nextjs-secure 0.7.0 → 0.8.0

package/dist/api.cjs

@@ -0,0 +1,1707 @@
+'use strict';
+
+// src/middleware/api/types.ts
+var API_PROTECTION_PRESETS = {
+  /** Basic: Only timestamp and versioning */
+  basic: {
+    signing: false,
+    replay: false,
+    timestamp: {
+      maxAge: 600,
+      // 10 minutes
+      required: false
+    },
+    versioning: false,
+    idempotency: false
+  },
+  /** Standard: Timestamp, replay prevention, versioning */
+  standard: {
+    signing: false,
+    replay: {
+      ttl: 3e5,
+      // 5 minutes
+      required: true
+    },
+    timestamp: {
+      maxAge: 300,
+      // 5 minutes
+      required: true
+    },
+    versioning: false,
+    idempotency: {
+      required: false
+    }
+  },
+  /** Strict: All protections enabled */
+  strict: {
+    signing: {
+      secret: "",
+      // Must be provided
+      algorithm: "sha256",
+      timestampTolerance: 300
+    },
+    replay: {
+      ttl: 3e5,
+      required: true,
+      minLength: 32
+    },
+    timestamp: {
+      maxAge: 300,
+      required: true,
+      allowFuture: false
+    },
+    versioning: false,
+    idempotency: {
+      required: true,
+      methods: ["POST", "PUT", "PATCH", "DELETE"]
+    }
+  },
+  /** Financial: Maximum security for financial APIs */
+  financial: {
+    signing: {
+      secret: "",
+      // Must be provided
+      algorithm: "sha512",
+      timestampTolerance: 60,
+      // 1 minute
+      components: {
+        method: true,
+        path: true,
+        query: true,
+        body: true,
+        timestamp: true,
+        nonce: true
+      }
+    },
+    replay: {
+      ttl: 864e5,
+      // 24 hours
+      required: true,
+      minLength: 64
+    },
+    timestamp: {
+      maxAge: 60,
+      // 1 minute
+      required: true,
+      allowFuture: false,
+      maxFuture: 10
+    },
+    versioning: false,
+    idempotency: {
+      required: true,
+      ttl: 6048e5,
+      // 7 days
+      methods: ["POST", "PUT", "PATCH", "DELETE"],
+      hashRequestBody: true
+    }
+  }
+};
+
+// src/middleware/api/signing.ts
+var DEFAULT_SIGNING_OPTIONS = {
+  algorithm: "sha256",
+  encoding: "hex",
+  signatureHeader: "x-signature",
+  timestampHeader: "x-timestamp",
+  nonceHeader: "x-nonce",
+  components: {
+    method: true,
+    path: true,
+    query: true,
+    body: true,
+    headers: [],
+    timestamp: true,
+    nonce: false
+  },
+  timestampTolerance: 300
+  // 5 minutes
+};
+async function createHMAC(data, secret, algorithm = "sha256", encoding = "hex") {
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(secret);
+  const messageData = encoder.encode(data);
+  const hashName = {
+    sha1: "SHA-1",
+    sha256: "SHA-256",
+    sha384: "SHA-384",
+    sha512: "SHA-512"
+  }[algorithm];
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "HMAC", hash: hashName },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", key, messageData);
+  return encodeSignature(new Uint8Array(signature), encoding);
+}
+function encodeSignature(bytes, encoding) {
+  switch (encoding) {
+    case "hex":
+      return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+    case "base64":
+      return btoa(String.fromCharCode(...bytes));
+    case "base64url":
+      return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+    default:
+      return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+async function buildCanonicalString(req, components, options = {}) {
+  const parts = [];
+  if (components.method) {
+    parts.push(req.method.toUpperCase());
+  }
+  if (components.path) {
+    const url = new URL(req.url);
+    parts.push(url.pathname);
+  }
+  if (components.query) {
+    const url = new URL(req.url);
+    const params = new URLSearchParams(url.search);
+    const sortedParams = Array.from(params.entries()).sort((a, b) => a[0].localeCompare(b[0])).map(([k, v]) => `${k}=${v}`).join("&");
+    parts.push(sortedParams);
+  }
+  if (components.body) {
+    try {
+      const cloned = req.clone();
+      const body = await cloned.text();
+      if (body) {
+        parts.push(body);
+      }
+    } catch {
+    }
+  }
+  if (components.headers && components.headers.length > 0) {
+    const headerParts = components.headers.map((h) => h.toLowerCase()).sort().map((h) => `${h}:${req.headers.get(h) || ""}`);
+    parts.push(headerParts.join("\n"));
+  }
+  if (components.timestamp) {
+    const timestampHeader = options.timestampHeader || "x-timestamp";
+    const timestamp = req.headers.get(timestampHeader) || "";
+    parts.push(timestamp);
+  }
+  if (components.nonce) {
+    const nonceHeader = options.nonceHeader || "x-nonce";
+    const nonce = req.headers.get(nonceHeader) || "";
+    parts.push(nonce);
+  }
+  return parts.join("\n");
+}
+async function generateSignature(req, options) {
+  const {
+    secret,
+    algorithm = DEFAULT_SIGNING_OPTIONS.algorithm,
+    encoding = DEFAULT_SIGNING_OPTIONS.encoding,
+    components = DEFAULT_SIGNING_OPTIONS.components,
+    timestampHeader = DEFAULT_SIGNING_OPTIONS.timestampHeader,
+    nonceHeader = DEFAULT_SIGNING_OPTIONS.nonceHeader,
+    canonicalBuilder
+  } = options;
+  const canonical = canonicalBuilder ? await canonicalBuilder(req, components) : await buildCanonicalString(req, components, { timestampHeader, nonceHeader });
+  return createHMAC(canonical, secret, algorithm, encoding);
+}
+async function generateSignatureHeaders(method, url, body, options) {
+  const {
+    secret,
+    algorithm = DEFAULT_SIGNING_OPTIONS.algorithm,
+    encoding = DEFAULT_SIGNING_OPTIONS.encoding,
+    components = DEFAULT_SIGNING_OPTIONS.components,
+    signatureHeader = DEFAULT_SIGNING_OPTIONS.signatureHeader,
+    timestampHeader = DEFAULT_SIGNING_OPTIONS.timestampHeader,
+    nonceHeader = DEFAULT_SIGNING_OPTIONS.nonceHeader,
+    includeTimestamp = true,
+    includeNonce = false
+  } = options;
+  const headers = {};
+  const parts = [];
+  if (components.method) {
+    parts.push(method.toUpperCase());
+  }
+  if (components.path) {
+    const parsedUrl = new URL(url);
+    parts.push(parsedUrl.pathname);
+  }
+  if (components.query) {
+    const parsedUrl = new URL(url);
+    const params = new URLSearchParams(parsedUrl.search);
+    const sortedParams = Array.from(params.entries()).sort((a, b) => a[0].localeCompare(b[0])).map(([k, v]) => `${k}=${v}`).join("&");
+    parts.push(sortedParams);
+  }
+  if (components.body && body) {
+    parts.push(body);
+  }
+  if (components.timestamp && includeTimestamp) {
+    const timestamp = Math.floor(Date.now() / 1e3).toString();
+    headers[timestampHeader] = timestamp;
+    parts.push(timestamp);
+  }
+  if (components.nonce && includeNonce) {
+    const nonce = generateNonce();
+    headers[nonceHeader] = nonce;
+    parts.push(nonce);
+  }
+  const canonical = parts.join("\n");
+  const signature = await createHMAC(canonical, secret, algorithm, encoding);
+  headers[signatureHeader] = signature;
+  return headers;
+}
+function generateNonce(length = 32) {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function verifySignature(req, options) {
+  const {
+    secret,
+    algorithm = DEFAULT_SIGNING_OPTIONS.algorithm,
+    encoding = DEFAULT_SIGNING_OPTIONS.encoding,
+    signatureHeader = DEFAULT_SIGNING_OPTIONS.signatureHeader,
+    timestampHeader = DEFAULT_SIGNING_OPTIONS.timestampHeader,
+    nonceHeader = DEFAULT_SIGNING_OPTIONS.nonceHeader,
+    components = DEFAULT_SIGNING_OPTIONS.components,
+    timestampTolerance = DEFAULT_SIGNING_OPTIONS.timestampTolerance,
+    canonicalBuilder
+  } = options;
+  const providedSignature = req.headers.get(signatureHeader);
+  if (!providedSignature) {
+    return {
+      valid: false,
+      reason: "Missing signature header"
+    };
+  }
+  if (components.timestamp) {
+    const timestamp = req.headers.get(timestampHeader);
+    if (!timestamp) {
+      return {
+        valid: false,
+        reason: "Missing timestamp header"
+      };
+    }
+    const timestampNum = parseInt(timestamp, 10);
+    if (isNaN(timestampNum)) {
+      return {
+        valid: false,
+        reason: "Invalid timestamp format"
+      };
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    const age = Math.abs(now - timestampNum);
+    if (age > timestampTolerance) {
+      return {
+        valid: false,
+        reason: `Timestamp too old or too far in future (age: ${age}s, max: ${timestampTolerance}s)`
+      };
+    }
+  }
+  const canonical = canonicalBuilder ? await canonicalBuilder(req, components) : await buildCanonicalString(req, components, { timestampHeader, nonceHeader });
+  const computedSignature = await createHMAC(canonical, secret, algorithm, encoding);
+  const valid = timingSafeEqual(providedSignature, computedSignature);
+  return {
+    valid,
+    reason: valid ? void 0 : "Signature mismatch",
+    computed: computedSignature,
+    provided: providedSignature,
+    canonical
+  };
+}
+function defaultInvalidResponse(reason) {
+  return new Response(
+    JSON.stringify({
+      error: "Unauthorized",
+      message: reason,
+      code: "INVALID_SIGNATURE"
+    }),
+    {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function withRequestSigning(handler, options) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const result = await verifySignature(req, options);
+    if (!result.valid) {
+      const onInvalid = options.onInvalid || defaultInvalidResponse;
+      return onInvalid(result.reason || "Invalid signature");
+    }
+    return handler(req, ctx);
+  };
+}
+
+// src/middleware/api/replay.ts
+var DEFAULT_REPLAY_OPTIONS = {
+  nonceHeader: "x-nonce",
+  nonceQuery: "",
+  ttl: 3e5,
+  // 5 minutes
+  required: true,
+  minLength: 16,
+  maxLength: 128
+};
+var MemoryNonceStore = class {
+  nonces = /* @__PURE__ */ new Map();
+  maxSize;
+  cleanupInterval = null;
+  constructor(options = {}) {
+    const { maxSize = 1e5, autoCleanup = true, cleanupIntervalMs = 6e4 } = options;
+    this.maxSize = maxSize;
+    if (autoCleanup) {
+      this.cleanupInterval = setInterval(() => {
+        this.cleanup();
+      }, cleanupIntervalMs);
+      if (this.cleanupInterval.unref) {
+        this.cleanupInterval.unref();
+      }
+    }
+  }
+  async exists(nonce) {
+    const entry = this.nonces.get(nonce);
+    if (!entry) {
+      return false;
+    }
+    if (Date.now() > entry.expiresAt) {
+      this.nonces.delete(nonce);
+      return false;
+    }
+    return true;
+  }
+  async set(nonce, ttl) {
+    if (this.nonces.size >= this.maxSize) {
+      this.evictOldest();
+    }
+    const now = Date.now();
+    this.nonces.set(nonce, {
+      timestamp: now,
+      expiresAt: now + ttl
+    });
+  }
+  async cleanup() {
+    const now = Date.now();
+    for (const [nonce, entry] of this.nonces.entries()) {
+      if (now > entry.expiresAt) {
+        this.nonces.delete(nonce);
+      }
+    }
+  }
+  getStats() {
+    let oldestTimestamp;
+    for (const entry of this.nonces.values()) {
+      if (!oldestTimestamp || entry.timestamp < oldestTimestamp) {
+        oldestTimestamp = entry.timestamp;
+      }
+    }
+    return {
+      size: this.nonces.size,
+      oldestTimestamp
+    };
+  }
+  evictOldest() {
+    const toRemove = Math.ceil(this.maxSize * 0.1);
+    const entries = Array.from(this.nonces.entries()).sort((a, b) => a[1].timestamp - b[1].timestamp).slice(0, toRemove);
+    for (const [nonce] of entries) {
+      this.nonces.delete(nonce);
+    }
+  }
+  /**
+   * Clear all nonces
+   */
+  clear() {
+    this.nonces.clear();
+  }
+  /**
+   * Stop auto cleanup
+   */
+  destroy() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+};
+var globalNonceStore = null;
+function getGlobalNonceStore() {
+  if (!globalNonceStore) {
+    globalNonceStore = new MemoryNonceStore();
+  }
+  return globalNonceStore;
+}
+function generateNonce2(length = 32) {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function isValidNonceFormat(nonce, minLength = 16, maxLength = 128) {
+  if (!nonce || typeof nonce !== "string") {
+    return false;
+  }
+  if (nonce.length < minLength || nonce.length > maxLength) {
+    return false;
+  }
+  return /^[a-zA-Z0-9_-]+$/.test(nonce);
+}
+function extractNonce(req, options = {}) {
+  const {
+    nonceHeader = DEFAULT_REPLAY_OPTIONS.nonceHeader,
+    nonceQuery = DEFAULT_REPLAY_OPTIONS.nonceQuery
+  } = options;
+  const headerNonce = req.headers.get(nonceHeader);
+  if (headerNonce) {
+    return headerNonce;
+  }
+  if (nonceQuery) {
+    const url = new URL(req.url);
+    const queryNonce = url.searchParams.get(nonceQuery);
+    if (queryNonce) {
+      return queryNonce;
+    }
+  }
+  return null;
+}
+async function checkReplay(req, options = {}) {
+  const {
+    store = getGlobalNonceStore(),
+    nonceHeader = DEFAULT_REPLAY_OPTIONS.nonceHeader,
+    nonceQuery = DEFAULT_REPLAY_OPTIONS.nonceQuery,
+    ttl = DEFAULT_REPLAY_OPTIONS.ttl,
+    required = DEFAULT_REPLAY_OPTIONS.required,
+    minLength = DEFAULT_REPLAY_OPTIONS.minLength,
+    maxLength = DEFAULT_REPLAY_OPTIONS.maxLength,
+    validate
+  } = options;
+  const nonce = extractNonce(req, { nonceHeader, nonceQuery });
+  if (!nonce) {
+    if (required) {
+      return {
+        isReplay: false,
+        // Not a replay, but missing
+        nonce: null,
+        reason: "Missing nonce"
+      };
+    }
+    return {
+      isReplay: false
+    };
+  }
+  if (!isValidNonceFormat(nonce, minLength, maxLength)) {
+    return {
+      isReplay: false,
+      nonce,
+      reason: `Invalid nonce format (length must be ${minLength}-${maxLength}, alphanumeric)`
+    };
+  }
+  if (validate) {
+    const isValid = await validate(nonce);
+    if (!isValid) {
+      return {
+        isReplay: false,
+        nonce,
+        reason: "Nonce failed custom validation"
+      };
+    }
+  }
+  const exists = await store.exists(nonce);
+  if (exists) {
+    return {
+      isReplay: true,
+      nonce,
+      reason: "Nonce has already been used"
+    };
+  }
+  await store.set(nonce, ttl);
+  return {
+    isReplay: false,
+    nonce
+  };
+}
+function defaultReplayResponse(nonce) {
+  return new Response(
+    JSON.stringify({
+      error: "Forbidden",
+      message: "Request replay detected",
+      code: "REPLAY_DETECTED",
+      nonce
+    }),
+    {
+      status: 403,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function defaultMissingNonceResponse(reason) {
+  return new Response(
+    JSON.stringify({
+      error: "Bad Request",
+      message: reason,
+      code: "INVALID_NONCE"
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function withReplayPrevention(handler, options = {}) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const result = await checkReplay(req, options);
+    if (result.isReplay) {
+      const onReplay = options.onReplay || defaultReplayResponse;
+      return onReplay(result.nonce);
+    }
+    if (result.reason && options.required !== false) {
+      return defaultMissingNonceResponse(result.reason);
+    }
+    return handler(req, ctx);
+  };
+}
+function addNonceHeader(headers = {}, options = {}) {
+  const { headerName = "x-nonce", length = 32 } = options;
+  return {
+    ...headers,
+    [headerName]: generateNonce2(length)
+  };
+}
+
+// src/middleware/api/timestamp.ts
+var DEFAULT_TIMESTAMP_OPTIONS = {
+  timestampHeader: "x-timestamp",
+  format: "unix",
+  maxAge: 300,
+  // 5 minutes
+  allowFuture: false,
+  maxFuture: 60,
+  // 1 minute
+  required: true
+};
+function parseTimestamp(value, format = "unix") {
+  if (!value || typeof value !== "string") {
+    return null;
+  }
+  try {
+    switch (format) {
+      case "unix": {
+        const num = parseInt(value, 10);
+        if (isNaN(num) || num <= 0) {
+          return null;
+        }
+        return num;
+      }
+      case "unix-ms": {
+        const num = parseInt(value, 10);
+        if (isNaN(num) || num <= 0) {
+          return null;
+        }
+        return Math.floor(num / 1e3);
+      }
+      case "iso8601": {
+        const date = new Date(value);
+        if (isNaN(date.getTime())) {
+          return null;
+        }
+        return Math.floor(date.getTime() / 1e3);
+      }
+      default:
+        return null;
+    }
+  } catch {
+    return null;
+  }
+}
+function formatTimestamp(format = "unix") {
+  const now = Date.now();
+  switch (format) {
+    case "unix":
+      return Math.floor(now / 1e3).toString();
+    case "unix-ms":
+      return now.toString();
+    case "iso8601":
+      return new Date(now).toISOString();
+    default:
+      return Math.floor(now / 1e3).toString();
+  }
+}
+function extractTimestamp(req, options = {}) {
+  const {
+    timestampHeader = DEFAULT_TIMESTAMP_OPTIONS.timestampHeader,
+    timestampQuery
+  } = options;
+  const headerTimestamp = req.headers.get(timestampHeader);
+  if (headerTimestamp) {
+    return headerTimestamp;
+  }
+  if (timestampQuery) {
+    const url = new URL(req.url);
+    const queryTimestamp = url.searchParams.get(timestampQuery);
+    if (queryTimestamp) {
+      return queryTimestamp;
+    }
+  }
+  return null;
+}
+function validateTimestamp(req, options = {}) {
+  const {
+    timestampHeader = DEFAULT_TIMESTAMP_OPTIONS.timestampHeader,
+    timestampQuery,
+    format = DEFAULT_TIMESTAMP_OPTIONS.format,
+    maxAge = DEFAULT_TIMESTAMP_OPTIONS.maxAge,
+    allowFuture = DEFAULT_TIMESTAMP_OPTIONS.allowFuture,
+    maxFuture = DEFAULT_TIMESTAMP_OPTIONS.maxFuture,
+    required = DEFAULT_TIMESTAMP_OPTIONS.required
+  } = options;
+  const timestampStr = extractTimestamp(req, { timestampHeader, timestampQuery });
+  if (!timestampStr) {
+    if (required) {
+      return {
+        valid: false,
+        reason: "Missing timestamp"
+      };
+    }
+    return {
+      valid: true
+    };
+  }
+  const timestamp = parseTimestamp(timestampStr, format);
+  if (timestamp === null) {
+    return {
+      valid: false,
+      reason: `Invalid timestamp format (expected: ${format})`
+    };
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const age = now - timestamp;
+  if (age > maxAge) {
+    return {
+      valid: false,
+      timestamp,
+      age,
+      reason: `Timestamp too old (age: ${age}s, max: ${maxAge}s)`
+    };
+  }
+  if (age < 0) {
+    if (!allowFuture) {
+      return {
+        valid: false,
+        timestamp,
+        age,
+        reason: "Timestamp is in the future"
+      };
+    }
+    const futureAge = Math.abs(age);
+    if (futureAge > maxFuture) {
+      return {
+        valid: false,
+        timestamp,
+        age,
+        reason: `Timestamp too far in future (${futureAge}s, max: ${maxFuture}s)`
+      };
+    }
+  }
+  return {
+    valid: true,
+    timestamp,
+    age
+  };
+}
+function isTimestampValid(timestampStr, options = {}) {
+  const {
+    format = "unix",
+    maxAge = 300,
+    allowFuture = false,
+    maxFuture = 60
+  } = options;
+  const timestamp = parseTimestamp(timestampStr, format);
+  if (timestamp === null) {
+    return false;
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const age = now - timestamp;
+  if (age > maxAge) {
+    return false;
+  }
+  if (age < 0) {
+    if (!allowFuture) {
+      return false;
+    }
+    if (Math.abs(age) > maxFuture) {
+      return false;
+    }
+  }
+  return true;
+}
+function defaultInvalidResponse2(reason) {
+  return new Response(
+    JSON.stringify({
+      error: "Bad Request",
+      message: reason,
+      code: "INVALID_TIMESTAMP"
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function withTimestamp(handler, options = {}) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const result = validateTimestamp(req, options);
+    if (!result.valid) {
+      const onInvalid = options.onInvalid || defaultInvalidResponse2;
+      return onInvalid(result.reason || "Invalid timestamp");
+    }
+    return handler(req, ctx);
+  };
+}
+function addTimestampHeader(headers = {}, options = {}) {
+  const { headerName = "x-timestamp", format = "unix" } = options;
+  return {
+    ...headers,
+    [headerName]: formatTimestamp(format)
+  };
+}
+function getRequestAge(req, options = {}) {
+  const timestampStr = extractTimestamp(req, options);
+  if (!timestampStr) {
+    return null;
+  }
+  const timestamp = parseTimestamp(timestampStr, options.format);
+  if (timestamp === null) {
+    return null;
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  return now - timestamp;
+}
+
+// src/middleware/api/versioning.ts
+var DEFAULT_VERSIONING_OPTIONS = {
+  source: "header",
+  versionHeader: "x-api-version",
+  versionQuery: "version",
+  addDeprecationHeaders: true
+};
+function extractFromHeader(req, headerName) {
+  return req.headers.get(headerName);
+}
+function extractFromQuery(req, queryParam) {
+  const url = new URL(req.url);
+  return url.searchParams.get(queryParam);
+}
+function extractFromPath(req, pattern) {
+  if (!pattern) {
+    pattern = /\/v(\d+(?:\.\d+)?)\//;
+  }
+  const url = new URL(req.url);
+  const match = url.pathname.match(pattern);
+  if (match && match[1]) {
+    return match[1];
+  }
+  return null;
+}
+function extractFromAccept(req, pattern) {
+  const accept = req.headers.get("accept");
+  if (!accept) {
+    return null;
+  }
+  if (!pattern) {
+    pattern = /version=(\d+(?:\.\d+)?)/;
+  }
+  const match = accept.match(pattern);
+  if (match && match[1]) {
+    return match[1];
+  }
+  return null;
+}
+function extractVersion(req, options) {
+  const {
+    source = DEFAULT_VERSIONING_OPTIONS.source,
+    versionHeader = DEFAULT_VERSIONING_OPTIONS.versionHeader,
+    versionQuery = DEFAULT_VERSIONING_OPTIONS.versionQuery,
+    pathPattern,
+    acceptPattern,
+    parseVersion
+  } = options;
+  let version = null;
+  let extractedSource = null;
+  switch (source) {
+    case "header":
+      version = extractFromHeader(req, versionHeader);
+      extractedSource = version ? "header" : null;
+      break;
+    case "query":
+      version = extractFromQuery(req, versionQuery);
+      extractedSource = version ? "query" : null;
+      break;
+    case "path":
+      version = extractFromPath(req, pathPattern);
+      extractedSource = version ? "path" : null;
+      break;
+    case "accept":
+      version = extractFromAccept(req, acceptPattern);
+      extractedSource = version ? "accept" : null;
+      break;
+  }
+  if (version && parseVersion) {
+    version = parseVersion(version);
+  }
+  return { version, source: extractedSource };
+}
+function extractVersionMultiSource(req, options, sources = ["header", "query", "path", "accept"]) {
+  for (const source of sources) {
+    const result = extractVersion(req, { ...options, source });
+    if (result.version) {
+      return result;
+    }
+  }
+  return { version: null, source: null };
+}
+function getVersionStatus(version, options) {
+  const { current, supported, deprecated = [], sunset = [] } = options;
+  if (version === current) {
+    return "current";
+  }
+  if (sunset.includes(version)) {
+    return "sunset";
+  }
+  if (deprecated.includes(version)) {
+    return "deprecated";
+  }
+  if (supported.includes(version)) {
+    return "supported";
+  }
+  return null;
+}
+function isVersionSupported(version, options) {
+  const status = getVersionStatus(version, options);
+  return status === "current" || status === "supported" || status === "deprecated";
+}
+function validateVersion(req, options) {
+  const { current, supported, deprecated = [], sunset = [], sunsetDates = {} } = options;
+  const { version, source } = extractVersion(req, options);
+  if (!version) {
+    return {
+      version: current,
+      source: null,
+      status: "current",
+      valid: true
+    };
+  }
+  if (sunset.includes(version)) {
+    const sunsetDate = sunsetDates[version];
+    return {
+      version,
+      source,
+      status: "sunset",
+      valid: false,
+      reason: `API version ${version} has been sunset${sunsetDate ? ` on ${sunsetDate.toISOString()}` : ""}`,
+      sunsetDate
+    };
+  }
+  if (deprecated.includes(version)) {
+    const sunsetDate = sunsetDates[version];
+    return {
+      version,
+      source,
+      status: "deprecated",
+      valid: true,
+      sunsetDate
+    };
+  }
+  if (version === current) {
+    return {
+      version,
+      source,
+      status: "current",
+      valid: true
+    };
+  }
+  if (supported.includes(version)) {
+    return {
+      version,
+      source,
+      status: "supported",
+      valid: true
+    };
+  }
+  return {
+    version,
+    source,
+    status: null,
+    valid: false,
+    reason: `Unsupported API version: ${version}. Supported versions: ${[current, ...supported].join(", ")}`
+  };
+}
+function addDeprecationHeaders(response, version, sunsetDate) {
+  const headers = new Headers(response.headers);
+  headers.set("Deprecation", "true");
+  if (sunsetDate) {
+    headers.set("Sunset", sunsetDate.toUTCString());
+  }
+  headers.set(
+    "Warning",
+    `299 - "API version ${version} is deprecated${sunsetDate ? ` and will be removed on ${sunsetDate.toISOString().split("T")[0]}` : ""}"`
+  );
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers
+  });
+}
+function defaultUnsupportedResponse(version, supportedVersions) {
+  return new Response(
+    JSON.stringify({
+      error: "Bad Request",
+      message: `Unsupported API version: ${version}`,
+      code: "UNSUPPORTED_VERSION",
+      supportedVersions
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function defaultSunsetResponse(version, sunsetDate) {
+  return new Response(
+    JSON.stringify({
+      error: "Gone",
+      message: `API version ${version} is no longer available${sunsetDate ? `. It was sunset on ${sunsetDate.toISOString().split("T")[0]}` : ""}`,
+      code: "VERSION_SUNSET"
+    }),
+    {
+      status: 410,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function withAPIVersion(handler, options) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const result = validateVersion(req, options);
+    if (result.status === "sunset") {
+      return defaultSunsetResponse(result.version, result.sunsetDate);
+    }
+    if (!result.valid) {
+      const onUnsupported = options.onUnsupported || ((v) => defaultUnsupportedResponse(v, [options.current, ...options.supported]));
+      return onUnsupported(result.version);
+    }
+    let response = await handler(req, ctx);
+    if (result.status === "deprecated") {
+      if (options.onDeprecated) {
+        options.onDeprecated(result.version, result.sunsetDate);
+      }
+      if (options.addDeprecationHeaders !== false) {
+        response = addDeprecationHeaders(response, result.version, result.sunsetDate);
+      }
+    }
+    return response;
+  };
+}
+function createVersionRouter(handlers, options) {
+  const versions = Object.keys(handlers);
+  const defaultVersion = options.default || versions[versions.length - 1];
+  return async (req, ctx) => {
+    const { version } = extractVersion(req, {
+      ...options});
+    const targetVersion = version || defaultVersion;
+    const handler = handlers[targetVersion];
+    if (!handler) {
+      return defaultUnsupportedResponse(targetVersion, versions);
+    }
+    return handler(req, ctx);
+  };
+}
+function compareVersions(a, b) {
+  const partsA = a.split(".").map(Number);
+  const partsB = b.split(".").map(Number);
+  const maxLength = Math.max(partsA.length, partsB.length);
+  for (let i = 0; i < maxLength; i++) {
+    const numA = partsA[i] || 0;
+    const numB = partsB[i] || 0;
+    if (numA > numB) return 1;
+    if (numA < numB) return -1;
+  }
+  return 0;
+}
+function isVersionAtLeast(version, minimum) {
+  return compareVersions(version, minimum) >= 0;
+}
+function normalizeVersion(version) {
+  version = version.replace(/^v/i, "");
+  const parts = version.split(".");
+  while (parts.length < 2) {
+    parts.push("0");
+  }
+  return parts.join(".");
+}
+
+// src/middleware/api/idempotency.ts
+var DEFAULT_IDEMPOTENCY_OPTIONS = {
+  keyHeader: "idempotency-key",
+  ttl: 864e5,
+  // 24 hours
+  required: false,
+  methods: ["POST", "PUT", "PATCH"],
+  minKeyLength: 16,
+  maxKeyLength: 256,
+  hashRequestBody: true,
+  lockTimeout: 3e4,
+  // 30 seconds
+  waitForLock: true,
+  maxWaitTime: 1e4
+  // 10 seconds
+};
+var MemoryIdempotencyStore = class {
+  cache = /* @__PURE__ */ new Map();
+  processing = /* @__PURE__ */ new Map();
+  maxSize;
+  cleanupInterval = null;
+  constructor(options = {}) {
+    const { maxSize = 1e4, autoCleanup = true, cleanupIntervalMs = 6e4 } = options;
+    this.maxSize = maxSize;
+    if (autoCleanup) {
+      this.cleanupInterval = setInterval(() => {
+        this.cleanup();
+      }, cleanupIntervalMs);
+      if (this.cleanupInterval.unref) {
+        this.cleanupInterval.unref();
+      }
+    }
+  }
+  async get(key) {
+    const entry = this.cache.get(key);
+    if (!entry) {
+      return null;
+    }
+    if (Date.now() > entry.expiresAt) {
+      this.cache.delete(key);
+      return null;
+    }
+    return entry.response;
+  }
+  async set(key, response, ttl) {
+    if (this.cache.size >= this.maxSize) {
+      this.evictOldest();
+    }
+    this.cache.set(key, {
+      response,
+      expiresAt: Date.now() + ttl
+    });
+  }
+  async isProcessing(key) {
+    const entry = this.processing.get(key);
+    if (!entry) {
+      return false;
+    }
+    if (Date.now() > entry.expiresAt) {
+      this.processing.delete(key);
+      return false;
+    }
+    return true;
+  }
+  async startProcessing(key, timeout) {
+    if (await this.isProcessing(key)) {
+      return false;
+    }
+    const now = Date.now();
+    this.processing.set(key, {
+      startedAt: now,
+      expiresAt: now + timeout
+    });
+    return true;
+  }
+  async endProcessing(key) {
+    this.processing.delete(key);
+  }
+  async delete(key) {
+    this.cache.delete(key);
+    this.processing.delete(key);
+  }
+  async cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.cache.entries()) {
+      if (now > entry.expiresAt) {
+        this.cache.delete(key);
+      }
+    }
+    for (const [key, entry] of this.processing.entries()) {
+      if (now > entry.expiresAt) {
+        this.processing.delete(key);
+      }
+    }
+  }
+  getStats() {
+    return {
+      cacheSize: this.cache.size,
+      processingSize: this.processing.size
+    };
+  }
+  evictOldest() {
+    const toRemove = Math.ceil(this.maxSize * 0.1);
+    const entries = Array.from(this.cache.entries()).sort((a, b) => a[1].response.cachedAt - b[1].response.cachedAt).slice(0, toRemove);
+    for (const [key] of entries) {
+      this.cache.delete(key);
+    }
+  }
+  /**
+   * Clear all entries
+   */
+  clear() {
+    this.cache.clear();
+    this.processing.clear();
+  }
+  /**
+   * Stop auto cleanup
+   */
+  destroy() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+};
+var globalIdempotencyStore = null;
+function getGlobalIdempotencyStore() {
+  if (!globalIdempotencyStore) {
+    globalIdempotencyStore = new MemoryIdempotencyStore();
+  }
+  return globalIdempotencyStore;
+}
+function generateIdempotencyKey(length = 32) {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function hashRequestBody(body) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(body);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function isValidIdempotencyKey(key, minLength = 16, maxLength = 256) {
+  if (!key || typeof key !== "string") {
+    return false;
+  }
+  if (key.length < minLength || key.length > maxLength) {
+    return false;
+  }
+  return /^[a-zA-Z0-9_-]+$/.test(key);
+}
+async function createCacheKey(idempotencyKey, req, hashBody = true) {
+  const parts = [idempotencyKey, req.method, new URL(req.url).pathname];
+  if (hashBody) {
+    try {
+      const cloned = req.clone();
+      const body = await cloned.text();
+      if (body) {
+        const bodyHash = await hashRequestBody(body);
+        parts.push(bodyHash);
+      }
+    } catch {
+    }
+  }
+  return parts.join(":");
+}
+function extractIdempotencyKey(req, options = {}) {
+  const { keyHeader = DEFAULT_IDEMPOTENCY_OPTIONS.keyHeader } = options;
+  return req.headers.get(keyHeader);
+}
+async function checkIdempotency(req, options = {}) {
+  const {
+    store = getGlobalIdempotencyStore(),
+    keyHeader = DEFAULT_IDEMPOTENCY_OPTIONS.keyHeader,
+    required = DEFAULT_IDEMPOTENCY_OPTIONS.required,
+    methods = DEFAULT_IDEMPOTENCY_OPTIONS.methods,
+    minKeyLength = DEFAULT_IDEMPOTENCY_OPTIONS.minKeyLength,
+    maxKeyLength = DEFAULT_IDEMPOTENCY_OPTIONS.maxKeyLength,
+    hashRequestBody: hashBody = DEFAULT_IDEMPOTENCY_OPTIONS.hashRequestBody,
+    validateKey
+  } = options;
+  const method = req.method.toUpperCase();
+  if (!methods.includes(method)) {
+    return {
+      key: null,
+      fromCache: false,
+      isProcessing: false
+    };
+  }
+  const key = req.headers.get(keyHeader);
+  if (!key) {
+    if (required) {
+      return {
+        key: null,
+        fromCache: false,
+        isProcessing: false,
+        reason: "Missing idempotency key"
+      };
+    }
+    return {
+      key: null,
+      fromCache: false,
+      isProcessing: false
+    };
+  }
+  if (!isValidIdempotencyKey(key, minKeyLength, maxKeyLength)) {
+    return {
+      key,
+      fromCache: false,
+      isProcessing: false,
+      reason: `Invalid idempotency key format (length must be ${minKeyLength}-${maxKeyLength}, alphanumeric)`
+    };
+  }
+  if (validateKey) {
+    const isValid = await validateKey(key);
+    if (!isValid) {
+      return {
+        key,
+        fromCache: false,
+        isProcessing: false,
+        reason: "Idempotency key failed custom validation"
+      };
+    }
+  }
+  const cacheKey = await createCacheKey(key, req, hashBody);
+  const cached = await store.get(cacheKey);
+  if (cached) {
+    return {
+      key,
+      fromCache: true,
+      cachedResponse: cached,
+      isProcessing: false
+    };
+  }
+  const isProcessing = await store.isProcessing(cacheKey);
+  return {
+    key,
+    fromCache: false,
+    isProcessing,
+    reason: isProcessing ? "Request is currently being processed" : void 0
+  };
+}
+async function cacheResponse(key, req, response, options = {}) {
+  const {
+    store = getGlobalIdempotencyStore(),
+    ttl = DEFAULT_IDEMPOTENCY_OPTIONS.ttl,
+    hashRequestBody: hashBody = DEFAULT_IDEMPOTENCY_OPTIONS.hashRequestBody
+  } = options;
+  const cacheKey = await createCacheKey(key, req, hashBody);
+  const cloned = response.clone();
+  const body = await cloned.text();
+  const headers = {};
+  response.headers.forEach((value, name) => {
+    headers[name] = value;
+  });
+  const cachedResponse = {
+    status: response.status,
+    headers,
+    body,
+    cachedAt: Date.now()
+  };
+  await store.set(cacheKey, cachedResponse, ttl);
+  await store.endProcessing(cacheKey);
+}
+function createResponseFromCache(cached) {
+  const headers = new Headers(cached.headers);
+  headers.set("x-idempotency-replayed", "true");
+  headers.set("x-idempotency-cached-at", new Date(cached.cachedAt).toISOString());
+  return new Response(cached.body, {
+    status: cached.status,
+    headers
+  });
+}
+function defaultErrorResponse(reason) {
+  return new Response(
+    JSON.stringify({
+      error: "Bad Request",
+      message: reason,
+      code: "IDEMPOTENCY_ERROR"
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+async function waitForLock(store, cacheKey, maxWaitTime, pollInterval = 100) {
+  const startTime = Date.now();
+  while (Date.now() - startTime < maxWaitTime) {
+    const cached = await store.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const isProcessing = await store.isProcessing(cacheKey);
+    if (!isProcessing) {
+      return null;
+    }
+    await new Promise((resolve) => setTimeout(resolve, pollInterval));
+  }
+  return null;
+}
+function withIdempotency(handler, options = {}) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const {
+      store = getGlobalIdempotencyStore(),
+      methods = DEFAULT_IDEMPOTENCY_OPTIONS.methods,
+      hashRequestBody: hashBody = DEFAULT_IDEMPOTENCY_OPTIONS.hashRequestBody,
+      lockTimeout = DEFAULT_IDEMPOTENCY_OPTIONS.lockTimeout,
+      waitForLock: shouldWait = DEFAULT_IDEMPOTENCY_OPTIONS.waitForLock,
+      maxWaitTime = DEFAULT_IDEMPOTENCY_OPTIONS.maxWaitTime,
+      onError,
+      onCacheHit
+    } = options;
+    const method = req.method.toUpperCase();
+    if (!methods.includes(method)) {
+      return handler(req, ctx);
+    }
+    const result = await checkIdempotency(req, options);
+    if (result.reason && !result.isProcessing) {
+      const errorHandler = onError || defaultErrorResponse;
+      return errorHandler(result.reason);
+    }
+    if (result.fromCache && result.cachedResponse) {
+      if (onCacheHit) {
+        onCacheHit(result.key, result.cachedResponse);
+      }
+      return createResponseFromCache(result.cachedResponse);
+    }
+    if (!result.key) {
+      return handler(req, ctx);
+    }
+    const cacheKey = await createCacheKey(result.key, req, hashBody);
+    if (result.isProcessing) {
+      if (shouldWait) {
+        const cached = await waitForLock(store, cacheKey, maxWaitTime);
+        if (cached) {
+          if (onCacheHit) {
+            onCacheHit(result.key, cached);
+          }
+          return createResponseFromCache(cached);
+        }
+      }
+      return new Response(
+        JSON.stringify({
+          error: "Conflict",
+          message: "Request with this idempotency key is currently being processed",
+          code: "IDEMPOTENCY_CONFLICT"
+        }),
+        {
+          status: 409,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    const acquired = await store.startProcessing(cacheKey, lockTimeout);
+    if (!acquired) {
+      if (shouldWait) {
+        const cached = await waitForLock(store, cacheKey, maxWaitTime);
+        if (cached) {
+          if (onCacheHit) {
+            onCacheHit(result.key, cached);
+          }
+          return createResponseFromCache(cached);
+        }
+      }
+      return new Response(
+        JSON.stringify({
+          error: "Conflict",
+          message: "Request with this idempotency key is currently being processed",
+          code: "IDEMPOTENCY_CONFLICT"
+        }),
+        {
+          status: 409,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    try {
+      const response = await handler(req, ctx);
+      if (response.status >= 200 && response.status < 300) {
+        await cacheResponse(result.key, req, response, options);
+      } else {
+        await store.endProcessing(cacheKey);
+      }
+      return response;
+    } catch (error) {
+      await store.endProcessing(cacheKey);
+      throw error;
+    }
+  };
+}
+function addIdempotencyHeader(headers = {}, options = {}) {
+  const { headerName = "idempotency-key", key = generateIdempotencyKey() } = options;
+  return {
+    ...headers,
+    [headerName]: key
+  };
+}
+
+// src/middleware/api/middleware.ts
+async function checkAPIProtection(req, options) {
+  const result = {
+    passed: true
+  };
+  if (options.timestamp !== false) {
+    const timestampResult = validateTimestamp(req, options.timestamp);
+    result.timestamp = timestampResult;
+    if (!timestampResult.valid) {
+      result.passed = false;
+      result.error = {
+        type: "timestamp",
+        message: timestampResult.reason || "Invalid timestamp"
+      };
+      return result;
+    }
+  }
+  if (options.replay !== false) {
+    const replayOpts = options.replay;
+    const replayResult = await checkReplay(req, {
+      ...replayOpts,
+      store: replayOpts.store || getGlobalNonceStore()
+    });
+    result.replay = replayResult;
+    if (replayResult.isReplay) {
+      result.passed = false;
+      result.error = {
+        type: "replay",
+        message: "Request replay detected",
+        details: { nonce: replayResult.nonce }
+      };
+      return result;
+    }
+    if (replayResult.reason && replayOpts.required !== false) {
+      result.passed = false;
+      result.error = {
+        type: "replay",
+        message: replayResult.reason
+      };
+      return result;
+    }
+  }
+  if (options.signing !== false) {
+    const signingOpts = options.signing;
+    const signingResult = await verifySignature(req, signingOpts);
+    result.signing = signingResult;
+    if (!signingResult.valid) {
+      result.passed = false;
+      result.error = {
+        type: "signing",
+        message: signingResult.reason || "Invalid signature"
+      };
+      return result;
+    }
+  }
+  if (options.versioning !== false) {
+    const versioningOpts = options.versioning;
+    const versionResult = validateVersion(req, versioningOpts);
+    result.version = versionResult;
+    if (!versionResult.valid) {
+      result.passed = false;
+      result.error = {
+        type: "versioning",
+        message: versionResult.reason || "Unsupported version",
+        details: { version: versionResult.version }
+      };
+      return result;
+    }
+  }
+  if (options.idempotency !== false) {
+    const idempotencyOpts = options.idempotency;
+    const idempotencyResult = await checkIdempotency(req, {
+      ...idempotencyOpts,
+      store: idempotencyOpts.store || getGlobalIdempotencyStore()
+    });
+    result.idempotency = idempotencyResult;
+    if (idempotencyResult.reason && !idempotencyResult.isProcessing && !idempotencyResult.fromCache) {
+      if (idempotencyOpts.required) {
+        result.passed = false;
+        result.error = {
+          type: "idempotency",
+          message: idempotencyResult.reason,
+          details: { key: idempotencyResult.key }
+        };
+        return result;
+      }
+    }
+  }
+  return result;
+}
+function defaultErrorResponse2(error) {
+  const statusMap = {
+    signing: 401,
+    replay: 403,
+    timestamp: 400,
+    versioning: 400,
+    idempotency: 400
+  };
+  const codeMap = {
+    signing: "INVALID_SIGNATURE",
+    replay: "REPLAY_DETECTED",
+    timestamp: "INVALID_TIMESTAMP",
+    versioning: "UNSUPPORTED_VERSION",
+    idempotency: "IDEMPOTENCY_ERROR"
+  };
+  return new Response(
+    JSON.stringify({
+      error: error.type === "signing" ? "Unauthorized" : error.type === "replay" ? "Forbidden" : "Bad Request",
+      message: error.message,
+      code: codeMap[error.type],
+      ...error.details || {}
+    }),
+    {
+      status: statusMap[error.type],
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function withAPIProtection(handler, options) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const result = await checkAPIProtection(req, options);
+    if (!result.passed && result.error) {
+      const onError = options.onError || defaultErrorResponse2;
+      return onError(result.error);
+    }
+    if (result.idempotency?.fromCache && result.idempotency.cachedResponse) {
+      const idempotencyOpts = options.idempotency;
+      if (idempotencyOpts.onCacheHit) {
+        idempotencyOpts.onCacheHit(result.idempotency.key, result.idempotency.cachedResponse);
+      }
+      return createResponseFromCache(result.idempotency.cachedResponse);
+    }
+    if (result.idempotency?.isProcessing) {
+      return new Response(
+        JSON.stringify({
+          error: "Conflict",
+          message: "Request with this idempotency key is currently being processed",
+          code: "IDEMPOTENCY_CONFLICT"
+        }),
+        {
+          status: 409,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    let response = await handler(req, ctx);
+    if (result.version?.status === "deprecated") {
+      const versioningOpts = options.versioning;
+      if (versioningOpts.addDeprecationHeaders !== false) {
+        response = addDeprecationHeaders(response, result.version.version, result.version.sunsetDate);
+      }
+      if (versioningOpts.onDeprecated) {
+        versioningOpts.onDeprecated(result.version.version, result.version.sunsetDate);
+      }
+    }
+    if (result.idempotency?.key && options.idempotency !== false) {
+      const idempotencyOpts = options.idempotency;
+      if (response.status >= 200 && response.status < 300) {
+        await cacheResponse(result.idempotency.key, req, response, idempotencyOpts);
+      }
+    }
+    return response;
+  };
+}
+function withAPIProtectionPreset(handler, preset, overrides = {}) {
+  const presetConfig = API_PROTECTION_PRESETS[preset];
+  const mergedOptions = {
+    ...presetConfig,
+    ...overrides
+  };
+  if (presetConfig.signing && typeof presetConfig.signing === "object" && overrides.signing && typeof overrides.signing === "object") {
+    mergedOptions.signing = { ...presetConfig.signing, ...overrides.signing };
+  }
+  if (presetConfig.replay && typeof presetConfig.replay === "object" && overrides.replay && typeof overrides.replay === "object") {
+    mergedOptions.replay = { ...presetConfig.replay, ...overrides.replay };
+  }
+  if (presetConfig.timestamp && typeof presetConfig.timestamp === "object" && overrides.timestamp && typeof overrides.timestamp === "object") {
+    mergedOptions.timestamp = { ...presetConfig.timestamp, ...overrides.timestamp };
+  }
+  if (presetConfig.idempotency && typeof presetConfig.idempotency === "object" && overrides.idempotency && typeof overrides.idempotency === "object") {
+    mergedOptions.idempotency = { ...presetConfig.idempotency, ...overrides.idempotency };
+  }
+  return withAPIProtection(handler, mergedOptions);
+}
+
+exports.API_PROTECTION_PRESETS = API_PROTECTION_PRESETS;
+exports.DEFAULT_IDEMPOTENCY_OPTIONS = DEFAULT_IDEMPOTENCY_OPTIONS;
+exports.DEFAULT_REPLAY_OPTIONS = DEFAULT_REPLAY_OPTIONS;
+exports.DEFAULT_SIGNING_OPTIONS = DEFAULT_SIGNING_OPTIONS;
+exports.DEFAULT_TIMESTAMP_OPTIONS = DEFAULT_TIMESTAMP_OPTIONS;
+exports.DEFAULT_VERSIONING_OPTIONS = DEFAULT_VERSIONING_OPTIONS;
+exports.MemoryIdempotencyStore = MemoryIdempotencyStore;
+exports.MemoryNonceStore = MemoryNonceStore;
+exports.addDeprecationHeaders = addDeprecationHeaders;
+exports.addIdempotencyHeader = addIdempotencyHeader;
+exports.addNonceHeader = addNonceHeader;
+exports.addTimestampHeader = addTimestampHeader;
+exports.buildCanonicalString = buildCanonicalString;
+exports.cacheResponse = cacheResponse;
+exports.checkAPIProtection = checkAPIProtection;
+exports.checkIdempotency = checkIdempotency;
+exports.checkReplay = checkReplay;
+exports.compareVersions = compareVersions;
+exports.createCacheKey = createCacheKey;
+exports.createHMAC = createHMAC;
+exports.createNonce = generateNonce;
+exports.createResponseFromCache = createResponseFromCache;
+exports.createVersionRouter = createVersionRouter;
+exports.extractIdempotencyKey = extractIdempotencyKey;
+exports.extractNonce = extractNonce;
+exports.extractTimestamp = extractTimestamp;
+exports.extractVersion = extractVersion;
+exports.extractVersionMultiSource = extractVersionMultiSource;
+exports.formatTimestamp = formatTimestamp;
+exports.generateIdempotencyKey = generateIdempotencyKey;
+exports.generateNonce = generateNonce2;
+exports.generateSignature = generateSignature;
+exports.generateSignatureHeaders = generateSignatureHeaders;
+exports.getGlobalIdempotencyStore = getGlobalIdempotencyStore;
+exports.getGlobalNonceStore = getGlobalNonceStore;
+exports.getRequestAge = getRequestAge;
+exports.getVersionStatus = getVersionStatus;
+exports.hashRequestBody = hashRequestBody;
+exports.isTimestampValid = isTimestampValid;
+exports.isValidIdempotencyKey = isValidIdempotencyKey;
+exports.isValidNonceFormat = isValidNonceFormat;
+exports.isVersionAtLeast = isVersionAtLeast;
+exports.isVersionSupported = isVersionSupported;
+exports.normalizeVersion = normalizeVersion;
+exports.parseTimestamp = parseTimestamp;
+exports.timingSafeEqual = timingSafeEqual;
+exports.validateTimestamp = validateTimestamp;
+exports.validateVersion = validateVersion;
+exports.verifySignature = verifySignature;
+exports.withAPIProtection = withAPIProtection;
+exports.withAPIProtectionPreset = withAPIProtectionPreset;
+exports.withAPIVersion = withAPIVersion;
+exports.withIdempotency = withIdempotency;
+exports.withReplayPrevention = withReplayPrevention;
+exports.withRequestSigning = withRequestSigning;
+exports.withTimestamp = withTimestamp;
+//# sourceMappingURL=api.cjs.map
+//# sourceMappingURL=api.cjs.map