npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@kura-iam/bff-kit

v0.1.0

Published

Hono BFF foundation for services protected by Internal Auth IDP.

Readme

@kura-iam/bff-kit

Fundacao Hono para BFFs que ficam na frente de APIs protegidas pelo Internal Auth IDP.

O pacote usa @kura-iam/service-sdk por baixo e entrega uma estrutura pequena:

  • createBffApp: Hono app com secure headers, CORS opcional, request id e contexto auth;
  • createAuthMiddleware: valida Authorization: Bearer <token> e opcionalmente uma permissao;
  • createOriginGuard: bloqueia mutacoes vindas de origins nao confiaveis;
  • createServiceProxy: proxy para upstreams usando client_credentials.

Requisitos

  • Node.js 20 ou superior.
  • Hono.
  • Um client service cadastrado no IdP para o BFF chamar APIs internas.
  • Resource servers cadastrados com audiences especificas por API.

Exemplo

import {
  createBffApp,
  createOriginGuard,
  createServiceProxy,
} from "@kura-iam/bff-kit"

const app = createBffApp({
  trustedOrigins: ["https://app.example.com"],
})

app.use(
  "/api/*",
  createOriginGuard({
    allowedOrigins: ["https://app.example.com"],
  }),
)

app.all(
  "/api/orders/*",
  createServiceProxy({
    pathPrefix: "/api/orders",
    upstreamBaseUrl: "https://orders.internal.example.com",
    serviceClient: {
      issuer: process.env.AUTH_ISSUER!,
      audience: "https://orders.internal.example.com",
      clientId: process.env.AUTH_CLIENT_ID!,
      clientSecret: process.env.AUTH_CLIENT_SECRET!,
    },
  }),
)

export default app

Uma chamada para /api/orders/v1/orders?status=open sera encaminhada para https://orders.internal.example.com/v1/orders?status=open com um token client_credentials do BFF.

Rotas protegidas por bearer

Quando o BFF receber bearer tokens diretamente, use o middleware de autenticacao:

import { createAuthMiddleware, createBffApp } from "@kura-iam/bff-kit"

const app = createBffApp()

app.use(
  "/api/me/*",
  createAuthMiddleware({
    issuer: process.env.AUTH_ISSUER!,
    audience: process.env.AUTH_AUDIENCE!,
    requiredPermission: "profile:read",
  }),
)

app.get("/api/me/profile", (c) => {
  return c.json({ subject: c.get("auth") })
})

Politica de seguranca

  • createOriginGuard deve ser aplicado em rotas chamadas por browser antes de handlers mutaveis.
  • Cada proxy deve usar uma audience especifica do upstream.
  • Nao reutilize o mesmo client secret entre BFFs diferentes.
  • Propague x-request-id para facilitar tracing entre BFF e APIs.

Escopo atual

Esta versao nao implementa sessao de browser, refresh token rotation, cookie vault ou CSRF token stateful. Esses pontos dependem da decisao de produto sobre como o BFF deve representar sessoes de usuario.

Quando essa politica for fechada, o proximo pacote/modulo deve adicionar:

  • armazenamento server-side de sessao ou cookie criptografado;
  • troca OAuth Authorization Code + PKCE para login browser;
  • refresh token rotation;
  • CSRF token pareado com cookie/session;
  • logout coordenado entre BFF e IdP.

Publicacao

O publish deve acontecer via GitHub Actions com npm Trusted Publishing/OIDC, sem NPM_TOKEN. Configure o Trusted Publisher no npm com:

  • provider: GitHub Actions;
  • owner/repo: GabrielAlvesSantis/kura;
  • workflow file: release.yml;
  • environment: npm;
  • access: public.

Antes de publicar:

pnpm --filter @kura-iam/bff-kit test
pnpm --filter @kura-iam/bff-kit check-types
pnpm --filter @kura-iam/bff-kit build
pnpm --filter @kura-iam/bff-kit pack --dry-run

Para publicar uma nova versao do BFF kit, faca merge na main, atualize a versao e crie uma tag de pacote:

git checkout main
git pull origin main
pnpm --filter @kura-iam/bff-kit version patch --no-git-tag-version
pnpm install --lockfile-only
git add packages/bff-kit/package.json pnpm-lock.yaml
git commit -m "chore: release bff-kit"
git tag bff-kit-v$(node -p "require('./packages/bff-kit/package.json').version")
git push origin main --tags

O workflow release.yml publica somente quando uma tag service-sdk-v*.*.*, bff-kit-v*.*.* ou packages-v*.*.* e enviada.