npm - @shware/http - Versions diffs - 1.1.9 → 1.1.10 - Mend

@shware/http 1.1.9 → 1.1.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/LICENSE +21 -0
package/dist/hono/__tests__/csrf.test.cjs +164 -0
package/dist/hono/__tests__/csrf.test.cjs.map +1 -0
package/dist/hono/__tests__/csrf.test.d.cts +2 -0
package/dist/hono/__tests__/csrf.test.d.ts +2 -0
package/dist/hono/__tests__/csrf.test.mjs +162 -0
package/dist/hono/__tests__/csrf.test.mjs.map +1 -0
package/dist/hono/csrf.cjs +93 -0
package/dist/hono/csrf.cjs.map +1 -0
package/dist/hono/csrf.d.cts +65 -0
package/dist/hono/csrf.d.ts +65 -0
package/dist/hono/csrf.mjs +68 -0
package/dist/hono/csrf.mjs.map +1 -0
package/dist/hono/handler.cjs.map +1 -1
package/dist/hono/handler.d.cts +1 -1
package/dist/hono/handler.d.ts +1 -1
package/dist/hono/handler.mjs.map +1 -1
package/dist/hono/index.cjs +3 -0
package/dist/hono/index.cjs.map +1 -1
package/dist/hono/index.d.cts +1 -0
package/dist/hono/index.d.ts +1 -0
package/dist/hono/index.mjs +2 -0
package/dist/hono/index.mjs.map +1 -1
package/package.json +12 -12

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2025 Shware Inc.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/hono/__tests__/csrf.test.cjs ADDED Viewed

@@ -0,0 +1,164 @@
+"use strict";
+// src/hono/__tests__/csrf.test.ts
+var import_hono = require("hono");
+var import_csrf = require("../csrf.cjs");
+var import_handler = require("../handler.cjs");
+describe("CSRF Protection", () => {
+  describe("csrfProtection middleware", () => {
+    let app;
+    beforeEach(() => {
+      app = new import_hono.Hono();
+      app.onError(import_handler.errorHandler);
+    });
+    it("should allow GET requests without CSRF token", async () => {
+      app.use((0, import_csrf.csrf)());
+      app.get("/test", (c) => c.text("OK"));
+      const res = await app.request("/test");
+      expect(res.status).toBe(200);
+      expect(await res.text()).toBe("OK");
+    });
+    it("should allow HEAD requests without CSRF token", async () => {
+      app.use((0, import_csrf.csrf)());
+      app.all("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", { method: "HEAD" });
+      expect(res.status).toBe(200);
+    });
+    it("should allow OPTIONS requests without CSRF token", async () => {
+      app.use((0, import_csrf.csrf)());
+      app.options("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", { method: "OPTIONS" });
+      expect(res.status).toBe(200);
+    });
+    it("should reject POST requests without CSRF token", async () => {
+      app.use((0, import_csrf.csrf)());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", { method: "POST" });
+      expect(res.status).toBe(403);
+    });
+    it("should reject POST requests with mismatched tokens", async () => {
+      app.use((0, import_csrf.csrf)());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { "X-XSRF-TOKEN": "header-token", Cookie: "XSRF-TOKEN=cookie-token" }
+      });
+      expect(res.status).toBe(403);
+    });
+    it("should allow POST requests with matching tokens", async () => {
+      app.use((0, import_csrf.csrf)());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: {
+          "X-XSRF-TOKEN": "matching-token",
+          Cookie: "XSRF-TOKEN=matching-token"
+        }
+      });
+      expect(res.status).toBe(200);
+      expect(await res.text()).toBe("OK");
+    });
+    it("should use custom cookie and header names", async () => {
+      app.use((0, import_csrf.csrf)({ cookieName: "csrf-token", headerName: "X-CSRF-Token" }));
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: {
+          "X-CSRF-Token": "test-token",
+          Cookie: "csrf-token=test-token"
+        }
+      });
+      expect(res.status).toBe(200);
+    });
+    it("should ignore specified paths", async () => {
+      app.use((0, import_csrf.csrf)({ ignores: [{ path: "/webhook/*", methods: ["POST"] }] }));
+      app.post("/webhook/stripe", (c) => c.text("OK"));
+      app.post("/api/data", (c) => c.text("OK"));
+      const webhookRes = await app.request("/webhook/stripe", { method: "POST" });
+      expect(webhookRes.status).toBe(200);
+      const apiRes = await app.request("/api/data", { method: "POST" });
+      expect(apiRes.status).toBe(403);
+    });
+    it("should ignore all methods for a path when methods not specified", async () => {
+      app.use((0, import_csrf.csrf)({ ignores: [{ path: "/auth/apple/callback" }] }));
+      app.post("/auth/apple/callback", (c) => c.text("OK"));
+      app.put("/auth/apple/callback", (c) => c.text("OK"));
+      const postRes = await app.request("/auth/apple/callback", { method: "POST" });
+      expect(postRes.status).toBe(200);
+      const putRes = await app.request("/auth/apple/callback", { method: "PUT" });
+      expect(putRes.status).toBe(200);
+    });
+    it("should handle empty tokens safely", async () => {
+      app.use((0, import_csrf.csrf)());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { "X-XSRF-TOKEN": "", Cookie: "XSRF-TOKEN=" }
+      });
+      expect(res.status).toBe(403);
+    });
+    it("should handle missing cookie", async () => {
+      app.use((0, import_csrf.csrf)());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { "X-XSRF-TOKEN": "token" }
+      });
+      expect(res.status).toBe(403);
+    });
+    it("should handle missing header", async () => {
+      app.use((0, import_csrf.csrf)());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { Cookie: "XSRF-TOKEN=token" }
+      });
+      expect(res.status).toBe(403);
+    });
+    it("should use custom error message", async () => {
+      app.use((0, import_csrf.csrf)({ errorMessage: "Custom CSRF error" }));
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", { method: "POST" });
+      expect(res.status).toBe(403);
+      const body = await res.json();
+      expect(body.error.message).toBe("Custom CSRF error");
+    });
+    it("should work with custom safe methods", async () => {
+      app.use((0, import_csrf.csrf)({ safeMethods: ["GET"] }));
+      app.all("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", { method: "HEAD" });
+      expect(res.status).toBe(403);
+    });
+    it("should handle complex ignore patterns", async () => {
+      app.use(
+        (0, import_csrf.csrf)({
+          ignores: [
+            { path: "/api/v1/*", methods: ["GET", "POST"] },
+            { path: "/api/v2/*", methods: ["POST"] },
+            { path: "/public/*" }
+            // All methods
+          ]
+        })
+      );
+      app.get("/api/v1/users", (c) => c.text("OK"));
+      app.post("/api/v1/users", (c) => c.text("OK"));
+      app.put("/api/v1/users", (c) => c.text("OK"));
+      app.post("/api/v2/users", (c) => c.text("OK"));
+      app.get("/api/v2/users", (c) => c.text("OK"));
+      app.post("/public/data", (c) => c.text("OK"));
+      let res = await app.request("/api/v1/users", { method: "GET" });
+      expect(res.status).toBe(200);
+      res = await app.request("/api/v1/users", { method: "POST" });
+      expect(res.status).toBe(200);
+      res = await app.request("/api/v1/users", { method: "PUT" });
+      expect(res.status).toBe(403);
+      res = await app.request("/api/v2/users", { method: "POST" });
+      expect(res.status).toBe(200);
+      res = await app.request("/api/v2/users", { method: "GET" });
+      expect(res.status).toBe(200);
+      res = await app.request("/public/data", { method: "POST" });
+      expect(res.status).toBe(200);
+    });
+  });
+});
+//# sourceMappingURL=csrf.test.cjs.map

package/dist/hono/__tests__/csrf.test.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/hono/__tests__/csrf.test.ts"],"sourcesContent":["import { Hono } from 'hono';\nimport { csrf } from '../csrf';\nimport { errorHandler, type Env } from '../handler';\n\ndescribe('CSRF Protection', () => {\n describe('csrfProtection middleware', () => {\n let app: Hono<Env>;\n\n beforeEach(() => {\n app = new Hono();\n app.onError(errorHandler);\n });\n\n it('should allow GET requests without CSRF token', async () => {\n app.use(csrf());\n app.get('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test');\n expect(res.status).toBe(200);\n expect(await res.text()).toBe('OK');\n });\n\n it('should allow HEAD requests without CSRF token', async () => {\n app.use(csrf());\n app.all('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', { method: 'HEAD' });\n expect(res.status).toBe(200);\n });\n\n it('should allow OPTIONS requests without CSRF token', async () => {\n app.use(csrf());\n app.options('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', { method: 'OPTIONS' });\n expect(res.status).toBe(200);\n });\n\n it('should reject POST requests without CSRF token', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', { method: 'POST' });\n expect(res.status).toBe(403);\n });\n\n it('should reject POST requests with mismatched tokens', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: { 'X-XSRF-TOKEN': 'header-token', Cookie: 'XSRF-TOKEN=cookie-token' },\n });\n expect(res.status).toBe(403);\n });\n\n it('should allow POST requests with matching tokens', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: {\n 'X-XSRF-TOKEN': 'matching-token',\n Cookie: 'XSRF-TOKEN=matching-token',\n },\n });\n expect(res.status).toBe(200);\n expect(await res.text()).toBe('OK');\n });\n\n it('should use custom cookie and header names', async () => {\n app.use(csrf({ cookieName: 'csrf-token', headerName: 'X-CSRF-Token' }));\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: {\n 'X-CSRF-Token': 'test-token',\n Cookie: 'csrf-token=test-token',\n },\n });\n expect(res.status).toBe(200);\n });\n\n it('should ignore specified paths', async () => {\n app.use(csrf({ ignores: [{ path: '/webhook/*', methods: ['POST'] }] }));\n app.post('/webhook/stripe', (c) => c.text('OK'));\n app.post('/api/data', (c) => c.text('OK'));\n\n // Ignored path should work without CSRF token\n const webhookRes = await app.request('/webhook/stripe', { method: 'POST' });\n expect(webhookRes.status).toBe(200);\n\n // Non-ignored path should require CSRF token\n const apiRes = await app.request('/api/data', { method: 'POST' });\n expect(apiRes.status).toBe(403);\n });\n\n it('should ignore all methods for a path when methods not specified', async () => {\n app.use(csrf({ ignores: [{ path: '/auth/apple/callback' }] }));\n app.post('/auth/apple/callback', (c) => c.text('OK'));\n app.put('/auth/apple/callback', (c) => c.text('OK'));\n\n const postRes = await app.request('/auth/apple/callback', { method: 'POST' });\n expect(postRes.status).toBe(200);\n\n const putRes = await app.request('/auth/apple/callback', { method: 'PUT' });\n expect(putRes.status).toBe(200);\n });\n\n it('should handle empty tokens safely', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: { 'X-XSRF-TOKEN': '', Cookie: 'XSRF-TOKEN=' },\n });\n expect(res.status).toBe(403);\n });\n\n it('should handle missing cookie', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: { 'X-XSRF-TOKEN': 'token' },\n });\n expect(res.status).toBe(403);\n });\n\n it('should handle missing header', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: { Cookie: 'XSRF-TOKEN=token' },\n });\n expect(res.status).toBe(403);\n });\n\n it('should use custom error message', async () => {\n app.use(csrf({ errorMessage: 'Custom CSRF error' }));\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', { method: 'POST' });\n expect(res.status).toBe(403);\n const body = await res.json();\n expect(body.error.message).toBe('Custom CSRF error');\n });\n\n it('should work with custom safe methods', async () => {\n app.use(csrf({ safeMethods: ['GET'] }));\n app.all('/test', (c) => c.text('OK'));\n\n // HEAD is no longer safe, should require CSRF token\n const res = await app.request('/test', { method: 'HEAD' });\n expect(res.status).toBe(403);\n });\n\n it('should handle complex ignore patterns', async () => {\n app.use(\n csrf({\n ignores: [\n { path: '/api/v1/*', methods: ['GET', 'POST'] },\n { path: '/api/v2/*', methods: ['POST'] },\n { path: '/public/*' }, // All methods\n ],\n })\n );\n\n app.get('/api/v1/users', (c) => c.text('OK'));\n app.post('/api/v1/users', (c) => c.text('OK'));\n app.put('/api/v1/users', (c) => c.text('OK'));\n app.post('/api/v2/users', (c) => c.text('OK'));\n app.get('/api/v2/users', (c) => c.text('OK'));\n app.post('/public/data', (c) => c.text('OK'));\n\n // Ignored GET and POST for /api/v1/*\n let res = await app.request('/api/v1/users', { method: 'GET' });\n expect(res.status).toBe(200);\n\n res = await app.request('/api/v1/users', { method: 'POST' });\n expect(res.status).toBe(200);\n\n // PUT not ignored for /api/v1/*\n res = await app.request('/api/v1/users', { method: 'PUT' });\n expect(res.status).toBe(403);\n\n // Only POST ignored for /api/v2/*\n res = await app.request('/api/v2/users', { method: 'POST' });\n expect(res.status).toBe(200);\n\n // GET not ignored for /api/v2/* (but GET is safe by default)\n res = await app.request('/api/v2/users', { method: 'GET' });\n expect(res.status).toBe(200);\n\n // All methods ignored for /public/*\n res = await app.request('/public/data', { method: 'POST' });\n expect(res.status).toBe(200);\n });\n });\n});\n"],"mappings":";;;AAAA,kBAAqB;AACrB,kBAAqB;AACrB,qBAAuC;AAEvC,SAAS,mBAAmB,MAAM;AAChC,WAAS,6BAA6B,MAAM;AAC1C,QAAI;AAEJ,eAAW,MAAM;AACf,YAAM,IAAI,iBAAK;AACf,UAAI,QAAQ,2BAAY;AAAA,IAC1B,CAAC;AAED,OAAG,gDAAgD,YAAY;AAC7D,UAAI,QAAI,kBAAK,CAAC;AACd,UAAI,IAAI,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAEpC,YAAM,MAAM,MAAM,IAAI,QAAQ,OAAO;AACrC,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAC3B,aAAO,MAAM,IAAI,KAAK,CAAC,EAAE,KAAK,IAAI;AAAA,IACpC,CAAC;AAED,OAAG,iDAAiD,YAAY;AAC9D,UAAI,QAAI,kBAAK,CAAC;AACd,UAAI,IAAI,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAEpC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS,EAAE,QAAQ,OAAO,CAAC;AACzD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,oDAAoD,YAAY;AACjE,UAAI,QAAI,kBAAK,CAAC;AACd,UAAI,QAAQ,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAExC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS,EAAE,QAAQ,UAAU,CAAC;AAC5D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,kDAAkD,YAAY;AAC/D,UAAI,QAAI,kBAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS,EAAE,QAAQ,OAAO,CAAC;AACzD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,sDAAsD,YAAY;AACnE,UAAI,QAAI,kBAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,gBAAgB,QAAQ,0BAA0B;AAAA,MAC/E,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,mDAAmD,YAAY;AAChE,UAAI,QAAI,kBAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,QAAQ;AAAA,QACV;AAAA,MACF,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAC3B,aAAO,MAAM,IAAI,KAAK,CAAC,EAAE,KAAK,IAAI;AAAA,IACpC,CAAC;AAED,OAAG,6CAA6C,YAAY;AAC1D,UAAI,QAAI,kBAAK,EAAE,YAAY,cAAc,YAAY,eAAe,CAAC,CAAC;AACtE,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,QAAQ;AAAA,QACV;AAAA,MACF,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,iCAAiC,YAAY;AAC9C,UAAI,QAAI,kBAAK,EAAE,SAAS,CAAC,EAAE,MAAM,cAAc,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;AACtE,UAAI,KAAK,mBAAmB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC/C,UAAI,KAAK,aAAa,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAGzC,YAAM,aAAa,MAAM,IAAI,QAAQ,mBAAmB,EAAE,QAAQ,OAAO,CAAC;AAC1E,aAAO,WAAW,MAAM,EAAE,KAAK,GAAG;AAGlC,YAAM,SAAS,MAAM,IAAI,QAAQ,aAAa,EAAE,QAAQ,OAAO,CAAC;AAChE,aAAO,OAAO,MAAM,EAAE,KAAK,GAAG;AAAA,IAChC,CAAC;AAED,OAAG,mEAAmE,YAAY;AAChF,UAAI,QAAI,kBAAK,EAAE,SAAS,CAAC,EAAE,MAAM,uBAAuB,CAAC,EAAE,CAAC,CAAC;AAC7D,UAAI,KAAK,wBAAwB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AACpD,UAAI,IAAI,wBAAwB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAEnD,YAAM,UAAU,MAAM,IAAI,QAAQ,wBAAwB,EAAE,QAAQ,OAAO,CAAC;AAC5E,aAAO,QAAQ,MAAM,EAAE,KAAK,GAAG;AAE/B,YAAM,SAAS,MAAM,IAAI,QAAQ,wBAAwB,EAAE,QAAQ,MAAM,CAAC;AAC1E,aAAO,OAAO,MAAM,EAAE,KAAK,GAAG;AAAA,IAChC,CAAC;AAED,OAAG,qCAAqC,YAAY;AAClD,UAAI,QAAI,kBAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,IAAI,QAAQ,cAAc;AAAA,MACvD,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,gCAAgC,YAAY;AAC7C,UAAI,QAAI,kBAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,QAAQ;AAAA,MACrC,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,gCAAgC,YAAY;AAC7C,UAAI,QAAI,kBAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS,EAAE,QAAQ,mBAAmB;AAAA,MACxC,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,mCAAmC,YAAY;AAChD,UAAI,QAAI,kBAAK,EAAE,cAAc,oBAAoB,CAAC,CAAC;AACnD,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS,EAAE,QAAQ,OAAO,CAAC;AACzD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAC3B,YAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,aAAO,KAAK,MAAM,OAAO,EAAE,KAAK,mBAAmB;AAAA,IACrD,CAAC;AAED,OAAG,wCAAwC,YAAY;AACrD,UAAI,QAAI,kBAAK,EAAE,aAAa,CAAC,KAAK,EAAE,CAAC,CAAC;AACtC,UAAI,IAAI,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAGpC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS,EAAE,QAAQ,OAAO,CAAC;AACzD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,yCAAyC,YAAY;AACtD,UAAI;AAAA,YACF,kBAAK;AAAA,UACH,SAAS;AAAA,YACP,EAAE,MAAM,aAAa,SAAS,CAAC,OAAO,MAAM,EAAE;AAAA,YAC9C,EAAE,MAAM,aAAa,SAAS,CAAC,MAAM,EAAE;AAAA,YACvC,EAAE,MAAM,YAAY;AAAA;AAAA,UACtB;AAAA,QACF,CAAC;AAAA,MACH;AAEA,UAAI,IAAI,iBAAiB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC5C,UAAI,KAAK,iBAAiB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC7C,UAAI,IAAI,iBAAiB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC5C,UAAI,KAAK,iBAAiB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC7C,UAAI,IAAI,iBAAiB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC5C,UAAI,KAAK,gBAAgB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAG5C,UAAI,MAAM,MAAM,IAAI,QAAQ,iBAAiB,EAAE,QAAQ,MAAM,CAAC;AAC9D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAE3B,YAAM,MAAM,IAAI,QAAQ,iBAAiB,EAAE,QAAQ,OAAO,CAAC;AAC3D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAG3B,YAAM,MAAM,IAAI,QAAQ,iBAAiB,EAAE,QAAQ,MAAM,CAAC;AAC1D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAG3B,YAAM,MAAM,IAAI,QAAQ,iBAAiB,EAAE,QAAQ,OAAO,CAAC;AAC3D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAG3B,YAAM,MAAM,IAAI,QAAQ,iBAAiB,EAAE,QAAQ,MAAM,CAAC;AAC1D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAG3B,YAAM,MAAM,IAAI,QAAQ,gBAAgB,EAAE,QAAQ,OAAO,CAAC;AAC1D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAAA,EACH,CAAC;AACH,CAAC;","names":[]}

package/dist/hono/__tests__/csrf.test.d.cts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+
2	+ export { }

package/dist/hono/__tests__/csrf.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+
2	+ export { }

package/dist/hono/__tests__/csrf.test.mjs ADDED Viewed

@@ -0,0 +1,162 @@
+// src/hono/__tests__/csrf.test.ts
+import { Hono } from "hono";
+import { csrf } from "../csrf.mjs";
+import { errorHandler } from "../handler.mjs";
+describe("CSRF Protection", () => {
+  describe("csrfProtection middleware", () => {
+    let app;
+    beforeEach(() => {
+      app = new Hono();
+      app.onError(errorHandler);
+    });
+    it("should allow GET requests without CSRF token", async () => {
+      app.use(csrf());
+      app.get("/test", (c) => c.text("OK"));
+      const res = await app.request("/test");
+      expect(res.status).toBe(200);
+      expect(await res.text()).toBe("OK");
+    });
+    it("should allow HEAD requests without CSRF token", async () => {
+      app.use(csrf());
+      app.all("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", { method: "HEAD" });
+      expect(res.status).toBe(200);
+    });
+    it("should allow OPTIONS requests without CSRF token", async () => {
+      app.use(csrf());
+      app.options("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", { method: "OPTIONS" });
+      expect(res.status).toBe(200);
+    });
+    it("should reject POST requests without CSRF token", async () => {
+      app.use(csrf());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", { method: "POST" });
+      expect(res.status).toBe(403);
+    });
+    it("should reject POST requests with mismatched tokens", async () => {
+      app.use(csrf());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { "X-XSRF-TOKEN": "header-token", Cookie: "XSRF-TOKEN=cookie-token" }
+      });
+      expect(res.status).toBe(403);
+    });
+    it("should allow POST requests with matching tokens", async () => {
+      app.use(csrf());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: {
+          "X-XSRF-TOKEN": "matching-token",
+          Cookie: "XSRF-TOKEN=matching-token"
+        }
+      });
+      expect(res.status).toBe(200);
+      expect(await res.text()).toBe("OK");
+    });
+    it("should use custom cookie and header names", async () => {
+      app.use(csrf({ cookieName: "csrf-token", headerName: "X-CSRF-Token" }));
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: {
+          "X-CSRF-Token": "test-token",
+          Cookie: "csrf-token=test-token"
+        }
+      });
+      expect(res.status).toBe(200);
+    });
+    it("should ignore specified paths", async () => {
+      app.use(csrf({ ignores: [{ path: "/webhook/*", methods: ["POST"] }] }));
+      app.post("/webhook/stripe", (c) => c.text("OK"));
+      app.post("/api/data", (c) => c.text("OK"));
+      const webhookRes = await app.request("/webhook/stripe", { method: "POST" });
+      expect(webhookRes.status).toBe(200);
+      const apiRes = await app.request("/api/data", { method: "POST" });
+      expect(apiRes.status).toBe(403);
+    });
+    it("should ignore all methods for a path when methods not specified", async () => {
+      app.use(csrf({ ignores: [{ path: "/auth/apple/callback" }] }));
+      app.post("/auth/apple/callback", (c) => c.text("OK"));
+      app.put("/auth/apple/callback", (c) => c.text("OK"));
+      const postRes = await app.request("/auth/apple/callback", { method: "POST" });
+      expect(postRes.status).toBe(200);
+      const putRes = await app.request("/auth/apple/callback", { method: "PUT" });
+      expect(putRes.status).toBe(200);
+    });
+    it("should handle empty tokens safely", async () => {
+      app.use(csrf());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { "X-XSRF-TOKEN": "", Cookie: "XSRF-TOKEN=" }
+      });
+      expect(res.status).toBe(403);
+    });
+    it("should handle missing cookie", async () => {
+      app.use(csrf());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { "X-XSRF-TOKEN": "token" }
+      });
+      expect(res.status).toBe(403);
+    });
+    it("should handle missing header", async () => {
+      app.use(csrf());
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", {
+        method: "POST",
+        headers: { Cookie: "XSRF-TOKEN=token" }
+      });
+      expect(res.status).toBe(403);
+    });
+    it("should use custom error message", async () => {
+      app.use(csrf({ errorMessage: "Custom CSRF error" }));
+      app.post("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", { method: "POST" });
+      expect(res.status).toBe(403);
+      const body = await res.json();
+      expect(body.error.message).toBe("Custom CSRF error");
+    });
+    it("should work with custom safe methods", async () => {
+      app.use(csrf({ safeMethods: ["GET"] }));
+      app.all("/test", (c) => c.text("OK"));
+      const res = await app.request("/test", { method: "HEAD" });
+      expect(res.status).toBe(403);
+    });
+    it("should handle complex ignore patterns", async () => {
+      app.use(
+        csrf({
+          ignores: [
+            { path: "/api/v1/*", methods: ["GET", "POST"] },
+            { path: "/api/v2/*", methods: ["POST"] },
+            { path: "/public/*" }
+            // All methods
+          ]
+        })
+      );
+      app.get("/api/v1/users", (c) => c.text("OK"));
+      app.post("/api/v1/users", (c) => c.text("OK"));
+      app.put("/api/v1/users", (c) => c.text("OK"));
+      app.post("/api/v2/users", (c) => c.text("OK"));
+      app.get("/api/v2/users", (c) => c.text("OK"));
+      app.post("/public/data", (c) => c.text("OK"));
+      let res = await app.request("/api/v1/users", { method: "GET" });
+      expect(res.status).toBe(200);
+      res = await app.request("/api/v1/users", { method: "POST" });
+      expect(res.status).toBe(200);
+      res = await app.request("/api/v1/users", { method: "PUT" });
+      expect(res.status).toBe(403);
+      res = await app.request("/api/v2/users", { method: "POST" });
+      expect(res.status).toBe(200);
+      res = await app.request("/api/v2/users", { method: "GET" });
+      expect(res.status).toBe(200);
+      res = await app.request("/public/data", { method: "POST" });
+      expect(res.status).toBe(200);
+    });
+  });
+});
+//# sourceMappingURL=csrf.test.mjs.map

package/dist/hono/__tests__/csrf.test.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/hono/__tests__/csrf.test.ts"],"sourcesContent":["import { Hono } from 'hono';\nimport { csrf } from '../csrf';\nimport { errorHandler, type Env } from '../handler';\n\ndescribe('CSRF Protection', () => {\n describe('csrfProtection middleware', () => {\n let app: Hono<Env>;\n\n beforeEach(() => {\n app = new Hono();\n app.onError(errorHandler);\n });\n\n it('should allow GET requests without CSRF token', async () => {\n app.use(csrf());\n app.get('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test');\n expect(res.status).toBe(200);\n expect(await res.text()).toBe('OK');\n });\n\n it('should allow HEAD requests without CSRF token', async () => {\n app.use(csrf());\n app.all('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', { method: 'HEAD' });\n expect(res.status).toBe(200);\n });\n\n it('should allow OPTIONS requests without CSRF token', async () => {\n app.use(csrf());\n app.options('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', { method: 'OPTIONS' });\n expect(res.status).toBe(200);\n });\n\n it('should reject POST requests without CSRF token', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', { method: 'POST' });\n expect(res.status).toBe(403);\n });\n\n it('should reject POST requests with mismatched tokens', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: { 'X-XSRF-TOKEN': 'header-token', Cookie: 'XSRF-TOKEN=cookie-token' },\n });\n expect(res.status).toBe(403);\n });\n\n it('should allow POST requests with matching tokens', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: {\n 'X-XSRF-TOKEN': 'matching-token',\n Cookie: 'XSRF-TOKEN=matching-token',\n },\n });\n expect(res.status).toBe(200);\n expect(await res.text()).toBe('OK');\n });\n\n it('should use custom cookie and header names', async () => {\n app.use(csrf({ cookieName: 'csrf-token', headerName: 'X-CSRF-Token' }));\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: {\n 'X-CSRF-Token': 'test-token',\n Cookie: 'csrf-token=test-token',\n },\n });\n expect(res.status).toBe(200);\n });\n\n it('should ignore specified paths', async () => {\n app.use(csrf({ ignores: [{ path: '/webhook/*', methods: ['POST'] }] }));\n app.post('/webhook/stripe', (c) => c.text('OK'));\n app.post('/api/data', (c) => c.text('OK'));\n\n // Ignored path should work without CSRF token\n const webhookRes = await app.request('/webhook/stripe', { method: 'POST' });\n expect(webhookRes.status).toBe(200);\n\n // Non-ignored path should require CSRF token\n const apiRes = await app.request('/api/data', { method: 'POST' });\n expect(apiRes.status).toBe(403);\n });\n\n it('should ignore all methods for a path when methods not specified', async () => {\n app.use(csrf({ ignores: [{ path: '/auth/apple/callback' }] }));\n app.post('/auth/apple/callback', (c) => c.text('OK'));\n app.put('/auth/apple/callback', (c) => c.text('OK'));\n\n const postRes = await app.request('/auth/apple/callback', { method: 'POST' });\n expect(postRes.status).toBe(200);\n\n const putRes = await app.request('/auth/apple/callback', { method: 'PUT' });\n expect(putRes.status).toBe(200);\n });\n\n it('should handle empty tokens safely', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: { 'X-XSRF-TOKEN': '', Cookie: 'XSRF-TOKEN=' },\n });\n expect(res.status).toBe(403);\n });\n\n it('should handle missing cookie', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: { 'X-XSRF-TOKEN': 'token' },\n });\n expect(res.status).toBe(403);\n });\n\n it('should handle missing header', async () => {\n app.use(csrf());\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', {\n method: 'POST',\n headers: { Cookie: 'XSRF-TOKEN=token' },\n });\n expect(res.status).toBe(403);\n });\n\n it('should use custom error message', async () => {\n app.use(csrf({ errorMessage: 'Custom CSRF error' }));\n app.post('/test', (c) => c.text('OK'));\n\n const res = await app.request('/test', { method: 'POST' });\n expect(res.status).toBe(403);\n const body = await res.json();\n expect(body.error.message).toBe('Custom CSRF error');\n });\n\n it('should work with custom safe methods', async () => {\n app.use(csrf({ safeMethods: ['GET'] }));\n app.all('/test', (c) => c.text('OK'));\n\n // HEAD is no longer safe, should require CSRF token\n const res = await app.request('/test', { method: 'HEAD' });\n expect(res.status).toBe(403);\n });\n\n it('should handle complex ignore patterns', async () => {\n app.use(\n csrf({\n ignores: [\n { path: '/api/v1/*', methods: ['GET', 'POST'] },\n { path: '/api/v2/*', methods: ['POST'] },\n { path: '/public/*' }, // All methods\n ],\n })\n );\n\n app.get('/api/v1/users', (c) => c.text('OK'));\n app.post('/api/v1/users', (c) => c.text('OK'));\n app.put('/api/v1/users', (c) => c.text('OK'));\n app.post('/api/v2/users', (c) => c.text('OK'));\n app.get('/api/v2/users', (c) => c.text('OK'));\n app.post('/public/data', (c) => c.text('OK'));\n\n // Ignored GET and POST for /api/v1/*\n let res = await app.request('/api/v1/users', { method: 'GET' });\n expect(res.status).toBe(200);\n\n res = await app.request('/api/v1/users', { method: 'POST' });\n expect(res.status).toBe(200);\n\n // PUT not ignored for /api/v1/*\n res = await app.request('/api/v1/users', { method: 'PUT' });\n expect(res.status).toBe(403);\n\n // Only POST ignored for /api/v2/*\n res = await app.request('/api/v2/users', { method: 'POST' });\n expect(res.status).toBe(200);\n\n // GET not ignored for /api/v2/* (but GET is safe by default)\n res = await app.request('/api/v2/users', { method: 'GET' });\n expect(res.status).toBe(200);\n\n // All methods ignored for /public/*\n res = await app.request('/public/data', { method: 'POST' });\n expect(res.status).toBe(200);\n });\n });\n});\n"],"mappings":";AAAA,SAAS,YAAY;AACrB,SAAS,YAAY;AACrB,SAAS,oBAA8B;AAEvC,SAAS,mBAAmB,MAAM;AAChC,WAAS,6BAA6B,MAAM;AAC1C,QAAI;AAEJ,eAAW,MAAM;AACf,YAAM,IAAI,KAAK;AACf,UAAI,QAAQ,YAAY;AAAA,IAC1B,CAAC;AAED,OAAG,gDAAgD,YAAY;AAC7D,UAAI,IAAI,KAAK,CAAC;AACd,UAAI,IAAI,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAEpC,YAAM,MAAM,MAAM,IAAI,QAAQ,OAAO;AACrC,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAC3B,aAAO,MAAM,IAAI,KAAK,CAAC,EAAE,KAAK,IAAI;AAAA,IACpC,CAAC;AAED,OAAG,iDAAiD,YAAY;AAC9D,UAAI,IAAI,KAAK,CAAC;AACd,UAAI,IAAI,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAEpC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS,EAAE,QAAQ,OAAO,CAAC;AACzD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,oDAAoD,YAAY;AACjE,UAAI,IAAI,KAAK,CAAC;AACd,UAAI,QAAQ,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAExC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS,EAAE,QAAQ,UAAU,CAAC;AAC5D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,kDAAkD,YAAY;AAC/D,UAAI,IAAI,KAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS,EAAE,QAAQ,OAAO,CAAC;AACzD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,sDAAsD,YAAY;AACnE,UAAI,IAAI,KAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,gBAAgB,QAAQ,0BAA0B;AAAA,MAC/E,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,mDAAmD,YAAY;AAChE,UAAI,IAAI,KAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,QAAQ;AAAA,QACV;AAAA,MACF,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAC3B,aAAO,MAAM,IAAI,KAAK,CAAC,EAAE,KAAK,IAAI;AAAA,IACpC,CAAC;AAED,OAAG,6CAA6C,YAAY;AAC1D,UAAI,IAAI,KAAK,EAAE,YAAY,cAAc,YAAY,eAAe,CAAC,CAAC;AACtE,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,QAAQ;AAAA,QACV;AAAA,MACF,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,iCAAiC,YAAY;AAC9C,UAAI,IAAI,KAAK,EAAE,SAAS,CAAC,EAAE,MAAM,cAAc,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;AACtE,UAAI,KAAK,mBAAmB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC/C,UAAI,KAAK,aAAa,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAGzC,YAAM,aAAa,MAAM,IAAI,QAAQ,mBAAmB,EAAE,QAAQ,OAAO,CAAC;AAC1E,aAAO,WAAW,MAAM,EAAE,KAAK,GAAG;AAGlC,YAAM,SAAS,MAAM,IAAI,QAAQ,aAAa,EAAE,QAAQ,OAAO,CAAC;AAChE,aAAO,OAAO,MAAM,EAAE,KAAK,GAAG;AAAA,IAChC,CAAC;AAED,OAAG,mEAAmE,YAAY;AAChF,UAAI,IAAI,KAAK,EAAE,SAAS,CAAC,EAAE,MAAM,uBAAuB,CAAC,EAAE,CAAC,CAAC;AAC7D,UAAI,KAAK,wBAAwB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AACpD,UAAI,IAAI,wBAAwB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAEnD,YAAM,UAAU,MAAM,IAAI,QAAQ,wBAAwB,EAAE,QAAQ,OAAO,CAAC;AAC5E,aAAO,QAAQ,MAAM,EAAE,KAAK,GAAG;AAE/B,YAAM,SAAS,MAAM,IAAI,QAAQ,wBAAwB,EAAE,QAAQ,MAAM,CAAC;AAC1E,aAAO,OAAO,MAAM,EAAE,KAAK,GAAG;AAAA,IAChC,CAAC;AAED,OAAG,qCAAqC,YAAY;AAClD,UAAI,IAAI,KAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,IAAI,QAAQ,cAAc;AAAA,MACvD,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,gCAAgC,YAAY;AAC7C,UAAI,IAAI,KAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,QAAQ;AAAA,MACrC,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,gCAAgC,YAAY;AAC7C,UAAI,IAAI,KAAK,CAAC;AACd,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS;AAAA,QACrC,QAAQ;AAAA,QACR,SAAS,EAAE,QAAQ,mBAAmB;AAAA,MACxC,CAAC;AACD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,mCAAmC,YAAY;AAChD,UAAI,IAAI,KAAK,EAAE,cAAc,oBAAoB,CAAC,CAAC;AACnD,UAAI,KAAK,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAErC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS,EAAE,QAAQ,OAAO,CAAC;AACzD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAC3B,YAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,aAAO,KAAK,MAAM,OAAO,EAAE,KAAK,mBAAmB;AAAA,IACrD,CAAC;AAED,OAAG,wCAAwC,YAAY;AACrD,UAAI,IAAI,KAAK,EAAE,aAAa,CAAC,KAAK,EAAE,CAAC,CAAC;AACtC,UAAI,IAAI,SAAS,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAGpC,YAAM,MAAM,MAAM,IAAI,QAAQ,SAAS,EAAE,QAAQ,OAAO,CAAC;AACzD,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAED,OAAG,yCAAyC,YAAY;AACtD,UAAI;AAAA,QACF,KAAK;AAAA,UACH,SAAS;AAAA,YACP,EAAE,MAAM,aAAa,SAAS,CAAC,OAAO,MAAM,EAAE;AAAA,YAC9C,EAAE,MAAM,aAAa,SAAS,CAAC,MAAM,EAAE;AAAA,YACvC,EAAE,MAAM,YAAY;AAAA;AAAA,UACtB;AAAA,QACF,CAAC;AAAA,MACH;AAEA,UAAI,IAAI,iBAAiB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC5C,UAAI,KAAK,iBAAiB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC7C,UAAI,IAAI,iBAAiB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC5C,UAAI,KAAK,iBAAiB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC7C,UAAI,IAAI,iBAAiB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAC5C,UAAI,KAAK,gBAAgB,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC;AAG5C,UAAI,MAAM,MAAM,IAAI,QAAQ,iBAAiB,EAAE,QAAQ,MAAM,CAAC;AAC9D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAE3B,YAAM,MAAM,IAAI,QAAQ,iBAAiB,EAAE,QAAQ,OAAO,CAAC;AAC3D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAG3B,YAAM,MAAM,IAAI,QAAQ,iBAAiB,EAAE,QAAQ,MAAM,CAAC;AAC1D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAG3B,YAAM,MAAM,IAAI,QAAQ,iBAAiB,EAAE,QAAQ,OAAO,CAAC;AAC3D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAG3B,YAAM,MAAM,IAAI,QAAQ,iBAAiB,EAAE,QAAQ,MAAM,CAAC;AAC1D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAG3B,YAAM,MAAM,IAAI,QAAQ,gBAAgB,EAAE,QAAQ,OAAO,CAAC;AAC1D,aAAO,IAAI,MAAM,EAAE,KAAK,GAAG;AAAA,IAC7B,CAAC;AAAA,EACH,CAAC;AACH,CAAC;","names":[]}

package/dist/hono/csrf.cjs ADDED Viewed

@@ -0,0 +1,93 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/hono/csrf.ts
+var csrf_exports = {};
+__export(csrf_exports, {
+  csrf: () => csrf
+});
+module.exports = __toCommonJS(csrf_exports);
+var import_crypto = require("crypto");
+var import_cookie = require("hono/cookie");
+var import_router = require("hono/router");
+var import_reg_exp_router = require("hono/router/reg-exp-router");
+var import_smart_router = require("hono/router/smart-router");
+var import_trie_router = require("hono/router/trie-router");
+var import_status = require("../error/status.cjs");
+function safeCompare(a, b) {
+  if (typeof a !== "string" || typeof b !== "string") return false;
+  if (a.length === 0 || b.length === 0) return false;
+  const bufferA = Buffer.from(a, "utf-8");
+  const bufferB = Buffer.from(b, "utf-8");
+  if (bufferA.length !== bufferB.length) return false;
+  return (0, import_crypto.timingSafeEqual)(bufferA, bufferB);
+}
+function csrf(config = {}) {
+  const cookieName = config.cookieName ?? "XSRF-TOKEN";
+  const headerName = config.headerName ?? "X-XSRF-TOKEN";
+  const safeMethods = new Set(config.safeMethods ?? ["GET", "HEAD", "OPTIONS"]);
+  const errorMessage = config.errorMessage ?? "CSRF token validation failed";
+  const router = new import_smart_router.SmartRouter({
+    routers: [new import_reg_exp_router.RegExpRouter(), new import_trie_router.TrieRouter()]
+  });
+  if (config.ignores) {
+    for (const rule of config.ignores) {
+      if (rule.methods && rule.methods.length > 0) {
+        for (const method of rule.methods) {
+          router.add(method, rule.path, true);
+        }
+      } else {
+        router.add(import_router.METHOD_NAME_ALL, rule.path, true);
+      }
+    }
+  }
+  function shouldIgnore(method, path) {
+    if (safeMethods.has(method)) {
+      return true;
+    }
+    const [matchedAll] = router.match(import_router.METHOD_NAME_ALL, path);
+    if (matchedAll.length > 0) {
+      return true;
+    }
+    const [matchedMethod] = router.match(method, path);
+    return matchedMethod.length > 0;
+  }
+  return async (c, next) => {
+    const method = c.req.method;
+    const path = c.req.path;
+    if (shouldIgnore(method, path)) {
+      await next();
+      return;
+    }
+    const cookieToken = (0, import_cookie.getCookie)(c, cookieName);
+    const headerToken = c.req.header(headerName);
+    if (!cookieToken || !headerToken) {
+      throw import_status.Status.permissionDenied(errorMessage).error();
+    }
+    if (!safeCompare(cookieToken, headerToken)) {
+      throw import_status.Status.permissionDenied(errorMessage).error();
+    }
+    await next();
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  csrf
+});
+//# sourceMappingURL=csrf.cjs.map

package/dist/hono/csrf.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/hono/csrf.ts"],"sourcesContent":["import { timingSafeEqual } from 'crypto';\nimport { getCookie } from 'hono/cookie';\nimport { METHOD_NAME_ALL } from 'hono/router';\nimport { RegExpRouter } from 'hono/router/reg-exp-router';\nimport { SmartRouter } from 'hono/router/smart-router';\nimport { TrieRouter } from 'hono/router/trie-router';\nimport { Status } from '../error/status';\nimport type { MiddlewareHandler } from 'hono';\n\ntype HTTPMethod = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS';\n\nexport interface CSRFIgnoreRule {\n path: string;\n methods?: HTTPMethod[];\n}\n\nexport interface CSRFConfig {\n /**\n * Cookie name for CSRF token\n * @default 'XSRF-TOKEN'\n */\n cookieName?: string;\n\n /**\n * Header name for CSRF token\n * @default 'X-XSRF-TOKEN'\n */\n headerName?: string;\n\n /**\n * Ignore rules for specific paths and methods\n * @example\n * [\n * { path: '/api/webhook/*', methods: ['POST'] },\n * { path: '/auth/apple/callback' }, // ignores all methods\n * ]\n */\n ignores?: CSRFIgnoreRule[];\n\n /**\n * Skip CSRF check for these methods\n * @default ['GET', 'HEAD', 'OPTIONS']\n */\n safeMethods?: HTTPMethod[];\n\n /**\n * Custom error message\n * @default 'CSRF token validation failed'\n */\n errorMessage?: string;\n}\n\n/** use timing safe compare to prevent timing attack */\nfunction safeCompare(a: string, b: string): boolean {\n if (typeof a !== 'string' || typeof b !== 'string') return false;\n if (a.length === 0 || b.length === 0) return false;\n\n const bufferA = Buffer.from(a, 'utf-8');\n const bufferB = Buffer.from(b, 'utf-8');\n if (bufferA.length !== bufferB.length) return false;\n return timingSafeEqual(bufferA, bufferB);\n}\n\n/**\n * Create CSRF protection middleware\n *\n * @example\n * ```ts\n * import { Hono } from 'hono';\n * import { csrf } from '@shware/http/hono';\n *\n * const app = new Hono();\n *\n * // basic usage\n * app.use(csrf());\n *\n * // with configuration\n * app.use(csrf({\n * cookieName: 'csrf-token',\n * headerName: 'X-CSRF-Token',\n * ignores: [\n * { path: '/api/webhook/*', methods: ['POST'] },\n * { path: '/auth/apple/callback' },\n * ]\n * }));\n * ```\n */\nexport function csrf(config: CSRFConfig = {}): MiddlewareHandler {\n const cookieName = config.cookieName ?? 'XSRF-TOKEN';\n const headerName = config.headerName ?? 'X-XSRF-TOKEN';\n const safeMethods = new Set(config.safeMethods ?? ['GET', 'HEAD', 'OPTIONS']);\n const errorMessage = config.errorMessage ?? 'CSRF token validation failed';\n\n // initialize router for matching ignore rules\n const router = new SmartRouter<boolean>({\n routers: [new RegExpRouter(), new TrieRouter()],\n });\n\n // register ignore rules\n if (config.ignores) {\n for (const rule of config.ignores) {\n if (rule.methods && rule.methods.length > 0) {\n for (const method of rule.methods) {\n router.add(method, rule.path, true);\n }\n } else {\n // if no methods are specified, ignore all methods\n router.add(METHOD_NAME_ALL, rule.path, true);\n }\n }\n }\n\n // check if the request should be ignored\n function shouldIgnore(method: string, path: string): boolean {\n if (safeMethods.has(method)) {\n return true;\n }\n const [matchedAll] = router.match(METHOD_NAME_ALL, path);\n if (matchedAll.length > 0) {\n return true;\n }\n const [matchedMethod] = router.match(method, path);\n return matchedMethod.length > 0;\n }\n\n // return middleware\n return async (c, next) => {\n const method = c.req.method;\n const path = c.req.path;\n\n if (shouldIgnore(method, path)) {\n await next();\n return;\n }\n\n const cookieToken = getCookie(c, cookieName);\n const headerToken = c.req.header(headerName);\n\n if (!cookieToken || !headerToken) {\n throw Status.permissionDenied(errorMessage).error();\n }\n\n if (!safeCompare(cookieToken, headerToken)) {\n throw Status.permissionDenied(errorMessage).error();\n }\n\n await next();\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAAgC;AAChC,oBAA0B;AAC1B,oBAAgC;AAChC,4BAA6B;AAC7B,0BAA4B;AAC5B,yBAA2B;AAC3B,oBAAuB;AA+CvB,SAAS,YAAY,GAAW,GAAoB;AAClD,MAAI,OAAO,MAAM,YAAY,OAAO,MAAM,SAAU,QAAO;AAC3D,MAAI,EAAE,WAAW,KAAK,EAAE,WAAW,EAAG,QAAO;AAE7C,QAAM,UAAU,OAAO,KAAK,GAAG,OAAO;AACtC,QAAM,UAAU,OAAO,KAAK,GAAG,OAAO;AACtC,MAAI,QAAQ,WAAW,QAAQ,OAAQ,QAAO;AAC9C,aAAO,+BAAgB,SAAS,OAAO;AACzC;AA0BO,SAAS,KAAK,SAAqB,CAAC,GAAsB;AAC/D,QAAM,aAAa,OAAO,cAAc;AACxC,QAAM,aAAa,OAAO,cAAc;AACxC,QAAM,cAAc,IAAI,IAAI,OAAO,eAAe,CAAC,OAAO,QAAQ,SAAS,CAAC;AAC5E,QAAM,eAAe,OAAO,gBAAgB;AAG5C,QAAM,SAAS,IAAI,gCAAqB;AAAA,IACtC,SAAS,CAAC,IAAI,mCAAa,GAAG,IAAI,8BAAW,CAAC;AAAA,EAChD,CAAC;AAGD,MAAI,OAAO,SAAS;AAClB,eAAW,QAAQ,OAAO,SAAS;AACjC,UAAI,KAAK,WAAW,KAAK,QAAQ,SAAS,GAAG;AAC3C,mBAAW,UAAU,KAAK,SAAS;AACjC,iBAAO,IAAI,QAAQ,KAAK,MAAM,IAAI;AAAA,QACpC;AAAA,MACF,OAAO;AAEL,eAAO,IAAI,+BAAiB,KAAK,MAAM,IAAI;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AAGA,WAAS,aAAa,QAAgB,MAAuB;AAC3D,QAAI,YAAY,IAAI,MAAM,GAAG;AAC3B,aAAO;AAAA,IACT;AACA,UAAM,CAAC,UAAU,IAAI,OAAO,MAAM,+BAAiB,IAAI;AACvD,QAAI,WAAW,SAAS,GAAG;AACzB,aAAO;AAAA,IACT;AACA,UAAM,CAAC,aAAa,IAAI,OAAO,MAAM,QAAQ,IAAI;AACjD,WAAO,cAAc,SAAS;AAAA,EAChC;AAGA,SAAO,OAAO,GAAG,SAAS;AACxB,UAAM,SAAS,EAAE,IAAI;AACrB,UAAM,OAAO,EAAE,IAAI;AAEnB,QAAI,aAAa,QAAQ,IAAI,GAAG;AAC9B,YAAM,KAAK;AACX;AAAA,IACF;AAEA,UAAM,kBAAc,yBAAU,GAAG,UAAU;AAC3C,UAAM,cAAc,EAAE,IAAI,OAAO,UAAU;AAE3C,QAAI,CAAC,eAAe,CAAC,aAAa;AAChC,YAAM,qBAAO,iBAAiB,YAAY,EAAE,MAAM;AAAA,IACpD;AAEA,QAAI,CAAC,YAAY,aAAa,WAAW,GAAG;AAC1C,YAAM,qBAAO,iBAAiB,YAAY,EAAE,MAAM;AAAA,IACpD;AAEA,UAAM,KAAK;AAAA,EACb;AACF;","names":[]}

package/dist/hono/csrf.d.cts ADDED Viewed

@@ -0,0 +1,65 @@
+import { MiddlewareHandler } from 'hono';
+type HTTPMethod = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS';
+interface CSRFIgnoreRule {
+    path: string;
+    methods?: HTTPMethod[];
+}
+interface CSRFConfig {
+    /**
+     * Cookie name for CSRF token
+     * @default 'XSRF-TOKEN'
+     */
+    cookieName?: string;
+    /**
+     * Header name for CSRF token
+     * @default 'X-XSRF-TOKEN'
+     */
+    headerName?: string;
+    /**
+     * Ignore rules for specific paths and methods
+     * @example
+     * [
+     *   { path: '/api/webhook/*', methods: ['POST'] },
+     *   { path: '/auth/apple/callback' }, // ignores all methods
+     * ]
+     */
+    ignores?: CSRFIgnoreRule[];
+    /**
+     * Skip CSRF check for these methods
+     * @default ['GET', 'HEAD', 'OPTIONS']
+     */
+    safeMethods?: HTTPMethod[];
+    /**
+     * Custom error message
+     * @default 'CSRF token validation failed'
+     */
+    errorMessage?: string;
+}
+/**
+ * Create CSRF protection middleware
+ *
+ * @example
+ * ```ts
+ * import { Hono } from 'hono';
+ * import { csrf } from '@shware/http/hono';
+ *
+ * const app = new Hono();
+ *
+ * // basic usage
+ * app.use(csrf());
+ *
+ * // with configuration
+ * app.use(csrf({
+ *   cookieName: 'csrf-token',
+ *   headerName: 'X-CSRF-Token',
+ *   ignores: [
+ *     { path: '/api/webhook/*', methods: ['POST'] },
+ *     { path: '/auth/apple/callback' },
+ *   ]
+ * }));
+ * ```
+ */
+declare function csrf(config?: CSRFConfig): MiddlewareHandler;
+export { type CSRFConfig, type CSRFIgnoreRule, csrf };

package/dist/hono/csrf.d.ts ADDED Viewed

@@ -0,0 +1,65 @@
+import { MiddlewareHandler } from 'hono';
+type HTTPMethod = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS';
+interface CSRFIgnoreRule {
+    path: string;
+    methods?: HTTPMethod[];
+}
+interface CSRFConfig {
+    /**
+     * Cookie name for CSRF token
+     * @default 'XSRF-TOKEN'
+     */
+    cookieName?: string;
+    /**
+     * Header name for CSRF token
+     * @default 'X-XSRF-TOKEN'
+     */
+    headerName?: string;
+    /**
+     * Ignore rules for specific paths and methods
+     * @example
+     * [
+     *   { path: '/api/webhook/*', methods: ['POST'] },
+     *   { path: '/auth/apple/callback' }, // ignores all methods
+     * ]
+     */
+    ignores?: CSRFIgnoreRule[];
+    /**
+     * Skip CSRF check for these methods
+     * @default ['GET', 'HEAD', 'OPTIONS']
+     */
+    safeMethods?: HTTPMethod[];
+    /**
+     * Custom error message
+     * @default 'CSRF token validation failed'
+     */
+    errorMessage?: string;
+}
+/**
+ * Create CSRF protection middleware
+ *
+ * @example
+ * ```ts
+ * import { Hono } from 'hono';
+ * import { csrf } from '@shware/http/hono';
+ *
+ * const app = new Hono();
+ *
+ * // basic usage
+ * app.use(csrf());
+ *
+ * // with configuration
+ * app.use(csrf({
+ *   cookieName: 'csrf-token',
+ *   headerName: 'X-CSRF-Token',
+ *   ignores: [
+ *     { path: '/api/webhook/*', methods: ['POST'] },
+ *     { path: '/auth/apple/callback' },
+ *   ]
+ * }));
+ * ```
+ */
+declare function csrf(config?: CSRFConfig): MiddlewareHandler;
+export { type CSRFConfig, type CSRFIgnoreRule, csrf };

package/dist/hono/csrf.mjs ADDED Viewed

@@ -0,0 +1,68 @@
+// src/hono/csrf.ts
+import { timingSafeEqual } from "crypto";
+import { getCookie } from "hono/cookie";
+import { METHOD_NAME_ALL } from "hono/router";
+import { RegExpRouter } from "hono/router/reg-exp-router";
+import { SmartRouter } from "hono/router/smart-router";
+import { TrieRouter } from "hono/router/trie-router";
+import { Status } from "../error/status.mjs";
+function safeCompare(a, b) {
+  if (typeof a !== "string" || typeof b !== "string") return false;
+  if (a.length === 0 || b.length === 0) return false;
+  const bufferA = Buffer.from(a, "utf-8");
+  const bufferB = Buffer.from(b, "utf-8");
+  if (bufferA.length !== bufferB.length) return false;
+  return timingSafeEqual(bufferA, bufferB);
+}
+function csrf(config = {}) {
+  const cookieName = config.cookieName ?? "XSRF-TOKEN";
+  const headerName = config.headerName ?? "X-XSRF-TOKEN";
+  const safeMethods = new Set(config.safeMethods ?? ["GET", "HEAD", "OPTIONS"]);
+  const errorMessage = config.errorMessage ?? "CSRF token validation failed";
+  const router = new SmartRouter({
+    routers: [new RegExpRouter(), new TrieRouter()]
+  });
+  if (config.ignores) {
+    for (const rule of config.ignores) {
+      if (rule.methods && rule.methods.length > 0) {
+        for (const method of rule.methods) {
+          router.add(method, rule.path, true);
+        }
+      } else {
+        router.add(METHOD_NAME_ALL, rule.path, true);
+      }
+    }
+  }
+  function shouldIgnore(method, path) {
+    if (safeMethods.has(method)) {
+      return true;
+    }
+    const [matchedAll] = router.match(METHOD_NAME_ALL, path);
+    if (matchedAll.length > 0) {
+      return true;
+    }
+    const [matchedMethod] = router.match(method, path);
+    return matchedMethod.length > 0;
+  }
+  return async (c, next) => {
+    const method = c.req.method;
+    const path = c.req.path;
+    if (shouldIgnore(method, path)) {
+      await next();
+      return;
+    }
+    const cookieToken = getCookie(c, cookieName);
+    const headerToken = c.req.header(headerName);
+    if (!cookieToken || !headerToken) {
+      throw Status.permissionDenied(errorMessage).error();
+    }
+    if (!safeCompare(cookieToken, headerToken)) {
+      throw Status.permissionDenied(errorMessage).error();
+    }
+    await next();
+  };
+}
+export {
+  csrf
+};
+//# sourceMappingURL=csrf.mjs.map

package/dist/hono/csrf.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/hono/csrf.ts"],"sourcesContent":["import { timingSafeEqual } from 'crypto';\nimport { getCookie } from 'hono/cookie';\nimport { METHOD_NAME_ALL } from 'hono/router';\nimport { RegExpRouter } from 'hono/router/reg-exp-router';\nimport { SmartRouter } from 'hono/router/smart-router';\nimport { TrieRouter } from 'hono/router/trie-router';\nimport { Status } from '../error/status';\nimport type { MiddlewareHandler } from 'hono';\n\ntype HTTPMethod = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS';\n\nexport interface CSRFIgnoreRule {\n path: string;\n methods?: HTTPMethod[];\n}\n\nexport interface CSRFConfig {\n /**\n * Cookie name for CSRF token\n * @default 'XSRF-TOKEN'\n */\n cookieName?: string;\n\n /**\n * Header name for CSRF token\n * @default 'X-XSRF-TOKEN'\n */\n headerName?: string;\n\n /**\n * Ignore rules for specific paths and methods\n * @example\n * [\n * { path: '/api/webhook/*', methods: ['POST'] },\n * { path: '/auth/apple/callback' }, // ignores all methods\n * ]\n */\n ignores?: CSRFIgnoreRule[];\n\n /**\n * Skip CSRF check for these methods\n * @default ['GET', 'HEAD', 'OPTIONS']\n */\n safeMethods?: HTTPMethod[];\n\n /**\n * Custom error message\n * @default 'CSRF token validation failed'\n */\n errorMessage?: string;\n}\n\n/** use timing safe compare to prevent timing attack */\nfunction safeCompare(a: string, b: string): boolean {\n if (typeof a !== 'string' || typeof b !== 'string') return false;\n if (a.length === 0 || b.length === 0) return false;\n\n const bufferA = Buffer.from(a, 'utf-8');\n const bufferB = Buffer.from(b, 'utf-8');\n if (bufferA.length !== bufferB.length) return false;\n return timingSafeEqual(bufferA, bufferB);\n}\n\n/**\n * Create CSRF protection middleware\n *\n * @example\n * ```ts\n * import { Hono } from 'hono';\n * import { csrf } from '@shware/http/hono';\n *\n * const app = new Hono();\n *\n * // basic usage\n * app.use(csrf());\n *\n * // with configuration\n * app.use(csrf({\n * cookieName: 'csrf-token',\n * headerName: 'X-CSRF-Token',\n * ignores: [\n * { path: '/api/webhook/*', methods: ['POST'] },\n * { path: '/auth/apple/callback' },\n * ]\n * }));\n * ```\n */\nexport function csrf(config: CSRFConfig = {}): MiddlewareHandler {\n const cookieName = config.cookieName ?? 'XSRF-TOKEN';\n const headerName = config.headerName ?? 'X-XSRF-TOKEN';\n const safeMethods = new Set(config.safeMethods ?? ['GET', 'HEAD', 'OPTIONS']);\n const errorMessage = config.errorMessage ?? 'CSRF token validation failed';\n\n // initialize router for matching ignore rules\n const router = new SmartRouter<boolean>({\n routers: [new RegExpRouter(), new TrieRouter()],\n });\n\n // register ignore rules\n if (config.ignores) {\n for (const rule of config.ignores) {\n if (rule.methods && rule.methods.length > 0) {\n for (const method of rule.methods) {\n router.add(method, rule.path, true);\n }\n } else {\n // if no methods are specified, ignore all methods\n router.add(METHOD_NAME_ALL, rule.path, true);\n }\n }\n }\n\n // check if the request should be ignored\n function shouldIgnore(method: string, path: string): boolean {\n if (safeMethods.has(method)) {\n return true;\n }\n const [matchedAll] = router.match(METHOD_NAME_ALL, path);\n if (matchedAll.length > 0) {\n return true;\n }\n const [matchedMethod] = router.match(method, path);\n return matchedMethod.length > 0;\n }\n\n // return middleware\n return async (c, next) => {\n const method = c.req.method;\n const path = c.req.path;\n\n if (shouldIgnore(method, path)) {\n await next();\n return;\n }\n\n const cookieToken = getCookie(c, cookieName);\n const headerToken = c.req.header(headerName);\n\n if (!cookieToken || !headerToken) {\n throw Status.permissionDenied(errorMessage).error();\n }\n\n if (!safeCompare(cookieToken, headerToken)) {\n throw Status.permissionDenied(errorMessage).error();\n }\n\n await next();\n };\n}\n"],"mappings":";AAAA,SAAS,uBAAuB;AAChC,SAAS,iBAAiB;AAC1B,SAAS,uBAAuB;AAChC,SAAS,oBAAoB;AAC7B,SAAS,mBAAmB;AAC5B,SAAS,kBAAkB;AAC3B,SAAS,cAAc;AA+CvB,SAAS,YAAY,GAAW,GAAoB;AAClD,MAAI,OAAO,MAAM,YAAY,OAAO,MAAM,SAAU,QAAO;AAC3D,MAAI,EAAE,WAAW,KAAK,EAAE,WAAW,EAAG,QAAO;AAE7C,QAAM,UAAU,OAAO,KAAK,GAAG,OAAO;AACtC,QAAM,UAAU,OAAO,KAAK,GAAG,OAAO;AACtC,MAAI,QAAQ,WAAW,QAAQ,OAAQ,QAAO;AAC9C,SAAO,gBAAgB,SAAS,OAAO;AACzC;AA0BO,SAAS,KAAK,SAAqB,CAAC,GAAsB;AAC/D,QAAM,aAAa,OAAO,cAAc;AACxC,QAAM,aAAa,OAAO,cAAc;AACxC,QAAM,cAAc,IAAI,IAAI,OAAO,eAAe,CAAC,OAAO,QAAQ,SAAS,CAAC;AAC5E,QAAM,eAAe,OAAO,gBAAgB;AAG5C,QAAM,SAAS,IAAI,YAAqB;AAAA,IACtC,SAAS,CAAC,IAAI,aAAa,GAAG,IAAI,WAAW,CAAC;AAAA,EAChD,CAAC;AAGD,MAAI,OAAO,SAAS;AAClB,eAAW,QAAQ,OAAO,SAAS;AACjC,UAAI,KAAK,WAAW,KAAK,QAAQ,SAAS,GAAG;AAC3C,mBAAW,UAAU,KAAK,SAAS;AACjC,iBAAO,IAAI,QAAQ,KAAK,MAAM,IAAI;AAAA,QACpC;AAAA,MACF,OAAO;AAEL,eAAO,IAAI,iBAAiB,KAAK,MAAM,IAAI;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AAGA,WAAS,aAAa,QAAgB,MAAuB;AAC3D,QAAI,YAAY,IAAI,MAAM,GAAG;AAC3B,aAAO;AAAA,IACT;AACA,UAAM,CAAC,UAAU,IAAI,OAAO,MAAM,iBAAiB,IAAI;AACvD,QAAI,WAAW,SAAS,GAAG;AACzB,aAAO;AAAA,IACT;AACA,UAAM,CAAC,aAAa,IAAI,OAAO,MAAM,QAAQ,IAAI;AACjD,WAAO,cAAc,SAAS;AAAA,EAChC;AAGA,SAAO,OAAO,GAAG,SAAS;AACxB,UAAM,SAAS,EAAE,IAAI;AACrB,UAAM,OAAO,EAAE,IAAI;AAEnB,QAAI,aAAa,QAAQ,IAAI,GAAG;AAC9B,YAAM,KAAK;AACX;AAAA,IACF;AAEA,UAAM,cAAc,UAAU,GAAG,UAAU;AAC3C,UAAM,cAAc,EAAE,IAAI,OAAO,UAAU;AAE3C,QAAI,CAAC,eAAe,CAAC,aAAa;AAChC,YAAM,OAAO,iBAAiB,YAAY,EAAE,MAAM;AAAA,IACpD;AAEA,QAAI,CAAC,YAAY,aAAa,WAAW,GAAG;AAC1C,YAAM,OAAO,iBAAiB,YAAY,EAAE,MAAM;AAAA,IACpD;AAEA,UAAM,KAAK;AAAA,EACb;AACF;","names":[]}

package/dist/hono/handler.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/hono/handler.ts"],"sourcesContent":["import { Details, DetailType } from '../error/detail';\nimport { Status, StatusError } from '../error/status';\nimport type { AxiosError } from 'axios';\nimport type { Context } from 'hono';\nimport type { RequestIdVariables } from 'hono/request-id';\nimport type { HTTPResponseError, Bindings } from 'hono/types';\nimport type { ContentfulStatusCode } from 'hono/utils/http-status';\n\~~ntype~~ Env = {\n Variables: RequestIdVariables;\n Bindings?: Bindings;\n};\n\nexport function isAxiosError(payload: unknown): payload is AxiosError {\n return (\n payload !== null &&\n typeof payload === 'object' &&\n 'isAxiosError' in payload &&\n payload.isAxiosError === true\n );\n}\n\nexport function errorHandler<E extends Env = never>(\n error: Error \| HTTPResponseError,\n c: Context<E>\n): Response \| Promise<Response> {\n const requestId = c.get('requestId');\n const servingData = `${c.req.method}: ${c.req.path}`;\n const details = Details.new().requestInfo({ requestId, servingData });\n\n if (error instanceof StatusError) {\n error.body?.error?.details?.push(...details.list);\n const badRequest = error.body?.error?.details.find((d) => d.type === DetailType.BAD_REQUEST);\n if (badRequest) console.warn(servingData, badRequest);\n return c.json(error.body, error.status as ContentfulStatusCode);\n }\n\n if (error instanceof SyntaxError) {\n if (/^Cannot convert .* to a BigInt$/.test(error.message)) {\n return Status.invalidArgument(`Invalid number. ${error.message}`).response(details);\n }\n }\n\n if (isAxiosError(error)) {\n console.error({\n status: error.status,\n message: error.message,\n request: {\n method: error.config?.method,\n url: error.config?.url,\n data: error.config?.data,\n },\n response: { data: error.response?.data },\n });\n return Status.internal('Axios error').response(details);\n }\n\n console.error(`Unknown error: ${servingData}`, error);\n return Status.internal('Unknown error').response(details);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAAoC;AACpC,oBAAoC;AAY7B,SAAS,aAAa,SAAyC;AACpE,SACE,YAAY,QACZ,OAAO,YAAY,YACnB,kBAAkB,WAClB,QAAQ,iBAAiB;AAE7B;AAEO,SAAS,aACd,OACA,GAC8B;AAC9B,QAAM,YAAY,EAAE,IAAI,WAAW;AACnC,QAAM,cAAc,GAAG,EAAE,IAAI,MAAM,KAAK,EAAE,IAAI,IAAI;AAClD,QAAM,UAAU,sBAAQ,IAAI,EAAE,YAAY,EAAE,WAAW,YAAY,CAAC;AAEpE,MAAI,iBAAiB,2BAAa;AAChC,UAAM,MAAM,OAAO,SAAS,KAAK,GAAG,QAAQ,IAAI;AAChD,UAAM,aAAa,MAAM,MAAM,OAAO,QAAQ,KAAK,CAAC,MAAM,EAAE,SAAS,yBAAW,WAAW;AAC3F,QAAI,WAAY,SAAQ,KAAK,aAAa,UAAU;AACpD,WAAO,EAAE,KAAK,MAAM,MAAM,MAAM,MAA8B;AAAA,EAChE;AAEA,MAAI,iBAAiB,aAAa;AAChC,QAAI,kCAAkC,KAAK,MAAM,OAAO,GAAG;AACzD,aAAO,qBAAO,gBAAgB,mBAAmB,MAAM,OAAO,EAAE,EAAE,SAAS,OAAO;AAAA,IACpF;AAAA,EACF;AAEA,MAAI,aAAa,KAAK,GAAG;AACvB,YAAQ,MAAM;AAAA,MACZ,QAAQ,MAAM;AAAA,MACd,SAAS,MAAM;AAAA,MACf,SAAS;AAAA,QACP,QAAQ,MAAM,QAAQ;AAAA,QACtB,KAAK,MAAM,QAAQ;AAAA,QACnB,MAAM,MAAM,QAAQ;AAAA,MACtB;AAAA,MACA,UAAU,EAAE,MAAM,MAAM,UAAU,KAAK;AAAA,IACzC,CAAC;AACD,WAAO,qBAAO,SAAS,aAAa,EAAE,SAAS,OAAO;AAAA,EACxD;AAEA,UAAQ,MAAM,kBAAkB,WAAW,IAAI,KAAK;AACpD,SAAO,qBAAO,SAAS,eAAe,EAAE,SAAS,OAAO;AAC1D;","names":[]}
1	+ {"version":3,"sources":["../../src/hono/handler.ts"],"sourcesContent":["import { Details, DetailType } from '../error/detail';\nimport { Status, StatusError } from '../error/status';\nimport type { AxiosError } from 'axios';\nimport type { Context } from 'hono';\nimport type { RequestIdVariables } from 'hono/request-id';\nimport type { HTTPResponseError, Bindings } from 'hono/types';\nimport type { ContentfulStatusCode } from 'hono/utils/http-status';\n\nexport type Env = {\n Variables: RequestIdVariables;\n Bindings?: Bindings;\n};\n\nexport function isAxiosError(payload: unknown): payload is AxiosError {\n return (\n payload !== null &&\n typeof payload === 'object' &&\n 'isAxiosError' in payload &&\n payload.isAxiosError === true\n );\n}\n\nexport function errorHandler<E extends Env = never>(\n error: Error \| HTTPResponseError,\n c: Context<E>\n): Response \| Promise<Response> {\n const requestId = c.get('requestId');\n const servingData = `${c.req.method}: ${c.req.path}`;\n const details = Details.new().requestInfo({ requestId, servingData });\n\n if (error instanceof StatusError) {\n error.body?.error?.details?.push(...details.list);\n const badRequest = error.body?.error?.details.find((d) => d.type === DetailType.BAD_REQUEST);\n if (badRequest) console.warn(servingData, badRequest);\n return c.json(error.body, error.status as ContentfulStatusCode);\n }\n\n if (error instanceof SyntaxError) {\n if (/^Cannot convert .* to a BigInt$/.test(error.message)) {\n return Status.invalidArgument(`Invalid number. ${error.message}`).response(details);\n }\n }\n\n if (isAxiosError(error)) {\n console.error({\n status: error.status,\n message: error.message,\n request: {\n method: error.config?.method,\n url: error.config?.url,\n data: error.config?.data,\n },\n response: { data: error.response?.data },\n });\n return Status.internal('Axios error').response(details);\n }\n\n console.error(`Unknown error: ${servingData}`, error);\n return Status.internal('Unknown error').response(details);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAAoC;AACpC,oBAAoC;AAY7B,SAAS,aAAa,SAAyC;AACpE,SACE,YAAY,QACZ,OAAO,YAAY,YACnB,kBAAkB,WAClB,QAAQ,iBAAiB;AAE7B;AAEO,SAAS,aACd,OACA,GAC8B;AAC9B,QAAM,YAAY,EAAE,IAAI,WAAW;AACnC,QAAM,cAAc,GAAG,EAAE,IAAI,MAAM,KAAK,EAAE,IAAI,IAAI;AAClD,QAAM,UAAU,sBAAQ,IAAI,EAAE,YAAY,EAAE,WAAW,YAAY,CAAC;AAEpE,MAAI,iBAAiB,2BAAa;AAChC,UAAM,MAAM,OAAO,SAAS,KAAK,GAAG,QAAQ,IAAI;AAChD,UAAM,aAAa,MAAM,MAAM,OAAO,QAAQ,KAAK,CAAC,MAAM,EAAE,SAAS,yBAAW,WAAW;AAC3F,QAAI,WAAY,SAAQ,KAAK,aAAa,UAAU;AACpD,WAAO,EAAE,KAAK,MAAM,MAAM,MAAM,MAA8B;AAAA,EAChE;AAEA,MAAI,iBAAiB,aAAa;AAChC,QAAI,kCAAkC,KAAK,MAAM,OAAO,GAAG;AACzD,aAAO,qBAAO,gBAAgB,mBAAmB,MAAM,OAAO,EAAE,EAAE,SAAS,OAAO;AAAA,IACpF;AAAA,EACF;AAEA,MAAI,aAAa,KAAK,GAAG;AACvB,YAAQ,MAAM;AAAA,MACZ,QAAQ,MAAM;AAAA,MACd,SAAS,MAAM;AAAA,MACf,SAAS;AAAA,QACP,QAAQ,MAAM,QAAQ;AAAA,QACtB,KAAK,MAAM,QAAQ;AAAA,QACnB,MAAM,MAAM,QAAQ;AAAA,MACtB;AAAA,MACA,UAAU,EAAE,MAAM,MAAM,UAAU,KAAK;AAAA,IACzC,CAAC;AACD,WAAO,qBAAO,SAAS,aAAa,EAAE,SAAS,OAAO;AAAA,EACxD;AAEA,UAAQ,MAAM,kBAAkB,WAAW,IAAI,KAAK;AACpD,SAAO,qBAAO,SAAS,eAAe,EAAE,SAAS,OAAO;AAC1D;","names":[]}

package/dist/hono/handler.d.cts CHANGED Viewed

@@ -10,4 +10,4 @@ type Env = {
 declare function isAxiosError(payload: unknown): payload is AxiosError;
 declare function errorHandler<E extends Env = never>(error: Error | HTTPResponseError, c: Context<E>): Response | Promise<Response>;
-export { errorHandler, isAxiosError };
+export { type Env, errorHandler, isAxiosError };

package/dist/hono/handler.d.ts CHANGED Viewed

@@ -10,4 +10,4 @@ type Env = {
 declare function isAxiosError(payload: unknown): payload is AxiosError;
 declare function errorHandler<E extends Env = never>(error: Error | HTTPResponseError, c: Context<E>): Response | Promise<Response>;
-export { errorHandler, isAxiosError };
+export { type Env, errorHandler, isAxiosError };

package/dist/hono/handler.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/hono/handler.ts"],"sourcesContent":["import { Details, DetailType } from '../error/detail';\nimport { Status, StatusError } from '../error/status';\nimport type { AxiosError } from 'axios';\nimport type { Context } from 'hono';\nimport type { RequestIdVariables } from 'hono/request-id';\nimport type { HTTPResponseError, Bindings } from 'hono/types';\nimport type { ContentfulStatusCode } from 'hono/utils/http-status';\n\~~ntype~~ Env = {\n Variables: RequestIdVariables;\n Bindings?: Bindings;\n};\n\nexport function isAxiosError(payload: unknown): payload is AxiosError {\n return (\n payload !== null &&\n typeof payload === 'object' &&\n 'isAxiosError' in payload &&\n payload.isAxiosError === true\n );\n}\n\nexport function errorHandler<E extends Env = never>(\n error: Error \| HTTPResponseError,\n c: Context<E>\n): Response \| Promise<Response> {\n const requestId = c.get('requestId');\n const servingData = `${c.req.method}: ${c.req.path}`;\n const details = Details.new().requestInfo({ requestId, servingData });\n\n if (error instanceof StatusError) {\n error.body?.error?.details?.push(...details.list);\n const badRequest = error.body?.error?.details.find((d) => d.type === DetailType.BAD_REQUEST);\n if (badRequest) console.warn(servingData, badRequest);\n return c.json(error.body, error.status as ContentfulStatusCode);\n }\n\n if (error instanceof SyntaxError) {\n if (/^Cannot convert .* to a BigInt$/.test(error.message)) {\n return Status.invalidArgument(`Invalid number. ${error.message}`).response(details);\n }\n }\n\n if (isAxiosError(error)) {\n console.error({\n status: error.status,\n message: error.message,\n request: {\n method: error.config?.method,\n url: error.config?.url,\n data: error.config?.data,\n },\n response: { data: error.response?.data },\n });\n return Status.internal('Axios error').response(details);\n }\n\n console.error(`Unknown error: ${servingData}`, error);\n return Status.internal('Unknown error').response(details);\n}\n"],"mappings":";AAAA,SAAS,SAAS,kBAAkB;AACpC,SAAS,QAAQ,mBAAmB;AAY7B,SAAS,aAAa,SAAyC;AACpE,SACE,YAAY,QACZ,OAAO,YAAY,YACnB,kBAAkB,WAClB,QAAQ,iBAAiB;AAE7B;AAEO,SAAS,aACd,OACA,GAC8B;AAC9B,QAAM,YAAY,EAAE,IAAI,WAAW;AACnC,QAAM,cAAc,GAAG,EAAE,IAAI,MAAM,KAAK,EAAE,IAAI,IAAI;AAClD,QAAM,UAAU,QAAQ,IAAI,EAAE,YAAY,EAAE,WAAW,YAAY,CAAC;AAEpE,MAAI,iBAAiB,aAAa;AAChC,UAAM,MAAM,OAAO,SAAS,KAAK,GAAG,QAAQ,IAAI;AAChD,UAAM,aAAa,MAAM,MAAM,OAAO,QAAQ,KAAK,CAAC,MAAM,EAAE,SAAS,WAAW,WAAW;AAC3F,QAAI,WAAY,SAAQ,KAAK,aAAa,UAAU;AACpD,WAAO,EAAE,KAAK,MAAM,MAAM,MAAM,MAA8B;AAAA,EAChE;AAEA,MAAI,iBAAiB,aAAa;AAChC,QAAI,kCAAkC,KAAK,MAAM,OAAO,GAAG;AACzD,aAAO,OAAO,gBAAgB,mBAAmB,MAAM,OAAO,EAAE,EAAE,SAAS,OAAO;AAAA,IACpF;AAAA,EACF;AAEA,MAAI,aAAa,KAAK,GAAG;AACvB,YAAQ,MAAM;AAAA,MACZ,QAAQ,MAAM;AAAA,MACd,SAAS,MAAM;AAAA,MACf,SAAS;AAAA,QACP,QAAQ,MAAM,QAAQ;AAAA,QACtB,KAAK,MAAM,QAAQ;AAAA,QACnB,MAAM,MAAM,QAAQ;AAAA,MACtB;AAAA,MACA,UAAU,EAAE,MAAM,MAAM,UAAU,KAAK;AAAA,IACzC,CAAC;AACD,WAAO,OAAO,SAAS,aAAa,EAAE,SAAS,OAAO;AAAA,EACxD;AAEA,UAAQ,MAAM,kBAAkB,WAAW,IAAI,KAAK;AACpD,SAAO,OAAO,SAAS,eAAe,EAAE,SAAS,OAAO;AAC1D;","names":[]}
1	+ {"version":3,"sources":["../../src/hono/handler.ts"],"sourcesContent":["import { Details, DetailType } from '../error/detail';\nimport { Status, StatusError } from '../error/status';\nimport type { AxiosError } from 'axios';\nimport type { Context } from 'hono';\nimport type { RequestIdVariables } from 'hono/request-id';\nimport type { HTTPResponseError, Bindings } from 'hono/types';\nimport type { ContentfulStatusCode } from 'hono/utils/http-status';\n\nexport type Env = {\n Variables: RequestIdVariables;\n Bindings?: Bindings;\n};\n\nexport function isAxiosError(payload: unknown): payload is AxiosError {\n return (\n payload !== null &&\n typeof payload === 'object' &&\n 'isAxiosError' in payload &&\n payload.isAxiosError === true\n );\n}\n\nexport function errorHandler<E extends Env = never>(\n error: Error \| HTTPResponseError,\n c: Context<E>\n): Response \| Promise<Response> {\n const requestId = c.get('requestId');\n const servingData = `${c.req.method}: ${c.req.path}`;\n const details = Details.new().requestInfo({ requestId, servingData });\n\n if (error instanceof StatusError) {\n error.body?.error?.details?.push(...details.list);\n const badRequest = error.body?.error?.details.find((d) => d.type === DetailType.BAD_REQUEST);\n if (badRequest) console.warn(servingData, badRequest);\n return c.json(error.body, error.status as ContentfulStatusCode);\n }\n\n if (error instanceof SyntaxError) {\n if (/^Cannot convert .* to a BigInt$/.test(error.message)) {\n return Status.invalidArgument(`Invalid number. ${error.message}`).response(details);\n }\n }\n\n if (isAxiosError(error)) {\n console.error({\n status: error.status,\n message: error.message,\n request: {\n method: error.config?.method,\n url: error.config?.url,\n data: error.config?.data,\n },\n response: { data: error.response?.data },\n });\n return Status.internal('Axios error').response(details);\n }\n\n console.error(`Unknown error: ${servingData}`, error);\n return Status.internal('Unknown error').response(details);\n}\n"],"mappings":";AAAA,SAAS,SAAS,kBAAkB;AACpC,SAAS,QAAQ,mBAAmB;AAY7B,SAAS,aAAa,SAAyC;AACpE,SACE,YAAY,QACZ,OAAO,YAAY,YACnB,kBAAkB,WAClB,QAAQ,iBAAiB;AAE7B;AAEO,SAAS,aACd,OACA,GAC8B;AAC9B,QAAM,YAAY,EAAE,IAAI,WAAW;AACnC,QAAM,cAAc,GAAG,EAAE,IAAI,MAAM,KAAK,EAAE,IAAI,IAAI;AAClD,QAAM,UAAU,QAAQ,IAAI,EAAE,YAAY,EAAE,WAAW,YAAY,CAAC;AAEpE,MAAI,iBAAiB,aAAa;AAChC,UAAM,MAAM,OAAO,SAAS,KAAK,GAAG,QAAQ,IAAI;AAChD,UAAM,aAAa,MAAM,MAAM,OAAO,QAAQ,KAAK,CAAC,MAAM,EAAE,SAAS,WAAW,WAAW;AAC3F,QAAI,WAAY,SAAQ,KAAK,aAAa,UAAU;AACpD,WAAO,EAAE,KAAK,MAAM,MAAM,MAAM,MAA8B;AAAA,EAChE;AAEA,MAAI,iBAAiB,aAAa;AAChC,QAAI,kCAAkC,KAAK,MAAM,OAAO,GAAG;AACzD,aAAO,OAAO,gBAAgB,mBAAmB,MAAM,OAAO,EAAE,EAAE,SAAS,OAAO;AAAA,IACpF;AAAA,EACF;AAEA,MAAI,aAAa,KAAK,GAAG;AACvB,YAAQ,MAAM;AAAA,MACZ,QAAQ,MAAM;AAAA,MACd,SAAS,MAAM;AAAA,MACf,SAAS;AAAA,QACP,QAAQ,MAAM,QAAQ;AAAA,QACtB,KAAK,MAAM,QAAQ;AAAA,QACnB,MAAM,MAAM,QAAQ;AAAA,MACtB;AAAA,MACA,UAAU,EAAE,MAAM,MAAM,UAAU,KAAK;AAAA,IACzC,CAAC;AACD,WAAO,OAAO,SAAS,aAAa,EAAE,SAAS,OAAO;AAAA,EACxD;AAEA,UAAQ,MAAM,kBAAkB,WAAW,IAAI,KAAK;AACpD,SAAO,OAAO,SAAS,eAAe,EAAE,SAAS,OAAO;AAC1D;","names":[]}

package/dist/hono/index.cjs CHANGED Viewed

@@ -22,6 +22,7 @@ var hono_exports = {};
 __export(hono_exports, {
   Authorizer: () => import_authorizer.Authorizer,
   bigintId: () => import_validator.bigintId,
+  csrf: () => import_csrf.csrf,
   errorHandler: () => import_handler.errorHandler,
   geolocation: () => import_geolocation.geolocation,
   zValidator: () => import_validator.zValidator
@@ -31,10 +32,12 @@ var import_validator = require("./validator.cjs");
 var import_handler = require("./handler.cjs");
 var import_geolocation = require("./geolocation.cjs");
 var import_authorizer = require("./authorizer.cjs");
+var import_csrf = require("./csrf.cjs");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   Authorizer,
   bigintId,
+  csrf,
   errorHandler,
   geolocation,
   zValidator

package/dist/hono/index.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/hono/index.ts"],"sourcesContent":["export { zValidator, bigintId } from './validator';\nexport { errorHandler } from './handler';\nexport { geolocation } from './geolocation';\nexport { Authorizer } from './authorizer';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,uBAAqC;AACrC,qBAA6B;AAC7B,yBAA4B;AAC5B,wBAA2B;","names":[]}
1	+ {"version":3,"sources":["../../src/hono/index.ts"],"sourcesContent":["export { zValidator, bigintId } from './validator';\nexport { errorHandler } from './handler';\nexport { geolocation } from './geolocation';\nexport { Authorizer } from './authorizer';\nexport { csrf, type CSRFConfig, type CSRFIgnoreRule } from './csrf';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,uBAAqC;AACrC,qBAA6B;AAC7B,yBAA4B;AAC5B,wBAA2B;AAC3B,kBAA2D;","names":[]}

package/dist/hono/index.d.cts CHANGED Viewed

@@ -2,6 +2,7 @@ export { bigintId, zValidator } from './validator.cjs';
 export { errorHandler } from './handler.cjs';
 export { geolocation } from './geolocation.cjs';
 export { Authorizer } from './authorizer.cjs';
+export { CSRFConfig, CSRFIgnoreRule, csrf } from './csrf.cjs';
 import 'zod/mini';
 import 'hono';
 import 'zod/v4/core';

package/dist/hono/index.d.ts CHANGED Viewed

@@ -2,6 +2,7 @@ export { bigintId, zValidator } from './validator.js';
 export { errorHandler } from './handler.js';
 export { geolocation } from './geolocation.js';
 export { Authorizer } from './authorizer.js';
+export { CSRFConfig, CSRFIgnoreRule, csrf } from './csrf.js';
 import 'zod/mini';
 import 'hono';
 import 'zod/v4/core';

package/dist/hono/index.mjs CHANGED Viewed

@@ -3,9 +3,11 @@ import { zValidator, bigintId } from "./validator.mjs";
 import { errorHandler } from "./handler.mjs";
 import { geolocation } from "./geolocation.mjs";
 import { Authorizer } from "./authorizer.mjs";
+import { csrf } from "./csrf.mjs";
 export {
   Authorizer,
   bigintId,
+  csrf,
   errorHandler,
   geolocation,
   zValidator

package/dist/hono/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/hono/index.ts"],"sourcesContent":["export { zValidator, bigintId } from './validator';\nexport { errorHandler } from './handler';\nexport { geolocation } from './geolocation';\nexport { Authorizer } from './authorizer';\n"],"mappings":";AAAA,SAAS,YAAY,gBAAgB;AACrC,SAAS,oBAAoB;AAC7B,SAAS,mBAAmB;AAC5B,SAAS,kBAAkB;","names":[]}
1	+ {"version":3,"sources":["../../src/hono/index.ts"],"sourcesContent":["export { zValidator, bigintId } from './validator';\nexport { errorHandler } from './handler';\nexport { geolocation } from './geolocation';\nexport { Authorizer } from './authorizer';\nexport { csrf, type CSRFConfig, type CSRFIgnoreRule } from './csrf';\n"],"mappings":";AAAA,SAAS,YAAY,gBAAgB;AACrC,SAAS,oBAAoB;AAC7B,SAAS,mBAAmB;AAC5B,SAAS,kBAAkB;AAC3B,SAAS,YAAkD;","names":[]}

package/package.json CHANGED Viewed

@@ -1,15 +1,8 @@
 {
   "name": "@shware/http",
-  "version": "1.1.9",
+  "version": "1.1.10",
   "private": false,
   "type": "module",
-  "scripts": {
-    "dev": "tsc --watch",
-    "build": "tsup",
-    "test": "jest",
-    "check-types": "tsc --noEmit",
-    "lint": "eslint . --fix --ext .js,.jsx,.ts,.tsx"
-  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/ShwareHQ/shware-sdk.git"
@@ -45,14 +38,14 @@
     "dist"
   ],
   "devDependencies": {
-    "@repo/eslint-config": "workspace:*",
-    "@repo/typescript-config": "workspace:*",
     "@types/jest": "^30.0.0",
     "@types/node": "^24.3.1",
     "@types/react": "^19.1.12",
     "jest": "^30.1.3",
     "ts-jest": "^29.4.1",
-    "typescript": "^5.9.2"
+    "typescript": "^5.9.2",
+    "@repo/eslint-config": "0.0.2",
+    "@repo/typescript-config": "0.0.0"
   },
   "dependencies": {
     "zod": "^4.1.5"
@@ -76,5 +69,12 @@
     "react": {
       "optional": true
     }
+  },
+  "scripts": {
+    "dev": "tsc --watch",
+    "build": "tsup",
+    "test": "jest",
+    "check-types": "tsc --noEmit",
+    "lint": "eslint . --fix --ext .js,.jsx,.ts,.tsx"
   }
-}
+}