@beignet/devtools 0.0.23 → 0.0.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,13 @@
1
1
  # @beignet/devtools
2
2
 
3
+ ## 0.0.24
4
+
5
+ ### Patch Changes
6
+
7
+ - 91bc9b5: Harden framework security defaults for generated tenancy, auth secrets, CORS,
8
+ body limits, uploads, devtools, OpenAPI, rate-limit IP sources, public storage,
9
+ and Meilisearch query fields.
10
+
3
11
  ## 0.0.23
4
12
 
5
13
  ## 0.0.22
package/README.md CHANGED
@@ -385,7 +385,7 @@ path.
385
385
  The provider controls whether events are recorded. The HTTP route controls
386
386
  whether those events are exposed. Both default to development-only behavior.
387
387
  Route handlers return `404` when `NODE_ENV === "production"` unless explicitly
388
- enabled:
388
+ enabled with an app-owned `authorize` callback:
389
389
 
390
390
  ```typescript
391
391
  export const { GET, POST } = createDevtoolsRoute(server.ports.devtools, {
@@ -519,8 +519,9 @@ type DevtoolsRequestOptions = {
519
519
  ## Production safety
520
520
 
521
521
  The HTTP handlers return `404` when `NODE_ENV === "production"` by default. The
522
- provider also installs a no-op devtools port in production by default so app
523
- code does not need null checks.
522
+ Setting `enabled: true` in production still requires `authorize`; without it
523
+ the route remains hidden. The provider also installs a no-op devtools port in
524
+ production by default so app code does not need null checks.
524
525
 
525
526
  Devtools can contain sensitive request, error, and domain data. Keep it on local
526
527
  development routes unless you intentionally add authentication and redaction.
@@ -1 +1 @@
1
- {"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../src/access.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEzD;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAC9B,GAAG,EAAE,OAAO,KACT,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,iBAAiB,CAAC;CAC/B;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,0BAA+B,GACvC,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,QAAQ,CAEnD;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,OAAO,EACZ,OAAO,GAAE,0BAA+B,GACvC,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC,CAe/B"}
1
+ {"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../src/access.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEzD;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAC9B,GAAG,EAAE,OAAO,KACT,uBAAuB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,iBAAiB,CAAC;CAC/B;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,0BAA+B,GACvC,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,QAAQ,CAEnD;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,OAAO,EACZ,OAAO,GAAE,0BAA+B,GACvC,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC,CAkB/B"}
package/dist/access.js CHANGED
@@ -20,6 +20,9 @@ export async function authorizeDevtoolsRequest(req, options = {}) {
20
20
  return devtoolsNotFoundResponse();
21
21
  }
22
22
  if (!options.authorize) {
23
+ if (process.env.NODE_ENV === "production" && options.enabled === true) {
24
+ return devtoolsNotFoundResponse();
25
+ }
23
26
  return undefined;
24
27
  }
25
28
  const result = await options.authorize(req);
@@ -1 +1 @@
1
- {"version":3,"file":"access.js","sourceRoot":"","sources":["../src/access.ts"],"names":[],"mappings":"AAgCA;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CACpC,UAAsC,EAAE;IAExC,OAAO,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;AAClE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,GAAY,EACZ,UAAsC,EAAE;IAExC,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,OAAO,wBAAwB,EAAE,CAAC;IACpC,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,MAAM,YAAY,QAAQ,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,wBAAwB,EAAE,CAAC;AACzD,CAAC"}
1
+ {"version":3,"file":"access.js","sourceRoot":"","sources":["../src/access.ts"],"names":[],"mappings":"AAgCA;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CACpC,UAAsC,EAAE;IAExC,OAAO,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;AAClE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,GAAY,EACZ,UAAsC,EAAE;IAExC,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,OAAO,wBAAwB,EAAE,CAAC;IACpC,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,OAAO,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;YACtE,OAAO,wBAAwB,EAAE,CAAC;QACpC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,MAAM,YAAY,QAAQ,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,wBAAwB,EAAE,CAAC;AACzD,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@beignet/devtools",
3
- "version": "0.0.23",
3
+ "version": "0.0.24",
4
4
  "type": "module",
5
5
  "description": "Development-time devtools for Beignet - mini Telescope for the server runtime",
6
6
  "main": "./dist/index.js",
package/src/access.ts CHANGED
@@ -60,6 +60,9 @@ export async function authorizeDevtoolsRequest(
60
60
  }
61
61
 
62
62
  if (!options.authorize) {
63
+ if (process.env.NODE_ENV === "production" && options.enabled === true) {
64
+ return devtoolsNotFoundResponse();
65
+ }
63
66
  return undefined;
64
67
  }
65
68