@meridianjs/framework 0.1.9 → 0.1.12
- package/dist/index.d.ts +14 -2
- package/dist/index.js +8 -0
- package/package.json +3 -1
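--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -173,8 +173,20 @@ declare class ConsoleLogger implements ILogger {
 
 declare function createServer(container: MeridianContainer, config: MeridianConfig): Express;
 
-/**
+/**
+* Strict limiter for password-based auth endpoints (login, register).
+* 10 requests per minute per IP — guards against brute-force attacks.
+*/
 declare const authRateLimit: express_rate_limit.RateLimitRequestHandler;
+/**
+* Loose limiter for OAuth redirect/callback endpoints.
+* 30 requests per minute per IP — a complete OAuth flow (initiate → callback →
+* exchange) consumes 3 requests, so 30/min allows ~10 flows per minute.
+* OAuth routes are not brute-forceable at the application level because they
+* require a real interaction with the external identity provider and a
+* cryptographic CSRF nonce.
+*/
+declare const oauthRateLimit: express_rate_limit.RateLimitRequestHandler;
 /** General API limiter: 300 requests per minute per IP. */
 declare const apiRateLimit: express_rate_limit.RateLimitRequestHandler;
 
@@ -211,4 +223,4 @@ declare class SseManager {
 /** Singleton shared across all routes and subscribers. */
 declare const sseManager: SseManager;
 
-export { type BootstrapOptions, ConsoleLogger, type MeridianApp, type MiddlewareRoute, type MiddlewaresConfig, SseManager, apiRateLimit, authRateLimit, bootstrap, createMeridianContainer, createServer, defineConfig, defineMiddlewares, loadConfig, loadJobs, loadLinks, loadModules, loadPlugins, loadRoutes, loadSubscribers, resolveModuleDefinition, sseManager, validate };
+export { type BootstrapOptions, ConsoleLogger, type MeridianApp, type MiddlewareRoute, type MiddlewaresConfig, SseManager, apiRateLimit, authRateLimit, bootstrap, createMeridianContainer, createServer, defineConfig, defineMiddlewares, loadConfig, loadJobs, loadLinks, loadModules, loadPlugins, loadRoutes, loadSubscribers, oauthRateLimit, resolveModuleDefinition, sseManager, validate };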
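Review bot: The new doc comment on `oauthRateLimit` (new lines 185–187) states that OAuth routes "are not brute-forceable at the application level"; that property depends on how the callback route validates the state nonce and the authorization code, which is not part of this declaration file, so the comment should not read as a guarantee. Consider rewording it as the rationale for the looser bound, e.g. `* Looser than authRateLimit because a callback is only useful together with a valid state nonce and a provider-issued code; the limiter still bounds abusive traffic per IP.` Also, 30/min per IP is shared by every user behind the same NAT or corporate egress, which the "~10 flows per minute" figure assumes away — worth a sentence if that trade-off is intended.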
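--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -510,6 +510,7 @@ function resolveNpmPackageRoot(packageName, fromDir) {
 
 // src/server.ts
 import express from "express";
+import cookieParser from "cookie-parser";
 import cors from "cors";
 import helmet from "helmet";
 function createServer(container, config) {
@@ -518,6 +519,7 @@ function createServer(container, config) {
 const logger = container.resolve("logger");
 app.use(express.json({ limit: "10mb" }));
 app.use(express.urlencoded({ extended: true, limit: "10mb" }));
+app.use(cookieParser());
 app.use(helmet({
 contentSecurityPolicy: {
 directives: {
@@ -728,6 +730,11 @@ var authRateLimit = rateLimit({
 max: 10,
 ...sharedOpts
 });
+var oauthRateLimit = rateLimit({
+windowMs: 6e4,
+max: 30,
+...sharedOpts
+});
 var apiRateLimit = rateLimit({
 windowMs: 6e4,
 max: 300,
@@ -818,6 +825,7 @@ export {
 loadPlugins,
 loadRoutes,
 loadSubscribers,
+oauthRateLimit,
 resolveModuleDefinition,
 sseManager,
 validate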
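Review bot: `app.use(cookieParser())` at new line 522 is registered without a secret, so only `req.cookies` is populated and nothing the framework or its routes read from cookies can be integrity-checked via `req.signedCookies`. If the OAuth flow this release adds keeps its CSRF nonce or a session reference in a cookie, pass a secret sourced from `config`, `app.use(cookieParser(secret))`, and read it back from `req.signedCookies`; the routes are not in this diff, so that is inferred. `createServer` continues outside the hunk. Separately, `windowMs: 6e4` is now repeated in the limiters (new lines 734 and 739, and presumably `authRateLimit` above the hunk); a named constant such as `var ONE_MINUTE_MS = 6e4;` would make the shared window explicit, and the per-IP keying described in the .d.ts only holds if Express's `trust proxy` is configured when the app sits behind a load balancer.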
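--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@meridianjs/framework",
-"version": "0.1.
+"version": "0.1.12",
 "description": "Core Meridian framework: bootstrap, DI container, module/route/subscriber/job loaders",
 "main": "./dist/index.js",
 "module": "./dist/index.js",
@@ -26,6 +26,7 @@
 "@meridianjs/framework-utils": "^0.1.0",
 "@meridianjs/types": "^0.1.0",
 "awilix": "^12.0.5",
+"cookie-parser": "^1.4.7",
 "cors": "^2.8.5",
 "express": "^4.21.2",
 "express-rate-limit": "^7.5.0",
@@ -33,6 +34,7 @@
 "zod": "^3.24.0"
 },
 "devDependencies": {
+"@types/cookie-parser": "^1.4.8",
 "@types/cors": "^2.8.17",
 "@types/express": "^5.0.0",
 "tsup": "^8.3.5",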