@noony-serverless/core 0.1.0

package/build/middlewares/securityHeadersMiddleware.js

@@ -0,0 +1,183 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityPresets = exports.securityHeaders = exports.SecurityHeadersMiddleware = void 0;
+const DEFAULT_OPTIONS = {
+    contentSecurityPolicy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';",
+    hstsMaxAge: 31536000, // 1 year
+    hstsIncludeSubDomains: true,
+    frameOptions: 'DENY',
+    contentTypeOptions: 'nosniff',
+    referrerPolicy: 'strict-origin-when-cross-origin',
+    permissionsPolicy: 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), speaker=()',
+    crossOriginEmbedderPolicy: 'require-corp',
+    crossOriginOpenerPolicy: 'same-origin',
+    crossOriginResourcePolicy: 'same-origin',
+    removeServerHeader: true,
+    removePoweredBy: true,
+};
+/**
+ * Validates CORS origin against allowed patterns
+ */
+const isOriginAllowed = (origin, allowedOrigins) => {
+    if (allowedOrigins === true)
+        return true;
+    if (allowedOrigins === false)
+        return false;
+    if (typeof allowedOrigins === 'string')
+        return origin === allowedOrigins;
+    if (Array.isArray(allowedOrigins)) {
+        return allowedOrigins.some((allowed) => {
+            // Support wildcard patterns like *.example.com
+            if (allowed.includes('*')) {
+                const regex = new RegExp('^' + allowed.replace(/\*/g, '.*') + '$');
+                return regex.test(origin);
+            }
+            return origin === allowed;
+        });
+    }
+    return false;
+};
+/**
+ * Security Headers Middleware
+ * Implements comprehensive security headers following OWASP recommendations
+ */
+class SecurityHeadersMiddleware {
+    options;
+    constructor(options = {}) {
+        this.options = { ...DEFAULT_OPTIONS, ...options };
+    }
+    async before(context) {
+        const headers = {};
+        // Content Security Policy
+        headers['Content-Security-Policy'] = this.options.contentSecurityPolicy;
+        // Strict Transport Security (HTTPS only)
+        const hstsValue = `max-age=${this.options.hstsMaxAge}${this.options.hstsIncludeSubDomains ? '; includeSubDomains' : ''}; preload`;
+        headers['Strict-Transport-Security'] = hstsValue;
+        // Frame Options
+        headers['X-Frame-Options'] = this.options.frameOptions;
+        // Content Type Options
+        headers['X-Content-Type-Options'] = this.options.contentTypeOptions;
+        // Referrer Policy
+        headers['Referrer-Policy'] = this.options.referrerPolicy;
+        // Permissions Policy
+        headers['Permissions-Policy'] = this.options.permissionsPolicy;
+        // Cross-Origin Policies
+        headers['Cross-Origin-Embedder-Policy'] =
+            this.options.crossOriginEmbedderPolicy;
+        headers['Cross-Origin-Opener-Policy'] =
+            this.options.crossOriginOpenerPolicy;
+        headers['Cross-Origin-Resource-Policy'] =
+            this.options.crossOriginResourcePolicy;
+        // Remove identifying headers
+        if (this.options.removeServerHeader) {
+            delete headers['Server'];
+        }
+        if (this.options.removePoweredBy) {
+            delete headers['X-Powered-By'];
+        }
+        // CORS headers
+        if (this.options.cors) {
+            const originHeader = context.req.headers?.['origin'];
+            const origin = Array.isArray(originHeader)
+                ? originHeader[0]
+                : originHeader || '';
+            const requestMethod = context.req.headers?.['access-control-request-method'];
+            const requestHeaders = context.req.headers?.['access-control-request-headers'];
+            // Handle preflight requests
+            if (context.req.method === 'OPTIONS' &&
+                (requestMethod || requestHeaders)) {
+                if (this.options.cors.origin &&
+                    isOriginAllowed(origin, this.options.cors.origin)) {
+                    headers['Access-Control-Allow-Origin'] = origin;
+                }
+                if (this.options.cors.methods) {
+                    headers['Access-Control-Allow-Methods'] =
+                        this.options.cors.methods.join(', ');
+                }
+                if (this.options.cors.allowedHeaders) {
+                    headers['Access-Control-Allow-Headers'] =
+                        this.options.cors.allowedHeaders.join(', ');
+                }
+                if (this.options.cors.maxAge !== undefined) {
+                    headers['Access-Control-Max-Age'] = String(this.options.cors.maxAge);
+                }
+                if (this.options.cors.credentials) {
+                    headers['Access-Control-Allow-Credentials'] = 'true';
+                }
+                // Apply headers and return early for preflight
+                Object.entries(headers).forEach(([key, value]) => {
+                    if (value !== undefined) {
+                        context.res.header(key, value);
+                    }
+                });
+                context.res.status(204).json({});
+                return;
+            }
+            // Handle actual requests
+            if (this.options.cors.origin &&
+                isOriginAllowed(origin, this.options.cors.origin)) {
+                headers['Access-Control-Allow-Origin'] = origin;
+            }
+            if (this.options.cors.exposedHeaders) {
+                headers['Access-Control-Expose-Headers'] =
+                    this.options.cors.exposedHeaders.join(', ');
+            }
+            if (this.options.cors.credentials) {
+                headers['Access-Control-Allow-Credentials'] = 'true';
+            }
+        }
+        // Apply headers to response
+        Object.entries(headers).forEach(([key, value]) => {
+            if (value !== undefined) {
+                context.res.header(key, value);
+            }
+        });
+    }
+}
+exports.SecurityHeadersMiddleware = SecurityHeadersMiddleware;
+/**
+ * Security Headers Middleware Factory
+ * @param options Security headers configuration
+ * @returns BaseMiddleware
+ */
+const securityHeaders = (options = {}) => new SecurityHeadersMiddleware(options);
+exports.securityHeaders = securityHeaders;
+/**
+ * Predefined security configurations
+ */
+exports.SecurityPresets = {
+    /**
+     * Strict security configuration for high-security applications
+     */
+    STRICT: {
+        contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self';",
+        hstsMaxAge: 63072000, // 2 years
+        frameOptions: 'DENY',
+        crossOriginEmbedderPolicy: 'require-corp',
+        crossOriginOpenerPolicy: 'same-origin',
+        crossOriginResourcePolicy: 'same-origin',
+    },
+    /**
+     * Balanced security configuration for most applications
+     */
+    BALANCED: {
+        contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';",
+        hstsMaxAge: 31536000, // 1 year
+        frameOptions: 'SAMEORIGIN',
+    },
+    /**
+     * Permissive security configuration for development
+     */
+    DEVELOPMENT: {
+        contentSecurityPolicy: "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' ws: wss:;",
+        hstsMaxAge: 0,
+        frameOptions: 'SAMEORIGIN',
+        cors: {
+            origin: true,
+            methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+            allowedHeaders: ['Content-Type', 'Authorization'],
+            credentials: true,
+        },
+    },
+};
+//# sourceMappingURL=securityHeadersMiddleware.js.map

package/build/middlewares/validationMiddleware.d.ts

@@ -0,0 +1,9 @@
+import { BaseMiddleware, Context } from '../core';
+import { z } from 'zod';
+export declare class ValidationMiddleware implements BaseMiddleware {
+    private readonly schema;
+    constructor(schema: z.ZodSchema);
+    before(context: Context): Promise<void>;
+}
+export declare const validationMiddleware: (schema: z.ZodSchema) => BaseMiddleware;
+//# sourceMappingURL=validationMiddleware.d.ts.map

package/build/middlewares/validationMiddleware.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validationMiddleware = exports.ValidationMiddleware = void 0;
+const core_1 = require("../core");
+const zod_1 = require("zod");
+const validate = async (schema, context) => {
+    try {
+        const data = context.req.method === 'GET' ? context.req.query : context.req.parsedBody;
+        const validated = await schema.parseAsync(data);
+        if (context.req.method === 'GET') {
+            context.req.query = validated;
+        }
+        else {
+            context.req.validatedBody = validated;
+        }
+    }
+    catch (error) {
+        if (error instanceof zod_1.z.ZodError) {
+            throw new core_1.ValidationError('Validation error', JSON.stringify(error.errors));
+        }
+        throw error;
+    }
+};
+class ValidationMiddleware {
+    schema;
+    constructor(schema) {
+        this.schema = schema;
+    }
+    async before(context) {
+        await validate(this.schema, context);
+    }
+}
+exports.ValidationMiddleware = ValidationMiddleware;
+const validationMiddleware = (schema) => ({
+    before: async (context) => {
+        await validate(schema, context);
+    },
+});
+exports.validationMiddleware = validationMiddleware;
+//# sourceMappingURL=validationMiddleware.js.map

package/package.json

@@ -0,0 +1,73 @@
+{
+  "name": "@noony-serverless/core",
+  "version": "0.1.0",
+  "description": "A Middy base framework compatible with Firebase and GCP Cloud Functions with TypeScript",
+  "main": "build/index.js",
+  "types": "build/index.d.ts",
+  "keywords": [
+    "serverless",
+    "middleware",
+    "google-cloud-functions",
+    "firebase",
+    "gcp",
+    "typescript",
+    "middy"
+  ],
+  "author": "Noony Serverless",
+  "license": "MIT",
+  "files": [
+    "build/core/**/*.js",
+    "build/core/**/*.d.ts",
+    "build/middlewares/**/*.js", 
+    "build/middlewares/**/*.d.ts",
+    "build/index.js",
+    "build/index.d.ts",
+    "README.md"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/noony-serverless/noony-core.git"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json && cp package.json build/",
+    "watch": "tsc -w",
+    "test": "jest --config jest.config.js",
+    "test:coverage": "jest --config jest.config.js --coverage",
+    "lint": "eslint . --ext .ts",
+    "lint:fix": "eslint . --ext .ts --fix",
+    "format": "prettier --write \"**/*.{ts,js,json}\"",
+    "format:check": "prettier --check \"src/**/*.{ts,js,json}\""
+  },
+  "dependencies": {
+    "@google-cloud/firestore": "^7.1.0",
+    "@google-cloud/functions-framework": "^3.3.0",
+    "@google-cloud/pubsub": "^4.1.0",
+    "@types/jsonwebtoken": "^9.0.8",
+    "axios": "^1.7.9",
+    "fastify": "^5.3.3",
+    "firebase-admin": "^12.6.0",
+    "firebase-functions": "^6.3.1",
+    "jsonwebtoken": "^9.0.2",
+    "reflect-metadata": "^0.2.2",
+    "typedi": "^0.10.0",
+    "zod": "^3.22.4"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.11",
+    "@types/module-alias": "^2.0.4",
+    "@types/node": "^20.10.5",
+    "@typescript-eslint/eslint-plugin": "^6.15.0",
+    "@typescript-eslint/parser": "^6.15.0",
+    "concurrently": "^8.2.2",
+    "eslint": "^8.56.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-prettier": "^5.1.2",
+    "firebase-functions-test": "^3.1.0",
+    "jest": "^29.7.0",
+    "module-alias": "^2.2.3",
+    "prettier": "^3.1.1",
+    "ts-jest": "^29.1.1",
+    "typescript": "^5.3.3"
+  },
+  "private": false
+}