@hyperspan/framework 0.4.1 → 0.4.3

package/dist/server.js

@@ -29,7 +29,8 @@ async function clientJSPlugin(config) {
           external: Array.from(clientImportMap.keys()),
           minify: true,
           format: "esm",
-          target: "browser"
+          target: "browser",
+          env: "APP_PUBLIC_*"
         });
         const esmName = String(result.outputs[0].path.split("/").reverse()[0]).replace(".js", "");
         clientImportMap.set(esmName, `${CLIENTJS_PUBLIC_PATH}/${esmName}.js`);
@@ -1893,6 +1894,38 @@ var HTTPException = class extends Error {
   }
 };
 
+// ../../node_modules/hono/dist/middleware/csrf/index.js
+var isSafeMethodRe = /^(GET|HEAD)$/;
+var isRequestedByFormElementRe = /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i;
+var csrf = (options) => {
+  const handler = ((optsOrigin) => {
+    if (!optsOrigin) {
+      return (origin, c) => origin === new URL(c.req.url).origin;
+    } else if (typeof optsOrigin === "string") {
+      return (origin) => origin === optsOrigin;
+    } else if (typeof optsOrigin === "function") {
+      return optsOrigin;
+    } else {
+      return (origin) => optsOrigin.includes(origin);
+    }
+  })(options?.origin);
+  const isAllowedOrigin = (origin, c) => {
+    if (origin === undefined) {
+      return false;
+    }
+    return handler(origin, c);
+  };
+  return async function csrf2(c, next) {
+    if (!isSafeMethodRe.test(c.req.method) && isRequestedByFormElementRe.test(c.req.header("content-type") || "text/plain") && !isAllowedOrigin(c.req.header("origin"), c)) {
+      const res = new Response("Forbidden", {
+        status: 403
+      });
+      throw new HTTPException(403, { res });
+    }
+    await next();
+  };
+};
+
 // src/server.ts
 var IS_PROD = false;
 var CWD = process.cwd();
@@ -2192,6 +2225,7 @@ function createRouteFromModule(RouteModule) {
 async function createServer(config) {
   await Promise.all([buildClientJS(), buildClientCSS(), clientJSPlugin(config)]);
   const app = new Hono2;
+  app.use(csrf());
   config.beforeRoutesAdded && config.beforeRoutesAdded(app);
   const [routes, actions] = await Promise.all([buildRoutes(config), buildActions(config)]);
   const fileRoutes = routes.concat(actions);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hyperspan/framework",
-  "version": "0.4.1",
+  "version": "0.4.3",
   "description": "Hyperspan Web Framework",
   "main": "dist/server.ts",
   "types": "src/server.ts",

package/src/clientjs/hyperspan-client.ts

@@ -12,7 +12,7 @@ function htmlAsyncContentObserver() {
       const asyncContent = list
         .map((mutation) =>
           Array.from(mutation.addedNodes).find((node: any) => {
-            if (!node) {
+            if (!node || !node?.id) {
               return false;
             }
             return node.id?.startsWith('async_loading_') && node.id?.endsWith('_content');

package/src/plugins.ts

@@ -34,6 +34,7 @@ export async function clientJSPlugin(config: THSServerConfig) {
           minify: true,
           format: 'esm',
           target: 'browser',
+          env: 'APP_PUBLIC_*',
         });
 
         // Add output file to import map

package/src/server.ts

@@ -7,6 +7,7 @@ import { isbot } from 'isbot';
 import { Hono, type Context } from 'hono';
 import { serveStatic } from 'hono/bun';
 import { HTTPException } from 'hono/http-exception';
+import { csrf } from 'hono/csrf';
 
 import type { HandlerResponse, MiddlewareHandler } from 'hono/types';
 import type { ContentfulStatusCode } from 'hono/utils/http-status';
@@ -509,6 +510,8 @@ export async function createServer(config: THSServerConfig): Promise<Hono> {
 
   const app = new Hono();
 
+  app.use(csrf());
+
   // [Customization] Before routes added...
   config.beforeRoutesAdded && config.beforeRoutesAdded(app);