@appwarden/middleware 3.2.0 → 3.2.1

package/README.md

@@ -1,6 +1,6 @@
 # @appwarden/middleware
 
-![Test Coverage](https://img.shields.io/badge/coverage-95.67%25-brightgreen)
+![Test Coverage](https://img.shields.io/badge/coverage-95.58%25-brightgreen)
 [![npm version](https://img.shields.io/npm/v/@appwarden/middleware.svg)](https://www.npmjs.com/package/@appwarden/middleware)
 [![npm provenance](https://img.shields.io/badge/npm-provenance-green)](https://docs.npmjs.com/generating-provenance-statements)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)

package/{chunk-FGAJVKNM.js → chunk-A5XGYLYS.js}

@@ -75,6 +75,47 @@ var UseCSPInputSchema = z2.object({
   { path: ["directives"], message: "DirectivesRequired" /* DirectivesRequired */ }
 );
 
+// src/utils/cloudflare/csp-keywords.ts
+var CSP_KEYWORDS = [
+  "self",
+  "none",
+  "unsafe-inline",
+  "unsafe-eval",
+  "unsafe-hashes",
+  "strict-dynamic",
+  "report-sample",
+  "unsafe-allow-redirects",
+  "wasm-unsafe-eval",
+  "trusted-types-eval",
+  "report-sha256",
+  "report-sha384",
+  "report-sha512",
+  "unsafe-webtransport-hashes"
+];
+var CSP_KEYWORDS_SET = new Set(CSP_KEYWORDS);
+var isCSPKeyword = (value) => {
+  return CSP_KEYWORDS_SET.has(value.toLowerCase());
+};
+var isQuoted = (value) => {
+  return value.startsWith("'") && value.endsWith("'");
+};
+var autoQuoteCSPKeyword = (value) => {
+  const trimmed = value.trim();
+  if (isQuoted(trimmed)) {
+    return trimmed;
+  }
+  if (isCSPKeyword(trimmed)) {
+    return `'${trimmed}'`;
+  }
+  return trimmed;
+};
+var autoQuoteCSPDirectiveValue = (value) => {
+  return value.trim().split(/\s+/).filter(Boolean).map(autoQuoteCSPKeyword).join(" ");
+};
+var autoQuoteCSPDirectiveArray = (values) => {
+  return values.map(autoQuoteCSPKeyword);
+};
+
 // src/utils/cloudflare/make-csp-header.ts
 var addNonce = (value, cspNonce) => value.replace("{{nonce}}", `'nonce-${cspNonce}'`);
 var makeCSPHeader = (cspNonce, directives, mode) => {
@@ -85,14 +126,19 @@ var makeCSPHeader = (cspNonce, directives, mode) => {
       throw new Error(`${originalName} is specified more than once`);
     }
     namesSeen.add(name);
+    let directiveValue;
     if (Array.isArray(value)) {
-      value = addNonce(value.join(" "), cspNonce);
+      directiveValue = autoQuoteCSPDirectiveArray(value).join(" ");
     } else if (value === true) {
-      value = "";
+      directiveValue = "";
+    } else if (typeof value === "string") {
+      directiveValue = autoQuoteCSPDirectiveValue(value);
+    } else {
+      return;
     }
-    if (value) {
-      result.push(`${name} ${addNonce(value, cspNonce)}`);
-    } else if (value !== false) {
+    if (directiveValue) {
+      result.push(`${name} ${addNonce(directiveValue, cspNonce)}`);
+    } else {
       result.push(name);
     }
   });

package/cloudflare.js

@@ -1,6 +1,6 @@
 import {
   useContentSecurityPolicy
-} from "./chunk-FGAJVKNM.js";
+} from "./chunk-A5XGYLYS.js";
 import {
   checkLockStatus,
   getLockValue,

package/index.js

@@ -7,7 +7,7 @@ import {
   CSPDirectivesSchema,
   CSPModeSchema,
   useContentSecurityPolicy
-} from "./chunk-FGAJVKNM.js";
+} from "./chunk-A5XGYLYS.js";
 import {
   APPWARDEN_CACHE_KEY,
   LOCKDOWN_TEST_EXPIRY_MS

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appwarden/middleware",
-  "version": "3.2.0",
+  "version": "3.2.1",
   "description": "Instantly shut off access your app deployed on Cloudflare or Vercel",
   "type": "module",
   "license": "MIT",