@eggjs/security 4.0.1 → 5.0.0-beta.15

package/dist/esm/app/extend/context.js

@@ -1,244 +0,0 @@
-import { debuglog } from 'node:util';
-import { nanoid } from 'nanoid/non-secure';
-import Tokens from 'csrf';
-import { Context } from '@eggjs/core';
-import * as utils from '../../lib/utils.js';
-const debug = debuglog('@eggjs/security/app/extend/context');
-const tokens = new Tokens();
-const CSRF_SECRET = Symbol('egg-security#CSRF_SECRET');
-const _CSRF_SECRET = Symbol('egg-security#_CSRF_SECRET');
-const NEW_CSRF_SECRET = Symbol('egg-security#NEW_CSRF_SECRET');
-const LOG_CSRF_NOTICE = Symbol('egg-security#LOG_CSRF_NOTICE');
-const INPUT_TOKEN = Symbol('egg-security#INPUT_TOKEN');
-const NONCE_CACHE = Symbol('egg-security#NONCE_CACHE');
-const SECURITY_OPTIONS = Symbol('egg-security#SECURITY_OPTIONS');
-const CSRF_REFERER_CHECK = Symbol('egg-security#CSRF_REFERER_CHECK');
-const CSRF_CTOKEN_CHECK = Symbol('egg-security#CSRF_CTOKEN_CHECK');
-function findToken(obj, keys) {
-    if (!obj)
-        return;
-    if (!keys || !keys.length)
-        return;
-    if (typeof keys === 'string')
-        return obj[keys];
-    for (const key of keys) {
-        if (obj[key])
-            return obj[key];
-    }
-}
-export default class SecurityContext extends Context {
-    get securityOptions() {
-        if (!this[SECURITY_OPTIONS]) {
-            this[SECURITY_OPTIONS] = {};
-        }
-        return this[SECURITY_OPTIONS];
-    }
-    /**
-     * Check whether the specific `domain` is in / matches the whiteList or not.
-     * @param {string} domain The assigned domain.
-     * @param {Array<string>} [customWhiteList] The custom white list for domain.
-     * @return {boolean} If the domain is in / matches the whiteList, return true;
-     * otherwise false.
-     */
-    isSafeDomain(domain, customWhiteList) {
-        const domainWhiteList = customWhiteList && customWhiteList.length > 0 ? customWhiteList : this.app.config.security.domainWhiteList;
-        return utils.isSafeDomain(domain, domainWhiteList);
-    }
-    // Add nonce, random characters will be OK.
-    // https://w3c.github.io/webappsec/specs/content-security-policy/#nonce_source
-    get nonce() {
-        if (!this[NONCE_CACHE]) {
-            this[NONCE_CACHE] = nanoid(16);
-        }
-        return this[NONCE_CACHE];
-    }
-    /**
-     * get csrf token, general use in template
-     * @return {String} csrf token
-     * @public
-     */
-    get csrf() {
-        // csrfSecret can be rotate, use NEW_CSRF_SECRET first
-        const secret = this[NEW_CSRF_SECRET] || this[CSRF_SECRET];
-        debug('get csrf token, NEW_CSRF_SECRET: %s, _CSRF_SECRET: %s', this[NEW_CSRF_SECRET], this[CSRF_SECRET]);
-        //  In order to protect against BREACH attacks,
-        //  the token is not simply the secret;
-        //  a random salt is prepended to the secret and used to scramble it.
-        //  http://breachattack.com/
-        return secret ? tokens.create(secret) : '';
-    }
-    /**
-     * get csrf secret from session or cookie
-     * @return {String} csrf secret
-     * @private
-     */
-    get [CSRF_SECRET]() {
-        if (this[_CSRF_SECRET]) {
-            return this[_CSRF_SECRET];
-        }
-        let { useSession, sessionName, cookieName: cookieNames, cookieOptions, } = this.app.config.security.csrf;
-        // get secret from session or cookie
-        if (useSession) {
-            this[_CSRF_SECRET] = this.session[sessionName] || '';
-        }
-        else {
-            // cookieName support array. so we can change csrf cookie name smoothly
-            if (!Array.isArray(cookieNames)) {
-                cookieNames = [cookieNames];
-            }
-            for (const cookieName of cookieNames) {
-                this[_CSRF_SECRET] = this.cookies.get(cookieName, { signed: cookieOptions.signed }) || '';
-                if (this[_CSRF_SECRET]) {
-                    break;
-                }
-            }
-        }
-        return this[_CSRF_SECRET];
-    }
-    /**
-     * ensure csrf secret exists in session or cookie.
-     * @param {Boolean} [rotate] reset secret even if the secret exists
-     * @public
-     */
-    ensureCsrfSecret(rotate) {
-        if (this[CSRF_SECRET] && !rotate)
-            return;
-        debug('ensure csrf secret, exists: %s, rotate; %s', this[CSRF_SECRET], rotate);
-        const secret = tokens.secretSync();
-        this[NEW_CSRF_SECRET] = secret;
-        let { useSession, sessionName, cookieDomain, cookieName: cookieNames, cookieOptions, } = this.app.config.security.csrf;
-        if (useSession) {
-            // TODO(fengmk2): need to refactor egg-session plugin to support ctx.session type define
-            this.session[sessionName] = secret;
-        }
-        else {
-            if (typeof cookieDomain === 'function') {
-                cookieDomain = cookieDomain(this);
-            }
-            const cookieOpts = {
-                domain: cookieDomain,
-                ...cookieOptions,
-            };
-            // cookieName support array. so we can change csrf cookie name smoothly
-            if (!Array.isArray(cookieNames)) {
-                cookieNames = [cookieNames];
-            }
-            for (const cookieName of cookieNames) {
-                this.cookies.set(cookieName, secret, cookieOpts);
-            }
-        }
-    }
-    get [INPUT_TOKEN]() {
-        const { headerName, bodyName, queryName } = this.app.config.security.csrf;
-        // try order: query, body, header
-        const token = findToken(this.request.query, queryName)
-            || findToken(this.request.body, bodyName)
-            || (headerName && this.request.get(headerName));
-        debug('get token: %j, secret: %j', token, this[CSRF_SECRET]);
-        return token;
-    }
-    /**
-     * rotate csrf secret exists in session or cookie.
-     * must rotate the secret when user login
-     * @public
-     */
-    rotateCsrfSecret() {
-        if (!this[NEW_CSRF_SECRET] && this[CSRF_SECRET]) {
-            this.ensureCsrfSecret(true);
-        }
-    }
-    /**
-     * assert csrf token/referer is present
-     * @public
-     */
-    assertCsrf() {
-        if (utils.checkIfIgnore(this.app.config.security.csrf, this)) {
-            debug('%s, ignore by csrf options', this.path);
-            return;
-        }
-        const { type } = this.app.config.security.csrf;
-        let message;
-        const messages = [];
-        switch (type) {
-            case 'ctoken':
-                message = this[CSRF_CTOKEN_CHECK]();
-                if (message)
-                    this.throw(403, message);
-                break;
-            case 'referer':
-                message = this[CSRF_REFERER_CHECK]();
-                if (message)
-                    this.throw(403, message);
-                break;
-            case 'all':
-                message = this[CSRF_CTOKEN_CHECK]();
-                if (message)
-                    this.throw(403, message);
-                message = this[CSRF_REFERER_CHECK]();
-                if (message)
-                    this.throw(403, message);
-                break;
-            case 'any':
-                message = this[CSRF_CTOKEN_CHECK]();
-                if (!message)
-                    return;
-                messages.push(message);
-                message = this[CSRF_REFERER_CHECK]();
-                if (!message)
-                    return;
-                messages.push(message);
-                this.throw(403, `both ctoken and referer check error: ${messages.join(', ')}`);
-                break;
-            default:
-                this.throw(`invalid type ${type}`);
-        }
-    }
-    [CSRF_CTOKEN_CHECK]() {
-        if (!this[CSRF_SECRET]) {
-            debug('missing csrf token');
-            this[LOG_CSRF_NOTICE]('missing csrf token');
-            return 'missing csrf token';
-        }
-        const token = this[INPUT_TOKEN];
-        // AJAX requests get csrf token from cookie, in this situation token will equal to secret
-        // synchronize form requests' token always changing to protect against BREACH attacks
-        if (token !== this[CSRF_SECRET] && !tokens.verify(this[CSRF_SECRET], token)) {
-            debug('verify secret and token error');
-            this[LOG_CSRF_NOTICE]('invalid csrf token');
-            const { rotateWhenInvalid } = this.app.config.security.csrf;
-            if (rotateWhenInvalid) {
-                this.rotateCsrfSecret();
-            }
-            return 'invalid csrf token';
-        }
-    }
-    [CSRF_REFERER_CHECK]() {
-        const { refererWhiteList } = this.app.config.security.csrf;
-        // check Origin/Referer headers
-        const referer = (this.headers.referer || this.headers.origin || '').toLowerCase();
-        if (!referer) {
-            debug('missing csrf referer or origin');
-            this[LOG_CSRF_NOTICE]('missing csrf referer or origin');
-            return 'missing csrf referer or origin';
-        }
-        const host = utils.getFromUrl(referer, 'host');
-        const domainList = refererWhiteList.concat(this.host);
-        if (!host || !utils.isSafeDomain(host, domainList)) {
-            debug('verify referer or origin error');
-            this[LOG_CSRF_NOTICE]('invalid csrf referer or origin');
-            return 'invalid csrf referer or origin';
-        }
-    }
-    [LOG_CSRF_NOTICE](msg) {
-        if (this.app.config.env === 'local') {
-            this.logger.warn(`${msg}. See https://eggjs.org/zh-cn/core/security.html#安全威胁csrf的防范`);
-        }
-    }
-    async safeCurl(url, options) {
-        return await this.app.safeCurl(url, options);
-    }
-    unsafeRedirect(url, alt) {
-        this.response.unsafeRedirect(url, alt);
-    }
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29udGV4dC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hcHAvZXh0ZW5kL2NvbnRleHQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLFFBQVEsRUFBRSxNQUFNLFdBQVcsQ0FBQztBQUNyQyxPQUFPLEVBQUUsTUFBTSxFQUFFLE1BQU0sbUJBQW1CLENBQUM7QUFDM0MsT0FBTyxNQUFNLE1BQU0sTUFBTSxDQUFDO0FBQzFCLE9BQU8sRUFBRSxPQUFPLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFDdEMsT0FBTyxLQUFLLEtBQUssTUFBTSxvQkFBb0IsQ0FBQztBQVE1QyxNQUFNLEtBQUssR0FBRyxRQUFRLENBQUMsb0NBQW9DLENBQUMsQ0FBQztBQUU3RCxNQUFNLE1BQU0sR0FBRyxJQUFJLE1BQU0sRUFBRSxDQUFDO0FBRTVCLE1BQU0sV0FBVyxHQUFHLE1BQU0sQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO0FBQ3ZELE1BQU0sWUFBWSxHQUFHLE1BQU0sQ0FBQywyQkFBMkIsQ0FBQyxDQUFDO0FBQ3pELE1BQU0sZUFBZSxHQUFHLE1BQU0sQ0FBQyw4QkFBOEIsQ0FBQyxDQUFDO0FBQy9ELE1BQU0sZUFBZSxHQUFHLE1BQU0sQ0FBQyw4QkFBOEIsQ0FBQyxDQUFDO0FBQy9ELE1BQU0sV0FBVyxHQUFHLE1BQU0sQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO0FBQ3ZELE1BQU0sV0FBVyxHQUFHLE1BQU0sQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO0FBQ3ZELE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxDQUFDLCtCQUErQixDQUFDLENBQUM7QUFDakUsTUFBTSxrQkFBa0IsR0FBRyxNQUFNLENBQUMsaUNBQWlDLENBQUMsQ0FBQztBQUNyRSxNQUFNLGlCQUFpQixHQUFHLE1BQU0sQ0FBQyxnQ0FBZ0MsQ0FBQyxDQUFDO0FBRW5FLFNBQVMsU0FBUyxDQUFDLEdBQTJCLEVBQUUsSUFBdUI7SUFDckUsSUFBSSxDQUFDLEdBQUc7UUFBRSxPQUFPO0lBQ2pCLElBQUksQ0FBQyxJQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsTUFBTTtRQUFFLE9BQU87SUFDbEMsSUFBSSxPQUFPLElBQUksS0FBSyxRQUFRO1FBQUUsT0FBTyxHQUFHLENBQUMsSUFBSSxDQUFDLENBQUM7SUFDL0MsS0FBSyxNQUFNLEdBQUcsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUN2QixJQUFJLEdBQUcsQ0FBQyxHQUFHLENBQUM7WUFBRSxPQUFPLEdBQUcsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUNoQyxDQUFDO0FBQ0gsQ0FBQztBQUVELE1BQU0sQ0FBQyxPQUFPLE9BQU8sZUFBZ0IsU0FBUSxPQUFPO0lBQ2xELElBQUksZUFBZTtRQUNqQixJQUFJLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLEVBQUUsQ0FBQztZQUM1QixJQUFJLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxFQUFFLENBQUM7UUFDOUIsQ0FBQztRQUNELE9BQU8sSUFBSSxDQUFDLGdCQUFnQixDQUE0QixDQUFDO0lBQzNELENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSCxZQUFZLENBQUMsTUFBYyxFQUFFLGVBQTBCO1FBQ3JELE1BQU0sZUFBZSxHQUNuQixlQUFlLElBQUksZUFBZSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLGVBQWUsQ0FBQztRQUM3RyxPQUFPLEtBQUssQ0FBQyxZQUFZLENBQUMsTUFBTSxFQUFFLGVBQWUsQ0FBQyxDQUFDO0lBQ3JELENBQUM7SUFFRCwyQ0FBMkM7SUFDM0MsOEVBQThFO0lBQzlFLElBQUksS0FBSztRQUNQLElBQUksQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQztZQUN2QixJQUFJLENBQUMsV0FBVyxDQUFDLEdBQUcsTUFBTSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ2pDLENBQUM7UUFDRCxPQUFPLElBQUksQ0FBQyxXQUFXLENBQVcsQ0FBQztJQUNyQyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILElBQUksSUFBSTtRQUNOLHNEQUFzRDtRQUN0RCxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsZUFBZSxDQUFDLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQzFELEtBQUssQ0FBQyx1REFBdUQsRUFBRSxJQUFJLENBQUMsZUFBZSxDQUFDLEVBQUUsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUM7UUFDekcsK0NBQStDO1FBQy9DLHVDQUF1QztRQUN2QyxxRUFBcUU7UUFDckUsNEJBQTRCO1FBQzVCLE9BQU8sTUFBTSxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLE1BQWdCLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDO0lBQ3ZELENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsSUFBSSxDQUFDLFdBQVcsQ0FBQztRQUNmLElBQUksSUFBSSxDQUFDLFlBQVksQ0FBQyxFQUFFLENBQUM7WUFDdkIsT0FBTyxJQUFJLENBQUMsWUFBWSxDQUFXLENBQUM7UUFDdEMsQ0FBQztRQUNELElBQUksRUFDRixVQUFVLEVBQUUsV0FBVyxFQUN2QixVQUFVLEVBQUUsV0FBVyxFQUN2QixhQUFhLEdBQ2QsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1FBQ2xDLG9DQUFvQztRQUNwQyxJQUFJLFVBQVUsRUFBRSxDQUFDO1lBQ2YsSUFBSSxDQUFDLFlBQVksQ0FBQyxHQUFJLElBQUksQ0FBQyxPQUFlLENBQUMsV0FBVyxDQUFDLElBQUksRUFBRSxDQUFDO1FBQ2hFLENBQUM7YUFBTSxDQUFDO1lBQ04sdUVBQXVFO1lBQ3ZFLElBQUksQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUM7Z0JBQ2hDLFdBQVcsR0FBRyxDQUFFLFdBQVcsQ0FBRSxDQUFDO1lBQ2hDLENBQUM7WUFDRCxLQUFLLE1BQU0sVUFBVSxJQUFJLFdBQVcsRUFBRSxDQUFDO2dCQUNyQyxJQUFJLENBQUMsWUFBWSxDQUFDLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsVUFBVSxFQUFFLEVBQUUsTUFBTSxFQUFFLGFBQWEsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxJQUFJLEVBQUUsQ0FBQztnQkFDMUYsSUFBSSxJQUFJLENBQUMsWUFBWSxDQUFDLEVBQUUsQ0FBQztvQkFDdkIsTUFBTTtnQkFDUixDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUM7UUFDRCxPQUFPLElBQUksQ0FBQyxZQUFZLENBQVcsQ0FBQztJQUN0QyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILGdCQUFnQixDQUFDLE1BQWdCO1FBQy9CLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsTUFBTTtZQUFFLE9BQU87UUFDekMsS0FBSyxDQUFDLDRDQUE0QyxFQUFFLElBQUksQ0FBQyxXQUFXLENBQUMsRUFBRSxNQUFNLENBQUMsQ0FBQztRQUMvRSxNQUFNLE1BQU0sR0FBRyxNQUFNLENBQUMsVUFBVSxFQUFFLENBQUM7UUFDbkMsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLE1BQU0sQ0FBQztRQUMvQixJQUFJLEVBQ0YsVUFBVSxFQUFFLFdBQVcsRUFDdkIsWUFBWSxFQUNaLFVBQVUsRUFBRSxXQUFXLEVBQ3ZCLGFBQWEsR0FDZCxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7UUFFbEMsSUFBSSxVQUFVLEVBQUUsQ0FBQztZQUNmLHdGQUF3RjtZQUN2RixJQUFJLENBQUMsT0FBZSxDQUFDLFdBQVcsQ0FBQyxHQUFHLE1BQU0sQ0FBQztRQUM5QyxDQUFDO2FBQU0sQ0FBQztZQUNOLElBQUksT0FBTyxZQUFZLEtBQUssVUFBVSxFQUFFLENBQUM7Z0JBQ3ZDLFlBQVksR0FBRyxZQUFZLENBQUMsSUFBSSxDQUFDLENBQUM7WUFDcEMsQ0FBQztZQUNELE1BQU0sVUFBVSxHQUFHO2dCQUNqQixNQUFNLEVBQUUsWUFBWTtnQkFDcEIsR0FBRyxhQUFhO2FBQ2pCLENBQUM7WUFDRix1RUFBdUU7WUFDdkUsSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQztnQkFDaEMsV0FBVyxHQUFHLENBQUUsV0FBVyxDQUFFLENBQUM7WUFDaEMsQ0FBQztZQUNELEtBQUssTUFBTSxVQUFVLElBQUksV0FBVyxFQUFFLENBQUM7Z0JBQ3JDLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLFVBQVUsRUFBRSxNQUFNLEVBQUUsVUFBVSxDQUFDLENBQUM7WUFDbkQsQ0FBQztRQUNILENBQUM7SUFDSCxDQUFDO0lBRUQsSUFBSSxDQUFDLFdBQVcsQ0FBQztRQUNmLE1BQU0sRUFBRSxVQUFVLEVBQUUsUUFBUSxFQUFFLFNBQVMsRUFBRSxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7UUFDMUUsaUNBQWlDO1FBQ2pDLE1BQU0sS0FBSyxHQUFHLFNBQVMsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLEtBQUssRUFBRSxTQUFTLENBQUM7ZUFDakQsU0FBUyxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLFFBQVEsQ0FBQztlQUN0QyxDQUFDLFVBQVUsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBUyxVQUFVLENBQUMsQ0FBQyxDQUFDO1FBQzFELEtBQUssQ0FBQywyQkFBMkIsRUFBRSxLQUFLLEVBQUUsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUM7UUFDN0QsT0FBTyxLQUFLLENBQUM7SUFDZixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILGdCQUFnQjtRQUNkLElBQUksQ0FBQyxJQUFJLENBQUMsZUFBZSxDQUFDLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUM7WUFDaEQsSUFBSSxDQUFDLGdCQUFnQixDQUFDLElBQUksQ0FBQyxDQUFDO1FBQzlCLENBQUM7SUFDSCxDQUFDO0lBRUQ7OztPQUdHO0lBQ0gsVUFBVTtRQUNSLElBQUksS0FBSyxDQUFDLGFBQWEsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQyxFQUFFLENBQUM7WUFDN0QsS0FBSyxDQUFDLDRCQUE0QixFQUFFLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztZQUMvQyxPQUFPO1FBQ1QsQ0FBQztRQUVELE1BQU0sRUFBRSxJQUFJLEVBQUUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1FBQy9DLElBQUksT0FBTyxDQUFDO1FBQ1osTUFBTSxRQUFRLEdBQUcsRUFBRSxDQUFDO1FBQ3BCLFFBQVEsSUFBSSxFQUFFLENBQUM7WUFDYixLQUFLLFFBQVE7Z0JBQ1gsT0FBTyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxFQUFFLENBQUM7Z0JBQ3BDLElBQUksT0FBTztvQkFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsRUFBRSxPQUFPLENBQUMsQ0FBQztnQkFDdEMsTUFBTTtZQUNSLEtBQUssU0FBUztnQkFDWixPQUFPLEdBQUcsSUFBSSxDQUFDLGtCQUFrQixDQUFDLEVBQUUsQ0FBQztnQkFDckMsSUFBSSxPQUFPO29CQUFFLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxFQUFFLE9BQU8sQ0FBQyxDQUFDO2dCQUN0QyxNQUFNO1lBQ1IsS0FBSyxLQUFLO2dCQUNSLE9BQU8sR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsRUFBRSxDQUFDO2dCQUNwQyxJQUFJLE9BQU87b0JBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7Z0JBQ3RDLE9BQU8sR0FBRyxJQUFJLENBQUMsa0JBQWtCLENBQUMsRUFBRSxDQUFDO2dCQUNyQyxJQUFJLE9BQU87b0JBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7Z0JBQ3RDLE1BQU07WUFDUixLQUFLLEtBQUs7Z0JBQ1IsT0FBTyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxFQUFFLENBQUM7Z0JBQ3BDLElBQUksQ0FBQyxPQUFPO29CQUFFLE9BQU87Z0JBQ3JCLFFBQVEsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLENBQUM7Z0JBQ3ZCLE9BQU8sR0FBRyxJQUFJLENBQUMsa0JBQWtCLENBQUMsRUFBRSxDQUFDO2dCQUNyQyxJQUFJLENBQUMsT0FBTztvQkFBRSxPQUFPO2dCQUNyQixRQUFRLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxDQUFDO2dCQUN2QixJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsRUFBRSx3Q0FBd0MsUUFBUSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLENBQUM7Z0JBQy9FLE1BQU07WUFDUjtnQkFDRSxJQUFJLENBQUMsS0FBSyxDQUFDLGdCQUFnQixJQUFJLEVBQUUsQ0FBQyxDQUFDO1FBQ3ZDLENBQUM7SUFDSCxDQUFDO0lBRUQsQ0FBQyxpQkFBaUIsQ0FBQztRQUNqQixJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUM7WUFDdkIsS0FBSyxDQUFDLG9CQUFvQixDQUFDLENBQUM7WUFDNUIsSUFBSSxDQUFDLGVBQWUsQ0FBQyxDQUFDLG9CQUFvQixDQUFDLENBQUM7WUFDNUMsT0FBTyxvQkFBb0IsQ0FBQztRQUM5QixDQUFDO1FBQ0QsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQ2hDLHlGQUF5RjtRQUN6RixxRkFBcUY7UUFDckYsSUFBSSxLQUFLLEtBQUssSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLEVBQUUsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUM1RSxLQUFLLENBQUMsK0JBQStCLENBQUMsQ0FBQztZQUN2QyxJQUFJLENBQUMsZUFBZSxDQUFDLENBQUMsb0JBQW9CLENBQUMsQ0FBQztZQUM1QyxNQUFNLEVBQUUsaUJBQWlCLEVBQUUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1lBQzVELElBQUksaUJBQWlCLEVBQUUsQ0FBQztnQkFDdEIsSUFBSSxDQUFDLGdCQUFnQixFQUFFLENBQUM7WUFDMUIsQ0FBQztZQUNELE9BQU8sb0JBQW9CLENBQUM7UUFDOUIsQ0FBQztJQUNILENBQUM7SUFFRCxDQUFDLGtCQUFrQixDQUFDO1FBQ2xCLE1BQU0sRUFBRSxnQkFBZ0IsRUFBRSxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7UUFDM0QsK0JBQStCO1FBQy9CLE1BQU0sT0FBTyxHQUFHLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxPQUFPLElBQUksSUFBSSxDQUFDLE9BQU8sQ0FBQyxNQUFNLElBQUksRUFBRSxDQUFDLENBQUMsV0FBVyxFQUFFLENBQUM7UUFFbEYsSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ2IsS0FBSyxDQUFDLGdDQUFnQyxDQUFDLENBQUM7WUFDeEMsSUFBSSxDQUFDLGVBQWUsQ0FBQyxDQUFDLGdDQUFnQyxDQUFDLENBQUM7WUFDeEQsT0FBTyxnQ0FBZ0MsQ0FBQztRQUMxQyxDQUFDO1FBRUQsTUFBTSxJQUFJLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxPQUFPLEVBQUUsTUFBTSxDQUFDLENBQUM7UUFDL0MsTUFBTSxVQUFVLEdBQUcsZ0JBQWdCLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUN0RCxJQUFJLENBQUMsSUFBSSxJQUFJLENBQUMsS0FBSyxDQUFDLFlBQVksQ0FBQyxJQUFJLEVBQUUsVUFBVSxDQUFDLEVBQUUsQ0FBQztZQUNuRCxLQUFLLENBQUMsZ0NBQWdDLENBQUMsQ0FBQztZQUN4QyxJQUFJLENBQUMsZUFBZSxDQUFDLENBQUMsZ0NBQWdDLENBQUMsQ0FBQztZQUN4RCxPQUFPLGdDQUFnQyxDQUFDO1FBQzFDLENBQUM7SUFDSCxDQUFDO0lBRUQsQ0FBQyxlQUFlLENBQUMsQ0FBQyxHQUFXO1FBQzNCLElBQUksSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsR0FBRyxLQUFLLE9BQU8sRUFBRSxDQUFDO1lBQ3BDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsR0FBRyw4REFBOEQsQ0FBQyxDQUFDO1FBQ3pGLENBQUM7SUFDSCxDQUFDO0lBRUQsS0FBSyxDQUFDLFFBQVEsQ0FDWixHQUF5QixFQUFFLE9BQTJCO1FBQ3RELE9BQU8sTUFBTSxJQUFJLENBQUMsR0FBRyxDQUFDLFFBQVEsQ0FBSSxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDbEQsQ0FBQztJQUVELGNBQWMsQ0FBQyxHQUFXLEVBQUUsR0FBWTtRQUN0QyxJQUFJLENBQUMsUUFBUSxDQUFDLGNBQWMsQ0FBQyxHQUFHLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFDekMsQ0FBQztDQUNGIn0=

package/dist/esm/app/extend/helper.d.ts

@@ -1,12 +0,0 @@
-declare const _default: {
-    cliFilter: typeof import("../../lib/helper/cliFilter.js").default;
-    escape: typeof import("escape-html");
-    escapeShellArg: typeof import("../../lib/helper/escapeShellArg.js").default;
-    escapeShellCmd: typeof import("../../lib/helper/escapeShellCmd.js").default;
-    shtml: typeof import("../../lib/helper/shtml.js").default;
-    sjs: typeof import("../../lib/helper/sjs.js").default;
-    sjson: typeof import("../../lib/helper/sjson.js").default;
-    spath: typeof import("../../lib/helper/spath.js").default;
-    surl: typeof import("../../lib/helper/surl.js").default;
-};
-export default _default;

package/dist/esm/app/extend/helper.js

@@ -1,5 +0,0 @@
-import helpers from '../../lib/helper/index.js';
-export default {
-    ...helpers,
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGVscGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2FwcC9leHRlbmQvaGVscGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sT0FBTyxNQUFNLDJCQUEyQixDQUFDO0FBRWhELGVBQWU7SUFDYixHQUFHLE9BQU87Q0FDWCxDQUFDIn0=

package/dist/esm/app/extend/response.d.ts

@@ -1,41 +0,0 @@
-import { Response as KoaResponse } from '@eggjs/core';
-import SecurityContext from './context.js';
-export default class SecurityResponse extends KoaResponse {
-    ctx: SecurityContext;
-    /**
-     * This is an unsafe redirection, and we WON'T check if the
-     * destination url is safe or not.
-     * Please DO NOT use this method unless in some very special cases,
-     * otherwise there may be security vulnerabilities.
-     *
-     * @function Response#unsafeRedirect
-     * @param {String} url URL to forward
-     * @example
-     * ```js
-     * ctx.response.unsafeRedirect('http://www.domain.com');
-     * ctx.unsafeRedirect('http://www.domain.com');
-     * ```
-     */
-    unsafeRedirect(url: string, alt?: string): void;
-    /**
-     * A safe redirection, and we'll check if the URL is in
-     * a safe domain or not.
-     * We've overridden the default Koa's implementation by adding a
-     * white list as the filter for that.
-     *
-     * @function Response#redirect
-     * @param {String} url URL to forward
-     * @example
-     * ```js
-     * ctx.response.redirect('/login');
-     * ctx.redirect('/login');
-     * ```
-     */
-    redirect(url: string, alt?: string): void;
-}
-declare module '@eggjs/core' {
-    interface Response {
-        unsafeRedirect(url: string, alt?: string): void;
-        redirect(url: string, alt?: string): void;
-    }
-}

package/dist/esm/app/extend/response.js

@@ -1,82 +0,0 @@
-import { Response as KoaResponse } from '@eggjs/core';
-const unsafeRedirect = KoaResponse.prototype.redirect;
-export default class SecurityResponse extends KoaResponse {
-    /**
-     * This is an unsafe redirection, and we WON'T check if the
-     * destination url is safe or not.
-     * Please DO NOT use this method unless in some very special cases,
-     * otherwise there may be security vulnerabilities.
-     *
-     * @function Response#unsafeRedirect
-     * @param {String} url URL to forward
-     * @example
-     * ```js
-     * ctx.response.unsafeRedirect('http://www.domain.com');
-     * ctx.unsafeRedirect('http://www.domain.com');
-     * ```
-     */
-    unsafeRedirect(url, alt) {
-        unsafeRedirect.call(this, url, alt);
-    }
-    // app.response.unsafeRedirect = app.response.redirect;
-    // delegate(app.context, 'response').method('unsafeRedirect');
-    /**
-     * A safe redirection, and we'll check if the URL is in
-     * a safe domain or not.
-     * We've overridden the default Koa's implementation by adding a
-     * white list as the filter for that.
-     *
-     * @function Response#redirect
-     * @param {String} url URL to forward
-     * @example
-     * ```js
-     * ctx.response.redirect('/login');
-     * ctx.redirect('/login');
-     * ```
-     */
-    redirect(url, alt) {
-        url = (url || '/').trim();
-        // Process with `//`
-        if (url[0] === '/' && url[1] === '/') {
-            url = '/';
-        }
-        // if begin with '/', it means an internal jump
-        if (url[0] === '/' && url[1] !== '\\') {
-            this.unsafeRedirect(url, alt);
-            return;
-        }
-        let urlObject;
-        try {
-            urlObject = new URL(url);
-        }
-        catch {
-            url = '/';
-            this.unsafeRedirect(url);
-            return;
-        }
-        const domainWhiteList = this.app.config.security.domainWhiteList;
-        if (urlObject.protocol !== 'http:' && urlObject.protocol !== 'https:') {
-            url = '/';
-        }
-        else if (!urlObject.hostname) {
-            url = '/';
-        }
-        else {
-            if (domainWhiteList && domainWhiteList.length !== 0) {
-                if (!this.ctx.isSafeDomain(urlObject.hostname)) {
-                    const message = `a security problem has been detected for url "${url}", redirection is prohibited.`;
-                    if (process.env.NODE_ENV === 'production') {
-                        this.app.coreLogger.warn('[@eggjs/security/response/redirect] %s', message);
-                        url = '/';
-                    }
-                    else {
-                        // Exception will be thrown out in a non-PROD env.
-                        return this.ctx.throw(500, message);
-                    }
-                }
-            }
-        }
-        this.unsafeRedirect(url);
-    }
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicmVzcG9uc2UuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXBwL2V4dGVuZC9yZXNwb25zZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsUUFBUSxJQUFJLFdBQVcsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUd0RCxNQUFNLGNBQWMsR0FBRyxXQUFXLENBQUMsU0FBUyxDQUFDLFFBQVEsQ0FBQztBQUV0RCxNQUFNLENBQUMsT0FBTyxPQUFPLGdCQUFpQixTQUFRLFdBQVc7SUFHdkQ7Ozs7Ozs7Ozs7Ozs7T0FhRztJQUNILGNBQWMsQ0FBQyxHQUFXLEVBQUUsR0FBWTtRQUN0QyxjQUFjLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxHQUFHLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFDdEMsQ0FBQztJQUVELHVEQUF1RDtJQUN2RCw4REFBOEQ7SUFDOUQ7Ozs7Ozs7Ozs7Ozs7T0FhRztJQUNILFFBQVEsQ0FBQyxHQUFXLEVBQUUsR0FBWTtRQUNoQyxHQUFHLEdBQUcsQ0FBQyxHQUFHLElBQUksR0FBRyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUM7UUFFMUIsb0JBQW9CO1FBQ3BCLElBQUksR0FBRyxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUcsSUFBSSxHQUFHLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxFQUFFLENBQUM7WUFDckMsR0FBRyxHQUFHLEdBQUcsQ0FBQztRQUNaLENBQUM7UUFFRCwrQ0FBK0M7UUFDL0MsSUFBSSxHQUFHLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxJQUFJLEdBQUcsQ0FBQyxDQUFDLENBQUMsS0FBSyxJQUFJLEVBQUUsQ0FBQztZQUN0QyxJQUFJLENBQUMsY0FBYyxDQUFDLEdBQUcsRUFBRSxHQUFHLENBQUMsQ0FBQztZQUM5QixPQUFPO1FBQ1QsQ0FBQztRQUVELElBQUksU0FBYyxDQUFDO1FBQ25CLElBQUksQ0FBQztZQUNILFNBQVMsR0FBRyxJQUFJLEdBQUcsQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUMzQixDQUFDO1FBQUMsTUFBTSxDQUFDO1lBQ1AsR0FBRyxHQUFHLEdBQUcsQ0FBQztZQUNWLElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLENBQUM7WUFDekIsT0FBTztRQUNULENBQUM7UUFFRCxNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsZUFBZSxDQUFDO1FBQ2pFLElBQUksU0FBUyxDQUFDLFFBQVEsS0FBSyxPQUFPLElBQUksU0FBUyxDQUFDLFFBQVEsS0FBSyxRQUFRLEVBQUUsQ0FBQztZQUN0RSxHQUFHLEdBQUcsR0FBRyxDQUFDO1FBQ1osQ0FBQzthQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDL0IsR0FBRyxHQUFHLEdBQUcsQ0FBQztRQUNaLENBQUM7YUFBTSxDQUFDO1lBQ04sSUFBSSxlQUFlLElBQUksZUFBZSxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztnQkFDcEQsSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO29CQUMvQyxNQUFNLE9BQU8sR0FBRyxpREFBaUQsR0FBRywrQkFBK0IsQ0FBQztvQkFDcEcsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLFFBQVEsS0FBSyxZQUFZLEVBQUUsQ0FBQzt3QkFDMUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLHdDQUF3QyxFQUFFLE9BQU8sQ0FBQyxDQUFDO3dCQUM1RSxHQUFHLEdBQUcsR0FBRyxDQUFDO29CQUNaLENBQUM7eUJBQU0sQ0FBQzt3QkFDTixrREFBa0Q7d0JBQ2xELE9BQU8sSUFBSSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsR0FBRyxFQUFFLE9BQU8sQ0FBQyxDQUFDO29CQUN0QyxDQUFDO2dCQUNILENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQztRQUNELElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDM0IsQ0FBQztDQUNGIn0=

package/dist/esm/app/middleware/securities.d.ts

@@ -1,4 +0,0 @@
-import compose from 'koa-compose';
-import { EggCore } from '@eggjs/core';
-declare const _default: (_: unknown, app: EggCore) => compose.ComposedMiddleware<import("@eggjs/core").Context>;
-export default _default;

package/dist/esm/app/middleware/securities.js

@@ -1,50 +0,0 @@
-import assert from 'node:assert';
-import compose from 'koa-compose';
-import { pathMatching } from 'egg-path-matching';
-import securityMiddlewares from '../../lib/middlewares/index.js';
-export default (_, app) => {
-    const options = app.config.security;
-    const middlewares = [];
-    const defaultMiddlewares = typeof options.defaultMiddleware === 'string'
-        ? options.defaultMiddleware.split(',').map(m => m.trim()).filter(m => !!m)
-        : options.defaultMiddleware;
-    if (options.match || options.ignore) {
-        app.coreLogger.warn('[@eggjs/security/middleware/securities] Please set `match` or `ignore` on sub config');
-    }
-    // format csrf.cookieDomain
-    const originalCookieDomain = options.csrf.cookieDomain;
-    if (originalCookieDomain && typeof originalCookieDomain !== 'function') {
-        options.csrf.cookieDomain = () => originalCookieDomain;
-    }
-    defaultMiddlewares.forEach(middlewareName => {
-        const opt = Reflect.get(options, middlewareName);
-        if (opt === false) {
-            app.coreLogger.warn('[egg-security] Please use `config.security.%s = { enable: false }` instead of `config.security.%s = false`', middlewareName, middlewareName);
-        }
-        assert(opt === false || typeof opt === 'object', `config.security.${middlewareName} must be an object, or false(if you turn it off)`);
-        if (opt === false || opt && opt.enable === false) {
-            return;
-        }
-        if (middlewareName === 'csrf' && opt.useSession && !app.plugins.session) {
-            throw new Error('csrf.useSession enabled, but session plugin is disabled');
-        }
-        // use opt.match first (compatibility)
-        if (opt.match && opt.ignore) {
-            app.coreLogger.warn('[@eggjs/security/middleware/securities] `options.match` and `options.ignore` are both set, using `options.match`');
-            opt.ignore = undefined;
-        }
-        if (!opt.ignore && opt.blackUrls) {
-            app.deprecate('[@eggjs/security/middleware/securities] Please use `config.security.xframe.ignore` instead, `config.security.xframe.blackUrls` will be removed very soon');
-            opt.ignore = opt.blackUrls;
-        }
-        // set matching function to security middleware options
-        opt.matching = pathMatching(opt);
-        const createMiddleware = securityMiddlewares[middlewareName];
-        const fn = createMiddleware(opt);
-        middlewares.push(fn);
-        app.coreLogger.info('[@eggjs/security/middleware/securities] use %s middleware', middlewareName);
-    });
-    app.coreLogger.info('[@eggjs/security/middleware/securities] compose %d middlewares into one security middleware', middlewares.length);
-    return compose(middlewares);
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VjdXJpdGllcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hcHAvbWlkZGxld2FyZS9zZWN1cml0aWVzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sTUFBTSxNQUFNLGFBQWEsQ0FBQztBQUNqQyxPQUFPLE9BQU8sTUFBTSxhQUFhLENBQUM7QUFDbEMsT0FBTyxFQUFFLFlBQVksRUFBRSxNQUFNLG1CQUFtQixDQUFDO0FBRWpELE9BQU8sbUJBQW1CLE1BQU0sZ0NBQWdDLENBQUM7QUFHakUsZUFBZSxDQUFDLENBQVUsRUFBRSxHQUFZLEVBQUUsRUFBRTtJQUMxQyxNQUFNLE9BQU8sR0FBRyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQztJQUNwQyxNQUFNLFdBQVcsR0FBcUIsRUFBRSxDQUFDO0lBQ3pDLE1BQU0sa0JBQWtCLEdBQUcsT0FBTyxPQUFPLENBQUMsaUJBQWlCLEtBQUssUUFBUTtRQUN0RSxDQUFDLENBQUMsT0FBTyxDQUFDLGlCQUFpQixDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUE2QjtRQUN0RyxDQUFDLENBQUMsT0FBTyxDQUFDLGlCQUFpQixDQUFDO0lBRTlCLElBQUksT0FBTyxDQUFDLEtBQUssSUFBSSxPQUFPLENBQUMsTUFBTSxFQUFFLENBQUM7UUFDcEMsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsc0ZBQXNGLENBQUMsQ0FBQztJQUM5RyxDQUFDO0lBRUQsMkJBQTJCO0lBQzNCLE1BQU0sb0JBQW9CLEdBQUcsT0FBTyxDQUFDLElBQUksQ0FBQyxZQUFZLENBQUM7SUFDdkQsSUFBSSxvQkFBb0IsSUFBSSxPQUFPLG9CQUFvQixLQUFLLFVBQVUsRUFBRSxDQUFDO1FBQ3ZFLE9BQU8sQ0FBQyxJQUFJLENBQUMsWUFBWSxHQUFHLEdBQUcsRUFBRSxDQUFDLG9CQUFvQixDQUFDO0lBQ3pELENBQUM7SUFFRCxrQkFBa0IsQ0FBQyxPQUFPLENBQUMsY0FBYyxDQUFDLEVBQUU7UUFDMUMsTUFBTSxHQUFHLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsY0FBYyxDQUFRLENBQUM7UUFDeEQsSUFBSSxHQUFHLEtBQUssS0FBSyxFQUFFLENBQUM7WUFDbEIsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsNEdBQTRHLEVBQUUsY0FBYyxFQUFFLGNBQWMsQ0FBQyxDQUFDO1FBQ3BLLENBQUM7UUFFRCxNQUFNLENBQUMsR0FBRyxLQUFLLEtBQUssSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQzdDLG1CQUFtQixjQUFjLGtEQUFrRCxDQUFDLENBQUM7UUFFdkYsSUFBSSxHQUFHLEtBQUssS0FBSyxJQUFJLEdBQUcsSUFBSSxHQUFHLENBQUMsTUFBTSxLQUFLLEtBQUssRUFBRSxDQUFDO1lBQ2pELE9BQU87UUFDVCxDQUFDO1FBRUQsSUFBSSxjQUFjLEtBQUssTUFBTSxJQUFJLEdBQUcsQ0FBQyxVQUFVLElBQUksQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ3hFLE1BQU0sSUFBSSxLQUFLLENBQUMseURBQXlELENBQUMsQ0FBQztRQUM3RSxDQUFDO1FBRUQsc0NBQXNDO1FBQ3RDLElBQUksR0FBRyxDQUFDLEtBQUssSUFBSSxHQUFHLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDNUIsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsa0hBQWtILENBQUMsQ0FBQztZQUN4SSxHQUFHLENBQUMsTUFBTSxHQUFHLFNBQVMsQ0FBQztRQUN6QixDQUFDO1FBQ0QsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLElBQUksR0FBRyxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ2pDLEdBQUcsQ0FBQyxTQUFTLENBQUMsMEpBQTBKLENBQUMsQ0FBQztZQUMxSyxHQUFHLENBQUMsTUFBTSxHQUFHLEdBQUcsQ0FBQyxTQUFTLENBQUM7UUFDN0IsQ0FBQztRQUNELHVEQUF1RDtRQUN2RCxHQUFHLENBQUMsUUFBUSxHQUFHLFlBQVksQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUVqQyxNQUFNLGdCQUFnQixHQUFHLG1CQUFtQixDQUFDLGNBQWMsQ0FBQyxDQUFDO1FBQzdELE1BQU0sRUFBRSxHQUFHLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQ2pDLFdBQVcsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLENBQUM7UUFDckIsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsMkRBQTJELEVBQUUsY0FBYyxDQUFDLENBQUM7SUFDbkcsQ0FBQyxDQUFDLENBQUM7SUFFSCxHQUFHLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyw2RkFBNkYsRUFDL0csV0FBVyxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ3RCLE9BQU8sT0FBTyxDQUFDLFdBQVcsQ0FBQyxDQUFDO0FBQzlCLENBQUMsQ0FBQyJ9

package/dist/esm/app.d.ts

@@ -1,6 +0,0 @@
-import type { ILifecycleBoot, EggCore } from '@eggjs/core';
-export default class AppBoot implements ILifecycleBoot {
-    private readonly app;
-    constructor(app: EggCore);
-    configWillLoad(): void;
-}

package/dist/esm/app.js

@@ -1,26 +0,0 @@
-import { preprocessConfig } from './lib/utils.js';
-import { SecurityConfig } from './config/config.default.js';
-export default class AppBoot {
-    app;
-    constructor(app) {
-        this.app = app;
-    }
-    configWillLoad() {
-        const app = this.app;
-        app.config.coreMiddleware.push('securities');
-        // parse config and check if config is legal
-        const parsed = SecurityConfig.parse(app.config.security);
-        if (typeof app.config.security.csrf === 'boolean') {
-            // support old config: `config.security.csrf = false`
-            app.config.security.csrf = parsed.csrf;
-        }
-        if (app.config.security.csrf.enable) {
-            const { ignoreJSON } = app.config.security.csrf;
-            if (ignoreJSON) {
-                app.deprecate('[@eggjs/security/app] `config.security.csrf.ignoreJSON` is not safe now, please disable it.');
-            }
-        }
-        preprocessConfig(app.config.security);
-    }
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXBwLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2FwcC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLEVBQUUsZ0JBQWdCLEVBQUUsTUFBTSxnQkFBZ0IsQ0FBQztBQUNsRCxPQUFPLEVBQUUsY0FBYyxFQUFFLE1BQU0sNEJBQTRCLENBQUM7QUFFNUQsTUFBTSxDQUFDLE9BQU8sT0FBTyxPQUFPO0lBQ1QsR0FBRyxDQUFDO0lBRXJCLFlBQVksR0FBWTtRQUN0QixJQUFJLENBQUMsR0FBRyxHQUFHLEdBQUcsQ0FBQztJQUNqQixDQUFDO0lBRUQsY0FBYztRQUNaLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUM7UUFDckIsR0FBRyxDQUFDLE1BQU0sQ0FBQyxjQUFjLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUFDO1FBQzdDLDRDQUE0QztRQUM1QyxNQUFNLE1BQU0sR0FBRyxjQUFjLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDekQsSUFBSSxPQUFPLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksS0FBSyxTQUFTLEVBQUUsQ0FBQztZQUNsRCxxREFBcUQ7WUFDckQsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUM7UUFDekMsQ0FBQztRQUVELElBQUksR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ3BDLE1BQU0sRUFBRSxVQUFVLEVBQUUsR0FBRyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7WUFDaEQsSUFBSSxVQUFVLEVBQUUsQ0FBQztnQkFDZixHQUFHLENBQUMsU0FBUyxDQUFDLDZGQUE2RixDQUFDLENBQUM7WUFDL0csQ0FBQztRQUNILENBQUM7UUFFRCxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxDQUFDO0lBQ3hDLENBQUM7Q0FDRiJ9