npm - @spring-systems/server - Versions diffs - 0.8.0 - Mend

@spring-systems/server 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/CHANGELOG.md +62 -0
package/LICENSE +8 -0
package/README.md +94 -0
package/dist/api-route-handler.d.ts +49 -0
package/dist/api-route-handler.js +19 -0
package/dist/api-route-handler.js.map +1 -0
package/dist/chunk-7IUSTA5W.js +113 -0
package/dist/chunk-7IUSTA5W.js.map +1 -0
package/dist/chunk-CLZU34DG.js +465 -0
package/dist/chunk-CLZU34DG.js.map +1 -0
package/dist/chunk-CP33WQ5Q.js +47 -0
package/dist/chunk-CP33WQ5Q.js.map +1 -0
package/dist/chunk-FEB3UZEG.js +407 -0
package/dist/chunk-FEB3UZEG.js.map +1 -0
package/dist/chunk-KA7RJCWA.js +24 -0
package/dist/chunk-KA7RJCWA.js.map +1 -0
package/dist/chunk-OYTV4D7E.js +159 -0
package/dist/chunk-OYTV4D7E.js.map +1 -0
package/dist/chunk-YV6DZVPI.js +43 -0
package/dist/chunk-YV6DZVPI.js.map +1 -0
package/dist/client.d.ts +6 -0
package/dist/client.js +14 -0
package/dist/client.js.map +1 -0
package/dist/handlers/index.d.ts +81 -0
package/dist/handlers/index.js +48 -0
package/dist/handlers/index.js.map +1 -0
package/dist/index.d.ts +10 -0
package/dist/index.js +44 -0
package/dist/index.js.map +1 -0
package/dist/next-adapters.d.ts +25 -0
package/dist/next-adapters.js +14 -0
package/dist/next-adapters.js.map +1 -0
package/dist/proxy-middleware.d.ts +8 -0
package/dist/proxy-middleware.js +10 -0
package/dist/proxy-middleware.js.map +1 -0
package/dist/rate-limiter.d.ts +67 -0
package/dist/rate-limiter.js +15 -0
package/dist/rate-limiter.js.map +1 -0
package/dist/runtime-env.d.ts +15 -0
package/dist/runtime-env.js +9 -0
package/dist/runtime-env.js.map +1 -0
package/dist/security-headers.d.ts +8 -0
package/dist/security-headers.js +11 -0
package/dist/security-headers.js.map +1 -0
package/package.json +114 -0

package/dist/chunk-FEB3UZEG.js ADDED Viewed

@@ -0,0 +1,407 @@
+import {
+  checkRateLimit,
+  clearRateLimitEntries,
+  getRateLimiterAdapter,
+  recordFailedAttempt
+} from "./chunk-7IUSTA5W.js";
+// src/handlers/auth-session.ts
+import { getFrameworkConfig, getSecureSessionCookieName, getSessionCookieName } from "@spring-systems/core/config";
+var MAX_SESSION_AGE_SECONDS = 604800;
+function getSessionCookieMaxAgeSeconds() {
+  return Number(process.env.AUTH_COOKIE_MAX_AGE_SECONDS || "28800");
+}
+function isTargetProdRuntime() {
+  return (process.env.TARGET_ENV || "") === "prod";
+}
+function getSessionCookieNameLazy() {
+  return getSessionCookieName(getFrameworkConfig().auth.sessionCookiePrefix);
+}
+function getSecureSessionCookieNameLazy() {
+  return getSecureSessionCookieName(getFrameworkConfig().auth.sessionCookiePrefix);
+}
+function getSessionExpiredCodeMarkers() {
+  return new Set(getFrameworkConfig().auth.sessionExpiredCodes);
+}
+function isLocalHostRequest(req) {
+  return req.nextUrl.hostname === "localhost" || req.nextUrl.hostname === "127.0.0.1" || req.nextUrl.hostname === "::1" || req.nextUrl.hostname === "[::1]";
+}
+function useSecureCookies(req) {
+  if (isLocalHostRequest(req)) return false;
+  if (isTargetProdRuntime()) return true;
+  return req.nextUrl.protocol === "https:";
+}
+function resolveSessionCookieName(req) {
+  return useSecureCookies(req) ? getSecureSessionCookieNameLazy() : getSessionCookieNameLazy();
+}
+function setCookieWithName(res, req, cookieName, value, maxAge) {
+  const secure = useSecureCookies(req);
+  res.cookies.set({
+    name: cookieName,
+    value,
+    httpOnly: true,
+    secure,
+    sameSite: "lax",
+    path: "/",
+    maxAge,
+    priority: "high"
+  });
+}
+function setSessionCookie(res, req, token) {
+  const configuredMaxAge = getSessionCookieMaxAgeSeconds();
+  const rawAge = Number.isFinite(configuredMaxAge) && configuredMaxAge > 0 ? Math.floor(configuredMaxAge) : 28800;
+  const maxAge = Math.min(rawAge, MAX_SESSION_AGE_SECONDS);
+  const cookieName = resolveSessionCookieName(req);
+  const staleCookieName = cookieName === getSessionCookieNameLazy() ? getSecureSessionCookieNameLazy() : getSessionCookieNameLazy();
+  setCookieWithName(res, req, cookieName, token, maxAge);
+  setCookieWithName(res, req, staleCookieName, "", 0);
+}
+function clearSessionCookieWithName(res, req, cookieName) {
+  const secure = useSecureCookies(req);
+  res.cookies.set({
+    name: cookieName,
+    value: "",
+    httpOnly: true,
+    secure,
+    sameSite: "lax",
+    path: "/",
+    maxAge: 0,
+    priority: "high"
+  });
+  const oppositeSecure = !secure;
+  const cookieParts = [`${cookieName}=`, "Path=/", "Max-Age=0", "HttpOnly", "SameSite=Lax", "Priority=High"];
+  if (oppositeSecure) {
+    cookieParts.push("Secure");
+  }
+  res.headers.append("Set-Cookie", cookieParts.join("; "));
+}
+function clearSessionCookie(res, req) {
+  clearSessionCookieWithName(res, req, getSessionCookieNameLazy());
+  clearSessionCookieWithName(res, req, getSecureSessionCookieNameLazy());
+}
+function getSessionToken(req) {
+  const cookies = [getSessionCookieNameLazy(), getSecureSessionCookieNameLazy()];
+  for (const cookieName of cookies) {
+    const fromCookiesApi = (req.cookies.get(cookieName)?.value || "").trim();
+    if (fromCookiesApi) return fromCookiesApi;
+  }
+  const cookieHeader = req.headers.get("cookie") || "";
+  if (!cookieHeader) return "";
+  const parts = cookieHeader.split(";").map((part) => part.trim());
+  for (const part of parts) {
+    if (!part) continue;
+    const eqIndex = part.indexOf("=");
+    if (eqIndex <= 0) continue;
+    const key = part.slice(0, eqIndex).trim();
+    if (key !== getSessionCookieNameLazy() && key !== getSecureSessionCookieNameLazy()) continue;
+    const rawValue = part.slice(eqIndex + 1).trim();
+    if (!rawValue) continue;
+    try {
+      return decodeURIComponent(rawValue);
+    } catch {
+      return rawValue;
+    }
+  }
+  return "";
+}
+function normalizeErrorText(value) {
+  return typeof value === "string" ? value.trim().toLowerCase() : "";
+}
+function isSessionExpiredCode(value) {
+  const normalized = normalizeErrorText(value);
+  return normalized !== "" && getSessionExpiredCodeMarkers().has(normalized);
+}
+async function shouldClearSessionFromForbidden(response) {
+  if (response.status !== 403) return false;
+  try {
+    const cloned = response.clone();
+    try {
+      const payload = await cloned.json();
+      return isSessionExpiredCode(payload.code) || isSessionExpiredCode(payload.error_code);
+    } catch {
+      return false;
+    }
+  } catch {
+    return false;
+  }
+}
+// src/handlers/csrf-cors.ts
+import { getFrameworkConfig as getFrameworkConfig2 } from "@spring-systems/core/config";
+var STATE_CHANGING_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH", "DELETE"]);
+function getFrontendUrl() {
+  return (process.env.FRONTEND_URL || "").trim();
+}
+function getFrontendIp() {
+  return (process.env.FRONTEND_IP || "").trim();
+}
+function trustProxyHeaders() {
+  return process.env.AUTH_TRUST_PROXY_HEADERS === "true";
+}
+function getCsrfExemptPaths() {
+  return new Set(
+    (process.env.CSRF_EXEMPT_PATHS || "").split(",").map(
+      (v) => v.trim().replace(/^\/+|\/+$/g, "").toLowerCase()
+    ).filter(Boolean)
+  );
+}
+function isProdRuntime() {
+  return (process.env.NODE_ENV || "") === "production" || (process.env.TARGET_ENV || "") === "prod";
+}
+function normalizeOrigin(value) {
+  try {
+    return new URL(value).origin;
+  } catch {
+    return null;
+  }
+}
+function isInternalIpAccess(req) {
+  const frontendIp = getFrontendIp();
+  if (!frontendIp) return false;
+  const directIp = req.ip?.trim();
+  if (directIp) return directIp === frontendIp;
+  if (!trustProxyHeaders()) {
+    return false;
+  }
+  const xForwardedFor = (req.headers.get("x-forwarded-for") || "").trim();
+  const forwardedFirstIp = xForwardedFor.split(",")[0]?.trim();
+  if (forwardedFirstIp) return forwardedFirstIp === frontendIp;
+  const xRealIp = (req.headers.get("x-real-ip") || "").trim();
+  if (xRealIp) return xRealIp === frontendIp;
+  return false;
+}
+function resolveAllowedOrigin(req) {
+  const origin = (req.headers.get("origin") || "").trim();
+  if (!origin) return null;
+  const normalizedOrigin = normalizeOrigin(origin);
+  if (!normalizedOrigin) return null;
+  const frontendUrl = getFrontendUrl();
+  const normalizedFrontendOrigin = frontendUrl ? normalizeOrigin(frontendUrl) : null;
+  if (normalizedFrontendOrigin && normalizedOrigin === normalizedFrontendOrigin) {
+    return normalizedOrigin;
+  }
+  const frontendIp = getFrontendIp();
+  if (!frontendIp) return null;
+  try {
+    const parsedOrigin = new URL(normalizedOrigin);
+    if (parsedOrigin.hostname !== frontendIp) return null;
+    if (!["http:", "https:"].includes(parsedOrigin.protocol)) return null;
+    if (isProdRuntime() && parsedOrigin.protocol !== "https:") return null;
+    const hasCustomPort = parsedOrigin.protocol === "http:" && parsedOrigin.port !== "" && parsedOrigin.port !== "80" || parsedOrigin.protocol === "https:" && parsedOrigin.port !== "" && parsedOrigin.port !== "443";
+    if (hasCustomPort) return null;
+    return normalizedOrigin;
+  } catch {
+    return null;
+  }
+}
+function isStateChangingMethod(method) {
+  return STATE_CHANGING_METHODS.has(method.toUpperCase());
+}
+function mergeVaryHeader(headers, value) {
+  const existing = (headers.get("Vary") || "").trim();
+  if (!existing) {
+    headers.set("Vary", value);
+    return;
+  }
+  const tokens = existing.split(",").map((token) => token.trim()).filter(Boolean);
+  if (tokens.some((token) => token === "*")) {
+    headers.set("Vary", "*");
+    return;
+  }
+  const hasValue = tokens.some((token) => token.toLowerCase() === value.toLowerCase());
+  if (hasValue) {
+    headers.set("Vary", tokens.join(", "));
+    return;
+  }
+  headers.set("Vary", [...tokens, value].join(", "));
+}
+function hasUntrustedFetchSite(req) {
+  const fetchSite = (req.headers.get("sec-fetch-site") || "").trim().toLowerCase();
+  if (!fetchSite) return false;
+  return !(fetchSite === "same-origin" || fetchSite === "same-site" || fetchSite === "none");
+}
+function isTrustedOrigin(req) {
+  const origin = (req.headers.get("origin") || "").trim();
+  if (!origin) return false;
+  const normalizedOrigin = normalizeOrigin(origin);
+  if (!normalizedOrigin) return false;
+  const requestOrigin = req.nextUrl.origin;
+  if (normalizedOrigin === requestOrigin) return true;
+  const allowedOrigin = resolveAllowedOrigin(req);
+  return !!allowedOrigin && allowedOrigin === normalizedOrigin;
+}
+function extractOriginFromReferer(req) {
+  const referer = (req.headers.get("referer") || "").trim();
+  if (!referer) return null;
+  return normalizeOrigin(referer);
+}
+function isTrustedReferer(req) {
+  const refererOrigin = extractOriginFromReferer(req);
+  if (!refererOrigin) return false;
+  if (refererOrigin === req.nextUrl.origin) return true;
+  const allowedOrigin = resolveAllowedOrigin(req);
+  return !!allowedOrigin && allowedOrigin === refererOrigin;
+}
+function shouldRejectByCsrfProtection(req, method, pathKey) {
+  const csrfExemptPaths = getCsrfExemptPaths();
+  if (!isStateChangingMethod(method)) return false;
+  if (csrfExemptPaths.has(pathKey.toLowerCase())) return false;
+  if (hasUntrustedFetchSite(req)) return true;
+  if (isTrustedOrigin(req)) return false;
+  if (isTrustedReferer(req)) return false;
+  return true;
+}
+function applyCorsHeaders(headers, req, isIpAccess) {
+  const allowedOrigin = resolveAllowedOrigin(req);
+  const corsHeaders = getFrameworkConfig2().proxy.corsAllowedHeaders;
+  if (isIpAccess) {
+    if (allowedOrigin) {
+      headers.set("Access-Control-Allow-Origin", allowedOrigin);
+    }
+    headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS");
+    headers.set("Access-Control-Allow-Headers", corsHeaders);
+    headers.set("Access-Control-Max-Age", "86400");
+    if (allowedOrigin) {
+      headers.set("Access-Control-Allow-Credentials", "true");
+    } else {
+      headers.delete("Access-Control-Allow-Credentials");
+    }
+    mergeVaryHeader(headers, "Origin");
+    return;
+  }
+  if (allowedOrigin) {
+    headers.set("Access-Control-Allow-Origin", allowedOrigin);
+    headers.set("Access-Control-Allow-Credentials", "true");
+  } else {
+    headers.delete("Access-Control-Allow-Credentials");
+  }
+  mergeVaryHeader(headers, "Origin");
+  headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS");
+  headers.set("Access-Control-Allow-Headers", corsHeaders);
+  headers.set("Access-Control-Max-Age", "86400");
+}
+function hasCsrfExemptPaths() {
+  return getCsrfExemptPaths().size > 0;
+}
+function resolveProdSecurityConfigError() {
+  if (!isProdRuntime()) return null;
+  if (hasCsrfExemptPaths()) return "CSRF_EXEMPT_PATHS is not allowed in production";
+  return null;
+}
+// src/handlers/rate-limit-handler.ts
+function toValidPositiveInteger(value, fallback) {
+  return Number.isFinite(value) && value > 0 ? Math.floor(value) : fallback;
+}
+function isRateLimitEnabled() {
+  return process.env.AUTH_LOGIN_RATE_LIMIT_ENABLED !== "false";
+}
+function trustProxyHeaders2() {
+  return process.env.AUTH_TRUST_PROXY_HEADERS === "true";
+}
+function getHeader(request, name) {
+  return (request.headers.get(name) || "").trim();
+}
+function buildClientFingerprint(request) {
+  const userAgent = getHeader(request, "user-agent").toLowerCase().slice(0, 64);
+  const acceptLanguage = getHeader(request, "accept-language").toLowerCase().slice(0, 32);
+  const secChUa = getHeader(request, "sec-ch-ua").toLowerCase().slice(0, 64);
+  const signal = [userAgent, acceptLanguage, secChUa].filter(Boolean).join("|");
+  if (!signal) return "unknown";
+  return `fp:${signal}`.slice(0, 128);
+}
+function getPolicy() {
+  return {
+    windowMs: toValidPositiveInteger(Number(process.env.AUTH_LOGIN_RATE_LIMIT_WINDOW_MS || "900000"), 9e5),
+    blockMs: toValidPositiveInteger(Number(process.env.AUTH_LOGIN_RATE_LIMIT_BLOCK_MS || "900000"), 9e5),
+    maxAttemptsByIpAndAccount: toValidPositiveInteger(Number(process.env.AUTH_LOGIN_RATE_LIMIT_MAX_ATTEMPTS || "8"), 8),
+    maxAttemptsByAccount: toValidPositiveInteger(
+      Number(process.env.AUTH_LOGIN_RATE_LIMIT_ACCOUNT_MAX_ATTEMPTS || "20"),
+      20
+    ),
+    maxKeys: toValidPositiveInteger(Number(process.env.AUTH_LOGIN_RATE_LIMIT_MAX_KEYS || "10000"), 1e4)
+  };
+}
+function getClientAddress(request) {
+  if (trustProxyHeaders2()) {
+    const xForwardedFor = getHeader(request, "x-forwarded-for");
+    const first = xForwardedFor.split(",")[0]?.trim();
+    if (first) return first;
+    const xRealIp = getHeader(request, "x-real-ip");
+    if (xRealIp) return xRealIp;
+  }
+  const directIp = request.ip?.trim();
+  if (directIp) return directIp;
+  return buildClientFingerprint(request);
+}
+function normalizeRateLimitKeyPart(value) {
+  const trimmed = value.trim().toLowerCase();
+  if (!trimmed) return "unknown";
+  return trimmed.slice(0, 128);
+}
+function getLoginRateLimitKeys(request, username) {
+  const normalizedUsername = normalizeRateLimitKeyPart(username);
+  const normalizedIp = normalizeRateLimitKeyPart(getClientAddress(request));
+  const pairKey = `${normalizedIp}:${normalizedUsername}`;
+  const accountKey = normalizedUsername !== "unknown" ? normalizedUsername : null;
+  return { pairKey, accountKey };
+}
+function cleanupExpiredLoginLimits(now) {
+  const policy = getPolicy();
+  const adapter = getRateLimiterAdapter();
+  for (const store of ["ip", "account"]) {
+    if (typeof adapter.sweepExpired === "function") {
+      adapter.sweepExpired(store, now, policy.windowMs);
+    }
+    const size = adapter.size(store);
+    if (size > policy.maxKeys) {
+      adapter.evictOldest(store, size - policy.maxKeys);
+    }
+  }
+}
+function getRateLimitRetryAfterMs(keys, now) {
+  if (!isRateLimitEnabled()) return 0;
+  const policy = getPolicy();
+  const result = checkRateLimit(keys.pairKey, keys.accountKey, policy);
+  if (!result) return 0;
+  const adapter = getRateLimiterAdapter();
+  const ipEntry = adapter.get("ip", keys.pairKey);
+  const accountEntry = keys.accountKey ? adapter.get("account", keys.accountKey) : null;
+  const ipRetry = ipEntry && ipEntry.blockedUntil > now ? ipEntry.blockedUntil - now : 0;
+  const accountRetry = accountEntry && accountEntry.blockedUntil > now ? accountEntry.blockedUntil - now : 0;
+  return Math.max(ipRetry, accountRetry);
+}
+function registerFailedLoginAttempt(keys, _now) {
+  if (!isRateLimitEnabled()) return;
+  const policy = getPolicy();
+  recordFailedAttempt(keys.pairKey, keys.accountKey, policy);
+}
+function clearLoginAttemptState(keys) {
+  if (!isRateLimitEnabled()) return;
+  clearRateLimitEntries(keys.pairKey, keys.accountKey);
+}
+export {
+  isLocalHostRequest,
+  useSecureCookies,
+  resolveSessionCookieName,
+  setSessionCookie,
+  clearSessionCookie,
+  getSessionToken,
+  isSessionExpiredCode,
+  shouldClearSessionFromForbidden,
+  normalizeOrigin,
+  isInternalIpAccess,
+  resolveAllowedOrigin,
+  shouldRejectByCsrfProtection,
+  applyCorsHeaders,
+  hasCsrfExemptPaths,
+  resolveProdSecurityConfigError,
+  getClientAddress,
+  getLoginRateLimitKeys,
+  cleanupExpiredLoginLimits,
+  getRateLimitRetryAfterMs,
+  registerFailedLoginAttempt,
+  clearLoginAttemptState
+};
+//# sourceMappingURL=chunk-FEB3UZEG.js.map

package/dist/chunk-FEB3UZEG.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/handlers/auth-session.ts","../src/handlers/csrf-cors.ts","../src/handlers/rate-limit-handler.ts"],"sourcesContent":["/**\n * Session/cookie management for the API proxy.\n *\n * Handles session token extraction from cookies, secure cookie setting/clearing,\n * and session expiry detection from API responses.\n *\n * @module handlers/auth-session\n */\n\nimport { getFrameworkConfig, getSecureSessionCookieName, getSessionCookieName } from \"@spring-systems/core/config\";\nimport type { NextRequest, NextResponse } from \"next/server\";\n\n/** Hard upper bound for session cookie lifetime (7 days). */\nconst MAX_SESSION_AGE_SECONDS = 604800;\n\nfunction getSessionCookieMaxAgeSeconds(): number {\n return Number(process.env.AUTH_COOKIE_MAX_AGE_SECONDS || \"28800\");\n}\n\nfunction isTargetProdRuntime(): boolean {\n return (process.env.TARGET_ENV || \"\") === \"prod\";\n}\n\n// Config accessors — read fresh from getFrameworkConfig() on each call so\n// configureFramework() can be called after module import.\nfunction getSessionCookieNameLazy(): string {\n return getSessionCookieName(getFrameworkConfig().auth.sessionCookiePrefix);\n}\n\nfunction getSecureSessionCookieNameLazy(): string {\n return getSecureSessionCookieName(getFrameworkConfig().auth.sessionCookiePrefix);\n}\n\nfunction getSessionExpiredCodeMarkers(): Set<string> {\n return new Set(getFrameworkConfig().auth.sessionExpiredCodes);\n}\n\ninterface AuthFailurePayload {\n message?: string;\n error?: string;\n detail?: string;\n title?: string;\n code?: string;\n error_code?: string;\n}\n\n/** Check if a request targets localhost. */\nexport function isLocalHostRequest(req: NextRequest): boolean {\n return (\n req.nextUrl.hostname === \"localhost\" ||\n req.nextUrl.hostname === \"127.0.0.1\" ||\n req.nextUrl.hostname === \"::1\" ||\n req.nextUrl.hostname === \"[::1]\"\n );\n}\n\n/** Whether to use Secure flag on cookies (HTTPS or TARGET_ENV=prod, excluding localhost). */\nexport function useSecureCookies(req: NextRequest): boolean {\n if (isLocalHostRequest(req)) return false;\n if (isTargetProdRuntime()) return true;\n // Non-prod: secure cookies when the request arrived over HTTPS\n return req.nextUrl.protocol === \"https:\";\n}\n\n/** Resolve the correct session cookie name based on runtime context. */\nexport function resolveSessionCookieName(req: NextRequest): string {\n return useSecureCookies(req) ? getSecureSessionCookieNameLazy() : getSessionCookieNameLazy();\n}\n\nfunction setCookieWithName(res: NextResponse, req: NextRequest, cookieName: string, value: string, maxAge: number) {\n const secure = useSecureCookies(req);\n res.cookies.set({\n name: cookieName,\n value,\n httpOnly: true,\n secure,\n sameSite: \"lax\",\n path: \"/\",\n maxAge,\n priority: \"high\",\n });\n}\n\n/** Set the session cookie with the given token. Clears the stale variant. */\nexport function setSessionCookie(res: NextResponse, req: NextRequest, token: string): void {\n const configuredMaxAge = getSessionCookieMaxAgeSeconds();\n const rawAge =\n Number.isFinite(configuredMaxAge) && configuredMaxAge > 0\n ? Math.floor(configuredMaxAge)\n : 28800;\n const maxAge = Math.min(rawAge, MAX_SESSION_AGE_SECONDS);\n const cookieName = resolveSessionCookieName(req);\n const staleCookieName = cookieName === getSessionCookieNameLazy() ? getSecureSessionCookieNameLazy() : getSessionCookieNameLazy();\n\n setCookieWithName(res, req, cookieName, token, maxAge);\n setCookieWithName(res, req, staleCookieName, \"\", 0);\n}\n\nfunction clearSessionCookieWithName(res: NextResponse, req: NextRequest, cookieName: string) {\n const secure = useSecureCookies(req);\n res.cookies.set({\n name: cookieName,\n value: \"\",\n httpOnly: true,\n secure,\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 0,\n priority: \"high\",\n });\n\n // Also append the opposite Secure variant to clear cookies created under a different\n // runtime/proxy setup (e.g. switching between http/https during development).\n const oppositeSecure = !secure;\n const cookieParts = [`${cookieName}=`, \"Path=/\", \"Max-Age=0\", \"HttpOnly\", \"SameSite=Lax\", \"Priority=High\"];\n if (oppositeSecure) {\n cookieParts.push(\"Secure\");\n }\n res.headers.append(\"Set-Cookie\", cookieParts.join(\"; \"));\n}\n\n/** Clear all session cookies (both regular and secure variants). */\nexport function clearSessionCookie(res: NextResponse, req: NextRequest): void {\n clearSessionCookieWithName(res, req, getSessionCookieNameLazy());\n clearSessionCookieWithName(res, req, getSecureSessionCookieNameLazy());\n}\n\n/** Extract session token from request cookies (tries both cookie names). */\nexport function getSessionToken(req: NextRequest): string {\n const cookies = [getSessionCookieNameLazy(), getSecureSessionCookieNameLazy()];\n for (const cookieName of cookies) {\n const fromCookiesApi = (req.cookies.get(cookieName)?.value || \"\").trim();\n if (fromCookiesApi) return fromCookiesApi;\n }\n\n const cookieHeader = req.headers.get(\"cookie\") || \"\";\n if (!cookieHeader) return \"\";\n\n const parts = cookieHeader.split(\";\").map((part) => part.trim());\n for (const part of parts) {\n if (!part) continue;\n const eqIndex = part.indexOf(\"=\");\n if (eqIndex <= 0) continue;\n const key = part.slice(0, eqIndex).trim();\n if (key !== getSessionCookieNameLazy() && key !== getSecureSessionCookieNameLazy()) continue;\n const rawValue = part.slice(eqIndex + 1).trim();\n if (!rawValue) continue;\n try {\n return decodeURIComponent(rawValue);\n } catch {\n return rawValue;\n }\n }\n\n return \"\";\n}\n\nfunction normalizeErrorText(value: unknown): string {\n return typeof value === \"string\" ? value.trim().toLowerCase() : \"\";\n}\n\n/** Check if a value is a session-expired error code. */\nexport function isSessionExpiredCode(value: unknown): boolean {\n const normalized = normalizeErrorText(value);\n return normalized !== \"\" && getSessionExpiredCodeMarkers().has(normalized);\n}\n\n/** Detect if a 403 response indicates session expiry (reads response body). */\nexport async function shouldClearSessionFromForbidden(response: Response): Promise<boolean> {\n if (response.status !== 403) return false;\n\n try {\n const cloned = response.clone();\n try {\n const payload = (await cloned.json()) as AuthFailurePayload;\n return isSessionExpiredCode(payload.code) || isSessionExpiredCode(payload.error_code);\n } catch {\n return false;\n }\n } catch {\n return false;\n }\n}\n","/**\n * CSRF protection and CORS header management for the API proxy.\n *\n * Validates request origins against configured allowed origins,\n * applies CORS headers to responses, and enforces CSRF protection\n * for state-changing HTTP methods.\n *\n * @module handlers/csrf-cors\n */\n\nimport { getFrameworkConfig } from \"@spring-systems/core/config\";\nimport type { NextRequest } from \"next/server\";\n\nconst STATE_CHANGING_METHODS = new Set([\"POST\", \"PUT\", \"PATCH\", \"DELETE\"]);\n\nfunction getFrontendUrl(): string {\n return (process.env.FRONTEND_URL || \"\").trim();\n}\n\nfunction getFrontendIp(): string {\n return (process.env.FRONTEND_IP || \"\").trim();\n}\n\nfunction trustProxyHeaders(): boolean {\n return process.env.AUTH_TRUST_PROXY_HEADERS === \"true\";\n}\n\nfunction getCsrfExemptPaths(): Set<string> {\n return new Set(\n (process.env.CSRF_EXEMPT_PATHS || \"\")\n .split(\",\")\n .map((v) =>\n v\n .trim()\n .replace(/^\\/+|\\/+$/g, \"\")\n .toLowerCase()\n )\n .filter(Boolean)\n );\n}\n\nfunction isProdRuntime(): boolean {\n return (process.env.NODE_ENV || \"\") === \"production\" || (process.env.TARGET_ENV || \"\") === \"prod\";\n}\n\n/** Normalize a URL string to its origin (scheme + host + port). */\nexport function normalizeOrigin(value: string): string | null {\n try {\n return new URL(value).origin;\n } catch {\n return null;\n }\n}\n\n/** Check if the request comes from the configured FRONTEND_IP. */\nexport function isInternalIpAccess(req: NextRequest): boolean {\n const frontendIp = getFrontendIp();\n if (!frontendIp) return false;\n\n const directIp = (req as unknown as { ip?: string }).ip?.trim();\n if (directIp) return directIp === frontendIp;\n\n if (!trustProxyHeaders()) {\n return false;\n }\n\n const xForwardedFor = (req.headers.get(\"x-forwarded-for\") || \"\").trim();\n const forwardedFirstIp = xForwardedFor.split(\",\")[0]?.trim();\n if (forwardedFirstIp) return forwardedFirstIp === frontendIp;\n\n const xRealIp = (req.headers.get(\"x-real-ip\") || \"\").trim();\n if (xRealIp) return xRealIp === frontendIp;\n\n return false;\n}\n\n/** Resolve the allowed origin for a request (checks FRONTEND_URL and FRONTEND_IP). */\nexport function resolveAllowedOrigin(req: NextRequest): string | null {\n const origin = (req.headers.get(\"origin\") || \"\").trim();\n if (!origin) return null;\n\n const normalizedOrigin = normalizeOrigin(origin);\n if (!normalizedOrigin) return null;\n\n const frontendUrl = getFrontendUrl();\n const normalizedFrontendOrigin = frontendUrl ? normalizeOrigin(frontendUrl) : null;\n if (normalizedFrontendOrigin && normalizedOrigin === normalizedFrontendOrigin) {\n return normalizedOrigin;\n }\n\n const frontendIp = getFrontendIp();\n if (!frontendIp) return null;\n\n try {\n const parsedOrigin = new URL(normalizedOrigin);\n if (parsedOrigin.hostname !== frontendIp) return null;\n if (![\"http:\", \"https:\"].includes(parsedOrigin.protocol)) return null;\n if (isProdRuntime() && parsedOrigin.protocol !== \"https:\") return null;\n // FRONTEND_IP is treated as host-only allowlist. If a custom port is needed,\n // use FRONTEND_URL to pin an exact origin.\n const hasCustomPort =\n (parsedOrigin.protocol === \"http:\" && parsedOrigin.port !== \"\" && parsedOrigin.port !== \"80\") ||\n (parsedOrigin.protocol === \"https:\" && parsedOrigin.port !== \"\" && parsedOrigin.port !== \"443\");\n if (hasCustomPort) return null;\n return normalizedOrigin;\n } catch {\n return null;\n }\n}\n\nfunction isStateChangingMethod(method: string): boolean {\n return STATE_CHANGING_METHODS.has(method.toUpperCase());\n}\n\nfunction mergeVaryHeader(headers: Headers, value: string): void {\n const existing = (headers.get(\"Vary\") || \"\").trim();\n if (!existing) {\n headers.set(\"Vary\", value);\n return;\n }\n\n const tokens = existing\n .split(\",\")\n .map((token) => token.trim())\n .filter(Boolean);\n\n // RFC: wildcard Vary must stand alone.\n if (tokens.some((token) => token === \"*\")) {\n headers.set(\"Vary\", \"*\");\n return;\n }\n\n const hasValue = tokens.some((token) => token.toLowerCase() === value.toLowerCase());\n if (hasValue) {\n headers.set(\"Vary\", tokens.join(\", \"));\n return;\n }\n\n headers.set(\"Vary\", [...tokens, value].join(\", \"));\n}\n\n/**\n * Check whether the Sec-Fetch-Site header indicates a cross-site request.\n *\n * When the header is **missing** (older browsers, non-browser clients, or proxies\n * that strip it), we return `false` (not untrusted) intentionally.\n * This is safe because `shouldRejectByCsrfProtection` always falls through to\n * origin and referer validation when this function returns false, so requests\n * without the header are still verified against the trusted origin/referer list\n * before being allowed through.\n */\nfunction hasUntrustedFetchSite(req: NextRequest): boolean {\n const fetchSite = (req.headers.get(\"sec-fetch-site\") || \"\").trim().toLowerCase();\n // Missing header: allow — origin/referer validation in shouldRejectByCsrfProtection\n // provides the safety net for state-changing methods (POST/PUT/DELETE/PATCH).\n if (!fetchSite) return false;\n return !(fetchSite === \"same-origin\" || fetchSite === \"same-site\" || fetchSite === \"none\");\n}\n\nfunction isTrustedOrigin(req: NextRequest): boolean {\n const origin = (req.headers.get(\"origin\") || \"\").trim();\n if (!origin) return false;\n\n const normalizedOrigin = normalizeOrigin(origin);\n if (!normalizedOrigin) return false;\n\n const requestOrigin = req.nextUrl.origin;\n if (normalizedOrigin === requestOrigin) return true;\n\n const allowedOrigin = resolveAllowedOrigin(req);\n return !!allowedOrigin && allowedOrigin === normalizedOrigin;\n}\n\nfunction extractOriginFromReferer(req: NextRequest): string | null {\n const referer = (req.headers.get(\"referer\") || \"\").trim();\n if (!referer) return null;\n return normalizeOrigin(referer);\n}\n\nfunction isTrustedReferer(req: NextRequest): boolean {\n const refererOrigin = extractOriginFromReferer(req);\n if (!refererOrigin) return false;\n\n if (refererOrigin === req.nextUrl.origin) return true;\n\n const allowedOrigin = resolveAllowedOrigin(req);\n return !!allowedOrigin && allowedOrigin === refererOrigin;\n}\n\n/** Check if a request should be rejected by CSRF protection. */\nexport function shouldRejectByCsrfProtection(req: NextRequest, method: string, pathKey: string): boolean {\n const csrfExemptPaths = getCsrfExemptPaths();\n if (!isStateChangingMethod(method)) return false;\n if (csrfExemptPaths.has(pathKey.toLowerCase())) return false;\n if (hasUntrustedFetchSite(req)) return true;\n if (isTrustedOrigin(req)) return false;\n if (isTrustedReferer(req)) return false;\n return true;\n}\n\n/** Apply CORS headers to a response. */\nexport function applyCorsHeaders(headers: Headers, req: NextRequest, isIpAccess: boolean): void {\n const allowedOrigin = resolveAllowedOrigin(req);\n const corsHeaders = getFrameworkConfig().proxy.corsAllowedHeaders;\n if (isIpAccess) {\n if (allowedOrigin) {\n headers.set(\"Access-Control-Allow-Origin\", allowedOrigin);\n }\n headers.set(\"Access-Control-Allow-Methods\", \"GET, POST, PUT, DELETE, PATCH, OPTIONS\");\n headers.set(\"Access-Control-Allow-Headers\", corsHeaders);\n headers.set(\"Access-Control-Max-Age\", \"86400\");\n if (allowedOrigin) {\n headers.set(\"Access-Control-Allow-Credentials\", \"true\");\n } else {\n headers.delete(\"Access-Control-Allow-Credentials\");\n }\n mergeVaryHeader(headers, \"Origin\");\n return;\n }\n if (allowedOrigin) {\n headers.set(\"Access-Control-Allow-Origin\", allowedOrigin);\n headers.set(\"Access-Control-Allow-Credentials\", \"true\");\n } else {\n headers.delete(\"Access-Control-Allow-Credentials\");\n }\n mergeVaryHeader(headers, \"Origin\");\n headers.set(\"Access-Control-Allow-Methods\", \"GET, POST, PUT, DELETE, PATCH, OPTIONS\");\n headers.set(\"Access-Control-Allow-Headers\", corsHeaders);\n headers.set(\"Access-Control-Max-Age\", \"86400\");\n}\n\n/** Check if CSRF exempt paths are configured (disallowed in production). */\nexport function hasCsrfExemptPaths(): boolean {\n return getCsrfExemptPaths().size > 0;\n}\n\n/** Validate production security config. Returns error string or null. */\nexport function resolveProdSecurityConfigError(): string | null {\n if (!isProdRuntime()) return null;\n if (hasCsrfExemptPaths()) return \"CSRF_EXEMPT_PATHS is not allowed in production\";\n return null;\n}\n","/**\n * Login rate limiting logic for the API proxy.\n *\n * Uses the pluggable RateLimiterAdapter from rate-limiter.ts so multi-instance\n * deployments can swap in a shared-storage adapter.\n *\n * @module handlers/rate-limit-handler\n */\n\nimport type { NextRequest } from \"next/server\";\n\nimport {\n checkRateLimit,\n clearRateLimitEntries,\n getRateLimiterAdapter,\n type RateLimitEntry,\n type RateLimitPolicy,\n recordFailedAttempt,\n} from \"../rate-limiter\";\n\nexport { type RateLimitEntry };\n\nexport interface RateLimitKeys {\n pairKey: string;\n accountKey: string | null;\n}\n\nfunction toValidPositiveInteger(value: number, fallback: number): number {\n return Number.isFinite(value) && value > 0 ? Math.floor(value) : fallback;\n}\n\nfunction isRateLimitEnabled(): boolean {\n return process.env.AUTH_LOGIN_RATE_LIMIT_ENABLED !== \"false\";\n}\n\nfunction trustProxyHeaders(): boolean {\n return process.env.AUTH_TRUST_PROXY_HEADERS === \"true\";\n}\n\nfunction getHeader(request: NextRequest, name: string): string {\n return (request.headers.get(name) || \"\").trim();\n}\n\nfunction buildClientFingerprint(request: NextRequest): string {\n const userAgent = getHeader(request, \"user-agent\").toLowerCase().slice(0, 64);\n const acceptLanguage = getHeader(request, \"accept-language\").toLowerCase().slice(0, 32);\n const secChUa = getHeader(request, \"sec-ch-ua\").toLowerCase().slice(0, 64);\n const signal = [userAgent, acceptLanguage, secChUa].filter(Boolean).join(\"|\");\n if (!signal) return \"unknown\";\n return `fp:${signal}`.slice(0, 128);\n}\n\nfunction getPolicy(): RateLimitPolicy {\n return {\n windowMs: toValidPositiveInteger(Number(process.env.AUTH_LOGIN_RATE_LIMIT_WINDOW_MS || \"900000\"), 900_000),\n blockMs: toValidPositiveInteger(Number(process.env.AUTH_LOGIN_RATE_LIMIT_BLOCK_MS || \"900000\"), 900_000),\n maxAttemptsByIpAndAccount: toValidPositiveInteger(Number(process.env.AUTH_LOGIN_RATE_LIMIT_MAX_ATTEMPTS || \"8\"), 8),\n maxAttemptsByAccount: toValidPositiveInteger(\n Number(process.env.AUTH_LOGIN_RATE_LIMIT_ACCOUNT_MAX_ATTEMPTS || \"20\"),\n 20\n ),\n maxKeys: toValidPositiveInteger(Number(process.env.AUTH_LOGIN_RATE_LIMIT_MAX_KEYS || \"10000\"), 10_000),\n };\n}\n\n/** Get client IP address from request headers or connection. */\nexport function getClientAddress(request: NextRequest): string {\n if (trustProxyHeaders()) {\n const xForwardedFor = getHeader(request, \"x-forwarded-for\");\n const first = xForwardedFor.split(\",\")[0]?.trim();\n if (first) return first;\n\n const xRealIp = getHeader(request, \"x-real-ip\");\n if (xRealIp) return xRealIp;\n }\n\n // Next.js does not expose the raw socket IP in NextRequest.\n // request.ip is available in some runtimes; otherwise use a soft fingerprint\n // to avoid collapsing all clients into one \"unknown\" key.\n const directIp = (request as unknown as { ip?: string }).ip?.trim();\n if (directIp) return directIp;\n return buildClientFingerprint(request);\n}\n\nfunction normalizeRateLimitKeyPart(value: string): string {\n const trimmed = value.trim().toLowerCase();\n if (!trimmed) return \"unknown\";\n return trimmed.slice(0, 128);\n}\n\n/** Build rate limit keys from request and username. */\nexport function getLoginRateLimitKeys(request: NextRequest, username: string): RateLimitKeys {\n const normalizedUsername = normalizeRateLimitKeyPart(username);\n const normalizedIp = normalizeRateLimitKeyPart(getClientAddress(request));\n const pairKey = `${normalizedIp}:${normalizedUsername}`;\n const accountKey = normalizedUsername !== \"unknown\" ? normalizedUsername : null;\n return { pairKey, accountKey };\n}\n\n/** Remove expired rate limit entries from adapter stores. */\nexport function cleanupExpiredLoginLimits(now: number): void {\n const policy = getPolicy();\n const adapter = getRateLimiterAdapter();\n\n for (const store of [\"ip\", \"account\"] as const) {\n if (typeof adapter.sweepExpired === \"function\") {\n adapter.sweepExpired(store, now, policy.windowMs);\n }\n\n const size = adapter.size(store);\n if (size > policy.maxKeys) {\n adapter.evictOldest(store, size - policy.maxKeys);\n }\n }\n}\n\n/** Get remaining block time in ms (0 = not blocked). */\nexport function getRateLimitRetryAfterMs(keys: RateLimitKeys, now: number): number {\n if (!isRateLimitEnabled()) return 0;\n const policy = getPolicy();\n const result = checkRateLimit(keys.pairKey, keys.accountKey, policy);\n if (!result) return 0;\n\n // Extract retry-after from adapter entries\n const adapter = getRateLimiterAdapter();\n const ipEntry = adapter.get(\"ip\", keys.pairKey);\n const accountEntry = keys.accountKey ? adapter.get(\"account\", keys.accountKey) : null;\n const ipRetry = ipEntry && ipEntry.blockedUntil > now ? ipEntry.blockedUntil - now : 0;\n const accountRetry = accountEntry && accountEntry.blockedUntil > now ? accountEntry.blockedUntil - now : 0;\n return Math.max(ipRetry, accountRetry);\n}\n\n/** Record a failed login attempt for rate limiting. */\nexport function registerFailedLoginAttempt(keys: RateLimitKeys, _now: number): void {\n if (!isRateLimitEnabled()) return;\n const policy = getPolicy();\n recordFailedAttempt(keys.pairKey, keys.accountKey, policy);\n}\n\n/** Clear rate limit state for given keys (after successful login). */\nexport function clearLoginAttemptState(keys: RateLimitKeys): void {\n if (!isRateLimitEnabled()) return;\n clearRateLimitEntries(keys.pairKey, keys.accountKey);\n}\n"],"mappings":";;;;;;;;AASA,SAAS,oBAAoB,4BAA4B,4BAA4B;AAIrF,IAAM,0BAA0B;AAEhC,SAAS,gCAAwC;AAC7C,SAAO,OAAO,QAAQ,IAAI,+BAA+B,OAAO;AACpE;AAEA,SAAS,sBAA+B;AACpC,UAAQ,QAAQ,IAAI,cAAc,QAAQ;AAC9C;AAIA,SAAS,2BAAmC;AACxC,SAAO,qBAAqB,mBAAmB,EAAE,KAAK,mBAAmB;AAC7E;AAEA,SAAS,iCAAyC;AAC9C,SAAO,2BAA2B,mBAAmB,EAAE,KAAK,mBAAmB;AACnF;AAEA,SAAS,+BAA4C;AACjD,SAAO,IAAI,IAAI,mBAAmB,EAAE,KAAK,mBAAmB;AAChE;AAYO,SAAS,mBAAmB,KAA2B;AAC1D,SACI,IAAI,QAAQ,aAAa,eACzB,IAAI,QAAQ,aAAa,eACzB,IAAI,QAAQ,aAAa,SACzB,IAAI,QAAQ,aAAa;AAEjC;AAGO,SAAS,iBAAiB,KAA2B;AACxD,MAAI,mBAAmB,GAAG,EAAG,QAAO;AACpC,MAAI,oBAAoB,EAAG,QAAO;AAElC,SAAO,IAAI,QAAQ,aAAa;AACpC;AAGO,SAAS,yBAAyB,KAA0B;AAC/D,SAAO,iBAAiB,GAAG,IAAI,+BAA+B,IAAI,yBAAyB;AAC/F;AAEA,SAAS,kBAAkB,KAAmB,KAAkB,YAAoB,OAAe,QAAgB;AAC/G,QAAM,SAAS,iBAAiB,GAAG;AACnC,MAAI,QAAQ,IAAI;AAAA,IACZ,MAAM;AAAA,IACN;AAAA,IACA,UAAU;AAAA,IACV;AAAA,IACA,UAAU;AAAA,IACV,MAAM;AAAA,IACN;AAAA,IACA,UAAU;AAAA,EACd,CAAC;AACL;AAGO,SAAS,iBAAiB,KAAmB,KAAkB,OAAqB;AACvF,QAAM,mBAAmB,8BAA8B;AACvD,QAAM,SACF,OAAO,SAAS,gBAAgB,KAAK,mBAAmB,IAClD,KAAK,MAAM,gBAAgB,IAC3B;AACV,QAAM,SAAS,KAAK,IAAI,QAAQ,uBAAuB;AACvD,QAAM,aAAa,yBAAyB,GAAG;AAC/C,QAAM,kBAAkB,eAAe,yBAAyB,IAAI,+BAA+B,IAAI,yBAAyB;AAEhI,oBAAkB,KAAK,KAAK,YAAY,OAAO,MAAM;AACrD,oBAAkB,KAAK,KAAK,iBAAiB,IAAI,CAAC;AACtD;AAEA,SAAS,2BAA2B,KAAmB,KAAkB,YAAoB;AACzF,QAAM,SAAS,iBAAiB,GAAG;AACnC,MAAI,QAAQ,IAAI;AAAA,IACZ,MAAM;AAAA,IACN,OAAO;AAAA,IACP,UAAU;AAAA,IACV;AAAA,IACA,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,UAAU;AAAA,EACd,CAAC;AAID,QAAM,iBAAiB,CAAC;AACxB,QAAM,cAAc,CAAC,GAAG,UAAU,KAAK,UAAU,aAAa,YAAY,gBAAgB,eAAe;AACzG,MAAI,gBAAgB;AAChB,gBAAY,KAAK,QAAQ;AAAA,EAC7B;AACA,MAAI,QAAQ,OAAO,cAAc,YAAY,KAAK,IAAI,CAAC;AAC3D;AAGO,SAAS,mBAAmB,KAAmB,KAAwB;AAC1E,6BAA2B,KAAK,KAAK,yBAAyB,CAAC;AAC/D,6BAA2B,KAAK,KAAK,+BAA+B,CAAC;AACzE;AAGO,SAAS,gBAAgB,KAA0B;AACtD,QAAM,UAAU,CAAC,yBAAyB,GAAG,+BAA+B,CAAC;AAC7E,aAAW,cAAc,SAAS;AAC9B,UAAM,kBAAkB,IAAI,QAAQ,IAAI,UAAU,GAAG,SAAS,IAAI,KAAK;AACvE,QAAI,eAAgB,QAAO;AAAA,EAC/B;AAEA,QAAM,eAAe,IAAI,QAAQ,IAAI,QAAQ,KAAK;AAClD,MAAI,CAAC,aAAc,QAAO;AAE1B,QAAM,QAAQ,aAAa,MAAM,GAAG,EAAE,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC;AAC/D,aAAW,QAAQ,OAAO;AACtB,QAAI,CAAC,KAAM;AACX,UAAM,UAAU,KAAK,QAAQ,GAAG;AAChC,QAAI,WAAW,EAAG;AAClB,UAAM,MAAM,KAAK,MAAM,GAAG,OAAO,EAAE,KAAK;AACxC,QAAI,QAAQ,yBAAyB,KAAK,QAAQ,+BAA+B,EAAG;AACpF,UAAM,WAAW,KAAK,MAAM,UAAU,CAAC,EAAE,KAAK;AAC9C,QAAI,CAAC,SAAU;AACf,QAAI;AACA,aAAO,mBAAmB,QAAQ;AAAA,IACtC,QAAQ;AACJ,aAAO;AAAA,IACX;AAAA,EACJ;AAEA,SAAO;AACX;AAEA,SAAS,mBAAmB,OAAwB;AAChD,SAAO,OAAO,UAAU,WAAW,MAAM,KAAK,EAAE,YAAY,IAAI;AACpE;AAGO,SAAS,qBAAqB,OAAyB;AAC1D,QAAM,aAAa,mBAAmB,KAAK;AAC3C,SAAO,eAAe,MAAM,6BAA6B,EAAE,IAAI,UAAU;AAC7E;AAGA,eAAsB,gCAAgC,UAAsC;AACxF,MAAI,SAAS,WAAW,IAAK,QAAO;AAEpC,MAAI;AACA,UAAM,SAAS,SAAS,MAAM;AAC9B,QAAI;AACA,YAAM,UAAW,MAAM,OAAO,KAAK;AACnC,aAAO,qBAAqB,QAAQ,IAAI,KAAK,qBAAqB,QAAQ,UAAU;AAAA,IACxF,QAAQ;AACJ,aAAO;AAAA,IACX;AAAA,EACJ,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;;;AC5KA,SAAS,sBAAAA,2BAA0B;AAGnC,IAAM,yBAAyB,oBAAI,IAAI,CAAC,QAAQ,OAAO,SAAS,QAAQ,CAAC;AAEzE,SAAS,iBAAyB;AAC9B,UAAQ,QAAQ,IAAI,gBAAgB,IAAI,KAAK;AACjD;AAEA,SAAS,gBAAwB;AAC7B,UAAQ,QAAQ,IAAI,eAAe,IAAI,KAAK;AAChD;AAEA,SAAS,oBAA6B;AAClC,SAAO,QAAQ,IAAI,6BAA6B;AACpD;AAEA,SAAS,qBAAkC;AACvC,SAAO,IAAI;AAAA,KACN,QAAQ,IAAI,qBAAqB,IAC7B,MAAM,GAAG,EACT;AAAA,MAAI,CAAC,MACF,EACK,KAAK,EACL,QAAQ,cAAc,EAAE,EACxB,YAAY;AAAA,IACrB,EACC,OAAO,OAAO;AAAA,EACvB;AACJ;AAEA,SAAS,gBAAyB;AAC9B,UAAQ,QAAQ,IAAI,YAAY,QAAQ,iBAAiB,QAAQ,IAAI,cAAc,QAAQ;AAC/F;AAGO,SAAS,gBAAgB,OAA8B;AAC1D,MAAI;AACA,WAAO,IAAI,IAAI,KAAK,EAAE;AAAA,EAC1B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAGO,SAAS,mBAAmB,KAA2B;AAC1D,QAAM,aAAa,cAAc;AACjC,MAAI,CAAC,WAAY,QAAO;AAExB,QAAM,WAAY,IAAmC,IAAI,KAAK;AAC9D,MAAI,SAAU,QAAO,aAAa;AAElC,MAAI,CAAC,kBAAkB,GAAG;AACtB,WAAO;AAAA,EACX;AAEA,QAAM,iBAAiB,IAAI,QAAQ,IAAI,iBAAiB,KAAK,IAAI,KAAK;AACtE,QAAM,mBAAmB,cAAc,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK;AAC3D,MAAI,iBAAkB,QAAO,qBAAqB;AAElD,QAAM,WAAW,IAAI,QAAQ,IAAI,WAAW,KAAK,IAAI,KAAK;AAC1D,MAAI,QAAS,QAAO,YAAY;AAEhC,SAAO;AACX;AAGO,SAAS,qBAAqB,KAAiC;AAClE,QAAM,UAAU,IAAI,QAAQ,IAAI,QAAQ,KAAK,IAAI,KAAK;AACtD,MAAI,CAAC,OAAQ,QAAO;AAEpB,QAAM,mBAAmB,gBAAgB,MAAM;AAC/C,MAAI,CAAC,iBAAkB,QAAO;AAE9B,QAAM,cAAc,eAAe;AACnC,QAAM,2BAA2B,cAAc,gBAAgB,WAAW,IAAI;AAC9E,MAAI,4BAA4B,qBAAqB,0BAA0B;AAC3E,WAAO;AAAA,EACX;AAEA,QAAM,aAAa,cAAc;AACjC,MAAI,CAAC,WAAY,QAAO;AAExB,MAAI;AACA,UAAM,eAAe,IAAI,IAAI,gBAAgB;AAC7C,QAAI,aAAa,aAAa,WAAY,QAAO;AACjD,QAAI,CAAC,CAAC,SAAS,QAAQ,EAAE,SAAS,aAAa,QAAQ,EAAG,QAAO;AACjE,QAAI,cAAc,KAAK,aAAa,aAAa,SAAU,QAAO;AAGlE,UAAM,gBACD,aAAa,aAAa,WAAW,aAAa,SAAS,MAAM,aAAa,SAAS,QACvF,aAAa,aAAa,YAAY,aAAa,SAAS,MAAM,aAAa,SAAS;AAC7F,QAAI,cAAe,QAAO;AAC1B,WAAO;AAAA,EACX,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,sBAAsB,QAAyB;AACpD,SAAO,uBAAuB,IAAI,OAAO,YAAY,CAAC;AAC1D;AAEA,SAAS,gBAAgB,SAAkB,OAAqB;AAC5D,QAAM,YAAY,QAAQ,IAAI,MAAM,KAAK,IAAI,KAAK;AAClD,MAAI,CAAC,UAAU;AACX,YAAQ,IAAI,QAAQ,KAAK;AACzB;AAAA,EACJ;AAEA,QAAM,SAAS,SACV,MAAM,GAAG,EACT,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAC3B,OAAO,OAAO;AAGnB,MAAI,OAAO,KAAK,CAAC,UAAU,UAAU,GAAG,GAAG;AACvC,YAAQ,IAAI,QAAQ,GAAG;AACvB;AAAA,EACJ;AAEA,QAAM,WAAW,OAAO,KAAK,CAAC,UAAU,MAAM,YAAY,MAAM,MAAM,YAAY,CAAC;AACnF,MAAI,UAAU;AACV,YAAQ,IAAI,QAAQ,OAAO,KAAK,IAAI,CAAC;AACrC;AAAA,EACJ;AAEA,UAAQ,IAAI,QAAQ,CAAC,GAAG,QAAQ,KAAK,EAAE,KAAK,IAAI,CAAC;AACrD;AAYA,SAAS,sBAAsB,KAA2B;AACtD,QAAM,aAAa,IAAI,QAAQ,IAAI,gBAAgB,KAAK,IAAI,KAAK,EAAE,YAAY;AAG/E,MAAI,CAAC,UAAW,QAAO;AACvB,SAAO,EAAE,cAAc,iBAAiB,cAAc,eAAe,cAAc;AACvF;AAEA,SAAS,gBAAgB,KAA2B;AAChD,QAAM,UAAU,IAAI,QAAQ,IAAI,QAAQ,KAAK,IAAI,KAAK;AACtD,MAAI,CAAC,OAAQ,QAAO;AAEpB,QAAM,mBAAmB,gBAAgB,MAAM;AAC/C,MAAI,CAAC,iBAAkB,QAAO;AAE9B,QAAM,gBAAgB,IAAI,QAAQ;AAClC,MAAI,qBAAqB,cAAe,QAAO;AAE/C,QAAM,gBAAgB,qBAAqB,GAAG;AAC9C,SAAO,CAAC,CAAC,iBAAiB,kBAAkB;AAChD;AAEA,SAAS,yBAAyB,KAAiC;AAC/D,QAAM,WAAW,IAAI,QAAQ,IAAI,SAAS,KAAK,IAAI,KAAK;AACxD,MAAI,CAAC,QAAS,QAAO;AACrB,SAAO,gBAAgB,OAAO;AAClC;AAEA,SAAS,iBAAiB,KAA2B;AACjD,QAAM,gBAAgB,yBAAyB,GAAG;AAClD,MAAI,CAAC,cAAe,QAAO;AAE3B,MAAI,kBAAkB,IAAI,QAAQ,OAAQ,QAAO;AAEjD,QAAM,gBAAgB,qBAAqB,GAAG;AAC9C,SAAO,CAAC,CAAC,iBAAiB,kBAAkB;AAChD;AAGO,SAAS,6BAA6B,KAAkB,QAAgB,SAA0B;AACrG,QAAM,kBAAkB,mBAAmB;AAC3C,MAAI,CAAC,sBAAsB,MAAM,EAAG,QAAO;AAC3C,MAAI,gBAAgB,IAAI,QAAQ,YAAY,CAAC,EAAG,QAAO;AACvD,MAAI,sBAAsB,GAAG,EAAG,QAAO;AACvC,MAAI,gBAAgB,GAAG,EAAG,QAAO;AACjC,MAAI,iBAAiB,GAAG,EAAG,QAAO;AAClC,SAAO;AACX;AAGO,SAAS,iBAAiB,SAAkB,KAAkB,YAA2B;AAC5F,QAAM,gBAAgB,qBAAqB,GAAG;AAC9C,QAAM,cAAcA,oBAAmB,EAAE,MAAM;AAC/C,MAAI,YAAY;AACZ,QAAI,eAAe;AACf,cAAQ,IAAI,+BAA+B,aAAa;AAAA,IAC5D;AACA,YAAQ,IAAI,gCAAgC,wCAAwC;AACpF,YAAQ,IAAI,gCAAgC,WAAW;AACvD,YAAQ,IAAI,0BAA0B,OAAO;AAC7C,QAAI,eAAe;AACf,cAAQ,IAAI,oCAAoC,MAAM;AAAA,IAC1D,OAAO;AACH,cAAQ,OAAO,kCAAkC;AAAA,IACrD;AACA,oBAAgB,SAAS,QAAQ;AACjC;AAAA,EACJ;AACA,MAAI,eAAe;AACf,YAAQ,IAAI,+BAA+B,aAAa;AACxD,YAAQ,IAAI,oCAAoC,MAAM;AAAA,EAC1D,OAAO;AACH,YAAQ,OAAO,kCAAkC;AAAA,EACrD;AACA,kBAAgB,SAAS,QAAQ;AACjC,UAAQ,IAAI,gCAAgC,wCAAwC;AACpF,UAAQ,IAAI,gCAAgC,WAAW;AACvD,UAAQ,IAAI,0BAA0B,OAAO;AACjD;AAGO,SAAS,qBAA8B;AAC1C,SAAO,mBAAmB,EAAE,OAAO;AACvC;AAGO,SAAS,iCAAgD;AAC5D,MAAI,CAAC,cAAc,EAAG,QAAO;AAC7B,MAAI,mBAAmB,EAAG,QAAO;AACjC,SAAO;AACX;;;ACtNA,SAAS,uBAAuB,OAAe,UAA0B;AACrE,SAAO,OAAO,SAAS,KAAK,KAAK,QAAQ,IAAI,KAAK,MAAM,KAAK,IAAI;AACrE;AAEA,SAAS,qBAA8B;AACnC,SAAO,QAAQ,IAAI,kCAAkC;AACzD;AAEA,SAASC,qBAA6B;AAClC,SAAO,QAAQ,IAAI,6BAA6B;AACpD;AAEA,SAAS,UAAU,SAAsB,MAAsB;AAC3D,UAAQ,QAAQ,QAAQ,IAAI,IAAI,KAAK,IAAI,KAAK;AAClD;AAEA,SAAS,uBAAuB,SAA8B;AAC1D,QAAM,YAAY,UAAU,SAAS,YAAY,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE;AAC5E,QAAM,iBAAiB,UAAU,SAAS,iBAAiB,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE;AACtF,QAAM,UAAU,UAAU,SAAS,WAAW,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE;AACzE,QAAM,SAAS,CAAC,WAAW,gBAAgB,OAAO,EAAE,OAAO,OAAO,EAAE,KAAK,GAAG;AAC5E,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO,MAAM,MAAM,GAAG,MAAM,GAAG,GAAG;AACtC;AAEA,SAAS,YAA6B;AAClC,SAAO;AAAA,IACH,UAAU,uBAAuB,OAAO,QAAQ,IAAI,mCAAmC,QAAQ,GAAG,GAAO;AAAA,IACzG,SAAS,uBAAuB,OAAO,QAAQ,IAAI,kCAAkC,QAAQ,GAAG,GAAO;AAAA,IACvG,2BAA2B,uBAAuB,OAAO,QAAQ,IAAI,sCAAsC,GAAG,GAAG,CAAC;AAAA,IAClH,sBAAsB;AAAA,MAClB,OAAO,QAAQ,IAAI,8CAA8C,IAAI;AAAA,MACrE;AAAA,IACJ;AAAA,IACA,SAAS,uBAAuB,OAAO,QAAQ,IAAI,kCAAkC,OAAO,GAAG,GAAM;AAAA,EACzG;AACJ;AAGO,SAAS,iBAAiB,SAA8B;AAC3D,MAAIA,mBAAkB,GAAG;AACrB,UAAM,gBAAgB,UAAU,SAAS,iBAAiB;AAC1D,UAAM,QAAQ,cAAc,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK;AAChD,QAAI,MAAO,QAAO;AAElB,UAAM,UAAU,UAAU,SAAS,WAAW;AAC9C,QAAI,QAAS,QAAO;AAAA,EACxB;AAKA,QAAM,WAAY,QAAuC,IAAI,KAAK;AAClE,MAAI,SAAU,QAAO;AACrB,SAAO,uBAAuB,OAAO;AACzC;AAEA,SAAS,0BAA0B,OAAuB;AACtD,QAAM,UAAU,MAAM,KAAK,EAAE,YAAY;AACzC,MAAI,CAAC,QAAS,QAAO;AACrB,SAAO,QAAQ,MAAM,GAAG,GAAG;AAC/B;AAGO,SAAS,sBAAsB,SAAsB,UAAiC;AACzF,QAAM,qBAAqB,0BAA0B,QAAQ;AAC7D,QAAM,eAAe,0BAA0B,iBAAiB,OAAO,CAAC;AACxE,QAAM,UAAU,GAAG,YAAY,IAAI,kBAAkB;AACrD,QAAM,aAAa,uBAAuB,YAAY,qBAAqB;AAC3E,SAAO,EAAE,SAAS,WAAW;AACjC;AAGO,SAAS,0BAA0B,KAAmB;AACzD,QAAM,SAAS,UAAU;AACzB,QAAM,UAAU,sBAAsB;AAEtC,aAAW,SAAS,CAAC,MAAM,SAAS,GAAY;AAC5C,QAAI,OAAO,QAAQ,iBAAiB,YAAY;AAC5C,cAAQ,aAAa,OAAO,KAAK,OAAO,QAAQ;AAAA,IACpD;AAEA,UAAM,OAAO,QAAQ,KAAK,KAAK;AAC/B,QAAI,OAAO,OAAO,SAAS;AACvB,cAAQ,YAAY,OAAO,OAAO,OAAO,OAAO;AAAA,IACpD;AAAA,EACJ;AACJ;AAGO,SAAS,yBAAyB,MAAqB,KAAqB;AAC/E,MAAI,CAAC,mBAAmB,EAAG,QAAO;AAClC,QAAM,SAAS,UAAU;AACzB,QAAM,SAAS,eAAe,KAAK,SAAS,KAAK,YAAY,MAAM;AACnE,MAAI,CAAC,OAAQ,QAAO;AAGpB,QAAM,UAAU,sBAAsB;AACtC,QAAM,UAAU,QAAQ,IAAI,MAAM,KAAK,OAAO;AAC9C,QAAM,eAAe,KAAK,aAAa,QAAQ,IAAI,WAAW,KAAK,UAAU,IAAI;AACjF,QAAM,UAAU,WAAW,QAAQ,eAAe,MAAM,QAAQ,eAAe,MAAM;AACrF,QAAM,eAAe,gBAAgB,aAAa,eAAe,MAAM,aAAa,eAAe,MAAM;AACzG,SAAO,KAAK,IAAI,SAAS,YAAY;AACzC;AAGO,SAAS,2BAA2B,MAAqB,MAAoB;AAChF,MAAI,CAAC,mBAAmB,EAAG;AAC3B,QAAM,SAAS,UAAU;AACzB,sBAAoB,KAAK,SAAS,KAAK,YAAY,MAAM;AAC7D;AAGO,SAAS,uBAAuB,MAA2B;AAC9D,MAAI,CAAC,mBAAmB,EAAG;AAC3B,wBAAsB,KAAK,SAAS,KAAK,UAAU;AACvD;","names":["getFrameworkConfig","trustProxyHeaders"]}

package/dist/chunk-KA7RJCWA.js ADDED Viewed

@@ -0,0 +1,24 @@
+// src/security-headers.ts
+var PERMISSIONS_POLICY_VALUE = "accelerometer=(), autoplay=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), browsing-topics=()";
+var BASE_SECURITY_HEADER_VALUES = Object.freeze({
+  "Referrer-Policy": "strict-origin-when-cross-origin",
+  "X-Content-Type-Options": "nosniff",
+  "X-Frame-Options": "DENY",
+  "Cross-Origin-Opener-Policy": "same-origin",
+  "Cross-Origin-Resource-Policy": "same-origin",
+  "X-DNS-Prefetch-Control": "off",
+  "X-Permitted-Cross-Domain-Policies": "none",
+  "Origin-Agent-Cluster": "?1",
+  "Permissions-Policy": PERMISSIONS_POLICY_VALUE
+});
+var BASE_SECURITY_HEADERS = Object.entries(BASE_SECURITY_HEADER_VALUES).map(([key, value]) => ({
+  key,
+  value
+}));
+export {
+  PERMISSIONS_POLICY_VALUE,
+  BASE_SECURITY_HEADER_VALUES,
+  BASE_SECURITY_HEADERS
+};
+//# sourceMappingURL=chunk-KA7RJCWA.js.map

package/dist/chunk-KA7RJCWA.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/security-headers.ts"],"sourcesContent":["export const PERMISSIONS_POLICY_VALUE =\n \"accelerometer=(), autoplay=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), browsing-topics=()\";\n\nexport const BASE_SECURITY_HEADER_VALUES: Readonly<Record<string, string>> = Object.freeze({\n \"Referrer-Policy\": \"strict-origin-when-cross-origin\",\n \"X-Content-Type-Options\": \"nosniff\",\n \"X-Frame-Options\": \"DENY\",\n \"Cross-Origin-Opener-Policy\": \"same-origin\",\n \"Cross-Origin-Resource-Policy\": \"same-origin\",\n \"X-DNS-Prefetch-Control\": \"off\",\n \"X-Permitted-Cross-Domain-Policies\": \"none\",\n \"Origin-Agent-Cluster\": \"?1\",\n \"Permissions-Policy\": PERMISSIONS_POLICY_VALUE,\n});\n\nexport const BASE_SECURITY_HEADERS = Object.entries(BASE_SECURITY_HEADER_VALUES).map(([key, value]) => ({\n key,\n value,\n}));\n"],"mappings":";AAAO,IAAM,2BACT;AAEG,IAAM,8BAAgE,OAAO,OAAO;AAAA,EACvF,mBAAmB;AAAA,EACnB,0BAA0B;AAAA,EAC1B,mBAAmB;AAAA,EACnB,8BAA8B;AAAA,EAC9B,gCAAgC;AAAA,EAChC,0BAA0B;AAAA,EAC1B,qCAAqC;AAAA,EACrC,wBAAwB;AAAA,EACxB,sBAAsB;AAC1B,CAAC;AAEM,IAAM,wBAAwB,OAAO,QAAQ,2BAA2B,EAAE,IAAI,CAAC,CAAC,KAAK,KAAK,OAAO;AAAA,EACpG;AAAA,EACA;AACJ,EAAE;","names":[]}

package/dist/chunk-OYTV4D7E.js ADDED Viewed

@@ -0,0 +1,159 @@
+import {
+  BASE_SECURITY_HEADER_VALUES
+} from "./chunk-KA7RJCWA.js";
+// src/proxy-middleware.ts
+import { getFrameworkConfig } from "@spring-systems/core/config";
+import { NextResponse } from "next/server.js";
+function toOriginSource(value) {
+  const raw = value.trim();
+  if (!raw) return [];
+  try {
+    const parsed = new URL(raw);
+    const out = [parsed.origin];
+    if (parsed.protocol === "https:") {
+      out.push(`wss://${parsed.host}`);
+    } else if (parsed.protocol === "http:") {
+      out.push(`ws://${parsed.host}`);
+    }
+    return out;
+  } catch {
+    return [];
+  }
+}
+var BLOCKED_CSP_SCHEMES = /* @__PURE__ */ new Set(["javascript:", "data:", "blob:", "vbscript:", "filesystem:"]);
+function parseCspSource(token) {
+  const value = token.trim();
+  if (!value) return null;
+  if (/[\s;,\r\n]/.test(value)) return null;
+  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:$/.test(value)) {
+    const lower = value.toLowerCase();
+    if (BLOCKED_CSP_SCHEMES.has(lower)) return null;
+    return lower;
+  }
+  try {
+    const parsed = new URL(value);
+    if (!["http:", "https:", "ws:", "wss:"].includes(parsed.protocol)) return null;
+    if (parsed.username || parsed.password) return null;
+    if (parsed.pathname !== "/" || parsed.search || parsed.hash) return null;
+    return `${parsed.protocol}//${parsed.host}`;
+  } catch {
+    return null;
+  }
+}
+function parseReportUri(value) {
+  const trimmed = value.trim();
+  if (!trimmed) return null;
+  if (/[\s;,\r\n"]/.test(trimmed)) return null;
+  try {
+    const parsed = new URL(trimmed);
+    if (!["http:", "https:"].includes(parsed.protocol)) return null;
+    if (parsed.username || parsed.password) return null;
+    return parsed.toString();
+  } catch {
+    return null;
+  }
+}
+function parseCspList(value) {
+  const parsed = value.split(",").map((s) => parseCspSource(s)).filter((s) => !!s);
+  return [...new Set(parsed)];
+}
+function proxy(req) {
+  const url = req.nextUrl.clone();
+  const TARGET_ENV = process.env.TARGET_ENV || "test";
+  const isProdRuntime = TARGET_ENV === "prod" || process.env.NODE_ENV === "production";
+  const isTargetProd = TARGET_ENV === "prod";
+  const isLocalHost = url.hostname === "localhost" || url.hostname === "127.0.0.1";
+  const nonce = crypto.randomUUID().replace(/-/g, "");
+  const allowUnsafeStyleAttr = process.env.CSP_ALLOW_UNSAFE_STYLE_ATTR === "true";
+  const denyStyleAttr = isTargetProd && !allowUnsafeStyleAttr;
+  const allowUnsafeInlineStyle = !isTargetProd;
+  const connectHostsEnv = parseCspList(process.env.CSP_CONNECT_HOSTS || "");
+  const apiConnectSources = toOriginSource(process.env.API_URL || "");
+  const imgHostsEnv = parseCspList(process.env.CSP_IMG_HOSTS || "");
+  const scriptHostsEnv = parseCspList(process.env.CSP_SCRIPT_HOSTS || "");
+  const frameHostsEnv = parseCspList(process.env.CSP_FRAME_HOSTS || "");
+  const cspConfig = getFrameworkConfig().csp;
+  const validatedConnectSources = cspConfig.thirdPartyConnectSources.map((s) => parseCspSource(s)).filter((s) => !!s);
+  const validatedImgSources = cspConfig.thirdPartyImageSources.map((s) => parseCspSource(s)).filter((s) => !!s);
+  const validatedScriptSources = cspConfig.thirdPartyScriptSources.map((s) => parseCspSource(s)).filter((s) => !!s);
+  const validatedFrameSources = cspConfig.thirdPartyFrameSources.map((s) => parseCspSource(s)).filter((s) => !!s);
+  const connectSrc = [
+    "'self'",
+    ...validatedConnectSources,
+    ...apiConnectSources,
+    ...connectHostsEnv,
+    ...!isProdRuntime ? ["http://localhost:*", "http://127.0.0.1:*", "ws://localhost:*", "ws://127.0.0.1:*"] : []
+  ].join(" ");
+  const imgSrc = ["'self'", "data:", "blob:", ...validatedImgSources, ...imgHostsEnv].join(" ");
+  const scriptSrcHosts = [...validatedScriptSources, ...scriptHostsEnv].join(" ");
+  const frameSrcHosts = [...validatedFrameSources, ...frameHostsEnv].join(" ");
+  const reportUri = parseReportUri(process.env.CSP_REPORT_URI || "");
+  const cspDirectives = [
+    "default-src 'self'",
+    "base-uri 'self'",
+    "object-src 'none'",
+    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${scriptSrcHosts}`,
+    `script-src-elem 'self' 'nonce-${nonce}' 'strict-dynamic' ${scriptSrcHosts}`,
+    "script-src-attr 'none'",
+    allowUnsafeInlineStyle ? "style-src 'self' 'unsafe-inline'" : `style-src 'self' 'nonce-${nonce}'`,
+    denyStyleAttr ? "style-src-attr 'none'" : "style-src-attr 'unsafe-inline'",
+    `img-src ${imgSrc}`,
+    "media-src 'self' blob: data:",
+    "manifest-src 'self'",
+    `connect-src ${connectSrc}`,
+    `frame-src ${frameSrcHosts || "'none'"}`,
+    "frame-ancestors 'none'",
+    "form-action 'self'",
+    ...isTargetProd ? ["upgrade-insecure-requests"] : [],
+    ...reportUri ? [`report-uri ${reportUri}`, "report-to csp-violations"] : []
+  ];
+  const csp = cspDirectives.join("; ");
+  const blockedPrefixes = getFrameworkConfig().proxy.blockedPathPrefixesInProd ?? [];
+  if (isProdRuntime) {
+    for (const prefix of blockedPrefixes) {
+      if (url.pathname.startsWith(prefix)) {
+        const res2 = new NextResponse("Not Found", { status: 404 });
+        return setSecurity(res2, { isLocalHost, isTargetProd, csp, nonce, reportUri });
+      }
+    }
+  }
+  if (url.pathname === "/") {
+    const dest = new URL(url.toString());
+    if (!isLocalHost) dest.protocol = "https:";
+    dest.pathname = getFrameworkConfig().app.defaultRoute;
+    dest.search = "";
+    const res2 = makeRedirect(dest, 308);
+    return setSecurity(res2, { isLocalHost, isTargetProd, csp, nonce, reportUri });
+  }
+  const requestHeaders = new Headers(req.headers);
+  requestHeaders.set("x-nonce", nonce);
+  const res = NextResponse.next({ request: { headers: requestHeaders } });
+  return setSecurity(res, { isLocalHost, isTargetProd, csp, nonce, reportUri });
+}
+function setSecurity(res, opts) {
+  const { isLocalHost, csp, nonce, reportUri } = opts;
+  if (csp) res.headers.set("Content-Security-Policy", csp);
+  for (const [key, value] of Object.entries(BASE_SECURITY_HEADER_VALUES)) {
+    res.headers.set(key, value);
+  }
+  if (opts.isTargetProd && !isLocalHost)
+    res.headers.set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");
+  if (reportUri) res.headers.set("Reporting-Endpoints", `csp-violations="${reportUri}"`);
+  if (nonce) res.headers.set("x-nonce", nonce);
+  return res;
+}
+function makeRedirect(to, status = 308) {
+  const res = new NextResponse(null, { status });
+  res.headers.set("Location", typeof to === "string" ? to : to.toString());
+  return res;
+}
+var proxyConfig = {
+  matcher: ["/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt|api/health).*)"]
+};
+export {
+  proxy,
+  proxyConfig
+};
+//# sourceMappingURL=chunk-OYTV4D7E.js.map