@dr.pogodin/react-utils 1.43.11 → 1.43.13

package/build/development/server/server.js

@@ -131,7 +131,7 @@ async function factory(webpackConfig, options) {
   server.use(_express.default.urlencoded({
     extended: false
   }));
-  server.use((0, _cookieParser.default)());
+  server.use((0, _cookieParser.default)(options.cookieSignatureSecret));
   server.use(_requestIp.default.mw());
   server.use((0, _csurf.default)({
     cookie: true

package/build/development/server/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","names":["_path","require","_url","_lodash","_compression","_interopRequireDefault","_cookieParser","_csurf","_express","_serveFavicon","_helmet","_morgan","_requestIp","_uuid","_renderer","_errors","defaultCspSettings","directives","mapValues","helmet","contentSecurityPolicy","getDefaultDirectives","array","filter","item","push","getDefaultCspSettings","cloneDeep","factory","webpackConfig","options","rendererOps","pick","renderer","rendererFactory","publicPath","output","server","express","beforeExpressJsSetup","logger","httpsRedirect","use","req","res","next","schema","headers","url","host","originalUrl","redirect","compression","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","noCsp","req2","nonce","uuid","cspNonce","cspSettings","cspSettingsHook","favicon","send","json","limit","urlencoded","extended","cookieParser","requestIp","mw","csrf","cookie","loggerMiddleware","token","clientIp","FORMAT","stream","write","info","bind","get","static","path","setHeaders","set","devMode","global","location","href","pathToFileURL","process","cwd","sep","webpack","webpackDevMiddleware","webpackHotMiddleware","compiler","serverSideRender","onExpressJsSetup","newError","ERRORS","NOT_FOUND","CODES","dontAttachDefaultErrorHandler","beforeExpressJsError","error","headersSent","status","INTERNAL_SERVER_ERROR","serverSide","log","toString","message","getErrorForCode","env","NODE_ENV"],"sources":["../../../src/server/server.ts"],"sourcesContent":["/**\n * Creation of standard ExpressJS server for ReactJS apps.\n */\n\nimport { sep } from 'path';\nimport { pathToFileURL } from 'url';\n\nimport {\n  cloneDeep,\n  mapValues,\n  pick,\n} from 'lodash';\n\nimport compression from 'compression';\nimport cookieParser from 'cookie-parser';\nimport csrf from '@dr.pogodin/csurf';\n\nimport express, {\n  type Express,\n  type NextFunction,\n  type RequestHandler,\n  type Request,\n  type Response,\n} from 'express';\n\nimport favicon from 'serve-favicon';\nimport helmet, { type HelmetOptions } from 'helmet';\nimport loggerMiddleware from 'morgan';\nimport requestIp from 'request-ip';\nimport { v4 as uuid } from 'uuid';\n\nimport type { Compiler, Configuration } from 'webpack';\n\nimport rendererFactory, {\n  type LoggerI,\n  type OptionsT as RendererOptionsT,\n} from './renderer';\n\nimport {\n  CODES,\n  ERRORS,\n  getErrorForCode,\n  newError,\n} from './utils/errors';\n\nexport type CspOptionsT =\nExclude<HelmetOptions['contentSecurityPolicy'], boolean | undefined>;\n\n// eslint-disable-next-line @typescript-eslint/consistent-type-definitions\ninterface RequestT extends Request {\n  cspNonce: string;\n  nonce: string;\n}\n\n/**\n * Default Content Security Policy settings.\n * @ignore\n */\nconst defaultCspSettings = {\n  directives: mapValues(\n    helmet.contentSecurityPolicy.getDefaultDirectives(),\n\n    // 'https:' options (automatic re-write of insecure URLs to secure ones)\n    // is removed to facilitate local development with HTTP server. In cloud\n    // deployments we assume Apache or Nginx server in front of out app takes\n    // care about such re-writes.\n    (array) => (array as string[]).filter((item: string) => item !== 'https:'),\n  ),\n};\ndefaultCspSettings.directives['frame-src'] = [\n  \"'self'\",\n\n  // YouTube domain is whitelisted to allow <YouTubeVideo> component to work\n  // out of box.\n  'https://*.youtube.com',\n];\n\n{\n  const directives = defaultCspSettings.directives['script-src'];\n  if (directives) directives.push(\"'unsafe-eval'\");\n  else defaultCspSettings.directives['script-src'] = [\"'unsafe-eval'\"];\n}\n\n// No need for automatic re-writes via Content Security Policy settings:\n// the forefront Apache or Nginx server is supposed to take care of this\n// in production cloud deployments.\ndelete defaultCspSettings.directives['upgrade-insecure-requests'];\n\n/**\n * @category Utilities\n * @func server/getDefaultCspSettings\n * @global\n * @desc\n * ```js\n * import { server } from '@dr.pogodin/react-utils';\n * const { getDefaultCspSettings } from '@dr.pogodin/react-utils';\n * ```\n * @return {{\n *   directives: object\n * }} A deep copy of default CSP settings object used by `react-utils`,\n * with the exception of `nonce-xxx` clause in `script-src` directive,\n * which is added dynamically for each request.\n */\nexport function getDefaultCspSettings(): {\n  directives: Record<string, string[]>;\n} {\n  return cloneDeep(defaultCspSettings);\n}\n\nexport type ServerT = Express & {\n  logger: LoggerI;\n};\n\nexport type OptionsT = RendererOptionsT & {\n  beforeExpressJsError?:\n  (server: ServerT) => boolean | Promise<boolean>;\n\n  beforeExpressJsSetup?: (server: ServerT) => Promise<void> | void;\n  cspSettingsHook?: (\n    defaultOptions: CspOptionsT,\n    req: Request,\n  ) => CspOptionsT;\n  devMode?: boolean;\n  httpsRedirect?: boolean;\n  onExpressJsSetup?: (server: ServerT) => Promise<void> | void;\n};\n\nexport default async function factory(\n  webpackConfig: Configuration,\n  options: OptionsT,\n): Promise<ServerT> {\n  const rendererOps: RendererOptionsT = pick(options, [\n    'Application',\n    'beforeRender',\n    'favicon',\n    'logger',\n    'maxSsrRounds',\n    'noCsp',\n    'ssrTimeout',\n    'staticCacheController',\n    'staticCacheSize',\n  ]);\n  const renderer = rendererFactory(webpackConfig, rendererOps);\n  const { publicPath } = webpackConfig.output!;\n\n  const server = express() as ServerT;\n\n  if (options.beforeExpressJsSetup) {\n    await options.beforeExpressJsSetup(server);\n  }\n\n  if (options.logger) server.logger = options.logger;\n\n  if (options.httpsRedirect) {\n    server.use((req, res, next) => {\n      const schema = req.headers['x-forwarded-proto'];\n      if (schema === 'http') {\n        let url = `https://${req.headers.host}`;\n        if (req.originalUrl !== '/') url += req.originalUrl;\n        res.redirect(url);\n        return;\n      }\n      next();\n    });\n  }\n\n  server.use(compression());\n  server.use(\n    helmet({\n      contentSecurityPolicy: false,\n      crossOriginEmbedderPolicy: false,\n      crossOriginOpenerPolicy: false,\n      crossOriginResourcePolicy: false,\n    }),\n  );\n\n  if (!options.noCsp) {\n    server.use(\n      (req: Request, res: Response, next: NextFunction) => {\n        const req2 = req as RequestT;\n\n        req2.nonce = uuid();\n\n        // TODO: This is deprecated, but it is kept for now for backward\n        // compatibility. Should be removed sometime later.\n        req2.cspNonce = req2.nonce;\n\n        // The deep clone is necessary here to ensure that default value can't be\n        // mutated during request processing.\n        let cspSettings: CspOptionsT = cloneDeep(defaultCspSettings);\n        (cspSettings.directives?.['script-src'] as string[]).push(`'nonce-${req2.nonce}'`);\n        if (options.cspSettingsHook) {\n          cspSettings = options.cspSettingsHook(cspSettings, req);\n        }\n        helmet.contentSecurityPolicy(cspSettings)(req, res, next);\n      },\n    );\n  }\n\n  if (options.favicon) {\n    server.use(favicon(options.favicon));\n  }\n\n  server.use('/robots.txt', (req, res) => {\n    res.send('User-agent: *\\nDisallow:');\n  });\n\n  server.use(express.json({ limit: '300kb' }));\n  server.use(express.urlencoded({ extended: false }));\n  server.use(cookieParser());\n  server.use(requestIp.mw());\n\n  server.use(csrf({ cookie: true }));\n\n  loggerMiddleware.token(\n    'ip',\n    (req: Request & { clientIp: string }) => req.clientIp,\n  );\n  const FORMAT = ':ip > :status :method :url :response-time ms :res[content-length] :referrer :user-agent';\n  server.use(loggerMiddleware(FORMAT, {\n    stream: {\n      // TODO: This implies the logger is always set. Is it on a higher level?\n      // then mark it as always present.\n      write: options.logger!.info.bind(options.logger),\n    },\n  }));\n\n  // Note: no matter the \"public path\", we want the service worker, if any,\n  // to be served from the root, to have all web app pages in its scope.\n  // Thus, this setup to serve it. Probably, need some more configuration\n  // for special cases, but this will do for now.\n  server.get('/__service-worker.js', express.static(\n    webpackConfig.output?.path ?? '',\n    {\n      setHeaders: (res) => res.set('Cache-Control', 'no-cache'),\n    },\n  ));\n\n  /* Setup of Hot Module Reloading for development environment.\n   * These dependencies are not used, nor installed for production use,\n   * hence we should violate some import-related lint rules. */\n  /* eslint-disable import/no-extraneous-dependencies */\n  if (options.devMode) {\n    // This is a workaround for SASS bug:\n    // https://github.com/dart-lang/sdk/issues/27979\n    // which manifests itself sometimes when webpack dev middleware is used\n    // (in dev mode), and app modules are imported in some unfortunate ways.\n    // TODO: Double-check, what is going on here.\n    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition\n    if (!global.location) {\n      global.location = {\n        href: `${pathToFileURL(process.cwd()).href}${sep}`,\n      } as Location;\n    }\n\n    /* eslint-disable @typescript-eslint/no-require-imports */\n    const webpack = require('webpack') as (ops: Configuration) => Compiler;\n\n    // TODO: Figure out the exact type for options, don't wanna waste time on it\n    // right now.\n    const webpackDevMiddleware = require('webpack-dev-middleware') as\n      (c: Compiler, ops: unknown) => RequestHandler;\n\n    const webpackHotMiddleware = require('webpack-hot-middleware') as\n      (c: Compiler) => RequestHandler;\n\n    const compiler = webpack(webpackConfig);\n    server.use(webpackDevMiddleware(compiler, {\n      publicPath,\n      serverSideRender: true,\n    }));\n    server.use(webpackHotMiddleware(compiler));\n  }\n  /* eslint-enable import/no-extraneous-dependencies */\n\n  server.use(publicPath as string, express.static(webpackConfig.output!.path!));\n\n  if (options.onExpressJsSetup) {\n    await options.onExpressJsSetup(server);\n  }\n  server.use(renderer);\n\n  /* Detects 404 errors, and forwards them to the error handler. */\n  server.use((req, res, next) => {\n    next(newError(ERRORS.NOT_FOUND, CODES.NOT_FOUND));\n  });\n\n  let dontAttachDefaultErrorHandler;\n  if (options.beforeExpressJsError) {\n    dontAttachDefaultErrorHandler = await options.beforeExpressJsError(server);\n  }\n\n  /* Error handler. */\n  if (!dontAttachDefaultErrorHandler) {\n    // TODO: Do we need this error handler at all? It actually seems to do\n    // what the default ExpressJS error handler does anyway, see:\n    // https://expressjs.com/en/guide/error-handling.html\n    //\n    // TODO: It is better to move the default error handler definition\n    // to a stand-alone function at top-level, but the use of options.logger\n    // prevents to do it without some extra refactoring. Should be done sometime\n    // though.\n    server.use((\n      error: Error & {\n        status?: number;\n      },\n      req: Request,\n      res: Response,\n      next: NextFunction,\n    ) => {\n      // TODO: This is needed to correctly handled any errors thrown after\n      // sending initial response to the client.\n      if (res.headersSent) {\n        next(error);\n        return;\n      }\n\n      const status = error.status ?? CODES.INTERNAL_SERVER_ERROR;\n      const serverSide = status >= (CODES.INTERNAL_SERVER_ERROR as number);\n\n      // Log server-side errors always, client-side at debug level only.\n      options.logger!.log(serverSide ? 'error' : 'debug', error.toString());\n\n      let message = error.message || getErrorForCode(status);\n      if (serverSide && process.env.NODE_ENV === 'production') {\n        message = ERRORS.INTERNAL_SERVER_ERROR;\n      }\n\n      res.status(status).send(message);\n    });\n  }\n\n  return server;\n}\n"],"mappings":";;;;;;;;AAIA,IAAAA,KAAA,GAAAC,OAAA;AACA,IAAAC,IAAA,GAAAD,OAAA;AAEA,IAAAE,OAAA,GAAAF,OAAA;AAMA,IAAAG,YAAA,GAAAC,sBAAA,CAAAJ,OAAA;AACA,IAAAK,aAAA,GAAAD,sBAAA,CAAAJ,OAAA;AACA,IAAAM,MAAA,GAAAF,sBAAA,CAAAJ,OAAA;AAEA,IAAAO,QAAA,GAAAH,sBAAA,CAAAJ,OAAA;AAQA,IAAAQ,aAAA,GAAAJ,sBAAA,CAAAJ,OAAA;AACA,IAAAS,OAAA,GAAAL,sBAAA,CAAAJ,OAAA;AACA,IAAAU,OAAA,GAAAN,sBAAA,CAAAJ,OAAA;AACA,IAAAW,UAAA,GAAAP,sBAAA,CAAAJ,OAAA;AACA,IAAAY,KAAA,GAAAZ,OAAA;AAIA,IAAAa,SAAA,GAAAT,sBAAA,CAAAJ,OAAA;AAKA,IAAAc,OAAA,GAAAd,OAAA;AAtCA;AACA;AACA;;AA8CA;;AAMA;AACA;AACA;AACA;AACA,MAAMe,kBAAkB,GAAG;EACzBC,UAAU,EAAE,IAAAC,iBAAS,EACnBC,eAAM,CAACC,qBAAqB,CAACC,oBAAoB,CAAC,CAAC;EAEnD;EACA;EACA;EACA;EACCC,KAAK,IAAMA,KAAK,CAAcC,MAAM,CAAEC,IAAY,IAAKA,IAAI,KAAK,QAAQ,CAC3E;AACF,CAAC;AACDR,kBAAkB,CAACC,UAAU,CAAC,WAAW,CAAC,GAAG,CAC3C,QAAQ;AAER;AACA;AACA,uBAAuB,CACxB;AAED;EACE,MAAMA,UAAU,GAAGD,kBAAkB,CAACC,UAAU,CAAC,YAAY,CAAC;EAC9D,IAAIA,UAAU,EAAEA,UAAU,CAACQ,IAAI,CAAC,eAAe,CAAC,CAAC,KAC5CT,kBAAkB,CAACC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC;AACtE;;AAEA;AACA;AACA;AACA,OAAOD,kBAAkB,CAACC,UAAU,CAAC,2BAA2B,CAAC;;AAEjE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASS,qBAAqBA,CAAA,EAEnC;EACA,OAAO,IAAAC,iBAAS,EAACX,kBAAkB,CAAC;AACtC;AAoBe,eAAeY,OAAOA,CACnCC,aAA4B,EAC5BC,OAAiB,EACC;EAClB,MAAMC,WAA6B,GAAG,IAAAC,YAAI,EAACF,OAAO,EAAE,CAClD,aAAa,EACb,cAAc,EACd,SAAS,EACT,QAAQ,EACR,cAAc,EACd,OAAO,EACP,YAAY,EACZ,uBAAuB,EACvB,iBAAiB,CAClB,CAAC;EACF,MAAMG,QAAQ,GAAG,IAAAC,iBAAe,EAACL,aAAa,EAAEE,WAAW,CAAC;EAC5D,MAAM;IAAEI;EAAW,CAAC,GAAGN,aAAa,CAACO,MAAO;EAE5C,MAAMC,MAAM,GAAG,IAAAC,gBAAO,EAAC,CAAY;EAEnC,IAAIR,OAAO,CAACS,oBAAoB,EAAE;IAChC,MAAMT,OAAO,CAACS,oBAAoB,CAACF,MAAM,CAAC;EAC5C;EAEA,IAAIP,OAAO,CAACU,MAAM,EAAEH,MAAM,CAACG,MAAM,GAAGV,OAAO,CAACU,MAAM;EAElD,IAAIV,OAAO,CAACW,aAAa,EAAE;IACzBJ,MAAM,CAACK,GAAG,CAAC,CAACC,GAAG,EAAEC,GAAG,EAAEC,IAAI,KAAK;MAC7B,MAAMC,MAAM,GAAGH,GAAG,CAACI,OAAO,CAAC,mBAAmB,CAAC;MAC/C,IAAID,MAAM,KAAK,MAAM,EAAE;QACrB,IAAIE,GAAG,GAAG,WAAWL,GAAG,CAACI,OAAO,CAACE,IAAI,EAAE;QACvC,IAAIN,GAAG,CAACO,WAAW,KAAK,GAAG,EAAEF,GAAG,IAAIL,GAAG,CAACO,WAAW;QACnDN,GAAG,CAACO,QAAQ,CAACH,GAAG,CAAC;QACjB;MACF;MACAH,IAAI,CAAC,CAAC;IACR,CAAC,CAAC;EACJ;EAEAR,MAAM,CAACK,GAAG,CAAC,IAAAU,oBAAW,EAAC,CAAC,CAAC;EACzBf,MAAM,CAACK,GAAG,CACR,IAAAvB,eAAM,EAAC;IACLC,qBAAqB,EAAE,KAAK;IAC5BiC,yBAAyB,EAAE,KAAK;IAChCC,uBAAuB,EAAE,KAAK;IAC9BC,yBAAyB,EAAE;EAC7B,CAAC,CACH,CAAC;EAED,IAAI,CAACzB,OAAO,CAAC0B,KAAK,EAAE;IAClBnB,MAAM,CAACK,GAAG,CACR,CAACC,GAAY,EAAEC,GAAa,EAAEC,IAAkB,KAAK;MACnD,MAAMY,IAAI,GAAGd,GAAe;MAE5Bc,IAAI,CAACC,KAAK,GAAG,IAAAC,QAAI,EAAC,CAAC;;MAEnB;MACA;MACAF,IAAI,CAACG,QAAQ,GAAGH,IAAI,CAACC,KAAK;;MAE1B;MACA;MACA,IAAIG,WAAwB,GAAG,IAAAlC,iBAAS,EAACX,kBAAkB,CAAC;MAC5D,CAAC6C,WAAW,CAAC5C,UAAU,GAAG,YAAY,CAAC,EAAcQ,IAAI,CAAC,UAAUgC,IAAI,CAACC,KAAK,GAAG,CAAC;MAClF,IAAI5B,OAAO,CAACgC,eAAe,EAAE;QAC3BD,WAAW,GAAG/B,OAAO,CAACgC,eAAe,CAACD,WAAW,EAAElB,GAAG,CAAC;MACzD;MACAxB,eAAM,CAACC,qBAAqB,CAACyC,WAAW,CAAC,CAAClB,GAAG,EAAEC,GAAG,EAAEC,IAAI,CAAC;IAC3D,CACF,CAAC;EACH;EAEA,IAAIf,OAAO,CAACiC,OAAO,EAAE;IACnB1B,MAAM,CAACK,GAAG,CAAC,IAAAqB,qBAAO,EAACjC,OAAO,CAACiC,OAAO,CAAC,CAAC;EACtC;EAEA1B,MAAM,CAACK,GAAG,CAAC,aAAa,EAAE,CAACC,GAAG,EAAEC,GAAG,KAAK;IACtCA,GAAG,CAACoB,IAAI,CAAC,0BAA0B,CAAC;EACtC,CAAC,CAAC;EAEF3B,MAAM,CAACK,GAAG,CAACJ,gBAAO,CAAC2B,IAAI,CAAC;IAAEC,KAAK,EAAE;EAAQ,CAAC,CAAC,CAAC;EAC5C7B,MAAM,CAACK,GAAG,CAACJ,gBAAO,CAAC6B,UAAU,CAAC;IAAEC,QAAQ,EAAE;EAAM,CAAC,CAAC,CAAC;EACnD/B,MAAM,CAACK,GAAG,CAAC,IAAA2B,qBAAY,EAAC,CAAC,CAAC;EAC1BhC,MAAM,CAACK,GAAG,CAAC4B,kBAAS,CAACC,EAAE,CAAC,CAAC,CAAC;EAE1BlC,MAAM,CAACK,GAAG,CAAC,IAAA8B,cAAI,EAAC;IAAEC,MAAM,EAAE;EAAK,CAAC,CAAC,CAAC;EAElCC,eAAgB,CAACC,KAAK,CACpB,IAAI,EACHhC,GAAmC,IAAKA,GAAG,CAACiC,QAC/C,CAAC;EACD,MAAMC,MAAM,GAAG,yFAAyF;EACxGxC,MAAM,CAACK,GAAG,CAAC,IAAAgC,eAAgB,EAACG,MAAM,EAAE;IAClCC,MAAM,EAAE;MACN;MACA;MACAC,KAAK,EAAEjD,OAAO,CAACU,MAAM,CAAEwC,IAAI,CAACC,IAAI,CAACnD,OAAO,CAACU,MAAM;IACjD;EACF,CAAC,CAAC,CAAC;;EAEH;EACA;EACA;EACA;EACAH,MAAM,CAAC6C,GAAG,CAAC,sBAAsB,EAAE5C,gBAAO,CAAC6C,MAAM,CAC/CtD,aAAa,CAACO,MAAM,EAAEgD,IAAI,IAAI,EAAE,EAChC;IACEC,UAAU,EAAGzC,GAAG,IAAKA,GAAG,CAAC0C,GAAG,CAAC,eAAe,EAAE,UAAU;EAC1D,CACF,CAAC,CAAC;;EAEF;AACF;AACA;EACE;EACA,IAAIxD,OAAO,CAACyD,OAAO,EAAE;IACnB;IACA;IACA;IACA;IACA;IACA;IACA,IAAI,CAACC,MAAM,CAACC,QAAQ,EAAE;MACpBD,MAAM,CAACC,QAAQ,GAAG;QAChBC,IAAI,EAAE,GAAG,IAAAC,kBAAa,EAACC,OAAO,CAACC,GAAG,CAAC,CAAC,CAAC,CAACH,IAAI,GAAGI,SAAG;MAClD,CAAa;IACf;;IAEA;IACA,MAAMC,OAAO,GAAG9F,OAAO,CAAC,SAAS,CAAqC;;IAEtE;IACA;IACA,MAAM+F,oBAAoB,GAAG/F,OAAO,CAAC,wBAAwB,CACd;IAE/C,MAAMgG,oBAAoB,GAAGhG,OAAO,CAAC,wBAAwB,CAC5B;IAEjC,MAAMiG,QAAQ,GAAGH,OAAO,CAAClE,aAAa,CAAC;IACvCQ,MAAM,CAACK,GAAG,CAACsD,oBAAoB,CAACE,QAAQ,EAAE;MACxC/D,UAAU;MACVgE,gBAAgB,EAAE;IACpB,CAAC,CAAC,CAAC;IACH9D,MAAM,CAACK,GAAG,CAACuD,oBAAoB,CAACC,QAAQ,CAAC,CAAC;EAC5C;EACA;;EAEA7D,MAAM,CAACK,GAAG,CAACP,UAAU,EAAYG,gBAAO,CAAC6C,MAAM,CAACtD,aAAa,CAACO,MAAM,CAAEgD,IAAK,CAAC,CAAC;EAE7E,IAAItD,OAAO,CAACsE,gBAAgB,EAAE;IAC5B,MAAMtE,OAAO,CAACsE,gBAAgB,CAAC/D,MAAM,CAAC;EACxC;EACAA,MAAM,CAACK,GAAG,CAACT,QAAQ,CAAC;;EAEpB;EACAI,MAAM,CAACK,GAAG,CAAC,CAACC,GAAG,EAAEC,GAAG,EAAEC,IAAI,KAAK;IAC7BA,IAAI,CAAC,IAAAwD,gBAAQ,EAACC,cAAM,CAACC,SAAS,EAAEC,aAAK,CAACD,SAAS,CAAC,CAAC;EACnD,CAAC,CAAC;EAEF,IAAIE,6BAA6B;EACjC,IAAI3E,OAAO,CAAC4E,oBAAoB,EAAE;IAChCD,6BAA6B,GAAG,MAAM3E,OAAO,CAAC4E,oBAAoB,CAACrE,MAAM,CAAC;EAC5E;;EAEA;EACA,IAAI,CAACoE,6BAA6B,EAAE;IAClC;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACApE,MAAM,CAACK,GAAG,CAAC,CACTiE,KAEC,EACDhE,GAAY,EACZC,GAAa,EACbC,IAAkB,KACf;MACH;MACA;MACA,IAAID,GAAG,CAACgE,WAAW,EAAE;QACnB/D,IAAI,CAAC8D,KAAK,CAAC;QACX;MACF;MAEA,MAAME,MAAM,GAAGF,KAAK,CAACE,MAAM,IAAIL,aAAK,CAACM,qBAAqB;MAC1D,MAAMC,UAAU,GAAGF,MAAM,IAAKL,aAAK,CAACM,qBAAgC;;MAEpE;MACAhF,OAAO,CAACU,MAAM,CAAEwE,GAAG,CAACD,UAAU,GAAG,OAAO,GAAG,OAAO,EAAEJ,KAAK,CAACM,QAAQ,CAAC,CAAC,CAAC;MAErE,IAAIC,OAAO,GAAGP,KAAK,CAACO,OAAO,IAAI,IAAAC,uBAAe,EAACN,MAAM,CAAC;MACtD,IAAIE,UAAU,IAAInB,OAAO,CAACwB,GAAG,CAACC,QAAQ,KAAK,YAAY,EAAE;QACvDH,OAAO,GAAGZ,cAAM,CAACQ,qBAAqB;MACxC;MAEAlE,GAAG,CAACiE,MAAM,CAACA,MAAM,CAAC,CAAC7C,IAAI,CAACkD,OAAO,CAAC;IAClC,CAAC,CAAC;EACJ;EAEA,OAAO7E,MAAM;AACf","ignoreList":[]}
+{"version":3,"file":"server.js","names":["_path","require","_url","_lodash","_compression","_interopRequireDefault","_cookieParser","_csurf","_express","_serveFavicon","_helmet","_morgan","_requestIp","_uuid","_renderer","_errors","defaultCspSettings","directives","mapValues","helmet","contentSecurityPolicy","getDefaultDirectives","array","filter","item","push","getDefaultCspSettings","cloneDeep","factory","webpackConfig","options","rendererOps","pick","renderer","rendererFactory","publicPath","output","server","express","beforeExpressJsSetup","logger","httpsRedirect","use","req","res","next","schema","headers","url","host","originalUrl","redirect","compression","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","noCsp","req2","nonce","uuid","cspNonce","cspSettings","cspSettingsHook","favicon","send","json","limit","urlencoded","extended","cookieParser","cookieSignatureSecret","requestIp","mw","csrf","cookie","loggerMiddleware","token","clientIp","FORMAT","stream","write","info","bind","get","static","path","setHeaders","set","devMode","global","location","href","pathToFileURL","process","cwd","sep","webpack","webpackDevMiddleware","webpackHotMiddleware","compiler","serverSideRender","onExpressJsSetup","newError","ERRORS","NOT_FOUND","CODES","dontAttachDefaultErrorHandler","beforeExpressJsError","error","headersSent","status","INTERNAL_SERVER_ERROR","serverSide","log","toString","message","getErrorForCode","env","NODE_ENV"],"sources":["../../../src/server/server.ts"],"sourcesContent":["/**\n * Creation of standard ExpressJS server for ReactJS apps.\n */\n\nimport { sep } from 'path';\nimport { pathToFileURL } from 'url';\n\nimport {\n  cloneDeep,\n  mapValues,\n  pick,\n} from 'lodash';\n\nimport compression from 'compression';\nimport cookieParser from 'cookie-parser';\nimport csrf from '@dr.pogodin/csurf';\n\nimport express, {\n  type Express,\n  type NextFunction,\n  type RequestHandler,\n  type Request,\n  type Response,\n} from 'express';\n\nimport favicon from 'serve-favicon';\nimport helmet, { type HelmetOptions } from 'helmet';\nimport loggerMiddleware from 'morgan';\nimport requestIp from 'request-ip';\nimport { v4 as uuid } from 'uuid';\n\nimport type { Compiler, Configuration } from 'webpack';\n\nimport rendererFactory, {\n  type LoggerI,\n  type OptionsT as RendererOptionsT,\n} from './renderer';\n\nimport {\n  CODES,\n  ERRORS,\n  getErrorForCode,\n  newError,\n} from './utils/errors';\n\nexport type CspOptionsT =\nExclude<HelmetOptions['contentSecurityPolicy'], boolean | undefined>;\n\n// eslint-disable-next-line @typescript-eslint/consistent-type-definitions\ninterface RequestT extends Request {\n  cspNonce: string;\n  nonce: string;\n}\n\n/**\n * Default Content Security Policy settings.\n * @ignore\n */\nconst defaultCspSettings = {\n  directives: mapValues(\n    helmet.contentSecurityPolicy.getDefaultDirectives(),\n\n    // 'https:' options (automatic re-write of insecure URLs to secure ones)\n    // is removed to facilitate local development with HTTP server. In cloud\n    // deployments we assume Apache or Nginx server in front of out app takes\n    // care about such re-writes.\n    (array) => (array as string[]).filter((item: string) => item !== 'https:'),\n  ),\n};\ndefaultCspSettings.directives['frame-src'] = [\n  \"'self'\",\n\n  // YouTube domain is whitelisted to allow <YouTubeVideo> component to work\n  // out of box.\n  'https://*.youtube.com',\n];\n\n{\n  const directives = defaultCspSettings.directives['script-src'];\n  if (directives) directives.push(\"'unsafe-eval'\");\n  else defaultCspSettings.directives['script-src'] = [\"'unsafe-eval'\"];\n}\n\n// No need for automatic re-writes via Content Security Policy settings:\n// the forefront Apache or Nginx server is supposed to take care of this\n// in production cloud deployments.\ndelete defaultCspSettings.directives['upgrade-insecure-requests'];\n\n/**\n * @category Utilities\n * @func server/getDefaultCspSettings\n * @global\n * @desc\n * ```js\n * import { server } from '@dr.pogodin/react-utils';\n * const { getDefaultCspSettings } from '@dr.pogodin/react-utils';\n * ```\n * @return {{\n *   directives: object\n * }} A deep copy of default CSP settings object used by `react-utils`,\n * with the exception of `nonce-xxx` clause in `script-src` directive,\n * which is added dynamically for each request.\n */\nexport function getDefaultCspSettings(): {\n  directives: Record<string, string[]>;\n} {\n  return cloneDeep(defaultCspSettings);\n}\n\nexport type ServerT = Express & {\n  logger: LoggerI;\n};\n\nexport type OptionsT = RendererOptionsT & {\n  beforeExpressJsError?:\n  (server: ServerT) => boolean | Promise<boolean>;\n\n  beforeExpressJsSetup?: (server: ServerT) => Promise<void> | void;\n  cookieSignatureSecret?: string;\n  cspSettingsHook?: (\n    defaultOptions: CspOptionsT,\n    req: Request,\n  ) => CspOptionsT;\n  devMode?: boolean;\n  httpsRedirect?: boolean;\n  onExpressJsSetup?: (server: ServerT) => Promise<void> | void;\n};\n\nexport default async function factory(\n  webpackConfig: Configuration,\n  options: OptionsT,\n): Promise<ServerT> {\n  const rendererOps: RendererOptionsT = pick(options, [\n    'Application',\n    'beforeRender',\n    'favicon',\n    'logger',\n    'maxSsrRounds',\n    'noCsp',\n    'ssrTimeout',\n    'staticCacheController',\n    'staticCacheSize',\n  ]);\n  const renderer = rendererFactory(webpackConfig, rendererOps);\n  const { publicPath } = webpackConfig.output!;\n\n  const server = express() as ServerT;\n\n  if (options.beforeExpressJsSetup) {\n    await options.beforeExpressJsSetup(server);\n  }\n\n  if (options.logger) server.logger = options.logger;\n\n  if (options.httpsRedirect) {\n    server.use((req, res, next) => {\n      const schema = req.headers['x-forwarded-proto'];\n      if (schema === 'http') {\n        let url = `https://${req.headers.host}`;\n        if (req.originalUrl !== '/') url += req.originalUrl;\n        res.redirect(url);\n        return;\n      }\n      next();\n    });\n  }\n\n  server.use(compression());\n  server.use(\n    helmet({\n      contentSecurityPolicy: false,\n      crossOriginEmbedderPolicy: false,\n      crossOriginOpenerPolicy: false,\n      crossOriginResourcePolicy: false,\n    }),\n  );\n\n  if (!options.noCsp) {\n    server.use(\n      (req: Request, res: Response, next: NextFunction) => {\n        const req2 = req as RequestT;\n\n        req2.nonce = uuid();\n\n        // TODO: This is deprecated, but it is kept for now for backward\n        // compatibility. Should be removed sometime later.\n        req2.cspNonce = req2.nonce;\n\n        // The deep clone is necessary here to ensure that default value can't be\n        // mutated during request processing.\n        let cspSettings: CspOptionsT = cloneDeep(defaultCspSettings);\n        (cspSettings.directives?.['script-src'] as string[]).push(`'nonce-${req2.nonce}'`);\n        if (options.cspSettingsHook) {\n          cspSettings = options.cspSettingsHook(cspSettings, req);\n        }\n        helmet.contentSecurityPolicy(cspSettings)(req, res, next);\n      },\n    );\n  }\n\n  if (options.favicon) {\n    server.use(favicon(options.favicon));\n  }\n\n  server.use('/robots.txt', (req, res) => {\n    res.send('User-agent: *\\nDisallow:');\n  });\n\n  server.use(express.json({ limit: '300kb' }));\n  server.use(express.urlencoded({ extended: false }));\n  server.use(cookieParser(options.cookieSignatureSecret));\n  server.use(requestIp.mw());\n\n  server.use(csrf({ cookie: true }));\n\n  loggerMiddleware.token(\n    'ip',\n    (req: Request & { clientIp: string }) => req.clientIp,\n  );\n  const FORMAT = ':ip > :status :method :url :response-time ms :res[content-length] :referrer :user-agent';\n  server.use(loggerMiddleware(FORMAT, {\n    stream: {\n      // TODO: This implies the logger is always set. Is it on a higher level?\n      // then mark it as always present.\n      write: options.logger!.info.bind(options.logger),\n    },\n  }));\n\n  // Note: no matter the \"public path\", we want the service worker, if any,\n  // to be served from the root, to have all web app pages in its scope.\n  // Thus, this setup to serve it. Probably, need some more configuration\n  // for special cases, but this will do for now.\n  server.get('/__service-worker.js', express.static(\n    webpackConfig.output?.path ?? '',\n    {\n      setHeaders: (res) => res.set('Cache-Control', 'no-cache'),\n    },\n  ));\n\n  /* Setup of Hot Module Reloading for development environment.\n   * These dependencies are not used, nor installed for production use,\n   * hence we should violate some import-related lint rules. */\n  /* eslint-disable import/no-extraneous-dependencies */\n  if (options.devMode) {\n    // This is a workaround for SASS bug:\n    // https://github.com/dart-lang/sdk/issues/27979\n    // which manifests itself sometimes when webpack dev middleware is used\n    // (in dev mode), and app modules are imported in some unfortunate ways.\n    // TODO: Double-check, what is going on here.\n    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition\n    if (!global.location) {\n      global.location = {\n        href: `${pathToFileURL(process.cwd()).href}${sep}`,\n      } as Location;\n    }\n\n    /* eslint-disable @typescript-eslint/no-require-imports */\n    const webpack = require('webpack') as (ops: Configuration) => Compiler;\n\n    // TODO: Figure out the exact type for options, don't wanna waste time on it\n    // right now.\n    const webpackDevMiddleware = require('webpack-dev-middleware') as\n      (c: Compiler, ops: unknown) => RequestHandler;\n\n    const webpackHotMiddleware = require('webpack-hot-middleware') as\n      (c: Compiler) => RequestHandler;\n\n    const compiler = webpack(webpackConfig);\n    server.use(webpackDevMiddleware(compiler, {\n      publicPath,\n      serverSideRender: true,\n    }));\n    server.use(webpackHotMiddleware(compiler));\n  }\n  /* eslint-enable import/no-extraneous-dependencies */\n\n  server.use(publicPath as string, express.static(webpackConfig.output!.path!));\n\n  if (options.onExpressJsSetup) {\n    await options.onExpressJsSetup(server);\n  }\n  server.use(renderer);\n\n  /* Detects 404 errors, and forwards them to the error handler. */\n  server.use((req, res, next) => {\n    next(newError(ERRORS.NOT_FOUND, CODES.NOT_FOUND));\n  });\n\n  let dontAttachDefaultErrorHandler;\n  if (options.beforeExpressJsError) {\n    dontAttachDefaultErrorHandler = await options.beforeExpressJsError(server);\n  }\n\n  /* Error handler. */\n  if (!dontAttachDefaultErrorHandler) {\n    // TODO: Do we need this error handler at all? It actually seems to do\n    // what the default ExpressJS error handler does anyway, see:\n    // https://expressjs.com/en/guide/error-handling.html\n    //\n    // TODO: It is better to move the default error handler definition\n    // to a stand-alone function at top-level, but the use of options.logger\n    // prevents to do it without some extra refactoring. Should be done sometime\n    // though.\n    server.use((\n      error: Error & {\n        status?: number;\n      },\n      req: Request,\n      res: Response,\n      next: NextFunction,\n    ) => {\n      // TODO: This is needed to correctly handled any errors thrown after\n      // sending initial response to the client.\n      if (res.headersSent) {\n        next(error);\n        return;\n      }\n\n      const status = error.status ?? CODES.INTERNAL_SERVER_ERROR;\n      const serverSide = status >= (CODES.INTERNAL_SERVER_ERROR as number);\n\n      // Log server-side errors always, client-side at debug level only.\n      options.logger!.log(serverSide ? 'error' : 'debug', error.toString());\n\n      let message = error.message || getErrorForCode(status);\n      if (serverSide && process.env.NODE_ENV === 'production') {\n        message = ERRORS.INTERNAL_SERVER_ERROR;\n      }\n\n      res.status(status).send(message);\n    });\n  }\n\n  return server;\n}\n"],"mappings":";;;;;;;;AAIA,IAAAA,KAAA,GAAAC,OAAA;AACA,IAAAC,IAAA,GAAAD,OAAA;AAEA,IAAAE,OAAA,GAAAF,OAAA;AAMA,IAAAG,YAAA,GAAAC,sBAAA,CAAAJ,OAAA;AACA,IAAAK,aAAA,GAAAD,sBAAA,CAAAJ,OAAA;AACA,IAAAM,MAAA,GAAAF,sBAAA,CAAAJ,OAAA;AAEA,IAAAO,QAAA,GAAAH,sBAAA,CAAAJ,OAAA;AAQA,IAAAQ,aAAA,GAAAJ,sBAAA,CAAAJ,OAAA;AACA,IAAAS,OAAA,GAAAL,sBAAA,CAAAJ,OAAA;AACA,IAAAU,OAAA,GAAAN,sBAAA,CAAAJ,OAAA;AACA,IAAAW,UAAA,GAAAP,sBAAA,CAAAJ,OAAA;AACA,IAAAY,KAAA,GAAAZ,OAAA;AAIA,IAAAa,SAAA,GAAAT,sBAAA,CAAAJ,OAAA;AAKA,IAAAc,OAAA,GAAAd,OAAA;AAtCA;AACA;AACA;;AA8CA;;AAMA;AACA;AACA;AACA;AACA,MAAMe,kBAAkB,GAAG;EACzBC,UAAU,EAAE,IAAAC,iBAAS,EACnBC,eAAM,CAACC,qBAAqB,CAACC,oBAAoB,CAAC,CAAC;EAEnD;EACA;EACA;EACA;EACCC,KAAK,IAAMA,KAAK,CAAcC,MAAM,CAAEC,IAAY,IAAKA,IAAI,KAAK,QAAQ,CAC3E;AACF,CAAC;AACDR,kBAAkB,CAACC,UAAU,CAAC,WAAW,CAAC,GAAG,CAC3C,QAAQ;AAER;AACA;AACA,uBAAuB,CACxB;AAED;EACE,MAAMA,UAAU,GAAGD,kBAAkB,CAACC,UAAU,CAAC,YAAY,CAAC;EAC9D,IAAIA,UAAU,EAAEA,UAAU,CAACQ,IAAI,CAAC,eAAe,CAAC,CAAC,KAC5CT,kBAAkB,CAACC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC;AACtE;;AAEA;AACA;AACA;AACA,OAAOD,kBAAkB,CAACC,UAAU,CAAC,2BAA2B,CAAC;;AAEjE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASS,qBAAqBA,CAAA,EAEnC;EACA,OAAO,IAAAC,iBAAS,EAACX,kBAAkB,CAAC;AACtC;AAqBe,eAAeY,OAAOA,CACnCC,aAA4B,EAC5BC,OAAiB,EACC;EAClB,MAAMC,WAA6B,GAAG,IAAAC,YAAI,EAACF,OAAO,EAAE,CAClD,aAAa,EACb,cAAc,EACd,SAAS,EACT,QAAQ,EACR,cAAc,EACd,OAAO,EACP,YAAY,EACZ,uBAAuB,EACvB,iBAAiB,CAClB,CAAC;EACF,MAAMG,QAAQ,GAAG,IAAAC,iBAAe,EAACL,aAAa,EAAEE,WAAW,CAAC;EAC5D,MAAM;IAAEI;EAAW,CAAC,GAAGN,aAAa,CAACO,MAAO;EAE5C,MAAMC,MAAM,GAAG,IAAAC,gBAAO,EAAC,CAAY;EAEnC,IAAIR,OAAO,CAACS,oBAAoB,EAAE;IAChC,MAAMT,OAAO,CAACS,oBAAoB,CAACF,MAAM,CAAC;EAC5C;EAEA,IAAIP,OAAO,CAACU,MAAM,EAAEH,MAAM,CAACG,MAAM,GAAGV,OAAO,CAACU,MAAM;EAElD,IAAIV,OAAO,CAACW,aAAa,EAAE;IACzBJ,MAAM,CAACK,GAAG,CAAC,CAACC,GAAG,EAAEC,GAAG,EAAEC,IAAI,KAAK;MAC7B,MAAMC,MAAM,GAAGH,GAAG,CAACI,OAAO,CAAC,mBAAmB,CAAC;MAC/C,IAAID,MAAM,KAAK,MAAM,EAAE;QACrB,IAAIE,GAAG,GAAG,WAAWL,GAAG,CAACI,OAAO,CAACE,IAAI,EAAE;QACvC,IAAIN,GAAG,CAACO,WAAW,KAAK,GAAG,EAAEF,GAAG,IAAIL,GAAG,CAACO,WAAW;QACnDN,GAAG,CAACO,QAAQ,CAACH,GAAG,CAAC;QACjB;MACF;MACAH,IAAI,CAAC,CAAC;IACR,CAAC,CAAC;EACJ;EAEAR,MAAM,CAACK,GAAG,CAAC,IAAAU,oBAAW,EAAC,CAAC,CAAC;EACzBf,MAAM,CAACK,GAAG,CACR,IAAAvB,eAAM,EAAC;IACLC,qBAAqB,EAAE,KAAK;IAC5BiC,yBAAyB,EAAE,KAAK;IAChCC,uBAAuB,EAAE,KAAK;IAC9BC,yBAAyB,EAAE;EAC7B,CAAC,CACH,CAAC;EAED,IAAI,CAACzB,OAAO,CAAC0B,KAAK,EAAE;IAClBnB,MAAM,CAACK,GAAG,CACR,CAACC,GAAY,EAAEC,GAAa,EAAEC,IAAkB,KAAK;MACnD,MAAMY,IAAI,GAAGd,GAAe;MAE5Bc,IAAI,CAACC,KAAK,GAAG,IAAAC,QAAI,EAAC,CAAC;;MAEnB;MACA;MACAF,IAAI,CAACG,QAAQ,GAAGH,IAAI,CAACC,KAAK;;MAE1B;MACA;MACA,IAAIG,WAAwB,GAAG,IAAAlC,iBAAS,EAACX,kBAAkB,CAAC;MAC5D,CAAC6C,WAAW,CAAC5C,UAAU,GAAG,YAAY,CAAC,EAAcQ,IAAI,CAAC,UAAUgC,IAAI,CAACC,KAAK,GAAG,CAAC;MAClF,IAAI5B,OAAO,CAACgC,eAAe,EAAE;QAC3BD,WAAW,GAAG/B,OAAO,CAACgC,eAAe,CAACD,WAAW,EAAElB,GAAG,CAAC;MACzD;MACAxB,eAAM,CAACC,qBAAqB,CAACyC,WAAW,CAAC,CAAClB,GAAG,EAAEC,GAAG,EAAEC,IAAI,CAAC;IAC3D,CACF,CAAC;EACH;EAEA,IAAIf,OAAO,CAACiC,OAAO,EAAE;IACnB1B,MAAM,CAACK,GAAG,CAAC,IAAAqB,qBAAO,EAACjC,OAAO,CAACiC,OAAO,CAAC,CAAC;EACtC;EAEA1B,MAAM,CAACK,GAAG,CAAC,aAAa,EAAE,CAACC,GAAG,EAAEC,GAAG,KAAK;IACtCA,GAAG,CAACoB,IAAI,CAAC,0BAA0B,CAAC;EACtC,CAAC,CAAC;EAEF3B,MAAM,CAACK,GAAG,CAACJ,gBAAO,CAAC2B,IAAI,CAAC;IAAEC,KAAK,EAAE;EAAQ,CAAC,CAAC,CAAC;EAC5C7B,MAAM,CAACK,GAAG,CAACJ,gBAAO,CAAC6B,UAAU,CAAC;IAAEC,QAAQ,EAAE;EAAM,CAAC,CAAC,CAAC;EACnD/B,MAAM,CAACK,GAAG,CAAC,IAAA2B,qBAAY,EAACvC,OAAO,CAACwC,qBAAqB,CAAC,CAAC;EACvDjC,MAAM,CAACK,GAAG,CAAC6B,kBAAS,CAACC,EAAE,CAAC,CAAC,CAAC;EAE1BnC,MAAM,CAACK,GAAG,CAAC,IAAA+B,cAAI,EAAC;IAAEC,MAAM,EAAE;EAAK,CAAC,CAAC,CAAC;EAElCC,eAAgB,CAACC,KAAK,CACpB,IAAI,EACHjC,GAAmC,IAAKA,GAAG,CAACkC,QAC/C,CAAC;EACD,MAAMC,MAAM,GAAG,yFAAyF;EACxGzC,MAAM,CAACK,GAAG,CAAC,IAAAiC,eAAgB,EAACG,MAAM,EAAE;IAClCC,MAAM,EAAE;MACN;MACA;MACAC,KAAK,EAAElD,OAAO,CAACU,MAAM,CAAEyC,IAAI,CAACC,IAAI,CAACpD,OAAO,CAACU,MAAM;IACjD;EACF,CAAC,CAAC,CAAC;;EAEH;EACA;EACA;EACA;EACAH,MAAM,CAAC8C,GAAG,CAAC,sBAAsB,EAAE7C,gBAAO,CAAC8C,MAAM,CAC/CvD,aAAa,CAACO,MAAM,EAAEiD,IAAI,IAAI,EAAE,EAChC;IACEC,UAAU,EAAG1C,GAAG,IAAKA,GAAG,CAAC2C,GAAG,CAAC,eAAe,EAAE,UAAU;EAC1D,CACF,CAAC,CAAC;;EAEF;AACF;AACA;EACE;EACA,IAAIzD,OAAO,CAAC0D,OAAO,EAAE;IACnB;IACA;IACA;IACA;IACA;IACA;IACA,IAAI,CAACC,MAAM,CAACC,QAAQ,EAAE;MACpBD,MAAM,CAACC,QAAQ,GAAG;QAChBC,IAAI,EAAE,GAAG,IAAAC,kBAAa,EAACC,OAAO,CAACC,GAAG,CAAC,CAAC,CAAC,CAACH,IAAI,GAAGI,SAAG;MAClD,CAAa;IACf;;IAEA;IACA,MAAMC,OAAO,GAAG/F,OAAO,CAAC,SAAS,CAAqC;;IAEtE;IACA;IACA,MAAMgG,oBAAoB,GAAGhG,OAAO,CAAC,wBAAwB,CACd;IAE/C,MAAMiG,oBAAoB,GAAGjG,OAAO,CAAC,wBAAwB,CAC5B;IAEjC,MAAMkG,QAAQ,GAAGH,OAAO,CAACnE,aAAa,CAAC;IACvCQ,MAAM,CAACK,GAAG,CAACuD,oBAAoB,CAACE,QAAQ,EAAE;MACxChE,UAAU;MACViE,gBAAgB,EAAE;IACpB,CAAC,CAAC,CAAC;IACH/D,MAAM,CAACK,GAAG,CAACwD,oBAAoB,CAACC,QAAQ,CAAC,CAAC;EAC5C;EACA;;EAEA9D,MAAM,CAACK,GAAG,CAACP,UAAU,EAAYG,gBAAO,CAAC8C,MAAM,CAACvD,aAAa,CAACO,MAAM,CAAEiD,IAAK,CAAC,CAAC;EAE7E,IAAIvD,OAAO,CAACuE,gBAAgB,EAAE;IAC5B,MAAMvE,OAAO,CAACuE,gBAAgB,CAAChE,MAAM,CAAC;EACxC;EACAA,MAAM,CAACK,GAAG,CAACT,QAAQ,CAAC;;EAEpB;EACAI,MAAM,CAACK,GAAG,CAAC,CAACC,GAAG,EAAEC,GAAG,EAAEC,IAAI,KAAK;IAC7BA,IAAI,CAAC,IAAAyD,gBAAQ,EAACC,cAAM,CAACC,SAAS,EAAEC,aAAK,CAACD,SAAS,CAAC,CAAC;EACnD,CAAC,CAAC;EAEF,IAAIE,6BAA6B;EACjC,IAAI5E,OAAO,CAAC6E,oBAAoB,EAAE;IAChCD,6BAA6B,GAAG,MAAM5E,OAAO,CAAC6E,oBAAoB,CAACtE,MAAM,CAAC;EAC5E;;EAEA;EACA,IAAI,CAACqE,6BAA6B,EAAE;IAClC;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACArE,MAAM,CAACK,GAAG,CAAC,CACTkE,KAEC,EACDjE,GAAY,EACZC,GAAa,EACbC,IAAkB,KACf;MACH;MACA;MACA,IAAID,GAAG,CAACiE,WAAW,EAAE;QACnBhE,IAAI,CAAC+D,KAAK,CAAC;QACX;MACF;MAEA,MAAME,MAAM,GAAGF,KAAK,CAACE,MAAM,IAAIL,aAAK,CAACM,qBAAqB;MAC1D,MAAMC,UAAU,GAAGF,MAAM,IAAKL,aAAK,CAACM,qBAAgC;;MAEpE;MACAjF,OAAO,CAACU,MAAM,CAAEyE,GAAG,CAACD,UAAU,GAAG,OAAO,GAAG,OAAO,EAAEJ,KAAK,CAACM,QAAQ,CAAC,CAAC,CAAC;MAErE,IAAIC,OAAO,GAAGP,KAAK,CAACO,OAAO,IAAI,IAAAC,uBAAe,EAACN,MAAM,CAAC;MACtD,IAAIE,UAAU,IAAInB,OAAO,CAACwB,GAAG,CAACC,QAAQ,KAAK,YAAY,EAAE;QACvDH,OAAO,GAAGZ,cAAM,CAACQ,qBAAqB;MACxC;MAEAnE,GAAG,CAACkE,MAAM,CAACA,MAAM,CAAC,CAAC9C,IAAI,CAACmD,OAAO,CAAC;IAClC,CAAC,CAAC;EACJ;EAEA,OAAO9E,MAAM;AACf","ignoreList":[]}

package/build/development/web.bundle.js

@@ -36,7 +36,7 @@ eval("/**\n * @license React\n * react-jsx-runtime.development.js\n *\n * Copyri
   \*******************************************/
 /***/ (function(module, __unused_webpack_exports, __webpack_require__) {
 
-eval("\n\nif (false) {} else {\n  module.exports = __webpack_require__(/*! ./cjs/react-jsx-runtime.development.js */ \"./node_modules/react/cjs/react-jsx-runtime.development.js\");\n}\n\n\n//# sourceURL=webpack://@dr.pogodin/react-utils/./node_modules/react/jsx-runtime.js?");
+eval("\n\nif (false) // removed by dead control flow\n{} else {\n  module.exports = __webpack_require__(/*! ./cjs/react-jsx-runtime.development.js */ \"./node_modules/react/cjs/react-jsx-runtime.development.js\");\n}\n\n\n//# sourceURL=webpack://@dr.pogodin/react-utils/./node_modules/react/jsx-runtime.js?");
 
 /***/ }),
 

package/build/production/server/server.js

@@ -31,7 +31,7 @@ delete defaultCspSettings.directives["upgrade-insecure-requests"];/**
 // compatibility. Should be removed sometime later.
 req2.cspNonce=req2.nonce;// The deep clone is necessary here to ensure that default value can't be
 // mutated during request processing.
-let cspSettings=(0,_lodash.cloneDeep)(defaultCspSettings);(cspSettings.directives?.["script-src"]).push(`'nonce-${req2.nonce}'`);if(options.cspSettingsHook){cspSettings=options.cspSettingsHook(cspSettings,req)}_helmet.default.contentSecurityPolicy(cspSettings)(req,res,next)})}if(options.favicon){server.use((0,_serveFavicon.default)(options.favicon))}server.use("/robots.txt",(req,res)=>{res.send("User-agent: *\nDisallow:")});server.use(_express.default.json({limit:"300kb"}));server.use(_express.default.urlencoded({extended:false}));server.use((0,_cookieParser.default)());server.use(_requestIp.default.mw());server.use((0,_csurf.default)({cookie:true}));_morgan.default.token("ip",req=>req.clientIp);const FORMAT=":ip > :status :method :url :response-time ms :res[content-length] :referrer :user-agent";server.use((0,_morgan.default)(FORMAT,{stream:{// TODO: This implies the logger is always set. Is it on a higher level?
+let cspSettings=(0,_lodash.cloneDeep)(defaultCspSettings);(cspSettings.directives?.["script-src"]).push(`'nonce-${req2.nonce}'`);if(options.cspSettingsHook){cspSettings=options.cspSettingsHook(cspSettings,req)}_helmet.default.contentSecurityPolicy(cspSettings)(req,res,next)})}if(options.favicon){server.use((0,_serveFavicon.default)(options.favicon))}server.use("/robots.txt",(req,res)=>{res.send("User-agent: *\nDisallow:")});server.use(_express.default.json({limit:"300kb"}));server.use(_express.default.urlencoded({extended:false}));server.use((0,_cookieParser.default)(options.cookieSignatureSecret));server.use(_requestIp.default.mw());server.use((0,_csurf.default)({cookie:true}));_morgan.default.token("ip",req=>req.clientIp);const FORMAT=":ip > :status :method :url :response-time ms :res[content-length] :referrer :user-agent";server.use((0,_morgan.default)(FORMAT,{stream:{// TODO: This implies the logger is always set. Is it on a higher level?
 // then mark it as always present.
 write:options.logger.info.bind(options.logger)}}));// Note: no matter the "public path", we want the service worker, if any,
 // to be served from the root, to have all web app pages in its scope.

package/build/production/server/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","names":["_path","require","_url","_lodash","_compression","_interopRequireDefault","_cookieParser","_csurf","_express","_serveFavicon","_helmet","_morgan","_requestIp","_uuid","_renderer","_errors","defaultCspSettings","directives","mapValues","helmet","contentSecurityPolicy","getDefaultDirectives","array","filter","item","push","getDefaultCspSettings","cloneDeep","factory","webpackConfig","options","rendererOps","pick","renderer","rendererFactory","publicPath","output","server","express","beforeExpressJsSetup","logger","httpsRedirect","use","req","res","next","schema","headers","url","host","originalUrl","redirect","compression","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","noCsp","req2","nonce","uuid","cspNonce","cspSettings","cspSettingsHook","favicon","send","json","limit","urlencoded","extended","cookieParser","requestIp","mw","csrf","cookie","loggerMiddleware","token","clientIp","FORMAT","stream","write","info","bind","get","static","path","setHeaders","set","devMode","global","location","href","pathToFileURL","process","cwd","sep","webpack","webpackDevMiddleware","webpackHotMiddleware","compiler","serverSideRender","onExpressJsSetup","newError","ERRORS","NOT_FOUND","CODES","dontAttachDefaultErrorHandler","beforeExpressJsError","error","headersSent","status","INTERNAL_SERVER_ERROR","serverSide","log","toString","message","getErrorForCode","env","NODE_ENV"],"sources":["../../../src/server/server.ts"],"sourcesContent":["/**\n * Creation of standard ExpressJS server for ReactJS apps.\n */\n\nimport { sep } from 'path';\nimport { pathToFileURL } from 'url';\n\nimport {\n  cloneDeep,\n  mapValues,\n  pick,\n} from 'lodash';\n\nimport compression from 'compression';\nimport cookieParser from 'cookie-parser';\nimport csrf from '@dr.pogodin/csurf';\n\nimport express, {\n  type Express,\n  type NextFunction,\n  type RequestHandler,\n  type Request,\n  type Response,\n} from 'express';\n\nimport favicon from 'serve-favicon';\nimport helmet, { type HelmetOptions } from 'helmet';\nimport loggerMiddleware from 'morgan';\nimport requestIp from 'request-ip';\nimport { v4 as uuid } from 'uuid';\n\nimport type { Compiler, Configuration } from 'webpack';\n\nimport rendererFactory, {\n  type LoggerI,\n  type OptionsT as RendererOptionsT,\n} from './renderer';\n\nimport {\n  CODES,\n  ERRORS,\n  getErrorForCode,\n  newError,\n} from './utils/errors';\n\nexport type CspOptionsT =\nExclude<HelmetOptions['contentSecurityPolicy'], boolean | undefined>;\n\n// eslint-disable-next-line @typescript-eslint/consistent-type-definitions\ninterface RequestT extends Request {\n  cspNonce: string;\n  nonce: string;\n}\n\n/**\n * Default Content Security Policy settings.\n * @ignore\n */\nconst defaultCspSettings = {\n  directives: mapValues(\n    helmet.contentSecurityPolicy.getDefaultDirectives(),\n\n    // 'https:' options (automatic re-write of insecure URLs to secure ones)\n    // is removed to facilitate local development with HTTP server. In cloud\n    // deployments we assume Apache or Nginx server in front of out app takes\n    // care about such re-writes.\n    (array) => (array as string[]).filter((item: string) => item !== 'https:'),\n  ),\n};\ndefaultCspSettings.directives['frame-src'] = [\n  \"'self'\",\n\n  // YouTube domain is whitelisted to allow <YouTubeVideo> component to work\n  // out of box.\n  'https://*.youtube.com',\n];\n\n{\n  const directives = defaultCspSettings.directives['script-src'];\n  if (directives) directives.push(\"'unsafe-eval'\");\n  else defaultCspSettings.directives['script-src'] = [\"'unsafe-eval'\"];\n}\n\n// No need for automatic re-writes via Content Security Policy settings:\n// the forefront Apache or Nginx server is supposed to take care of this\n// in production cloud deployments.\ndelete defaultCspSettings.directives['upgrade-insecure-requests'];\n\n/**\n * @category Utilities\n * @func server/getDefaultCspSettings\n * @global\n * @desc\n * ```js\n * import { server } from '@dr.pogodin/react-utils';\n * const { getDefaultCspSettings } from '@dr.pogodin/react-utils';\n * ```\n * @return {{\n *   directives: object\n * }} A deep copy of default CSP settings object used by `react-utils`,\n * with the exception of `nonce-xxx` clause in `script-src` directive,\n * which is added dynamically for each request.\n */\nexport function getDefaultCspSettings(): {\n  directives: Record<string, string[]>;\n} {\n  return cloneDeep(defaultCspSettings);\n}\n\nexport type ServerT = Express & {\n  logger: LoggerI;\n};\n\nexport type OptionsT = RendererOptionsT & {\n  beforeExpressJsError?:\n  (server: ServerT) => boolean | Promise<boolean>;\n\n  beforeExpressJsSetup?: (server: ServerT) => Promise<void> | void;\n  cspSettingsHook?: (\n    defaultOptions: CspOptionsT,\n    req: Request,\n  ) => CspOptionsT;\n  devMode?: boolean;\n  httpsRedirect?: boolean;\n  onExpressJsSetup?: (server: ServerT) => Promise<void> | void;\n};\n\nexport default async function factory(\n  webpackConfig: Configuration,\n  options: OptionsT,\n): Promise<ServerT> {\n  const rendererOps: RendererOptionsT = pick(options, [\n    'Application',\n    'beforeRender',\n    'favicon',\n    'logger',\n    'maxSsrRounds',\n    'noCsp',\n    'ssrTimeout',\n    'staticCacheController',\n    'staticCacheSize',\n  ]);\n  const renderer = rendererFactory(webpackConfig, rendererOps);\n  const { publicPath } = webpackConfig.output!;\n\n  const server = express() as ServerT;\n\n  if (options.beforeExpressJsSetup) {\n    await options.beforeExpressJsSetup(server);\n  }\n\n  if (options.logger) server.logger = options.logger;\n\n  if (options.httpsRedirect) {\n    server.use((req, res, next) => {\n      const schema = req.headers['x-forwarded-proto'];\n      if (schema === 'http') {\n        let url = `https://${req.headers.host}`;\n        if (req.originalUrl !== '/') url += req.originalUrl;\n        res.redirect(url);\n        return;\n      }\n      next();\n    });\n  }\n\n  server.use(compression());\n  server.use(\n    helmet({\n      contentSecurityPolicy: false,\n      crossOriginEmbedderPolicy: false,\n      crossOriginOpenerPolicy: false,\n      crossOriginResourcePolicy: false,\n    }),\n  );\n\n  if (!options.noCsp) {\n    server.use(\n      (req: Request, res: Response, next: NextFunction) => {\n        const req2 = req as RequestT;\n\n        req2.nonce = uuid();\n\n        // TODO: This is deprecated, but it is kept for now for backward\n        // compatibility. Should be removed sometime later.\n        req2.cspNonce = req2.nonce;\n\n        // The deep clone is necessary here to ensure that default value can't be\n        // mutated during request processing.\n        let cspSettings: CspOptionsT = cloneDeep(defaultCspSettings);\n        (cspSettings.directives?.['script-src'] as string[]).push(`'nonce-${req2.nonce}'`);\n        if (options.cspSettingsHook) {\n          cspSettings = options.cspSettingsHook(cspSettings, req);\n        }\n        helmet.contentSecurityPolicy(cspSettings)(req, res, next);\n      },\n    );\n  }\n\n  if (options.favicon) {\n    server.use(favicon(options.favicon));\n  }\n\n  server.use('/robots.txt', (req, res) => {\n    res.send('User-agent: *\\nDisallow:');\n  });\n\n  server.use(express.json({ limit: '300kb' }));\n  server.use(express.urlencoded({ extended: false }));\n  server.use(cookieParser());\n  server.use(requestIp.mw());\n\n  server.use(csrf({ cookie: true }));\n\n  loggerMiddleware.token(\n    'ip',\n    (req: Request & { clientIp: string }) => req.clientIp,\n  );\n  const FORMAT = ':ip > :status :method :url :response-time ms :res[content-length] :referrer :user-agent';\n  server.use(loggerMiddleware(FORMAT, {\n    stream: {\n      // TODO: This implies the logger is always set. Is it on a higher level?\n      // then mark it as always present.\n      write: options.logger!.info.bind(options.logger),\n    },\n  }));\n\n  // Note: no matter the \"public path\", we want the service worker, if any,\n  // to be served from the root, to have all web app pages in its scope.\n  // Thus, this setup to serve it. Probably, need some more configuration\n  // for special cases, but this will do for now.\n  server.get('/__service-worker.js', express.static(\n    webpackConfig.output?.path ?? '',\n    {\n      setHeaders: (res) => res.set('Cache-Control', 'no-cache'),\n    },\n  ));\n\n  /* Setup of Hot Module Reloading for development environment.\n   * These dependencies are not used, nor installed for production use,\n   * hence we should violate some import-related lint rules. */\n  /* eslint-disable import/no-extraneous-dependencies */\n  if (options.devMode) {\n    // This is a workaround for SASS bug:\n    // https://github.com/dart-lang/sdk/issues/27979\n    // which manifests itself sometimes when webpack dev middleware is used\n    // (in dev mode), and app modules are imported in some unfortunate ways.\n    // TODO: Double-check, what is going on here.\n    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition\n    if (!global.location) {\n      global.location = {\n        href: `${pathToFileURL(process.cwd()).href}${sep}`,\n      } as Location;\n    }\n\n    /* eslint-disable @typescript-eslint/no-require-imports */\n    const webpack = require('webpack') as (ops: Configuration) => Compiler;\n\n    // TODO: Figure out the exact type for options, don't wanna waste time on it\n    // right now.\n    const webpackDevMiddleware = require('webpack-dev-middleware') as\n      (c: Compiler, ops: unknown) => RequestHandler;\n\n    const webpackHotMiddleware = require('webpack-hot-middleware') as\n      (c: Compiler) => RequestHandler;\n\n    const compiler = webpack(webpackConfig);\n    server.use(webpackDevMiddleware(compiler, {\n      publicPath,\n      serverSideRender: true,\n    }));\n    server.use(webpackHotMiddleware(compiler));\n  }\n  /* eslint-enable import/no-extraneous-dependencies */\n\n  server.use(publicPath as string, express.static(webpackConfig.output!.path!));\n\n  if (options.onExpressJsSetup) {\n    await options.onExpressJsSetup(server);\n  }\n  server.use(renderer);\n\n  /* Detects 404 errors, and forwards them to the error handler. */\n  server.use((req, res, next) => {\n    next(newError(ERRORS.NOT_FOUND, CODES.NOT_FOUND));\n  });\n\n  let dontAttachDefaultErrorHandler;\n  if (options.beforeExpressJsError) {\n    dontAttachDefaultErrorHandler = await options.beforeExpressJsError(server);\n  }\n\n  /* Error handler. */\n  if (!dontAttachDefaultErrorHandler) {\n    // TODO: Do we need this error handler at all? It actually seems to do\n    // what the default ExpressJS error handler does anyway, see:\n    // https://expressjs.com/en/guide/error-handling.html\n    //\n    // TODO: It is better to move the default error handler definition\n    // to a stand-alone function at top-level, but the use of options.logger\n    // prevents to do it without some extra refactoring. Should be done sometime\n    // though.\n    server.use((\n      error: Error & {\n        status?: number;\n      },\n      req: Request,\n      res: Response,\n      next: NextFunction,\n    ) => {\n      // TODO: This is needed to correctly handled any errors thrown after\n      // sending initial response to the client.\n      if (res.headersSent) {\n        next(error);\n        return;\n      }\n\n      const status = error.status ?? CODES.INTERNAL_SERVER_ERROR;\n      const serverSide = status >= (CODES.INTERNAL_SERVER_ERROR as number);\n\n      // Log server-side errors always, client-side at debug level only.\n      options.logger!.log(serverSide ? 'error' : 'debug', error.toString());\n\n      let message = error.message || getErrorForCode(status);\n      if (serverSide && process.env.NODE_ENV === 'production') {\n        message = ERRORS.INTERNAL_SERVER_ERROR;\n      }\n\n      res.status(status).send(message);\n    });\n  }\n\n  return server;\n}\n"],"mappings":"qOAIA,IAAAA,KAAA,CAAAC,OAAA,SACA,IAAAC,IAAA,CAAAD,OAAA,QAEA,IAAAE,OAAA,CAAAF,OAAA,WAMA,IAAAG,YAAA,CAAAC,sBAAA,CAAAJ,OAAA,iBACA,IAAAK,aAAA,CAAAD,sBAAA,CAAAJ,OAAA,mBACA,IAAAM,MAAA,CAAAF,sBAAA,CAAAJ,OAAA,uBAEA,IAAAO,QAAA,CAAAH,sBAAA,CAAAJ,OAAA,aAQA,IAAAQ,aAAA,CAAAJ,sBAAA,CAAAJ,OAAA,mBACA,IAAAS,OAAA,CAAAL,sBAAA,CAAAJ,OAAA,YACA,IAAAU,OAAA,CAAAN,sBAAA,CAAAJ,OAAA,YACA,IAAAW,UAAA,CAAAP,sBAAA,CAAAJ,OAAA,gBACA,IAAAY,KAAA,CAAAZ,OAAA,SAIA,IAAAa,SAAA,CAAAT,sBAAA,CAAAJ,OAAA,gBAKA,IAAAc,OAAA,CAAAd,OAAA,mBAtCA;AACA;AACA,GA8CA;AAMA;AACA;AACA;AACA,GACA,KAAM,CAAAe,kBAAkB,CAAG,CACzBC,UAAU,CAAE,GAAAC,iBAAS,EACnBC,eAAM,CAACC,qBAAqB,CAACC,oBAAoB,CAAC,CAAC,CAEnD;AACA;AACA;AACA;AACCC,KAAK,EAAMA,KAAK,CAAcC,MAAM,CAAEC,IAAY,EAAKA,IAAI,GAAK,QAAQ,CAC3E,CACF,CAAC,CACDR,kBAAkB,CAACC,UAAU,CAAC,WAAW,CAAC,CAAG,CAC3C,QAAQ,CAER;AACA;AACA,uBAAuB,CACxB,CAED,CACE,KAAM,CAAAA,UAAU,CAAGD,kBAAkB,CAACC,UAAU,CAAC,YAAY,CAAC,CAC9D,GAAIA,UAAU,CAAEA,UAAU,CAACQ,IAAI,CAAC,eAAe,CAAC,CAAC,IAC5C,CAAAT,kBAAkB,CAACC,UAAU,CAAC,YAAY,CAAC,CAAG,CAAC,eAAe,CACrE,CAEA;AACA;AACA;AACA,MAAO,CAAAD,kBAAkB,CAACC,UAAU,CAAC,2BAA2B,CAAC,CAEjE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,GACO,QAAS,CAAAS,qBAAqBA,CAAA,CAEnC,CACA,MAAO,GAAAC,iBAAS,EAACX,kBAAkB,CACrC,CAoBe,cAAe,CAAAY,OAAOA,CACnCC,aAA4B,CAC5BC,OAAiB,CACC,CAClB,KAAM,CAAAC,WAA6B,CAAG,GAAAC,YAAI,EAACF,OAAO,CAAE,CAClD,aAAa,CACb,cAAc,CACd,SAAS,CACT,QAAQ,CACR,cAAc,CACd,OAAO,CACP,YAAY,CACZ,uBAAuB,CACvB,iBAAiB,CAClB,CAAC,CACF,KAAM,CAAAG,QAAQ,CAAG,GAAAC,iBAAe,EAACL,aAAa,CAAEE,WAAW,CAAC,CAC5D,KAAM,CAAEI,UAAW,CAAC,CAAGN,aAAa,CAACO,MAAO,CAE5C,KAAM,CAAAC,MAAM,CAAG,GAAAC,gBAAO,EAAC,CAAY,CAEnC,GAAIR,OAAO,CAACS,oBAAoB,CAAE,CAChC,KAAM,CAAAT,OAAO,CAACS,oBAAoB,CAACF,MAAM,CAC3C,CAEA,GAAIP,OAAO,CAACU,MAAM,CAAEH,MAAM,CAACG,MAAM,CAAGV,OAAO,CAACU,MAAM,CAElD,GAAIV,OAAO,CAACW,aAAa,CAAE,CACzBJ,MAAM,CAACK,GAAG,CAAC,CAACC,GAAG,CAAEC,GAAG,CAAEC,IAAI,GAAK,CAC7B,KAAM,CAAAC,MAAM,CAAGH,GAAG,CAACI,OAAO,CAAC,mBAAmB,CAAC,CAC/C,GAAID,MAAM,GAAK,MAAM,CAAE,CACrB,GAAI,CAAAE,GAAG,CAAG,WAAWL,GAAG,CAACI,OAAO,CAACE,IAAI,EAAE,CACvC,GAAIN,GAAG,CAACO,WAAW,GAAK,GAAG,CAAEF,GAAG,EAAIL,GAAG,CAACO,WAAW,CACnDN,GAAG,CAACO,QAAQ,CAACH,GAAG,CAAC,CACjB,MACF,CACAH,IAAI,CAAC,CACP,CAAC,CACH,CAEAR,MAAM,CAACK,GAAG,CAAC,GAAAU,oBAAW,EAAC,CAAC,CAAC,CACzBf,MAAM,CAACK,GAAG,CACR,GAAAvB,eAAM,EAAC,CACLC,qBAAqB,CAAE,KAAK,CAC5BiC,yBAAyB,CAAE,KAAK,CAChCC,uBAAuB,CAAE,KAAK,CAC9BC,yBAAyB,CAAE,KAC7B,CAAC,CACH,CAAC,CAED,GAAI,CAACzB,OAAO,CAAC0B,KAAK,CAAE,CAClBnB,MAAM,CAACK,GAAG,CACR,CAACC,GAAY,CAAEC,GAAa,CAAEC,IAAkB,GAAK,CACnD,KAAM,CAAAY,IAAI,CAAGd,GAAe,CAE5Bc,IAAI,CAACC,KAAK,CAAG,GAAAC,QAAI,EAAC,CAAC,CAEnB;AACA;AACAF,IAAI,CAACG,QAAQ,CAAGH,IAAI,CAACC,KAAK,CAE1B;AACA;AACA,GAAI,CAAAG,WAAwB,CAAG,GAAAlC,iBAAS,EAACX,kBAAkB,CAAC,CAC5D,CAAC6C,WAAW,CAAC5C,UAAU,GAAG,YAAY,CAAC,EAAcQ,IAAI,CAAC,UAAUgC,IAAI,CAACC,KAAK,GAAG,CAAC,CAClF,GAAI5B,OAAO,CAACgC,eAAe,CAAE,CAC3BD,WAAW,CAAG/B,OAAO,CAACgC,eAAe,CAACD,WAAW,CAAElB,GAAG,CACxD,CACAxB,eAAM,CAACC,qBAAqB,CAACyC,WAAW,CAAC,CAAClB,GAAG,CAAEC,GAAG,CAAEC,IAAI,CAC1D,CACF,CACF,CAEA,GAAIf,OAAO,CAACiC,OAAO,CAAE,CACnB1B,MAAM,CAACK,GAAG,CAAC,GAAAqB,qBAAO,EAACjC,OAAO,CAACiC,OAAO,CAAC,CACrC,CAEA1B,MAAM,CAACK,GAAG,CAAC,aAAa,CAAE,CAACC,GAAG,CAAEC,GAAG,GAAK,CACtCA,GAAG,CAACoB,IAAI,CAAC,0BAA0B,CACrC,CAAC,CAAC,CAEF3B,MAAM,CAACK,GAAG,CAACJ,gBAAO,CAAC2B,IAAI,CAAC,CAAEC,KAAK,CAAE,OAAQ,CAAC,CAAC,CAAC,CAC5C7B,MAAM,CAACK,GAAG,CAACJ,gBAAO,CAAC6B,UAAU,CAAC,CAAEC,QAAQ,CAAE,KAAM,CAAC,CAAC,CAAC,CACnD/B,MAAM,CAACK,GAAG,CAAC,GAAA2B,qBAAY,EAAC,CAAC,CAAC,CAC1BhC,MAAM,CAACK,GAAG,CAAC4B,kBAAS,CAACC,EAAE,CAAC,CAAC,CAAC,CAE1BlC,MAAM,CAACK,GAAG,CAAC,GAAA8B,cAAI,EAAC,CAAEC,MAAM,CAAE,IAAK,CAAC,CAAC,CAAC,CAElCC,eAAgB,CAACC,KAAK,CACpB,IAAI,CACHhC,GAAmC,EAAKA,GAAG,CAACiC,QAC/C,CAAC,CACD,KAAM,CAAAC,MAAM,CAAG,yFAAyF,CACxGxC,MAAM,CAACK,GAAG,CAAC,GAAAgC,eAAgB,EAACG,MAAM,CAAE,CAClCC,MAAM,CAAE,CACN;AACA;AACAC,KAAK,CAAEjD,OAAO,CAACU,MAAM,CAAEwC,IAAI,CAACC,IAAI,CAACnD,OAAO,CAACU,MAAM,CACjD,CACF,CAAC,CAAC,CAAC,CAEH;AACA;AACA;AACA;AACAH,MAAM,CAAC6C,GAAG,CAAC,sBAAsB,CAAE5C,gBAAO,CAAC6C,MAAM,CAC/CtD,aAAa,CAACO,MAAM,EAAEgD,IAAI,EAAI,EAAE,CAChC,CACEC,UAAU,CAAGzC,GAAG,EAAKA,GAAG,CAAC0C,GAAG,CAAC,eAAe,CAAE,UAAU,CAC1D,CACF,CAAC,CAAC,CAEF;AACF;AACA,+DACE,sDACA,GAAIxD,OAAO,CAACyD,OAAO,CAAE,CACnB;AACA;AACA;AACA;AACA;AACA;AACA,GAAI,CAACC,MAAM,CAACC,QAAQ,CAAE,CACpBD,MAAM,CAACC,QAAQ,CAAG,CAChBC,IAAI,CAAE,GAAG,GAAAC,kBAAa,EAACC,OAAO,CAACC,GAAG,CAAC,CAAC,CAAC,CAACH,IAAI,GAAGI,SAAG,EAClD,CACF,CAEA,0DACA,KAAM,CAAAC,OAAO,CAAG9F,OAAO,CAAC,SAAS,CAAqC,CAEtE;AACA;AACA,KAAM,CAAA+F,oBAAoB,CAAG/F,OAAO,CAAC,wBAAwB,CACd,CAE/C,KAAM,CAAAgG,oBAAoB,CAAGhG,OAAO,CAAC,wBAAwB,CAC5B,CAEjC,KAAM,CAAAiG,QAAQ,CAAGH,OAAO,CAAClE,aAAa,CAAC,CACvCQ,MAAM,CAACK,GAAG,CAACsD,oBAAoB,CAACE,QAAQ,CAAE,CACxC/D,UAAU,CACVgE,gBAAgB,CAAE,IACpB,CAAC,CAAC,CAAC,CACH9D,MAAM,CAACK,GAAG,CAACuD,oBAAoB,CAACC,QAAQ,CAAC,CAC3C,CACA,qDAEA7D,MAAM,CAACK,GAAG,CAACP,UAAU,CAAYG,gBAAO,CAAC6C,MAAM,CAACtD,aAAa,CAACO,MAAM,CAAEgD,IAAK,CAAC,CAAC,CAE7E,GAAItD,OAAO,CAACsE,gBAAgB,CAAE,CAC5B,KAAM,CAAAtE,OAAO,CAACsE,gBAAgB,CAAC/D,MAAM,CACvC,CACAA,MAAM,CAACK,GAAG,CAACT,QAAQ,CAAC,CAEpB,iEACAI,MAAM,CAACK,GAAG,CAAC,CAACC,GAAG,CAAEC,GAAG,CAAEC,IAAI,GAAK,CAC7BA,IAAI,CAAC,GAAAwD,gBAAQ,EAACC,cAAM,CAACC,SAAS,CAAEC,aAAK,CAACD,SAAS,CAAC,CAClD,CAAC,CAAC,CAEF,GAAI,CAAAE,6BAA6B,CACjC,GAAI3E,OAAO,CAAC4E,oBAAoB,CAAE,CAChCD,6BAA6B,CAAG,KAAM,CAAA3E,OAAO,CAAC4E,oBAAoB,CAACrE,MAAM,CAC3E,CAEA,oBACA,GAAI,CAACoE,6BAA6B,CAAE,CAClC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACApE,MAAM,CAACK,GAAG,CAAC,CACTiE,KAEC,CACDhE,GAAY,CACZC,GAAa,CACbC,IAAkB,GACf,CACH;AACA;AACA,GAAID,GAAG,CAACgE,WAAW,CAAE,CACnB/D,IAAI,CAAC8D,KAAK,CAAC,CACX,MACF,CAEA,KAAM,CAAAE,MAAM,CAAGF,KAAK,CAACE,MAAM,EAAIL,aAAK,CAACM,qBAAqB,CAC1D,KAAM,CAAAC,UAAU,CAAGF,MAAM,EAAKL,aAAK,CAACM,qBAAgC,CAEpE;AACAhF,OAAO,CAACU,MAAM,CAAEwE,GAAG,CAACD,UAAU,CAAG,OAAO,CAAG,OAAO,CAAEJ,KAAK,CAACM,QAAQ,CAAC,CAAC,CAAC,CAErE,GAAI,CAAAC,OAAO,CAAGP,KAAK,CAACO,OAAO,EAAI,GAAAC,uBAAe,EAACN,MAAM,CAAC,CACtD,GAAIE,UAAU,EAAInB,OAAO,CAACwB,GAAG,CAACC,QAAQ,GAAK,YAAY,CAAE,CACvDH,OAAO,CAAGZ,cAAM,CAACQ,qBACnB,CAEAlE,GAAG,CAACiE,MAAM,CAACA,MAAM,CAAC,CAAC7C,IAAI,CAACkD,OAAO,CACjC,CAAC,CACH,CAEA,MAAO,CAAA7E,MACT","ignoreList":[]}
+{"version":3,"file":"server.js","names":["_path","require","_url","_lodash","_compression","_interopRequireDefault","_cookieParser","_csurf","_express","_serveFavicon","_helmet","_morgan","_requestIp","_uuid","_renderer","_errors","defaultCspSettings","directives","mapValues","helmet","contentSecurityPolicy","getDefaultDirectives","array","filter","item","push","getDefaultCspSettings","cloneDeep","factory","webpackConfig","options","rendererOps","pick","renderer","rendererFactory","publicPath","output","server","express","beforeExpressJsSetup","logger","httpsRedirect","use","req","res","next","schema","headers","url","host","originalUrl","redirect","compression","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","noCsp","req2","nonce","uuid","cspNonce","cspSettings","cspSettingsHook","favicon","send","json","limit","urlencoded","extended","cookieParser","cookieSignatureSecret","requestIp","mw","csrf","cookie","loggerMiddleware","token","clientIp","FORMAT","stream","write","info","bind","get","static","path","setHeaders","set","devMode","global","location","href","pathToFileURL","process","cwd","sep","webpack","webpackDevMiddleware","webpackHotMiddleware","compiler","serverSideRender","onExpressJsSetup","newError","ERRORS","NOT_FOUND","CODES","dontAttachDefaultErrorHandler","beforeExpressJsError","error","headersSent","status","INTERNAL_SERVER_ERROR","serverSide","log","toString","message","getErrorForCode","env","NODE_ENV"],"sources":["../../../src/server/server.ts"],"sourcesContent":["/**\n * Creation of standard ExpressJS server for ReactJS apps.\n */\n\nimport { sep } from 'path';\nimport { pathToFileURL } from 'url';\n\nimport {\n  cloneDeep,\n  mapValues,\n  pick,\n} from 'lodash';\n\nimport compression from 'compression';\nimport cookieParser from 'cookie-parser';\nimport csrf from '@dr.pogodin/csurf';\n\nimport express, {\n  type Express,\n  type NextFunction,\n  type RequestHandler,\n  type Request,\n  type Response,\n} from 'express';\n\nimport favicon from 'serve-favicon';\nimport helmet, { type HelmetOptions } from 'helmet';\nimport loggerMiddleware from 'morgan';\nimport requestIp from 'request-ip';\nimport { v4 as uuid } from 'uuid';\n\nimport type { Compiler, Configuration } from 'webpack';\n\nimport rendererFactory, {\n  type LoggerI,\n  type OptionsT as RendererOptionsT,\n} from './renderer';\n\nimport {\n  CODES,\n  ERRORS,\n  getErrorForCode,\n  newError,\n} from './utils/errors';\n\nexport type CspOptionsT =\nExclude<HelmetOptions['contentSecurityPolicy'], boolean | undefined>;\n\n// eslint-disable-next-line @typescript-eslint/consistent-type-definitions\ninterface RequestT extends Request {\n  cspNonce: string;\n  nonce: string;\n}\n\n/**\n * Default Content Security Policy settings.\n * @ignore\n */\nconst defaultCspSettings = {\n  directives: mapValues(\n    helmet.contentSecurityPolicy.getDefaultDirectives(),\n\n    // 'https:' options (automatic re-write of insecure URLs to secure ones)\n    // is removed to facilitate local development with HTTP server. In cloud\n    // deployments we assume Apache or Nginx server in front of out app takes\n    // care about such re-writes.\n    (array) => (array as string[]).filter((item: string) => item !== 'https:'),\n  ),\n};\ndefaultCspSettings.directives['frame-src'] = [\n  \"'self'\",\n\n  // YouTube domain is whitelisted to allow <YouTubeVideo> component to work\n  // out of box.\n  'https://*.youtube.com',\n];\n\n{\n  const directives = defaultCspSettings.directives['script-src'];\n  if (directives) directives.push(\"'unsafe-eval'\");\n  else defaultCspSettings.directives['script-src'] = [\"'unsafe-eval'\"];\n}\n\n// No need for automatic re-writes via Content Security Policy settings:\n// the forefront Apache or Nginx server is supposed to take care of this\n// in production cloud deployments.\ndelete defaultCspSettings.directives['upgrade-insecure-requests'];\n\n/**\n * @category Utilities\n * @func server/getDefaultCspSettings\n * @global\n * @desc\n * ```js\n * import { server } from '@dr.pogodin/react-utils';\n * const { getDefaultCspSettings } from '@dr.pogodin/react-utils';\n * ```\n * @return {{\n *   directives: object\n * }} A deep copy of default CSP settings object used by `react-utils`,\n * with the exception of `nonce-xxx` clause in `script-src` directive,\n * which is added dynamically for each request.\n */\nexport function getDefaultCspSettings(): {\n  directives: Record<string, string[]>;\n} {\n  return cloneDeep(defaultCspSettings);\n}\n\nexport type ServerT = Express & {\n  logger: LoggerI;\n};\n\nexport type OptionsT = RendererOptionsT & {\n  beforeExpressJsError?:\n  (server: ServerT) => boolean | Promise<boolean>;\n\n  beforeExpressJsSetup?: (server: ServerT) => Promise<void> | void;\n  cookieSignatureSecret?: string;\n  cspSettingsHook?: (\n    defaultOptions: CspOptionsT,\n    req: Request,\n  ) => CspOptionsT;\n  devMode?: boolean;\n  httpsRedirect?: boolean;\n  onExpressJsSetup?: (server: ServerT) => Promise<void> | void;\n};\n\nexport default async function factory(\n  webpackConfig: Configuration,\n  options: OptionsT,\n): Promise<ServerT> {\n  const rendererOps: RendererOptionsT = pick(options, [\n    'Application',\n    'beforeRender',\n    'favicon',\n    'logger',\n    'maxSsrRounds',\n    'noCsp',\n    'ssrTimeout',\n    'staticCacheController',\n    'staticCacheSize',\n  ]);\n  const renderer = rendererFactory(webpackConfig, rendererOps);\n  const { publicPath } = webpackConfig.output!;\n\n  const server = express() as ServerT;\n\n  if (options.beforeExpressJsSetup) {\n    await options.beforeExpressJsSetup(server);\n  }\n\n  if (options.logger) server.logger = options.logger;\n\n  if (options.httpsRedirect) {\n    server.use((req, res, next) => {\n      const schema = req.headers['x-forwarded-proto'];\n      if (schema === 'http') {\n        let url = `https://${req.headers.host}`;\n        if (req.originalUrl !== '/') url += req.originalUrl;\n        res.redirect(url);\n        return;\n      }\n      next();\n    });\n  }\n\n  server.use(compression());\n  server.use(\n    helmet({\n      contentSecurityPolicy: false,\n      crossOriginEmbedderPolicy: false,\n      crossOriginOpenerPolicy: false,\n      crossOriginResourcePolicy: false,\n    }),\n  );\n\n  if (!options.noCsp) {\n    server.use(\n      (req: Request, res: Response, next: NextFunction) => {\n        const req2 = req as RequestT;\n\n        req2.nonce = uuid();\n\n        // TODO: This is deprecated, but it is kept for now for backward\n        // compatibility. Should be removed sometime later.\n        req2.cspNonce = req2.nonce;\n\n        // The deep clone is necessary here to ensure that default value can't be\n        // mutated during request processing.\n        let cspSettings: CspOptionsT = cloneDeep(defaultCspSettings);\n        (cspSettings.directives?.['script-src'] as string[]).push(`'nonce-${req2.nonce}'`);\n        if (options.cspSettingsHook) {\n          cspSettings = options.cspSettingsHook(cspSettings, req);\n        }\n        helmet.contentSecurityPolicy(cspSettings)(req, res, next);\n      },\n    );\n  }\n\n  if (options.favicon) {\n    server.use(favicon(options.favicon));\n  }\n\n  server.use('/robots.txt', (req, res) => {\n    res.send('User-agent: *\\nDisallow:');\n  });\n\n  server.use(express.json({ limit: '300kb' }));\n  server.use(express.urlencoded({ extended: false }));\n  server.use(cookieParser(options.cookieSignatureSecret));\n  server.use(requestIp.mw());\n\n  server.use(csrf({ cookie: true }));\n\n  loggerMiddleware.token(\n    'ip',\n    (req: Request & { clientIp: string }) => req.clientIp,\n  );\n  const FORMAT = ':ip > :status :method :url :response-time ms :res[content-length] :referrer :user-agent';\n  server.use(loggerMiddleware(FORMAT, {\n    stream: {\n      // TODO: This implies the logger is always set. Is it on a higher level?\n      // then mark it as always present.\n      write: options.logger!.info.bind(options.logger),\n    },\n  }));\n\n  // Note: no matter the \"public path\", we want the service worker, if any,\n  // to be served from the root, to have all web app pages in its scope.\n  // Thus, this setup to serve it. Probably, need some more configuration\n  // for special cases, but this will do for now.\n  server.get('/__service-worker.js', express.static(\n    webpackConfig.output?.path ?? '',\n    {\n      setHeaders: (res) => res.set('Cache-Control', 'no-cache'),\n    },\n  ));\n\n  /* Setup of Hot Module Reloading for development environment.\n   * These dependencies are not used, nor installed for production use,\n   * hence we should violate some import-related lint rules. */\n  /* eslint-disable import/no-extraneous-dependencies */\n  if (options.devMode) {\n    // This is a workaround for SASS bug:\n    // https://github.com/dart-lang/sdk/issues/27979\n    // which manifests itself sometimes when webpack dev middleware is used\n    // (in dev mode), and app modules are imported in some unfortunate ways.\n    // TODO: Double-check, what is going on here.\n    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition\n    if (!global.location) {\n      global.location = {\n        href: `${pathToFileURL(process.cwd()).href}${sep}`,\n      } as Location;\n    }\n\n    /* eslint-disable @typescript-eslint/no-require-imports */\n    const webpack = require('webpack') as (ops: Configuration) => Compiler;\n\n    // TODO: Figure out the exact type for options, don't wanna waste time on it\n    // right now.\n    const webpackDevMiddleware = require('webpack-dev-middleware') as\n      (c: Compiler, ops: unknown) => RequestHandler;\n\n    const webpackHotMiddleware = require('webpack-hot-middleware') as\n      (c: Compiler) => RequestHandler;\n\n    const compiler = webpack(webpackConfig);\n    server.use(webpackDevMiddleware(compiler, {\n      publicPath,\n      serverSideRender: true,\n    }));\n    server.use(webpackHotMiddleware(compiler));\n  }\n  /* eslint-enable import/no-extraneous-dependencies */\n\n  server.use(publicPath as string, express.static(webpackConfig.output!.path!));\n\n  if (options.onExpressJsSetup) {\n    await options.onExpressJsSetup(server);\n  }\n  server.use(renderer);\n\n  /* Detects 404 errors, and forwards them to the error handler. */\n  server.use((req, res, next) => {\n    next(newError(ERRORS.NOT_FOUND, CODES.NOT_FOUND));\n  });\n\n  let dontAttachDefaultErrorHandler;\n  if (options.beforeExpressJsError) {\n    dontAttachDefaultErrorHandler = await options.beforeExpressJsError(server);\n  }\n\n  /* Error handler. */\n  if (!dontAttachDefaultErrorHandler) {\n    // TODO: Do we need this error handler at all? It actually seems to do\n    // what the default ExpressJS error handler does anyway, see:\n    // https://expressjs.com/en/guide/error-handling.html\n    //\n    // TODO: It is better to move the default error handler definition\n    // to a stand-alone function at top-level, but the use of options.logger\n    // prevents to do it without some extra refactoring. Should be done sometime\n    // though.\n    server.use((\n      error: Error & {\n        status?: number;\n      },\n      req: Request,\n      res: Response,\n      next: NextFunction,\n    ) => {\n      // TODO: This is needed to correctly handled any errors thrown after\n      // sending initial response to the client.\n      if (res.headersSent) {\n        next(error);\n        return;\n      }\n\n      const status = error.status ?? CODES.INTERNAL_SERVER_ERROR;\n      const serverSide = status >= (CODES.INTERNAL_SERVER_ERROR as number);\n\n      // Log server-side errors always, client-side at debug level only.\n      options.logger!.log(serverSide ? 'error' : 'debug', error.toString());\n\n      let message = error.message || getErrorForCode(status);\n      if (serverSide && process.env.NODE_ENV === 'production') {\n        message = ERRORS.INTERNAL_SERVER_ERROR;\n      }\n\n      res.status(status).send(message);\n    });\n  }\n\n  return server;\n}\n"],"mappings":"qOAIA,IAAAA,KAAA,CAAAC,OAAA,SACA,IAAAC,IAAA,CAAAD,OAAA,QAEA,IAAAE,OAAA,CAAAF,OAAA,WAMA,IAAAG,YAAA,CAAAC,sBAAA,CAAAJ,OAAA,iBACA,IAAAK,aAAA,CAAAD,sBAAA,CAAAJ,OAAA,mBACA,IAAAM,MAAA,CAAAF,sBAAA,CAAAJ,OAAA,uBAEA,IAAAO,QAAA,CAAAH,sBAAA,CAAAJ,OAAA,aAQA,IAAAQ,aAAA,CAAAJ,sBAAA,CAAAJ,OAAA,mBACA,IAAAS,OAAA,CAAAL,sBAAA,CAAAJ,OAAA,YACA,IAAAU,OAAA,CAAAN,sBAAA,CAAAJ,OAAA,YACA,IAAAW,UAAA,CAAAP,sBAAA,CAAAJ,OAAA,gBACA,IAAAY,KAAA,CAAAZ,OAAA,SAIA,IAAAa,SAAA,CAAAT,sBAAA,CAAAJ,OAAA,gBAKA,IAAAc,OAAA,CAAAd,OAAA,mBAtCA;AACA;AACA,GA8CA;AAMA;AACA;AACA;AACA,GACA,KAAM,CAAAe,kBAAkB,CAAG,CACzBC,UAAU,CAAE,GAAAC,iBAAS,EACnBC,eAAM,CAACC,qBAAqB,CAACC,oBAAoB,CAAC,CAAC,CAEnD;AACA;AACA;AACA;AACCC,KAAK,EAAMA,KAAK,CAAcC,MAAM,CAAEC,IAAY,EAAKA,IAAI,GAAK,QAAQ,CAC3E,CACF,CAAC,CACDR,kBAAkB,CAACC,UAAU,CAAC,WAAW,CAAC,CAAG,CAC3C,QAAQ,CAER;AACA;AACA,uBAAuB,CACxB,CAED,CACE,KAAM,CAAAA,UAAU,CAAGD,kBAAkB,CAACC,UAAU,CAAC,YAAY,CAAC,CAC9D,GAAIA,UAAU,CAAEA,UAAU,CAACQ,IAAI,CAAC,eAAe,CAAC,CAAC,IAC5C,CAAAT,kBAAkB,CAACC,UAAU,CAAC,YAAY,CAAC,CAAG,CAAC,eAAe,CACrE,CAEA;AACA;AACA;AACA,MAAO,CAAAD,kBAAkB,CAACC,UAAU,CAAC,2BAA2B,CAAC,CAEjE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,GACO,QAAS,CAAAS,qBAAqBA,CAAA,CAEnC,CACA,MAAO,GAAAC,iBAAS,EAACX,kBAAkB,CACrC,CAqBe,cAAe,CAAAY,OAAOA,CACnCC,aAA4B,CAC5BC,OAAiB,CACC,CAClB,KAAM,CAAAC,WAA6B,CAAG,GAAAC,YAAI,EAACF,OAAO,CAAE,CAClD,aAAa,CACb,cAAc,CACd,SAAS,CACT,QAAQ,CACR,cAAc,CACd,OAAO,CACP,YAAY,CACZ,uBAAuB,CACvB,iBAAiB,CAClB,CAAC,CACF,KAAM,CAAAG,QAAQ,CAAG,GAAAC,iBAAe,EAACL,aAAa,CAAEE,WAAW,CAAC,CAC5D,KAAM,CAAEI,UAAW,CAAC,CAAGN,aAAa,CAACO,MAAO,CAE5C,KAAM,CAAAC,MAAM,CAAG,GAAAC,gBAAO,EAAC,CAAY,CAEnC,GAAIR,OAAO,CAACS,oBAAoB,CAAE,CAChC,KAAM,CAAAT,OAAO,CAACS,oBAAoB,CAACF,MAAM,CAC3C,CAEA,GAAIP,OAAO,CAACU,MAAM,CAAEH,MAAM,CAACG,MAAM,CAAGV,OAAO,CAACU,MAAM,CAElD,GAAIV,OAAO,CAACW,aAAa,CAAE,CACzBJ,MAAM,CAACK,GAAG,CAAC,CAACC,GAAG,CAAEC,GAAG,CAAEC,IAAI,GAAK,CAC7B,KAAM,CAAAC,MAAM,CAAGH,GAAG,CAACI,OAAO,CAAC,mBAAmB,CAAC,CAC/C,GAAID,MAAM,GAAK,MAAM,CAAE,CACrB,GAAI,CAAAE,GAAG,CAAG,WAAWL,GAAG,CAACI,OAAO,CAACE,IAAI,EAAE,CACvC,GAAIN,GAAG,CAACO,WAAW,GAAK,GAAG,CAAEF,GAAG,EAAIL,GAAG,CAACO,WAAW,CACnDN,GAAG,CAACO,QAAQ,CAACH,GAAG,CAAC,CACjB,MACF,CACAH,IAAI,CAAC,CACP,CAAC,CACH,CAEAR,MAAM,CAACK,GAAG,CAAC,GAAAU,oBAAW,EAAC,CAAC,CAAC,CACzBf,MAAM,CAACK,GAAG,CACR,GAAAvB,eAAM,EAAC,CACLC,qBAAqB,CAAE,KAAK,CAC5BiC,yBAAyB,CAAE,KAAK,CAChCC,uBAAuB,CAAE,KAAK,CAC9BC,yBAAyB,CAAE,KAC7B,CAAC,CACH,CAAC,CAED,GAAI,CAACzB,OAAO,CAAC0B,KAAK,CAAE,CAClBnB,MAAM,CAACK,GAAG,CACR,CAACC,GAAY,CAAEC,GAAa,CAAEC,IAAkB,GAAK,CACnD,KAAM,CAAAY,IAAI,CAAGd,GAAe,CAE5Bc,IAAI,CAACC,KAAK,CAAG,GAAAC,QAAI,EAAC,CAAC,CAEnB;AACA;AACAF,IAAI,CAACG,QAAQ,CAAGH,IAAI,CAACC,KAAK,CAE1B;AACA;AACA,GAAI,CAAAG,WAAwB,CAAG,GAAAlC,iBAAS,EAACX,kBAAkB,CAAC,CAC5D,CAAC6C,WAAW,CAAC5C,UAAU,GAAG,YAAY,CAAC,EAAcQ,IAAI,CAAC,UAAUgC,IAAI,CAACC,KAAK,GAAG,CAAC,CAClF,GAAI5B,OAAO,CAACgC,eAAe,CAAE,CAC3BD,WAAW,CAAG/B,OAAO,CAACgC,eAAe,CAACD,WAAW,CAAElB,GAAG,CACxD,CACAxB,eAAM,CAACC,qBAAqB,CAACyC,WAAW,CAAC,CAAClB,GAAG,CAAEC,GAAG,CAAEC,IAAI,CAC1D,CACF,CACF,CAEA,GAAIf,OAAO,CAACiC,OAAO,CAAE,CACnB1B,MAAM,CAACK,GAAG,CAAC,GAAAqB,qBAAO,EAACjC,OAAO,CAACiC,OAAO,CAAC,CACrC,CAEA1B,MAAM,CAACK,GAAG,CAAC,aAAa,CAAE,CAACC,GAAG,CAAEC,GAAG,GAAK,CACtCA,GAAG,CAACoB,IAAI,CAAC,0BAA0B,CACrC,CAAC,CAAC,CAEF3B,MAAM,CAACK,GAAG,CAACJ,gBAAO,CAAC2B,IAAI,CAAC,CAAEC,KAAK,CAAE,OAAQ,CAAC,CAAC,CAAC,CAC5C7B,MAAM,CAACK,GAAG,CAACJ,gBAAO,CAAC6B,UAAU,CAAC,CAAEC,QAAQ,CAAE,KAAM,CAAC,CAAC,CAAC,CACnD/B,MAAM,CAACK,GAAG,CAAC,GAAA2B,qBAAY,EAACvC,OAAO,CAACwC,qBAAqB,CAAC,CAAC,CACvDjC,MAAM,CAACK,GAAG,CAAC6B,kBAAS,CAACC,EAAE,CAAC,CAAC,CAAC,CAE1BnC,MAAM,CAACK,GAAG,CAAC,GAAA+B,cAAI,EAAC,CAAEC,MAAM,CAAE,IAAK,CAAC,CAAC,CAAC,CAElCC,eAAgB,CAACC,KAAK,CACpB,IAAI,CACHjC,GAAmC,EAAKA,GAAG,CAACkC,QAC/C,CAAC,CACD,KAAM,CAAAC,MAAM,CAAG,yFAAyF,CACxGzC,MAAM,CAACK,GAAG,CAAC,GAAAiC,eAAgB,EAACG,MAAM,CAAE,CAClCC,MAAM,CAAE,CACN;AACA;AACAC,KAAK,CAAElD,OAAO,CAACU,MAAM,CAAEyC,IAAI,CAACC,IAAI,CAACpD,OAAO,CAACU,MAAM,CACjD,CACF,CAAC,CAAC,CAAC,CAEH;AACA;AACA;AACA;AACAH,MAAM,CAAC8C,GAAG,CAAC,sBAAsB,CAAE7C,gBAAO,CAAC8C,MAAM,CAC/CvD,aAAa,CAACO,MAAM,EAAEiD,IAAI,EAAI,EAAE,CAChC,CACEC,UAAU,CAAG1C,GAAG,EAAKA,GAAG,CAAC2C,GAAG,CAAC,eAAe,CAAE,UAAU,CAC1D,CACF,CAAC,CAAC,CAEF;AACF;AACA,+DACE,sDACA,GAAIzD,OAAO,CAAC0D,OAAO,CAAE,CACnB;AACA;AACA;AACA;AACA;AACA;AACA,GAAI,CAACC,MAAM,CAACC,QAAQ,CAAE,CACpBD,MAAM,CAACC,QAAQ,CAAG,CAChBC,IAAI,CAAE,GAAG,GAAAC,kBAAa,EAACC,OAAO,CAACC,GAAG,CAAC,CAAC,CAAC,CAACH,IAAI,GAAGI,SAAG,EAClD,CACF,CAEA,0DACA,KAAM,CAAAC,OAAO,CAAG/F,OAAO,CAAC,SAAS,CAAqC,CAEtE;AACA;AACA,KAAM,CAAAgG,oBAAoB,CAAGhG,OAAO,CAAC,wBAAwB,CACd,CAE/C,KAAM,CAAAiG,oBAAoB,CAAGjG,OAAO,CAAC,wBAAwB,CAC5B,CAEjC,KAAM,CAAAkG,QAAQ,CAAGH,OAAO,CAACnE,aAAa,CAAC,CACvCQ,MAAM,CAACK,GAAG,CAACuD,oBAAoB,CAACE,QAAQ,CAAE,CACxChE,UAAU,CACViE,gBAAgB,CAAE,IACpB,CAAC,CAAC,CAAC,CACH/D,MAAM,CAACK,GAAG,CAACwD,oBAAoB,CAACC,QAAQ,CAAC,CAC3C,CACA,qDAEA9D,MAAM,CAACK,GAAG,CAACP,UAAU,CAAYG,gBAAO,CAAC8C,MAAM,CAACvD,aAAa,CAACO,MAAM,CAAEiD,IAAK,CAAC,CAAC,CAE7E,GAAIvD,OAAO,CAACuE,gBAAgB,CAAE,CAC5B,KAAM,CAAAvE,OAAO,CAACuE,gBAAgB,CAAChE,MAAM,CACvC,CACAA,MAAM,CAACK,GAAG,CAACT,QAAQ,CAAC,CAEpB,iEACAI,MAAM,CAACK,GAAG,CAAC,CAACC,GAAG,CAAEC,GAAG,CAAEC,IAAI,GAAK,CAC7BA,IAAI,CAAC,GAAAyD,gBAAQ,EAACC,cAAM,CAACC,SAAS,CAAEC,aAAK,CAACD,SAAS,CAAC,CAClD,CAAC,CAAC,CAEF,GAAI,CAAAE,6BAA6B,CACjC,GAAI5E,OAAO,CAAC6E,oBAAoB,CAAE,CAChCD,6BAA6B,CAAG,KAAM,CAAA5E,OAAO,CAAC6E,oBAAoB,CAACtE,MAAM,CAC3E,CAEA,oBACA,GAAI,CAACqE,6BAA6B,CAAE,CAClC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACArE,MAAM,CAACK,GAAG,CAAC,CACTkE,KAEC,CACDjE,GAAY,CACZC,GAAa,CACbC,IAAkB,GACf,CACH;AACA;AACA,GAAID,GAAG,CAACiE,WAAW,CAAE,CACnBhE,IAAI,CAAC+D,KAAK,CAAC,CACX,MACF,CAEA,KAAM,CAAAE,MAAM,CAAGF,KAAK,CAACE,MAAM,EAAIL,aAAK,CAACM,qBAAqB,CAC1D,KAAM,CAAAC,UAAU,CAAGF,MAAM,EAAKL,aAAK,CAACM,qBAAgC,CAEpE;AACAjF,OAAO,CAACU,MAAM,CAAEyE,GAAG,CAACD,UAAU,CAAG,OAAO,CAAG,OAAO,CAAEJ,KAAK,CAACM,QAAQ,CAAC,CAAC,CAAC,CAErE,GAAI,CAAAC,OAAO,CAAGP,KAAK,CAACO,OAAO,EAAI,GAAAC,uBAAe,EAACN,MAAM,CAAC,CACtD,GAAIE,UAAU,EAAInB,OAAO,CAACwB,GAAG,CAACC,QAAQ,GAAK,YAAY,CAAE,CACvDH,OAAO,CAAGZ,cAAM,CAACQ,qBACnB,CAEAnE,GAAG,CAACkE,MAAM,CAACA,MAAM,CAAC,CAAC9C,IAAI,CAACmD,OAAO,CACjC,CAAC,CACH,CAEA,MAAO,CAAA9E,MACT","ignoreList":[]}

package/build/types-code/server/server.d.ts

@@ -30,6 +30,7 @@ export type ServerT = Express & {
 export type OptionsT = RendererOptionsT & {
     beforeExpressJsError?: (server: ServerT) => boolean | Promise<boolean>;
     beforeExpressJsSetup?: (server: ServerT) => Promise<void> | void;
+    cookieSignatureSecret?: string;
     cspSettingsHook?: (defaultOptions: CspOptionsT, req: Request) => CspOptionsT;
     devMode?: boolean;
     httpsRedirect?: boolean;

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.43.11",
+  "version": "1.43.13",
   "bin": {
     "react-utils-build": "bin/build.js",
     "react-utils-setup": "bin/setup.js"
@@ -10,16 +10,16 @@
   "dependencies": {
     "@babel/runtime": "^7.27.1",
     "@dr.pogodin/babel-plugin-react-css-modules": "^6.13.5",
-    "@dr.pogodin/csurf": "^1.16.1",
+    "@dr.pogodin/csurf": "^1.16.2",
     "@dr.pogodin/js-utils": "^0.0.18",
     "@dr.pogodin/react-global-state": "^0.19.2",
     "@dr.pogodin/react-helmet": "^3.0.2",
     "@dr.pogodin/react-themes": "^1.9.0",
     "@jest/environment": "^29.7.0",
     "axios": "^1.9.0",
-    "commander": "^13.1.0",
+    "commander": "^14.0.0",
     "compression": "^1.8.0",
-    "config": "^3.3.12",
+    "config": "^4.0.0",
     "cookie": "^1.0.2",
     "cookie-parser": "^1.4.7",
     "cross-env": "^7.0.3",
@@ -66,14 +66,14 @@
     "@types/config": "^3.3.5",
     "@types/cookie": "^0.6.0",
     "@types/cookie-parser": "^1.4.8",
-    "@types/express": "^5.0.1",
+    "@types/express": "^5.0.2",
     "@types/jest": "^29.5.14",
     "@types/lodash": "^4.17.16",
     "@types/morgan": "^1.9.9",
     "@types/node-forge": "^1.3.11",
     "@types/pretty": "^2.0.3",
-    "@types/react": "^19.1.3",
-    "@types/react-dom": "^19.1.3",
+    "@types/react": "^19.1.4",
+    "@types/react-dom": "^19.1.5",
     "@types/request-ip": "^0.0.41",
     "@types/serialize-javascript": "^5.0.4",
     "@types/serve-favicon": "^2.5.7",
@@ -90,7 +90,7 @@
     "identity-obj-proxy": "^3.0.0",
     "jest": "^29.7.0",
     "jest-environment-jsdom": "^29.7.0",
-    "memfs": "^4.17.1",
+    "memfs": "^4.17.2",
     "mini-css-extract-plugin": "^2.9.2",
     "mockdate": "^3.0.5",
     "nodelist-foreach-polyfill": "^1.2.0",
@@ -101,18 +101,18 @@
     "react-refresh": "^0.17.0",
     "regenerator-runtime": "^0.14.1",
     "resolve-url-loader": "^5.0.0",
-    "sass": "^1.88.0",
+    "sass": "^1.89.0",
     "sass-loader": "^16.0.5",
     "sitemap": "^8.0.0",
     "source-map-loader": "^5.0.0",
     "stylelint": "^16.19.1",
-    "stylelint-config-standard-scss": "^15.0.0",
-    "supertest": "^7.1.0",
+    "stylelint-config-standard-scss": "^15.0.1",
+    "supertest": "^7.1.1",
     "tsc-alias": "1.8.16",
     "tstyche": "^3.5.0",
     "typed-scss-modules": "^8.1.1",
     "typescript": "^5.8.3",
-    "webpack": "^5.99.8",
+    "webpack": "^5.99.9",
     "webpack-dev-middleware": "^7.4.2",
     "webpack-hot-middleware": "^2.26.1",
     "webpack-merge": "^6.0.1",

package/src/server/server.ts

@@ -116,6 +116,7 @@ export type OptionsT = RendererOptionsT & {
   (server: ServerT) => boolean | Promise<boolean>;
 
   beforeExpressJsSetup?: (server: ServerT) => Promise<void> | void;
+  cookieSignatureSecret?: string;
   cspSettingsHook?: (
     defaultOptions: CspOptionsT,
     req: Request,
@@ -207,7 +208,7 @@ export default async function factory(
 
   server.use(express.json({ limit: '300kb' }));
   server.use(express.urlencoded({ extended: false }));
-  server.use(cookieParser());
+  server.use(cookieParser(options.cookieSignatureSecret));
   server.use(requestIp.mw());
 
   server.use(csrf({ cookie: true }));