npm - @davaux/csrf - Versions diffs - 0.8.0 → 0.8.1 - Mend

@davaux/csrf 0.8.0 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+import type { MiddlewareFn } from 'davaux';
+declare module 'davaux' {
+    interface State {
+        csrf: {
+            token: string;
+        };
+    }
+}
+export interface CsrfOptions {
+    /**
+     * Form field name to check on `application/x-www-form-urlencoded` requests.
+     * Default: `'_csrf'`
+     */
+    field?: string;
+    /**
+     * Request header name to check (case-insensitive).
+     * Default: `'x-csrf-token'`
+     */
+    header?: string;
+    /**
+     * Session key used to store the token.
+     * Default: `'_csrf'`
+     */
+    sessionKey?: string;
+}
+/**
+ * CSRF protection middleware. Generates a random token per session and rejects
+ * mutating requests (`POST`, `PUT`, `PATCH`, `DELETE`) that do not carry a
+ * matching token in either the request header or a form field.
+ *
+ * Requires `@davaux/session` — register `sessionMiddleware` before this in
+ * your middleware chain. The current token is available as `ctx.state.csrf.token`
+ * for embedding in forms.
+ *
+ * @example
+ * // _global.ts
+ * import { csrfMiddleware } from '@davaux/csrf'
+ * export default csrfMiddleware({ field: '_csrf' })
+ */
+export declare function csrfMiddleware(options?: CsrfOptions): MiddlewareFn;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAA;AAI1C,OAAO,QAAQ,QAAQ,CAAC;IACtB,UAAU,KAAK;QACb,IAAI,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAA;KACxB;CACF;AAID,MAAM,WAAW,WAAW;IAC1B;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;IACd;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAA;IACf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAMD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,cAAc,CAAC,OAAO,GAAE,WAAgB,GAAG,YAAY,CAuCtE"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,70 @@
+import { randomBytes, timingSafeEqual } from 'node:crypto';
+const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
+// ─── Middleware ───────────────────────────────────────────────────────────────
+/**
+ * CSRF protection middleware. Generates a random token per session and rejects
+ * mutating requests (`POST`, `PUT`, `PATCH`, `DELETE`) that do not carry a
+ * matching token in either the request header or a form field.
+ *
+ * Requires `@davaux/session` — register `sessionMiddleware` before this in
+ * your middleware chain. The current token is available as `ctx.state.csrf.token`
+ * for embedding in forms.
+ *
+ * @example
+ * // _global.ts
+ * import { csrfMiddleware } from '@davaux/csrf'
+ * export default csrfMiddleware({ field: '_csrf' })
+ */
+export function csrfMiddleware(options = {}) {
+    const field = options.field ?? '_csrf';
+    const headerName = (options.header ?? 'x-csrf-token').toLowerCase();
+    const sessionKey = options.sessionKey ?? '_csrf';
+    return async (ctx, next) => {
+        if (!ctx.state.session) {
+            throw new Error('@davaux/csrf: sessionMiddleware must be registered before csrfMiddleware');
+        }
+        // Get or generate the token for this session
+        let token = ctx.state.session.get(sessionKey);
+        if (!token) {
+            token = randomBytes(32).toString('hex');
+            ctx.state.session.set(sessionKey, token);
+        }
+        ctx.state.csrf = { token };
+        // Safe methods pass through immediately
+        const method = (ctx.req.method ?? 'GET').toUpperCase();
+        if (SAFE_METHODS.has(method)) {
+            return next();
+        }
+        // Mutating requests must carry a valid token
+        const submitted = await resolveSubmitted(ctx.req, ctx.req.headers[headerName], field, ctx);
+        if (!submitted || !safeEqual(submitted, token)) {
+            ctx.res.writeHead(403, { 'Content-Type': 'text/plain; charset=utf-8' });
+            ctx.res.end('Forbidden: invalid or missing CSRF token');
+            return;
+        }
+        await next();
+    };
+}
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+async function resolveSubmitted(req, headerValue, field, ctx) {
+    if (headerValue)
+        return headerValue;
+    const contentType = req.headers['content-type'] ?? '';
+    if (contentType.includes('application/x-www-form-urlencoded')) {
+        const body = await ctx.form();
+        return body[field];
+    }
+    if (contentType.includes('multipart/form-data')) {
+        const { fields } = await ctx.multipart();
+        return fields[field];
+    }
+    return undefined;
+}
+function safeEqual(a, b) {
+    const aBuf = Buffer.from(a);
+    const bBuf = Buffer.from(b);
+    if (aBuf.length !== bBuf.length)
+        return false;
+    return timingSafeEqual(aBuf, bBuf);
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAgC1D,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAA;AAExD,iFAAiF;AAEjF;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAAC,UAAuB,EAAE;IACtD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,CAAA;IACtC,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC,CAAC,WAAW,EAAE,CAAA;IACnE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAA;IAEhD,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAA;QAC7F,CAAC;QAED,6CAA6C;QAC7C,IAAI,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAS,UAAU,CAAC,CAAA;QACrD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;YACvC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;QAC1C,CAAC;QACD,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE,KAAK,EAAE,CAAA;QAE1B,wCAAwC;QACxC,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAA;QACtD,IAAI,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,EAAE,CAAA;QACf,CAAC;QAED,6CAA6C;QAC7C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CACtC,GAAG,CAAC,GAAG,EACP,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAuB,EACjD,KAAK,EACL,GAAG,CACJ,CAAA;QACD,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC;YAC/C,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,2BAA2B,EAAE,CAAC,CAAA;YACvE,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAA;YACvD,OAAM;QACR,CAAC;QAED,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC;AAED,iFAAiF;AAEjF,KAAK,UAAU,gBAAgB,CAC7B,GAAwC,EACxC,WAA+B,EAC/B,KAAa,EACb,GAAoC;IAEpC,IAAI,WAAW;QAAE,OAAO,WAAW,CAAA;IAEnC,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAA;IACrD,IAAI,WAAW,CAAC,QAAQ,CAAC,mCAAmC,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;QAC7B,OAAO,IAAI,CAAC,KAAK,CAAuB,CAAA;IAC1C,CAAC;IAED,IAAI,WAAW,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAChD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,CAAC,SAAS,EAAE,CAAA;QACxC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAA;IACtB,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,SAAS,SAAS,CAAC,CAAS,EAAE,CAAS;IACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IAC3B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IAC3B,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IAC7C,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;AACpC,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@davaux/csrf",
-  "version": "0.8.0",
+  "version": "0.8.1",
   "description": "CSRF protection middleware for Davaux",
   "type": "module",
   "author": "David L Dyess II",
@@ -13,6 +13,9 @@
     "url": "https://codeberg.org/davaux/davaux/issues"
   },
   "homepage": "https://codeberg.org/davaux/davaux#readme",
+  "files": [
+    "dist"
+  ],
   "exports": {
     ".": {
       "import": "./dist/index.js",
@@ -24,8 +27,8 @@
     "typecheck": "tsc --noEmit"
   },
   "peerDependencies": {
-    "@davaux/session": ">=0.8.0",
-    "davaux": ">=0.8.0"
+    "@davaux/session": ">=0.8.1",
+    "davaux": ">=0.8.1"
   },
   "devDependencies": {
     "@davaux/session": "*",
@@ -33,4 +36,4 @@
     "davaux": "*",
     "typescript": "^6.0.3"
   }
-}
+}

package/CLAUDE.md DELETED Viewed

@@ -1,95 +0,0 @@
-<!-- pka-generated -->
-# @davaux/csrf
-> Generated by Project Knowledge Analyzer on 2026-06-06T21:53:10.185Z
-## Overview
-CSRF protection middleware for Davaux
-**Version**: 0.8.0
-**Author**: David L Dyess II
-**License**: MIT
-**Repository**: https://codeberg.org/davaux/davaux#readme
-## Tech Stack
-- **Language**: TypeScript
-- **Module System**: ESM (`type: module`)
-## Commands
-- `npm run build` — tsc
-- `npm run typecheck` — tsc --noEmit
-## Project Structure
-```
-├── CLAUDE.md
-├── README.md
-├── package.json
-├── tsconfig.json
-└── src/
-    └── index.ts
-```
-## Entry Points
-- `src/index.ts`
-## Files by Type
-### Documentation (2)
-- `CLAUDE.md`
-- `README.md`
-### Config (2)
-- `package.json`
-- `tsconfig.json`
-### Module (1)
-- `src/index.ts`
-## Git
-- **Branch**: main
-- **Last Commit**: chore: Add alpha status note to README
-- **Author**: David Dyess II
-- **Date**: 2026-06-06 15:52:27 -0600
-- **Remote**: https://codeberg.org/davaux/davaux.git
-### Recent Commits
-```
-f527031 chore: Add alpha status note to README
-90c819e chore: Add repo info to package.json files
-b200d9d feat(davaux)!: Add OmlCacheConfig - opt-in with includes option or opt-out with excludes option; Fix OML implementation to follow OML spec - use output instead of return
-3bce0c2 chore: Update and add READMEs to packages; update ROADMAP
-fc27c20 fix(davaux): Remove old dist folder on new builds; fix server port per DavauxConfig
-c760659 feat(davaux): Add minify CSS in production builds
-c899ab8 fix(davaux): Added method JS and JSX extenstion to scanner
-7d99f04 feat(davaux): Add support for declarative partial updates
-3b47f37 chore: Bump package versions to 0.8.0
-aa0460f chore: Add CHANGELOG.md
-```
-## Dependencies
-### Development
-@davaux/session, @types/node, davaux, typescript
-## Exported Symbols
-**`src/index.ts`**
-`csrfMiddleware`, `CsrfOptions`

package/src/index.ts DELETED Viewed

@@ -1,121 +0,0 @@
-import { randomBytes, timingSafeEqual } from 'node:crypto'
-import type {} from '@davaux/session'
-import type { MiddlewareFn } from 'davaux'
-// ─── State augmentation ───────────────────────────────────────────────────────
-declare module 'davaux' {
-  interface State {
-    csrf: { token: string }
-  }
-}
-// ─── Options ──────────────────────────────────────────────────────────────────
-export interface CsrfOptions {
-  /**
-   * Form field name to check on `application/x-www-form-urlencoded` requests.
-   * Default: `'_csrf'`
-   */
-  field?: string
-  /**
-   * Request header name to check (case-insensitive).
-   * Default: `'x-csrf-token'`
-   */
-  header?: string
-  /**
-   * Session key used to store the token.
-   * Default: `'_csrf'`
-   */
-  sessionKey?: string
-}
-const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])
-// ─── Middleware ───────────────────────────────────────────────────────────────
-/**
- * CSRF protection middleware. Generates a random token per session and rejects
- * mutating requests (`POST`, `PUT`, `PATCH`, `DELETE`) that do not carry a
- * matching token in either the request header or a form field.
- *
- * Requires `@davaux/session` — register `sessionMiddleware` before this in
- * your middleware chain. The current token is available as `ctx.state.csrf.token`
- * for embedding in forms.
- *
- * @example
- * // _global.ts
- * import { csrfMiddleware } from '@davaux/csrf'
- * export default csrfMiddleware({ field: '_csrf' })
- */
-export function csrfMiddleware(options: CsrfOptions = {}): MiddlewareFn {
-  const field = options.field ?? '_csrf'
-  const headerName = (options.header ?? 'x-csrf-token').toLowerCase()
-  const sessionKey = options.sessionKey ?? '_csrf'
-  return async (ctx, next) => {
-    if (!ctx.state.session) {
-      throw new Error('@davaux/csrf: sessionMiddleware must be registered before csrfMiddleware')
-    }
-    // Get or generate the token for this session
-    let token = ctx.state.session.get<string>(sessionKey)
-    if (!token) {
-      token = randomBytes(32).toString('hex')
-      ctx.state.session.set(sessionKey, token)
-    }
-    ctx.state.csrf = { token }
-    // Safe methods pass through immediately
-    const method = (ctx.req.method ?? 'GET').toUpperCase()
-    if (SAFE_METHODS.has(method)) {
-      return next()
-    }
-    // Mutating requests must carry a valid token
-    const submitted = await resolveSubmitted(
-      ctx.req,
-      ctx.req.headers[headerName] as string | undefined,
-      field,
-      ctx,
-    )
-    if (!submitted || !safeEqual(submitted, token)) {
-      ctx.res.writeHead(403, { 'Content-Type': 'text/plain; charset=utf-8' })
-      ctx.res.end('Forbidden: invalid or missing CSRF token')
-      return
-    }
-    await next()
-  }
-}
-// ─── Helpers ──────────────────────────────────────────────────────────────────
-async function resolveSubmitted(
-  req: import('node:http').IncomingMessage,
-  headerValue: string | undefined,
-  field: string,
-  ctx: import('davaux').RequestContext,
-): Promise<string | undefined> {
-  if (headerValue) return headerValue
-  const contentType = req.headers['content-type'] ?? ''
-  if (contentType.includes('application/x-www-form-urlencoded')) {
-    const body = await ctx.form()
-    return body[field] as string | undefined
-  }
-  if (contentType.includes('multipart/form-data')) {
-    const { fields } = await ctx.multipart()
-    return fields[field]
-  }
-  return undefined
-}
-function safeEqual(a: string, b: string): boolean {
-  const aBuf = Buffer.from(a)
-  const bBuf = Buffer.from(b)
-  if (aBuf.length !== bBuf.length) return false
-  return timingSafeEqual(aBuf, bBuf)
-}

package/tsconfig.json DELETED Viewed

@@ -1,17 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ESNext",
-    "module": "NodeNext",
-    "moduleResolution": "NodeNext",
-    "strict": true,
-    "declaration": true,
-    "declarationMap": true,
-    "sourceMap": true,
-    "outDir": "./dist",
-    "rootDir": "./src",
-    "skipLibCheck": true,
-    "lib": ["ESNext"],
-    "types": ["node"]
-  },
-  "include": ["src/**/*"]
-}