@strapi/core 5.48.0 → 5.49.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (210) hide show
  1. package/dist/Strapi.js +9 -5
  2. package/dist/Strapi.js.map +1 -1
  3. package/dist/Strapi.mjs +0 -1
  4. package/dist/Strapi.mjs.map +1 -1
  5. package/dist/ai.d.ts +2 -0
  6. package/dist/ai.d.ts.map +1 -0
  7. package/dist/ai.js +8 -0
  8. package/dist/ai.js.map +1 -0
  9. package/dist/ai.mjs +3 -0
  10. package/dist/ai.mjs.map +1 -0
  11. package/dist/configuration/config-loader.js +11 -6
  12. package/dist/configuration/config-loader.js.map +1 -1
  13. package/dist/configuration/index.js +22 -15
  14. package/dist/configuration/index.js.map +1 -1
  15. package/dist/configuration/urls.js +11 -7
  16. package/dist/configuration/urls.js.map +1 -1
  17. package/dist/core-api/routes/index.js +3 -2
  18. package/dist/core-api/routes/index.js.map +1 -1
  19. package/dist/core-api/routes/validation/common.js +3 -2
  20. package/dist/core-api/routes/validation/common.js.map +1 -1
  21. package/dist/core-api/routes/validation/content-type.js +3 -2
  22. package/dist/core-api/routes/validation/content-type.js.map +1 -1
  23. package/dist/core-api/routes/validation/mappers.js +3 -2
  24. package/dist/core-api/routes/validation/mappers.js.map +1 -1
  25. package/dist/core-api/routes/validation/utils.js +3 -2
  26. package/dist/core-api/routes/validation/utils.js.map +1 -1
  27. package/dist/domain/content-type/index.js +9 -5
  28. package/dist/domain/content-type/index.js.map +1 -1
  29. package/dist/domain/content-type/validator.js +6 -2
  30. package/dist/domain/content-type/validator.js.map +1 -1
  31. package/dist/domain/module/index.js +6 -2
  32. package/dist/domain/module/index.js.map +1 -1
  33. package/dist/ee/license.js +8 -3
  34. package/dist/ee/license.js.map +1 -1
  35. package/dist/index.d.ts +1 -0
  36. package/dist/index.d.ts.map +1 -1
  37. package/dist/index.js +2 -0
  38. package/dist/index.js.map +1 -1
  39. package/dist/index.mjs +2 -0
  40. package/dist/index.mjs.map +1 -1
  41. package/dist/loaders/admin.js +5 -1
  42. package/dist/loaders/admin.js.map +1 -1
  43. package/dist/loaders/apis.js +16 -11
  44. package/dist/loaders/apis.js.map +1 -1
  45. package/dist/loaders/components.js +6 -2
  46. package/dist/loaders/components.js.map +1 -1
  47. package/dist/loaders/middlewares.js +6 -2
  48. package/dist/loaders/middlewares.js.map +1 -1
  49. package/dist/loaders/plugins/get-enabled-plugins.js +5 -1
  50. package/dist/loaders/plugins/get-enabled-plugins.js.map +1 -1
  51. package/dist/loaders/plugins/get-user-plugins-config.js +6 -2
  52. package/dist/loaders/plugins/get-user-plugins-config.js.map +1 -1
  53. package/dist/loaders/plugins/index.js +8 -4
  54. package/dist/loaders/plugins/index.js.map +1 -1
  55. package/dist/loaders/policies.js +6 -2
  56. package/dist/loaders/policies.js.map +1 -1
  57. package/dist/mcp.d.ts +4 -0
  58. package/dist/mcp.d.ts.map +1 -0
  59. package/dist/mcp.js +12 -0
  60. package/dist/mcp.js.map +1 -0
  61. package/dist/mcp.mjs +4 -0
  62. package/dist/mcp.mjs.map +1 -0
  63. package/dist/middlewares/body.js +8 -3
  64. package/dist/middlewares/body.js.map +1 -1
  65. package/dist/middlewares/compression.js +5 -1
  66. package/dist/middlewares/compression.js.map +1 -1
  67. package/dist/middlewares/cors.js +5 -1
  68. package/dist/middlewares/cors.js.map +1 -1
  69. package/dist/middlewares/favicon.js +5 -1
  70. package/dist/middlewares/favicon.js.map +1 -1
  71. package/dist/middlewares/ip.js +5 -1
  72. package/dist/middlewares/ip.js.map +1 -1
  73. package/dist/middlewares/public.js +5 -1
  74. package/dist/middlewares/public.js.map +1 -1
  75. package/dist/middlewares/query.js +6 -2
  76. package/dist/middlewares/query.js.map +1 -1
  77. package/dist/middlewares/security.js +5 -1
  78. package/dist/middlewares/security.js.map +1 -1
  79. package/dist/migrations/database/5.0.0-discard-drafts.js +5 -1
  80. package/dist/migrations/database/5.0.0-discard-drafts.js.map +1 -1
  81. package/dist/migrations/first-published-at.js +5 -1
  82. package/dist/migrations/first-published-at.js.map +1 -1
  83. package/dist/package.json.js +19 -18
  84. package/dist/package.json.js.map +1 -1
  85. package/dist/package.json.mjs +19 -18
  86. package/dist/package.json.mjs.map +1 -1
  87. package/dist/registries/sanitizers.js +7 -3
  88. package/dist/registries/sanitizers.js.map +1 -1
  89. package/dist/registries/validators.js +7 -3
  90. package/dist/registries/validators.js.map +1 -1
  91. package/dist/services/auth/index.js +7 -3
  92. package/dist/services/auth/index.js.map +1 -1
  93. package/dist/services/content-api/index.js +10 -6
  94. package/dist/services/content-api/index.js.map +1 -1
  95. package/dist/services/content-api/permissions/engine.js +5 -1
  96. package/dist/services/content-api/permissions/engine.js.map +1 -1
  97. package/dist/services/content-api/permissions/index.js +10 -6
  98. package/dist/services/content-api/permissions/index.js.map +1 -1
  99. package/dist/services/document-service/attributes/transforms.js +5 -1
  100. package/dist/services/document-service/attributes/transforms.js.map +1 -1
  101. package/dist/services/document-service/components.d.ts.map +1 -1
  102. package/dist/services/document-service/components.js +14 -10
  103. package/dist/services/document-service/components.js.map +1 -1
  104. package/dist/services/document-service/components.mjs.map +1 -1
  105. package/dist/services/document-service/draft-and-publish.js +1 -1
  106. package/dist/services/document-service/draft-and-publish.js.map +1 -1
  107. package/dist/services/document-service/draft-and-publish.mjs +1 -1
  108. package/dist/services/document-service/draft-and-publish.mjs.map +1 -1
  109. package/dist/services/document-service/entries.d.ts.map +1 -1
  110. package/dist/services/document-service/entries.js +6 -2
  111. package/dist/services/document-service/entries.js.map +1 -1
  112. package/dist/services/document-service/entries.mjs +7 -3
  113. package/dist/services/document-service/entries.mjs.map +1 -1
  114. package/dist/services/document-service/internationalization.js.map +1 -1
  115. package/dist/services/document-service/internationalization.mjs.map +1 -1
  116. package/dist/services/document-service/transform/data.d.ts +2 -0
  117. package/dist/services/document-service/transform/data.d.ts.map +1 -1
  118. package/dist/services/document-service/transform/data.js +7 -1
  119. package/dist/services/document-service/transform/data.js.map +1 -1
  120. package/dist/services/document-service/transform/data.mjs +7 -2
  121. package/dist/services/document-service/transform/data.mjs.map +1 -1
  122. package/dist/services/document-service/utils/populate.d.ts +1 -1
  123. package/dist/services/document-service/utils/populate.d.ts.map +1 -1
  124. package/dist/services/document-service/utils/populate.js.map +1 -1
  125. package/dist/services/document-service/utils/populate.mjs.map +1 -1
  126. package/dist/services/entity-service/index.js +9 -4
  127. package/dist/services/entity-service/index.js.map +1 -1
  128. package/dist/services/entity-validator/index.d.ts.map +1 -1
  129. package/dist/services/entity-validator/index.js +9 -4
  130. package/dist/services/entity-validator/index.js.map +1 -1
  131. package/dist/services/entity-validator/index.mjs.map +1 -1
  132. package/dist/services/entity-validator/validators.js +10 -6
  133. package/dist/services/entity-validator/validators.js.map +1 -1
  134. package/dist/services/errors.js +7 -3
  135. package/dist/services/errors.js.map +1 -1
  136. package/dist/services/fs.js +10 -5
  137. package/dist/services/fs.js.map +1 -1
  138. package/dist/services/mcp/prompt-registry.d.ts +31 -3
  139. package/dist/services/mcp/prompt-registry.d.ts.map +1 -1
  140. package/dist/services/mcp/prompt-registry.js +31 -0
  141. package/dist/services/mcp/prompt-registry.js.map +1 -1
  142. package/dist/services/mcp/prompt-registry.mjs +31 -1
  143. package/dist/services/mcp/prompt-registry.mjs.map +1 -1
  144. package/dist/services/mcp/resource-registry.d.ts +31 -1
  145. package/dist/services/mcp/resource-registry.d.ts.map +1 -1
  146. package/dist/services/mcp/resource-registry.js +31 -0
  147. package/dist/services/mcp/resource-registry.js.map +1 -1
  148. package/dist/services/mcp/resource-registry.mjs +31 -1
  149. package/dist/services/mcp/resource-registry.mjs.map +1 -1
  150. package/dist/services/mcp/tool-registry.d.ts +36 -9
  151. package/dist/services/mcp/tool-registry.d.ts.map +1 -1
  152. package/dist/services/mcp/tool-registry.js +35 -3
  153. package/dist/services/mcp/tool-registry.js.map +1 -1
  154. package/dist/services/mcp/tool-registry.mjs +35 -3
  155. package/dist/services/mcp/tool-registry.mjs.map +1 -1
  156. package/dist/services/mcp/tools/log.d.ts +15 -85
  157. package/dist/services/mcp/tools/log.d.ts.map +1 -1
  158. package/dist/services/metrics/admin-user-hash.js +5 -1
  159. package/dist/services/metrics/admin-user-hash.js.map +1 -1
  160. package/dist/services/metrics/is-truthy.js +5 -1
  161. package/dist/services/metrics/is-truthy.js.map +1 -1
  162. package/dist/services/metrics/sender.js +17 -9
  163. package/dist/services/metrics/sender.js.map +1 -1
  164. package/dist/services/server/api.js +5 -1
  165. package/dist/services/server/api.js.map +1 -1
  166. package/dist/services/server/compose-endpoint.js +5 -1
  167. package/dist/services/server/compose-endpoint.js.map +1 -1
  168. package/dist/services/server/http-server.js +5 -1
  169. package/dist/services/server/http-server.js.map +1 -1
  170. package/dist/services/server/index.js +5 -1
  171. package/dist/services/server/index.js.map +1 -1
  172. package/dist/services/server/koa.js +12 -5
  173. package/dist/services/server/koa.js.map +1 -1
  174. package/dist/services/server/middleware.js +5 -1
  175. package/dist/services/server/middleware.js.map +1 -1
  176. package/dist/services/server/openapi.js +11 -6
  177. package/dist/services/server/openapi.js.map +1 -1
  178. package/dist/services/server/register-routes.js +8 -4
  179. package/dist/services/server/register-routes.js.map +1 -1
  180. package/dist/services/server/routing.js +5 -1
  181. package/dist/services/server/routing.js.map +1 -1
  182. package/dist/services/session-manager.js +14 -9
  183. package/dist/services/session-manager.js.map +1 -1
  184. package/dist/services/webhook-runner.js +7 -2
  185. package/dist/services/webhook-runner.js.map +1 -1
  186. package/dist/services/worker-queue.js +5 -1
  187. package/dist/services/worker-queue.js.map +1 -1
  188. package/dist/utils/filepath-to-prop-path.js +13 -8
  189. package/dist/utils/filepath-to-prop-path.js.map +1 -1
  190. package/dist/utils/load-config-file.js +7 -2
  191. package/dist/utils/load-config-file.js.map +1 -1
  192. package/dist/utils/load-files.js +12 -6
  193. package/dist/utils/load-files.js.map +1 -1
  194. package/dist/utils/open-browser.js +5 -1
  195. package/dist/utils/open-browser.js.map +1 -1
  196. package/dist/utils/resolve-working-dirs.js +6 -2
  197. package/dist/utils/resolve-working-dirs.js.map +1 -1
  198. package/dist/utils/startup-logger.js +27 -21
  199. package/dist/utils/startup-logger.js.map +1 -1
  200. package/dist/utils/transform-content-types-to-models.d.ts.map +1 -1
  201. package/dist/utils/transform-content-types-to-models.js +15 -6
  202. package/dist/utils/transform-content-types-to-models.js.map +1 -1
  203. package/dist/utils/transform-content-types-to-models.mjs +5 -1
  204. package/dist/utils/transform-content-types-to-models.mjs.map +1 -1
  205. package/dist/utils/update-notifier/index.d.ts.map +1 -1
  206. package/dist/utils/update-notifier/index.js +21 -8
  207. package/dist/utils/update-notifier/index.js.map +1 -1
  208. package/dist/utils/update-notifier/index.mjs +6 -1
  209. package/dist/utils/update-notifier/index.mjs.map +1 -1
  210. package/package.json +19 -18
@@ -4,6 +4,10 @@ var fp = require('lodash/fp');
4
4
  var helmet = require('koa-helmet');
5
5
  var strapiUtils = require('@strapi/utils');
6
6
 
7
+ function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
8
+
9
+ var helmet__default = /*#__PURE__*/_interopDefault(helmet);
10
+
7
11
  const defaults = {
8
12
  crossOriginEmbedderPolicy: false,
9
13
  crossOriginOpenerPolicy: false,
@@ -96,7 +100,7 @@ const security = (config, { strapi })=>(ctx, next)=>{
96
100
  }
97
101
  });
98
102
  }
99
- return helmet(helmetConfig)(ctx, next);
103
+ return helmet__default.default(helmetConfig)(ctx, next);
100
104
  };
101
105
 
102
106
  exports.security = security;
@@ -1 +1 @@
1
- {"version":3,"file":"security.js","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\nimport { CSP_DEFAULTS } from '@strapi/utils';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n crossOriginEmbedderPolicy: false,\n crossOriginOpenerPolicy: false,\n crossOriginResourcePolicy: false,\n originAgentCluster: false,\n contentSecurityPolicy: {\n useDefaults: true,\n directives: {\n ...CSP_DEFAULTS,\n upgradeInsecureRequests: null,\n },\n },\n xssFilter: false,\n hsts: {\n maxAge: 31536000,\n includeSubDomains: true,\n },\n frameguard: {\n action: 'sameorigin',\n },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n return mergeWith(\n (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n existingConfig,\n newConfig\n );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n (config, { strapi }) =>\n (ctx, next) => {\n let helmetConfig: Config = defaultsDeep(defaults, config);\n const specialPaths = ['/documentation'];\n\n const directives: {\n 'script-src': string[];\n 'img-src': string[];\n 'manifest-src': string[];\n 'frame-src': string[];\n } = {\n 'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n 'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n 'manifest-src': [],\n 'frame-src': [],\n };\n\n // if apollo graphql playground is enabled, add exceptions for it\n if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n const { config: gqlConfig } = strapi.plugin('graphql');\n specialPaths.push(gqlConfig('endpoint'));\n\n directives['script-src'].push(`https: 'unsafe-inline'`);\n directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n directives['manifest-src'].push(`'self'`);\n directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n directives['frame-src'].push(`'self'`);\n directives['frame-src'].push('sandbox.embed.apollographql.com');\n }\n\n // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n helmetConfig = mergeConfig(helmetConfig, {\n crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n contentSecurityPolicy: {\n directives,\n },\n });\n }\n\n /**\n * These are for vite's watch mode so it can accurately\n * connect to the HMR websocket & reconnect on failure\n * or when the server restarts.\n *\n * It only applies in development, and only on GET requests\n * that are part of the admin route.\n */\n\n if (\n ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n ctx.method === 'GET' &&\n ctx.path.startsWith(strapi.config.get('admin.path'))\n ) {\n helmetConfig = mergeConfig(helmetConfig, {\n contentSecurityPolicy: {\n directives: {\n 'script-src': [\"'self'\", \"'unsafe-inline'\"],\n 'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n },\n },\n });\n }\n\n return helmet(helmetConfig)(ctx, next);\n };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","CSP_DEFAULTS","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;;;;AAQA,MAAMA,QAAAA,GAAmB;IACvBC,yBAAAA,EAA2B,KAAA;IAC3BC,uBAAAA,EAAyB,KAAA;IACzBC,yBAAAA,EAA2B,KAAA;IAC3BC,kBAAAA,EAAoB,KAAA;IACpBC,qBAAAA,EAAuB;QACrBC,WAAAA,EAAa,IAAA;QACbC,UAAAA,EAAY;AACV,YAAA,GAAGC,wBAAY;YACfC,uBAAAA,EAAyB;AAC3B;AACF,KAAA;IACAC,SAAAA,EAAW,KAAA;IACXC,IAAAA,EAAM;QACJC,MAAAA,EAAQ,QAAA;QACRC,iBAAAA,EAAmB;AACrB,KAAA;IACAC,UAAAA,EAAY;QACVC,MAAAA,EAAQ;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAAA,EAAwBC,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,aACL,CAACC,GAAAA,EAAKC,GAAAA,GAASC,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAAA,CAAMC,OAAO,CAACF,GAAAA,CAAAA,GAAOD,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cAAAA,EACAC,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAAA,EAAKC,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,gBAAahC,QAAAA,EAAU2B,MAAAA,CAAAA;AAClD,QAAA,MAAMM,YAAAA,GAAe;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAM1B,UAAAA,GAKF;YACF,YAAA,EAAc;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAA,EAAW;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIqB,OAAOM,MAAM,CAAC,YAAYC,OAAAA,CAAQ,OAAA,CAAA,CAASC,WAAWC,SAAAA,EAAAA,EAAa;AACrE,YAAA,MAAM,EAAEV,MAAAA,EAAQW,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAAA,CAAaM,IAAI,CAACD,SAAAA,CAAU,UAAA,CAAA,CAAA;AAE5B/B,YAAAA,UAAU,CAAC,YAAA,CAAa,CAACgC,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtDhC,YAAAA,UAAU,CAAC,SAAA,CAAU,CAACgC,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/EhC,YAAAA,UAAU,CAAC,cAAA,CAAe,CAACgC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxChC,YAAAA,UAAU,CAAC,cAAA,CAAe,CAACgC,IAAI,CAAC,kDAAA,CAAA;AAChChC,YAAAA,UAAU,CAAC,WAAA,CAAY,CAACgC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrChC,YAAAA,UAAU,CAAC,WAAA,CAAY,CAACgC,IAAI,CAAC,iCAAA,CAAA;AAC/B,QAAA;;AAGA,QAAA,IAAIV,GAAAA,CAAIW,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAAA,CAAIc,IAAI,CAACC,UAAU,CAACF,GAAAA,CAAAA,CAAAA,EAAO;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAAA,EAAc;gBACvC9B,yBAAAA,EAA2B,KAAA;gBAC3BI,qBAAAA,EAAuB;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF,QAAA;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACsC,QAAQ,CAACC,OAAAA,CAAQC,GAAG,CAACC,QAAQ,IAAI,EAAA,CAAA,IACzDnB,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAAA,CAAIc,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YAAA,CAAA,CAAA,EACtC;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAAA,EAAc;gBACvC1B,qBAAAA,EAAuB;oBACrBE,UAAAA,EAAY;wBACV,YAAA,EAAc;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAA,EAAe;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF,QAAA;QAEA,OAAO2C,MAAAA,CAAOnB,cAAcF,GAAAA,EAAKC,IAAAA,CAAAA;IACnC;;;;"}
1
+ {"version":3,"file":"security.js","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\nimport { CSP_DEFAULTS } from '@strapi/utils';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n crossOriginEmbedderPolicy: false,\n crossOriginOpenerPolicy: false,\n crossOriginResourcePolicy: false,\n originAgentCluster: false,\n contentSecurityPolicy: {\n useDefaults: true,\n directives: {\n ...CSP_DEFAULTS,\n upgradeInsecureRequests: null,\n },\n },\n xssFilter: false,\n hsts: {\n maxAge: 31536000,\n includeSubDomains: true,\n },\n frameguard: {\n action: 'sameorigin',\n },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n return mergeWith(\n (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n existingConfig,\n newConfig\n );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n (config, { strapi }) =>\n (ctx, next) => {\n let helmetConfig: Config = defaultsDeep(defaults, config);\n const specialPaths = ['/documentation'];\n\n const directives: {\n 'script-src': string[];\n 'img-src': string[];\n 'manifest-src': string[];\n 'frame-src': string[];\n } = {\n 'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n 'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n 'manifest-src': [],\n 'frame-src': [],\n };\n\n // if apollo graphql playground is enabled, add exceptions for it\n if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n const { config: gqlConfig } = strapi.plugin('graphql');\n specialPaths.push(gqlConfig('endpoint'));\n\n directives['script-src'].push(`https: 'unsafe-inline'`);\n directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n directives['manifest-src'].push(`'self'`);\n directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n directives['frame-src'].push(`'self'`);\n directives['frame-src'].push('sandbox.embed.apollographql.com');\n }\n\n // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n helmetConfig = mergeConfig(helmetConfig, {\n crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n contentSecurityPolicy: {\n directives,\n },\n });\n }\n\n /**\n * These are for vite's watch mode so it can accurately\n * connect to the HMR websocket & reconnect on failure\n * or when the server restarts.\n *\n * It only applies in development, and only on GET requests\n * that are part of the admin route.\n */\n\n if (\n ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n ctx.method === 'GET' &&\n ctx.path.startsWith(strapi.config.get('admin.path'))\n ) {\n helmetConfig = mergeConfig(helmetConfig, {\n contentSecurityPolicy: {\n directives: {\n 'script-src': [\"'self'\", \"'unsafe-inline'\"],\n 'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n },\n },\n });\n }\n\n return helmet(helmetConfig)(ctx, next);\n };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","CSP_DEFAULTS","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;;;;;;;;AAQA,MAAMA,QAAAA,GAAmB;IACvBC,yBAAAA,EAA2B,KAAA;IAC3BC,uBAAAA,EAAyB,KAAA;IACzBC,yBAAAA,EAA2B,KAAA;IAC3BC,kBAAAA,EAAoB,KAAA;IACpBC,qBAAAA,EAAuB;QACrBC,WAAAA,EAAa,IAAA;QACbC,UAAAA,EAAY;AACV,YAAA,GAAGC,wBAAY;YACfC,uBAAAA,EAAyB;AAC3B;AACF,KAAA;IACAC,SAAAA,EAAW,KAAA;IACXC,IAAAA,EAAM;QACJC,MAAAA,EAAQ,QAAA;QACRC,iBAAAA,EAAmB;AACrB,KAAA;IACAC,UAAAA,EAAY;QACVC,MAAAA,EAAQ;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAAA,EAAwBC,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,aACL,CAACC,GAAAA,EAAKC,GAAAA,GAASC,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAAA,CAAMC,OAAO,CAACF,GAAAA,CAAAA,GAAOD,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cAAAA,EACAC,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAAA,EAAKC,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,gBAAahC,QAAAA,EAAU2B,MAAAA,CAAAA;AAClD,QAAA,MAAMM,YAAAA,GAAe;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAM1B,UAAAA,GAKF;YACF,YAAA,EAAc;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAA,EAAW;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIqB,OAAOM,MAAM,CAAC,YAAYC,OAAAA,CAAQ,OAAA,CAAA,CAASC,WAAWC,SAAAA,EAAAA,EAAa;AACrE,YAAA,MAAM,EAAEV,MAAAA,EAAQW,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAAA,CAAaM,IAAI,CAACD,SAAAA,CAAU,UAAA,CAAA,CAAA;AAE5B/B,YAAAA,UAAU,CAAC,YAAA,CAAa,CAACgC,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtDhC,YAAAA,UAAU,CAAC,SAAA,CAAU,CAACgC,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/EhC,YAAAA,UAAU,CAAC,cAAA,CAAe,CAACgC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxChC,YAAAA,UAAU,CAAC,cAAA,CAAe,CAACgC,IAAI,CAAC,kDAAA,CAAA;AAChChC,YAAAA,UAAU,CAAC,WAAA,CAAY,CAACgC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrChC,YAAAA,UAAU,CAAC,WAAA,CAAY,CAACgC,IAAI,CAAC,iCAAA,CAAA;AAC/B,QAAA;;AAGA,QAAA,IAAIV,GAAAA,CAAIW,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAAA,CAAIc,IAAI,CAACC,UAAU,CAACF,GAAAA,CAAAA,CAAAA,EAAO;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAAA,EAAc;gBACvC9B,yBAAAA,EAA2B,KAAA;gBAC3BI,qBAAAA,EAAuB;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF,QAAA;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACsC,QAAQ,CAACC,OAAAA,CAAQC,GAAG,CAACC,QAAQ,IAAI,EAAA,CAAA,IACzDnB,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAAA,CAAIc,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YAAA,CAAA,CAAA,EACtC;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAAA,EAAc;gBACvC1B,qBAAAA,EAAuB;oBACrBE,UAAAA,EAAY;wBACV,YAAA,EAAc;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAA,EAAe;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF,QAAA;QAEA,OAAO2C,uBAAAA,CAAOnB,cAAcF,GAAAA,EAAKC,IAAAA,CAAAA;IACnC;;;;"}
@@ -5,6 +5,10 @@ var strapiUtils = require('@strapi/utils');
5
5
  var createDebug = require('debug');
6
6
  var transformContentTypesToModels = require('../../utils/transform-content-types-to-models.js');
7
7
 
8
+ function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
9
+
10
+ var createDebug__default = /*#__PURE__*/_interopDefault(createDebug);
11
+
8
12
  const resolveComponentMetadataUidCandidates = (componentUid)=>{
9
13
  if (componentUid.startsWith('component::')) {
10
14
  return [
@@ -561,7 +565,7 @@ const DUPLICATE_ERROR_CODES = new Set([
561
565
  'ER_DUP_ENTRY',
562
566
  'SQLITE_CONSTRAINT_UNIQUE'
563
567
  ]);
564
- const debug = createDebug('strapi::migration::discard-drafts');
568
+ const debug = createDebug__default.default('strapi::migration::discard-drafts');
565
569
  /**
566
570
  * Converts arbitrary id values into numbers when possible so we can safely index into
567
571
  * mapping tables without worrying about string/number mismatches.