@graphql-yoga/plugin-csrf-prevention 3.18.0 → 3.18.1-alpha-20260116132831-dc9fc0ad2f1ad6ee99bc438c173cf8496ae505a7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/index.cjs +34 -0
  2. package/{typings → dist}/index.d.cts +13 -9
  3. package/{typings/index.d.ts → dist/index.d.mts} +13 -9
  4. package/dist/index.mjs +34 -0
  5. package/package.json +40 -18
  6. package/LICENSE +0 -23
  7. package/cjs/index.js +0 -46
  8. package/cjs/package.json +0 -1
  9. package/esm/index.js +0 -43
package/dist/index.cjs ADDED
@@ -0,0 +1,34 @@
1
+ let graphql_yoga = require("graphql-yoga");
2
+
3
+ //#region src/index.ts
4
+ const NON_PREFLIGHTED_CONTENT_TYPES = [
5
+ "application/x-www-form-urlencoded",
6
+ "multipart/form-data",
7
+ "text/plain"
8
+ ];
9
+ /**
10
+ * If you have CORS enabled, almost all requests coming from the browser will have a
11
+ * preflight request - however, some requests are deemed "simple" and don't make a preflight.
12
+ *
13
+ * One example of such a request is a good ol' GET request without any headers, this request can
14
+ * be marked as "simple" and have preflight CORS checks skipped therefore skipping the CORS check.
15
+ *
16
+ * This attack can be mitigated by saying: "all GET requests must have a custom header set". This
17
+ * would force all clients to manipulate the headers of GET requests, marking them as "_not-_simple"
18
+ * and therefore always executing a preflight request.
19
+ */
20
+ function useCSRFPrevention(options = {}) {
21
+ const { requestHeaders = ["x-graphql-yoga-csrf"] } = options;
22
+ return { onRequestParse({ request }) {
23
+ if (wasTheRequestAlreadyPreflightChecked(request.headers?.get("content-type"))) return;
24
+ if (requestHeaders.some((headerName) => request.headers.has(headerName))) return;
25
+ throw (0, graphql_yoga.createGraphQLError)("Required CSRF header(s) not present", { extensions: { http: { status: 403 } } });
26
+ } };
27
+ }
28
+ const wasTheRequestAlreadyPreflightChecked = (contentType) => {
29
+ if (!contentType) return false;
30
+ return !NON_PREFLIGHTED_CONTENT_TYPES.some((nonPreflightContentType) => contentType.toLowerCase().startsWith(nonPreflightContentType));
31
+ };
32
+
33
+ //#endregion
34
+ exports.useCSRFPrevention = useCSRFPrevention;
package/{typings → dist}/index.d.cts RENAMED
@@ -1,11 +1,13 @@
1
- import { Plugin, YogaInitialContext } from 'graphql-yoga';
2
- export interface CSRFPreventionPluginOptions {
3
- /**
4
- * List of headers that are required to be set on every request.
5
- *
6
- * @default 'x-graphql-yoga-csrf'
7
- */
8
- requestHeaders?: string[];
1
+ import { Plugin, YogaInitialContext } from "graphql-yoga";
2
+
3
+ //#region src/index.d.ts
4
+ interface CSRFPreventionPluginOptions {
5
+ /**
6
+ * List of headers that are required to be set on every request.
7
+ *
8
+ * @default 'x-graphql-yoga-csrf'
9
+ */
10
+ requestHeaders?: string[];
9
11
  }
10
12
  /**
11
13
  * If you have CORS enabled, almost all requests coming from the browser will have a
@@ -18,4 +20,6 @@ export interface CSRFPreventionPluginOptions {
18
20
  * would force all clients to manipulate the headers of GET requests, marking them as "_not-_simple"
19
21
  * and therefore always executing a preflight request.
20
22
  */
21
- export declare function useCSRFPrevention(options?: CSRFPreventionPluginOptions): Plugin<YogaInitialContext>;
23
+ declare function useCSRFPrevention(options?: CSRFPreventionPluginOptions): Plugin<YogaInitialContext>;
24
+ //#endregion
25
+ export { CSRFPreventionPluginOptions, useCSRFPrevention };
package/{typings/index.d.ts → dist/index.d.mts} RENAMED
@@ -1,11 +1,13 @@
1
- import { Plugin, YogaInitialContext } from 'graphql-yoga';
2
- export interface CSRFPreventionPluginOptions {
3
- /**
4
- * List of headers that are required to be set on every request.
5
- *
6
- * @default 'x-graphql-yoga-csrf'
7
- */
8
- requestHeaders?: string[];
1
+ import { Plugin, YogaInitialContext } from "graphql-yoga";
2
+
3
+ //#region src/index.d.ts
4
+ interface CSRFPreventionPluginOptions {
5
+ /**
6
+ * List of headers that are required to be set on every request.
7
+ *
8
+ * @default 'x-graphql-yoga-csrf'
9
+ */
10
+ requestHeaders?: string[];
9
11
  }
10
12
  /**
11
13
  * If you have CORS enabled, almost all requests coming from the browser will have a
@@ -18,4 +20,6 @@ export interface CSRFPreventionPluginOptions {
18
20
  * would force all clients to manipulate the headers of GET requests, marking them as "_not-_simple"
19
21
  * and therefore always executing a preflight request.
20
22
  */
21
- export declare function useCSRFPrevention(options?: CSRFPreventionPluginOptions): Plugin<YogaInitialContext>;
23
+ declare function useCSRFPrevention(options?: CSRFPreventionPluginOptions): Plugin<YogaInitialContext>;
24
+ //#endregion
25
+ export { CSRFPreventionPluginOptions, useCSRFPrevention };
package/dist/index.mjs ADDED
@@ -0,0 +1,34 @@
1
+ import { createGraphQLError } from "graphql-yoga";
2
+
3
+ //#region src/index.ts
4
+ const NON_PREFLIGHTED_CONTENT_TYPES = [
5
+ "application/x-www-form-urlencoded",
6
+ "multipart/form-data",
7
+ "text/plain"
8
+ ];
9
+ /**
10
+ * If you have CORS enabled, almost all requests coming from the browser will have a
11
+ * preflight request - however, some requests are deemed "simple" and don't make a preflight.
12
+ *
13
+ * One example of such a request is a good ol' GET request without any headers, this request can
14
+ * be marked as "simple" and have preflight CORS checks skipped therefore skipping the CORS check.
15
+ *
16
+ * This attack can be mitigated by saying: "all GET requests must have a custom header set". This
17
+ * would force all clients to manipulate the headers of GET requests, marking them as "_not-_simple"
18
+ * and therefore always executing a preflight request.
19
+ */
20
+ function useCSRFPrevention(options = {}) {
21
+ const { requestHeaders = ["x-graphql-yoga-csrf"] } = options;
22
+ return { onRequestParse({ request }) {
23
+ if (wasTheRequestAlreadyPreflightChecked(request.headers?.get("content-type"))) return;
24
+ if (requestHeaders.some((headerName) => request.headers.has(headerName))) return;
25
+ throw createGraphQLError("Required CSRF header(s) not present", { extensions: { http: { status: 403 } } });
26
+ } };
27
+ }
28
+ const wasTheRequestAlreadyPreflightChecked = (contentType) => {
29
+ if (!contentType) return false;
30
+ return !NON_PREFLIGHTED_CONTENT_TYPES.some((nonPreflightContentType) => contentType.toLowerCase().startsWith(nonPreflightContentType));
31
+ };
32
+
33
+ //#endregion
34
+ export { useCSRFPrevention };
package/package.json CHANGED
@@ -1,10 +1,8 @@
1
1
  {
2
2
  "name": "@graphql-yoga/plugin-csrf-prevention",
3
- "version": "3.18.0",
3
+ "version": "3.18.1-alpha-20260116132831-dc9fc0ad2f1ad6ee99bc438c173cf8496ae505a7",
4
+ "type": "module",
4
5
  "description": "CSRF prevention plugin for GraphQL Yoga that requires the clients to have a specific header set.",
5
- "peerDependencies": {
6
- "graphql-yoga": "^5.18.0"
7
- },
8
6
  "repository": {
9
7
  "type": "git",
10
8
  "url": "https://github.com/graphql-hive/graphql-yoga.git",
@@ -15,28 +13,52 @@
15
13
  "engines": {
16
14
  "node": ">=18.0.0"
17
15
  },
18
- "main": "cjs/index.js",
19
- "module": "esm/index.js",
20
- "typings": "typings/index.d.ts",
21
- "typescript": {
22
- "definition": "typings/index.d.ts"
23
- },
24
- "type": "module",
16
+ "main": "dist/index.cjs",
17
+ "typings": "dist/index.d.mts",
18
+ "module": "dist/index.mjs",
25
19
  "exports": {
26
20
  ".": {
27
21
  "require": {
28
- "types": "./typings/index.d.cts",
29
- "default": "./cjs/index.js"
22
+ "types": "./dist/index.d.cts",
23
+ "default": "./dist/index.cjs"
30
24
  },
31
25
  "import": {
32
- "types": "./typings/index.d.ts",
33
- "default": "./esm/index.js"
26
+ "types": "./dist/index.d.mts",
27
+ "default": "./dist/index.mjs"
34
28
  },
35
29
  "default": {
36
- "types": "./typings/index.d.ts",
37
- "default": "./esm/index.js"
30
+ "types": "./dist/index.d.mts",
31
+ "default": "./dist/index.mjs"
38
32
  }
39
33
  },
40
34
  "./package.json": "./package.json"
35
+ },
36
+ "files": [
37
+ "dist"
38
+ ],
39
+ "scripts": {
40
+ "build": "tsdown",
41
+ "check": "tsc --pretty --noEmit",
42
+ "watch": "tsdown --watch"
43
+ },
44
+ "peerDependencies": {
45
+ "graphql": "^15.2.0 || ^16.0.0",
46
+ "graphql-yoga": "workspace:^"
47
+ },
48
+ "devDependencies": {
49
+ "graphql": "^16.12.0",
50
+ "graphql-yoga": "workspace:*",
51
+ "tsdown": "^0.20.0-beta.1",
52
+ "tslib": "^2.8.1"
53
+ },
54
+ "publishConfig": {
55
+ "access": "public"
56
+ },
57
+ "sideEffects": false,
58
+ "buildOptions": {
59
+ "input": "./src/index.ts"
60
+ },
61
+ "typescript": {
62
+ "definition": "dist/index.d.mts"
41
63
  }
42
- }
64
+ }
package/LICENSE DELETED
@@ -1,23 +0,0 @@
1
- MIT License
2
-
3
- Copyright (c) 2018-2020 Graphcool
4
- Copyright (c) 2020-2021 Prisma
5
- Copyright (c) 2021- The Guild
6
-
7
- Permission is hereby granted, free of charge, to any person obtaining a copy
8
- of this software and associated documentation files (the "Software"), to deal
9
- in the Software without restriction, including without limitation the rights
10
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11
- copies of the Software, and to permit persons to whom the Software is
12
- furnished to do so, subject to the following conditions:
13
-
14
- The above copyright notice and this permission notice shall be included in all
15
- copies or substantial portions of the Software.
16
-
17
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23
- SOFTWARE.
package/cjs/index.js DELETED
@@ -1,46 +0,0 @@
1
- "use strict";
2
- Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.useCSRFPrevention = useCSRFPrevention;
4
- const graphql_yoga_1 = require("graphql-yoga");
5
- const NON_PREFLIGHTED_CONTENT_TYPES = [
6
- 'application/x-www-form-urlencoded',
7
- 'multipart/form-data',
8
- 'text/plain',
9
- ];
10
- /**
11
- * If you have CORS enabled, almost all requests coming from the browser will have a
12
- * preflight request - however, some requests are deemed "simple" and don't make a preflight.
13
- *
14
- * One example of such a request is a good ol' GET request without any headers, this request can
15
- * be marked as "simple" and have preflight CORS checks skipped therefore skipping the CORS check.
16
- *
17
- * This attack can be mitigated by saying: "all GET requests must have a custom header set". This
18
- * would force all clients to manipulate the headers of GET requests, marking them as "_not-_simple"
19
- * and therefore always executing a preflight request.
20
- */
21
- function useCSRFPrevention(options = {}) {
22
- const { requestHeaders = ['x-graphql-yoga-csrf'] } = options;
23
- return {
24
- onRequestParse({ request }) {
25
- if (wasTheRequestAlreadyPreflightChecked(request.headers?.get('content-type'))) {
26
- return;
27
- }
28
- if (requestHeaders.some(headerName => request.headers.has(headerName))) {
29
- return;
30
- }
31
- throw (0, graphql_yoga_1.createGraphQLError)('Required CSRF header(s) not present', {
32
- extensions: {
33
- http: {
34
- status: 403,
35
- },
36
- },
37
- });
38
- },
39
- };
40
- }
41
- const wasTheRequestAlreadyPreflightChecked = (contentType) => {
42
- if (!contentType) {
43
- return false;
44
- }
45
- return !NON_PREFLIGHTED_CONTENT_TYPES.some(nonPreflightContentType => contentType.toLowerCase().startsWith(nonPreflightContentType));
46
- };
package/cjs/package.json DELETED
@@ -1 +0,0 @@
1
- {"type":"commonjs"}
package/esm/index.js DELETED
@@ -1,43 +0,0 @@
1
- import { createGraphQLError } from 'graphql-yoga';
2
- const NON_PREFLIGHTED_CONTENT_TYPES = [
3
- 'application/x-www-form-urlencoded',
4
- 'multipart/form-data',
5
- 'text/plain',
6
- ];
7
- /**
8
- * If you have CORS enabled, almost all requests coming from the browser will have a
9
- * preflight request - however, some requests are deemed "simple" and don't make a preflight.
10
- *
11
- * One example of such a request is a good ol' GET request without any headers, this request can
12
- * be marked as "simple" and have preflight CORS checks skipped therefore skipping the CORS check.
13
- *
14
- * This attack can be mitigated by saying: "all GET requests must have a custom header set". This
15
- * would force all clients to manipulate the headers of GET requests, marking them as "_not-_simple"
16
- * and therefore always executing a preflight request.
17
- */
18
- export function useCSRFPrevention(options = {}) {
19
- const { requestHeaders = ['x-graphql-yoga-csrf'] } = options;
20
- return {
21
- onRequestParse({ request }) {
22
- if (wasTheRequestAlreadyPreflightChecked(request.headers?.get('content-type'))) {
23
- return;
24
- }
25
- if (requestHeaders.some(headerName => request.headers.has(headerName))) {
26
- return;
27
- }
28
- throw createGraphQLError('Required CSRF header(s) not present', {
29
- extensions: {
30
- http: {
31
- status: 403,
32
- },
33
- },
34
- });
35
- },
36
- };
37
- }
38
- const wasTheRequestAlreadyPreflightChecked = (contentType) => {
39
- if (!contentType) {
40
- return false;
41
- }
42
- return !NON_PREFLIGHTED_CONTENT_TYPES.some(nonPreflightContentType => contentType.toLowerCase().startsWith(nonPreflightContentType));
43
- };