@midwayjs/security 3.0.0-beta.16

package/README.md

@@ -0,0 +1,166 @@
+# Security 安全组件
+
+适用于 `@midwayjs/faas` 、`@midwayjs/web` 、`@midwayjs/koa` 和 `@midwayjs/express` 多种框架的通用安全组件，支持 `csrf` 、`xss` 等多种安全策略。
+
+## 安装使用
+
+1. 安装依赖
+```shell
+tnpm i @midwayjs/security --save
+```
+2. 在 configuration 中引入组件,
+```ts
+import * as Security from '@midwayjs/security';
+@Configuration({
+  imports: [
+    // ...other components
+    Security
+  ],
+})
+export class AutoConfiguration {}
+```
+
+
+
+## 配置
+```ts
+// 默认配置
+export const security = {
+  csrf: {
+    enable: true,
+    type: 'ctoken',
+    useSession: false,
+    cookieName: 'csrfToken',
+    sessionName: 'csrfToken',
+    headerName: 'x-csrf-token',
+    bodyName: '_csrf',
+    queryName: '_csrf',
+    refererWhiteList: [],
+  },
+  xframe: {
+    enable: true,
+    value: 'SAMEORIGIN',
+  },
+  csp: {
+    enable: false,
+  },
+  hsts: {
+    enable: false,
+    maxAge: 365 * 24 * 3600,
+    includeSubdomains: false,
+  },
+  noopen: {
+    enable: false,
+  },
+  nosniff: {
+    enable: false,
+  },
+  xssProtection: {
+    enable: true,
+    value: '1; mode=block',
+  },
+}
+```
+
+### csrf
+
+| 配置项 | 类型 | 作用描述 | 默认值 |
+| --- | --- | --- | --- |
+| enable | boolean | 是否开启 | true |
+| type | 'all' / 'any' / 'ctoken' / 'referer' | csrf 校验类型，all/any 等于 ctoken + referer | 'ctoken' 从query/header/body 中获取 csrf token |
+| useSession | boolean | csrf token 是否存放在 session 中 | false，默认存放在 cookies 中 |
+| cookieName | string | token 在 cookie 中存放的 字段 | 'csrfToken' |
+| sessionName | string | token 在 session 中存放的 字段 | 'csrfToken' |
+| headerName | string | token 在 header 中存放的 字段 | 'x-csrf-token' |
+| bodyName | string | token 在 body 中存放的 字段 | '_csrf' |
+| queryName | string | token 在 query 中存放的 字段 | '_csrf' |
+| refererWhiteList | Array<string> | 允许的来源白名单 | [] |
+
+
+### xframe
+
+
+xframe 用来配置 `X-Frame-Options` 响应头，用来给浏览器指示允许一个页面可否在 `frame`, `iframe`, `embed` 或者 `object` 中展现的标记。站点可以通过确保网站没有被嵌入到别人的站点里面，从而避免 `clickjacking` 攻击。
+
+`X-Frame-Options` 有三个可能的值：
+
++ X-Frame-Options: deny：页面不允许在 frame 中展示
++ X-Frame-Options: sameorigin：该页面可以在相同域名页面的 frame 中展示
++ X-Frame-Options: allow-from https://example.com/：该页面可以在指定来源的 frame 中展示
+
+
+
+| 配置项 | 类型 | 作用描述 | 默认值 |
+| --- | --- | --- | --- |
+| enable | boolean | 是否开启 | true |
+| value | string | X-Frame-Options 值 | 'SAMEORIGIN' |
+
+
+
+### hsts
+
+`HTTP Strict Transport Security`（通常简称为 `HSTS` ）是一个安全功能，它告诉浏览器只能通过 `HTTPS` 访问当前资源，而不是 `HTTP`。
+
+| 配置项 | 类型 | 作用描述 | 默认值 |
+| --- | --- | --- | --- |
+| enable | boolean | 是否开启 | false |
+| maxAge | number | 在浏览器收到这个请求后的多少 `秒` 时间内凡是访问这个域名下的请求都使用HTTPS请求 | `365 * 24 * 3600` 即一年 |
+| includeSubdomains | boolean | 此规则是否适用于该网站的所有子域名 | false |
+
+
+### csp
+
+HTTP 响应头 `Content-Security-Policy` 允许站点管理者控制指定的页面加载哪些资源。这将帮助防止跨站脚本攻击（XSS）。
+
+
+| 配置项 | 类型 | 作用描述 | 默认值 |
+| --- | --- | --- | --- |
+| enable | boolean | 是否开启 | false |
+| policy | Object<key: string, value: string / string[] / boolean> | 策略列表 | {} |
+| reportOnly | boolean | 是否开启 | false |
+| supportIE | boolean | 是否支持IE浏览器 | false |
+
+详细的 `policy` 配置可以参考: [Content Security Policy (CSP) 是什么？阿里聚安全](https://www.zhihu.com/question/21979782/answer/122682029)
+
+
+### noopen
+
+用于指定 `IE 8` 以上版本的用户不打开文件而直接保存文件。在下载对话框中不显示“打开”选项。
+
+| 配置项 | 类型 | 作用描述 | 默认值 |
+| --- | --- | --- | --- |
+| enable | boolean | 是否开启 | false |
+
+
+
+
+### nosniff
+
+开启后，如果从 `script` 或 `stylesheet` 读入的文件的 `MIME` 类型与指定 `MIME` 类型不匹配，不允许读取该文件。用于防止 `XSS` 等跨站脚本攻击。
+
+| 配置项 | 类型 | 作用描述 | 默认值 |
+| --- | --- | --- | --- |
+| enable | boolean | 是否开启 | false |
+
+
+
+
+### xssProtection
+
+用于启用浏览器的XSS过滤功能，以防止 `XSS` 跨站脚本攻击。
+
+`X-XSS-Protection` 响应头是 `IE`，`Chrome` 和 `Safari` 的一个特性，当检测到跨站脚本攻击 (XSS (en-US))时，浏览器将停止加载页面。若网站设置了良好的 `Content-Security-Policy` 来禁用内联 JavaScript ('unsafe-inline')，现代浏览器不太需要这些保护， 但其仍然可以为尚不支持 `CSP` 的旧版浏览器的用户提供保护。
+
+`X-XSS-Protection` 可以配置下述四个值
+
++ `0`: 禁止XSS过滤。
++ `1`：启用XSS过滤（通常浏览器是默认的）。 如果检测到跨站脚本攻击，浏览器将清除页面（删除不安全的部分）。
++ `1;mode=block`：启用XSS过滤。 如果检测到攻击，浏览器将不会清除页面，而是阻止页面加载。
++ `1; report=<reporting-URI>`： Chromium only，启用XSS过滤。 如果检测到跨站脚本攻击，浏览器将清除页面并使用CSP report-uri (en-US)指令的功能发送违规报告。
+
+| 配置项 | 类型 | 作用描述 | 默认值 |
+| --- | --- | --- | --- |
+| enable | boolean | 是否开启 | false |
+| value | string | X-XSS-Protection 配置 | `1; mode=block` |
+
+

package/dist/config/config.default.d.ts

@@ -0,0 +1,3 @@
+import { SecurityOptions } from '../interface';
+export declare const security: Partial<SecurityOptions>;
+//# sourceMappingURL=config.default.d.ts.map

package/dist/config/config.default.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.security = void 0;
+exports.security = {
+    csrf: {
+        enable: true,
+        type: 'ctoken',
+        useSession: false,
+        cookieName: 'csrfToken',
+        sessionName: 'csrfToken',
+        headerName: 'x-csrf-token',
+        bodyName: '_csrf',
+        queryName: '_csrf',
+        refererWhiteList: [],
+    },
+    xframe: {
+        enable: true,
+        value: 'SAMEORIGIN',
+    },
+    csp: {
+        enable: false,
+    },
+    hsts: {
+        enable: false,
+        maxAge: 365 * 24 * 3600,
+        includeSubdomains: false,
+    },
+    noopen: {
+        enable: false,
+    },
+    nosniff: {
+        enable: false,
+    },
+    xssProtection: {
+        enable: true,
+        value: '1; mode=block',
+    },
+};
+//# sourceMappingURL=config.default.js.map

package/dist/configuration.d.ts

@@ -0,0 +1,8 @@
+import { MidwayApplicationManager } from '@midwayjs/core';
+import { SecurityOptions } from './interface';
+export declare class SecurityConfiguration {
+    applicationManager: MidwayApplicationManager;
+    security: SecurityOptions;
+    onReady(): Promise<void>;
+}
+//# sourceMappingURL=configuration.d.ts.map

package/dist/configuration.js

@@ -0,0 +1,72 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityConfiguration = void 0;
+const decorator_1 = require("@midwayjs/decorator");
+const DefaultConfig = require("./config/config.default");
+const core_1 = require("@midwayjs/core");
+const csrf_1 = require("./middleware/csrf");
+const xframe_1 = require("./middleware/xframe");
+const hsts_1 = require("./middleware/hsts");
+const noopen_1 = require("./middleware/noopen");
+const _1 = require(".");
+const xssProtection_1 = require("./middleware/xssProtection");
+const csp_1 = require("./middleware/csp");
+let SecurityConfiguration = class SecurityConfiguration {
+    async onReady() {
+        this.applicationManager
+            .getApplications(['koa', 'faas', 'express', 'egg'])
+            .forEach(app => {
+            var _a, _b, _c, _d, _e, _f, _g;
+            if ((_a = this.security.csrf) === null || _a === void 0 ? void 0 : _a.enable) {
+                app.useMiddleware(csrf_1.CSRFMiddleware);
+            }
+            if ((_b = this.security.csp) === null || _b === void 0 ? void 0 : _b.enable) {
+                app.useMiddleware(csp_1.CSPMiddleware);
+            }
+            if ((_c = this.security.xframe) === null || _c === void 0 ? void 0 : _c.enable) {
+                app.useMiddleware(xframe_1.XFrameMiddleware);
+            }
+            if ((_d = this.security.hsts) === null || _d === void 0 ? void 0 : _d.enable) {
+                app.useMiddleware(hsts_1.HSTSMiddleware);
+            }
+            if ((_e = this.security.noopen) === null || _e === void 0 ? void 0 : _e.enable) {
+                app.useMiddleware(noopen_1.NoOpenMiddleware);
+            }
+            if ((_f = this.security.nosniff) === null || _f === void 0 ? void 0 : _f.enable) {
+                app.useMiddleware(_1.NoSniffMiddleware);
+            }
+            if ((_g = this.security.xssProtection) === null || _g === void 0 ? void 0 : _g.enable) {
+                app.useMiddleware(xssProtection_1.XSSProtectionMiddleware);
+            }
+        });
+    }
+};
+__decorate([
+    (0, decorator_1.Inject)(),
+    __metadata("design:type", core_1.MidwayApplicationManager)
+], SecurityConfiguration.prototype, "applicationManager", void 0);
+__decorate([
+    (0, decorator_1.Config)('security'),
+    __metadata("design:type", Object)
+], SecurityConfiguration.prototype, "security", void 0);
+SecurityConfiguration = __decorate([
+    (0, decorator_1.Configuration)({
+        namespace: 'security',
+        importConfigs: [
+            {
+                default: DefaultConfig,
+            },
+        ],
+    })
+], SecurityConfiguration);
+exports.SecurityConfiguration = SecurityConfiguration;
+//# sourceMappingURL=configuration.js.map

package/dist/error.d.ts

@@ -0,0 +1,5 @@
+import { httpError } from '@midwayjs/core';
+export declare class CSRFError extends httpError.ForbiddenError {
+    constructor(message?: any);
+}
+//# sourceMappingURL=error.d.ts.map

package/dist/error.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CSRFError = void 0;
+const core_1 = require("@midwayjs/core");
+// csrf 403
+class CSRFError extends core_1.httpError.ForbiddenError {
+    constructor(message) {
+        super(message || 'csrf error');
+    }
+}
+exports.CSRFError = CSRFError;
+//# sourceMappingURL=error.js.map

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { SecurityConfiguration as Configuration } from './configuration';
+export * from './interface';
+export * from './middleware/csrf';
+export * from './middleware/xframe';
+export * from './middleware/hsts';
+export * from './middleware/noopen';
+export * from './middleware/nosniff';
+export * from './middleware/xssProtection';
+export * from './middleware/csp';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -0,0 +1,24 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Configuration = void 0;
+var configuration_1 = require("./configuration");
+Object.defineProperty(exports, "Configuration", { enumerable: true, get: function () { return configuration_1.SecurityConfiguration; } });
+__exportStar(require("./interface"), exports);
+__exportStar(require("./middleware/csrf"), exports);
+__exportStar(require("./middleware/xframe"), exports);
+__exportStar(require("./middleware/hsts"), exports);
+__exportStar(require("./middleware/noopen"), exports);
+__exportStar(require("./middleware/nosniff"), exports);
+__exportStar(require("./middleware/xssProtection"), exports);
+__exportStar(require("./middleware/csp"), exports);
+//# sourceMappingURL=index.js.map

package/dist/interface.d.ts

@@ -0,0 +1,43 @@
+export interface SecurityOptions {
+    csrf: Partial<SecurityCSRFOptions>;
+    csp: Partial<SecurityCSPOptions>;
+    xframe: Partial<SecurityXFrameOptions>;
+    hsts: Partial<SecurityHSTSOptions>;
+    noopen: Partial<SecurityEnableOptions>;
+    nosniff: Partial<SecurityEnableOptions>;
+    xssProtection: Partial<SecurityXSSProtectionOptions>;
+}
+export interface SecurityCSRFOptions extends SecurityEnableOptions {
+    type: SecurityCSRFType;
+    useSession: boolean;
+    cookieName: string | string[];
+    sessionName: string;
+    headerName: string;
+    bodyName: string;
+    queryName: string;
+    refererWhiteList: string[];
+    cookieDomain: (context: any) => string;
+    matching: (context: any) => boolean;
+}
+export interface SecurityXFrameOptions extends SecurityEnableOptions {
+    value: string;
+}
+export interface SecurityHSTSOptions extends SecurityEnableOptions {
+    maxAge: number;
+    includeSubdomains: boolean;
+}
+export interface SecurityXSSProtectionOptions extends SecurityEnableOptions {
+    value: string;
+}
+export interface SecurityCSPOptions extends SecurityEnableOptions {
+    policy: {
+        [otherPolicy: string]: string | string[] | boolean;
+    };
+    reportOnly: boolean;
+    supportIE: boolean;
+}
+export interface SecurityEnableOptions {
+    enable: boolean;
+}
+export declare type SecurityCSRFType = 'all' | 'any' | 'ctoken' | 'referer';
+//# sourceMappingURL=interface.d.ts.map

package/dist/interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=interface.js.map

package/dist/middleware/base.d.ts

@@ -0,0 +1,8 @@
+import { IMiddleware } from '@midwayjs/core';
+import { SecurityOptions } from '../interface';
+export declare abstract class BaseMiddleware implements IMiddleware<any, any> {
+    security: SecurityOptions;
+    resolve(app: any): (req: any, res: any, next: any) => Promise<any>;
+    abstract compatibleMiddleware(context: any, req: any, res: any, next: any): any;
+}
+//# sourceMappingURL=base.d.ts.map

package/dist/middleware/base.js

@@ -0,0 +1,33 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BaseMiddleware = void 0;
+const decorator_1 = require("@midwayjs/decorator");
+class BaseMiddleware {
+    resolve(app) {
+        if (app.getFrameworkType() === decorator_1.MidwayFrameworkType.WEB_EXPRESS) {
+            return async (req, res, next) => {
+                return this.compatibleMiddleware(req, req, res, next);
+            };
+        }
+        else {
+            return async (ctx, next) => {
+                return this.compatibleMiddleware(ctx, ctx.request, ctx, next);
+            };
+        }
+    }
+}
+__decorate([
+    (0, decorator_1.Config)('security'),
+    __metadata("design:type", Object)
+], BaseMiddleware.prototype, "security", void 0);
+exports.BaseMiddleware = BaseMiddleware;
+//# sourceMappingURL=base.js.map

package/dist/middleware/csp.d.ts

@@ -0,0 +1,5 @@
+import { BaseMiddleware } from './base';
+export declare class CSPMiddleware extends BaseMiddleware {
+    compatibleMiddleware(context: any, req: any, res: any, next: any): Promise<any>;
+}
+//# sourceMappingURL=csp.d.ts.map

package/dist/middleware/csp.js

@@ -0,0 +1,81 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CSPMiddleware = void 0;
+const decorator_1 = require("@midwayjs/decorator");
+const base_1 = require("./base");
+const platform_1 = require("platform");
+const non_secure_1 = require("nanoid/non-secure");
+const HEADER = ['x-content-security-policy', 'content-security-policy'];
+const REPORT_ONLY_HEADER = [
+    'x-content-security-policy-report-only',
+    'content-security-policy-report-only',
+];
+const NONCE = Symbol('midway-security#NONCE');
+let CSPMiddleware = class CSPMiddleware extends base_1.BaseMiddleware {
+    async compatibleMiddleware(context, req, res, next) {
+        Object.defineProperty(context, 'nonce', {
+            get: () => {
+                if (!context[NONCE]) {
+                    context[NONCE] = non_secure_1.nanoid(16);
+                }
+                return context[NONCE];
+            },
+        });
+        const result = await next();
+        let finalHeader;
+        let value;
+        const { policy = {}, reportOnly, supportIE } = this.security.csp;
+        const isIE = (0, platform_1.parse)(req.header['user-agent']).name === 'IE';
+        const bufArray = [];
+        const headers = reportOnly ? REPORT_ONLY_HEADER : HEADER;
+        if (isIE && supportIE) {
+            finalHeader = headers[0];
+        }
+        else {
+            finalHeader = headers[1];
+        }
+        for (const key in policy) {
+            value = policy[key];
+            value = Array.isArray(value) ? value : [value];
+            switch (key) {
+                case 'sandbox':
+                    if (value[0] === true) {
+                        bufArray.push(key);
+                    }
+                    break;
+                default:
+                    if (key === 'script-src') {
+                        const hasNonce = value.find(val => {
+                            return val.includes('nonce-');
+                        });
+                        if (!hasNonce) {
+                            value.push(`'nonce-${context.nonce}'`);
+                        }
+                    }
+                    value = value.map(d => {
+                        if (d.startsWith('.')) {
+                            d = '*' + d;
+                        }
+                        return d;
+                    });
+                    bufArray.push(key + ' ' + value.join(' '));
+                    break;
+            }
+        }
+        const headerString = bufArray.join(';');
+        res.set(finalHeader, headerString);
+        res.set('x-csp-nonce', context.nonce);
+        return result;
+    }
+};
+CSPMiddleware = __decorate([
+    (0, decorator_1.Middleware)()
+], CSPMiddleware);
+exports.CSPMiddleware = CSPMiddleware;
+//# sourceMappingURL=csp.js.map

package/dist/middleware/csrf.d.ts

@@ -0,0 +1,11 @@
+import { BaseMiddleware } from './base';
+export declare class CSRFMiddleware extends BaseMiddleware {
+    compatibleMiddleware(context: any, req: any, res: any, next: any): Promise<any>;
+    assertCsrf(context: any, request: any): void;
+    getCSRFSecret(context: any): any;
+    getInputToken(context: any, request: any): any;
+    private checkCSRFToken;
+    private checkCSRFReferer;
+    private ensureCsrfSecret;
+}
+//# sourceMappingURL=csrf.d.ts.map

package/dist/middleware/csrf.js

@@ -0,0 +1,161 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CSRFMiddleware = void 0;
+const decorator_1 = require("@midwayjs/decorator");
+const error_1 = require("../error");
+const CsrfTokens = require("csrf");
+const utils_1 = require("../utils");
+const base_1 = require("./base");
+const _CSRF_SECRET = Symbol('midway-security#_CSRF_SECRET');
+const NEW_CSRF_SECRET = Symbol('midway-security#NEW_CSRF_SECRET');
+const tokens = new CsrfTokens();
+let CSRFMiddleware = class CSRFMiddleware extends base_1.BaseMiddleware {
+    async compatibleMiddleware(context, req, res, next) {
+        context.assertCsrf = () => {
+            this.assertCsrf(context, req);
+        };
+        // Must call this method when user login to ensure each user has independent secret.
+        context.rotateCsrfSecret = () => {
+            if (!context[NEW_CSRF_SECRET] && this.getCSRFSecret(context)) {
+                this.ensureCsrfSecret(context, req, res, true);
+            }
+        };
+        Object.defineProperty(context, 'csrf', {
+            get: () => {
+                const secret = context[NEW_CSRF_SECRET] || this.getCSRFSecret(context);
+                return secret ? tokens.create(secret) : '';
+            },
+        });
+        // ensure csrf token exists
+        if (['any', 'all', 'ctoken'].includes(this.security.csrf.type)) {
+            this.ensureCsrfSecret(context, req, res);
+        }
+        // ignore requests: get, head, options and trace
+        const method = req.method.toUpperCase();
+        const ignoreMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
+        if (!ignoreMethods.includes(method)) {
+            context.assertCsrf();
+        }
+        return next();
+    }
+    assertCsrf(context, request) {
+        const { type } = this.security.csrf;
+        switch (type) {
+            case 'ctoken':
+                this.checkCSRFToken(context, request);
+                break;
+            case 'referer':
+                this.checkCSRFReferer(context, request);
+                break;
+            case 'all':
+            case 'any':
+                this.checkCSRFToken(context, request);
+                this.checkCSRFReferer(context, request);
+                break;
+            default:
+                throw new error_1.CSRFError();
+        }
+    }
+    getCSRFSecret(context) {
+        var _a, _b;
+        if (context[_CSRF_SECRET]) {
+            return context[_CSRF_SECRET];
+        }
+        const { useSession, sessionName } = this.security.csrf;
+        let { cookieName } = this.security.csrf;
+        // // get secret from session or cookie
+        if (useSession) {
+            context[_CSRF_SECRET] = context.session[sessionName] || '';
+        }
+        else {
+            // cookieName support array. so we can change csrf cookie name smoothly
+            if (!Array.isArray(cookieName)) {
+                cookieName = [cookieName];
+            }
+            for (const name of cookieName) {
+                context[_CSRF_SECRET] =
+                    ((_b = (_a = context.cookies).get) === null || _b === void 0 ? void 0 : _b.call(_a, name, { signed: false })) ||
+                        context.cookies[name] ||
+                        '';
+                if (context[_CSRF_SECRET]) {
+                    break;
+                }
+            }
+        }
+        return context[_CSRF_SECRET];
+    }
+    getInputToken(context, request) {
+        var _a, _b;
+        const { headerName, bodyName, queryName } = this.security.csrf;
+        return (((_a = context.query) === null || _a === void 0 ? void 0 : _a[queryName]) ||
+            ((_b = request.body) === null || _b === void 0 ? void 0 : _b[bodyName]) ||
+            (headerName && context.get(headerName)));
+    }
+    checkCSRFToken(context, request) {
+        const tokenSecret = this.getCSRFSecret(context);
+        if (!tokenSecret) {
+            throw new error_1.CSRFError('missing csrf token');
+        }
+        const token = this.getInputToken(context, request);
+        if (token !== tokenSecret && !tokens.verify(tokenSecret, token)) {
+            throw new error_1.CSRFError('invalid csrf token');
+        }
+    }
+    checkCSRFReferer(context, request) {
+        const { refererWhiteList } = this.security.csrf;
+        const referer = (context.get('referer') || '').toLowerCase();
+        if (!referer) {
+            throw new error_1.CSRFError('missing csrf referer');
+        }
+        const host = (0, utils_1.parseUrl)(referer, 'host');
+        const domainList = refererWhiteList.concat(request.host);
+        if (!host || !(0, utils_1.isSafeDomain)(host, domainList)) {
+            throw new error_1.CSRFError('invalid csrf referer');
+        }
+    }
+    ensureCsrfSecret(context, request, response, rotate) {
+        var _a;
+        const tokenSecret = this.getCSRFSecret(context);
+        if (tokenSecret && !rotate) {
+            return;
+        }
+        const secret = tokens.secretSync();
+        context[NEW_CSRF_SECRET] = secret;
+        const { useSession, sessionName, cookieDomain } = this.security.csrf;
+        let { cookieName } = this.security.csrf;
+        if (useSession) {
+            context.session[sessionName] = secret;
+        }
+        else {
+            const cookieOpts = {
+                domain: cookieDomain && cookieDomain(request),
+                signed: false,
+                httpOnly: false,
+                overwrite: true,
+            };
+            // cookieName support array. so we can change csrf cookie name smoothly
+            if (!Array.isArray(cookieName)) {
+                cookieName = [cookieName];
+            }
+            for (const name of cookieName) {
+                if ((_a = response.cookies) === null || _a === void 0 ? void 0 : _a.set) {
+                    response.cookies.set(name, secret, cookieOpts);
+                }
+                else {
+                    response.cookie(name, secret, cookieOpts);
+                }
+            }
+        }
+    }
+};
+CSRFMiddleware = __decorate([
+    (0, decorator_1.Middleware)()
+], CSRFMiddleware);
+exports.CSRFMiddleware = CSRFMiddleware;
+//# sourceMappingURL=csrf.js.map

package/dist/middleware/hsts.d.ts

@@ -0,0 +1,5 @@
+import { BaseMiddleware } from './base';
+export declare class HSTSMiddleware extends BaseMiddleware {
+    compatibleMiddleware(context: any, req: any, res: any, next: any): Promise<any>;
+}
+//# sourceMappingURL=hsts.d.ts.map

package/dist/middleware/hsts.js

@@ -0,0 +1,27 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HSTSMiddleware = void 0;
+const decorator_1 = require("@midwayjs/decorator");
+const base_1 = require("./base");
+let HSTSMiddleware = class HSTSMiddleware extends base_1.BaseMiddleware {
+    async compatibleMiddleware(context, req, res, next) {
+        const result = await next();
+        let val = 'max-age=' + this.security.hsts.maxAge;
+        if (this.security.hsts.includeSubdomains) {
+            val += '; includeSubdomains';
+        }
+        res.set('strict-transport-security', val);
+        return result;
+    }
+};
+HSTSMiddleware = __decorate([
+    (0, decorator_1.Middleware)()
+], HSTSMiddleware);
+exports.HSTSMiddleware = HSTSMiddleware;
+//# sourceMappingURL=hsts.js.map

package/dist/middleware/noopen.d.ts

@@ -0,0 +1,5 @@
+import { BaseMiddleware } from './base';
+export declare class NoOpenMiddleware extends BaseMiddleware {
+    compatibleMiddleware(context: any, req: any, res: any, next: any): Promise<any>;
+}
+//# sourceMappingURL=noopen.d.ts.map

package/dist/middleware/noopen.js

@@ -0,0 +1,23 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NoOpenMiddleware = void 0;
+const decorator_1 = require("@midwayjs/decorator");
+const base_1 = require("./base");
+let NoOpenMiddleware = class NoOpenMiddleware extends base_1.BaseMiddleware {
+    async compatibleMiddleware(context, req, res, next) {
+        const result = await next();
+        res.set('x-download-options', 'noopen');
+        return result;
+    }
+};
+NoOpenMiddleware = __decorate([
+    (0, decorator_1.Middleware)()
+], NoOpenMiddleware);
+exports.NoOpenMiddleware = NoOpenMiddleware;
+//# sourceMappingURL=noopen.js.map

package/dist/middleware/nosniff.d.ts

@@ -0,0 +1,5 @@
+import { BaseMiddleware } from './base';
+export declare class NoSniffMiddleware extends BaseMiddleware {
+    compatibleMiddleware(context: any, req: any, res: any, next: any): Promise<any>;
+}
+//# sourceMappingURL=nosniff.d.ts.map

package/dist/middleware/nosniff.js

@@ -0,0 +1,26 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NoSniffMiddleware = void 0;
+const decorator_1 = require("@midwayjs/decorator");
+const base_1 = require("./base");
+let NoSniffMiddleware = class NoSniffMiddleware extends base_1.BaseMiddleware {
+    async compatibleMiddleware(context, req, res, next) {
+        const result = await next();
+        if (res.status >= 300 && res.status <= 308) {
+            return result;
+        }
+        res.set('x-content-type-options', 'nosniff');
+        return result;
+    }
+};
+NoSniffMiddleware = __decorate([
+    (0, decorator_1.Middleware)()
+], NoSniffMiddleware);
+exports.NoSniffMiddleware = NoSniffMiddleware;
+//# sourceMappingURL=nosniff.js.map

package/dist/middleware/xframe.d.ts

@@ -0,0 +1,5 @@
+import { BaseMiddleware } from './base';
+export declare class XFrameMiddleware extends BaseMiddleware {
+    compatibleMiddleware(context: any, req: any, res: any, next: any): Promise<any>;
+}
+//# sourceMappingURL=xframe.d.ts.map

package/dist/middleware/xframe.js

@@ -0,0 +1,25 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XFrameMiddleware = void 0;
+const decorator_1 = require("@midwayjs/decorator");
+const base_1 = require("./base");
+let XFrameMiddleware = class XFrameMiddleware extends base_1.BaseMiddleware {
+    async compatibleMiddleware(context, req, res, next) {
+        var _a;
+        const result = await next();
+        const value = ((_a = this.security.xframe) === null || _a === void 0 ? void 0 : _a.value) || 'SAMEORIGIN';
+        res.set('x-frame-options', value);
+        return result;
+    }
+};
+XFrameMiddleware = __decorate([
+    (0, decorator_1.Middleware)()
+], XFrameMiddleware);
+exports.XFrameMiddleware = XFrameMiddleware;
+//# sourceMappingURL=xframe.js.map

package/dist/middleware/xssProtection.d.ts

@@ -0,0 +1,5 @@
+import { BaseMiddleware } from './base';
+export declare class XSSProtectionMiddleware extends BaseMiddleware {
+    compatibleMiddleware(context: any, req: any, res: any, next: any): Promise<any>;
+}
+//# sourceMappingURL=xssProtection.d.ts.map

package/dist/middleware/xssProtection.js

@@ -0,0 +1,23 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XSSProtectionMiddleware = void 0;
+const decorator_1 = require("@midwayjs/decorator");
+const base_1 = require("./base");
+let XSSProtectionMiddleware = class XSSProtectionMiddleware extends base_1.BaseMiddleware {
+    async compatibleMiddleware(context, req, res, next) {
+        const result = await next();
+        res.set('x-xss-protection', this.security.xssProtection.value);
+        return result;
+    }
+};
+XSSProtectionMiddleware = __decorate([
+    (0, decorator_1.Middleware)()
+], XSSProtectionMiddleware);
+exports.XSSProtectionMiddleware = XSSProtectionMiddleware;
+//# sourceMappingURL=xssProtection.js.map

package/dist/utils.d.ts

@@ -0,0 +1,3 @@
+export declare const parseUrl: (url: string, prop?: string) => any;
+export declare const isSafeDomain: (domain: string, whiteList: string[]) => boolean;
+//# sourceMappingURL=utils.d.ts.map

package/dist/utils.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isSafeDomain = exports.parseUrl = void 0;
+const url_1 = require("url");
+const pm = require("picomatch");
+const parseUrl = (url, prop) => {
+    try {
+        const parsed = new url_1.URL(url);
+        return prop ? parsed[prop] : parsed;
+    }
+    catch (err) {
+        return null;
+    }
+};
+exports.parseUrl = parseUrl;
+const isSafeDomain = (domain, whiteList) => {
+    if (typeof domain !== 'string') {
+        return false;
+    }
+    domain = domain.toLowerCase();
+    const hostname = '.' + domain;
+    return whiteList.some(rule => {
+        // Check whether we've got '*' as a wild character symbol()
+        if (rule.includes('*')) {
+            return pm(rule)(domain);
+        }
+        if (domain === rule) {
+            return true;
+        }
+        if (!/^\./.test(rule)) {
+            rule = `.${rule}`;
+        }
+        return hostname.endsWith(rule);
+    });
+};
+exports.isSafeDomain = isSafeDomain;
+//# sourceMappingURL=utils.js.map

package/index.d.ts

@@ -0,0 +1,8 @@
+import { SecurityOptions } from './dist/index';
+export * from './dist/index';
+
+declare module '@midwayjs/core/dist/interface' {
+  interface MidwayConfig {
+    security?: Partial<SecurityOptions>;
+  }
+}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@midwayjs/security",
+  "version": "3.0.0-beta.16",
+  "description": "Midway Security Component",
+  "main": "dist/index.js",
+  "typings": "index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "test": "node --require=ts-node/register ../../node_modules/.bin/jest --runInBand",
+    "cov": "node --require=ts-node/register ../../node_modules/.bin/jest --runInBand --coverage --forceExit",
+    "ci": "npm run test"
+  },
+  "keywords": [],
+  "author": "",
+  "files": [
+    "dist/**/*.js",
+    "dist/**/*.d.ts",
+    "index.d.ts"
+  ],
+  "engines": {
+    "node": ">=12"
+  },
+  "license": "MIT",
+  "dependencies": {
+    "csrf": "3.1.0",
+    "nanoid": "3.2.0",
+    "picomatch": "2.3.1",
+    "platform": "1.3.6"
+  },
+  "devDependencies": {
+    "@midwayjs/core": "^3.0.0-beta.16",
+    "@midwayjs/decorator": "^3.0.0-beta.16",
+    "@midwayjs/express": "^3.0.0-beta.16",
+    "@midwayjs/faas": "^3.0.0-beta.16",
+    "@midwayjs/koa": "^3.0.0-beta.16",
+    "@midwayjs/mock": "^3.0.0-beta.16",
+    "@midwayjs/serverless-app": "^3.0.0-beta.16",
+    "@midwayjs/web": "^3.0.0-beta.16"
+  }
+}