@holo-js/security 0.1.3 → 0.1.5

package/dist/next/server.d.ts

@@ -0,0 +1,16 @@
+type NextCsrfRequest = Request & {
+    readonly nextUrl?: URL;
+    readonly cookies?: {
+        get(name: string): string | {
+            readonly value?: string;
+        } | undefined;
+    };
+};
+type NextCsrfMiddleware = (request: NextCsrfRequest) => Response | undefined | Promise<Response | undefined>;
+declare function issueCsrfCookie(request: NextCsrfRequest): Promise<Response | undefined>;
+declare function csrfProtection(): NextCsrfMiddleware;
+declare const nextSecurityInternals: {
+    issueCsrfCookie: typeof issueCsrfCookie;
+};
+
+export { type NextCsrfMiddleware, csrfProtection, nextSecurityInternals };

package/dist/next/server.mjs

@@ -0,0 +1,84 @@
+import {
+  csrf,
+  csrfInternals,
+  getSecurityRuntime,
+  isSecureRequest,
+  protect
+} from "../chunk-Q3A7RJ67.mjs";
+import {
+  SECURITY_CLIENT_CONFIG_COOKIE,
+  createSecurityClientConfig,
+  serializeSecurityClientConfig
+} from "../chunk-FUOZWKHK.mjs";
+import {
+  SecurityCsrfError
+} from "../chunk-EWQKJSFA.mjs";
+
+// src/next/server.ts
+function isSafeMethod(method) {
+  const normalized = method.trim().toUpperCase();
+  return normalized === "GET" || normalized === "HEAD";
+}
+function createCsrfErrorResponse(error) {
+  return new Response(error.message, {
+    status: error.status,
+    headers: {
+      "content-type": "text/plain; charset=utf-8"
+    }
+  });
+}
+function getRequestCookie(request, name) {
+  const cookie = request.cookies?.get(name);
+  if (typeof cookie === "string") {
+    return cookie;
+  }
+  return typeof cookie?.value === "string" ? cookie.value : void 0;
+}
+async function issueCsrfCookie(request) {
+  const { config } = getSecurityRuntime();
+  if (!config.csrf.enabled || !isSafeMethod(request.method)) {
+    return void 0;
+  }
+  const existingCsrfToken = getRequestCookie(request, config.csrf.cookie);
+  const shouldIssueCsrfToken = !existingCsrfToken || !csrfInternals.isValidSignedCsrfToken(existingCsrfToken);
+  const clientConfig = serializeSecurityClientConfig(createSecurityClientConfig(config));
+  const shouldIssueClientConfig = getRequestCookie(request, SECURITY_CLIENT_CONFIG_COOKIE) !== clientConfig;
+  if (!shouldIssueCsrfToken && !shouldIssueClientConfig) {
+    return void 0;
+  }
+  const { NextResponse } = await import("next/server");
+  const response = NextResponse.next();
+  const cookieOptions = {
+    httpOnly: false,
+    path: "/",
+    sameSite: "lax",
+    secure: isSecureRequest(request)
+  };
+  if (shouldIssueCsrfToken) {
+    response.cookies.set(config.csrf.cookie, await csrf.token(request), cookieOptions);
+  }
+  if (shouldIssueClientConfig) {
+    response.cookies.set(SECURITY_CLIENT_CONFIG_COOKIE, clientConfig, cookieOptions);
+  }
+  return response;
+}
+function csrfProtection() {
+  return async (request) => {
+    try {
+      await protect(request);
+    } catch (error) {
+      if (error instanceof SecurityCsrfError) {
+        return createCsrfErrorResponse(error);
+      }
+      throw error;
+    }
+    return await issueCsrfCookie(request);
+  };
+}
+var nextSecurityInternals = {
+  issueCsrfCookie
+};
+export {
+  csrfProtection,
+  nextSecurityInternals
+};

package/dist/nuxt/server.d.ts

@@ -0,0 +1,11 @@
+import { defineEventHandler, H3Event } from 'h3';
+
+declare function createRequest(event: H3Event): Promise<Request>;
+declare function issueCsrfCookie(event: H3Event, request: Request): Promise<void>;
+declare function csrfProtection(): ReturnType<typeof defineEventHandler>;
+declare const nuxtSecurityInternals: {
+    createRequest: typeof createRequest;
+    issueCsrfCookie: typeof issueCsrfCookie;
+};
+
+export { csrfProtection, nuxtSecurityInternals };

package/dist/nuxt/server.mjs

@@ -0,0 +1,109 @@
+import {
+  csrf,
+  csrfInternals,
+  getSecurityRuntime,
+  isSecureRequest,
+  protect
+} from "../chunk-Q3A7RJ67.mjs";
+import {
+  SECURITY_CLIENT_CONFIG_COOKIE,
+  createSecurityClientConfig,
+  serializeSecurityClientConfig
+} from "../chunk-FUOZWKHK.mjs";
+import {
+  SecurityCsrfError
+} from "../chunk-EWQKJSFA.mjs";
+
+// src/nuxt/server.ts
+import {
+  createError,
+  defineEventHandler,
+  getCookie,
+  getMethod,
+  getRequestHeaders,
+  getRequestURL,
+  readRawBody,
+  setCookie
+} from "h3";
+function isSafeMethod(method) {
+  const normalized = method.trim().toUpperCase();
+  return normalized === "GET" || normalized === "HEAD";
+}
+function createHeaders(event) {
+  const headers = new Headers();
+  for (const [name, value] of Object.entries(getRequestHeaders(event))) {
+    if (typeof value === "string") {
+      headers.append(name, value);
+    }
+  }
+  return headers;
+}
+function createRequestBody(body) {
+  if (!body) {
+    return void 0;
+  }
+  const copy = new Uint8Array(body.byteLength);
+  copy.set(body);
+  return copy.buffer;
+}
+async function createRequest(event) {
+  const method = getMethod(event);
+  const headers = createHeaders(event);
+  const body = isSafeMethod(method) ? void 0 : await readRawBody(event, false);
+  return new Request(getRequestURL(event), {
+    method,
+    headers,
+    body: createRequestBody(body)
+  });
+}
+async function issueCsrfCookie(event, request) {
+  const { config } = getSecurityRuntime();
+  if (!config.csrf.enabled || !isSafeMethod(request.method)) {
+    return;
+  }
+  const existingCsrfToken = getCookie(event, config.csrf.cookie);
+  const shouldIssueCsrfToken = !existingCsrfToken || !csrfInternals.isValidSignedCsrfToken(existingCsrfToken);
+  const clientConfig = serializeSecurityClientConfig(createSecurityClientConfig(config));
+  const shouldIssueClientConfig = getCookie(event, SECURITY_CLIENT_CONFIG_COOKIE) !== clientConfig;
+  if (!shouldIssueCsrfToken && !shouldIssueClientConfig) {
+    return;
+  }
+  const cookieOptions = {
+    httpOnly: false,
+    path: "/",
+    sameSite: "lax",
+    secure: isSecureRequest(request)
+  };
+  if (shouldIssueCsrfToken) {
+    setCookie(event, config.csrf.cookie, await csrf.token(request), cookieOptions);
+  }
+  if (shouldIssueClientConfig) {
+    setCookie(event, SECURITY_CLIENT_CONFIG_COOKIE, clientConfig, cookieOptions);
+  }
+}
+function csrfProtection() {
+  return defineEventHandler(async (event) => {
+    const request = await createRequest(event);
+    try {
+      await protect(request);
+    } catch (error) {
+      if (error instanceof SecurityCsrfError) {
+        throw createError({
+          statusCode: error.status,
+          statusMessage: error.message,
+          message: error.message
+        });
+      }
+      throw error;
+    }
+    await issueCsrfCookie(event, request);
+  });
+}
+var nuxtSecurityInternals = {
+  createRequest,
+  issueCsrfCookie
+};
+export {
+  csrfProtection,
+  nuxtSecurityInternals
+};

package/dist/sveltekit/server.d.ts

@@ -0,0 +1,37 @@
+type SvelteKitCookieOptions = {
+    path: string;
+    secure?: boolean;
+    httpOnly?: boolean;
+    sameSite?: 'lax' | 'strict' | 'none';
+};
+type SvelteKitCsrfEvent = {
+    readonly url: URL;
+    readonly request: Request;
+    readonly cookies: {
+        get(name: string): string | undefined;
+        set(name: string, value: string, options: SvelteKitCookieOptions): void;
+    };
+};
+type SvelteKitResolveOptions = {
+    readonly transformPageChunk?: (input: {
+        readonly html: string;
+        readonly done: boolean;
+    }) => string | Promise<string>;
+    readonly filterSerializedResponseHeaders?: (name: string, value: string) => boolean;
+    readonly preload?: (input: {
+        readonly type: 'js' | 'css' | 'font' | 'asset';
+        readonly path: string;
+    }) => boolean;
+};
+type SvelteKitCsrfHandleInput<TEvent extends SvelteKitCsrfEvent = SvelteKitCsrfEvent> = {
+    readonly event: TEvent;
+    readonly resolve: (event: TEvent, options?: SvelteKitResolveOptions) => Response | Promise<Response>;
+};
+type SvelteKitCsrfHandle = <TEvent extends SvelteKitCsrfEvent>(input: SvelteKitCsrfHandleInput<TEvent>) => Response | Promise<Response>;
+declare function issueCsrfCookie(event: SvelteKitCsrfEvent): Promise<void>;
+declare function csrfProtection(): SvelteKitCsrfHandle;
+declare const svelteKitSecurityInternals: {
+    issueCsrfCookie: typeof issueCsrfCookie;
+};
+
+export { type SvelteKitCsrfHandle, type SvelteKitCsrfHandleInput, csrfProtection, svelteKitSecurityInternals };

package/dist/sveltekit/server.mjs

@@ -0,0 +1,68 @@
+import {
+  csrf,
+  getSecurityRuntime,
+  isSecureRequest,
+  protect
+} from "../chunk-Q3A7RJ67.mjs";
+import {
+  SECURITY_CLIENT_CONFIG_COOKIE,
+  createSecurityClientConfig,
+  serializeSecurityClientConfig
+} from "../chunk-FUOZWKHK.mjs";
+import {
+  SecurityCsrfError
+} from "../chunk-EWQKJSFA.mjs";
+
+// src/sveltekit/server.ts
+function isSafeMethod(method) {
+  const normalized = method.trim().toUpperCase();
+  return normalized === "GET" || normalized === "HEAD";
+}
+async function issueCsrfCookie(event) {
+  const runtime = getSecurityRuntime();
+  const { config } = runtime;
+  if (!config.csrf.enabled || !isSafeMethod(event.request.method)) {
+    return;
+  }
+  event.cookies.set(config.csrf.cookie, await csrf.token(event.request), {
+    httpOnly: false,
+    path: "/",
+    sameSite: "lax",
+    secure: isSecureRequest(event.request)
+  });
+  event.cookies.set(SECURITY_CLIENT_CONFIG_COOKIE, serializeSecurityClientConfig(createSecurityClientConfig(config)), {
+    httpOnly: false,
+    path: "/",
+    sameSite: "lax",
+    secure: isSecureRequest(event.request)
+  });
+}
+function createCsrfErrorResponse(error) {
+  return new Response(error.message, {
+    status: error.status,
+    headers: {
+      "content-type": "text/plain; charset=utf-8"
+    }
+  });
+}
+function csrfProtection() {
+  return async ({ event, resolve }) => {
+    try {
+      await protect(event.request);
+    } catch (error) {
+      if (error instanceof SecurityCsrfError) {
+        return createCsrfErrorResponse(error);
+      }
+      throw error;
+    }
+    await issueCsrfCookie(event);
+    return resolve(event);
+  };
+}
+var svelteKitSecurityInternals = {
+  issueCsrfCookie
+};
+export {
+  csrfProtection,
+  svelteKitSecurityInternals
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@holo-js/security",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Holo-JS Framework - CSRF and rate-limit contracts, config, and runtime seams",
   "type": "module",
   "license": "MIT",
@@ -20,6 +20,21 @@
       "import": "./dist/contracts.mjs",
       "default": "./dist/contracts.mjs"
     },
+    "./next/server": {
+      "types": "./dist/next/server.d.ts",
+      "import": "./dist/next/server.mjs",
+      "default": "./dist/next/server.mjs"
+    },
+    "./nuxt/server": {
+      "types": "./dist/nuxt/server.d.ts",
+      "import": "./dist/nuxt/server.mjs",
+      "default": "./dist/nuxt/server.mjs"
+    },
+    "./sveltekit/server": {
+      "types": "./dist/sveltekit/server.d.ts",
+      "import": "./dist/sveltekit/server.mjs",
+      "default": "./dist/sveltekit/server.mjs"
+    },
     "./drivers/redis-adapter": {
       "types": "./dist/drivers/redis-adapter.d.ts",
       "import": "./dist/drivers/redis-adapter.mjs",
@@ -35,24 +50,34 @@
     "build": "tsup",
     "stub": "tsup",
     "typecheck": "tsc -p tsconfig.json --noEmit",
-    "test": "vitest --run"
+    "test": "vitest --run --coverage"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.3"
+    "@holo-js/config": "^0.1.5"
   },
   "peerDependencies": {
-    "ioredis": "catalog:"
+    "h3": "^1.15.11",
+    "next": "^16.2.4",
+    "ioredis": "^5.4.2"
   },
   "peerDependenciesMeta": {
+    "h3": {
+      "optional": true
+    },
+    "next": {
+      "optional": true
+    },
     "ioredis": {
       "optional": true
     }
   },
   "devDependencies": {
     "@types/node": "^22.10.2",
-    "ioredis": "catalog:",
+    "h3": "^1.15.11",
+    "ioredis": "^5.4.2",
+    "next": "^16.2.4",
     "tsup": "^8.3.5",
     "typescript": "^5.7.2",
-    "vitest": "^2.1.8"
+    "vitest": "^4.1.5"
   }
 }