npm - @angular-helpers/security - Versions diffs - 21.3.0 → 21.4.2 - Mend

@angular-helpers/security 21.3.0 → 21.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +95 -1
package/fesm2022/angular-helpers-security.mjs +280 -35
package/package.json +10 -4
package/types/angular-helpers-security.d.ts +86 -2

package/README.md CHANGED Viewed

@@ -76,6 +76,19 @@ Security package for Angular applications that prevents common attacks like ReDo
 - **Verified auto-clear**: reads back the clipboard before clearing to avoid clobbering unrelated content.
 - **Password-manager semantics**: default 15-second clear, configurable.
+### **Session Inactivity Monitor**
+- **NgZone-optimized**: DOM events tracked outside Angular change detection.
+- **Security interop**: Can automatically clear SecureStorage and SensitiveClipboard upon timeout.
+- **Warning states**: Configurable thresholds to warn users before expiration.
+### **Secure Cross-Window Messaging**
+- **HMAC-SHA-256 signatures**: Every message is signed; tampered payloads are discarded.
+- **Origin whitelist**: Messages from non-allowed origins are rejected before any crypto work.
+- **Anti-replay protection**: Envelope includes `timestamp + nonce`; messages older than 30s are discarded.
+- **SSR-safe**: No-op on the server — no `window` access.
 ### **Builder Pattern**
 - **Fluent API**: Intuitively build regular expressions.
@@ -85,7 +98,7 @@ Security package for Angular applications that prevents common attacks like ReDo
 ## 📦 Installation
 ```bash
-npm install @angular-helpers/security
+pnpm add @angular-helpers/security
 ```
 ## 🚀 Basic Usage
@@ -568,6 +581,87 @@ export class ApiKeyPanel {
 The service reads the clipboard before clearing and skips the clear if the content no longer
 matches what was copied — so third-party copies by the user are never overwritten.
+### **SessionIdleService**
+```typescript
+import { SessionIdleService } from '@angular-helpers/security';
+export class AppComponent {
+  private sessionIdle = inject(SessionIdleService);
+  ngOnInit() {
+    this.sessionIdle.start({
+      timeoutMs: 15 * 60 * 1000, // 15 minutes
+      warningThresholdMs: 60 * 1000, // 1 minute warning
+      autoClearStorage: true,
+      autoClearClipboard: true,
+    });
+    // React to states
+    effect(() => {
+      if (this.sessionIdle.isWarning()) {
+        console.warn(`Session will expire in ${this.sessionIdle.timeRemaining()}ms`);
+      }
+    });
+    // React to timeout
+    this.sessionIdle.onTimeout.subscribe(() => {
+      this.authService.logout();
+    });
+  }
+}
+```
+The service tracks DOM events (`mousemove`, `keydown`, etc.) outside the Angular Zone to prevent change detection spam. It can automatically clear `SecureStorageService` and `SensitiveClipboardService` when the session times out.
+### **SecureMessageService**
+```typescript
+import { SecureMessageService, provideSecureMessage } from '@angular-helpers/security';
+// app.config.ts
+bootstrapApplication(AppComponent, {
+  providers: [provideSecureMessage()],
+});
+// parent-app.component.ts
+export class ParentComponent {
+  private channel = inject(SecureMessageService);
+  async ngOnInit() {
+    // 1. Generate a shared key (transport it to the iframe via a secure channel)
+    const key = await this.channel.generateChannelKey();
+    // 2. Configure: only accept messages from the iframe origin
+    this.channel.configure({
+      allowedOrigins: ['https://child-app.example.com'],
+      signingKey: key,
+    });
+    // 3. React to incoming messages
+    this.channel.messages$<{ type: string; payload: unknown }>().subscribe(({ data, origin }) => {
+      console.log('Verified message from', origin, data);
+    });
+    // 4. Or use the Signal for reactive UI
+    effect(() => {
+      const msg = this.channel.lastMessage()();
+      if (msg) console.log('Last message:', msg.data);
+    });
+  }
+  async sendToChild(iframe: HTMLIFrameElement) {
+    await this.channel.send(
+      iframe.contentWindow!,
+      { type: 'INIT', payload: { userId: 42 } },
+      'https://child-app.example.com', // targetOrigin — never '*'
+    );
+  }
+}
+```
+> **Key exchange**: `SecureMessageService` does not perform automatic key negotiation — transport the `CryptoKey` to the other context via a secure out-of-band channel (e.g., derive it from a shared secret using `WebCryptoService.generateHmacKey()` seeded by a passphrase). Once both sides share the key, all message integrity is handled automatically.
 ## 🔧 Advanced Configuration
 ### **Security Options**

package/fesm2022/angular-helpers-security.mjs CHANGED Viewed

@@ -1,7 +1,8 @@
 import * as i0 from '@angular/core';
-import { inject, DestroyRef, Injectable, PLATFORM_ID, InjectionToken, signal, computed, makeEnvironmentProviders } from '@angular/core';
-import { isPlatformBrowser } from '@angular/common';
-import { Observable } from 'rxjs';
+import { inject, DestroyRef, Injectable, PLATFORM_ID, InjectionToken, signal, computed, NgZone, Injector, makeEnvironmentProviders } from '@angular/core';
+import { isPlatformBrowser, DOCUMENT } from '@angular/common';
+import { Observable, Subject, fromEvent, merge } from 'rxjs';
+import { throttleTime } from 'rxjs/operators';
 /**
  * Security service for regular expressions that prevents ReDoS
@@ -285,10 +286,10 @@ class RegexSecurityService {
         });
         this.workers.clear();
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RegexSecurityService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RegexSecurityService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RegexSecurityService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RegexSecurityService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RegexSecurityService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RegexSecurityService, decorators: [{
             type: Injectable
         }] });
 /**
@@ -528,10 +529,10 @@ class WebCryptoService {
     hmacHashName(algorithm) {
         return algorithm.replace('HMAC-', '');
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: WebCryptoService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: WebCryptoService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: WebCryptoService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: WebCryptoService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: WebCryptoService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: WebCryptoService, decorators: [{
             type: Injectable
         }] });
@@ -719,10 +720,10 @@ class SecureStorageService {
     base64ToBytes(base64) {
         return Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureStorageService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureStorageService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureStorageService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureStorageService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureStorageService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureStorageService, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
@@ -1067,10 +1068,10 @@ class InputSanitizerService {
             return null;
         }
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: InputSanitizerService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: InputSanitizerService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: InputSanitizerService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: InputSanitizerService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: InputSanitizerService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: InputSanitizerService, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
@@ -1102,10 +1103,10 @@ class PasswordStrengthService {
     assess(password) {
         return assessPasswordStrength(password);
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: PasswordStrengthService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: PasswordStrengthService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: PasswordStrengthService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: PasswordStrengthService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: PasswordStrengthService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: PasswordStrengthService, decorators: [{
             type: Injectable
         }] });
@@ -1217,10 +1218,10 @@ class JwtService {
         }
         return payload[name] ?? null;
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: JwtService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: JwtService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: JwtService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: JwtService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: JwtService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: JwtService, decorators: [{
             type: Injectable
         }] });
 function base64UrlDecode(input) {
@@ -1349,10 +1350,24 @@ class SensitiveClipboardService {
             return 'read-denied';
         }
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SensitiveClipboardService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SensitiveClipboardService });
+    /**
+     * Forcefully clears the clipboard unconditionally.
+     */
+    async clear() {
+        if (!this.isSupported())
+            return;
+        this.cancelPendingClear();
+        try {
+            await navigator.clipboard.writeText('');
+        }
+        catch {
+            // ignore
+        }
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SensitiveClipboardService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SensitiveClipboardService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SensitiveClipboardService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SensitiveClipboardService, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
@@ -1425,11 +1440,14 @@ class HibpService {
         const match = findSuffixMatch(body, suffix);
         return match > 0 ? { leaked: true, count: match } : { leaked: false, count: 0 };
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: HibpService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: HibpService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: HibpService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: HibpService, providedIn: 'root' });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: HibpService, decorators: [{
-            type: Injectable
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: HibpService, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
         }], ctorParameters: () => [] });
 function findSuffixMatch(body, suffix) {
     const lines = body.split(/\r?\n/);
@@ -1597,10 +1615,10 @@ class RateLimiterService {
         bucket.lastRefillAt = now;
         bucket.remaining.set(Math.floor(bucket.tokens));
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RateLimiterService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RateLimiterService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RateLimiterService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RateLimiterService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RateLimiterService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RateLimiterService, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
 function validatePolicy(policy) {
@@ -1679,10 +1697,10 @@ class CsrfService {
     get nativeStorage() {
         return this.storageTarget === 'session' ? sessionStorage : localStorage;
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: CsrfService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: CsrfService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: CsrfService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: CsrfService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: CsrfService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: CsrfService, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
 const DEFAULT_HEADER_NAME = 'X-CSRF-Token';
@@ -1716,6 +1734,221 @@ function withCsrfHeader(options = {}) {
     };
 }
+const DEFAULT_EVENTS = ['mousemove', 'keydown', 'mousedown', 'touchstart', 'scroll'];
+class SessionIdleService {
+    ngZone = inject(NgZone);
+    document = inject(DOCUMENT);
+    injector = inject(Injector);
+    destroyRef = inject(DestroyRef);
+    _isIdle = signal(false, ...(ngDevMode ? [{ debugName: "_isIdle" }] : /* istanbul ignore next */ []));
+    _isWarning = signal(false, ...(ngDevMode ? [{ debugName: "_isWarning" }] : /* istanbul ignore next */ []));
+    _timeRemaining = signal(null, ...(ngDevMode ? [{ debugName: "_timeRemaining" }] : /* istanbul ignore next */ []));
+    _timeoutSubject = new Subject();
+    isIdle = this._isIdle.asReadonly();
+    isWarning = this._isWarning.asReadonly();
+    timeRemaining = this._timeRemaining.asReadonly();
+    onTimeout = this._timeoutSubject.asObservable();
+    config = null;
+    lastActivityTime = 0;
+    timerInterval = null;
+    eventSubscription;
+    constructor() {
+        this.destroyRef.onDestroy(() => this.stop());
+    }
+    start(config) {
+        this.stop();
+        this.config = config;
+        this._isIdle.set(false);
+        this._isWarning.set(false);
+        this._timeRemaining.set(config.timeoutMs);
+        this.lastActivityTime = Date.now();
+        const eventsToTrack = config.events || DEFAULT_EVENTS;
+        this.ngZone.runOutsideAngular(() => {
+            const observables = eventsToTrack.map((ev) => fromEvent(this.document, ev));
+            this.eventSubscription = merge(...observables)
+                .pipe(throttleTime(500))
+                .subscribe(() => {
+                this.lastActivityTime = Date.now();
+            });
+            this.timerInterval = setInterval(() => this.checkIdle(), 1000);
+        });
+    }
+    stop() {
+        if (this.timerInterval) {
+            clearInterval(this.timerInterval);
+            this.timerInterval = null;
+        }
+        if (this.eventSubscription) {
+            this.eventSubscription.unsubscribe();
+            this.eventSubscription = undefined;
+        }
+        this.config = null;
+        this._timeRemaining.set(null);
+        this._isIdle.set(false);
+        this._isWarning.set(false);
+    }
+    reset() {
+        if (!this.config)
+            return;
+        this.lastActivityTime = Date.now();
+        this._timeRemaining.set(this.config.timeoutMs);
+        this._isIdle.set(false);
+        this._isWarning.set(false);
+    }
+    checkIdle() {
+        if (!this.config || this._isIdle())
+            return;
+        const elapsed = Date.now() - this.lastActivityTime;
+        const remaining = Math.max(0, this.config.timeoutMs - elapsed);
+        if (remaining === 0) {
+            this.triggerTimeout();
+        }
+        else {
+            const warningThreshold = this.config.warningThresholdMs || 0;
+            const shouldBeWarning = remaining <= warningThreshold;
+            this.ngZone.run(() => {
+                this._timeRemaining.set(remaining);
+                if (this._isWarning() !== shouldBeWarning) {
+                    this._isWarning.set(shouldBeWarning);
+                }
+            });
+        }
+    }
+    triggerTimeout() {
+        const config = this.config;
+        this.stop();
+        // Restore config temporarily to check for autoClear flags
+        this.config = config;
+        this.ngZone.run(() => {
+            this._timeRemaining.set(0);
+            this._isIdle.set(true);
+            this._timeoutSubject.next();
+            if (this.config?.autoClearStorage) {
+                const storage = this.injector.get(SecureStorageService, null);
+                if (storage)
+                    storage.clear();
+            }
+            if (this.config?.autoClearClipboard) {
+                const clipboard = this.injector.get(SensitiveClipboardService, null);
+                if (clipboard)
+                    clipboard.clear();
+            }
+            this.config = null;
+        });
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SessionIdleService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SessionIdleService, providedIn: 'root' });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SessionIdleService, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
+        }], ctorParameters: () => [] });
+const REPLAY_WINDOW_MS = 30_000;
+class SecureMessageService {
+    ngZone = inject(NgZone);
+    platformId = inject(PLATFORM_ID);
+    document = inject(DOCUMENT);
+    crypto = inject(WebCryptoService);
+    config = null;
+    _lastMessage = signal(null, ...(ngDevMode ? [{ debugName: "_lastMessage" }] : /* istanbul ignore next */ []));
+    _messages$ = new Subject();
+    messageHandler = null;
+    get targetWindow() {
+        return this.document.defaultView;
+    }
+    /** Returns a new HMAC-SHA-256 CryptoKey ready to use in `configure()`. */
+    generateChannelKey() {
+        return this.crypto.generateHmacKey('HMAC-SHA-256');
+    }
+    /**
+     * Configures the service with a signing key and allowed origins.
+     * Starts listening for incoming messages.
+     */
+    configure(config) {
+        this.destroy();
+        this.config = config;
+        if (!isPlatformBrowser(this.platformId))
+            return;
+        this.ngZone.runOutsideAngular(() => {
+            this.messageHandler = (event) => this.handleMessage(event);
+            this.targetWindow.addEventListener('message', this.messageHandler);
+        });
+    }
+    /**
+     * Signs and sends a payload to a target window.
+     * @throws if `targetOrigin` is `'*'`
+     */
+    async send(target, payload, targetOrigin) {
+        if (targetOrigin === '*') {
+            throw new Error('SecureMessageService: targetOrigin must be an explicit origin, not "*".');
+        }
+        if (!this.config) {
+            throw new Error('SecureMessageService: call configure() before send().');
+        }
+        const timestamp = Date.now();
+        const nonce = this.targetWindow.crypto.randomUUID();
+        const body = { payload, timestamp, nonce };
+        const signature = await this.crypto.sign(this.config.signingKey, JSON.stringify(body));
+        const envelope = { __signed: true, ...body, signature };
+        target.postMessage(envelope, targetOrigin);
+    }
+    /** Observable of verified incoming messages. */
+    messages$() {
+        return this._messages$.asObservable();
+    }
+    /** Signal with the last verified incoming message (null before first message). */
+    lastMessage() {
+        return this._lastMessage;
+    }
+    /** Removes the window listener and completes the internal Subject. */
+    destroy() {
+        if (this.messageHandler && isPlatformBrowser(this.platformId)) {
+            this.targetWindow.removeEventListener('message', this.messageHandler);
+            this.messageHandler = null;
+        }
+        this.config = null;
+    }
+    async handleMessage(event) {
+        if (!this.config)
+            return;
+        // 1. Origin whitelist
+        if (!this.config.allowedOrigins.includes(event.origin))
+            return;
+        // 2. Envelope shape
+        const env = event.data;
+        if (env?.__signed !== true)
+            return;
+        const { payload, timestamp, nonce, signature } = env;
+        if (!payload || !timestamp || !nonce || !signature)
+            return;
+        // 3. Replay window
+        if (Date.now() - timestamp > REPLAY_WINDOW_MS)
+            return;
+        // 4. Signature verification
+        const body = { payload, timestamp, nonce };
+        const valid = await this.crypto.verify(this.config.signingKey, JSON.stringify(body), signature);
+        if (!valid)
+            return;
+        // 5. Emit inside NgZone so signals trigger CD
+        this.ngZone.run(() => {
+            const message = { data: payload, origin: event.origin, timestamp };
+            this._lastMessage.set(message);
+            this._messages$.next(message);
+        });
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureMessageService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureMessageService, providedIn: 'root' });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureMessageService, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
+        }] });
 const defaultSecurityConfig = {
     enableRegexSecurity: true,
     enableWebCrypto: true,
@@ -1727,6 +1960,8 @@ const defaultSecurityConfig = {
     enableHibp: false,
     enableRateLimiter: false,
     enableCsrf: false,
+    enableSessionIdle: false,
+    enableSecureMessage: false,
     defaultTimeout: 5000,
     safeMode: false,
 };
@@ -1755,6 +1990,10 @@ function provideSecurity(config = {}) {
     if (mergedConfig.enableCsrf) {
         providers.push(WebCryptoService, CsrfService);
     }
+    if (mergedConfig.enableSessionIdle)
+        providers.push(SessionIdleService);
+    if (mergedConfig.enableSecureMessage)
+        providers.push(SecureMessageService);
     return makeEnvironmentProviders(providers);
 }
 function provideRegexSecurity() {
@@ -1804,9 +2043,15 @@ function provideCsrf(config) {
         ...(config ? [{ provide: CSRF_CONFIG, useValue: config }] : []),
     ]);
 }
+function provideSessionIdle() {
+    return makeEnvironmentProviders([SessionIdleService]);
+}
+function provideSecureMessage() {
+    return makeEnvironmentProviders([WebCryptoService, SecureMessageService]);
+}
 /**
  * Generated bundle index. Do not edit.
  */
-export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureStorageService, SensitiveClipboardService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };
+export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureMessageService, SecureStorageService, SensitiveClipboardService, SessionIdleService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureMessage, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideSessionIdle, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@angular-helpers/security",
-  "version": "21.3.0",
+  "version": "21.4.2",
   "description": "Angular security helpers for preventing ReDoS and other security vulnerabilities",
   "keywords": [
     "angular",
@@ -16,7 +16,12 @@
     "xss",
     "sanitization",
     "password-strength",
-    "secure-storage"
+    "secure-storage",
+    "session-idle",
+    "inactivity",
+    "postmessage",
+    "iframe",
+    "secure-channel"
   ],
   "author": "Angular Helpers Team",
   "license": "MIT",
@@ -64,5 +69,6 @@
       "default": "./fesm2022/angular-helpers-security-signal-forms.mjs"
     }
   },
-  "sideEffects": false
-}
+  "sideEffects": false,
+  "type": "module"
+}

package/types/angular-helpers-security.d.ts CHANGED Viewed

@@ -537,6 +537,10 @@ declare class SensitiveClipboardService {
      */
     cancelPendingClear(): void;
     private safeClear;
+    /**
+     * Forcefully clears the clipboard unconditionally.
+     */
+    clear(): Promise<void>;
     static ɵfac: i0.ɵɵFactoryDeclaration<SensitiveClipboardService, never>;
     static ɵprov: i0.ɵɵInjectableDeclaration<SensitiveClipboardService>;
 }
@@ -745,6 +749,82 @@ interface CsrfHeaderOptions {
  */
 declare function withCsrfHeader(options?: CsrfHeaderOptions): HttpInterceptorFn;
+interface SessionIdleConfig {
+    timeoutMs: number;
+    warningThresholdMs?: number;
+    autoClearStorage?: boolean;
+    autoClearClipboard?: boolean;
+    events?: string[];
+}
+declare class SessionIdleService {
+    private ngZone;
+    private document;
+    private injector;
+    private destroyRef;
+    private _isIdle;
+    private _isWarning;
+    private _timeRemaining;
+    private _timeoutSubject;
+    readonly isIdle: Signal<boolean>;
+    readonly isWarning: Signal<boolean>;
+    readonly timeRemaining: Signal<number | null>;
+    readonly onTimeout: Observable<void>;
+    private config;
+    private lastActivityTime;
+    private timerInterval;
+    private eventSubscription?;
+    constructor();
+    start(config: SessionIdleConfig): void;
+    stop(): void;
+    reset(): void;
+    private checkIdle;
+    private triggerTimeout;
+    static ɵfac: i0.ɵɵFactoryDeclaration<SessionIdleService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<SessionIdleService>;
+}
+interface SecureMessageConfig {
+    allowedOrigins: string[];
+    signingKey: CryptoKey;
+}
+interface SecureMessage<T = unknown> {
+    data: T;
+    origin: string;
+    timestamp: number;
+}
+declare class SecureMessageService {
+    private readonly ngZone;
+    private readonly platformId;
+    private readonly document;
+    private readonly crypto;
+    private config;
+    private _lastMessage;
+    private _messages$;
+    private messageHandler;
+    private get targetWindow();
+    /** Returns a new HMAC-SHA-256 CryptoKey ready to use in `configure()`. */
+    generateChannelKey(): Promise<CryptoKey>;
+    /**
+     * Configures the service with a signing key and allowed origins.
+     * Starts listening for incoming messages.
+     */
+    configure(config: SecureMessageConfig): void;
+    /**
+     * Signs and sends a payload to a target window.
+     * @throws if `targetOrigin` is `'*'`
+     */
+    send<T>(target: Window, payload: T, targetOrigin: string): Promise<void>;
+    /** Observable of verified incoming messages. */
+    messages$<T = unknown>(): Observable<SecureMessage<T>>;
+    /** Signal with the last verified incoming message (null before first message). */
+    lastMessage<T = unknown>(): Signal<SecureMessage<T> | null>;
+    /** Removes the window listener and completes the internal Subject. */
+    destroy(): void;
+    private handleMessage;
+    static ɵfac: i0.ɵɵFactoryDeclaration<SecureMessageService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<SecureMessageService>;
+}
 interface SecurityConfig {
     enableRegexSecurity?: boolean;
     enableWebCrypto?: boolean;
@@ -756,6 +836,8 @@ interface SecurityConfig {
     enableHibp?: boolean;
     enableRateLimiter?: boolean;
     enableCsrf?: boolean;
+    enableSessionIdle?: boolean;
+    enableSecureMessage?: boolean;
     defaultTimeout?: number;
     safeMode?: boolean;
 }
@@ -771,6 +853,8 @@ declare function provideSensitiveClipboard(): EnvironmentProviders;
 declare function provideHibp(config?: HibpConfig): EnvironmentProviders;
 declare function provideRateLimiter(config?: RateLimiterConfig): EnvironmentProviders;
 declare function provideCsrf(config?: CsrfConfig): EnvironmentProviders;
+declare function provideSessionIdle(): EnvironmentProviders;
+declare function provideSecureMessage(): EnvironmentProviders;
-export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureStorageService, SensitiveClipboardService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };
-export type { AesEncryptResult, AesKeyLength, CopyStatus, CsrfConfig, CsrfHeaderOptions, CsrfStorageTarget, HashAlgorithm, HibpConfig, HibpResult, HmacAlgorithm, HtmlSanitizerOptions, HttpMethod, JwtStandardClaims, PasswordAssessment, PasswordLabel, PasswordScore, PasswordStrengthResult, RateLimitPolicy, RateLimiterConfig, RegexBuilderOptions, RegexSecurityConfig, RegexSecurityResult, RegexTestResult, SanitizerConfig, SecureStorageConfig, SecurityConfig, SensitiveCopyOptions, StorageTarget };
+export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureMessageService, SecureStorageService, SensitiveClipboardService, SessionIdleService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureMessage, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideSessionIdle, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };
+export type { AesEncryptResult, AesKeyLength, CopyStatus, CsrfConfig, CsrfHeaderOptions, CsrfStorageTarget, HashAlgorithm, HibpConfig, HibpResult, HmacAlgorithm, HtmlSanitizerOptions, HttpMethod, JwtStandardClaims, PasswordAssessment, PasswordLabel, PasswordScore, PasswordStrengthResult, RateLimitPolicy, RateLimiterConfig, RegexBuilderOptions, RegexSecurityConfig, RegexSecurityResult, RegexTestResult, SanitizerConfig, SecureMessage, SecureMessageConfig, SecureStorageConfig, SecurityConfig, SensitiveCopyOptions, SessionIdleConfig, StorageTarget };