@eggjs/security 5.0.0-beta.15 → 5.0.0-beta.18

package/dist/app/extend/agent.d.ts

@@ -5,10 +5,5 @@ import { Agent } from "egg";
 declare class SecurityAgent extends Agent {
   safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
 }
-declare module 'egg' {
-  interface Agent {
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-  }
-}
 //#endregion
 export { SecurityAgent as default };

package/dist/app/extend/application.d.ts

@@ -8,13 +8,5 @@ declare class SecurityApplication extends Application {
   injectHijackingDefense(html: string): string;
   safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
 }
-declare module 'egg' {
-  interface Application {
-    injectCsrf(html: string): string;
-    injectNonce(html: string): string;
-    injectHijackingDefense(html: string): string;
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-  }
-}
 //#endregion
 export { SecurityApplication as default };

package/dist/app/extend/context.d.ts

@@ -1,6 +1,6 @@
-import SecurityResponse from "./response.js";
-import { SecurityConfig, SecurityHelperConfig } from "../../config/config.default.js";
+import { SecurityConfig } from "../../config/config.default.js";
 import { HttpClientOptions, HttpClientRequestURL, HttpClientResponse } from "../../lib/extend/safe_curl.js";
+import SecurityResponse from "./response.js";
 import { Context } from "egg";
 
 //#region src/app/extend/context.d.ts
@@ -57,18 +57,5 @@ declare class SecurityContext extends Context {
   safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
   unsafeRedirect(url: string, alt?: string): void;
 }
-declare module 'egg' {
-  interface Context {
-    get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
-    isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
-    get nonce(): string;
-    get csrf(): string;
-    ensureCsrfSecret(rotate?: boolean): void;
-    rotateCsrfSecret(): void;
-    assertCsrf(): void;
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-    unsafeRedirect(url: string, alt?: string): void;
-  }
-}
 //#endregion
 export { SecurityContext as default };

package/dist/app/extend/response.d.ts

@@ -35,11 +35,5 @@ declare class SecurityResponse extends Response {
    */
   redirect(url: string, alt?: string): void;
 }
-declare module 'egg' {
-  interface Response {
-    unsafeRedirect(url: string, alt?: string): void;
-    redirect(url: string, alt?: string): void;
-  }
-}
 //#endregion
 export { SecurityResponse as default };

package/dist/app/middleware/securities.d.ts

@@ -1,8 +1,8 @@
-import * as egg9 from "egg";
+import * as egg0 from "egg";
 import { Application } from "egg";
 import compose from "koa-compose";
 
 //#region src/app/middleware/securities.d.ts
-declare const _default: (_: unknown, app: Application) => compose.ComposedMiddleware<egg9.Context>;
+declare const _default: (_: unknown, app: Application) => compose.ComposedMiddleware<egg0.Context>;
 //#endregion
 export { _default as default };

package/dist/config/config.default.d.ts

@@ -59,10 +59,6 @@ declare const IgnoreOrMatch: z.ZodUnion<[z.ZodString, z.ZodType<RegExp, z.ZodTyp
 type IgnoreOrMatch = z.infer<typeof IgnoreOrMatch>;
 declare const IgnoreOrMatchOption: z.ZodOptional<z.ZodUnion<[z.ZodUnion<[z.ZodString, z.ZodType<RegExp, z.ZodTypeDef, RegExp>, z.ZodFunction<z.ZodTuple<[z.ZodType<Context, z.ZodTypeDef, Context>], z.ZodUnknown>, z.ZodBoolean>]>, z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodType<RegExp, z.ZodTypeDef, RegExp>, z.ZodFunction<z.ZodTuple<[z.ZodType<Context, z.ZodTypeDef, Context>], z.ZodUnknown>, z.ZodBoolean>]>, "many">]>>;
 type IgnoreOrMatchOption = z.infer<typeof IgnoreOrMatchOption>;
-/**
- * security options
- * @member Config#security
- */
 declare const SecurityConfig: z.ZodObject<{
   /**
    * domain white list
@@ -549,8 +545,6 @@ declare const SecurityConfig: z.ZodObject<{
   ignore: z.ZodOptional<z.ZodUnion<[z.ZodUnion<[z.ZodString, z.ZodType<RegExp, z.ZodTypeDef, RegExp>, z.ZodFunction<z.ZodTuple<[z.ZodType<Context, z.ZodTypeDef, Context>], z.ZodUnknown>, z.ZodBoolean>]>, z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodType<RegExp, z.ZodTypeDef, RegExp>, z.ZodFunction<z.ZodTuple<[z.ZodType<Context, z.ZodTypeDef, Context>], z.ZodUnknown>, z.ZodBoolean>]>, "many">]>>;
   __protocolWhiteListSet: z.ZodReadonly<z.ZodOptional<z.ZodSet<z.ZodString>>>;
 }, "strip", z.ZodTypeAny, {
-  domainWhiteList: string[];
-  protocolWhiteList: string[];
   csrf: {
     type: "ctoken" | "referer" | "all" | "any";
     enable: boolean;
@@ -623,6 +617,8 @@ declare const SecurityConfig: z.ZodObject<{
     match?: string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean) | (string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean))[] | undefined;
     ignore?: string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean) | (string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean))[] | undefined;
   };
+  domainWhiteList: string[];
+  protocolWhiteList: string[];
   defaultMiddleware: string | ("csrf" | "hsts" | "methodnoallow" | "noopen" | "nosniff" | "csp" | "xssProtection" | "xframe" | "dta")[];
   referrerPolicy: {
     value: string;
@@ -646,8 +642,6 @@ declare const SecurityConfig: z.ZodObject<{
   ignore?: string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean) | (string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean))[] | undefined;
   __protocolWhiteListSet?: ReadonlySet<string> | undefined;
 }, {
-  domainWhiteList?: string[] | undefined;
-  protocolWhiteList?: string[] | undefined;
   csrf?: unknown;
   hsts?: {
     match?: string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean) | (string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean))[] | undefined;
@@ -696,6 +690,8 @@ declare const SecurityConfig: z.ZodObject<{
     ignore?: string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean) | (string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean))[] | undefined;
     enable?: boolean | undefined;
   } | undefined;
+  domainWhiteList?: string[] | undefined;
+  protocolWhiteList?: string[] | undefined;
   defaultMiddleware?: string | ("csrf" | "hsts" | "methodnoallow" | "noopen" | "nosniff" | "csp" | "xssProtection" | "xframe" | "dta")[] | undefined;
   match?: string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean) | (string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean))[] | undefined;
   ignore?: string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean) | (string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean))[] | undefined;
@@ -765,8 +761,6 @@ declare const SecurityHelperConfig: z.ZodObject<{
 type SecurityHelperConfig = z.infer<typeof SecurityHelperConfig>;
 declare const _default: {
   security: {
-    domainWhiteList: string[];
-    protocolWhiteList: string[];
     csrf: {
       type: "ctoken" | "referer" | "all" | "any";
       enable: boolean;
@@ -839,6 +833,8 @@ declare const _default: {
       match?: string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean) | (string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean))[] | undefined;
       ignore?: string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean) | (string | RegExp | ((args_0: Context, ...args: unknown[]) => boolean))[] | undefined;
     };
+    domainWhiteList: string[];
+    protocolWhiteList: string[];
     defaultMiddleware: string | ("csrf" | "hsts" | "methodnoallow" | "noopen" | "nosniff" | "csp" | "xssProtection" | "xframe" | "dta")[];
     referrerPolicy: {
       value: string;

package/dist/config/config.default.js

@@ -37,10 +37,6 @@ const IgnoreOrMatch = z.union([
 	IgnoreOrMatchHandler
 ]);
 const IgnoreOrMatchOption = z.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional();
-/**
-* security options
-* @member Config#security
-*/
 const SecurityConfig = z.object({
 	domainWhiteList: z.array(z.string()).default([]),
 	protocolWhiteList: z.array(z.string()).default([]),

package/dist/index.js

@@ -1,3 +1,5 @@
-import "./types.js";
+import "./app/extend/application.js";
+import "./app/extend/context.js";
+import "./app/extend/response.js";
 
 export {  };

package/dist/lib/extend/safe_curl.d.ts

@@ -1,5 +1,5 @@
 import { SSRFCheckAddressFunction } from "../../config/config.default.js";
-import * as egg10 from "egg";
+import * as egg0 from "egg";
 import { EggApplicationCore } from "egg";
 
 //#region src/lib/extend/safe_curl.d.ts
@@ -15,6 +15,6 @@ type HttpClientResponse<T = any> = Awaited<ReturnType<HttpClient['prototype']['r
 /**
  * safe curl with ssrf protection
  */
-declare function safeCurlForApplication<T = any>(app: EggApplicationCore, url: HttpClientRequestURL, options?: HttpClientOptions): Promise<egg10.HttpClientResponse<T>>;
+declare function safeCurlForApplication<T = any>(app: EggApplicationCore, url: HttpClientRequestURL, options?: HttpClientOptions): Promise<egg0.HttpClientResponse<T>>;
 //#endregion
 export { HttpClientOptions, HttpClientRequestURL, HttpClientResponse, safeCurlForApplication };

package/dist/lib/middlewares/index.d.ts

@@ -1,18 +1,18 @@
 import { SecurityConfig } from "../../config/config.default.js";
-import * as egg0 from "egg";
+import * as egg1 from "egg";
 
 //#region src/lib/middlewares/index.d.ts
 declare const _default: {
-  csp: (options: SecurityConfig["csp"]) => egg0.MiddlewareFunc;
-  csrf: (options: SecurityConfig["csrf"]) => egg0.MiddlewareFunc;
-  dta: () => egg0.MiddlewareFunc;
-  hsts: (options: SecurityConfig["hsts"]) => egg0.MiddlewareFunc;
-  methodnoallow: () => egg0.MiddlewareFunc;
-  noopen: (options: SecurityConfig["noopen"]) => egg0.MiddlewareFunc;
-  nosniff: (options: SecurityConfig["nosniff"]) => egg0.MiddlewareFunc;
-  referrerPolicy: (options: SecurityConfig["referrerPolicy"]) => egg0.MiddlewareFunc;
-  xframe: (options: SecurityConfig["xframe"]) => egg0.MiddlewareFunc;
-  xssProtection: (options: SecurityConfig["xssProtection"]) => egg0.MiddlewareFunc;
+  csp: (options: SecurityConfig["csp"]) => egg1.MiddlewareFunc;
+  csrf: (options: SecurityConfig["csrf"]) => egg1.MiddlewareFunc;
+  dta: () => egg1.MiddlewareFunc;
+  hsts: (options: SecurityConfig["hsts"]) => egg1.MiddlewareFunc;
+  methodnoallow: () => egg1.MiddlewareFunc;
+  noopen: (options: SecurityConfig["noopen"]) => egg1.MiddlewareFunc;
+  nosniff: (options: SecurityConfig["nosniff"]) => egg1.MiddlewareFunc;
+  referrerPolicy: (options: SecurityConfig["referrerPolicy"]) => egg1.MiddlewareFunc;
+  xframe: (options: SecurityConfig["xframe"]) => egg1.MiddlewareFunc;
+  xssProtection: (options: SecurityConfig["xssProtection"]) => egg1.MiddlewareFunc;
 };
 //#endregion
 export { _default as default };

package/dist/types.d.ts

@@ -1,12 +1,38 @@
-import { CSRFSupportRequestItem, IgnoreOrMatch, IgnoreOrMatchHandler, IgnoreOrMatchOption, LookupAddress, SSRFCheckAddressFunction, SecurityConfig, SecurityHelperConfig, SecurityHelperOnTagAttrHandler, SecurityMiddlewareName } from "./config/config.default.js";
+import { SecurityConfig, SecurityHelperConfig } from "./config/config.default.js";
+import { HttpClientOptions, HttpClientRequestURL, HttpClientResponse } from "./lib/extend/safe_curl.js";
 
 //#region src/types.d.ts
-
 declare module 'egg' {
   interface EggAppConfig {
+    /**
+     * security options
+     * @member Config#security
+     */
     security: SecurityConfig;
     helper: SecurityHelperConfig;
   }
-}
-//#endregion
-export { CSRFSupportRequestItem, IgnoreOrMatch, IgnoreOrMatchHandler, IgnoreOrMatchOption, LookupAddress, SSRFCheckAddressFunction, SecurityConfig, SecurityHelperConfig, SecurityHelperOnTagAttrHandler, SecurityMiddlewareName };
+  interface Agent {
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+  }
+  interface Application {
+    injectCsrf(html: string): string;
+    injectNonce(html: string): string;
+    injectHijackingDefense(html: string): string;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+  }
+  interface Context {
+    get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
+    isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
+    get nonce(): string;
+    get csrf(): string;
+    ensureCsrfSecret(rotate?: boolean): void;
+    rotateCsrfSecret(): void;
+    assertCsrf(): void;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+    unsafeRedirect(url: string, alt?: string): void;
+  }
+  interface Response {
+    unsafeRedirect(url: string, alt?: string): void;
+    redirect(url: string, alt?: string): void;
+  }
+}

package/dist/types.js

@@ -1,5 +1 @@
-import "./app/extend/application.js";
-import "./app/extend/context.js";
-import "./app/extend/response.js";
-
 export {  };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eggjs/security",
-  "version": "5.0.0-beta.15",
+  "version": "5.0.0-beta.18",
   "type": "module",
   "publishConfig": {
     "access": "public"
@@ -78,13 +78,13 @@
     "extend": "^3.0.2",
     "koa-compose": "^4.1.0",
     "matcher": "^4.0.0",
-    "nanoid": "^3.3.8",
+    "nanoid": "^5.0.0",
     "type-is": "^2.0.0",
     "xss": "^1.0.15",
     "zod": "^3.24.1"
   },
   "peerDependencies": {
-    "egg": "4.1.0-beta.15"
+    "egg": "4.1.0-beta.18"
   },
   "devDependencies": {
     "@types/escape-html": "^1.0.4",
@@ -100,9 +100,9 @@
     "tsdown": "^0.15.4",
     "typescript": "5.9.2",
     "vitest": "4.0.0-beta.13",
-    "@eggjs/supertest": "9.0.0-beta.15",
-    "@eggjs/tsconfig": "3.1.0-beta.15",
-    "@eggjs/mock": "7.0.0-beta.15"
+    "@eggjs/mock": "7.0.0-beta.18",
+    "@eggjs/supertest": "9.0.0-beta.18",
+    "@eggjs/tsconfig": "3.1.0-beta.18"
   },
   "files": [
     "dist"