docs: Add examples for auth, open-telemetry, and request logging

aklinker1 · aklinker1 · commit 4e55f4de9df0 · 2026-02-01T08:54:34.000-06:00
diff --git a/bun.lock b/bun.lock
diff --git a/docs/templates/base.html b/docs/templates/base.html
@@ -57,6 +57,13 @@
           <span>Testing</span>
         </a>
         <div class="spacer"></div>
+        <a
+          href="https://github.com/aklinker1/zeta/tree/main/examples"
+          target="_blank"
+        >
+          <span>Examples</span>
+          {{ macros::icon(name="i-lucide-square-arrow-out-up-right") }}
+        </a>
         <a href="https://jsr.io/@aklinker1/zeta/doc" target="_blank">
           <span>API Reference</span>
           {{ macros::icon(name="i-lucide-square-arrow-out-up-right") }}
diff --git a/examples/README.md b/examples/README.md
@@ -0,0 +1,7 @@
+# Zeta Examples
+
+To run an example, clone the repo and run the `examples/{name}/main.ts` file with Bun:
+
+```sh
+bun examples/request-logger/main.ts
+```
diff --git a/examples/cookie-auth/main.ts b/examples/cookie-auth/main.ts
@@ -0,0 +1,239 @@
+import {
+  createApp,
+  ErrorResponse,
+  ForbiddenHttpError,
+  HttpStatus,
+  NoResponse,
+  UnauthorizedHttpError,
+} from "@aklinker1/zeta";
+import * as cookie from "cookie";
+import z from "zod";
+import type { Setter } from "../../src/types";
+
+// Models
+
+enum UserPermission {
+  ListUsers,
+}
+
+const User = z.object({
+  id: z.string(),
+  username: z.string().min(2).max(100),
+  permissions: z.array(z.enum(UserPermission)),
+});
+type User = z.infer<typeof User>;
+
+// Hard-code a list of users for the example
+
+const USERS: (User & { password: string })[] = [
+  {
+    id: "1",
+    username: "aaron",
+    permissions: [UserPermission.ListUsers],
+    password: "aarons-password",
+  },
+  {
+    id: "2",
+    username: "tom",
+    permissions: [],
+    password: "toms-password",
+  },
+];
+
+// Auth plugin
+
+/**
+ * Personally, I'm not a fan of classes in JS, but since this will be created
+ * every request, it's a better choice compared to a factory function.
+ *
+ * In JS, creating class instances is faster than calling a factory function
+ * that creates an object.
+ */
+class Auth {
+  // Store session tokens in memory for the example
+  private static sessionIdUserMap: Record<string, User> = Object.create(null);
+
+  private SESSION_COOKIE_NAME = "example_session";
+
+  private _sessionId: string | undefined | null = null;
+
+  constructor(private ctx: { request: Request; set: Setter }) {}
+
+  /**
+   * The session ID provided in the cookie. `undefined` if not provided.
+   */
+  get sessionId(): string | undefined {
+    if (this._sessionId !== null) return this._sessionId;
+
+    const cookieString = this.ctx.request.headers.get("Cookie");
+    if (!cookieString) return;
+
+    return (this._sessionId =
+      cookie.parse(cookieString)[this.SESSION_COOKIE_NAME]);
+  }
+
+  /**
+   * Returns the user if logged in via cookies.
+   */
+  getUser(): User | undefined {
+    if (!this.sessionId) return;
+    return Auth.sessionIdUserMap[this.sessionId];
+  }
+
+  /**
+   * Require the request be authenticated and return the user. Throws a
+   * {@link UnauthorizedHttpError} if the session cookie is missing or invalid.
+   */
+  requireUser(): User {
+    if (!this.sessionId) throw new UnauthorizedHttpError("Session missing");
+
+    const user = Auth.sessionIdUserMap[this.sessionId];
+    if (!user) {
+      this.clearSession();
+      throw new UnauthorizedHttpError("Invalid session");
+    }
+
+    return user;
+  }
+
+  /**
+   * Require the request be authenticated AND the authenticated user have the
+   * required permission.
+   */
+  requirePermission(permission: UserPermission): User {
+    const user = this.requireUser();
+    if (!user.permissions.includes(permission)) throw new ForbiddenHttpError();
+
+    return user;
+  }
+
+  /**
+   * Create a session, adds the cookie, and returns the session ID.
+   */
+  createSession(user: User): string {
+    const sessionId = crypto.randomUUID();
+    Auth.sessionIdUserMap[sessionId] = user;
+
+    this.ctx.set.headers["Set-Cookie"] = cookie.serialize(
+      this.SESSION_COOKIE_NAME,
+      sessionId,
+      {
+        httpOnly: true,
+        secure: true,
+        sameSite: "strict",
+        maxAge: 60 * 60 * 24 * 7, // 7 days
+      },
+    );
+
+    return sessionId;
+  }
+
+  clearSession(): void {
+    if (!this.sessionId) return;
+
+    delete Auth.sessionIdUserMap[this.sessionId];
+    this.ctx.set.headers["Set-Cookie"] = cookie.serialize(
+      this.SESSION_COOKIE_NAME,
+      "",
+      {
+        httpOnly: true,
+        secure: true,
+        sameSite: "strict",
+        maxAge: 0,
+      },
+    );
+  }
+}
+
+const authPlugin = createApp()
+  .onTransform((ctx) => ({
+    // Create an auth object for every request containing helper functions for
+    // ensuring the request is authorized.
+    auth: new Auth(ctx),
+  }))
+  .export();
+
+const app = createApp()
+  .use(authPlugin)
+  .get(
+    "/",
+    {
+      responses: User,
+    },
+    ({ auth }) => auth.requireUser(),
+  )
+  .get(
+    "/users",
+    {
+      responses: {
+        [HttpStatus.Ok]: User.array(),
+        [HttpStatus.Forbidden]: ErrorResponse,
+        [HttpStatus.Unauthorized]: ErrorResponse,
+      },
+    },
+    ({ auth, status }) => {
+      auth.requirePermission(UserPermission.ListUsers);
+      return status(HttpStatus.Ok, USERS);
+    },
+  )
+  .get(
+    "/login",
+    {
+      query: z.object({
+        username: z.string(),
+        password: z.string(),
+      }),
+      responses: {
+        [HttpStatus.Found]: NoResponse,
+        [HttpStatus.Unauthorized]: ErrorResponse,
+      },
+    },
+    ({ query, set, status, auth }) => {
+      const user = USERS.find((user) => user.username === query.username);
+
+      if (!user) throw new UnauthorizedHttpError("Username not found");
+      if (user.password !== query.password)
+        throw new UnauthorizedHttpError("Incorrect password");
+
+      auth.createSession(user);
+      set.headers["Location"] = "/";
+      return status(HttpStatus.Found, undefined);
+    },
+  )
+  .get(
+    "/logout",
+    {
+      responses: {
+        [HttpStatus.Found]: NoResponse,
+      },
+    },
+    ({ auth, set, status }) => {
+      auth.clearSession();
+      set.headers["Location"] = "/";
+      return status(HttpStatus.Found, undefined);
+    },
+  );
+
+app.listen(3000, () => {
+  console.log("Example server started!");
+  console.log("");
+  console.log("Try out using cookies for auth:");
+  console.log(
+    "1. Visit http://localhost:3000 and get a 401 since you're not logged in.",
+  );
+  console.log(
+    "2. Log in with tom and you will be redirected to the homepage to see the user details: http://localhost:3000/login?username=tom&password=toms-password",
+  );
+  console.log(
+    "3. Try to get the list of users, but see you get a 403 because tom is missing the required permission: http://localhost:3000/users",
+  );
+  console.log(
+    "4. Log out of Tom's account at http://localhost:3000/logout - You will be redirected back to the homepage with a 401",
+  );
+  console.log(
+    "5. Log in as aaron: http://localhost:3000/login?username=aaron&password=aarons-password",
+  );
+  console.log(
+    "6. Now you can access the list of users: http://localhost:3000/users",
+  );
+});
diff --git a/examples/open-telemetry/main.ts b/examples/open-telemetry/main.ts
@@ -0,0 +1,48 @@
+import { createApp } from "@aklinker1/zeta";
+import { trace } from "@opentelemetry/api";
+import { resourceFromAttributes } from "@opentelemetry/resources";
+import { NodeSDK } from "@opentelemetry/sdk-node";
+import { ConsoleSpanExporter } from "@opentelemetry/sdk-trace-node";
+import {
+  ATTR_SERVICE_NAME,
+  ATTR_SERVICE_VERSION,
+} from "@opentelemetry/semantic-conventions";
+
+// Initialize you SDK: https://opentelemetry.io/docs/languages/js/instrumentation
+const sdk = new NodeSDK({
+  resource: resourceFromAttributes({
+    [ATTR_SERVICE_NAME]: "example",
+    [ATTR_SERVICE_VERSION]: "1.0",
+  }),
+  traceExporter: new ConsoleSpanExporter(),
+});
+sdk.start();
+
+// Create a tracer for request times
+const tracer = trace.getTracer("zeta");
+
+// Use a plugin to hook into when every request starts and finishes for tracing.
+const openTelemetryPlugin = createApp()
+  .onGlobalRequest(({ method, path }) => {
+    const requestId = crypto.randomUUID();
+    const requestSpan = tracer.startSpan("request", {
+      attributes: { requestId, method, path },
+    });
+    return { requestSpan };
+  })
+  .onGlobalAfterResponse(({ requestSpan }) => {
+    requestSpan.end();
+  })
+  .export();
+
+const app = createApp()
+  .use(openTelemetryPlugin)
+  .get("/", () => "OK");
+
+app.listen(3000, () => {
+  console.log("Open telemetry example started.");
+  console.log("");
+  console.log(
+    "Open http://localhost:3000. It might take a few seconds after opening the URL to see the span in the console.",
+  );
+});
diff --git a/examples/request-logger/main.ts b/examples/request-logger/main.ts
@@ -0,0 +1,61 @@
+import { createApp } from "@aklinker1/zeta";
+
+// For an overview of when each hook is called, see:
+// https://zeta.aklinker1.io/server/hooks
+
+const requestLoggerPlugin = createApp()
+  // Log when the request is made and decorate the request context with some
+  // values used in later hooks.
+  .onGlobalRequest(({ method, path, url }) => {
+    const startTime = performance.now(); // Or Date.now()
+    const requestId = crypto.randomUUID();
+    console.log("Request START", { requestId, method, path, url: String(url) });
+
+    // Return values available in subsequent hooks
+    return {
+      startTime,
+      requestId,
+    };
+  })
+
+  // onTransform runs after the "route" is matched
+  //
+  // Route vs path:
+  // - Route: The endpoint string ("/api/users/{id}")
+  // - Path: The pathname of the URL ("/api/user/123")
+  //
+  .onTransform(({ requestId, route }) => {
+    console.log("Route matched", { requestId, route });
+  })
+
+  // If there was an error thrown, log the error.
+  .onGlobalError(({ requestId, error }) => {
+    console.log("Request ERROR", { requestId, error });
+  })
+
+  // Regardless of if there was an error, log that the request ended with it's
+  // duration and status.
+  .onGlobalAfterResponse(({ requestId, startTime, response }) => {
+    console.log("Request END", {
+      requestId,
+      duration: performance.now() - startTime,
+      status: response.status,
+    });
+  })
+
+  // Finally, export the app to make it a plugin and provide the decorated
+  // variables to other Zeta apps that might need them.
+  .export();
+
+const app = createApp()
+  .use(requestLoggerPlugin)
+  .get("/", () => "OK")
+  .get("/example", () => "OK");
+
+app.listen(3000, () => {
+  console.log("Request logger example started!");
+  console.log("");
+  console.log("Visit the URLs below to see the request logs:");
+  console.log("  - http://localhost:3000");
+  console.log("  - http://localhost:3000/example");
+});
diff --git a/package.json b/package.json
@@ -53,9 +53,15 @@
   },
   "devDependencies": {
     "@aklinker1/check": "^2.2.0",
+    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/resources": "^2.5.0",
+    "@opentelemetry/sdk-node": "^0.211.0",
+    "@opentelemetry/sdk-trace-node": "^2.5.0",
+    "@opentelemetry/semantic-conventions": "^1.39.0",
     "@types/bun": "latest",
     "@typescript/native-preview": "^7.0.0-dev.20251114.1",
     "changelogen": "^0.6.2",
+    "cookie": "^1.1.1",
     "elysia": "^1.4.19",
     "expect-type": "^1.2.1",
     "hono": "^4.11.2",
