insforge 0.3.1

package/functions/server.ts

@@ -0,0 +1,290 @@
+import { Client } from 'https://deno.land/x/postgres@v0.17.0/mod.ts';
+import { join, dirname, fromFileUrl } from 'https://deno.land/std@0.224.0/path/mod.ts';
+
+/* eslint-disable no-console */
+const port = parseInt(Deno.env.get('PORT') ?? '7133');
+
+console.log(`Deno serverless runtime running on port ${port}`);
+
+// Configuration
+const WORKER_TIMEOUT_MS = parseInt(Deno.env.get('WORKER_TIMEOUT_MS') ?? '30000');
+
+// Worker template code - loaded on first use
+let workerTemplateCode: string | null = null;
+
+async function getWorkerTemplateCode(): Promise<string> {
+  if (!workerTemplateCode) {
+    const currentDir = dirname(fromFileUrl(import.meta.url));
+    workerTemplateCode = await Deno.readTextFile(join(currentDir, 'worker-template.js'));
+  }
+  return workerTemplateCode;
+}
+
+// Decrypt function for Deno (compatible with Node.js encryption)
+async function decryptSecret(ciphertext: string, key: string): Promise<string> {
+  try {
+    const parts = ciphertext.split(':');
+    if (parts.length !== 3) {
+      throw new Error('Invalid ciphertext format');
+    }
+
+    // Get the encryption key by hashing the JWT secret
+    const keyData = new TextEncoder().encode(key);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', keyData);
+    const cryptoKey = await crypto.subtle.importKey('raw', hashBuffer, { name: 'AES-GCM' }, false, [
+      'decrypt',
+    ]);
+
+    // Extract IV, auth tag, and encrypted data
+    const iv = Uint8Array.from(parts[0].match(/.{2}/g)!.map((byte) => parseInt(byte, 16)));
+    const authTag = Uint8Array.from(parts[1].match(/.{2}/g)!.map((byte) => parseInt(byte, 16)));
+    const encrypted = Uint8Array.from(parts[2].match(/.{2}/g)!.map((byte) => parseInt(byte, 16)));
+
+    // Combine encrypted data and auth tag (GCM expects them together)
+    const cipherData = new Uint8Array(encrypted.length + authTag.length);
+    cipherData.set(encrypted);
+    cipherData.set(authTag, encrypted.length);
+
+    // Decrypt
+    const decryptedBuffer = await crypto.subtle.decrypt(
+      { name: 'AES-GCM', iv },
+      cryptoKey,
+      cipherData
+    );
+
+    return new TextDecoder().decode(decryptedBuffer);
+  } catch (error) {
+    console.error('Failed to decrypt secret:', error);
+    throw error;
+  }
+}
+
+// Database connection
+const dbConfig = {
+  user: Deno.env.get('POSTGRES_USER') || 'postgres',
+  password: Deno.env.get('POSTGRES_PASSWORD') || 'postgres',
+  database: Deno.env.get('POSTGRES_DB') || 'insforge',
+  hostname: Deno.env.get('POSTGRES_HOST') || 'postgres',
+  port: parseInt(Deno.env.get('POSTGRES_PORT') || '5432', 10),
+};
+
+// Get function code from database
+async function getFunctionCode(slug: string): Promise<string | null> {
+  const client = new Client(dbConfig);
+
+  try {
+    await client.connect();
+
+    const result = await client.queryObject<{ code: string }>`
+      SELECT code FROM _functions 
+      WHERE slug = ${slug} AND status = 'active'
+    `;
+
+    if (result.rows.length === 0) {
+      return null;
+    }
+
+    return result.rows[0].code;
+  } catch (error) {
+    console.error(`Error fetching function ${slug}:`, error);
+    return null;
+  } finally {
+    await client.end();
+  }
+}
+
+// Get all secrets from main secrets table and decrypt them
+async function getFunctionSecrets(): Promise<Record<string, string>> {
+  const client = new Client(dbConfig);
+
+  try {
+    await client.connect();
+
+    // Get the encryption key from environment
+    const encryptionKey = Deno.env.get('ENCRYPTION_KEY') || Deno.env.get('JWT_SECRET');
+    if (!encryptionKey) {
+      console.error('No encryption key available for decrypting secrets');
+      return {};
+    }
+
+    // Fetch all active secrets from _secrets table
+    const result = await client.queryObject<{
+      key: string;
+      value_ciphertext: string;
+    }>`
+      SELECT key, value_ciphertext 
+      FROM _secrets
+      WHERE is_active = true 
+        AND (expires_at IS NULL OR expires_at > NOW())
+    `;
+
+    const secrets: Record<string, string> = {};
+
+    // Decrypt each secret
+    for (const row of result.rows) {
+      try {
+        secrets[row.key] = await decryptSecret(row.value_ciphertext, encryptionKey);
+      } catch (error) {
+        console.error(`Failed to decrypt secret ${row.key}:`, error);
+        // Skip this secret if decryption fails
+      }
+    }
+
+    return secrets;
+  } catch (error) {
+    console.error('Error fetching secrets:', error);
+    return {};
+  } finally {
+    await client.end();
+  }
+}
+
+// Execute function in isolated worker
+async function executeInWorker(code: string, request: Request): Promise<Response> {
+  // Get worker template
+  const template = await getWorkerTemplateCode();
+
+  // Fetch all function secrets
+  const secrets = await getFunctionSecrets();
+
+  // Create blob for worker
+  const workerBlob = new Blob([template], { type: 'application/javascript' });
+  const workerUrl = URL.createObjectURL(workerBlob);
+
+  return new Promise(async (resolve) => {
+    const worker = new Worker(workerUrl, { type: 'module' });
+
+    // Set timeout for worker execution
+    const timeout = setTimeout(() => {
+      worker.terminate();
+      URL.revokeObjectURL(workerUrl);
+      resolve(
+        new Response(JSON.stringify({ error: 'Function timeout' }), {
+          status: 504,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+    }, WORKER_TIMEOUT_MS);
+
+    // Handle worker response
+    worker.onmessage = (e) => {
+      clearTimeout(timeout);
+      worker.terminate();
+      URL.revokeObjectURL(workerUrl);
+
+      if (e.data.success) {
+        const { response } = e.data;
+        // The worker now properly sends null for bodyless responses
+        resolve(
+          new Response(response.body, {
+            status: response.status,
+            statusText: response.statusText,
+            headers: response.headers,
+          })
+        );
+      } else {
+        resolve(
+          new Response(JSON.stringify({ error: e.data.error }), {
+            status: e.data.status || 500,
+            headers: { 'Content-Type': 'application/json' },
+          })
+        );
+      }
+    };
+
+    // Handle worker errors
+    worker.onerror = (error) => {
+      clearTimeout(timeout);
+      worker.terminate();
+      URL.revokeObjectURL(workerUrl);
+      console.error('Worker error:', error);
+      resolve(
+        new Response(JSON.stringify({ error: 'Worker execution error' }), {
+          status: 500,
+          headers: { 'Content-Type': 'application/json' },
+        })
+      );
+    };
+
+    // Prepare request data
+    const body = request.body ? await request.text() : null;
+    const requestData = {
+      url: request.url,
+      method: request.method,
+      headers: Object.fromEntries(request.headers),
+      body,
+    };
+
+    // Send message with code, request data, and secrets
+    worker.postMessage({ code, requestData, secrets });
+  });
+}
+
+Deno.serve({ port }, async (req: Request) => {
+  const url = new URL(req.url);
+  const pathname = url.pathname;
+
+  // Health check
+  if (pathname === '/health') {
+    return new Response(
+      JSON.stringify({
+        status: 'ok',
+        runtime: 'deno',
+        version: Deno.version.deno,
+        typescript: Deno.version.typescript,
+        v8: Deno.version.v8,
+      }),
+      {
+        headers: { 'Content-Type': 'application/json' },
+      }
+    );
+  }
+
+  // Function execution - match ONLY exact slug, no subpaths
+  const slugMatch = pathname.match(/^\/([a-zA-Z0-9_-]+)$/);
+  if (slugMatch) {
+    const slug = slugMatch[1];
+
+    // Get function code from database
+    const code = await getFunctionCode(slug);
+
+    if (!code) {
+      return new Response(JSON.stringify({ error: 'Function not found or not active' }), {
+        status: 404,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }
+
+    // Execute in worker with original request
+    try {
+      return await executeInWorker(code, req);
+    } catch (error) {
+      console.error(`Failed to execute function ${slug}:`, error);
+      return new Response(JSON.stringify({ error: 'Function execution failed' }), {
+        status: 500,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }
+  }
+
+  // Runtime info
+  if (pathname === '/info') {
+    return new Response(
+      JSON.stringify({
+        runtime: 'deno',
+        version: Deno.version,
+        env: Deno.env.get('DENO_ENV') || 'production',
+        database: {
+          host: dbConfig.hostname,
+          database: dbConfig.database,
+        },
+      }),
+      {
+        headers: { 'Content-Type': 'application/json' },
+      }
+    );
+  }
+
+  // 404
+  return new Response('Not Found', { status: 404 });
+});

package/functions/worker-template.js

@@ -0,0 +1,126 @@
+/**
+ * Worker Template for Serverless Functions
+ *
+ * This code runs inside a Web Worker environment created by Deno.
+ * Each worker is created fresh for a single request, executes once, and terminates.
+ */
+/* eslint-env worker */
+/* global self, Request, Deno */
+
+// Import SDK at worker level - this will be available to all functions
+import { createClient } from 'npm:@insforge/sdk';
+
+// Handle the single message with code, request data, and secrets
+self.onmessage = async (e) => {
+  const { code, requestData, secrets = {} } = e.data;
+
+  try {
+    /**
+     * MOCK DENO OBJECT EXPLANATION:
+     *
+     * Why we need a mock Deno object:
+     * - Edge functions run in isolated Web Workers (sandboxed environments)
+     * - Web Workers don't have access to the real Deno global object for security
+     * - We need to provide Deno.env functionality so functions can access secrets
+     *
+     * How it works:
+     * 1. The main server (server.ts) fetches all active secrets from the _secrets table
+     * 2. Only active (is_active=true) and non-expired secrets are included
+     * 3. Secrets are decrypted and passed to this worker via the 'secrets' object
+     * 4. We create a mock Deno object that provides Deno.env.get()
+     * 5. When user code calls Deno.env.get('MY_SECRET'), it reads from our secrets object
+     *
+     * This allows edge functions to use familiar Deno.env syntax while maintaining security
+     * Secrets are managed via the /api/secrets endpoint
+     */
+    const mockDeno = {
+      // Mock the Deno.env API - only get() is needed for reading secrets
+      env: {
+        get: (key) => secrets[key] || undefined,
+      },
+    };
+
+    /**
+     * FUNCTION WRAPPING EXPLANATION:
+     *
+     * Here we create a wrapper function that will execute the user's code.
+     * The user's function expects to have access to:
+     * - module.exports (to export their function)
+     * - createClient (the Insforge SDK)
+     * - Deno (for Deno.env.get() etc.)
+     *
+     * We inject our mockDeno as the 'Deno' parameter, so when the user's code
+     * calls Deno.env.get('MY_SECRET'), it's actually calling mockDeno.env.get('MY_SECRET')
+     */
+    const wrapper = new Function('exports', 'module', 'createClient', 'Deno', code);
+    const exports = {};
+    const module = { exports };
+
+    // Execute the wrapper, passing mockDeno as the Deno global
+    // This makes Deno.env.get() available inside the user's function
+    wrapper(exports, module, createClient, mockDeno);
+
+    // Get the exported function
+    const functionHandler = module.exports || exports.default || exports;
+
+    if (typeof functionHandler !== 'function') {
+      throw new Error(
+        'No function exported. Expected: module.exports = async function(req) { ... }'
+      );
+    }
+
+    // Create Request object from data
+    const request = new Request(requestData.url, {
+      method: requestData.method,
+      headers: requestData.headers,
+      body: requestData.body,
+    });
+
+    // Execute the function
+    const response = await functionHandler(request);
+
+    // Serialize and send response
+    // Properly handle responses with no body
+    let body = null;
+
+    // Only read body if response has content
+    // Status codes 204, 205, and 304 should not have a body
+    if (![204, 205, 304].includes(response.status)) {
+      body = await response.text();
+    }
+
+    const responseData = {
+      status: response.status,
+      statusText: response.statusText,
+      headers: Object.fromEntries(response.headers),
+      body: body,
+    };
+
+    self.postMessage({ success: true, response: responseData });
+  } catch (error) {
+    // Check if the error is actually a Response object (thrown by the function)
+    if (error instanceof Response) {
+      // Handle error responses the same way
+      let body = null;
+
+      if (![204, 205, 304].includes(error.status)) {
+        body = await error.text();
+      }
+
+      const responseData = {
+        status: error.status,
+        statusText: error.statusText,
+        headers: Object.fromEntries(error.headers),
+        body: body,
+      };
+      self.postMessage({ success: true, response: responseData });
+    } else {
+      // For actual errors, include status if available
+      self.postMessage({
+        success: false,
+        error: error.message || 'Unknown error',
+        status: error.status || 500,
+      });
+    }
+  }
+};