117 lines
3.2 KiB
JavaScript
117 lines
3.2 KiB
JavaScript
#!/usr/bin/env node
|
|
|
|
import fs from 'fs'
|
|
import path from 'path'
|
|
import process from 'process'
|
|
import { pathToFileURL } from 'url'
|
|
|
|
const root = process.cwd()
|
|
const apiDir = path.join(root, 'src', 'app', 'api')
|
|
|
|
export const API_HANDLER_ALLOWLIST = new Set([
|
|
'src/app/api/auth/[...nextauth]/route.ts',
|
|
'src/app/api/files/[...path]/route.ts',
|
|
'src/app/api/system/boot-id/route.ts',
|
|
])
|
|
|
|
export const PUBLIC_ROUTE_ALLOWLIST = new Set([
|
|
'src/app/api/auth/[...nextauth]/route.ts',
|
|
'src/app/api/auth/register/route.ts',
|
|
'src/app/api/cos/image/route.ts',
|
|
'src/app/api/files/[...path]/route.ts',
|
|
'src/app/api/storage/sign/route.ts',
|
|
'src/app/api/system/boot-id/route.ts',
|
|
])
|
|
|
|
const AUTH_CALL_PATTERNS = [
|
|
/\brequireUserAuth\s*\(/,
|
|
/\brequireProjectAuth\s*\(/,
|
|
/\brequireProjectAuthLight\s*\(/,
|
|
]
|
|
|
|
function fail(title, details = []) {
|
|
process.stderr.write(`\n[api-route-contract-guard] ${title}\n`)
|
|
for (const detail of details) {
|
|
process.stderr.write(` - ${detail}\n`)
|
|
}
|
|
process.exit(1)
|
|
}
|
|
|
|
function walk(dir, out = []) {
|
|
if (!fs.existsSync(dir)) return out
|
|
const entries = fs.readdirSync(dir, { withFileTypes: true })
|
|
for (const entry of entries) {
|
|
if (entry.name === '.git' || entry.name === '.next' || entry.name === 'node_modules') continue
|
|
const fullPath = path.join(dir, entry.name)
|
|
if (entry.isDirectory()) {
|
|
walk(fullPath, out)
|
|
continue
|
|
}
|
|
if (entry.name === 'route.ts') out.push(fullPath)
|
|
}
|
|
return out
|
|
}
|
|
|
|
function toRel(fullPath) {
|
|
return path.relative(root, fullPath).split(path.sep).join('/')
|
|
}
|
|
|
|
function hasApiHandlerWrapper(content) {
|
|
return /\bapiHandler\s*\(/.test(content)
|
|
}
|
|
|
|
function hasRequiredAuth(content) {
|
|
return AUTH_CALL_PATTERNS.some((pattern) => pattern.test(content))
|
|
}
|
|
|
|
export function inspectRouteContract(relPath, content) {
|
|
const violations = []
|
|
|
|
if (!API_HANDLER_ALLOWLIST.has(relPath) && !hasApiHandlerWrapper(content)) {
|
|
violations.push(`${relPath} missing apiHandler wrapper`)
|
|
}
|
|
|
|
if (!PUBLIC_ROUTE_ALLOWLIST.has(relPath) && !hasRequiredAuth(content)) {
|
|
violations.push(`${relPath} missing requireUserAuth/requireProjectAuth/requireProjectAuthLight`)
|
|
}
|
|
|
|
return violations
|
|
}
|
|
|
|
export function findApiRouteContractViolations(scanRoot = root) {
|
|
const routesRoot = path.join(scanRoot, 'src', 'app', 'api')
|
|
return walk(routesRoot)
|
|
.map((fullPath) => {
|
|
const relPath = path.relative(scanRoot, fullPath).split(path.sep).join('/')
|
|
const content = fs.readFileSync(fullPath, 'utf8')
|
|
return inspectRouteContract(relPath, content)
|
|
})
|
|
.flat()
|
|
}
|
|
|
|
export function main() {
|
|
if (!fs.existsSync(apiDir)) {
|
|
fail('Missing src/app/api directory')
|
|
}
|
|
|
|
const violations = walk(apiDir)
|
|
.map((fullPath) => {
|
|
const relPath = toRel(fullPath)
|
|
const content = fs.readFileSync(fullPath, 'utf8')
|
|
return inspectRouteContract(relPath, content)
|
|
})
|
|
.flat()
|
|
|
|
if (violations.length > 0) {
|
|
fail('Found API route contract violations', violations)
|
|
}
|
|
|
|
process.stdout.write(
|
|
`[api-route-contract-guard] OK routes=${walk(apiDir).length} public=${PUBLIC_ROUTE_ALLOWLIST.size} apiHandlerExceptions=${API_HANDLER_ALLOWLIST.size}\n`,
|
|
)
|
|
}
|
|
|
|
if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href) {
|
|
main()
|
|
}
|