0http-bun 1.2.2 → 1.3.0

package/lib/middleware/cors.js

@@ -28,8 +28,8 @@ function createCORS(options = {}) {
     const allowedOrigin = getAllowedOrigin(origin, requestOrigin, req)
 
     const addCorsHeaders = (response) => {
-      // Add Vary header for dynamic origins (regardless of whether origin is allowed)
-      if (typeof origin === 'function' || Array.isArray(origin)) {
+      // Add Vary header for non-wildcard origins to prevent CDN cache poisoning
+      if (origin !== '*') {
         const existingVary = response.headers.get('Vary')
         if (existingVary) {
           if (!existingVary.includes('Origin')) {
@@ -42,32 +42,51 @@ function createCORS(options = {}) {
 
       if (allowedOrigin !== false) {
         response.headers.set('Access-Control-Allow-Origin', allowedOrigin)
-      }
 
-      // Don't allow wildcard origin with credentials
-      if (credentials && allowedOrigin !== '*') {
-        response.headers.set('Access-Control-Allow-Credentials', 'true')
-      }
+        // Don't allow wildcard origin with credentials
+        if (credentials && allowedOrigin !== '*') {
+          response.headers.set('Access-Control-Allow-Credentials', 'true')
+        }
 
-      // Handle exposedHeaders (can be string or array)
-      const exposedHeadersList = Array.isArray(exposedHeaders)
-        ? exposedHeaders
-        : typeof exposedHeaders === 'string'
-          ? [exposedHeaders]
-          : []
-      if (exposedHeadersList.length > 0) {
+        // Handle exposedHeaders (can be string or array)
+        const exposedHeadersList = Array.isArray(exposedHeaders)
+          ? exposedHeaders
+          : typeof exposedHeaders === 'string'
+            ? [exposedHeaders]
+            : []
+        if (exposedHeadersList.length > 0) {
+          response.headers.set(
+            'Access-Control-Expose-Headers',
+            exposedHeadersList.join(', '),
+          )
+        }
+
+        // Add method and header info
+        response.headers.set(
+          'Access-Control-Allow-Methods',
+          (Array.isArray(methods) ? methods : [methods]).join(', '),
+        )
+
+        const resolvedAllowedHeaders =
+          typeof allowedHeaders === 'function'
+            ? allowedHeaders(req)
+            : allowedHeaders
+        const allowedHeadersList = Array.isArray(resolvedAllowedHeaders)
+          ? resolvedAllowedHeaders
+          : typeof resolvedAllowedHeaders === 'string'
+            ? [resolvedAllowedHeaders]
+            : []
         response.headers.set(
-          'Access-Control-Expose-Headers',
-          exposedHeadersList.join(', '),
+          'Access-Control-Allow-Headers',
+          allowedHeadersList.join(', '),
         )
       }
 
-      // Add method and header info for all requests (not just OPTIONS)
-      response.headers.set(
-        'Access-Control-Allow-Methods',
-        (Array.isArray(methods) ? methods : [methods]).join(', '),
-      )
+      return response
+    }
 
+    if (req.method === 'OPTIONS') {
+      // I-2: Resolve allowedHeaders once for the entire preflight handling
       const resolvedAllowedHeaders =
         typeof allowedHeaders === 'function'
           ? allowedHeaders(req)
@@ -77,15 +96,7 @@ function createCORS(options = {}) {
         : typeof resolvedAllowedHeaders === 'string'
           ? [resolvedAllowedHeaders]
           : []
-      response.headers.set(
-        'Access-Control-Allow-Headers',
-        allowedHeadersList.join(', '),
-      )
 
-      return response
-    }
-
-    if (req.method === 'OPTIONS') {
       // Handle preflight request
       const requestMethod = req.headers.get('access-control-request-method')
       const requestHeaders = req.headers.get('access-control-request-headers')
@@ -98,13 +109,6 @@ function createCORS(options = {}) {
       // Check if requested headers are allowed
       if (requestHeaders) {
         const requestedHeaders = requestHeaders.split(',').map((h) => h.trim())
-        const resolvedAllowedHeaders =
-          typeof allowedHeaders === 'function'
-            ? allowedHeaders(req)
-            : allowedHeaders
-        const allowedHeadersList = Array.isArray(resolvedAllowedHeaders)
-          ? resolvedAllowedHeaders
-          : []
 
         const hasDisallowedHeaders = requestedHeaders.some(
           (header) =>
@@ -127,31 +131,24 @@ function createCORS(options = {}) {
         if (typeof origin === 'function' || Array.isArray(origin)) {
           response.headers.set('Vary', 'Origin')
         }
-      }
 
-      // Don't allow wildcard origin with credentials
-      if (credentials && allowedOrigin !== '*') {
-        response.headers.set('Access-Control-Allow-Credentials', 'true')
-      }
+        // Don't allow wildcard origin with credentials
+        if (credentials && allowedOrigin !== '*') {
+          response.headers.set('Access-Control-Allow-Credentials', 'true')
+        }
 
-      response.headers.set(
-        'Access-Control-Allow-Methods',
-        (Array.isArray(methods) ? methods : [methods]).join(', '),
-      )
+        response.headers.set(
+          'Access-Control-Allow-Methods',
+          (Array.isArray(methods) ? methods : [methods]).join(', '),
+        )
 
-      const resolvedAllowedHeaders =
-        typeof allowedHeaders === 'function'
-          ? allowedHeaders(req)
-          : allowedHeaders
-      const allowedHeadersList = Array.isArray(resolvedAllowedHeaders)
-        ? resolvedAllowedHeaders
-        : []
-      response.headers.set(
-        'Access-Control-Allow-Headers',
-        allowedHeadersList.join(', '),
-      )
+        response.headers.set(
+          'Access-Control-Allow-Headers',
+          allowedHeadersList.join(', '),
+        )
 
-      response.headers.set('Access-Control-Max-Age', maxAge.toString())
+        response.headers.set('Access-Control-Max-Age', maxAge.toString())
+      }
 
       if (preflightContinue) {
         const result = next()
@@ -193,10 +190,13 @@ function getAllowedOrigin(origin, requestOrigin, req) {
   }
 
   if (Array.isArray(origin)) {
+    if (!requestOrigin || requestOrigin === 'null') return false
     return origin.includes(requestOrigin) ? requestOrigin : false
   }
 
   if (typeof origin === 'function') {
+    // Reject null/missing origins to prevent bypass via sandboxed iframes
+    if (!requestOrigin || requestOrigin === 'null') return false
     const result = origin(requestOrigin)
     return result === true ? requestOrigin : result || false
   }

package/lib/middleware/index.d.ts

@@ -65,6 +65,8 @@ export interface JWTAuthOptions {
   audience?: string | string[]
   issuer?: string
   algorithms?: string[]
+  // Token type validation
+  requiredTokenType?: string
   // Custom response and error handling
   unauthorizedResponse?:
     | Response
@@ -95,29 +97,14 @@ export interface TokenExtractionOptions {
 export function createJWTAuth(options?: JWTAuthOptions): RequestHandler
 export function createAPIKeyAuth(options: APIKeyAuthOptions): RequestHandler
 export function extractTokenFromHeader(req: ZeroRequest): string | null
-export function extractToken(
-  req: ZeroRequest,
-  options?: TokenExtractionOptions,
-): string | null
-export function validateApiKeyInternal(
-  apiKey: string,
-  apiKeys: JWTAuthOptions['apiKeys'],
-  apiKeyValidator: JWTAuthOptions['apiKeyValidator'],
-  req: ZeroRequest,
-): Promise<boolean | any>
-export function handleAuthError(
-  error: Error,
-  handlers: {
-    unauthorizedResponse?: JWTAuthOptions['unauthorizedResponse']
-    onError?: JWTAuthOptions['onError']
-  },
-  req: ZeroRequest,
-): Response
+export const API_KEY_SYMBOL: symbol
+export function maskApiKey(key: string): string
 
 // Rate limiting middleware types
 export interface RateLimitOptions {
   windowMs?: number
   max?: number
+  message?: string
   keyGenerator?: (req: ZeroRequest) => Promise<string> | string
   handler?: (
     req: ZeroRequest,
@@ -126,7 +113,7 @@ export interface RateLimitOptions {
     resetTime: Date,
   ) => Promise<Response> | Response
   store?: RateLimitStore
-  standardHeaders?: boolean
+  standardHeaders?: boolean | 'minimal'
   excludePaths?: string[]
   skip?: (req: ZeroRequest) => boolean
 }
@@ -169,7 +156,7 @@ export interface CORSOptions {
     | boolean
     | ((origin: string, req: ZeroRequest) => boolean | string)
   methods?: string[]
-  allowedHeaders?: string[]
+  allowedHeaders?: string[] | ((req: ZeroRequest) => string[])
   exposedHeaders?: string[]
   credentials?: boolean
   maxAge?: number
@@ -187,25 +174,30 @@ export function getAllowedOrigin(
 
 // Body parser middleware types
 export interface JSONParserOptions {
-  limit?: number
+  limit?: number | string
   reviver?: (key: string, value: any) => any
   strict?: boolean
   type?: string
+  deferNext?: boolean
 }
 
 export interface TextParserOptions {
-  limit?: number
+  limit?: number | string
   type?: string
   defaultCharset?: string
+  deferNext?: boolean
 }
 
 export interface URLEncodedParserOptions {
-  limit?: number
+  limit?: number | string
   extended?: boolean
+  parseNestedObjects?: boolean
+  deferNext?: boolean
 }
 
 export interface MultipartParserOptions {
-  limit?: number
+  limit?: number | string
+  deferNext?: boolean
 }
 
 export interface BodyParserOptions {
@@ -213,6 +205,15 @@ export interface BodyParserOptions {
   text?: TextParserOptions
   urlencoded?: URLEncodedParserOptions
   multipart?: MultipartParserOptions
+  jsonTypes?: string[]
+  jsonParser?: (text: string) => any
+  onError?: (error: Error, req: ZeroRequest, next: () => any) => any
+  verify?: (req: ZeroRequest, rawBody: string) => void
+  parseNestedObjects?: boolean
+  jsonLimit?: number | string
+  textLimit?: number | string
+  urlencodedLimit?: number | string
+  multipartLimit?: number | string
 }
 
 export interface ParsedFile {
@@ -233,6 +234,8 @@ export function createMultipartParser(
 export function createBodyParser(options?: BodyParserOptions): RequestHandler
 export function hasBody(req: ZeroRequest): boolean
 export function shouldParse(req: ZeroRequest, type: string): boolean
+export function parseLimit(limit: number | string): number
+export const RAW_BODY_SYMBOL: symbol
 
 // Prometheus metrics middleware types
 export interface PrometheusMetrics {

package/lib/middleware/index.js

@@ -23,6 +23,8 @@ module.exports = {
   createJWTAuth: jwtAuthModule.createJWTAuth,
   createAPIKeyAuth: jwtAuthModule.createAPIKeyAuth,
   extractTokenFromHeader: jwtAuthModule.extractTokenFromHeader,
+  API_KEY_SYMBOL: jwtAuthModule.API_KEY_SYMBOL,
+  maskApiKey: jwtAuthModule.maskApiKey,
 
   // Rate limiting middleware
   createRateLimit: rateLimitModule.createRateLimit,
@@ -44,6 +46,8 @@ module.exports = {
   createBodyParser: bodyParserModule.createBodyParser,
   hasBody: bodyParserModule.hasBody,
   shouldParse: bodyParserModule.shouldParse,
+  parseLimit: bodyParserModule.parseLimit,
+  RAW_BODY_SYMBOL: bodyParserModule.RAW_BODY_SYMBOL,
 
   // Prometheus metrics middleware
   createPrometheusMiddleware: prometheusModule.createPrometheusMiddleware,

package/lib/middleware/jwt-auth.js

@@ -13,6 +13,40 @@ function loadJose() {
   return joseLib
 }
 
+const crypto = require('crypto')
+
+/**
+ * Symbol key for storing raw API key to prevent accidental serialization (M-7 fix)
+ */
+const API_KEY_SYMBOL = Symbol.for('0http.apiKey')
+
+/**
+ * Masks an API key for safe storage/logging.
+ * Shows first 4 and last 4 characters, masks the rest.
+ * @param {string} key - Raw API key
+ * @returns {string} Masked key
+ */
+function maskApiKey(key) {
+  if (!key || typeof key !== 'string') return '****'
+  if (key.length <= 8) return '****'
+  return key.slice(0, 4) + '****' + key.slice(-4)
+}
+
+/**
+ * Constant-time string comparison to prevent timing attacks
+ */
+function timingSafeCompare(a, b) {
+  if (typeof a !== 'string' || typeof b !== 'string') return false
+  const aBuf = Buffer.from(a)
+  const bBuf = Buffer.from(b)
+  if (aBuf.length !== bBuf.length) {
+    // Still perform comparison to maintain constant time
+    crypto.timingSafeEqual(aBuf, aBuf)
+    return false
+  }
+  return crypto.timingSafeEqual(aBuf, bBuf)
+}
+
 /**
  * Creates JWT authentication middleware
  * @param {Object} options - JWT configuration options
@@ -53,6 +87,7 @@ function createJWTAuth(options = {}) {
     audience,
     issuer,
     algorithms,
+    requiredTokenType,
   } = options
 
   // API key mode doesn't require JWT secret
@@ -61,6 +96,35 @@ function createJWTAuth(options = {}) {
     throw new Error('JWT middleware requires either secret or jwksUri')
   }
 
+  // H-8: Warn about security risk of JWT tokens in query parameters
+  if (tokenQuery) {
+    console.warn(
+      `[0http-bun] SECURITY WARNING: JWT tokenQuery ("${tokenQuery}") is deprecated. ` +
+        'Tokens in query parameters are logged in server access logs, browser history, and Referer headers. ' +
+        'Use Authorization header or a custom getToken function instead.',
+    )
+  }
+
+  // M-8: Validate JWKS URI uses HTTPS in production
+  if (jwksUri) {
+    const parsedUri = new URL(jwksUri)
+    if (
+      parsedUri.protocol !== 'https:' &&
+      process.env.NODE_ENV === 'production'
+    ) {
+      throw new Error(
+        'JWT middleware: JWKS URI must use HTTPS in production to prevent MitM key substitution. ' +
+          `Got: ${parsedUri.protocol}// Set NODE_ENV to a non-production value to bypass this check.`,
+      )
+    }
+    if (parsedUri.protocol !== 'https:') {
+      console.warn(
+        `[0http-bun] SECURITY WARNING: JWKS URI "${jwksUri}" uses ${parsedUri.protocol} instead of https:. ` +
+          'This is insecure and will be rejected in production (NODE_ENV=production).',
+      )
+    }
+  }
+
   // Setup key resolver for JWT
   let keyLike
   if (jwks) {
@@ -82,18 +146,36 @@ function createJWTAuth(options = {}) {
   }
 
   // Default JWT verification options
+  const resolvedAlgorithms = algorithms || jwtOptions.algorithms || ['HS256']
+
+  // Prevent algorithm confusion attacks
+  const hasSymmetric = resolvedAlgorithms.some((alg) => alg.startsWith('HS'))
+  const hasAsymmetric = resolvedAlgorithms.some(
+    (alg) =>
+      alg.startsWith('RS') || alg.startsWith('ES') || alg.startsWith('PS'),
+  )
+  if (hasSymmetric && hasAsymmetric) {
+    throw new Error(
+      'JWT middleware: mixing symmetric (HS*) and asymmetric (RS*/ES*/PS*) algorithms is not allowed. This prevents algorithm confusion attacks.',
+    )
+  }
+
   const defaultJwtOptions = {
-    algorithms: algorithms || ['HS256', 'RS256'],
+    ...jwtOptions,
+    algorithms: resolvedAlgorithms,
     audience,
     issuer,
-    ...jwtOptions,
   }
 
   return async function jwtAuthMiddleware(req, next) {
     const url = new URL(req.url)
 
     // Skip authentication for excluded paths
-    if (excludePaths.some((path) => url.pathname.startsWith(path))) {
+    if (
+      excludePaths.some(
+        (path) => url.pathname === path || url.pathname.startsWith(path + '/'),
+      )
+    ) {
       return next()
     }
 
@@ -109,18 +191,19 @@ function createJWTAuth(options = {}) {
             req,
           )
           if (validationResult !== false) {
-            // Set API key context
+            // Set API key context — store masked version to prevent leakage (M-7 fix)
             req.ctx = req.ctx || {}
-            req.ctx.apiKey = apiKey
+            req.ctx.apiKey = maskApiKey(apiKey)
+            req[API_KEY_SYMBOL] = apiKey // Raw key via Symbol for programmatic access only
 
             // If validation result is an object, use it as user data, otherwise default
             const userData =
               validationResult && typeof validationResult === 'object'
                 ? validationResult
-                : {apiKey}
+                : {apiKey: maskApiKey(apiKey)}
 
             req.ctx.user = userData
-            req.apiKey = apiKey
+            req.apiKey = maskApiKey(apiKey)
             req.user = userData
             return next()
           } else {
@@ -164,24 +247,40 @@ function createJWTAuth(options = {}) {
         defaultJwtOptions,
       )
 
+      // L-4: Validate JWT token type header if configured
+      if (requiredTokenType) {
+        const tokenType = protectedHeader.typ
+        if (
+          !tokenType ||
+          tokenType.toLowerCase() !== requiredTokenType.toLowerCase()
+        ) {
+          return handleAuthError(
+            new Error('Invalid token type'),
+            {unauthorizedResponse, onError},
+            req,
+          )
+        }
+      }
+
       // Add user info to request context
       req.ctx = req.ctx || {}
       req.ctx.user = payload
       req.ctx.jwt = {
         payload,
         header: protectedHeader,
-        token,
       }
       req.user = payload // Mirror to root for compatibility
       req.jwt = {
         payload,
         header: protectedHeader,
-        token,
       }
 
       return next()
     } catch (error) {
       if (optional && (!hasApiKeyMode || !req.headers.get(apiKeyHeader))) {
+        req.ctx = req.ctx || {}
+        req.ctx.authError = error.message
+        req.ctx.authAttempted = true
         return next()
       }
 
@@ -200,12 +299,6 @@ function createJWTAuth(options = {}) {
  */
 async function validateApiKeyInternal(apiKey, apiKeys, apiKeyValidator, req) {
   if (apiKeyValidator) {
-    // Check if this is the simplified validateApiKey function (expects only key)
-    if (apiKeyValidator.length === 1) {
-      const result = await apiKeyValidator(apiKey)
-      return result || false
-    }
-    // Otherwise call with both key and req
     const result = await apiKeyValidator(apiKey, req)
     return result || false
   }
@@ -216,10 +309,10 @@ async function validateApiKeyInternal(apiKey, apiKeys, apiKeyValidator, req) {
   }
 
   if (Array.isArray(apiKeys)) {
-    return apiKeys.includes(apiKey)
+    return apiKeys.some((key) => timingSafeCompare(key, apiKey))
   }
 
-  return apiKeys === apiKey
+  return timingSafeCompare(apiKeys, apiKey)
 }
 
 /**
@@ -271,7 +364,8 @@ function handleAuthError(error, handlers = {}, req) {
         return result
       }
     } catch (handlerError) {
-      // Fall back to default handling if custom handler fails
+      // I-4: Log errors from custom handlers to aid debugging
+      console.error('[0http-bun] Custom onError handler threw:', handlerError)
     }
   }
 
@@ -303,7 +397,11 @@ function handleAuthError(error, handlers = {}, req) {
         }
       }
     } catch (responseError) {
-      // Fall back to default response if custom response fails
+      // I-4: Log errors from custom response handlers to aid debugging
+      console.error(
+        '[0http-bun] Custom unauthorizedResponse handler threw:',
+        responseError,
+      )
     }
   }
 
@@ -317,19 +415,10 @@ function handleAuthError(error, handlers = {}, req) {
     message = 'Invalid API key'
   } else if (error.message === 'JWT verification not configured') {
     message = 'JWT verification not configured'
+  } else if (error.message === 'Invalid token type') {
+    message = 'Invalid token type'
   } else {
-    const {errors} = loadJose()
-    if (error instanceof errors.JWTExpired) {
-      message = 'Token expired'
-    } else if (error instanceof errors.JWTInvalid) {
-      message = 'Invalid token format'
-    } else if (error instanceof errors.JWKSNoMatchingKey) {
-      message = 'Token signature verification failed'
-    } else if (error.message.includes('audience')) {
-      message = 'Invalid token audience'
-    } else if (error.message.includes('issuer')) {
-      message = 'Invalid token issuer'
-    }
+    message = 'Invalid or expired token'
   }
 
   return new Response(JSON.stringify({error: message}), {
@@ -376,7 +465,10 @@ function createAPIKeyAuth(options = {}) {
   const validateKey =
     typeof keys === 'function'
       ? keys
-      : (key) => (Array.isArray(keys) ? keys.includes(key) : keys === key)
+      : (key) =>
+          Array.isArray(keys)
+            ? keys.some((k) => timingSafeCompare(k, key))
+            : timingSafeCompare(keys, key)
 
   return async function apiKeyAuthMiddleware(req, next) {
     try {
@@ -400,9 +492,10 @@ function createAPIKeyAuth(options = {}) {
         })
       }
 
-      // Add API key info to context
+      // Add API key info to context — store masked version (M-7 fix)
       req.ctx = req.ctx || {}
-      req.ctx.apiKey = apiKey
+      req.ctx.apiKey = maskApiKey(apiKey)
+      req[API_KEY_SYMBOL] = apiKey // Raw key via Symbol for programmatic access only
 
       return next()
     } catch (error) {
@@ -418,7 +511,6 @@ module.exports = {
   createJWTAuth,
   createAPIKeyAuth,
   extractTokenFromHeader,
-  extractToken,
-  validateApiKeyInternal,
-  handleAuthError,
+  API_KEY_SYMBOL,
+  maskApiKey,
 }