npm - @react-foundry/fastify-harden - Versions diffs - 0.1.8 → 0.2.0 - Mend

@react-foundry/fastify-harden 0.1.8 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/common.js +2 -7
package/dist/content-security-policy.js +24 -28
package/dist/index.js +7 -13
package/dist/permissions-policy.js +4 -8
package/package.json +7 -9
package/dist/common.mjs +0 -2
package/dist/content-security-policy.mjs +0 -57
package/dist/index.mjs +0 -50
package/dist/permissions-policy.mjs +0 -79

package/dist/common.js CHANGED Viewed

@@ -1,7 +1,2 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isDefined = exports.id = void 0;
-const id = (v) => v;
-exports.id = id;
-const isDefined = (v) => (v !== undefined && v !== '');
-exports.isDefined = isDefined;
+export const id = (v) => v;
+export const isDefined = (v) => (v !== undefined && v !== '');

package/dist/content-security-policy.js CHANGED Viewed

@@ -1,41 +1,38 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.contentSecurityPolicy = exports.unsafeInline = exports.unsafeEval = exports.self = exports.none = void 0;
-const common_1 = require("./common");
-exports.none = "'none'";
-exports.self = "'self'";
-exports.unsafeEval = "'unsafe-eval'";
-exports.unsafeInline = "'unsafe-inline'";
-const contentSecurityPolicy = ({ dev = process.env.NODE_ENV === 'development', formAction: _formAction, frameAncestors: _frameAncestors, nonce: _nonce }) => {
+import { id, isDefined } from './common';
+export const none = "'none'";
+export const self = "'self'";
+export const unsafeEval = "'unsafe-eval'";
+export const unsafeInline = "'unsafe-inline'";
+export const contentSecurityPolicy = ({ dev = process.env.NODE_ENV === 'development', formAction: _formAction, frameAncestors: _frameAncestors, nonce: _nonce }) => {
     const formAction = (Array.isArray(_formAction)
         ? _formAction
-        : [_formAction]).filter(common_1.id);
+        : [_formAction]).filter(id);
     const frameAncestors = (Array.isArray(_frameAncestors)
         ? _frameAncestors
-        : [_frameAncestors]).filter(common_1.id);
+        : [_frameAncestors]).filter(id);
     const frameAncestor = (frameAncestors.length > 1
         ? 'multiple'
-        : frameAncestors[0]) || exports.none;
+        : frameAncestors[0]) || none;
     const frameOptions = (frameAncestor === 'multiple'
         ? undefined
-        : (frameAncestor === exports.self
+        : (frameAncestor === self
             ? 'SAMEORIGIN'
             : 'DENY'));
     const nonce = _nonce && `'nonce-${_nonce}'`;
     const cspObject = {
-        'default-src': exports.none,
+        'default-src': none,
         'connect-src': (dev
-            ? [exports.self, 'ws://localhost:*']
-            : exports.self),
-        'font-src': exports.self,
-        'frame-src': exports.self,
-        'img-src': exports.self,
-        'manifest-src': exports.self,
-        'media-src': exports.self,
-        'script-src': [exports.self, nonce],
-        'style-src': [exports.self, exports.unsafeInline],
-        'form-action': formAction.length && formAction || exports.self,
-        'frame-ancestors': frameAncestors.length && frameAncestors || exports.none
+            ? [self, 'ws://localhost:*']
+            : self),
+        'font-src': self,
+        'frame-src': self,
+        'img-src': self,
+        'manifest-src': self,
+        'media-src': self,
+        'script-src': [self, nonce],
+        'style-src': [self, unsafeInline],
+        'form-action': formAction.length && formAction || self,
+        'frame-ancestors': frameAncestors.length && frameAncestors || none
     };
     const cspString = (Object.keys(cspObject)
         .map(directive => {
@@ -44,18 +41,17 @@ const contentSecurityPolicy = ({ dev = process.env.NODE_ENV === 'development', f
             ? _valueArr
             : [_valueArr]);
         const values = (valueArr
-            .filter(common_1.isDefined)
+            .filter(isDefined)
             .map(v => `${v}`)
             .join(' '));
         return (values === ''
             ? undefined
             : `${directive} ${values}`);
     })
-        .filter(common_1.isDefined)
+        .filter(isDefined)
         .join('; '));
     return {
         policy: cspString,
         frameOptions
     };
 };
-exports.contentSecurityPolicy = contentSecurityPolicy;

package/dist/index.js CHANGED Viewed

@@ -1,12 +1,6 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.fastifyHarden = void 0;
-const fastify_plugin_1 = __importDefault(require("fastify-plugin"));
-const permissions_policy_1 = require("./permissions-policy");
-const content_security_policy_1 = require("./content-security-policy");
+import fp from 'fastify-plugin';
+import { permissionsPolicy } from './permissions-policy';
+import { contentSecurityPolicy } from './content-security-policy';
 const fastifyHardenPlugin = async (fastify, { contentSecurityPolicy: cspOptions = {}, dev = process.env.NODE_ENV === 'development', permissionsPolicy: ppOptions = {} }) => {
     if (!dev) {
         fastify.setErrorHandler((error, req, reply) => {
@@ -26,8 +20,8 @@ const fastifyHardenPlugin = async (fastify, { contentSecurityPolicy: cspOptions
     fastify.addHook('onSend', async (_req, reply, payload) => {
         const nonce = reply.cspNonce;
         const headers = reply.getHeaders();
-        const { policy: pp } = (0, permissions_policy_1.permissionsPolicy)(ppOptions);
-        const { policy: csp, frameOptions } = (0, content_security_policy_1.contentSecurityPolicy)({
+        const { policy: pp } = permissionsPolicy(ppOptions);
+        const { policy: csp, frameOptions } = contentSecurityPolicy({
             ...cspOptions,
             dev,
             nonce
@@ -49,8 +43,8 @@ const fastifyHardenPlugin = async (fastify, { contentSecurityPolicy: cspOptions
         return payload;
     });
 };
-exports.fastifyHarden = (0, fastify_plugin_1.default)(fastifyHardenPlugin, {
+export const fastifyHarden = fp(fastifyHardenPlugin, {
     fastify: '5.x',
     name: 'harden',
 });
-exports.default = exports.fastifyHarden;
+export default fastifyHarden;

package/dist/permissions-policy.js CHANGED Viewed

@@ -1,7 +1,4 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.permissionsPolicy = void 0;
-const common_1 = require("./common");
+import { isDefined } from './common';
 const keywords = [
     'self',
     'src'
@@ -60,7 +57,7 @@ const ppObj = {
     'vertical-scroll': 'self',
     'xr-spatial-tracking': 'self'
 };
-const permissionsPolicy = (_options) => ({
+export const permissionsPolicy = (_options) => ({
     policy: Object.keys(ppObj)
         .map(directive => {
         const _valueArr = ppObj[directive];
@@ -68,7 +65,7 @@ const permissionsPolicy = (_options) => ({
             ? _valueArr
             : [_valueArr]);
         const values = (valueArr
-            .filter(common_1.isDefined)
+            .filter(isDefined)
             .map(v => (keywords.includes(v)
             ? v
             : `"${v}"`))
@@ -77,7 +74,6 @@ const permissionsPolicy = (_options) => ({
             ? undefined
             : `${directive}=(${values})`);
     })
-        .filter(common_1.isDefined)
+        .filter(isDefined)
         .join(', ')
 });
-exports.permissionsPolicy = permissionsPolicy;

package/package.json CHANGED Viewed

@@ -1,14 +1,14 @@
 {
   "name": "@react-foundry/fastify-harden",
-  "version": "0.1.8",
+  "version": "0.2.0",
   "description": "Fastify plugin for extra cyber-security hardening.",
+  "type": "module",
   "main": "dist/index.js",
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
-      "import": "./dist/index.mjs",
-      "require": "./dist/index.js",
-      "default": "./dist/index.mjs"
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
     }
   },
   "files": [
@@ -26,16 +26,14 @@
     "fastify": "5.8.4",
     "jest": "30.3.0",
     "jest-environment-jsdom": "30.3.0",
-    "ts-jest": "29.4.6",
+    "ts-jest": "29.4.9",
     "typescript": "5.9.3"
   },
   "scripts": {
     "test": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "build": "npm run build:esm && npm run build:cjs",
-    "build:esm": "tsc -m es2022 && find dist -name '*.js' -exec sh -c 'mv \"$0\" \"${0%.js}.mjs\"' {} \\;",
-    "build:cjs": "tsc",
+    "build": "tsc",
     "clean": "rm -rf dist tsconfig.tsbuildinfo"
   },
-  "module": "dist/index.mjs",
+  "module": "dist/index.js",
   "typings": "dist/index.d.ts"
 }

package/dist/common.mjs DELETED Viewed

	@@ -1,2 +0,0 @@
1	- export const id = (v) => v;
2	- export const isDefined = (v) => (v !== undefined && v !== '');

package/dist/content-security-policy.mjs DELETED Viewed

@@ -1,57 +0,0 @@
-import { id, isDefined } from './common';
-export const none = "'none'";
-export const self = "'self'";
-export const unsafeEval = "'unsafe-eval'";
-export const unsafeInline = "'unsafe-inline'";
-export const contentSecurityPolicy = ({ dev = process.env.NODE_ENV === 'development', formAction: _formAction, frameAncestors: _frameAncestors, nonce: _nonce }) => {
-    const formAction = (Array.isArray(_formAction)
-        ? _formAction
-        : [_formAction]).filter(id);
-    const frameAncestors = (Array.isArray(_frameAncestors)
-        ? _frameAncestors
-        : [_frameAncestors]).filter(id);
-    const frameAncestor = (frameAncestors.length > 1
-        ? 'multiple'
-        : frameAncestors[0]) || none;
-    const frameOptions = (frameAncestor === 'multiple'
-        ? undefined
-        : (frameAncestor === self
-            ? 'SAMEORIGIN'
-            : 'DENY'));
-    const nonce = _nonce && `'nonce-${_nonce}'`;
-    const cspObject = {
-        'default-src': none,
-        'connect-src': (dev
-            ? [self, 'ws://localhost:*']
-            : self),
-        'font-src': self,
-        'frame-src': self,
-        'img-src': self,
-        'manifest-src': self,
-        'media-src': self,
-        'script-src': [self, nonce],
-        'style-src': [self, unsafeInline],
-        'form-action': formAction.length && formAction || self,
-        'frame-ancestors': frameAncestors.length && frameAncestors || none
-    };
-    const cspString = (Object.keys(cspObject)
-        .map(directive => {
-        const _valueArr = cspObject[directive];
-        const valueArr = (Array.isArray(_valueArr)
-            ? _valueArr
-            : [_valueArr]);
-        const values = (valueArr
-            .filter(isDefined)
-            .map(v => `${v}`)
-            .join(' '));
-        return (values === ''
-            ? undefined
-            : `${directive} ${values}`);
-    })
-        .filter(isDefined)
-        .join('; '));
-    return {
-        policy: cspString,
-        frameOptions
-    };
-};

package/dist/index.mjs DELETED Viewed

@@ -1,50 +0,0 @@
-import fp from 'fastify-plugin';
-import { permissionsPolicy } from './permissions-policy';
-import { contentSecurityPolicy } from './content-security-policy';
-const fastifyHardenPlugin = async (fastify, { contentSecurityPolicy: cspOptions = {}, dev = process.env.NODE_ENV === 'development', permissionsPolicy: ppOptions = {} }) => {
-    if (!dev) {
-        fastify.setErrorHandler((error, req, reply) => {
-            const statusCode = error && error.statusCode;
-            if (!statusCode || statusCode === 500) {
-                error.message = 'An unexpected error occurred.';
-            }
-            reply.send(error);
-        });
-    }
-    fastify.addHook('preHandler', async (_req, reply) => {
-        const nonce = (Math.random()
-            .toString(36)
-            .slice(2));
-        reply.cspNonce = nonce;
-    });
-    fastify.addHook('onSend', async (_req, reply, payload) => {
-        const nonce = reply.cspNonce;
-        const headers = reply.getHeaders();
-        const { policy: pp } = permissionsPolicy(ppOptions);
-        const { policy: csp, frameOptions } = contentSecurityPolicy({
-            ...cspOptions,
-            dev,
-            nonce
-        });
-        if (!headers['cache-control']) {
-            reply.header('Cache-Control', 'no-cache, no-store, must-revalidate, private');
-            reply.header('Pragma', 'no-cache');
-            reply.header('Expires', '0');
-            reply.header('Cross-Origin-Embedder-Policy', 'require-corp');
-            reply.header('Cross-Origin-Resource-Policy', 'same-origin');
-            reply.header('Cross-Origin-Opener-Policy', 'same-origin');
-        }
-        reply.header('X-Content-Type-Options', 'nosniff');
-        if (frameOptions) {
-            reply.header('X-Frame-Options', frameOptions);
-        }
-        reply.header('Content-Security-Policy', csp);
-        reply.header('Permissions-Policy', pp);
-        return payload;
-    });
-};
-export const fastifyHarden = fp(fastifyHardenPlugin, {
-    fastify: '5.x',
-    name: 'harden',
-});
-export default fastifyHarden;

package/dist/permissions-policy.mjs DELETED Viewed

@@ -1,79 +0,0 @@
-import { isDefined } from './common';
-const keywords = [
-    'self',
-    'src'
-];
-const ppObj = {
-    'accelerometer': 'self',
-    'ambient-light-sensor': 'self',
-    'attribution-reporting': 'self',
-    'autoplay': 'self',
-    'battery': 'self',
-    'bluetooth': 'self',
-    'browsing-topics': 'self',
-    'camera': 'self',
-    'clipboard-read': 'self',
-    'clipboard-write': 'self',
-    'compute-pressure': 'self',
-    'conversion-measurement': 'self',
-    'cross-origin-isolated': 'self',
-    'display-capture': 'self',
-    'document-domain': 'self',
-    'encrypted-media': 'self',
-    'execution-while-not-rendered': 'self',
-    'execution-while-out-of-viewport': 'self',
-    'focus-without-user-activation': 'self',
-    'fullscreen': 'self',
-    'gamepad': 'self',
-    'geolocation': 'self',
-    'gyroscope': 'self',
-    'keyboard-map': 'self',
-    'hid': 'self',
-    'identity-credentials-get': 'self',
-    'idle-detection': 'self',
-    'interest-cohort': 'self',
-    'local-fonts': 'self',
-    'magnetometer': 'self',
-    'microphone': 'self',
-    'midi': 'self',
-    'navigation-override': 'self',
-    'otp-credentials': 'self',
-    'payment': 'self',
-    'picture-in-picture': 'self',
-    'publickey-credentials-create': 'self',
-    'publickey-credentials-get': 'self',
-    'screen-wake-lock': 'self',
-    'serial': 'self',
-    'speaker-selection': 'self',
-    'storage-access': 'self',
-    'sync-script': 'self',
-    'sync-xhr': 'self',
-    'trust-token-redemption': 'self',
-    'unload': 'self',
-    'usb': 'self',
-    'web-share': 'self',
-    'window-management': 'self',
-    'window-placement': 'self',
-    'vertical-scroll': 'self',
-    'xr-spatial-tracking': 'self'
-};
-export const permissionsPolicy = (_options) => ({
-    policy: Object.keys(ppObj)
-        .map(directive => {
-        const _valueArr = ppObj[directive];
-        const valueArr = (Array.isArray(_valueArr)
-            ? _valueArr
-            : [_valueArr]);
-        const values = (valueArr
-            .filter(isDefined)
-            .map(v => (keywords.includes(v)
-            ? v
-            : `"${v}"`))
-            .join(' '));
-        return (values === ''
-            ? undefined
-            : `${directive}=(${values})`);
-    })
-        .filter(isDefined)
-        .join(', ')
-});