@eggjs/security 5.0.0-beta.19 → 5.0.0-beta.21

package/dist/app/extend/response.js

@@ -1,70 +1,83 @@
-import "./context.js";
-import { Response } from "egg";
-
-//#region src/app/extend/response.ts
+import { Response } from 'egg';
+import SecurityContext from "./context.js";
 const unsafeRedirect = Response.prototype.redirect;
-var SecurityResponse = class extends Response {
-	/**
-	* This is an unsafe redirection, and we WON'T check if the
-	* destination url is safe or not.
-	* Please DO NOT use this method unless in some very special cases,
-	* otherwise there may be security vulnerabilities.
-	*
-	* @function Response#unsafeRedirect
-	* @param {String} url URL to forward
-	* @example
-	* ```js
-	* ctx.response.unsafeRedirect('http://www.domain.com');
-	* ctx.unsafeRedirect('http://www.domain.com');
-	* ```
-	*/
-	unsafeRedirect(url, alt) {
-		unsafeRedirect.call(this, url, alt);
-	}
-	/**
-	* A safe redirection, and we'll check if the URL is in
-	* a safe domain or not.
-	* We've overridden the default Koa's implementation by adding a
-	* white list as the filter for that.
-	*
-	* @function Response#redirect
-	* @param {String} url URL to forward
-	* @example
-	* ```js
-	* ctx.response.redirect('/login');
-	* ctx.redirect('/login');
-	* ```
-	*/
-	redirect(url, alt) {
-		url = (url || "/").trim();
-		if (url[0] === "/" && url[1] === "/") url = "/";
-		if (url[0] === "/" && url[1] !== "\\") {
-			this.unsafeRedirect(url, alt);
-			return;
-		}
-		let urlObject;
-		try {
-			urlObject = new URL(url);
-		} catch {
-			url = "/";
-			this.unsafeRedirect(url);
-			return;
-		}
-		const domainWhiteList = this.app.config.security.domainWhiteList;
-		if (urlObject.protocol !== "http:" && urlObject.protocol !== "https:") url = "/";
-		else if (!urlObject.hostname) url = "/";
-		else if (domainWhiteList && domainWhiteList.length !== 0) {
-			if (!this.ctx.isSafeDomain(urlObject.hostname)) {
-				const message = `a security problem has been detected for url "${url}", redirection is prohibited.`;
-				if (process.env.NODE_ENV === "production") {
-					this.app.coreLogger.warn("[@eggjs/security/response/redirect] %s", message);
-					url = "/";
-				} else return this.ctx.throw(500, message);
-			}
-		}
-		this.unsafeRedirect(url);
-	}
-};
-
-//#endregion
-export { SecurityResponse as default };
+export default class SecurityResponse extends Response {
+    /**
+     * This is an unsafe redirection, and we WON'T check if the
+     * destination url is safe or not.
+     * Please DO NOT use this method unless in some very special cases,
+     * otherwise there may be security vulnerabilities.
+     *
+     * @function Response#unsafeRedirect
+     * @param {String} url URL to forward
+     * @example
+     * ```js
+     * ctx.response.unsafeRedirect('http://www.domain.com');
+     * ctx.unsafeRedirect('http://www.domain.com');
+     * ```
+     */
+    unsafeRedirect(url, alt) {
+        unsafeRedirect.call(this, url, alt);
+    }
+    // app.response.unsafeRedirect = app.response.redirect;
+    // delegate(app.context, 'response').method('unsafeRedirect');
+    /**
+     * A safe redirection, and we'll check if the URL is in
+     * a safe domain or not.
+     * We've overridden the default Koa's implementation by adding a
+     * white list as the filter for that.
+     *
+     * @function Response#redirect
+     * @param {String} url URL to forward
+     * @example
+     * ```js
+     * ctx.response.redirect('/login');
+     * ctx.redirect('/login');
+     * ```
+     */
+    redirect(url, alt) {
+        url = (url || '/').trim();
+        // Process with `//`
+        if (url[0] === '/' && url[1] === '/') {
+            url = '/';
+        }
+        // if begin with '/', it means an internal jump
+        if (url[0] === '/' && url[1] !== '\\') {
+            this.unsafeRedirect(url, alt);
+            return;
+        }
+        let urlObject;
+        try {
+            urlObject = new URL(url);
+        }
+        catch {
+            url = '/';
+            this.unsafeRedirect(url);
+            return;
+        }
+        const domainWhiteList = this.app.config.security.domainWhiteList;
+        if (urlObject.protocol !== 'http:' && urlObject.protocol !== 'https:') {
+            url = '/';
+        }
+        else if (!urlObject.hostname) {
+            url = '/';
+        }
+        else {
+            if (domainWhiteList && domainWhiteList.length !== 0) {
+                if (!this.ctx.isSafeDomain(urlObject.hostname)) {
+                    const message = `a security problem has been detected for url "${url}", redirection is prohibited.`;
+                    if (process.env.NODE_ENV === 'production') {
+                        this.app.coreLogger.warn('[@eggjs/security/response/redirect] %s', message);
+                        url = '/';
+                    }
+                    else {
+                        // Exception will be thrown out in a non-PROD env.
+                        return this.ctx.throw(500, message);
+                    }
+                }
+            }
+        }
+        this.unsafeRedirect(url);
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicmVzcG9uc2UuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvYXBwL2V4dGVuZC9yZXNwb25zZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsUUFBUSxFQUFFLE1BQU0sS0FBSyxDQUFDO0FBRS9CLE9BQU8sZUFBZSxNQUFNLGNBQWMsQ0FBQztBQUUzQyxNQUFNLGNBQWMsR0FBRyxRQUFRLENBQUMsU0FBUyxDQUFDLFFBQVEsQ0FBQztBQUVuRCxNQUFNLENBQUMsT0FBTyxPQUFPLGdCQUFpQixTQUFRLFFBQVE7SUFHcEQ7Ozs7Ozs7Ozs7Ozs7T0FhRztJQUNILGNBQWMsQ0FBQyxHQUFXLEVBQUUsR0FBWTtRQUN0QyxjQUFjLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxHQUFHLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFDdEMsQ0FBQztJQUVELHVEQUF1RDtJQUN2RCw4REFBOEQ7SUFDOUQ7Ozs7Ozs7Ozs7Ozs7T0FhRztJQUNILFFBQVEsQ0FBQyxHQUFXLEVBQUUsR0FBWTtRQUNoQyxHQUFHLEdBQUcsQ0FBQyxHQUFHLElBQUksR0FBRyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUM7UUFFMUIsb0JBQW9CO1FBQ3BCLElBQUksR0FBRyxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUcsSUFBSSxHQUFHLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxFQUFFLENBQUM7WUFDckMsR0FBRyxHQUFHLEdBQUcsQ0FBQztRQUNaLENBQUM7UUFFRCwrQ0FBK0M7UUFDL0MsSUFBSSxHQUFHLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxJQUFJLEdBQUcsQ0FBQyxDQUFDLENBQUMsS0FBSyxJQUFJLEVBQUUsQ0FBQztZQUN0QyxJQUFJLENBQUMsY0FBYyxDQUFDLEdBQUcsRUFBRSxHQUFHLENBQUMsQ0FBQztZQUM5QixPQUFPO1FBQ1QsQ0FBQztRQUVELElBQUksU0FBYyxDQUFDO1FBQ25CLElBQUksQ0FBQztZQUNILFNBQVMsR0FBRyxJQUFJLEdBQUcsQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUMzQixDQUFDO1FBQUMsTUFBTSxDQUFDO1lBQ1AsR0FBRyxHQUFHLEdBQUcsQ0FBQztZQUNWLElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLENBQUM7WUFDekIsT0FBTztRQUNULENBQUM7UUFFRCxNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsZUFBZSxDQUFDO1FBQ2pFLElBQUksU0FBUyxDQUFDLFFBQVEsS0FBSyxPQUFPLElBQUksU0FBUyxDQUFDLFFBQVEsS0FBSyxRQUFRLEVBQUUsQ0FBQztZQUN0RSxHQUFHLEdBQUcsR0FBRyxDQUFDO1FBQ1osQ0FBQzthQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDL0IsR0FBRyxHQUFHLEdBQUcsQ0FBQztRQUNaLENBQUM7YUFBTSxDQUFDO1lBQ04sSUFBSSxlQUFlLElBQUksZUFBZSxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztnQkFDcEQsSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO29CQUMvQyxNQUFNLE9BQU8sR0FBRyxpREFBaUQsR0FBRywrQkFBK0IsQ0FBQztvQkFDcEcsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLFFBQVEsS0FBSyxZQUFZLEVBQUUsQ0FBQzt3QkFDMUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLHdDQUF3QyxFQUFFLE9BQU8sQ0FBQyxDQUFDO3dCQUM1RSxHQUFHLEdBQUcsR0FBRyxDQUFDO29CQUNaLENBQUM7eUJBQU0sQ0FBQzt3QkFDTixrREFBa0Q7d0JBQ2xELE9BQU8sSUFBSSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsR0FBRyxFQUFFLE9BQU8sQ0FBQyxDQUFDO29CQUN0QyxDQUFDO2dCQUNILENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQztRQUNELElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDM0IsQ0FBQztDQUNGIn0=

package/dist/app/middleware/securities.d.ts

@@ -1,8 +1,4 @@
-import * as egg0 from "egg";
-import { Application } from "egg";
-import compose from "koa-compose";
-
-//#region src/app/middleware/securities.d.ts
-declare const _default: (_: unknown, app: Application) => compose.ComposedMiddleware<egg0.Context>;
-//#endregion
-export { _default as default };
+import compose from 'koa-compose';
+import type { Application } from 'egg';
+declare const _default: (_: unknown, app: Application) => compose.ComposedMiddleware<import("egg").Context>;
+export default _default;

package/dist/app/middleware/securities.js

@@ -1,39 +1,53 @@
-import middlewares_default from "../../lib/middlewares/index.js";
-import assert from "node:assert";
-import compose from "koa-compose";
-import { pathMatching } from "egg-path-matching";
-
-//#region src/app/middleware/securities.ts
-var securities_default = (_, app) => {
-	const options = app.config.security;
-	const middlewares = [];
-	const defaultMiddlewares = typeof options.defaultMiddleware === "string" ? options.defaultMiddleware.split(",").map((m) => m.trim()).filter((m) => !!m) : options.defaultMiddleware;
-	if (options.match || options.ignore) app.coreLogger.warn("[@eggjs/security/middleware/securities] Please set `match` or `ignore` on sub config");
-	const originalCookieDomain = options.csrf.cookieDomain;
-	if (originalCookieDomain && typeof originalCookieDomain !== "function") options.csrf.cookieDomain = () => originalCookieDomain;
-	defaultMiddlewares.forEach((middlewareName) => {
-		const opt = Reflect.get(options, middlewareName);
-		if (opt === false) app.coreLogger.warn("[egg-security] Please use `config.security.%s = { enable: false }` instead of `config.security.%s = false`", middlewareName, middlewareName);
-		assert(opt === false || typeof opt === "object", `config.security.${middlewareName} must be an object, or false(if you turn it off)`);
-		if (opt === false || opt && opt.enable === false) return;
-		if (middlewareName === "csrf" && opt.useSession && !app.plugins.session) throw new Error("csrf.useSession enabled, but session plugin is disabled");
-		if (opt.match && opt.ignore) {
-			app.coreLogger.warn("[@eggjs/security/middleware/securities] `options.match` and `options.ignore` are both set, using `options.match`");
-			opt.ignore = void 0;
-		}
-		if (!opt.ignore && opt.blackUrls) {
-			app.deprecate("[@eggjs/security/middleware/securities] Please use `config.security.xframe.ignore` instead, `config.security.xframe.blackUrls` will be removed very soon");
-			opt.ignore = opt.blackUrls;
-		}
-		opt.matching = pathMatching(opt);
-		const createMiddleware = middlewares_default[middlewareName];
-		const fn = createMiddleware(opt);
-		middlewares.push(fn);
-		app.coreLogger.info("[@eggjs/security/middleware/securities] use %s middleware", middlewareName);
-	});
-	app.coreLogger.info("[@eggjs/security/middleware/securities] compose %d middlewares into one security middleware", middlewares.length);
-	return compose(middlewares);
+import assert from 'node:assert';
+import compose from 'koa-compose';
+import { pathMatching } from 'egg-path-matching';
+import securityMiddlewares from "../../lib/middlewares/index.js";
+export default (_, app) => {
+    const options = app.config.security;
+    const middlewares = [];
+    const defaultMiddlewares = typeof options.defaultMiddleware === 'string'
+        ? options.defaultMiddleware
+            .split(',')
+            .map(m => m.trim())
+            .filter(m => !!m)
+        : options.defaultMiddleware;
+    if (options.match || options.ignore) {
+        app.coreLogger.warn('[@eggjs/security/middleware/securities] Please set `match` or `ignore` on sub config');
+    }
+    // format csrf.cookieDomain
+    const originalCookieDomain = options.csrf.cookieDomain;
+    if (originalCookieDomain && typeof originalCookieDomain !== 'function') {
+        options.csrf.cookieDomain = () => originalCookieDomain;
+    }
+    defaultMiddlewares.forEach(middlewareName => {
+        const opt = Reflect.get(options, middlewareName);
+        if (opt === false) {
+            app.coreLogger.warn('[egg-security] Please use `config.security.%s = { enable: false }` instead of `config.security.%s = false`', middlewareName, middlewareName);
+        }
+        assert(opt === false || typeof opt === 'object', `config.security.${middlewareName} must be an object, or false(if you turn it off)`);
+        if (opt === false || (opt && opt.enable === false)) {
+            return;
+        }
+        if (middlewareName === 'csrf' && opt.useSession && !app.plugins.session) {
+            throw new Error('csrf.useSession enabled, but session plugin is disabled');
+        }
+        // use opt.match first (compatibility)
+        if (opt.match && opt.ignore) {
+            app.coreLogger.warn('[@eggjs/security/middleware/securities] `options.match` and `options.ignore` are both set, using `options.match`');
+            opt.ignore = undefined;
+        }
+        if (!opt.ignore && opt.blackUrls) {
+            app.deprecate('[@eggjs/security/middleware/securities] Please use `config.security.xframe.ignore` instead, `config.security.xframe.blackUrls` will be removed very soon');
+            opt.ignore = opt.blackUrls;
+        }
+        // set matching function to security middleware options
+        opt.matching = pathMatching(opt);
+        const createMiddleware = securityMiddlewares[middlewareName];
+        const fn = createMiddleware(opt);
+        middlewares.push(fn);
+        app.coreLogger.info('[@eggjs/security/middleware/securities] use %s middleware', middlewareName);
+    });
+    app.coreLogger.info('[@eggjs/security/middleware/securities] compose %d middlewares into one security middleware', middlewares.length);
+    return compose(middlewares);
 };
-
-//#endregion
-export { securities_default as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VjdXJpdGllcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9hcHAvbWlkZGxld2FyZS9zZWN1cml0aWVzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sTUFBTSxNQUFNLGFBQWEsQ0FBQztBQUVqQyxPQUFPLE9BQU8sTUFBTSxhQUFhLENBQUM7QUFDbEMsT0FBTyxFQUFFLFlBQVksRUFBRSxNQUFNLG1CQUFtQixDQUFDO0FBR2pELE9BQU8sbUJBQW1CLE1BQU0sZ0NBQWdDLENBQUM7QUFHakUsZUFBZSxDQUFDLENBQVUsRUFBRSxHQUFnQixFQUFFLEVBQUU7SUFDOUMsTUFBTSxPQUFPLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUM7SUFDcEMsTUFBTSxXQUFXLEdBQXFCLEVBQUUsQ0FBQztJQUN6QyxNQUFNLGtCQUFrQixHQUN0QixPQUFPLE9BQU8sQ0FBQyxpQkFBaUIsS0FBSyxRQUFRO1FBQzNDLENBQUMsQ0FBRSxPQUFPLENBQUMsaUJBQWlCO2FBQ3ZCLEtBQUssQ0FBQyxHQUFHLENBQUM7YUFDVixHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUM7YUFDbEIsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBOEI7UUFDbEQsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxpQkFBaUIsQ0FBQztJQUVoQyxJQUFJLE9BQU8sQ0FBQyxLQUFLLElBQUksT0FBTyxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBQ3BDLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLHNGQUFzRixDQUFDLENBQUM7SUFDOUcsQ0FBQztJQUVELDJCQUEyQjtJQUMzQixNQUFNLG9CQUFvQixHQUFHLE9BQU8sQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDO0lBQ3ZELElBQUksb0JBQW9CLElBQUksT0FBTyxvQkFBb0IsS0FBSyxVQUFVLEVBQUUsQ0FBQztRQUN2RSxPQUFPLENBQUMsSUFBSSxDQUFDLFlBQVksR0FBRyxHQUFHLEVBQUUsQ0FBQyxvQkFBb0IsQ0FBQztJQUN6RCxDQUFDO0lBRUQsa0JBQWtCLENBQUMsT0FBTyxDQUFDLGNBQWMsQ0FBQyxFQUFFO1FBQzFDLE1BQU0sR0FBRyxHQUFHLE9BQU8sQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLGNBQWMsQ0FBUSxDQUFDO1FBQ3hELElBQUksR0FBRyxLQUFLLEtBQUssRUFBRSxDQUFDO1lBQ2xCLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUNqQiw0R0FBNEcsRUFDNUcsY0FBYyxFQUNkLGNBQWMsQ0FDZixDQUFDO1FBQ0osQ0FBQztRQUVELE1BQU0sQ0FDSixHQUFHLEtBQUssS0FBSyxJQUFJLE9BQU8sR0FBRyxLQUFLLFFBQVEsRUFDeEMsbUJBQW1CLGNBQWMsa0RBQWtELENBQ3BGLENBQUM7UUFFRixJQUFJLEdBQUcsS0FBSyxLQUFLLElBQUksQ0FBQyxHQUFHLElBQUksR0FBRyxDQUFDLE1BQU0sS0FBSyxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQ25ELE9BQU87UUFDVCxDQUFDO1FBRUQsSUFBSSxjQUFjLEtBQUssTUFBTSxJQUFJLEdBQUcsQ0FBQyxVQUFVLElBQUksQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ3hFLE1BQU0sSUFBSSxLQUFLLENBQUMseURBQXlELENBQUMsQ0FBQztRQUM3RSxDQUFDO1FBRUQsc0NBQXNDO1FBQ3RDLElBQUksR0FBRyxDQUFDLEtBQUssSUFBSSxHQUFHLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDNUIsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQ2pCLGtIQUFrSCxDQUNuSCxDQUFDO1lBQ0YsR0FBRyxDQUFDLE1BQU0sR0FBRyxTQUFTLENBQUM7UUFDekIsQ0FBQztRQUNELElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxJQUFJLEdBQUcsQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUNqQyxHQUFHLENBQUMsU0FBUyxDQUNYLDBKQUEwSixDQUMzSixDQUFDO1lBQ0YsR0FBRyxDQUFDLE1BQU0sR0FBRyxHQUFHLENBQUMsU0FBUyxDQUFDO1FBQzdCLENBQUM7UUFDRCx1REFBdUQ7UUFDdkQsR0FBRyxDQUFDLFFBQVEsR0FBRyxZQUFZLENBQUMsR0FBRyxDQUFDLENBQUM7UUFFakMsTUFBTSxnQkFBZ0IsR0FBRyxtQkFBbUIsQ0FBQyxjQUFjLENBQUMsQ0FBQztRQUM3RCxNQUFNLEVBQUUsR0FBRyxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUNqQyxXQUFXLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ3JCLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLDJEQUEyRCxFQUFFLGNBQWMsQ0FBQyxDQUFDO0lBQ25HLENBQUMsQ0FBQyxDQUFDO0lBRUgsR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQ2pCLDZGQUE2RixFQUM3RixXQUFXLENBQUMsTUFBTSxDQUNuQixDQUFDO0lBQ0YsT0FBTyxPQUFPLENBQUMsV0FBVyxDQUFDLENBQUM7QUFDOUIsQ0FBQyxDQUFDIn0=

package/dist/app.d.ts

@@ -1,10 +1,6 @@
-import { Application, ILifecycleBoot } from "egg";
-
-//#region src/app.d.ts
-declare class AppBoot implements ILifecycleBoot {
-  private readonly app;
-  constructor(app: Application);
-  configWillLoad(): void;
+import type { ILifecycleBoot, Application } from 'egg';
+export default class AppBoot implements ILifecycleBoot {
+    private readonly app;
+    constructor(app: Application);
+    configWillLoad(): void;
 }
-//#endregion
-export { AppBoot as default };

package/dist/app.js

@@ -1,24 +1,26 @@
 import { preprocessConfig } from "./lib/utils.js";
 import { SecurityConfig } from "./config/config.default.js";
-
-//#region src/app.ts
-var AppBoot = class {
-	app;
-	constructor(app) {
-		this.app = app;
-	}
-	configWillLoad() {
-		const app = this.app;
-		app.config.coreMiddleware.push("securities");
-		const parsed = SecurityConfig.parse(app.config.security);
-		if (typeof app.config.security.csrf === "boolean") app.config.security.csrf = parsed.csrf;
-		if (app.config.security.csrf.enable) {
-			const { ignoreJSON } = app.config.security.csrf;
-			if (ignoreJSON) app.deprecate("[@eggjs/security/app] `config.security.csrf.ignoreJSON` is not safe now, please disable it.");
-		}
-		preprocessConfig(app.config.security);
-	}
-};
-
-//#endregion
-export { AppBoot as default };
+export default class AppBoot {
+    app;
+    constructor(app) {
+        this.app = app;
+    }
+    configWillLoad() {
+        const app = this.app;
+        app.config.coreMiddleware.push('securities');
+        // parse config and check if config is legal
+        const parsed = SecurityConfig.parse(app.config.security);
+        if (typeof app.config.security.csrf === 'boolean') {
+            // support old config: `config.security.csrf = false`
+            app.config.security.csrf = parsed.csrf;
+        }
+        if (app.config.security.csrf.enable) {
+            const { ignoreJSON } = app.config.security.csrf;
+            if (ignoreJSON) {
+                app.deprecate('[@eggjs/security/app] `config.security.csrf.ignoreJSON` is not safe now, please disable it.');
+            }
+        }
+        preprocessConfig(app.config.security);
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXBwLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vc3JjL2FwcC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFFQSxPQUFPLEVBQUUsZ0JBQWdCLEVBQUUsTUFBTSxnQkFBZ0IsQ0FBQztBQUNsRCxPQUFPLEVBQUUsY0FBYyxFQUFFLE1BQU0sNEJBQTRCLENBQUM7QUFFNUQsTUFBTSxDQUFDLE9BQU8sT0FBTyxPQUFPO0lBQ1QsR0FBRyxDQUFDO0lBRXJCLFlBQVksR0FBZ0I7UUFDMUIsSUFBSSxDQUFDLEdBQUcsR0FBRyxHQUFHLENBQUM7SUFDakIsQ0FBQztJQUVELGNBQWM7UUFDWixNQUFNLEdBQUcsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDO1FBQ3JCLEdBQUcsQ0FBQyxNQUFNLENBQUMsY0FBYyxDQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUM3Qyw0Q0FBNEM7UUFDNUMsTUFBTSxNQUFNLEdBQUcsY0FBYyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQ3pELElBQUksT0FBTyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEtBQUssU0FBUyxFQUFFLENBQUM7WUFDbEQscURBQXFEO1lBQ3JELEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksR0FBRyxNQUFNLENBQUMsSUFBSSxDQUFDO1FBQ3pDLENBQUM7UUFFRCxJQUFJLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUNwQyxNQUFNLEVBQUUsVUFBVSxFQUFFLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1lBQ2hELElBQUksVUFBVSxFQUFFLENBQUM7Z0JBQ2YsR0FBRyxDQUFDLFNBQVMsQ0FBQyw2RkFBNkYsQ0FBQyxDQUFDO1lBQy9HLENBQUM7UUFDSCxDQUFDO1FBRUQsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsQ0FBQztJQUN4QyxDQUFDO0NBQ0YifQ==