qhttpx 1.8.0

package/src/middleware/compression.ts

@@ -0,0 +1,147 @@
+import { QHTTPXMiddleware } from '../core/types';
+import zlib from 'zlib';
+
+export type CompressionOptions = {
+  threshold?: number; // Minimum size in bytes to compress
+  level?: number; // Zlib compression level
+};
+
+export function createCompressionMiddleware(options: CompressionOptions = {}): QHTTPXMiddleware {
+  const threshold = options.threshold ?? 1024;
+  const level = options.level ?? zlib.constants.Z_DEFAULT_COMPRESSION;
+
+  return async (ctx, next) => {
+    const req = ctx.req;
+    const res = ctx.res;
+    const acceptEncoding = req.headers['accept-encoding'] || '';
+
+    let stream: zlib.Gzip | zlib.BrotliCompress | zlib.Deflate | undefined;
+    let encoding = '';
+
+    if (/\bbr\b/.test(acceptEncoding as string)) {
+      stream = zlib.createBrotliCompress({
+        params: {
+          [zlib.constants.BROTLI_PARAM_QUALITY]: level,
+        },
+      });
+      encoding = 'br';
+    } else if (/\bgzip\b/.test(acceptEncoding as string)) {
+      stream = zlib.createGzip({ level });
+      encoding = 'gzip';
+    } else if (/\bdeflate\b/.test(acceptEncoding as string)) {
+      stream = zlib.createDeflate({ level });
+      encoding = 'deflate';
+    }
+
+    if (!stream) {
+      await next();
+      return;
+    }
+
+    const originalWrite = res.write;
+    const originalEnd = res.end;
+    // const originalSetHeader = res.setHeader;
+
+    // We need to defer compression decision until we know the content type/length
+    // But since we are streaming, we might just start compressing if headers are sent?
+    // Actually, we can hook into write/end.
+
+    let headersSent = false;
+    let compress = false;
+
+    // Helper to check if we should compress based on content-type
+    const shouldCompress = () => {
+      const contentType = res.getHeader('content-type');
+      if (!contentType) return true; // Assume yes if unknown? Or no? Usually text/json is compressed.
+      const type = String(contentType).toLowerCase();
+      
+      if (type.includes('text/event-stream')) {
+        return false;
+      }
+
+      return (
+        type.includes('text') ||
+        type.includes('json') ||
+        type.includes('xml') ||
+        type.includes('javascript') ||
+        type.includes('svg')
+      );
+    };
+
+    // Override write
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    res.write = function (chunk: any, ...args: any[]): boolean {
+      if (!headersSent) {
+        if (shouldCompress()) {
+          compress = true;
+          // Disable auto-end because we handle the stream asynchronously
+          ctx.disableAutoEnd = true;
+          res.setHeader('Content-Encoding', encoding);
+          res.removeHeader('Content-Length');
+          res.setHeader('Vary', 'Accept-Encoding');
+          
+          stream!.on('data', (data) => {
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            (originalWrite as any).call(res, data);
+          });
+          stream!.on('end', () => {
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            (originalEnd as any).call(res);
+          });
+        } else {
+          compress = false;
+        }
+        headersSent = true;
+      }
+
+      if (compress && stream) {
+        return stream.write(chunk, ...(args as [BufferEncoding, (error: Error | null | undefined) => void]));
+      } else {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        return (originalWrite as any).apply(res, [chunk, ...args]);
+      }
+    };
+
+    // Override end
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    res.end = function (chunk?: any, ...args: any[]): any {
+      if (!headersSent) {
+        const len = chunk ? Buffer.byteLength(chunk) : 0;
+
+        if (shouldCompress() && len >= threshold) {
+          compress = true;
+          // Disable auto-end because we handle the stream asynchronously
+          ctx.disableAutoEnd = true;
+          res.setHeader('Content-Encoding', encoding);
+          res.removeHeader('Content-Length');
+          res.setHeader('Vary', 'Accept-Encoding');
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          stream!.on('data', (data) => (originalWrite as any).call(res, data));
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          stream!.on('end', () => (originalEnd as any).call(res));
+        } else {
+          compress = false;
+        }
+        headersSent = true;
+      }
+
+      if (compress && stream) {
+        if (chunk) stream.write(chunk);
+        stream.end();
+      } else {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        return (originalEnd as any).apply(res, [chunk, ...args]);
+      }
+      return res;
+    };
+
+    // Fix for the pipe issue:
+    // If we set compress=true, we should pipe stream to res ONCE.
+    // If we use { end: false }, we must manually end res.
+    // If we use { end: true }, stream.end() will end res.
+    
+    // Let's refine the logic.
+
+    await next();
+  };
+}

package/src/middleware/cors.ts

@@ -0,0 +1,98 @@
+import { QHTTPXMiddleware } from '../core/types';
+
+export type CorsOrigin =
+  | string
+  | string[]
+  | ((origin: string | undefined) => string | null | undefined);
+
+export type CorsOptions = {
+  origin?: CorsOrigin;
+  methods?: string[];
+  allowedHeaders?: string[];
+  exposedHeaders?: string[];
+  credentials?: boolean;
+  maxAgeSeconds?: number;
+};
+
+function resolveOrigin(origin: CorsOrigin | undefined, requestOrigin: string | undefined): string | null | undefined {
+  if (!origin) {
+    return '*';
+  }
+  if (typeof origin === 'string') {
+    return origin;
+  }
+  if (Array.isArray(origin)) {
+    if (!requestOrigin) {
+      return null;
+    }
+    if (origin.includes(requestOrigin)) {
+      return requestOrigin;
+    }
+    return null;
+  }
+  return origin(requestOrigin);
+}
+
+export function createCorsMiddleware(options: CorsOptions = {}): QHTTPXMiddleware {
+  const methodsHeader =
+    options.methods && options.methods.length > 0
+      ? options.methods.join(', ')
+      : 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS';
+
+  const allowedHeadersHeader =
+    options.allowedHeaders && options.allowedHeaders.length > 0
+      ? options.allowedHeaders.join(', ')
+      : undefined;
+
+  const exposedHeadersHeader =
+    options.exposedHeaders && options.exposedHeaders.length > 0
+      ? options.exposedHeaders.join(', ')
+      : undefined;
+
+  const maxAgeHeader =
+    typeof options.maxAgeSeconds === 'number'
+      ? String(options.maxAgeSeconds)
+      : undefined;
+
+  const allowCredentials = options.credentials ?? false;
+
+  return async (ctx, next) => {
+    const requestOriginHeader = ctx.req.headers.origin;
+    const resolvedOrigin = resolveOrigin(options.origin, requestOriginHeader);
+
+    if (resolvedOrigin) {
+      ctx.res.setHeader('access-control-allow-origin', resolvedOrigin);
+      if (allowCredentials) {
+        ctx.res.setHeader('access-control-allow-credentials', 'true');
+      }
+      if (exposedHeadersHeader) {
+        ctx.res.setHeader('access-control-expose-headers', exposedHeadersHeader);
+      }
+    }
+
+    if (ctx.req.method === 'OPTIONS') {
+      ctx.res.statusCode = 204;
+      ctx.res.setHeader('access-control-allow-methods', methodsHeader);
+
+      const requestHeaders =
+        typeof ctx.req.headers['access-control-request-headers'] === 'string'
+          ? ctx.req.headers['access-control-request-headers']
+          : undefined;
+
+      const headersValue = allowedHeadersHeader || requestHeaders;
+      if (headersValue) {
+        ctx.res.setHeader('access-control-allow-headers', headersValue);
+      }
+
+      if (maxAgeHeader) {
+        ctx.res.setHeader('access-control-max-age', maxAgeHeader);
+      }
+
+      ctx.res.end();
+      return;
+    }
+
+    await next();
+  };
+}
+

package/src/middleware/presets.ts

@@ -0,0 +1,50 @@
+import { QHTTPXMiddleware } from '../core/types';
+import { createSecureDefaults, SecureDefaultsOptions } from './security';
+import { createLoggerMiddleware, LoggerOptions } from '../utils/logger';
+import { createStaticMiddleware, StaticOptions } from './static';
+
+export type ApiPresetOptions = {
+  security?: SecureDefaultsOptions;
+  logging?: LoggerOptions | boolean;
+};
+
+export function createApiPreset(options: ApiPresetOptions = {}): QHTTPXMiddleware[] {
+  const middlewares: QHTTPXMiddleware[] = [];
+
+  // 1. Security (CORS, Headers)
+  middlewares.push(...createSecureDefaults(options.security));
+
+  // 2. Logging
+  if (options.logging !== false) {
+    const loggerOptions = typeof options.logging === 'object' ? options.logging : {};
+    middlewares.push(createLoggerMiddleware(loggerOptions));
+  }
+
+  return middlewares;
+}
+
+export type StaticAppPresetOptions = ApiPresetOptions & {
+  static: StaticOptions;
+};
+
+export function createStaticAppPreset(
+  options: StaticAppPresetOptions,
+): QHTTPXMiddleware[] {
+  const middlewares: QHTTPXMiddleware[] = [];
+
+  // 1. Security
+  middlewares.push(...createSecureDefaults(options.security));
+
+  // 2. Logging
+  if (options.logging !== false) {
+    const loggerOptions = typeof options.logging === 'object' ? options.logging : {};
+    middlewares.push(createLoggerMiddleware(loggerOptions));
+  }
+
+  // 3. Static Files
+  // We force fallthrough to true so API routes can handle non-static requests
+  const staticOptions = { ...options.static, fallthrough: true };
+  middlewares.push(createStaticMiddleware(staticOptions));
+
+  return middlewares;
+}

package/src/middleware/rate-limit.ts

@@ -0,0 +1,106 @@
+import type { QHTTPXContext, QHTTPXMiddleware } from '../core/types';
+
+export interface RateLimitStore {
+  increment(key: string, windowMs: number): Promise<{ total: number; resetTime: number }>;
+  decrement(key: string): Promise<void>;
+  reset(key: string): Promise<void>;
+}
+
+export class MemoryStore implements RateLimitStore {
+  private hits = new Map<string, { count: number; resetTime: number }>();
+  private interval?: NodeJS.Timeout;
+
+  constructor(clearPeriodMs = 60000) {
+    // Cleanup expired entries periodically
+    if (clearPeriodMs > 0) {
+      this.interval = setInterval(() => this.cleanup(), clearPeriodMs);
+      this.interval.unref(); // Don't hold process open
+    }
+  }
+
+  async increment(key: string, windowMs: number): Promise<{ total: number; resetTime: number }> {
+    const now = Date.now();
+    let record = this.hits.get(key);
+
+    if (!record || now > record.resetTime) {
+      record = { count: 1, resetTime: now + windowMs };
+      this.hits.set(key, record);
+    } else {
+      record.count++;
+    }
+
+    return { total: record.count, resetTime: record.resetTime };
+  }
+
+  async decrement(key: string): Promise<void> {
+    const record = this.hits.get(key);
+    if (record && record.count > 0) {
+      record.count--;
+    }
+  }
+
+  async reset(key: string): Promise<void> {
+    this.hits.delete(key);
+  }
+
+  private cleanup() {
+    const now = Date.now();
+    for (const [key, record] of this.hits.entries()) {
+      if (now > record.resetTime) {
+        this.hits.delete(key);
+      }
+    }
+  }
+}
+
+export interface RateLimitOptions {
+  windowMs?: number; // Time window in milliseconds
+  max?: number; // Max requests per window
+  message?: string | object; // Response message
+  statusCode?: number; // Status code (default 429)
+  headers?: boolean; // Send X-RateLimit headers
+  keyGenerator?: (ctx: QHTTPXContext) => string; // Custom key generator
+  skip?: (ctx: QHTTPXContext) => boolean; // Skip limiter
+  store?: RateLimitStore; // Storage backend
+}
+
+export const rateLimit = (options: RateLimitOptions = {}): QHTTPXMiddleware => {
+  const windowMs = options.windowMs ?? 60000; // 1 minute default
+  const max = options.max ?? 100; // 100 requests default
+  const message = options.message ?? 'Too many requests, please try again later.';
+  const statusCode = options.statusCode ?? 429;
+  const headers = options.headers ?? true;
+  const store = options.store ?? new MemoryStore();
+  
+  const keyGenerator = options.keyGenerator ?? ((ctx: QHTTPXContext) => {
+    return ctx.req.socket.remoteAddress || 'unknown';
+  });
+
+  return async (ctx, next) => {
+    if (options.skip?.(ctx)) {
+      return next();
+    }
+
+    const key = keyGenerator(ctx);
+    const { total, resetTime } = await store.increment(key, windowMs);
+
+    const remaining = Math.max(0, max - total);
+    const resetSeconds = Math.ceil((resetTime - Date.now()) / 1000);
+
+    if (headers) {
+      ctx.res.setHeader('X-RateLimit-Limit', max);
+      ctx.res.setHeader('X-RateLimit-Remaining', remaining);
+      ctx.res.setHeader('X-RateLimit-Reset', resetSeconds);
+    }
+
+    if (total > max) {
+      if (headers) {
+        ctx.res.setHeader('Retry-After', resetSeconds);
+      }
+      ctx.json(typeof message === 'string' ? { error: message } : message, statusCode);
+      return;
+    }
+
+    await next();
+  };
+};

package/src/middleware/security.ts

@@ -0,0 +1,109 @@
+import { QHTTPXContext, QHTTPXMiddleware } from '../core/types';
+import { CorsOptions, createCorsMiddleware } from './cors';
+
+export type SecurityHeadersOptions = {
+  contentSecurityPolicy?: string | null;
+  referrerPolicy?: string | null;
+  xFrameOptions?: 'DENY' | 'SAMEORIGIN' | null;
+  xContentTypeOptions?: 'nosniff' | null;
+  xXssProtection?: '0' | '1; mode=block' | null;
+  strictTransportSecurity?: string | null;
+};
+
+export function createSecurityHeadersMiddleware(
+  options: SecurityHeadersOptions = {},
+): QHTTPXMiddleware {
+  const {
+    contentSecurityPolicy = "default-src 'self'",
+    referrerPolicy = 'no-referrer',
+    xFrameOptions = 'SAMEORIGIN',
+    xContentTypeOptions = 'nosniff',
+    xXssProtection = '1; mode=block',
+    strictTransportSecurity,
+  } = options;
+
+  return async (ctx, next) => {
+    if (contentSecurityPolicy) {
+      ctx.res.setHeader('content-security-policy', contentSecurityPolicy);
+    }
+    if (referrerPolicy) {
+      ctx.res.setHeader('referrer-policy', referrerPolicy);
+    }
+    if (xFrameOptions) {
+      ctx.res.setHeader('x-frame-options', xFrameOptions);
+    }
+    if (xContentTypeOptions) {
+      ctx.res.setHeader('x-content-type-options', xContentTypeOptions);
+    }
+    if (xXssProtection) {
+      ctx.res.setHeader('x-xss-protection', xXssProtection);
+    }
+    if (strictTransportSecurity) {
+      ctx.res.setHeader('strict-transport-security', strictTransportSecurity);
+    }
+
+    await next();
+  };
+}
+
+export type SecureDefaultsOptions = {
+  cors?: CorsOptions;
+  securityHeaders?: SecurityHeadersOptions;
+};
+
+export function createSecureDefaults(
+  options: SecureDefaultsOptions = {},
+): QHTTPXMiddleware[] {
+  const middlewares: QHTTPXMiddleware[] = [];
+  middlewares.push(createCorsMiddleware(options.cors));
+  middlewares.push(createSecurityHeadersMiddleware(options.securityHeaders));
+  return middlewares;
+}
+
+export type RateLimitOptions = {
+  maxRequests: number;
+  windowMs: number;
+  keyGenerator?: (ctx: QHTTPXContext) => string;
+};
+
+export function createRateLimitMiddleware(
+  options: RateLimitOptions,
+): QHTTPXMiddleware {
+  const maxRequests = options.maxRequests;
+  const windowMs = options.windowMs;
+  const keyGenerator =
+    options.keyGenerator ??
+    ((ctx: QHTTPXContext) => {
+      const addr = ctx.req.socket.remoteAddress;
+      return addr || 'anonymous';
+    });
+
+  const buckets = new Map<string, { count: number; resetAt: number }>();
+
+  return async (ctx, next) => {
+    const now = Date.now();
+    const key = keyGenerator(ctx);
+    const existing = buckets.get(key);
+
+    let bucket = existing;
+    if (!bucket || bucket.resetAt <= now) {
+      bucket = {
+        count: 0,
+        resetAt: now + windowMs,
+      };
+      buckets.set(key, bucket);
+    }
+
+    bucket.count += 1;
+    if (bucket.count > maxRequests) {
+      if (!ctx.res.headersSent) {
+        ctx.res.statusCode = 429;
+        ctx.res.setHeader('content-type', 'text/plain; charset=utf-8');
+      }
+      ctx.res.end('Too Many Requests');
+      return;
+    }
+
+    await next();
+  };
+}