veryfront 0.0.82 → 0.0.84

package/src/proxy/logger.ts

@@ -0,0 +1,329 @@
+// Inline cross-runtime getEnv to avoid dependency on src/platform/compat (not copied in Docker)
+import * as dntShim from "../_dnt.shims.js";
+
+function getEnv(key: string): string | undefined {
+  // Deno
+  if (typeof dntShim.Deno !== "undefined" && dntShim.Deno.env?.get) {
+    return dntShim.Deno.env.get(key);
+  }
+  // Node.js / Bun
+  const nodeProcess = (dntShim.dntGlobalThis as { process?: { env?: Record<string, string> } }).process;
+  return nodeProcess?.env?.[key];
+}
+import { getTraceContext } from "./tracing.js";
+
+export type LogLevel = "debug" | "info" | "warn" | "error";
+
+// Log level configuration
+const MIN_LOG_LEVEL: LogLevel = ((): LogLevel => {
+  const level = getEnv("LOG_LEVEL")?.toLowerCase();
+  if (level === "debug" || level === "info" || level === "warn" || level === "error") {
+    return level;
+  }
+  return "info"; // Default: suppress debug logs
+})();
+
+const TAG_WIDTH = 10;
+
+const LEVEL_GLYPHS: Record<LogLevel, string> = {
+  debug: "·",
+  info: "●",
+  warn: "▲",
+  error: "✖",
+};
+
+const ANSI = {
+  reset: "\u001b[0m",
+  dim: "\u001b[2m",
+  gray: "\u001b[90m",
+  red: "\u001b[31m",
+  green: "\u001b[32m",
+  yellow: "\u001b[33m",
+  cyan: "\u001b[36m",
+};
+
+const LEVEL_COLORS: Record<LogLevel, string> = {
+  debug: ANSI.gray,
+  info: ANSI.green,
+  warn: ANSI.yellow,
+  error: ANSI.red,
+};
+
+function padTag(tag: string): string {
+  if (tag.length >= TAG_WIDTH) return tag.slice(0, TAG_WIDTH);
+  return tag.padEnd(TAG_WIDTH, " ");
+}
+
+function formatTimestamp(date: Date = new Date()): string {
+  const pad = (value: number) => String(value).padStart(2, "0");
+  return `${pad(date.getHours())}:${pad(date.getMinutes())}:${pad(date.getSeconds())}`;
+}
+
+function isTty(): boolean {
+  try {
+    if (typeof dntShim.Deno !== "undefined" && typeof dntShim.Deno.stdout?.isTerminal === "function") {
+      return dntShim.Deno.stdout.isTerminal();
+    }
+  } catch {
+    // ignore
+  }
+
+  const stdout = (dntShim.dntGlobalThis as { process?: { stdout?: { isTTY?: boolean } } }).process?.stdout;
+  return stdout?.isTTY ?? false;
+}
+
+function shouldUseColor(): boolean {
+  const noColor = getEnv("NO_COLOR");
+  const forceColor = getEnv("FORCE_COLOR");
+  const logColor = getEnv("LOG_COLOR");
+  if (forceColor === "0" || logColor === "0") return false;
+  if (noColor !== undefined) return false;
+  if (getEnv("CI") !== undefined) return false;
+  if (forceColor || logColor === "1" || logColor === "true") return true;
+  return isTty();
+}
+
+function colorize(text: string, color: string | undefined, enable: boolean): string {
+  if (!enable || !color) return text;
+  return `${color}${text}${ANSI.reset}`;
+}
+
+function normalizeText(value: string): string {
+  return value.replace(/\s+/g, " ");
+}
+
+function truncateText(value: string, maxLength = 80): string {
+  if (value.length <= maxLength) return value;
+  return `${value.slice(0, maxLength - 1)}…`;
+}
+
+function formatValue(value: unknown): string {
+  if (typeof value === "string") {
+    const trimmed = normalizeText(value);
+    if (/\s/.test(trimmed)) return JSON.stringify(trimmed);
+    return trimmed;
+  }
+  if (typeof value === "number" || typeof value === "boolean") return String(value);
+  if (value === null) return "null";
+  if (value === undefined) return "undefined";
+  let text = "";
+  try {
+    text = JSON.stringify(value) ?? String(value);
+  } catch {
+    text = String(value);
+  }
+  return truncateText(normalizeText(text));
+}
+
+function formatErrorText(error: LogEntry["error"]): string {
+  if (!error) return "";
+  const text = `${error.name}: ${error.message}`;
+  return truncateText(normalizeText(text), 120);
+}
+
+// Prefix width: timestamp(8) + gap(2) + tag(10) + space(1) + glyph(1) + space(1) = 23
+const PREFIX_WIDTH = 23;
+
+function formatContextText(
+  context: Record<string, unknown>,
+  error: LogEntry["error"] | undefined,
+  enableColor: boolean,
+): string {
+  const entries = Object.entries(context).map(([key, value]) => `${key}=${formatValue(value)}`);
+  if (error) {
+    entries.push(`err=${formatErrorText(error)}`);
+  }
+  if (entries.length === 0) return "";
+  const text = entries.join(" ");
+  // Put context on new line, indented to align with message
+  const indent = " ".repeat(PREFIX_WIDTH);
+  return `\n${indent}${colorize(text, ANSI.dim, enableColor)}`;
+}
+
+function formatTextLine(
+  level: LogLevel,
+  message: string,
+  context: Record<string, unknown> | undefined,
+  error: LogEntry["error"] | undefined,
+): string {
+  const enableColor = shouldUseColor();
+  const timestamp = colorize(formatTimestamp(), ANSI.dim, enableColor);
+  const tag = colorize(padTag("PROXY"), ANSI.cyan, enableColor);
+  const glyph = colorize(LEVEL_GLYPHS[level], LEVEL_COLORS[level], enableColor);
+  const contextText = formatContextText(context ?? {}, error, enableColor);
+  return `${timestamp}  ${tag} ${glyph} ${message}${contextText}`;
+}
+
+interface LogEntry {
+  timestamp: string;
+  level: LogLevel;
+  service: string;
+  message: string;
+  traceId?: string;
+  spanId?: string;
+  context?: Record<string, unknown>;
+  error?: {
+    name: string;
+    message: string;
+    stack?: string;
+  };
+}
+
+function isProduction(): boolean {
+  return getEnv("NODE_ENV") === "production";
+}
+
+function getLogFormat(): "json" | "text" {
+  const format = getEnv("LOG_FORMAT");
+  if (format === "json" || format === "text") return format;
+  return isProduction() ? "json" : "text";
+}
+
+const LOG_LEVEL_ORDER: Record<LogLevel, number> = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+};
+
+function serializeError(err: unknown): LogEntry["error"] | undefined {
+  if (err instanceof Error) {
+    return { name: err.name, message: err.message, stack: err.stack };
+  }
+  if (err !== undefined && err !== null) {
+    return { name: "UnknownError", message: String(err) };
+  }
+  return undefined;
+}
+
+class ProxyLogger {
+  private format = getLogFormat();
+
+  private log(
+    level: LogLevel,
+    message: string,
+    context?: Record<string, unknown>,
+    error?: unknown,
+  ): void {
+    // Filter by minimum log level
+    if (LOG_LEVEL_ORDER[level] < LOG_LEVEL_ORDER[MIN_LOG_LEVEL]) {
+      return;
+    }
+    if (this.format === "json") {
+      const traceCtx = getTraceContext();
+      const entry: LogEntry = {
+        timestamp: new Date().toISOString(),
+        level,
+        service: "proxy",
+        message,
+        ...(traceCtx.traceId && { traceId: traceCtx.traceId, spanId: traceCtx.spanId }),
+      };
+      if (context && Object.keys(context).length > 0) {
+        entry.context = context;
+      }
+      const serializedError = serializeError(error);
+      if (serializedError) {
+        entry.error = serializedError;
+      }
+      console.log(JSON.stringify(entry));
+    } else {
+      const serializedError = serializeError(error);
+      console.log(formatTextLine(level, message, context, serializedError));
+    }
+  }
+
+  debug(message: string, context?: Record<string, unknown>): void {
+    this.log("debug", message, context);
+  }
+
+  info(message: string, context?: Record<string, unknown>): void {
+    this.log("info", message, context);
+  }
+
+  warn(message: string, context?: Record<string, unknown>): void {
+    this.log("warn", message, context);
+  }
+
+  error(message: string, error?: unknown): void;
+  error(
+    message: string,
+    context: Record<string, unknown>,
+    error?: unknown,
+  ): void;
+  error(
+    message: string,
+    contextOrError?: Record<string, unknown> | unknown,
+    error?: unknown,
+  ): void {
+    if (contextOrError instanceof Error || error !== undefined) {
+      const ctx = contextOrError instanceof Error
+        ? undefined
+        : contextOrError as Record<string, unknown>;
+      const err = contextOrError instanceof Error ? contextOrError : error;
+      this.log("error", message, ctx, err);
+    } else {
+      this.log("error", message, contextOrError as Record<string, unknown>);
+    }
+  }
+
+  /**
+   * Create a child logger with bound context.
+   */
+  child(context: Record<string, unknown>): ChildProxyLogger {
+    return new ChildProxyLogger(this, context);
+  }
+}
+
+class ChildProxyLogger {
+  constructor(
+    private parent: ProxyLogger,
+    private boundContext: Record<string, unknown>,
+  ) {}
+
+  private merge(ctx?: Record<string, unknown>): Record<string, unknown> {
+    return { ...this.boundContext, ...ctx };
+  }
+
+  debug(message: string, context?: Record<string, unknown>): void {
+    this.parent.debug(message, this.merge(context));
+  }
+
+  info(message: string, context?: Record<string, unknown>): void {
+    this.parent.info(message, this.merge(context));
+  }
+
+  warn(message: string, context?: Record<string, unknown>): void {
+    this.parent.warn(message, this.merge(context));
+  }
+
+  error(message: string, error?: unknown): void;
+  error(
+    message: string,
+    context: Record<string, unknown>,
+    error?: unknown,
+  ): void;
+  error(
+    message: string,
+    contextOrError?: Record<string, unknown> | unknown,
+    error?: unknown,
+  ): void {
+    if (contextOrError instanceof Error || error !== undefined) {
+      const ctx = contextOrError instanceof Error
+        ? this.boundContext
+        : this.merge(contextOrError as Record<string, unknown>);
+      const err = contextOrError instanceof Error ? contextOrError : error;
+      this.parent.error(message, ctx, err);
+    } else {
+      this.parent.error(
+        message,
+        this.merge(contextOrError as Record<string, unknown>),
+      );
+    }
+  }
+
+  child(context: Record<string, unknown>): ChildProxyLogger {
+    return new ChildProxyLogger(this.parent, this.merge(context));
+  }
+}
+
+export const proxyLogger = new ProxyLogger();

package/src/proxy/oauth-client.ts

@@ -0,0 +1,91 @@
+/**
+ * OAuth Client for Veryfront API - client credentials flow.
+ */
+import * as dntShim from "../_dnt.shims.js";
+
+
+import { injectContext, ProxySpanNames, withSpan } from "./tracing.js";
+
+const DEFAULT_TIMEOUT_MS = 10000;
+
+export interface TokenResponse {
+  access_token: string;
+  token_type: "Bearer";
+  expires_in?: number;
+}
+
+export interface OAuthTokenConfig {
+  apiBaseUrl: string;
+  clientId: string;
+  clientSecret: string;
+  projectSlug?: string;
+  customDomain?: string;
+  timeoutMs?: number;
+}
+
+export async function fetchOAuthToken(
+  config: OAuthTokenConfig,
+): Promise<TokenResponse> {
+  return await withSpan(
+    ProxySpanNames.OAUTH_TOKEN_REQUEST,
+    async () => {
+      const url = `${config.apiBaseUrl}/auth/token`;
+      const urlObj = new URL(url);
+      const controller = new AbortController();
+      const timeoutId = dntShim.setTimeout(
+        () => controller.abort(),
+        config.timeoutMs ?? DEFAULT_TIMEOUT_MS,
+      );
+
+      try {
+        const headers = new dntShim.Headers({ "Content-Type": "application/json" });
+        injectContext(headers);
+
+        const response = await withSpan(
+          ProxySpanNames.HTTP_CLIENT_FETCH,
+          () =>
+            dntShim.fetch(url, {
+              method: "POST",
+              headers,
+              body: JSON.stringify({
+                grant_type: "client_credentials",
+                client_id: config.clientId,
+                client_secret: config.clientSecret,
+                ...(config.projectSlug && { project_slug: config.projectSlug }),
+                ...(config.customDomain && { custom_domain: config.customDomain }),
+              }),
+              signal: controller.signal,
+            }),
+          {
+            "http.method": "POST",
+            "http.url": url,
+            "http.host": urlObj.host,
+            "oauth.grant_type": "client_credentials",
+          },
+        );
+
+        if (!response.ok) {
+          const errorText = await response.text().catch(() => "Unknown error");
+          throw new Error(
+            `OAuth token request failed: ${response.status} - ${errorText}`,
+          );
+        }
+
+        return response.json();
+      } catch (error) {
+        if (error instanceof Error && error.name === "AbortError") {
+          throw new Error(
+            `OAuth token request timed out after ${config.timeoutMs ?? DEFAULT_TIMEOUT_MS}ms`,
+          );
+        }
+        throw error;
+      } finally {
+        clearTimeout(timeoutId);
+      }
+    },
+    {
+      "oauth.project_slug": config.projectSlug || "",
+      "oauth.custom_domain": config.customDomain || "",
+    },
+  );
+}

package/src/proxy/token-manager.ts

@@ -0,0 +1,174 @@
+/**
+ * Token Manager for OAuth Token Caching
+ *
+ * Manages OAuth tokens with automatic refresh before expiry.
+ * Caches tokens per scope (preview/production) and project.
+ * Supports pluggable cache backends (memory, Redis).
+ */
+
+import { fetchOAuthToken, type TokenResponse } from "./oauth-client.js";
+import type { TokenCache, TokenCacheEntry } from "./cache/types.js";
+import { MemoryCache } from "./cache/memory-cache.js";
+import { ProxySpanNames, withSpan } from "./tracing.js";
+
+export type TokenScope = "preview" | "production";
+
+export interface OAuthConfig {
+  apiBaseUrl: string;
+  clientId: string;
+  clientSecret: string;
+  previewClientId: string;
+  previewClientSecret: string;
+}
+
+export interface TokenManagerOptions {
+  cache?: TokenCache;
+  refreshBuffer?: number; // ms before expiry to trigger refresh
+}
+
+export class TokenManager {
+  private cache: TokenCache;
+  private pendingRequests = new Map<string, Promise<string>>();
+  private refreshBuffer: number;
+
+  constructor(
+    private config: OAuthConfig,
+    options: TokenManagerOptions = {},
+  ) {
+    this.cache = options.cache ?? new MemoryCache();
+    this.refreshBuffer = options.refreshBuffer ?? 2 * 60 * 1000; // 2 minutes before expiry
+  }
+
+  /**
+   * Get a valid token for the given scope and project.
+   * Returns cached token if valid, otherwise fetches a new one.
+   * Can use either projectSlug or customDomain to identify the project.
+   */
+  async getToken(
+    scope: TokenScope,
+    projectSlug?: string,
+    customDomain?: string,
+  ): Promise<string> {
+    return await withSpan(
+      ProxySpanNames.PROXY_TOKEN_FETCH,
+      async () => {
+        const cacheKey = this.getCacheKey(scope, projectSlug || customDomain);
+        const cached = await this.cache.get(cacheKey);
+
+        if (cached && this.isTokenValid(cached)) {
+          return cached.token;
+        }
+
+        // Prevent duplicate concurrent requests for the same token
+        const pending = this.pendingRequests.get(cacheKey);
+        if (pending) {
+          return pending;
+        }
+
+        const tokenPromise = this.fetchAndCacheToken(scope, projectSlug, customDomain);
+        this.pendingRequests.set(cacheKey, tokenPromise);
+
+        try {
+          return await tokenPromise;
+        } finally {
+          this.pendingRequests.delete(cacheKey);
+        }
+      },
+      {
+        "proxy.token_scope": scope,
+        "proxy.project_slug": projectSlug || "",
+        "proxy.custom_domain": customDomain || "",
+        "proxy.cache_key": this.getCacheKey(scope, projectSlug || customDomain),
+      },
+    );
+  }
+
+  /**
+   * Invalidate a cached token, forcing refresh on next request.
+   */
+  async invalidateToken(scope: TokenScope, projectSlug?: string): Promise<void> {
+    const cacheKey = this.getCacheKey(scope, projectSlug);
+    await this.cache.delete(cacheKey);
+  }
+
+  /**
+   * Clear all cached tokens.
+   */
+  async clearCache(): Promise<void> {
+    await this.cache.clear();
+  }
+
+  /**
+   * Get cache statistics.
+   */
+  async getStats(): Promise<{ hits: number; misses: number; size: number; type: string }> {
+    return await this.cache.stats();
+  }
+
+  /**
+   * Close the cache connection (for Redis cleanup).
+   */
+  async close(): Promise<void> {
+    await this.cache.close();
+  }
+
+  private getCacheKey(scope: TokenScope, projectSlug?: string): string {
+    return `${scope}:${projectSlug || "global"}`;
+  }
+
+  private isTokenValid(cached: TokenCacheEntry): boolean {
+    return Date.now() + this.refreshBuffer < cached.expiresAt;
+  }
+
+  private async fetchAndCacheToken(
+    scope: TokenScope,
+    projectSlug?: string,
+    customDomain?: string,
+  ): Promise<string> {
+    const clientId = scope === "preview" ? this.config.previewClientId : this.config.clientId;
+    const clientSecret = scope === "preview"
+      ? this.config.previewClientSecret
+      : this.config.clientSecret;
+
+    const response = await fetchOAuthToken({
+      apiBaseUrl: this.config.apiBaseUrl,
+      clientId,
+      clientSecret,
+      projectSlug,
+      customDomain,
+    });
+
+    const expiresAt = this.calculateExpiresAt(response);
+
+    await this.cache.set(this.getCacheKey(scope, projectSlug || customDomain), {
+      token: response.access_token,
+      expiresAt,
+      scope,
+      projectSlug: projectSlug || customDomain,
+    });
+
+    return response.access_token;
+  }
+
+  private calculateExpiresAt(response: TokenResponse): number {
+    if (response.expires_in) {
+      return Date.now() + response.expires_in * 1000;
+    }
+
+    // Try to decode JWT and get exp claim
+    try {
+      const [, payload] = response.access_token.split(".");
+      if (payload) {
+        const decoded = JSON.parse(atob(payload));
+        if (decoded.exp) {
+          return decoded.exp * 1000;
+        }
+      }
+    } catch {
+      // Fall through to default
+    }
+
+    // Default to 1 hour
+    return Date.now() + 3600 * 1000;
+  }
+}