webpeel 0.12.0 → 0.12.2

package/dist/server/job-queue.js

@@ -0,0 +1,144 @@
+/**
+ * Job queue for async operations
+ *
+ * Factory creates PostgreSQL-backed queue in production or in-memory queue for local dev.
+ * Tracks crawl, batch scrape, and extraction jobs with progress updates.
+ */
+import { randomUUID } from 'crypto';
+import { PostgresJobQueue } from './pg-job-queue.js';
+/**
+ * In-memory job queue for local development
+ */
+export class InMemoryJobQueue {
+    jobs = new Map();
+    cleanupInterval;
+    constructor() {
+        // Clean expired jobs every hour
+        this.cleanupInterval = setInterval(() => {
+            this.cleanExpired();
+        }, 60 * 60 * 1000);
+    }
+    /**
+     * Create a new job
+     */
+    createJob(type, webhook, ownerId) {
+        const now = new Date().toISOString();
+        const job = {
+            id: randomUUID(),
+            type,
+            status: 'queued',
+            progress: 0,
+            total: 0,
+            completed: 0,
+            creditsUsed: 0,
+            data: [],
+            webhook,
+            ownerId,
+            createdAt: now,
+            updatedAt: now,
+            expiresAt: new Date(Date.now() + 25 * 60 * 60 * 1000).toISOString(), // 25h from now (updated on completion)
+        };
+        this.jobs.set(job.id, job);
+        return job;
+    }
+    /**
+     * Get a job by ID
+     */
+    getJob(id) {
+        return this.jobs.get(id) || null;
+    }
+    /**
+     * Update a job
+     */
+    updateJob(id, update) {
+        const job = this.jobs.get(id);
+        if (!job)
+            return;
+        Object.assign(job, update, {
+            updatedAt: new Date().toISOString(),
+        });
+        // When job completes/fails, set expiration to 24h from now
+        if (update.status === 'completed' || update.status === 'failed') {
+            job.expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
+        }
+        // Update progress percentage
+        if (job.total > 0) {
+            job.progress = Math.round((job.completed / job.total) * 100);
+        }
+        this.jobs.set(id, job);
+    }
+    /**
+     * Cancel a job
+     */
+    cancelJob(id) {
+        const job = this.jobs.get(id);
+        if (!job)
+            return false;
+        // Can only cancel queued or processing jobs
+        if (job.status !== 'queued' && job.status !== 'processing') {
+            return false;
+        }
+        this.updateJob(id, {
+            status: 'cancelled',
+            expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
+        });
+        return true;
+    }
+    /**
+     * List jobs with optional filters
+     */
+    listJobs(options) {
+        let jobs = Array.from(this.jobs.values());
+        if (options?.ownerId) {
+            jobs = jobs.filter(j => j.ownerId === options.ownerId);
+        }
+        if (options?.type) {
+            jobs = jobs.filter(j => j.type === options.type);
+        }
+        if (options?.status) {
+            jobs = jobs.filter(j => j.status === options.status);
+        }
+        // Sort by creation time (newest first)
+        jobs.sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime());
+        if (options?.limit) {
+            jobs = jobs.slice(0, options.limit);
+        }
+        return jobs;
+    }
+    /**
+     * Remove expired jobs
+     */
+    cleanExpired() {
+        const now = Date.now();
+        for (const [id, job] of this.jobs.entries()) {
+            if (new Date(job.expiresAt).getTime() < now) {
+                this.jobs.delete(id);
+            }
+        }
+    }
+    /**
+     * Clean up interval on shutdown
+     */
+    destroy() {
+        clearInterval(this.cleanupInterval);
+    }
+}
+/**
+ * Create job queue based on environment
+ * - Uses PostgreSQL if DATABASE_URL is set
+ * - Falls back to in-memory for local development
+ */
+export function createJobQueue() {
+    if (process.env.DATABASE_URL) {
+        console.log('Using PostgreSQL job queue');
+        return new PostgresJobQueue();
+    }
+    else {
+        console.log('Using in-memory job queue');
+        return new InMemoryJobQueue();
+    }
+}
+// Legacy global instance for backwards compatibility (deprecated)
+// @deprecated Use createJobQueue() instead
+export const jobQueue = new InMemoryJobQueue();
+//# sourceMappingURL=job-queue.js.map

package/dist/server/job-queue.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"job-queue.js","sourceRoot":"","sources":["../../src/server/job-queue.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAsCrD;;GAEG;AACH,MAAM,OAAO,gBAAgB;IACnB,IAAI,GAAqB,IAAI,GAAG,EAAE,CAAC;IACnC,eAAe,CAAiB;IAExC;QACE,gCAAgC;QAChC,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE;YACtC,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,IAAiB,EAAE,OAAuB,EAAE,OAAgB;QACpE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,GAAG,GAAQ;YACf,EAAE,EAAE,UAAU,EAAE;YAChB,IAAI;YACJ,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,CAAC;YACX,KAAK,EAAE,CAAC;YACR,SAAS,EAAE,CAAC;YACZ,WAAW,EAAE,CAAC;YACd,IAAI,EAAE,EAAE;YACR,OAAO;YACP,OAAO;YACP,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE,uCAAuC;SAC7G,CAAC;QAEF,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAC3B,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,EAAU;QACf,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,EAAU,EAAE,MAAoB;QACxC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC9B,IAAI,CAAC,GAAG;YAAE,OAAO;QAEjB,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE;YACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC,CAAC;QAEH,2DAA2D;QAC3D,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YAChE,GAAG,CAAC,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC3E,CAAC;QAED,6BAA6B;QAC7B,IAAI,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAClB,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;QAC/D,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,EAAU;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC9B,IAAI,CAAC,GAAG;YAAE,OAAO,KAAK,CAAC;QAEvB,4CAA4C;QAC5C,IAAI,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;YAC3D,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE;YACjB,MAAM,EAAE,WAAW;YACnB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;SACpE,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,OAKR;QACC,IAAI,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAE1C,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;YACrB,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;YAClB,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;YACpB,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;QACvD,CAAC;QAED,uCAAuC;QACvC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;QAEvF,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;YACnB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,YAAY;QACV,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YAC5C,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC;gBAC5C,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,OAAO;QACL,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACtC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QAC1C,OAAO,IAAI,gBAAgB,EAAE,CAAC;IAChC,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACzC,OAAO,IAAI,gBAAgB,EAAE,CAAC;IAChC,CAAC;AACH,CAAC;AAED,kEAAkE;AAClE,2CAA2C;AAC3C,MAAM,CAAC,MAAM,QAAQ,GAAG,IAAI,gBAAgB,EAAE,CAAC"}

package/dist/server/middleware/auth.d.ts

@@ -0,0 +1,28 @@
+/**
+ * API key authentication middleware with SOFT LIMIT enforcement
+ *
+ * Philosophy: Never fully block users. When weekly limits are exceeded,
+ * degrade to HTTP-only mode instead of returning 429.
+ * BURST limits (hourly) are HARD limits and return 429.
+ *
+ * Dual auth: Accepts both API keys AND JWT session tokens.
+ * API keys are validated via the auth store; JWTs are verified with JWT_SECRET.
+ * Dashboard pages use JWT tokens; CLI/SDK users use API keys.
+ */
+import { Request, Response, NextFunction } from 'express';
+import { AuthStore, ApiKeyInfo } from '../auth-store.js';
+declare global {
+    namespace Express {
+        interface Request {
+            auth?: {
+                keyInfo: ApiKeyInfo | null;
+                tier: 'free' | 'starter' | 'pro' | 'enterprise' | 'max';
+                rateLimit: number;
+                softLimited: boolean;
+                extraUsageAvailable: boolean;
+            };
+        }
+    }
+}
+export declare function createAuthMiddleware(authStore: AuthStore): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/server/middleware/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/server/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE1D,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAGzD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE;gBACL,OAAO,EAAE,UAAU,GAAG,IAAI,CAAC;gBAC3B,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,KAAK,GAAG,YAAY,GAAG,KAAK,CAAC;gBACxD,SAAS,EAAE,MAAM,CAAC;gBAClB,WAAW,EAAE,OAAO,CAAC;gBACrB,mBAAmB,EAAE,OAAO,CAAC;aAC9B,CAAC;SACH;KACF;CACF;AAED,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,SAAS,IACzC,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBAiM9D"}

package/dist/server/middleware/auth.js

@@ -0,0 +1,183 @@
+/**
+ * API key authentication middleware with SOFT LIMIT enforcement
+ *
+ * Philosophy: Never fully block users. When weekly limits are exceeded,
+ * degrade to HTTP-only mode instead of returning 429.
+ * BURST limits (hourly) are HARD limits and return 429.
+ *
+ * Dual auth: Accepts both API keys AND JWT session tokens.
+ * API keys are validated via the auth store; JWTs are verified with JWT_SECRET.
+ * Dashboard pages use JWT tokens; CLI/SDK users use API keys.
+ */
+import jwt from 'jsonwebtoken';
+import { PostgresAuthStore } from '../pg-auth-store.js';
+export function createAuthMiddleware(authStore) {
+    return async (req, res, next) => {
+        try {
+            // Extract API key from Authorization header or X-API-Key header
+            const authHeader = req.headers.authorization;
+            const apiKeyHeader = req.headers['x-api-key'];
+            // SECURITY: Skip API key auth for public/JWT-protected endpoints
+            // These routes either need no auth or use their own JWT middleware
+            const isPublicEndpoint = req.path === '/health' ||
+                req.path.startsWith('/v1/auth/') ||
+                req.path === '/v1/webhooks/stripe' ||
+                req.path === '/v1/me' ||
+                req.path.startsWith('/v1/keys') ||
+                req.path === '/v1/usage' ||
+                req.path.startsWith('/v1/extra-usage');
+            if (isPublicEndpoint) {
+                req.auth = {
+                    keyInfo: null,
+                    tier: 'free',
+                    rateLimit: 10,
+                    softLimited: false,
+                    extraUsageAvailable: false,
+                };
+                return next();
+            }
+            let apiKey = null;
+            if (authHeader?.startsWith('Bearer ')) {
+                apiKey = authHeader.slice(7);
+            }
+            else if (apiKeyHeader && typeof apiKeyHeader === 'string') {
+                apiKey = apiKeyHeader;
+            }
+            if (!apiKey) {
+                // Allow anonymous free-tier access (125/week, 25/hr burst)
+                // This enables the playground and basic usage without signup
+                req.auth = {
+                    keyInfo: null,
+                    tier: 'free',
+                    rateLimit: 25, // requests per minute for anonymous
+                    softLimited: false,
+                    extraUsageAvailable: false,
+                };
+                return next();
+            }
+            // Validate API key if provided
+            let keyInfo = null;
+            let softLimited = false;
+            let extraUsageAvailable = false;
+            if (apiKey) {
+                keyInfo = await authStore.validateKey(apiKey);
+                if (!keyInfo) {
+                    // API key not found — try JWT session token as fallback.
+                    // Dashboard uses JWT tokens (from /v1/auth/login or /v1/auth/oauth),
+                    // while CLI/SDK users use API keys. Support both seamlessly.
+                    const jwtSecret = process.env.JWT_SECRET;
+                    if (jwtSecret) {
+                        try {
+                            const payload = jwt.verify(apiKey, jwtSecret);
+                            if (payload.userId) {
+                                // Valid JWT — treat as authenticated session user.
+                                // Set req.auth with null keyInfo (no API key) and attach
+                                // the JWT payload so routes can use req.user.userId.
+                                req.auth = {
+                                    keyInfo: null,
+                                    tier: payload.tier || 'free',
+                                    rateLimit: 25,
+                                    softLimited: false,
+                                    extraUsageAvailable: false,
+                                };
+                                req.user = payload;
+                                return next();
+                            }
+                        }
+                        catch {
+                            // Not a valid JWT either — fall through to 401
+                        }
+                    }
+                    res.status(401).json({
+                        error: 'invalid_key',
+                        message: 'Invalid or expired API key. Check your key at https://app.webpeel.dev/keys or generate a new one.',
+                        docs: 'https://webpeel.dev/docs/api-reference#authentication',
+                    });
+                    return;
+                }
+                // Check limits (only for PostgresAuthStore)
+                if (authStore instanceof PostgresAuthStore) {
+                    // HARD LIMIT: Check burst limit first (per-hour cap)
+                    const { allowed: burstAllowed, burst } = await authStore.checkBurstLimit(apiKey);
+                    if (!burstAllowed) {
+                        // Burst limit exceeded - HARD 429 with Retry-After
+                        const retryAfterSeconds = 60 * parseInt(burst.resetsIn.match(/\d+/)?.[0] || '1', 10);
+                        res.setHeader('Retry-After', retryAfterSeconds.toString());
+                        res.setHeader('X-Burst-Limit', burst.limit.toString());
+                        res.setHeader('X-Burst-Used', burst.count.toString());
+                        const tier = keyInfo?.tier || 'free';
+                        const upgradeHint = tier === 'free'
+                            ? ' Upgrade to Pro ($9/mo) for 100/hr → https://webpeel.dev/#pricing'
+                            : tier === 'pro'
+                                ? ' Upgrade to Max ($29/mo) for 500/hr → https://webpeel.dev/#pricing'
+                                : '';
+                        res.status(429).json({
+                            error: 'burst_limit_exceeded',
+                            message: `Hourly burst limit exceeded (${burst.count}/${burst.limit} on ${tier} plan). Resets in ${burst.resetsIn}.${upgradeHint}`,
+                            retryAfter: burst.resetsIn,
+                            plan: tier,
+                            docs: 'https://webpeel.dev/docs/api-reference#rate-limits',
+                        });
+                        return;
+                    }
+                    // Add burst headers
+                    res.setHeader('X-Burst-Limit', burst.limit.toString());
+                    res.setHeader('X-Burst-Used', burst.count.toString());
+                    res.setHeader('X-Burst-Remaining', burst.remaining.toString());
+                    // SOFT LIMIT: Check weekly usage
+                    const { allowed, usage } = await authStore.checkLimit(apiKey);
+                    // Check if extra usage is available
+                    if (!allowed) {
+                        extraUsageAvailable = await authStore.canUseExtraUsage(apiKey);
+                        if (!extraUsageAvailable) {
+                            // Over weekly quota, no extra usage — SOFT LIMIT (degrade to HTTP-only)
+                            softLimited = true;
+                            res.setHeader('X-Soft-Limited', 'true');
+                            res.setHeader('X-Soft-Limit-Reason', 'Weekly quota exceeded. Requests degraded to HTTP-only mode.');
+                            res.setHeader('X-Upgrade-URL', 'https://webpeel.dev/#pricing');
+                        }
+                    }
+                    // Add weekly usage headers
+                    if (usage) {
+                        res.setHeader('X-Weekly-Limit', usage.totalAvailable.toString());
+                        res.setHeader('X-Weekly-Used', usage.totalUsed.toString());
+                        res.setHeader('X-Weekly-Remaining', Math.max(0, usage.remaining).toString());
+                        res.setHeader('X-Weekly-Percent', usage.percentUsed.toString());
+                        res.setHeader('X-Weekly-Resets-At', usage.resetsAt);
+                        // Warn if over 80% usage and not using extra usage
+                        if (usage.percentUsed >= 80 && !softLimited && !extraUsageAvailable) {
+                            res.setHeader('X-Usage-Warning', `You've used ${usage.percentUsed}% of your weekly quota. Consider upgrading at https://webpeel.dev/#pricing`);
+                        }
+                    }
+                    // Add extra usage headers if available
+                    const extraInfo = await authStore.getExtraUsageInfo(apiKey);
+                    if (extraInfo) {
+                        res.setHeader('X-Extra-Usage-Enabled', extraInfo.enabled ? 'true' : 'false');
+                        res.setHeader('X-Extra-Usage-Balance', extraInfo.balance.toFixed(2));
+                        if (extraInfo.enabled) {
+                            res.setHeader('X-Extra-Usage-Spent', extraInfo.spent.toFixed(2));
+                            res.setHeader('X-Extra-Usage-Limit', extraInfo.spendingLimit.toFixed(2));
+                        }
+                    }
+                }
+            }
+            // Set auth context on request
+            req.auth = {
+                keyInfo,
+                tier: keyInfo?.tier || 'free',
+                rateLimit: keyInfo?.rateLimit || 10,
+                softLimited,
+                extraUsageAvailable,
+            };
+            next();
+        }
+        catch (error) {
+            const err = error;
+            res.status(500).json({
+                error: 'auth_error',
+                message: err.message || 'Authentication failed',
+            });
+        }
+    };
+}
+//# sourceMappingURL=auth.js.map

package/dist/server/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/server/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,GAAG,MAAM,cAAc,CAAC;AAE/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAgBxD,MAAM,UAAU,oBAAoB,CAAC,SAAoB;IACvD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,IAAI,CAAC;YACH,gEAAgE;YAChE,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7C,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAE9C,iEAAiE;YACjE,mEAAmE;YACnE,MAAM,gBAAgB,GACpB,GAAG,CAAC,IAAI,KAAK,SAAS;gBACtB,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;gBAChC,GAAG,CAAC,IAAI,KAAK,qBAAqB;gBAClC,GAAG,CAAC,IAAI,KAAK,QAAQ;gBACrB,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;gBAC/B,GAAG,CAAC,IAAI,KAAK,WAAW;gBACxB,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;YAEzC,IAAI,gBAAgB,EAAE,CAAC;gBACrB,GAAG,CAAC,IAAI,GAAG;oBACT,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,MAAM;oBACZ,SAAS,EAAE,EAAE;oBACb,WAAW,EAAE,KAAK;oBAClB,mBAAmB,EAAE,KAAK;iBAC3B,CAAC;gBACF,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YAED,IAAI,MAAM,GAAkB,IAAI,CAAC;YAEjC,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACtC,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/B,CAAC;iBAAM,IAAI,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;gBAC5D,MAAM,GAAG,YAAY,CAAC;YACxB,CAAC;YAED,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,2DAA2D;gBAC3D,6DAA6D;gBAC7D,GAAG,CAAC,IAAI,GAAG;oBACT,OAAO,EAAE,IAAI;oBACb,IAAI,EAAE,MAAM;oBACZ,SAAS,EAAE,EAAE,EAAG,oCAAoC;oBACpD,WAAW,EAAE,KAAK;oBAClB,mBAAmB,EAAE,KAAK;iBAC3B,CAAC;gBACF,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YAED,+BAA+B;YAC/B,IAAI,OAAO,GAAsB,IAAI,CAAC;YACtC,IAAI,WAAW,GAAG,KAAK,CAAC;YACxB,IAAI,mBAAmB,GAAG,KAAK,CAAC;YAEhC,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;gBAC9C,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,yDAAyD;oBACzD,qEAAqE;oBACrE,6DAA6D;oBAC7D,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;oBACzC,IAAI,SAAS,EAAE,CAAC;wBACd,IAAI,CAAC;4BACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,CAI3C,CAAC;4BACF,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gCACnB,mDAAmD;gCACnD,yDAAyD;gCACzD,qDAAqD;gCACrD,GAAG,CAAC,IAAI,GAAG;oCACT,OAAO,EAAE,IAAI;oCACb,IAAI,EAAG,OAAO,CAAC,IAAY,IAAI,MAAM;oCACrC,SAAS,EAAE,EAAE;oCACb,WAAW,EAAE,KAAK;oCAClB,mBAAmB,EAAE,KAAK;iCAC3B,CAAC;gCACD,GAAW,CAAC,IAAI,GAAG,OAAO,CAAC;gCAC5B,OAAO,IAAI,EAAE,CAAC;4BAChB,CAAC;wBACH,CAAC;wBAAC,MAAM,CAAC;4BACP,+CAA+C;wBACjD,CAAC;oBACH,CAAC;oBAED,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;wBACnB,KAAK,EAAE,aAAa;wBACpB,OAAO,EAAE,mGAAmG;wBAC5G,IAAI,EAAE,uDAAuD;qBAC9D,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,4CAA4C;gBAC5C,IAAI,SAAS,YAAY,iBAAiB,EAAE,CAAC;oBAC3C,qDAAqD;oBACrD,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,GAAG,MAAM,SAAS,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;oBAEjF,IAAI,CAAC,YAAY,EAAE,CAAC;wBAClB,mDAAmD;wBACnD,MAAM,iBAAiB,GAAG,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;wBACrF,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,iBAAiB,CAAC,QAAQ,EAAE,CAAC,CAAC;wBAC3D,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;wBACvD,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;wBAEtD,MAAM,IAAI,GAAG,OAAO,EAAE,IAAI,IAAI,MAAM,CAAC;wBACrC,MAAM,WAAW,GAAG,IAAI,KAAK,MAAM;4BACjC,CAAC,CAAC,mEAAmE;4BACrE,CAAC,CAAC,IAAI,KAAK,KAAK;gCAChB,CAAC,CAAC,oEAAoE;gCACtE,CAAC,CAAC,EAAE,CAAC;wBACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;4BACnB,KAAK,EAAE,sBAAsB;4BAC7B,OAAO,EAAE,gCAAgC,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,KAAK,OAAO,IAAI,qBAAqB,KAAK,CAAC,QAAQ,IAAI,WAAW,EAAE;4BAClI,UAAU,EAAE,KAAK,CAAC,QAAQ;4BAC1B,IAAI,EAAE,IAAI;4BACV,IAAI,EAAE,oDAAoD;yBAC3D,CAAC,CAAC;wBACH,OAAO;oBACT,CAAC;oBAED,oBAAoB;oBACpB,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;oBACvD,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;oBACtD,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,KAAK,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;oBAE/D,iCAAiC;oBACjC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;oBAE9D,oCAAoC;oBACpC,IAAI,CAAC,OAAO,EAAE,CAAC;wBACb,mBAAmB,GAAG,MAAM,SAAS,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;wBAE/D,IAAI,CAAC,mBAAmB,EAAE,CAAC;4BACzB,wEAAwE;4BACxE,WAAW,GAAG,IAAI,CAAC;4BACnB,GAAG,CAAC,SAAS,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;4BACxC,GAAG,CAAC,SAAS,CAAC,qBAAqB,EAAE,6DAA6D,CAAC,CAAC;4BACpG,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,8BAA8B,CAAC,CAAC;wBACjE,CAAC;oBACH,CAAC;oBAED,2BAA2B;oBAC3B,IAAI,KAAK,EAAE,CAAC;wBACV,GAAG,CAAC,SAAS,CAAC,gBAAgB,EAAE,KAAK,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;wBACjE,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,KAAK,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;wBAC3D,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;wBAC7E,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,KAAK,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;wBAChE,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;wBAEpD,mDAAmD;wBACnD,IAAI,KAAK,CAAC,WAAW,IAAI,EAAE,IAAI,CAAC,WAAW,IAAI,CAAC,mBAAmB,EAAE,CAAC;4BACpE,GAAG,CAAC,SAAS,CACX,iBAAiB,EACjB,eAAe,KAAK,CAAC,WAAW,4EAA4E,CAC7G,CAAC;wBACJ,CAAC;oBACH,CAAC;oBAED,uCAAuC;oBACvC,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;oBAC5D,IAAI,SAAS,EAAE,CAAC;wBACd,GAAG,CAAC,SAAS,CAAC,uBAAuB,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;wBAC7E,GAAG,CAAC,SAAS,CAAC,uBAAuB,EAAE,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;wBAErE,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;4BACtB,GAAG,CAAC,SAAS,CAAC,qBAAqB,EAAE,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;4BACjE,GAAG,CAAC,SAAS,CAAC,qBAAqB,EAAE,SAAS,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;wBAC3E,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,8BAA8B;YAC9B,GAAG,CAAC,IAAI,GAAG;gBACT,OAAO;gBACP,IAAI,EAAE,OAAO,EAAE,IAAI,IAAI,MAAM;gBAC7B,SAAS,EAAE,OAAO,EAAE,SAAS,IAAI,EAAE;gBACnC,WAAW;gBACX,mBAAmB;aACpB,CAAC;YAEF,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAc,CAAC;YAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,YAAY;gBACnB,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,uBAAuB;aAChD,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/server/middleware/rate-limit.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Sliding window rate limiting middleware
+ */
+import { Request, Response, NextFunction } from 'express';
+export declare class RateLimiter {
+    private store;
+    private windowMs;
+    constructor(windowMs?: number);
+    /**
+     * Check if request is allowed under rate limit
+     */
+    checkLimit(identifier: string, limit: number): {
+        allowed: boolean;
+        remaining: number;
+        retryAfter?: number;
+    };
+    /**
+     * Clean up old entries (call periodically)
+     */
+    cleanup(): void;
+}
+export declare function createRateLimitMiddleware(limiter: RateLimiter): (req: Request, res: Response, next: NextFunction) => void;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/server/middleware/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../../src/server/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAM1D,qBAAa,WAAW;IACtB,OAAO,CAAC,KAAK,CAAqC;IAClD,OAAO,CAAC,QAAQ,CAAS;gBAEb,QAAQ,GAAE,MAAc;IAIpC;;OAEG;IACH,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG;QAC7C,OAAO,EAAE,OAAO,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB;IAmCD;;OAEG;IACH,OAAO,IAAI,IAAI;CAWhB;AAeD,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,WAAW,IACpD,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAgE/D"}

package/dist/server/middleware/rate-limit.js

@@ -0,0 +1,126 @@
+/**
+ * Sliding window rate limiting middleware
+ */
+export class RateLimiter {
+    store = new Map();
+    windowMs;
+    constructor(windowMs = 60000) {
+        this.windowMs = windowMs;
+    }
+    /**
+     * Check if request is allowed under rate limit
+     */
+    checkLimit(identifier, limit) {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        // Get or create entry
+        let entry = this.store.get(identifier);
+        if (!entry) {
+            entry = { timestamps: [] };
+            this.store.set(identifier, entry);
+        }
+        // Remove timestamps outside the window
+        entry.timestamps = entry.timestamps.filter(ts => ts > windowStart);
+        // Check if limit exceeded
+        if (entry.timestamps.length >= limit) {
+            const oldestTimestamp = entry.timestamps[0];
+            const retryAfter = Math.ceil((oldestTimestamp + this.windowMs - now) / 1000);
+            return {
+                allowed: false,
+                remaining: 0,
+                retryAfter,
+            };
+        }
+        // Add current timestamp
+        entry.timestamps.push(now);
+        return {
+            allowed: true,
+            remaining: limit - entry.timestamps.length,
+        };
+    }
+    /**
+     * Clean up old entries (call periodically)
+     */
+    cleanup() {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        for (const [identifier, entry] of this.store.entries()) {
+            entry.timestamps = entry.timestamps.filter(ts => ts > windowStart);
+            if (entry.timestamps.length === 0) {
+                this.store.delete(identifier);
+            }
+        }
+    }
+}
+/**
+ * Hourly burst limits per tier.
+ * These are the hard caps enforced by the in-memory sliding window.
+ * Free: 25/hr, Pro: 100/hr, Max: 500/hr (matches pricing page).
+ */
+const TIER_BURST_LIMITS = {
+    free: 25,
+    starter: 50,
+    pro: 100,
+    enterprise: 250,
+    max: 500,
+};
+export function createRateLimitMiddleware(limiter) {
+    return (req, res, next) => {
+        try {
+            // Use API key or real client IP as identifier.
+            // Prefer Cloudflare CF-Connecting-IP, then x-forwarded-for first
+            // entry (real client), then x-real-ip, then req.ip.
+            const forwardedFor = req.headers['x-forwarded-for'];
+            const firstForwardedIp = typeof forwardedFor === 'string'
+                ? forwardedFor.split(',')[0].trim()
+                : Array.isArray(forwardedFor) ? forwardedFor[0] : undefined;
+            const clientIp = req.headers['cf-connecting-ip']
+                || firstForwardedIp
+                || req.headers['x-real-ip']
+                || req.ip
+                || 'unknown';
+            const identifier = req.auth?.keyInfo?.key || clientIp;
+            // Use tier-based hourly burst limits (matches the 1-hour sliding window)
+            const limit = TIER_BURST_LIMITS[req.auth?.tier || 'free'] || 25;
+            const result = limiter.checkLimit(identifier, limit);
+            // Calculate reset timestamp
+            const now = Date.now();
+            const resetTimestamp = Math.ceil((now + limiter['windowMs']) / 1000);
+            // Set rate limit headers on ALL responses
+            res.setHeader('X-RateLimit-Limit', limit.toString());
+            res.setHeader('X-RateLimit-Remaining', Math.max(0, result.remaining).toString());
+            res.setHeader('X-RateLimit-Reset', resetTimestamp.toString());
+            // Add plan header if authenticated
+            if (req.auth?.tier) {
+                res.setHeader('X-WebPeel-Plan', req.auth.tier);
+            }
+            if (!result.allowed) {
+                res.setHeader('Retry-After', result.retryAfter.toString());
+                const tier = req.auth?.tier || 'free';
+                const upgradeHint = tier === 'free'
+                    ? ' Upgrade to Pro ($9/mo) for 100/hr burst limit → https://webpeel.dev/#pricing'
+                    : tier === 'pro'
+                        ? ' Upgrade to Max ($29/mo) for 500/hr burst limit → https://webpeel.dev/#pricing'
+                        : '';
+                res.status(429).json({
+                    error: 'rate_limited',
+                    message: `Hourly rate limit exceeded (${limit} requests/hr on ${tier} plan). Try again in ${result.retryAfter}s.${upgradeHint}`,
+                    retryAfter: result.retryAfter,
+                    limit,
+                    plan: tier,
+                    docs: 'https://webpeel.dev/docs/api-reference#rate-limits',
+                });
+                return; // Stop processing - rate limit exceeded
+            }
+            next();
+        }
+        catch (error) {
+            const err = error;
+            res.status(500).json({
+                error: 'rate_limit_error',
+                message: err.message || 'Rate limiting failed',
+            });
+        }
+    };
+}
+//# sourceMappingURL=rate-limit.js.map

package/dist/server/middleware/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../../src/server/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAQH,MAAM,OAAO,WAAW;IACd,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAC;IAC1C,QAAQ,CAAS;IAEzB,YAAY,WAAmB,KAAK;QAClC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,UAAkB,EAAE,KAAa;QAK1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;QAExC,sBAAsB;QACtB,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;YAC3B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QACpC,CAAC;QAED,uCAAuC;QACvC,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,WAAW,CAAC,CAAC;QAEnE,0BAA0B;QAC1B,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,IAAI,KAAK,EAAE,CAAC;YACrC,MAAM,eAAe,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAC5C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,eAAe,GAAG,IAAI,CAAC,QAAQ,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;YAE7E,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,SAAS,EAAE,CAAC;gBACZ,UAAU;aACX,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE3B,OAAO;YACL,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK,GAAG,KAAK,CAAC,UAAU,CAAC,MAAM;SAC3C,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;QAExC,KAAK,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;YACvD,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,WAAW,CAAC,CAAC;YACnE,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAClC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,iBAAiB,GAA2B;IAChD,IAAI,EAAE,EAAE;IACR,OAAO,EAAE,EAAE;IACX,GAAG,EAAE,GAAG;IACR,UAAU,EAAE,GAAG;IACf,GAAG,EAAE,GAAG;CACT,CAAC;AAEF,MAAM,UAAU,yBAAyB,CAAC,OAAoB;IAC5D,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,IAAI,CAAC;YACH,+CAA+C;YAC/C,iEAAiE;YACjE,oDAAoD;YACpD,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YACpD,MAAM,gBAAgB,GAAG,OAAO,YAAY,KAAK,QAAQ;gBACvD,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;gBACnC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAE9D,MAAM,QAAQ,GAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAY;mBACvD,gBAAgB;mBACf,GAAG,CAAC,OAAO,CAAC,WAAW,CAAY;mBACpC,GAAG,CAAC,EAAE;mBACN,SAAS,CAAC;YACf,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,QAAQ,CAAC;YAEtD,yEAAyE;YACzE,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YAEhE,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YAErD,4BAA4B;YAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAErE,0CAA0C;YAC1C,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YACrD,GAAG,CAAC,SAAS,CAAC,uBAAuB,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YACjF,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;YAE9D,mCAAmC;YACnC,IAAI,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;gBACnB,GAAG,CAAC,SAAS,CAAC,gBAAgB,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjD,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,UAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC5D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,EAAE,IAAI,IAAI,MAAM,CAAC;gBACtC,MAAM,WAAW,GAAG,IAAI,KAAK,MAAM;oBACjC,CAAC,CAAC,+EAA+E;oBACjF,CAAC,CAAC,IAAI,KAAK,KAAK;wBAChB,CAAC,CAAC,gFAAgF;wBAClF,CAAC,CAAC,EAAE,CAAC;gBACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,+BAA+B,KAAK,mBAAmB,IAAI,wBAAwB,MAAM,CAAC,UAAU,KAAK,WAAW,EAAE;oBAC/H,UAAU,EAAE,MAAM,CAAC,UAAU;oBAC7B,KAAK;oBACL,IAAI,EAAE,IAAI;oBACV,IAAI,EAAE,oDAAoD;iBAC3D,CAAC,CAAC;gBACH,OAAO,CAAC,wCAAwC;YAClD,CAAC;YAED,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAc,CAAC;YAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,kBAAkB;gBACzB,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,sBAAsB;aAC/C,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/server/middleware/url-validator.d.ts

@@ -0,0 +1,16 @@
+/**
+ * URL validation middleware to prevent SSRF attacks
+ * Validates URLs BEFORE any network request is made
+ */
+/**
+ * Validate URL to prevent SSRF attacks
+ * Blocks localhost, private IPs, link-local addresses, and non-HTTP(S) protocols
+ */
+export declare function validateUrlForSSRF(urlString: string): void;
+/**
+ * SSRF Error class
+ */
+export declare class SSRFError extends Error {
+    constructor(message: string);
+}
+//# sourceMappingURL=url-validator.d.ts.map

package/dist/server/middleware/url-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-validator.d.ts","sourceRoot":"","sources":["../../../src/server/middleware/url-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAgC1D;AAED;;GAEG;AACH,qBAAa,SAAU,SAAQ,KAAK;gBACtB,OAAO,EAAE,MAAM;CAI5B"}