@morojs/moro 1.6.2 → 1.6.3

package/dist/core/middleware/built-in/cookie/middleware.js

@@ -0,0 +1,36 @@
+import { CookieCore } from './core.js';
+/**
+ * Create cookie middleware for use in middleware chains
+ * Adds cookie parsing and response methods to req/res
+ *
+ * @example
+ * ```ts
+ * const cookieMw = createCookieMiddleware();
+ * app.use(cookieMw);
+ *
+ * // In routes:
+ * req.cookies // { sessionId: '123' }
+ * res.cookie('user', 'john', { httpOnly: true })
+ * res.clearCookie('user')
+ * ```
+ */
+export function createCookieMiddleware() {
+    const cookieCore = new CookieCore();
+    return async (req, res, next) => {
+        const reqAny = req;
+        const resAny = res;
+        // Parse cookies from request
+        reqAny.cookies = cookieCore.parseCookies(req.headers.cookie);
+        // Add cookie methods to response
+        resAny.cookie = (name, value, options = {}) => {
+            cookieCore.setCookie(res, name, value, options);
+            return res;
+        };
+        resAny.clearCookie = (name, options = {}) => {
+            cookieCore.clearCookie(res, name, options);
+            return res;
+        };
+        await next();
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/core/middleware/built-in/cookie/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../../../src/core/middleware/built-in/cookie/middleware.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAsB,MAAM,WAAW,CAAC;AAE3D;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,sBAAsB;IACpC,MAAM,UAAU,GAAG,IAAI,UAAU,EAAE,CAAC;IAEpC,OAAO,KAAK,EAAE,GAAgB,EAAE,GAAiB,EAAE,IAAyB,EAAE,EAAE;QAC9E,MAAM,MAAM,GAAG,GAAU,CAAC;QAC1B,MAAM,MAAM,GAAG,GAAU,CAAC;QAE1B,6BAA6B;QAC7B,MAAM,CAAC,OAAO,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAE7D,iCAAiC;QACjC,MAAM,CAAC,MAAM,GAAG,CAAC,IAAY,EAAE,KAAa,EAAE,UAAyB,EAAE,EAAE,EAAE;YAC3E,UAAU,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;YAChD,OAAO,GAAG,CAAC;QACb,CAAC,CAAC;QAEF,MAAM,CAAC,WAAW,GAAG,CAAC,IAAY,EAAE,UAAyB,EAAE,EAAE,EAAE;YACjE,UAAU,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;YAC3C,OAAO,GAAG,CAAC;QACb,CAAC,CAAC;QAEF,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC"}

package/dist/core/middleware/built-in/cors/core.d.ts

@@ -0,0 +1,23 @@
+import { HttpResponse } from '../../../../types/http.js';
+export interface CORSOptions {
+    origin?: string | string[];
+    methods?: string | string[];
+    headers?: string | string[];
+    credentials?: boolean;
+    maxAge?: number;
+    exposedHeaders?: string[];
+    preflightContinue?: boolean;
+}
+/**
+ * CORSCore - Core CORS header management logic
+ * Used directly by the router for route-based CORS
+ * Can be instantiated for use in middleware or hooks
+ */
+export declare class CORSCore {
+    private options;
+    constructor(options?: CORSOptions);
+    /**
+     * Apply CORS headers to response
+     */
+    applyCORS(res: HttpResponse): void;
+}

package/dist/core/middleware/built-in/cors/core.js

@@ -0,0 +1,51 @@
+// ===== Core Logic =====
+/**
+ * CORSCore - Core CORS header management logic
+ * Used directly by the router for route-based CORS
+ * Can be instantiated for use in middleware or hooks
+ */
+export class CORSCore {
+    options;
+    constructor(options = {}) {
+        this.options = {
+            origin: '*',
+            methods: 'GET,POST,PUT,DELETE,OPTIONS',
+            headers: 'Content-Type,Authorization',
+            credentials: false,
+            ...options,
+        };
+    }
+    /**
+     * Apply CORS headers to response
+     */
+    applyCORS(res) {
+        // Origin
+        const origin = Array.isArray(this.options.origin)
+            ? this.options.origin.join(',')
+            : this.options.origin || '*';
+        res.setHeader('Access-Control-Allow-Origin', origin);
+        // Methods
+        const methods = Array.isArray(this.options.methods)
+            ? this.options.methods.join(',')
+            : this.options.methods || 'GET,POST,PUT,DELETE,OPTIONS';
+        res.setHeader('Access-Control-Allow-Methods', methods);
+        // Headers
+        const headers = Array.isArray(this.options.headers)
+            ? this.options.headers.join(',')
+            : this.options.headers || 'Content-Type,Authorization';
+        res.setHeader('Access-Control-Allow-Headers', headers);
+        // Credentials
+        if (this.options.credentials) {
+            res.setHeader('Access-Control-Allow-Credentials', 'true');
+        }
+        // Max Age
+        if (this.options.maxAge) {
+            res.setHeader('Access-Control-Max-Age', String(this.options.maxAge));
+        }
+        // Exposed Headers
+        if (this.options.exposedHeaders && this.options.exposedHeaders.length > 0) {
+            res.setHeader('Access-Control-Expose-Headers', this.options.exposedHeaders.join(','));
+        }
+    }
+}
+//# sourceMappingURL=core.js.map

package/dist/core/middleware/built-in/cors/core.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.js","sourceRoot":"","sources":["../../../../../src/core/middleware/built-in/cors/core.ts"],"names":[],"mappings":"AAeA,yBAAyB;AAEzB;;;;GAIG;AACH,MAAM,OAAO,QAAQ;IACX,OAAO,CAAc;IAE7B,YAAY,UAAuB,EAAE;QACnC,IAAI,CAAC,OAAO,GAAG;YACb,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,6BAA6B;YACtC,OAAO,EAAE,4BAA4B;YACrC,WAAW,EAAE,KAAK;YAClB,GAAG,OAAO;SACX,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,GAAiB;QACzB,SAAS;QACT,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;YAC/C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YAC/B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,GAAG,CAAC;QAC/B,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,MAAM,CAAC,CAAC;QAErD,UAAU;QACV,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;YACjD,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;YAChC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,6BAA6B,CAAC;QAC1D,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,OAAO,CAAC,CAAC;QAEvD,UAAU;QACV,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;YACjD,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;YAChC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,4BAA4B,CAAC;QACzD,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,OAAO,CAAC,CAAC;QAEvD,cAAc;QACd,IAAI,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC7B,GAAG,CAAC,SAAS,CAAC,kCAAkC,EAAE,MAAM,CAAC,CAAC;QAC5D,CAAC;QAED,UAAU;QACV,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACxB,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;QACvE,CAAC;QAED,kBAAkB;QAClB,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,IAAI,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1E,GAAG,CAAC,SAAS,CAAC,+BAA+B,EAAE,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;CACF"}

package/dist/core/middleware/built-in/cors/hook.d.ts

@@ -0,0 +1,17 @@
+import { MiddlewareInterface } from '../../../../types/hooks.js';
+import { type CORSOptions } from './core.js';
+/**
+ * CORS hook for global usage
+ * Registers with the hooks system for application-wide CORS
+ *
+ * @example
+ * ```ts
+ * import { cors } from '@/middleware/built-in/cors';
+ *
+ * app.use(cors({
+ *   origin: 'https://example.com',
+ *   credentials: true
+ * }));
+ * ```
+ */
+export declare const cors: (options?: CORSOptions) => MiddlewareInterface;

package/dist/core/middleware/built-in/cors/hook.js

@@ -0,0 +1,37 @@
+import { createFrameworkLogger } from '../../../logger/index.js';
+import { CORSCore } from './core.js';
+const logger = createFrameworkLogger('CorsMiddleware');
+/**
+ * CORS hook for global usage
+ * Registers with the hooks system for application-wide CORS
+ *
+ * @example
+ * ```ts
+ * import { cors } from '@/middleware/built-in/cors';
+ *
+ * app.use(cors({
+ *   origin: 'https://example.com',
+ *   credentials: true
+ * }));
+ * ```
+ */
+export const cors = (options = {}) => ({
+    name: 'cors',
+    version: '1.0.0',
+    metadata: {
+        name: 'cors',
+        version: '1.0.0',
+        description: 'Cross-Origin Resource Sharing middleware',
+        author: 'MoroJS Team',
+    },
+    install: async (hooks, middlewareOptions = {}) => {
+        logger.debug('Installing CORS middleware', 'Installation', { options: middlewareOptions });
+        const config = { ...options, ...middlewareOptions };
+        const corsCore = new CORSCore(config);
+        hooks.before('request', async (context) => {
+            const response = context.response;
+            corsCore.applyCORS(response);
+        });
+    },
+});
+//# sourceMappingURL=hook.js.map

package/dist/core/middleware/built-in/cors/hook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hook.js","sourceRoot":"","sources":["../../../../../src/core/middleware/built-in/cors/hook.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AACjE,OAAO,EAAE,QAAQ,EAAoB,MAAM,WAAW,CAAC;AAEvD,MAAM,MAAM,GAAG,qBAAqB,CAAC,gBAAgB,CAAC,CAAC;AAEvD;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,IAAI,GAAG,CAAC,UAAuB,EAAE,EAAuB,EAAE,CAAC,CAAC;IACvE,IAAI,EAAE,MAAM;IACZ,OAAO,EAAE,OAAO;IAChB,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,0CAA0C;QACvD,MAAM,EAAE,aAAa;KACtB;IAED,OAAO,EAAE,KAAK,EAAE,KAAU,EAAE,oBAAyB,EAAE,EAAE,EAAE;QACzD,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE,cAAc,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAE3F,MAAM,MAAM,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,iBAAiB,EAAE,CAAC;QACpD,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;QAEtC,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,OAAoB,EAAE,EAAE;YACrD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAe,CAAC;YACzC,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC"}

package/dist/core/middleware/built-in/cors/index.d.ts

@@ -0,0 +1,3 @@
+export { CORSCore, type CORSOptions } from './core.js';
+export { createCORSMiddleware } from './middleware.js';
+export { cors } from './hook.js';

package/dist/core/middleware/built-in/cors/index.js

@@ -0,0 +1,9 @@
+// CORS - Main entry point
+// Re-exports all public APIs for the CORS built-in
+// Core (for direct use by router and custom implementations)
+export { CORSCore } from './core.js';
+// Middleware (for middleware chains)
+export { createCORSMiddleware } from './middleware.js';
+// Hook (for global registration)
+export { cors } from './hook.js';
+//# sourceMappingURL=index.js.map

package/dist/core/middleware/built-in/cors/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/core/middleware/built-in/cors/index.ts"],"names":[],"mappings":"AAAA,0BAA0B;AAC1B,mDAAmD;AAEnD,6DAA6D;AAC7D,OAAO,EAAE,QAAQ,EAAoB,MAAM,WAAW,CAAC;AAEvD,qCAAqC;AACrC,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEvD,iCAAiC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC"}

package/dist/core/middleware/built-in/cors/middleware.d.ts

@@ -0,0 +1,16 @@
+import { StandardMiddleware } from '../../../../types/hooks.js';
+import { type CORSOptions } from './core.js';
+/**
+ * Create CORS middleware for use in middleware chains
+ *
+ * @example
+ * ```ts
+ * const corsMw = createCORSMiddleware({
+ *   origin: 'https://example.com',
+ *   credentials: true
+ * });
+ *
+ * app.use(corsMw);
+ * ```
+ */
+export declare function createCORSMiddleware(options?: CORSOptions): StandardMiddleware;

package/dist/core/middleware/built-in/cors/middleware.js

@@ -0,0 +1,22 @@
+import { CORSCore } from './core.js';
+/**
+ * Create CORS middleware for use in middleware chains
+ *
+ * @example
+ * ```ts
+ * const corsMw = createCORSMiddleware({
+ *   origin: 'https://example.com',
+ *   credentials: true
+ * });
+ *
+ * app.use(corsMw);
+ * ```
+ */
+export function createCORSMiddleware(options = {}) {
+    const corsCore = new CORSCore(options);
+    return async (_req, res, next) => {
+        corsCore.applyCORS(res);
+        await next();
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/core/middleware/built-in/cors/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../../../src/core/middleware/built-in/cors/middleware.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,QAAQ,EAAoB,MAAM,WAAW,CAAC;AAEvD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAuB,EAAE;IAC5D,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC;IAEvC,OAAO,KAAK,EAAE,IAAiB,EAAE,GAAiB,EAAE,IAAyB,EAAE,EAAE;QAC/E,QAAQ,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACxB,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC"}

package/dist/core/middleware/built-in/csp/core.d.ts

@@ -0,0 +1,45 @@
+import { HttpResponse } from '../../../../types/http.js';
+export interface CSPDirectives {
+    defaultSrc?: string[];
+    scriptSrc?: string[];
+    styleSrc?: string[];
+    imgSrc?: string[];
+    connectSrc?: string[];
+    fontSrc?: string[];
+    objectSrc?: string[];
+    mediaSrc?: string[];
+    frameSrc?: string[];
+    childSrc?: string[];
+    workerSrc?: string[];
+    formAction?: string[];
+    upgradeInsecureRequests?: boolean;
+    blockAllMixedContent?: boolean;
+}
+export interface CSPOptions {
+    directives?: CSPDirectives;
+    reportOnly?: boolean;
+    reportUri?: string;
+    nonce?: boolean;
+}
+/**
+ * Generate a cryptographically secure nonce for CSP
+ */
+export declare function generateNonce(): string;
+/**
+ * Build CSP header value from directives
+ */
+export declare function buildCSPHeader(directives: CSPDirectives, nonce?: string, reportUri?: string): string;
+/**
+ * CSPCore - Core Content Security Policy management logic
+ * Used directly by the router for route-based CSP
+ */
+export declare class CSPCore {
+    private options;
+    private defaultDirectives;
+    constructor(options?: CSPOptions);
+    /**
+     * Apply CSP header to response
+     * Returns the generated nonce if nonce support is enabled
+     */
+    applyCSP(res: HttpResponse): string | undefined;
+}

package/dist/core/middleware/built-in/csp/core.js

@@ -0,0 +1,88 @@
+// CSP Core - Reusable Content Security Policy logic
+import crypto from 'crypto';
+// ===== Core Logic =====
+/**
+ * Generate a cryptographically secure nonce for CSP
+ */
+export function generateNonce() {
+    return crypto.randomBytes(16).toString('base64');
+}
+/**
+ * Convert camelCase directive name to kebab-case
+ */
+function toKebabCase(str) {
+    return str.replace(/([A-Z])/g, '-$1').toLowerCase();
+}
+/**
+ * Build CSP header value from directives
+ */
+export function buildCSPHeader(directives, nonce, reportUri) {
+    const cspParts = [];
+    for (const [directive, sources] of Object.entries(directives)) {
+        if (directive === 'upgradeInsecureRequests' && sources === true) {
+            cspParts.push('upgrade-insecure-requests');
+            continue;
+        }
+        if (directive === 'blockAllMixedContent' && sources === true) {
+            cspParts.push('block-all-mixed-content');
+            continue;
+        }
+        if (Array.isArray(sources)) {
+            let sourceList = sources.join(' ');
+            // Add nonce to script-src and style-src if enabled
+            if (nonce && (directive === 'scriptSrc' || directive === 'styleSrc')) {
+                sourceList += ` 'nonce-${nonce}'`;
+            }
+            // Convert camelCase to kebab-case
+            const kebabDirective = toKebabCase(directive);
+            cspParts.push(`${kebabDirective} ${sourceList}`);
+        }
+    }
+    // Add report-uri if specified
+    if (reportUri) {
+        cspParts.push(`report-uri ${reportUri}`);
+    }
+    return cspParts.join('; ');
+}
+/**
+ * CSPCore - Core Content Security Policy management logic
+ * Used directly by the router for route-based CSP
+ */
+export class CSPCore {
+    options;
+    defaultDirectives;
+    constructor(options = {}) {
+        this.options = options;
+        this.defaultDirectives = {
+            defaultSrc: ["'self'"],
+            scriptSrc: ["'self'"],
+            styleSrc: ["'self'", "'unsafe-inline'"],
+            imgSrc: ["'self'", 'data:', 'https:'],
+            connectSrc: ["'self'"],
+            fontSrc: ["'self'"],
+            objectSrc: ["'none'"],
+            mediaSrc: ["'self'"],
+            frameSrc: ["'none'"],
+        };
+    }
+    /**
+     * Apply CSP header to response
+     * Returns the generated nonce if nonce support is enabled
+     */
+    applyCSP(res) {
+        const directives = this.options.directives || this.defaultDirectives;
+        // Generate nonce if requested
+        let nonce;
+        if (this.options.nonce) {
+            nonce = generateNonce();
+        }
+        // Build CSP header value
+        const cspValue = buildCSPHeader(directives, nonce, this.options.reportUri);
+        const headerName = this.options.reportOnly
+            ? 'Content-Security-Policy-Report-Only'
+            : 'Content-Security-Policy';
+        res.setHeader(headerName, cspValue);
+        return nonce;
+    }
+}
+//# sourceMappingURL=core.js.map

package/dist/core/middleware/built-in/csp/core.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.js","sourceRoot":"","sources":["../../../../../src/core/middleware/built-in/csp/core.ts"],"names":[],"mappings":"AAAA,oDAAoD;AACpD,OAAO,MAAM,MAAM,QAAQ,CAAC;AA6B5B,yBAAyB;AAEzB;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;AACtD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,UAAyB,EACzB,KAAc,EACd,SAAkB;IAElB,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9D,IAAI,SAAS,KAAK,yBAAyB,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YAChE,QAAQ,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;YAC3C,SAAS;QACX,CAAC;QAED,IAAI,SAAS,KAAK,sBAAsB,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YAC7D,QAAQ,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;YACzC,SAAS;QACX,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,IAAI,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAEnC,mDAAmD;YACnD,IAAI,KAAK,IAAI,CAAC,SAAS,KAAK,WAAW,IAAI,SAAS,KAAK,UAAU,CAAC,EAAE,CAAC;gBACrE,UAAU,IAAI,WAAW,KAAK,GAAG,CAAC;YACpC,CAAC;YAED,kCAAkC;YAClC,MAAM,cAAc,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;YAC9C,QAAQ,CAAC,IAAI,CAAC,GAAG,cAAc,IAAI,UAAU,EAAE,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,IAAI,SAAS,EAAE,CAAC;QACd,QAAQ,CAAC,IAAI,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,OAAO;IACV,OAAO,CAAa;IACpB,iBAAiB,CAAgB;IAEzC,YAAY,UAAsB,EAAE;QAClC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,iBAAiB,GAAG;YACvB,UAAU,EAAE,CAAC,QAAQ,CAAC;YACtB,SAAS,EAAE,CAAC,QAAQ,CAAC;YACrB,QAAQ,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;YACvC,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC;YACrC,UAAU,EAAE,CAAC,QAAQ,CAAC;YACtB,OAAO,EAAE,CAAC,QAAQ,CAAC;YACnB,SAAS,EAAE,CAAC,QAAQ,CAAC;YACrB,QAAQ,EAAE,CAAC,QAAQ,CAAC;YACpB,QAAQ,EAAE,CAAC,QAAQ,CAAC;SACrB,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,QAAQ,CAAC,GAAiB;QACxB,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC,iBAAiB,CAAC;QAErE,8BAA8B;QAC9B,IAAI,KAAyB,CAAC;QAC9B,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACvB,KAAK,GAAG,aAAa,EAAE,CAAC;QAC1B,CAAC;QAED,yBAAyB;QACzB,MAAM,QAAQ,GAAG,cAAc,CAAC,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAE3E,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU;YACxC,CAAC,CAAC,qCAAqC;YACvC,CAAC,CAAC,yBAAyB,CAAC;QAE9B,GAAG,CAAC,SAAS,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QAEpC,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/core/middleware/built-in/csp/hook.d.ts

@@ -0,0 +1,22 @@
+import { MiddlewareInterface } from '../../../../types/hooks.js';
+import { type CSPOptions } from './core.js';
+/**
+ * CSP hook for global usage
+ * Registers with the hooks system for application-wide Content Security Policy
+ *
+ * @example
+ * ```ts
+ * import { csp } from '@/middleware/built-in/csp';
+ *
+ * app.use(csp({
+ *   directives: {
+ *     defaultSrc: ["'self'"],
+ *     scriptSrc: ["'self'", 'https://cdn.example.com'],
+ *     styleSrc: ["'self'", "'unsafe-inline'"]
+ *   },
+ *   nonce: true,
+ *   reportUri: '/csp-report'
+ * }));
+ * ```
+ */
+export declare const csp: (options?: CSPOptions) => MiddlewareInterface;

package/dist/core/middleware/built-in/csp/hook.js

@@ -0,0 +1,47 @@
+import { createFrameworkLogger } from '../../../logger/index.js';
+import { CSPCore } from './core.js';
+const logger = createFrameworkLogger('CSPMiddleware');
+/**
+ * CSP hook for global usage
+ * Registers with the hooks system for application-wide Content Security Policy
+ *
+ * @example
+ * ```ts
+ * import { csp } from '@/middleware/built-in/csp';
+ *
+ * app.use(csp({
+ *   directives: {
+ *     defaultSrc: ["'self'"],
+ *     scriptSrc: ["'self'", 'https://cdn.example.com'],
+ *     styleSrc: ["'self'", "'unsafe-inline'"]
+ *   },
+ *   nonce: true,
+ *   reportUri: '/csp-report'
+ * }));
+ * ```
+ */
+export const csp = (options = {}) => ({
+    name: 'csp',
+    version: '1.0.0',
+    metadata: {
+        name: 'csp',
+        version: '1.0.0',
+        description: 'Content Security Policy middleware with nonce support and violation reporting',
+        author: 'MoroJS Team',
+    },
+    install: async (hooks, middlewareOptions = {}) => {
+        logger.debug('Installing CSP middleware', 'Installation', { options: middlewareOptions });
+        const config = { ...options, ...middlewareOptions };
+        const cspCore = new CSPCore(config);
+        hooks.before('request', async (context) => {
+            const req = context.request;
+            const res = context.response;
+            const nonce = cspCore.applyCSP(res);
+            // Attach nonce to request if generated
+            if (nonce) {
+                req.cspNonce = nonce;
+            }
+        });
+    },
+});
+//# sourceMappingURL=hook.js.map

package/dist/core/middleware/built-in/csp/hook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hook.js","sourceRoot":"","sources":["../../../../../src/core/middleware/built-in/csp/hook.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AACjE,OAAO,EAAE,OAAO,EAAmB,MAAM,WAAW,CAAC;AAErD,MAAM,MAAM,GAAG,qBAAqB,CAAC,eAAe,CAAC,CAAC;AAEtD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,GAAG,GAAG,CAAC,UAAsB,EAAE,EAAuB,EAAE,CAAC,CAAC;IACrE,IAAI,EAAE,KAAK;IACX,OAAO,EAAE,OAAO;IAChB,QAAQ,EAAE;QACR,IAAI,EAAE,KAAK;QACX,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,+EAA+E;QAC5F,MAAM,EAAE,aAAa;KACtB;IAED,OAAO,EAAE,KAAK,EAAE,KAAU,EAAE,oBAAyB,EAAE,EAAE,EAAE;QACzD,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE,cAAc,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAE1F,MAAM,MAAM,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,iBAAiB,EAAE,CAAC;QACpD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QAEpC,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,OAAoB,EAAE,EAAE;YACrD,MAAM,GAAG,GAAG,OAAO,CAAC,OAAc,CAAC;YACnC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAe,CAAC;YAEpC,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAEpC,uCAAuC;YACvC,IAAI,KAAK,EAAE,CAAC;gBACV,GAAG,CAAC,QAAQ,GAAG,KAAK,CAAC;YACvB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC"}

package/dist/core/middleware/built-in/csp/index.d.ts

@@ -0,0 +1,3 @@
+export { CSPCore, generateNonce, buildCSPHeader, type CSPDirectives, type CSPOptions, } from './core.js';
+export { createCSPMiddleware } from './middleware.js';
+export { csp } from './hook.js';

package/dist/core/middleware/built-in/csp/index.js

@@ -0,0 +1,9 @@
+// CSP - Main entry point
+// Re-exports all public APIs for the CSP built-in
+// Core (for direct use by router and custom implementations)
+export { CSPCore, generateNonce, buildCSPHeader, } from './core.js';
+// Middleware (for middleware chains)
+export { createCSPMiddleware } from './middleware.js';
+// Hook (for global registration)
+export { csp } from './hook.js';
+//# sourceMappingURL=index.js.map

package/dist/core/middleware/built-in/csp/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/core/middleware/built-in/csp/index.ts"],"names":[],"mappings":"AAAA,yBAAyB;AACzB,kDAAkD;AAElD,6DAA6D;AAC7D,OAAO,EACL,OAAO,EACP,aAAa,EACb,cAAc,GAGf,MAAM,WAAW,CAAC;AAEnB,qCAAqC;AACrC,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAEtD,iCAAiC;AACjC,OAAO,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC"}

package/dist/core/middleware/built-in/csp/middleware.d.ts

@@ -0,0 +1,19 @@
+import { StandardMiddleware } from '../../../../types/hooks.js';
+import { type CSPOptions } from './core.js';
+/**
+ * Create CSP middleware for use in middleware chains
+ *
+ * @example
+ * ```ts
+ * const cspMw = createCSPMiddleware({
+ *   directives: {
+ *     defaultSrc: ["'self'"],
+ *     scriptSrc: ["'self'", "'unsafe-inline'"]
+ *   },
+ *   nonce: true
+ * });
+ *
+ * app.use(cspMw);
+ * ```
+ */
+export declare function createCSPMiddleware(options?: CSPOptions): StandardMiddleware;

package/dist/core/middleware/built-in/csp/middleware.js

@@ -0,0 +1,29 @@
+import { CSPCore } from './core.js';
+/**
+ * Create CSP middleware for use in middleware chains
+ *
+ * @example
+ * ```ts
+ * const cspMw = createCSPMiddleware({
+ *   directives: {
+ *     defaultSrc: ["'self'"],
+ *     scriptSrc: ["'self'", "'unsafe-inline'"]
+ *   },
+ *   nonce: true
+ * });
+ *
+ * app.use(cspMw);
+ * ```
+ */
+export function createCSPMiddleware(options = {}) {
+    const cspCore = new CSPCore(options);
+    return async (req, res, next) => {
+        const nonce = cspCore.applyCSP(res);
+        // Attach nonce to request if generated
+        if (nonce) {
+            req.cspNonce = nonce;
+        }
+        await next();
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/core/middleware/built-in/csp/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../../../src/core/middleware/built-in/csp/middleware.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,EAAmB,MAAM,WAAW,CAAC;AAErD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,mBAAmB,CAAC,UAAsB,EAAE;IAC1D,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAErC,OAAO,KAAK,EAAE,GAAgB,EAAE,GAAiB,EAAE,IAAyB,EAAE,EAAE;QAC9E,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAEpC,uCAAuC;QACvC,IAAI,KAAK,EAAE,CAAC;YACT,GAAW,CAAC,QAAQ,GAAG,KAAK,CAAC;QAChC,CAAC;QAED,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC"}

package/dist/core/middleware/built-in/csrf/core.d.ts

@@ -0,0 +1,28 @@
+import { HttpRequest, HttpResponse } from '../../../../types/http.js';
+export interface CSRFOptions {
+    secret?: string;
+    tokenLength?: number;
+    cookieName?: string;
+    headerName?: string;
+    ignoreMethods?: string[];
+    sameSite?: boolean;
+}
+/**
+ * CSRFCore - Core CSRF protection logic
+ * Used directly by the router for route-based CSRF protection
+ * Can be instantiated for use in middleware or hooks
+ */
+export declare class CSRFCore {
+    private secret;
+    private tokenLength;
+    private cookieName;
+    private headerName;
+    private ignoreMethods;
+    private sameSite;
+    constructor(options?: CSRFOptions);
+    generateToken(): string;
+    verifyToken(token: string, sessionToken: string): boolean;
+    attachToken(req: HttpRequest, res: HttpResponse): Promise<string>;
+    validateToken(req: HttpRequest): Promise<void>;
+    getCookieName(): string;
+}

package/dist/core/middleware/built-in/csrf/core.js

@@ -0,0 +1,69 @@
+// CSRF Core - Reusable CSRF protection logic
+import crypto from 'crypto';
+import { createFrameworkLogger } from '../../../logger/index.js';
+const logger = createFrameworkLogger('CSRFCore');
+// ===== Core Logic =====
+/**
+ * CSRFCore - Core CSRF protection logic
+ * Used directly by the router for route-based CSRF protection
+ * Can be instantiated for use in middleware or hooks
+ */
+export class CSRFCore {
+    secret;
+    tokenLength;
+    cookieName;
+    headerName;
+    ignoreMethods;
+    sameSite;
+    constructor(options = {}) {
+        this.secret = options.secret || 'moro-csrf-secret';
+        this.tokenLength = options.tokenLength || 32;
+        this.cookieName = options.cookieName || '_csrf';
+        this.headerName = options.headerName || 'x-csrf-token';
+        this.ignoreMethods = options.ignoreMethods || ['GET', 'HEAD', 'OPTIONS'];
+        this.sameSite = options.sameSite !== false;
+    }
+    generateToken() {
+        return crypto.randomBytes(this.tokenLength).toString('hex');
+    }
+    verifyToken(token, sessionToken) {
+        return !!(token && sessionToken && token === sessionToken);
+    }
+    async attachToken(req, res) {
+        let token = req._csrfToken;
+        if (!token) {
+            token = this.generateToken();
+            req._csrfToken = token;
+            // Set token in cookie
+            res.cookie(this.cookieName, token, {
+                httpOnly: true,
+                sameSite: this.sameSite ? 'strict' : undefined,
+                secure: req.headers['x-forwarded-proto'] === 'https' || req.socket.encrypted,
+            });
+        }
+        return token;
+    }
+    async validateToken(req) {
+        // Skip verification for safe methods
+        const method = req.method || 'GET';
+        if (this.ignoreMethods.includes(method)) {
+            return;
+        }
+        // Get token from header or body
+        const token = req.headers[this.headerName] ||
+            (req.body && req.body._csrf) ||
+            (req.query && req.query._csrf);
+        // Get session token from cookie
+        const sessionToken = req.cookies?.[this.cookieName];
+        if (!this.verifyToken(token, sessionToken || '')) {
+            const error = new Error('Invalid CSRF token');
+            error.status = 403;
+            error.code = 'CSRF_TOKEN_MISMATCH';
+            throw error;
+        }
+    }
+    getCookieName() {
+        return this.cookieName;
+    }
+}
+//# sourceMappingURL=core.js.map

package/dist/core/middleware/built-in/csrf/core.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.js","sourceRoot":"","sources":["../../../../../src/core/middleware/built-in/csrf/core.ts"],"names":[],"mappings":"AAAA,6CAA6C;AAC7C,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAGjE,MAAM,MAAM,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;AAajD,yBAAyB;AAEzB;;;;GAIG;AACH,MAAM,OAAO,QAAQ;IACX,MAAM,CAAS;IACf,WAAW,CAAS;IACpB,UAAU,CAAS;IACnB,UAAU,CAAS;IACnB,aAAa,CAAW;IACxB,QAAQ,CAAU;IAE1B,YAAY,UAAuB,EAAE;QACnC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,kBAAkB,CAAC;QACnD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC;QAC7C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC;QAChD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,cAAc,CAAC;QACvD,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QACzE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAC;IAC7C,CAAC;IAED,aAAa;QACX,OAAO,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC9D,CAAC;IAED,WAAW,CAAC,KAAa,EAAE,YAAoB;QAC7C,OAAO,CAAC,CAAC,CAAC,KAAK,IAAI,YAAY,IAAI,KAAK,KAAK,YAAY,CAAC,CAAC;IAC7D,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAgB,EAAE,GAAiB;QACnD,IAAI,KAAK,GAAI,GAAW,CAAC,UAAU,CAAC;QAEpC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;YAC5B,GAAW,CAAC,UAAU,GAAG,KAAK,CAAC;YAEhC,sBAAsB;YACtB,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE;gBACjC,QAAQ,EAAE,IAAI;gBACd,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;gBAC9C,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,KAAK,OAAO,IAAK,GAAG,CAAC,MAAc,CAAC,SAAS;aACtF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAgB;QAClC,qCAAqC;QACrC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC;QACnC,IAAI,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACxC,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,MAAM,KAAK,GACT,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC;YAC5B,CAAE,GAAW,CAAC,IAAI,IAAK,GAAW,CAAC,IAAI,CAAC,KAAK,CAAC;YAC9C,CAAE,GAAW,CAAC,KAAK,IAAK,GAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAEnD,gCAAgC;QAChC,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAEpD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAe,EAAE,YAAY,IAAI,EAAE,CAAC,EAAE,CAAC;YAC3D,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;YAC7C,KAAa,CAAC,MAAM,GAAG,GAAG,CAAC;YAC3B,KAAa,CAAC,IAAI,GAAG,qBAAqB,CAAC;YAC5C,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,aAAa;QACX,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;CACF"}