react-linear-feedback 0.2.0 → 0.4.0

package/dist/server/index.d.ts

@@ -55,6 +55,11 @@ type FeedbackServerConfig = {
      * "bug" looks for a label named "bug". Labels are resolved by name at request time.
      */
     labels?: Record<string, string>;
+    /**
+     * How long resolved label name→ID lookups are cached (module scope, so warm serverless
+     * invocations reuse them). Default 10 minutes; 0 disables caching.
+     */
+    labelCacheTtlMs?: number;
 };
 type CreatedIssue = {
     id?: string;
@@ -63,26 +68,41 @@ type CreatedIssue = {
 };
 declare function createFeedbackIssue(payload: FeedbackPayload, config: FeedbackServerConfig): Promise<CreatedIssue>;
 
-type NextRouteConfig = FeedbackServerConfig & {
-    /** Restrict to a single site origin (cheap extra; not a hard auth boundary). */
+type WebHandlerConfig = FeedbackServerConfig & {
+    /**
+     * Origins allowed to call this endpoint cross-origin (exact origins, or "*"). Enables
+     * CORS (preflight + response headers) — required when the widget is embedded via the
+     * script tag on a different domain than the handler.
+     */
+    allowedOrigins?: string[];
+    /** @deprecated Use `allowedOrigins`. Restrict to a single site origin. */
     allowedOrigin?: string;
-    /** Return false to reject the request (e.g. a cookie/session check). */
+    /** Return false to reject the request (e.g. a cookie/session/token check). */
     authorize?: (req: Request) => boolean | Promise<boolean>;
 };
-declare function createNextRoute(config: NextRouteConfig): (req: Request) => Promise<Response>;
+declare function createWebHandler(config: WebHandlerConfig): (req: Request) => Promise<Response>;
 /**
  * Authorize helper: allow only requests carrying `name=value` in the Cookie header.
  *
- * Works with BOTH a Web `Request` (Next.js App Router via `createNextRoute`) and a Node
- * `IncomingMessage` (Vercel / Express via `createNodeHandler`). The two runtimes expose
- * headers differently — `headers.get("cookie")` vs the plain `headers.cookie` string — so
- * we feature-detect instead of assuming one shape. (Previously this only handled the Web
- * `Request`, so the documented `createNodeHandler` usage threw `headers.get is not a function`.)
+ * Works with BOTH a Web `Request` (createWebHandler/createNextRoute) and a Node
+ * `IncomingMessage` (createNodeHandler). The two runtimes expose headers differently —
+ * `headers.get("cookie")` vs the plain `headers.cookie` string — so we feature-detect
+ * instead of assuming one shape.
+ *
+ * Same-origin only: the gate cookie is written by `FeedbackGate` on the PAGE's origin, so it
+ * is never sent with cross-origin embed submissions. Gate embedded widgets with `headerGate`.
  */
 declare function cookieGate(name: string, value?: string): (req: Request | IncomingMessage) => boolean;
+/**
+ * Authorize helper for embedded (cross-origin) widgets: allow only requests carrying
+ * `headerName: value`. Pair it with the embed's `token` / `data-token` config, which sends
+ * the token as `x-feedback-token`. The token is visible in the page source — treat it as a
+ * tripwire against drive-by spam, not as authentication.
+ */
+declare function headerGate(value: string, headerName?: string): (req: Request | IncomingMessage) => boolean;
 
-type NodeHandlerConfig = FeedbackServerConfig & {
-    allowedOrigin?: string;
+type NodeHandlerConfig = Omit<WebHandlerConfig, "authorize"> & {
+    /** Return false to reject the request. Receives the original Node `IncomingMessage`. */
     authorize?: (req: IncomingMessage) => boolean | Promise<boolean>;
 };
 type NodeReq = IncomingMessage & {
@@ -90,4 +110,4 @@ type NodeReq = IncomingMessage & {
 };
 declare function createNodeHandler(config: NodeHandlerConfig): (req: NodeReq, res: ServerResponse) => Promise<void>;
 
-export { type CreatedIssue, type FeedbackAnnotation, type FeedbackContext, type FeedbackPayload, type FeedbackRect, type FeedbackServerConfig, type NextRouteConfig, type NodeHandlerConfig, cookieGate, createFeedbackIssue, createNextRoute, createNodeHandler };
+export { type CreatedIssue, type FeedbackAnnotation, type FeedbackContext, type FeedbackPayload, type FeedbackRect, type FeedbackServerConfig, type WebHandlerConfig as NextRouteConfig, type NodeHandlerConfig, type WebHandlerConfig, cookieGate, createFeedbackIssue, createWebHandler as createNextRoute, createNodeHandler, createWebHandler, headerGate };

package/dist/server/index.js

@@ -2,6 +2,12 @@ import { LinearClient } from '@linear/sdk';
 
 // src/server/core.ts
 var MAX_NOTE = 5e3;
+var DEFAULT_LABEL_TTL_MS = 10 * 60 * 1e3;
+var MISS_TTL_MS = 60 * 1e3;
+var labelCache = /* @__PURE__ */ new Map();
+function labelCacheKey(teamId, name) {
+  return `${teamId}:${name.toLowerCase()}`;
+}
 async function createFeedbackIssue(payload, config) {
   const { apiKey, teamId } = config;
   if (!apiKey || !teamId) throw new Error("not_configured");
@@ -34,7 +40,8 @@ async function createFeedbackIssue(payload, config) {
   ].filter(Boolean).join("\n");
   const title = `${typeLabel}: ${note.slice(0, 60)}${note.length > 60 ? "\u2026" : ""}`;
   const labelName = config.labels?.[annotation.type] ?? annotation.type;
-  const labelId = labelName ? await resolveLabelId(linear, labelName, teamId) : null;
+  const ttl = config.labelCacheTtlMs ?? DEFAULT_LABEL_TTL_MS;
+  const labelId = labelName ? await resolveLabelIdCached(linear, labelName, teamId, ttl) : null;
   if (labelName && !labelId) console.warn(`[feedback] label "${labelName}" not found \u2014 creating issue without it`);
   const create = async (ids) => {
     const created = await linear.createIssue({ teamId, title, description, labelIds: ids.length ? ids : void 0 });
@@ -42,6 +49,7 @@ async function createFeedbackIssue(payload, config) {
   };
   const issue = await create(labelId ? [labelId] : []).catch((err) => {
     if (!labelId) throw err;
+    if (labelName) labelCache.delete(labelCacheKey(teamId, labelName));
     console.warn("[feedback] create failed with label, retrying without it", err);
     return create([]);
   });
@@ -50,6 +58,15 @@ async function createFeedbackIssue(payload, config) {
 function capitalize(s) {
   return s.charAt(0).toUpperCase() + s.slice(1);
 }
+async function resolveLabelIdCached(linear, name, teamId, ttlMs) {
+  if (ttlMs <= 0) return resolveLabelId(linear, name, teamId);
+  const key = labelCacheKey(teamId, name);
+  const hit = labelCache.get(key);
+  if (hit && hit.expires > Date.now()) return hit.id;
+  const id = await resolveLabelId(linear, name, teamId);
+  labelCache.set(key, { id, expires: Date.now() + (id ? ttlMs : Math.min(ttlMs, MISS_TTL_MS)) });
+  return id;
+}
 async function resolveLabelId(linear, name, teamId) {
   try {
     const { nodes } = await linear.issueLabels({ filter: { name: { eqIgnoreCase: name } }, first: 50 });
@@ -88,32 +105,51 @@ async function uploadScreenshot(linear, dataUrl) {
   return upload.uploadFile.assetUrl;
 }
 
-// src/server/next.ts
-var BAD_REQUEST = /* @__PURE__ */ new Set(["note_required", "note_too_long", "bad_type", "not_configured"]);
-function json(body, status) {
-  return new Response(JSON.stringify(body), { status, headers: { "content-type": "application/json" } });
+// src/server/web.ts
+var BAD_REQUEST = /* @__PURE__ */ new Set(["note_required", "note_too_long", "bad_type", "bad_json", "not_configured"]);
+function json(body, status, headers = {}) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "content-type": "application/json", ...headers }
+  });
 }
-function createNextRoute(config) {
-  return async function POST(req) {
-    if (config.authorize && !await config.authorize(req)) return json({ error: "unauthorized" }, 404);
-    if (config.allowedOrigin) {
-      const origin = req.headers.get("origin") ?? "";
-      if (origin && origin !== config.allowedOrigin) return json({ error: "forbidden_origin" }, 403);
-    }
+function corsHeaders(req, allowed) {
+  const origin = req.headers.get("origin");
+  if (!origin || allowed.length === 0) return {};
+  if (!allowed.includes("*") && !allowed.includes(origin)) return {};
+  return {
+    "access-control-allow-origin": allowed.includes("*") ? "*" : origin,
+    vary: "Origin",
+    "access-control-allow-methods": "POST, OPTIONS",
+    "access-control-allow-headers": "content-type, x-feedback-token",
+    "access-control-max-age": "86400"
+  };
+}
+function createWebHandler(config) {
+  const allowed = config.allowedOrigins ?? (config.allowedOrigin ? [config.allowedOrigin] : []);
+  if (!config.apiKey || !config.teamId)
+    console.warn("[feedback] LINEAR apiKey/teamId missing \u2014 submissions will fail with 500 not_configured");
+  return async function handler(req) {
+    const cors = corsHeaders(req, allowed);
+    const origin = req.headers.get("origin");
+    if (origin && allowed.length > 0 && !allowed.includes("*") && !allowed.includes(origin))
+      return json({ error: "forbidden_origin" }, 403);
+    if (req.method === "OPTIONS") return new Response(null, { status: 204, headers: cors });
+    if (config.authorize && !await config.authorize(req)) return json({ error: "unauthorized" }, 404, cors);
     let payload;
     try {
       payload = await req.json();
     } catch {
-      return json({ error: "bad_json" }, 400);
+      return json({ error: "bad_json" }, 400, cors);
     }
     try {
       const issue = await createFeedbackIssue(payload, config);
-      return json({ ok: true, ...issue }, 200);
+      return json({ ok: true, ...issue }, 200, cors);
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
-      if (BAD_REQUEST.has(message)) return json({ error: message }, message === "not_configured" ? 500 : 400);
+      if (BAD_REQUEST.has(message)) return json({ error: message }, message === "not_configured" ? 500 : 400, cors);
       console.error("[feedback] issue create failed", err);
-      return json({ error: "issue_create_failed", message }, 502);
+      return json({ error: "issue_create_failed", message }, 502, cors);
     }
   };
 }
@@ -124,43 +160,50 @@ function cookieGate(name, value = "1") {
     return cookie.split(";").map((c) => c.trim()).some((c) => c === `${name}=${value}`);
   };
 }
+function headerGate(value, headerName = "x-feedback-token") {
+  const wanted = headerName.toLowerCase();
+  return (req) => {
+    const { headers } = req;
+    const got = typeof headers.get === "function" ? headers.get(wanted) : headers[wanted];
+    return got === value;
+  };
+}
 
 // src/server/node.ts
-var BAD_REQUEST2 = /* @__PURE__ */ new Set(["note_required", "note_too_long", "bad_type", "bad_json", "not_configured"]);
-function send(res, status, body) {
-  res.statusCode = status;
-  res.setHeader("content-type", "application/json");
-  res.end(JSON.stringify(body));
-}
-async function readJson(req) {
-  const chunks = [];
-  for await (const chunk of req) chunks.push(Buffer.from(chunk));
-  const raw = Buffer.concat(chunks).toString("utf8");
-  if (!raw) throw new Error("bad_json");
-  try {
-    return JSON.parse(raw);
-  } catch {
-    throw new Error("bad_json");
-  }
-}
 function createNodeHandler(config) {
+  const originals = /* @__PURE__ */ new WeakMap();
+  const web = createWebHandler({
+    ...config,
+    authorize: config.authorize ? (request) => config.authorize(originals.get(request)) : void 0
+  });
   return async function handler(req, res) {
-    try {
-      if (config.authorize && !await config.authorize(req)) return send(res, 404, { error: "unauthorized" });
-      if (config.allowedOrigin) {
-        const origin = req.headers.origin ?? "";
-        if (origin && origin !== config.allowedOrigin) return send(res, 403, { error: "forbidden_origin" });
-      }
-      const payload = req.body ?? await readJson(req);
-      const issue = await createFeedbackIssue(payload, config);
-      send(res, 200, { ok: true, ...issue });
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      if (BAD_REQUEST2.has(message)) return send(res, message === "not_configured" ? 500 : 400, { error: message });
-      console.error("[feedback] issue create failed", err);
-      send(res, 502, { error: "issue_create_failed", message });
-    }
+    const request = await toWebRequest(req);
+    originals.set(request, req);
+    const response = await web(request);
+    res.statusCode = response.status;
+    response.headers.forEach((value, key) => res.setHeader(key, value));
+    res.end(await response.text());
   };
 }
+async function toWebRequest(req) {
+  const url = `http://${req.headers.host ?? "localhost"}${req.url ?? "/"}`;
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (value == null) continue;
+    headers.set(key, Array.isArray(value) ? value.join(", ") : value);
+  }
+  const method = req.method ?? "POST";
+  let body;
+  if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+    if (req.body !== void 0) {
+      body = typeof req.body === "string" ? req.body : JSON.stringify(req.body);
+    } else {
+      const chunks = [];
+      for await (const chunk of req) chunks.push(Buffer.from(chunk));
+      body = Buffer.concat(chunks).toString("utf8");
+    }
+  }
+  return new Request(url, { method, headers, body });
+}
 
-export { cookieGate, createFeedbackIssue, createNextRoute, createNodeHandler };
+export { cookieGate, createFeedbackIssue, createWebHandler as createNextRoute, createNodeHandler, createWebHandler, headerGate };

package/dist/vite/index.cjs

@@ -4,6 +4,12 @@ var sdk = require('@linear/sdk');
 
 // src/server/core.ts
 var MAX_NOTE = 5e3;
+var DEFAULT_LABEL_TTL_MS = 10 * 60 * 1e3;
+var MISS_TTL_MS = 60 * 1e3;
+var labelCache = /* @__PURE__ */ new Map();
+function labelCacheKey(teamId, name) {
+  return `${teamId}:${name.toLowerCase()}`;
+}
 async function createFeedbackIssue(payload, config) {
   const { apiKey, teamId } = config;
   if (!apiKey || !teamId) throw new Error("not_configured");
@@ -36,7 +42,8 @@ async function createFeedbackIssue(payload, config) {
   ].filter(Boolean).join("\n");
   const title = `${typeLabel}: ${note.slice(0, 60)}${note.length > 60 ? "\u2026" : ""}`;
   const labelName = config.labels?.[annotation.type] ?? annotation.type;
-  const labelId = labelName ? await resolveLabelId(linear, labelName, teamId) : null;
+  const ttl = config.labelCacheTtlMs ?? DEFAULT_LABEL_TTL_MS;
+  const labelId = labelName ? await resolveLabelIdCached(linear, labelName, teamId, ttl) : null;
   if (labelName && !labelId) console.warn(`[feedback] label "${labelName}" not found \u2014 creating issue without it`);
   const create = async (ids) => {
     const created = await linear.createIssue({ teamId, title, description, labelIds: ids.length ? ids : void 0 });
@@ -44,6 +51,7 @@ async function createFeedbackIssue(payload, config) {
   };
   const issue = await create(labelId ? [labelId] : []).catch((err) => {
     if (!labelId) throw err;
+    if (labelName) labelCache.delete(labelCacheKey(teamId, labelName));
     console.warn("[feedback] create failed with label, retrying without it", err);
     return create([]);
   });
@@ -52,6 +60,15 @@ async function createFeedbackIssue(payload, config) {
 function capitalize(s) {
   return s.charAt(0).toUpperCase() + s.slice(1);
 }
+async function resolveLabelIdCached(linear, name, teamId, ttlMs) {
+  if (ttlMs <= 0) return resolveLabelId(linear, name, teamId);
+  const key = labelCacheKey(teamId, name);
+  const hit = labelCache.get(key);
+  if (hit && hit.expires > Date.now()) return hit.id;
+  const id = await resolveLabelId(linear, name, teamId);
+  labelCache.set(key, { id, expires: Date.now() + (id ? ttlMs : Math.min(ttlMs, MISS_TTL_MS)) });
+  return id;
+}
 async function resolveLabelId(linear, name, teamId) {
   try {
     const { nodes } = await linear.issueLabels({ filter: { name: { eqIgnoreCase: name } }, first: 50 });
@@ -90,44 +107,92 @@ async function uploadScreenshot(linear, dataUrl) {
   return upload.uploadFile.assetUrl;
 }
 
-// src/server/node.ts
+// src/server/web.ts
 var BAD_REQUEST = /* @__PURE__ */ new Set(["note_required", "note_too_long", "bad_type", "bad_json", "not_configured"]);
-function send(res, status, body) {
-  res.statusCode = status;
-  res.setHeader("content-type", "application/json");
-  res.end(JSON.stringify(body));
+function json(body, status, headers = {}) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "content-type": "application/json", ...headers }
+  });
 }
-async function readJson(req) {
-  const chunks = [];
-  for await (const chunk of req) chunks.push(Buffer.from(chunk));
-  const raw = Buffer.concat(chunks).toString("utf8");
-  if (!raw) throw new Error("bad_json");
-  try {
-    return JSON.parse(raw);
-  } catch {
-    throw new Error("bad_json");
-  }
+function corsHeaders(req, allowed) {
+  const origin = req.headers.get("origin");
+  if (!origin || allowed.length === 0) return {};
+  if (!allowed.includes("*") && !allowed.includes(origin)) return {};
+  return {
+    "access-control-allow-origin": allowed.includes("*") ? "*" : origin,
+    vary: "Origin",
+    "access-control-allow-methods": "POST, OPTIONS",
+    "access-control-allow-headers": "content-type, x-feedback-token",
+    "access-control-max-age": "86400"
+  };
 }
-function createNodeHandler(config) {
-  return async function handler(req, res) {
+function createWebHandler(config) {
+  const allowed = config.allowedOrigins ?? (config.allowedOrigin ? [config.allowedOrigin] : []);
+  if (!config.apiKey || !config.teamId)
+    console.warn("[feedback] LINEAR apiKey/teamId missing \u2014 submissions will fail with 500 not_configured");
+  return async function handler(req) {
+    const cors = corsHeaders(req, allowed);
+    const origin = req.headers.get("origin");
+    if (origin && allowed.length > 0 && !allowed.includes("*") && !allowed.includes(origin))
+      return json({ error: "forbidden_origin" }, 403);
+    if (req.method === "OPTIONS") return new Response(null, { status: 204, headers: cors });
+    if (config.authorize && !await config.authorize(req)) return json({ error: "unauthorized" }, 404, cors);
+    let payload;
+    try {
+      payload = await req.json();
+    } catch {
+      return json({ error: "bad_json" }, 400, cors);
+    }
     try {
-      if (config.authorize && !await config.authorize(req)) return send(res, 404, { error: "unauthorized" });
-      if (config.allowedOrigin) {
-        const origin = req.headers.origin ?? "";
-        if (origin && origin !== config.allowedOrigin) return send(res, 403, { error: "forbidden_origin" });
-      }
-      const payload = req.body ?? await readJson(req);
       const issue = await createFeedbackIssue(payload, config);
-      send(res, 200, { ok: true, ...issue });
+      return json({ ok: true, ...issue }, 200, cors);
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
-      if (BAD_REQUEST.has(message)) return send(res, message === "not_configured" ? 500 : 400, { error: message });
+      if (BAD_REQUEST.has(message)) return json({ error: message }, message === "not_configured" ? 500 : 400, cors);
       console.error("[feedback] issue create failed", err);
-      send(res, 502, { error: "issue_create_failed", message });
+      return json({ error: "issue_create_failed", message }, 502, cors);
     }
   };
 }
 
+// src/server/node.ts
+function createNodeHandler(config) {
+  const originals = /* @__PURE__ */ new WeakMap();
+  const web = createWebHandler({
+    ...config,
+    authorize: config.authorize ? (request) => config.authorize(originals.get(request)) : void 0
+  });
+  return async function handler(req, res) {
+    const request = await toWebRequest(req);
+    originals.set(request, req);
+    const response = await web(request);
+    res.statusCode = response.status;
+    response.headers.forEach((value, key) => res.setHeader(key, value));
+    res.end(await response.text());
+  };
+}
+async function toWebRequest(req) {
+  const url = `http://${req.headers.host ?? "localhost"}${req.url ?? "/"}`;
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (value == null) continue;
+    headers.set(key, Array.isArray(value) ? value.join(", ") : value);
+  }
+  const method = req.method ?? "POST";
+  let body;
+  if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+    if (req.body !== void 0) {
+      body = typeof req.body === "string" ? req.body : JSON.stringify(req.body);
+    } else {
+      const chunks = [];
+      for await (const chunk of req) chunks.push(Buffer.from(chunk));
+      body = Buffer.concat(chunks).toString("utf8");
+    }
+  }
+  return new Request(url, { method, headers, body });
+}
+
 // src/vite/index.ts
 function linearFeedback(config) {
   const endpoint = config.endpoint ?? "/api/feedback";
@@ -137,7 +202,7 @@ function linearFeedback(config) {
     apply: "serve",
     configureServer(server) {
       server.middlewares.use(endpoint, (req, res, next) => {
-        if (req.method !== "POST") return next();
+        if (req.method !== "POST" && req.method !== "OPTIONS") return next();
         handler(req, res).catch(next);
       });
     }

package/dist/vite/index.d.cts

@@ -11,10 +11,28 @@ type FeedbackServerConfig = {
      * "bug" looks for a label named "bug". Labels are resolved by name at request time.
      */
     labels?: Record<string, string>;
+    /**
+     * How long resolved label name→ID lookups are cached (module scope, so warm serverless
+     * invocations reuse them). Default 10 minutes; 0 disables caching.
+     */
+    labelCacheTtlMs?: number;
 };
 
-type NodeHandlerConfig = FeedbackServerConfig & {
+type WebHandlerConfig = FeedbackServerConfig & {
+    /**
+     * Origins allowed to call this endpoint cross-origin (exact origins, or "*"). Enables
+     * CORS (preflight + response headers) — required when the widget is embedded via the
+     * script tag on a different domain than the handler.
+     */
+    allowedOrigins?: string[];
+    /** @deprecated Use `allowedOrigins`. Restrict to a single site origin. */
     allowedOrigin?: string;
+    /** Return false to reject the request (e.g. a cookie/session/token check). */
+    authorize?: (req: Request) => boolean | Promise<boolean>;
+};
+
+type NodeHandlerConfig = Omit<WebHandlerConfig, "authorize"> & {
+    /** Return false to reject the request. Receives the original Node `IncomingMessage`. */
     authorize?: (req: IncomingMessage) => boolean | Promise<boolean>;
 };
 

package/dist/vite/index.d.ts

@@ -11,10 +11,28 @@ type FeedbackServerConfig = {
      * "bug" looks for a label named "bug". Labels are resolved by name at request time.
      */
     labels?: Record<string, string>;
+    /**
+     * How long resolved label name→ID lookups are cached (module scope, so warm serverless
+     * invocations reuse them). Default 10 minutes; 0 disables caching.
+     */
+    labelCacheTtlMs?: number;
 };
 
-type NodeHandlerConfig = FeedbackServerConfig & {
+type WebHandlerConfig = FeedbackServerConfig & {
+    /**
+     * Origins allowed to call this endpoint cross-origin (exact origins, or "*"). Enables
+     * CORS (preflight + response headers) — required when the widget is embedded via the
+     * script tag on a different domain than the handler.
+     */
+    allowedOrigins?: string[];
+    /** @deprecated Use `allowedOrigins`. Restrict to a single site origin. */
     allowedOrigin?: string;
+    /** Return false to reject the request (e.g. a cookie/session/token check). */
+    authorize?: (req: Request) => boolean | Promise<boolean>;
+};
+
+type NodeHandlerConfig = Omit<WebHandlerConfig, "authorize"> & {
+    /** Return false to reject the request. Receives the original Node `IncomingMessage`. */
     authorize?: (req: IncomingMessage) => boolean | Promise<boolean>;
 };