@blamejs/core 0.14.27 → 0.15.0

package/lib/middleware/fetch-metadata.js

@@ -125,11 +125,13 @@ function _writeReject(req, res, message, reason, onDeny, problemMode) {
  * destination list, including `webidentity` (FedCM credentialed
  * requests). `deniedDest` refuses chosen destinations outright on the
  * gated methods — a FedCM `webidentity` Sec-Fetch-Dest hitting a route
- * that is not an identity endpoint is refused. `allowStorageAccess:
- * false` refuses the Storage Access API escalation (a cross-site request
- * carrying `Sec-Fetch-Storage-Access: active` / `inactive`) on routes
- * that do not participate in the Storage Access flow. Both are opt-in;
- * leaving them unset preserves the prior behavior exactly.
+ * that is not an identity endpoint is refused. The Storage Access API
+ * escalation (a cross-site request carrying `Sec-Fetch-Storage-Access:
+ * active` / `inactive`) is REFUSED BY DEFAULT (v0.15.0) on routes that do
+ * not participate in the Storage Access flow; operators running an
+ * embedded-iframe SaaS that legitimately uses the API opt back in with
+ * `allowStorageAccess: true`. `deniedDest` stays opt-in (unset = no
+ * destination is denied outright).
  *
  * @opts
  *   {
@@ -138,7 +140,7 @@ function _writeReject(req, res, message, reason, onDeny, problemMode) {
  *     allowMissing:       boolean,    // default true
  *     allowedDest:        string[],   // cross-site allowlist of Sec-Fetch-Dest values
  *     deniedDest:         string[],   // Sec-Fetch-Dest values refused on gated methods regardless of site (e.g. ["webidentity"])
- *     allowStorageAccess: boolean,    // default true — false refuses Sec-Fetch-Storage-Access: active|inactive
+ *     allowStorageAccess: boolean,    // default false — refuses Sec-Fetch-Storage-Access: active|inactive; pass true to opt back in for Storage-Access-flow routes
  *     strictDest:         boolean,    // default false — true throws at config time on an allowedDest/deniedDest value outside the known Sec-Fetch-Dest vocabulary
  *     allowedNavigate:    boolean,    // default true
  *     methods:            string[],   // default POST/PUT/DELETE/PATCH
@@ -178,7 +180,15 @@ function create(opts) {
   var allowCrossSite     = opts.allowCrossSite === true;
   var allowMissing       = opts.allowMissing !== false;
   var allowedDest        = Array.isArray(opts.allowedDest)    ? opts.allowedDest.slice()    : null;
-  var allowStorageAccess = opts.allowStorageAccess !== false;
+  // Storage Access escalation default-deny (v0.15.0): a cross-site
+  // credentialed request carrying Sec-Fetch-Storage-Access: active|inactive
+  // is REFUSED by default on the gated methods, because that header signals
+  // the embedded context can reach unpartitioned cross-site cookies — a
+  // capability a route that does not participate in the Storage Access flow
+  // should not silently honor. Operators running an embedded-iframe SaaS
+  // that legitimately uses the Storage Access API opt back in with
+  // allowStorageAccess: true.
+  var allowStorageAccess = opts.allowStorageAccess === true;
   // deniedDest → a null-prototype membership map; an operator-supplied
   // destination string is never assigned onto a plain object, so no
   // reserved name (__proto__ / constructor / prototype) can pollute it.

package/lib/middleware/idempotency-key.js

@@ -47,6 +47,7 @@ var validateOpts  = require("../validate-opts");
 var safeBuffer    = require("../safe-buffer");
 var safeJson      = require("../safe-json");
 var safeSql       = require("../safe-sql");
+var sql           = require("../sql");
 var bCrypto       = require("../crypto");
 var cryptoField   = require("../crypto-field");
 var vault         = require("../vault");
@@ -250,17 +251,23 @@ function dbStore(opts) {
       "dbStore: opts.db must be a sqlite-shaped database with a `prepare(sql)` method", true);
   }
   var tableNameRaw = opts.tableName !== undefined ? opts.tableName : "blamejs_idempotency_keys";
-  // Quote-and-validate via safeSql.quoteIdentifier — runs
-  // validateIdentifier internally + emits the dialect-correct quoted
-  // form. Identifier always reaches SQL through the quoted form.
-  var qTable;
-  try { qTable = safeSql.quoteIdentifier(tableNameRaw, "sqlite"); }
+  // Validate the operator-supplied table name up front so a bad
+  // identifier fails at construction with the stable
+  // idempotency/bad-table-name code (b.sql would otherwise raise its own
+  // SqlBuilderError deeper in the first build). b.sql then quotes the
+  // name by construction in every statement it emits for this store
+  // (quoteName:true — this is a direct sqlite handle, not a
+  // clusterStorage rewrite target, so the name is quoted, not left bare).
+  try { safeSql.validateIdentifier(tableNameRaw, { allowReserved: true }); }
   catch (sqlErr) {
     throw new IdempotencyError("idempotency/bad-table-name",
       "dbStore: opts.tableName is not a valid SQL identifier: " +
       (sqlErr && sqlErr.message ? sqlErr.message : String(sqlErr)), true);
   }
-  var qIndex = safeSql.quoteIdentifier(tableNameRaw + "_expires_idx", "sqlite");
+  // b.sql opts for every statement this store builds against the local
+  // sqlite handle: sqlite dialect (native `?` placeholders, double-quoted
+  // identifiers) + quoteName so the operator table name is emitted quoted.
+  var sqlOpts = { dialect: "sqlite", quoteName: true };
   var doInit   = opts.init     !== false;
   var hashKeys = opts.hashKeys !== false;
   var sealReq  = opts.seal     !== false;
@@ -342,38 +349,46 @@ function dbStore(opts) {
   }
 
   if (doInit) {
-    db.prepare("CREATE TABLE IF NOT EXISTS " + qTable + " (" +
-      "k TEXT PRIMARY KEY, " +
-      "fingerprint TEXT NOT NULL, " +
-      "status_code INTEGER NOT NULL, " +
-      "headers TEXT NOT NULL, " +
-      "body TEXT NOT NULL, " +
-      "expires_at INTEGER NOT NULL)").run();
-    db.prepare("CREATE INDEX IF NOT EXISTS " + qIndex + " ON " +
-      qTable + "(expires_at)").run();
+    db.prepare(sql.createTable(tableNameRaw, [
+      { name: "k",           type: "text", primaryKey: true },
+      { name: "fingerprint", type: "text", notNull: true },
+      { name: "status_code", type: "int",  notNull: true },
+      { name: "headers",     type: "text", notNull: true },
+      { name: "body",        type: "text", notNull: true },
+      { name: "expires_at",  type: "int",  notNull: true },
+    ], sqlOpts).sql).run();
+    db.prepare(sql.createIndex(tableNameRaw + "_expires_idx", tableNameRaw,
+      ["expires_at"], sqlOpts).sql).run();
   }
 
-  // Prepared statements. status_code + expires_at stay non-sealed
-  // so audit/forensic SELECTs don't have to unseal-everything. The
-  // `k` column is selected even when not strictly needed for read
-  // because cryptoField.unsealRow uses it as the rowId in AAD when
-  // the table is AAD-bound.
-  var stmtGet = db.prepare(
-    "SELECT k, fingerprint, status_code, headers, body, expires_at FROM " +
-    qTable + " WHERE k = ?");
-  var stmtUpsert = db.prepare(
-    "INSERT INTO " + qTable +
-    "(k, fingerprint, status_code, headers, body, expires_at) " +
-    "VALUES (?, ?, ?, ?, ?, ?) " +
-    "ON CONFLICT(k) DO UPDATE SET " +
-    "  fingerprint = excluded.fingerprint, " +
-    "  status_code = excluded.status_code, " +
-    "  headers     = excluded.headers, " +
-    "  body        = excluded.body, " +
-    "  expires_at  = excluded.expires_at");
-  var stmtDeleteStale = db.prepare("DELETE FROM " + qTable +
-    " WHERE k = ? AND expires_at <= ?");
-  var stmtDelete = db.prepare("DELETE FROM " + qTable + " WHERE k = ?");
+  // Prepared statements, composed once through b.sql and reused per call.
+  // b.sql binds concrete values into a params array; for a reusable
+  // prepared statement we keep only the emitted SQL text (its `?`
+  // placeholders) and bind fresh values at run time, so a build-time
+  // sentinel value is just a placeholder slot. status_code + expires_at
+  // stay non-sealed so audit/forensic SELECTs don't have to unseal-
+  // everything. The `k` column is selected even when not strictly needed
+  // for read because cryptoField.unsealRow uses it as the rowId in AAD
+  // when the table is AAD-bound.
+  var _slot = 0;   // sentinel bind value; the prepared statement rebinds at call time
+  var stmtGet = db.prepare(sql.select(tableNameRaw, sqlOpts)
+    .columns(["k", "fingerprint", "status_code", "headers", "body", "expires_at"])
+    .where("k", _slot)
+    .toSql().sql);
+  var stmtUpsert = db.prepare(sql.upsert(tableNameRaw, sqlOpts)
+    .columns(["k", "fingerprint", "status_code", "headers", "body", "expires_at"])
+    .values({ k: _slot, fingerprint: _slot, status_code: _slot,
+              headers: _slot, body: _slot, expires_at: _slot })
+    .onConflict(["k"])
+    .doUpdateFromExcluded(["fingerprint", "status_code", "headers", "body", "expires_at"])
+    .toSql().sql);
+  var stmtDeleteStale = db.prepare(sql.delete(tableNameRaw, sqlOpts)
+    .where("k", _slot)
+    .where("expires_at", "<=", _slot)
+    .toSql().sql);
+  var stmtDelete = db.prepare(sql.delete(tableNameRaw, sqlOpts)
+    .where("k", _slot)
+    .toSql().sql);
 
   function _k(rawKey) {
     if (!hashKeys) return rawKey;
@@ -484,8 +499,9 @@ function dbStore(opts) {
       }
       var migrated = 0;
       var skipped = 0;
-      var rows = db.prepare("SELECT k, fingerprint, status_code, headers, body, expires_at FROM " +
-        qTable).all();
+      var rows = db.prepare(sql.select(tableNameRaw, sqlOpts)
+        .columns(["k", "fingerprint", "status_code", "headers", "body", "expires_at"])
+        .toSql().sql).all();
       for (var i = 0; i < rows.length; i += 1) {
         var r = rows[i];
         // If headers/body already start with vault.aad: this row is

package/lib/middleware/rate-limit.js

@@ -57,13 +57,63 @@
  * Audit: every limit hit emits system.ratelimit.block with the key + path.
  */
 var C = require("../constants");
+var frameworkSchema = require("../framework-schema");
 var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var safeAsync = require("../safe-async");
+var sql = require("../sql");
 var validateOpts = require("../validate-opts");
 var clusterStorage = require("../cluster-storage");
 var denyResponse = require("./deny-response").denyResponse;
 
+// Cluster-backend table — resolved through frameworkSchema.tableName so a
+// configured table prefix (b.frameworkSchema.setTablePrefix) is honored.
+// The name is identity-mapped in LOCAL_TO_EXTERNAL, so clusterStorage's
+// resolveTables leaves it untouched at dispatch and the resolved name is
+// what reaches the backend on both single-node + cluster sides.
+var RATE_LIMIT_TABLE = "_blamejs_rate_limit_counters";   // allow:hand-rolled-sql — canonical logical table-name declaration
+function _rateLimitSqlTable() { return frameworkSchema.tableName(RATE_LIMIT_TABLE); }
+
+// b.sql opts for every cluster-backend statement: thread the ACTIVE backend
+// dialect (clusterStorage.dialect() — "sqlite" single-node, "postgres" |
+// "mysql" in cluster mode) so the emitted identifier quoting and dialect
+// idioms (ON CONFLICT ... DO UPDATE vs ON DUPLICATE KEY UPDATE) match the
+// backend the SQL dispatches to. b.sql defaults to "sqlite", which works on
+// Postgres only by accident (both double-quote identifiers) and emits the
+// wrong quoting + ON CONFLICT (which MySQL rejects) on MySQL.
+// clusterStorage.execute still rewrites table names + translates `?`
+// placeholders at dispatch; this controls only the builder-side quoting +
+// idiom selection.
+function _rateLimitSqlOpts() { return { dialect: clusterStorage.dialect() }; }
+
+// Dialect-aware references for the conflict-action CASE expressions in
+// take(). The fixed-window counter's update is per-column conditional (a new
+// window resets count to 1; the same window increments), so it can't reduce
+// to doUpdateFromExcluded — it needs a CASE that reads BOTH the proposed row
+// and the existing row. Those two references are spelled differently per
+// dialect and b.sql passes a doUpdate({col: rawExpr}) expression through
+// verbatim (it is NOT EXCLUDED->VALUES translated on MySQL), so the caller
+// must emit the dialect-correct tokens itself:
+//   - proposed-row column: EXCLUDED."<col>" (Postgres/SQLite) vs
+//                          VALUES(`<col>`) (MySQL ON DUPLICATE KEY UPDATE)
+//   - existing-row column: "<table>"."<col>" (Postgres/SQLite) vs
+//                          `<table>`.`<col>` (MySQL)
+// Identifiers here are framework-controlled constants (the table name + the
+// three counter columns), never operator input, so the inline quoting is
+// closed over a fixed set of names.
+function _conflictRefs(dialect, table) {
+  if (dialect === "mysql") {
+    return {
+      proposed: function (col) { return "VALUES(`" + col + "`)"; },
+      existing: function (col) { return "`" + table + "`.`" + col + "`"; },
+    };
+  }
+  return {
+    proposed: function (col) { return "EXCLUDED.\"" + col + "\""; },
+    existing: function (col) { return "\"" + table + "\".\"" + col + "\""; },
+  };
+}
+
 var audit  = lazyRequire(function () { return require("../audit"); });
 var logger = lazyRequire(function () { return require("../log").boot("rate-limit"); });
 
@@ -260,10 +310,10 @@ function _clusterBackend(opts) {
     if (now - lastPruneAt < pruneIntervalMs) return;
     lastPruneAt = now;
     var cutoff = now - windowMs;
-    clusterStorage.execute(
-      "DELETE FROM _blamejs_rate_limit_counters WHERE windowStart < ?",
-      [cutoff]
-    ).catch(function (e) {
+    var built = sql.delete(_rateLimitSqlTable(), _rateLimitSqlOpts())
+      .where("windowStart", "<", cutoff)
+      .toSql();
+    clusterStorage.execute(built.sql, built.params).catch(function (e) {
       try {
         logger().warn("rate-limit prune failed: " + ((e && e.message) || String(e)));
       } catch (_e) { /* logger best-effort */ }
@@ -274,29 +324,49 @@ function _clusterBackend(opts) {
     var now = Date.now();
     var windowStart = Math.floor(now / windowMs) * windowMs;
 
-    // Atomic increment: a fresh window resets count to 1; an existing
-    // row in the same window gets count + 1. Postgres + SQLite both
-    // support ON CONFLICT...DO UPDATE...RETURNING.
-    var result = await clusterStorage.execute(
-      "INSERT INTO _blamejs_rate_limit_counters (key, windowStart, count) " +
-      "VALUES (?, ?, 1) " +
-      "ON CONFLICT (key) DO UPDATE SET " +
-      "  count = CASE " +
-      "    WHEN excluded.windowStart > _blamejs_rate_limit_counters.windowStart " +
-      "    THEN 1 " +
-      "    ELSE _blamejs_rate_limit_counters.count + 1 " +
-      "  END, " +
-      "  windowStart = CASE " +
-      "    WHEN excluded.windowStart > _blamejs_rate_limit_counters.windowStart " +
-      "    THEN excluded.windowStart " +
-      "    ELSE _blamejs_rate_limit_counters.windowStart " +
-      "  END " +
-      "RETURNING count, windowStart",
-      [key, windowStart]
-    );
-    var row = result.rows && result.rows[0];
-    var count = row ? row.count : 1;
-    var rowWindow = row ? row.windowStart : windowStart;
+    // Atomic increment: a fresh window resets count to 1; an existing row in
+    // the same window gets count + 1. The per-column conflict action is a
+    // CASE that reads the proposed row AND the existing row, so it goes
+    // through the STRUCTURED upsert().doUpdate({...}) form with the dialect
+    // threaded — b.sql then renders ON CONFLICT...DO UPDATE...RETURNING
+    // (Postgres/SQLite) or ON DUPLICATE KEY UPDATE + a readback SELECT
+    // (MySQL). The CASE bodies spell the proposed-row (EXCLUDED / VALUES())
+    // and existing-row (table self-reference) tokens per dialect via
+    // _conflictRefs so the same logic compiles on every backend. No `?` in
+    // the CASE bodies; the count seed of 1 binds as the third inserted value.
+    var t = _rateLimitSqlTable();
+    var dialect = clusterStorage.dialect();
+    var refs = _conflictRefs(dialect, t);
+    var newerWindow = refs.proposed("windowStart") + " > " + refs.existing("windowStart");
+    var countExpr = "CASE WHEN " + newerWindow + " THEN 1 ELSE " +
+      refs.existing("count") + " + 1 END";
+    var windowExpr = "CASE WHEN " + newerWindow + " THEN " + refs.proposed("windowStart") +
+      " ELSE " + refs.existing("windowStart") + " END";
+    var built = sql.upsert(t, _rateLimitSqlOpts())
+      .columns(["key", "windowStart", "count"])
+      .values({ key: key, windowStart: windowStart, count: 1 })
+      .onConflict(["key"])
+      .doUpdate({ count: countExpr, windowStart: windowExpr })
+      .returning(["count", "windowStart"])
+      .toSql();
+    var row;
+    if (built.readbackSql) {
+      // MySQL: ON DUPLICATE KEY UPDATE has no RETURNING. Run the upsert,
+      // then the readback SELECT b.sql emits (keyed on the conflict key) to
+      // learn the post-upsert count/windowStart. clusterStorage.execute
+      // coerces the framework int columns (count/windowStart) back to JS
+      // numbers on both reads.
+      await clusterStorage.execute(built.sql, built.params);
+      var readback = await clusterStorage.execute(built.readbackSql.sql, built.readbackSql.params);
+      row = readback.rows && readback.rows[0];
+    } else {
+      var result = await clusterStorage.execute(built.sql, built.params);
+      row = result.rows && result.rows[0];
+    }
+    // count/windowStart are framework int columns coerced to JS numbers by
+    // clusterStorage; the absent-row fall-back keeps the verdict math finite.
+    var count = row ? Number(row.count) : 1;
+    var rowWindow = row ? Number(row.windowStart) : windowStart;
 
     _maybePrune();
 
@@ -318,10 +388,10 @@ function _clusterBackend(opts) {
   }
 
   async function reset(key) {
-    await clusterStorage.execute(
-      "DELETE FROM _blamejs_rate_limit_counters WHERE key = ?",
-      [key]
-    );
+    var built = sql.delete(_rateLimitSqlTable(), _rateLimitSqlOpts())
+      .where("key", key)
+      .toSql();
+    await clusterStorage.execute(built.sql, built.params);
   }
 
   function close() { /* no resources to release */ }
@@ -417,7 +487,7 @@ function create(opts) {
   // pass "RateLimit-", or a gateway's own prefix. Kept as a matched pair.
   var headerPrefix = (typeof opts.headerPrefix === "string" && opts.headerPrefix.length > 0)
     ? opts.headerPrefix : "X-RateLimit-";
-  var limitHeader = headerPrefix + "Limit";
+  var limitHeader = headerPrefix + "Limit";   // allow:hand-rolled-sql — HTTP response-header name (X-RateLimit-Limit), not a SQL LIMIT clause
   var remainingHeader = headerPrefix + "Remaining";
   var skipPaths = opts.skipPaths || [];
   // Throw at create(): each entry must be a string prefix or a RegExp.

package/lib/middleware/security-headers.js

@@ -10,8 +10,12 @@
  *   Referrer-Policy: no-referrer     — don't leak full URL to outbound links
  *   Permissions-Policy               — disable common-attack APIs (camera, geolocation, payment, etc.)
  *   Cross-Origin-Opener-Policy: same-origin
- *   Cross-Origin-Embedder-Policy: require-corp / credentialless   (off by default — breaks images from CDNs; credentialless is the
- *   CR 2024-12 relaxed mode that lets cross-origin no-cors requests load without CORP markers as long as they don't carry credentials)
+ *   Cross-Origin-Embedder-Policy: credentialless   (default-on — with COOP
+ *   same-origin this yields cross-origin isolation; credentialless is the
+ *   relaxed enforcing mode that lets cross-origin no-cors requests load
+ *   without CORP markers as long as they don't carry credentials, so CDN
+ *   images/fonts keep working. Pass coep: "require-corp" to tighten, or
+ *   coep: false to disable.)
  *   Cross-Origin-Resource-Policy: same-origin
  *   Origin-Agent-Cluster: ?1        — origin-keyed agent cluster; extra process isolation
  *   X-DNS-Prefetch-Control: off     — don't pre-resolve DNS for off-page links
@@ -173,8 +177,9 @@ function _validatePermissionsPolicy(value) {
  * nosniff, X-Frame-Options DENY, Referrer-Policy no-referrer, an
  * extensive Permissions-Policy denylist (camera / geolocation /
  * payment / Privacy-Sandbox attribution-reporting / bluetooth /
- * etc.), COOP same-origin, CORP same-origin, Origin-Agent-Cluster
- * `?1`, and a strict default CSP with `require-trusted-types-for
+ * etc.), COOP same-origin, COEP credentialless (cross-origin isolation
+ * on by default; pass `coep: false` to disable), CORP same-origin,
+ * Origin-Agent-Cluster `?1`, and a strict default CSP with `require-trusted-types-for
  * 'script'`. Each header can be softened by passing the option
  * value or disabled by passing `false`. Mount FIRST (after
  * `requestId`) so headers are set before any response could be
@@ -233,7 +238,18 @@ function create(opts) {
   var refPolicy = opts.referrerPolicy === undefined ? "no-referrer" : opts.referrerPolicy;
   var permPolicy = opts.permissionsPolicy === undefined ? DEFAULT_PERMISSIONS.join(", ") : opts.permissionsPolicy;
   var coop  = opts.coop === undefined ? "same-origin" : opts.coop;
-  var coep  = opts.coep === undefined ? false : opts.coep;
+  // COEP default-on (v0.15.0): emit Cross-Origin-Embedder-Policy:
+  // credentialless. With COOP same-origin this completes cross-origin
+  // isolation (crossOriginIsolated === true), re-enabling SharedArrayBuffer
+  // / high-resolution timers while closing the Spectre-class cross-origin
+  // read surface. `credentialless` (HTML spec, shipped Chrome 110+) is the
+  // least-breaking enforcing mode: cross-origin no-cors subresources (CDN
+  // images, fonts) still load — they're fetched WITHOUT credentials rather
+  // than requiring an explicit CORP/CORS opt-in, so existing pages keep
+  // working where `require-corp` would have broken them. Operators serving
+  // credentialed cross-origin subresources pass coep: "require-corp" (and
+  // add CORP/CORS headers), or coep: false to opt out of COEP entirely.
+  var coep  = opts.coep === undefined ? "credentialless" : opts.coep;
   var corp  = opts.corp === undefined ? "same-origin" : opts.corp;
   var oac   = opts.originAgentCluster === undefined ? "?1" : opts.originAgentCluster;
   var dpc   = opts.dnsPrefetchControl === undefined ? "off" : opts.dnsPrefetchControl;