npm - @benjavicente/start-client-core - Versions diffs - 1.167.9 → 1.168.3 - Mend

@benjavicente/start-client-core 1.167.9 → 1.168.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/dist/esm/client/hydrateStart.js +4 -2
package/dist/esm/client/hydrateStart.js.map +1 -1
package/dist/esm/client-rpc/serverFnFetcher.d.ts +21 -0
package/dist/esm/client-rpc/serverFnFetcher.js +94 -71
package/dist/esm/client-rpc/serverFnFetcher.js.map +1 -1
package/dist/esm/createCsrfMiddleware.d.ts +46 -0
package/dist/esm/createCsrfMiddleware.js +63 -0
package/dist/esm/createCsrfMiddleware.js.map +1 -0
package/dist/esm/createMiddleware.d.ts +4 -0
package/dist/esm/createMiddleware.js.map +1 -1
package/dist/esm/createServerFn.d.ts +44 -31
package/dist/esm/createServerFn.js +1 -1
package/dist/esm/createServerFn.js.map +1 -1
package/dist/esm/fake-entries/plugin-adapters.d.ts +3 -0
package/dist/esm/fake-entries/plugin-adapters.js +7 -0
package/dist/esm/fake-entries/plugin-adapters.js.map +1 -0
package/dist/esm/fake-entries/router.d.ts +1 -0
package/dist/esm/fake-entries/router.js +6 -0
package/dist/esm/fake-entries/router.js.map +1 -0
package/dist/esm/{fake-start-entry.d.ts → fake-entries/start.d.ts} +0 -1
package/dist/esm/fake-entries/start.js +6 -0
package/dist/esm/fake-entries/start.js.map +1 -0
package/dist/esm/getDefaultSerovalPlugins.d.ts +2 -1
package/dist/esm/getDefaultSerovalPlugins.js.map +1 -1
package/dist/esm/index.d.ts +4 -1
package/dist/esm/index.js +3 -1
package/dist/esm/tests/createCsrfMiddleware.test.d.ts +1 -0
package/package.json +10 -11
package/skills/start-core/SKILL.md +11 -7
package/skills/start-core/auth-server-primitives/SKILL.md +410 -0
package/skills/start-core/deployment/SKILL.md +9 -0
package/skills/start-core/execution-model/SKILL.md +68 -19
package/skills/start-core/middleware/SKILL.md +42 -9
package/skills/start-core/server-functions/SKILL.md +115 -17
package/src/client/hydrateStart.ts +12 -6
package/src/client-rpc/serverFnFetcher.ts +132 -103
package/src/createCsrfMiddleware.ts +197 -0
package/src/createMiddleware.ts +4 -0
package/src/createServerFn.ts +192 -63
package/src/fake-entries/plugin-adapters.ts +4 -0
package/src/fake-entries/router.ts +1 -0
package/src/{fake-start-entry.ts → fake-entries/start.ts} +0 -1
package/src/getDefaultSerovalPlugins.ts +2 -1
package/src/index.tsx +16 -0
package/src/start-entry.d.ts +9 -2
package/src/tests/createCsrfMiddleware.test.ts +290 -0
package/src/tests/createServerFn.test-d.ts +152 -2
package/src/tests/createServerMiddleware.test-d.ts +16 -3
package/bin/intent.js +0 -25
package/dist/esm/fake-start-entry.js +0 -7
package/dist/esm/fake-start-entry.js.map +0 -1

package/src/createCsrfMiddleware.ts ADDED Viewed

@@ -0,0 +1,197 @@
+import { createIsomorphicFn } from '@benjavicente/start-fn-stubs'
+import { createMiddleware } from './createMiddleware'
+import type {
+  RequestMiddlewareAfterServer,
+  RequestServerOptions,
+} from './createMiddleware'
+import type { Register } from '@benjavicente/router-core'
+export const csrfSymbol = Symbol.for('tanstack-start:csrf-middleware')
+export type CsrfSecFetchSite =
+  | 'same-origin'
+  | 'same-site'
+  | 'cross-site'
+  | 'none'
+export type CsrfMatcher<TValue, TRegister = Register, TMiddlewares = unknown> =
+  | TValue
+  | Array<TValue>
+  | ((
+      value: TValue | (string & {}),
+      ctx: RequestServerOptions<TRegister, TMiddlewares>,
+    ) => boolean | Promise<boolean>)
+export interface CsrfMiddlewareOptions<
+  TRegister = Register,
+  TMiddlewares = unknown,
+> {
+  /**
+   * Return `true` to validate this request, or `false` to skip validation.
+   *
+   * @default undefined, which validates every request handled by this middleware.
+   */
+  filter?: (
+    ctx: RequestServerOptions<TRegister, TMiddlewares>,
+  ) => boolean | Promise<boolean>
+  /**
+   * Allowed Origin values. Defaults to the trusted request origin.
+   */
+  origin?: CsrfMatcher<string, TRegister, TMiddlewares>
+  /**
+   * Allowed Sec-Fetch-Site values.
+   *
+   * @default 'same-origin'
+   */
+  secFetchSite?: CsrfMatcher<CsrfSecFetchSite, TRegister, TMiddlewares>
+  /**
+   * Whether to use Referer as a fallback when Sec-Fetch-Site and Origin are absent.
+   *
+   * @default true
+   */
+  referer?:
+    | boolean
+    | ((
+        referer: string,
+        ctx: RequestServerOptions<TRegister, TMiddlewares>,
+      ) => boolean | Promise<boolean>)
+  /**
+   * Allow requests when Sec-Fetch-Site, Origin, and Referer are all missing.
+   *
+   * @default false
+   */
+  allowRequestsWithoutOriginCheck?: boolean
+  /**
+   * Optional response returned when CSRF validation fails.
+   *
+   * @default new Response('Forbidden', { status: 403 })
+   */
+  failureResponse?:
+    | Response
+    | ((
+        ctx: RequestServerOptions<TRegister, TMiddlewares>,
+      ) => Response | Promise<Response>)
+}
+type CreateCsrfMiddleware = <TRegister, TMiddlewares>(
+  opts?: CsrfMiddlewareOptions<TRegister, TMiddlewares>,
+) => RequestMiddlewareAfterServer<{}, undefined, undefined>
+const innerCreateCsrfMiddleware: CreateCsrfMiddleware = (opts = {}) => {
+  const middleware = createMiddleware().server(async (ctx) => {
+    const csrfCtx = ctx as RequestServerOptions<any, any> & typeof ctx
+    if (opts.filter && !(await opts.filter(csrfCtx))) {
+      return ctx.next()
+    }
+    if (await isCsrfRequestAllowed(opts, csrfCtx)) {
+      return ctx.next()
+    }
+    return getFailureResponse(opts, csrfCtx)
+  })
+  if (process.env.NODE_ENV !== 'production') {
+    Object.defineProperty(middleware, csrfSymbol, { value: true })
+  }
+  return middleware
+}
+export const createCsrfMiddleware: CreateCsrfMiddleware =
+  createIsomorphicFn().server(innerCreateCsrfMiddleware) as CreateCsrfMiddleware
+export async function isCsrfRequestAllowed<TRegister, TMiddlewares>(
+  opts: CsrfMiddlewareOptions<TRegister, TMiddlewares>,
+  ctx: RequestServerOptions<TRegister, TMiddlewares>,
+): Promise<boolean> {
+  const result = await getCsrfRequestValidationResult(opts, ctx)
+  return (
+    result === true ||
+    (result === undefined && opts.allowRequestsWithoutOriginCheck === true)
+  )
+}
+export async function getCsrfRequestValidationResult<TRegister, TMiddlewares>(
+  opts: CsrfMiddlewareOptions<TRegister, TMiddlewares>,
+  ctx: RequestServerOptions<TRegister, TMiddlewares>,
+): Promise<boolean | undefined> {
+  const fetchSite = ctx.request.headers.get('Sec-Fetch-Site')
+  if (fetchSite !== null) {
+    return matchValue(opts.secFetchSite ?? 'same-origin', fetchSite, ctx)
+  }
+  const origin = ctx.request.headers.get('Origin')
+  if (origin !== null) {
+    if (opts.origin) {
+      return matchValue(opts.origin, origin, ctx)
+    }
+    return origin === new URL(ctx.request.url).origin
+  }
+  const referer = ctx.request.headers.get('Referer')
+  if (referer === null || opts.referer === false) {
+    return undefined
+  }
+  if (typeof opts.referer === 'function') {
+    return opts.referer(referer, ctx)
+  }
+  if (opts.origin) {
+    const refererOrigin = getOriginFromUrl(referer)
+    return (
+      refererOrigin !== undefined && matchValue(opts.origin, refererOrigin, ctx)
+    )
+  }
+  return isRefererSameOrigin(referer, new URL(ctx.request.url).origin)
+}
+async function matchValue<TValue extends string, TRegister, TMiddlewares>(
+  matcher: CsrfMatcher<TValue, TRegister, TMiddlewares>,
+  value: string,
+  ctx: RequestServerOptions<TRegister, TMiddlewares>,
+): Promise<boolean> {
+  if (typeof matcher === 'function') {
+    return matcher(value, ctx)
+  }
+  if (Array.isArray(matcher)) {
+    // typescript is dumb for array.includes()
+    return matcher.includes(value as TValue)
+  }
+  return value === matcher
+}
+function getOriginFromUrl(url: string): string | undefined {
+  try {
+    return new URL(url).origin
+  } catch {
+    return undefined
+  }
+}
+function isRefererSameOrigin(referer: string, requestOrigin: string): boolean {
+  if (referer === requestOrigin) return true
+  if (!referer.startsWith(requestOrigin)) return false
+  if (referer.length === requestOrigin.length) return true
+  const code = referer.charCodeAt(requestOrigin.length)
+  return code === 47 /* '/' */ || code === 63 /* '?' */ || code === 35 /* '#' */
+}
+async function getFailureResponse<TRegister, TMiddlewares>(
+  opts: CsrfMiddlewareOptions<TRegister, TMiddlewares>,
+  ctx: RequestServerOptions<TRegister, TMiddlewares>,
+): Promise<Response> {
+  if (typeof opts.failureResponse === 'function') {
+    return opts.failureResponse(ctx)
+  }
+  return (
+    opts.failureResponse?.clone() ?? new Response('Forbidden', { status: 403 })
+  )
+}

package/src/createMiddleware.ts CHANGED Viewed

@@ -770,6 +770,10 @@ export interface RequestServerOptions<TRegister, TMiddlewares> {
   pathname: string
   context: Expand<AssignAllServerRequestContext<TRegister, TMiddlewares>>
   next: RequestServerNextFn<TRegister, TMiddlewares>
+  /**
+   * Type of Start handler currently processing this request.
+   */
+  handlerType: 'serverFn' | 'router'
   /**
    * Metadata about the server function being invoked.
    * This is only present when the request is handling a server function call.