webspresso 0.0.74 → 0.0.75

package/plugins/rate-limit/index.js

@@ -0,0 +1,178 @@
+/**
+ * Rate limit plugin — registers named `rateLimit` middleware for file routes + optional global limiter
+ * @module plugins/rate-limit
+ */
+
+const PLUGIN_ONLY_KEYS = new Set(['global', 'globalOverrides', 'globalSkipPaths']);
+
+const DEFAULT_BASE = {
+  windowMs: 60_000,
+  limit: 100,
+  legacyHeaders: false,
+  standardHeaders: 'draft-7',
+  message: { error: 'Too many requests, please try again later.' },
+};
+
+/**
+ * Load express-rate-limit (peer). Throws if missing or too old for ipKeyGenerator.
+ * @returns {{ rateLimit: Function, ipKeyGenerator: Function }}
+ */
+function loadPeer() {
+  let mod;
+  try {
+    // eslint-disable-next-line global-require, import/no-extraneous-dependencies
+    mod = require('express-rate-limit');
+  } catch (e) {
+    const err = new Error(
+      'rate-limit plugin: install peer dependency `express-rate-limit` (npm install express-rate-limit)'
+    );
+    err.cause = e;
+    throw err;
+  }
+  const rateLimit = mod.rateLimit || mod.default;
+  const { ipKeyGenerator } = mod;
+  if (typeof rateLimit !== 'function') {
+    throw new Error('rate-limit plugin: express-rate-limit export rateLimit not found');
+  }
+  if (typeof ipKeyGenerator !== 'function') {
+    throw new Error(
+      'rate-limit plugin: express-rate-limit must be >= 8 (ipKeyGenerator export required)'
+    );
+  }
+  return { rateLimit, ipKeyGenerator };
+}
+
+/**
+ * Strip plugin-only options before passing to express-rate-limit.
+ * @param {Record<string, unknown>} opts
+ */
+function pickLimiterOptions(opts) {
+  const out = { ...opts };
+  for (const k of PLUGIN_ONLY_KEYS) {
+    delete out[k];
+  }
+  return out;
+}
+
+/**
+ * Merge layers into express-rate-limit options. Default key uses ipKeyGenerator(req.ip, subnet).
+ * Custom keyGenerator and top-level ipv6Subnet are mutually exclusive in v8+ validation.
+ *
+ * @param {Function} ipKeyGenerator
+ * @param  {...Record<string, unknown>} layers
+ */
+function resolveLimiterConfig(ipKeyGenerator, ...layers) {
+  /** @type {Record<string, unknown>} */
+  const merged = Object.assign({}, ...layers);
+  const keyGenerator = merged.keyGenerator;
+  const ipv6Subnet = merged.ipv6Subnet;
+  const rest = { ...merged };
+  delete rest.keyGenerator;
+  delete rest.ipv6Subnet;
+
+  if (typeof keyGenerator === 'function') {
+    return { ...rest, keyGenerator };
+  }
+
+  const subnet = ipv6Subnet !== undefined ? ipv6Subnet : 56;
+  return {
+    ...rest,
+    keyGenerator: (req, res) => ipKeyGenerator(req.ip, subnet),
+  };
+}
+
+/**
+ * @param {import('express').RequestHandler|undefined} userSkip
+ * @param {import('express').RequestHandler} builtin
+ */
+function combineSkip(userSkip, builtin) {
+  if (!userSkip) return builtin;
+  return (req, res) => userSkip(req, res) || builtin(req, res);
+}
+
+/**
+ * @param {string[]} extraPathPrefixes
+ * @returns {import('express').RequestHandler}
+ */
+function createDefaultGlobalSkip(extraPathPrefixes = []) {
+  const extras = (Array.isArray(extraPathPrefixes) ? extraPathPrefixes : []).filter(Boolean);
+  /** @type {string[]} */
+  const prefixes = [
+    '/__webspresso/client-runtime',
+    '/_webspresso',
+    ...extras,
+  ];
+  return (req, res) => {
+    const p = req.path || '';
+    if (prefixes.some((x) => p.startsWith(x))) return true;
+    if (p === '/health' || p === '/robots.txt' || p === '/favicon.ico') return true;
+    return false;
+  };
+}
+
+/**
+ * @param {object} [options] — express-rate-limit options plus plugin keys
+ * @param {boolean} [options.global=false] — mount a global limiter on ctx.app
+ * @param {object} [options.globalOverrides] — shallow merge applied only for the global limiter (after factory defaults)
+ * @param {string[]} [options.globalSkipPaths] — extra path prefixes where global limiter skips counting
+ */
+function rateLimitPlugin(options = {}) {
+  const {
+    global: applyGlobal = false,
+    globalOverrides = null,
+    globalSkipPaths = [],
+    ...rest
+  } = options;
+
+  const factoryDefaults = pickLimiterOptions(rest);
+
+  const plugin = {
+    name: 'rate-limit',
+    version: '1.0.0',
+    description: 'Named rateLimit middleware (express-rate-limit) for file routes; optional global limiter',
+    _options: options,
+
+    api: {
+      /**
+       * Build limiter options object (for setupRoutes / tests).
+       * @param {Record<string, unknown>} [routeOpts]
+       */
+      createLimiterOptions(routeOpts = {}) {
+        const { ipKeyGenerator } = loadPeer();
+        const baseDefaults = { ...DEFAULT_BASE, ...factoryDefaults };
+        return resolveLimiterConfig(ipKeyGenerator, baseDefaults, routeOpts);
+      },
+    },
+
+    register(ctx) {
+      const { rateLimit, ipKeyGenerator } = loadPeer();
+
+      const baseDefaults = { ...DEFAULT_BASE, ...factoryDefaults };
+
+      ctx.middlewares.rateLimit = (routeOpts = {}) =>
+        rateLimit(resolveLimiterConfig(ipKeyGenerator, baseDefaults, routeOpts));
+
+      if (applyGlobal) {
+        const globalBuiltins = createDefaultGlobalSkip(globalSkipPaths);
+        const globalResolved = resolveLimiterConfig(
+          ipKeyGenerator,
+          baseDefaults,
+          globalOverrides && typeof globalOverrides === 'object' ? globalOverrides : {}
+        );
+        const UserSkip = globalResolved.skip;
+        const middleware = rateLimit({
+          ...globalResolved,
+          skip: combineSkip(
+            typeof UserSkip === 'function' ? UserSkip : undefined,
+            globalBuiltins
+          ),
+        });
+        ctx.app.use(middleware);
+      }
+    },
+  };
+
+  return plugin;
+}
+
+module.exports = { rateLimitPlugin };

package/plugins/redirect/index.js

@@ -0,0 +1,204 @@
+/**
+ * HTTP redirect plugin — runs in register() before file-based routes.
+ * @module plugins/redirect
+ */
+
+const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
+
+/**
+ * @param {string} to
+ * @returns {boolean}
+ */
+function isExternalTarget(to) {
+  if (!to || typeof to !== 'string') return false;
+  const t = to.trim();
+  return /^https?:\/\//i.test(t) || t.startsWith('//');
+}
+
+/**
+ * @param {'strip'|'add'|false|undefined} mode
+ * @param {string} path
+ * @returns {string}
+ */
+function normalizePathForTrailingSlash(mode, path) {
+  if (!path || mode === false || mode == null) return path;
+  if (path === '/') return path;
+  if (mode === 'strip') {
+    return path.endsWith('/') ? path.slice(0, -1) || '/' : path;
+  }
+  if (mode === 'add') {
+    return path.endsWith('/') ? path : `${path}/`;
+  }
+  return path;
+}
+
+/**
+ * @param {object} rule
+ * @param {object} pluginOpts
+ * @returns {object|null} compiled rule or null if invalid / disallowed external
+ */
+function compileRule(rule, pluginOpts) {
+  if (!rule || typeof rule.to !== 'string' || rule.to.trim() === '') {
+    console.warn('[redirect] Skipping rule: missing `to`');
+    return null;
+  }
+
+  const to = rule.to.trim();
+  const external = isExternalTarget(to);
+  if (external && !pluginOpts.allowExternal) {
+    console.warn('[redirect] Skipping rule: external `to` requires allowExternal: true', rule.from);
+    return null;
+  }
+
+  let status = rule.status != null ? Number(rule.status) : pluginOpts.defaultStatus;
+  if (!REDIRECT_STATUSES.has(status)) {
+    status = pluginOpts.defaultStatus;
+  }
+
+  let matchAnyMethod = false;
+  /** @type {Set<string>|null} */
+  let methodSet = null;
+  if (rule.methods === '*') {
+    matchAnyMethod = true;
+  } else if (Array.isArray(rule.methods) && rule.methods.length > 0) {
+    methodSet = new Set(rule.methods.map((m) => String(m).toUpperCase()));
+  } else {
+    methodSet = new Set(pluginOpts.defaultMethods.map((m) => String(m).toUpperCase()));
+  }
+
+  const trailing = pluginOpts.trailingSlash;
+
+  if (typeof rule.from === 'string') {
+    const fromRaw = rule.from.trim();
+    const fromNorm = normalizePathForTrailingSlash(trailing, fromRaw);
+    return {
+      kind: 'string',
+      fromNorm,
+      fromRaw,
+      to,
+      status,
+      external,
+      matchAnyMethod,
+      methodSet,
+      trailing,
+    };
+  }
+
+  if (rule.from instanceof RegExp) {
+    return {
+      kind: 'regex',
+      from: rule.from,
+      to,
+      status,
+      external,
+      matchAnyMethod,
+      methodSet,
+      trailing,
+    };
+  }
+
+  console.warn('[redirect] Skipping rule: `from` must be string or RegExp');
+  return null;
+}
+
+/**
+ * @param {object} compiled
+ * @param {string} pathForMatch
+ * @param {string} rawPath
+ * @returns {boolean}
+ */
+function pathMatches(compiled, pathForMatch, rawPath) {
+  if (compiled.kind === 'string') {
+    if (pathForMatch === compiled.fromNorm) return true;
+    if (!compiled.trailing) {
+      const a = rawPath.replace(/\/$/, '') || '/';
+      const b = compiled.fromRaw.replace(/\/$/, '') || '/';
+      if (a === b) return true;
+    }
+    return false;
+  }
+  return compiled.from.test(pathForMatch);
+}
+
+/**
+ * @param {object} compiled
+ * @param {string} method
+ * @returns {boolean}
+ */
+function methodMatches(compiled, method) {
+  const m = method.toUpperCase();
+  if (compiled.matchAnyMethod) return true;
+  if (compiled.methodSet) return compiled.methodSet.has(m);
+  return false;
+}
+
+/**
+ * @param {object} options
+ * @param {Array<{from: string|RegExp, to: string, status?: number, methods?: string[]|'*'}>} [options.rules]
+ * @param {number} [options.defaultStatus=302]
+ * @param {boolean} [options.preserveQuery=true]
+ * @param {boolean} [options.allowExternal=false]
+ * @param {'strip'|'add'|false} [options.trailingSlash=false]
+ * @param {string[]} [options.defaultMethods=['GET','HEAD']]
+ * @returns {{ name: string, version: string, description: string, register: Function }}
+ */
+function redirectPlugin(options = {}) {
+  const {
+    rules = [],
+    defaultStatus = 302,
+    preserveQuery = true,
+    allowExternal = false,
+    trailingSlash = false,
+    defaultMethods = ['GET', 'HEAD'],
+  } = options;
+
+  const pluginOpts = {
+    defaultStatus: REDIRECT_STATUSES.has(Number(defaultStatus)) ? Number(defaultStatus) : 302,
+    preserveQuery,
+    allowExternal,
+    trailingSlash,
+    defaultMethods: Array.isArray(defaultMethods) && defaultMethods.length > 0 ? defaultMethods : ['GET', 'HEAD'],
+  };
+
+  const compiled = [];
+  for (const rule of rules) {
+    const c = compileRule(rule, pluginOpts);
+    if (c) compiled.push(c);
+  }
+
+  function redirectMiddleware(req, res, next) {
+    const rawPath = req.path || '/';
+    const pathForMatch = normalizePathForTrailingSlash(pluginOpts.trailingSlash, rawPath);
+    const method = req.method || 'GET';
+
+    for (const c of compiled) {
+      if (!methodMatches(c, method)) continue;
+      if (!pathMatches(c, pathForMatch, rawPath)) continue;
+
+      let location = c.to;
+      if (pluginOpts.preserveQuery && !location.includes('?')) {
+        const full = req.originalUrl || req.url || '';
+        const qi = full.indexOf('?');
+        if (qi !== -1) {
+          location += full.slice(qi);
+        }
+      }
+      res.redirect(c.status, location);
+      return;
+    }
+    next();
+  }
+
+  return {
+    name: 'redirect',
+    version: '1.0.0',
+    description: 'Configurable HTTP redirects before file-based routes',
+
+    register(ctx) {
+      if (compiled.length === 0) return;
+      ctx.app.use(redirectMiddleware);
+    },
+  };
+}
+
+module.exports = { redirectPlugin };

package/plugins/rest-resources/index.js

@@ -6,6 +6,7 @@
 const { attachDbMiddleware } = require('../../src/app-context');
 const { getAllModels } = require('../../core/orm/model');
 const { omit } = require('../../core/orm/utils');
+const { trimUrlPathSlashes } = require('../../core/url-path-normalize');
 
 const RESERVED_QUERY_KEYS = new Set(['page', 'perPage', 'sort', 'order', 'include', 'trashed']);
 
@@ -150,7 +151,7 @@ function resolveExposedModels(db, opts) {
 }
 
 function normalizeBasePath(p) {
-  return `/${String(p).replace(/^\/+|\/+$/g, '')}`;
+  return `/${trimUrlPathSlashes(p)}`;
 }
 
 function applySoftDeleteScope(query, countQuery, model, trashed) {

package/plugins/swagger.js

@@ -3,6 +3,7 @@
  */
 
 const path = require('path');
+const { trimUrlPathSlashes } = require('../core/url-path-normalize');
 const { buildOpenApiDocument } = require('../core/openapi/build-from-api-routes');
 
 const PKG = require(path.join(__dirname, '..', 'package.json'));
@@ -61,7 +62,7 @@ function swaggerPlugin(options = {}) {
     serverUrl,
   } = options;
 
-  const normalizedBase = `/${String(basePath).replace(/^\/+|\/+$/g, '')}`;
+  const normalizedBase = `/${trimUrlPathSlashes(basePath)}`;
   const jsonPath = `${normalizedBase}/openapi.json`;
   const uiPath = normalizedBase;
 

package/plugins/upload/local-file-provider.js

@@ -6,6 +6,7 @@
 const fs = require('fs/promises');
 const path = require('path');
 const { randomBytes } = require('crypto');
+const { trimUrlPathSlashes } = require('../../core/url-path-normalize');
 
 /**
  * Common MIME → canonical extension (lowercase, with leading dot).
@@ -38,8 +39,11 @@ const MIME_TO_EXT = {
  * @returns {string}
  */
 function normalizePublicBase(publicBasePath) {
-  let p = (publicBasePath == null || publicBasePath === '' ? '/uploads' : String(publicBasePath)).trim();
-  p = p.replace(/\/+$/, '');
+  let p =
+    publicBasePath == null || publicBasePath === ''
+      ? '/uploads'
+      : String(publicBasePath).trim();
+  p = trimUrlPathSlashes(p);
   if (!p.startsWith('/')) {
     p = `/${p}`;
   }