@actuate-media/cms-core 0.10.4 → 0.11.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/__tests__/actions/document-crud.test.js +5 -1
- package/dist/__tests__/actions/document-crud.test.js.map +1 -1
- package/dist/__tests__/api/admin-contracts.test.js +1 -0
- package/dist/__tests__/api/admin-contracts.test.js.map +1 -1
- package/dist/__tests__/api/public-globals.test.js +8 -4
- package/dist/__tests__/api/public-globals.test.js.map +1 -1
- package/dist/__tests__/auth/password.test.js.map +1 -1
- package/dist/__tests__/auth/session.test.js.map +1 -1
- package/dist/__tests__/codegen/generate-types.test.js.map +1 -1
- package/dist/__tests__/next.test.js +1 -3
- package/dist/__tests__/next.test.js.map +1 -1
- package/dist/__tests__/scheduling/scheduling.test.js +28 -4
- package/dist/__tests__/scheduling/scheduling.test.js.map +1 -1
- package/dist/__tests__/security/access.test.js +1 -1
- package/dist/__tests__/security/access.test.js.map +1 -1
- package/dist/__tests__/security/audit.test.d.ts +2 -0
- package/dist/__tests__/security/audit.test.d.ts.map +1 -0
- package/dist/__tests__/security/audit.test.js +50 -0
- package/dist/__tests__/security/audit.test.js.map +1 -0
- package/dist/__tests__/security/client-ip.test.d.ts +2 -0
- package/dist/__tests__/security/client-ip.test.d.ts.map +1 -0
- package/dist/__tests__/security/client-ip.test.js +37 -0
- package/dist/__tests__/security/client-ip.test.js.map +1 -0
- package/dist/__tests__/security/csrf.test.js.map +1 -1
- package/dist/__tests__/security/ip-allowlist.test.d.ts +2 -0
- package/dist/__tests__/security/ip-allowlist.test.d.ts.map +1 -0
- package/dist/__tests__/security/ip-allowlist.test.js +40 -0
- package/dist/__tests__/security/ip-allowlist.test.js.map +1 -0
- package/dist/__tests__/security/rate-limit.test.js.map +1 -1
- package/dist/__tests__/security/reauth.test.js.map +1 -1
- package/dist/__tests__/security/redact.test.d.ts +2 -0
- package/dist/__tests__/security/redact.test.d.ts.map +1 -0
- package/dist/__tests__/security/redact.test.js +31 -0
- package/dist/__tests__/security/redact.test.js.map +1 -0
- package/dist/__tests__/security/sanitize.test.js.map +1 -1
- package/dist/__tests__/security/secret-storage.test.d.ts +2 -0
- package/dist/__tests__/security/secret-storage.test.d.ts.map +1 -0
- package/dist/__tests__/security/secret-storage.test.js +42 -0
- package/dist/__tests__/security/secret-storage.test.js.map +1 -0
- package/dist/__tests__/security/upload-magic.test.d.ts +2 -0
- package/dist/__tests__/security/upload-magic.test.d.ts.map +1 -0
- package/dist/__tests__/security/upload-magic.test.js +55 -0
- package/dist/__tests__/security/upload-magic.test.js.map +1 -0
- package/dist/__tests__/server-site.test.d.ts +2 -0
- package/dist/__tests__/server-site.test.d.ts.map +1 -0
- package/dist/__tests__/server-site.test.js +123 -0
- package/dist/__tests__/server-site.test.js.map +1 -0
- package/dist/__tests__/site.test.js +5 -2
- package/dist/__tests__/site.test.js.map +1 -1
- package/dist/__tests__/webhooks/webhooks.test.js.map +1 -1
- package/dist/a11y/index.d.ts +1 -1
- package/dist/a11y/index.d.ts.map +1 -1
- package/dist/a11y/index.js +23 -20
- package/dist/a11y/index.js.map +1 -1
- package/dist/actions.d.ts +1 -1
- package/dist/actions.d.ts.map +1 -1
- package/dist/actions.js +211 -68
- package/dist/actions.js.map +1 -1
- package/dist/api/handler-factory.d.ts.map +1 -1
- package/dist/api/handler-factory.js +76 -14
- package/dist/api/handler-factory.js.map +1 -1
- package/dist/api/handlers.d.ts.map +1 -1
- package/dist/api/handlers.js +952 -220
- package/dist/api/handlers.js.map +1 -1
- package/dist/api/index.d.ts.map +1 -1
- package/dist/api/index.js.map +1 -1
- package/dist/api/openapi.d.ts.map +1 -1
- package/dist/api/openapi.js +182 -23
- package/dist/api/openapi.js.map +1 -1
- package/dist/api/router.d.ts +6 -6
- package/dist/api/router.d.ts.map +1 -1
- package/dist/api/router.js +27 -10
- package/dist/api/router.js.map +1 -1
- package/dist/auth/index.d.ts +12 -12
- package/dist/auth/index.d.ts.map +1 -1
- package/dist/auth/index.js +9 -9
- package/dist/auth/index.js.map +1 -1
- package/dist/auth/mfa-pending.d.ts +24 -0
- package/dist/auth/mfa-pending.d.ts.map +1 -0
- package/dist/auth/mfa-pending.js +38 -0
- package/dist/auth/mfa-pending.js.map +1 -0
- package/dist/auth/oauth.d.ts +25 -3
- package/dist/auth/oauth.d.ts.map +1 -1
- package/dist/auth/oauth.js +118 -21
- package/dist/auth/oauth.js.map +1 -1
- package/dist/auth/password.d.ts +1 -1
- package/dist/auth/password.d.ts.map +1 -1
- package/dist/auth/password.js +14 -14
- package/dist/auth/password.js.map +1 -1
- package/dist/auth/providers/github.d.ts +1 -1
- package/dist/auth/providers/github.d.ts.map +1 -1
- package/dist/auth/providers/github.js +2 -2
- package/dist/auth/providers/github.js.map +1 -1
- package/dist/auth/providers/google.d.ts +1 -1
- package/dist/auth/providers/google.d.ts.map +1 -1
- package/dist/auth/providers/google.js +2 -2
- package/dist/auth/providers/google.js.map +1 -1
- package/dist/auth/providers/microsoft.d.ts +1 -1
- package/dist/auth/providers/microsoft.d.ts.map +1 -1
- package/dist/auth/providers/microsoft.js +2 -2
- package/dist/auth/providers/microsoft.js.map +1 -1
- package/dist/auth/reset-email.d.ts.map +1 -1
- package/dist/auth/reset-email.js +1 -1
- package/dist/auth/reset-email.js.map +1 -1
- package/dist/auth/reset.d.ts.map +1 -1
- package/dist/auth/reset.js +34 -10
- package/dist/auth/reset.js.map +1 -1
- package/dist/auth/session.d.ts +9 -2
- package/dist/auth/session.d.ts.map +1 -1
- package/dist/auth/session.js +26 -8
- package/dist/auth/session.js.map +1 -1
- package/dist/auth/totp.d.ts.map +1 -1
- package/dist/auth/totp.js +8 -2
- package/dist/auth/totp.js.map +1 -1
- package/dist/backup/index.d.ts +2 -2
- package/dist/backup/index.d.ts.map +1 -1
- package/dist/backup/index.js +5 -5
- package/dist/backup/index.js.map +1 -1
- package/dist/cache/index.d.ts +1 -1
- package/dist/cache/index.d.ts.map +1 -1
- package/dist/cache/index.js +1 -1
- package/dist/cache/index.js.map +1 -1
- package/dist/client.d.ts +1 -1
- package/dist/client.d.ts.map +1 -1
- package/dist/client.js +8 -8
- package/dist/client.js.map +1 -1
- package/dist/codegen/index.d.ts +1 -1
- package/dist/codegen/index.d.ts.map +1 -1
- package/dist/codegen/index.js +170 -174
- package/dist/codegen/index.js.map +1 -1
- package/dist/collections/index.d.ts +1 -1
- package/dist/collections/index.d.ts.map +1 -1
- package/dist/collections/index.js.map +1 -1
- package/dist/config/define.d.ts +2 -2
- package/dist/config/define.d.ts.map +1 -1
- package/dist/config/define.js +1 -1
- package/dist/config/define.js.map +1 -1
- package/dist/config/index.d.ts +3 -3
- package/dist/config/index.d.ts.map +1 -1
- package/dist/config/index.js +32 -18
- package/dist/config/index.js.map +1 -1
- package/dist/config/types.d.ts +26 -26
- package/dist/config/types.d.ts.map +1 -1
- package/dist/content/ai-api.d.ts.map +1 -1
- package/dist/content/ai-api.js +8 -2
- package/dist/content/ai-api.js.map +1 -1
- package/dist/content/content-graph.d.ts +1 -1
- package/dist/content/content-graph.d.ts.map +1 -1
- package/dist/content/content-graph.js +7 -7
- package/dist/content/content-graph.js.map +1 -1
- package/dist/content/extract.js +13 -13
- package/dist/content/extract.js.map +1 -1
- package/dist/content/index.d.ts +7 -7
- package/dist/content/index.d.ts.map +1 -1
- package/dist/content/index.js +4 -4
- package/dist/content/index.js.map +1 -1
- package/dist/content/structured-data.d.ts +3 -3
- package/dist/content/structured-data.d.ts.map +1 -1
- package/dist/content/structured-data.js +65 -67
- package/dist/content/structured-data.js.map +1 -1
- package/dist/db/adapters/mysql.d.ts.map +1 -1
- package/dist/db/adapters/mysql.js.map +1 -1
- package/dist/db/adapters/postgres.d.ts.map +1 -1
- package/dist/db/adapters/postgres.js.map +1 -1
- package/dist/db/adapters/sqlite.d.ts.map +1 -1
- package/dist/db/adapters/sqlite.js.map +1 -1
- package/dist/db/create-adapter.d.ts.map +1 -1
- package/dist/db/create-adapter.js.map +1 -1
- package/dist/db/index.d.ts +1 -1
- package/dist/db/index.d.ts.map +1 -1
- package/dist/db/index.js +1 -1
- package/dist/db/index.js.map +1 -1
- package/dist/db.d.ts +1 -1
- package/dist/db.d.ts.map +1 -1
- package/dist/db.js +1 -1
- package/dist/db.js.map +1 -1
- package/dist/fields/index.d.ts +2 -2
- package/dist/fields/index.d.ts.map +1 -1
- package/dist/fields/index.js +51 -47
- package/dist/fields/index.js.map +1 -1
- package/dist/forms/analytics.d.ts.map +1 -1
- package/dist/forms/analytics.js.map +1 -1
- package/dist/forms/attribution.d.ts.map +1 -1
- package/dist/forms/attribution.js +7 -2
- package/dist/forms/attribution.js.map +1 -1
- package/dist/forms/index.d.ts.map +1 -1
- package/dist/forms/index.js.map +1 -1
- package/dist/graphql/index.d.ts.map +1 -1
- package/dist/graphql/index.js.map +1 -1
- package/dist/graphql/resolvers.d.ts.map +1 -1
- package/dist/graphql/resolvers.js +17 -21
- package/dist/graphql/resolvers.js.map +1 -1
- package/dist/graphql/schema-builder.d.ts.map +1 -1
- package/dist/graphql/schema-builder.js.map +1 -1
- package/dist/health/index.d.ts +2 -2
- package/dist/health/index.d.ts.map +1 -1
- package/dist/health/index.js +9 -9
- package/dist/health/index.js.map +1 -1
- package/dist/i18n/index.d.ts +1 -1
- package/dist/i18n/index.d.ts.map +1 -1
- package/dist/i18n/index.js +2 -2
- package/dist/i18n/index.js.map +1 -1
- package/dist/index.d.ts +78 -76
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +44 -42
- package/dist/index.js.map +1 -1
- package/dist/media/index.d.ts +2 -2
- package/dist/media/index.d.ts.map +1 -1
- package/dist/media/index.js +1 -1
- package/dist/media/index.js.map +1 -1
- package/dist/media/optimize.d.ts.map +1 -1
- package/dist/media/optimize.js +7 -4
- package/dist/media/optimize.js.map +1 -1
- package/dist/middleware.d.ts.map +1 -1
- package/dist/middleware.js +21 -34
- package/dist/middleware.js.map +1 -1
- package/dist/multisite/index.d.ts.map +1 -1
- package/dist/multisite/index.js +4 -4
- package/dist/multisite/index.js.map +1 -1
- package/dist/next/preview.d.ts.map +1 -1
- package/dist/next/preview.js.map +1 -1
- package/dist/next.d.ts.map +1 -1
- package/dist/next.js +4 -5
- package/dist/next.js.map +1 -1
- package/dist/notifications/index.d.ts +1 -1
- package/dist/notifications/index.d.ts.map +1 -1
- package/dist/notifications/index.js +5 -5
- package/dist/notifications/index.js.map +1 -1
- package/dist/page-builder/__tests__/a11y-fix.test.js +1 -5
- package/dist/page-builder/__tests__/a11y-fix.test.js.map +1 -1
- package/dist/page-builder/__tests__/blocks.test.js +108 -1
- package/dist/page-builder/__tests__/blocks.test.js.map +1 -1
- package/dist/page-builder/__tests__/design-scorer.test.js +44 -11
- package/dist/page-builder/__tests__/design-scorer.test.js.map +1 -1
- package/dist/page-builder/__tests__/schema.test.js +12 -12
- package/dist/page-builder/__tests__/schema.test.js.map +1 -1
- package/dist/page-builder/__tests__/seo-analyzer.test.js +27 -13
- package/dist/page-builder/__tests__/seo-analyzer.test.js.map +1 -1
- package/dist/page-builder/ai-pipeline.d.ts.map +1 -1
- package/dist/page-builder/ai-pipeline.js +1 -3
- package/dist/page-builder/ai-pipeline.js.map +1 -1
- package/dist/page-builder/blocks.d.ts +18 -1
- package/dist/page-builder/blocks.d.ts.map +1 -1
- package/dist/page-builder/blocks.js +67 -11
- package/dist/page-builder/blocks.js.map +1 -1
- package/dist/page-builder/design-scorer.d.ts.map +1 -1
- package/dist/page-builder/design-scorer.js +249 -41
- package/dist/page-builder/design-scorer.js.map +1 -1
- package/dist/page-builder/index.d.ts +3 -3
- package/dist/page-builder/index.d.ts.map +1 -1
- package/dist/page-builder/index.js +2 -2
- package/dist/page-builder/index.js.map +1 -1
- package/dist/page-builder/seo-analyzer.d.ts.map +1 -1
- package/dist/page-builder/seo-analyzer.js +252 -56
- package/dist/page-builder/seo-analyzer.js.map +1 -1
- package/dist/page-builder/templates.d.ts.map +1 -1
- package/dist/page-builder/templates.js +45 -16
- package/dist/page-builder/templates.js.map +1 -1
- package/dist/page-builder/tree.d.ts.map +1 -1
- package/dist/page-builder/tree.js.map +1 -1
- package/dist/page-builder/validate.js.map +1 -1
- package/dist/presence/index.d.ts.map +1 -1
- package/dist/presence/index.js +2 -2
- package/dist/presence/index.js.map +1 -1
- package/dist/preview/index.d.ts.map +1 -1
- package/dist/preview/index.js.map +1 -1
- package/dist/privacy/index.d.ts +1 -1
- package/dist/privacy/index.d.ts.map +1 -1
- package/dist/privacy/index.js +3 -3
- package/dist/privacy/index.js.map +1 -1
- package/dist/relationships/index.d.ts.map +1 -1
- package/dist/relationships/index.js +1 -1
- package/dist/relationships/index.js.map +1 -1
- package/dist/scheduling/index.d.ts +2 -2
- package/dist/scheduling/index.d.ts.map +1 -1
- package/dist/scheduling/index.js +3 -1
- package/dist/scheduling/index.js.map +1 -1
- package/dist/search/index.d.ts.map +1 -1
- package/dist/search/index.js +1 -3
- package/dist/search/index.js.map +1 -1
- package/dist/security/access.d.ts +4 -4
- package/dist/security/access.d.ts.map +1 -1
- package/dist/security/access.js +11 -15
- package/dist/security/access.js.map +1 -1
- package/dist/security/anomaly-detection.d.ts.map +1 -1
- package/dist/security/anomaly-detection.js +5 -5
- package/dist/security/anomaly-detection.js.map +1 -1
- package/dist/security/api-key-enhanced.d.ts +2 -2
- package/dist/security/api-key-enhanced.d.ts.map +1 -1
- package/dist/security/api-key-enhanced.js +5 -5
- package/dist/security/api-key-enhanced.js.map +1 -1
- package/dist/security/audit.d.ts.map +1 -1
- package/dist/security/audit.js +8 -4
- package/dist/security/audit.js.map +1 -1
- package/dist/security/breach-check.js.map +1 -1
- package/dist/security/captcha.d.ts.map +1 -1
- package/dist/security/captcha.js.map +1 -1
- package/dist/security/client-ip.d.ts +33 -0
- package/dist/security/client-ip.d.ts.map +1 -0
- package/dist/security/client-ip.js +42 -0
- package/dist/security/client-ip.js.map +1 -0
- package/dist/security/cors.d.ts +1 -1
- package/dist/security/cors.d.ts.map +1 -1
- package/dist/security/cors.js +12 -12
- package/dist/security/cors.js.map +1 -1
- package/dist/security/csp-nonces.js +11 -11
- package/dist/security/csp-nonces.js.map +1 -1
- package/dist/security/csrf.js +2 -2
- package/dist/security/csrf.js.map +1 -1
- package/dist/security/encrypted-fields.d.ts.map +1 -1
- package/dist/security/encrypted-fields.js +7 -4
- package/dist/security/encrypted-fields.js.map +1 -1
- package/dist/security/headers.d.ts.map +1 -1
- package/dist/security/headers.js +12 -12
- package/dist/security/headers.js.map +1 -1
- package/dist/security/index.d.ts +39 -32
- package/dist/security/index.d.ts.map +1 -1
- package/dist/security/index.js +25 -20
- package/dist/security/index.js.map +1 -1
- package/dist/security/internal-keys.d.ts +15 -0
- package/dist/security/internal-keys.d.ts.map +1 -0
- package/dist/security/internal-keys.js +33 -0
- package/dist/security/internal-keys.js.map +1 -0
- package/dist/security/ip-allowlist.d.ts +13 -1
- package/dist/security/ip-allowlist.d.ts.map +1 -1
- package/dist/security/ip-allowlist.js +117 -11
- package/dist/security/ip-allowlist.js.map +1 -1
- package/dist/security/middleware.d.ts +2 -2
- package/dist/security/middleware.d.ts.map +1 -1
- package/dist/security/middleware.js +11 -11
- package/dist/security/middleware.js.map +1 -1
- package/dist/security/rate-limit.d.ts.map +1 -1
- package/dist/security/rate-limit.js +50 -18
- package/dist/security/rate-limit.js.map +1 -1
- package/dist/security/reauth.d.ts +1 -1
- package/dist/security/reauth.d.ts.map +1 -1
- package/dist/security/reauth.js.map +1 -1
- package/dist/security/redact.d.ts +12 -0
- package/dist/security/redact.d.ts.map +1 -0
- package/dist/security/redact.js +44 -0
- package/dist/security/redact.js.map +1 -0
- package/dist/security/safe-fetch.d.ts +35 -0
- package/dist/security/safe-fetch.d.ts.map +1 -0
- package/dist/security/safe-fetch.js +45 -0
- package/dist/security/safe-fetch.js.map +1 -0
- package/dist/security/sanitize.d.ts.map +1 -1
- package/dist/security/sanitize.js +40 -8
- package/dist/security/sanitize.js.map +1 -1
- package/dist/security/secret-storage.d.ts +22 -0
- package/dist/security/secret-storage.d.ts.map +1 -0
- package/dist/security/secret-storage.js +75 -0
- package/dist/security/secret-storage.js.map +1 -0
- package/dist/security/security-txt.d.ts.map +1 -1
- package/dist/security/security-txt.js +2 -2
- package/dist/security/security-txt.js.map +1 -1
- package/dist/security/session-limits.d.ts +1 -1
- package/dist/security/session-limits.d.ts.map +1 -1
- package/dist/security/session-limits.js +1 -1
- package/dist/security/session-limits.js.map +1 -1
- package/dist/security/upload.d.ts +23 -4
- package/dist/security/upload.d.ts.map +1 -1
- package/dist/security/upload.js +118 -23
- package/dist/security/upload.js.map +1 -1
- package/dist/security/webhook.d.ts.map +1 -1
- package/dist/security/webhook.js +12 -8
- package/dist/security/webhook.js.map +1 -1
- package/dist/seo/analysis.d.ts.map +1 -1
- package/dist/seo/analysis.js +25 -13
- package/dist/seo/analysis.js.map +1 -1
- package/dist/seo/index.d.ts +9 -9
- package/dist/seo/index.d.ts.map +1 -1
- package/dist/seo/index.js +4 -4
- package/dist/seo/index.js.map +1 -1
- package/dist/seo/llms-txt.js +1 -3
- package/dist/seo/llms-txt.js.map +1 -1
- package/dist/server-site.d.ts +54 -0
- package/dist/server-site.d.ts.map +1 -0
- package/dist/server-site.js +147 -0
- package/dist/server-site.js.map +1 -0
- package/dist/setup/index.d.ts.map +1 -1
- package/dist/setup/index.js.map +1 -1
- package/dist/site.d.ts.map +1 -1
- package/dist/site.js +26 -4
- package/dist/site.js.map +1 -1
- package/dist/storage/index.d.ts +20 -10
- package/dist/storage/index.d.ts.map +1 -1
- package/dist/storage/index.js +6 -3
- package/dist/storage/index.js.map +1 -1
- package/dist/templates/index.d.ts.map +1 -1
- package/dist/templates/index.js +3 -3
- package/dist/templates/index.js.map +1 -1
- package/dist/upgrade/changelog.d.ts +1 -1
- package/dist/upgrade/changelog.d.ts.map +1 -1
- package/dist/upgrade/changelog.js +12 -12
- package/dist/upgrade/changelog.js.map +1 -1
- package/dist/upgrade/index.d.ts +6 -6
- package/dist/upgrade/index.d.ts.map +1 -1
- package/dist/upgrade/index.js +3 -3
- package/dist/upgrade/index.js.map +1 -1
- package/dist/upgrade/upgrade-pr.d.ts.map +1 -1
- package/dist/upgrade/upgrade-pr.js +36 -36
- package/dist/upgrade/upgrade-pr.js.map +1 -1
- package/dist/upgrade/version-check.d.ts +1 -1
- package/dist/upgrade/version-check.d.ts.map +1 -1
- package/dist/upgrade/version-check.js +13 -13
- package/dist/upgrade/version-check.js.map +1 -1
- package/dist/webhooks/index.d.ts +1 -1
- package/dist/webhooks/index.d.ts.map +1 -1
- package/dist/webhooks/index.js +24 -13
- package/dist/webhooks/index.js.map +1 -1
- package/dist/workflow/index.d.ts.map +1 -1
- package/dist/workflow/index.js.map +1 -1
- package/dist/workflows/index.d.ts +1 -1
- package/dist/workflows/index.d.ts.map +1 -1
- package/dist/workflows/index.js +3 -3
- package/dist/workflows/index.js.map +1 -1
- package/package.json +1 -1
- package/prisma/seed.ts +31 -31
|
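--- a/package/dist/security/api-key-enhanced.js
+++ b/package/dist/security/api-key-enhanced.js
@@ -2,14 +2,14 @@
 export async function generateApiKey(config) {
 const rawBytes = crypto.getRandomValues(new Uint8Array(32));
 const rawKey = Array.from(rawBytes)
-.map((b) => b.toString(16).padStart(2,
-.join(
+.map((b) => b.toString(16).padStart(2, '0'))
+.join('');
 const key = `${config.prefix}_${rawKey}`;
 const keyPrefix = key.slice(0, config.prefix.length + 9);
-const hashBuffer = await crypto.subtle.digest(
+const hashBuffer = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(key));
 const keyHash = Array.from(new Uint8Array(hashBuffer))
-.map((b) => b.toString(16).padStart(2,
-.join(
+.map((b) => b.toString(16).padStart(2, '0'))
+.join('');
 return { key, keyHash, keyPrefix };
 }
 /** Validate an API key's scopes against a requested action. */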
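Review bot: The `keyPrefix` derivation `key.slice(0, config.prefix.length + 9)` carries an unexplained magic number; a reader has to work out that it keeps the prefix, the `_` separator and the first 8 hex characters (4 of the 32 random bytes) as a lookup handle. A one-line comment such as `// prefix + '_' + first 8 hex chars: a lookup handle that reveals 32 of the key's 256 bits` would make the trade-off explicit. The byte-to-hex conversion is also written out twice in this function (for `rawKey` and `keyHash`); a small local `toHex(bytes)` helper would remove the duplication. Nothing in the hunk validates `config.prefix` (empty, or containing `_`), which would make `keyPrefix` ambiguous — presumably that is checked by the caller, but it is worth confirming.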
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"api-key-enhanced.js","sourceRoot":"","sources":["../../src/security/api-key-enhanced.ts"],"names":[],"mappings":"AAeA,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAA4B;IAE5B,MAAM,QAAQ,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,
|
|
1
|
+
{"version":3,"file":"api-key-enhanced.js","sourceRoot":"","sources":["../../src/security/api-key-enhanced.ts"],"names":[],"mappings":"AAeA,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAA4B;IAE5B,MAAM,QAAQ,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IAC3D,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;IACX,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,EAAE,CAAA;IACxC,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAExD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAA;IACvF,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;SACnD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;IAEX,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,SAAS,EAAE,CAAA;AACpC,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,mBAAmB,CACjC,MAAmB,EACnB,UAAkB,EAClB,MAA+C;IAE/C,IAAI,MAAM,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACnE,OAAO,KAAK,CAAA;IACd,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACvD,OAAO,KAAK,CAAA;IACd,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,
|
|
1
|
+
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACjC,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,IAAI,CAAA;IACX,EAAE,CAAC,EAAE,IAAI,CAAA;IACT,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;CACd;AAED,iCAAiC;AACjC,wBAAsB,QAAQ,CAAC,KAAK,EAAE;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAClC,GAAG,OAAO,CAAC,IAAI,CAAC,CAmBhB;AAED,2DAA2D;AAC3D,wBAAsB,WAAW,CAC/B,OAAO,GAAE;IACP,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;CACb,GACL,OAAO,CAAC;IAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAmB5C"}
|
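--- a/package/dist/security/audit.js
+++ b/package/dist/security/audit.js
@@ -9,12 +9,16 @@ export async function logEvent(event) {
 userId: event.userId ?? null,
 ipAddress: event.ipAddress ?? null,
 userAgent: event.userAgent ?? null,
-details: event.details ??
+details: event.details ?? null,
 },
 });
 }
-catch {
-// Fail open — audit logging should never block the primary operation
+catch (err) {
+// Fail open — audit logging should never block the primary operation,
+// but still surface the failure so the operator can fix it.
+if (process.env.NODE_ENV !== 'test') {
+console.error('[actuate][audit] logEvent failed:', err instanceof Error ? err.message : err);
+}
 }
 }
 /** Query audit log entries with filters and pagination. */
@@ -29,7 +33,7 @@ export async function getAuditLog(options = {})
 const [entries, total] = await Promise.all([
 db.auditLog.findMany({
 where,
-orderBy: {
+orderBy: { timestamp: 'desc' },
 skip: (page - 1) * pageSize,
 take: pageSize,
 }),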
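Review bot: In the second hunk, `skip: (page - 1) * pageSize` and `take: pageSize` are passed straight to Prisma with no bounds, so a caller can request the entire audit table in one query or pass a non-positive `page` that yields a negative `skip`; `getAuditLog` starts outside the hunk, so where `page`/`pageSize` come from (and whether they are already clamped) is not visible here. If they are not clamped upstream, something like `const safePageSize = Math.min(Math.max(1, pageSize), MAX_PAGE_SIZE /* constructed cap */);` and `const safePage = Math.max(1, page);` before the query, with both `findMany` arguments using the clamped values, would close this. In the first hunk the new `catch (err)` branch deliberately keeps the fail-open behaviour while logging `err.message`; since an audit write that fails is itself a security-relevant event, a short comment stating that the dropped event is not retried or counted anywhere would help the next maintainer decide whether a metric belongs here.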
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,
|
|
1
|
+
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAA;AAyBhC,iCAAiC;AACjC,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAM9B;IACC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,KAAK,EAAO,CAAA;QACvB,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YACvB,IAAI,EAAE;gBACJ,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;gBAC5B,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;aAC/B;SACF,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,sEAAsE;QACtE,4DAA4D;QAC5D,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACpC,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;QAC9F,CAAC;IACH,CAAC;AACH,CAAC;AAED,2DAA2D;AAC3D,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,UAKI,EAAE;IAEN,MAAM,EAAE,GAAG,KAAK,EAAO,CAAA;IACvB,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,GAAG,CAAC,EAAE,QAAQ,GAAG,EAAE,EAAE,GAAG,OAAO,CAAA;IAE1D,MAAM,KAAK,GAAQ,EAAE,CAAA;IACrB,IAAI,MAAM;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAA;IACjC,IAAI,KAAK;QAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAA;IAE9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACzC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACnB,KAAK;YACL,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;YAC9B,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ;YAC3B,IAAI,EAAE,QAAQ;SACf,CAAC;QACF,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;KAC7B,CAAC,CAAA;IAEF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;AAC3B,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"breach-check.js","sourceRoot":"","sources":["../../src/security/breach-check.ts"],"names":[],"mappings":"AAAA,mFAAmF;AACnF,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,QAAgB;IAClD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,
|
|
1
|
+
{"version":3,"file":"breach-check.js","sourceRoot":"","sources":["../../src/security/breach-check.ts"],"names":[],"mappings":"AAAA,mFAAmF;AACnF,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,QAAgB;IAClD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IACrC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;IAC5D,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAA;IACxD,MAAM,OAAO,GAAG,SAAS;SACtB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC;SACR,WAAW,EAAE,CAAA;IAEhB,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;IACtC,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;IAEnC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,wCAAwC,MAAM,EAAE,EAAE;YAC7E,OAAO,EAAE,EAAE,YAAY,EAAE,0BAA0B,EAAE;YACrD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,KAAK,CAAA;QAE9B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAClC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAA;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"captcha.d.ts","sourceRoot":"","sources":["../../src/security/captcha.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,MAAM,eAAe,GAAG,WAAW,GAAG,WAAW,GAAG,MAAM,
|
|
1
|
+
{"version":3,"file":"captcha.d.ts","sourceRoot":"","sources":["../../src/security/captcha.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,MAAM,eAAe,GAAG,WAAW,GAAG,WAAW,GAAG,MAAM,CAAA;AAEhE,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,eAAe,CAAA;IACzB,iDAAiD;IACjD,OAAO,EAAE,MAAM,CAAA;IACf,wCAAwC;IACxC,SAAS,EAAE,MAAM,CAAA;IACjB,6FAA6F;IAC7F,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;CACtB;AAOD;;;GAGG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,EACrB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,mBAAmB,CAAC,CAyE9B;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,aAAa,CAyBhD"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"captcha.js","sourceRoot":"","sources":["../../src/security/captcha.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAqBH,MAAM,WAAW,GAA2B;IAC1C,SAAS,EAAE,iDAAiD;IAC5D,SAAS,EAAE,2DAA2D;CACvE,
|
|
1
|
+
{"version":3,"file":"captcha.js","sourceRoot":"","sources":["../../src/security/captcha.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAqBH,MAAM,WAAW,GAA2B;IAC1C,SAAS,EAAE,iDAAiD;IAC5D,SAAS,EAAE,2DAA2D;CACvE,CAAA;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,MAAqB,EACrB,QAAiB;IAEjB,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IAC1B,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,wBAAwB,CAAC,EAAE,CAAA;IACnE,CAAC;IAED,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IAC9C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,oBAAoB,MAAM,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAA;IAChF,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,MAAM,EAAE,MAAM,CAAC,SAAS;QACxB,QAAQ,EAAE,KAAK;KAChB,CAAC,CAAA;IACF,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;IAClC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;YACjC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,cAAc,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,CAAA;QACrE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAK7B,CAAA;QAED,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE;aACtC,CAAA;QACH,CAAC;QAED,sDAAsD;QACtD,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACtE,MAAM,SAAS,GAAG,MAAM,CAAC,cAAc,IAAI,GAAG,CAAA;YAC9C,IAAI,IAAI,CAAC,KAAK,GAAG,SAAS,EAAE,CAAC;gBAC3B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,UAAU,EAAE,CAAC,uBAAuB,CAAC;iBACtC,CAAA;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAA;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,KAAK;YACd,UAAU,EAAE,CAAC,eAAe,CAA
C;SAC9B,CAAA;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAA;IACvD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAA;IAExD,IAAI,gBAAgB,IAAI,eAAe,EAAE,CAAC;QACxC,OAAO;YACL,QAAQ,EAAE,WAAW;YACrB,OAAO,EAAE,gBAAgB;YACzB,SAAS,EAAE,eAAe;YAC1B,cAAc,EAAE,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,IAAI,KAAK,CAAC;SAC3E,CAAA;IACH,CAAC;IAED,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAA;IACvD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAA;IAExD,IAAI,gBAAgB,IAAI,eAAe,EAAE,CAAC;QACxC,OAAO;YACL,QAAQ,EAAE,WAAW;YACrB,OAAO,EAAE,gBAAgB;YACzB,SAAS,EAAE,eAAe;SAC3B,CAAA;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAA;AACzD,CAAC"}
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Trusted client-IP extraction.
|
|
3
|
+
*
|
|
4
|
+
* The `X-Forwarded-For` header is fully attacker-controlled when the server is
|
|
5
|
+
* directly reachable from the Internet — anyone can send `X-Forwarded-For: 1.2.3.4`
|
|
6
|
+
* to bypass per-IP rate limits and poison audit logs.
|
|
7
|
+
*
|
|
8
|
+
* This helper resolves the real client IP using the most trustworthy header
|
|
9
|
+
* available, in this order:
|
|
10
|
+
*
|
|
11
|
+
* 1. Vercel — `x-vercel-forwarded-for` is set by the Vercel edge and cannot
|
|
12
|
+
* be spoofed by clients (Vercel strips inbound copies).
|
|
13
|
+
* 2. Common reverse proxies — `x-real-ip` is typically set by nginx/Caddy
|
|
14
|
+
* to the directly-connected client IP.
|
|
15
|
+
* 3. `x-forwarded-for` — only honoured when the integrator opts in via
|
|
16
|
+
* `trustProxy: true`. In that mode we use the **last** entry (closest to
|
|
17
|
+
* the proxy) rather than the first (closest to the client / spoofable).
|
|
18
|
+
*
|
|
19
|
+
* Returns the literal string `'unknown'` when no trusted source is available;
|
|
20
|
+
* callers should treat that as a hard failure for security-sensitive decisions.
|
|
21
|
+
*/
|
|
22
|
+
export interface TrustedIpOptions {
|
|
23
|
+
/** When true, fall back to parsing X-Forwarded-For. Defaults to false. */
|
|
24
|
+
trustProxy?: boolean;
|
|
25
|
+
}
|
|
26
|
+
export declare function getClientIp(request: Request, options?: TrustedIpOptions): string;
|
|
27
|
+
/**
|
|
28
|
+
* Returns true when the resolved client IP is a real value we can use for
|
|
29
|
+
* security-sensitive keys (rate limits, IP allowlists). Returns false for the
|
|
30
|
+
* `'unknown'` sentinel.
|
|
31
|
+
*/
|
|
32
|
+
export declare function isResolvedIp(ip: string): boolean;
|
|
33
|
+
//# sourceMappingURL=client-ip.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"client-ip.d.ts","sourceRoot":"","sources":["../../src/security/client-ip.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,UAAU,CAAC,EAAE,OAAO,CAAA;CACrB;AAMD,wBAAgB,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,GAAE,gBAAqB,GAAG,MAAM,CA8BpF;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAEhD"}
|
|
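--- /dev/null
+++ b/package/dist/security/client-ip.js
@@ -0,0 +1,42 @@
+const VERCEL_HEADER = 'x-vercel-forwarded-for';
+const REAL_IP_HEADER = 'x-real-ip';
+const FORWARDED_HEADER = 'x-forwarded-for';
+export function getClientIp(request, options = {}) {
+const trustProxy = options.trustProxy ?? process.env.ACTUATE_TRUST_PROXY === '1';
+const vercel = request.headers.get(VERCEL_HEADER);
+if (vercel) {
+const first = vercel.split(',')[0]?.trim();
+if (first)
+return first;
+}
+const realIp = request.headers.get(REAL_IP_HEADER);
+if (realIp) {
+const trimmed = realIp.trim();
+if (trimmed)
+return trimmed;
+}
+if (trustProxy) {
+const fwd = request.headers.get(FORWARDED_HEADER);
+if (fwd) {
+// Use the last entry — that's the IP your trusted proxy itself saw,
+// not whatever the original client claimed in the chain.
+const parts = fwd
+.split(',')
+.map((p) => p.trim())
+.filter(Boolean);
+const last = parts[parts.length - 1];
+if (last)
+return last;
+}
+}
+return 'unknown';
+}
+/**
+* Returns true when the resolved client IP is a real value we can use for
+* security-sensitive keys (rate limits, IP allowlists). Returns false for the
+* `'unknown'` sentinel.
+*/
+export function isResolvedIp(ip) {
+return ip !== 'unknown' && ip.length > 0;
+}
+//# sourceMappingURL=client-ip.js.map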
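Review bot: `x-real-ip` (lines 12–17) is honoured unconditionally, which reintroduces the spoofing problem the file's own header comment describes for `X-Forwarded-For`: when the app is reachable directly, or sits behind a proxy that does not overwrite that header, any client can send `X-Real-IP: 1.2.3.4` and choose its own rate-limit key and audit-log entry. Move the lookup inside the `if (trustProxy)` block so it is used only on explicit opt-in, e.g. `if (trustProxy) { const realIp = request.headers.get(REAL_IP_HEADER); … }`. The same reasoning applies to `x-vercel-forwarded-for`, which is only unspoofable when the app actually runs on Vercel; off-platform deployments could gate it on the `VERCEL` environment variable, though I cannot see from here which runtimes the package targets. Consider also validating the chosen value with `net.isIP()` before returning it, since an arbitrary header string otherwise flows into rate-limit keys and logs; `node:net` may not exist in every runtime this module runs in. Finally, the last-entry rule for `x-forwarded-for` (lines 21–29) is correct for exactly one trusted hop; behind a CDN plus load balancer the last entry is the CDN's address, so a configurable number of trusted hops would be safer.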
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"client-ip.js","sourceRoot":"","sources":["../../src/security/client-ip.ts"],"names":[],"mappings":"AA0BA,MAAM,aAAa,GAAG,wBAAwB,CAAA;AAC9C,MAAM,cAAc,GAAG,WAAW,CAAA;AAClC,MAAM,gBAAgB,GAAG,iBAAiB,CAAA;AAE1C,MAAM,UAAU,WAAW,CAAC,OAAgB,EAAE,UAA4B,EAAE;IAC1E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,GAAG,CAAA;IAEhF,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IACjD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAA;QAC1C,IAAI,KAAK;YAAE,OAAO,KAAK,CAAA;IACzB,CAAC;IAED,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;IAClD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAA;QAC7B,IAAI,OAAO;YAAE,OAAO,OAAO,CAAA;IAC7B,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAA;QACjD,IAAI,GAAG,EAAE,CAAC;YACR,oEAAoE;YACpE,yDAAyD;YACzD,MAAM,KAAK,GAAG,GAAG;iBACd,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,MAAM,CAAC,OAAO,CAAC,CAAA;YAClB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;YACpC,IAAI,IAAI;gBAAE,OAAO,IAAI,CAAA;QACvB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,EAAU;IACrC,OAAO,EAAE,KAAK,SAAS,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAA;AAC1C,CAAC"}
|
package/dist/security/cors.d.ts
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../src/security/cors.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,cAAc,EAAE,MAAM,EAAE,GAAG,GAAG,
|
|
1
|
+
{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../src/security/cors.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,cAAc,EAAE,MAAM,EAAE,GAAG,GAAG,CAAA;IAC9B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAKD,qDAAqD;AACrD,wBAAgB,cAAc,CAC5B,aAAa,EAAE,MAAM,GAAG,IAAI,EAC5B,MAAM,EAAE,UAAU,GACjB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAwBxB"}
|
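--- a/package/dist/security/cors.js
+++ b/package/dist/security/cors.js
@@ -1,31 +1,31 @@
-const DEFAULT_METHODS = [
-const DEFAULT_HEADERS = [
+const DEFAULT_METHODS = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'];
+const DEFAULT_HEADERS = ['Content-Type', 'Authorization', 'X-CSRF-Token'];
 /** Build CORS headers for a given request origin. */
 export function getCorsHeaders(requestOrigin, config) {
 const headers = {};
 const allowedOrigin = resolveOrigin(requestOrigin, config.allowedOrigins);
 if (!allowedOrigin)
 return headers;
-headers[
-headers[
-headers[
+headers['Access-Control-Allow-Origin'] = allowedOrigin;
+headers['Access-Control-Allow-Methods'] = (config.allowedMethods ?? DEFAULT_METHODS).join(', ');
+headers['Access-Control-Allow-Headers'] = (config.allowedHeaders ?? DEFAULT_HEADERS).join(', ');
 if (config.exposedHeaders?.length) {
-headers[
+headers['Access-Control-Expose-Headers'] = config.exposedHeaders.join(', ');
 }
 if (config.credentials) {
-headers[
+headers['Access-Control-Allow-Credentials'] = 'true';
 }
 if (config.maxAge !== undefined) {
-headers[
+headers['Access-Control-Max-Age'] = String(config.maxAge);
 }
-if (config.allowedOrigins !==
-headers[
+if (config.allowedOrigins !== '*') {
+headers['Vary'] = 'Origin';
 }
 return headers;
 }
 function resolveOrigin(requestOrigin, allowed) {
-if (allowed ===
-return
+if (allowed === '*')
+return '*';
 if (!requestOrigin)
 return null;
 return allowed.includes(requestOrigin) ? requestOrigin : null;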
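Review bot: With `allowedOrigins: '*'`, `resolveOrigin` returns the literal `'*'` (lines 27–28) and the `config.credentials` branch (lines 15–17) still adds `Access-Control-Allow-Credentials: true`; browsers reject that combination, so credentialed requests fail with no hint that the config is contradictory. Guard it with `if (config.credentials && allowedOrigin !== '*') {` and note in the `CorsConfig` doc that credentials require an explicit origin list. A disallowed origin returns before `Vary: Origin` is set (lines 7–8), so a shared cache can store that bare response and later serve it to an allowed origin; setting `headers['Vary'] = 'Origin'` ahead of the early return avoids that. The exact `allowed.includes(requestOrigin)` match is the right check — keep it rather than reflecting the request origin. `resolveOrigin`'s closing brace is outside the hunk.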
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cors.js","sourceRoot":"","sources":["../../src/security/cors.ts"],"names":[],"mappings":"AASA,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC,
|
|
1
|
+
{"version":3,"file":"cors.js","sourceRoot":"","sources":["../../src/security/cors.ts"],"names":[],"mappings":"AASA,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAA;AAC5E,MAAM,eAAe,GAAG,CAAC,cAAc,EAAE,eAAe,EAAE,cAAc,CAAC,CAAA;AAEzE,qDAAqD;AACrD,MAAM,UAAU,cAAc,CAC5B,aAA4B,EAC5B,MAAkB;IAElB,MAAM,OAAO,GAA2B,EAAE,CAAA;IAE1C,MAAM,aAAa,GAAG,aAAa,CAAC,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,CAAA;IACzE,IAAI,CAAC,aAAa;QAAE,OAAO,OAAO,CAAA;IAElC,OAAO,CAAC,6BAA6B,CAAC,GAAG,aAAa,CAAA;IACtD,OAAO,CAAC,8BAA8B,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,IAAI,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC/F,OAAO,CAAC,8BAA8B,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,IAAI,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAE/F,IAAI,MAAM,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;QAClC,OAAO,CAAC,+BAA+B,CAAC,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC7E,CAAC;IACD,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,OAAO,CAAC,kCAAkC,CAAC,GAAG,MAAM,CAAA;IACtD,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,CAAC,wBAAwB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAC3D,CAAC;IACD,IAAI,MAAM,CAAC,cAAc,KAAK,GAAG,EAAE,CAAC;QAClC,OAAO,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAA;IAC5B,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,SAAS,aAAa,CAAC,aAA4B,EAAE,OAAuB;IAC1E,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,GAAG,CAAA;IAC/B,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAA;IAC/B,OAAO,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAA;AAC/D,CAAC"}
|
|
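--- a/package/dist/security/csp-nonces.js
+++ b/package/dist/security/csp-nonces.js
@@ -6,19 +6,19 @@ export function generateCspNonce() {
 /** Build a CSP header value incorporating the generated nonce. */
 export function buildCspHeader(nonce, directives) {
 const defaults = {
-
-
-
-
-
-
-
-
-
+'default-src': ["'self'"],
+'script-src': ["'self'", `'nonce-${nonce}'`],
+'style-src': ["'self'", `'nonce-${nonce}'`, "'unsafe-inline'"],
+'img-src': ["'self'", 'data:', 'https:'],
+'font-src': ["'self'"],
+'connect-src': ["'self'"],
+'frame-ancestors': ["'none'"],
+'base-uri': ["'self'"],
+'form-action': ["'self'"],
 ...directives,
 };
 return Object.entries(defaults)
-.map(([key, values]) => `${key} ${values.join(
-.join(
+.map(([key, values]) => `${key} ${values.join(' ')}`)
+.join('; ');
 }
 //# sourceMappingURL=csp-nonces.js.map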
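Review bot: The default policy (lines 9–17) has no `object-src` directive, so it falls back to `default-src 'self'` and plugin content from the site's own origin remains allowed; add `'object-src': ["'none'"],` next to `'base-uri'` and `'form-action'`, which are the other standard hardening directives already present. `'style-src'` (line 11) combines a nonce with `'unsafe-inline'`; browsers that understand nonces ignore `'unsafe-inline'` once a nonce or hash is present, so it acts only as a fallback for older engines, which deserves a comment such as `// 'unsafe-inline' is ignored by nonce-aware browsers; kept as a legacy fallback` so nobody reads it as permitting inline styles everywhere. `nonce` is interpolated straight into the header value (lines 10–11), so a caller passing a string that did not come from `generateCspNonce` could inject further directives; the generator's body is outside this hunk, so I cannot confirm its output format here. `buildCspHeader` lies entirely within the hunk; the `generateCspNonce` named in the hunk header ends before it.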
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"csp-nonces.js","sourceRoot":"","sources":["../../src/security/csp-nonces.ts"],"names":[],"mappings":"AAAA,mGAAmG;AACnG,MAAM,UAAU,gBAAgB;IAC9B,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,
|
|
1
|
+
{"version":3,"file":"csp-nonces.js","sourceRoot":"","sources":["../../src/security/csp-nonces.ts"],"names":[],"mappings":"AAAA,mGAAmG;AACnG,MAAM,UAAU,gBAAgB;IAC9B,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACxD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC,CAAA;AAC5C,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,cAAc,CAAC,KAAa,EAAE,UAAqC;IACjF,MAAM,QAAQ,GAA6B;QACzC,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,YAAY,EAAE,CAAC,QAAQ,EAAE,UAAU,KAAK,GAAG,CAAC;QAC5C,WAAW,EAAE,CAAC,QAAQ,EAAE,UAAU,KAAK,GAAG,EAAE,iBAAiB,CAAC;QAC9D,SAAS,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC;QACxC,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,iBAAiB,EAAE,CAAC,QAAQ,CAAC;QAC7B,UAAU,EAAE,CAAC,QAAQ,CAAC;QACtB,aAAa,EAAE,CAAC,QAAQ,CAAC;QACzB,GAAG,UAAU;KACd,CAAA;IAED,OAAO,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;SAC5B,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;SACpD,IAAI,CAAC,IAAI,CAAC,CAAA;AACf,CAAC"}
|
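--- a/package/dist/security/csrf.js
+++ b/package/dist/security/csrf.js
@@ -2,8 +2,8 @@
 export async function generateToken() {
 const bytes = crypto.getRandomValues(new Uint8Array(32));
 return Array.from(bytes)
-.map((b) => b.toString(16).padStart(2,
-.join(
+.map((b) => b.toString(16).padStart(2, '0'))
+.join('');
 }
 /** Validate a submitted CSRF token against the stored value using constant-time comparison. */
 export function validateToken(token, storedToken) {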
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/security/csrf.ts"],"names":[],"mappings":"AAAA,8CAA8C;AAC9C,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,
|
|
1
|
+
{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/security/csrf.ts"],"names":[],"mappings":"AAAA,8CAA8C;AAC9C,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACxD,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;SACrB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;AACb,CAAC;AAED,+FAA+F;AAC/F,MAAM,UAAU,aAAa,CAAC,KAAa,EAAE,WAAmB;IAC9D,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IAErD,MAAM,CAAC,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IACzC,MAAM,CAAC,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IAE/C,IAAI,IAAI,GAAG,CAAC,CAAA;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAA;IACnC,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAA;AACnB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"encrypted-fields.d.ts","sourceRoot":"","sources":["../../src/security/encrypted-fields.ts"],"names":[],"mappings":"AAIA,+CAA+C;AAC/C,wBAAsB,YAAY,
|
|
1
|
+
{"version":3,"file":"encrypted-fields.d.ts","sourceRoot":"","sources":["../../src/security/encrypted-fields.ts"],"names":[],"mappings":"AAIA,+CAA+C;AAC/C,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBjF;AAED,wDAAwD;AACxD,wBAAsB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAarF"}
|
|
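--- a/package/dist/security/encrypted-fields.js
+++ b/package/dist/security/encrypted-fields.js
@@ -1,4 +1,4 @@
-const ALGORITHM =
+const ALGORITHM = 'AES-GCM';
 const IV_LENGTH = 12;
 const TAG_LENGTH = 128;
 /** Encrypt a field value using AES-256-GCM. */
@@ -23,12 +23,15 @@ export async function decryptField(encrypted, keyHex) {
 }
 async function importKey(keyHex) {
 const keyData = hexToBuffer(keyHex);
-return crypto.subtle.importKey(
+return crypto.subtle.importKey('raw', keyData, ALGORITHM, false, [
+'encrypt',
+'decrypt',
+]);
 }
 function bufferToHex(buffer) {
 return Array.from(buffer)
-.map((b) => b.toString(16).padStart(2,
-.join(
+.map((b) => b.toString(16).padStart(2, '0'))
+.join('');
 }
 function hexToBuffer(hex) {
 const bytes = new Uint8Array(hex.length / 2);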
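Review bot: `importKey` (lines 24–30) never checks the key length, so a hex key of 32 or 48 characters is silently imported as AES-128 or AES-192 despite the AES-256-GCM comment on line 4, and a malformed `keyHex` is handed to the import unvalidated. Add a guard before the conversion, e.g. `if (!/^[0-9a-fA-F]{64}$/.test(keyHex)) throw new Error('encryption key must be 64 hex characters (32 bytes)');`, so a mistyped or truncated key fails loudly instead of being used. How `hexToBuffer` treats non-hex input is outside the hunk (only its first line, 37, is visible), but a per-byte `parseInt` would turn such input into zero bytes, which is the worst possible silent failure for a key. `extractable: false` on the import is the right choice; keep it.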
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"encrypted-fields.js","sourceRoot":"","sources":["../../src/security/encrypted-fields.ts"],"names":[],"mappings":"AAAA,MAAM,SAAS,GAAG,SAAS,
|
|
1
|
+
{"version":3,"file":"encrypted-fields.js","sourceRoot":"","sources":["../../src/security/encrypted-fields.ts"],"names":[],"mappings":"AAAA,MAAM,SAAS,GAAG,SAAS,CAAA;AAC3B,MAAM,SAAS,GAAG,EAAE,CAAA;AACpB,MAAM,UAAU,GAAG,GAAG,CAAA;AAEtB,+CAA+C;AAC/C,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAa,EAAE,MAAc;IAC9D,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAA;IACnC,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAA;IAC5D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAE/C,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,EAC9C,GAAG,EACH,OAAO,CACR,CAAA;IAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;IAClE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAChB,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAA;IAEnD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAA;AAC9B,CAAC;AAED,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB,EAAE,MAAc;IAClE,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAA;IACnC,MAAM,IAAI,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IACnC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;IACnC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;IAExC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,EAC9C,GAAG,EACH,UAAU,CACX,CAAA;IAED,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,MAAc;IACrC,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAkC,EAAE,SAAS,EAAE,KAAK,EAAE;QAC1F,SAAS;QACT,SAAS;KACV,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,MAAkB;IACrC,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;SACtB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;AACb,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,GA
AG,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IAClD,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/security/headers.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,qBAAqB;IACpC,qBAAqB,CAAC,EAAE,MAAM,
|
|
1
|
+
{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/security/headers.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,qBAAqB;IACpC,qBAAqB,CAAC,EAAE,MAAM,CAAA;IAC9B,uBAAuB,CAAC,EAAE,MAAM,CAAA;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAC3B;AAWD,2DAA2D;AAC3D,wBAAgB,kBAAkB,CAAC,SAAS,CAAC,EAAE,qBAAqB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAuB5F"}
|
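--- a/package/dist/security/headers.js
+++ b/package/dist/security/headers.js
@@ -1,31 +1,31 @@
 const DEFAULT_HEADERS = {
-
-
-
-
-
-
+'X-Content-Type-Options': 'nosniff',
+'X-Frame-Options': 'DENY',
+'X-XSS-Protection': '0',
+'Referrer-Policy': 'strict-origin-when-cross-origin',
+'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
+'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
 };
 /** Get the default security headers for HTTP responses. */
 export function getSecurityHeaders(overrides) {
 const headers = { ...DEFAULT_HEADERS };
 if (overrides?.contentSecurityPolicy) {
-headers[
+headers['Content-Security-Policy'] = overrides.contentSecurityPolicy;
 }
 if (overrides?.strictTransportSecurity) {
-headers[
+headers['Strict-Transport-Security'] = overrides.strictTransportSecurity;
 }
 if (overrides?.xContentTypeOptions) {
-headers[
+headers['X-Content-Type-Options'] = overrides.xContentTypeOptions;
 }
 if (overrides?.xFrameOptions) {
-headers[
+headers['X-Frame-Options'] = overrides.xFrameOptions;
 }
 if (overrides?.referrerPolicy) {
-headers[
+headers['Referrer-Policy'] = overrides.referrerPolicy;
 }
 if (overrides?.permissionsPolicy) {
-headers[
+headers['Permissions-Policy'] = overrides.permissionsPolicy;
 }
 return headers;
 }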
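Review bot: The default `Strict-Transport-Security` (line 6) includes `preload`, which a library should not emit unprompted: the directive advertises the domain as eligible for browser preload lists, and once submitted the `includeSubDomains` commitment is effectively irreversible for every subdomain, including any that still serve HTTP. Ship `'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',` by default and let operators add `preload` via `overrides.strictTransportSecurity` once all subdomains are verified. Separately, each override check uses truthiness (`if (overrides?.xFrameOptions)` and friends, lines 12–29), so passing `''` cannot remove a default header — e.g. to drop `X-Frame-Options: DENY` in favour of a CSP `frame-ancestors` allowlist; checking `!== undefined` and deleting the key on an empty string would make that possible. The whole of `getSecurityHeaders` is inside the hunk.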
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"headers.js","sourceRoot":"","sources":["../../src/security/headers.ts"],"names":[],"mappings":"AASA,MAAM,eAAe,GAA2B;IAC9C,wBAAwB,EAAE,SAAS;IACnC,iBAAiB,EAAE,MAAM;IACzB,kBAAkB,EAAE,GAAG;IACvB,iBAAiB,EAAE,iCAAiC;IACpD,2BAA2B,EAAE,8CAA8C;IAC3E,oBAAoB,EAAE,0CAA0C;CACjE,
|
|
1
|
+
{"version":3,"file":"headers.js","sourceRoot":"","sources":["../../src/security/headers.ts"],"names":[],"mappings":"AASA,MAAM,eAAe,GAA2B;IAC9C,wBAAwB,EAAE,SAAS;IACnC,iBAAiB,EAAE,MAAM;IACzB,kBAAkB,EAAE,GAAG;IACvB,iBAAiB,EAAE,iCAAiC;IACpD,2BAA2B,EAAE,8CAA8C;IAC3E,oBAAoB,EAAE,0CAA0C;CACjE,CAAA;AAED,2DAA2D;AAC3D,MAAM,UAAU,kBAAkB,CAAC,SAAiC;IAClE,MAAM,OAAO,GAAG,EAAE,GAAG,eAAe,EAAE,CAAA;IAEtC,IAAI,SAAS,EAAE,qBAAqB,EAAE,CAAC;QACrC,OAAO,CAAC,yBAAyB,CAAC,GAAG,SAAS,CAAC,qBAAqB,CAAA;IACtE,CAAC;IACD,IAAI,SAAS,EAAE,uBAAuB,EAAE,CAAC;QACvC,OAAO,CAAC,2BAA2B,CAAC,GAAG,SAAS,CAAC,uBAAuB,CAAA;IAC1E,CAAC;IACD,IAAI,SAAS,EAAE,mBAAmB,EAAE,CAAC;QACnC,OAAO,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC,mBAAmB,CAAA;IACnE,CAAC;IACD,IAAI,SAAS,EAAE,aAAa,EAAE,CAAC;QAC7B,OAAO,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,aAAa,CAAA;IACtD,CAAC;IACD,IAAI,SAAS,EAAE,cAAc,EAAE,CAAC;QAC9B,OAAO,CAAC,iBAAiB,CAAC,GAAG,SAAS,CAAC,cAAc,CAAA;IACvD,CAAC;IACD,IAAI,SAAS,EAAE,iBAAiB,EAAE,CAAC;QACjC,OAAO,CAAC,oBAAoB,CAAC,GAAG,SAAS,CAAC,iBAAiB,CAAA;IAC7D,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC"}
|
package/dist/security/index.d.ts
CHANGED
|
@@ -1,33 +1,40 @@
|
|
|
1
|
-
export { checkAccess, getPermissionsForRole, filterFieldsByRole, filterWritableFields, applyFieldAccess } from
|
|
2
|
-
export type { Role, Permission, FieldAccessUser } from
|
|
3
|
-
export { generateToken as generateCsrfToken, validateToken as validateCsrfToken } from
|
|
4
|
-
export { createRateLimiter } from
|
|
5
|
-
export type { RateLimiter, RateLimitConfig, RateLimitResult } from
|
|
6
|
-
export { sanitizeHtml, stripHtml } from
|
|
7
|
-
export { validateMimeType, checkMagicBytes } from
|
|
8
|
-
export { validateWebhookUrl, resolveAndCheck } from
|
|
9
|
-
export { logEvent, getAuditLog } from
|
|
10
|
-
export type { AuditEntry, AuditLogQuery, AuditLogResult } from
|
|
11
|
-
export { getSecurityHeaders } from
|
|
12
|
-
export type { SecurityHeadersConfig } from
|
|
13
|
-
export { applySecurityMiddleware } from
|
|
14
|
-
export type { SecurityMiddlewareConfig, SecurityMiddlewareResult } from
|
|
15
|
-
export { checkBreached } from
|
|
16
|
-
export { detectLoginAnomaly, checkBruteForce } from
|
|
17
|
-
export type { LoginAttempt, AnomalyResult } from
|
|
18
|
-
export { requiresReauth, verifyReauth } from
|
|
19
|
-
export type { ReauthConfig, ReauthContext } from
|
|
20
|
-
export { isIpAllowed } from
|
|
21
|
-
export { enforceSessionLimits } from
|
|
22
|
-
export type { SessionInfo, SessionLimitConfig } from
|
|
23
|
-
export { encryptField, decryptField } from
|
|
24
|
-
export { getCorsHeaders } from
|
|
25
|
-
export type { CorsConfig } from
|
|
26
|
-
export { generateCspNonce, buildCspHeader } from
|
|
27
|
-
export { generateSecurityTxt } from
|
|
28
|
-
export type { SecurityTxtConfig } from
|
|
29
|
-
export { generateApiKey, validateApiKeyScope } from
|
|
30
|
-
export type { ApiKeyScope, EnhancedApiKeyConfig } from
|
|
31
|
-
export { verifyCaptcha, getCaptchaConfig } from
|
|
32
|
-
export type { CaptchaConfig, CaptchaProvider, CaptchaVerifyResult } from
|
|
1
|
+
export { checkAccess, getPermissionsForRole, filterFieldsByRole, filterWritableFields, applyFieldAccess, } from './access.js';
|
|
2
|
+
export type { Role, Permission, FieldAccessUser } from './access.js';
|
|
3
|
+
export { generateToken as generateCsrfToken, validateToken as validateCsrfToken } from './csrf.js';
|
|
4
|
+
export { createRateLimiter } from './rate-limit.js';
|
|
5
|
+
export type { RateLimiter, RateLimitConfig, RateLimitResult } from './rate-limit.js';
|
|
6
|
+
export { sanitizeHtml, stripHtml } from './sanitize.js';
|
|
7
|
+
export { validateMimeType, checkMagicBytes } from './upload.js';
|
|
8
|
+
export { validateWebhookUrl, resolveAndCheck } from './webhook.js';
|
|
9
|
+
export { logEvent, getAuditLog } from './audit.js';
|
|
10
|
+
export type { AuditEntry, AuditLogQuery, AuditLogResult } from './audit.js';
|
|
11
|
+
export { getSecurityHeaders } from './headers.js';
|
|
12
|
+
export type { SecurityHeadersConfig } from './headers.js';
|
|
13
|
+
export { applySecurityMiddleware } from './middleware.js';
|
|
14
|
+
export type { SecurityMiddlewareConfig, SecurityMiddlewareResult } from './middleware.js';
|
|
15
|
+
export { checkBreached } from './breach-check.js';
|
|
16
|
+
export { detectLoginAnomaly, checkBruteForce } from './anomaly-detection.js';
|
|
17
|
+
export type { LoginAttempt, AnomalyResult } from './anomaly-detection.js';
|
|
18
|
+
export { requiresReauth, verifyReauth } from './reauth.js';
|
|
19
|
+
export type { ReauthConfig, ReauthContext } from './reauth.js';
|
|
20
|
+
export { isIpAllowed } from './ip-allowlist.js';
|
|
21
|
+
export { enforceSessionLimits } from './session-limits.js';
|
|
22
|
+
export type { SessionInfo, SessionLimitConfig } from './session-limits.js';
|
|
23
|
+
export { encryptField, decryptField } from './encrypted-fields.js';
|
|
24
|
+
export { getCorsHeaders } from './cors.js';
|
|
25
|
+
export type { CorsConfig } from './cors.js';
|
|
26
|
+
export { generateCspNonce, buildCspHeader } from './csp-nonces.js';
|
|
27
|
+
export { generateSecurityTxt } from './security-txt.js';
|
|
28
|
+
export type { SecurityTxtConfig } from './security-txt.js';
|
|
29
|
+
export { generateApiKey, validateApiKeyScope } from './api-key-enhanced.js';
|
|
30
|
+
export type { ApiKeyScope, EnhancedApiKeyConfig } from './api-key-enhanced.js';
|
|
31
|
+
export { verifyCaptcha, getCaptchaConfig } from './captcha.js';
|
|
32
|
+
export type { CaptchaConfig, CaptchaProvider, CaptchaVerifyResult } from './captcha.js';
|
|
33
|
+
export { getClientIp, isResolvedIp } from './client-ip.js';
|
|
34
|
+
export type { TrustedIpOptions } from './client-ip.js';
|
|
35
|
+
export { safeFetch, SsrfBlockedError } from './safe-fetch.js';
|
|
36
|
+
export type { SafeFetchOptions } from './safe-fetch.js';
|
|
37
|
+
export { encryptSecret, decryptSecret, isEncrypted, encryptStringArray, decryptStringArray, } from './secret-storage.js';
|
|
38
|
+
export { redactSecrets } from './redact.js';
|
|
39
|
+
export { INTERNAL_DATA_KEYS, isInternalDataKey, stripInternalDataKeys } from './internal-keys.js';
|
|
33
40
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,aAAa,CAAA;AACpB,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAEpE,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAElG,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAA;AACnD,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAEpF,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAA;AAEvD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAE/D,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAElE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAClD,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AACjD,YAAY,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAA;AAEzD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAA;AACzD,YAAY,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAA;AAEzF,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAEjD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAC5E,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AAEzE,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1D,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAE9D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAE/C,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAA;AAC1D,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAA;AAE1E,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAElE,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAC1C,YAAY,EAAE,UAAU,EAAE,MAAM,WAAW,CAAA;AAE3C,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAElE,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAA;AACvD,YAAY,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AAE1D,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAA;AAC3E,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAA;AAE9E,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAA;AAC9D,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAA;AAEvF,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAC1D,YAAY,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAEtD,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAC7D,YAAY,EAAE,gBAAgB,EAAE,MAAM,iBAAi
B,CAAA;AAEvD,OAAO,EACL,aAAa,EACb,aAAa,EACb,WAAW,EACX,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAE5B,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAE3C,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAA"}
|
package/dist/security/index.js
CHANGED
|
@@ -1,21 +1,26 @@
|
|
|
1
|
-
export { checkAccess, getPermissionsForRole, filterFieldsByRole, filterWritableFields, applyFieldAccess } from
|
|
2
|
-
export { generateToken as generateCsrfToken, validateToken as validateCsrfToken } from
|
|
3
|
-
export { createRateLimiter } from
|
|
4
|
-
export { sanitizeHtml, stripHtml } from
|
|
5
|
-
export { validateMimeType, checkMagicBytes } from
|
|
6
|
-
export { validateWebhookUrl, resolveAndCheck } from
|
|
7
|
-
export { logEvent, getAuditLog } from
|
|
8
|
-
export { getSecurityHeaders } from
|
|
9
|
-
export { applySecurityMiddleware } from
|
|
10
|
-
export { checkBreached } from
|
|
11
|
-
export { detectLoginAnomaly, checkBruteForce } from
|
|
12
|
-
export { requiresReauth, verifyReauth } from
|
|
13
|
-
export { isIpAllowed } from
|
|
14
|
-
export { enforceSessionLimits } from
|
|
15
|
-
export { encryptField, decryptField } from
|
|
16
|
-
export { getCorsHeaders } from
|
|
17
|
-
export { generateCspNonce, buildCspHeader } from
|
|
18
|
-
export { generateSecurityTxt } from
|
|
19
|
-
export { generateApiKey, validateApiKeyScope } from
|
|
20
|
-
export { verifyCaptcha, getCaptchaConfig } from
|
|
1
|
+
export { checkAccess, getPermissionsForRole, filterFieldsByRole, filterWritableFields, applyFieldAccess, } from './access.js';
|
|
2
|
+
export { generateToken as generateCsrfToken, validateToken as validateCsrfToken } from './csrf.js';
|
|
3
|
+
export { createRateLimiter } from './rate-limit.js';
|
|
4
|
+
export { sanitizeHtml, stripHtml } from './sanitize.js';
|
|
5
|
+
export { validateMimeType, checkMagicBytes } from './upload.js';
|
|
6
|
+
export { validateWebhookUrl, resolveAndCheck } from './webhook.js';
|
|
7
|
+
export { logEvent, getAuditLog } from './audit.js';
|
|
8
|
+
export { getSecurityHeaders } from './headers.js';
|
|
9
|
+
export { applySecurityMiddleware } from './middleware.js';
|
|
10
|
+
export { checkBreached } from './breach-check.js';
|
|
11
|
+
export { detectLoginAnomaly, checkBruteForce } from './anomaly-detection.js';
|
|
12
|
+
export { requiresReauth, verifyReauth } from './reauth.js';
|
|
13
|
+
export { isIpAllowed } from './ip-allowlist.js';
|
|
14
|
+
export { enforceSessionLimits } from './session-limits.js';
|
|
15
|
+
export { encryptField, decryptField } from './encrypted-fields.js';
|
|
16
|
+
export { getCorsHeaders } from './cors.js';
|
|
17
|
+
export { generateCspNonce, buildCspHeader } from './csp-nonces.js';
|
|
18
|
+
export { generateSecurityTxt } from './security-txt.js';
|
|
19
|
+
export { generateApiKey, validateApiKeyScope } from './api-key-enhanced.js';
|
|
20
|
+
export { verifyCaptcha, getCaptchaConfig } from './captcha.js';
|
|
21
|
+
export { getClientIp, isResolvedIp } from './client-ip.js';
|
|
22
|
+
export { safeFetch, SsrfBlockedError } from './safe-fetch.js';
|
|
23
|
+
export { encryptSecret, decryptSecret, isEncrypted, encryptStringArray, decryptStringArray, } from './secret-storage.js';
|
|
24
|
+
export { redactSecrets } from './redact.js';
|
|
25
|
+
export { INTERNAL_DATA_KEYS, isInternalDataKey, stripInternalDataKeys } from './internal-keys.js';
|
|
21
26
|
//# sourceMappingURL=index.js.map
|