npm - @grackle-ai/auth - Versions diffs - 0.107.1 → 0.108.0 - Mend

@grackle-ai/auth 0.107.1 → 0.108.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/security-headers.d.ts +9 -5
package/dist/security-headers.d.ts.map +1 -1
package/dist/security-headers.js +40 -5
package/dist/security-headers.js.map +1 -1
package/package.json +2 -2

package/dist/security-headers.d.ts CHANGED Viewed

@@ -1,9 +1,7 @@
 import type { ServerResponse } from "node:http";
 /**
- * Content Security Policy for the web handler.
- *
- * Covers the React SPA (served from 'self') and server-rendered pages
- * (pairing/authorize) which use inline styles.
+ * Full CSP string with `form-action 'self'` — used by tests and as a
+ * backwards-compatible export.
  */
 export declare const WEB_CONTENT_SECURITY_POLICY: string;
 /**
@@ -12,6 +10,12 @@ export declare const WEB_CONTENT_SECURITY_POLICY: string;
  * Called at the top of `createWebHandler`'s returned function so that all
  * response paths (static files, HTML pages, JSON APIs, redirects) are covered
  * without modifying each `writeHead` call individually.
+ *
+ * @param res - The HTTP response to set headers on.
+ * @param requestHost - The `Host` header from the incoming request. When
+ *   provided, the CSP `form-action` directive explicitly includes the
+ *   request origin to work around a Chromium bug where `'self'` does not
+ *   match form submissions on non-standard ports.
  */
-export declare function setSecurityHeaders(res: ServerResponse): void;
+export declare function setSecurityHeaders(res: ServerResponse, requestHost?: string): void;
 //# sourceMappingURL=security-headers.d.ts.map

package/dist/security-headers.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;~~AAEhD;;;;;GAKG~~;AACH,eAAO,MAAM,2BAA2B,EAAE,~~MAW9B~~,CAAC;AAEb~~;;;;;;GAMG~~;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,cAAc,GAAG,IAAI,~~CAI5D~~"}
1	+ {"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAyBhD;;;GAGG;AACH,eAAO,MAAM,2BAA2B,EAAE,MAG9B,CAAC;AAEb;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,cAAc,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAoBlF"}

package/dist/security-headers.js CHANGED Viewed

@@ -1,10 +1,15 @@
 /**
- * Content Security Policy for the web handler.
+ * Base Content Security Policy directives for the web handler.
  *
  * Covers the React SPA (served from 'self') and server-rendered pages
  * (pairing/authorize) which use inline styles.
+ *
+ * Note: `form-action` is intentionally omitted here and appended dynamically
+ * by {@link setSecurityHeaders} using the request's Host header, because
+ * Chromium does not reliably match `'self'` for form submissions on
+ * non-standard ports.
  */
-export const WEB_CONTENT_SECURITY_POLICY = [
+const BASE_CSP_DIRECTIVES = [
     "default-src 'self'",
     "script-src 'self'",
     "style-src 'self' 'unsafe-inline'",
@@ -12,9 +17,16 @@ export const WEB_CONTENT_SECURITY_POLICY = [
     "font-src 'self'",
     "connect-src 'self'",
     "object-src 'none'",
-    "form-action 'self'",
     "frame-ancestors 'none'",
     "base-uri 'self'",
+];
+/**
+ * Full CSP string with `form-action 'self'` — used by tests and as a
+ * backwards-compatible export.
+ */
+export const WEB_CONTENT_SECURITY_POLICY = [
+    ...BASE_CSP_DIRECTIVES,
+    "form-action 'self'",
 ].join("; ");
 /**
  * Set defense-in-depth security headers on every web response.
@@ -22,10 +34,33 @@ export const WEB_CONTENT_SECURITY_POLICY = [
  * Called at the top of `createWebHandler`'s returned function so that all
  * response paths (static files, HTML pages, JSON APIs, redirects) are covered
  * without modifying each `writeHead` call individually.
+ *
+ * @param res - The HTTP response to set headers on.
+ * @param requestHost - The `Host` header from the incoming request. When
+ *   provided, the CSP `form-action` directive explicitly includes the
+ *   request origin to work around a Chromium bug where `'self'` does not
+ *   match form submissions on non-standard ports.
  */
-export function setSecurityHeaders(res) {
+export function setSecurityHeaders(res, requestHost) {
     res.setHeader("X-Content-Type-Options", "nosniff");
     res.setHeader("X-Frame-Options", "DENY");
-    res.setHeader("Content-Security-Policy", WEB_CONTENT_SECURITY_POLICY);
+    // Chromium does not reliably match 'self' or explicit origin+port for
+    // form-action on non-standard ports. Use the request hostname with a
+    // wildcard port so the form POST is allowed regardless of port.
+    // Validate via URL constructor to prevent CSP header injection (e.g. Host
+    // containing ';' could splice directives).
+    let formAction = "form-action 'self'";
+    if (requestHost) {
+        try {
+            const parsed = new URL(`http://${requestHost}`);
+            const hostname = parsed.hostname;
+            formAction = `form-action 'self' http://${hostname}:* https://${hostname}:*`;
+        }
+        catch {
+            // Malformed Host header — fall back to 'self' only
+        }
+    }
+    const csp = [...BASE_CSP_DIRECTIVES, formAction].join("; ");
+    res.setHeader("Content-Security-Policy", csp);
 }
 //# sourceMappingURL=security-headers.js.map

package/dist/security-headers.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAEA~~;;;;;GAKG~~;AACH,MAAM,~~CAAC~~,~~MAAM,2BAA2B,GAAW~~;~~IACjD~~,oBAAoB;IACpB,mBAAmB;IACnB,kCAAkC;IAClC,sBAAsB;IACtB,iBAAiB;IACjB,oBAAoB;IACpB,mBAAmB;IACnB,~~oBAAoB;IACpB,~~wBAAwB;IACxB,iBAAiB;CAClB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb~~;;;;;;GAMG~~;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAmB;~~IACpD~~,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;IACnD,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACzC,GAAG,CAAC,SAAS,CAAC,yBAAyB,EAAE,~~2BAA2B~~,CAAC,CAAC;~~AACxE~~,CAAC"}
1	+ {"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AACH,MAAM,mBAAmB,GAAsB;IAC7C,oBAAoB;IACpB,mBAAmB;IACnB,kCAAkC;IAClC,sBAAsB;IACtB,iBAAiB;IACjB,oBAAoB;IACpB,mBAAmB;IACnB,wBAAwB;IACxB,iBAAiB;CAClB,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAW;IACjD,GAAG,mBAAmB;IACtB,oBAAoB;CACrB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAmB,EAAE,WAAoB;IAC1E,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;IACnD,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACzC,sEAAsE;IACtE,qEAAqE;IACrE,gEAAgE;IAChE,0EAA0E;IAC1E,2CAA2C;IAC3C,IAAI,UAAU,GAAG,oBAAoB,CAAC;IACtC,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,WAAW,EAAE,CAAC,CAAC;YAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YACjC,UAAU,GAAG,6BAA6B,QAAQ,cAAc,QAAQ,IAAI,CAAC;QAC/E,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;IACH,CAAC;IACD,MAAM,GAAG,GAAG,CAAC,GAAG,mBAAmB,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5D,GAAG,CAAC,SAAS,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAC;AAChD,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@grackle-ai/auth",
-  "version": "0.107.1",
+  "version": "0.108.0",
   "description": "Authentication and authorization primitives for Grackle",
   "license": "MIT",
   "repository": {
@@ -29,7 +29,7 @@
     "dist/"
   ],
   "dependencies": {
-    "@grackle-ai/common": "0.107.1"
+    "@grackle-ai/common": "0.108.0"
   },
   "devDependencies": {
     "@rushstack/heft": "1.2.7",