@angular-helpers/security 21.4.1 → 21.4.3

package/README.md

@@ -98,7 +98,7 @@ Security package for Angular applications that prevents common attacks like ReDo
 ## 📦 Installation
 
 ```bash
-npm install @angular-helpers/security
+pnpm add @angular-helpers/security
 ```
 
 ## 🚀 Basic Usage

package/fesm2022/angular-helpers-security.mjs

@@ -286,10 +286,10 @@ class RegexSecurityService {
         });
         this.workers.clear();
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RegexSecurityService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RegexSecurityService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RegexSecurityService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RegexSecurityService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RegexSecurityService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RegexSecurityService, decorators: [{
             type: Injectable
         }] });
 /**
@@ -529,10 +529,10 @@ class WebCryptoService {
     hmacHashName(algorithm) {
         return algorithm.replace('HMAC-', '');
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: WebCryptoService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: WebCryptoService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: WebCryptoService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: WebCryptoService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: WebCryptoService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: WebCryptoService, decorators: [{
             type: Injectable
         }] });
 
@@ -720,10 +720,10 @@ class SecureStorageService {
     base64ToBytes(base64) {
         return Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureStorageService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureStorageService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureStorageService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureStorageService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureStorageService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureStorageService, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
 
@@ -922,6 +922,7 @@ const DEFAULT_ALLOWED_TAGS = [
 const DEFAULT_ALLOWED_ATTRIBUTES = {
     a: ['href'],
 };
+const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'data', 'poster']);
 /**
  * Sanitizes an HTML string by allowlist. Browser-only: requires DOMParser.
  *
@@ -980,7 +981,7 @@ function sanitizeElementAttributes(element, tagName, allowedAttributes) {
             attrsToRemove.push(attr.name);
             continue;
         }
-        if (attr.name === 'href' && sanitizeUrlString(attr.value) === null) {
+        if (URL_ATTRIBUTES.has(attr.name) && sanitizeUrlString(attr.value) === null) {
             attrsToRemove.push(attr.name);
         }
     }
@@ -1068,10 +1069,10 @@ class InputSanitizerService {
             return null;
         }
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: InputSanitizerService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: InputSanitizerService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: InputSanitizerService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: InputSanitizerService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: InputSanitizerService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: InputSanitizerService, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
 
@@ -1103,10 +1104,10 @@ class PasswordStrengthService {
     assess(password) {
         return assessPasswordStrength(password);
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: PasswordStrengthService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: PasswordStrengthService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: PasswordStrengthService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: PasswordStrengthService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: PasswordStrengthService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: PasswordStrengthService, decorators: [{
             type: Injectable
         }] });
 
@@ -1218,10 +1219,10 @@ class JwtService {
         }
         return payload[name] ?? null;
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: JwtService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: JwtService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: JwtService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: JwtService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: JwtService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: JwtService, decorators: [{
             type: Injectable
         }] });
 function base64UrlDecode(input) {
@@ -1364,10 +1365,10 @@ class SensitiveClipboardService {
             // ignore
         }
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SensitiveClipboardService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SensitiveClipboardService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SensitiveClipboardService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SensitiveClipboardService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SensitiveClipboardService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SensitiveClipboardService, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
 
@@ -1440,11 +1441,14 @@ class HibpService {
         const match = findSuffixMatch(body, suffix);
         return match > 0 ? { leaked: true, count: match } : { leaked: false, count: 0 };
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: HibpService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: HibpService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: HibpService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: HibpService, providedIn: 'root' });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: HibpService, decorators: [{
-            type: Injectable
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: HibpService, decorators: [{
+            type: Injectable,
+            args: [{
+                    providedIn: 'root',
+                }]
         }], ctorParameters: () => [] });
 function findSuffixMatch(body, suffix) {
     const lines = body.split(/\r?\n/);
@@ -1509,13 +1513,23 @@ class RateLimiterService {
                 this.configure(key, policy);
             }
         }
-        this.destroyRef.onDestroy(() => this.buckets.clear());
+        this.destroyRef.onDestroy(() => {
+            for (const bucket of this.buckets.values()) {
+                if (bucket.timerId)
+                    clearTimeout(bucket.timerId);
+            }
+            this.buckets.clear();
+        });
     }
     /**
      * Registers or updates the policy for `key`. Re-configuring an existing key resets its state.
      */
     configure(key, policy) {
         validatePolicy(policy);
+        const existing = this.buckets.get(key);
+        if (existing && existing.timerId) {
+            clearTimeout(existing.timerId);
+        }
         const now = Date.now();
         const initialRemaining = policy.type === 'token-bucket' ? policy.capacity : policy.max;
         this.buckets.set(key, {
@@ -1550,6 +1564,7 @@ class RateLimiterService {
             }
             bucket.tokens -= tokens;
             bucket.remaining.set(Math.floor(bucket.tokens));
+            this.scheduleAutoRefill(key, bucket);
             return;
         }
         // sliding-window
@@ -1563,6 +1578,7 @@ class RateLimiterService {
         for (let i = 0; i < tokens; i++)
             bucket.timestamps.push(now);
         bucket.remaining.set(bucket.policy.max - bucket.timestamps.length);
+        this.scheduleAutoRefill(key, bucket);
     }
     /**
      * Reactive signal indicating whether a single unit can be consumed from `key` right now.
@@ -1591,6 +1607,10 @@ class RateLimiterService {
         const bucket = this.buckets.get(key);
         if (!bucket)
             return;
+        if (bucket.timerId) {
+            clearTimeout(bucket.timerId);
+            bucket.timerId = undefined;
+        }
         bucket.timestamps = [];
         if (bucket.policy.type === 'token-bucket') {
             bucket.tokens = bucket.policy.capacity;
@@ -1612,10 +1632,45 @@ class RateLimiterService {
         bucket.lastRefillAt = now;
         bucket.remaining.set(Math.floor(bucket.tokens));
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RateLimiterService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RateLimiterService });
+    scheduleAutoRefill(key, bucket) {
+        if (bucket.timerId) {
+            clearTimeout(bucket.timerId);
+            bucket.timerId = undefined;
+        }
+        const now = Date.now();
+        if (bucket.policy.type === 'token-bucket') {
+            if (bucket.tokens >= bucket.policy.capacity) {
+                return;
+            }
+            const currentFloor = Math.floor(bucket.tokens);
+            const nextInteger = currentFloor + 1;
+            const deficit = nextInteger - bucket.tokens;
+            const timeToNextTokenMs = Math.max(10, Math.ceil((deficit / bucket.policy.refillPerSecond) * 1000));
+            bucket.timerId = setTimeout(() => {
+                const tNow = Date.now();
+                this.refillTokenBucket(bucket, tNow);
+                this.scheduleAutoRefill(key, bucket);
+            }, timeToNextTokenMs);
+        }
+        else {
+            // sliding-window
+            const windowStart = now - bucket.policy.windowMs;
+            bucket.timestamps = bucket.timestamps.filter((t) => t > windowStart);
+            bucket.remaining.set(bucket.policy.max - bucket.timestamps.length);
+            if (bucket.timestamps.length === 0) {
+                return;
+            }
+            const oldest = bucket.timestamps[0];
+            const timeToExpiryMs = Math.max(10, oldest + bucket.policy.windowMs - now);
+            bucket.timerId = setTimeout(() => {
+                this.scheduleAutoRefill(key, bucket);
+            }, timeToExpiryMs);
+        }
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RateLimiterService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RateLimiterService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: RateLimiterService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: RateLimiterService, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
 function validatePolicy(policy) {
@@ -1694,10 +1749,10 @@ class CsrfService {
     get nativeStorage() {
         return this.storageTarget === 'session' ? sessionStorage : localStorage;
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: CsrfService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: CsrfService });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: CsrfService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: CsrfService });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: CsrfService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: CsrfService, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
 const DEFAULT_HEADER_NAME = 'X-CSRF-Token';
@@ -1833,10 +1888,10 @@ class SessionIdleService {
             this.config = null;
         });
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SessionIdleService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SessionIdleService, providedIn: 'root' });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SessionIdleService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SessionIdleService, providedIn: 'root' });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SessionIdleService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SessionIdleService, decorators: [{
             type: Injectable,
             args: [{
                     providedIn: 'root',
@@ -1936,10 +1991,10 @@ class SecureMessageService {
             this._messages$.next(message);
         });
     }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureMessageService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureMessageService, providedIn: 'root' });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureMessageService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureMessageService, providedIn: 'root' });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureMessageService, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.13", ngImport: i0, type: SecureMessageService, decorators: [{
             type: Injectable,
             args: [{
                     providedIn: 'root',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@angular-helpers/security",
-  "version": "21.4.1",
+  "version": "21.4.3",
   "description": "Angular security helpers for preventing ReDoS and other security vulnerabilities",
   "keywords": [
     "angular",
@@ -71,4 +71,4 @@
   },
   "sideEffects": false,
   "type": "module"
-}
+}

package/types/angular-helpers-security.d.ts

@@ -675,6 +675,7 @@ declare class RateLimiterService {
      */
     reset(key: string): void;
     private refillTokenBucket;
+    private scheduleAutoRefill;
     static ɵfac: i0.ɵɵFactoryDeclaration<RateLimiterService, never>;
     static ɵprov: i0.ɵɵInjectableDeclaration<RateLimiterService>;
 }