@strapi/core 0.0.0-experimental.f49f46a1c17445a39e8af3f63124bcccf73842e6 → 0.0.0-experimental.f56bca7c4d88bc4c61b6de9f65648d857cf242d9

package/dist/middlewares/security.js.map

@@ -1 +1 @@
-{"version":3,"file":"security.js","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      'connect-src': [\"'self'\", 'https:'],\n      'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n      'media-src': [\"'self'\", 'data:', 'blob:'],\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ctx.path.startsWith(strapi.config.get('admin.path'))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":["mergeWith","defaultsDeep","helmet"],"mappings":";;;;;;AAOA,MAAM,WAAmB;AAAA,EACvB,2BAA2B;AAAA,EAC3B,yBAAyB;AAAA,EACzB,2BAA2B;AAAA,EAC3B,oBAAoB;AAAA,EACpB,uBAAuB;AAAA,IACrB,aAAa;AAAA,IACb,YAAY;AAAA,MACV,eAAe,CAAC,UAAU,QAAQ;AAAA,MAClC,WAAW,CAAC,UAAU,SAAS,SAAS,iCAAiC;AAAA,MACzE,aAAa,CAAC,UAAU,SAAS,OAAO;AAAA,MACxC,yBAAyB;AAAA,IAC3B;AAAA,EACF;AAAA,EACA,WAAW;AAAA,EACX,MAAM;AAAA,IACJ,QAAQ;AAAA,IACR,mBAAmB;AAAA,EACrB;AAAA,EACA,YAAY;AAAA,IACV,QAAQ;AAAA,EACV;AACF;AAEA,MAAM,cAAc,CAAC,gBAAwB,cAAsB;AAC1D,SAAAA,GAAA;AAAA,IACL,CAAC,KAAK,QAAS,MAAM,QAAQ,GAAG,KAAK,MAAM,QAAQ,GAAG,IAAI,IAAI,OAAO,GAAG,IAAI;AAAA,IAC5E;AAAA,IACA;AAAA,EAAA;AAEJ;AAEa,MAAA,WACX,CAAC,QAAQ,EAAE,aACX,CAAC,KAAK,SAAS;AACT,MAAA,eAAuBC,GAAAA,aAAa,UAAU,MAAM;AAElD,QAAA,eAAe,CAAC,gBAAgB;AAEtC,QAAM,aAKF;AAAA,IACF,cAAc,CAAC,UAAU,mBAAmB,kBAAkB;AAAA,IAC9D,WAAW,CAAC,UAAU,SAAS,oBAAoB,WAAW;AAAA,IAC9D,gBAAgB,CAAC;AAAA,IACjB,aAAa,CAAC;AAAA,EAAA;AAIZ,MAAA,OAAO,OAAO,SAAS,GAAG,QAAQ,OAAO,EAAE,WAAW,aAAa;AACrE,UAAM,EAAE,QAAQ,UAAA,IAAc,OAAO,OAAO,SAAS;AACxC,iBAAA,KAAK,UAAU,UAAU,CAAC;AAE5B,eAAA,YAAY,EAAE,KAAK,wBAAwB;AAC3C,eAAA,SAAS,EAAE,KAAK,oDAAoD;AACpE,eAAA,cAAc,EAAE,KAAK,QAAQ;AAC7B,eAAA,cAAc,EAAE,KAAK,kDAAkD;AACvE,eAAA,WAAW,EAAE,KAAK,QAAQ;AAC1B,eAAA,WAAW,EAAE,KAAK,iCAAiC;AAAA,EAChE;AAGA,MAAI,IAAI,WAAW,SAAS,aAAa,KAAK,CAAC,QAAQ,IAAI,KAAK,WAAW,GAAG,CAAC,GAAG;AAChF,mBAAe,YAAY,cAAc;AAAA,MACvC,2BAA2B;AAAA;AAAA,MAC3B,uBAAuB;AAAA,QACrB;AAAA,MACF;AAAA,IAAA,CACD;AAAA,EACH;AAYE,MAAA,CAAC,eAAe,MAAM,EAAE,SAAS,QAAQ,IAAI,YAAY,EAAE,KAC3D,IAAI,WAAW,SACf,IAAI,KAAK,WAAW,OAAO,OAAO,IAAI,YAAY,CAAC,GACnD;AACA,mBAAe,YAAY,cAAc;AAAA,MACvC,uBAAuB;AAAA,QACrB,YAAY;AAAA,UACV,cAAc,CAAC,UAAU,iBAAiB;AAAA,UAC1C,eAAe,CAAC,UAAU,SAAS,UAAU,KAAK;AAAA,QACpD;AAAA,MACF;AAAA,IAAA,CACD;AAAA,EACH;AAEA,SAAOC,gBAAO,QAAA,YAAY,EAAE,KAAK,IAAI;AACvC;;"}
+{"version":3,"file":"security.js","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      'connect-src': [\"'self'\", 'https:'],\n      'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n      'media-src': [\"'self'\", 'data:', 'blob:'],\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ctx.path.startsWith(strapi.config.get('admin.path'))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;;;AAOA,MAAMA,QAAmB,GAAA;IACvBC,yBAA2B,EAAA,KAAA;IAC3BC,uBAAyB,EAAA,KAAA;IACzBC,yBAA2B,EAAA,KAAA;IAC3BC,kBAAoB,EAAA,KAAA;IACpBC,qBAAuB,EAAA;QACrBC,WAAa,EAAA,IAAA;QACbC,UAAY,EAAA;YACV,aAAe,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA;AAAS,aAAA;YACnC,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,OAAA;AAAS,gBAAA;AAAkC,aAAA;YAC1E,WAAa,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA;AAAQ,aAAA;YACzCC,uBAAyB,EAAA;AAC3B;AACF,KAAA;IACAC,SAAW,EAAA,KAAA;IACXC,IAAM,EAAA;QACJC,MAAQ,EAAA,QAAA;QACRC,iBAAmB,EAAA;AACrB,KAAA;IACAC,UAAY,EAAA;QACVC,MAAQ,EAAA;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAwBC,EAAAA,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,aACL,CAACC,GAAAA,EAAKC,GAASC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAMC,CAAAA,OAAO,CAACF,GAAOD,CAAAA,GAAAA,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cACAC,EAAAA,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAKC,EAAAA,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,gBAAa/B,QAAU0B,EAAAA,MAAAA,CAAAA;AAElD,QAAA,MAAMM,YAAe,GAAA;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAMzB,UAKF,GAAA;YACF,YAAc,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIoB,OAAOM,MAAM,CAAC,YAAYC,OAAQ,CAAA,OAAA,CAAA,CAASC,WAAWC,SAAa,EAAA,EAAA;AACrE,YAAA,MAAM,EAAEV,MAAQW,EAAAA,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAaM,CAAAA,IAAI,CAACD,SAAU,CAAA,UAAA,CAAA,CAAA;AAE5B9B,YAAAA,UAAU,CAAC,YAAa,CAAA,CAAC+B,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtD/B,YAAAA,UAAU,CAAC,SAAU,CAAA,CAAC+B,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/E/B,YAAAA,UAAU,CAAC,cAAe,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxC/B,YAAAA,UAAU,CAAC,cAAA,CAAe,CAAC+B,IAAI,CAAC,kDAAA,CAAA;AAChC/B,YAAAA,UAAU,CAAC,WAAY,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrC/B,YAAAA,UAAU,CAAC,WAAA,CAAY,CAAC+B,IAAI,CAAC,iCAAA,CAAA;AAC/B;;AAGA,QAAA,IAAIV,GAAIW,CAAAA,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAACF,GAAO,CAAA,CAAA,EAAA;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC7B,yBAA2B,EAAA,KAAA;gBAC3BI,qBAAuB,EAAA;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACqC,QAAQ,CAACC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,IAAI,EACzDnB,CAAAA,IAAAA,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YACtC,CAAA,CAAA,EAAA;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvCzB,qBAAuB,EAAA;oBACrBE,UAAY,EAAA;wBACV,YAAc,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAe,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF;QAEA,OAAO0C,MAAAA,CAAOnB,cAAcF,GAAKC,EAAAA,IAAAA,CAAAA;;;;;"}

package/dist/middlewares/security.mjs

@@ -1,76 +1,114 @@
-import { defaultsDeep, mergeWith } from "lodash/fp";
-import helmet from "koa-helmet";
+import { defaultsDeep, mergeWith } from 'lodash/fp';
+import helmet from 'koa-helmet';
+
 const defaults = {
-  crossOriginEmbedderPolicy: false,
-  crossOriginOpenerPolicy: false,
-  crossOriginResourcePolicy: false,
-  originAgentCluster: false,
-  contentSecurityPolicy: {
-    useDefaults: true,
-    directives: {
-      "connect-src": ["'self'", "https:"],
-      "img-src": ["'self'", "data:", "blob:", "https://market-assets.strapi.io"],
-      "media-src": ["'self'", "data:", "blob:"],
-      upgradeInsecureRequests: null
-    }
-  },
-  xssFilter: false,
-  hsts: {
-    maxAge: 31536e3,
-    includeSubDomains: true
-  },
-  frameguard: {
-    action: "sameorigin"
-  }
-};
-const mergeConfig = (existingConfig, newConfig) => {
-  return mergeWith(
-    (obj, src) => Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : void 0,
-    existingConfig,
-    newConfig
-  );
-};
-const security = (config, { strapi }) => (ctx, next) => {
-  let helmetConfig = defaultsDeep(defaults, config);
-  const specialPaths = ["/documentation"];
-  const directives = {
-    "script-src": ["'self'", "'unsafe-inline'", "cdn.jsdelivr.net"],
-    "img-src": ["'self'", "data:", "cdn.jsdelivr.net", "strapi.io"],
-    "manifest-src": [],
-    "frame-src": []
-  };
-  if (strapi.plugin("graphql")?.service("utils").playground.isEnabled()) {
-    const { config: gqlConfig } = strapi.plugin("graphql");
-    specialPaths.push(gqlConfig("endpoint"));
-    directives["script-src"].push(`https: 'unsafe-inline'`);
-    directives["img-src"].push(`'apollo-server-landing-page.cdn.apollographql.com'`);
-    directives["manifest-src"].push(`'self'`);
-    directives["manifest-src"].push("apollo-server-landing-page.cdn.apollographql.com");
-    directives["frame-src"].push(`'self'`);
-    directives["frame-src"].push("sandbox.embed.apollographql.com");
-  }
-  if (ctx.method === "GET" && specialPaths.some((str) => ctx.path.startsWith(str))) {
-    helmetConfig = mergeConfig(helmetConfig, {
-      crossOriginEmbedderPolicy: false,
-      // TODO: only use this for graphql playground
-      contentSecurityPolicy: {
-        directives
-      }
-    });
-  }
-  if (["development", "test"].includes(process.env.NODE_ENV ?? "") && ctx.method === "GET" && ctx.path.startsWith(strapi.config.get("admin.path"))) {
-    helmetConfig = mergeConfig(helmetConfig, {
-      contentSecurityPolicy: {
+    crossOriginEmbedderPolicy: false,
+    crossOriginOpenerPolicy: false,
+    crossOriginResourcePolicy: false,
+    originAgentCluster: false,
+    contentSecurityPolicy: {
+        useDefaults: true,
         directives: {
-          "script-src": ["'self'", "'unsafe-inline'"],
-          "connect-src": ["'self'", "http:", "https:", "ws:"]
+            'connect-src': [
+                "'self'",
+                'https:'
+            ],
+            'img-src': [
+                "'self'",
+                'data:',
+                'blob:',
+                'https://market-assets.strapi.io'
+            ],
+            'media-src': [
+                "'self'",
+                'data:',
+                'blob:'
+            ],
+            upgradeInsecureRequests: null
         }
-      }
-    });
-  }
-  return helmet(helmetConfig)(ctx, next);
+    },
+    xssFilter: false,
+    hsts: {
+        maxAge: 31536000,
+        includeSubDomains: true
+    },
+    frameguard: {
+        action: 'sameorigin'
+    }
 };
-export {
-  security
+const mergeConfig = (existingConfig, newConfig)=>{
+    return mergeWith((obj, src)=>Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined, existingConfig, newConfig);
 };
+const security = (config, { strapi })=>(ctx, next)=>{
+        let helmetConfig = defaultsDeep(defaults, config);
+        const specialPaths = [
+            '/documentation'
+        ];
+        const directives = {
+            'script-src': [
+                "'self'",
+                "'unsafe-inline'",
+                'cdn.jsdelivr.net'
+            ],
+            'img-src': [
+                "'self'",
+                'data:',
+                'cdn.jsdelivr.net',
+                'strapi.io'
+            ],
+            'manifest-src': [],
+            'frame-src': []
+        };
+        // if apollo graphql playground is enabled, add exceptions for it
+        if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {
+            const { config: gqlConfig } = strapi.plugin('graphql');
+            specialPaths.push(gqlConfig('endpoint'));
+            directives['script-src'].push(`https: 'unsafe-inline'`);
+            directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);
+            directives['manifest-src'].push(`'self'`);
+            directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');
+            directives['frame-src'].push(`'self'`);
+            directives['frame-src'].push('sandbox.embed.apollographql.com');
+        }
+        // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that
+        if (ctx.method === 'GET' && specialPaths.some((str)=>ctx.path.startsWith(str))) {
+            helmetConfig = mergeConfig(helmetConfig, {
+                crossOriginEmbedderPolicy: false,
+                contentSecurityPolicy: {
+                    directives
+                }
+            });
+        }
+        /**
+     * These are for vite's watch mode so it can accurately
+     * connect to the HMR websocket & reconnect on failure
+     * or when the server restarts.
+     *
+     * It only applies in development, and only on GET requests
+     * that are part of the admin route.
+     */ if ([
+            'development',
+            'test'
+        ].includes(process.env.NODE_ENV ?? '') && ctx.method === 'GET' && ctx.path.startsWith(strapi.config.get('admin.path'))) {
+            helmetConfig = mergeConfig(helmetConfig, {
+                contentSecurityPolicy: {
+                    directives: {
+                        'script-src': [
+                            "'self'",
+                            "'unsafe-inline'"
+                        ],
+                        'connect-src': [
+                            "'self'",
+                            'http:',
+                            'https:',
+                            'ws:'
+                        ]
+                    }
+                }
+            });
+        }
+        return helmet(helmetConfig)(ctx, next);
+    };
+
+export { security };
 //# sourceMappingURL=security.mjs.map

package/dist/middlewares/security.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"security.mjs","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      'connect-src': [\"'self'\", 'https:'],\n      'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n      'media-src': [\"'self'\", 'data:', 'blob:'],\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ctx.path.startsWith(strapi.config.get('admin.path'))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":[],"mappings":";;AAOA,MAAM,WAAmB;AAAA,EACvB,2BAA2B;AAAA,EAC3B,yBAAyB;AAAA,EACzB,2BAA2B;AAAA,EAC3B,oBAAoB;AAAA,EACpB,uBAAuB;AAAA,IACrB,aAAa;AAAA,IACb,YAAY;AAAA,MACV,eAAe,CAAC,UAAU,QAAQ;AAAA,MAClC,WAAW,CAAC,UAAU,SAAS,SAAS,iCAAiC;AAAA,MACzE,aAAa,CAAC,UAAU,SAAS,OAAO;AAAA,MACxC,yBAAyB;AAAA,IAC3B;AAAA,EACF;AAAA,EACA,WAAW;AAAA,EACX,MAAM;AAAA,IACJ,QAAQ;AAAA,IACR,mBAAmB;AAAA,EACrB;AAAA,EACA,YAAY;AAAA,IACV,QAAQ;AAAA,EACV;AACF;AAEA,MAAM,cAAc,CAAC,gBAAwB,cAAsB;AAC1D,SAAA;AAAA,IACL,CAAC,KAAK,QAAS,MAAM,QAAQ,GAAG,KAAK,MAAM,QAAQ,GAAG,IAAI,IAAI,OAAO,GAAG,IAAI;AAAA,IAC5E;AAAA,IACA;AAAA,EAAA;AAEJ;AAEa,MAAA,WACX,CAAC,QAAQ,EAAE,aACX,CAAC,KAAK,SAAS;AACT,MAAA,eAAuB,aAAa,UAAU,MAAM;AAElD,QAAA,eAAe,CAAC,gBAAgB;AAEtC,QAAM,aAKF;AAAA,IACF,cAAc,CAAC,UAAU,mBAAmB,kBAAkB;AAAA,IAC9D,WAAW,CAAC,UAAU,SAAS,oBAAoB,WAAW;AAAA,IAC9D,gBAAgB,CAAC;AAAA,IACjB,aAAa,CAAC;AAAA,EAAA;AAIZ,MAAA,OAAO,OAAO,SAAS,GAAG,QAAQ,OAAO,EAAE,WAAW,aAAa;AACrE,UAAM,EAAE,QAAQ,UAAA,IAAc,OAAO,OAAO,SAAS;AACxC,iBAAA,KAAK,UAAU,UAAU,CAAC;AAE5B,eAAA,YAAY,EAAE,KAAK,wBAAwB;AAC3C,eAAA,SAAS,EAAE,KAAK,oDAAoD;AACpE,eAAA,cAAc,EAAE,KAAK,QAAQ;AAC7B,eAAA,cAAc,EAAE,KAAK,kDAAkD;AACvE,eAAA,WAAW,EAAE,KAAK,QAAQ;AAC1B,eAAA,WAAW,EAAE,KAAK,iCAAiC;AAAA,EAChE;AAGA,MAAI,IAAI,WAAW,SAAS,aAAa,KAAK,CAAC,QAAQ,IAAI,KAAK,WAAW,GAAG,CAAC,GAAG;AAChF,mBAAe,YAAY,cAAc;AAAA,MACvC,2BAA2B;AAAA;AAAA,MAC3B,uBAAuB;AAAA,QACrB;AAAA,MACF;AAAA,IAAA,CACD;AAAA,EACH;AAYE,MAAA,CAAC,eAAe,MAAM,EAAE,SAAS,QAAQ,IAAI,YAAY,EAAE,KAC3D,IAAI,WAAW,SACf,IAAI,KAAK,WAAW,OAAO,OAAO,IAAI,YAAY,CAAC,GACnD;AACA,mBAAe,YAAY,cAAc;AAAA,MACvC,uBAAuB;AAAA,QACrB,YAAY;AAAA,UACV,cAAc,CAAC,UAAU,iBAAiB;AAAA,UAC1C,eAAe,CAAC,UAAU,SAAS,UAAU,KAAK;AAAA,QACpD;AAAA,MACF;AAAA,IAAA,CACD;AAAA,EACH;AAEA,SAAO,OAAO,YAAY,EAAE,KAAK,IAAI;AACvC;"}
+{"version":3,"file":"security.mjs","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      'connect-src': [\"'self'\", 'https:'],\n      'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n      'media-src': [\"'self'\", 'data:', 'blob:'],\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ctx.path.startsWith(strapi.config.get('admin.path'))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;AAOA,MAAMA,QAAmB,GAAA;IACvBC,yBAA2B,EAAA,KAAA;IAC3BC,uBAAyB,EAAA,KAAA;IACzBC,yBAA2B,EAAA,KAAA;IAC3BC,kBAAoB,EAAA,KAAA;IACpBC,qBAAuB,EAAA;QACrBC,WAAa,EAAA,IAAA;QACbC,UAAY,EAAA;YACV,aAAe,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA;AAAS,aAAA;YACnC,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,OAAA;AAAS,gBAAA;AAAkC,aAAA;YAC1E,WAAa,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA;AAAQ,aAAA;YACzCC,uBAAyB,EAAA;AAC3B;AACF,KAAA;IACAC,SAAW,EAAA,KAAA;IACXC,IAAM,EAAA;QACJC,MAAQ,EAAA,QAAA;QACRC,iBAAmB,EAAA;AACrB,KAAA;IACAC,UAAY,EAAA;QACVC,MAAQ,EAAA;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAwBC,EAAAA,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,UACL,CAACC,GAAAA,EAAKC,GAASC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAMC,CAAAA,OAAO,CAACF,GAAOD,CAAAA,GAAAA,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cACAC,EAAAA,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAKC,EAAAA,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,aAAa/B,QAAU0B,EAAAA,MAAAA,CAAAA;AAElD,QAAA,MAAMM,YAAe,GAAA;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAMzB,UAKF,GAAA;YACF,YAAc,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIoB,OAAOM,MAAM,CAAC,YAAYC,OAAQ,CAAA,OAAA,CAAA,CAASC,WAAWC,SAAa,EAAA,EAAA;AACrE,YAAA,MAAM,EAAEV,MAAQW,EAAAA,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAaM,CAAAA,IAAI,CAACD,SAAU,CAAA,UAAA,CAAA,CAAA;AAE5B9B,YAAAA,UAAU,CAAC,YAAa,CAAA,CAAC+B,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtD/B,YAAAA,UAAU,CAAC,SAAU,CAAA,CAAC+B,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/E/B,YAAAA,UAAU,CAAC,cAAe,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxC/B,YAAAA,UAAU,CAAC,cAAA,CAAe,CAAC+B,IAAI,CAAC,kDAAA,CAAA;AAChC/B,YAAAA,UAAU,CAAC,WAAY,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrC/B,YAAAA,UAAU,CAAC,WAAA,CAAY,CAAC+B,IAAI,CAAC,iCAAA,CAAA;AAC/B;;AAGA,QAAA,IAAIV,GAAIW,CAAAA,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAACF,GAAO,CAAA,CAAA,EAAA;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC7B,yBAA2B,EAAA,KAAA;gBAC3BI,qBAAuB,EAAA;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACqC,QAAQ,CAACC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,IAAI,EACzDnB,CAAAA,IAAAA,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YACtC,CAAA,CAAA,EAAA;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvCzB,qBAAuB,EAAA;oBACrBE,UAAY,EAAA;wBACV,YAAc,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAe,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF;QAEA,OAAO0C,MAAAA,CAAOnB,cAAcF,GAAKC,EAAAA,IAAAA,CAAAA;;;;;"}

package/dist/middlewares/session.js

@@ -1,30 +1,31 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const fp = require("lodash/fp");
-const koaSession = require("koa-session");
-const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
-const koaSession__default = /* @__PURE__ */ _interopDefault(koaSession);
+'use strict';
+
+var fp = require('lodash/fp');
+var koaSession = require('koa-session');
+
 const defaultConfig = {
-  key: "koa.sess",
-  maxAge: 864e5,
-  autoCommit: true,
-  overwrite: true,
-  httpOnly: true,
-  signed: true,
-  rolling: false,
-  renew: false,
-  secure: process.env.NODE_ENV === "production",
-  sameSite: void 0
+    key: 'koa.sess',
+    maxAge: 86400000,
+    autoCommit: true,
+    overwrite: true,
+    httpOnly: true,
+    signed: true,
+    rolling: false,
+    renew: false,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: undefined
 };
-const session = (userConfig, { strapi }) => {
-  const { keys } = strapi.server.app;
-  if (!fp.isArray(keys) || fp.isEmpty(keys) || keys.some(fp.isEmpty)) {
-    throw new Error(
-      `App keys are required. Please set app.keys in config/server.js (ex: keys: ['myKeyA', 'myKeyB'])`
-    );
-  }
-  const config = { ...defaultConfig, ...userConfig };
-  strapi.server.use(koaSession__default.default(config, strapi.server.app));
+const session = (userConfig, { strapi })=>{
+    const { keys } = strapi.server.app;
+    if (!fp.isArray(keys) || fp.isEmpty(keys) || keys.some(fp.isEmpty)) {
+        throw new Error(`App keys are required. Please set app.keys in config/server.js (ex: keys: ['myKeyA', 'myKeyB'])`);
+    }
+    const config = {
+        ...defaultConfig,
+        ...userConfig
+    };
+    strapi.server.use(koaSession(config, strapi.server.app));
 };
+
 exports.session = session;
 //# sourceMappingURL=session.js.map

package/dist/middlewares/session.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.js","sources":["../../src/middlewares/session.ts"],"sourcesContent":["import { isEmpty, isArray } from 'lodash/fp';\nimport koaSession from 'koa-session';\nimport type { Core } from '@strapi/types';\n\nconst defaultConfig = {\n  key: 'koa.sess',\n  maxAge: 86400000,\n  autoCommit: true,\n  overwrite: true,\n  httpOnly: true,\n  signed: true,\n  rolling: false,\n  renew: false,\n  secure: process.env.NODE_ENV === 'production',\n  sameSite: undefined,\n};\n\nexport const session: Core.MiddlewareFactory<Partial<koaSession.opts>> = (\n  userConfig,\n  { strapi }\n) => {\n  const { keys } = strapi.server.app;\n  if (!isArray(keys) || isEmpty(keys) || keys.some(isEmpty)) {\n    throw new Error(\n      `App keys are required. Please set app.keys in config/server.js (ex: keys: ['myKeyA', 'myKeyB'])`\n    );\n  }\n\n  const config: Partial<koaSession.opts> = { ...defaultConfig, ...userConfig };\n\n  strapi.server.use(koaSession(config, strapi.server.app));\n};\n"],"names":["isArray","isEmpty","koaSession"],"mappings":";;;;;;AAIA,MAAM,gBAAgB;AAAA,EACpB,KAAK;AAAA,EACL,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,WAAW;AAAA,EACX,UAAU;AAAA,EACV,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,OAAO;AAAA,EACP,QAAQ,QAAQ,IAAI,aAAa;AAAA,EACjC,UAAU;AACZ;AAEO,MAAM,UAA4D,CACvE,YACA,EAAE,aACC;AACH,QAAM,EAAE,KAAS,IAAA,OAAO,OAAO;AAC3B,MAAA,CAACA,GAAAA,QAAQ,IAAI,KAAKC,GAAA,QAAQ,IAAI,KAAK,KAAK,KAAKA,GAAAA,OAAO,GAAG;AACzD,UAAM,IAAI;AAAA,MACR;AAAA,IAAA;AAAA,EAEJ;AAEA,QAAM,SAAmC,EAAE,GAAG,eAAe,GAAG,WAAW;AAE3E,SAAO,OAAO,IAAIC,oBAAA,QAAW,QAAQ,OAAO,OAAO,GAAG,CAAC;AACzD;;"}
+{"version":3,"file":"session.js","sources":["../../src/middlewares/session.ts"],"sourcesContent":["import { isEmpty, isArray } from 'lodash/fp';\nimport koaSession from 'koa-session';\nimport type { Core } from '@strapi/types';\n\nconst defaultConfig = {\n  key: 'koa.sess',\n  maxAge: 86400000,\n  autoCommit: true,\n  overwrite: true,\n  httpOnly: true,\n  signed: true,\n  rolling: false,\n  renew: false,\n  secure: process.env.NODE_ENV === 'production',\n  sameSite: undefined,\n};\n\nexport const session: Core.MiddlewareFactory<Partial<koaSession.opts>> = (\n  userConfig,\n  { strapi }\n) => {\n  const { keys } = strapi.server.app;\n  if (!isArray(keys) || isEmpty(keys) || keys.some(isEmpty)) {\n    throw new Error(\n      `App keys are required. Please set app.keys in config/server.js (ex: keys: ['myKeyA', 'myKeyB'])`\n    );\n  }\n\n  const config: Partial<koaSession.opts> = { ...defaultConfig, ...userConfig };\n\n  strapi.server.use(koaSession(config, strapi.server.app));\n};\n"],"names":["defaultConfig","key","maxAge","autoCommit","overwrite","httpOnly","signed","rolling","renew","secure","process","env","NODE_ENV","sameSite","undefined","session","userConfig","strapi","keys","server","app","isArray","isEmpty","some","Error","config","use","koaSession"],"mappings":";;;;;AAIA,MAAMA,aAAgB,GAAA;IACpBC,GAAK,EAAA,UAAA;IACLC,MAAQ,EAAA,QAAA;IACRC,UAAY,EAAA,IAAA;IACZC,SAAW,EAAA,IAAA;IACXC,QAAU,EAAA,IAAA;IACVC,MAAQ,EAAA,IAAA;IACRC,OAAS,EAAA,KAAA;IACTC,KAAO,EAAA,KAAA;AACPC,IAAAA,MAAAA,EAAQC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,KAAK,YAAA;IACjCC,QAAUC,EAAAA;AACZ,CAAA;MAEaC,OAA4D,GAAA,CACvEC,UACA,EAAA,EAAEC,MAAM,EAAE,GAAA;AAEV,IAAA,MAAM,EAAEC,IAAI,EAAE,GAAGD,MAAOE,CAAAA,MAAM,CAACC,GAAG;IAClC,IAAI,CAACC,WAAQH,IAASI,CAAAA,IAAAA,UAAAA,CAAQJ,SAASA,IAAKK,CAAAA,IAAI,CAACD,UAAU,CAAA,EAAA;AACzD,QAAA,MAAM,IAAIE,KAAAA,CACR,CAAC,+FAA+F,CAAC,CAAA;AAErG;AAEA,IAAA,MAAMC,MAAmC,GAAA;AAAE,QAAA,GAAGzB,aAAa;AAAE,QAAA,GAAGgB;AAAW,KAAA;IAE3EC,MAAOE,CAAAA,MAAM,CAACO,GAAG,CAACC,WAAWF,MAAQR,EAAAA,MAAAA,CAAOE,MAAM,CAACC,GAAG,CAAA,CAAA;AACxD;;;;"}

package/dist/middlewares/session.mjs

@@ -1,28 +1,29 @@
-import { isArray, isEmpty } from "lodash/fp";
-import koaSession from "koa-session";
+import { isArray, isEmpty } from 'lodash/fp';
+import koaSession from 'koa-session';
+
 const defaultConfig = {
-  key: "koa.sess",
-  maxAge: 864e5,
-  autoCommit: true,
-  overwrite: true,
-  httpOnly: true,
-  signed: true,
-  rolling: false,
-  renew: false,
-  secure: process.env.NODE_ENV === "production",
-  sameSite: void 0
+    key: 'koa.sess',
+    maxAge: 86400000,
+    autoCommit: true,
+    overwrite: true,
+    httpOnly: true,
+    signed: true,
+    rolling: false,
+    renew: false,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: undefined
 };
-const session = (userConfig, { strapi }) => {
-  const { keys } = strapi.server.app;
-  if (!isArray(keys) || isEmpty(keys) || keys.some(isEmpty)) {
-    throw new Error(
-      `App keys are required. Please set app.keys in config/server.js (ex: keys: ['myKeyA', 'myKeyB'])`
-    );
-  }
-  const config = { ...defaultConfig, ...userConfig };
-  strapi.server.use(koaSession(config, strapi.server.app));
-};
-export {
-  session
+const session = (userConfig, { strapi })=>{
+    const { keys } = strapi.server.app;
+    if (!isArray(keys) || isEmpty(keys) || keys.some(isEmpty)) {
+        throw new Error(`App keys are required. Please set app.keys in config/server.js (ex: keys: ['myKeyA', 'myKeyB'])`);
+    }
+    const config = {
+        ...defaultConfig,
+        ...userConfig
+    };
+    strapi.server.use(koaSession(config, strapi.server.app));
 };
+
+export { session };
 //# sourceMappingURL=session.mjs.map

package/dist/middlewares/session.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"session.mjs","sources":["../../src/middlewares/session.ts"],"sourcesContent":["import { isEmpty, isArray } from 'lodash/fp';\nimport koaSession from 'koa-session';\nimport type { Core } from '@strapi/types';\n\nconst defaultConfig = {\n  key: 'koa.sess',\n  maxAge: 86400000,\n  autoCommit: true,\n  overwrite: true,\n  httpOnly: true,\n  signed: true,\n  rolling: false,\n  renew: false,\n  secure: process.env.NODE_ENV === 'production',\n  sameSite: undefined,\n};\n\nexport const session: Core.MiddlewareFactory<Partial<koaSession.opts>> = (\n  userConfig,\n  { strapi }\n) => {\n  const { keys } = strapi.server.app;\n  if (!isArray(keys) || isEmpty(keys) || keys.some(isEmpty)) {\n    throw new Error(\n      `App keys are required. Please set app.keys in config/server.js (ex: keys: ['myKeyA', 'myKeyB'])`\n    );\n  }\n\n  const config: Partial<koaSession.opts> = { ...defaultConfig, ...userConfig };\n\n  strapi.server.use(koaSession(config, strapi.server.app));\n};\n"],"names":[],"mappings":";;AAIA,MAAM,gBAAgB;AAAA,EACpB,KAAK;AAAA,EACL,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,WAAW;AAAA,EACX,UAAU;AAAA,EACV,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,OAAO;AAAA,EACP,QAAQ,QAAQ,IAAI,aAAa;AAAA,EACjC,UAAU;AACZ;AAEO,MAAM,UAA4D,CACvE,YACA,EAAE,aACC;AACH,QAAM,EAAE,KAAS,IAAA,OAAO,OAAO;AAC3B,MAAA,CAAC,QAAQ,IAAI,KAAK,QAAQ,IAAI,KAAK,KAAK,KAAK,OAAO,GAAG;AACzD,UAAM,IAAI;AAAA,MACR;AAAA,IAAA;AAAA,EAEJ;AAEA,QAAM,SAAmC,EAAE,GAAG,eAAe,GAAG,WAAW;AAE3E,SAAO,OAAO,IAAI,WAAW,QAAQ,OAAO,OAAO,GAAG,CAAC;AACzD;"}
+{"version":3,"file":"session.mjs","sources":["../../src/middlewares/session.ts"],"sourcesContent":["import { isEmpty, isArray } from 'lodash/fp';\nimport koaSession from 'koa-session';\nimport type { Core } from '@strapi/types';\n\nconst defaultConfig = {\n  key: 'koa.sess',\n  maxAge: 86400000,\n  autoCommit: true,\n  overwrite: true,\n  httpOnly: true,\n  signed: true,\n  rolling: false,\n  renew: false,\n  secure: process.env.NODE_ENV === 'production',\n  sameSite: undefined,\n};\n\nexport const session: Core.MiddlewareFactory<Partial<koaSession.opts>> = (\n  userConfig,\n  { strapi }\n) => {\n  const { keys } = strapi.server.app;\n  if (!isArray(keys) || isEmpty(keys) || keys.some(isEmpty)) {\n    throw new Error(\n      `App keys are required. Please set app.keys in config/server.js (ex: keys: ['myKeyA', 'myKeyB'])`\n    );\n  }\n\n  const config: Partial<koaSession.opts> = { ...defaultConfig, ...userConfig };\n\n  strapi.server.use(koaSession(config, strapi.server.app));\n};\n"],"names":["defaultConfig","key","maxAge","autoCommit","overwrite","httpOnly","signed","rolling","renew","secure","process","env","NODE_ENV","sameSite","undefined","session","userConfig","strapi","keys","server","app","isArray","isEmpty","some","Error","config","use","koaSession"],"mappings":";;;AAIA,MAAMA,aAAgB,GAAA;IACpBC,GAAK,EAAA,UAAA;IACLC,MAAQ,EAAA,QAAA;IACRC,UAAY,EAAA,IAAA;IACZC,SAAW,EAAA,IAAA;IACXC,QAAU,EAAA,IAAA;IACVC,MAAQ,EAAA,IAAA;IACRC,OAAS,EAAA,KAAA;IACTC,KAAO,EAAA,KAAA;AACPC,IAAAA,MAAAA,EAAQC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,KAAK,YAAA;IACjCC,QAAUC,EAAAA;AACZ,CAAA;MAEaC,OAA4D,GAAA,CACvEC,UACA,EAAA,EAAEC,MAAM,EAAE,GAAA;AAEV,IAAA,MAAM,EAAEC,IAAI,EAAE,GAAGD,MAAOE,CAAAA,MAAM,CAACC,GAAG;IAClC,IAAI,CAACC,QAAQH,IAASI,CAAAA,IAAAA,OAAAA,CAAQJ,SAASA,IAAKK,CAAAA,IAAI,CAACD,OAAU,CAAA,EAAA;AACzD,QAAA,MAAM,IAAIE,KAAAA,CACR,CAAC,+FAA+F,CAAC,CAAA;AAErG;AAEA,IAAA,MAAMC,MAAmC,GAAA;AAAE,QAAA,GAAGzB,aAAa;AAAE,QAAA,GAAGgB;AAAW,KAAA;IAE3EC,MAAOE,CAAAA,MAAM,CAACO,GAAG,CAACC,WAAWF,MAAQR,EAAAA,MAAAA,CAAOE,MAAM,CAACC,GAAG,CAAA,CAAA;AACxD;;;;"}

package/dist/migrations/database/5.0.0-discard-drafts.d.ts

@@ -22,11 +22,11 @@ type Knex = Parameters<Migration['up']>[0];
  * Versions with only a draft version will be ignored.
  * Only versions with a published version (which always have a draft version) will be discarded.
  */
-export declare function getBatchToDiscard({ db, trx, uid, batchSize, }: {
+export declare function getBatchToDiscard({ db, trx, uid, defaultBatchSize, }: {
     db: Database;
     trx: Knex;
     uid: string;
-    batchSize?: number;
+    defaultBatchSize?: number;
 }): AsyncGenerator<DocumentVersion[], void, unknown>;
 export declare const discardDocumentDrafts: Migration;
 export {};

package/dist/migrations/database/5.0.0-discard-drafts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"5.0.0-discard-drafts.d.ts","sourceRoot":"","sources":["../../../src/migrations/database/5.0.0-discard-drafts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAI5D,KAAK,eAAe,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAC9D,KAAK,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAqF3C;;;;;GAKG;AACH,wBAAuB,iBAAiB,CAAC,EACvC,EAAE,EACF,GAAG,EACH,GAAG,EACH,SAAgB,GACjB,EAAE;IACD,EAAE,EAAE,QAAQ,CAAC;IACb,GAAG,EAAE,IAAI,CAAC;IACV,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,oDAuBA;AA2DD,eAAO,MAAM,qBAAqB,EAAE,SAQnC,CAAC"}
+{"version":3,"file":"5.0.0-discard-drafts.d.ts","sourceRoot":"","sources":["../../../src/migrations/database/5.0.0-discard-drafts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAI5D,KAAK,eAAe,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAC9D,KAAK,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAqF3C;;;;;GAKG;AACH,wBAAuB,iBAAiB,CAAC,EACvC,EAAE,EACF,GAAG,EACH,GAAG,EACH,gBAAuB,GACxB,EAAE;IACD,EAAE,EAAE,QAAQ,CAAC;IACb,GAAG,EAAE,IAAI,CAAC;IACV,GAAG,EAAE,MAAM,CAAC;IACZ,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,oDAgCA;AA2DD,eAAO,MAAM,qBAAqB,EAAE,SAQnC,CAAC"}