s3broker 0.0.1 → 0.4.3

Files changed (3) hide show
  1. package/README.md +87 -0
  2. package/package.json +8 -4
  3. package/src/index.ts +3 -11
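--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,87 @@
+ # S3Broker
+
+ [![npm version](https://img.shields.io/npm/v/s3broker.svg)](https://www.npmjs.com/package/s3broker)
+ [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+ A Cloudflare Workers library for building S3 proxies with guardrails.
+
+ This is a work in progress. More guardrails and features would be added soon.
+
+ ## Overview
+
+ S3Broker is a TypeScript library for building proxies and guardrails for S3-compatible storage. The library is intended to be used on Cloudflare Workers.
+
+ When you have an S3 secret key with read/write access, any client using that key can perform destructive operations. Your data is vulnerable to:
+
+ - **Accidental deletion** by users or misconfigured tools
+ - **Ransomware attacks** that encrypt or delete your files
+
+ S3Broker acts as a protective layer between your clients and the upstream S3 endpoint. Instead of giving clients direct access to your upstream key (Key B), you give them a different key (Key A). S3Broker validates every request against configurable guardrails and blocks dangerous operations before they reach your storage.
+
+ ```
+ ========== ============ ============
+ ||Client|| -- Key A --> ||S3Broker|| -- Key B --> ||Upstream||
+ ========== ============ ============
+ ```
+
+ ## Installation
+
+ ```bash
+ npm install s3broker
+ ```
+
+ ## Quick Start
+
+ ```typescript
+ import { handle } from 's3broker';
+
+ export default {
+ async fetch(request, env, ctx) {
+ return handle(request, {
+ s3Endpoint: env.S3_ENDPOINT,
+ clientAccessKeyId: env.CLIENT_ACCESS_KEY_ID,
+ clientSecretAccessKey: env.CLIENT_SECRET_ACCESS_KEY,
+ upstreamAccessKeyId: env.UPSTREAM_ACCESS_KEY_ID,
+ upstreamSecretAccessKey: env.UPSTREAM_SECRET_ACCESS_KEY,
+ });
+ },
+ };
+ ```
+
+ ## With Custom Guardrails
+
+ ```typescript
+ import { handle } from 's3broker';
+
+ export default {
+ async fetch(request, env, ctx) {
+ return handle(request, {
+ s3Endpoint: env.S3_ENDPOINT,
+ clientAccessKeyId: env.CLIENT_ACCESS_KEY_ID,
+ clientSecretAccessKey: env.CLIENT_SECRET_ACCESS_KEY,
+ upstreamAccessKeyId: env.UPSTREAM_ACCESS_KEY_ID,
+ upstreamSecretAccessKey: env.UPSTREAM_SECRET_ACCESS_KEY,
+ guardrailConfig: {
+ noDeleteOld: [
+ {
+ pattern: '/protected/.*',
+ config: { noDeleteBeforeSeconds: 3600 }, // Files older than 1h in /protected/ could not be deleted
+ },
+ ],
+ },
+ });
+ },
+ };
+ ```
+
+ ## Limitations
+
+ - **`STREAMING-AWS4-HMAC-SHA256-PAYLOAD`** payload signing method is not supported.
+
+ ## Documentation
+
+ For full documentation, see the [GitHub repository](https://github.com/tsunrise/s3broker).
+
+ ## License
+
+ MIT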
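--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "s3broker",
- "version": "0.0.1",
+ "version": "0.4.3",
  "description": "S3 proxy library with SigV4 verification and configurable guardrails policies",
  "main": "src/index.ts",
  "types": "src/index.ts",
@@ -21,8 +21,12 @@
  "zod": "^4.2.1"
  },
  "devDependencies": {
- "@cloudflare/workers-types": "^4.20241230.0",
- "typescript": "^5.5.2"
+ "typescript": "^5.5.2",
+ "@cloudflare/workers-types": "^4.1.1"
  },
- "author": "Tom Shen"
+ "author": "Tom Shen",
+ "repository": {
+ "type": "git",
+ "url": "https://github.com/tsunrise/s3broker"
+ }
  }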
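Review bot: The `@cloudflare/workers-types` range in `devDependencies` drops from `^4.20241230.0` to `^4.1.1`, which widens the accepted set to much older releases of the types package instead of narrowing it. Because `main` and `types` both point at `src/index.ts`, the source is type-checked against whichever types version is resolved, and the new range no longer records the version this release was presumably built against. If the lower floor is not intentional, keep the previous entry, `"@cloudflare/workers-types": "^4.20241230.0"`, or pin the version actually used for testing.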
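--- a/package/src/index.ts
+++ b/package/src/index.ts
@@ -1,14 +1,11 @@
  /**
- * S3Broker - S3 Proxy Library with SigV4 Verification and Guardrails
+ * S3Broker - S3 Proxy Library for Cloudflare Workers
  *
  * ========== =========== ============
  * ||Client|| -- Key A --> ||S3Broker|| -- Key B --> ||Upstream||
  * ========== =========== ============
  *
- * S3Broker is a library for building secure S3-compatible proxies. It can be used in:
- * - Cloudflare Workers
- * - Any other serverless platforms (Vercel, Netlify, etc.)
- * - Any JavaScript/TypeScript runtime with fetch API support
+ * S3Broker is a Cloudflare Workers library for building secure S3-compatible proxies.
  *
  * Features:
  * 1. Verifies incoming requests signed with Key A (client credentials)
@@ -97,7 +94,6 @@ export const defaultGuardrailConfig: GuardrailConfig = {
  * Handle an incoming S3 request with signature verification, guardrails, and proxying.
  *
  * @param request - The incoming HTTP request (must be a valid S3 API request)
- * @param _ctx - Execution context (unused, reserved for future use)
  * @param options - S3Broker configuration options including credentials and guardrails
  * @returns Response from the upstream S3 service, or an error response if validation fails
  *
@@ -114,11 +110,7 @@ export const defaultGuardrailConfig: GuardrailConfig = {
  * });
  * ```
  */
- export async function handle(
- request: Request<unknown, IncomingRequestCfProperties>,
- _ctx: ExecutionContext,
- options: S3BrokerOptions,
- ): Promise<Response> {
+ export async function handle(request: Request<unknown, IncomingRequestCfProperties>, options: S3BrokerOptions): Promise<Response> {
  const currentTimestamp = Date.now();
 
  // Verify the incoming request signature (Client Key)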
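Review bot: Dropping `_ctx` from `handle` moves `options` from the third to the second position, and nothing visible in this hunk checks `options` at runtime before signature verification begins. The package ships `src/index.ts` as `main`, so an untyped JavaScript caller still using the old `handle(request, ctx, options)` order would pass the execution context as `options`, leaving the client and upstream keys undefined. The body of `handle` continues past the hunk, so a check may already exist further down; if it does not, fail closed at the top of the function, e.g. `if (typeof options?.clientSecretAccessKey !== 'string' || options.clientSecretAccessKey === '') throw new TypeError('s3broker: invalid options');`, or parse `options` with the `zod` dependency already declared in package.json. The signature change is breaking and is worth stating in the release notes.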