radiant-docs 0.1.62 → 0.1.63

package/template/src/lib/dev-playground-proxy.mjs

@@ -0,0 +1,597 @@
+import dns from "node:dns/promises";
+import net from "node:net";
+import path from "node:path";
+import { Readable } from "node:stream";
+import {
+  buildAllowedOrigins,
+  normalizeAllowedOrigin,
+} from "./proxy-allowed-origins.mjs";
+
+const PROXY_PATHNAME = "/_platform/proxy";
+const POLICY_CACHE_TTL_MS = 30_000;
+const MAX_REQUEST_BODY_BYTES = 10 * 1024 * 1024;
+const PROXY_TIMEOUT_MS = 30_000;
+const MAX_REDIRECTS = 5;
+
+const DROP_REQUEST_HEADERS = new Set([
+  "accept-encoding",
+  "connection",
+  "cookie",
+  "cf-connecting-ip",
+  "cf-worker",
+  "host",
+  "keep-alive",
+  "origin",
+  "proxy-connection",
+  "referer",
+  "sec-fetch-dest",
+  "sec-fetch-mode",
+  "sec-fetch-site",
+  "sec-fetch-user",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade",
+  "x-forwarded-for",
+  "x-proxy-cookie",
+  "x-proxy-url",
+  "x-real-ip",
+]);
+
+const DROP_RESPONSE_HEADERS = new Set([
+  "connection",
+  "content-encoding",
+  "content-length",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "proxy-connection",
+  "set-cookie",
+  "set-cookie2",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade",
+]);
+
+const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
+
+class ProxyRequestError extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+  }
+}
+
+function normalizePathname(pathname) {
+  const normalized = pathname.replace(/\/{2,}/g, "/").replace(/\/+$/, "");
+  return normalized || "/";
+}
+
+function stripBasePath(pathname, basePath) {
+  const normalizedBase = normalizePathname(basePath || "/");
+  if (normalizedBase === "/") {
+    return pathname;
+  }
+
+  if (pathname === normalizedBase) {
+    return "/";
+  }
+
+  if (pathname.startsWith(`${normalizedBase}/`)) {
+    return pathname.slice(normalizedBase.length) || "/";
+  }
+
+  return pathname;
+}
+
+function normalizeHostname(hostname) {
+  return hostname
+    .trim()
+    .toLowerCase()
+    .replace(/^\[/, "")
+    .replace(/\]$/, "")
+    .replace(/\.$/, "");
+}
+
+function parseIpv4Address(address) {
+  const parts = address.split(".");
+  if (parts.length !== 4) {
+    return null;
+  }
+
+  const bytes = [];
+  for (const part of parts) {
+    if (!/^\d+$/.test(part)) {
+      return null;
+    }
+
+    const byte = Number(part);
+    if (!Number.isInteger(byte) || byte < 0 || byte > 255) {
+      return null;
+    }
+    bytes.push(byte);
+  }
+
+  return bytes;
+}
+
+function isPrivateIpv4Address(address) {
+  const bytes = parseIpv4Address(address);
+  if (!bytes) {
+    return false;
+  }
+
+  const [a, b] = bytes;
+  return (
+    a === 0 ||
+    a === 10 ||
+    a === 127 ||
+    (a === 100 && b >= 64 && b <= 127) ||
+    (a === 169 && b === 254) ||
+    (a === 172 && b >= 16 && b <= 31) ||
+    (a === 192 && b === 168) ||
+    (a === 198 && (b === 18 || b === 19)) ||
+    a >= 224
+  );
+}
+
+function isBlockedIpv6Address(address) {
+  const normalized = normalizeHostname(address);
+  if (
+    normalized === "::" ||
+    normalized === "::1" ||
+    normalized.startsWith("fe80:") ||
+    normalized.startsWith("fe90:") ||
+    normalized.startsWith("fea0:") ||
+    normalized.startsWith("feb0:") ||
+    normalized.startsWith("fc") ||
+    normalized.startsWith("fd")
+  ) {
+    return true;
+  }
+
+  const mappedIpv4 = normalized.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
+  return mappedIpv4 ? isPrivateIpv4Address(mappedIpv4[1]) : false;
+}
+
+function isLocalHostname(hostname) {
+  const normalized = normalizeHostname(hostname);
+  return (
+    normalized === "localhost" ||
+    normalized.endsWith(".localhost") ||
+    normalized.endsWith(".local")
+  );
+}
+
+function isPrivateOrLocalHostname(hostname) {
+  const normalized = normalizeHostname(hostname);
+  if (isLocalHostname(normalized)) {
+    return true;
+  }
+
+  const ipType = net.isIP(normalized);
+  if (ipType === 4) {
+    return isPrivateIpv4Address(normalized);
+  }
+  if (ipType === 6) {
+    return isBlockedIpv6Address(normalized);
+  }
+
+  return false;
+}
+
+async function hostnameResolvesToPrivateAddress(hostname) {
+  const normalized = normalizeHostname(hostname);
+  if (net.isIP(normalized)) {
+    return isPrivateOrLocalHostname(normalized);
+  }
+
+  const addresses = await dns.lookup(normalized, {
+    all: true,
+    verbatim: true,
+  });
+
+  return addresses.some(({ address }) => isPrivateOrLocalHostname(address));
+}
+
+function isLoopbackAddress(address) {
+  if (!address) {
+    return false;
+  }
+
+  const normalized = normalizeHostname(address);
+  if (normalized === "::1") {
+    return true;
+  }
+
+  if (normalized.startsWith("::ffff:")) {
+    return isLoopbackAddress(normalized.slice("::ffff:".length));
+  }
+
+  return normalized.startsWith("127.");
+}
+
+function isLocalOrigin(origin) {
+  try {
+    const parsed = new URL(origin);
+    const hostname = normalizeHostname(parsed.hostname);
+    return (
+      hostname === "localhost" ||
+      hostname === "::1" ||
+      hostname === "127.0.0.1" ||
+      hostname.endsWith(".localhost")
+    );
+  } catch {
+    return false;
+  }
+}
+
+function getRequestHeader(request, name) {
+  const value = request.headers[name.toLowerCase()];
+  if (Array.isArray(value)) {
+    return value[0] ?? null;
+  }
+  return typeof value === "string" ? value : null;
+}
+
+function buildCorsHeaders(request) {
+  const origin = getRequestHeader(request, "origin");
+  if (!origin || !isLocalOrigin(origin)) {
+    return {};
+  }
+
+  return {
+    "Access-Control-Allow-Headers":
+      "Content-Type, Authorization, x-proxy-url, x-proxy-cookie",
+    "Access-Control-Allow-Methods": "GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS",
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Max-Age": "600",
+    Vary: "Origin",
+  };
+}
+
+function writeTextResponse(response, status, message, headers = {}) {
+  response.writeHead(status, {
+    "Cache-Control": "no-store",
+    "Content-Type": "text/plain; charset=utf-8",
+    ...headers,
+  });
+  response.end(message);
+}
+
+function isAllowedIncomingRequest(request) {
+  if (!isLoopbackAddress(request.socket.remoteAddress)) {
+    return false;
+  }
+
+  const origin = getRequestHeader(request, "origin");
+  return !origin || isLocalOrigin(origin);
+}
+
+function readRequestBody(request) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let totalBytes = 0;
+
+    request.on("data", (chunk) => {
+      totalBytes += chunk.length;
+      if (totalBytes > MAX_REQUEST_BODY_BYTES) {
+        reject(new ProxyRequestError(413, "Request body is too large"));
+        request.destroy();
+        return;
+      }
+      chunks.push(chunk);
+    });
+
+    request.on("end", () => {
+      resolve(Buffer.concat(chunks));
+    });
+
+    request.on("error", reject);
+  });
+}
+
+function buildForwardedHeaders(request) {
+  const headers = new Headers();
+
+  for (const [name, value] of Object.entries(request.headers)) {
+    const lowerName = name.toLowerCase();
+    if (DROP_REQUEST_HEADERS.has(lowerName)) {
+      continue;
+    }
+
+    if (lowerName.startsWith("sec-")) {
+      continue;
+    }
+
+    if (Array.isArray(value)) {
+      for (const item of value) {
+        headers.append(name, item);
+      }
+    } else if (typeof value === "string") {
+      headers.set(name, value);
+    }
+  }
+
+  const proxyCookieHeader = getRequestHeader(request, "x-proxy-cookie");
+  if (proxyCookieHeader) {
+    headers.set("cookie", proxyCookieHeader);
+  }
+
+  return headers;
+}
+
+async function getTargetPolicyError(target, allowedOrigins) {
+  if (target.protocol !== "https:") {
+    return "Only HTTPS proxy targets are allowed";
+  }
+
+  if (!target.hostname || target.username || target.password) {
+    return "Proxy target is invalid";
+  }
+
+  const normalizedTargetOrigin = normalizeAllowedOrigin(target.origin);
+  if (!normalizedTargetOrigin || !allowedOrigins.includes(normalizedTargetOrigin)) {
+    return "Proxy target origin is not allowed for this site";
+  }
+
+  if (isPrivateOrLocalHostname(target.hostname)) {
+    return "Proxy target is blocked";
+  }
+
+  try {
+    if (await hostnameResolvesToPrivateAddress(target.hostname)) {
+      return "Proxy target resolves to a blocked address";
+    }
+  } catch {
+    return "Proxy target hostname could not be verified";
+  }
+
+  return null;
+}
+
+async function fetchWithVerifiedRedirects(initialTarget, init, allowedOrigins) {
+  let target = initialTarget;
+  let method = init.method;
+  let body = init.body;
+  const headers = new Headers(init.headers);
+
+  for (let redirectCount = 0; redirectCount <= MAX_REDIRECTS; redirectCount += 1) {
+    const response = await fetch(target, {
+      body: ["GET", "HEAD"].includes(method) ? undefined : body,
+      headers,
+      method,
+      redirect: "manual",
+      signal: init.signal,
+    });
+
+    if (!REDIRECT_STATUSES.has(response.status)) {
+      return response;
+    }
+
+    const location = response.headers.get("location");
+    if (!location) {
+      return response;
+    }
+
+    const nextTarget = new URL(location, target);
+    const policyError = await getTargetPolicyError(nextTarget, allowedOrigins);
+    if (policyError) {
+      throw new ProxyRequestError(403, `Redirect target blocked: ${policyError}`);
+    }
+
+    if (response.status === 303 || ([301, 302].includes(response.status) && method === "POST")) {
+      method = "GET";
+      body = undefined;
+      headers.delete("content-type");
+    }
+
+    target = nextTarget;
+  }
+
+  throw new ProxyRequestError(508, "Too many redirects");
+}
+
+function writeProxyResponse(response, upstreamResponse, request) {
+  const headers = {};
+  const corsHeaders = buildCorsHeaders(request);
+
+  for (const [key, value] of upstreamResponse.headers) {
+    if (DROP_RESPONSE_HEADERS.has(key.toLowerCase())) {
+      continue;
+    }
+    headers[key] = value;
+  }
+
+  Object.assign(headers, corsHeaders, {
+    "Cache-Control": "no-store",
+  });
+
+  response.writeHead(upstreamResponse.status, headers);
+
+  if (!upstreamResponse.body) {
+    response.end();
+    return;
+  }
+
+  Readable.fromWeb(upstreamResponse.body).pipe(response);
+}
+
+function isContentDocsPath(filePath, docsDir) {
+  const relativePath = path.relative(docsDir, filePath);
+  return Boolean(relativePath) && !relativePath.startsWith("..");
+}
+
+export function createDevPlaygroundProxyPlugin({ basePath = "/" } = {}) {
+  const cwd = process.cwd();
+  const docsDir = path.join(cwd, "src/content/docs");
+  let allowedOriginsCache = null;
+  let allowedOriginsCacheTime = 0;
+  let allowedOriginsPromise = null;
+
+  function clearAllowedOriginsCache(filePath) {
+    if (typeof filePath === "string" && !isContentDocsPath(filePath, docsDir)) {
+      return;
+    }
+
+    allowedOriginsCache = null;
+    allowedOriginsCacheTime = 0;
+    allowedOriginsPromise = null;
+  }
+
+  async function getAllowedOrigins() {
+    const now = Date.now();
+    if (
+      allowedOriginsCache &&
+      now - allowedOriginsCacheTime < POLICY_CACHE_TTL_MS
+    ) {
+      return allowedOriginsCache;
+    }
+
+    if (!allowedOriginsPromise) {
+      allowedOriginsPromise = buildAllowedOrigins({
+        cwd,
+        onSourceError(source, error) {
+          console.warn(
+            `⚠️ Failed to extract OpenAPI server origins from "${source}":`,
+            error instanceof Error ? error.message : String(error),
+          );
+        },
+      });
+    }
+
+    try {
+      allowedOriginsCache = await allowedOriginsPromise;
+      allowedOriginsCacheTime = Date.now();
+      return allowedOriginsCache;
+    } finally {
+      allowedOriginsPromise = null;
+    }
+  }
+
+  async function handleProxyRequest(request, response) {
+    const requestUrl = new URL(request.url || "/", "http://localhost");
+    const routedPathname = stripBasePath(requestUrl.pathname, basePath);
+    if (routedPathname !== PROXY_PATHNAME) {
+      return false;
+    }
+
+    const corsHeaders = buildCorsHeaders(request);
+
+    if (!isAllowedIncomingRequest(request)) {
+      writeTextResponse(response, 403, "Proxy request is blocked", corsHeaders);
+      return true;
+    }
+
+    if (request.method === "OPTIONS") {
+      response.writeHead(204, corsHeaders);
+      response.end();
+      return true;
+    }
+
+    const method = (request.method || "GET").toUpperCase();
+    if (!["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE"].includes(method)) {
+      writeTextResponse(response, 405, "Method not allowed", corsHeaders);
+      return true;
+    }
+
+    const targetUrl = getRequestHeader(request, "x-proxy-url");
+    if (!targetUrl) {
+      writeTextResponse(response, 400, "Missing x-proxy-url header", corsHeaders);
+      return true;
+    }
+
+    let target;
+    try {
+      target = new URL(targetUrl);
+    } catch {
+      writeTextResponse(response, 400, "Invalid x-proxy-url value", corsHeaders);
+      return true;
+    }
+
+    const allowedOrigins = await getAllowedOrigins();
+    if (allowedOrigins.length === 0) {
+      writeTextResponse(
+        response,
+        403,
+        "No allowed proxy origins are configured for this site",
+        corsHeaders,
+      );
+      return true;
+    }
+
+    const policyError = await getTargetPolicyError(target, allowedOrigins);
+    if (policyError) {
+      writeTextResponse(response, 403, policyError, corsHeaders);
+      return true;
+    }
+
+    const forwardedHeaders = buildForwardedHeaders(request);
+    let body;
+    try {
+      body = ["GET", "HEAD"].includes(method)
+        ? undefined
+        : await readRequestBody(request);
+    } catch (error) {
+      if (error instanceof ProxyRequestError) {
+        writeTextResponse(response, error.status, error.message, corsHeaders);
+      } else {
+        writeTextResponse(response, 400, "Failed to read request body", corsHeaders);
+      }
+      return true;
+    }
+
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), PROXY_TIMEOUT_MS);
+
+    try {
+      const upstreamResponse = await fetchWithVerifiedRedirects(
+        target,
+        {
+          body,
+          headers: forwardedHeaders,
+          method,
+          signal: controller.signal,
+        },
+        allowedOrigins,
+      );
+      writeProxyResponse(response, upstreamResponse, request);
+    } catch (error) {
+      if (error instanceof ProxyRequestError) {
+        writeTextResponse(response, error.status, error.message, corsHeaders);
+      } else if (error?.name === "AbortError") {
+        writeTextResponse(response, 504, "Upstream request timed out", corsHeaders);
+      } else {
+        console.error("Local playground proxy request failed:", error);
+        writeTextResponse(response, 502, "Upstream request failed", corsHeaders);
+      }
+    } finally {
+      clearTimeout(timeout);
+    }
+
+    return true;
+  }
+
+  return {
+    name: "radiant-dev-playground-proxy",
+    configureServer(server) {
+      server.watcher.on("add", clearAllowedOriginsCache);
+      server.watcher.on("change", clearAllowedOriginsCache);
+      server.watcher.on("unlink", clearAllowedOriginsCache);
+
+      server.middlewares.use((request, response, next) => {
+        handleProxyRequest(request, response)
+          .then((handled) => {
+            if (!handled) {
+              next();
+            }
+          })
+          .catch((error) => {
+            console.error("Local playground proxy failed:", error);
+            writeTextResponse(response, 500, "Local proxy failed");
+          });
+      });
+    },
+  };
+}