@blamejs/blamejs-shop 0.4.69 → 0.4.71
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/admin.js +8 -6
- package/lib/asset-manifest.json +1 -1
- package/lib/security-middleware.js +65 -23
- package/lib/shipping-insurance.js +29 -4
- package/lib/sms-dispatcher.js +17 -4
- package/lib/storefront.js +10 -7
- package/lib/vendor/MANIFEST.json +319 -267
- package/lib/vendor/blamejs/CHANGELOG.md +2 -0
- package/lib/vendor/blamejs/api-snapshot.json +58 -5
- package/lib/vendor/blamejs/examples/wiki/README.md +1 -1
- package/lib/vendor/blamejs/examples/wiki/docker-compose.prod.yml +9 -8
- package/lib/vendor/blamejs/examples/wiki/docker-compose.yml +10 -9
- package/lib/vendor/blamejs/examples/wiki/env-snapshot.json +4 -3
- package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +33 -17
- package/lib/vendor/blamejs/examples/wiki/routes/admin.js +7 -10
- package/lib/vendor/blamejs/examples/wiki/server.js +5 -4
- package/lib/vendor/blamejs/examples/wiki/test/e2e.js +5 -0
- package/lib/vendor/blamejs/lib/a2a-tasks.js +38 -6
- package/lib/vendor/blamejs/lib/agent-event-bus.js +13 -0
- package/lib/vendor/blamejs/lib/agent-idempotency.js +5 -1
- package/lib/vendor/blamejs/lib/agent-snapshot.js +32 -2
- package/lib/vendor/blamejs/lib/ai-aedt-bias-audit.js +2 -1
- package/lib/vendor/blamejs/lib/ai-content-detect.js +1 -3
- package/lib/vendor/blamejs/lib/ai-frontier-protocol.js +1 -1
- package/lib/vendor/blamejs/lib/ai-model-manifest.js +1 -1
- package/lib/vendor/blamejs/lib/ai-output.js +16 -7
- package/lib/vendor/blamejs/lib/api-snapshot.js +4 -1
- package/lib/vendor/blamejs/lib/app-shutdown.js +7 -1
- package/lib/vendor/blamejs/lib/archive-gz.js +9 -0
- package/lib/vendor/blamejs/lib/archive-read.js +9 -7
- package/lib/vendor/blamejs/lib/archive-tar-read.js +51 -8
- package/lib/vendor/blamejs/lib/archive.js +4 -2
- package/lib/vendor/blamejs/lib/asn1-der.js +70 -22
- package/lib/vendor/blamejs/lib/atomic-file.js +204 -2
- package/lib/vendor/blamejs/lib/audit-chain.js +54 -5
- package/lib/vendor/blamejs/lib/audit-daily-review.js +12 -2
- package/lib/vendor/blamejs/lib/audit-sign.js +2 -1
- package/lib/vendor/blamejs/lib/audit-tools.js +108 -23
- package/lib/vendor/blamejs/lib/audit.js +7 -2
- package/lib/vendor/blamejs/lib/auth/access-lock.js +2 -2
- package/lib/vendor/blamejs/lib/auth/bot-challenge.js +1 -1
- package/lib/vendor/blamejs/lib/auth/ciba.js +43 -4
- package/lib/vendor/blamejs/lib/auth/dpop.js +6 -1
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +5 -1
- package/lib/vendor/blamejs/lib/auth/jwt.js +2 -2
- package/lib/vendor/blamejs/lib/auth/lockout.js +18 -2
- package/lib/vendor/blamejs/lib/auth/passkey.js +1 -1
- package/lib/vendor/blamejs/lib/auth/password.js +1 -1
- package/lib/vendor/blamejs/lib/auth/saml.js +33 -13
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +24 -4
- package/lib/vendor/blamejs/lib/auth/status-list.js +14 -2
- package/lib/vendor/blamejs/lib/auth/step-up.js +9 -1
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +21 -2
- package/lib/vendor/blamejs/lib/backup/bundle.js +7 -2
- package/lib/vendor/blamejs/lib/backup/crypto.js +23 -8
- package/lib/vendor/blamejs/lib/backup/index.js +41 -20
- package/lib/vendor/blamejs/lib/backup/manifest.js +7 -1
- package/lib/vendor/blamejs/lib/break-glass.js +41 -22
- package/lib/vendor/blamejs/lib/cbor.js +34 -11
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +7 -3
- package/lib/vendor/blamejs/lib/cert.js +5 -3
- package/lib/vendor/blamejs/lib/cli.js +5 -1
- package/lib/vendor/blamejs/lib/cloud-events.js +3 -2
- package/lib/vendor/blamejs/lib/cluster-storage.js +7 -3
- package/lib/vendor/blamejs/lib/codepoint-class.js +17 -0
- package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -1
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +9 -7
- package/lib/vendor/blamejs/lib/compliance.js +1 -1
- package/lib/vendor/blamejs/lib/config-drift.js +22 -8
- package/lib/vendor/blamejs/lib/content-credentials.js +11 -8
- package/lib/vendor/blamejs/lib/content-digest.js +11 -4
- package/lib/vendor/blamejs/lib/cookies.js +10 -2
- package/lib/vendor/blamejs/lib/cose.js +20 -0
- package/lib/vendor/blamejs/lib/crdt.js +2 -1
- package/lib/vendor/blamejs/lib/crypto-field.js +29 -23
- package/lib/vendor/blamejs/lib/crypto.js +18 -4
- package/lib/vendor/blamejs/lib/csp.js +4 -0
- package/lib/vendor/blamejs/lib/daemon.js +4 -1
- package/lib/vendor/blamejs/lib/data-act.js +27 -4
- package/lib/vendor/blamejs/lib/db-file-lifecycle.js +14 -6
- package/lib/vendor/blamejs/lib/db-query.js +69 -9
- package/lib/vendor/blamejs/lib/db.js +32 -15
- package/lib/vendor/blamejs/lib/dora.js +43 -13
- package/lib/vendor/blamejs/lib/dr-runbook.js +1 -1
- package/lib/vendor/blamejs/lib/dsa.js +2 -1
- package/lib/vendor/blamejs/lib/dsr.js +22 -8
- package/lib/vendor/blamejs/lib/early-hints.js +19 -0
- package/lib/vendor/blamejs/lib/eat.js +5 -1
- package/lib/vendor/blamejs/lib/external-db.js +60 -4
- package/lib/vendor/blamejs/lib/fda-21cfr11.js +30 -5
- package/lib/vendor/blamejs/lib/flag-providers.js +6 -2
- package/lib/vendor/blamejs/lib/forms.js +1 -1
- package/lib/vendor/blamejs/lib/gate-contract.js +46 -5
- package/lib/vendor/blamejs/lib/gdpr-ropa.js +18 -9
- package/lib/vendor/blamejs/lib/graphql-federation.js +17 -4
- package/lib/vendor/blamejs/lib/guard-all.js +2 -2
- package/lib/vendor/blamejs/lib/guard-dsn.js +1 -1
- package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
- package/lib/vendor/blamejs/lib/guard-html.js +9 -11
- package/lib/vendor/blamejs/lib/guard-imap-command.js +1 -1
- package/lib/vendor/blamejs/lib/guard-jmap.js +1 -1
- package/lib/vendor/blamejs/lib/guard-json.js +14 -6
- package/lib/vendor/blamejs/lib/guard-mail-move.js +1 -1
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +1 -1
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +1 -1
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +1 -1
- package/lib/vendor/blamejs/lib/guard-svg.js +8 -9
- package/lib/vendor/blamejs/lib/html-balance.js +7 -3
- package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +33 -12
- package/lib/vendor/blamejs/lib/http-client.js +225 -53
- package/lib/vendor/blamejs/lib/iab-tcf.js +3 -2
- package/lib/vendor/blamejs/lib/importmap-integrity.js +41 -1
- package/lib/vendor/blamejs/lib/incident-report.js +9 -6
- package/lib/vendor/blamejs/lib/json-patch.js +1 -1
- package/lib/vendor/blamejs/lib/json-path.js +24 -3
- package/lib/vendor/blamejs/lib/jtd.js +2 -2
- package/lib/vendor/blamejs/lib/legal-hold.js +24 -8
- package/lib/vendor/blamejs/lib/log.js +2 -2
- package/lib/vendor/blamejs/lib/mail-agent.js +2 -2
- package/lib/vendor/blamejs/lib/mail-arf.js +1 -1
- package/lib/vendor/blamejs/lib/mail-auth.js +3 -3
- package/lib/vendor/blamejs/lib/mail-bimi.js +16 -16
- package/lib/vendor/blamejs/lib/mail-bounce.js +3 -3
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +71 -6
- package/lib/vendor/blamejs/lib/mail-deploy.js +9 -5
- package/lib/vendor/blamejs/lib/mail-greylist.js +2 -4
- package/lib/vendor/blamejs/lib/mail-helo.js +2 -4
- package/lib/vendor/blamejs/lib/mail-journal.js +11 -8
- package/lib/vendor/blamejs/lib/mail-mdn.js +8 -4
- package/lib/vendor/blamejs/lib/mail-rbl.js +2 -4
- package/lib/vendor/blamejs/lib/mail-scan.js +3 -5
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +4 -1
- package/lib/vendor/blamejs/lib/mail-server-registry.js +1 -1
- package/lib/vendor/blamejs/lib/mail-server-tls.js +9 -2
- package/lib/vendor/blamejs/lib/mail-spam-score.js +2 -4
- package/lib/vendor/blamejs/lib/mail-store-fts.js +1 -1
- package/lib/vendor/blamejs/lib/mail.js +22 -2
- package/lib/vendor/blamejs/lib/markup-tokenizer.js +24 -0
- package/lib/vendor/blamejs/lib/mcp.js +6 -4
- package/lib/vendor/blamejs/lib/mdoc.js +26 -3
- package/lib/vendor/blamejs/lib/metrics.js +14 -3
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +10 -4
- package/lib/vendor/blamejs/lib/middleware/bot-guard.js +26 -18
- package/lib/vendor/blamejs/lib/middleware/clear-site-data.js +5 -1
- package/lib/vendor/blamejs/lib/middleware/compression.js +9 -0
- package/lib/vendor/blamejs/lib/middleware/cors.js +32 -23
- package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +60 -21
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -4
- package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +28 -4
- package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +61 -30
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +25 -16
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +2 -1
- package/lib/vendor/blamejs/lib/middleware/security-headers.js +24 -6
- package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +6 -3
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +2 -2
- package/lib/vendor/blamejs/lib/money.js +1 -1
- package/lib/vendor/blamejs/lib/mtls-ca.js +10 -6
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +1 -1
- package/lib/vendor/blamejs/lib/network-dns.js +9 -2
- package/lib/vendor/blamejs/lib/network-dnssec.js +2 -1
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +23 -5
- package/lib/vendor/blamejs/lib/network-tls.js +27 -5
- package/lib/vendor/blamejs/lib/network-tsig.js +2 -2
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
- package/lib/vendor/blamejs/lib/nist-crosswalk.js +1 -1
- package/lib/vendor/blamejs/lib/ntp-check.js +28 -0
- package/lib/vendor/blamejs/lib/numeric-bounds.js +9 -0
- package/lib/vendor/blamejs/lib/object-store/azure-blob.js +1 -2
- package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +4 -2
- package/lib/vendor/blamejs/lib/object-store/gcs.js +6 -4
- package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -2
- package/lib/vendor/blamejs/lib/object-store/http-request.js +30 -1
- package/lib/vendor/blamejs/lib/object-store/local.js +37 -17
- package/lib/vendor/blamejs/lib/object-store/sigv4.js +1 -2
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +20 -4
- package/lib/vendor/blamejs/lib/outbox.js +11 -4
- package/lib/vendor/blamejs/lib/parsers/safe-xml.js +1 -1
- package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +21 -3
- package/lib/vendor/blamejs/lib/queue-local.js +10 -3
- package/lib/vendor/blamejs/lib/redact.js +7 -3
- package/lib/vendor/blamejs/lib/request-helpers.js +201 -23
- package/lib/vendor/blamejs/lib/resource-access-lock.js +3 -3
- package/lib/vendor/blamejs/lib/restore-bundle.js +46 -18
- package/lib/vendor/blamejs/lib/restore-rollback.js +10 -4
- package/lib/vendor/blamejs/lib/restore.js +19 -0
- package/lib/vendor/blamejs/lib/retention.js +20 -4
- package/lib/vendor/blamejs/lib/router.js +17 -4
- package/lib/vendor/blamejs/lib/safe-ical.js +2 -2
- package/lib/vendor/blamejs/lib/safe-icap.js +1 -1
- package/lib/vendor/blamejs/lib/safe-json.js +44 -0
- package/lib/vendor/blamejs/lib/safe-sieve.js +1 -1
- package/lib/vendor/blamejs/lib/safe-vcard.js +1 -1
- package/lib/vendor/blamejs/lib/sandbox-worker.js +6 -0
- package/lib/vendor/blamejs/lib/sandbox.js +1 -1
- package/lib/vendor/blamejs/lib/scheduler.js +17 -1
- package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +16 -0
- package/lib/vendor/blamejs/lib/session.js +27 -3
- package/lib/vendor/blamejs/lib/sql.js +3 -3
- package/lib/vendor/blamejs/lib/static.js +65 -13
- package/lib/vendor/blamejs/lib/template.js +7 -5
- package/lib/vendor/blamejs/lib/tenant-quota.js +52 -19
- package/lib/vendor/blamejs/lib/tsa.js +5 -2
- package/lib/vendor/blamejs/lib/vault/index.js +5 -0
- package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +22 -26
- package/lib/vendor/blamejs/lib/vault/passphrase-source.js +8 -3
- package/lib/vendor/blamejs/lib/vault/rotate.js +13 -18
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -1
- package/lib/vendor/blamejs/lib/vc.js +1 -1
- package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +10 -10
- package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +23 -10
- package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +5498 -5494
- package/lib/vendor/blamejs/lib/webhook.js +16 -1
- package/lib/vendor/blamejs/lib/websocket.js +1 -1
- package/lib/vendor/blamejs/lib/worm.js +1 -1
- package/lib/vendor/blamejs/lib/ws-client.js +57 -46
- package/lib/vendor/blamejs/lib/x509-chain.js +44 -0
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.14.json +122 -0
- package/lib/vendor/blamejs/scripts/check-vendor-currency.js +119 -4
- package/lib/vendor/blamejs/test/00-primitives.js +5 -1
- package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +18 -4
- package/lib/vendor/blamejs/test/layer-0-primitives/a2a-tasks.test.js +42 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +47 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-gz.test.js +24 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar-hardening.test.js +160 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/asn1-der.test.js +45 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +30 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js +79 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-excl.test.js +132 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-stream.test.js +181 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-corrupted-anchor.test.js +65 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-incremental-verify.test.js +83 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +48 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-signing-key-rotation.test.js +13 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-verifybundle-tamper.test.js +122 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +5 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-lockout.test.js +21 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-status-list.test.js +73 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +62 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cluster-storage.test.js +40 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +146 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-sanctions.test.js +14 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compression-range.test.js +115 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +17 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/cors.test.js +27 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-per-row-key.test.js +83 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csrf-protect.test.js +58 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/data-act.test.js +30 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-raw-residency-gate.test.js +74 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js +20 -6
- package/lib/vendor/blamejs/test/layer-0-primitives/dpop-alg-kty.test.js +64 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +32 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fda-21cfr11.test.js +43 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js +30 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +33 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +34 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +72 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-throttle-transform.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/importmap-integrity.test.js +25 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +28 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +20 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-header-injection.test.js +58 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +63 -9
- package/lib/vendor/blamejs/test/layer-0-primitives/mdoc.test.js +41 -14
- package/lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js +61 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/object-store-range-header.test.js +51 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +35 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/output-header-hardening.test.js +102 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/parser-verify-hardening.test.js +191 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/proto-shadow-allowlist.test.js +120 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-xff-spoofing.test.js +75 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +128 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/restore-blob-remap.test.js +128 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retention-sweep-termination.test.js +104 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-body-validation.test.js +98 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-json-stringify-for-script.test.js +43 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js +48 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +23 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +54 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +24 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +42 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/step-up.test.js +7 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/template-escape-html.test.js +43 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vault-default-store.test.js +48 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vendor-currency-classify.test.js +77 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +50 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js +149 -0
- package/lib/vendor/blamejs/test/layer-5-integration/external-db-residency.test.js +34 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.4.x
|
|
10
10
|
|
|
11
|
+
- v0.4.71 (2026-06-21) — **SMS dispatch and shipping-insurance adjudication now claim their state transition atomically.** Two exactly-once state transitions advanced their row with a primary-key UPDATE that was not gated on the expected prior status, so two concurrent callers could both win the transition. The scheduled SMS dispatch tick flipped a queued message to sent without an `AND status = 'queued'` guard, so two overlapping ticks could both hand the same message to the provider send hook — a duplicate text and a duplicate carrier charge. The shipping-insurance claim adjudication flipped a filed claim to approved or denied the same way, so a double-submitted approval (or an approval racing a denial) could record two different payout amounts as THE payout, or let a denial clobber an approval. Both transitions now gate the UPDATE on the prior status and act only on the row the UPDATE actually claimed (rowCount === 1); the loser is skipped or refused, matching the atomic-claim shape already used by the push-notification dispatch tick and the affiliate-commission payout. **Fixed:** *SMS dispatch tick advances each message exactly once under concurrent ticks* — The queued→sent (and the no-provider queued→failed) transition in the SMS dispatch tick now gates its UPDATE on `AND status = 'queued'` and hands a message to the operator's send hook only when the UPDATE actually claimed the row. Two overlapping ticks can no longer both dispatch the same message, so a customer is never double-texted and the carrier is never billed twice for one message. · *Shipping-insurance claim adjudication records exactly one outcome under concurrent callers* — markClaimApproved and markClaimDenied now gate their transition on `AND status = 'filed'` and refuse the caller whose UPDATE claimed no row. A double-submitted approval can no longer record two different payout amounts as the approved payout, and an approval can no longer clobber a denial (or vice-versa) — exactly one adjudication outcome sticks.
|
|
12
|
+
|
|
13
|
+
- v0.4.70 (2026-06-21) — **Bundled framework refreshed to blamejs 0.15.14, with the proxy-trust hardening wired through.** Refreshes the vendored blamejs to 0.15.14 — a broad security-hardening release that peer-gates every request-IP and protocol trust decision against the connecting socket, fails closed on a set of authentication and signature verifiers, bounds pre-authentication parsers against algorithmic-complexity denial of service, makes the framework's own file writes atomic and symlink-refusing, and adds a JSON serializer safe to embed in an inline script. The one behavior change that touches a deployment behind a TLS-terminating edge is how the client protocol is trusted: a bare trust-the-forwarded-header flag is no longer accepted for the HSTS and CSRF decisions, because a caller able to reach the origin socket could forge it. The storefront resolves the forwarded protocol through one owned model that the HSTS header, the CSRF origin check, and both session-cookie Secure decisions now share — so HSTS on container responses and authenticated forms behind the Cloudflare edge keep working with no operator action. **Changed:** *Bundled blamejs refreshed to 0.15.14* — Picks up the upstream security-hardening release: client-IP and protocol trust resolved by a peer-gated walk anchored at the connecting socket; SAML, electronic-signature, SD-JWT, DPoP, CIBA, mdoc, and COSE verifiers that could accept a malformed or unsigned credential now refuse it; pre-authentication parsers (CBOR, JSONPath, tar, gzip, YAML, ASN.1 DER) bounded against quadratic-time and frame-desync denial of service; allowlist and posture lookups keyed by untrusted input can no longer reach the prototype chain; the framework's predictable-temp and symlink-following writes go through atomic, symlink-refusing primitives; and several lost-update races (login lockout, bot-challenge, inline webhook delivery) are serialized. · *HSTS and CSRF protocol trust resolved through one owned model behind the edge* — The framework retired the bare forwarded-header trust flag for the decisions that depend on the client protocol (whether to emit HSTS, whether to set the Secure cookie attribute, and the CSRF origin pre-check), since a caller that can reach the origin socket could forge the header. The storefront now resolves the protocol through a single function shared by the security-headers middleware, the CSRF gate, and both the storefront and admin session-cookie paths. Behind the Cloudflare edge the resolver honours the worker-forwarded scheme; a direct connection with no forwarded header resolves to the socket scheme. HSTS on container-served responses and authenticated forms behind the CDN are unchanged; no configuration is required.
|
|
14
|
+
|
|
11
15
|
- v0.4.69 (2026-06-20) — **A gift-card redemption that can't record its audit row no longer loses the balance.** Redeeming a gift card debits the card's balance in one atomic conditional update, then writes a redemption record in a separate statement. Because the bridge runs each statement on its own, a transient failure writing that record left the balance already debited with no redemption row — and the reversal path keys on that row, so the spent balance could never be returned. Redemption is now all-or-nothing: if the record can't be written, the card is re-credited for the amount (and moved back to active if the debit had zeroed it and closed it) before the error is surfaced, so a failed redemption never silently consumes a customer's balance. No API change. **Fixed:** *Redemption re-credits the card if its audit row can't be written* — After the atomic balance debit, the redemption record insert is wrapped so a transient write failure re-credits the card by the redeemed amount and restores it to active if that debit had zeroed and closed it. The customer keeps the balance and the card stays usable, instead of losing the spend to a redemption that left no row for the reversal path to act on.
|
|
12
16
|
|
|
13
17
|
- v0.4.68 (2026-06-20) — **Redeeming a loyalty reward no longer burns points on a failed mint or exceeds the per-customer cap under load.** Redeeming a reward for points debited the customer's balance, then checked the per-customer redemption cap with a separate count and minted the reward coupon as separate steps. Two problems followed. The cap was a read-then-act check: two redemptions arriving together both read a count under the cap and both succeeded, so a customer could exceed a lifetime cap (for example mint two of a once-ever coupon). And if the coupon mint failed after the points were debited — the coupons primitive erroring, or a transient fault — the points were gone with no redemption row recorded, so no refund path could return them; the customer was charged for a reward they never received. Redemption now claims the cap slot in a single conditional insert that recomputes the live count, so concurrent redemptions can't both exceed the cap, and it reverses the points debit (and removes the claimed row) if the coupon can't be minted, so a failed redemption always leaves the balance whole. No API change. **Fixed:** *Per-customer redemption cap is enforced atomically* — The redemption row is now inserted only if the customer's live active/consumed count for that reward is still under the cap, recomputed inside the insert. Two redemptions racing the last slot resolve to a single winner; the loser is refused with the same cap error and its points are returned. The cheap pre-check is kept as a fast path but is no longer the thing that enforces the limit. · *A failed coupon mint returns the points and leaves no row* — If the coupon can't be minted after the points were debited and the slot claimed, both are rolled back — the points debit is reversed and the claimed redemption row is removed — so the customer's balance is whole and no redemption is left recorded for a reward that was never issued. The points reversal rides the same idempotent restore the checkout path uses, so a retry credits exactly once.
|
package/lib/admin.js
CHANGED
|
@@ -41,6 +41,7 @@ var trustBadgesModule = require("./trust-badges");
|
|
|
41
41
|
var cartModule = require("./cart"); // ABANDONED_* window/limit constants for the /admin/carts console
|
|
42
42
|
var inventoryWriteoffsModule = require("./inventory-writeoffs"); // WRITEOFF_REASONS enum for the /admin/inventory/writeoffs console
|
|
43
43
|
var textGuard = require("./text-guard");
|
|
44
|
+
var securityMiddleware = require("./security-middleware"); // resolveProtocol — shared proxy-trust model for the Secure-cookie decision
|
|
44
45
|
var { AsyncLocalStorage } = require("node:async_hooks"); // allow:non-shop-require — Node-core per-request context (no npm dep); the framework itself composes it in db-role-context / log. No b.* request-context primitive exists to wrap it.
|
|
45
46
|
|
|
46
47
|
var b = require("./vendor/blamejs");
|
|
@@ -510,13 +511,14 @@ function _adminJar() {
|
|
|
510
511
|
|
|
511
512
|
// Whether THIS request's PUBLIC connection is https — drives both the
|
|
512
513
|
// Secure attribute and the prefix choice for the admin session cookie.
|
|
513
|
-
// Same rule as the storefront:
|
|
514
|
-
//
|
|
515
|
-
// Worker), and treat a
|
|
516
|
-
//
|
|
517
|
-
// emitted and a real browser
|
|
514
|
+
// Same rule as the storefront: resolve the Worker-set `x-forwarded-proto`
|
|
515
|
+
// through the shared securityMiddleware.resolveProtocol (the container
|
|
516
|
+
// socket may be plain http behind the TLS-terminating Worker), and treat a
|
|
517
|
+
// direct dev/e2e connection (no forwarded header, non-encrypted socket) as
|
|
518
|
+
// http so the bare-named, non-Secure cookie is emitted and a real browser
|
|
519
|
+
// stores it. One proxy-trust model across HSTS, csrf, and both cookie paths.
|
|
518
520
|
function _secureForReq(req) {
|
|
519
|
-
return
|
|
521
|
+
return securityMiddleware.resolveProtocol(req) === "https";
|
|
520
522
|
}
|
|
521
523
|
function _adminCookieName(secure) { return secure ? ADMIN_COOKIE_NAME_SECURE : ADMIN_COOKIE_NAME; }
|
|
522
524
|
|
package/lib/asset-manifest.json
CHANGED
|
@@ -293,6 +293,42 @@ function clientKey(req) {
|
|
|
293
293
|
return sock || "unknown";
|
|
294
294
|
}
|
|
295
295
|
|
|
296
|
+
/**
|
|
297
|
+
* Own the HTTPS decision for every proxy-trust consumer in one place — the
|
|
298
|
+
* single trust model the security middleware (HSTS via securityHeaders, the
|
|
299
|
+
* Secure-cookie + Origin pre-check via csrfProtect) and the storefront/admin
|
|
300
|
+
* session-cookie Secure flag all resolve protocol through.
|
|
301
|
+
*
|
|
302
|
+
* Topology: the Node container has NO public ingress. It is reachable only
|
|
303
|
+
* through the Cloudflare Worker over the service binding, and the edge always
|
|
304
|
+
* terminates TLS, so the real client scheme rides in the Worker-set
|
|
305
|
+
* `x-forwarded-proto` (always `https` for a real visitor). Because no internet
|
|
306
|
+
* caller can reach the container socket, that header cannot be forged from
|
|
307
|
+
* outside — so honoring it is correct here. blamejs 0.15.14 stopped trusting a
|
|
308
|
+
* bare `trustProxy` (a forgeable X-Forwarded-Proto from a *directly reachable*
|
|
309
|
+
* socket); it hands the decision to an operator-supplied `protocolResolver`
|
|
310
|
+
* when the operator can attest the header's provenance, which this deployment
|
|
311
|
+
* can. A direct dev / e2e connection carries no forwarded header and a plain
|
|
312
|
+
* socket, so it resolves to `http` (and the bare-named, non-Secure cookie a
|
|
313
|
+
* browser will actually store over loopback is emitted).
|
|
314
|
+
*
|
|
315
|
+
* Request-shape reader — returns "http"|"https" for any input, never throws.
|
|
316
|
+
*/
|
|
317
|
+
function resolveProtocol(req) {
|
|
318
|
+
var headers = (req && req.headers) || {};
|
|
319
|
+
var xfp = headers["x-forwarded-proto"];
|
|
320
|
+
if (typeof xfp === "string" && xfp.length > 0) {
|
|
321
|
+
// Leftmost hop is the original client scheme (the Worker sets a single
|
|
322
|
+
// `https` token). Normalize and accept only the two valid schemes.
|
|
323
|
+
var first = xfp.split(",")[0].trim().toLowerCase();
|
|
324
|
+
if (first === "https" || first === "http") return first;
|
|
325
|
+
}
|
|
326
|
+
// No forwarded header → direct connection. Delegate the socket-scheme
|
|
327
|
+
// derivation to the vendored primitive (trustProxy:false = socket-only) so
|
|
328
|
+
// that fallback stays single-sourced in the framework.
|
|
329
|
+
return b.requestHelpers.requestProtocol(req, { trustProxy: false });
|
|
330
|
+
}
|
|
331
|
+
|
|
296
332
|
/**
|
|
297
333
|
* Build the security-headers options for createApp's
|
|
298
334
|
* `middleware.securityHeaders`. The vendored blamejs default emits a
|
|
@@ -333,25 +369,28 @@ function clientKey(req) {
|
|
|
333
369
|
* so both substrates stay header-consistent.
|
|
334
370
|
*/
|
|
335
371
|
function securityHeadersOpts() {
|
|
336
|
-
// `
|
|
372
|
+
// `protocolResolver` is what lets the vendored HSTS header actually
|
|
337
373
|
// ship from the container. The vendored securityHeaders middleware
|
|
338
374
|
// emits Strict-Transport-Security ONLY when the request protocol
|
|
339
375
|
// resolves to https (RFC 6797 §7.2: HSTS over plain HTTP is ignored by
|
|
340
376
|
// UAs, so the middleware suppresses it on non-TLS requests). Behind the
|
|
341
377
|
// Cloudflare Worker the container socket is plain http and the real
|
|
342
|
-
// scheme rides in the Worker-set `x-forwarded-proto: https` —
|
|
343
|
-
//
|
|
344
|
-
// TLS, and drops HSTS on EVERY container-served response.
|
|
345
|
-
// Worker sets its own HSTS on edge-rendered pages, but a
|
|
346
|
-
// container request (edge render off, or an internal hop that
|
|
347
|
-
// HTML) then carries no HSTS at all.
|
|
348
|
-
//
|
|
349
|
-
//
|
|
350
|
-
//
|
|
351
|
-
//
|
|
352
|
-
//
|
|
353
|
-
//
|
|
354
|
-
|
|
378
|
+
// scheme rides in the Worker-set `x-forwarded-proto: https` — left to
|
|
379
|
+
// its default (socket only) the middleware reads `http`, decides the
|
|
380
|
+
// request isn't TLS, and drops HSTS on EVERY container-served response.
|
|
381
|
+
// The edge Worker sets its own HSTS on edge-rendered pages, but a
|
|
382
|
+
// direct-to-container request (edge render off, or an internal hop that
|
|
383
|
+
// returns HTML) then carries no HSTS at all. blamejs 0.15.14 refuses a
|
|
384
|
+
// bare `trustProxy` for this decision (an attacker who can reach the
|
|
385
|
+
// socket could forge X-Forwarded-Proto to suppress HSTS), so we own the
|
|
386
|
+
// decision via `resolveProtocol` — sound here because the container has
|
|
387
|
+
// no public ingress (see resolveProtocol). The csrf gate and the
|
|
388
|
+
// storefront/admin session-cookie path resolve protocol the same way
|
|
389
|
+
// (one trust model). HSTS stays OWNED by the vendored middleware (we set
|
|
390
|
+
// no header ourselves), so there is no double-set: on an edge-rendered
|
|
391
|
+
// page only the Worker's header is present; on a container-served page
|
|
392
|
+
// only this one is.
|
|
393
|
+
return { documentPolicy: false, referrerPolicy: "same-origin", protocolResolver: resolveProtocol };
|
|
355
394
|
}
|
|
356
395
|
|
|
357
396
|
// ---- route-scoped CSP (payment processors + CAPTCHA providers) ----------
|
|
@@ -730,16 +769,18 @@ function mountRouteGuards(r) {
|
|
|
730
769
|
cookie: true,
|
|
731
770
|
skipStateless: true,
|
|
732
771
|
// Behind the Cloudflare Worker the container connection is plain http
|
|
733
|
-
// while the visitor is on https;
|
|
734
|
-
// `x-forwarded-proto` so the origin pre-check derives the real
|
|
735
|
-
// origin (and the token cookie carries the `__Host-csrf` prefix),
|
|
772
|
+
// while the visitor is on https; `protocolResolver` owns the Worker-set
|
|
773
|
+
// `x-forwarded-proto` read so the origin pre-check derives the real
|
|
774
|
+
// public origin (and the token cookie carries the `__Host-csrf` prefix),
|
|
736
775
|
// matching the session-cookie stance (storefront `_secureForReq`).
|
|
737
|
-
//
|
|
738
|
-
//
|
|
739
|
-
//
|
|
740
|
-
//
|
|
741
|
-
|
|
742
|
-
|
|
776
|
+
// blamejs 0.15.14 refuses a bare `trustProxy` here (forgeable from a
|
|
777
|
+
// directly-reachable socket); the resolver is sound because the
|
|
778
|
+
// container has no public ingress (see resolveProtocol). allowedOrigins
|
|
779
|
+
// is the explicit public-host allowlist so a legitimate same-origin POST
|
|
780
|
+
// is never refused as cross-origin on a proxy scheme/host mismatch — the
|
|
781
|
+
// regression that breaks sign-in + every authenticated form behind the CDN.
|
|
782
|
+
protocolResolver: resolveProtocol,
|
|
783
|
+
allowedOrigins: PUBLIC_ORIGINS,
|
|
743
784
|
});
|
|
744
785
|
r.use(function csrfGuard(req, res, next) {
|
|
745
786
|
var pathname = req.pathname || req.url || "/";
|
|
@@ -844,6 +885,7 @@ function mountRouteGuards(r) {
|
|
|
844
885
|
|
|
845
886
|
module.exports = {
|
|
846
887
|
clientKey: clientKey,
|
|
888
|
+
resolveProtocol: resolveProtocol,
|
|
847
889
|
securityHeadersOpts: securityHeadersOpts,
|
|
848
890
|
globalRateLimitOpts: globalRateLimitOpts,
|
|
849
891
|
botGuardOpts: botGuardOpts,
|
|
@@ -603,11 +603,26 @@ function create(opts) {
|
|
|
603
603
|
ins.declared_value_minor + " on the parent insurance");
|
|
604
604
|
}
|
|
605
605
|
var now = _now();
|
|
606
|
-
|
|
606
|
+
// Atomic claim: the `AND status = 'filed'` predicate is the
|
|
607
|
+
// serialization point. The JS check above only refuses a SEQUENTIAL
|
|
608
|
+
// re-adjudication; two concurrent approve calls (a double-clicked
|
|
609
|
+
// operator action, a retried insurer callback) would both read
|
|
610
|
+
// 'filed' and both stamp a payout last-write-wins — two different
|
|
611
|
+
// payout_minor amounts could each be recorded as THE approved payout,
|
|
612
|
+
// or an approve could clobber a deny. Gating the UPDATE on the status
|
|
613
|
+
// means exactly one caller transitions the row; the loser sees zero
|
|
614
|
+
// rows and is refused, so one adjudication outcome sticks.
|
|
615
|
+
var approvedUpd = await query(
|
|
607
616
|
"UPDATE insurance_claims SET status = 'approved', payout_minor = ?1, " +
|
|
608
|
-
"resolved_at = ?2, updated_at = ?2 WHERE id = ?3",
|
|
617
|
+
"resolved_at = ?2, updated_at = ?2 WHERE id = ?3 AND status = 'filed'",
|
|
609
618
|
[input.payout_minor, now, claimId],
|
|
610
619
|
);
|
|
620
|
+
if (Number(approvedUpd.rowCount || 0) !== 1) {
|
|
621
|
+
var racedApprove = await _getClaimRow(claimId);
|
|
622
|
+
throw new TypeError("shippingInsurance.markClaimApproved: claim " + claimId +
|
|
623
|
+
" is " + (racedApprove ? racedApprove.status : "gone") +
|
|
624
|
+
", only filed claims can move to approved");
|
|
625
|
+
}
|
|
611
626
|
return _hydrateClaim(await _getClaimRow(claimId));
|
|
612
627
|
}
|
|
613
628
|
|
|
@@ -630,11 +645,21 @@ function create(opts) {
|
|
|
630
645
|
" is " + claim.status + ", only filed claims can move to denied");
|
|
631
646
|
}
|
|
632
647
|
var now = _now();
|
|
633
|
-
|
|
648
|
+
// Atomic claim — same race, same guard as markClaimApproved: the
|
|
649
|
+
// `AND status = 'filed'` predicate serializes the two concurrent
|
|
650
|
+
// callers so exactly one adjudication outcome (approve XOR deny)
|
|
651
|
+
// transitions the row; the loser is refused.
|
|
652
|
+
var deniedUpd = await query(
|
|
634
653
|
"UPDATE insurance_claims SET status = 'denied', denial_reason = ?1, " +
|
|
635
|
-
"resolved_at = ?2, updated_at = ?2 WHERE id = ?3",
|
|
654
|
+
"resolved_at = ?2, updated_at = ?2 WHERE id = ?3 AND status = 'filed'",
|
|
636
655
|
[denialReason, now, claimId],
|
|
637
656
|
);
|
|
657
|
+
if (Number(deniedUpd.rowCount || 0) !== 1) {
|
|
658
|
+
var racedDeny = await _getClaimRow(claimId);
|
|
659
|
+
throw new TypeError("shippingInsurance.markClaimDenied: claim " + claimId +
|
|
660
|
+
" is " + (racedDeny ? racedDeny.status : "gone") +
|
|
661
|
+
", only filed claims can move to denied");
|
|
662
|
+
}
|
|
638
663
|
return _hydrateClaim(await _getClaimRow(claimId));
|
|
639
664
|
}
|
|
640
665
|
|
package/lib/sms-dispatcher.js
CHANGED
|
@@ -867,19 +867,32 @@ function create(opts) {
|
|
|
867
867
|
if (resolved) providerSlug = resolved.slug;
|
|
868
868
|
}
|
|
869
869
|
if (!providerSlug) {
|
|
870
|
-
|
|
870
|
+
// Atomic claim. The snapshot SELECT above is read without a
|
|
871
|
+
// lock, so two concurrent ticks can both pull this same
|
|
872
|
+
// `queued` row. The `AND status = 'queued'` guard makes the
|
|
873
|
+
// transition the claim: SQLite/D1 serialises writers, so
|
|
874
|
+
// exactly one tick's UPDATE matches the row (rowCount === 1)
|
|
875
|
+
// and the other sees rowCount === 0. Only the winner hands the
|
|
876
|
+
// row to the operator's send hook (via `advanced`), so the
|
|
877
|
+
// terminal failure is recorded — and surfaced — exactly once.
|
|
878
|
+
var lostFail = await query(
|
|
871
879
|
"UPDATE sms_messages SET status = 'failed', failure_reason = ?1, " +
|
|
872
|
-
"failed_at = ?2 WHERE id = ?3",
|
|
880
|
+
"failed_at = ?2 WHERE id = ?3 AND status = 'queued'",
|
|
873
881
|
["no_provider_at_dispatch", now, row.id],
|
|
874
882
|
);
|
|
883
|
+
if (Number(lostFail.rowCount || 0) !== 1) continue;
|
|
875
884
|
advanced.push(await _getMessage(row.id));
|
|
876
885
|
continue;
|
|
877
886
|
}
|
|
878
|
-
|
|
887
|
+
// Atomic claim on the advance to `sent` — same race, same guard.
|
|
888
|
+
// The loser skips so the operator's send hook (the real provider
|
|
889
|
+
// POST) fires once per row, never twice for one message.
|
|
890
|
+
var claimed = await query(
|
|
879
891
|
"UPDATE sms_messages SET status = 'sent', provider_slug = ?1, " +
|
|
880
|
-
"sent_at = ?2 WHERE id = ?3",
|
|
892
|
+
"sent_at = ?2 WHERE id = ?3 AND status = 'queued'",
|
|
881
893
|
[providerSlug, now, row.id],
|
|
882
894
|
);
|
|
895
|
+
if (Number(claimed.rowCount || 0) !== 1) continue;
|
|
883
896
|
advanced.push(await _getMessage(row.id));
|
|
884
897
|
}
|
|
885
898
|
return advanced;
|
package/lib/storefront.js
CHANGED
|
@@ -9600,14 +9600,17 @@ function _readCookie(req, name) {
|
|
|
9600
9600
|
// of truth for both the Secure attribute and the cookie-prefix choice.
|
|
9601
9601
|
// The container socket behind the Cloudflare Worker may be plain http even
|
|
9602
9602
|
// when the visitor's connection is https, so the decision rides on the
|
|
9603
|
-
// forwarded protocol the Worker sets (`x-forwarded-proto`)
|
|
9604
|
-
//
|
|
9605
|
-
//
|
|
9606
|
-
//
|
|
9607
|
-
//
|
|
9608
|
-
//
|
|
9603
|
+
// forwarded protocol the Worker sets (`x-forwarded-proto`). Resolution is
|
|
9604
|
+
// delegated to the shared securityMiddleware.resolveProtocol so this Secure-
|
|
9605
|
+
// cookie decision uses the SAME proxy-trust model as the HSTS + csrf gates
|
|
9606
|
+
// (blamejs 0.15.14 refuses a bare `trustProxy`; the resolver owns the
|
|
9607
|
+
// header read, sound because the container has no public ingress). Direct
|
|
9608
|
+
// dev / e2e connections have no forwarded header and a non-encrypted socket,
|
|
9609
|
+
// so this returns false there and the bare-named, non-Secure cookie is
|
|
9610
|
+
// emitted (a real browser drops a Secure cookie over http, so the bare name
|
|
9611
|
+
// is what keeps dev/e2e sessions working).
|
|
9609
9612
|
function _secureForReq(req) {
|
|
9610
|
-
return
|
|
9613
|
+
return securityMiddleware.resolveProtocol(req) === "https";
|
|
9611
9614
|
}
|
|
9612
9615
|
|
|
9613
9616
|
// Resolve the on-wire name for one of the prefix-hardened cookies. Secure
|