@reldens/cms 0.36.0 → 0.38.0

package/README.md

@@ -292,6 +292,178 @@ const cms = new Manager({
 // - Configures template reloading
 ```
 
+### Development Mode Detection
+
+The CMS automatically detects development environments based on domain patterns. Domain mapping keys are **no longer automatically treated as development domains**.
+
+**Default Development Patterns:**
+```javascript
+const patterns = [
+    'localhost',
+    '127.0.0.1',
+    '.local',    // Domains ending with .local
+    '.test',     // Domains ending with .test
+    '.dev',      // Domains ending with .dev
+    '.acc',      // Domains ending with .acc
+    '.staging',  // Domains ending with .staging
+    'local.',    // Domains starting with local.
+    'test.',     // Domains starting with test.
+    'dev.',      // Domains starting with dev.
+    'acc.',      // Domains starting with acc.
+    'staging.'   // Domains starting with staging.
+];
+```
+
+**Override Development Patterns:**
+```javascript
+const cms = new Manager({
+    // Only these patterns will trigger development mode
+    developmentPatterns: [
+        'localhost',
+        '127.0.0.1',
+        '.local'
+    ],
+    domainMapping: {
+        // These are just aliases - NOT automatically development
+        'www.example.com': 'example.com',
+        'new.example.com': 'example.com'
+    }
+});
+```
+
+**Important Notes:**
+- The bug in pattern matching where domains with common substrings (e.g., "reldens" in both "acc.reldens.com" and "reldens.new") incorrectly triggered development mode has been fixed.
+- Domain patterns now only match at the start or end of domains, not arbitrary positions.
+- Override `developmentPatterns` in production to prevent staging/acc domains from enabling development mode.
+
+### Security Configuration
+
+Configure Content Security Policy and security headers through the app server config:
+
+#### External Domains for CSP
+
+When configuring external domains for CSP directives, keys can be in either kebab-case or camelCase format:
+
+```javascript
+const cms = new Manager({
+    appServerConfig: {
+        developmentExternalDomains: {
+            // Both formats work - choose whichever you prefer
+            'scriptSrc': ['https://cdn.example.com'],           // camelCase
+            'script-src': ['https://analytics.example.com'],    // kebab-case (auto-converted)
+            'styleSrc': ['https://fonts.googleapis.com'],       // camelCase  
+            'font-src': ['https://fonts.gstatic.com']           // kebab-case (auto-converted)
+        }
+    }
+});
+```
+
+The system automatically:
+- Converts kebab-case keys to camelCase (e.g., `'script-src'` → `scriptSrc`)
+- Adds domains to both the base directive and the `-elem` variant (e.g., `scriptSrc` and `scriptSrcElem`)
+
+#### CSP Directive Merging vs Override
+
+By default, custom CSP directives are **merged** with security defaults:
+
+```javascript
+const cms = new Manager({
+    appServerConfig: {
+        helmetConfig: {
+            contentSecurityPolicy: {
+                // Default: merge with base directives
+                directives: {
+                    scriptSrc: ['https://cdn.example.com']
+                }
+            }
+        }
+    }
+});
+
+// Result: default scriptSrc values + 'https://cdn.example.com'
+```
+
+**Default Base Directives:**
+```javascript
+{
+    defaultSrc: ["'self'"],
+    scriptSrc: ["'self'"],
+    scriptSrcElem: ["'self'"],
+    styleSrc: ["'self'", "'unsafe-inline'"],
+    styleSrcElem: ["'self'", "'unsafe-inline'"],
+    imgSrc: ["'self'", "data:", "https:"],
+    fontSrc: ["'self'"],
+    connectSrc: ["'self'"],
+    frameAncestors: ["'none'"],
+    baseUri: ["'self'"],
+    formAction: ["'self'"]
+}
+```
+
+To **completely replace** the default directives, use `overrideDirectives: true`:
+
+```javascript
+const cms = new Manager({
+    appServerConfig: {
+        helmetConfig: {
+            contentSecurityPolicy: {
+                overrideDirectives: true,  // Replace defaults entirely
+                directives: {
+                    defaultSrc: ["'self'"],
+                    scriptSrc: ["'self'", "https://trusted-cdn.com"],
+                    styleSrc: ["'self'", "'unsafe-inline'"],
+                    imgSrc: ["'self'", "data:", "https:"],
+                    fontSrc: ["'self'"],
+                    connectSrc: ["'self'"],
+                    frameAncestors: ["'none'"],
+                    baseUri: ["'self'"],
+                    formAction: ["'self'"]
+                }
+            }
+        }
+    }
+});
+```
+
+#### Additional Helmet Security Headers
+
+Configure other security headers through `helmetConfig`:
+
+```javascript
+const cms = new Manager({
+    appServerConfig: {
+        helmetConfig: {
+            // HTTP Strict Transport Security
+            hsts: {
+                maxAge: 31536000,        // 1 year in seconds
+                includeSubDomains: true,
+                preload: true
+            },
+            // Cross-Origin-Opener-Policy
+            crossOriginOpenerPolicy: {
+                policy: "same-origin"
+            },
+            // Cross-Origin-Resource-Policy
+            crossOriginResourcePolicy: {
+                policy: "same-origin"
+            },
+            // Cross-Origin-Embedder-Policy
+            crossOriginEmbedderPolicy: {
+                policy: "require-corp"
+            }
+        }
+    }
+});
+```
+
+**Note:** In development mode, CSP and HSTS are automatically disabled to ease development. Security headers are only enforced when the CMS is not in development mode.
+
+**Trusted Types:** To enable Trusted Types for enhanced XSS protection, add to CSP directives:
+```javascript
+requireTrustedTypesFor: ["'script'"]
+```
+However, this requires updating all JavaScript code to use the Trusted Types API.
+
 ## Dynamic Forms System
 
 ### Basic Form Usage

package/admin/reldens-admin-client.js

@@ -4,6 +4,10 @@
  *
  */
 
+if(window.trustedTypes?.createPolicy){
+    trustedTypes.createPolicy('default', {createHTML: s => s});
+}
+
 window.addEventListener('DOMContentLoaded', () => {
 
     // helpers:

package/lib/manager.js

@@ -236,13 +236,11 @@ class Manager
 
     buildAppServerConfiguration()
     {
-        let useHelmet = true;
-        if(!this.isInstalled()){
-            useHelmet = false;
-        }
+        let useHelmet = this.isInstalled();
+        let useHttps = this.config.host.startsWith('https://');
         let baseConfig = {
             port: this.config.port,
-            useHttps: this.config.host.startsWith('https://'),
+            useHttps,
             useHelmet,
             domainMapping: this.domainMapping || {},
             defaultDomain: this.defaultDomain,
@@ -254,12 +252,14 @@ class Manager
         };
         let appServerConfig = Object.assign({}, baseConfig, this.appServerConfig);
         if(this.domainMapping && 'object' === typeof this.domainMapping){
+            this.appServerFactory.setDomainMapping(this.domainMapping);
             this.validateCdnMappingsInDevelopment();
-            let mappingKeys = Object.keys(this.domainMapping);
-            for(let domain of mappingKeys){
-                this.appServerFactory.addDevelopmentDomain(domain);
+            if(!useHttps){
+                let mappingKeys = Object.keys(this.domainMapping);
+                for(let domain of mappingKeys){
+                    this.appServerFactory.addDevelopmentDomain(domain);
+                }
             }
-            this.appServerFactory.setDomainMapping(this.domainMapping);
         }
         if(sc.isArray(this.domains) && 0 < this.domains.length){
             for(let domain of this.domains){
@@ -278,7 +278,7 @@ class Manager
             return;
         }
         if(!sc.isObject(this.developmentExternalDomains) || sc.isArray(this.developmentExternalDomains)){
-            Logger.warning('CDN mappings configured but developmentExternalDomains not provided. '
+            Logger.info('CDN mappings configured but developmentExternalDomains not provided. '
                 +'CDN assets may fail in development mode due to CORS. '
                 +'Add CDN domains to developmentExternalDomains configuration.');
             return;
@@ -292,7 +292,7 @@ class Manager
             }
         }
         if(0 < missingCDNs.length){
-            Logger.warning('CDN domains not found in developmentExternalDomains: '+missingCDNs.join(', ')
+            Logger.info('CDN domains not found in developmentExternalDomains: '+missingCDNs.join(', ')
                 +'. Add them to avoid CORS issues in development mode.');
         }
     }

package/lib/template-engine/asset-transformer.js

@@ -1,54 +1,41 @@
-/**
- *
- * Reldens - CMS - AssetTransformer
- *
- */
-
-const { sc } = require('@reldens/utils');
-
-class AssetTransformer
-{
-
-    async transform(template, domain, req, systemVariables)
-    {
-        if(!template){
-            return template;
-        }
-        let currentRequest = sc.get(systemVariables, 'currentRequest', {});
-        let assetPattern = /\[asset\(([^)]+)\)\]/g;
-        let matches = [...template.matchAll(assetPattern)];
-        for(let i = matches.length - 1; i >= 0; i--){
-            let match = matches[i];
-            let assetPath = match[1].replace(/['"]/g, '');
-            let absoluteUrl = this.buildAssetUrl(assetPath, currentRequest);
-            template = template.substring(0, match.index) +
-                absoluteUrl +
-                template.substring(match.index + match[0].length);
-        }
-        return template;
-    }
-
-    buildAssetUrl(assetPath, currentRequest)
-    {
-        // if the path is a url, we will not transform it:
-        if(assetPath && assetPath.startsWith('http')){
-            return assetPath;
-        }
-        let assetUrl = sc.get(currentRequest, 'assetUrl', '');
-        let publicUrl = sc.get(currentRequest, 'publicUrl', '');
-        if(!assetPath){
-            if(assetUrl){
-                return assetUrl;
-            }
-            return '';
-        }
-        let normalizedPath = assetPath.startsWith('/') ? assetPath : '/'+assetPath;
-        if(assetUrl){
-            return assetUrl+normalizedPath;
-        }
-        return publicUrl+'/assets'+normalizedPath;
-    }
-
-}
-
-module.exports.AssetTransformer = AssetTransformer;
+/**
+ *
+ * Reldens - CMS - AssetTransformer
+ *
+ */
+
+const { sc } = require('@reldens/utils');
+
+class AssetTransformer
+{
+
+    async transform(template, domain, req, systemVariables)
+    {
+        if(!template){
+            return template;
+        }
+        let currentRequest = sc.get(systemVariables, 'currentRequest', {});
+        let assetPattern = /\[asset\(([^)]+)\)\]/g;
+        let matches = [...template.matchAll(assetPattern)];
+        for(let i = matches.length - 1; i >= 0; i--){
+            let match = matches[i];
+            let assetPath = match[1].replace(/['"]/g, '');
+            let absoluteUrl = this.buildAssetUrl(assetPath, currentRequest);
+            template = template.substring(0, match.index) +
+                absoluteUrl +
+                template.substring(match.index + match[0].length);
+        }
+        return template;
+    }
+
+    buildAssetUrl(assetPath, currentRequest)
+    {
+        if(!assetPath || assetPath.startsWith('http')){
+            return assetPath;
+        }
+        return sc.get(currentRequest, 'assetUrl', '')+'/assets'+(assetPath.startsWith('/') ? assetPath : '/'+assetPath);
+    }
+
+}
+
+module.exports.AssetTransformer = AssetTransformer;

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@reldens/cms",
     "scope": "@reldens",
-    "version": "0.36.0",
+    "version": "0.38.0",
     "description": "Reldens - CMS",
     "author": "Damian A. Pastorini",
     "license": "MIT",
@@ -33,8 +33,8 @@
         "url": "https://github.com/damian-pastorini/reldens-cms/issues"
     },
     "dependencies": {
-        "@reldens/server-utils": "^0.36.0",
-        "@reldens/storage": "^0.73.0",
+        "@reldens/server-utils": "^0.37.0",
+        "@reldens/storage": "^0.75.0",
         "@reldens/utils": "^0.53.0",
         "dotenv": "17.2.3",
         "mustache": "4.2.0"