@blamejs/core 0.7.85 → 0.7.87

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.87** (2026-05-06) — Two route-guard middlewares for API hardening: `b.middleware.requireMethods` + `b.middleware.requireContentType`. **`b.middleware.requireMethods(["GET", "POST"])`** refuses any HTTP method outside the allowlist with `405 Method Not Allowed` + `Allow:` header listing the allowed methods (per RFC 9110 §15.5.6). Defends against unexpected verb routing — many CVE-class bugs trace to a route handler wired for GET that accidentally accepts arbitrary verbs (PROPFIND, OPTIONS, custom). **`b.middleware.requireContentType(["application/json"])`** refuses requests with a body (POST/PUT/PATCH by default) whose `Content-Type` isn't in the allowlist with `415 Unsupported Media Type` + `Accept:` header listing the allowed types (RFC 9110 §15.5.16). Defends against MIME-type confusion — a route that processes JSON shouldn't accept `application/x-www-form-urlencoded` even if the body parses. Both middlewares emit observability events (`middleware.requireMethods.denied` / `middleware.requireContentType.denied`) on every refusal for triage. Operators wanting to enforce content-type on idempotent verbs that DO carry bodies (rare DELETE-with-body shapes) override the default body-method list via `requireContentType(types, { methods })`.
+
+- **0.7.86** (2026-05-06) — `b.middleware.csrfProtect({ requireJsonContentType: true })` — strict-fetch mode for JSON-only API surfaces. State-changing requests (POST/PUT/PATCH/DELETE) without `Content-Type: application/json` are refused before the token check with `CSRF: state-changing requests require Content-Type: application/json.` and audit emission `csrf.denied` with `reason: "non-JSON content-type: ..."`. The browser's form-encoded POST shape is the canonical CSRF vector — a malicious page can `<form action="/transfer" method=POST>` a victim into a state-changing request without a preflight. An `application/json` body forces a CORS preflight (the browser refuses to skip it for non-simple Content-Type values), so an attacker without an operator-allowlisted CORS origin can't reach the route at all. Default `false` — operators with HTML form submissions on the same routes (mixed SPA + classic form pages) keep current behavior; pure-fetch API operators opt in.
+
 - **0.7.85** (2026-05-06) — `b.auth.statusList` — OAuth Token Status List (draft-ietf-oauth-status-list-20). The canonical credential-revocation mechanism for SD-JWT VC and OpenID for Verifiable Credentials. An issuer publishes a JWT-wrapped bitstring at a URL; relying parties fetch + check the bit at index N to determine if the credential whose `status_list` claim points at that URL+index is valid / invalid / suspended / application-specific. **`b.auth.statusList.create({ size, bits?, fill? })`** allocates a bit-packed buffer (`bits` ∈ {1, 2, 4, 8} per draft §6.1.1, default 1). The returned object exposes `.set(idx, status)` / `.get(idx)` / `.snapshot()` / `.toJwt({ issuer, subject, privateKey, algorithm, expiresInSec?, ... })`. **`b.auth.statusList.fromJwt(token, { publicKey | keyResolver, algorithms?, expectedIssuer?, ... })`** verifies the JWT through `b.auth.jwt.verify` and returns `{ list, claims }` — the list exposes `.get(idx)` to check status of an individual credential without decompressing into a separate Buffer. The bitstring is zlib-deflated (RFC 1951 raw deflate per draft §6.1.4) before base64url encoding so a million-entry list collapses to ~125 KB on the wire when most bits are zero. Caps the compressed payload at 1 MiB; operators publishing larger lists shard. Status constants exported as `b.auth.statusList.STATUS_{VALID,INVALID,SUSPENDED,APPLICATION_SPECIFIC}`. Foundational for the v0.7.58 EU AI Act + eIDAS 2.0 wallet slice.
 
 - **0.7.84** (2026-05-06) — `b.crypto.sri(content, { algorithm? })` — Subresource Integrity hash builder per W3C SRI 1.0. Operators emit `<script integrity="sha384-...">` and `<link integrity="sha384-...">` to defend against CDN compromise + ISP MITM injection — the browser refuses to load a resource whose actual hash diverges from the integrity attribute. Default algorithm is `sha384` (W3C §3.2 — collision margin without sha512's 64-byte overhead); `sha256` and `sha512` also accepted, anything else refused. Accepts `Buffer` / `Uint8Array` / `string` / array of those — array inputs emit multiple space-separated integrity tokens per W3C §3.3 multi-integrity (browser picks the strongest it recognizes). Returns the standard `sha###-<base64>` format ready to paste into the `integrity=""` attribute.

package/lib/middleware/csrf-protect.js

@@ -228,7 +228,7 @@ function create(opts) {
 
   validateOpts(opts, [
     "cookie", "tokenLookup", "fieldName", "headerName", "methods", "audit",
-    "trustProxy", "checkOrigin", "allowedOrigins",
+    "trustProxy", "checkOrigin", "allowedOrigins", "requireJsonContentType",
   ], "middleware.csrfProtect");
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
@@ -264,6 +264,19 @@ function create(opts) {
   var allowedOrigins = Array.isArray(opts.allowedOrigins)
     ? opts.allowedOrigins.slice() : null;
 
+  // requireJsonContentType — strict-fetch mode for JSON-only API
+  // surfaces. State-changing requests without `Content-Type:
+  // application/json` are refused before the token check. The browser's
+  // form-encoded POST shape is the canonical CSRF vector — a malicious
+  // page can <form action="/transfer" method=POST> a victim into a
+  // state-changing request without a preflight; an `application/json`
+  // body forces a CORS preflight (the browser refuses to skip it for
+  // non-simple Content-Type values), so an attacker without an
+  // operator-allowlisted CORS origin can't reach the route at all.
+  // Operators with HTML form submissions on the same routes (mixed
+  // SPA + classic form pages) leave this opt-out (default).
+  var requireJsonCt = opts.requireJsonContentType === true;
+
   // Cookie issuance config (only when opts.cookie is set).
   var cookieCfg = null;
   if (hasCookie) {
@@ -353,6 +366,16 @@ function create(opts) {
 
     if (methods.indexOf(req.method) === -1) return next();
 
+    // requireJsonContentType — refuse before the token check.
+    if (requireJsonCt) {
+      var ct = req.headers && req.headers["content-type"];
+      var bare = (typeof ct === "string" ? ct.split(";")[0].trim().toLowerCase() : "");
+      if (bare !== "application/json") {
+        _emitDenied(req, "non-JSON content-type: " + (bare || "<absent>"));
+        return _writeReject(res, "CSRF: state-changing requests require Content-Type: application/json.");
+      }
+    }
+
     // Origin / Referer cross-check (defense-in-depth alongside the
     // double-submit token). Refuses cross-origin state-changing
     // requests even when the token is valid (e.g. operator-mistaken

package/lib/middleware/index.js

@@ -40,6 +40,8 @@ var requestId = require("./request-id");
 var requestLog = require("./request-log");
 var requireAal = require("./require-aal");
 var requireAuth = require("./require-auth");
+var requireContentType = require("./require-content-type");
+var requireMethods = require("./require-methods");
 var securityHeaders = require("./security-headers");
 var securityTxt = require("./security-txt");
 var sse = require("./sse");
@@ -55,6 +57,8 @@ module.exports = {
   bearerAuth:       bearerAuth.create,
   requireAal:       requireAal.create,
   requireAuth:      requireAuth.create,
+  requireContentType: requireContentType.create,
+  requireMethods:   requireMethods.create,
   csrfProtect:      csrfProtect.create,
   fetchMetadata:    fetchMetadata.create,
   gpc:              gpc.create,
@@ -85,6 +89,8 @@ module.exports = {
     bearerAuth:       bearerAuth,
     requireAal:       requireAal,
     requireAuth:      requireAuth,
+    requireContentType: requireContentType,
+    requireMethods:   requireMethods,
     csrfProtect:      csrfProtect,
     fetchMetadata:    fetchMetadata,
     bodyParser:       bodyParser,

package/lib/middleware/require-content-type.js

@@ -0,0 +1,81 @@
+"use strict";
+/**
+ * require-content-type middleware — refuses requests with a body
+ * (POST/PUT/PATCH) whose `Content-Type` header isn't in the
+ * operator-supplied allowlist.
+ *
+ * Defense against MIME-type confusion: a route that processes JSON
+ * shouldn't accept `application/x-www-form-urlencoded` even if the
+ * body parses (and vice versa). The middleware refuses with 415
+ * before the body parser runs, per RFC 9110 §15.5.16.
+ *
+ *   router.use(b.middleware.requireContentType(["application/json"]));
+ *
+ * GET / HEAD / DELETE / OPTIONS without a body bypass the check by
+ * default. Operators wanting to enforce content-type on idempotent
+ * verbs that DO carry bodies (rare DELETE-with-body shapes) pass
+ * `methods` to override.
+ */
+
+var lazyRequire = require("../lazy-require");
+var { defineClass } = require("../framework-error");
+
+var RequireContentTypeError = defineClass("RequireContentTypeError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("../observability"); });
+
+var DEFAULT_BODY_METHODS = ["POST", "PUT", "PATCH"];
+
+function _normalizeAllowed(types) {
+  if (!Array.isArray(types) || types.length === 0) return null;
+  var out = [];
+  for (var i = 0; i < types.length; i += 1) {
+    var t = types[i];
+    if (typeof t !== "string" || t.length === 0) return null;
+    var bare = t.split(";")[0].trim().toLowerCase();
+    if (bare.length === 0) return null;
+    out.push(bare);
+  }
+  return out;
+}
+
+function create(allowed, opts) {
+  var normalized = _normalizeAllowed(allowed);
+  if (!normalized) {
+    throw new RequireContentTypeError("require-content-type/no-allowlist",
+      "middleware.requireContentType: first argument must be a non-empty array of content-type strings");
+  }
+  opts = opts || {};
+  var methods = Array.isArray(opts.methods) && opts.methods.length > 0
+                  ? opts.methods.map(function (m) { return m.toUpperCase(); })
+                  : DEFAULT_BODY_METHODS.slice();
+  var auditOn = opts.audit !== false;
+
+  return function requireContentTypeMiddleware(req, res, next) {
+    var m = (req.method || "").toUpperCase();
+    if (methods.indexOf(m) === -1) return next();
+    var ct = req.headers && req.headers["content-type"];
+    var bare = (typeof ct === "string" ? ct.split(";")[0].trim().toLowerCase() : "");
+    if (bare.length > 0 && normalized.indexOf(bare) !== -1) return next();
+    if (!res.headersSent) {
+      var body = "Unsupported Media Type";
+      res.writeHead(415, {                                                       // allow:raw-byte-literal — HTTP 415 status
+        "Accept":         normalized.join(", "),
+        "Content-Type":   "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(body),
+      });
+      res.end(body);
+    }
+    if (auditOn) {
+      try {
+        observability().safeEvent("middleware.requireContentType.denied", 1, {
+          method: m, contentType: bare || "<absent>", route: req.url,
+        });
+      } catch (_e) { /* drop-silent */ }
+    }
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/middleware/require-methods.js

@@ -0,0 +1,70 @@
+"use strict";
+/**
+ * require-methods middleware — refuses HTTP methods outside an
+ * operator-supplied allowlist.
+ *
+ * Defense against unexpected verb routing. Many CVE-class bugs trace
+ * to a route handler that was wired for GET but accidentally also
+ * accepts arbitrary verbs (PROPFIND, OPTIONS, custom). Mounting
+ * `requireMethods(["GET", "POST"])` on the route blocks anything
+ * outside the allowlist before the handler sees the request.
+ *
+ *   router.use(b.middleware.requireMethods(["GET", "POST"]));
+ *
+ * Refusal returns 405 with `Allow:` listing the allowed methods, per
+ * RFC 9110 §15.5.6.
+ */
+
+var lazyRequire = require("../lazy-require");
+var { defineClass } = require("../framework-error");
+
+var RequireMethodsError = defineClass("RequireMethodsError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("../observability"); });
+
+function create(allowed, opts) {
+  if (!Array.isArray(allowed) || allowed.length === 0) {
+    throw new RequireMethodsError("require-methods/no-allowlist",
+      "middleware.requireMethods: first argument must be a non-empty array of HTTP methods");
+  }
+  var normalized = [];
+  for (var i = 0; i < allowed.length; i += 1) {
+    if (typeof allowed[i] !== "string" || allowed[i].length === 0) {
+      throw new RequireMethodsError("require-methods/bad-method",
+        "middleware.requireMethods: method[" + i + "] must be a non-empty string");
+    }
+    if (/[\r\n\0\s,;]/.test(allowed[i])) {
+      throw new RequireMethodsError("require-methods/bad-method",
+        "middleware.requireMethods: method[" + i + "] contains forbidden whitespace / separator characters");
+    }
+    normalized.push(allowed[i].toUpperCase());
+  }
+  var allowHeader = normalized.join(", ");
+  opts = opts || {};
+  var auditOn = opts.audit !== false;
+
+  return function requireMethodsMiddleware(req, res, next) {
+    var m = (req.method || "").toUpperCase();
+    if (normalized.indexOf(m) !== -1) return next();
+    if (!res.headersSent) {
+      var body = "Method Not Allowed";
+      res.writeHead(405, {                                                       // allow:raw-byte-literal — HTTP 405 status
+        "Allow":          allowHeader,
+        "Content-Type":   "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(body),
+      });
+      res.end(body);
+    }
+    if (auditOn) {
+      try {
+        observability().safeEvent("middleware.requireMethods.denied", 1, {
+          method: m, route: req.url,
+        });
+      } catch (_e) { /* drop-silent */ }
+    }
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/ntp-check.js

@@ -124,10 +124,22 @@ function querySingle(server, opts) {
         return done({ code: "ntp/bad-reply", message: "reply too short (" + (msg && msg.length) + " bytes)" });
       }
       // Bytes 40-47 = Transmit Timestamp (NTP epoch seconds.fraction)
-      var ntpSeconds  = msg.readUInt32BE(40);
-      var ntpFraction = msg.readUInt32BE(44);
+      var ntpSeconds  = msg.readUInt32BE(40);                                    // allow:raw-byte-literal — NTP packet offset
+      var ntpFraction = msg.readUInt32BE(44);                                    // allow:raw-byte-literal — NTP packet offset
+      // Refuse a reply whose Transmit Timestamp is zero or earlier than
+      // the NTP epoch (1900-01-01). RFC 5905 §7.3 — a Stratum-16
+      // unsynchronized server emits 0 here; fed to the Unix-offset
+      // subtraction it produces a large-negative serverUnixSeconds
+      // that crashes downstream C.TIME helpers (which require non-
+      // negative finite). Treat as "unsynchronized peer — no drift
+      // measurement possible" rather than throw out of the dgram
+      // 'message' handler.
+      if (ntpSeconds < NTP_TO_UNIX_OFFSET_SECONDS) {
+        return done({ code: "ntp/unsynchronized",
+          message: "server returned NTP transmit timestamp < Unix epoch (likely Stratum-16 unsynchronized)" });
+      }
       var serverUnixSeconds = ntpSeconds - NTP_TO_UNIX_OFFSET_SECONDS;
-      var fracMs = Math.round(C.TIME.seconds(ntpFraction / 0x100000000));
+      var fracMs = Math.round(C.TIME.seconds(ntpFraction / 0x100000000));       // allow:raw-byte-literal — NTP fraction divisor (2^32)
       var serverTimeMs = C.TIME.seconds(serverUnixSeconds) + fracMs;
 
       // Round-trip-corrected drift: assume the server's reply transmit

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.85",
+  "version": "0.7.87",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:c3167b3e-7af4-4368-b131-46f9d9c44ccc",
+  "serialNumber": "urn:uuid:96ee5394-43c1-471e-98e9-f3b59c96f3e0",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T06:22:16.402Z",
+    "timestamp": "2026-05-06T06:37:03.759Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.85",
+      "bom-ref": "@blamejs/core@0.7.87",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.85",
+      "version": "0.7.87",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.85",
+      "purl": "pkg:npm/%40blamejs/core@0.7.87",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.85",
+      "ref": "@blamejs/core@0.7.87",
       "dependsOn": []
     }
   ]