@eggjs/security 5.0.0-beta.19 → 5.0.0-beta.20

package/dist/lib/middlewares/xssProtection.js

@@ -1,17 +1,4 @@
-import { checkIfIgnore } from "../utils.js";
+import "../../utils-Cajs5P8M.js";
+import { xssProtection_default } from "../../xssProtection-D5QsHX-e.js";
 
-//#region src/lib/middlewares/xssProtection.ts
-var xssProtection_default = (options) => {
-	return async function xssProtection(ctx, next) {
-		await next();
-		const opts = {
-			...options,
-			...ctx.securityOptions.xssProtection
-		};
-		if (checkIfIgnore(opts, ctx)) return;
-		ctx.set("x-xss-protection", opts.value);
-	};
-};
-
-//#endregion
 export { xssProtection_default as default };

package/dist/lib/utils.d.ts

@@ -1,4 +1,4 @@
-import { SecurityConfig } from "../config/config.default.js";
+import { SecurityConfig } from "../config.default-D8v08Vox.js";
 import { Context } from "egg";
 import { PathMatchingFun } from "egg-path-matching";
 

package/dist/lib/utils.js

@@ -1,127 +1,3 @@
-import { normalize } from "node:path";
-import matcher from "matcher";
-import IP from "@eggjs/ip";
+import { checkIfIgnore, getCookieDomain, getFromUrl, isSafeDomain, isSafePath, merge, preprocessConfig } from "../utils-Cajs5P8M.js";
 
-//#region src/lib/utils.ts
-/**
-* Check whether a domain is in the safe domain white list or not.
-* @param {String} domain The inputted domain.
-* @param {Array<string>} whiteList The white list for domain.
-* @return {Boolean} If the `domain` is in the white list, return true; otherwise false.
-*/
-function isSafeDomain(domain, whiteList) {
-	if (typeof domain !== "string") return false;
-	domain = domain.toLowerCase();
-	const hostname = "." + domain;
-	return whiteList.some((rule) => {
-		if (rule.includes("*")) return matcher.isMatch(domain, rule);
-		if (domain === rule) return true;
-		if (!rule.startsWith(".")) rule = `.${rule}`;
-		return hostname.endsWith(rule);
-	});
-}
-function isSafePath(path, ctx) {
-	path = "." + path;
-	if (path.includes("%")) try {
-		path = decodeURIComponent(path);
-	} catch {
-		if (ctx.app.config.env === "local" || ctx.app.config.env === "unittest") ctx.coreLogger.warn("[@eggjs/security: dta global block] : decode file path %j failed.", path);
-	}
-	const normalizePath = normalize(path);
-	return !(normalizePath.startsWith("../") || normalizePath.startsWith("..\\"));
-}
-function checkIfIgnore(opts, ctx) {
-	if (!opts.enable) return true;
-	return !opts.matching?.(ctx);
-}
-const IP_RE = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
-const topDomains = {};
-[
-	".net.cn",
-	".gov.cn",
-	".org.cn",
-	".com.cn"
-].forEach((item) => {
-	topDomains[item] = 2 - item.split(".").length;
-});
-function getCookieDomain(hostname) {
-	if (IP_RE.test(hostname)) return hostname;
-	const splits = hostname.split(".");
-	let index = -2;
-	if (splits.length >= 4 && splits[splits.length - 3] === "test") index = -3;
-	let domain = getDomain(splits, index);
-	if (topDomains[domain]) domain = getDomain(splits, index + topDomains[domain]);
-	return domain;
-}
-function getDomain(splits, index) {
-	return "." + splits.slice(index).join(".");
-}
-function merge(origin, opts) {
-	if (!opts) return origin;
-	const res = {};
-	const originKeys = Object.keys(origin);
-	for (let i = 0; i < originKeys.length; i++) {
-		const key = originKeys[i];
-		res[key] = origin[key];
-	}
-	const keys = Object.keys(opts);
-	for (let i = 0; i < keys.length; i++) {
-		const key = keys[i];
-		res[key] = opts[key];
-	}
-	return res;
-}
-function preprocessConfig(config) {
-	const ssrf = config.ssrf;
-	if (ssrf && ssrf.ipBlackList && !ssrf.checkAddress) {
-		const blackList = ssrf.ipBlackList.map(getContains);
-		const exceptionList = (ssrf.ipExceptionList || []).map(getContains);
-		const hostnameExceptionList = ssrf.hostnameExceptionList;
-		ssrf.checkAddress = (ipAddresses, _family, hostname) => {
-			if (hostname && hostnameExceptionList) {
-				if (hostnameExceptionList.includes(hostname)) return true;
-			}
-			if (!Array.isArray(ipAddresses)) ipAddresses = [ipAddresses];
-			for (const ipAddress of ipAddresses) {
-				let address;
-				if (typeof ipAddress === "string") address = ipAddress;
-				else {
-					if (ipAddress.family === 6) continue;
-					address = ipAddress.address;
-				}
-				for (const exception of exceptionList) if (exception(address)) return true;
-				for (const contains of blackList) if (contains(address)) return false;
-			}
-			return true;
-		};
-	}
-	config.domainWhiteList = config.domainWhiteList || [];
-	config.domainWhiteList = config.domainWhiteList.map((domain) => domain.toLowerCase());
-	config.protocolWhiteList = config.protocolWhiteList || [];
-	config.protocolWhiteList = config.protocolWhiteList.map((protocol) => protocol.toLowerCase());
-	if (config.csrf && config.csrf.refererWhiteList) config.csrf.refererWhiteList = config.csrf.refererWhiteList.map((ref) => ref.toLowerCase());
-	const protocolWhiteListSet = new Set(config.protocolWhiteList);
-	protocolWhiteListSet.add("http");
-	protocolWhiteListSet.add("https");
-	protocolWhiteListSet.add("file");
-	protocolWhiteListSet.add("data");
-	Object.defineProperty(config, "__protocolWhiteListSet", {
-		value: protocolWhiteListSet,
-		enumerable: false
-	});
-}
-function getFromUrl(url, prop) {
-	try {
-		const parsed = new URL(url);
-		return Reflect.get(parsed, prop);
-	} catch {
-		return null;
-	}
-}
-function getContains(ip) {
-	if (IP.isV4Format(ip) || IP.isV6Format(ip)) return (address) => address === ip;
-	return IP.cidrSubnet(ip).contains;
-}
-
-//#endregion
 export { checkIfIgnore, getCookieDomain, getFromUrl, isSafeDomain, isSafePath, merge, preprocessConfig };

package/dist/methodnoallow-BAZONArS.js

@@ -0,0 +1,15 @@
+import { METHODS } from "node:http";
+
+//#region src/lib/middlewares/methodnoallow.ts
+const METHODS_NOT_ALLOWED = ["TRACE", "TRACK"];
+const safeHttpMethodsMap = {};
+for (const method of METHODS) if (!METHODS_NOT_ALLOWED.includes(method)) safeHttpMethodsMap[method.toUpperCase()] = true;
+var methodnoallow_default = () => {
+	return function notAllow(ctx, next) {
+		if (!safeHttpMethodsMap[ctx.method]) ctx.throw(405);
+		return next();
+	};
+};
+
+//#endregion
+export { methodnoallow_default };

package/dist/middlewares-CkQjv8t0.js

@@ -0,0 +1,27 @@
+import { csp_default } from "./csp-BW5AJd_f.js";
+import { csrf_default } from "./csrf-9aSLHiby.js";
+import { dta_default } from "./dta-DVAKEpJ3.js";
+import { hsts_default } from "./hsts-CWMKNTEh.js";
+import { methodnoallow_default } from "./methodnoallow-BAZONArS.js";
+import { noopen_default } from "./noopen-C3jUBwoH.js";
+import { nosniff_default } from "./nosniff-CcLkhX2I.js";
+import { referrerPolicy_default } from "./referrerPolicy-D4Uafq6c.js";
+import { xframe_default } from "./xframe-q9fEZkVI.js";
+import { xssProtection_default } from "./xssProtection-D5QsHX-e.js";
+
+//#region src/lib/middlewares/index.ts
+var middlewares_default = {
+	csp: csp_default,
+	csrf: csrf_default,
+	dta: dta_default,
+	hsts: hsts_default,
+	methodnoallow: methodnoallow_default,
+	noopen: noopen_default,
+	nosniff: nosniff_default,
+	referrerPolicy: referrerPolicy_default,
+	xframe: xframe_default,
+	xssProtection: xssProtection_default
+};
+
+//#endregion
+export { middlewares_default };

package/dist/noopen-C3jUBwoH.js

@@ -0,0 +1,17 @@
+import { checkIfIgnore } from "./utils-Cajs5P8M.js";
+
+//#region src/lib/middlewares/noopen.ts
+var noopen_default = (options) => {
+	return async function noopen(ctx, next) {
+		await next();
+		const opts = {
+			...options,
+			...ctx.securityOptions.noopen
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		ctx.set("x-download-options", "noopen");
+	};
+};
+
+//#endregion
+export { noopen_default };

package/dist/nosniff-CcLkhX2I.js

@@ -0,0 +1,27 @@
+import { checkIfIgnore } from "./utils-Cajs5P8M.js";
+
+//#region src/lib/middlewares/nosniff.ts
+const RedirectStatus = {
+	300: true,
+	301: true,
+	302: true,
+	303: true,
+	305: true,
+	307: true,
+	308: true
+};
+var nosniff_default = (options) => {
+	return async function nosniff(ctx, next) {
+		await next();
+		if (RedirectStatus[ctx.status]) return;
+		const opts = {
+			...options,
+			...ctx.securityOptions.nosniff
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		ctx.set("x-content-type-options", "nosniff");
+	};
+};
+
+//#endregion
+export { nosniff_default };

package/dist/referrerPolicy-D4Uafq6c.js

@@ -0,0 +1,31 @@
+import { checkIfIgnore } from "./utils-Cajs5P8M.js";
+
+//#region src/lib/middlewares/referrerPolicy.ts
+const ALLOWED_POLICIES_ENUM = [
+	"no-referrer",
+	"no-referrer-when-downgrade",
+	"origin",
+	"origin-when-cross-origin",
+	"same-origin",
+	"strict-origin",
+	"strict-origin-when-cross-origin",
+	"unsafe-url",
+	""
+];
+var referrerPolicy_default = (options) => {
+	return async function referrerPolicy(ctx, next) {
+		await next();
+		const opts = {
+			...options,
+			...ctx.securityOptions.refererPolicy,
+			...ctx.securityOptions.referrerPolicy
+		};
+		if (checkIfIgnore(opts, ctx)) return;
+		const policy = opts.value;
+		if (!ALLOWED_POLICIES_ENUM.includes(policy)) throw new Error(`"${policy}" is not available.`);
+		ctx.set("referrer-policy", policy);
+	};
+};
+
+//#endregion
+export { referrerPolicy_default };

package/dist/response-BFnHAJrV.js

@@ -0,0 +1,69 @@
+import { Response } from "egg";
+
+//#region src/app/extend/response.ts
+const unsafeRedirect = Response.prototype.redirect;
+var SecurityResponse = class extends Response {
+	/**
+	* This is an unsafe redirection, and we WON'T check if the
+	* destination url is safe or not.
+	* Please DO NOT use this method unless in some very special cases,
+	* otherwise there may be security vulnerabilities.
+	*
+	* @function Response#unsafeRedirect
+	* @param {String} url URL to forward
+	* @example
+	* ```js
+	* ctx.response.unsafeRedirect('http://www.domain.com');
+	* ctx.unsafeRedirect('http://www.domain.com');
+	* ```
+	*/
+	unsafeRedirect(url, alt) {
+		unsafeRedirect.call(this, url, alt);
+	}
+	/**
+	* A safe redirection, and we'll check if the URL is in
+	* a safe domain or not.
+	* We've overridden the default Koa's implementation by adding a
+	* white list as the filter for that.
+	*
+	* @function Response#redirect
+	* @param {String} url URL to forward
+	* @example
+	* ```js
+	* ctx.response.redirect('/login');
+	* ctx.redirect('/login');
+	* ```
+	*/
+	redirect(url, alt) {
+		url = (url || "/").trim();
+		if (url[0] === "/" && url[1] === "/") url = "/";
+		if (url[0] === "/" && url[1] !== "\\") {
+			this.unsafeRedirect(url, alt);
+			return;
+		}
+		let urlObject;
+		try {
+			urlObject = new URL(url);
+		} catch {
+			url = "/";
+			this.unsafeRedirect(url);
+			return;
+		}
+		const domainWhiteList = this.app.config.security.domainWhiteList;
+		if (urlObject.protocol !== "http:" && urlObject.protocol !== "https:") url = "/";
+		else if (!urlObject.hostname) url = "/";
+		else if (domainWhiteList && domainWhiteList.length !== 0) {
+			if (!this.ctx.isSafeDomain(urlObject.hostname)) {
+				const message = `a security problem has been detected for url "${url}", redirection is prohibited.`;
+				if (process.env.NODE_ENV === "production") {
+					this.app.coreLogger.warn("[@eggjs/security/response/redirect] %s", message);
+					url = "/";
+				} else return this.ctx.throw(500, message);
+			}
+		}
+		this.unsafeRedirect(url);
+	}
+};
+
+//#endregion
+export { SecurityResponse };

package/dist/safe_curl-UlViaxoF.js

@@ -0,0 +1,19 @@
+//#region src/lib/extend/safe_curl.ts
+const SSRF_HTTPCLIENT = Symbol("SSRF_HTTPCLIENT");
+/**
+* safe curl with ssrf protection
+*/
+async function safeCurlForApplication(app, url, options = {}) {
+	const ssrfConfig = app.config.security.ssrf;
+	if (ssrfConfig?.checkAddress) options.checkAddress = ssrfConfig.checkAddress;
+	else app.logger.warn("[@eggjs/security] please configure `config.security.ssrf` first");
+	if (ssrfConfig?.checkAddress) {
+		let httpClient = app[SSRF_HTTPCLIENT];
+		if (!httpClient) httpClient = app[SSRF_HTTPCLIENT] = app.createHttpClient({ checkAddress: ssrfConfig.checkAddress });
+		return await httpClient.request(url, options);
+	}
+	return await app.curl(url, options);
+}
+
+//#endregion
+export { safeCurlForApplication };

package/dist/safe_curl-mqZZv_YQ.d.ts

@@ -0,0 +1,20 @@
+import { SSRFCheckAddressFunction } from "./config.default-D8v08Vox.js";
+import * as egg0 from "egg";
+import { EggApplicationCore } from "egg";
+
+//#region src/lib/extend/safe_curl.d.ts
+type HttpClient = EggApplicationCore['HttpClient'];
+type HttpClientParameters = Parameters<HttpClient['prototype']['request']>;
+type HttpClientRequestURL = HttpClientParameters[0];
+type HttpClientOptions = HttpClientParameters[1] & {
+  checkAddress?: SSRFCheckAddressFunction;
+};
+type HttpClientResponse<T = any> = Awaited<ReturnType<HttpClient['prototype']['request']>> & {
+  data: T;
+};
+/**
+ * safe curl with ssrf protection
+ */
+declare function safeCurlForApplication<T = any>(app: EggApplicationCore, url: HttpClientRequestURL, options?: HttpClientOptions): Promise<egg0.HttpClientResponse<T>>;
+//#endregion
+export { HttpClientOptions, HttpClientRequestURL, HttpClientResponse, safeCurlForApplication };

package/dist/shtml-CAquTzgV.d.ts

@@ -0,0 +1,6 @@
+import { BaseContextClass } from "egg";
+
+//#region src/lib/helper/shtml.d.ts
+declare function shtml(this: BaseContextClass, val: string): string;
+//#endregion
+export { shtml };

package/dist/shtml-CgF4kOx-.js

@@ -0,0 +1,53 @@
+import { getFromUrl, isSafeDomain } from "./utils-Cajs5P8M.js";
+import xss from "xss";
+
+//#region src/lib/helper/shtml.ts
+const BUILD_IN_ON_TAG_ATTR = Symbol("buildInOnTagAttr");
+function shtml(val) {
+	if (typeof val !== "string") return val;
+	const securityOptions = this.ctx.securityOptions;
+	const shtmlConfig = {
+		...this.app.config.helper.shtml,
+		...securityOptions.shtml,
+		[BUILD_IN_ON_TAG_ATTR]: void 0
+	};
+	const domainWhiteList = this.app.config.security.domainWhiteList;
+	const app = this.app;
+	if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
+		shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
+			if (isWhiteAttr && (name === "href" || name === "src")) {
+				if (!value) return;
+				value = String(value);
+				if (value[0] === "/" || value[0] === "#") return;
+				const hostname = getFromUrl(value, "hostname");
+				if (!hostname) return;
+				if (!isSafeDomain(hostname, domainWhiteList)) if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
+					app.deprecate("[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.");
+					if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) return "";
+				} else return "";
+			}
+		};
+		if (shtmlConfig.onTagAttr) {
+			const customOnTagAttrHandler = shtmlConfig.onTagAttr;
+			shtmlConfig.onTagAttr = function(tag, name, value, isWhiteAttr) {
+				const result = customOnTagAttrHandler.apply(this, [
+					tag,
+					name,
+					value,
+					isWhiteAttr
+				]);
+				if (result !== void 0) return result;
+				return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [
+					tag,
+					name,
+					value,
+					isWhiteAttr
+				]);
+			};
+		} else shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
+	}
+	return xss(val, shtmlConfig);
+}
+
+//#endregion
+export { shtml };

package/dist/sjs-Cbmkk5xS.js

@@ -0,0 +1,36 @@
+//#region src/lib/helper/sjs.ts
+/**
+* Escape JavaScript to \xHH format
+*/
+const MATCH_VULNERABLE_REGEXP = /[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/;
+const BASIC_ALPHABETS = new Set("abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ".split(""));
+const map = {
+	"	": "\\t",
+	"\n": "\\n",
+	"\r": "\\r"
+};
+function escapeJavaScript(text) {
+	const str = "" + text;
+	const match = MATCH_VULNERABLE_REGEXP.exec(str);
+	if (!match) return str;
+	let res = "";
+	let index = 0;
+	let lastIndex = 0;
+	let ascii;
+	for (index = match.index; index < str.length; index++) {
+		ascii = str[index];
+		if (BASIC_ALPHABETS.has(ascii)) continue;
+		else if (map[ascii] === void 0) {
+			const code = ascii.charCodeAt(0);
+			if (code > 127) continue;
+			else map[ascii] = "\\x" + code.toString(16);
+		}
+		if (lastIndex !== index) res += str.substring(lastIndex, index);
+		lastIndex = index + 1;
+		res += map[ascii];
+	}
+	return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
+}
+
+//#endregion
+export { escapeJavaScript };

package/dist/sjs-QZIJYS71.d.ts

@@ -0,0 +1,7 @@
+//#region src/lib/helper/sjs.d.ts
+/**
+ * Escape JavaScript to \xHH format
+ */
+declare function escapeJavaScript(text: string): string;
+//#endregion
+export { escapeJavaScript };

package/dist/sjson-BetFnVR6.js

@@ -0,0 +1,32 @@
+import { escapeJavaScript } from "./sjs-Cbmkk5xS.js";
+
+//#region src/lib/helper/sjson.ts
+/**
+* escape json
+* for output json in script
+*/
+function sanitizeKey(obj) {
+	if (typeof obj !== "object") return obj;
+	if (Array.isArray(obj)) return obj;
+	if (obj === null) return null;
+	if (typeof obj === "boolean") return obj;
+	if (typeof obj === "number") return obj;
+	if (Buffer.isBuffer(obj)) return obj.toString();
+	for (const k in obj) {
+		const escapedK = escapeJavaScript(k);
+		if (escapedK !== k) {
+			obj[escapedK] = sanitizeKey(obj[k]);
+			obj[k] = void 0;
+		} else obj[k] = sanitizeKey(obj[k]);
+	}
+	return obj;
+}
+function jsonEscape(obj) {
+	return JSON.stringify(sanitizeKey(obj), (_k, v) => {
+		if (typeof v === "string") return escapeJavaScript(v);
+		return v;
+	});
+}
+
+//#endregion
+export { jsonEscape };

package/dist/sjson-O-vKJPws.d.ts

@@ -0,0 +1,4 @@
+//#region src/lib/helper/sjson.d.ts
+declare function jsonEscape(obj: any): string;
+//#endregion
+export { jsonEscape };

package/dist/spath-Bu9sy6Kz.js

@@ -0,0 +1,16 @@
+//#region src/lib/helper/spath.ts
+function pathFilter(path) {
+	if (typeof path !== "string") return path;
+	const pathSource = path;
+	while (path.indexOf("%") !== -1) try {
+		path = decodeURIComponent(path);
+	} catch {
+		if (process.env.NODE_ENV !== "production") this.ctx.coreLogger.warn("[@eggjs/security/lib/helper/spath] : decode file path %j failed.", path);
+		break;
+	}
+	if (path.indexOf("..") !== -1 || path[0] === "/") return null;
+	return pathSource;
+}
+
+//#endregion
+export { pathFilter };

package/dist/spath-DseDPHxf.d.ts

@@ -0,0 +1,7 @@
+import { BaseContextClass } from "egg";
+
+//#region src/lib/helper/spath.d.ts
+
+declare function pathFilter(this: BaseContextClass, path: string): string | null;
+//#endregion
+export { pathFilter };

package/dist/surl-ClleTea7.js

@@ -0,0 +1,25 @@
+//#region src/lib/helper/surl.ts
+const escapeMap = {
+	"\"": """,
+	"<": "&lt;",
+	">": "&gt;",
+	"'": "&#x27;"
+};
+function surl(val) {
+	const protocolWhiteListSet = this.app.config.security.__protocolWhiteListSet;
+	if (typeof val !== "string") return val;
+	if (val[0] !== "/") {
+		const arr = val.split("://", 2);
+		const protocol = arr.length > 1 ? arr[0].toLowerCase() : "";
+		if (protocol === "" || !protocolWhiteListSet.has(protocol)) {
+			if (this.app.config.env === "local") this.ctx.coreLogger.warn("[@eggjs/security/surl] url: %j, protocol: %j, protocol is empty or not in white list, convert to empty string", val, protocol);
+			return "";
+		}
+	}
+	return val.replace(/["'<>]/g, (ch) => {
+		return escapeMap[ch];
+	});
+}
+
+//#endregion
+export { surl };

package/dist/surl-JV70X_RZ.d.ts

@@ -0,0 +1,6 @@
+import { BaseContextClass } from "egg";
+
+//#region src/lib/helper/surl.d.ts
+declare function surl(this: BaseContextClass, val: string): string;
+//#endregion
+export { surl };

package/dist/types-BZR2U30p.d.ts

@@ -0,0 +1,38 @@
+import { SecurityConfig, SecurityHelperConfig } from "./config.default-D8v08Vox.js";
+import { HttpClientOptions, HttpClientRequestURL, HttpClientResponse } from "./safe_curl-mqZZv_YQ.js";
+
+//#region src/types.d.ts
+declare module 'egg' {
+  interface EggAppConfig {
+    /**
+     * security options
+     * @member Config#security
+     */
+    security: SecurityConfig;
+    helper: SecurityHelperConfig;
+  }
+  interface Agent {
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+  }
+  interface Application {
+    injectCsrf(html: string): string;
+    injectNonce(html: string): string;
+    injectHijackingDefense(html: string): string;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+  }
+  interface Context {
+    get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
+    isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
+    get nonce(): string;
+    get csrf(): string;
+    ensureCsrfSecret(rotate?: boolean): void;
+    rotateCsrfSecret(): void;
+    assertCsrf(): void;
+    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+    unsafeRedirect(url: string, alt?: string): void;
+  }
+  interface Response {
+    unsafeRedirect(url: string, alt?: string): void;
+    redirect(url: string, alt?: string): void;
+  }
+}

package/dist/types-DnJpiSJb.js

@@ -0,0 +1 @@
+export {  };