@eggjs/security 4.0.1 → 5.0.0-beta.15

package/dist/config/config.default.js

@@ -0,0 +1,170 @@
+import z from "zod";
+import { Context } from "egg";
+
+//#region src/config/config.default.ts
+const CSRFSupportRequestItem = z.object({
+	path: z.instanceof(RegExp),
+	methods: z.array(z.string())
+});
+const LookupAddress = z.object({
+	address: z.string(),
+	family: z.number()
+});
+const LookupAddressAndStringArray = z.union([z.string(), LookupAddress]).array();
+const SSRFCheckAddressFunction = z.function().args(z.union([
+	z.string(),
+	LookupAddress,
+	LookupAddressAndStringArray
+]), z.union([z.number(), z.string()]), z.string()).returns(z.boolean());
+const SecurityMiddlewareName = z.enum([
+	"csrf",
+	"hsts",
+	"methodnoallow",
+	"noopen",
+	"nosniff",
+	"csp",
+	"xssProtection",
+	"xframe",
+	"dta"
+]);
+/**
+* (ctx) => boolean
+*/
+const IgnoreOrMatchHandler = z.function().args(z.instanceof(Context)).returns(z.boolean());
+const IgnoreOrMatch = z.union([
+	z.string(),
+	z.instanceof(RegExp),
+	IgnoreOrMatchHandler
+]);
+const IgnoreOrMatchOption = z.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional();
+/**
+* security options
+* @member Config#security
+*/
+const SecurityConfig = z.object({
+	domainWhiteList: z.array(z.string()).default([]),
+	protocolWhiteList: z.array(z.string()).default([]),
+	defaultMiddleware: z.union([z.string(), z.array(SecurityMiddlewareName)]).default(SecurityMiddlewareName.options),
+	csrf: z.preprocess((val) => {
+		if (typeof val === "boolean") return { enable: val };
+		return val;
+	}, z.object({
+		match: IgnoreOrMatchOption,
+		ignore: IgnoreOrMatchOption,
+		enable: z.boolean().default(true),
+		type: z.enum([
+			"ctoken",
+			"referer",
+			"all",
+			"any"
+		]).default("ctoken"),
+		ignoreJSON: z.boolean().default(false),
+		cookieName: z.union([z.string(), z.array(z.string())]).default("csrfToken"),
+		sessionName: z.string().default("csrfToken"),
+		headerName: z.string().default("x-csrf-token"),
+		bodyName: z.union([z.string(), z.array(z.string())]).default("_csrf"),
+		queryName: z.union([z.string(), z.array(z.string())]).default("_csrf"),
+		rotateWhenInvalid: z.boolean().default(false),
+		useSession: z.boolean().default(false),
+		cookieDomain: z.union([z.string(), z.function().args(z.instanceof(Context)).returns(z.string())]).optional(),
+		supportedRequests: z.array(CSRFSupportRequestItem).default([{
+			path: /^\//,
+			methods: [
+				"POST",
+				"PATCH",
+				"DELETE",
+				"PUT",
+				"CONNECT"
+			]
+		}]),
+		refererWhiteList: z.array(z.string()).default([]),
+		cookieOptions: z.object({
+			signed: z.boolean(),
+			httpOnly: z.boolean(),
+			overwrite: z.boolean()
+		}).default({
+			signed: false,
+			httpOnly: false,
+			overwrite: true
+		})
+	}).default({})),
+	xframe: z.object({
+		match: IgnoreOrMatchOption,
+		ignore: IgnoreOrMatchOption,
+		enable: z.boolean().default(true),
+		value: z.string().default("SAMEORIGIN")
+	}).default({}),
+	hsts: z.object({
+		match: IgnoreOrMatchOption,
+		ignore: IgnoreOrMatchOption,
+		enable: z.boolean().default(false),
+		maxAge: z.number().default(365 * 24 * 3600),
+		includeSubdomains: z.boolean().default(false)
+	}).default({}),
+	methodnoallow: z.object({
+		match: IgnoreOrMatchOption,
+		ignore: IgnoreOrMatchOption,
+		enable: z.boolean().default(true)
+	}).default({}),
+	noopen: z.object({
+		match: IgnoreOrMatchOption,
+		ignore: IgnoreOrMatchOption,
+		enable: z.boolean().default(true)
+	}).default({}),
+	nosniff: z.object({
+		match: IgnoreOrMatchOption,
+		ignore: IgnoreOrMatchOption,
+		enable: z.boolean().default(true)
+	}).default({}),
+	xssProtection: z.object({
+		match: IgnoreOrMatchOption,
+		ignore: IgnoreOrMatchOption,
+		enable: z.boolean().default(true),
+		value: z.coerce.string().default("1; mode=block")
+	}).default({}),
+	csp: z.object({
+		match: IgnoreOrMatchOption,
+		ignore: IgnoreOrMatchOption,
+		enable: z.boolean().default(false),
+		policy: z.record(z.union([
+			z.string(),
+			z.array(z.string()),
+			z.boolean()
+		])).default({}),
+		reportOnly: z.boolean().optional(),
+		supportIE: z.boolean().optional()
+	}).default({}),
+	referrerPolicy: z.object({
+		match: IgnoreOrMatchOption,
+		ignore: IgnoreOrMatchOption,
+		enable: z.boolean().default(false),
+		value: z.string().default("no-referrer-when-downgrade")
+	}).default({}),
+	dta: z.object({
+		match: IgnoreOrMatchOption,
+		ignore: IgnoreOrMatchOption,
+		enable: z.boolean().default(true)
+	}).default({}),
+	ssrf: z.object({
+		ipBlackList: z.array(z.string()).optional(),
+		ipExceptionList: z.array(z.string()).optional(),
+		hostnameExceptionList: z.array(z.string()).optional(),
+		checkAddress: SSRFCheckAddressFunction.optional()
+	}).default({}),
+	match: z.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional(),
+	ignore: z.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional(),
+	__protocolWhiteListSet: z.set(z.string()).optional().readonly()
+});
+const SecurityHelperOnTagAttrHandler = z.function().args(z.string(), z.string(), z.string(), z.boolean()).returns(z.union([z.string(), z.void()]));
+const SecurityHelperConfig = z.object({ shtml: z.object({
+	whiteList: z.record(z.array(z.string())).optional(),
+	domainWhiteList: z.array(z.string()).optional(),
+	onTagAttr: SecurityHelperOnTagAttrHandler.optional()
+}).default({}) });
+var config_default_default = {
+	security: SecurityConfig.parse({}),
+	helper: SecurityHelperConfig.parse({})
+};
+
+//#endregion
+export { LookupAddress, SecurityConfig, SecurityHelperConfig, SecurityMiddlewareName, config_default_default as default };

package/dist/config/config.local.d.ts

@@ -0,0 +1,6 @@
+import { PartialEggConfig } from "egg";
+
+//#region src/config/config.local.d.ts
+declare const _default: PartialEggConfig;
+//#endregion
+export { _default as default };

package/dist/config/config.local.js

@@ -0,0 +1,5 @@
+//#region src/config/config.local.ts
+var config_local_default = { security: { hsts: { enable: false } } };
+
+//#endregion
+export { config_local_default as default };

package/dist/index.d.ts

@@ -0,0 +1 @@
+export { };

package/dist/index.js

@@ -0,0 +1,3 @@
+import "./types.js";
+
+export {  };

package/dist/lib/extend/safe_curl.d.ts

@@ -0,0 +1,20 @@
+import { SSRFCheckAddressFunction } from "../../config/config.default.js";
+import * as egg10 from "egg";
+import { EggApplicationCore } from "egg";
+
+//#region src/lib/extend/safe_curl.d.ts
+type HttpClient = EggApplicationCore['HttpClient'];
+type HttpClientParameters = Parameters<HttpClient['prototype']['request']>;
+type HttpClientRequestURL = HttpClientParameters[0];
+type HttpClientOptions = HttpClientParameters[1] & {
+  checkAddress?: SSRFCheckAddressFunction;
+};
+type HttpClientResponse<T = any> = Awaited<ReturnType<HttpClient['prototype']['request']>> & {
+  data: T;
+};
+/**
+ * safe curl with ssrf protection
+ */
+declare function safeCurlForApplication<T = any>(app: EggApplicationCore, url: HttpClientRequestURL, options?: HttpClientOptions): Promise<egg10.HttpClientResponse<T>>;
+//#endregion
+export { HttpClientOptions, HttpClientRequestURL, HttpClientResponse, safeCurlForApplication };

package/dist/lib/extend/safe_curl.js

@@ -0,0 +1,19 @@
+//#region src/lib/extend/safe_curl.ts
+const SSRF_HTTPCLIENT = Symbol("SSRF_HTTPCLIENT");
+/**
+* safe curl with ssrf protection
+*/
+async function safeCurlForApplication(app, url, options = {}) {
+	const ssrfConfig = app.config.security.ssrf;
+	if (ssrfConfig?.checkAddress) options.checkAddress = ssrfConfig.checkAddress;
+	else app.logger.warn("[@eggjs/security] please configure `config.security.ssrf` first");
+	if (ssrfConfig?.checkAddress) {
+		let httpClient = app[SSRF_HTTPCLIENT];
+		if (!httpClient) httpClient = app[SSRF_HTTPCLIENT] = app.createHttpClient({ checkAddress: ssrfConfig.checkAddress });
+		return await httpClient.request(url, options);
+	}
+	return await app.curl(url, options);
+}
+
+//#endregion
+export { safeCurlForApplication };

package/dist/lib/helper/cliFilter.d.ts

@@ -0,0 +1,7 @@
+//#region src/lib/helper/cliFilter.d.ts
+/**
+ * remote command execution
+ */
+declare function cliFilter(text: string): string;
+//#endregion
+export { cliFilter as default };

package/dist/lib/helper/cliFilter.js

@@ -0,0 +1,18 @@
+//#region src/lib/helper/cliFilter.ts
+/**
+* remote command execution
+*/
+const BASIC_ALPHABETS = new Set("abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ.-_".split(""));
+function cliFilter(text) {
+	const str = "" + text;
+	let res = "";
+	let ascii;
+	for (let index = 0; index < str.length; index++) {
+		ascii = str[index];
+		if (BASIC_ALPHABETS.has(ascii)) res += ascii;
+	}
+	return res;
+}
+
+//#endregion
+export { cliFilter as default };

package/dist/lib/helper/escape.d.ts

@@ -0,0 +1,2 @@
+import escapeHTML from "escape-html";
+export { escapeHTML as default };

package/dist/lib/helper/escape.js

@@ -0,0 +1,7 @@
+import escapeHTML from "escape-html";
+
+//#region src/lib/helper/escape.ts
+var escape_default = escapeHTML;
+
+//#endregion
+export { escape_default as default };

package/dist/lib/helper/escapeShellArg.d.ts

@@ -0,0 +1,4 @@
+//#region src/lib/helper/escapeShellArg.d.ts
+declare function escapeShellArg(text: string): string;
+//#endregion
+export { escapeShellArg as default };

package/dist/lib/helper/escapeShellArg.js

@@ -0,0 +1,7 @@
+//#region src/lib/helper/escapeShellArg.ts
+function escapeShellArg(text) {
+	return "'" + ("" + text).replace(/\\/g, "\\\\").replace(/'/g, "\\'") + "'";
+}
+
+//#endregion
+export { escapeShellArg as default };

package/dist/lib/helper/escapeShellCmd.d.ts

@@ -0,0 +1,4 @@
+//#region src/lib/helper/escapeShellCmd.d.ts
+declare function escapeShellCmd(text: string): string;
+//#endregion
+export { escapeShellCmd as default };

package/dist/lib/helper/escapeShellCmd.js

@@ -0,0 +1,15 @@
+//#region src/lib/helper/escapeShellCmd.ts
+const BASIC_ALPHABETS = new Set("#&;`|*?~<>^()[]{}$;'\",\nÿ".split(""));
+function escapeShellCmd(text) {
+	const str = "" + text;
+	let res = "";
+	let ascii;
+	for (let index = 0; index < str.length; index++) {
+		ascii = str[index];
+		if (!BASIC_ALPHABETS.has(ascii)) res += ascii;
+	}
+	return res;
+}
+
+//#endregion
+export { escapeShellCmd as default };

package/dist/lib/helper/index.d.ts

@@ -0,0 +1,24 @@
+import cliFilter from "./cliFilter.js";
+import escapeShellArg from "./escapeShellArg.js";
+import escapeShellCmd from "./escapeShellCmd.js";
+import shtml from "./shtml.js";
+import escapeJavaScript from "./sjs.js";
+import jsonEscape from "./sjson.js";
+import pathFilter from "./spath.js";
+import surl from "./surl.js";
+import escapeHTML from "./escape.js";
+
+//#region src/lib/helper/index.d.ts
+declare const _default: {
+  cliFilter: typeof cliFilter;
+  escape: typeof escapeHTML;
+  escapeShellArg: typeof escapeShellArg;
+  escapeShellCmd: typeof escapeShellCmd;
+  shtml: typeof shtml;
+  sjs: typeof escapeJavaScript;
+  sjson: typeof jsonEscape;
+  spath: typeof pathFilter;
+  surl: typeof surl;
+};
+//#endregion
+export { _default as default };

package/dist/lib/helper/index.js

@@ -0,0 +1,25 @@
+import cliFilter from "./cliFilter.js";
+import escape_default from "./escape.js";
+import escapeShellArg from "./escapeShellArg.js";
+import escapeShellCmd from "./escapeShellCmd.js";
+import shtml from "./shtml.js";
+import escapeJavaScript from "./sjs.js";
+import jsonEscape from "./sjson.js";
+import pathFilter from "./spath.js";
+import surl from "./surl.js";
+
+//#region src/lib/helper/index.ts
+var helper_default = {
+	cliFilter,
+	escape: escape_default,
+	escapeShellArg,
+	escapeShellCmd,
+	shtml,
+	sjs: escapeJavaScript,
+	sjson: jsonEscape,
+	spath: pathFilter,
+	surl
+};
+
+//#endregion
+export { helper_default as default };

package/dist/lib/helper/shtml.d.ts

@@ -0,0 +1,6 @@
+import { BaseContextClass } from "egg";
+
+//#region src/lib/helper/shtml.d.ts
+declare function shtml(this: BaseContextClass, val: string): string;
+//#endregion
+export { shtml as default };

package/dist/lib/helper/shtml.js

@@ -0,0 +1,53 @@
+import { getFromUrl, isSafeDomain } from "../utils.js";
+import xss from "xss";
+
+//#region src/lib/helper/shtml.ts
+const BUILD_IN_ON_TAG_ATTR = Symbol("buildInOnTagAttr");
+function shtml(val) {
+	if (typeof val !== "string") return val;
+	const securityOptions = this.ctx.securityOptions;
+	const shtmlConfig = {
+		...this.app.config.helper.shtml,
+		...securityOptions.shtml,
+		[BUILD_IN_ON_TAG_ATTR]: void 0
+	};
+	const domainWhiteList = this.app.config.security.domainWhiteList;
+	const app = this.app;
+	if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
+		shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
+			if (isWhiteAttr && (name === "href" || name === "src")) {
+				if (!value) return;
+				value = String(value);
+				if (value[0] === "/" || value[0] === "#") return;
+				const hostname = getFromUrl(value, "hostname");
+				if (!hostname) return;
+				if (!isSafeDomain(hostname, domainWhiteList)) if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
+					app.deprecate("[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.");
+					if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) return "";
+				} else return "";
+			}
+		};
+		if (shtmlConfig.onTagAttr) {
+			const customOnTagAttrHandler = shtmlConfig.onTagAttr;
+			shtmlConfig.onTagAttr = function(tag, name, value, isWhiteAttr) {
+				const result = customOnTagAttrHandler.apply(this, [
+					tag,
+					name,
+					value,
+					isWhiteAttr
+				]);
+				if (result !== void 0) return result;
+				return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [
+					tag,
+					name,
+					value,
+					isWhiteAttr
+				]);
+			};
+		} else shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
+	}
+	return xss(val, shtmlConfig);
+}
+
+//#endregion
+export { shtml as default };

package/dist/lib/helper/sjs.d.ts

@@ -0,0 +1,7 @@
+//#region src/lib/helper/sjs.d.ts
+/**
+ * Escape JavaScript to \xHH format
+ */
+declare function escapeJavaScript(text: string): string;
+//#endregion
+export { escapeJavaScript as default };

package/dist/lib/helper/sjs.js

@@ -0,0 +1,36 @@
+//#region src/lib/helper/sjs.ts
+/**
+* Escape JavaScript to \xHH format
+*/
+const MATCH_VULNERABLE_REGEXP = /[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/;
+const BASIC_ALPHABETS = new Set("abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ".split(""));
+const map = {
+	"	": "\\t",
+	"\n": "\\n",
+	"\r": "\\r"
+};
+function escapeJavaScript(text) {
+	const str = "" + text;
+	const match = MATCH_VULNERABLE_REGEXP.exec(str);
+	if (!match) return str;
+	let res = "";
+	let index = 0;
+	let lastIndex = 0;
+	let ascii;
+	for (index = match.index; index < str.length; index++) {
+		ascii = str[index];
+		if (BASIC_ALPHABETS.has(ascii)) continue;
+		else if (map[ascii] === void 0) {
+			const code = ascii.charCodeAt(0);
+			if (code > 127) continue;
+			else map[ascii] = "\\x" + code.toString(16);
+		}
+		if (lastIndex !== index) res += str.substring(lastIndex, index);
+		lastIndex = index + 1;
+		res += map[ascii];
+	}
+	return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
+}
+
+//#endregion
+export { escapeJavaScript as default };

package/dist/lib/helper/sjson.d.ts

@@ -0,0 +1,4 @@
+//#region src/lib/helper/sjson.d.ts
+declare function jsonEscape(obj: any): string;
+//#endregion
+export { jsonEscape as default };

package/dist/lib/helper/sjson.js

@@ -0,0 +1,32 @@
+import escapeJavaScript from "./sjs.js";
+
+//#region src/lib/helper/sjson.ts
+/**
+* escape json
+* for output json in script
+*/
+function sanitizeKey(obj) {
+	if (typeof obj !== "object") return obj;
+	if (Array.isArray(obj)) return obj;
+	if (obj === null) return null;
+	if (typeof obj === "boolean") return obj;
+	if (typeof obj === "number") return obj;
+	if (Buffer.isBuffer(obj)) return obj.toString();
+	for (const k in obj) {
+		const escapedK = escapeJavaScript(k);
+		if (escapedK !== k) {
+			obj[escapedK] = sanitizeKey(obj[k]);
+			obj[k] = void 0;
+		} else obj[k] = sanitizeKey(obj[k]);
+	}
+	return obj;
+}
+function jsonEscape(obj) {
+	return JSON.stringify(sanitizeKey(obj), (_k, v) => {
+		if (typeof v === "string") return escapeJavaScript(v);
+		return v;
+	});
+}
+
+//#endregion
+export { jsonEscape as default };

package/dist/lib/helper/spath.d.ts

@@ -0,0 +1,7 @@
+import { BaseContextClass } from "egg";
+
+//#region src/lib/helper/spath.d.ts
+
+declare function pathFilter(this: BaseContextClass, path: string): string | null;
+//#endregion
+export { pathFilter as default };

package/dist/lib/helper/spath.js

@@ -0,0 +1,16 @@
+//#region src/lib/helper/spath.ts
+function pathFilter(path) {
+	if (typeof path !== "string") return path;
+	const pathSource = path;
+	while (path.indexOf("%") !== -1) try {
+		path = decodeURIComponent(path);
+	} catch {
+		if (process.env.NODE_ENV !== "production") this.ctx.coreLogger.warn("[@eggjs/security/lib/helper/spath] : decode file path %j failed.", path);
+		break;
+	}
+	if (path.indexOf("..") !== -1 || path[0] === "/") return null;
+	return pathSource;
+}
+
+//#endregion
+export { pathFilter as default };

package/dist/lib/helper/surl.d.ts

@@ -0,0 +1,6 @@
+import { BaseContextClass } from "egg";
+
+//#region src/lib/helper/surl.d.ts
+declare function surl(this: BaseContextClass, val: string): string;
+//#endregion
+export { surl as default };

package/dist/lib/helper/surl.js

@@ -0,0 +1,25 @@
+//#region src/lib/helper/surl.ts
+const escapeMap = {
+	"\"": """,
+	"<": "&lt;",
+	">": "&gt;",
+	"'": "&#x27;"
+};
+function surl(val) {
+	const protocolWhiteListSet = this.app.config.security.__protocolWhiteListSet;
+	if (typeof val !== "string") return val;
+	if (val[0] !== "/") {
+		const arr = val.split("://", 2);
+		const protocol = arr.length > 1 ? arr[0].toLowerCase() : "";
+		if (protocol === "" || !protocolWhiteListSet.has(protocol)) {
+			if (this.app.config.env === "local") this.ctx.coreLogger.warn("[@eggjs/security/surl] url: %j, protocol: %j, protocol is empty or not in white list, convert to empty string", val, protocol);
+			return "";
+		}
+	}
+	return val.replace(/["'<>]/g, (ch) => {
+		return escapeMap[ch];
+	});
+}
+
+//#endregion
+export { surl as default };

package/dist/lib/middlewares/csp.d.ts

@@ -0,0 +1,7 @@
+import { SecurityConfig } from "../../config/config.default.js";
+import { MiddlewareFunc } from "egg";
+
+//#region src/lib/middlewares/csp.d.ts
+declare const _default: (options: SecurityConfig["csp"]) => MiddlewareFunc;
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/csp.js

@@ -0,0 +1,46 @@
+import { checkIfIgnore } from "../utils.js";
+import extend from "extend";
+
+//#region src/lib/middlewares/csp.ts
+const HEADER = ["x-content-security-policy", "content-security-policy"];
+const REPORT_ONLY_HEADER = ["x-content-security-policy-report-only", "content-security-policy-report-only"];
+const MSIE_REGEXP = / MSIE /i;
+var csp_default = (options) => {
+	return async function csp(ctx, next) {
+		await next();
+		const opts = {
+			...options,
+			...ctx.securityOptions.csp
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		let finalHeader;
+		const matchedOption = extend(true, {}, opts.policy);
+		const bufArray = [];
+		const headers = opts.reportOnly ? REPORT_ONLY_HEADER : HEADER;
+		if (opts.supportIE && MSIE_REGEXP.test(ctx.get("user-agent"))) finalHeader = headers[0];
+		else finalHeader = headers[1];
+		for (const key in matchedOption) {
+			const value = matchedOption[key];
+			if (key === "sandbox" && value === true) bufArray.push(key);
+			else {
+				let values = Array.isArray(value) ? value : [value];
+				if (key === "script-src") {
+					if (!values.some(function(val) {
+						return val.indexOf("nonce-") !== -1;
+					})) values.push("'nonce-" + ctx.nonce + "'");
+				}
+				values = values.map(function(d) {
+					if (d.startsWith(".")) d = "*" + d;
+					return d;
+				});
+				bufArray.push(key + " " + values.join(" "));
+			}
+		}
+		const headerString = bufArray.join(";");
+		ctx.set(finalHeader, headerString);
+		ctx.set("x-csp-nonce", ctx.nonce);
+	};
+};
+
+//#endregion
+export { csp_default as default };

package/dist/lib/middlewares/csrf.d.ts

@@ -0,0 +1,7 @@
+import { SecurityConfig } from "../../config/config.default.js";
+import { MiddlewareFunc } from "egg";
+
+//#region src/lib/middlewares/csrf.d.ts
+declare const _default: (options: SecurityConfig["csrf"]) => MiddlewareFunc;
+//#endregion
+export { _default as default };

package/dist/lib/middlewares/csrf.js

@@ -0,0 +1,33 @@
+import { checkIfIgnore } from "../utils.js";
+import { debuglog } from "node:util";
+import typeis from "type-is";
+
+//#region src/lib/middlewares/csrf.ts
+const debug = debuglog("egg/security/lib/middlewares/csrf");
+var csrf_default = (options) => {
+	return function csrf(ctx, next) {
+		if (checkIfIgnore(options, ctx)) return next();
+		if ([
+			"any",
+			"all",
+			"ctoken"
+		].includes(options.type)) ctx.ensureCsrfSecret();
+		const method = ctx.method;
+		let isSupported = false;
+		for (const eachRule of options.supportedRequests) if (eachRule.path.test(ctx.path)) {
+			if (eachRule.methods.includes(method)) {
+				isSupported = true;
+				break;
+			}
+		}
+		if (!isSupported) return next();
+		if (options.ignoreJSON && typeis.is(ctx.get("content-type"), "json")) return next();
+		const body = ctx.request.body;
+		debug("%s %s, got %j", ctx.method, ctx.url, body);
+		ctx.assertCsrf();
+		return next();
+	};
+};
+
+//#endregion
+export { csrf_default as default };