@eggjs/security 4.0.0 → 5.0.0-beta.15

package/dist/esm/lib/helper/sjs.js

@@ -1,49 +0,0 @@
-/**
- * Escape JavaScript to \xHH format
- */
-// escape \x00-\x7f
-// except 0-9,A-Z,a-z(\x2f-\x3a \x40-\x5b \x60-\x7b)
-// eslint-disable-next-line
-const MATCH_VULNERABLE_REGEXP = /[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/;
-// eslint-enable-next-line
-const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split(''));
-const map = {
-    '\t': '\\t',
-    '\n': '\\n',
-    '\r': '\\r',
-};
-export default function escapeJavaScript(text) {
-    const str = '' + text;
-    const match = MATCH_VULNERABLE_REGEXP.exec(str);
-    if (!match) {
-        return str;
-    }
-    let res = '';
-    let index = 0;
-    let lastIndex = 0;
-    let ascii;
-    for (index = match.index; index < str.length; index++) {
-        ascii = str[index];
-        if (BASIC_ALPHABETS.has(ascii)) {
-            continue;
-        }
-        else {
-            if (map[ascii] === undefined) {
-                const code = ascii.charCodeAt(0);
-                if (code > 127) {
-                    continue;
-                }
-                else {
-                    map[ascii] = '\\x' + code.toString(16);
-                }
-            }
-        }
-        if (lastIndex !== index) {
-            res += str.substring(lastIndex, index);
-        }
-        lastIndex = index + 1;
-        res += map[ascii];
-    }
-    return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2pzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvc2pzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBRUgsbUJBQW1CO0FBQ25CLG9EQUFvRDtBQUVwRCwyQkFBMkI7QUFDM0IsTUFBTSx1QkFBdUIsR0FBRyx3Q0FBd0MsQ0FBQztBQUN6RSwwQkFBMEI7QUFFMUIsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQUMsZ0VBQWdFLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFFNUcsTUFBTSxHQUFHLEdBQTJCO0lBQ2xDLElBQUksRUFBRSxLQUFLO0lBQ1gsSUFBSSxFQUFFLEtBQUs7SUFDWCxJQUFJLEVBQUUsS0FBSztDQUNaLENBQUM7QUFFRixNQUFNLENBQUMsT0FBTyxVQUFVLGdCQUFnQixDQUFDLElBQVk7SUFDbkQsTUFBTSxHQUFHLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztJQUN0QixNQUFNLEtBQUssR0FBRyx1QkFBdUIsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7SUFFaEQsSUFBSSxDQUFDLEtBQUssRUFBRSxDQUFDO1FBQ1gsT0FBTyxHQUFHLENBQUM7SUFDYixDQUFDO0lBRUQsSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2IsSUFBSSxLQUFLLEdBQUcsQ0FBQyxDQUFDO0lBQ2QsSUFBSSxTQUFTLEdBQUcsQ0FBQyxDQUFDO0lBQ2xCLElBQUksS0FBSyxDQUFDO0lBRVYsS0FBSyxLQUFLLEdBQUcsS0FBSyxDQUFDLEtBQUssRUFBRSxLQUFLLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ3RELEtBQUssR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDbkIsSUFBSSxlQUFlLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDL0IsU0FBUztRQUNYLENBQUM7YUFBTSxDQUFDO1lBQ04sSUFBSSxHQUFHLENBQUMsS0FBSyxDQUFDLEtBQUssU0FBUyxFQUFFLENBQUM7Z0JBQzdCLE1BQU0sSUFBSSxHQUFHLEtBQUssQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQ2pDLElBQUksSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO29CQUNmLFNBQVM7Z0JBQ1gsQ0FBQztxQkFBTSxDQUFDO29CQUNOLEdBQUcsQ0FBQyxLQUFLLENBQUMsR0FBRyxLQUFLLEdBQUcsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUMsQ0FBQztnQkFDekMsQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO1FBRUQsSUFBSSxTQUFTLEtBQUssS0FBSyxFQUFFLENBQUM7WUFDeEIsR0FBRyxJQUFJLEdBQUcsQ0FBQyxTQUFTLENBQUMsU0FBUyxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ3pDLENBQUM7UUFFRCxTQUFTLEdBQUcsS0FBSyxHQUFHLENBQUMsQ0FBQztRQUN0QixHQUFHLElBQUksR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQ3BCLENBQUM7SUFFRCxPQUFPLFNBQVMsS0FBSyxLQUFLLENBQUMsQ0FBQyxDQUFDLEdBQUcsR0FBRyxHQUFHLENBQUMsU0FBUyxDQUFDLFNBQVMsRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDO0FBQzNFLENBQUMifQ==

package/dist/esm/lib/helper/sjson.d.ts

@@ -1 +0,0 @@
-export default function jsonEscape(obj: any): string;

package/dist/esm/lib/helper/sjson.js

@@ -1,39 +0,0 @@
-import sjs from './sjs.js';
-/**
- * escape json
- * for output json in script
- */
-function sanitizeKey(obj) {
-    if (typeof obj !== 'object')
-        return obj;
-    if (Array.isArray(obj))
-        return obj;
-    if (obj === null)
-        return null;
-    if (typeof obj === 'boolean')
-        return obj;
-    if (typeof obj === 'number')
-        return obj;
-    if (Buffer.isBuffer(obj))
-        return obj.toString();
-    for (const k in obj) {
-        const escapedK = sjs(k);
-        if (escapedK !== k) {
-            obj[escapedK] = sanitizeKey(obj[k]);
-            obj[k] = undefined;
-        }
-        else {
-            obj[k] = sanitizeKey(obj[k]);
-        }
-    }
-    return obj;
-}
-export default function jsonEscape(obj) {
-    return JSON.stringify(sanitizeKey(obj), (_k, v) => {
-        if (typeof v === 'string') {
-            return sjs(v);
-        }
-        return v;
-    });
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2pzb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zanNvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEdBQUcsTUFBTSxVQUFVLENBQUM7QUFFM0I7OztHQUdHO0FBRUgsU0FBUyxXQUFXLENBQUMsR0FBUTtJQUMzQixJQUFJLE9BQU8sR0FBRyxLQUFLLFFBQVE7UUFBRSxPQUFPLEdBQUcsQ0FBQztJQUN4QyxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDO1FBQUUsT0FBTyxHQUFHLENBQUM7SUFDbkMsSUFBSSxHQUFHLEtBQUssSUFBSTtRQUFFLE9BQU8sSUFBSSxDQUFDO0lBQzlCLElBQUksT0FBTyxHQUFHLEtBQUssU0FBUztRQUFFLE9BQU8sR0FBRyxDQUFDO0lBQ3pDLElBQUksT0FBTyxHQUFHLEtBQUssUUFBUTtRQUFFLE9BQU8sR0FBRyxDQUFDO0lBQ3hDLElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUM7UUFBRSxPQUFPLEdBQUcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztJQUVoRCxLQUFLLE1BQU0sQ0FBQyxJQUFJLEdBQUcsRUFBRSxDQUFDO1FBQ3BCLE1BQU0sUUFBUSxHQUFHLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUN4QixJQUFJLFFBQVEsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNuQixHQUFHLENBQUMsUUFBUSxDQUFDLEdBQUcsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3BDLEdBQUcsQ0FBQyxDQUFDLENBQUMsR0FBRyxTQUFTLENBQUM7UUFDckIsQ0FBQzthQUFNLENBQUM7WUFDTixHQUFHLENBQUMsQ0FBQyxDQUFDLEdBQUcsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQy9CLENBQUM7SUFDSCxDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDO0FBRUQsTUFBTSxDQUFDLE9BQU8sVUFBVSxVQUFVLENBQUMsR0FBUTtJQUN6QyxPQUFPLElBQUksQ0FBQyxTQUFTLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxFQUFFO1FBQ2hELElBQUksT0FBTyxDQUFDLEtBQUssUUFBUSxFQUFFLENBQUM7WUFDMUIsT0FBTyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDaEIsQ0FBQztRQUNELE9BQU8sQ0FBQyxDQUFDO0lBQ1gsQ0FBQyxDQUFDLENBQUM7QUFDTCxDQUFDIn0=

package/dist/esm/lib/helper/spath.d.ts

@@ -1,5 +0,0 @@
-/**
- * File Inclusion
- */
-import type { BaseContextClass } from '@eggjs/core';
-export default function pathFilter(this: BaseContextClass, path: string): string | null;

package/dist/esm/lib/helper/spath.js

@@ -1,25 +0,0 @@
-/**
- * File Inclusion
- */
-export default function pathFilter(path) {
-    if (typeof path !== 'string')
-        return path;
-    const pathSource = path;
-    while (path.indexOf('%') !== -1) {
-        try {
-            path = decodeURIComponent(path);
-        }
-        catch (e) {
-            if (process.env.NODE_ENV !== 'production') {
-                // Not a PROD env, logging with a warning.
-                this.ctx.coreLogger.warn('[@eggjs/security/lib/helper/spath] : decode file path %j failed.', path);
-            }
-            break;
-        }
-    }
-    if (path.indexOf('..') !== -1 || path[0] === '/') {
-        return null;
-    }
-    return pathSource;
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3BhdGguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zcGF0aC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7R0FFRztBQUlILE1BQU0sQ0FBQyxPQUFPLFVBQVUsVUFBVSxDQUF5QixJQUFZO0lBQ3JFLElBQUksT0FBTyxJQUFJLEtBQUssUUFBUTtRQUFFLE9BQU8sSUFBSSxDQUFDO0lBRTFDLE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQztJQUV4QixPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUNoQyxJQUFJLENBQUM7WUFDSCxJQUFJLEdBQUcsa0JBQWtCLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDbEMsQ0FBQztRQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDWCxJQUFJLE9BQU8sQ0FBQyxHQUFHLENBQUMsUUFBUSxLQUFLLFlBQVksRUFBRSxDQUFDO2dCQUMxQywwQ0FBMEM7Z0JBQzFDLElBQUksQ0FBQyxHQUFHLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxrRUFBa0UsRUFBRSxJQUFJLENBQUMsQ0FBQztZQUNyRyxDQUFDO1lBQ0QsTUFBTTtRQUNSLENBQUM7SUFDSCxDQUFDO0lBQ0QsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQyxJQUFJLElBQUksQ0FBQyxDQUFDLENBQUMsS0FBSyxHQUFHLEVBQUUsQ0FBQztRQUNqRCxPQUFPLElBQUksQ0FBQztJQUNkLENBQUM7SUFDRCxPQUFPLFVBQVUsQ0FBQztBQUNwQixDQUFDIn0=

package/dist/esm/lib/helper/surl.d.ts

@@ -1,2 +0,0 @@
-import type { BaseContextClass } from '@eggjs/core';
-export default function surl(this: BaseContextClass, val: string): string;

package/dist/esm/lib/helper/surl.js

@@ -1,30 +0,0 @@
-const escapeMap = {
-    '"': '"',
-    '<': '&lt;',
-    '>': '&gt;',
-    '\'': '&#x27;',
-};
-export default function surl(val) {
-    // Just get the converted the protocolWhiteList in `Set` mode,
-    // Avoid conversions in `foreach`
-    const protocolWhiteListSet = this.app.config.security.__protocolWhiteListSet;
-    if (typeof val !== 'string') {
-        return val;
-    }
-    // only test on absolute path
-    if (val[0] !== '/') {
-        const arr = val.split('://', 2);
-        const protocol = arr.length > 1 ? arr[0].toLowerCase() : '';
-        if (protocol === '' || !protocolWhiteListSet.has(protocol)) {
-            if (this.app.config.env === 'local') {
-                this.ctx.coreLogger.warn('[@eggjs/security/surl] url: %j, protocol: %j, ' +
-                    'protocol is empty or not in white list, convert to empty string', val, protocol);
-            }
-            return '';
-        }
-    }
-    return val.replace(/["'<>]/g, ch => {
-        return escapeMap[ch];
-    });
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3VybC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvaGVscGVyL3N1cmwudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBRUEsTUFBTSxTQUFTLEdBQTJCO0lBQ3hDLEdBQUcsRUFBRSxRQUFRO0lBQ2IsR0FBRyxFQUFFLE1BQU07SUFDWCxHQUFHLEVBQUUsTUFBTTtJQUNYLElBQUksRUFBRSxRQUFRO0NBQ2YsQ0FBQztBQUVGLE1BQU0sQ0FBQyxPQUFPLFVBQVUsSUFBSSxDQUF5QixHQUFXO0lBQzlELDhEQUE4RDtJQUM5RCxpQ0FBaUM7SUFDakMsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsc0JBQXVCLENBQUM7SUFFOUUsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUM1QixPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUM7SUFFRCw2QkFBNkI7SUFDN0IsSUFBSSxHQUFHLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxFQUFFLENBQUM7UUFDbkIsTUFBTSxHQUFHLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxLQUFLLEVBQUUsQ0FBQyxDQUFDLENBQUM7UUFDaEMsTUFBTSxRQUFRLEdBQUcsR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQzVELElBQUksUUFBUSxLQUFLLEVBQUUsSUFBSSxDQUFDLG9CQUFvQixDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO1lBQzNELElBQUksSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsR0FBRyxLQUFLLE9BQU8sRUFBRSxDQUFDO2dCQUNwQyxJQUFJLENBQUMsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsZ0RBQWdEO29CQUN2RSxpRUFBaUUsRUFBRSxHQUFHLEVBQUUsUUFBUSxDQUFDLENBQUM7WUFDdEYsQ0FBQztZQUNELE9BQU8sRUFBRSxDQUFDO1FBQ1osQ0FBQztJQUNILENBQUM7SUFFRCxPQUFPLEdBQUcsQ0FBQyxPQUFPLENBQUMsU0FBUyxFQUFFLEVBQUUsQ0FBQyxFQUFFO1FBQ2pDLE9BQU8sU0FBUyxDQUFDLEVBQUUsQ0FBQyxDQUFDO0lBQ3ZCLENBQUMsQ0FBQyxDQUFDO0FBQ0wsQ0FBQyJ9

package/dist/esm/lib/middlewares/csp.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["csp"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/esm/lib/middlewares/csp.js

@@ -1,63 +0,0 @@
-import extend from 'extend';
-import { checkIfIgnore } from '../utils.js';
-const HEADER = [
-    'x-content-security-policy',
-    'content-security-policy',
-];
-const REPORT_ONLY_HEADER = [
-    'x-content-security-policy-report-only',
-    'content-security-policy-report-only',
-];
-// Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
-const MSIE_REGEXP = / MSIE /i;
-export default (options) => {
-    return async function csp(ctx, next) {
-        await next();
-        const opts = {
-            ...options,
-            ...ctx.securityOptions.csp,
-        };
-        if (checkIfIgnore(opts, ctx))
-            return;
-        let finalHeader;
-        const matchedOption = extend(true, {}, opts.policy);
-        const bufArray = [];
-        const headers = opts.reportOnly ? REPORT_ONLY_HEADER : HEADER;
-        if (opts.supportIE && MSIE_REGEXP.test(ctx.get('user-agent'))) {
-            finalHeader = headers[0];
-        }
-        else {
-            finalHeader = headers[1];
-        }
-        for (const key in matchedOption) {
-            const value = matchedOption[key];
-            // Other arrays are splitted into strings EXCEPT `sandbox`
-            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
-            if (key === 'sandbox' && value === true) {
-                bufArray.push(key);
-            }
-            else {
-                let values = (Array.isArray(value) ? value : [value]);
-                if (key === 'script-src') {
-                    const hasNonce = values.some(function (val) {
-                        return val.indexOf('nonce-') !== -1;
-                    });
-                    if (!hasNonce) {
-                        values.push('\'nonce-' + ctx.nonce + '\'');
-                    }
-                }
-                values = values.map(function (d) {
-                    if (d.startsWith('.')) {
-                        d = '*' + d;
-                    }
-                    return d;
-                });
-                bufArray.push(key + ' ' + values.join(' '));
-            }
-        }
-        const headerString = bufArray.join(';');
-        ctx.set(finalHeader, headerString);
-        ctx.set('x-csp-nonce', ctx.nonce);
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3NwLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy9jc3AudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxNQUFNLE1BQU0sUUFBUSxDQUFDO0FBRTVCLE9BQU8sRUFBRSxhQUFhLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFHNUMsTUFBTSxNQUFNLEdBQUc7SUFDYiwyQkFBMkI7SUFDM0IseUJBQXlCO0NBQzFCLENBQUM7QUFDRixNQUFNLGtCQUFrQixHQUFHO0lBQ3pCLHVDQUF1QztJQUN2QyxxQ0FBcUM7Q0FDdEMsQ0FBQztBQUVGLHFEQUFxRDtBQUNyRCxNQUFNLFdBQVcsR0FBRyxTQUFTLENBQUM7QUFFOUIsZUFBZSxDQUFDLE9BQThCLEVBQUUsRUFBRTtJQUNoRCxPQUFPLEtBQUssVUFBVSxHQUFHLENBQUMsR0FBWSxFQUFFLElBQVU7UUFDaEQsTUFBTSxJQUFJLEVBQUUsQ0FBQztRQUViLE1BQU0sSUFBSSxHQUFHO1lBQ1gsR0FBRyxPQUFPO1lBQ1YsR0FBRyxHQUFHLENBQUMsZUFBZSxDQUFDLEdBQUc7U0FDM0IsQ0FBQztRQUNGLElBQUksYUFBYSxDQUFDLElBQUksRUFBRSxHQUFHLENBQUM7WUFBRSxPQUFPO1FBRXJDLElBQUksV0FBVyxDQUFDO1FBQ2hCLE1BQU0sYUFBYSxHQUFHLE1BQU0sQ0FBQyxJQUFJLEVBQUUsRUFBRSxFQUFFLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNwRCxNQUFNLFFBQVEsR0FBRyxFQUFFLENBQUM7UUFFcEIsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsa0JBQWtCLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQztRQUM5RCxJQUFJLElBQUksQ0FBQyxTQUFTLElBQUksV0FBVyxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDLFlBQVksQ0FBQyxDQUFDLEVBQUUsQ0FBQztZQUM5RCxXQUFXLEdBQUcsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzNCLENBQUM7YUFBTSxDQUFDO1lBQ04sV0FBVyxHQUFHLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUMzQixDQUFDO1FBRUQsS0FBSyxNQUFNLEdBQUcsSUFBSSxhQUFhLEVBQUUsQ0FBQztZQUNoQyxNQUFNLEtBQUssR0FBRyxhQUFhLENBQUMsR0FBRyxDQUFDLENBQUM7WUFDakMsMERBQTBEO1lBQzFELDRGQUE0RjtZQUM1RixJQUFJLEdBQUcsS0FBSyxTQUFTLElBQUksS0FBSyxLQUFLLElBQUksRUFBRSxDQUFDO2dCQUN4QyxRQUFRLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDO1lBQ3JCLENBQUM7aUJBQU0sQ0FBQztnQkFDTixJQUFJLE1BQU0sR0FBRyxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBRSxLQUFLLENBQUUsQ0FBYSxDQUFDO2dCQUNwRSxJQUFJLEdBQUcsS0FBSyxZQUFZLEVBQUUsQ0FBQztvQkFDekIsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxVQUFTLEdBQUc7d0JBQ3ZDLE9BQU8sR0FBRyxDQUFDLE9BQU8sQ0FBQyxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQztvQkFDdEMsQ0FBQyxDQUFDLENBQUM7b0JBRUgsSUFBSSxDQUFDLFFBQVEsRUFBRSxDQUFDO3dCQUNkLE1BQU0sQ0FBQyxJQUFJLENBQUMsVUFBVSxHQUFHLEdBQUcsQ0FBQyxLQUFLLEdBQUcsSUFBSSxDQUFDLENBQUM7b0JBQzdDLENBQUM7Z0JBQ0gsQ0FBQztnQkFFRCxNQUFNLEdBQUcsTUFBTSxDQUFDLEdBQUcsQ0FBQyxVQUFTLENBQUM7b0JBQzVCLElBQUksQ0FBQyxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO3dCQUN0QixDQUFDLEdBQUcsR0FBRyxHQUFHLENBQUMsQ0FBQztvQkFDZCxDQUFDO29CQUNELE9BQU8sQ0FBQyxDQUFDO2dCQUNYLENBQUMsQ0FBQyxDQUFDO2dCQUNILFFBQVEsQ0FBQyxJQUFJLENBQUMsR0FBRyxHQUFHLEdBQUcsR0FBRyxNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7WUFDOUMsQ0FBQztRQUNILENBQUM7UUFDRCxNQUFNLFlBQVksR0FBRyxRQUFRLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQ3hDLEdBQUcsQ0FBQyxHQUFHLENBQUMsV0FBVyxFQUFFLFlBQVksQ0FBQyxDQUFDO1FBQ25DLEdBQUcsQ0FBQyxHQUFHLENBQUMsYUFBYSxFQUFFLEdBQUcsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUNwQyxDQUFDLENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/dist/esm/lib/middlewares/csrf.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["csrf"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/esm/lib/middlewares/csrf.js

@@ -1,37 +0,0 @@
-import { debuglog } from 'node:util';
-import typeis from 'type-is';
-import { checkIfIgnore } from '../utils.js';
-const debug = debuglog('@eggjs/security/lib/middlewares/csrf');
-export default (options) => {
-    return function csrf(ctx, next) {
-        if (checkIfIgnore(options, ctx)) {
-            return next();
-        }
-        // ensure csrf token exists
-        if (['any', 'all', 'ctoken'].includes(options.type)) {
-            ctx.ensureCsrfSecret();
-        }
-        // supported requests
-        const method = ctx.method;
-        let isSupported = false;
-        for (const eachRule of options.supportedRequests) {
-            if (eachRule.path.test(ctx.path)) {
-                if (eachRule.methods.includes(method)) {
-                    isSupported = true;
-                    break;
-                }
-            }
-        }
-        if (!isSupported) {
-            return next();
-        }
-        if (options.ignoreJSON && typeis.is(ctx.get('content-type'), 'json')) {
-            return next();
-        }
-        const body = ctx.request.body;
-        debug('%s %s, got %j', ctx.method, ctx.url, body);
-        ctx.assertCsrf();
-        return next();
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3NyZi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvY3NyZi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsUUFBUSxFQUFFLE1BQU0sV0FBVyxDQUFDO0FBRXJDLE9BQU8sTUFBTSxNQUFNLFNBQVMsQ0FBQztBQUM3QixPQUFPLEVBQUUsYUFBYSxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRzVDLE1BQU0sS0FBSyxHQUFHLFFBQVEsQ0FBQyxzQ0FBc0MsQ0FBQyxDQUFDO0FBRS9ELGVBQWUsQ0FBQyxPQUErQixFQUFFLEVBQUU7SUFDakQsT0FBTyxTQUFTLElBQUksQ0FBQyxHQUFZLEVBQUUsSUFBVTtRQUMzQyxJQUFJLGFBQWEsQ0FBQyxPQUFPLEVBQUUsR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUNoQyxPQUFPLElBQUksRUFBRSxDQUFDO1FBQ2hCLENBQUM7UUFFRCwyQkFBMkI7UUFDM0IsSUFBSSxDQUFFLEtBQUssRUFBRSxLQUFLLEVBQUUsUUFBUSxDQUFFLENBQUMsUUFBUSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO1lBQ3RELEdBQUcsQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO1FBQ3pCLENBQUM7UUFFRCxxQkFBcUI7UUFDckIsTUFBTSxNQUFNLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQztRQUMxQixJQUFJLFdBQVcsR0FBRyxLQUFLLENBQUM7UUFDeEIsS0FBSyxNQUFNLFFBQVEsSUFBSSxPQUFPLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUNqRCxJQUFJLFFBQVEsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO2dCQUNqQyxJQUFJLFFBQVEsQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7b0JBQ3RDLFdBQVcsR0FBRyxJQUFJLENBQUM7b0JBQ25CLE1BQU07Z0JBQ1IsQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO1FBQ0QsSUFBSSxDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQ2pCLE9BQU8sSUFBSSxFQUFFLENBQUM7UUFDaEIsQ0FBQztRQUVELElBQUksT0FBTyxDQUFDLFVBQVUsSUFBSSxNQUFNLENBQUMsRUFBRSxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUMsY0FBYyxDQUFDLEVBQUUsTUFBTSxDQUFDLEVBQUUsQ0FBQztZQUNyRSxPQUFPLElBQUksRUFBRSxDQUFDO1FBQ2hCLENBQUM7UUFFRCxNQUFNLElBQUksR0FBRyxHQUFHLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQztRQUM5QixLQUFLLENBQUMsZUFBZSxFQUFFLEdBQUcsQ0FBQyxNQUFNLEVBQUUsR0FBRyxDQUFDLEdBQUcsRUFBRSxJQUFJLENBQUMsQ0FBQztRQUNsRCxHQUFHLENBQUMsVUFBVSxFQUFFLENBQUM7UUFDakIsT0FBTyxJQUFJLEVBQUUsQ0FBQztJQUNoQixDQUFDLENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/dist/esm/lib/middlewares/dta.d.ts

@@ -1,3 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-declare const _default: () => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/esm/lib/middlewares/dta.js

@@ -1,12 +0,0 @@
-import { isSafePath } from '../utils.js';
-// https://en.wikipedia.org/wiki/Directory_traversal_attack
-export default () => {
-    return function dta(ctx, next) {
-        const path = ctx.path;
-        if (!isSafePath(path, ctx)) {
-            ctx.throw(400);
-        }
-        return next();
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZHRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy9kdGEudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQ0EsT0FBTyxFQUFFLFVBQVUsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUV6QywyREFBMkQ7QUFDM0QsZUFBZSxHQUFHLEVBQUU7SUFDbEIsT0FBTyxTQUFTLEdBQUcsQ0FBQyxHQUFZLEVBQUUsSUFBVTtRQUMxQyxNQUFNLElBQUksR0FBRyxHQUFHLENBQUMsSUFBSSxDQUFDO1FBQ3RCLElBQUksQ0FBQyxVQUFVLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDM0IsR0FBRyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUNqQixDQUFDO1FBQ0QsT0FBTyxJQUFJLEVBQUUsQ0FBQztJQUNoQixDQUFDLENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/dist/esm/lib/middlewares/hsts.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["hsts"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/esm/lib/middlewares/hsts.js

@@ -1,21 +0,0 @@
-import { checkIfIgnore } from '../utils.js';
-// Set Strict-Transport-Security header
-export default (options) => {
-    return async function hsts(ctx, next) {
-        await next();
-        const opts = {
-            ...options,
-            ...ctx.securityOptions.hsts,
-        };
-        if (checkIfIgnore(opts, ctx))
-            return;
-        let val = 'max-age=' + opts.maxAge;
-        // If opts.includeSubdomains is defined,
-        // the rule is also valid for all the sub domains of the website
-        if (opts.includeSubdomains) {
-            val += '; includeSubdomains';
-        }
-        ctx.set('strict-transport-security', val);
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaHN0cy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvaHN0cy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLEVBQUUsYUFBYSxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRzVDLHVDQUF1QztBQUN2QyxlQUFlLENBQUMsT0FBK0IsRUFBRSxFQUFFO0lBQ2pELE9BQU8sS0FBSyxVQUFVLElBQUksQ0FBQyxHQUFZLEVBQUUsSUFBVTtRQUNqRCxNQUFNLElBQUksRUFBRSxDQUFDO1FBRWIsTUFBTSxJQUFJLEdBQUc7WUFDWCxHQUFHLE9BQU87WUFDVixHQUFHLEdBQUcsQ0FBQyxlQUFlLENBQUMsSUFBSTtTQUM1QixDQUFDO1FBQ0YsSUFBSSxhQUFhLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQztZQUFFLE9BQU87UUFFckMsSUFBSSxHQUFHLEdBQUcsVUFBVSxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUM7UUFDbkMsd0NBQXdDO1FBQ3hDLGdFQUFnRTtRQUNoRSxJQUFJLElBQUksQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO1lBQzNCLEdBQUcsSUFBSSxxQkFBcUIsQ0FBQztRQUMvQixDQUFDO1FBQ0QsR0FBRyxDQUFDLEdBQUcsQ0FBQywyQkFBMkIsRUFBRSxHQUFHLENBQUMsQ0FBQztJQUM1QyxDQUFDLENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/dist/esm/lib/middlewares/index.d.ts

@@ -1,13 +0,0 @@
-declare const _default: {
-    csp: (options: import("../../types.js").SecurityConfig["csp"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    csrf: (options: import("../../types.js").SecurityConfig["csrf"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    dta: () => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    hsts: (options: import("../../types.js").SecurityConfig["hsts"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    methodnoallow: () => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    noopen: (options: import("../../types.js").SecurityConfig["noopen"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    nosniff: (options: import("../../types.js").SecurityConfig["nosniff"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    referrerPolicy: (options: import("../../types.js").SecurityConfig["referrerPolicy"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    xframe: (options: import("../../types.js").SecurityConfig["xframe"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-    xssProtection: (options: import("../../types.js").SecurityConfig["xssProtection"]) => (ctx: import("@eggjs/core").Context, next: import("egg").Next) => Promise<void>;
-};
-export default _default;

package/dist/esm/lib/middlewares/index.js

@@ -1,23 +0,0 @@
-import csp from './csp.js';
-import csrf from './csrf.js';
-import dta from './dta.js';
-import hsts from './hsts.js';
-import methodnoallow from './methodnoallow.js';
-import noopen from './noopen.js';
-import nosniff from './nosniff.js';
-import referrerPolicy from './referrerPolicy.js';
-import xframe from './xframe.js';
-import xssProtection from './xssProtection.js';
-export default {
-    csp,
-    csrf,
-    dta,
-    hsts,
-    methodnoallow,
-    noopen,
-    nosniff,
-    referrerPolicy,
-    xframe,
-    xssProtection,
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL21pZGRsZXdhcmVzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sR0FBRyxNQUFNLFVBQVUsQ0FBQztBQUMzQixPQUFPLElBQUksTUFBTSxXQUFXLENBQUM7QUFDN0IsT0FBTyxHQUFHLE1BQU0sVUFBVSxDQUFDO0FBQzNCLE9BQU8sSUFBSSxNQUFNLFdBQVcsQ0FBQztBQUM3QixPQUFPLGFBQWEsTUFBTSxvQkFBb0IsQ0FBQztBQUMvQyxPQUFPLE1BQU0sTUFBTSxhQUFhLENBQUM7QUFDakMsT0FBTyxPQUFPLE1BQU0sY0FBYyxDQUFDO0FBQ25DLE9BQU8sY0FBYyxNQUFNLHFCQUFxQixDQUFDO0FBQ2pELE9BQU8sTUFBTSxNQUFNLGFBQWEsQ0FBQztBQUNqQyxPQUFPLGFBQWEsTUFBTSxvQkFBb0IsQ0FBQztBQUUvQyxlQUFlO0lBQ2IsR0FBRztJQUNILElBQUk7SUFDSixHQUFHO0lBQ0gsSUFBSTtJQUNKLGFBQWE7SUFDYixNQUFNO0lBQ04sT0FBTztJQUNQLGNBQWM7SUFDZCxNQUFNO0lBQ04sYUFBYTtDQUNkLENBQUMifQ==

package/dist/esm/lib/middlewares/methodnoallow.d.ts

@@ -1,3 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-declare const _default: () => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/esm/lib/middlewares/methodnoallow.js

@@ -1,20 +0,0 @@
-import { METHODS } from 'node:http';
-const METHODS_NOT_ALLOWED = ['TRACE', 'TRACK'];
-const safeHttpMethodsMap = {};
-for (const method of METHODS) {
-    if (!METHODS_NOT_ALLOWED.includes(method)) {
-        safeHttpMethodsMap[method.toUpperCase()] = true;
-    }
-}
-// https://www.owasp.org/index.php/Cross_Site_Tracing
-// http://jsperf.com/find-by-map-with-find-by-array
-export default () => {
-    return function notAllow(ctx, next) {
-        // ctx.method is upper case
-        if (!safeHttpMethodsMap[ctx.method]) {
-            ctx.throw(405);
-        }
-        return next();
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibWV0aG9kbm9hbGxvdy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvbWV0aG9kbm9hbGxvdy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsT0FBTyxFQUFFLE1BQU0sV0FBVyxDQUFDO0FBR3BDLE1BQU0sbUJBQW1CLEdBQUcsQ0FBRSxPQUFPLEVBQUUsT0FBTyxDQUFFLENBQUM7QUFDakQsTUFBTSxrQkFBa0IsR0FBNEIsRUFBRSxDQUFDO0FBRXZELEtBQUssTUFBTSxNQUFNLElBQUksT0FBTyxFQUFFLENBQUM7SUFDN0IsSUFBSSxDQUFDLG1CQUFtQixDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1FBQzFDLGtCQUFrQixDQUFDLE1BQU0sQ0FBQyxXQUFXLEVBQUUsQ0FBQyxHQUFHLElBQUksQ0FBQztJQUNsRCxDQUFDO0FBQ0gsQ0FBQztBQUVELHFEQUFxRDtBQUNyRCxtREFBbUQ7QUFDbkQsZUFBZSxHQUFHLEVBQUU7SUFDbEIsT0FBTyxTQUFTLFFBQVEsQ0FBQyxHQUFZLEVBQUUsSUFBVTtRQUMvQywyQkFBMkI7UUFDM0IsSUFBSSxDQUFDLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1lBQ3BDLEdBQUcsQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDakIsQ0FBQztRQUNELE9BQU8sSUFBSSxFQUFFLENBQUM7SUFDaEIsQ0FBQyxDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/dist/esm/lib/middlewares/noopen.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["noopen"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/esm/lib/middlewares/noopen.js

@@ -1,15 +0,0 @@
-import { checkIfIgnore } from '../utils.js';
-// @see http://blogs.msdn.com/b/ieinternals/archive/2009/06/30/internet-explorer-custom-http-headers.aspx
-export default (options) => {
-    return async function noopen(ctx, next) {
-        await next();
-        const opts = {
-            ...options,
-            ...ctx.securityOptions.noopen,
-        };
-        if (checkIfIgnore(opts, ctx))
-            return;
-        ctx.set('x-download-options', 'noopen');
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibm9vcGVuLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy9ub29wZW4udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQ0EsT0FBTyxFQUFFLGFBQWEsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUc1Qyx5R0FBeUc7QUFDekcsZUFBZSxDQUFDLE9BQWlDLEVBQUUsRUFBRTtJQUNuRCxPQUFPLEtBQUssVUFBVSxNQUFNLENBQUMsR0FBWSxFQUFFLElBQVU7UUFDbkQsTUFBTSxJQUFJLEVBQUUsQ0FBQztRQUViLE1BQU0sSUFBSSxHQUFHO1lBQ1gsR0FBRyxPQUFPO1lBQ1YsR0FBRyxHQUFHLENBQUMsZUFBZSxDQUFDLE1BQU07U0FDOUIsQ0FBQztRQUNGLElBQUksYUFBYSxDQUFDLElBQUksRUFBRSxHQUFHLENBQUM7WUFBRSxPQUFPO1FBRXJDLEdBQUcsQ0FBQyxHQUFHLENBQUMsb0JBQW9CLEVBQUUsUUFBUSxDQUFDLENBQUM7SUFDMUMsQ0FBQyxDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/dist/esm/lib/middlewares/nosniff.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["nosniff"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/esm/lib/middlewares/nosniff.js

@@ -1,28 +0,0 @@
-import { checkIfIgnore } from '../utils.js';
-// status codes for redirects
-// @see https://github.com/jshttp/statuses/blob/master/index.js#L33
-const RedirectStatus = {
-    300: true,
-    301: true,
-    302: true,
-    303: true,
-    305: true,
-    307: true,
-    308: true,
-};
-export default (options) => {
-    return async function nosniff(ctx, next) {
-        await next();
-        // ignore redirect response
-        if (RedirectStatus[ctx.status])
-            return;
-        const opts = {
-            ...options,
-            ...ctx.securityOptions.nosniff,
-        };
-        if (checkIfIgnore(opts, ctx))
-            return;
-        ctx.set('x-content-type-options', 'nosniff');
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibm9zbmlmZi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMvbm9zbmlmZi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLEVBQUUsYUFBYSxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRzVDLDZCQUE2QjtBQUM3QixtRUFBbUU7QUFDbkUsTUFBTSxjQUFjLEdBQTRCO0lBQzlDLEdBQUcsRUFBRSxJQUFJO0lBQ1QsR0FBRyxFQUFFLElBQUk7SUFDVCxHQUFHLEVBQUUsSUFBSTtJQUNULEdBQUcsRUFBRSxJQUFJO0lBQ1QsR0FBRyxFQUFFLElBQUk7SUFDVCxHQUFHLEVBQUUsSUFBSTtJQUNULEdBQUcsRUFBRSxJQUFJO0NBQ1YsQ0FBQztBQUVGLGVBQWUsQ0FBQyxPQUFrQyxFQUFFLEVBQUU7SUFDcEQsT0FBTyxLQUFLLFVBQVUsT0FBTyxDQUFDLEdBQVksRUFBRSxJQUFVO1FBQ3BELE1BQU0sSUFBSSxFQUFFLENBQUM7UUFFYiwyQkFBMkI7UUFDM0IsSUFBSSxjQUFjLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQztZQUFFLE9BQU87UUFFdkMsTUFBTSxJQUFJLEdBQUc7WUFDWCxHQUFHLE9BQU87WUFDVixHQUFHLEdBQUcsQ0FBQyxlQUFlLENBQUMsT0FBTztTQUMvQixDQUFDO1FBQ0YsSUFBSSxhQUFhLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQztZQUFFLE9BQU87UUFFckMsR0FBRyxDQUFDLEdBQUcsQ0FBQyx3QkFBd0IsRUFBRSxTQUFTLENBQUMsQ0FBQztJQUMvQyxDQUFDLENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/dist/esm/lib/middlewares/referrerPolicy.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["referrerPolicy"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/esm/lib/middlewares/referrerPolicy.js

@@ -1,34 +0,0 @@
-import { checkIfIgnore } from '../utils.js';
-// https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Referrer-Policy
-const ALLOWED_POLICIES_ENUM = [
-    'no-referrer',
-    'no-referrer-when-downgrade',
-    'origin',
-    'origin-when-cross-origin',
-    'same-origin',
-    'strict-origin',
-    'strict-origin-when-cross-origin',
-    'unsafe-url',
-    '',
-];
-export default (options) => {
-    return async function referrerPolicy(ctx, next) {
-        await next();
-        const opts = {
-            ...options,
-            // check refererPolicy for backward compatibility
-            // typo on the old version
-            // @see https://github.com/eggjs/security/blob/e3408408adec5f8d009d37f75126ed082481d0ac/lib/middlewares/referrerPolicy.js#L21C59-L21C72
-            ...ctx.securityOptions.refererPolicy,
-            ...ctx.securityOptions.referrerPolicy,
-        };
-        if (checkIfIgnore(opts, ctx))
-            return;
-        const policy = opts.value;
-        if (!ALLOWED_POLICIES_ENUM.includes(policy)) {
-            throw new Error('"' + policy + '" is not available.');
-        }
-        ctx.set('referrer-policy', policy);
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicmVmZXJyZXJQb2xpY3kuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL21pZGRsZXdhcmVzL3JlZmVycmVyUG9saWN5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUNBLE9BQU8sRUFBRSxhQUFhLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFHNUMsNEVBQTRFO0FBQzVFLE1BQU0scUJBQXFCLEdBQUc7SUFDNUIsYUFBYTtJQUNiLDRCQUE0QjtJQUM1QixRQUFRO0lBQ1IsMEJBQTBCO0lBQzFCLGFBQWE7SUFDYixlQUFlO0lBQ2YsaUNBQWlDO0lBQ2pDLFlBQVk7SUFDWixFQUFFO0NBQ0gsQ0FBQztBQUVGLGVBQWUsQ0FBQyxPQUF5QyxFQUFFLEVBQUU7SUFDM0QsT0FBTyxLQUFLLFVBQVUsY0FBYyxDQUFDLEdBQVksRUFBRSxJQUFVO1FBQzNELE1BQU0sSUFBSSxFQUFFLENBQUM7UUFFYixNQUFNLElBQUksR0FBRztZQUNYLEdBQUcsT0FBTztZQUNWLGlEQUFpRDtZQUNqRCwwQkFBMEI7WUFDMUIsdUlBQXVJO1lBQ3ZJLEdBQUksR0FBRyxDQUFDLGVBQXVCLENBQUMsYUFBYTtZQUM3QyxHQUFHLEdBQUcsQ0FBQyxlQUFlLENBQUMsY0FBYztTQUN0QyxDQUFDO1FBQ0YsSUFBSSxhQUFhLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQztZQUFFLE9BQU87UUFFckMsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQztRQUMxQixJQUFJLENBQUMscUJBQXFCLENBQUMsUUFBUSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7WUFDNUMsTUFBTSxJQUFJLEtBQUssQ0FBQyxHQUFHLEdBQUcsTUFBTSxHQUFHLHFCQUFxQixDQUFDLENBQUM7UUFDeEQsQ0FBQztRQUVELEdBQUcsQ0FBQyxHQUFHLENBQUMsaUJBQWlCLEVBQUUsTUFBTSxDQUFDLENBQUM7SUFDckMsQ0FBQyxDQUFDO0FBQ0osQ0FBQyxDQUFDIn0=

package/dist/esm/lib/middlewares/xframe.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["xframe"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/esm/lib/middlewares/xframe.js

@@ -1,17 +0,0 @@
-import { checkIfIgnore } from '../utils.js';
-export default (options) => {
-    return async function xframe(ctx, next) {
-        await next();
-        const opts = {
-            ...options,
-            ...ctx.securityOptions.xframe,
-        };
-        if (checkIfIgnore(opts, ctx))
-            return;
-        // DENY, SAMEORIGIN, ALLOW-FROM
-        // https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options?redirectlocale=en-US&redirectslug=The_X-FRAME-OPTIONS_response_header
-        const value = opts.value || 'SAMEORIGIN';
-        ctx.set('x-frame-options', value);
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoieGZyYW1lLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9taWRkbGV3YXJlcy94ZnJhbWUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQ0EsT0FBTyxFQUFFLGFBQWEsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUc1QyxlQUFlLENBQUMsT0FBaUMsRUFBRSxFQUFFO0lBQ25ELE9BQU8sS0FBSyxVQUFVLE1BQU0sQ0FBQyxHQUFZLEVBQUUsSUFBVTtRQUNuRCxNQUFNLElBQUksRUFBRSxDQUFDO1FBRWIsTUFBTSxJQUFJLEdBQUc7WUFDWCxHQUFHLE9BQU87WUFDVixHQUFHLEdBQUcsQ0FBQyxlQUFlLENBQUMsTUFBTTtTQUM5QixDQUFDO1FBQ0YsSUFBSSxhQUFhLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQztZQUFFLE9BQU87UUFFckMsK0JBQStCO1FBQy9CLHNJQUFzSTtRQUN0SSxNQUFNLEtBQUssR0FBRyxJQUFJLENBQUMsS0FBSyxJQUFJLFlBQVksQ0FBQztRQUN6QyxHQUFHLENBQUMsR0FBRyxDQUFDLGlCQUFpQixFQUFFLEtBQUssQ0FBQyxDQUFDO0lBQ3BDLENBQUMsQ0FBQztBQUNKLENBQUMsQ0FBQyJ9

package/dist/esm/lib/middlewares/xssProtection.d.ts

@@ -1,4 +0,0 @@
-import type { Context, Next } from '@eggjs/core';
-import type { SecurityConfig } from '../../types.js';
-declare const _default: (options: SecurityConfig["xssProtection"]) => (ctx: Context, next: Next) => Promise<void>;
-export default _default;

package/dist/esm/lib/middlewares/xssProtection.js

@@ -1,14 +0,0 @@
-import { checkIfIgnore } from '../utils.js';
-export default (options) => {
-    return async function xssProtection(ctx, next) {
-        await next();
-        const opts = {
-            ...options,
-            ...ctx.securityOptions.xssProtection,
-        };
-        if (checkIfIgnore(opts, ctx))
-            return;
-        ctx.set('x-xss-protection', opts.value);
-    };
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoieHNzUHJvdGVjdGlvbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9saWIvbWlkZGxld2FyZXMveHNzUHJvdGVjdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLEVBQUUsYUFBYSxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRzVDLGVBQWUsQ0FBQyxPQUF3QyxFQUFFLEVBQUU7SUFDMUQsT0FBTyxLQUFLLFVBQVUsYUFBYSxDQUFDLEdBQVksRUFBRSxJQUFVO1FBQzFELE1BQU0sSUFBSSxFQUFFLENBQUM7UUFFYixNQUFNLElBQUksR0FBRztZQUNYLEdBQUcsT0FBTztZQUNWLEdBQUcsR0FBRyxDQUFDLGVBQWUsQ0FBQyxhQUFhO1NBQ3JDLENBQUM7UUFDRixJQUFJLGFBQWEsQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDO1lBQUUsT0FBTztRQUVyQyxHQUFHLENBQUMsR0FBRyxDQUFDLGtCQUFrQixFQUFFLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUMxQyxDQUFDLENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/dist/esm/lib/utils.d.ts

@@ -1,19 +0,0 @@
-import { Context } from '@eggjs/core';
-import type { PathMatchingFun } from 'egg-path-matching';
-import { SecurityConfig } from '../types.js';
-/**
- * Check whether a domain is in the safe domain white list or not.
- * @param {String} domain The inputted domain.
- * @param {Array<string>} whiteList The white list for domain.
- * @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
- */
-export declare function isSafeDomain(domain: string, whiteList: string[]): boolean;
-export declare function isSafePath(path: string, ctx: Context): boolean;
-export declare function checkIfIgnore(opts: {
-    enable: boolean;
-    matching?: PathMatchingFun;
-}, ctx: Context): boolean;
-export declare function getCookieDomain(hostname: string): string;
-export declare function merge(origin: Record<string, any>, opts?: Record<string, any>): Record<string, any>;
-export declare function preprocessConfig(config: SecurityConfig): void;
-export declare function getFromUrl(url: string, prop?: string): string | null;