@nauth-toolkit/nestjs 0.1.69 → 0.1.72
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/guards/auth.guard.d.ts +1 -0
- package/dist/guards/auth.guard.d.ts.map +1 -1
- package/dist/guards/auth.guard.js +20 -3
- package/dist/guards/auth.guard.js.map +1 -1
- package/dist/guards/csrf.guard.d.ts +1 -0
- package/dist/guards/csrf.guard.d.ts.map +1 -1
- package/dist/guards/csrf.guard.js +36 -3
- package/dist/guards/csrf.guard.js.map +1 -1
- package/package.json +2 -2
|
@@ -16,6 +16,7 @@ import { CanActivate, ExecutionContext } from '@nestjs/common';
|
|
|
16
16
|
* Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
|
|
17
17
|
*/
|
|
18
18
|
export declare class AuthGuard implements CanActivate {
|
|
19
|
+
private readonly logger;
|
|
19
20
|
private readonly _reflector;
|
|
20
21
|
private readonly _jwtService;
|
|
21
22
|
private readonly _sessionService;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.guard.d.ts","sourceRoot":"","sources":["../../src/guards/auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,
|
|
1
|
+
{"version":3,"file":"auth.guard.d.ts","sourceRoot":"","sources":["../../src/guards/auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAAkB,MAAM,gBAAgB,CAAC;AAiB3F;;;;;;;;;;;;;;;GAeG;AACH,qBACa,SAAU,YAAW,WAAW;IAC3C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA8B;IAUrD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IAGxC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAc;IAG1C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;IAGlD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAG5C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAe;IAEhC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IAiB9D;;;;;;;;;OASG;YACW,oBAAoB;IA0IlC;;;;;;;;;OASG;IACH,OAAO,CAAC,YAAY;CAoFrB"}
|
|
@@ -8,6 +8,7 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
|
|
|
8
8
|
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
9
|
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
10
|
};
|
|
11
|
+
var AuthGuard_1;
|
|
11
12
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
13
|
exports.AuthGuard = void 0;
|
|
13
14
|
const common_1 = require("@nestjs/common");
|
|
@@ -33,7 +34,8 @@ const nauth_context_guard_1 = require("./nauth-context.guard");
|
|
|
33
34
|
* // Works with Authorization header (API clients)
|
|
34
35
|
* Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
|
|
35
36
|
*/
|
|
36
|
-
let AuthGuard = class AuthGuard {
|
|
37
|
+
let AuthGuard = AuthGuard_1 = class AuthGuard {
|
|
38
|
+
logger = new common_1.Logger(AuthGuard_1.name);
|
|
37
39
|
// ============================================================================
|
|
38
40
|
// Dependency Injection (property-based)
|
|
39
41
|
// ============================================================================
|
|
@@ -205,7 +207,8 @@ let AuthGuard = class AuthGuard {
|
|
|
205
207
|
const request = context.switchToHttp().getRequest();
|
|
206
208
|
const cfg = this.config.tokenDelivery;
|
|
207
209
|
const method = cfg?.method || 'json';
|
|
208
|
-
|
|
210
|
+
// Handle case-insensitive header lookup (Express uses lowercase, Fastify may use original case)
|
|
211
|
+
const authHeader = request.headers?.authorization || request.headers?.Authorization;
|
|
209
212
|
const headerToken = authHeader?.startsWith('Bearer ') ? authHeader.substring(7) : null;
|
|
210
213
|
const accessTokenCookieName = (0, core_2.getAccessTokenCookieName)(this.config);
|
|
211
214
|
const cookieToken = request.cookies?.[accessTokenCookieName];
|
|
@@ -214,6 +217,7 @@ let AuthGuard = class AuthGuard {
|
|
|
214
217
|
let effective = 'json';
|
|
215
218
|
if (routeMode) {
|
|
216
219
|
effective = routeMode;
|
|
220
|
+
this.logger.debug(`[AuthGuard] Route mode override: ${routeMode}`);
|
|
217
221
|
}
|
|
218
222
|
else if (method === 'hybrid') {
|
|
219
223
|
// ============================================================================
|
|
@@ -227,22 +231,35 @@ let AuthGuard = class AuthGuard {
|
|
|
227
231
|
// SECURITY:
|
|
228
232
|
// - We do NOT "leak" tokens to browsers; we only accept Bearer when the client sends it.
|
|
229
233
|
// - When both cookie and bearer are present, we fall back to hybridPolicy/origin resolution.
|
|
234
|
+
// Match AuthGuard logic: if client sends Bearer token, treat as JSON mode
|
|
235
|
+
// This prevents CSRF enforcement for mobile apps using Bearer tokens
|
|
236
|
+
// Handle case-insensitive header lookup (Express uses lowercase, Fastify may use original case)
|
|
237
|
+
this.logger.debug(`[AuthGuard] Hybrid mode - Bearer: ${!!headerToken}, Cookie: ${!!cookieToken}, Origin: ${request.headers?.origin || 'MISSING'}`);
|
|
238
|
+
this.logger.debug(`[AuthGuard] Header check - authHeader exists: ${!!authHeader}, startsWith Bearer: ${authHeader?.startsWith('Bearer ')}, headerToken length: ${headerToken?.length || 0}`);
|
|
239
|
+
this.logger.debug(`[AuthGuard] Cookie check - cookieName: ${accessTokenCookieName}, cookieToken exists: ${!!cookieToken}`);
|
|
230
240
|
if (headerToken && !cookieToken) {
|
|
231
241
|
effective = 'json';
|
|
242
|
+
this.logger.debug(`[AuthGuard] Detected JSON mode (Bearer token only)`);
|
|
232
243
|
}
|
|
233
244
|
else if (cookieToken && !headerToken) {
|
|
234
245
|
effective = 'cookies';
|
|
246
|
+
this.logger.debug(`[AuthGuard] Detected cookies mode (cookie only)`);
|
|
235
247
|
}
|
|
236
248
|
else {
|
|
249
|
+
// Both present, neither present, or edge case - fall back to origin-based
|
|
237
250
|
effective = (0, core_2.resolveDeliveryForRequest)(request, cfg?.hybridPolicy);
|
|
251
|
+
this.logger.debug(`[AuthGuard] Fallback to origin-based resolution: ${effective} (Bearer: ${!!headerToken}, Cookie: ${!!cookieToken})`);
|
|
238
252
|
}
|
|
239
253
|
}
|
|
240
254
|
else if (method === 'cookies') {
|
|
241
255
|
effective = 'cookies';
|
|
256
|
+
this.logger.debug(`[AuthGuard] Global cookies mode`);
|
|
242
257
|
}
|
|
243
258
|
else {
|
|
244
259
|
effective = 'json';
|
|
260
|
+
this.logger.debug(`[AuthGuard] Global JSON mode`);
|
|
245
261
|
}
|
|
262
|
+
this.logger.debug(`[AuthGuard] Effective delivery mode: ${effective} for ${request.method} ${request.url}`);
|
|
246
263
|
if (effective === 'cookies') {
|
|
247
264
|
if (headerToken && !cookieToken) {
|
|
248
265
|
throw new core_2.NAuthException(core_2.AuthErrorCode.BEARER_NOT_ALLOWED, 'Bearer tokens are not allowed in cookie-only path.');
|
|
@@ -277,7 +294,7 @@ __decorate([
|
|
|
277
294
|
(0, common_1.Inject)('NAUTH_CONFIG'),
|
|
278
295
|
__metadata("design:type", Object)
|
|
279
296
|
], AuthGuard.prototype, "config", void 0);
|
|
280
|
-
exports.AuthGuard = AuthGuard = __decorate([
|
|
297
|
+
exports.AuthGuard = AuthGuard = AuthGuard_1 = __decorate([
|
|
281
298
|
(0, common_1.Injectable)()
|
|
282
299
|
], AuthGuard);
|
|
283
300
|
//# sourceMappingURL=auth.guard.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.guard.js","sourceRoot":"","sources":["../../src/guards/auth.guard.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"auth.guard.js","sourceRoot":"","sources":["../../src/guards/auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,2CAA2F;AAC3F,uCAAyC;AACzC,8CAS6B;AAC7B,2DAA0E;AAC1E,qEAA+D;AAC/D,qFAA2F;AAC3F,+DAA6D;AAE7D;;;;;;;;;;;;;;;GAeG;AAEI,IAAM,SAAS,iBAAf,MAAM,SAAS;IACH,MAAM,GAAG,IAAI,eAAM,CAAC,WAAS,CAAC,IAAI,CAAC,CAAC;IAErD,+EAA+E;IAC/E,wCAAwC;IACxC,+EAA+E;IAC/E,OAAO;IACP,4DAA4D;IAC5D,qGAAqG;IACrG,4FAA4F;IAE3E,UAAU,CAAa;IAGvB,WAAW,CAAc;IAGzB,eAAe,CAAkB;IAGjC,YAAY,CAAe;IAG3B,MAAM,CAAe;IAEtC,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAU,gCAAa,EAAE;YACzE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QAEH,sDAAsD;QACtD,mFAAmF;QACnF,0FAA0F;QAC1F,yFAAyF;QACzF,MAAM,IAAI,CAAC,oBAAoB,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEhE,gEAAgE;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACK,KAAK,CAAC,oBAAoB,CAAC,OAAyB,EAAE,OAA4B;QACxF,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QAEpD,+EAA+E;QAC/E,yCAAyC;QACzC,+EAA+E;QAC/E,IAAI,KAAK,GAAkB,IAAI,CAAC;QAChC,IAAI,CAAC;YACH,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACrC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,KAAK,CAAC;YACd,CAAC;YACD,OAAO,CAAC,0CAA0C;QACpD,CAAC;QAED,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC;YAC7E,CAAC;YACD,OAAO;QACT,CAAC;QAED,iBAAiB;QACjB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;QACrE,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACtB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,aAAa,EAAE,UAAU,CAAC,KAAK,IAAI,eAAe,CAAC,CAAC;YAC7F,CAAC;YACD,OAAO;QACT,CAAC;QAED,+EAA+E;QAC/E,uCAAuC;QACvC,+EAA+E;QAC/E,OAAO;QACP,2EAA2E;QAC3E,6CAA6C;QAC7C,MAAM,SAAS,GAAG,UAAU,CAAC,OAAQ,CAAC,SAAS,CAAC;QAChD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;QAEpE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;YACjF,CAAC;YACD,OAAO;QACT,CAAC;QAED,yEAAyE;QACzE,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;QAEvC,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,oBAAoB,EAAE,0BAA0B,CAAC,CAAC;YAC3F,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACnC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,eAAe,EAAE,qBAAqB,CAAC,CAAC;YACjF,CAAC;YACD,OAAO;QACT,CAAC;QAED,+EAA+E;QAC/E,yDAAyD;QACzD,+EAA+E;QAC/E,oEAAoE;QACpE,MAAM,KAAK,GAAG,IAAA,0CAAoB,EAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,6DAA6D;gBAC7D,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,cAAc,EAAE,yBAAyB,CAAC,CAAC;YACpF,CAAC;YAED,0FAA0F;YAC1F,yEAAyE;YACzE,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,qBAAqB,CAAC,UAAU,CAAC,OAAQ,CAAC,GAAG,CAAC,CAAC;gBACpF,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;gBACpB,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC;YACrC,CAAC;YAAC,MAAM,CAAC;gBACP,gDAAgD;YAClD,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,qBAAc,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE;gBAChD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,qBAAqB,CAAC,UAAU,CAAC,OAAQ,CAAC,GAAG,CAAC,CAAC;gBAEpF,+EAA+E;gBAC/E,yCAAyC;gBACzC,+EAA+E;gBAC/E,MAAM,iBAAiB,GAAI,OAAqD,CAAC,UAAU,IAAI,IAAI,CAAC;gBACnG,IAAsD,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;gBAE9F,gFAAgF;gBAChF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;gBACxE,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,OAAO,KAAK,cAAc,IAAI,WAAW,CAAC,SAAS,EAAE,CAAC;oBACpF,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,aAAa,EAC3B,gEAAgE,CACjE,CAAC;gBACJ,CAAC;gBAED,yBAAyB;gBACzB,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;gBACpB,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC;gBAEnC,6CAA6C;gBAC7C,qBAAc,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;gBACzC,qBAAc,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC;gBACtD,qBAAc,CAAC,GAAG,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;gBAEjD,+CAA+C;gBAC/C,MAAM,UAAU,GAAG,qBAAc,CAAC,GAAG,CAA0C,aAAa,CAAC,CAAC;gBAC9F,IAAI,UAAU,EAAE,CAAC;oBACf,MAAM,eAAe,GAAG,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;oBACpG,MAAM,YAAY,GAAG,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC3F,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;wBACnD,UAAU,CAAC,SAAS,GAAG,eAAe,CAAC;oBACzC,CAAC;oBACD,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;wBAC7C,UAAU,CAAC,MAAM,GAAG,YAAY,CAAC;oBACnC,CAAC;oBACD,qBAAc,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;gBAChD,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,KAAK,CAAC;YACd,CAAC;YACD,2EAA2E;QAC7E,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACK,YAAY,CAAC,OAAyB;QAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;QACtC,MAAM,MAAM,GAAG,GAAG,EAAE,MAAM,IAAI,MAAM,CAAC;QAErC,gGAAgG;QAChG,MAAM,UAAU,GACb,OAAO,CAAC,OAAO,EAAE,aAAoC,IAAK,OAAO,CAAC,OAAO,EAAE,aAAoC,CAAC;QACnH,MAAM,WAAW,GAAG,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACvF,MAAM,qBAAqB,GAAG,IAAA,+BAAwB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACpE,MAAM,WAAW,GAAuB,OAAO,CAAC,OAAO,EAAE,CAAC,qBAAqB,CAAC,CAAC;QAEjF,iFAAiF;QACjF,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAgB,6CAAkB,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;QAE/F,IAAI,SAAS,GAAuB,MAAM,CAAC;QAE3C,IAAI,SAAS,EAAE,CAAC;YACd,SAAS,GAAG,SAAS,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,SAAS,EAAE,CAAC,CAAC;QACrE,CAAC;aAAM,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,+EAA+E;YAC/E,8DAA8D;YAC9D,+EAA+E;YAC/E,OAAO;YACP,yFAAyF;YACzF,2FAA2F;YAC3F,2FAA2F;YAC3F,EAAE;YACF,YAAY;YACZ,yFAAyF;YACzF,6FAA6F;YAC7F,0EAA0E;YAC1E,qEAAqE;YACrE,gGAAgG;YAChG,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,qCAAqC,CAAC,CAAC,WAAW,aAAa,CAAC,CAAC,WAAW,aAAa,OAAO,CAAC,OAAO,EAAE,MAAM,IAAI,SAAS,EAAE,CAChI,CAAC;YACF,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,iDAAiD,CAAC,CAAC,UAAU,wBAAwB,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,yBAAyB,WAAW,EAAE,MAAM,IAAI,CAAC,EAAE,CAC1K,CAAC;YACF,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,0CAA0C,qBAAqB,yBAAyB,CAAC,CAAC,WAAW,EAAE,CACxG,CAAC;YAEF,IAAI,WAAW,IAAI,CAAC,WAAW,EAAE,CAAC;gBAChC,SAAS,GAAG,MAAM,CAAC;gBACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;YAC1E,CAAC;iBAAM,IAAI,WAAW,IAAI,CAAC,WAAW,EAAE,CAAC;gBACvC,SAAS,GAAG,SAAS,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;YACvE,CAAC;iBAAM,CAAC;gBACN,0EAA0E;gBAC1E,SAAS,GAAG,IAAA,gCAAyB,EAAC,OAAO,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;gBAClE,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,oDAAoD,SAAS,aAAa,CAAC,CAAC,WAAW,aAAa,CAAC,CAAC,WAAW,GAAG,CACrH,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YAChC,SAAS,GAAG,SAAS,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,MAAM,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACpD,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,SAAS,QAAQ,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAE5G,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,IAAI,WAAW,IAAI,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,kBAAkB,EAChC,oDAAoD,CACrD,CAAC;YACJ,CAAC;YACD,OAAO,WAAW,IAAI,IAAI,CAAC;QAC7B,CAAC;QAED,uBAAuB;QACvB,IAAI,WAAW,IAAI,CAAC,WAAW,EAAE,CAAC;YAChC,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,mBAAmB,EAAE,kDAAkD,CAAC,CAAC;QAClH,CAAC;QACD,OAAO,WAAW,IAAI,IAAI,CAAC;IAC7B,CAAC;CACF,CAAA;AA5RY,8BAAS;AAWH;IADhB,IAAA,eAAM,EAAC,gBAAS,CAAC;8BACY,gBAAS;6CAAC;AAGvB;IADhB,IAAA,eAAM,EAAC,qBAAU,CAAC;8BACY,qBAAU;8CAAC;AAGzB;IADhB,IAAA,eAAM,EAAC,yBAAc,CAAC;8BACY,yBAAc;kDAAC;AAGjC;IADhB,IAAA,eAAM,EAAC,kBAAW,CAAC;8BACY,kBAAW;+CAAC;AAG3B;IADhB,IAAA,eAAM,EAAC,cAAc,CAAC;;yCACe;oBAvB3B,SAAS;IADrB,IAAA,mBAAU,GAAE;GACA,SAAS,CA4RrB"}
|
|
@@ -27,6 +27,7 @@ export declare class CsrfGuard implements CanActivate {
|
|
|
27
27
|
private readonly config;
|
|
28
28
|
private readonly csrfService;
|
|
29
29
|
private readonly reflector;
|
|
30
|
+
private readonly logger;
|
|
30
31
|
constructor(config: NAuthConfig, csrfService: CsrfService, reflector: Reflector);
|
|
31
32
|
canActivate(context: ExecutionContext): boolean;
|
|
32
33
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"csrf.guard.d.ts","sourceRoot":"","sources":["../../src/guards/csrf.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,
|
|
1
|
+
{"version":3,"file":"csrf.guard.d.ts","sourceRoot":"","sources":["../../src/guards/csrf.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAAkB,MAAM,gBAAgB,CAAC;AAC3F,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EACL,WAAW,EAKZ,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBACa,SAAU,YAAW,WAAW;IAKzC,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,SAAS;IAN5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA8B;gBAIlC,MAAM,EAAE,WAAW,EACnB,WAAW,EAAE,WAAW,EACxB,SAAS,EAAE,SAAS;IAGvC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CAmHhD"}
|
|
@@ -11,6 +11,7 @@ var __metadata = (this && this.__metadata) || function (k, v) {
|
|
|
11
11
|
var __param = (this && this.__param) || function (paramIndex, decorator) {
|
|
12
12
|
return function (target, key) { decorator(target, key, paramIndex); }
|
|
13
13
|
};
|
|
14
|
+
var CsrfGuard_1;
|
|
14
15
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
16
|
exports.CsrfGuard = void 0;
|
|
16
17
|
const common_1 = require("@nestjs/common");
|
|
@@ -40,10 +41,11 @@ const csrf_service_1 = require("../services/csrf.service");
|
|
|
40
41
|
* async sensitiveAction() { ... }
|
|
41
42
|
* ```
|
|
42
43
|
*/
|
|
43
|
-
let CsrfGuard = class CsrfGuard {
|
|
44
|
+
let CsrfGuard = CsrfGuard_1 = class CsrfGuard {
|
|
44
45
|
config;
|
|
45
46
|
csrfService;
|
|
46
47
|
reflector;
|
|
48
|
+
logger = new common_1.Logger(CsrfGuard_1.name);
|
|
47
49
|
constructor(config, csrfService, reflector) {
|
|
48
50
|
this.config = config;
|
|
49
51
|
this.csrfService = csrfService;
|
|
@@ -83,18 +85,49 @@ let CsrfGuard = class CsrfGuard {
|
|
|
83
85
|
let effective = 'json';
|
|
84
86
|
if (routeMode) {
|
|
85
87
|
effective = routeMode;
|
|
88
|
+
this.logger.debug(`[CSRF] Route mode override: ${routeMode}`);
|
|
86
89
|
}
|
|
87
90
|
else if (method === 'hybrid') {
|
|
88
|
-
|
|
91
|
+
// ============================================================================
|
|
92
|
+
// HYBRID MODE: Prefer the credential that is actually present
|
|
93
|
+
// ============================================================================
|
|
94
|
+
// Match AuthGuard logic: if client sends Bearer token, treat as JSON mode
|
|
95
|
+
// This prevents CSRF enforcement for mobile apps using Bearer tokens
|
|
96
|
+
// Handle case-insensitive header lookup (Express uses lowercase, Fastify may use original case)
|
|
97
|
+
const authHeader = request.headers?.authorization ||
|
|
98
|
+
request.headers?.Authorization;
|
|
99
|
+
const headerToken = authHeader?.startsWith('Bearer ') ? authHeader.substring(7) : null;
|
|
100
|
+
const accessTokenCookieName = (0, core_2.getAccessTokenCookieName)(this.config);
|
|
101
|
+
const cookieToken = request.cookies?.[accessTokenCookieName];
|
|
102
|
+
this.logger.debug(`[CSRF] Hybrid mode - Bearer: ${!!headerToken}, Cookie: ${!!cookieToken}, Origin: ${request.headers?.origin || 'MISSING'}`);
|
|
103
|
+
this.logger.debug(`[CSRF] Header check - authHeader exists: ${!!authHeader}, startsWith Bearer: ${authHeader?.startsWith('Bearer ')}, headerToken length: ${headerToken?.length || 0}`);
|
|
104
|
+
this.logger.debug(`[CSRF] Cookie check - cookieName: ${accessTokenCookieName}, cookieToken exists: ${!!cookieToken}`);
|
|
105
|
+
if (headerToken && !cookieToken) {
|
|
106
|
+
effective = 'json';
|
|
107
|
+
this.logger.debug(`[CSRF] Detected JSON mode (Bearer token only)`);
|
|
108
|
+
}
|
|
109
|
+
else if (cookieToken && !headerToken) {
|
|
110
|
+
effective = 'cookies';
|
|
111
|
+
this.logger.debug(`[CSRF] Detected cookies mode (cookie only)`);
|
|
112
|
+
}
|
|
113
|
+
else {
|
|
114
|
+
// Both present, neither present, or edge case - fall back to origin-based
|
|
115
|
+
effective = (0, core_2.resolveDeliveryForRequest)(request, deliveryConfig?.hybridPolicy);
|
|
116
|
+
this.logger.debug(`[CSRF] Fallback to origin-based resolution: ${effective} (Bearer: ${!!headerToken}, Cookie: ${!!cookieToken})`);
|
|
117
|
+
}
|
|
89
118
|
}
|
|
90
119
|
else if (method === 'cookies') {
|
|
91
120
|
effective = 'cookies';
|
|
121
|
+
this.logger.debug(`[CSRF] Global cookies mode`);
|
|
92
122
|
}
|
|
93
123
|
else {
|
|
94
124
|
effective = 'json';
|
|
125
|
+
this.logger.debug(`[CSRF] Global JSON mode`);
|
|
95
126
|
}
|
|
127
|
+
this.logger.debug(`[CSRF] Effective delivery mode: ${effective} for ${request.method} ${request.url}`);
|
|
96
128
|
// Only enforce CSRF for cookie-based token delivery
|
|
97
129
|
if (effective !== 'cookies') {
|
|
130
|
+
this.logger.debug(`[CSRF] Skipping CSRF check (JSON mode)`);
|
|
98
131
|
return true; // JSON mode doesn't need CSRF (Bearer tokens are CSRF-safe)
|
|
99
132
|
}
|
|
100
133
|
// Validate CSRF token
|
|
@@ -115,7 +148,7 @@ let CsrfGuard = class CsrfGuard {
|
|
|
115
148
|
}
|
|
116
149
|
};
|
|
117
150
|
exports.CsrfGuard = CsrfGuard;
|
|
118
|
-
exports.CsrfGuard = CsrfGuard = __decorate([
|
|
151
|
+
exports.CsrfGuard = CsrfGuard = CsrfGuard_1 = __decorate([
|
|
119
152
|
(0, common_1.Injectable)(),
|
|
120
153
|
__param(0, (0, common_1.Inject)('NAUTH_CONFIG')),
|
|
121
154
|
__metadata("design:paramtypes", [Object, csrf_service_1.CsrfService,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"csrf.guard.js","sourceRoot":"","sources":["../../src/guards/csrf.guard.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"csrf.guard.js","sourceRoot":"","sources":["../../src/guards/csrf.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAA2F;AAC3F,uCAAyC;AACzC,8CAM6B;AAC7B,qEAA+D;AAC/D,qFAA2F;AAC3F,2DAAuD;AAEvD;;;;;;;;;;;;;;;;;;;;GAoBG;AAEI,IAAM,SAAS,iBAAf,MAAM,SAAS;IAKD;IACA;IACA;IANF,MAAM,GAAG,IAAI,eAAM,CAAC,WAAS,CAAC,IAAI,CAAC,CAAC;IAErD,YAEmB,MAAmB,EACnB,WAAwB,EACxB,SAAoB;QAFpB,WAAM,GAAN,MAAM,CAAa;QACnB,gBAAW,GAAX,WAAW,CAAa;QACxB,cAAS,GAAT,SAAS,CAAW;IACpC,CAAC;IAEJ,WAAW,CAAC,OAAyB;QACnC,+BAA+B;QAC/B,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,MAAM,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC;QAE9C,sCAAsC;QACtC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,kDAAkD;QAClD,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACxD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,oCAAoC;QACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,gCAAa,EAAE;YACxE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,sBAAsB;QACtB,IAAI,UAAU,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC3E,OAAO,IAAI,CAAC;QACd,CAAC;QAED,kCAAkC;QAClC,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAgB,6CAAkB,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;QAC9F,MAAM,MAAM,GAAG,cAAc,EAAE,MAAM,IAAI,MAAM,CAAC;QAChD,IAAI,SAAS,GAAuB,MAAM,CAAC;QAE3C,IAAI,SAAS,EAAE,CAAC;YACd,SAAS,GAAG,SAAS,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;QAChE,CAAC;aAAM,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,+EAA+E;YAC/E,8DAA8D;YAC9D,+EAA+E;YAC/E,0EAA0E;YAC1E,qEAAqE;YACrE,gGAAgG;YAChG,MAAM,UAAU,GACb,OAAO,CAAC,OAAO,EAAE,aAAoC;gBACrD,OAAO,CAAC,OAAO,EAAE,aAAoC,CAAC;YACzD,MAAM,WAAW,GAAG,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACvF,MAAM,qBAAqB,GAAG,IAAA,+BAAwB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACpE,MAAM,WAAW,GAAuB,OAAO,CAAC,OAAO,EAAE,CAAC,qBAAqB,CAAC,CAAC;YAEjF,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,gCAAgC,CAAC,CAAC,WAAW,aAAa,CAAC,CAAC,WAAW,aAAa,OAAO,CAAC,OAAO,EAAE,MAAM,IAAI,SAAS,EAAE,CAC3H,CAAC;YACF,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,4CAA4C,CAAC,CAAC,UAAU,wBAAwB,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,yBAAyB,WAAW,EAAE,MAAM,IAAI,CAAC,EAAE,CACrK,CAAC;YACF,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,qCAAqC,qBAAqB,yBAAyB,CAAC,CAAC,WAAW,EAAE,CACnG,CAAC;YAEF,IAAI,WAAW,IAAI,CAAC,WAAW,EAAE,CAAC;gBAChC,SAAS,GAAG,MAAM,CAAC;gBACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACrE,CAAC;iBAAM,IAAI,WAAW,IAAI,CAAC,WAAW,EAAE,CAAC;gBACvC,SAAS,GAAG,SAAS,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAClE,CAAC;iBAAM,CAAC;gBACN,0EAA0E;gBAC1E,SAAS,GAAG,IAAA,gCAAyB,EAAC,OAAO,EAAE,cAAc,EAAE,YAAY,CAAC,CAAC;gBAC7E,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,+CAA+C,SAAS,aAAa,CAAC,CAAC,WAAW,aAAa,CAAC,CAAC,WAAW,GAAG,CAChH,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YAChC,SAAS,GAAG,SAAS,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,MAAM,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC/C,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,SAAS,QAAQ,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAEvG,oDAAoD;QACpD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC5D,OAAO,IAAI,CAAC,CAAC,4DAA4D;QAC3E,CAAC;QAED,sBAAsB;QACtB,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QACpD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,WAAW,EAAE,CAAuB,CAAC;QAClF,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,UAAU,CAAuB,CAAC;QAEvE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,kBAAkB,EAAE,iCAAiC,UAAU,EAAE,CAAC,CAAC;QAC5G,CAAC;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,kBAAkB,EAAE,iCAAiC,UAAU,EAAE,CAAC,CAAC;QAC5G,CAAC;QAED,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;YAC7B,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,kBAAkB,EAAE,qBAAqB,CAAC,CAAC;QACpF,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAA;AA7HY,8BAAS;oBAAT,SAAS;IADrB,IAAA,mBAAU,GAAE;IAKR,WAAA,IAAA,eAAM,EAAC,cAAc,CAAC,CAAA;6CAEO,0BAAW;QACb,gBAAS;GAP5B,SAAS,CA6HrB"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@nauth-toolkit/nestjs",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.72",
|
|
4
4
|
"description": "NestJS adapter for nauth-toolkit - Platform-specific integrations",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"types": "dist/index.d.ts",
|
|
@@ -39,7 +39,7 @@
|
|
|
39
39
|
"typeorm": "^0.3.0"
|
|
40
40
|
},
|
|
41
41
|
"dependencies": {
|
|
42
|
-
"@nauth-toolkit/core": "0.1.
|
|
42
|
+
"@nauth-toolkit/core": "0.1.72"
|
|
43
43
|
},
|
|
44
44
|
"devDependencies": {
|
|
45
45
|
"@nestjs/common": "^11.1.8",
|