feat: add batch denylist check (#166)

Send an array of CID strings to check if they are on the denylist.
Response is the subset of the array that is on the denylist.

```http
POST /
Content-Type: application/json

["cid1","cid2"]
```

This will be used by e-ipfs to check a batch of cids at once, see:
elastic-ipfs/bitswap-peer#215

License: MIT

---------

Signed-off-by: Oli Evans <oli@protocol.ai>

packages/denylist/src/denylist.js

@@ -47,3 +47,44 @@ export const denylistGet = async function (request, env) {
   })
   return response
 }
+
+/**
+ * Batch denylist check. POST an Array of cid strings.
+ * Returns the subset of the Array that are on the deny list.
+ * @param {Request} request
+ * @param {import('./env').Env} env
+ */
+export async function denylistPost (request, env) {
+  const contentType = request.headers.get('Content-Type')
+  if (contentType) {
+    const type = contentType.split(';').at(0)?.trim().toLowerCase()
+    if (type !== 'application/json') {
+      return new Response('Unsupported Media Type', { status: 415 })
+    }
+  }
+
+  let checklist
+  try {
+    checklist = await request.json()
+  } catch (err) {
+    return new Response('Invalid JSON', { status: 400, statusText: 'Bad Request' })
+  }
+
+  if (!Array.isArray(checklist)) {
+    return new Response('Expected an array', { status: 400, statusText: 'Bad Request' })
+  }
+
+  if (checklist.length > 1000) {
+    return new Response('Too many items. Max 1000', { status: 400, statusText: 'Bad Request' })
+  }
+
+  const body = []
+  for (const item of checklist) {
+    const res = await getFromDenyList(item, env)
+    if (res) {
+      body.push(item)
+    }
+  }
+
+  return new JSONResponse(body)
+}

packages/denylist/src/index.js

@@ -2,7 +2,7 @@
 
 import { Router } from 'itty-router'
 
-import { denylistGet } from './denylist.js'
+import { denylistGet, denylistPost } from './denylist.js'
 import { versionGet } from './version.js'
 
 import { addCorsHeaders, withCorsHeaders } from './cors.js'
@@ -19,6 +19,7 @@ router
   .all('*', envAll)
   .get('/version', withCorsHeaders(versionGet))
   .get('/:cid', withCdnCache(withCorsHeaders(denylistGet)))
+  .post('/', withCorsHeaders(denylistPost))
 
 /**
  * @param {Error} error

packages/denylist/test/denylist.spec.js

@@ -73,3 +73,52 @@ test('GET / caches response', async (t) => {
   })
   t.is(res2.status, 200)
 })
+
+test('POST / batch', async t => {
+  const { mf } = t.context
+  const cid = await createTestCid('CID CACHE TEST')
+  const denylistKv = await mf.getKVNamespace('DENYLIST')
+  await denylistKv.put(await toDenyListAnchor(cid), JSON.stringify({ status: 410, reason: 'blocked for testing the cache' }))
+
+  const checklist = ['QmSDeYAe9mga6NdTozAZuyGL3Q1XjsLtvX28XFxJH8oPjq', cid]
+  let res = await mf.dispatchFetch('http://localhost:8787/', {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json'
+    },
+    body: JSON.stringify(checklist)
+  })
+  t.is(res.status, 200)
+  const denylist = await res.json()
+  t.is(denylist.length, 1)
+  t.is(denylist[0], cid)
+
+  // not really cids, but we're checking that a max length limit is applied here
+  const tooLong = [...Array(1001).keys()]
+  res = await mf.dispatchFetch('http://localhost:8787/', {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json'
+    },
+    body: JSON.stringify(tooLong)
+  })
+  t.is(res.status, 400)
+
+  res = await mf.dispatchFetch('http://localhost:8787/', {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/JSON'
+    },
+    body: JSON.stringify(checklist).slice(0, -1)
+  })
+  t.is(res.status, 400)
+
+  res = await mf.dispatchFetch('http://localhost:8787/', {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/jsonp'
+    },
+    body: JSON.stringify(checklist)
+  })
+  t.is(res.status, 415, 'should error when content-type not json')
+})