@sourceregistry/sveltekit-enhance 1.2.0 → 1.3.0

package/README.md

@@ -138,6 +138,39 @@ All helpers are available from `@sourceregistry/sveltekit-enhance` or `@sourcere
 
 ---
 
+### `CSRF`
+
+Blocks cross-site form submissions on mutating methods (`POST`, `PUT`, `PATCH`, `DELETE`) with form content types. Checks the `Origin` header against the request origin. Absent `Origin` (server-side fetch, curl) is allowed through. Returns `403` — JSON body when `Accept: application/json`, SvelteKit `error()` otherwise.
+
+```ts
+import { CSRF, CSRFChecker } from '@sourceregistry/sveltekit-enhance';
+
+export const handle = enhance.handle(
+    myHandler,
+    CSRF.inspect(
+        CSRFChecker.list('/api/webhooks/stripe'),  // bypass paths
+        myLogger,                                   // optional, defaults to console
+    ),
+);
+```
+
+Built-in bypass checkers:
+
+| Checker | Description |
+|---------|-------------|
+| `CSRFChecker.list(...paths)` | Exact pathname match |
+| `CSRFChecker.regex(...patterns)` | RegExp match against pathname |
+
+Custom checker — any `(input: EnhanceInput) => MaybePromise<boolean>`:
+```ts
+// true = bypass CSRF check
+CSRF.inspect((input) => input.url.pathname.startsWith('/api/public'))
+```
+
+Returns `{ csrf_valid: true }` on pass. Locals set: none.
+
+---
+
 ### `Auth`
 
 Extracts and validates `Authorization: Bearer <token>` headers.
@@ -353,6 +386,7 @@ TraceOptions               // { logger?: TraceLogger; record?: (entry) => any }
 RecordTraceMetricEntry     // { method: string; path: string; status: number; durationMs: number }
 RequestTraceLocals         // { trace?: { id: string; started_at: bigint } }
 RequestCorrelationLocals   // { correlation_id?: string; request_started_at?: number }
+CSRFChecker                // { regex(...patterns): checker; list(...paths): checker }
 ```
 
 ---

package/dist/helpers/CSRF.d.ts

@@ -0,0 +1,14 @@
+import { type EnhanceFunction, type EnhanceInput } from "../index.js";
+import type { MaybePromise } from "../index.js";
+import type { Logger } from "./logger.js";
+export declare const CSRF: {
+    inspect: (checker: (input: EnhanceInput) => MaybePromise<boolean>, logger?: Logger) => EnhanceFunction<"handle">;
+};
+export declare const CSRFChecker: {
+    regex: (...oneOf: RegExp[]) => (input: {
+        url: URL;
+    }) => boolean;
+    list: (...oneOf: string[]) => (input: {
+        url: URL;
+    }) => boolean;
+};

package/dist/helpers/CSRF.js

@@ -0,0 +1,38 @@
+import { json } from '@sveltejs/kit';
+import { error } from "../index.js";
+function isContentType(request, ...types) {
+    const type = request.headers.get('content-type')?.split(';', 1)[0].trim() ?? '';
+    return types.includes(type.toLowerCase());
+}
+function isFormContentType(request) {
+    return isContentType(request, 'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain');
+}
+const MUTATING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+const SAFE_LOG_HEADERS = new Set(['content-type', 'origin', 'referer', 'user-agent', 'accept', 'host']);
+export const CSRF = {
+    inspect: (checker, logger = console) => async (input) => {
+        const { request, url } = input;
+        const origin = request.headers.get('origin');
+        const forbidden = isFormContentType(request) &&
+            MUTATING_METHODS.has(request.method) &&
+            origin !== null &&
+            origin !== url.origin &&
+            !(await checker(input));
+        if (forbidden) {
+            const message = `Cross-site ${request.method} form submissions are forbidden`;
+            logger.warn('CSRF Violation detected', {
+                url: url.toString(),
+                headers: Object.fromEntries([...request.headers.entries()].filter(([k]) => SAFE_LOG_HEADERS.has(k.toLowerCase())))
+            });
+            if (request.headers.get('accept') === 'application/json') {
+                return json({ message }, { status: 403 });
+            }
+            return error(403, { message });
+        }
+        return { csrf_valid: true };
+    }
+};
+export const CSRFChecker = {
+    regex: (...oneOf) => (input) => oneOf.some((exp) => exp[Symbol.match](input.url.pathname)),
+    list: (...oneOf) => (input) => oneOf.includes(input.url.pathname)
+};

package/dist/helpers/index.d.ts

@@ -4,3 +4,5 @@ export * from './featureflag.js';
 export * from './form.ts';
 export * from './request-correlation.ts';
 export * from './request-monitor.js';
+export * from './CSRF.js';
+export * from './logger.js';

package/dist/helpers/index.js

@@ -4,3 +4,5 @@ export * from './featureflag.js';
 export * from "./form.js";
 export * from "./request-correlation.js";
 export * from './request-monitor.js';
+export * from './CSRF.js';
+export * from './logger.js';

package/dist/helpers/logger.d.ts

@@ -0,0 +1,6 @@
+export type Logger = {
+    debug: (...args: any[]) => any;
+    info: (...args: any[]) => any;
+    warn: (...args: any[]) => any;
+    error: (...args: any[]) => any;
+};

package/dist/helpers/logger.js

@@ -0,0 +1 @@
+export {};

package/dist/helpers/request-monitor.d.ts

@@ -1,4 +1,5 @@
 import type { EnhanceFunction } from "../index.js";
+import type { Logger } from "./logger.js";
 export type RequestTraceLocals = {
     trace?: {
         id: string;
@@ -11,14 +12,8 @@ export type RecordTraceMetricEntry = {
     status: number;
     durationMs: number;
 };
-export type TraceLogger = {
-    debug: (...args: any[]) => any;
-    info: (...args: any[]) => any;
-    warn: (...args: any[]) => any;
-    error: (...args: any[]) => any;
-};
 export type TraceOptions = {
-    logger?: TraceLogger;
+    logger?: Logger;
     record?: (entry: RecordTraceMetricEntry) => any;
 };
 export declare const RequestMonitor: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sourceregistry/sveltekit-enhance",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Composable enhance and form utilities for SvelteKit actions, loads, methods, and hooks.",
   "author": "A.P.A. Slaa (a.p.a.slaa@projectsource.nl)",
   "scripts": {