chore: start working on 1.0.0

.all-contributorsrc

@@ -0,0 +1,15 @@
+{
+  "files": [
+    "README.md"
+  ],
+  "imageSize": 100,
+  "commit": false,
+  "contributors": [],
+  "contributorsPerLine": 7,
+  "projectName": "rc",
+  "projectOwner": "NodeSecure",
+  "repoType": "database",
+  "repoHost": "https://github.com",
+  "skipCi": true,
+  "commitConvention": "angular"
+}

.editorconfig

@@ -0,0 +1,14 @@
+# Editor configuration, see https://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true
+end_of_line = lf
+
+[*.md]
+max_line_length = off
+trim_trailing_whitespace = false

.gitignore

@@ -102,3 +102,5 @@ dist
 
 # TernJS port file
 .tern-port
+
+temp/

.npmrc

@@ -0,0 +1 @@
+package-lock=false

CONTRIBUTING.md

@@ -0,0 +1,46 @@
+# Contributing to NodeSecure
+
+Contributions to NodeSecure include code, documentation, answering user questions and
+running the project's infrastructure
+
+The NodeSecure project welcomes all contributions from anyone willing to work in
+good faith with other contributors and the community. No contribution is too
+small and all contributions are valued.
+
+This guide explains the process for contributing to the NodeSecure project's.
+
+## [Code of Conduct](https://github.com/NodeSecure/Governance/blob/main/CODE_OF_CONDUCT.md)
+
+The NodeSecure project has a
+[Code of Conduct](https://github.com/NodeSecure/Governance/blob/main/CODE_OF_CONDUCT.md)
+that *all* contributors are expected to follow. This code describes the
+*minimum* behavior expectations for all contributors.
+
+See [details on our policy on Code of Conduct](https://github.com/NodeSecure/Governance/blob/main/COC_POLICY.md).
+
+<a id="developers-certificate-of-origin"></a>
+## Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+* (a) The contribution was created in whole or in part by me and I
+  have the right to submit it under the open source license
+  indicated in the file; or
+
+* (b) The contribution is based upon previous work that, to the best
+  of my knowledge, is covered under an appropriate open source
+  license and I have the right under that license to submit that
+  work with modifications, whether created in whole or in part
+  by me, under the same open source license (unless I am
+  permitted to submit under a different license), as indicated
+  in the file; or
+
+* (c) The contribution was provided directly to me by some other
+  person who certified (a), (b) or (c) and I have not modified
+  it.
+
+* (d) I understand and agree that this project and the contribution
+  are public and that a record of the contribution (including all
+  personal information I submit with it, including my sign-off) is
+  maintained indefinitely and may be redistributed consistent with
+  this project or the open source license(s) involved.

README.md

@@ -1,2 +1,25 @@
 # database
 NodeSecure Security Database
+
+## Contributors ✨
+
+<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
+[![All Contributors](https://img.shields.io/badge/all_contributors-4-orange.svg?style=flat-square)](#contributors-)
+<!-- ALL-CONTRIBUTORS-BADGE:END -->
+
+Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
+
+<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable -->
+
+
+<!-- markdownlint-restore -->
+<!-- prettier-ignore-end -->
+
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+
+## License
+
+MIT
+

SECURITY.md

@@ -0,0 +1,5 @@
+# Reporting Security Issues
+
+To report a security issue, please [publish a private security advisory](https://github.com/NodeSecure/rc/database/advisories) with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+
+Our vulnerability management team will respond within one week. If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. This project follows a 90 day disclosure timeline.

package.json

@@ -0,0 +1,42 @@
+{
+  "name": "@nodesecure/database",
+  "version": "1.0.0",
+  "description": "NodeSecure Security Database",
+  "main": "index.js",
+  "type": "module",
+  "scripts": {
+    "build": "tsc",
+    "start:http": "node --env-file=.env ./dist/api/server.js",
+    "test": "glob -c \"tsx --test\" \"./test/**/*.spec.ts\"",
+    "coverage": "c8 -r html npm test"
+  },
+  "engines": {
+    "node": "=>20"
+  },
+  "keywords": [
+    "database",
+    "npm",
+    "registry",
+    "secure",
+    "security"
+  ],
+  "author": "GENTILHOMME Thomas <[email protected]>",
+  "license": "MIT",
+  "devDependencies": {
+    "@nodesecure/eslint-config": "^1.9.0",
+    "@types/node": "^20.12.11",
+    "c8": "^9.1.0",
+    "eslint": "^8.57.0",
+    "glob": "^10.3.12",
+    "tsx": "^4.9.3",
+    "typescript": "^5.4.5"
+  },
+  "dependencies": {
+    "@nodesecure/npm-registry-sdk": "^2.1.1",
+    "fastify": "^4.27.0",
+    "fastify-plugin": "^4.5.1",
+    "pino": "^9.0.0",
+    "pino-pretty": "^11.0.0",
+    "zod": "^3.23.8"
+  }
+}

src/api/app.ts

@@ -0,0 +1,37 @@
+// Import Third-party Dependencies
+import fastify, { FastifyInstance } from "fastify";
+
+// Import Internal Dependencies
+import * as endpoints from "./endpoints/index.js";
+
+// Import Plugins
+import { npmAuthenticationPlugin } from "./plugins/npmAuthentication.js";
+import { standardRegistryPlugin } from "./plugins/registry.js";
+
+export function createServer(): FastifyInstance {
+  const server = fastify({
+    logger: {
+      transport: {
+        target: "pino-pretty"
+      }
+    }
+  });
+  server.register(npmRegistryEndpoints);
+
+  return server;
+}
+
+/**
+ * @see https://github.com/npm/registry/blob/main/docs/REGISTRY-API.md#endpoints
+ */
+async function npmRegistryEndpoints(
+  server: FastifyInstance
+) {
+  server.register(standardRegistryPlugin);
+  server.register(npmAuthenticationPlugin);
+
+  server.get("/", endpoints.metadata);
+  server.get("/:package", endpoints.packument);
+  server.get("/:package/:version", endpoints.packumentVersion);
+  server.get("/-/v1/search", endpoints.search);
+}

src/api/endpoints/index.ts

@@ -0,0 +1,4 @@
+export * from "./metadata.js";
+export * from "./package.js";
+export * from "./packageWithVersion.js";
+export * from "./search.js";

src/api/endpoints/metadata.ts

@@ -0,0 +1,23 @@
+// Import Third-party Dependencies
+import { NpmRegistryMetadata } from "@nodesecure/npm-registry-sdk";
+
+/**
+ * TODO: rework this with real metadata
+ * - Maybe return a Partial<NpmRegistryMetadata>
+ *   and remove useless keys! (not sure what's the impact).
+ */
+export async function metadata(): Promise<NpmRegistryMetadata> {
+  return {
+    db_name: "nodesecure_db",
+    doc_count: 0,
+    doc_del_count: 0,
+    update_seq: 0,
+    purge_seq: 0,
+    compact_running: false,
+    disk_size: 0,
+    data_size: 0,
+    instance_start_time: process.uptime().toString(),
+    disk_format_version: 6,
+    committed_update_seq: 0
+  }
+}

src/api/endpoints/package.ts

@@ -0,0 +1,19 @@
+// Import Third-party Dependencies
+import { FastifyRequest } from "fastify";
+
+interface PackumentEndpoint {
+  Params: {
+    package: string;
+  }
+}
+
+export async function packument(
+  request: FastifyRequest<PackumentEndpoint>
+) {
+  const data = await request.server.registry.package(
+    request.params.package,
+    request.npmAuthenticationOptions
+  );
+
+  return data;
+}

src/api/endpoints/packageWithVersion.ts

@@ -0,0 +1,21 @@
+// Import Third-party Dependencies
+import { FastifyRequest } from "fastify";
+
+interface PackumentVersionEndpoint {
+  Params: {
+    package: string;
+    version: string;
+  }
+}
+
+export async function packumentVersion(
+  request: FastifyRequest<PackumentVersionEndpoint>
+) {
+  const data = await request.server.registry.packageWithVersion(
+    request.params.package,
+    request.params.version,
+    request.npmAuthenticationOptions
+  );
+
+  return data;
+}

src/api/endpoints/search.ts

@@ -0,0 +1,18 @@
+// Import Third-party Dependencies
+import { FastifyRequest } from "fastify";
+import { SearchCriteria } from "@nodesecure/npm-registry-sdk";
+
+interface SearchEndpoint {
+  Querystring: SearchCriteria;
+}
+
+export async function search(
+  request: FastifyRequest<SearchEndpoint>
+) {
+  const data = await request.server.registry.search(
+    request.query,
+    request.npmAuthenticationOptions
+  );
+
+  return data;
+}

src/api/plugins/npmAuthentication.ts

@@ -0,0 +1,41 @@
+// Import Third-party Dependencies
+import {
+  FastifyInstance,
+  FastifyRequest,
+  FastifyPluginAsync
+} from "fastify";
+import fp from "fastify-plugin";
+
+// Import Internal Dependencies
+import { NpmAuthenticationOptions } from "../services/NpmRegistry.js";
+
+// CONSTANTS
+const kNpmTokenHeaderName = "x-npm-token";
+
+async function npmAuthenticationPrehandler(
+  request: FastifyRequest
+) {
+  const token = request.headers[kNpmTokenHeaderName];
+  if (typeof token === "string") {
+    request.npmAuthenticationOptions = {
+      token
+    };
+  }
+}
+
+async function authentication(
+  server: FastifyInstance
+) {
+  server.addHook("preHandler", npmAuthenticationPrehandler);
+}
+
+export const npmAuthenticationPlugin: FastifyPluginAsync = fp(
+  authentication,
+  { name: "npmAuthentication" }
+);
+
+declare module "fastify" {
+  interface FastifyRequest {
+    npmAuthenticationOptions?: NpmAuthenticationOptions;
+  }
+}

src/api/plugins/registry.ts

@@ -0,0 +1,22 @@
+// Import Third-party Dependencies
+import {
+  FastifyInstance,
+  FastifyPluginAsync
+} from "fastify";
+import fp from "fastify-plugin";
+
+// Import Internal Dependencies
+import { StandardRegistry, NpmRegistry } from "../services/NpmRegistry.js";
+
+export const standardRegistryPlugin: FastifyPluginAsync = fp(
+  async function(server: FastifyInstance) {
+    server.decorate("registry", new NpmRegistry());
+  },
+  { name: "registry" }
+);
+
+declare module "fastify" {
+  interface FastifyInstance {
+    registry: StandardRegistry;
+  }
+}

src/api/server.ts

@@ -0,0 +1,23 @@
+// Import Third-party Dependencies
+import z from "zod";
+
+// Import Internal Dependencies
+import { createServer } from "./app.js";
+
+// CONSTANTS
+const kServerEnvSchema = z.object({
+  host: z.string().optional(),
+  port: z.coerce.number().optional().default(0)
+});
+
+const env = kServerEnvSchema.parse(process.env);
+const server = createServer();
+
+server.listen(env, function httpListeningCallback(err, addr) {
+  if (err) {
+    server.log.error(err);
+    process.exit(1);
+  }
+
+  server.log.info(`Server listening on ${addr}`);
+});