@eggjs/jsonp 3.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) Alibaba Group Holding Limited and other contributors.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,141 @@
+# @eggjs/jsonp
+
+[![NPM version][npm-image]][npm-url]
+[![Node.js CI](https://github.com/eggjs/jsonp/actions/workflows/nodejs.yml/badge.svg)](https://github.com/eggjs/jsonp/actions/workflows/nodejs.yml)
+[![Test coverage][codecov-image]][codecov-url]
+[![Known Vulnerabilities][snyk-image]][snyk-url]
+[![npm download][download-image]][download-url]
+[![Node.js Version](https://img.shields.io/node/v/@eggjs/jsonp.svg?style=flat)](https://nodejs.org/en/download/)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](https://makeapullrequest.com)
+
+[npm-image]: https://img.shields.io/npm/v/@eggjs/jsonp.svg?style=flat-square
+[npm-url]: https://npmjs.org/package/@eggjs/jsonp
+[codecov-image]: https://img.shields.io/codecov/c/github/eggjs/jsonp.svg?style=flat-square
+[codecov-url]: https://codecov.io/github/eggjs/jsonp?branch=master
+[snyk-image]: https://snyk.io/test/npm/@eggjs/jsonp/badge.svg?style=flat-square
+[snyk-url]: https://snyk.io/test/npm/@eggjs/jsonp
+[download-image]: https://img.shields.io/npm/dm/@eggjs/jsonp.svg?style=flat-square
+[download-url]: https://npmjs.org/package/@eggjs/jsonp
+
+An egg plugin for jsonp support.
+
+## Requirements
+
+- egg >= 4.x
+
+## Install
+
+```bash
+npm i @eggjs/jsonp
+```
+
+## Usage
+
+```ts
+// {app_root}/config/plugin.ts
+
+export default {
+  jsonp: {
+    enable: true,
+    package: '@eggjs/jsonp',
+  },
+};
+```
+
+## Configuration
+
+- {String|Array} callback - jsonp callback method key, default to `[ '_callback', 'callback' ]`
+- {Number} limit - callback method name's max length, default to `50`
+- {Boolean} csrf - enable csrf check or not. default to false
+- {String|RegExp|Array} whiteList - referrer white list
+
+if whiteList's type is `RegExp`, referrer must match `whiteList`, pay attention to the first `^` and last `/`.
+
+```ts
+export default {
+  jsonp: {
+    whiteList: /^https?:\/\/test.com\//,
+  },
+};
+
+// matchs referrer:
+// https://test.com/hello
+// http://test.com/
+```
+
+if whiteList's type is `String` and starts with `.`:
+
+```ts
+export default {
+  jsonp: {
+    whiteList: '.test.com',
+  },
+};
+
+// matchs domain test.com:
+// https://test.com/hello
+// http://test.com/
+
+// matchs subdomain
+// https://sub.test.com/hello
+// http://sub.sub.test.com/
+```
+
+if whiteList's type is `String` and not starts with `.`:
+
+```ts
+export default {
+  jsonp: {
+    whiteList: 'sub.test.com',
+  },
+};
+
+// only matchs domain sub.test.com:
+// https://sub.test.com/hello
+// http://sub.test.com/
+```
+
+whiteList also can be an array:
+
+```ts
+export default {
+  jsonp: {
+    whiteList: [ '.foo.com', '.bar.com' ],
+  },
+};
+```
+
+see [config/config.default.ts](https://github.com/eggjs/jsonp/blob/master/src/config/config.default.ts) for more detail.
+
+## API
+
+- ctx.acceptJSONP - detect if response should be jsonp, readonly
+
+## Example
+
+In `app/router.ts`
+
+```ts
+// Create once and use in any router you want to support jsonp.
+const jsonp = app.jsonp();
+
+app.get('/default', jsonp, 'jsonp.index');
+app.get('/another', jsonp, 'jsonp.another');
+
+// Customize by create another jsonp middleware with specific configurations.
+app.get('/customize', app.jsonp({ callback: 'fn' }), 'jsonp.customize');
+```
+
+## Questions & Suggestions
+
+Please open an issue [here](https://github.com/eggjs/egg/issues).
+
+## License
+
+[MIT](LICENSE)
+
+## Contributors
+
+[![Contributors](https://contrib.rocks/image?repo=eggjs/jsonp)](https://github.com/eggjs/jsonp/graphs/contributors)
+
+Made with [contributors-img](https://contrib.rocks).

package/dist/commonjs/app/extend/application.d.ts

@@ -0,0 +1,10 @@
+import { EggCore, type MiddlewareFunc } from '@eggjs/core';
+import { JSONPConfig } from '../../types.js';
+export default class JSONPApplication extends EggCore {
+    /**
+     * return a middleware to enable jsonp response.
+     * will do some security check inside.
+     * @public
+     */
+    jsonp(initOptions?: Partial<JSONPConfig>): MiddlewareFunc;
+}

package/dist/commonjs/app/extend/application.js

@@ -0,0 +1,115 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_util_1 = require("node:util");
+const node_url_1 = require("node:url");
+const core_1 = require("@eggjs/core");
+const private_key_js_1 = require("../../lib/private_key.js");
+const JSONPForbiddenReferrerError_js_1 = require("../../error/JSONPForbiddenReferrerError.js");
+const debug = (0, node_util_1.debuglog)('@egg/jsonp/app/extend/application');
+class JSONPApplication extends core_1.EggCore {
+    /**
+     * return a middleware to enable jsonp response.
+     * will do some security check inside.
+     * @public
+     */
+    jsonp(initOptions = {}) {
+        const options = {
+            ...this.config.jsonp,
+            ...initOptions,
+        };
+        if (!Array.isArray(options.callback)) {
+            options.callback = [options.callback];
+        }
+        const csrfEnable = this.plugins.security && this.plugins.security.enable // security enable
+            && this.config.security.csrf && this.config.security.csrf.enable !== false // csrf enable
+            && options.csrf; // jsonp csrf enabled
+        const validateReferrer = options.whiteList && createValidateReferer(options.whiteList);
+        if (!csrfEnable && !validateReferrer) {
+            this.coreLogger.warn('[@eggjs/jsonp] SECURITY WARNING!! csrf check and referrer check are both closed!');
+        }
+        /**
+         * jsonp request security check, pass if
+         *
+         * 1. hit referrer white list
+         * 2. or pass csrf check
+         * 3. both check are disabled
+         *
+         * @param {Context} ctx request context
+         */
+        function securityAssert(ctx) {
+            // all disabled. don't need check
+            if (!csrfEnable && !validateReferrer)
+                return;
+            // pass referrer check
+            const referrer = ctx.get('referrer');
+            if (validateReferrer && validateReferrer(referrer))
+                return;
+            if (csrfEnable && validateCsrf(ctx))
+                return;
+            throw new JSONPForbiddenReferrerError_js_1.JSONPForbiddenReferrerError('jsonp request security validate failed', referrer, 403);
+        }
+        return async function jsonp(ctx, next) {
+            const jsonpFunction = getJsonpFunction(ctx.query, options.callback);
+            ctx[private_key_js_1.JSONP_CONFIG] = {
+                jsonpFunction,
+                options,
+            };
+            // before handle request, must do some security checks
+            securityAssert(ctx);
+            await next();
+            // generate jsonp body
+            ctx.createJsonpBody(ctx.body);
+        };
+    }
+}
+exports.default = JSONPApplication;
+function createValidateReferer(whiteList) {
+    if (!Array.isArray(whiteList)) {
+        whiteList = [whiteList];
+    }
+    return (referrer) => {
+        let parsed;
+        for (const rule of whiteList) {
+            if (rule instanceof RegExp) {
+                if (rule.test(referrer)) {
+                    // regexp(/^https?:\/\/github.com\//): test the referrer with rule
+                    return true;
+                }
+                continue;
+            }
+            parsed = parsed ?? (0, node_url_1.parse)(referrer);
+            const hostname = parsed.hostname || '';
+            // check if referrer's hostname match the string rule
+            if (rule[0] === '.' &&
+                (hostname.endsWith(rule) || hostname === rule.slice(1))) {
+                // string start with `.`(.github.com): referrer's hostname must ends with rule
+                return true;
+            }
+            else if (hostname === rule) {
+                // string not start with `.`(github.com): referrer's hostname must strict equal to rule
+                return true;
+            }
+        }
+        // no rule matched
+        return false;
+    };
+}
+function validateCsrf(ctx) {
+    try {
+        // TODO(fengmk2): remove this when @eggjs/security support ctx.assertCsrf type define
+        ctx.assertCsrf();
+        return true;
+    }
+    catch (err) {
+        debug('validate csrf failed: %s', err);
+        return false;
+    }
+}
+function getJsonpFunction(query, callbacks) {
+    for (const callback of callbacks) {
+        if (query[callback]) {
+            return query[callback];
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXBwbGljYXRpb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXBwL2V4dGVuZC9hcHBsaWNhdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLHlDQUFxQztBQUNyQyx1Q0FBc0U7QUFFdEUsc0NBQTJEO0FBQzNELDZEQUF3RDtBQUV4RCwrRkFBeUY7QUFHekYsTUFBTSxLQUFLLEdBQUcsSUFBQSxvQkFBUSxFQUFDLG1DQUFtQyxDQUFDLENBQUM7QUFFNUQsTUFBcUIsZ0JBQWlCLFNBQVEsY0FBTztJQUNuRDs7OztPQUlHO0lBQ0gsS0FBSyxDQUFDLGNBQW9DLEVBQUU7UUFDMUMsTUFBTSxPQUFPLEdBQUc7WUFDZCxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUMsS0FBSztZQUNwQixHQUFHLFdBQVc7U0FDeUIsQ0FBQztRQUMxQyxJQUFJLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQztZQUNyQyxPQUFPLENBQUMsUUFBUSxHQUFHLENBQUUsT0FBTyxDQUFDLFFBQVEsQ0FBRSxDQUFDO1FBQzFDLENBQUM7UUFFRCxNQUFNLFVBQVUsR0FBRyxJQUFJLENBQUMsT0FBTyxDQUFDLFFBQVEsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsa0JBQWtCO2VBQ3RGLElBQUksQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsTUFBTSxLQUFLLEtBQUssQ0FBQyxjQUFjO2VBQ3RGLE9BQU8sQ0FBQyxJQUFJLENBQUMsQ0FBQyxxQkFBcUI7UUFFeEMsTUFBTSxnQkFBZ0IsR0FBRyxPQUFPLENBQUMsU0FBUyxJQUFJLHFCQUFxQixDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUV2RixJQUFJLENBQUMsVUFBVSxJQUFJLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztZQUNyQyxJQUFJLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxrRkFBa0YsQ0FBQyxDQUFDO1FBQzNHLENBQUM7UUFDRDs7Ozs7Ozs7V0FRRztRQUNILFNBQVMsY0FBYyxDQUFDLEdBQWlCO1lBQ3ZDLGlDQUFpQztZQUNqQyxJQUFJLENBQUMsVUFBVSxJQUFJLENBQUMsZ0JBQWdCO2dCQUFFLE9BQU87WUFFN0Msc0JBQXNCO1lBQ3RCLE1BQU0sUUFBUSxHQUFHLEdBQUcsQ0FBQyxHQUFHLENBQVMsVUFBVSxDQUFDLENBQUM7WUFDN0MsSUFBSSxnQkFBZ0IsSUFBSSxnQkFBZ0IsQ0FBQyxRQUFRLENBQUM7Z0JBQUUsT0FBTztZQUMzRCxJQUFJLFVBQVUsSUFBSSxZQUFZLENBQUMsR0FBRyxDQUFDO2dCQUFFLE9BQU87WUFFNUMsTUFBTSxJQUFJLDREQUEyQixDQUNuQyx3Q0FBd0MsRUFDeEMsUUFBUSxFQUNSLEdBQUcsQ0FBQyxDQUFDO1FBQ1QsQ0FBQztRQUVELE9BQU8sS0FBSyxVQUFVLEtBQUssQ0FBQyxHQUFpQixFQUFFLElBQUk7WUFDakQsTUFBTSxhQUFhLEdBQUcsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLEtBQUssRUFBRSxPQUFPLENBQUMsUUFBUSxDQUFDLENBQUM7WUFFcEUsR0FBRyxDQUFDLDZCQUFZLENBQUMsR0FBRztnQkFDbEIsYUFBYTtnQkFDYixPQUFPO2FBQ1IsQ0FBQztZQUVGLHNEQUFzRDtZQUN0RCxjQUFjLENBQUMsR0FBRyxDQUFDLENBQUM7WUFFcEIsTUFBTSxJQUFJLEVBQUUsQ0FBQztZQUViLHNCQUFzQjtZQUN0QixHQUFHLENBQUMsZUFBZSxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUNoQyxDQUFDLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUFqRUQsbUNBaUVDO0FBRUQsU0FBUyxxQkFBcUIsQ0FBQyxTQUE2QztJQUMxRSxJQUFJLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDO1FBQzlCLFNBQVMsR0FBRyxDQUFFLFNBQVMsQ0FBRSxDQUFDO0lBQzVCLENBQUM7SUFFRCxPQUFPLENBQUMsUUFBZ0IsRUFBRSxFQUFFO1FBQzFCLElBQUksTUFBc0MsQ0FBQztRQUMzQyxLQUFLLE1BQU0sSUFBSSxJQUFJLFNBQVMsRUFBRSxDQUFDO1lBQzdCLElBQUksSUFBSSxZQUFZLE1BQU0sRUFBRSxDQUFDO2dCQUMzQixJQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQztvQkFDeEIsa0VBQWtFO29CQUNsRSxPQUFPLElBQUksQ0FBQztnQkFDZCxDQUFDO2dCQUNELFNBQVM7WUFDWCxDQUFDO1lBRUQsTUFBTSxHQUFHLE1BQU0sSUFBSSxJQUFBLGdCQUFRLEVBQUMsUUFBUSxDQUFDLENBQUM7WUFDdEMsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLFFBQVEsSUFBSSxFQUFFLENBQUM7WUFFdkMscURBQXFEO1lBQ3JELElBQUksSUFBSSxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUc7Z0JBQ2pCLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsSUFBSSxRQUFRLEtBQUssSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUM7Z0JBQzFELDhFQUE4RTtnQkFDOUUsT0FBTyxJQUFJLENBQUM7WUFDZCxDQUFDO2lCQUFNLElBQUksUUFBUSxLQUFLLElBQUksRUFBRSxDQUFDO2dCQUM3Qix1RkFBdUY7Z0JBQ3ZGLE9BQU8sSUFBSSxDQUFDO1lBQ2QsQ0FBQztRQUNILENBQUM7UUFFRCxrQkFBa0I7UUFDbEIsT0FBTyxLQUFLLENBQUM7SUFDZixDQUFDLENBQUM7QUFDSixDQUFDO0FBRUQsU0FBUyxZQUFZLENBQUMsR0FBUTtJQUM1QixJQUFJLENBQUM7UUFDSCxxRkFBcUY7UUFDckYsR0FBRyxDQUFDLFVBQVUsRUFBRSxDQUFDO1FBQ2pCLE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7UUFDYixLQUFLLENBQUMsMEJBQTBCLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDdkMsT0FBTyxLQUFLLENBQUM7SUFDZixDQUFDO0FBQ0gsQ0FBQztBQUVELFNBQVMsZ0JBQWdCLENBQUMsS0FBcUIsRUFBRSxTQUFtQjtJQUNsRSxLQUFLLE1BQU0sUUFBUSxJQUFJLFNBQVMsRUFBRSxDQUFDO1FBQ2pDLElBQUksS0FBSyxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUM7WUFDcEIsT0FBTyxLQUFLLENBQUMsUUFBUSxDQUFXLENBQUM7UUFDbkMsQ0FBQztJQUNILENBQUM7QUFDSCxDQUFDIn0=

package/dist/commonjs/app/extend/context.d.ts

@@ -0,0 +1,15 @@
+import { Context } from '@eggjs/core';
+export default class JSONPContext extends Context {
+    /**
+     * detect if response should be jsonp
+     */
+    get acceptJSONP(): boolean;
+    /**
+     * JSONP wrap body function
+     * Set jsonp response wrap function, other plugin can use it.
+     * If not necessary, please don't use this method in your application code.
+     * @param {Object} body response body
+     * @private
+     */
+    createJsonpBody(body: any): void;
+}

package/dist/commonjs/app/extend/context.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const jsonp_body_1 = require("jsonp-body");
+const core_1 = require("@eggjs/core");
+const private_key_js_1 = require("../../lib/private_key.js");
+class JSONPContext extends core_1.Context {
+    /**
+     * detect if response should be jsonp
+     */
+    get acceptJSONP() {
+        const jsonpConfig = Reflect.get(this, private_key_js_1.JSONP_CONFIG);
+        return !!(jsonpConfig?.jsonpFunction);
+    }
+    /**
+     * JSONP wrap body function
+     * Set jsonp response wrap function, other plugin can use it.
+     * If not necessary, please don't use this method in your application code.
+     * @param {Object} body response body
+     * @private
+     */
+    createJsonpBody(body) {
+        const jsonpConfig = Reflect.get(this, private_key_js_1.JSONP_CONFIG);
+        if (!jsonpConfig?.jsonpFunction) {
+            this.body = body;
+            return;
+        }
+        this.set('x-content-type-options', 'nosniff');
+        this.type = 'js';
+        body = body === undefined ? null : body;
+        // protect from jsonp xss
+        this.body = (0, jsonp_body_1.jsonp)(body, jsonpConfig.jsonpFunction, jsonpConfig.options);
+    }
+}
+exports.default = JSONPContext;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29udGV4dC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hcHAvZXh0ZW5kL2NvbnRleHQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFBQSwyQ0FBZ0Q7QUFDaEQsc0NBQXNDO0FBQ3RDLDZEQUF3RDtBQUV4RCxNQUFxQixZQUFhLFNBQVEsY0FBTztJQUMvQzs7T0FFRztJQUNILElBQUksV0FBVztRQUNiLE1BQU0sV0FBVyxHQUFHLE9BQU8sQ0FBQyxHQUFHLENBQUMsSUFBSSxFQUFFLDZCQUFZLENBQVEsQ0FBQztRQUMzRCxPQUFPLENBQUMsQ0FBQyxDQUFDLFdBQVcsRUFBRSxhQUFhLENBQUMsQ0FBQztJQUN4QyxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsZUFBZSxDQUFDLElBQVM7UUFDdkIsTUFBTSxXQUFXLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQyxJQUFJLEVBQUUsNkJBQVksQ0FBUSxDQUFDO1FBQzNELElBQUksQ0FBQyxXQUFXLEVBQUUsYUFBYSxFQUFFLENBQUM7WUFDaEMsSUFBSSxDQUFDLElBQUksR0FBRyxJQUFJLENBQUM7WUFDakIsT0FBTztRQUNULENBQUM7UUFFRCxJQUFJLENBQUMsR0FBRyxDQUFDLHdCQUF3QixFQUFFLFNBQVMsQ0FBQyxDQUFDO1FBQzlDLElBQUksQ0FBQyxJQUFJLEdBQUcsSUFBSSxDQUFDO1FBQ2pCLElBQUksR0FBRyxJQUFJLEtBQUssU0FBUyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQztRQUN4Qyx5QkFBeUI7UUFDekIsSUFBSSxDQUFDLElBQUksR0FBRyxJQUFBLGtCQUFTLEVBQUMsSUFBSSxFQUFFLFdBQVcsQ0FBQyxhQUFhLEVBQUUsV0FBVyxDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQzlFLENBQUM7Q0FDRjtBQTdCRCwrQkE2QkMifQ==

package/dist/commonjs/config/config.default.d.ts

@@ -0,0 +1,5 @@
+import type { JSONPConfig } from '../types.js';
+declare const _default: {
+    jsonp: JSONPConfig;
+};
+export default _default;

package/dist/commonjs/config/config.default.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = {
+    jsonp: {
+        limit: 50,
+        callback: ['_callback', 'callback'],
+        csrf: false,
+        whiteList: undefined,
+    },
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmRlZmF1bHQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY29uZmlnL2NvbmZpZy5kZWZhdWx0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBRUEsa0JBQWU7SUFDYixLQUFLLEVBQUU7UUFDTCxLQUFLLEVBQUUsRUFBRTtRQUNULFFBQVEsRUFBRSxDQUFFLFdBQVcsRUFBRSxVQUFVLENBQUU7UUFDckMsSUFBSSxFQUFFLEtBQUs7UUFDWCxTQUFTLEVBQUUsU0FBUztLQUNOO0NBQ2pCLENBQUMifQ==

package/dist/commonjs/error/JSONPForbiddenReferrerError.d.ts

@@ -0,0 +1,5 @@
+export declare class JSONPForbiddenReferrerError extends Error {
+    referrer: string;
+    status: number;
+    constructor(message: string, referrer: string, status: number);
+}

package/dist/commonjs/error/JSONPForbiddenReferrerError.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JSONPForbiddenReferrerError = void 0;
+class JSONPForbiddenReferrerError extends Error {
+    referrer;
+    status;
+    constructor(message, referrer, status) {
+        super(message);
+        this.name = this.constructor.name;
+        this.referrer = referrer;
+        this.status = status;
+        Error.captureStackTrace(this, this.constructor);
+    }
+}
+exports.JSONPForbiddenReferrerError = JSONPForbiddenReferrerError;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiSlNPTlBGb3JiaWRkZW5SZWZlcnJlckVycm9yLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2Vycm9yL0pTT05QRm9yYmlkZGVuUmVmZXJyZXJFcnJvci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSxNQUFhLDJCQUE0QixTQUFRLEtBQUs7SUFDcEQsUUFBUSxDQUFTO0lBQ2pCLE1BQU0sQ0FBUztJQUVmLFlBQVksT0FBZSxFQUFFLFFBQWdCLEVBQUUsTUFBYztRQUMzRCxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDZixJQUFJLENBQUMsSUFBSSxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDO1FBQ2xDLElBQUksQ0FBQyxRQUFRLEdBQUcsUUFBUSxDQUFDO1FBQ3pCLElBQUksQ0FBQyxNQUFNLEdBQUcsTUFBTSxDQUFDO1FBQ3JCLEtBQUssQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLEVBQUUsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDO0lBQ2xELENBQUM7Q0FDRjtBQVhELGtFQVdDIn0=

package/dist/commonjs/index.d.ts

@@ -0,0 +1 @@
+import './types.js';

package/dist/commonjs/index.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+require("./types.js");
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFBQSxzQkFBb0IifQ==

package/dist/commonjs/lib/private_key.d.ts

@@ -0,0 +1 @@
+export declare const JSONP_CONFIG: unique symbol;

package/dist/commonjs/lib/private_key.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JSONP_CONFIG = void 0;
+exports.JSONP_CONFIG = Symbol('jsonp#config');
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicHJpdmF0ZV9rZXkuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL3ByaXZhdGVfa2V5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFhLFFBQUEsWUFBWSxHQUFHLE1BQU0sQ0FBQyxjQUFjLENBQUMsQ0FBQyJ9

package/dist/commonjs/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "commonjs"
+}

package/dist/commonjs/types.d.ts

@@ -0,0 +1,50 @@
+import type { MiddlewareFunc } from '@eggjs/core';
+/**
+ * jsonp options
+ * @member Config#jsonp
+ */
+export interface JSONPConfig {
+    /**
+     * jsonp callback methods key, default to `['_callback', 'callback' ]`
+     */
+    callback: string[] | string;
+    /**
+     * callback method name's max length, default to `50`
+     */
+    limit: number;
+    /**
+     * enable csrf check or not, default to `false`
+     */
+    csrf: boolean;
+    /**
+     * referrer white list, default to `undefined`
+     */
+    whiteList?: string | RegExp | (string | RegExp)[];
+}
+declare module '@eggjs/core' {
+    interface EggAppConfig {
+        jsonp: JSONPConfig;
+    }
+    interface Context {
+        /**
+         * detect if response should be jsonp
+         */
+        acceptJSONP: boolean;
+        /**
+         * JSONP wrap body function
+         * Set jsonp response wrap function, other plugin can use it.
+         * If not necessary, please don't use this method in your application code.
+         * @param {Object} body response body
+         * @private
+         */
+        createJsonpBody(body: any): void;
+    }
+    interface EggCore {
+        /**
+         * return a middleware to enable jsonp response.
+         * will do some security check inside.
+         * @public
+         */
+        jsonp(initOptions?: Partial<JSONPConfig>): MiddlewareFunc;
+    }
+}

package/dist/commonjs/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvdHlwZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiJ9

package/dist/esm/app/extend/application.d.ts

@@ -0,0 +1,10 @@
+import { EggCore, type MiddlewareFunc } from '@eggjs/core';
+import { JSONPConfig } from '../../types.js';
+export default class JSONPApplication extends EggCore {
+    /**
+     * return a middleware to enable jsonp response.
+     * will do some security check inside.
+     * @public
+     */
+    jsonp(initOptions?: Partial<JSONPConfig>): MiddlewareFunc;
+}

package/dist/esm/app/extend/application.js

@@ -0,0 +1,112 @@
+import { debuglog } from 'node:util';
+import { parse as urlParse } from 'node:url';
+import { EggCore } from '@eggjs/core';
+import { JSONP_CONFIG } from '../../lib/private_key.js';
+import { JSONPForbiddenReferrerError } from '../../error/JSONPForbiddenReferrerError.js';
+const debug = debuglog('@egg/jsonp/app/extend/application');
+export default class JSONPApplication extends EggCore {
+    /**
+     * return a middleware to enable jsonp response.
+     * will do some security check inside.
+     * @public
+     */
+    jsonp(initOptions = {}) {
+        const options = {
+            ...this.config.jsonp,
+            ...initOptions,
+        };
+        if (!Array.isArray(options.callback)) {
+            options.callback = [options.callback];
+        }
+        const csrfEnable = this.plugins.security && this.plugins.security.enable // security enable
+            && this.config.security.csrf && this.config.security.csrf.enable !== false // csrf enable
+            && options.csrf; // jsonp csrf enabled
+        const validateReferrer = options.whiteList && createValidateReferer(options.whiteList);
+        if (!csrfEnable && !validateReferrer) {
+            this.coreLogger.warn('[@eggjs/jsonp] SECURITY WARNING!! csrf check and referrer check are both closed!');
+        }
+        /**
+         * jsonp request security check, pass if
+         *
+         * 1. hit referrer white list
+         * 2. or pass csrf check
+         * 3. both check are disabled
+         *
+         * @param {Context} ctx request context
+         */
+        function securityAssert(ctx) {
+            // all disabled. don't need check
+            if (!csrfEnable && !validateReferrer)
+                return;
+            // pass referrer check
+            const referrer = ctx.get('referrer');
+            if (validateReferrer && validateReferrer(referrer))
+                return;
+            if (csrfEnable && validateCsrf(ctx))
+                return;
+            throw new JSONPForbiddenReferrerError('jsonp request security validate failed', referrer, 403);
+        }
+        return async function jsonp(ctx, next) {
+            const jsonpFunction = getJsonpFunction(ctx.query, options.callback);
+            ctx[JSONP_CONFIG] = {
+                jsonpFunction,
+                options,
+            };
+            // before handle request, must do some security checks
+            securityAssert(ctx);
+            await next();
+            // generate jsonp body
+            ctx.createJsonpBody(ctx.body);
+        };
+    }
+}
+function createValidateReferer(whiteList) {
+    if (!Array.isArray(whiteList)) {
+        whiteList = [whiteList];
+    }
+    return (referrer) => {
+        let parsed;
+        for (const rule of whiteList) {
+            if (rule instanceof RegExp) {
+                if (rule.test(referrer)) {
+                    // regexp(/^https?:\/\/github.com\//): test the referrer with rule
+                    return true;
+                }
+                continue;
+            }
+            parsed = parsed ?? urlParse(referrer);
+            const hostname = parsed.hostname || '';
+            // check if referrer's hostname match the string rule
+            if (rule[0] === '.' &&
+                (hostname.endsWith(rule) || hostname === rule.slice(1))) {
+                // string start with `.`(.github.com): referrer's hostname must ends with rule
+                return true;
+            }
+            else if (hostname === rule) {
+                // string not start with `.`(github.com): referrer's hostname must strict equal to rule
+                return true;
+            }
+        }
+        // no rule matched
+        return false;
+    };
+}
+function validateCsrf(ctx) {
+    try {
+        // TODO(fengmk2): remove this when @eggjs/security support ctx.assertCsrf type define
+        ctx.assertCsrf();
+        return true;
+    }
+    catch (err) {
+        debug('validate csrf failed: %s', err);
+        return false;
+    }
+}
+function getJsonpFunction(query, callbacks) {
+    for (const callback of callbacks) {
+        if (query[callback]) {
+            return query[callback];
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXBwbGljYXRpb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXBwL2V4dGVuZC9hcHBsaWNhdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsUUFBUSxFQUFFLE1BQU0sV0FBVyxDQUFDO0FBQ3JDLE9BQU8sRUFBRSxLQUFLLElBQUksUUFBUSxFQUEyQixNQUFNLFVBQVUsQ0FBQztBQUV0RSxPQUFPLEVBQUUsT0FBTyxFQUF1QixNQUFNLGFBQWEsQ0FBQztBQUMzRCxPQUFPLEVBQUUsWUFBWSxFQUFFLE1BQU0sMEJBQTBCLENBQUM7QUFFeEQsT0FBTyxFQUFFLDJCQUEyQixFQUFFLE1BQU0sNENBQTRDLENBQUM7QUFHekYsTUFBTSxLQUFLLEdBQUcsUUFBUSxDQUFDLG1DQUFtQyxDQUFDLENBQUM7QUFFNUQsTUFBTSxDQUFDLE9BQU8sT0FBTyxnQkFBaUIsU0FBUSxPQUFPO0lBQ25EOzs7O09BSUc7SUFDSCxLQUFLLENBQUMsY0FBb0MsRUFBRTtRQUMxQyxNQUFNLE9BQU8sR0FBRztZQUNkLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxLQUFLO1lBQ3BCLEdBQUcsV0FBVztTQUN5QixDQUFDO1FBQzFDLElBQUksQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO1lBQ3JDLE9BQU8sQ0FBQyxRQUFRLEdBQUcsQ0FBRSxPQUFPLENBQUMsUUFBUSxDQUFFLENBQUM7UUFDMUMsQ0FBQztRQUVELE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxJQUFJLElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxrQkFBa0I7ZUFDdEYsSUFBSSxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxJQUFJLElBQUksQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxNQUFNLEtBQUssS0FBSyxDQUFDLGNBQWM7ZUFDdEYsT0FBTyxDQUFDLElBQUksQ0FBQyxDQUFDLHFCQUFxQjtRQUV4QyxNQUFNLGdCQUFnQixHQUFHLE9BQU8sQ0FBQyxTQUFTLElBQUkscUJBQXFCLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBRXZGLElBQUksQ0FBQyxVQUFVLElBQUksQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO1lBQ3JDLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLGtGQUFrRixDQUFDLENBQUM7UUFDM0csQ0FBQztRQUNEOzs7Ozs7OztXQVFHO1FBQ0gsU0FBUyxjQUFjLENBQUMsR0FBaUI7WUFDdkMsaUNBQWlDO1lBQ2pDLElBQUksQ0FBQyxVQUFVLElBQUksQ0FBQyxnQkFBZ0I7Z0JBQUUsT0FBTztZQUU3QyxzQkFBc0I7WUFDdEIsTUFBTSxRQUFRLEdBQUcsR0FBRyxDQUFDLEdBQUcsQ0FBUyxVQUFVLENBQUMsQ0FBQztZQUM3QyxJQUFJLGdCQUFnQixJQUFJLGdCQUFnQixDQUFDLFFBQVEsQ0FBQztnQkFBRSxPQUFPO1lBQzNELElBQUksVUFBVSxJQUFJLFlBQVksQ0FBQyxHQUFHLENBQUM7Z0JBQUUsT0FBTztZQUU1QyxNQUFNLElBQUksMkJBQTJCLENBQ25DLHdDQUF3QyxFQUN4QyxRQUFRLEVBQ1IsR0FBRyxDQUFDLENBQUM7UUFDVCxDQUFDO1FBRUQsT0FBTyxLQUFLLFVBQVUsS0FBSyxDQUFDLEdBQWlCLEVBQUUsSUFBSTtZQUNqRCxNQUFNLGFBQWEsR0FBRyxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsS0FBSyxFQUFFLE9BQU8sQ0FBQyxRQUFRLENBQUMsQ0FBQztZQUVwRSxHQUFHLENBQUMsWUFBWSxDQUFDLEdBQUc7Z0JBQ2xCLGFBQWE7Z0JBQ2IsT0FBTzthQUNSLENBQUM7WUFFRixzREFBc0Q7WUFDdEQsY0FBYyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1lBRXBCLE1BQU0sSUFBSSxFQUFFLENBQUM7WUFFYixzQkFBc0I7WUFDdEIsR0FBRyxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDaEMsQ0FBQyxDQUFDO0lBQ0osQ0FBQztDQUNGO0FBRUQsU0FBUyxxQkFBcUIsQ0FBQyxTQUE2QztJQUMxRSxJQUFJLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDO1FBQzlCLFNBQVMsR0FBRyxDQUFFLFNBQVMsQ0FBRSxDQUFDO0lBQzVCLENBQUM7SUFFRCxPQUFPLENBQUMsUUFBZ0IsRUFBRSxFQUFFO1FBQzFCLElBQUksTUFBc0MsQ0FBQztRQUMzQyxLQUFLLE1BQU0sSUFBSSxJQUFJLFNBQVMsRUFBRSxDQUFDO1lBQzdCLElBQUksSUFBSSxZQUFZLE1BQU0sRUFBRSxDQUFDO2dCQUMzQixJQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQztvQkFDeEIsa0VBQWtFO29CQUNsRSxPQUFPLElBQUksQ0FBQztnQkFDZCxDQUFDO2dCQUNELFNBQVM7WUFDWCxDQUFDO1lBRUQsTUFBTSxHQUFHLE1BQU0sSUFBSSxRQUFRLENBQUMsUUFBUSxDQUFDLENBQUM7WUFDdEMsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLFFBQVEsSUFBSSxFQUFFLENBQUM7WUFFdkMscURBQXFEO1lBQ3JELElBQUksSUFBSSxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUc7Z0JBQ2pCLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsSUFBSSxRQUFRLEtBQUssSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUM7Z0JBQzFELDhFQUE4RTtnQkFDOUUsT0FBTyxJQUFJLENBQUM7WUFDZCxDQUFDO2lCQUFNLElBQUksUUFBUSxLQUFLLElBQUksRUFBRSxDQUFDO2dCQUM3Qix1RkFBdUY7Z0JBQ3ZGLE9BQU8sSUFBSSxDQUFDO1lBQ2QsQ0FBQztRQUNILENBQUM7UUFFRCxrQkFBa0I7UUFDbEIsT0FBTyxLQUFLLENBQUM7SUFDZixDQUFDLENBQUM7QUFDSixDQUFDO0FBRUQsU0FBUyxZQUFZLENBQUMsR0FBUTtJQUM1QixJQUFJLENBQUM7UUFDSCxxRkFBcUY7UUFDckYsR0FBRyxDQUFDLFVBQVUsRUFBRSxDQUFDO1FBQ2pCLE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7UUFDYixLQUFLLENBQUMsMEJBQTBCLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDdkMsT0FBTyxLQUFLLENBQUM7SUFDZixDQUFDO0FBQ0gsQ0FBQztBQUVELFNBQVMsZ0JBQWdCLENBQUMsS0FBcUIsRUFBRSxTQUFtQjtJQUNsRSxLQUFLLE1BQU0sUUFBUSxJQUFJLFNBQVMsRUFBRSxDQUFDO1FBQ2pDLElBQUksS0FBSyxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUM7WUFDcEIsT0FBTyxLQUFLLENBQUMsUUFBUSxDQUFXLENBQUM7UUFDbkMsQ0FBQztJQUNILENBQUM7QUFDSCxDQUFDIn0=

package/dist/esm/app/extend/context.d.ts

@@ -0,0 +1,15 @@
+import { Context } from '@eggjs/core';
+export default class JSONPContext extends Context {
+    /**
+     * detect if response should be jsonp
+     */
+    get acceptJSONP(): boolean;
+    /**
+     * JSONP wrap body function
+     * Set jsonp response wrap function, other plugin can use it.
+     * If not necessary, please don't use this method in your application code.
+     * @param {Object} body response body
+     * @private
+     */
+    createJsonpBody(body: any): void;
+}

package/dist/esm/app/extend/context.js

@@ -0,0 +1,32 @@
+import { jsonp as jsonpBody } from 'jsonp-body';
+import { Context } from '@eggjs/core';
+import { JSONP_CONFIG } from '../../lib/private_key.js';
+export default class JSONPContext extends Context {
+    /**
+     * detect if response should be jsonp
+     */
+    get acceptJSONP() {
+        const jsonpConfig = Reflect.get(this, JSONP_CONFIG);
+        return !!(jsonpConfig?.jsonpFunction);
+    }
+    /**
+     * JSONP wrap body function
+     * Set jsonp response wrap function, other plugin can use it.
+     * If not necessary, please don't use this method in your application code.
+     * @param {Object} body response body
+     * @private
+     */
+    createJsonpBody(body) {
+        const jsonpConfig = Reflect.get(this, JSONP_CONFIG);
+        if (!jsonpConfig?.jsonpFunction) {
+            this.body = body;
+            return;
+        }
+        this.set('x-content-type-options', 'nosniff');
+        this.type = 'js';
+        body = body === undefined ? null : body;
+        // protect from jsonp xss
+        this.body = jsonpBody(body, jsonpConfig.jsonpFunction, jsonpConfig.options);
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29udGV4dC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hcHAvZXh0ZW5kL2NvbnRleHQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLEtBQUssSUFBSSxTQUFTLEVBQUUsTUFBTSxZQUFZLENBQUM7QUFDaEQsT0FBTyxFQUFFLE9BQU8sRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUN0QyxPQUFPLEVBQUUsWUFBWSxFQUFFLE1BQU0sMEJBQTBCLENBQUM7QUFFeEQsTUFBTSxDQUFDLE9BQU8sT0FBTyxZQUFhLFNBQVEsT0FBTztJQUMvQzs7T0FFRztJQUNILElBQUksV0FBVztRQUNiLE1BQU0sV0FBVyxHQUFHLE9BQU8sQ0FBQyxHQUFHLENBQUMsSUFBSSxFQUFFLFlBQVksQ0FBUSxDQUFDO1FBQzNELE9BQU8sQ0FBQyxDQUFDLENBQUMsV0FBVyxFQUFFLGFBQWEsQ0FBQyxDQUFDO0lBQ3hDLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSCxlQUFlLENBQUMsSUFBUztRQUN2QixNQUFNLFdBQVcsR0FBRyxPQUFPLENBQUMsR0FBRyxDQUFDLElBQUksRUFBRSxZQUFZLENBQVEsQ0FBQztRQUMzRCxJQUFJLENBQUMsV0FBVyxFQUFFLGFBQWEsRUFBRSxDQUFDO1lBQ2hDLElBQUksQ0FBQyxJQUFJLEdBQUcsSUFBSSxDQUFDO1lBQ2pCLE9BQU87UUFDVCxDQUFDO1FBRUQsSUFBSSxDQUFDLEdBQUcsQ0FBQyx3QkFBd0IsRUFBRSxTQUFTLENBQUMsQ0FBQztRQUM5QyxJQUFJLENBQUMsSUFBSSxHQUFHLElBQUksQ0FBQztRQUNqQixJQUFJLEdBQUcsSUFBSSxLQUFLLFNBQVMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUM7UUFDeEMseUJBQXlCO1FBQ3pCLElBQUksQ0FBQyxJQUFJLEdBQUcsU0FBUyxDQUFDLElBQUksRUFBRSxXQUFXLENBQUMsYUFBYSxFQUFFLFdBQVcsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUM5RSxDQUFDO0NBQ0YifQ==

package/dist/esm/config/config.default.d.ts

@@ -0,0 +1,5 @@
+import type { JSONPConfig } from '../types.js';
+declare const _default: {
+    jsonp: JSONPConfig;
+};
+export default _default;

package/dist/esm/config/config.default.js

@@ -0,0 +1,9 @@
+export default {
+    jsonp: {
+        limit: 50,
+        callback: ['_callback', 'callback'],
+        csrf: false,
+        whiteList: undefined,
+    },
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmRlZmF1bHQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY29uZmlnL2NvbmZpZy5kZWZhdWx0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUVBLGVBQWU7SUFDYixLQUFLLEVBQUU7UUFDTCxLQUFLLEVBQUUsRUFBRTtRQUNULFFBQVEsRUFBRSxDQUFFLFdBQVcsRUFBRSxVQUFVLENBQUU7UUFDckMsSUFBSSxFQUFFLEtBQUs7UUFDWCxTQUFTLEVBQUUsU0FBUztLQUNOO0NBQ2pCLENBQUMifQ==

package/dist/esm/error/JSONPForbiddenReferrerError.d.ts

@@ -0,0 +1,5 @@
+export declare class JSONPForbiddenReferrerError extends Error {
+    referrer: string;
+    status: number;
+    constructor(message: string, referrer: string, status: number);
+}

package/dist/esm/error/JSONPForbiddenReferrerError.js

@@ -0,0 +1,12 @@
+export class JSONPForbiddenReferrerError extends Error {
+    referrer;
+    status;
+    constructor(message, referrer, status) {
+        super(message);
+        this.name = this.constructor.name;
+        this.referrer = referrer;
+        this.status = status;
+        Error.captureStackTrace(this, this.constructor);
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiSlNPTlBGb3JiaWRkZW5SZWZlcnJlckVycm9yLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2Vycm9yL0pTT05QRm9yYmlkZGVuUmVmZXJyZXJFcnJvci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLE9BQU8sMkJBQTRCLFNBQVEsS0FBSztJQUNwRCxRQUFRLENBQVM7SUFDakIsTUFBTSxDQUFTO0lBRWYsWUFBWSxPQUFlLEVBQUUsUUFBZ0IsRUFBRSxNQUFjO1FBQzNELEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUNmLElBQUksQ0FBQyxJQUFJLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUM7UUFDbEMsSUFBSSxDQUFDLFFBQVEsR0FBRyxRQUFRLENBQUM7UUFDekIsSUFBSSxDQUFDLE1BQU0sR0FBRyxNQUFNLENBQUM7UUFDckIsS0FBSyxDQUFDLGlCQUFpQixDQUFDLElBQUksRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDLENBQUM7SUFDbEQsQ0FBQztDQUNGIn0=

package/dist/esm/index.d.ts

@@ -0,0 +1 @@
+import './types.js';

package/dist/esm/index.js

@@ -0,0 +1,2 @@
+import './types.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxZQUFZLENBQUMifQ==

package/dist/esm/lib/private_key.d.ts

@@ -0,0 +1 @@
+export declare const JSONP_CONFIG: unique symbol;

package/dist/esm/lib/private_key.js

@@ -0,0 +1,2 @@
+export const JSONP_CONFIG = Symbol('jsonp#config');
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicHJpdmF0ZV9rZXkuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL3ByaXZhdGVfa2V5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE1BQU0sQ0FBQyxNQUFNLFlBQVksR0FBRyxNQUFNLENBQUMsY0FBYyxDQUFDLENBQUMifQ==

package/dist/esm/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

package/dist/esm/types.d.ts

@@ -0,0 +1,50 @@
+import type { MiddlewareFunc } from '@eggjs/core';
+/**
+ * jsonp options
+ * @member Config#jsonp
+ */
+export interface JSONPConfig {
+    /**
+     * jsonp callback methods key, default to `['_callback', 'callback' ]`
+     */
+    callback: string[] | string;
+    /**
+     * callback method name's max length, default to `50`
+     */
+    limit: number;
+    /**
+     * enable csrf check or not, default to `false`
+     */
+    csrf: boolean;
+    /**
+     * referrer white list, default to `undefined`
+     */
+    whiteList?: string | RegExp | (string | RegExp)[];
+}
+declare module '@eggjs/core' {
+    interface EggAppConfig {
+        jsonp: JSONPConfig;
+    }
+    interface Context {
+        /**
+         * detect if response should be jsonp
+         */
+        acceptJSONP: boolean;
+        /**
+         * JSONP wrap body function
+         * Set jsonp response wrap function, other plugin can use it.
+         * If not necessary, please don't use this method in your application code.
+         * @param {Object} body response body
+         * @private
+         */
+        createJsonpBody(body: any): void;
+    }
+    interface EggCore {
+        /**
+         * return a middleware to enable jsonp response.
+         * will do some security check inside.
+         * @public
+         */
+        jsonp(initOptions?: Partial<JSONPConfig>): MiddlewareFunc;
+    }
+}

package/dist/esm/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvdHlwZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiJ9

package/dist/package.json

@@ -0,0 +1,4 @@
+{
+  "name": "@eggjs/jsonp",
+  "version": "3.0.0"
+}

package/package.json

@@ -0,0 +1,94 @@
+{
+  "name": "@eggjs/jsonp",
+  "version": "3.0.0",
+  "publishConfig": {
+    "access": "public"
+  },
+  "description": "jsonp support for egg",
+  "eggPlugin": {
+    "name": "jsonp",
+    "optionalDependencies": [
+      "security"
+    ],
+    "exports": {
+      "import": "./dist/esm",
+      "require": "./dist/commonjs",
+      "typescript": "./src"
+    }
+  },
+  "keywords": [
+    "egg",
+    "egg-plugin",
+    "jsonp",
+    "security"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/eggjs/jsonp.git"
+  },
+  "bugs": {
+    "url": "https://github.com/eggjs/egg/issues"
+  },
+  "homepage": "https://github.com/eggjs/jsonp#readme",
+  "author": "dead-horse",
+  "license": "MIT",
+  "engines": {
+    "node": ">= 18.19.0"
+  },
+  "dependencies": {
+    "@eggjs/core": "^6.2.13",
+    "jsonp-body": "^2.0.0"
+  },
+  "devDependencies": {
+    "@arethetypeswrong/cli": "^0.17.1",
+    "@eggjs/bin": "7",
+    "@eggjs/mock": "6",
+    "@eggjs/tsconfig": "1",
+    "@types/mocha": "10",
+    "@types/node": "22",
+    "egg": "4",
+    "eslint": "8",
+    "eslint-config-egg": "14",
+    "rimraf": "6",
+    "tshy": "3",
+    "tshy-after": "1",
+    "typescript": "5"
+  },
+  "scripts": {
+    "lint": "eslint --cache src test --ext .ts",
+    "pretest": "npm run clean && npm run lint -- --fix",
+    "test": "egg-bin test",
+    "preci": "npm run clean &&  npm run lint",
+    "ci": "egg-bin cov",
+    "postci": "npm run prepublishOnly && npm run clean",
+    "clean": "rimraf dist",
+    "prepublishOnly": "tshy && tshy-after && attw --pack"
+  },
+  "type": "module",
+  "tshy": {
+    "exports": {
+      ".": "./src/index.ts",
+      "./package.json": "./package.json"
+    }
+  },
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/esm/index.d.ts",
+        "default": "./dist/esm/index.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/index.d.ts",
+        "default": "./dist/commonjs/index.js"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "dist",
+    "src"
+  ],
+  "types": "./dist/commonjs/index.d.ts",
+  "main": "./dist/commonjs/index.js",
+  "module": "./dist/esm/index.js"
+}

package/src/app/extend/application.ts

@@ -0,0 +1,131 @@
+import { debuglog } from 'node:util';
+import { parse as urlParse, type UrlWithStringQuery } from 'node:url';
+import type { ParsedUrlQuery } from 'node:querystring';
+import { EggCore, type MiddlewareFunc } from '@eggjs/core';
+import { JSONP_CONFIG } from '../../lib/private_key.js';
+import { JSONPConfig } from '../../types.js';
+import { JSONPForbiddenReferrerError } from '../../error/JSONPForbiddenReferrerError.js';
+import JSONPContext from './context.js';
+
+const debug = debuglog('@egg/jsonp/app/extend/application');
+
+export default class JSONPApplication extends EggCore {
+  /**
+   * return a middleware to enable jsonp response.
+   * will do some security check inside.
+   * @public
+   */
+  jsonp(initOptions: Partial<JSONPConfig> = {}): MiddlewareFunc {
+    const options = {
+      ...this.config.jsonp,
+      ...initOptions,
+    } as JSONPConfig & { callback: string[] };
+    if (!Array.isArray(options.callback)) {
+      options.callback = [ options.callback ];
+    }
+
+    const csrfEnable = this.plugins.security && this.plugins.security.enable // security enable
+      && this.config.security.csrf && this.config.security.csrf.enable !== false // csrf enable
+      && options.csrf; // jsonp csrf enabled
+
+    const validateReferrer = options.whiteList && createValidateReferer(options.whiteList);
+
+    if (!csrfEnable && !validateReferrer) {
+      this.coreLogger.warn('[@eggjs/jsonp] SECURITY WARNING!! csrf check and referrer check are both closed!');
+    }
+    /**
+     * jsonp request security check, pass if
+     *
+     * 1. hit referrer white list
+     * 2. or pass csrf check
+     * 3. both check are disabled
+     *
+     * @param {Context} ctx request context
+     */
+    function securityAssert(ctx: JSONPContext) {
+      // all disabled. don't need check
+      if (!csrfEnable && !validateReferrer) return;
+
+      // pass referrer check
+      const referrer = ctx.get<string>('referrer');
+      if (validateReferrer && validateReferrer(referrer)) return;
+      if (csrfEnable && validateCsrf(ctx)) return;
+
+      throw new JSONPForbiddenReferrerError(
+        'jsonp request security validate failed',
+        referrer,
+        403);
+    }
+
+    return async function jsonp(ctx: JSONPContext, next) {
+      const jsonpFunction = getJsonpFunction(ctx.query, options.callback);
+
+      ctx[JSONP_CONFIG] = {
+        jsonpFunction,
+        options,
+      };
+
+      // before handle request, must do some security checks
+      securityAssert(ctx);
+
+      await next();
+
+      // generate jsonp body
+      ctx.createJsonpBody(ctx.body);
+    };
+  }
+}
+
+function createValidateReferer(whiteList: Required<JSONPConfig>['whiteList']) {
+  if (!Array.isArray(whiteList)) {
+    whiteList = [ whiteList ];
+  }
+
+  return (referrer: string) => {
+    let parsed: UrlWithStringQuery | undefined;
+    for (const rule of whiteList) {
+      if (rule instanceof RegExp) {
+        if (rule.test(referrer)) {
+          // regexp(/^https?:\/\/github.com\//): test the referrer with rule
+          return true;
+        }
+        continue;
+      }
+
+      parsed = parsed ?? urlParse(referrer);
+      const hostname = parsed.hostname || '';
+
+      // check if referrer's hostname match the string rule
+      if (rule[0] === '.' &&
+        (hostname.endsWith(rule) || hostname === rule.slice(1))) {
+        // string start with `.`(.github.com): referrer's hostname must ends with rule
+        return true;
+      } else if (hostname === rule) {
+        // string not start with `.`(github.com): referrer's hostname must strict equal to rule
+        return true;
+      }
+    }
+
+    // no rule matched
+    return false;
+  };
+}
+
+function validateCsrf(ctx: any) {
+  try {
+    // TODO(fengmk2): remove this when @eggjs/security support ctx.assertCsrf type define
+    ctx.assertCsrf();
+    return true;
+  } catch (err) {
+    debug('validate csrf failed: %s', err);
+    return false;
+  }
+}
+
+function getJsonpFunction(query: ParsedUrlQuery, callbacks: string[]) {
+  for (const callback of callbacks) {
+    if (query[callback]) {
+      return query[callback] as string;
+    }
+  }
+}

package/src/app/extend/context.ts

@@ -0,0 +1,34 @@
+import { jsonp as jsonpBody } from 'jsonp-body';
+import { Context } from '@eggjs/core';
+import { JSONP_CONFIG } from '../../lib/private_key.js';
+
+export default class JSONPContext extends Context {
+  /**
+   * detect if response should be jsonp
+   */
+  get acceptJSONP() {
+    const jsonpConfig = Reflect.get(this, JSONP_CONFIG) as any;
+    return !!(jsonpConfig?.jsonpFunction);
+  }
+
+  /**
+   * JSONP wrap body function
+   * Set jsonp response wrap function, other plugin can use it.
+   * If not necessary, please don't use this method in your application code.
+   * @param {Object} body response body
+   * @private
+   */
+  createJsonpBody(body: any) {
+    const jsonpConfig = Reflect.get(this, JSONP_CONFIG) as any;
+    if (!jsonpConfig?.jsonpFunction) {
+      this.body = body;
+      return;
+    }
+
+    this.set('x-content-type-options', 'nosniff');
+    this.type = 'js';
+    body = body === undefined ? null : body;
+    // protect from jsonp xss
+    this.body = jsonpBody(body, jsonpConfig.jsonpFunction, jsonpConfig.options);
+  }
+}

package/src/config/config.default.ts

@@ -0,0 +1,10 @@
+import type { JSONPConfig } from '../types.js';
+
+export default {
+  jsonp: {
+    limit: 50,
+    callback: [ '_callback', 'callback' ],
+    csrf: false,
+    whiteList: undefined,
+  } as JSONPConfig,
+};

package/src/error/JSONPForbiddenReferrerError.ts

@@ -0,0 +1,12 @@
+export class JSONPForbiddenReferrerError extends Error {
+  referrer: string;
+  status: number;
+
+  constructor(message: string, referrer: string, status: number) {
+    super(message);
+    this.name = this.constructor.name;
+    this.referrer = referrer;
+    this.status = status;
+    Error.captureStackTrace(this, this.constructor);
+  }
+}

package/src/index.ts

@@ -0,0 +1 @@
+import './types.js';

package/src/lib/private_key.ts

@@ -0,0 +1 @@
+export const JSONP_CONFIG = Symbol('jsonp#config');

package/src/types.ts

@@ -0,0 +1,55 @@
+import type { MiddlewareFunc } from '@eggjs/core';
+
+/**
+ * jsonp options
+ * @member Config#jsonp
+ */
+export interface JSONPConfig {
+  /**
+   * jsonp callback methods key, default to `['_callback', 'callback' ]`
+   */
+  callback: string[] | string;
+  /**
+   * callback method name's max length, default to `50`
+   */
+  limit: number;
+  /**
+   * enable csrf check or not, default to `false`
+   */
+  csrf: boolean;
+  /**
+   * referrer white list, default to `undefined`
+   */
+  whiteList?: string | RegExp | (string | RegExp)[];
+}
+
+declare module '@eggjs/core' {
+  // add EggAppConfig overrides types
+  interface EggAppConfig {
+    jsonp: JSONPConfig;
+  }
+
+  interface Context {
+    /**
+     * detect if response should be jsonp
+     */
+    acceptJSONP: boolean;
+    /**
+     * JSONP wrap body function
+     * Set jsonp response wrap function, other plugin can use it.
+     * If not necessary, please don't use this method in your application code.
+     * @param {Object} body response body
+     * @private
+     */
+    createJsonpBody(body: any): void;
+  }
+
+  interface EggCore {
+    /**
+     * return a middleware to enable jsonp response.
+     * will do some security check inside.
+     * @public
+     */
+    jsonp(initOptions?: Partial<JSONPConfig>): MiddlewareFunc;
+  }
+}

package/src/typings/index.d.ts

@@ -0,0 +1,4 @@
+// make sure to import egg typings and let typescript know about it
+// @see https://github.com/whxaxes/blog/issues/11
+// and https://www.typescriptlang.org/docs/handbook/declaration-merging.html
+import 'egg';