@revealui/core 0.3.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/client/admin/components/AdminDashboard.d.ts.map +1 -1
- package/dist/client/admin/components/AdminDashboard.js +20 -3
- package/dist/client/richtext/index.d.ts.map +1 -1
- package/dist/client/richtext/plugins/FloatingToolbarPlugin.js +1 -3
- package/dist/collections/operations/create.d.ts +2 -1
- package/dist/collections/operations/create.d.ts.map +1 -1
- package/dist/collections/operations/create.js +28 -1
- package/dist/database/type-adapter.d.ts.map +1 -1
- package/dist/features.d.ts +7 -3
- package/dist/features.d.ts.map +1 -1
- package/dist/features.js +2 -0
- package/dist/globals/GlobalOperations.d.ts.map +1 -1
- package/dist/globals/GlobalOperations.js +12 -2
- package/dist/index.d.ts +11 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +11 -1
- package/dist/license.d.ts +6 -0
- package/dist/license.d.ts.map +1 -1
- package/dist/license.js +14 -1
- package/dist/monitoring/alerts.d.ts +4 -4
- package/dist/monitoring/alerts.d.ts.map +1 -1
- package/dist/plugins/nested-docs.d.ts.map +1 -1
- package/dist/plugins/nested-docs.js +0 -1
- package/dist/queries/queryBuilder.d.ts.map +1 -1
- package/dist/queries/queryBuilder.js +4 -3
- package/dist/richtext/index.d.ts.map +1 -1
- package/dist/storage/vercel-blob.d.ts.map +1 -1
- package/dist/storage/vercel-blob.js +3 -0
- package/dist/types/api.d.ts.map +1 -1
- package/dist/types/config.d.ts.map +1 -1
- package/dist/types/core.d.ts +1 -1
- package/dist/types/core.d.ts.map +1 -1
- package/dist/types/extensions.d.ts.map +1 -1
- package/dist/types/frontend.d.ts.map +1 -1
- package/dist/types/legacy.d.ts.map +1 -1
- package/dist/types/query.d.ts.map +1 -1
- package/dist/types/runtime.d.ts +1 -0
- package/dist/types/runtime.d.ts.map +1 -1
- package/dist/utils/error-responses.d.ts.map +1 -1
- package/dist/utils/error-responses.js +2 -3
- package/package.json +23 -23
- package/dist/caching/app-cache.d.ts +0 -242
- package/dist/caching/app-cache.d.ts.map +0 -1
- package/dist/caching/app-cache.js +0 -438
- package/dist/caching/cdn-config.d.ts +0 -155
- package/dist/caching/cdn-config.d.ts.map +0 -1
- package/dist/caching/cdn-config.js +0 -415
- package/dist/caching/edge-cache.d.ts +0 -177
- package/dist/caching/edge-cache.d.ts.map +0 -1
- package/dist/caching/edge-cache.js +0 -414
- package/dist/caching/service-worker.d.ts +0 -157
- package/dist/caching/service-worker.d.ts.map +0 -1
- package/dist/caching/service-worker.js +0 -438
- package/dist/client/admin/utils/auth.d.ts +0 -23
- package/dist/client/admin/utils/auth.d.ts.map +0 -1
- package/dist/client/admin/utils/auth.js +0 -52
- package/dist/client/http/client.d.ts +0 -15
- package/dist/client/http/client.d.ts.map +0 -1
- package/dist/client/http/client.js +0 -49
- package/dist/client/http/fetchBanner.d.ts +0 -18
- package/dist/client/http/fetchBanner.d.ts.map +0 -1
- package/dist/client/http/fetchBanner.js +0 -44
- package/dist/client/http/fetchCard.d.ts +0 -18
- package/dist/client/http/fetchCard.d.ts.map +0 -1
- package/dist/client/http/fetchCard.js +0 -46
- package/dist/client/http/fetchEvents.d.ts +0 -18
- package/dist/client/http/fetchEvents.d.ts.map +0 -1
- package/dist/client/http/fetchEvents.js +0 -44
- package/dist/client/http/fetchHero.d.ts +0 -17
- package/dist/client/http/fetchHero.d.ts.map +0 -1
- package/dist/client/http/fetchHero.js +0 -55
- package/dist/client/http/fetchMainInfos.d.ts +0 -17
- package/dist/client/http/fetchMainInfos.d.ts.map +0 -1
- package/dist/client/http/fetchMainInfos.js +0 -44
- package/dist/client/http/fetchVideos.d.ts +0 -13
- package/dist/client/http/fetchVideos.d.ts.map +0 -1
- package/dist/client/http/fetchVideos.js +0 -36
- package/dist/client/http/index.d.ts +0 -19
- package/dist/client/http/index.d.ts.map +0 -1
- package/dist/client/http/index.js +0 -11
- package/dist/error-handling/circuit-breaker.d.ts +0 -262
- package/dist/error-handling/circuit-breaker.d.ts.map +0 -1
- package/dist/error-handling/circuit-breaker.js +0 -550
- package/dist/error-handling/retry.d.ts +0 -194
- package/dist/error-handling/retry.d.ts.map +0 -1
- package/dist/error-handling/retry.js +0 -455
- package/dist/errors/index.d.ts +0 -23
- package/dist/errors/index.d.ts.map +0 -1
- package/dist/errors/index.js +0 -40
- package/dist/generated/agents/index.d.ts +0 -8
- package/dist/generated/agents/index.d.ts.map +0 -1
- package/dist/generated/agents/index.js +0 -7
- package/dist/generated/components/index.d.ts +0 -8
- package/dist/generated/components/index.d.ts.map +0 -1
- package/dist/generated/components/index.js +0 -7
- package/dist/generated/functions/index.d.ts +0 -8
- package/dist/generated/functions/index.d.ts.map +0 -1
- package/dist/generated/functions/index.js +0 -7
- package/dist/generated/hooks/index.d.ts +0 -8
- package/dist/generated/hooks/index.d.ts.map +0 -1
- package/dist/generated/hooks/index.js +0 -7
- package/dist/generated/plans/index.d.ts +0 -8
- package/dist/generated/plans/index.d.ts.map +0 -1
- package/dist/generated/plans/index.js +0 -7
- package/dist/generated/prompts/index.d.ts +0 -8
- package/dist/generated/prompts/index.d.ts.map +0 -1
- package/dist/generated/prompts/index.js +0 -7
- package/dist/generated/tools/index.d.ts +0 -8
- package/dist/generated/tools/index.d.ts.map +0 -1
- package/dist/generated/tools/index.js +0 -7
- package/dist/generated/types/supabase.d.ts +0 -193
- package/dist/generated/types/supabase.d.ts.map +0 -1
- package/dist/generated/types/supabase.js +0 -5
- package/dist/optimization/asset-optimizer.d.ts +0 -206
- package/dist/optimization/asset-optimizer.d.ts.map +0 -1
- package/dist/optimization/asset-optimizer.js +0 -336
- package/dist/optimization/build-optimizer.d.ts +0 -202
- package/dist/optimization/build-optimizer.d.ts.map +0 -1
- package/dist/optimization/build-optimizer.js +0 -271
- package/dist/optimization/bundle-analyzer.d.ts +0 -98
- package/dist/optimization/bundle-analyzer.d.ts.map +0 -1
- package/dist/optimization/bundle-analyzer.js +0 -346
- package/dist/optimization/code-splitting.d.ts +0 -121
- package/dist/optimization/code-splitting.d.ts.map +0 -1
- package/dist/optimization/code-splitting.js +0 -261
- package/dist/plugin/index.d.ts +0 -12
- package/dist/plugin/index.d.ts.map +0 -1
- package/dist/plugin/index.js +0 -4
- package/dist/security/audit.d.ts +0 -188
- package/dist/security/audit.d.ts.map +0 -1
- package/dist/security/audit.js +0 -433
- package/dist/security/auth.d.ts +0 -110
- package/dist/security/auth.d.ts.map +0 -1
- package/dist/security/auth.js +0 -257
- package/dist/security/authorization.d.ts +0 -211
- package/dist/security/authorization.d.ts.map +0 -1
- package/dist/security/authorization.js +0 -492
- package/dist/security/encryption.d.ts +0 -226
- package/dist/security/encryption.d.ts.map +0 -1
- package/dist/security/encryption.js +0 -534
- package/dist/security/gdpr-storage.d.ts +0 -102
- package/dist/security/gdpr-storage.d.ts.map +0 -1
- package/dist/security/gdpr-storage.js +0 -65
- package/dist/security/gdpr.d.ts +0 -320
- package/dist/security/gdpr.d.ts.map +0 -1
- package/dist/security/gdpr.js +0 -531
- package/dist/security/headers.d.ts +0 -184
- package/dist/security/headers.d.ts.map +0 -1
- package/dist/security/headers.js +0 -420
- package/dist/utils/jwt-validation.d.ts +0 -14
- package/dist/utils/jwt-validation.d.ts.map +0 -1
- package/dist/utils/jwt-validation.js +0 -36
- package/dist/utils/request-headers.d.ts +0 -15
- package/dist/utils/request-headers.d.ts.map +0 -1
- package/dist/utils/request-headers.js +0 -31
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/security/headers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,WAAW,qBAAqB;IACpC,qBAAqB,CAAC,EAAE,MAAM,GAAG,2BAA2B,CAAC;IAC7D,uBAAuB,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC;IAC/C,aAAa,CAAC,EAAE,MAAM,GAAG,YAAY,GAAG,MAAM,CAAC;IAC/C,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,cAAc,CAAC,EAAE,mBAAmB,CAAC;IACrC,iBAAiB,CAAC,EAAE,MAAM,GAAG,uBAAuB,CAAC;IACrD,yBAAyB,CAAC,EAAE,cAAc,GAAG,gBAAgB,CAAC;IAC9D,uBAAuB,CAAC,EAAE,aAAa,GAAG,0BAA0B,GAAG,aAAa,CAAC;IACrF,yBAAyB,CAAC,EAAE,aAAa,GAAG,WAAW,GAAG,cAAc,CAAC;CAC1E;AAED,MAAM,WAAW,2BAA2B;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,MAAM,mBAAmB,GAC3B,aAAa,GACb,4BAA4B,GAC5B,QAAQ,GACR,0BAA0B,GAC1B,aAAa,GACb,eAAe,GACf,iCAAiC,GACjC,YAAY,CAAC;AAEjB,MAAM,WAAW,uBAAuB;IACtC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED,MAAM,WAAW,UAAU;IACzB,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC;IAC3D,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAwB;gBAE1B,MAAM,GAAE,qBAA0B;IAI9C;;OAEG;IACH,UAAU,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAiDpC;;OAEG;IACH,OAAO,CAAC,QAAQ;IAgDhB;;OAEG;IACH,OAAO,CAAC,SAAS;IAuBjB;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAqB9B;;OAEG;IACH,YAAY,CAAC,QAAQ,EAAE,QAAQ,GAAG,QAAQ;CAS3C;AAED;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAuB;gBAEzB,MAAM,GAAE,UAAe;IAanC;;OAEG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAsBxC;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IA2BtD;;OAEG;IACH,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAe3D;;OAEG;IACH,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,QAAQ,GAAG,IAAI;IAehD;;OAEG;IACH,eAAe,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,GAAG,QAAQ;IAa5D;;OAEG;IACH,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,GAAG,QAAQ;CAa3D;AAED;;GAEG;AACH,eAAO,MAAM,eAAe;IAC1B;;OAEG;kBACS,qBAAqB;IA4BjC;;OAEG;oBACW,qBAAqB;IAmBnC;;OAEG;uBACc,qBAAqB;CAIvC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,WAAW;IACtB;;OAEG;kBACS,UAAU;IAQtB;;OAEG;+BACwB,MAAM,EAAE,KAAG,UAAU;IAShD;;;OAGG;sBACa,UAAU;IAe1B;;;OAGG;eACM,UAAU;CAepB,CAAC;AAEF;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,cAAc,CAAC,EAAE,qBAAqB,EACtC,UAAU,CAAC,EAAE,UAAU,IAKT,SAAS,OAAO,EAAE,MAAM,MAAM,OAAO,CAAC,QAAQ,CAAC,KAAG,OAAO,CAAC,QAAQ,CAAC,CAwBlF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,QAAQ,EAClB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE,MAAM,GACZ,IAAI,CAIN"}
|
package/dist/security/headers.js
DELETED
|
@@ -1,420 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Security Headers and CORS Configuration
|
|
3
|
-
*
|
|
4
|
-
* HTTP security headers and CORS policy management
|
|
5
|
-
*/
|
|
6
|
-
import { defaultLogger } from '../instance/logger.js';
|
|
7
|
-
/**
|
|
8
|
-
* Security headers manager
|
|
9
|
-
*/
|
|
10
|
-
export class SecurityHeaders {
|
|
11
|
-
config;
|
|
12
|
-
constructor(config = {}) {
|
|
13
|
-
this.config = config;
|
|
14
|
-
}
|
|
15
|
-
/**
|
|
16
|
-
* Get all security headers
|
|
17
|
-
*/
|
|
18
|
-
getHeaders() {
|
|
19
|
-
const headers = {};
|
|
20
|
-
// Content Security Policy
|
|
21
|
-
if (this.config.contentSecurityPolicy) {
|
|
22
|
-
headers['Content-Security-Policy'] = this.buildCSP(this.config.contentSecurityPolicy);
|
|
23
|
-
}
|
|
24
|
-
// Strict Transport Security
|
|
25
|
-
if (this.config.strictTransportSecurity) {
|
|
26
|
-
headers['Strict-Transport-Security'] = this.buildHSTS(this.config.strictTransportSecurity);
|
|
27
|
-
}
|
|
28
|
-
// X-Frame-Options
|
|
29
|
-
if (this.config.xFrameOptions) {
|
|
30
|
-
headers['X-Frame-Options'] = this.config.xFrameOptions;
|
|
31
|
-
}
|
|
32
|
-
// X-Content-Type-Options
|
|
33
|
-
if (this.config.xContentTypeOptions !== false) {
|
|
34
|
-
headers['X-Content-Type-Options'] = 'nosniff';
|
|
35
|
-
}
|
|
36
|
-
// Referrer-Policy
|
|
37
|
-
if (this.config.referrerPolicy) {
|
|
38
|
-
headers['Referrer-Policy'] = this.config.referrerPolicy;
|
|
39
|
-
}
|
|
40
|
-
// Permissions-Policy
|
|
41
|
-
if (this.config.permissionsPolicy) {
|
|
42
|
-
headers['Permissions-Policy'] = this.buildPermissionsPolicy(this.config.permissionsPolicy);
|
|
43
|
-
}
|
|
44
|
-
// Cross-Origin headers
|
|
45
|
-
if (this.config.crossOriginEmbedderPolicy) {
|
|
46
|
-
headers['Cross-Origin-Embedder-Policy'] = this.config.crossOriginEmbedderPolicy;
|
|
47
|
-
}
|
|
48
|
-
if (this.config.crossOriginOpenerPolicy) {
|
|
49
|
-
headers['Cross-Origin-Opener-Policy'] = this.config.crossOriginOpenerPolicy;
|
|
50
|
-
}
|
|
51
|
-
if (this.config.crossOriginResourcePolicy) {
|
|
52
|
-
headers['Cross-Origin-Resource-Policy'] = this.config.crossOriginResourcePolicy;
|
|
53
|
-
}
|
|
54
|
-
return headers;
|
|
55
|
-
}
|
|
56
|
-
/**
|
|
57
|
-
* Build Content Security Policy header
|
|
58
|
-
*/
|
|
59
|
-
buildCSP(config) {
|
|
60
|
-
if (typeof config === 'string') {
|
|
61
|
-
return config;
|
|
62
|
-
}
|
|
63
|
-
const directives = [];
|
|
64
|
-
const addDirective = (name, values) => {
|
|
65
|
-
if (values && values.length > 0) {
|
|
66
|
-
directives.push(`${name} ${values.join(' ')}`);
|
|
67
|
-
}
|
|
68
|
-
};
|
|
69
|
-
addDirective('default-src', config.defaultSrc);
|
|
70
|
-
addDirective('script-src', config.scriptSrc);
|
|
71
|
-
addDirective('style-src', config.styleSrc);
|
|
72
|
-
addDirective('img-src', config.imgSrc);
|
|
73
|
-
addDirective('font-src', config.fontSrc);
|
|
74
|
-
addDirective('connect-src', config.connectSrc);
|
|
75
|
-
addDirective('frame-src', config.frameSrc);
|
|
76
|
-
addDirective('object-src', config.objectSrc);
|
|
77
|
-
addDirective('media-src', config.mediaSrc);
|
|
78
|
-
addDirective('worker-src', config.workerSrc);
|
|
79
|
-
addDirective('child-src', config.childSrc);
|
|
80
|
-
addDirective('form-action', config.formAction);
|
|
81
|
-
addDirective('frame-ancestors', config.frameAncestors);
|
|
82
|
-
addDirective('base-uri', config.baseUri);
|
|
83
|
-
addDirective('manifest-src', config.manifestSrc);
|
|
84
|
-
if (config.upgradeInsecureRequests) {
|
|
85
|
-
directives.push('upgrade-insecure-requests');
|
|
86
|
-
}
|
|
87
|
-
if (config.blockAllMixedContent) {
|
|
88
|
-
directives.push('block-all-mixed-content');
|
|
89
|
-
}
|
|
90
|
-
if (config.reportUri) {
|
|
91
|
-
directives.push(`report-uri ${config.reportUri}`);
|
|
92
|
-
}
|
|
93
|
-
if (config.reportTo) {
|
|
94
|
-
directives.push(`report-to ${config.reportTo}`);
|
|
95
|
-
}
|
|
96
|
-
return directives.join('; ');
|
|
97
|
-
}
|
|
98
|
-
/**
|
|
99
|
-
* Build HSTS header
|
|
100
|
-
*/
|
|
101
|
-
buildHSTS(config) {
|
|
102
|
-
if (config === true) {
|
|
103
|
-
return 'max-age=31536000; includeSubDomains';
|
|
104
|
-
}
|
|
105
|
-
if (config === false) {
|
|
106
|
-
return '';
|
|
107
|
-
}
|
|
108
|
-
// config is now HSTSConfig
|
|
109
|
-
const parts = [`max-age=${config.maxAge}`];
|
|
110
|
-
if (config.includeSubDomains) {
|
|
111
|
-
parts.push('includeSubDomains');
|
|
112
|
-
}
|
|
113
|
-
if (config.preload) {
|
|
114
|
-
parts.push('preload');
|
|
115
|
-
}
|
|
116
|
-
return parts.join('; ');
|
|
117
|
-
}
|
|
118
|
-
/**
|
|
119
|
-
* Build Permissions-Policy header
|
|
120
|
-
*/
|
|
121
|
-
buildPermissionsPolicy(config) {
|
|
122
|
-
if (typeof config === 'string') {
|
|
123
|
-
return config;
|
|
124
|
-
}
|
|
125
|
-
const policies = [];
|
|
126
|
-
Object.entries(config).forEach(([feature, origins]) => {
|
|
127
|
-
if (!origins || origins.length === 0) {
|
|
128
|
-
policies.push(`${feature}=()`);
|
|
129
|
-
}
|
|
130
|
-
else if (origins.includes('*')) {
|
|
131
|
-
policies.push(`${feature}=*`);
|
|
132
|
-
}
|
|
133
|
-
else {
|
|
134
|
-
const originsList = origins.map((o) => `"${o}"`).join(' ');
|
|
135
|
-
policies.push(`${feature}=(${originsList})`);
|
|
136
|
-
}
|
|
137
|
-
});
|
|
138
|
-
return policies.join(', ');
|
|
139
|
-
}
|
|
140
|
-
/**
|
|
141
|
-
* Apply headers to response
|
|
142
|
-
*/
|
|
143
|
-
applyHeaders(response) {
|
|
144
|
-
const headers = this.getHeaders();
|
|
145
|
-
Object.entries(headers).forEach(([name, value]) => {
|
|
146
|
-
response.headers.set(name, value);
|
|
147
|
-
});
|
|
148
|
-
return response;
|
|
149
|
-
}
|
|
150
|
-
}
|
|
151
|
-
/**
|
|
152
|
-
* CORS manager
|
|
153
|
-
*/
|
|
154
|
-
export class CORSManager {
|
|
155
|
-
config;
|
|
156
|
-
constructor(config = {}) {
|
|
157
|
-
this.config = {
|
|
158
|
-
origin: config.origin ?? [],
|
|
159
|
-
methods: config.methods || ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
|
|
160
|
-
allowedHeaders: config.allowedHeaders || ['Content-Type', 'Authorization'],
|
|
161
|
-
exposedHeaders: config.exposedHeaders || [],
|
|
162
|
-
credentials: config.credentials ?? false,
|
|
163
|
-
maxAge: config.maxAge || 86400,
|
|
164
|
-
preflightContinue: config.preflightContinue ?? false,
|
|
165
|
-
optionsSuccessStatus: config.optionsSuccessStatus || 204,
|
|
166
|
-
};
|
|
167
|
-
}
|
|
168
|
-
/**
|
|
169
|
-
* Check if origin is allowed
|
|
170
|
-
*/
|
|
171
|
-
isOriginAllowed(origin) {
|
|
172
|
-
const { origin: allowedOrigin } = this.config;
|
|
173
|
-
if (allowedOrigin === '*') {
|
|
174
|
-
return true;
|
|
175
|
-
}
|
|
176
|
-
if (typeof allowedOrigin === 'function') {
|
|
177
|
-
return allowedOrigin(origin);
|
|
178
|
-
}
|
|
179
|
-
if (typeof allowedOrigin === 'string') {
|
|
180
|
-
return origin === allowedOrigin;
|
|
181
|
-
}
|
|
182
|
-
if (Array.isArray(allowedOrigin)) {
|
|
183
|
-
return allowedOrigin.includes(origin);
|
|
184
|
-
}
|
|
185
|
-
return false;
|
|
186
|
-
}
|
|
187
|
-
/**
|
|
188
|
-
* Get CORS headers
|
|
189
|
-
*/
|
|
190
|
-
getCORSHeaders(origin) {
|
|
191
|
-
const headers = {};
|
|
192
|
-
// Access-Control-Allow-Origin
|
|
193
|
-
if (this.isOriginAllowed(origin)) {
|
|
194
|
-
headers['Access-Control-Allow-Origin'] = this.config.origin === '*' ? '*' : origin;
|
|
195
|
-
}
|
|
196
|
-
// Vary: Origin — required when Access-Control-Allow-Origin is not '*' so caches
|
|
197
|
-
// don't serve a response allowed for origin A to origin B.
|
|
198
|
-
if (this.config.origin !== '*') {
|
|
199
|
-
headers.Vary = 'Origin';
|
|
200
|
-
}
|
|
201
|
-
// Access-Control-Allow-Credentials — incompatible with origin: '*' per Fetch spec
|
|
202
|
-
if (this.config.credentials && this.config.origin !== '*') {
|
|
203
|
-
headers['Access-Control-Allow-Credentials'] = 'true';
|
|
204
|
-
}
|
|
205
|
-
// Access-Control-Expose-Headers
|
|
206
|
-
if (this.config.exposedHeaders.length > 0) {
|
|
207
|
-
headers['Access-Control-Expose-Headers'] = this.config.exposedHeaders.join(', ');
|
|
208
|
-
}
|
|
209
|
-
return headers;
|
|
210
|
-
}
|
|
211
|
-
/**
|
|
212
|
-
* Get preflight headers
|
|
213
|
-
*/
|
|
214
|
-
getPreflightHeaders(origin) {
|
|
215
|
-
const headers = this.getCORSHeaders(origin);
|
|
216
|
-
// Access-Control-Allow-Methods
|
|
217
|
-
headers['Access-Control-Allow-Methods'] = this.config.methods.join(', ');
|
|
218
|
-
// Access-Control-Allow-Headers
|
|
219
|
-
headers['Access-Control-Allow-Headers'] = this.config.allowedHeaders.join(', ');
|
|
220
|
-
// Access-Control-Max-Age
|
|
221
|
-
headers['Access-Control-Max-Age'] = this.config.maxAge.toString();
|
|
222
|
-
return headers;
|
|
223
|
-
}
|
|
224
|
-
/**
|
|
225
|
-
* Handle CORS request
|
|
226
|
-
*/
|
|
227
|
-
handleRequest(request) {
|
|
228
|
-
const origin = request.headers.get('Origin');
|
|
229
|
-
if (!origin) {
|
|
230
|
-
return null;
|
|
231
|
-
}
|
|
232
|
-
// Handle preflight
|
|
233
|
-
if (request.method === 'OPTIONS') {
|
|
234
|
-
return this.handlePreflight(request, origin);
|
|
235
|
-
}
|
|
236
|
-
return null;
|
|
237
|
-
}
|
|
238
|
-
/**
|
|
239
|
-
* Handle preflight request
|
|
240
|
-
*/
|
|
241
|
-
handlePreflight(_request, origin) {
|
|
242
|
-
if (!this.isOriginAllowed(origin)) {
|
|
243
|
-
return new Response(null, { status: 403 });
|
|
244
|
-
}
|
|
245
|
-
const headers = this.getPreflightHeaders(origin);
|
|
246
|
-
return new Response(null, {
|
|
247
|
-
status: this.config.optionsSuccessStatus,
|
|
248
|
-
headers,
|
|
249
|
-
});
|
|
250
|
-
}
|
|
251
|
-
/**
|
|
252
|
-
* Apply CORS headers to response
|
|
253
|
-
*/
|
|
254
|
-
applyHeaders(response, origin) {
|
|
255
|
-
if (!this.isOriginAllowed(origin)) {
|
|
256
|
-
return response;
|
|
257
|
-
}
|
|
258
|
-
const headers = this.getCORSHeaders(origin);
|
|
259
|
-
Object.entries(headers).forEach(([name, value]) => {
|
|
260
|
-
response.headers.set(name, value);
|
|
261
|
-
});
|
|
262
|
-
return response;
|
|
263
|
-
}
|
|
264
|
-
}
|
|
265
|
-
/**
|
|
266
|
-
* Common security header presets
|
|
267
|
-
*/
|
|
268
|
-
export const SecurityPresets = {
|
|
269
|
-
/**
|
|
270
|
-
* Strict security (recommended for production)
|
|
271
|
-
*/
|
|
272
|
-
strict: () => ({
|
|
273
|
-
contentSecurityPolicy: {
|
|
274
|
-
defaultSrc: ["'self'"],
|
|
275
|
-
scriptSrc: ["'self'"],
|
|
276
|
-
styleSrc: ["'self'", "'unsafe-inline'"],
|
|
277
|
-
imgSrc: ["'self'", 'data:', 'https:'],
|
|
278
|
-
fontSrc: ["'self'", 'data:'],
|
|
279
|
-
connectSrc: ["'self'"],
|
|
280
|
-
frameSrc: ["'none'"],
|
|
281
|
-
objectSrc: ["'none'"],
|
|
282
|
-
baseUri: ["'self'"],
|
|
283
|
-
formAction: ["'self'"],
|
|
284
|
-
frameAncestors: ["'none'"],
|
|
285
|
-
upgradeInsecureRequests: true,
|
|
286
|
-
},
|
|
287
|
-
strictTransportSecurity: {
|
|
288
|
-
maxAge: 31536000,
|
|
289
|
-
includeSubDomains: true,
|
|
290
|
-
preload: true,
|
|
291
|
-
},
|
|
292
|
-
xFrameOptions: 'DENY',
|
|
293
|
-
xContentTypeOptions: true,
|
|
294
|
-
referrerPolicy: 'strict-origin-when-cross-origin',
|
|
295
|
-
crossOriginEmbedderPolicy: 'require-corp',
|
|
296
|
-
crossOriginOpenerPolicy: 'same-origin',
|
|
297
|
-
crossOriginResourcePolicy: 'same-origin',
|
|
298
|
-
}),
|
|
299
|
-
/**
|
|
300
|
-
* Moderate security (balanced)
|
|
301
|
-
*/
|
|
302
|
-
moderate: () => ({
|
|
303
|
-
contentSecurityPolicy: {
|
|
304
|
-
defaultSrc: ["'self'"],
|
|
305
|
-
scriptSrc: ["'self'", "'unsafe-inline'"],
|
|
306
|
-
styleSrc: ["'self'", "'unsafe-inline'"],
|
|
307
|
-
imgSrc: ["'self'", 'data:', 'https:'],
|
|
308
|
-
fontSrc: ["'self'", 'data:', 'https:'],
|
|
309
|
-
connectSrc: ["'self'", 'https:'],
|
|
310
|
-
frameAncestors: ["'self'"],
|
|
311
|
-
},
|
|
312
|
-
strictTransportSecurity: {
|
|
313
|
-
maxAge: 31536000,
|
|
314
|
-
includeSubDomains: true,
|
|
315
|
-
},
|
|
316
|
-
xFrameOptions: 'SAMEORIGIN',
|
|
317
|
-
xContentTypeOptions: true,
|
|
318
|
-
referrerPolicy: 'origin-when-cross-origin',
|
|
319
|
-
}),
|
|
320
|
-
/**
|
|
321
|
-
* Development (permissive)
|
|
322
|
-
*/
|
|
323
|
-
development: () => ({
|
|
324
|
-
xContentTypeOptions: true,
|
|
325
|
-
referrerPolicy: 'no-referrer-when-downgrade',
|
|
326
|
-
}),
|
|
327
|
-
};
|
|
328
|
-
/**
|
|
329
|
-
* Common CORS presets
|
|
330
|
-
*/
|
|
331
|
-
export const CORSPresets = {
|
|
332
|
-
/**
|
|
333
|
-
* Strict CORS (same origin only)
|
|
334
|
-
*/
|
|
335
|
-
strict: () => ({
|
|
336
|
-
origin: [],
|
|
337
|
-
methods: ['GET', 'POST', 'PUT', 'DELETE'],
|
|
338
|
-
allowedHeaders: ['Content-Type', 'Authorization'],
|
|
339
|
-
credentials: true,
|
|
340
|
-
maxAge: 86400,
|
|
341
|
-
}),
|
|
342
|
-
/**
|
|
343
|
-
* Moderate CORS (specific origins)
|
|
344
|
-
*/
|
|
345
|
-
moderate: (allowedOrigins) => ({
|
|
346
|
-
origin: allowedOrigins,
|
|
347
|
-
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
|
|
348
|
-
allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
|
|
349
|
-
exposedHeaders: ['X-Total-Count'],
|
|
350
|
-
credentials: true,
|
|
351
|
-
maxAge: 86400,
|
|
352
|
-
}),
|
|
353
|
-
/**
|
|
354
|
-
* Permissive CORS (all origins) — development only.
|
|
355
|
-
* Logs a warning if used when NODE_ENV === 'production'.
|
|
356
|
-
*/
|
|
357
|
-
permissive: () => {
|
|
358
|
-
if (process.env.NODE_ENV === 'production') {
|
|
359
|
-
defaultLogger.warn('[SecurityPresets] CORS permissive preset used in production — this allows all origins. Use moderate() with explicit origins instead.');
|
|
360
|
-
}
|
|
361
|
-
return {
|
|
362
|
-
origin: '*',
|
|
363
|
-
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
|
|
364
|
-
allowedHeaders: ['*'],
|
|
365
|
-
credentials: false,
|
|
366
|
-
maxAge: 86400,
|
|
367
|
-
};
|
|
368
|
-
},
|
|
369
|
-
/**
|
|
370
|
-
* API CORS (public read-only APIs) — credentials disabled.
|
|
371
|
-
* Logs a warning if used when NODE_ENV === 'production'.
|
|
372
|
-
*/
|
|
373
|
-
api: () => {
|
|
374
|
-
if (process.env.NODE_ENV === 'production') {
|
|
375
|
-
defaultLogger.warn('[SecurityPresets] CORS api preset uses origin:"*". For production, pass explicit origins to moderate() instead.');
|
|
376
|
-
}
|
|
377
|
-
return {
|
|
378
|
-
origin: '*',
|
|
379
|
-
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
|
|
380
|
-
allowedHeaders: ['Content-Type', 'Authorization', 'X-API-Key'],
|
|
381
|
-
exposedHeaders: ['X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-RateLimit-Reset'],
|
|
382
|
-
credentials: false,
|
|
383
|
-
maxAge: 86400,
|
|
384
|
-
};
|
|
385
|
-
},
|
|
386
|
-
};
|
|
387
|
-
/**
|
|
388
|
-
* Security middleware creator
|
|
389
|
-
*/
|
|
390
|
-
export function createSecurityMiddleware(securityConfig, corsConfig) {
|
|
391
|
-
const security = new SecurityHeaders(securityConfig);
|
|
392
|
-
const cors = new CORSManager(corsConfig);
|
|
393
|
-
return async (request, next) => {
|
|
394
|
-
const origin = request.headers.get('Origin');
|
|
395
|
-
// Handle CORS preflight
|
|
396
|
-
if (origin && request.method === 'OPTIONS') {
|
|
397
|
-
const preflightResponse = cors.handleRequest(request);
|
|
398
|
-
if (preflightResponse) {
|
|
399
|
-
return preflightResponse;
|
|
400
|
-
}
|
|
401
|
-
}
|
|
402
|
-
// Process request
|
|
403
|
-
const response = await next();
|
|
404
|
-
// Apply security headers
|
|
405
|
-
security.applyHeaders(response);
|
|
406
|
-
// Apply CORS headers
|
|
407
|
-
if (origin) {
|
|
408
|
-
cors.applyHeaders(response, origin);
|
|
409
|
-
}
|
|
410
|
-
return response;
|
|
411
|
-
};
|
|
412
|
-
}
|
|
413
|
-
/**
|
|
414
|
-
* Rate limiting headers
|
|
415
|
-
*/
|
|
416
|
-
export function setRateLimitHeaders(response, limit, remaining, reset) {
|
|
417
|
-
response.headers.set('X-RateLimit-Limit', limit.toString());
|
|
418
|
-
response.headers.set('X-RateLimit-Remaining', remaining.toString());
|
|
419
|
-
response.headers.set('X-RateLimit-Reset', reset.toString());
|
|
420
|
-
}
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* JWT Validation Utilities
|
|
3
|
-
*
|
|
4
|
-
* Utilities for validating JWT tokens from RevealRequest objects.
|
|
5
|
-
*/
|
|
6
|
-
import type { RevealRequest } from '../types/index.js';
|
|
7
|
-
/**
|
|
8
|
-
* Validate JWT token from request authorization header
|
|
9
|
-
*
|
|
10
|
-
* @param req - RevealRequest object
|
|
11
|
-
* @throws Error if token is invalid or expired
|
|
12
|
-
*/
|
|
13
|
-
export declare function validateJWTFromRequest(req?: RevealRequest): Promise<void>;
|
|
14
|
-
//# sourceMappingURL=jwt-validation.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"jwt-validation.d.ts","sourceRoot":"","sources":["../../src/utils/jwt-validation.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAGtD;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,GAAG,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CA4B/E"}
|
|
@@ -1,36 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* JWT Validation Utilities
|
|
3
|
-
*
|
|
4
|
-
* Utilities for validating JWT tokens from RevealRequest objects.
|
|
5
|
-
*/
|
|
6
|
-
import { jwtVerify } from 'jose';
|
|
7
|
-
import { extractAuthHeader } from './request-headers.js';
|
|
8
|
-
/**
|
|
9
|
-
* Validate JWT token from request authorization header
|
|
10
|
-
*
|
|
11
|
-
* @param req - RevealRequest object
|
|
12
|
-
* @throws Error if token is invalid or expired
|
|
13
|
-
*/
|
|
14
|
-
export async function validateJWTFromRequest(req) {
|
|
15
|
-
const authHeader = extractAuthHeader(req);
|
|
16
|
-
if (!authHeader || typeof authHeader !== 'string') {
|
|
17
|
-
return; // No auth header, skip validation
|
|
18
|
-
}
|
|
19
|
-
// Extract token from "JWT <token>" format
|
|
20
|
-
if (!authHeader.startsWith('JWT ')) {
|
|
21
|
-
return; // Not a JWT token, skip validation
|
|
22
|
-
}
|
|
23
|
-
const token = authHeader.substring(4);
|
|
24
|
-
const secret = process.env.REVEALUI_SECRET;
|
|
25
|
-
if (!secret || secret.length < 32) {
|
|
26
|
-
throw new Error('REVEALUI_SECRET must be set to a secure random value (minimum 32 characters). ' +
|
|
27
|
-
'Generate one with: openssl rand -base64 32');
|
|
28
|
-
}
|
|
29
|
-
try {
|
|
30
|
-
await jwtVerify(token, new TextEncoder().encode(secret));
|
|
31
|
-
}
|
|
32
|
-
catch (_error) {
|
|
33
|
-
// Token is invalid, expired, or tampered
|
|
34
|
-
throw new Error('Invalid or expired token');
|
|
35
|
-
}
|
|
36
|
-
}
|
|
@@ -1,15 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Request Header Utilities
|
|
3
|
-
*
|
|
4
|
-
* Utilities for extracting headers from RevealRequest objects.
|
|
5
|
-
* Handles various header types (Headers, Map, plain object).
|
|
6
|
-
*/
|
|
7
|
-
import type { RevealRequest } from '../types/index.js';
|
|
8
|
-
/**
|
|
9
|
-
* Extract authorization header from request
|
|
10
|
-
*
|
|
11
|
-
* @param req - RevealRequest object
|
|
12
|
-
* @returns Authorization header value or null if not found
|
|
13
|
-
*/
|
|
14
|
-
export declare function extractAuthHeader(req?: RevealRequest): string | null;
|
|
15
|
-
//# sourceMappingURL=request-headers.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"request-headers.d.ts","sourceRoot":"","sources":["../../src/utils/request-headers.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAEtD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,CAAC,EAAE,aAAa,GAAG,MAAM,GAAG,IAAI,CAqBpE"}
|
|
@@ -1,31 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Request Header Utilities
|
|
3
|
-
*
|
|
4
|
-
* Utilities for extracting headers from RevealRequest objects.
|
|
5
|
-
* Handles various header types (Headers, Map, plain object).
|
|
6
|
-
*/
|
|
7
|
-
/**
|
|
8
|
-
* Extract authorization header from request
|
|
9
|
-
*
|
|
10
|
-
* @param req - RevealRequest object
|
|
11
|
-
* @returns Authorization header value or null if not found
|
|
12
|
-
*/
|
|
13
|
-
export function extractAuthHeader(req) {
|
|
14
|
-
if (!req?.headers) {
|
|
15
|
-
return null;
|
|
16
|
-
}
|
|
17
|
-
let authHeader;
|
|
18
|
-
// Handle Headers object
|
|
19
|
-
if (req.headers instanceof Headers) {
|
|
20
|
-
authHeader = req.headers.get('authorization') || undefined;
|
|
21
|
-
}
|
|
22
|
-
// Handle Map object (used in tests) - type cast to avoid TS error
|
|
23
|
-
else if (req.headers instanceof Map) {
|
|
24
|
-
authHeader = req.headers.get('authorization') || undefined;
|
|
25
|
-
}
|
|
26
|
-
// Handle plain object with authorization property
|
|
27
|
-
else if (typeof req.headers === 'object' && 'authorization' in req.headers) {
|
|
28
|
-
authHeader = req.headers.authorization;
|
|
29
|
-
}
|
|
30
|
-
return authHeader || null;
|
|
31
|
-
}
|