npm - @arcis/node - Versions diffs - 1.3.0 → 1.4.2 - Mend

@arcis/node 1.3.0 → 1.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (139) hide show

package/README.md +1 -1
package/dist/core/{index.d.mts → constants.d.ts} +21 -70
package/dist/core/constants.d.ts.map +1 -0
package/dist/core/errors.d.ts +53 -0
package/dist/core/errors.d.ts.map +1 -0
package/dist/core/index.d.ts +6 -168
package/dist/core/index.d.ts.map +1 -0
package/dist/core/index.js +11 -3
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +11 -3
package/dist/core/index.mjs.map +1 -1
package/dist/{types-BOkx5YJc.d.mts → core/types.d.ts} +27 -30
package/dist/core/types.d.ts.map +1 -0
package/dist/index.d.ts +71 -166
package/dist/index.d.ts.map +1 -0
package/dist/index.js +182 -48
package/dist/index.js.map +1 -1
package/dist/index.mjs +182 -50
package/dist/index.mjs.map +1 -1
package/dist/logging/index.d.ts +4 -36
package/dist/logging/index.d.ts.map +1 -0
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/logging/{index.d.mts → redactor.d.ts} +5 -9
package/dist/logging/redactor.d.ts.map +1 -0
package/dist/middleware/bot-detection.d.ts +86 -0
package/dist/middleware/bot-detection.d.ts.map +1 -0
package/dist/middleware/cookies.d.ts +48 -0
package/dist/middleware/cookies.d.ts.map +1 -0
package/dist/middleware/cors.d.ts +65 -0
package/dist/middleware/cors.d.ts.map +1 -0
package/dist/middleware/csrf.d.ts +109 -0
package/dist/middleware/csrf.d.ts.map +1 -0
package/dist/middleware/error-handler.d.ts +43 -0
package/dist/middleware/error-handler.d.ts.map +1 -0
package/dist/middleware/headers.d.ts +29 -0
package/dist/middleware/headers.d.ts.map +1 -0
package/dist/middleware/hpp.d.ts +56 -0
package/dist/middleware/hpp.d.ts.map +1 -0
package/dist/middleware/index.d.ts +16 -3
package/dist/middleware/index.d.ts.map +1 -0
package/dist/middleware/index.js +68 -31
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +69 -32
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/main.d.ts +40 -0
package/dist/middleware/main.d.ts.map +1 -0
package/dist/middleware/rate-limit-sliding.d.ts +46 -0
package/dist/middleware/rate-limit-sliding.d.ts.map +1 -0
package/dist/middleware/rate-limit-token.d.ts +51 -0
package/dist/middleware/rate-limit-token.d.ts.map +1 -0
package/dist/middleware/rate-limit.d.ts +34 -0
package/dist/middleware/rate-limit.d.ts.map +1 -0
package/dist/sanitizers/command.d.ts +28 -0
package/dist/sanitizers/command.d.ts.map +1 -0
package/dist/sanitizers/encode.d.ts +46 -0
package/dist/sanitizers/encode.d.ts.map +1 -0
package/dist/sanitizers/headers.d.ts +46 -0
package/dist/sanitizers/headers.d.ts.map +1 -0
package/dist/sanitizers/index.d.ts +18 -22
package/dist/sanitizers/index.d.ts.map +1 -0
package/dist/sanitizers/index.js +90 -32
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +88 -33
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/jsonp.d.ts +34 -0
package/dist/sanitizers/jsonp.d.ts.map +1 -0
package/dist/sanitizers/ldap.d.ts +42 -0
package/dist/sanitizers/ldap.d.ts.map +1 -0
package/dist/sanitizers/nosql.d.ts +31 -0
package/dist/sanitizers/nosql.d.ts.map +1 -0
package/dist/sanitizers/path.d.ts +28 -0
package/dist/sanitizers/path.d.ts.map +1 -0
package/dist/sanitizers/pii.d.ts +80 -0
package/dist/sanitizers/pii.d.ts.map +1 -0
package/dist/sanitizers/prototype.d.ts +34 -0
package/dist/sanitizers/prototype.d.ts.map +1 -0
package/dist/sanitizers/sanitize.d.ts +51 -0
package/dist/sanitizers/sanitize.d.ts.map +1 -0
package/dist/sanitizers/sql.d.ts +28 -0
package/dist/sanitizers/sql.d.ts.map +1 -0
package/dist/sanitizers/ssti.d.ts +20 -0
package/dist/sanitizers/ssti.d.ts.map +1 -0
package/dist/sanitizers/utils.d.ts +19 -0
package/dist/sanitizers/utils.d.ts.map +1 -0
package/dist/sanitizers/xss.d.ts +35 -0
package/dist/sanitizers/xss.d.ts.map +1 -0
package/dist/sanitizers/xxe.d.ts +20 -0
package/dist/sanitizers/xxe.d.ts.map +1 -0
package/dist/stores/index.d.ts +6 -104
package/dist/stores/index.d.ts.map +1 -0
package/dist/stores/index.js +21 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs +21 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/stores/memory.d.ts +29 -0
package/dist/stores/memory.d.ts.map +1 -0
package/dist/stores/{index.d.mts → redis.d.ts} +6 -45
package/dist/stores/redis.d.ts.map +1 -0
package/dist/utils/duration.d.ts +34 -0
package/dist/utils/duration.d.ts.map +1 -0
package/dist/utils/fingerprint.d.ts +64 -0
package/dist/utils/fingerprint.d.ts.map +1 -0
package/dist/utils/index.d.ts +10 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +188 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/index.mjs +182 -0
package/dist/utils/index.mjs.map +1 -0
package/dist/utils/ip.d.ts +70 -0
package/dist/utils/ip.d.ts.map +1 -0
package/dist/validation/email.d.ts +82 -0
package/dist/validation/email.d.ts.map +1 -0
package/dist/validation/file.d.ts +90 -0
package/dist/validation/file.d.ts.map +1 -0
package/dist/validation/index.d.ts +10 -3
package/dist/validation/index.d.ts.map +1 -0
package/dist/validation/index.js +38 -21
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +38 -21
package/dist/validation/index.mjs.map +1 -1
package/dist/validation/redirect.d.ts +64 -0
package/dist/validation/redirect.d.ts.map +1 -0
package/dist/validation/schema.d.ts +36 -0
package/dist/validation/schema.d.ts.map +1 -0
package/dist/validation/url.d.ts +65 -0
package/dist/validation/url.d.ts.map +1 -0
package/package.json +8 -6
package/dist/encode-CrQCGlBq.d.mts +0 -484
package/dist/encode-jl9sOwmA.d.ts +0 -484
package/dist/index-BAhgn9V2.d.ts +0 -532
package/dist/index-BGNKspqH.d.ts +0 -340
package/dist/index-Cd02z-0j.d.mts +0 -340
package/dist/index-DgJtWMSj.d.mts +0 -532
package/dist/index.d.mts +0 -175
package/dist/middleware/index.d.mts +0 -3
package/dist/sanitizers/index.d.mts +0 -24
package/dist/types-BOkx5YJc.d.ts +0 -279
package/dist/validation/index.d.mts +0 -3

package/dist/middleware/csrf.d.ts ADDED Viewed

@@ -0,0 +1,109 @@
+/**
+ * @module @arcis/node/middleware/csrf
+ * CSRF (Cross-Site Request Forgery) protection middleware
+ *
+ * Implements the double-submit cookie pattern:
+ * 1. Server sets a CSRF token in a cookie
+ * 2. Client must send the same token in a header or form field
+ * 3. Middleware rejects requests where cookie token !== header/field token
+ *
+ * This works because an attacker's cross-origin form submission will include
+ * the cookie automatically, but cannot read it (same-origin policy) to set
+ * the matching header.
+ */
+import type { Request, Response, NextFunction, RequestHandler } from 'express';
+/** CSRF protection configuration */
+export interface CsrfOptions {
+    /** Cookie name for the CSRF token. Default: '_csrf' */
+    cookieName?: string;
+    /** Header name to check for the token. Default: 'x-csrf-token' */
+    headerName?: string;
+    /** Form field name to check for the token. Default: '_csrf' */
+    fieldName?: string;
+    /** Token byte length (hex-encoded = 2x chars). Default: 32 */
+    tokenLength?: number;
+    /** HTTP methods to protect. Default: ['POST', 'PUT', 'PATCH', 'DELETE'] */
+    protectedMethods?: string[];
+    /** Paths to exclude from CSRF checks (e.g., webhook endpoints) */
+    excludePaths?: string[];
+    /**
+     * Per-request skip function. If it returns true, CSRF check is skipped
+     * for that request. Useful for API key auth or signed webhooks.
+     *
+     * @example
+     * skipCsrf: (req) => Boolean(req.headers['x-api-key'])
+     */
+    skipCsrf?: (req: Request) => boolean;
+    /**
+     * Use the __Host- cookie prefix for stronger cookie security.
+     * When enabled, the browser enforces: Secure=true, no Domain, Path=/.
+     * This prevents CSRF cookie theft across subdomains.
+     * Default: false
+     */
+    useHostPrefix?: boolean;
+    /** Cookie options */
+    cookie?: {
+        /** Cookie path. Default: '/' */
+        path?: string;
+        /** HttpOnly — set false so client JS can read it for headers. Default: false */
+        httpOnly?: boolean;
+        /** Secure flag (HTTPS only). Default: true in production */
+        secure?: boolean;
+        /** SameSite attribute. Default: 'Lax' */
+        sameSite?: 'Strict' | 'Lax' | 'None';
+        /** Cookie domain */
+        domain?: string;
+    };
+    /** Custom error handler when CSRF validation fails */
+    onError?: (req: Request, res: Response, next: NextFunction) => void;
+}
+/**
+ * Generate a cryptographically random CSRF token.
+ *
+ * @param length - Byte length (output is hex, so 2x chars). Default: 32
+ * @returns Hex-encoded random token
+ *
+ * @example
+ * const token = generateCsrfToken(); // 64 hex chars
+ */
+export declare function generateCsrfToken(length?: number): string;
+/**
+ * Validate that two CSRF tokens match using constant-time comparison.
+ *
+ * @param cookieToken - Token from the cookie
+ * @param requestToken - Token from the header or form field
+ * @returns true if tokens match
+ */
+export declare function validateCsrfToken(cookieToken: string, requestToken: string): boolean;
+/**
+ * Create CSRF protection middleware using double-submit cookie pattern.
+ *
+ * For safe methods (GET, HEAD, OPTIONS), sets a CSRF token cookie if not present.
+ * For unsafe methods (POST, PUT, PATCH, DELETE), validates the token.
+ *
+ * @param options - CSRF configuration
+ * @returns Express middleware
+ *
+ * @example
+ * // Basic usage
+ * app.use(csrfProtection());
+ *
+ * @example
+ * // Exclude webhook paths
+ * app.use(csrfProtection({
+ *   excludePaths: ['/api/webhooks/stripe', '/api/webhooks/github']
+ * }));
+ *
+ * @example
+ * // Client-side: read cookie + set header
+ * const token = document.cookie.match(/_csrf=([^;]+)/)?.[1];
+ * fetch('/api/data', {
+ *   method: 'POST',
+ *   headers: { 'X-CSRF-Token': token },
+ *   credentials: 'same-origin'
+ * });
+ */
+export declare function csrfProtection(options?: CsrfOptions): RequestHandler;
+/** Alias for csrfProtection */
+export declare const createCsrf: typeof csrfProtection;
+//# sourceMappingURL=csrf.d.ts.map

package/dist/middleware/csrf.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/middleware/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,oCAAoC;AACpC,MAAM,WAAW,WAAW;IAC1B,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2EAA2E;IAC3E,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,kEAAkE;IAClE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACrC;;;;;OAKG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,qBAAqB;IACrB,MAAM,CAAC,EAAE;QACP,gCAAgC;QAChC,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,gFAAgF;QAChF,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,4DAA4D;QAC5D,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,yCAAyC;QACzC,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;QACrC,oBAAoB;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,sDAAsD;IACtD,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,KAAK,IAAI,CAAC;CACrE;AAUD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM,CAE7D;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAQpF;AAsBD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,cAAc,CAAC,OAAO,GAAE,WAAgB,GAAG,cAAc,CAmFxE;AAsDD,+BAA+B;AAC/B,eAAO,MAAM,UAAU,uBAAiB,CAAC"}

package/dist/middleware/error-handler.d.ts ADDED Viewed

@@ -0,0 +1,43 @@
+/**
+ * @module @arcis/node/middleware/error-handler
+ * Production-safe error handler middleware
+ */
+import type { Request, Response, NextFunction } from 'express';
+import type { ErrorHandlerOptions } from '../core/types';
+/**
+ * Check if an error message contains sensitive infrastructure details.
+ */
+export declare function containsSensitiveInfo(message: string): boolean;
+/**
+ * Create Express error handler that hides sensitive details in production.
+ *
+ * Prevents information leakage by:
+ * - Hiding stack traces in production
+ * - Hiding error messages unless explicitly exposed
+ * - Scrubbing database errors, connection strings, and internal IPs
+ *
+ * @param options - Error handler configuration (or boolean for isDev)
+ * @returns Express error handling middleware
+ *
+ * @example
+ * // Production mode (default) - hides error details
+ * app.use(errorHandler());
+ *
+ * @example
+ * // Development mode - shows error details and stack traces
+ * app.use(errorHandler({ isDev: true }));
+ *
+ * @example
+ * // With custom logger
+ * app.use(errorHandler({
+ *   isDev: false,
+ *   logger: arcis.logger()
+ * }));
+ */
+export declare function errorHandler(options?: ErrorHandlerOptions | boolean): (err: Error, req: Request, res: Response, next: NextFunction) => void;
+/**
+ * Alias for errorHandler
+ * @see errorHandler
+ */
+export declare const createErrorHandler: typeof errorHandler;
+//# sourceMappingURL=error-handler.d.ts.map

package/dist/middleware/error-handler.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"error-handler.d.ts","sourceRoot":"","sources":["../../src/middleware/error-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE/D,OAAO,KAAK,EAAE,mBAAmB,EAAa,MAAM,eAAe,CAAC;AAyBpE;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAE9D;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,YAAY,CAC1B,OAAO,GAAE,mBAAmB,GAAG,OAAe,GAC7C,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,KAAK,IAAI,CA2DvE;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,qBAAe,CAAC"}

package/dist/middleware/headers.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * @module @arcis/node/middleware/headers
+ * Security headers middleware
+ */
+import type { RequestHandler } from 'express';
+import type { HeaderOptions } from '../core/types';
+/**
+ * Create Express middleware for security headers.
+ * Sets CSP, HSTS, X-Frame-Options, and other security headers.
+ *
+ * @param options - Header configuration
+ * @returns Express middleware
+ *
+ * @example
+ * app.use(createHeaders());
+ *
+ * @example
+ * app.use(createHeaders({
+ *   frameOptions: 'SAMEORIGIN',
+ *   contentSecurityPolicy: "default-src 'self'"
+ * }));
+ */
+export declare function createHeaders(options?: HeaderOptions): RequestHandler;
+/**
+ * Alias for createHeaders
+ * @see createHeaders
+ */
+export declare const securityHeaders: typeof createHeaders;
+//# sourceMappingURL=headers.d.ts.map

package/dist/middleware/headers.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/middleware/headers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,KAAK,EAAE,aAAa,EAAe,MAAM,eAAe,CAAC;AAEhE;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,aAAkB,GAAG,cAAc,CAwHzE;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,sBAAgB,CAAC"}

package/dist/middleware/hpp.d.ts ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * @module @arcis/node/middleware/hpp
+ * HTTP Parameter Pollution (HPP) protection middleware
+ *
+ * Normalizes duplicate query and body parameters to their last value,
+ * preventing attackers from bypassing validation by repeating parameters.
+ *
+ * Attack example:
+ *   GET /search?role=user&role=admin
+ *   Without HPP: req.query.role = ['user', 'admin']
+ *   With HPP:    req.query.role = 'admin'  (last value wins)
+ *
+ * Originals are preserved in req.queryPolluted / req.bodyPolluted
+ * for logging or auditing without blocking the request.
+ */
+import type { RequestHandler } from 'express';
+/** HPP protection configuration */
+export interface HppOptions {
+    /**
+     * Parameters that legitimately accept arrays and should not be normalized.
+     * Example: ['tags', 'ids', 'filter']
+     */
+    whitelist?: string[];
+    /** Normalize duplicate query string parameters. Default: true */
+    checkQuery?: boolean;
+    /** Normalize duplicate body parameters. Default: true */
+    checkBody?: boolean;
+}
+/**
+ * HTTP Parameter Pollution protection middleware.
+ *
+ * Normalizes duplicate query/body parameters to a single value (last wins).
+ * Whitelisted parameters are allowed to remain as arrays.
+ *
+ * @param options - HPP configuration
+ * @returns Express middleware
+ *
+ * @example
+ * // Basic — normalize all duplicates
+ * app.use(hpp());
+ *
+ * @example
+ * // Allow arrays for specific params (e.g., tag filters, IDs)
+ * app.use(hpp({ whitelist: ['tags', 'ids'] }));
+ *
+ * @example
+ * // Inspect what was removed (for logging)
+ * app.use((req, res, next) => {
+ *   const polluted = (req as any).queryPolluted;
+ *   if (Object.keys(polluted).length) logger.warn('HPP detected', polluted);
+ *   next();
+ * });
+ */
+export declare function hpp(options?: HppOptions): RequestHandler;
+export declare const createHpp: typeof hpp;
+//# sourceMappingURL=hpp.d.ts.map

package/dist/middleware/hpp.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"hpp.d.ts","sourceRoot":"","sources":["../../src/middleware/hpp.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,mCAAmC;AACnC,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,iEAAiE;IACjE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,yDAAyD;IACzD,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,GAAG,CAAC,OAAO,GAAE,UAAe,GAAG,cAAc,CAwD5D;AAED,eAAO,MAAM,SAAS,YAAM,CAAC"}

package/dist/middleware/index.d.ts CHANGED Viewed

@@ -1,3 +1,16 @@
-export { g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from '../index-BAhgn9V2.js';
-import '../types-BOkx5YJc.js';
-import 'express';
+/**
+ * @module @arcis/node/middleware
+ * All middleware for Arcis
+ */
+export { arcis, arcisFunction } from './main';
+export { default } from './main';
+export { createRateLimiter, rateLimit } from './rate-limit';
+export { createSlidingWindowLimiter } from './rate-limit-sliding';
+export { createTokenBucketLimiter } from './rate-limit-token';
+export { createHeaders, securityHeaders } from './headers';
+export { errorHandler, createErrorHandler } from './error-handler';
+export { safeCors, createCors } from './cors';
+export { secureCookieDefaults, createSecureCookies, enforceSecureCookie } from './cookies';
+export { botProtection, detectBot } from './bot-detection';
+export { csrfProtection, createCsrf, generateCsrfToken, validateCsrfToken } from './csrf';
+//# sourceMappingURL=index.d.ts.map

package/dist/middleware/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/middleware/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AAGjC,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAE,0BAA0B,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAC3F,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC"}

package/dist/middleware/index.js CHANGED Viewed

@@ -69,7 +69,15 @@ var XSS_REMOVE_PATTERNS = [
   /javascript\s*:/gi,
   /vbscript\s*:/gi,
   /** data: URIs with HTML/script content */
-  /data\s*:\s*text\/html[^>\s]*/gi
+  /data\s*:\s*text\/html[^>\s]*/gi,
+  /** form tag injection — phishing via action= redirection */
+  /<form[\s>][^>]*/gi,
+  /** meta tag injection — http-equiv refresh or CSP bypass */
+  /<meta[\s>][^>]*/gi,
+  /** base href hijacking */
+  /<base[\s>][^>]*/gi,
+  /** link tag injection — stylesheet or preload attacks */
+  /<link[\s>][^>]*/gi
 ];
 var SQL_PATTERNS = [
   /** SQL keywords */
@@ -133,8 +141,8 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
-  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
-  /%0[ad]/gi
+  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
+  /%0[0-9a-f]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",
@@ -422,7 +430,24 @@ function createRateLimiter(options = {}) {
       }
       next();
     } catch (error) {
-      console.error("[arcis] Rate limiter error:", error);
+      console.error("[arcis] Rate limiter store error, using in-memory fallback:", error);
+      try {
+        const key = keyGenerator(req);
+        const now = Date.now();
+        if (!inMemoryStore[key] || inMemoryStore[key].resetTime < now) {
+          inMemoryStore[key] = { count: 1, resetTime: now + windowMs };
+        } else {
+          inMemoryStore[key].count++;
+        }
+        const count = inMemoryStore[key].count;
+        if (count > max) {
+          const resetSeconds = Math.ceil((inMemoryStore[key].resetTime - now) / 1e3);
+          res.setHeader("Retry-After", resetSeconds.toString());
+          res.status(statusCode).json({ error: message, retryAfter: resetSeconds });
+          return;
+        }
+      } catch {
+      }
       next();
     }
   };
@@ -632,26 +657,31 @@ function sanitizePath(input, collectThreats = false) {
   const threats = [];
   let value = input;
   let wasSanitized = false;
-  for (const pattern of PATH_PATTERNS) {
-    pattern.lastIndex = 0;
-    if (pattern.test(value)) {
+  value = value.normalize("NFKC");
+  let prev;
+  do {
+    prev = value;
+    for (const pattern of PATH_PATTERNS) {
       pattern.lastIndex = 0;
-      if (collectThreats) {
-        const matches = value.match(pattern);
-        if (matches) {
-          for (const match of matches) {
-            threats.push({
-              type: "path_traversal",
-              pattern: pattern.source,
-              original: match
-            });
+      if (pattern.test(value)) {
+        pattern.lastIndex = 0;
+        if (collectThreats) {
+          const matches = value.match(pattern);
+          if (matches) {
+            for (const match of matches) {
+              threats.push({
+                type: "path_traversal",
+                pattern: pattern.source,
+                original: match
+              });
+            }
           }
         }
+        value = value.replace(pattern, "");
+        wasSanitized = true;
       }
-      value = value.replace(pattern, "");
-      wasSanitized = true;
     }
-  }
+  } while (value !== prev);
   if (collectThreats) {
     return { value, wasSanitized, threats };
   }
@@ -709,7 +739,7 @@ function sanitizeString(value, options = {}) {
   if (value.length > maxSize) {
     throw new InputTooLargeError(maxSize, value.length);
   }
-  const reject = options.mode !== "sanitize";
+  const reject = options.mode === "reject";
   let result = value;
   if (options.sql !== false) {
     if (reject) {
@@ -1586,11 +1616,9 @@ function generateCsrfToken(length = 32) {
 function validateCsrfToken(cookieToken, requestToken) {
   if (!cookieToken || !requestToken) return false;
   if (cookieToken.length !== requestToken.length) return false;
-  let result = 0;
-  for (let i = 0; i < cookieToken.length; i++) {
-    result |= cookieToken.charCodeAt(i) ^ requestToken.charCodeAt(i);
-  }
-  return result === 0;
+  const a = Buffer.from(cookieToken);
+  const b = Buffer.from(requestToken);
+  return crypto.timingSafeEqual(a, b);
 }
 function getRequestToken(req, headerName, fieldName) {
   const headerToken = req.headers[headerName.toLowerCase()];
@@ -1599,19 +1627,17 @@ function getRequestToken(req, headerName, fieldName) {
     const bodyToken = req.body[fieldName];
     if (typeof bodyToken === "string" && bodyToken) return bodyToken;
   }
-  if (req.query && fieldName in req.query) {
-    const queryToken = req.query[fieldName];
-    if (typeof queryToken === "string" && queryToken) return queryToken;
-  }
   return void 0;
 }
 function csrfProtection(options = {}) {
-  const cookieName = options.cookieName ?? DEFAULTS.cookieName;
+  const baseCookieName = options.cookieName ?? DEFAULTS.cookieName;
+  const cookieName = options.useHostPrefix ? `__Host-${baseCookieName}` : baseCookieName;
   const headerName = options.headerName ?? DEFAULTS.headerName;
   const fieldName = options.fieldName ?? DEFAULTS.fieldName;
   const tokenLength = options.tokenLength ?? DEFAULTS.tokenLength;
   const protectedMethods = options.protectedMethods ?? [...DEFAULTS.protectedMethods];
   const excludePaths = options.excludePaths ?? [];
+  const skipCsrf = options.skipCsrf;
   const isProduction = process.env.NODE_ENV === "production";
   const cookieOpts = {
     path: options.cookie?.path ?? "/",
@@ -1631,6 +1657,9 @@ function csrfProtection(options = {}) {
   const protectedSet = new Set(protectedMethods.map((m) => m.toUpperCase()));
   return (req, res, next) => {
     const method = req.method.toUpperCase();
+    if (skipCsrf && skipCsrf(req)) {
+      return next();
+    }
     const requestPath = req.path || req.url;
     if (excludePaths.some((p) => requestPath === p || requestPath.startsWith(p + "/"))) {
       return next();
@@ -1680,7 +1709,15 @@ function setCsrfCookie(res, name, token, opts) {
   if (opts.secure) parts.push("Secure");
   parts.push(`SameSite=${opts.sameSite}`);
   if (opts.domain) parts.push(`Domain=${opts.domain}`);
-  res.setHeader("Set-Cookie", parts.join("; "));
+  const newCookie = parts.join("; ");
+  const existing = res.getHeader("Set-Cookie");
+  if (existing === void 0) {
+    res.setHeader("Set-Cookie", newCookie);
+  } else if (Array.isArray(existing)) {
+    res.setHeader("Set-Cookie", [...existing, newCookie]);
+  } else {
+    res.setHeader("Set-Cookie", [existing, newCookie]);
+  }
 }
 function escapeRegex(str) {
   return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");