return false
|
|
194
194
|
}
|
|
195
|
-
} else if (lt.operator === '<=' && !
|
|
195
|
+
} else if (lt.operator === '<=' && !c.test(lt.semver)) {
|
|
196
196
|
return false
|
|
197
197
|
}
|
|
198
198
|
}
|
|
Binary file
|
package/package.json
CHANGED
package/src/admin-site.ts
CHANGED
|
@@ -9,13 +9,15 @@
|
|
|
9
9
|
import fs from "fs";
|
|
10
10
|
import path from "path";
|
|
11
11
|
import type { ApiResources } from "./api.js";
|
|
12
|
-
import type {
|
|
12
|
+
import type { ApiCdnResources } from "./cdn-api.js";
|
|
13
|
+
import type { MediaCdnResources } from "./cdn-media.js";
|
|
13
14
|
import type { AuthResources } from "./auth.js";
|
|
14
15
|
import type { CollaborationResources } from "./collaboration.js";
|
|
15
16
|
|
|
16
17
|
export interface AdminSiteArgs {
|
|
17
18
|
api: ApiResources;
|
|
18
|
-
|
|
19
|
+
apiCdn: ApiCdnResources;
|
|
20
|
+
mediaCdn: MediaCdnResources;
|
|
19
21
|
auth: AuthResources;
|
|
20
22
|
collab: CollaborationResources;
|
|
21
23
|
pkgRoot: string;
|
|
@@ -40,7 +42,7 @@ export interface AdminSiteArgs {
|
|
|
40
42
|
}
|
|
41
43
|
|
|
42
44
|
export function createAdminSite(name: string, args: AdminSiteArgs) {
|
|
43
|
-
const { api,
|
|
45
|
+
const { api, mediaCdn, auth, collab } = args;
|
|
44
46
|
// Default ON for backward compat — only emit "false" when explicitly
|
|
45
47
|
// disabled so existing stages without the flag set don't change behaviour.
|
|
46
48
|
const collabEnabledStr = args.collabEnabled === false ? "false" : "true";
|
|
@@ -53,7 +55,18 @@ export function createAdminSite(name: string, args: AdminSiteArgs) {
|
|
|
53
55
|
: undefined;
|
|
54
56
|
|
|
55
57
|
if (args.dev) {
|
|
56
|
-
// Dev mode: standard StaticSite with Vite build
|
|
58
|
+
// Dev mode: standard StaticSite with Vite build.
|
|
59
|
+
//
|
|
60
|
+
// VITE_ADMIN_URL is set from the configured custom domain when present
|
|
61
|
+
// (we know it before the StaticSite is constructed). Without a custom
|
|
62
|
+
// domain the admin URL is only known *after* the StaticSite resolves —
|
|
63
|
+
// which would be circular at the `environment` map. In that case we
|
|
64
|
+
// leave VITE_ADMIN_URL empty; the discovery doc emits adminUrl: "" and
|
|
65
|
+
// the CLI tolerates the empty value. See:
|
|
66
|
+
// steering/CLI_BOOSTRAP_DESIGN.md §1.2 (env-injection circularity)
|
|
67
|
+
const viteAdminUrl = args.domain
|
|
68
|
+
? `https://${args.domain.name}`
|
|
69
|
+
: "";
|
|
57
70
|
const site = new sst.aws.StaticSite(`${name}Admin`, {
|
|
58
71
|
path: args.dev.adminPath,
|
|
59
72
|
dev: {
|
|
@@ -65,12 +78,13 @@ export function createAdminSite(name: string, args: AdminSiteArgs) {
|
|
|
65
78
|
},
|
|
66
79
|
environment: {
|
|
67
80
|
VITE_API_URL: api.api.url,
|
|
68
|
-
|
|
81
|
+
VITE_MEDIA_URL: mediaCdn.url,
|
|
69
82
|
VITE_USER_POOL_ID: auth.userPool.id,
|
|
70
83
|
VITE_USER_POOL_CLIENT_ID: auth.userPoolClient.id,
|
|
71
84
|
VITE_AWS_REGION: aws.getRegionOutput().name,
|
|
72
85
|
VITE_COLLAB_WS_URL: collab.wsUrl,
|
|
73
86
|
VITE_COLLAB_ENABLED: collabEnabledStr,
|
|
87
|
+
VITE_ADMIN_URL: viteAdminUrl,
|
|
74
88
|
},
|
|
75
89
|
domain: domainConfig,
|
|
76
90
|
});
|
|
@@ -88,27 +102,45 @@ export function createAdminSite(name: string, args: AdminSiteArgs) {
|
|
|
88
102
|
fs.mkdirSync(workDir, { recursive: true });
|
|
89
103
|
fs.cpSync(adminSrc, workDir, { recursive: true });
|
|
90
104
|
|
|
105
|
+
// Compute the admin URL for placeholder substitution. When a custom domain
|
|
106
|
+
// is configured, use it directly; otherwise fall back to the CloudFront-
|
|
107
|
+
// distribution URL the StaticSite resolves to. Using `$interpolate` keeps
|
|
108
|
+
// the value as an SST Output until deploy time, where it's safely inlined
|
|
109
|
+
// into the node script via the existing $-interpolated template.
|
|
110
|
+
const adminUrlForSubstitution = args.domain
|
|
111
|
+
? `https://${args.domain.name}`
|
|
112
|
+
: "";
|
|
91
113
|
const site = new sst.aws.StaticSite(`${name}Admin`, {
|
|
92
114
|
path: workDir,
|
|
93
115
|
build: {
|
|
94
|
-
// Replace placeholder env vars in the pre-built JS/HTML files
|
|
116
|
+
// Replace placeholder env vars in the pre-built JS/HTML/discovery files.
|
|
117
|
+
//
|
|
118
|
+
// The walk filter intentionally only matches the exact path
|
|
119
|
+
// `.well-known/headroom.json` (not any *.json) so we don't touch
|
|
120
|
+
// manifest.webmanifest, asset manifests, or other runtime JSON files.
|
|
95
121
|
command: $interpolate`node -e "
|
|
96
122
|
const fs = require('fs');
|
|
97
123
|
const path = require('path');
|
|
98
124
|
const replacements = {
|
|
99
125
|
'__HEADROOM_API_URL__': '${api.api.url}',
|
|
100
|
-
'
|
|
126
|
+
'__HEADROOM_MEDIA_URL__': '${mediaCdn.url}',
|
|
101
127
|
'__HEADROOM_USER_POOL_ID__': '${auth.userPool.id}',
|
|
102
128
|
'__HEADROOM_USER_POOL_CLIENT_ID__': '${auth.userPoolClient.id}',
|
|
103
129
|
'__HEADROOM_AWS_REGION__': '${aws.getRegionOutput().name}',
|
|
104
130
|
'__HEADROOM_COLLAB_WS_URL__': '${collab.wsUrl}',
|
|
105
131
|
'__HEADROOM_COLLAB_ENABLED__': '${collabEnabledStr}',
|
|
132
|
+
'__HEADROOM_ADMIN_URL__': '${adminUrlForSubstitution}',
|
|
106
133
|
};
|
|
134
|
+
const discoveryFile = path.join('.well-known', 'headroom.json');
|
|
107
135
|
function walk(d) {
|
|
108
136
|
for (const f of fs.readdirSync(d)) {
|
|
109
137
|
const full = path.join(d, f);
|
|
110
138
|
if (fs.statSync(full).isDirectory()) walk(full);
|
|
111
|
-
else
|
|
139
|
+
else {
|
|
140
|
+
const isSubstitutable = f.endsWith('.js')
|
|
141
|
+
|| f.endsWith('.html')
|
|
142
|
+
|| full.endsWith(discoveryFile);
|
|
143
|
+
if (!isSubstitutable) continue;
|
|
112
144
|
let content = fs.readFileSync(full, 'utf8');
|
|
113
145
|
for (const [k, v] of Object.entries(replacements)) {
|
|
114
146
|
content = content.replaceAll(k, v);
|
|
@@ -118,6 +150,19 @@ export function createAdminSite(name: string, args: AdminSiteArgs) {
|
|
|
118
150
|
}
|
|
119
151
|
}
|
|
120
152
|
walk('.');
|
|
153
|
+
// Regression guard: the discovery doc must have all placeholders
|
|
154
|
+
// substituted by now. A surviving __HEADROOM_*__ would indicate a
|
|
155
|
+
// mismatch between the Vite-emitted file and the replacements map.
|
|
156
|
+
try {
|
|
157
|
+
const body = fs.readFileSync(discoveryFile, 'utf8');
|
|
158
|
+
if (/__HEADROOM_[A-Z_]+__/.test(body)) {
|
|
159
|
+
console.error('headroom: unsubstituted placeholders survive in ' + discoveryFile);
|
|
160
|
+
console.error(body);
|
|
161
|
+
process.exit(1);
|
|
162
|
+
}
|
|
163
|
+
} catch (e) {
|
|
164
|
+
if (e && e.code !== 'ENOENT') throw e;
|
|
165
|
+
}
|
|
121
166
|
"`,
|
|
122
167
|
output: ".",
|
|
123
168
|
},
|