@djangocfg/monitor 2.1.427 → 2.1.428

package/src/_api/generated/core/params.gen.ts

@@ -62,7 +62,7 @@ type KeyMap = Map<
     }
 >;
 
-const buildKeyMap = (fields: FieldsConfig, map?: KeyMap): KeyMap => {
+function buildKeyMap(fields: FieldsConfig, map?: KeyMap): KeyMap {
   if (!map) {
     map = new Map();
   }
@@ -85,7 +85,7 @@ const buildKeyMap = (fields: FieldsConfig, map?: KeyMap): KeyMap => {
   }
 
   return map;
-};
+}
 
 interface Params {
   body: unknown;
@@ -94,16 +94,18 @@ interface Params {
   query: Record<string, unknown>;
 }
 
-const stripEmptySlots = (params: Params) => {
+type ParamsSlotMap = Record<Slot, unknown>;
+
+function stripEmptySlots(params: ParamsSlotMap): void {
   for (const [slot, value] of Object.entries(params)) {
     if (value && typeof value === 'object' && !Array.isArray(value) && !Object.keys(value).length) {
       delete params[slot as Slot];
     }
   }
-};
+}
 
-export const buildClientParams = (args: ReadonlyArray<unknown>, fields: FieldsConfig) => {
-  const params: Params = {
+export function buildClientParams(args: ReadonlyArray<unknown>, fields: FieldsConfig): Params {
+  const params: ParamsSlotMap = {
     body: Object.create(null),
     headers: Object.create(null),
     path: Object.create(null),
@@ -165,5 +167,5 @@ export const buildClientParams = (args: ReadonlyArray<unknown>, fields: FieldsCo
 
   stripEmptySlots(params);
 
-  return params;
-};
+  return params as Params;
+}

package/src/_api/generated/core/pathSerializer.gen.ts

@@ -25,7 +25,7 @@ interface SerializePrimitiveParam extends SerializePrimitiveOptions {
   value: string;
 }
 
-export const separatorArrayExplode = (style: ArraySeparatorStyle) => {
+export const separatorArrayExplode = (style: ArraySeparatorStyle): '.' | ';' | ',' | '&' => {
   switch (style) {
     case 'label':
       return '.';
@@ -38,7 +38,7 @@ export const separatorArrayExplode = (style: ArraySeparatorStyle) => {
   }
 };
 
-export const separatorArrayNoExplode = (style: ArraySeparatorStyle) => {
+export const separatorArrayNoExplode = (style: ArraySeparatorStyle): ',' | '|' | '%20' => {
   switch (style) {
     case 'form':
       return ',';
@@ -51,7 +51,7 @@ export const separatorArrayNoExplode = (style: ArraySeparatorStyle) => {
   }
 };
 
-export const separatorObjectExplode = (style: ObjectSeparatorStyle) => {
+export const separatorObjectExplode = (style: ObjectSeparatorStyle): '.' | ';' | ',' | '&' => {
   switch (style) {
     case 'label':
       return '.';
@@ -72,7 +72,7 @@ export const serializeArrayParam = ({
   value,
 }: SerializeOptions<ArraySeparatorStyle> & {
   value: unknown[];
-}) => {
+}): string => {
   if (!explode) {
     const joinedValues = (
       allowReserved ? value : value.map((v) => encodeURIComponent(v as string))
@@ -110,7 +110,7 @@ export const serializePrimitiveParam = ({
   allowReserved,
   name,
   value,
-}: SerializePrimitiveParam) => {
+}: SerializePrimitiveParam): string => {
   if (value === undefined || value === null) {
     return '';
   }
@@ -134,7 +134,7 @@ export const serializeObjectParam = ({
 }: SerializeOptions<ObjectSeparatorStyle> & {
   value: Record<string, unknown> | Date;
   valueOnly?: boolean;
-}) => {
+}): string => {
   if (value instanceof Date) {
     return valueOnly ? value.toISOString() : `${name}=${value.toISOString()}`;
   }

package/src/_api/generated/core/queryKeySerializer.gen.ts

@@ -14,7 +14,7 @@ export type JsonValue =
 /**
  * Replacer that converts non-JSON values (bigint, Date, etc.) to safe substitutes.
  */
-export const queryKeyJsonReplacer = (_key: string, value: unknown) => {
+export const queryKeyJsonReplacer = (_key: string, value: unknown): unknown | undefined => {
   if (value === undefined || typeof value === 'function' || typeof value === 'symbol') {
     return undefined;
   }

package/src/_api/generated/core/utils.gen.ts

@@ -13,9 +13,9 @@ export interface PathSerializer {
   url: string;
 }
 
-export const PATH_PARAM_RE = /\{[^{}]+\}/g;
+export const PATH_PARAM_RE: RegExp = /\{[^{}]+\}/g;
 
-export const defaultPathSerializer = ({ path, url: _url }: PathSerializer) => {
+export const defaultPathSerializer = ({ path, url: _url }: PathSerializer): string => {
   let url = _url;
   const matches = _url.match(PATH_PARAM_RE);
   if (matches) {
@@ -94,7 +94,7 @@ export const getUrl = ({
   query?: Record<string, unknown>;
   querySerializer: QuerySerializer;
   url: string;
-}) => {
+}): string => {
   const pathUrl = _url.startsWith('/') ? _url : `/${_url}`;
   let url = (baseUrl ?? '') + pathUrl;
   if (path) {
@@ -114,7 +114,7 @@ export function getValidRequestBody(options: {
   body?: unknown;
   bodySerializer?: BodySerializer | null;
   serializedBody?: unknown;
-}) {
+}): unknown {
   const hasBody = options.body !== undefined;
   const isSerializedBody = hasBody && options.bodySerializer;
 

package/src/_api/generated/helpers/auth.ts

@@ -334,6 +334,119 @@ async function tryRefresh(): Promise<string | null> {
  *     headers: { 'X-API-Key': userKey },
  *   })
  */
+// ── DPoP (RFC 9449) — sender-constrained tokens ────────────────────────────
+//
+// When NEXT_PUBLIC_DPOP_ENABLED === 'true', the client holds a P-256 keypair
+// whose PRIVATE key is non-extractable (Web Crypto `extractable:false`) and
+// stored in IndexedDB. JS — including XSS — can sign with it but can NEVER read
+// it. Each request carries a fresh `DPoP` proof signed by that key; the backend
+// binds the token to the key (`cnf.jkt`) and rejects any request whose proof key
+// doesn't match. A stolen token is therefore useless to an attacker.
+//
+// Dormant unless the env flag is on — bearer-mode apps are unaffected.
+
+function dpopEnabled(): boolean {
+  try {
+    return typeof process !== 'undefined'
+      && process.env?.NEXT_PUBLIC_DPOP_ENABLED === 'true';
+  } catch { return false; }
+}
+
+const _DPOP_DB = 'cfg-auth';
+const _DPOP_STORE = 'keys';
+const _DPOP_KEY_ID = 'dpop-ec-p256';
+
+function _idbOpen(): Promise<IDBDatabase> {
+  return new Promise((resolve, reject) => {
+    const req = indexedDB.open(_DPOP_DB, 1);
+    req.onupgradeneeded = () => req.result.createObjectStore(_DPOP_STORE);
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error);
+  });
+}
+
+function _idbGet(key: string): Promise<CryptoKeyPair | undefined> {
+  return _idbOpen().then((db) => new Promise((resolve, reject) => {
+    const tx = db.transaction(_DPOP_STORE, 'readonly');
+    const req = tx.objectStore(_DPOP_STORE).get(key);
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error);
+  }));
+}
+
+function _idbPut(key: string, value: CryptoKeyPair): Promise<void> {
+  return _idbOpen().then((db) => new Promise((resolve, reject) => {
+    const tx = db.transaction(_DPOP_STORE, 'readwrite');
+    tx.objectStore(_DPOP_STORE).put(value, key);
+    tx.oncomplete = () => resolve();
+    tx.onerror = () => reject(tx.error);
+  }));
+}
+
+/** Single-flight keypair init — the private key is created non-extractable. */
+let _dpopKeyPromise: Promise<CryptoKeyPair> | null = null;
+
+function _getDpopKeyPair(): Promise<CryptoKeyPair> {
+  if (_dpopKeyPromise) return _dpopKeyPromise;
+  _dpopKeyPromise = (async () => {
+    const existing = await _idbGet(_DPOP_KEY_ID).catch(() => undefined);
+    if (existing) return existing;
+    const pair = await crypto.subtle.generateKey(
+      { name: 'ECDSA', namedCurve: 'P-256' },
+      false, // extractable:false — JS can sign but never export the private key
+      ['sign'],
+    );
+    // CryptoKey is structured-cloneable; IndexedDB persists it across reloads
+    // WITHOUT ever exposing raw key bytes to JS.
+    await _idbPut(_DPOP_KEY_ID, pair).catch(() => {});
+    return pair;
+  })();
+  return _dpopKeyPromise;
+}
+
+function _b64urlFromBytes(bytes: ArrayBuffer | Uint8Array): string {
+  const arr = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+  let s = '';
+  for (let i = 0; i < arr.length; i++) s += String.fromCharCode(arr[i]);
+  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+function _b64urlFromString(str: string): string {
+  return _b64urlFromBytes(new TextEncoder().encode(str));
+}
+
+/** ECDSA raw signature (r||s) → JOSE base64url (Web Crypto already returns raw). */
+async function _publicJwk(pub: CryptoKey): Promise<Record<string, string>> {
+  const jwk = await crypto.subtle.exportKey('jwk', pub);
+  // Public components only — required RFC 7638 members for EC.
+  return { kty: 'EC', crv: 'P-256', x: jwk.x as string, y: jwk.y as string };
+}
+
+/** Build a DPoP proof JWT for this request (htm/htu/iat/jti), signed in-key. */
+async function _makeDpopProof(method: string, url: string): Promise<string | null> {
+  try {
+    const pair = await _getDpopKeyPair();
+    const jwk = await _publicJwk(pair.publicKey);
+    const header = { typ: 'dpop+jwt', alg: 'ES256', jwk };
+    // htu = scheme://authority/path without query/fragment.
+    const htu = url.split('#')[0].split('?')[0];
+    const jti =
+      (crypto.randomUUID && crypto.randomUUID()) ||
+      _b64urlFromBytes(crypto.getRandomValues(new Uint8Array(16)));
+    const payload = { htm: method.toUpperCase(), htu, iat: Math.floor(Date.now() / 1000), jti };
+    const signingInput =
+      `${_b64urlFromString(JSON.stringify(header))}.${_b64urlFromString(JSON.stringify(payload))}`;
+    const sig = await crypto.subtle.sign(
+      { name: 'ECDSA', hash: 'SHA-256' },
+      pair.privateKey,
+      new TextEncoder().encode(signingInput),
+    );
+    return `${signingInput}.${_b64urlFromBytes(sig)}`;
+  } catch {
+    return null; // never break a request because proof generation failed
+  }
+}
+
 export function installAuthOnClient(client: HeyClient): void {
   if (_client) return; // idempotent
   _client = client;
@@ -343,7 +456,7 @@ export function installAuthOnClient(client: HeyClient): void {
     credentials: _withCredentials ? 'include' : 'same-origin',
   });
 
-  client.interceptors.request.use((request) => {
+  client.interceptors.request.use(async (request) => {
     const token = auth.getToken();
     if (token) request.headers.set('Authorization', `Bearer ${token}`);
 
@@ -361,6 +474,13 @@ export function installAuthOnClient(client: HeyClient): void {
     } catch {}
     request.headers.set('X-Client-Time', new Date().toISOString());
 
+    // DPoP proof — sign a fresh per-request proof with the non-extractable key.
+    // Only in a browser, only when enabled. Failure is non-fatal (proof null).
+    if (dpopEnabled() && typeof window !== 'undefined') {
+      const proof = await _makeDpopProof(request.method, request.url);
+      if (proof) request.headers.set('DPoP', proof);
+    }
+
     return request;
   });
 
@@ -400,6 +520,12 @@ export function installAuthOnClient(client: HeyClient): void {
     const retry = request.clone();
     retry.headers.set('Authorization', `Bearer ${newToken}`);
     retry.headers.set(RETRY_MARKER, '1');
+    // This retry uses raw fetch() and bypasses the request interceptor, so the
+    // DPoP proof must be re-attached here or a bound token would 401 on retry.
+    if (dpopEnabled() && typeof window !== 'undefined') {
+      const proof = await _makeDpopProof(retry.method, retry.url);
+      if (proof) retry.headers.set('DPoP', proof);
+    }
     try {
       const retried = await fetch(retry);
       if (retried.status === 401 && _onUnauthorized) {

package/src/_api/generated/sdk.gen.ts

@@ -1,6 +1,6 @@
 // This file is auto-generated by @hey-api/openapi-ts
 
-import type { Client, Options as Options2, TDataShape } from './client';
+import type { Client, Options as Options2, RequestResult, TDataShape } from './client';
 import { client } from './client.gen';
 import type { CfgMonitorIngestCreateData, CfgMonitorIngestCreateResponses } from './types.gen';
 
@@ -24,7 +24,7 @@ export class CfgMonitor {
      *
      * Accepts a batch of up to 50 frontend events. No authentication required — anonymous visitors can send events.
      */
-    public static cfgMonitorIngestCreate<ThrowOnError extends boolean = false>(options: Options<CfgMonitorIngestCreateData, ThrowOnError>) {
+    public static cfgMonitorIngestCreate<ThrowOnError extends boolean = false>(options: Options<CfgMonitorIngestCreateData, ThrowOnError>): RequestResult<CfgMonitorIngestCreateResponses, unknown, ThrowOnError> {
         return (options.client ?? client).post<CfgMonitorIngestCreateResponses, unknown, ThrowOnError>({
             url: '/cfg/monitor/ingest/',
             ...options,