@react-foundry/fastify-harden 0.1.9 → 0.2.0

package/dist/common.js

@@ -1,7 +1,2 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isDefined = exports.id = void 0;
-const id = (v) => v;
-exports.id = id;
-const isDefined = (v) => (v !== undefined && v !== '');
-exports.isDefined = isDefined;
+export const id = (v) => v;
+export const isDefined = (v) => (v !== undefined && v !== '');

package/dist/content-security-policy.js

@@ -1,41 +1,38 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.contentSecurityPolicy = exports.unsafeInline = exports.unsafeEval = exports.self = exports.none = void 0;
-const common_1 = require("./common");
-exports.none = "'none'";
-exports.self = "'self'";
-exports.unsafeEval = "'unsafe-eval'";
-exports.unsafeInline = "'unsafe-inline'";
-const contentSecurityPolicy = ({ dev = process.env.NODE_ENV === 'development', formAction: _formAction, frameAncestors: _frameAncestors, nonce: _nonce }) => {
+import { id, isDefined } from './common';
+export const none = "'none'";
+export const self = "'self'";
+export const unsafeEval = "'unsafe-eval'";
+export const unsafeInline = "'unsafe-inline'";
+export const contentSecurityPolicy = ({ dev = process.env.NODE_ENV === 'development', formAction: _formAction, frameAncestors: _frameAncestors, nonce: _nonce }) => {
     const formAction = (Array.isArray(_formAction)
         ? _formAction
-        : [_formAction]).filter(common_1.id);
+        : [_formAction]).filter(id);
     const frameAncestors = (Array.isArray(_frameAncestors)
         ? _frameAncestors
-        : [_frameAncestors]).filter(common_1.id);
+        : [_frameAncestors]).filter(id);
     const frameAncestor = (frameAncestors.length > 1
         ? 'multiple'
-        : frameAncestors[0]) || exports.none;
+        : frameAncestors[0]) || none;
     const frameOptions = (frameAncestor === 'multiple'
         ? undefined
-        : (frameAncestor === exports.self
+        : (frameAncestor === self
             ? 'SAMEORIGIN'
             : 'DENY'));
     const nonce = _nonce && `'nonce-${_nonce}'`;
     const cspObject = {
-        'default-src': exports.none,
+        'default-src': none,
         'connect-src': (dev
-            ? [exports.self, 'ws://localhost:*']
-            : exports.self),
-        'font-src': exports.self,
-        'frame-src': exports.self,
-        'img-src': exports.self,
-        'manifest-src': exports.self,
-        'media-src': exports.self,
-        'script-src': [exports.self, nonce],
-        'style-src': [exports.self, exports.unsafeInline],
-        'form-action': formAction.length && formAction || exports.self,
-        'frame-ancestors': frameAncestors.length && frameAncestors || exports.none
+            ? [self, 'ws://localhost:*']
+            : self),
+        'font-src': self,
+        'frame-src': self,
+        'img-src': self,
+        'manifest-src': self,
+        'media-src': self,
+        'script-src': [self, nonce],
+        'style-src': [self, unsafeInline],
+        'form-action': formAction.length && formAction || self,
+        'frame-ancestors': frameAncestors.length && frameAncestors || none
     };
     const cspString = (Object.keys(cspObject)
         .map(directive => {
@@ -44,18 +41,17 @@ const contentSecurityPolicy = ({ dev = process.env.NODE_ENV === 'development', f
             ? _valueArr
             : [_valueArr]);
         const values = (valueArr
-            .filter(common_1.isDefined)
+            .filter(isDefined)
             .map(v => `${v}`)
             .join(' '));
         return (values === ''
             ? undefined
             : `${directive} ${values}`);
     })
-        .filter(common_1.isDefined)
+        .filter(isDefined)
         .join('; '));
     return {
         policy: cspString,
         frameOptions
     };
 };
-exports.contentSecurityPolicy = contentSecurityPolicy;

package/dist/index.js

@@ -1,12 +1,6 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.fastifyHarden = void 0;
-const fastify_plugin_1 = __importDefault(require("fastify-plugin"));
-const permissions_policy_1 = require("./permissions-policy");
-const content_security_policy_1 = require("./content-security-policy");
+import fp from 'fastify-plugin';
+import { permissionsPolicy } from './permissions-policy';
+import { contentSecurityPolicy } from './content-security-policy';
 const fastifyHardenPlugin = async (fastify, { contentSecurityPolicy: cspOptions = {}, dev = process.env.NODE_ENV === 'development', permissionsPolicy: ppOptions = {} }) => {
     if (!dev) {
         fastify.setErrorHandler((error, req, reply) => {
@@ -26,8 +20,8 @@ const fastifyHardenPlugin = async (fastify, { contentSecurityPolicy: cspOptions
     fastify.addHook('onSend', async (_req, reply, payload) => {
         const nonce = reply.cspNonce;
         const headers = reply.getHeaders();
-        const { policy: pp } = (0, permissions_policy_1.permissionsPolicy)(ppOptions);
-        const { policy: csp, frameOptions } = (0, content_security_policy_1.contentSecurityPolicy)({
+        const { policy: pp } = permissionsPolicy(ppOptions);
+        const { policy: csp, frameOptions } = contentSecurityPolicy({
             ...cspOptions,
             dev,
             nonce
@@ -49,8 +43,8 @@ const fastifyHardenPlugin = async (fastify, { contentSecurityPolicy: cspOptions
         return payload;
     });
 };
-exports.fastifyHarden = (0, fastify_plugin_1.default)(fastifyHardenPlugin, {
+export const fastifyHarden = fp(fastifyHardenPlugin, {
     fastify: '5.x',
     name: 'harden',
 });
-exports.default = exports.fastifyHarden;
+export default fastifyHarden;

package/dist/permissions-policy.js

@@ -1,7 +1,4 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.permissionsPolicy = void 0;
-const common_1 = require("./common");
+import { isDefined } from './common';
 const keywords = [
     'self',
     'src'
@@ -60,7 +57,7 @@ const ppObj = {
     'vertical-scroll': 'self',
     'xr-spatial-tracking': 'self'
 };
-const permissionsPolicy = (_options) => ({
+export const permissionsPolicy = (_options) => ({
     policy: Object.keys(ppObj)
         .map(directive => {
         const _valueArr = ppObj[directive];
@@ -68,7 +65,7 @@ const permissionsPolicy = (_options) => ({
             ? _valueArr
             : [_valueArr]);
         const values = (valueArr
-            .filter(common_1.isDefined)
+            .filter(isDefined)
             .map(v => (keywords.includes(v)
             ? v
             : `"${v}"`))
@@ -77,7 +74,6 @@ const permissionsPolicy = (_options) => ({
             ? undefined
             : `${directive}=(${values})`);
     })
-        .filter(common_1.isDefined)
+        .filter(isDefined)
         .join(', ')
 });
-exports.permissionsPolicy = permissionsPolicy;

package/package.json

@@ -1,14 +1,14 @@
 {
   "name": "@react-foundry/fastify-harden",
-  "version": "0.1.9",
+  "version": "0.2.0",
   "description": "Fastify plugin for extra cyber-security hardening.",
+  "type": "module",
   "main": "dist/index.js",
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
-      "import": "./dist/index.mjs",
-      "require": "./dist/index.js",
-      "default": "./dist/index.mjs"
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
     }
   },
   "files": [
@@ -31,11 +31,9 @@
   },
   "scripts": {
     "test": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "build": "npm run build:esm && npm run build:cjs",
-    "build:esm": "tsc -m es2022 && find dist -name '*.js' -exec sh -c 'mv \"$0\" \"${0%.js}.mjs\"' {} \\;",
-    "build:cjs": "tsc",
+    "build": "tsc",
     "clean": "rm -rf dist tsconfig.tsbuildinfo"
   },
-  "module": "dist/index.mjs",
+  "module": "dist/index.js",
   "typings": "dist/index.d.ts"
 }

package/dist/common.mjs

@@ -1,2 +0,0 @@
-export const id = (v) => v;
-export const isDefined = (v) => (v !== undefined && v !== '');

package/dist/content-security-policy.mjs

@@ -1,57 +0,0 @@
-import { id, isDefined } from './common';
-export const none = "'none'";
-export const self = "'self'";
-export const unsafeEval = "'unsafe-eval'";
-export const unsafeInline = "'unsafe-inline'";
-export const contentSecurityPolicy = ({ dev = process.env.NODE_ENV === 'development', formAction: _formAction, frameAncestors: _frameAncestors, nonce: _nonce }) => {
-    const formAction = (Array.isArray(_formAction)
-        ? _formAction
-        : [_formAction]).filter(id);
-    const frameAncestors = (Array.isArray(_frameAncestors)
-        ? _frameAncestors
-        : [_frameAncestors]).filter(id);
-    const frameAncestor = (frameAncestors.length > 1
-        ? 'multiple'
-        : frameAncestors[0]) || none;
-    const frameOptions = (frameAncestor === 'multiple'
-        ? undefined
-        : (frameAncestor === self
-            ? 'SAMEORIGIN'
-            : 'DENY'));
-    const nonce = _nonce && `'nonce-${_nonce}'`;
-    const cspObject = {
-        'default-src': none,
-        'connect-src': (dev
-            ? [self, 'ws://localhost:*']
-            : self),
-        'font-src': self,
-        'frame-src': self,
-        'img-src': self,
-        'manifest-src': self,
-        'media-src': self,
-        'script-src': [self, nonce],
-        'style-src': [self, unsafeInline],
-        'form-action': formAction.length && formAction || self,
-        'frame-ancestors': frameAncestors.length && frameAncestors || none
-    };
-    const cspString = (Object.keys(cspObject)
-        .map(directive => {
-        const _valueArr = cspObject[directive];
-        const valueArr = (Array.isArray(_valueArr)
-            ? _valueArr
-            : [_valueArr]);
-        const values = (valueArr
-            .filter(isDefined)
-            .map(v => `${v}`)
-            .join(' '));
-        return (values === ''
-            ? undefined
-            : `${directive} ${values}`);
-    })
-        .filter(isDefined)
-        .join('; '));
-    return {
-        policy: cspString,
-        frameOptions
-    };
-};

package/dist/index.mjs

@@ -1,50 +0,0 @@
-import fp from 'fastify-plugin';
-import { permissionsPolicy } from './permissions-policy';
-import { contentSecurityPolicy } from './content-security-policy';
-const fastifyHardenPlugin = async (fastify, { contentSecurityPolicy: cspOptions = {}, dev = process.env.NODE_ENV === 'development', permissionsPolicy: ppOptions = {} }) => {
-    if (!dev) {
-        fastify.setErrorHandler((error, req, reply) => {
-            const statusCode = error && error.statusCode;
-            if (!statusCode || statusCode === 500) {
-                error.message = 'An unexpected error occurred.';
-            }
-            reply.send(error);
-        });
-    }
-    fastify.addHook('preHandler', async (_req, reply) => {
-        const nonce = (Math.random()
-            .toString(36)
-            .slice(2));
-        reply.cspNonce = nonce;
-    });
-    fastify.addHook('onSend', async (_req, reply, payload) => {
-        const nonce = reply.cspNonce;
-        const headers = reply.getHeaders();
-        const { policy: pp } = permissionsPolicy(ppOptions);
-        const { policy: csp, frameOptions } = contentSecurityPolicy({
-            ...cspOptions,
-            dev,
-            nonce
-        });
-        if (!headers['cache-control']) {
-            reply.header('Cache-Control', 'no-cache, no-store, must-revalidate, private');
-            reply.header('Pragma', 'no-cache');
-            reply.header('Expires', '0');
-            reply.header('Cross-Origin-Embedder-Policy', 'require-corp');
-            reply.header('Cross-Origin-Resource-Policy', 'same-origin');
-            reply.header('Cross-Origin-Opener-Policy', 'same-origin');
-        }
-        reply.header('X-Content-Type-Options', 'nosniff');
-        if (frameOptions) {
-            reply.header('X-Frame-Options', frameOptions);
-        }
-        reply.header('Content-Security-Policy', csp);
-        reply.header('Permissions-Policy', pp);
-        return payload;
-    });
-};
-export const fastifyHarden = fp(fastifyHardenPlugin, {
-    fastify: '5.x',
-    name: 'harden',
-});
-export default fastifyHarden;

package/dist/permissions-policy.mjs

@@ -1,79 +0,0 @@
-import { isDefined } from './common';
-const keywords = [
-    'self',
-    'src'
-];
-const ppObj = {
-    'accelerometer': 'self',
-    'ambient-light-sensor': 'self',
-    'attribution-reporting': 'self',
-    'autoplay': 'self',
-    'battery': 'self',
-    'bluetooth': 'self',
-    'browsing-topics': 'self',
-    'camera': 'self',
-    'clipboard-read': 'self',
-    'clipboard-write': 'self',
-    'compute-pressure': 'self',
-    'conversion-measurement': 'self',
-    'cross-origin-isolated': 'self',
-    'display-capture': 'self',
-    'document-domain': 'self',
-    'encrypted-media': 'self',
-    'execution-while-not-rendered': 'self',
-    'execution-while-out-of-viewport': 'self',
-    'focus-without-user-activation': 'self',
-    'fullscreen': 'self',
-    'gamepad': 'self',
-    'geolocation': 'self',
-    'gyroscope': 'self',
-    'keyboard-map': 'self',
-    'hid': 'self',
-    'identity-credentials-get': 'self',
-    'idle-detection': 'self',
-    'interest-cohort': 'self',
-    'local-fonts': 'self',
-    'magnetometer': 'self',
-    'microphone': 'self',
-    'midi': 'self',
-    'navigation-override': 'self',
-    'otp-credentials': 'self',
-    'payment': 'self',
-    'picture-in-picture': 'self',
-    'publickey-credentials-create': 'self',
-    'publickey-credentials-get': 'self',
-    'screen-wake-lock': 'self',
-    'serial': 'self',
-    'speaker-selection': 'self',
-    'storage-access': 'self',
-    'sync-script': 'self',
-    'sync-xhr': 'self',
-    'trust-token-redemption': 'self',
-    'unload': 'self',
-    'usb': 'self',
-    'web-share': 'self',
-    'window-management': 'self',
-    'window-placement': 'self',
-    'vertical-scroll': 'self',
-    'xr-spatial-tracking': 'self'
-};
-export const permissionsPolicy = (_options) => ({
-    policy: Object.keys(ppObj)
-        .map(directive => {
-        const _valueArr = ppObj[directive];
-        const valueArr = (Array.isArray(_valueArr)
-            ? _valueArr
-            : [_valueArr]);
-        const values = (valueArr
-            .filter(isDefined)
-            .map(v => (keywords.includes(v)
-            ? v
-            : `"${v}"`))
-            .join(' '));
-        return (values === ''
-            ? undefined
-            : `${directive}=(${values})`);
-    })
-        .filter(isDefined)
-        .join(', ')
-});