npm - @schalkneethling/toolkit - Versions diffs - 0.5.1 → 0.6.0 - Mend

@schalkneethling/toolkit 0.5.1 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/skills/frontend-security/references/input-validation.md CHANGED Viewed

@@ -15,8 +15,8 @@ function validateUsername(input) {
 // AVOID: Denylist (block known bad)
 function validateInput(input) {
-  const blocked = ['<script>', 'javascript:', 'onerror'];
-  return !blocked.some(bad => input.includes(bad)); // Easily bypassed
+  const blocked = ["<script>", "javascript:", "onerror"];
+  return !blocked.some((bad) => input.includes(bad)); // Easily bypassed
 }
 ```
@@ -33,8 +33,8 @@ function validateEmail(email) {
 }
 // Use built-in browser validation
-const input = document.createElement('input');
-input.type = 'email';
+const input = document.createElement("input");
+input.type = "email";
 input.value = email;
 return input.checkValidity();
 ```
@@ -45,7 +45,7 @@ return input.checkValidity();
 function validateUrl(input) {
   try {
     const url = new URL(input);
-    return ['http:', 'https:'].includes(url.protocol);
+    return ["http:", "https:"].includes(url.protocol);
   } catch {
     return false;
   }
@@ -57,8 +57,8 @@ function validateSafeUrl(input) {
   if (!url) return false;
   // Block data: and javascript: schemes
-  const dangerous = ['javascript:', 'data:', 'vbscript:'];
-  return !dangerous.some(scheme => input.toLowerCase().startsWith(scheme));
+  const dangerous = ["javascript:", "data:", "vbscript:"];
+  return !dangerous.some((scheme) => input.toLowerCase().startsWith(scheme));
 }
 ```
@@ -77,7 +77,7 @@ function validateDecimal(input, min, max, decimals) {
   if (isNaN(num)) return false;
   if (num < min || num > max) return false;
-  const parts = input.split('.');
+  const parts = input.split(".");
   if (parts.length > 2) return false;
   if (parts[1] && parts[1].length > decimals) return false;
@@ -107,7 +107,7 @@ function validateDateRange(input, minDate, maxDate) {
 function validatePhone(input) {
   // E.164 format: +[country][number], max 15 digits
   const pattern = /^\+[1-9]\d{1,14}$/;
-  return pattern.test(input.replace(/[\s\-()]/g, ''));
+  return pattern.test(input.replace(/[\s\-()]/g, ""));
 }
 ```
@@ -118,14 +118,14 @@ function validatePhone(input) {
 ```javascript
 function escapeHtml(input) {
   const map = {
-    '&': '&amp;',
-    '<': '&lt;',
-    '>': '&gt;',
-    '"': '&quot;',
-    "'": '&#x27;',
-    '/': '&#x2F;'
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': "&quot;",
+    "'": "&#x27;",
+    "/": "&#x2F;",
   };
-  return String(input).replace(/[&<>"'/]/g, char => map[char]);
+  return String(input).replace(/[&<>"'/]/g, (char) => map[char]);
 }
 ```
@@ -136,14 +136,14 @@ function escapeHtml(input) {
 const query = `SELECT * FROM users WHERE name = '${userInput}'`;
 // RIGHT - use parameterized queries
-const query = 'SELECT * FROM users WHERE name = ?';
+const query = "SELECT * FROM users WHERE name = ?";
 db.query(query, [userInput]);
 ```
 ### Path Traversal Prevention
 ```javascript
-const path = require('path');
+const path = require("path");
 function validateFilePath(userPath, baseDir) {
   const baseCanonical = path.resolve(baseDir);
@@ -151,8 +151,8 @@ function validateFilePath(userPath, baseDir) {
   const relativePath = path.relative(baseCanonical, resolved);
   // Ensure resolved path stays inside the base directory
-  if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
-    throw new Error('Path traversal detected');
+  if (relativePath.startsWith("..") || path.isAbsolute(relativePath)) {
+    throw new Error("Path traversal detected");
   }
   return resolved;
@@ -164,13 +164,13 @@ function validateFilePath(userPath, baseDir) {
 ### Node.js with Joi
 ```javascript
-const Joi = require('joi');
+const Joi = require("joi");
 const userSchema = Joi.object({
   username: Joi.string().alphanum().min(3).max(30).required(),
   email: Joi.string().email().required(),
   age: Joi.number().integer().min(0).max(150),
-  website: Joi.string().uri({ scheme: ['http', 'https'] })
+  website: Joi.string().uri({ scheme: ["http", "https"] }),
 });
 function validateUser(data) {
@@ -183,32 +183,37 @@ function validateUser(data) {
 ### Express Validator
 ```javascript
-const { body, validationResult } = require('express-validator');
+const { body, validationResult } = require("express-validator");
-app.post('/user',
-  body('email').isEmail().normalizeEmail(),
-  body('password').isLength({ min: 8 }),
-  body('age').isInt({ min: 0, max: 150 }),
+app.post(
+  "/user",
+  body("email").isEmail().normalizeEmail(),
+  body("password").isLength({ min: 8 }),
+  body("age").isInt({ min: 0, max: 150 }),
   (req, res) => {
     const errors = validationResult(req);
     if (!errors.isEmpty()) {
       return res.status(400).json({ errors: errors.array() });
     }
     // Process valid input
-  }
+  },
 );
 ```
 ### Zod (TypeScript)
 ```typescript
-import { z } from 'zod';
+import { z } from "zod";
 const UserSchema = z.object({
-  username: z.string().min(3).max(30).regex(/^[a-zA-Z0-9_]+$/),
+  username: z
+    .string()
+    .min(3)
+    .max(30)
+    .regex(/^[a-zA-Z0-9_]+$/),
   email: z.string().email(),
   age: z.number().int().min(0).max(150).optional(),
-  website: z.string().url().optional()
+  website: z.string().url().optional(),
 });
 type User = z.infer<typeof UserSchema>;

package/skills/frontend-security/references/jwt-security.md CHANGED Viewed

@@ -12,7 +12,7 @@ const decoded = jwt.verify(token, secret);
 // SECURE - explicitly specify allowed algorithms
 const decoded = jwt.verify(token, secret, {
-  algorithms: ['HS256']  // Only accept HS256
+  algorithms: ["HS256"], // Only accept HS256
 });
 ```
@@ -26,7 +26,7 @@ const decoded = jwt.verify(token, publicKey);
 // SECURE - specify expected algorithm
 const decoded = jwt.verify(token, publicKey, {
-  algorithms: ['RS256']  // Only accept RS256
+  algorithms: ["RS256"], // Only accept RS256
 });
 ```
@@ -36,16 +36,16 @@ Attack: Brute-force weak HMAC secrets.
 ```javascript
 // VULNERABLE - weak secret
-const token = jwt.sign(payload, 'password123');
+const token = jwt.sign(payload, "password123");
 // SECURE - strong random secret (256+ bits)
-const crypto = require('crypto');
-const secret = crypto.randomBytes(32);  // 256 bits
+const crypto = require("crypto");
+const secret = crypto.randomBytes(32); // 256 bits
 const token = jwt.sign(payload, secret);
 // Or use RSA keys
-const privateKey = fs.readFileSync('private.pem');
-const token = jwt.sign(payload, privateKey, { algorithm: 'RS256' });
+const privateKey = fs.readFileSync("private.pem");
+const token = jwt.sign(payload, privateKey, { algorithm: "RS256" });
 ```
 ## Token Sidejacking Prevention
@@ -53,46 +53,36 @@ const token = jwt.sign(payload, privateKey, { algorithm: 'RS256' });
 Add fingerprint to prevent stolen token reuse:
 ```javascript
-const crypto = require('crypto');
+const crypto = require("crypto");
 // Generate fingerprint on login
 function generateFingerprint() {
-  return crypto.randomBytes(32).toString('hex');
+  return crypto.randomBytes(32).toString("hex");
 }
 // Create token with fingerprint hash
 function createToken(userId, fingerprint) {
-  const fingerprintHash = crypto
-    .createHash('sha256')
-    .update(fingerprint)
-    .digest('hex');
-  return jwt.sign(
-    { sub: userId, fph: fingerprintHash },
-    secret,
-    { expiresIn: '15m' }
-  );
+  const fingerprintHash = crypto.createHash("sha256").update(fingerprint).digest("hex");
+  return jwt.sign({ sub: userId, fph: fingerprintHash }, secret, { expiresIn: "15m" });
 }
 // Set fingerprint as httpOnly cookie
-res.cookie('__Secure-Fgp', fingerprint, {
+res.cookie("__Secure-Fgp", fingerprint, {
   httpOnly: true,
   secure: true,
-  sameSite: 'Strict',
-  maxAge: 15 * 60 * 1000  // Match token expiry
+  sameSite: "Strict",
+  maxAge: 15 * 60 * 1000, // Match token expiry
 });
 // Validate both token and fingerprint
 function validateToken(token, fingerprintCookie) {
-  const decoded = jwt.verify(token, secret, { algorithms: ['HS256'] });
+  const decoded = jwt.verify(token, secret, { algorithms: ["HS256"] });
-  const fingerprintHash = crypto
-    .createHash('sha256')
-    .update(fingerprintCookie)
-    .digest('hex');
+  const fingerprintHash = crypto.createHash("sha256").update(fingerprintCookie).digest("hex");
   if (decoded.fph !== fingerprintHash) {
-    throw new Error('Invalid fingerprint');
+    throw new Error("Invalid fingerprint");
   }
   return decoded;
@@ -105,16 +95,16 @@ function validateToken(token, fingerprintCookie) {
 ```javascript
 // Store token in sessionStorage
-sessionStorage.setItem('token', jwt);
+sessionStorage.setItem("token", jwt);
 // Clear on logout
-sessionStorage.removeItem('token');
+sessionStorage.removeItem("token");
 // Send in Authorization header
-fetch('/api/data', {
+fetch("/api/data", {
   headers: {
-    'Authorization': `Bearer ${sessionStorage.getItem('token')}`
-  }
+    Authorization: `Bearer ${sessionStorage.getItem("token")}`,
+  },
 });
 ```
@@ -122,11 +112,11 @@ fetch('/api/data', {
 ```javascript
 // Server sets cookie
-res.cookie('token', jwt, {
-  httpOnly: true,     // Not accessible via JavaScript
-  secure: true,       // HTTPS only
-  sameSite: 'Strict', // CSRF protection
-  maxAge: 15 * 60 * 1000
+res.cookie("token", jwt, {
+  httpOnly: true, // Not accessible via JavaScript
+  secure: true, // HTTPS only
+  sameSite: "Strict", // CSRF protection
+  maxAge: 15 * 60 * 1000,
 });
 // Need CSRF protection with cookie-based auth
@@ -136,50 +126,42 @@ res.cookie('token', jwt, {
 ```javascript
 // VULNERABLE - persists after browser close, accessible to XSS
-localStorage.setItem('token', jwt);  // Not recommended
+localStorage.setItem("token", jwt); // Not recommended
 ```
 ## Token Expiration
 ```javascript
 // Short-lived access tokens (15-60 minutes)
-const accessToken = jwt.sign(payload, secret, { expiresIn: '15m' });
+const accessToken = jwt.sign(payload, secret, { expiresIn: "15m" });
 // Longer refresh tokens (days/weeks)
-const refreshToken = jwt.sign(
-  { sub: userId, type: 'refresh' },
-  refreshSecret,
-  { expiresIn: '7d' }
-);
+const refreshToken = jwt.sign({ sub: userId, type: "refresh" }, refreshSecret, { expiresIn: "7d" });
 // Refresh endpoint
-app.post('/refresh', async (req, res) => {
+app.post("/refresh", async (req, res) => {
   const { refreshToken } = req.body;
   try {
     const decoded = jwt.verify(refreshToken, refreshSecret, {
-      algorithms: ['HS256']
+      algorithms: ["HS256"],
     });
-    if (decoded.type !== 'refresh') {
-      throw new Error('Invalid token type');
+    if (decoded.type !== "refresh") {
+      throw new Error("Invalid token type");
     }
     // Check if refresh token is revoked
     if (await isTokenRevoked(decoded)) {
-      throw new Error('Token revoked');
+      throw new Error("Token revoked");
     }
     // Issue new access token
-    const newAccessToken = jwt.sign(
-      { sub: decoded.sub },
-      secret,
-      { expiresIn: '15m' }
-    );
+    const newAccessToken = jwt.sign({ sub: decoded.sub }, secret, { expiresIn: "15m" });
     res.json({ accessToken: newAccessToken });
   } catch (error) {
-    res.status(401).json({ error: 'Invalid refresh token' });
+    res.status(401).json({ error: "Invalid refresh token" });
   }
 });
 ```
@@ -190,15 +172,15 @@ JWTs are stateless, so revocation requires additional mechanisms:
 ```javascript
 // Denylist approach
-const revokedTokens = new Map();  // Use Redis in production
+const revokedTokens = new Map(); // Use Redis in production
 function revokeToken(token) {
-  const decoded = jwt.verify(token, secret, { algorithms: ['HS256'] });
+  const decoded = jwt.verify(token, secret, { algorithms: ["HS256"] });
   const tokenId = decoded.jti;
   const expiry = decoded.exp * 1000;
   if (!tokenId || !expiry) {
-    throw new Error('Token missing required revocation claims');
+    throw new Error("Token missing required revocation claims");
   }
   // Store until token expires
@@ -213,11 +195,7 @@ function isTokenRevoked(decoded) {
 }
 // Include jti (JWT ID) in tokens
-const token = jwt.sign(
-  { sub: userId, jti: crypto.randomUUID() },
-  secret,
-  { expiresIn: '15m' }
-);
+const token = jwt.sign({ sub: userId, jti: crypto.randomUUID() }, secret, { expiresIn: "15m" });
 ```
 ## Token Information Disclosure
@@ -226,17 +204,23 @@ JWTs are base64-encoded, not encrypted. Sensitive data is visible.
 ```javascript
 // VULNERABLE - sensitive data in payload
-const token = jwt.sign({
-  sub: userId,
-  ssn: '123-45-6789',  // Visible to anyone!
-  salary: 100000
-}, secret);
+const token = jwt.sign(
+  {
+    sub: userId,
+    ssn: "123-45-6789", // Visible to anyone!
+    salary: 100000,
+  },
+  secret,
+);
 // SECURE - minimal claims
-const token = jwt.sign({
-  sub: userId,
-  role: 'user'
-}, secret);
+const token = jwt.sign(
+  {
+    sub: userId,
+    role: "user",
+  },
+  secret,
+);
 // If sensitive data required, encrypt the token
 const encryptedToken = encrypt(token, encryptionKey);
@@ -248,38 +232,38 @@ const encryptedToken = encrypt(token, encryptionKey);
 function authenticateToken(req, res, next) {
   // Get token from header
   const authHeader = req.headers.authorization;
-  const token = authHeader?.split(' ')[1];  // "Bearer TOKEN"
+  const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : undefined;
   if (!token) {
-    return res.status(401).json({ error: 'Token required' });
+    return res.status(401).json({ error: "Token required" });
   }
   try {
     // Verify with explicit algorithm
     const decoded = jwt.verify(token, secret, {
-      algorithms: ['HS256'],
-      issuer: 'myapp',
-      audience: 'myapp-users'
+      algorithms: ["HS256"],
+      issuer: "myapp",
+      audience: "myapp-users",
     });
     // Validate fingerprint if using sidejacking protection
-    const fingerprint = req.cookies['__Secure-Fgp'];
+    const fingerprint = req.cookies["__Secure-Fgp"];
     if (!validateFingerprint(decoded, fingerprint)) {
-      throw new Error('Invalid fingerprint');
+      throw new Error("Invalid fingerprint");
     }
     // Check revocation
     if (isTokenRevoked(decoded)) {
-      throw new Error('Token revoked');
+      throw new Error("Token revoked");
     }
     req.user = decoded;
     next();
   } catch (error) {
-    if (error.name === 'TokenExpiredError') {
-      return res.status(401).json({ error: 'Token expired' });
+    if (error.name === "TokenExpiredError") {
+      return res.status(401).json({ error: "Token expired" });
     }
-    return res.status(403).json({ error: 'Invalid token' });
+    return res.status(403).json({ error: "Invalid token" });
   }
 }
 ```