@abejarano/ts-express-server 1.7.5 → 1.7.6

package/dist/abstract/ServerTypes.d.ts

@@ -25,6 +25,7 @@ export interface ServerResponse {
     send(body: unknown): void | Promise<void>;
     set(name: string, value: string): this;
     header(name: string, value: string): this;
+    setHeader?(name: string, value: string): this;
     cookie?(name: string, value: string, options?: {
         maxAge?: number;
         domain?: string;

package/dist/adapters/BunAdapter.js

@@ -1,11 +1,16 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.BunAdapter = void 0;
 exports.getFiles = getFiles;
 exports.getFile = getFile;
+const fs_1 = require("fs");
+const path_1 = __importDefault(require("path"));
 const ServerTypes_1 = require("../abstract/ServerTypes");
 class BunResponse {
-    constructor(cookieJar, handlerTimeoutMs, cookieDefaults) {
+    constructor(cookieJar, handlerTimeoutMs, cookieDefaults, downloadRoot) {
         this.statusCode = 200;
         this.statusExplicitlySet = false;
         this.headers = new Headers();
@@ -15,6 +20,7 @@ class BunResponse {
         this.cookieJar = cookieJar;
         this.handlerTimeoutMs = handlerTimeoutMs;
         this.cookieDefaults = cookieDefaults;
+        this.downloadRoot = downloadRoot ?? DEFAULT_DOWNLOAD_ROOT;
         this.endPromise = new Promise((resolve) => {
             this.resolveEnd = resolve;
         });
@@ -44,6 +50,9 @@ class BunResponse {
     header(name, value) {
         return this.set(name, value);
     }
+    setHeader(name, value) {
+        return this.set(name, value);
+    }
     cookie(name, value, options = {}) {
         if (this.ended) {
             return this;
@@ -110,6 +119,39 @@ class BunResponse {
         this.ended = true;
         this.resolveEnd?.();
     }
+    download(filePath, filename, callback) {
+        if (this.ended) {
+            return this;
+        }
+        try {
+            const safePath = resolveSafeDownloadPath(this.downloadRoot, filePath);
+            const stat = (0, fs_1.statSync)(safePath);
+            if (!stat.isFile()) {
+                const error = new Error("File not found");
+                callback?.(error);
+                if (!this.ended) {
+                    this.status(404).json({ message: "File not found" });
+                }
+                return this;
+            }
+            const resolvedName = filename && filename.trim().length > 0
+                ? filename
+                : path_1.default.basename(safePath);
+            this.headers.set("content-disposition", `attachment; filename="${sanitizeFilename(resolvedName)}"`);
+            this.rawResponse = new Response(Bun.file(safePath));
+            this.ended = true;
+            this.resolveEnd?.();
+            callback?.();
+            return this;
+        }
+        catch (error) {
+            callback?.(error);
+            if (!this.ended) {
+                this.status(500).json({ message: "File download failed" });
+            }
+            return this;
+        }
+    }
     isEnded() {
         return this.ended;
     }
@@ -324,7 +366,7 @@ class BunApp extends BunRouter {
                 : typeof handlerTimeoutSetting === "number"
                     ? handlerTimeoutSetting
                     : undefined;
-            const trustProxy = resolveTrustProxySetting(this.get("trustProxy"));
+            const trustProxy = resolveTrustProxySetting(this);
             const maxConcurrentRequests = Number(this.get("maxConcurrentRequests") ?? 0);
             if (maxConcurrentRequests > 0 && this.activeRequests >= maxConcurrentRequests) {
                 return new Response(JSON.stringify({ message: "Server busy" }), {
@@ -334,7 +376,7 @@ class BunApp extends BunRouter {
             }
             this.activeRequests += 1;
             const req = createRequest(request, client?.address, trustProxy);
-            const res = new BunResponse(cookieJar, handlerTimeoutMs, resolveCookieDefaults(this.get("cookieDefaults")));
+            const res = new BunResponse(cookieJar, handlerTimeoutMs, resolveCookieDefaults(this.get("cookieDefaults")), resolveDownloadRoot(this.get("downloadRoot")));
             try {
                 await this.handle(req, res, () => undefined);
             }
@@ -487,6 +529,8 @@ const createMultipartBodyParser = (app) => {
             const fields = {};
             const files = {};
             let fileCount = 0;
+            let fieldCount = 0;
+            let fieldBytes = 0;
             for (const [key, value] of formData.entries()) {
                 if (isFile(value)) {
                     if (value.size > options.maxFileBytes) {
@@ -530,6 +574,17 @@ const createMultipartBodyParser = (app) => {
                 }
                 const existing = fields[key];
                 const textValue = String(value);
+                fieldCount += 1;
+                if (fieldCount > options.maxFields) {
+                    res.status(413).json({ message: "Payload too large" });
+                    return;
+                }
+                const textBytes = Buffer.byteLength(textValue, "utf8");
+                fieldBytes += textBytes;
+                if (textBytes > options.maxFieldBytes || fieldBytes > options.maxFieldsBytes) {
+                    res.status(413).json({ message: "Payload too large" });
+                    return;
+                }
                 if (existing === undefined) {
                     fields[key] = textValue;
                 }
@@ -598,6 +653,9 @@ const DEFAULT_MULTIPART_OPTIONS = {
     maxBodyBytes: 10 * 1024 * 1024,
     maxFileBytes: 10 * 1024 * 1024,
     maxFiles: 10,
+    maxFields: 200,
+    maxFieldBytes: 64 * 1024,
+    maxFieldsBytes: 512 * 1024,
 };
 function serializeCookie(name, value, options) {
     const parts = [`${name}=${encodeURIComponent(value)}`];
@@ -670,6 +728,9 @@ function normalizeMultipartOptions(input) {
         maxBodyBytes: value.maxBodyBytes ?? DEFAULT_MULTIPART_OPTIONS.maxBodyBytes,
         maxFileBytes: value.maxFileBytes ?? DEFAULT_MULTIPART_OPTIONS.maxFileBytes,
         maxFiles: value.maxFiles ?? DEFAULT_MULTIPART_OPTIONS.maxFiles,
+        maxFields: value.maxFields ?? DEFAULT_MULTIPART_OPTIONS.maxFields,
+        maxFieldBytes: value.maxFieldBytes ?? DEFAULT_MULTIPART_OPTIONS.maxFieldBytes,
+        maxFieldsBytes: value.maxFieldsBytes ?? DEFAULT_MULTIPART_OPTIONS.maxFieldsBytes,
         allowedMimeTypes: value.allowedMimeTypes,
         allowedFileSignatures: value.allowedFileSignatures,
         validateFile: value.validateFile,
@@ -734,6 +795,7 @@ function parseContentLength(header) {
     return Number.isNaN(parsed) ? undefined : parsed;
 }
 const DEFAULT_HANDLER_TIMEOUT_MS = 30000;
+const DEFAULT_DOWNLOAD_ROOT = process.cwd();
 function readSetCookieHeaders(headers) {
     const bunHeaders = headers;
     const setCookieFromApi = bunHeaders.getSetCookie?.() ??
@@ -909,18 +971,31 @@ function applyCookieDefaults(options, defaults) {
     return { ...defaults.options, ...options };
 }
 function resolveCookieDefaults(input) {
+    const baseDefaults = getDefaultCookieDefaults();
     if (!input || typeof input !== "object") {
-        return undefined;
+        return baseDefaults;
     }
     const defaults = input;
     if (!defaults.options || typeof defaults.options !== "object") {
-        return undefined;
+        return baseDefaults;
     }
-    return defaults;
+    return {
+        applyTo: defaults.applyTo ?? baseDefaults.applyTo,
+        options: { ...baseDefaults.options, ...defaults.options },
+    };
 }
-function resolveTrustProxySetting(input) {
-    if (input === true || input === false) {
-        return input;
+function resolveTrustProxySetting(app) {
+    const input = app.get("trustProxy");
+    const allowInsecure = app.get("allowInsecureTrustProxy") === true ||
+        process?.env?.ALLOW_INSECURE_TRUST_PROXY === "true";
+    if (input === true) {
+        if (!allowInsecure) {
+            throw new Error("Invalid trustProxy=true. Use CIDR allowlist or set allowInsecureTrustProxy=true explicitly.");
+        }
+        return true;
+    }
+    if (input === false) {
+        return false;
     }
     if (Array.isArray(input) && input.every((entry) => typeof entry === "string")) {
         return input;
@@ -937,6 +1012,19 @@ function shouldEnableSecurityHeaders(setting) {
     if (typeof setting === "boolean") {
         return setting;
     }
+    return isProduction();
+}
+function getDefaultCookieDefaults() {
+    return {
+        applyTo: "session",
+        options: {
+            httpOnly: true,
+            sameSite: "lax",
+            secure: isProduction(),
+        },
+    };
+}
+function isProduction() {
     return process?.env?.NODE_ENV === "production";
 }
 function createSecurityHeadersMiddleware(_app) {
@@ -1019,6 +1107,26 @@ function matchesSignature(buffer, kind) {
 function isValidCookieName(name) {
     return /^[!#$%&'*+\-.^_|~0-9A-Za-z]+$/.test(name);
 }
+function sanitizeFilename(value) {
+    return value.replace(/[/\\"]/g, "_");
+}
+function resolveDownloadRoot(input) {
+    if (typeof input === "string" && input.trim().length > 0) {
+        return path_1.default.resolve(input);
+    }
+    return DEFAULT_DOWNLOAD_ROOT;
+}
+function resolveSafeDownloadPath(root, inputPath) {
+    const resolvedRoot = path_1.default.resolve(root);
+    const resolved = path_1.default.resolve(resolvedRoot, inputPath);
+    const rootPrefix = resolvedRoot === path_1.default.parse(resolvedRoot).root
+        ? resolvedRoot
+        : `${resolvedRoot}${path_1.default.sep}`;
+    if (!resolved.startsWith(rootPrefix)) {
+        throw new Error("Invalid path");
+    }
+    return resolved;
+}
 async function runHandlers(handlers, req, res) {
     let index = 0;
     const dispatch = async () => {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@abejarano/ts-express-server",
   "author": "angel bejarano / angel.bejarano@jaspesoft.com",
-  "version": "1.7.5",
+  "version": "1.7.6",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "files": [