@nattyjs/core 0.0.1-beta.4 → 0.0.1-beta.40

package/dist/index.cjs

@@ -27,6 +27,12 @@ function route(path) {
 const CONTROLLER = "controller";
 const INVALID_VALUE = "INVALID_VALUE";
 const BLANK = "";
+const DENY_BY_DEFAULT = {
+  type: "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html#deny-by-default",
+  title: "Deny-by-default",
+  description: `Zero Trust Architecture (NIST SP 800-207) \u2014 Core principle is "never trust, always verify," which translates to deny-by-default behavior. OWASP Secure Defaults Principle \u2014 \u201CSecurity should be a default setting, and everything should be locked down unless explicitly permitted.\u201D`,
+  solution: `Please implement proper authentication and authorization checks. If this API needs to be accessed anonymously, add the @anonymous() decorator above the HTTP action.`
+};
 
 function get(path) {
   return function(target, propertyKey, descriptor) {
@@ -60,10 +66,13 @@ const nattyContainer = new class {
     this.container = /* @__PURE__ */ new Map();
     this.containerState = /* @__PURE__ */ new Map();
   }
-  setup(config, routes, types) {
+  get types() {
+    return common.commonContainer.types;
+  }
+  setup(config, routes, resolver) {
     this.config = config;
     this.routes = routes;
-    this.types = types;
+    this.resolver = resolver;
   }
   getTypes() {
     return StaticContainer.types;
@@ -116,7 +125,7 @@ const nattyContainer = new class {
 function init(config, appConfig) {
   common.commonContainer.setupConfig(config);
   common.commonContainer.setEnvTsDefinition(appConfig.envTsDefinition);
-  nattyContainer.setup(config, appConfig.routes, appConfig.types);
+  nattyContainer.setup(config, appConfig.routes, appConfig.resolver);
   return initializeModule(config);
 }
 function initializeModule(config) {
@@ -125,22 +134,26 @@ function initializeModule(config) {
   }
 }
 
-function getPreResponseBody(body) {
+function getPreResponseBody(body, isBuffer = false) {
   let bodyInfo;
   if (body) {
-    if (common.isObject(body) || Array.isArray(body))
-      bodyInfo = { json: body };
-    const typeText = typeof body;
-    switch (typeText) {
-      case "string":
-        bodyInfo = { string: body };
-        break;
-      case "number":
-        bodyInfo = { number: body };
-        break;
-      case "boolean":
-        bodyInfo = { boolean: body };
-        break;
+    if (isBuffer)
+      bodyInfo = { buffer: body };
+    else {
+      if (common.isObject(body) || Array.isArray(body))
+        bodyInfo = { json: body };
+      const typeText = typeof body;
+      switch (typeText) {
+        case "string":
+          bodyInfo = { string: body };
+          break;
+        case "number":
+          bodyInfo = { number: body };
+          break;
+        case "boolean":
+          bodyInfo = { boolean: body };
+          break;
+      }
     }
   }
   return bodyInfo;
@@ -154,6 +167,7 @@ class HttpResponse {
   }
   setValues(responseInit) {
     if (responseInit) {
+      this._isBuffer = responseInit.isBuffer;
       if (responseInit.headers)
         for (const [key, value] of Object.entries(responseInit.headers))
           this.headers.append(key, value);
@@ -185,7 +199,7 @@ class HttpResponse {
     return this._body;
   }
   set body(value) {
-    this._body = getPreResponseBody(value);
+    this._body = getPreResponseBody(value, this._isBuffer);
   }
   write(responseInit) {
     this.setValues(responseInit);
@@ -207,6 +221,26 @@ var RequestPipeline = /* @__PURE__ */ ((RequestPipeline2) => {
   return RequestPipeline2;
 })(RequestPipeline || {});
 
+function lessThan(value) {
+  return value ? value.replace(/</g, "&lt;") : value;
+}
+function greaterThan(value) {
+  return value ? value.replace(/>/g, "&gt;") : value;
+}
+function ampersand(value) {
+  return value ? value.replace(/&/g, "&amp;") : value;
+}
+function doubleDash(value) {
+  return value ? value.replace(/--/g, "") : value;
+}
+function sanitizeSpecialCodes(value) {
+  value = ampersand(value);
+  value = lessThan(value);
+  value = greaterThan(value);
+  value = doubleDash(value);
+  return value;
+}
+
 function isBoolean(value) {
   return typeof value === "boolean" || value === "1" || value === "true" || value === "0" || value === "false";
 }
@@ -267,7 +301,7 @@ function toInt(value, radix = 0) {
 }
 function toString(value) {
   if (isNotBlank(value))
-    return String(value);
+    return sanitizeSpecialCodes(String(value));
   return value;
 }
 function whitelist(value, chars) {
@@ -348,6 +382,7 @@ class BaseResult {
 }
 
 function getResponseBodyObject(body, props) {
+  const sensitiveProps = common.commonContainer.nattyConfig?.secure?.sensitiveProps;
   if (body instanceof common.List)
     return getResponseBodyObject(body.values, body.props);
   if (Array.isArray(body)) {
@@ -361,7 +396,8 @@ function getResponseBodyObject(body, props) {
     const keys = Object.keys(body);
     const getterProps = props ? Object.keys(props).map((key) => props[key]) : [];
     for (const key of [...keys, ...getterProps])
-      jObject[key] = getResponseBodyObject(body[key]);
+      if (!sensitiveProps || sensitiveProps.filter((t) => t == key.toLowerCase()).length == 0)
+        jObject[key] = getResponseBodyObject(body[key]);
     return jObject;
   }
   return body;
@@ -388,7 +424,7 @@ class BaseResponse {
 }
 
 function getTypedErrorMessage(type, value) {
-  const message = common.commonContainer.nattyConfig.modelBinding.errorMessage.typed[type];
+  const message = common.commonContainer.nattyConfig?.modelBinding?.errorMessage?.typed ? common.commonContainer.nattyConfig?.modelBinding?.errorMessage?.typed[type] : "";
   return parseMessage(message, [value]);
 }
 function parseMessage(message, value) {
@@ -464,6 +500,32 @@ const entityContainer = new class {
   }
 }();
 
+class ForbiddenAccessException extends HttpException {
+  constructor(data) {
+    super({
+      body: data,
+      status: 403
+    });
+  }
+}
+
+class UnauthorizedAccessException extends HttpException {
+  constructor(data) {
+    super({
+      body: data,
+      status: 401
+    });
+  }
+}
+
+function CreateProblemDetail(modelName, detail) {
+  return {
+    type: "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+    title: `The specified ${modelName} model props are invalid.`,
+    detail
+  };
+}
+
 class ParameterTypeConverter extends BaseResponse {
   constructor() {
     super(...arguments);
@@ -524,12 +586,14 @@ class ParameterTypeConverter extends BaseResponse {
         } else {
           if (this.isArrayType(property.type) && Array.isArray(value)) {
             let arrayValue = body[property.name] = [];
-            let arrayInvalidProps = invalidProps[property.name] = [];
             for (const item of value) {
               const sanitizeValue = this.sanitizer[property.type.toLowerCase()] ? this.sanitizer[property.type.toLowerCase()](item) : item;
-              if (sanitizeValue === INVALID_VALUE)
+              if (sanitizeValue === INVALID_VALUE) {
+                let arrayInvalidProps = invalidProps[property.name];
+                if (!arrayInvalidProps)
+                  arrayInvalidProps = invalidProps[property.name] = [];
                 arrayInvalidProps.push(property);
-              else
+              } else
                 arrayValue.push(sanitizeValue);
             }
           } else
@@ -550,14 +614,17 @@ class ParameterTypeConverter extends BaseResponse {
     for (const parameterInfo of methodInfo.parameters) {
       const value = jObject[parameterInfo.name];
       if (value !== void 0) {
-        jObject[parameterInfo.name] = SANITIZERS[parameterInfo.type](value);
+        const sanitizedValue = SANITIZERS[parameterInfo.type](value);
+        if (sanitizedValue === null && sanitizedValue != value)
+          throw new HttpBadRequestException(CreateProblemDetail(parameterInfo.type, [{ [parameterInfo.name]: `The supplied data type must be  "${parameterInfo.type}"` }]));
+        jObject[parameterInfo.name] = sanitizedValue;
       }
     }
     return jObject;
   }
   convertToInstance(entityName, data) {
     const typesInfo = this.types[entityName];
-    const target = this.getClassTarget(typesInfo.path) || entityContainer.getTarget(entityName);
+    const target = this.getClassTarget(typesInfo.path, entityName) || entityContainer.getTarget(entityName);
     let instance = null;
     if (target) {
       instance = new target();
@@ -566,11 +633,10 @@ class ParameterTypeConverter extends BaseResponse {
       instance = data;
     return instance;
   }
-  getClassTarget(resolver) {
-    if (resolver) {
-      const classInfo = resolver();
-      const name = Object.keys(classInfo)[0];
-      return classInfo[name];
+  getClassTarget(path, entityName) {
+    if (path) {
+      const classInfo = nattyContainer.resolver(path);
+      return classInfo[entityName];
     }
     return void 0;
   }
@@ -668,15 +734,6 @@ class RouteParser extends ParameterTypeConverter {
   }
 }
 
-class UnauthorizedAccessException extends HttpException {
-  constructor(data) {
-    super({
-      body: data,
-      status: 401
-    });
-  }
-}
-
 const decoratorStateContainer = new class {
   constructor() {
     this.controllerConfig = {};
@@ -722,15 +779,6 @@ var DecoratorType = /* @__PURE__ */ ((DecoratorType2) => {
   return DecoratorType2;
 })(DecoratorType || {});
 
-class ForbiddenAccessException extends HttpException {
-  constructor(data) {
-    super({
-      body: data,
-      status: 403
-    });
-  }
-}
-
 class AbstractExecutionContext {
   constructor(context, routeInfo) {
     this.context = context;
@@ -760,14 +808,6 @@ class ActionExecutingContext extends AbstractExecutionContext {
   }
 }
 
-function CreateProblemDetail(modelName, detail) {
-  return {
-    type: "https://tools.ietf.org/html/rfc7231#section-6.5.1",
-    title: `The specified ${modelName} model props are invalid.`,
-    detail
-  };
-}
-
 function runValidators(entityName, value) {
   const typeInfo = nattyContainer.types[entityName];
   let errors = {};
@@ -829,6 +869,8 @@ class ModelBindingContext extends ParameterTypeConverter {
     else
       this.data = body;
     this.instance = this.convertToInstance(this.type, this.data);
+    if (!this.isValid)
+      throw new HttpBadRequestException(CreateProblemDetail(this.type, this.errors));
   }
   get isValid() {
     const errors = runValidators(this.type, this.instance);
@@ -845,6 +887,17 @@ class ActionExecutedContext extends AbstractExecutionContext {
     super(httpContext, routeInfo);
     this.content = content;
   }
+  get response() {
+    return this.context.response;
+  }
+}
+
+class AuthorizationContext extends AbstractExecutionContext {
+  constructor(models, context, routeInfo, config) {
+    super(context, routeInfo);
+    this.models = models;
+    this.config = config;
+  }
 }
 
 class RequestProcessor extends RouteParser {
@@ -857,9 +910,6 @@ class RequestProcessor extends RouteParser {
       case RequestPipeline.onAuthentication:
         await this.onAuthentication();
         break;
-      case RequestPipeline.onAuthorization:
-        await this.onAuthorization();
-        break;
     }
   }
   resolveFilter(instance) {
@@ -880,26 +930,45 @@ class RequestProcessor extends RouteParser {
     const authentication = this.getAuthenticationClass();
     const authenticationFilter = authentication ? this.resolveFilter(authentication) : void 0;
     const anonymousInfo = decoratorStateContainer.getInfo(this.routeInfo.controller.name, this.routeInfo.methodInfo.name, DecoratorType.anonymous);
+    if (!anonymousInfo && !authenticationFilter)
+      throw new UnauthorizedAccessException(DENY_BY_DEFAULT);
     if (authenticationFilter) {
       const result = await authenticationFilter.onAuthentication(this.httpContext);
       this.httpContext.user = result;
       if (!result.isAuthenticate && !anonymousInfo.controllerConfig && !anonymousInfo.methodConfig)
         throw new UnauthorizedAccessException(authenticationFilter.onFailedResponse());
-      await this.onAuthorization();
     }
   }
-  async onAuthorization() {
+  async onAuthorization(methodParameters) {
     const authorization = common.commonContainer.globalConfig.authorization;
     const authorizationFilter = authorization ? this.resolveFilter(authorization) : void 0;
     const authorizeConfig = decoratorStateContainer.getInfo(this.routeInfo.controller.name, this.routeInfo.methodInfo.name, DecoratorType.authorize);
     const authenticationOnly = decoratorStateContainer.getInfo(this.routeInfo.controller.name, this.routeInfo.methodInfo.name, DecoratorType.authenticationOnly);
-    if (this.httpContext.user?.isAuthenticate && authorizationFilter && (!authenticationOnly.controllerConfig && !authenticationOnly.methodConfig)) {
-      const result = await authorizationFilter.onAuthorization(this.httpContext, authorizeConfig.methodConfig || authorizeConfig.controllerConfig);
+    if (this.httpContext.user?.isAuthenticate && authorizationFilter && (authorizeConfig.controllerConfig || authorizeConfig.methodConfig) && (!authenticationOnly.controllerConfig && !authenticationOnly.methodConfig)) {
+      const authorizationContext = new AuthorizationContext(
+        methodParameters.filter((t) => t instanceof ModelBindingContext),
+        this.httpContext,
+        this.routeInfo,
+        authorizeConfig.methodConfig || authorizeConfig.controllerConfig
+      );
+      const result = await authorizationFilter.onAuthorization(authorizationContext);
       if (!result)
         throw new ForbiddenAccessException(authorizationFilter.onFailedAuthorization());
     }
   }
-  async onActionExecuting(methodParameters) {
+  async onModelBinding(methodParameters) {
+    const { actionExecutingContext, actionFilters } = this.getExecutingContext(methodParameters);
+    for (const actionFilter of actionFilters) {
+      const filter = this.resolveFilter(actionFilter);
+      this.actionFilterInstances.push(filter);
+      await filter.onActionExecuting(actionExecutingContext);
+      if (actionExecutingContext.result) {
+        return actionExecutingContext.result;
+      }
+    }
+    return null;
+  }
+  getExecutingContext(methodParameters) {
     let actionFilters = common.commonContainer.globalConfig.actionFilters || [];
     const actionFiltersConfig = decoratorStateContainer.getInfo(this.routeInfo.controller.name, this.routeInfo.methodInfo.name, DecoratorType.useFilter);
     actionFilters = [...actionFilters, ...actionFiltersConfig.controllerConfig?.actionFilters || [], ...actionFiltersConfig.methodConfig?.actionFilters || []];
@@ -908,6 +977,11 @@ class RequestProcessor extends RouteParser {
       this.httpContext,
       this.routeInfo
     );
+    return { actionFilters, actionExecutingContext };
+  }
+  async onActionExecuting(methodParameters) {
+    await this.onAuthorization(methodParameters);
+    const { actionExecutingContext, actionFilters } = this.getExecutingContext(methodParameters);
     for (const actionFilter of actionFilters) {
       const filter = this.resolveFilter(actionFilter);
       this.actionFilterInstances.push(filter);
@@ -1205,6 +1279,16 @@ function badRequest(value, response) {
   return new BadRequestResult(value || common.BLANK, response);
 }
 
+class FileResult extends BaseResult {
+  constructor(value, response) {
+    super({ ...{ isBuffer: true, body: value }, ...{ status: HttpStatusCode.success } }, response);
+    this.value = value;
+  }
+}
+function fileResult(value, response) {
+  return new FileResult(value || common.BLANK, response);
+}
+
 function base(params, type, additionaConfig) {
   decoratorStateContainer.register(params, type, additionaConfig);
 }
@@ -1231,12 +1315,31 @@ function authenticationOnly() {
   };
 }
 
+function setEnvInfo(envTsDefinition, envValueInfo) {
+  if (envTsDefinition && envValueInfo) {
+    common.commonContainer.setEnvTsDefinition(envTsDefinition);
+    Object.keys(envValueInfo).forEach((key) => process.env[key] = envValueInfo[key]);
+  }
+}
+
+function authorize(permission) {
+  return function(target, propertyKey, descriptor) {
+    base({
+      target,
+      propertyKey,
+      descriptor
+    }, DecoratorType.authorize, permission);
+  };
+}
+
 exports.$request = $request;
 exports.AbstractModelState = AbstractModelState;
 exports.BadRequestResult = BadRequestResult;
 exports.BaseController = BaseController;
+exports.CreateProblemDetail = CreateProblemDetail;
 exports.CreatedResult = CreatedResult;
 exports.Delete = Delete;
+exports.FileResult = FileResult;
 exports.ForbiddenAccessException = ForbiddenAccessException;
 exports.ForbiddenAccessInfoResult = ForbiddenAccessInfoResult;
 exports.HttpBadRequestException = HttpBadRequestException;
@@ -1245,6 +1348,7 @@ exports.HttpException = HttpException;
 exports.HttpHandler = HttpHandler;
 exports.HttpNotFoundException = HttpNotFoundException;
 exports.HttpResponse = HttpResponse;
+exports.HttpStatusCode = HttpStatusCode;
 exports.ModelBindingContext = ModelBindingContext;
 exports.NoContentResult = NoContentResult;
 exports.NotFoundResult = NotFoundResult;
@@ -1253,10 +1357,12 @@ exports.RunOn = RunOn;
 exports.UnauthorizedAccessException = UnauthorizedAccessException;
 exports.anonymous = anonymous;
 exports.authenticationOnly = authenticationOnly;
+exports.authorize = authorize;
 exports.badRequest = badRequest;
 exports.created = created;
 exports.defineNattyConfig = defineNattyConfig;
 exports.entityContainer = entityContainer;
+exports.fileResult = fileResult;
 exports.filter = filter;
 exports.forbiddenAccessInfo = forbiddenAccessInfo;
 exports.get = get;
@@ -1269,4 +1375,5 @@ exports.post = post;
 exports.put = put;
 exports.registerDecorator = registerDecorator;
 exports.route = route;
+exports.setEnvInfo = setEnvInfo;
 exports.useFilter = useFilter;

package/dist/index.d.ts

@@ -53,12 +53,70 @@ declare function route(path: string): (target: any, propertyKey?: string, parame
 
 declare function get(path: string): (target: any, propertyKey?: string, descriptor?: any) => void;
 
-declare function post(path: string): (target: any, propertyKey?: string, descriptor?: any) => void;
+declare function post(path?: string): (target: any, propertyKey?: string, descriptor?: any) => void;
 
-declare function put(path: string): (target: any, propertyKey?: string, descriptor?: any) => void;
+declare function put(path?: string): (target: any, propertyKey?: string, descriptor?: any) => void;
 
 declare function Delete(): (target: any, propertyKey?: string, descriptor?: any) => void;
 
+interface RouteConfig {
+    controller: Function;
+    parameters: Array<{
+        name: string;
+        type: string;
+    }>;
+    get: {
+        [key: string]: {
+            name: string;
+            parameters: Array<{
+                name: string;
+                type: string;
+            }>;
+            returnType: string;
+        };
+    };
+    post: {
+        [key: string]: {
+            name: string;
+            parameters: Array<{
+                name: string;
+                type: string;
+            }>;
+            returnType: string;
+        };
+    };
+    put: {
+        [key: string]: {
+            name: string;
+            parameters: Array<{
+                name: string;
+                type: string;
+            }>;
+            returnType: string;
+        };
+    };
+    delete: {
+        [key: string]: {
+            name: string;
+            parameters: Array<{
+                name: string;
+                type: string;
+            }>;
+            returnType: string;
+        };
+    };
+}
+
+declare function init(config: NattyConfig, appConfig: {
+    routes: {
+        [key: string]: RouteConfig;
+    };
+    envTsDefinition: {
+        [key: string]: string;
+    };
+    resolver: (path: string) => {};
+}): any;
+
 interface DecoratorInfo {
     httpMethod: string;
     route: string;
@@ -81,6 +139,7 @@ type HttpRequestBodyInfo = {
     number?: number | number[];
     boolean?: boolean | boolean[];
     FormData?: FormData;
+    buffer?: any;
     ArrayBuffer?: ArrayBuffer;
     Blob?: Blob;
     json?: {
@@ -120,6 +179,7 @@ interface HttpResponseInit {
     headers?: HeadersInit;
     cookies?: Cookie[];
     enableContentNegotiation?: boolean;
+    isBuffer?: boolean;
 }
 
 interface ProblemDetail {
@@ -190,64 +250,6 @@ interface IHttpResult {
     getResponse(): HttpResponseInit;
 }
 
-interface RouteConfig {
-    controller: Function;
-    parameters: Array<{
-        name: string;
-        type: string;
-    }>;
-    get: {
-        [key: string]: {
-            name: string;
-            parameters: Array<{
-                name: string;
-                type: string;
-            }>;
-            returnType: string;
-        };
-    };
-    post: {
-        [key: string]: {
-            name: string;
-            parameters: Array<{
-                name: string;
-                type: string;
-            }>;
-            returnType: string;
-        };
-    };
-    put: {
-        [key: string]: {
-            name: string;
-            parameters: Array<{
-                name: string;
-                type: string;
-            }>;
-            returnType: string;
-        };
-    };
-    delete: {
-        [key: string]: {
-            name: string;
-            parameters: Array<{
-                name: string;
-                type: string;
-            }>;
-            returnType: string;
-        };
-    };
-}
-
-declare function init(config: NattyConfig, appConfig: {
-    routes: {
-        [key: string]: RouteConfig;
-    };
-    envTsDefinition: {
-        [key: string]: string;
-    };
-    types?: TypesInfo;
-}): any;
-
 declare class HttpRequest {
     private httpRequest;
     constructor(http: HttpRequestInit);
@@ -264,6 +266,7 @@ declare class HttpResponse {
     private _headers;
     private _body;
     private _status;
+    private _isBuffer;
     constructor(response?: HttpResponseInit);
     private setValues;
     addCookie(cookie: Cookie): void;
@@ -341,9 +344,9 @@ declare abstract class ParameterTypeConverter extends BaseResponse {
     };
     get types(): TypesInfo;
     getObjectTypeInfo(typeName: string): {
-        path?: any;
-        props?: TypeInfo[];
-        values?: any[];
+        path?: string | any | Function;
+        props?: Array<TypeInfo>;
+        values?: Array<any>;
     };
     isArrayType(typeName: string): boolean;
     getTypeName(typeName: string): string;
@@ -435,6 +438,12 @@ declare class BadRequestResult extends BaseResult implements IHttpResult {
 }
 declare function badRequest(value?: ExceptionTypeInfo, response?: Pick<HttpResponseInit, "headers" | "cookies">): BadRequestResult;
 
+declare class FileResult extends BaseResult {
+    value: any;
+    constructor(value: any, response?: Pick<HttpResponseInit, "headers" | "cookies">);
+}
+declare function fileResult(value?: any, response?: Pick<HttpResponseInit, "headers" | "cookies">): FileResult;
+
 declare class HttpException {
     private httpResponse;
     constructor(response: HttpResponseInit);
@@ -463,4 +472,27 @@ declare function anonymous(): (target: any, propertyKey?: string, descriptor?: a
 
 declare function authenticationOnly(): (target: any, propertyKey?: string, descriptor?: any) => void;
 
-export { $request, AbstractModelState, BadRequestResult, BaseController, BuildOptions, ClassTypeInfo, CreatedResult, Delete, ForbiddenAccessException, ForbiddenAccessInfoResult, HttpBadRequestException, HttpContext, HttpException, HttpHandler, HttpModule, HttpNotFoundException, HttpResponse, MethodInfo$1 as MethodInfo, ModelBindingContext, NoContentResult, NotFoundResult, OkResult, ParameterInfo, RunOn, TypeInfo$1 as TypeInfo, UnauthorizedAccessException, anonymous, authenticationOnly, badRequest, created, defineNattyConfig, entityContainer, filter, forbiddenAccessInfo, get, init, injectable, noContent, notFound, ok, post, put, registerDecorator, route, useFilter };
+declare function setEnvInfo(envTsDefinition: {
+    [key: string]: string;
+}, envValueInfo: {
+    [key: string]: any;
+}): void;
+
+declare enum HttpStatusCode {
+    success = 200,
+    created = 201,
+    noContent = 204,
+    notFound = 404,
+    unAuthorized = 401,
+    forbiddenAccess = 403,
+    badRequest = 400,
+    serverError = 500
+}
+
+declare function authorize(permission: {
+    [key: string]: any;
+}): (target: any, propertyKey?: string, descriptor?: any) => void;
+
+declare function CreateProblemDetail(modelName: string, detail: any): ProblemDetail;
+
+export { $request, AbstractModelState, BadRequestResult, BaseController, BuildOptions, ClassTypeInfo, CreateProblemDetail, CreatedResult, Delete, FileResult, ForbiddenAccessException, ForbiddenAccessInfoResult, HttpBadRequestException, HttpContext, HttpException, HttpHandler, HttpModule, HttpNotFoundException, HttpResponse, HttpStatusCode, MethodInfo$1 as MethodInfo, ModelBindingContext, NoContentResult, NotFoundResult, OkResult, ParameterInfo, RunOn, TypeInfo$1 as TypeInfo, UnauthorizedAccessException, anonymous, authenticationOnly, authorize, badRequest, created, defineNattyConfig, entityContainer, fileResult, filter, forbiddenAccessInfo, get, init, injectable, noContent, notFound, ok, post, put, registerDecorator, route, setEnvInfo, useFilter };

package/dist/index.mjs

@@ -25,6 +25,12 @@ function route(path) {
 const CONTROLLER = "controller";
 const INVALID_VALUE = "INVALID_VALUE";
 const BLANK = "";
+const DENY_BY_DEFAULT = {
+  type: "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html#deny-by-default",
+  title: "Deny-by-default",
+  description: `Zero Trust Architecture (NIST SP 800-207) \u2014 Core principle is "never trust, always verify," which translates to deny-by-default behavior. OWASP Secure Defaults Principle \u2014 \u201CSecurity should be a default setting, and everything should be locked down unless explicitly permitted.\u201D`,
+  solution: `Please implement proper authentication and authorization checks. If this API needs to be accessed anonymously, add the @anonymous() decorator above the HTTP action.`
+};
 
 function get(path) {
   return function(target, propertyKey, descriptor) {
@@ -58,10 +64,13 @@ const nattyContainer = new class {
     this.container = /* @__PURE__ */ new Map();
     this.containerState = /* @__PURE__ */ new Map();
   }
-  setup(config, routes, types) {
+  get types() {
+    return commonContainer.types;
+  }
+  setup(config, routes, resolver) {
     this.config = config;
     this.routes = routes;
-    this.types = types;
+    this.resolver = resolver;
   }
   getTypes() {
     return StaticContainer.types;
@@ -114,7 +123,7 @@ const nattyContainer = new class {
 function init(config, appConfig) {
   commonContainer.setupConfig(config);
   commonContainer.setEnvTsDefinition(appConfig.envTsDefinition);
-  nattyContainer.setup(config, appConfig.routes, appConfig.types);
+  nattyContainer.setup(config, appConfig.routes, appConfig.resolver);
   return initializeModule(config);
 }
 function initializeModule(config) {
@@ -123,22 +132,26 @@ function initializeModule(config) {
   }
 }
 
-function getPreResponseBody(body) {
+function getPreResponseBody(body, isBuffer = false) {
   let bodyInfo;
   if (body) {
-    if (isObject(body) || Array.isArray(body))
-      bodyInfo = { json: body };
-    const typeText = typeof body;
-    switch (typeText) {
-      case "string":
-        bodyInfo = { string: body };
-        break;
-      case "number":
-        bodyInfo = { number: body };
-        break;
-      case "boolean":
-        bodyInfo = { boolean: body };
-        break;
+    if (isBuffer)
+      bodyInfo = { buffer: body };
+    else {
+      if (isObject(body) || Array.isArray(body))
+        bodyInfo = { json: body };
+      const typeText = typeof body;
+      switch (typeText) {
+        case "string":
+          bodyInfo = { string: body };
+          break;
+        case "number":
+          bodyInfo = { number: body };
+          break;
+        case "boolean":
+          bodyInfo = { boolean: body };
+          break;
+      }
     }
   }
   return bodyInfo;
@@ -152,6 +165,7 @@ class HttpResponse {
   }
   setValues(responseInit) {
     if (responseInit) {
+      this._isBuffer = responseInit.isBuffer;
       if (responseInit.headers)
         for (const [key, value] of Object.entries(responseInit.headers))
           this.headers.append(key, value);
@@ -183,7 +197,7 @@ class HttpResponse {
     return this._body;
   }
   set body(value) {
-    this._body = getPreResponseBody(value);
+    this._body = getPreResponseBody(value, this._isBuffer);
   }
   write(responseInit) {
     this.setValues(responseInit);
@@ -205,6 +219,26 @@ var RequestPipeline = /* @__PURE__ */ ((RequestPipeline2) => {
   return RequestPipeline2;
 })(RequestPipeline || {});
 
+function lessThan(value) {
+  return value ? value.replace(/</g, "&lt;") : value;
+}
+function greaterThan(value) {
+  return value ? value.replace(/>/g, "&gt;") : value;
+}
+function ampersand(value) {
+  return value ? value.replace(/&/g, "&amp;") : value;
+}
+function doubleDash(value) {
+  return value ? value.replace(/--/g, "") : value;
+}
+function sanitizeSpecialCodes(value) {
+  value = ampersand(value);
+  value = lessThan(value);
+  value = greaterThan(value);
+  value = doubleDash(value);
+  return value;
+}
+
 function isBoolean(value) {
   return typeof value === "boolean" || value === "1" || value === "true" || value === "0" || value === "false";
 }
@@ -265,7 +299,7 @@ function toInt(value, radix = 0) {
 }
 function toString(value) {
   if (isNotBlank(value))
-    return String(value);
+    return sanitizeSpecialCodes(String(value));
   return value;
 }
 function whitelist(value, chars) {
@@ -346,6 +380,7 @@ class BaseResult {
 }
 
 function getResponseBodyObject(body, props) {
+  const sensitiveProps = commonContainer.nattyConfig?.secure?.sensitiveProps;
   if (body instanceof List)
     return getResponseBodyObject(body.values, body.props);
   if (Array.isArray(body)) {
@@ -359,7 +394,8 @@ function getResponseBodyObject(body, props) {
     const keys = Object.keys(body);
     const getterProps = props ? Object.keys(props).map((key) => props[key]) : [];
     for (const key of [...keys, ...getterProps])
-      jObject[key] = getResponseBodyObject(body[key]);
+      if (!sensitiveProps || sensitiveProps.filter((t) => t == key.toLowerCase()).length == 0)
+        jObject[key] = getResponseBodyObject(body[key]);
     return jObject;
   }
   return body;
@@ -386,7 +422,7 @@ class BaseResponse {
 }
 
 function getTypedErrorMessage(type, value) {
-  const message = commonContainer.nattyConfig.modelBinding.errorMessage.typed[type];
+  const message = commonContainer.nattyConfig?.modelBinding?.errorMessage?.typed ? commonContainer.nattyConfig?.modelBinding?.errorMessage?.typed[type] : "";
   return parseMessage(message, [value]);
 }
 function parseMessage(message, value) {
@@ -462,6 +498,32 @@ const entityContainer = new class {
   }
 }();
 
+class ForbiddenAccessException extends HttpException {
+  constructor(data) {
+    super({
+      body: data,
+      status: 403
+    });
+  }
+}
+
+class UnauthorizedAccessException extends HttpException {
+  constructor(data) {
+    super({
+      body: data,
+      status: 401
+    });
+  }
+}
+
+function CreateProblemDetail(modelName, detail) {
+  return {
+    type: "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+    title: `The specified ${modelName} model props are invalid.`,
+    detail
+  };
+}
+
 class ParameterTypeConverter extends BaseResponse {
   constructor() {
     super(...arguments);
@@ -522,12 +584,14 @@ class ParameterTypeConverter extends BaseResponse {
         } else {
           if (this.isArrayType(property.type) && Array.isArray(value)) {
             let arrayValue = body[property.name] = [];
-            let arrayInvalidProps = invalidProps[property.name] = [];
             for (const item of value) {
               const sanitizeValue = this.sanitizer[property.type.toLowerCase()] ? this.sanitizer[property.type.toLowerCase()](item) : item;
-              if (sanitizeValue === INVALID_VALUE)
+              if (sanitizeValue === INVALID_VALUE) {
+                let arrayInvalidProps = invalidProps[property.name];
+                if (!arrayInvalidProps)
+                  arrayInvalidProps = invalidProps[property.name] = [];
                 arrayInvalidProps.push(property);
-              else
+              } else
                 arrayValue.push(sanitizeValue);
             }
           } else
@@ -548,14 +612,17 @@ class ParameterTypeConverter extends BaseResponse {
     for (const parameterInfo of methodInfo.parameters) {
       const value = jObject[parameterInfo.name];
       if (value !== void 0) {
-        jObject[parameterInfo.name] = SANITIZERS[parameterInfo.type](value);
+        const sanitizedValue = SANITIZERS[parameterInfo.type](value);
+        if (sanitizedValue === null && sanitizedValue != value)
+          throw new HttpBadRequestException(CreateProblemDetail(parameterInfo.type, [{ [parameterInfo.name]: `The supplied data type must be  "${parameterInfo.type}"` }]));
+        jObject[parameterInfo.name] = sanitizedValue;
       }
     }
     return jObject;
   }
   convertToInstance(entityName, data) {
     const typesInfo = this.types[entityName];
-    const target = this.getClassTarget(typesInfo.path) || entityContainer.getTarget(entityName);
+    const target = this.getClassTarget(typesInfo.path, entityName) || entityContainer.getTarget(entityName);
     let instance = null;
     if (target) {
       instance = new target();
@@ -564,11 +631,10 @@ class ParameterTypeConverter extends BaseResponse {
       instance = data;
     return instance;
   }
-  getClassTarget(resolver) {
-    if (resolver) {
-      const classInfo = resolver();
-      const name = Object.keys(classInfo)[0];
-      return classInfo[name];
+  getClassTarget(path, entityName) {
+    if (path) {
+      const classInfo = nattyContainer.resolver(path);
+      return classInfo[entityName];
     }
     return void 0;
   }
@@ -666,15 +732,6 @@ class RouteParser extends ParameterTypeConverter {
   }
 }
 
-class UnauthorizedAccessException extends HttpException {
-  constructor(data) {
-    super({
-      body: data,
-      status: 401
-    });
-  }
-}
-
 const decoratorStateContainer = new class {
   constructor() {
     this.controllerConfig = {};
@@ -720,15 +777,6 @@ var DecoratorType = /* @__PURE__ */ ((DecoratorType2) => {
   return DecoratorType2;
 })(DecoratorType || {});
 
-class ForbiddenAccessException extends HttpException {
-  constructor(data) {
-    super({
-      body: data,
-      status: 403
-    });
-  }
-}
-
 class AbstractExecutionContext {
   constructor(context, routeInfo) {
     this.context = context;
@@ -758,14 +806,6 @@ class ActionExecutingContext extends AbstractExecutionContext {
   }
 }
 
-function CreateProblemDetail(modelName, detail) {
-  return {
-    type: "https://tools.ietf.org/html/rfc7231#section-6.5.1",
-    title: `The specified ${modelName} model props are invalid.`,
-    detail
-  };
-}
-
 function runValidators(entityName, value) {
   const typeInfo = nattyContainer.types[entityName];
   let errors = {};
@@ -827,6 +867,8 @@ class ModelBindingContext extends ParameterTypeConverter {
     else
       this.data = body;
     this.instance = this.convertToInstance(this.type, this.data);
+    if (!this.isValid)
+      throw new HttpBadRequestException(CreateProblemDetail(this.type, this.errors));
   }
   get isValid() {
     const errors = runValidators(this.type, this.instance);
@@ -843,6 +885,17 @@ class ActionExecutedContext extends AbstractExecutionContext {
     super(httpContext, routeInfo);
     this.content = content;
   }
+  get response() {
+    return this.context.response;
+  }
+}
+
+class AuthorizationContext extends AbstractExecutionContext {
+  constructor(models, context, routeInfo, config) {
+    super(context, routeInfo);
+    this.models = models;
+    this.config = config;
+  }
 }
 
 class RequestProcessor extends RouteParser {
@@ -855,9 +908,6 @@ class RequestProcessor extends RouteParser {
       case RequestPipeline.onAuthentication:
         await this.onAuthentication();
         break;
-      case RequestPipeline.onAuthorization:
-        await this.onAuthorization();
-        break;
     }
   }
   resolveFilter(instance) {
@@ -878,26 +928,45 @@ class RequestProcessor extends RouteParser {
     const authentication = this.getAuthenticationClass();
     const authenticationFilter = authentication ? this.resolveFilter(authentication) : void 0;
     const anonymousInfo = decoratorStateContainer.getInfo(this.routeInfo.controller.name, this.routeInfo.methodInfo.name, DecoratorType.anonymous);
+    if (!anonymousInfo && !authenticationFilter)
+      throw new UnauthorizedAccessException(DENY_BY_DEFAULT);
     if (authenticationFilter) {
       const result = await authenticationFilter.onAuthentication(this.httpContext);
       this.httpContext.user = result;
       if (!result.isAuthenticate && !anonymousInfo.controllerConfig && !anonymousInfo.methodConfig)
         throw new UnauthorizedAccessException(authenticationFilter.onFailedResponse());
-      await this.onAuthorization();
     }
   }
-  async onAuthorization() {
+  async onAuthorization(methodParameters) {
     const authorization = commonContainer.globalConfig.authorization;
     const authorizationFilter = authorization ? this.resolveFilter(authorization) : void 0;
     const authorizeConfig = decoratorStateContainer.getInfo(this.routeInfo.controller.name, this.routeInfo.methodInfo.name, DecoratorType.authorize);
     const authenticationOnly = decoratorStateContainer.getInfo(this.routeInfo.controller.name, this.routeInfo.methodInfo.name, DecoratorType.authenticationOnly);
-    if (this.httpContext.user?.isAuthenticate && authorizationFilter && (!authenticationOnly.controllerConfig && !authenticationOnly.methodConfig)) {
-      const result = await authorizationFilter.onAuthorization(this.httpContext, authorizeConfig.methodConfig || authorizeConfig.controllerConfig);
+    if (this.httpContext.user?.isAuthenticate && authorizationFilter && (authorizeConfig.controllerConfig || authorizeConfig.methodConfig) && (!authenticationOnly.controllerConfig && !authenticationOnly.methodConfig)) {
+      const authorizationContext = new AuthorizationContext(
+        methodParameters.filter((t) => t instanceof ModelBindingContext),
+        this.httpContext,
+        this.routeInfo,
+        authorizeConfig.methodConfig || authorizeConfig.controllerConfig
+      );
+      const result = await authorizationFilter.onAuthorization(authorizationContext);
       if (!result)
         throw new ForbiddenAccessException(authorizationFilter.onFailedAuthorization());
     }
   }
-  async onActionExecuting(methodParameters) {
+  async onModelBinding(methodParameters) {
+    const { actionExecutingContext, actionFilters } = this.getExecutingContext(methodParameters);
+    for (const actionFilter of actionFilters) {
+      const filter = this.resolveFilter(actionFilter);
+      this.actionFilterInstances.push(filter);
+      await filter.onActionExecuting(actionExecutingContext);
+      if (actionExecutingContext.result) {
+        return actionExecutingContext.result;
+      }
+    }
+    return null;
+  }
+  getExecutingContext(methodParameters) {
     let actionFilters = commonContainer.globalConfig.actionFilters || [];
     const actionFiltersConfig = decoratorStateContainer.getInfo(this.routeInfo.controller.name, this.routeInfo.methodInfo.name, DecoratorType.useFilter);
     actionFilters = [...actionFilters, ...actionFiltersConfig.controllerConfig?.actionFilters || [], ...actionFiltersConfig.methodConfig?.actionFilters || []];
@@ -906,6 +975,11 @@ class RequestProcessor extends RouteParser {
       this.httpContext,
       this.routeInfo
     );
+    return { actionFilters, actionExecutingContext };
+  }
+  async onActionExecuting(methodParameters) {
+    await this.onAuthorization(methodParameters);
+    const { actionExecutingContext, actionFilters } = this.getExecutingContext(methodParameters);
     for (const actionFilter of actionFilters) {
       const filter = this.resolveFilter(actionFilter);
       this.actionFilterInstances.push(filter);
@@ -1203,6 +1277,16 @@ function badRequest(value, response) {
   return new BadRequestResult(value || BLANK$1, response);
 }
 
+class FileResult extends BaseResult {
+  constructor(value, response) {
+    super({ ...{ isBuffer: true, body: value }, ...{ status: HttpStatusCode.success } }, response);
+    this.value = value;
+  }
+}
+function fileResult(value, response) {
+  return new FileResult(value || BLANK$1, response);
+}
+
 function base(params, type, additionaConfig) {
   decoratorStateContainer.register(params, type, additionaConfig);
 }
@@ -1229,4 +1313,21 @@ function authenticationOnly() {
   };
 }
 
-export { $request, AbstractModelState, BadRequestResult, BaseController, CreatedResult, Delete, ForbiddenAccessException, ForbiddenAccessInfoResult, HttpBadRequestException, HttpContext, HttpException, HttpHandler, HttpNotFoundException, HttpResponse, ModelBindingContext, NoContentResult, NotFoundResult, OkResult, RunOn, UnauthorizedAccessException, anonymous, authenticationOnly, badRequest, created, defineNattyConfig, entityContainer, filter, forbiddenAccessInfo, get, init, injectable, noContent, notFound, ok, post, put, registerDecorator, route, useFilter };
+function setEnvInfo(envTsDefinition, envValueInfo) {
+  if (envTsDefinition && envValueInfo) {
+    commonContainer.setEnvTsDefinition(envTsDefinition);
+    Object.keys(envValueInfo).forEach((key) => process.env[key] = envValueInfo[key]);
+  }
+}
+
+function authorize(permission) {
+  return function(target, propertyKey, descriptor) {
+    base({
+      target,
+      propertyKey,
+      descriptor
+    }, DecoratorType.authorize, permission);
+  };
+}
+
+export { $request, AbstractModelState, BadRequestResult, BaseController, CreateProblemDetail, CreatedResult, Delete, FileResult, ForbiddenAccessException, ForbiddenAccessInfoResult, HttpBadRequestException, HttpContext, HttpException, HttpHandler, HttpNotFoundException, HttpResponse, HttpStatusCode, ModelBindingContext, NoContentResult, NotFoundResult, OkResult, RunOn, UnauthorizedAccessException, anonymous, authenticationOnly, authorize, badRequest, created, defineNattyConfig, entityContainer, fileResult, filter, forbiddenAccessInfo, get, init, injectable, noContent, notFound, ok, post, put, registerDecorator, route, setEnvInfo, useFilter };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nattyjs/core",
-  "version": "0.0.1-beta.4",
+  "version": "0.0.1-beta.40",
   "description": "",
   "keywords": [],
   "author": "ajayojha",
@@ -15,9 +15,10 @@
     "build": "unbuild"
   },
   "dependencies": {
+    "reflect-metadata": "0.2.2",
     "tsyringe": "^4.7.0",
     "path-to-regexp": "6.2.1",
-    "@nattyjs/common": "0.0.1-beta.4"
+    "@nattyjs/common": "0.0.1-beta.40"
   },
   "devDependencies": {
     "unbuild": "1.2.1"