@blamejs/core 0.7.107 → 0.8.4

package/lib/middleware/asyncapi-serve.js

@@ -0,0 +1,136 @@
+"use strict";
+/**
+ * asyncapi-serve middleware — expose an AsyncAPI 3.0 document at a
+ * mount point.
+ *
+ *   var aapi = b.asyncapi.create({ ... });
+ *   ...add channels / operations / schemas / security...
+ *
+ *   router.use(b.middleware.asyncapiServe({
+ *     document:      aapi,
+ *     pathJson:      "/asyncapi.json",
+ *     pathYaml:      "/asyncapi.yaml",
+ *     pretty:        true,
+ *     accessControl: "public",
+ *   }));
+ *
+ * Behaviour matches openapiServe: GET / HEAD only, SHA3-512 ETag with
+ * conditional 304, configurable CORS gate, falls through on other
+ * paths / methods.
+ */
+
+var nodeCrypto    = require("crypto");
+var validateOpts  = require("../validate-opts");
+var lazyRequire   = require("../lazy-require");
+var { defineClass } = require("../framework-error");
+var AsyncApiError = defineClass("AsyncApiError", { alwaysPermanent: true });
+
+var openapiYaml   = lazyRequire(function () { return require("../openapi-yaml"); });
+var audit         = lazyRequire(function () { return require("../audit"); });
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "document", "pathJson", "pathYaml", "pretty",
+    "cacheControl", "accessControl", "audit",
+  ], "middleware.asyncapiServe");
+  if (!opts.document || typeof opts.document.toJson !== "function") {
+    throw new AsyncApiError("asyncapi/bad-document",
+      "asyncapiServe: document must be a builder created via b.asyncapi.create()");
+  }
+  var pathJson      = opts.pathJson || "/asyncapi.json";
+  var pathYaml      = opts.pathYaml || "/asyncapi.yaml";
+  var pretty        = opts.pretty === true ? 2 : 0;
+  var cacheControl  = (typeof opts.cacheControl === "string" && opts.cacheControl.length > 0)
+    ? opts.cacheControl : "public, max-age=300";
+  var accessControl = opts.accessControl || "public";
+  var auditOn       = opts.audit !== false;
+
+  if (typeof pathJson !== "string" || pathJson.charAt(0) !== "/") {
+    throw new AsyncApiError("asyncapi/bad-path",
+      "asyncapiServe: pathJson must start with '/'");
+  }
+  if (typeof pathYaml !== "string" || pathYaml.charAt(0) !== "/") {
+    throw new AsyncApiError("asyncapi/bad-path",
+      "asyncapiServe: pathYaml must start with '/'");
+  }
+
+  var cachedJsonStr  = null;
+  var cachedYamlStr  = null;
+  var cachedJsonEtag = null;
+  var cachedYamlEtag = null;
+
+  function _rebuild() {
+    var doc = opts.document.toJson();
+    cachedJsonStr  = JSON.stringify(doc, null, pretty);
+    cachedYamlStr  = openapiYaml().toYaml(doc);
+    cachedJsonEtag = '"' + nodeCrypto.createHash("sha3-512").update(cachedJsonStr).digest("base64url").slice(0, 24) + '"';
+    cachedYamlEtag = '"' + nodeCrypto.createHash("sha3-512").update(cachedYamlStr).digest("base64url").slice(0, 24) + '"';
+  }
+  _rebuild();
+
+  function _writeBody(req, res, body, etag, contentType) {
+    var requestEtag = (req.headers && req.headers["if-none-match"]) || null;
+    if (requestEtag && requestEtag === etag) {
+      res.writeHead(304, { "ETag": etag, "Cache-Control": cacheControl });           // allow:raw-byte-literal — HTTP 304
+      res.end();
+      return;
+    }
+    var headers = {
+      "Content-Type":   contentType,
+      "Content-Length": Buffer.byteLength(body),
+      "Cache-Control":  cacheControl,
+      "ETag":           etag,
+    };
+    if (accessControl === "public") {
+      headers["Access-Control-Allow-Origin"] = "*";
+    }
+    res.writeHead(200, headers);                                                     // allow:raw-byte-literal — HTTP 200
+    res.end(body);
+  }
+
+  var mw = function (req, res, next) {
+    if (typeof res.writeHead !== "function") return next();
+    var method = (req.method || "GET").toUpperCase();
+    if (method !== "GET" && method !== "HEAD") return next();
+    var pathname = req.pathname;
+    if (typeof pathname !== "string") {
+      var url = req.url || "";
+      var qIdx = url.indexOf("?");
+      pathname = qIdx === -1 ? url : url.slice(0, qIdx);
+    }
+    if (pathname === pathJson) {
+      _writeBody(req, res, cachedJsonStr, cachedJsonEtag, "application/json; charset=utf-8");
+      if (auditOn) {
+        try {
+          audit().safeEmit({
+            action:   "asyncapi.document.served",
+            outcome:  "success",
+            actor:    null,
+            metadata: { format: "json", path: pathname, bytes: cachedJsonStr.length },
+          });
+        } catch (_e) { /* drop-silent */ }
+      }
+      return;
+    }
+    if (pathname === pathYaml) {
+      _writeBody(req, res, cachedYamlStr, cachedYamlEtag, "application/yaml; charset=utf-8");
+      if (auditOn) {
+        try {
+          audit().safeEmit({
+            action:   "asyncapi.document.served",
+            outcome:  "success",
+            actor:    null,
+            metadata: { format: "yaml", path: pathname, bytes: cachedYamlStr.length },
+          });
+        } catch (_e) { /* drop-silent */ }
+      }
+      return;
+    }
+    return next();
+  };
+  mw.forceRebuild = _rebuild;
+  return mw;
+}
+
+module.exports = { create: create };

package/lib/middleware/attach-user.js

@@ -67,6 +67,7 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "cookieName", "tokenFrom", "sealed", "vault", "userLoader", "audit",
+    "requireFingerprintMatch", "maxAnomalyScore", "scorer",
   ], "middleware.attachUser");
   if (typeof opts.userLoader !== "function") {
     throw new Error("middleware.attachUser: opts.userLoader is required " +
@@ -76,6 +77,17 @@ function create(opts) {
   var tokenFrom  = opts.tokenFrom  || "both";
   var auditOn    = opts.audit !== false;
   var sealed     = !!opts.sealed;
+  // Fingerprint-drift / IP-UA pin / anomaly-score opts thread through
+  // session.verify so the documented session.create({ req,
+  // fingerprintFields }) defenses actually engage on every verify
+  // through the standard middleware path. Without this they were inert
+  // — an operator who set them at session.create only got the signal,
+  // not enforcement, when the session was checked through attachUser.
+  var verifyOpts = {
+    requireFingerprintMatch: opts.requireFingerprintMatch === true,
+    maxAnomalyScore:         (typeof opts.maxAnomalyScore === "number") ? opts.maxAnomalyScore : null,
+    scorer:                  (typeof opts.scorer === "function") ? opts.scorer : null,
+  };
   if (sealed && (!opts.vault || typeof opts.vault.unseal !== "function")) {
     throw new Error("middleware.attachUser: opts.sealed requires opts.vault " +
       "with a .unseal method (typically b.vault)");
@@ -94,14 +106,25 @@ function create(opts) {
         ? cookieJar.readSealed(req, cookieName)
         : _readCookie(req.headers && req.headers.cookie, cookieName);
     }
-    if (!token && (tokenFrom === "header" || tokenFrom === "both")) {
+    if (!token && (tokenFrom === "header" || tokenFrom === "both") &&
+        !req._bearerAuthHandled) {
+      // bearer-auth (when mounted upstream) sets req._bearerAuthHandled
+      // after consuming + verifying the Authorization header. Skipping
+      // the header re-read here avoids the duplicate verify and the
+      // confusing "session.verify failed" audit row that would land
+      // when the bearer token is a JWT or API key, not a session ID.
       token = _readBearer(req.headers && req.headers.authorization);
     }
     if (!token) return next();
 
     var verified;
     try {
-      verified = await session().verify(token);
+      verified = await session().verify(token, {
+        req: req,
+        requireFingerprintMatch: verifyOpts.requireFingerprintMatch,
+        maxAnomalyScore:         verifyOpts.maxAnomalyScore,
+        scorer:                  verifyOpts.scorer,
+      });
     } catch (_e) {
       // session.verify is tolerant — shouldn't normally throw, but if it
       // does (DB hiccup), don't propagate; treat as "no user" and let

package/lib/middleware/bearer-auth.js

@@ -54,14 +54,28 @@ function _writeUnauthorized(res, scheme, message, realm) {
   res.end(body);
 }
 
+// Three-state extractor: { state: "absent" } when no Authorization
+// header was sent, { state: "malformed" } when one is present but
+// doesn't parse against this middleware's scheme, or { state: "ok",
+// token } on success. The "malformed" case must NOT fall through to
+// downstream auth (cookie-session) — operators relying on bearer-auth
+// expect a 401 when a client deliberately sends `Authorization: ...`
+// even if the value is unparseable.
 function _extractToken(req, scheme) {
   var h = req.headers && req.headers.authorization;
-  if (typeof h !== "string" || h.length === 0) return null;
+  if (typeof h !== "string" || h.length === 0) return { state: "absent" };
   var prefix = scheme + " ";
-  if (h.length <= prefix.length) return null;
-  if (h.slice(0, prefix.length).toLowerCase() !== prefix.toLowerCase()) return null;
+  if (h.length <= prefix.length) return { state: "malformed" };
+  if (h.slice(0, prefix.length).toLowerCase() !== prefix.toLowerCase()) {
+    // Authorization header is for a different scheme (Basic, Digest,
+    // Negotiate, etc.) — leave the request for the next middleware
+    // that handles that scheme. From this middleware's perspective,
+    // it's effectively "absent."
+    return { state: "absent" };
+  }
   var token = h.slice(prefix.length).trim();
-  return token.length > 0 ? token : null;
+  if (token.length === 0) return { state: "malformed" };
+  return { state: "ok", token: token };
 }
 
 function create(opts) {
@@ -80,6 +94,29 @@ function create(opts) {
   var scheme        = opts.scheme || "Bearer";
   var errorMessage  = opts.errorMessage || "Bearer token required.";
   var realm         = opts.realm || null;
+  // CRLF-injection defense on operator-supplied realm — without this,
+  // a config-fed realm like `api\r\nX-Inject: 1` lands in the
+  // WWW-Authenticate response header verbatim. RFC 7235 §2.2 quoted-
+  // string excludes CTLs (codepoints < 0x20 and 0x7F) and the literal
+  // `"` / `\` characters.
+  if (realm !== null) {
+    if (typeof realm !== "string") {
+      throw new AuthError("auth-bearer/bad-realm",
+        "middleware.bearerAuth: realm must be a string");
+    }
+    for (var ri = 0; ri < realm.length; ri += 1) {
+      var rcode = realm.charCodeAt(ri);
+      if (rcode < 32 || rcode === 127) {                                  // allow:raw-byte-literal — ASCII control codepoints
+        throw new AuthError("auth-bearer/bad-realm",
+          "realm contains control character at index " + ri);
+      }
+      var rchar = realm.charAt(ri);
+      if (rchar === '"' || rchar === "\\") {
+        throw new AuthError("auth-bearer/bad-realm",
+          "realm contains illegal character " + JSON.stringify(rchar) + " at index " + ri);
+      }
+    }
+  }
   var tokenAttach   = opts.tokenAttachKey || "bearerToken";
   var userAttach    = opts.userAttachKey || "user";
 
@@ -104,12 +141,33 @@ function create(opts) {
   }
 
   return async function bearerAuth(req, res, next) {
-    var token = _extractToken(req, scheme);
-    if (!token) {
+    var extracted = _extractToken(req, scheme);
+    if (extracted.state === "absent") {
       // No Bearer header — fall through. Cookie-based session middleware
       // running after this can attach a user via the cookie path.
       return next();
     }
+    if (extracted.state === "malformed") {
+      // Authorization header present but does not parse against this
+      // scheme. Refuse with 401 — the request is unambiguously trying
+      // to authenticate via bearer, and falling through to cookie-auth
+      // would mask the operator's malformed-input bug.
+      _emitAudit("auth.bearer.failure", "failure", req, "malformed-authorization");
+      _emitObs("auth.bearer.rejected", 1, { reason: "malformed-authorization" });
+      if (!res.headersSent) {
+        var malformedChallenge = scheme + ' error="invalid_request"' +
+          (realm ? ', realm="' + realm + '"' : "");
+        var malformedBody = JSON.stringify({ error: errorMessage });
+        res.writeHead(401, {                                                     // allow:raw-byte-literal — HTTP 401 status
+          "Content-Type":     "application/json; charset=utf-8",
+          "Content-Length":   Buffer.byteLength(malformedBody),
+          "WWW-Authenticate": malformedChallenge,
+        });
+        res.end(malformedBody);
+      }
+      return;
+    }
+    var token = extracted.token;
 
     var user;
     try {
@@ -143,6 +201,13 @@ function create(opts) {
 
     req[tokenAttach] = token;
     req[userAttach]  = user;
+    // Signal to attach-user (and any other downstream auth middleware)
+    // that this Authorization header has already been consumed and
+    // verified — without this flag, attach-user would re-read the
+    // header and try to parse it as a session token, producing a
+    // confusing "session.verify-tried-and-failed" audit row alongside
+    // the successful "auth.bearer.success" we just emitted.
+    req._bearerAuthHandled = true;
     _emitAudit("auth.bearer.success", "success", req, null);
     _emitObs("auth.bearer.accepted", 1, {});
     next();

package/lib/middleware/body-parser.js

@@ -715,6 +715,19 @@ async function _parseMultipart(req, opts, ctParams) {
               }
               return;
             }
+            // Count the per-part header bytes toward totalSize so a
+            // burst of small parts can't slip past the request-level
+            // cap. Without this, fileCount: 20 + fieldCount: 100
+            // gives an attacker ~120 × 16 KiB = ~1.9 MiB of pending
+            // header state per request, multiplied across concurrent
+            // requests.
+            totalRead += headEnd + 4;
+            if (totalRead > totalSize) {
+              done(new BodyParserError("body-parser/multipart-too-large",
+                "multipart total request size exceeds totalSize (" + totalSize + ")",
+                true, HTTP_STATUS.PAYLOAD_TOO_LARGE));
+              return;
+            }
             currentHeaders = _parseMultipartHeaders(pending.slice(0, headEnd).toString("utf8"));
             pending = pending.slice(headEnd + 4);
             // Decode Content-Disposition.

package/lib/middleware/cors.js

@@ -241,6 +241,16 @@ function create(opts) {
 
     var matched = _matchOrigin(origin, origins);
     if (!matched) {
+      // Always append Vary: Origin when the request carried an Origin
+      // header — otherwise downstream caches that previously cached a
+      // matched-origin response (with ACAO + Vary: Origin set) may
+      // serve the wrong cached entry to this unmatched-origin
+      // request, OR cache the no-CORS response and replay it for a
+      // future matched-origin request. Cheap; matches Fetch-spec
+      // discipline.
+      if (typeof res.setHeader === "function") {
+        try { requestHelpers.appendVary(res, "Origin"); } catch (_e) { /* best-effort */ }
+      }
       if (refuseUnknown) {
         try {
           audit().emit({

package/lib/middleware/csrf-protect.js

@@ -165,7 +165,7 @@ function _appendSetCookie(res, value) {
 // throws on file:// / data:// schemes which would crash the middleware
 // instead of refusing the request. URL constructor + try/catch is the
 // right shape for "is this URL well-formed and what's its origin?".
-function _checkOriginAllowed(req, allowedOrigins, isHttpsFn) {
+function _checkOriginAllowed(req, allowedOrigins, isHttpsFn, requireOrigin) {
   var headers = req.headers || {};
   var origin = headers.origin;
   var referer = headers.referer;
@@ -175,6 +175,9 @@ function _checkOriginAllowed(req, allowedOrigins, isHttpsFn) {
     // gate doesn't add to it. Defense-in-depth against a stolen
     // cookie via a browser-rendered cross-origin fetch IS the value;
     // headless clients carry their own auth threat model.
+    if (requireOrigin === true) {
+      return { allowed: false, reason: "missing-origin-and-referer" };
+    }
     return null;
   }
 
@@ -229,6 +232,7 @@ function create(opts) {
   validateOpts(opts, [
     "cookie", "tokenLookup", "fieldName", "headerName", "methods", "audit",
     "trustProxy", "checkOrigin", "allowedOrigins", "requireJsonContentType",
+    "requireOrigin",
   ], "middleware.csrfProtect");
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
@@ -277,6 +281,14 @@ function create(opts) {
   // SPA + classic form pages) leave this opt-out (default).
   var requireJsonCt = opts.requireJsonContentType === true;
 
+  // requireOrigin — when true, refuse state-changing requests that
+  // carry NO Origin/Referer at all. Default false (back-compat for
+  // server-to-server / curl callers). Operators on a browser-only
+  // route mount the middleware with `requireOrigin: true` so the
+  // documented "no headers = bypass for non-browser" pass-through
+  // is opt-in rather than silent.
+  var requireOriginOpt = opts.requireOrigin === true;
+
   // Cookie issuance config (only when opts.cookie is set).
   var cookieCfg = null;
   if (hasCookie) {
@@ -341,10 +353,29 @@ function create(opts) {
     var cookieName = _resolveCookieName(req);
     var cookies = _parseCookieHeader(req.headers && req.headers.cookie);
     var existing = cookies[cookieName];
-    if (existing && /^[a-f0-9]{2,}$/.test(existing)) {
+    // Strict 64-hex-char check matches the byte-length of every token
+    // forms.generateCsrfToken() produces (CSRF_TOKEN_BYTES = 32 bytes
+    // → 64 hex chars). The previous {2,} floor accepted any 2-char
+    // hex string a sibling-subdomain XSS could plant on plain HTTP
+    // (cookie name falls back to `csrf` when the request isn't HTTPS,
+    // so the `__Host-` prefix safety doesn't apply). Attacker plants
+    // `csrf=ab` then submits matching X-CSRF-Token to bypass the
+    // double-submit gate.
+    if (existing && /^[a-f0-9]{64}$/.test(existing)) {
       req.csrfToken = existing;
       return existing;
     }
+    if (existing && !/^[a-f0-9]{64}$/.test(existing)) {
+      // Audit-emit so operators see when a planted/short cookie is
+      // refused — surfaces the attack class in compliance logs.
+      try {
+        audit().safeEmit({
+          action: "csrf.bad_cookie_value",
+          outcome: "denied",
+          metadata: { cookieName: cookieName, length: existing.length },
+        });
+      } catch (_e) { /* drop-silent */ }
+    }
     var fresh = forms.generateCsrfToken();
     var setCookie = _formatSetCookie(cookieName, fresh, {
       path:     cookieCfg.path,
@@ -381,7 +412,7 @@ function create(opts) {
     // requests even when the token is valid (e.g. operator-mistaken
     // CORS configuration that exposes the cookie).
     if (checkOrigin) {
-      var originReason = _checkOriginAllowed(req, allowedOrigins, _isHttps);
+      var originReason = _checkOriginAllowed(req, allowedOrigins, _isHttps, requireOriginOpt);
       if (originReason !== null) {
         _emitDenied(req, "origin/referer: " + originReason);
         return _writeReject(res, "CSRF cross-origin request refused.");

package/lib/middleware/dpop.js

@@ -215,7 +215,7 @@ function create(opts) {
           audit().safeEmit({
             action:  "auth.bearer.failure",
             actor:   { clientIp: requestHelpers.clientIp(req) },
-            outcome: "fail",
+            outcome: "failure",
             metadata: {
               method: "dpop",
               reason: (e && e.code) || "verify-failed",
@@ -245,7 +245,7 @@ function create(opts) {
             audit().safeEmit({
               action:  "auth.bearer.failure",
               actor:   { clientIp: requestHelpers.clientIp(req) },
-              outcome: "fail",
+              outcome: "failure",
               metadata: { method: "dpop", reason: "stale-nonce", route: req.url },
             });
           } catch (_ignored) { /* drop-silent */ }
@@ -268,7 +268,7 @@ function create(opts) {
         audit().safeEmit({
           action:  "auth.bearer.success",
           actor:   { clientIp: requestHelpers.clientIp(req) },
-          outcome: "ok",
+          outcome: "success",
           metadata: { method: "dpop", jkt: result.jkt, route: req.url },
         });
       } catch (_ignored) { /* drop-silent */ }

package/lib/middleware/flag-context.js

@@ -0,0 +1,76 @@
+"use strict";
+/**
+ * flag-context middleware — extracts an OpenFeature evaluation context
+ * onto the request so downstream handlers and multiple flag clients
+ * can read a consistent context without re-deriving it per call.
+ *
+ *   var attachCtx = b.middleware.flagContext({
+ *     userKey: "x-user-id",                 // header to pull targetingKey from
+ *     extractAttributes: function (req) {   // operator-supplied augmentation
+ *       return { tenantId: req.tenantId, environment: process.env.NODE_ENV };
+ *     },
+ *   });
+ *   router.use(attachCtx);
+ *
+ *   // Downstream:
+ *   var ctx = req.flagCtx;                       // readonly Frozen object
+ *   var enabled = b.flagClient.getBoolean("foo", ctx);
+ *
+ * The middleware does NOT evaluate flags — it only constructs the
+ * context. Pair with `flag.middleware()` for the request-attached
+ * convenience accessor; or pass `req.flagCtx` directly to a flag
+ * client method for a more decoupled shape (e.g. when several flag
+ * clients with different providers share the same context).
+ */
+
+var validateOpts  = require("../validate-opts");
+var lazyRequire   = require("../lazy-require");
+var { defineClass } = require("../framework-error");
+var FlagError = defineClass("FlagError", { alwaysPermanent: true });
+
+var contextMod = lazyRequire(function () { return require("../flag-evaluation-context"); });
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "userKey", "userKeyHeader", "extractAttributes", "tenantKeyHeader",
+  ], "middleware.flagContext");
+  if (opts.extractAttributes != null && typeof opts.extractAttributes !== "function") {
+    throw new FlagError("flag/bad-opt",
+      "flagContext: extractAttributes must be a function");
+  }
+  var userKeyHeader = (typeof opts.userKeyHeader === "string" && opts.userKeyHeader.length > 0)
+    ? opts.userKeyHeader.toLowerCase()
+    : null;
+  var tenantKeyHeader = (typeof opts.tenantKeyHeader === "string" && opts.tenantKeyHeader.length > 0)
+    ? opts.tenantKeyHeader.toLowerCase()
+    : null;
+  var explicitUserKey = (typeof opts.userKey === "string" && opts.userKey.length > 0)
+    ? opts.userKey
+    : null;
+
+  return function flagContextMiddleware(req, res, next) {
+    var headers = req.headers || {};
+    var headerKey = userKeyHeader && typeof headers[userKeyHeader] === "string"
+      ? headers[userKeyHeader]
+      : null;
+    var fromReqOpts = {};
+    if (explicitUserKey)            fromReqOpts.userKey = explicitUserKey;
+    else if (headerKey)             fromReqOpts.userKey = headerKey;
+    var augment = {};
+    if (typeof opts.extractAttributes === "function") {
+      try {
+        var extra = opts.extractAttributes(req);
+        if (extra && typeof extra === "object") augment = extra;
+      } catch (_e) { /* drop-silent on extraction error */ }
+    }
+    if (tenantKeyHeader && typeof headers[tenantKeyHeader] === "string") {
+      augment.tenantId = headers[tenantKeyHeader];
+    }
+    fromReqOpts.extra = augment;
+    req.flagCtx = contextMod().fromRequest(req, fromReqOpts);
+    return next();
+  };
+}
+
+module.exports = { create: create };

package/lib/middleware/host-allowlist.js

@@ -142,7 +142,7 @@ function create(opts) {
     try {
       audit().safeEmit({
         action:  "network.host_allowlist.denied",
-        outcome: "fail",
+        outcome: "denied",
         actor:   { clientIp: requestHelpers.clientIp(req) },
         metadata: {
           reason:  reason,

package/lib/middleware/index.js

@@ -16,7 +16,11 @@
  *   6. (your auth + business middleware + routes)
  *   7. errorHandler     — must be LAST so it catches everything that throws
  */
+var aiActDisclosure = require("./ai-act-disclosure");
 var apiEncrypt = require("./api-encrypt");
+var openapiServe = require("./openapi-serve");
+var asyncapiServe = require("./asyncapi-serve");
+var flagContext = require("./flag-context");
 var assetlinks = require("./assetlinks");
 var attachUser = require("./attach-user");
 var bearerAuth = require("./bearer-auth");
@@ -43,6 +47,7 @@ var requireAal = require("./require-aal");
 var requireAuth = require("./require-auth");
 var requireContentType = require("./require-content-type");
 var requireMethods = require("./require-methods");
+var requireStepUp = require("./require-step-up");
 var securityHeaders = require("./security-headers");
 var securityTxt = require("./security-txt");
 var spanHttpServer = require("./span-http-server");
@@ -65,6 +70,7 @@ module.exports = {
   requireAuth:      requireAuth.create,
   requireContentType: requireContentType.create,
   requireMethods:   requireMethods.create,
+  requireStepUp:    requireStepUp.create,
   csrfProtect:      csrfProtect.create,
   fetchMetadata:    fetchMetadata.create,
   gpc:              gpc.create,
@@ -78,6 +84,10 @@ module.exports = {
   sse:              sse.create,
   requestLog:       requestLog.create,
   apiEncrypt:       apiEncrypt,
+  aiActDisclosure:  aiActDisclosure.create,
+  openapiServe:     openapiServe.create,
+  asyncapiServe:    asyncapiServe.create,
+  flagContext:      flagContext.create,
   assetlinks:       assetlinks.create,
   dbRoleFor:        dbRoleFor.create,
   dpop:             dpop.create,
@@ -103,6 +113,7 @@ module.exports = {
     requireAuth:      requireAuth,
     requireContentType: requireContentType,
     requireMethods:   requireMethods,
+    requireStepUp:    requireStepUp,
     csrfProtect:      csrfProtect,
     fetchMetadata:    fetchMetadata,
     bodyParser:       bodyParser,
@@ -113,6 +124,10 @@ module.exports = {
     sse:              sse,
     requestLog:       requestLog,
     apiEncrypt:       apiEncrypt,
+    aiActDisclosure:  aiActDisclosure,
+    openapiServe:     openapiServe,
+    asyncapiServe:    asyncapiServe,
+    flagContext:      flagContext,
     assetlinks:       assetlinks,
     dbRoleFor:        dbRoleFor,
     dpop:             dpop,