npm - @strapi/strapi - Versions diffs - 4.0.0-next.8 → 4.0.2 - Mend

@strapi/strapi 4.0.0-next.8 → 4.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (147) hide show

package/README.md +14 -14
package/bin/strapi.js +46 -60
package/lib/Strapi.js +152 -74
package/lib/commands/build.js +19 -8
package/lib/commands/console.js +1 -1
package/lib/commands/content-types/list.js +22 -0
package/lib/commands/controllers/list.js +22 -0
package/lib/commands/develop.js +22 -27
package/lib/commands/generate-template.js +4 -5
package/lib/commands/hooks/list.js +22 -0
package/lib/commands/middlewares/list.js +22 -0
package/lib/commands/new.js +3 -1
package/lib/commands/policies/list.js +22 -0
package/lib/commands/routes/list.js +28 -0
package/lib/commands/services/list.js +22 -0
package/lib/commands/watchAdmin.js +18 -9
package/lib/core/app-configuration/index.js +3 -19
package/lib/core/bootstrap.js +3 -95
package/lib/core/domain/content-type/index.js +5 -11
package/lib/core/domain/module/index.js +42 -11
package/lib/core/domain/module/validation.js +16 -19
package/lib/core/loaders/admin.js +2 -2
package/lib/core/loaders/apis.js +148 -9
package/lib/core/loaders/components.js +4 -6
package/lib/core/loaders/index.js +1 -0
package/lib/core/loaders/middlewares.js +23 -123
package/lib/core/loaders/plugins/get-enabled-plugins.js +55 -19
package/lib/core/loaders/plugins/get-user-plugins-config.js +37 -0
package/lib/core/loaders/plugins/index.js +30 -16
package/lib/core/loaders/policies.js +1 -1
package/lib/core/loaders/src-index.js +39 -0
package/lib/core/registries/apis.js +29 -0
package/lib/core/registries/content-types.js +61 -12
package/lib/core/registries/controllers.d.ts +7 -0
package/lib/core/registries/controllers.js +91 -7
package/lib/core/registries/hooks.d.ts +20 -0
package/lib/core/registries/hooks.js +87 -0
package/lib/core/registries/middlewares.d.ts +5 -0
package/lib/core/registries/middlewares.js +64 -5
package/lib/core/registries/modules.js +3 -3
package/lib/core/registries/plugins.js +2 -2
package/lib/core/registries/policies.d.ts +9 -0
package/lib/core/registries/policies.js +64 -5
package/lib/core/registries/services.d.ts +7 -0
package/lib/core/registries/services.js +86 -17
package/lib/core/utils.js +22 -0
package/lib/core-api/controller/collection-type.js +45 -26
package/lib/core-api/controller/index.d.ts +25 -0
package/lib/core-api/controller/index.js +33 -11
package/lib/core-api/controller/single-type.js +29 -15
package/lib/core-api/controller/transform.js +62 -6
package/lib/core-api/routes/index.js +71 -0
package/lib/core-api/service/collection-type.js +43 -21
package/lib/core-api/service/index.d.ts +21 -0
package/lib/core-api/service/index.js +8 -67
package/lib/core-api/service/pagination.js +125 -0
package/lib/core-api/service/single-type.js +17 -19
package/lib/factories.d.ts +48 -0
package/lib/factories.js +84 -0
package/lib/index.d.ts +10 -31
package/lib/index.js +5 -1
package/lib/middlewares/body.js +33 -0
package/lib/middlewares/compression.js +8 -0
package/lib/middlewares/cors.js +58 -0
package/lib/middlewares/errors.js +40 -0
package/lib/middlewares/favicon.js +19 -0
package/lib/middlewares/index.d.ts +5 -0
package/lib/middlewares/index.js +30 -116
package/lib/middlewares/ip.js +8 -0
package/lib/middlewares/logger.js +27 -0
package/lib/middlewares/powered-by.js +20 -0
package/lib/middlewares/public/index.js +72 -77
package/lib/middlewares/query.js +46 -0
package/lib/middlewares/response-time.js +15 -0
package/lib/middlewares/responses.js +19 -0
package/lib/middlewares/security.js +51 -0
package/lib/middlewares/session/index.js +6 -6
package/lib/migrations/draft-publish.js +57 -0
package/lib/services/auth/index.js +87 -0
package/lib/services/core-store.js +64 -49
package/lib/services/cron.js +54 -0
package/lib/services/entity-service/attributes/index.js +31 -0
package/lib/services/entity-service/attributes/transforms.js +20 -0
package/lib/services/entity-service/components.js +39 -15
package/lib/services/entity-service/index.d.ts +91 -0
package/lib/services/entity-service/index.js +118 -60
package/lib/services/entity-service/params.js +52 -94
package/lib/services/entity-validator/index.js +76 -43
package/lib/services/entity-validator/validators.js +131 -43
package/lib/services/errors.js +77 -0
package/lib/services/fs.js +1 -1
package/lib/services/metrics/index.js +38 -36
package/lib/services/server/admin-api.js +14 -0
package/lib/services/server/api.js +36 -0
package/lib/services/server/compose-endpoint.js +141 -0
package/lib/services/server/content-api.js +16 -0
package/lib/{server.js → services/server/http-server.js} +0 -0
package/lib/services/server/index.js +127 -0
package/lib/services/server/koa.js +64 -0
package/lib/services/server/middleware.js +122 -0
package/lib/services/server/policy.js +32 -0
package/lib/services/server/register-middlewares.js +110 -0
package/lib/services/server/register-routes.js +106 -0
package/lib/services/server/routing.js +120 -0
package/lib/services/webhook-runner.js +1 -1
package/lib/utils/ee.js +3 -3
package/lib/utils/get-dirs.js +17 -0
package/lib/utils/index.js +2 -0
package/lib/utils/signals.js +24 -0
package/lib/utils/update-notifier/index.js +2 -1
package/package.json +94 -97
package/lib/commands/generate.js +0 -76
package/lib/core/app-configuration/load-functions.js +0 -28
package/lib/core-api/index.js +0 -39
package/lib/load/check-reserved-filename.js +0 -10
package/lib/load/load-config-files.js +0 -22
package/lib/load/require-file-parse.js +0 -15
package/lib/middlewares/boom/defaults.json +0 -5
package/lib/middlewares/boom/index.js +0 -147
package/lib/middlewares/cors/index.js +0 -66
package/lib/middlewares/cron/defaults.json +0 -5
package/lib/middlewares/cron/index.js +0 -43
package/lib/middlewares/favicon/defaults.json +0 -7
package/lib/middlewares/favicon/index.js +0 -32
package/lib/middlewares/gzip/defaults.json +0 -6
package/lib/middlewares/gzip/index.js +0 -19
package/lib/middlewares/helmet/defaults.json +0 -18
package/lib/middlewares/helmet/index.js +0 -9
package/lib/middlewares/ip/defaults.json +0 -7
package/lib/middlewares/ip/index.js +0 -25
package/lib/middlewares/language/defaults.json +0 -9
package/lib/middlewares/language/index.js +0 -40
package/lib/middlewares/logger/defaults.json +0 -5
package/lib/middlewares/logger/index.js +0 -37
package/lib/middlewares/parser/defaults.json +0 -11
package/lib/middlewares/parser/index.js +0 -71
package/lib/middlewares/poweredBy/defaults.json +0 -5
package/lib/middlewares/poweredBy/index.js +0 -16
package/lib/middlewares/public/defaults.json +0 -8
package/lib/middlewares/responseTime/defaults.json +0 -5
package/lib/middlewares/responseTime/index.js +0 -25
package/lib/middlewares/responses/defaults.json +0 -5
package/lib/middlewares/responses/index.js +0 -18
package/lib/middlewares/router/defaults.json +0 -7
package/lib/middlewares/router/index.js +0 -58
package/lib/middlewares/router/utils/composeEndpoint.js +0 -177
package/lib/utils/get-prefixed-dependencies.js +0 -7

package/lib/middlewares/body.js ADDED Viewed

@@ -0,0 +1,33 @@
+'use strict';
+const { defaultsDeep } = require('lodash/fp');
+const body = require('koa-body');
+const defaults = {
+  multipart: true,
+  patchKoa: true,
+};
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = config => {
+  const bodyConfig = defaultsDeep(defaults, config);
+  return async (ctx, next) => {
+    // TODO: find a better way later
+    if (ctx.url === '/graphql') {
+      return next();
+    }
+    try {
+      await body({ patchKoa: true, ...bodyConfig })(ctx, next);
+    } catch (e) {
+      if ((e || {}).message && e.message.includes('maxFileSize exceeded')) {
+        return ctx.payloadTooLarge('FileTooBig');
+      }
+      throw e;
+    }
+  };
+};

package/lib/middlewares/compression.js ADDED Viewed

@@ -0,0 +1,8 @@
+'use strict';
+const compress = require('koa-compress');
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = config => compress(config);

package/lib/middlewares/cors.js ADDED Viewed

@@ -0,0 +1,58 @@
+'use strict';
+const { defaultsDeep } = require('lodash/fp');
+const cors = require('@koa/cors');
+const defaults = {
+  origin: '*',
+  maxAge: 31536000,
+  credentials: true,
+  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],
+  headers: ['Content-Type', 'Authorization', 'Origin', 'Accept'],
+  keepHeadersOnError: false,
+};
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = config => {
+  const {
+    origin,
+    expose,
+    maxAge,
+    credentials,
+    methods,
+    headers,
+    keepHeadersOnError,
+  } = defaultsDeep(defaults, config);
+  return cors({
+    async origin(ctx) {
+      let originList;
+      if (typeof origin === 'function') {
+        originList = await origin(ctx);
+      } else {
+        originList = origin;
+      }
+      const whitelist = Array.isArray(originList) ? originList : originList.split(/\s*,\s*/);
+      const requestOrigin = ctx.accept.headers.origin;
+      if (whitelist.includes('*')) {
+        return '*';
+      }
+      if (!whitelist.includes(requestOrigin)) {
+        return ctx.throw(`${requestOrigin} is not a valid origin`);
+      }
+      return requestOrigin;
+    },
+    exposeHeaders: expose,
+    maxAge,
+    credentials,
+    allowMethods: methods,
+    allowHeaders: headers,
+    keepHeadersOnError,
+  });
+};

package/lib/middlewares/errors.js ADDED Viewed

@@ -0,0 +1,40 @@
+'use strict';
+const { HttpError, ApplicationError } = require('@strapi/utils').errors;
+const {
+  formatApplicationError,
+  formatHttpError,
+  formatInternalError,
+} = require('../services/errors');
+module.exports = (/* _, { strapi } */) => {
+  return async (ctx, next) => {
+    try {
+      await next();
+      if (!ctx.response._explicitStatus) {
+        return ctx.notFound();
+      }
+    } catch (error) {
+      if (error instanceof ApplicationError) {
+        const { status, body } = formatApplicationError(error);
+        ctx.status = status;
+        ctx.body = body;
+        return;
+      }
+      if (error instanceof HttpError) {
+        const { status, body } = formatHttpError(error);
+        ctx.status = status;
+        ctx.body = body;
+        return;
+      }
+      strapi.log.error(error);
+      const { status, body } = formatInternalError(error);
+      ctx.status = status;
+      ctx.body = body;
+    }
+  };
+};

package/lib/middlewares/favicon.js ADDED Viewed

@@ -0,0 +1,19 @@
+'use strict';
+const { resolve } = require('path');
+const { defaultsDeep } = require('lodash/fp');
+const favicon = require('koa-favicon');
+const defaults = {
+  path: 'favicon.ico',
+  maxAge: 86400000,
+};
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = (config, { strapi }) => {
+  const { maxAge, path: faviconPath } = defaultsDeep(defaults, config);
+  return favicon(resolve(strapi.dirs.root, faviconPath), { maxAge });
+};

package/lib/middlewares/index.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import { Strapi } from '../';
+import { Middleware } from 'koa';
+export type MiddlewareFactory = (config: any, ctx: { strapi: Strapi }) => Middleware | null;
+export type Middleware = Middleware;

package/lib/middlewares/index.js CHANGED Viewed

@@ -1,119 +1,33 @@
 'use strict';
-const { uniq, difference, get, isUndefined, merge } = require('lodash');
-const requiredMiddlewares = [
-  'responses',
-  'router',
-  'logger',
-  'boom',
-  'cors',
-  'cron',
-  'xframe',
-  'xss',
-  'public',
-  'favicon',
-];
-module.exports = async function() {
-  /** Utils */
-  const middlewareConfig = this.config.middleware;
-  // check if a middleware exists
-  const middlewareExists = key => {
-    return !isUndefined(this.middleware[key]);
-  };
-  // check if a middleware is enabled
-  const middlewareEnabled = key => {
-    return (
-      requiredMiddlewares.includes(key) ||
-      get(middlewareConfig, ['settings', key, 'enabled'], false) === true
-    );
-  };
-  // list of enabled middlewares
-  const enabledMiddlewares = Object.keys(this.middleware).filter(middlewareEnabled);
-  // Method to initialize middlewares and emit an event.
-  const initialize = middlewareKey => {
-    if (this.middleware[middlewareKey].loaded === true) return;
-    const module = this.middleware[middlewareKey].load;
-    return new Promise((resolve, reject) => {
-      const timeout = setTimeout(
-        () => reject(`(middleware: ${middlewareKey}) is taking too long to load.`),
-        middlewareConfig.timeout || 1000
-      );
-      this.middleware[middlewareKey] = merge(this.middleware[middlewareKey], module);
-      Promise.resolve()
-        .then(() => module.initialize())
-        .then(() => {
-          clearTimeout(timeout);
-          this.middleware[middlewareKey].loaded = true;
-          resolve();
-        })
-        .catch(err => {
-          clearTimeout(timeout);
-          if (err) {
-            return reject(err);
-          }
-        });
-    });
-  };
-  /**
-   * Run init functions
-   */
-  // Run beforeInitialize of every middleware
-  await Promise.all(
-    enabledMiddlewares.map(key => {
-      const { beforeInitialize } = this.middleware[key].load;
-      if (typeof beforeInitialize === 'function') {
-        return beforeInitialize();
-      }
-    })
-  );
-  // run the initialization of an array of middlewares sequentially
-  const initMiddlewaresSeq = async middlewareArr => {
-    for (let key of uniq(middlewareArr)) {
-      await initialize(key);
-    }
-  };
-  const middlewaresBefore = get(middlewareConfig, 'load.before', [])
-    .filter(middlewareExists)
-    .filter(middlewareEnabled);
-  const middlewaresAfter = get(middlewareConfig, 'load.after', [])
-    .filter(middlewareExists)
-    .filter(middlewareEnabled);
-  const middlewaresOrder = get(middlewareConfig, 'load.order', [])
-    .filter(middlewareExists)
-    .filter(middlewareEnabled);
-  const unspecifiedMiddlewares = difference(
-    enabledMiddlewares,
-    middlewaresBefore,
-    middlewaresOrder,
-    middlewaresAfter
-  );
-  // before
-  await initMiddlewaresSeq(middlewaresBefore);
-  // ordered // rest of middlewares
-  await Promise.all([
-    initMiddlewaresSeq(middlewaresOrder),
-    Promise.all(unspecifiedMiddlewares.map(initialize)),
-  ]);
-  // after
-  await initMiddlewaresSeq(middlewaresAfter);
+const compression = require('./compression');
+const cors = require('./cors');
+const errors = require('./errors');
+const favicon = require('./favicon');
+const ip = require('./ip');
+const logger = require('./logger');
+const poweredBy = require('./powered-by');
+const body = require('./body');
+const query = require('./query');
+const responseTime = require('./response-time');
+const responses = require('./responses');
+const security = require('./security');
+// TODO: add back ?
+// session: require('./session'),
+const publicStatic = require('./public');
+module.exports = {
+  errors,
+  ip,
+  security,
+  cors,
+  responseTime,
+  poweredBy,
+  logger,
+  compression,
+  responses,
+  body,
+  query,
+  favicon,
+  public: publicStatic,
 };

package/lib/middlewares/ip.js ADDED Viewed

@@ -0,0 +1,8 @@
+'use strict';
+const ip = require('koa-ip');
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = config => ip(config);

package/lib/middlewares/logger.js ADDED Viewed

@@ -0,0 +1,27 @@
+'use strict';
+const chalk = require('chalk');
+const codeToColor = code => {
+  return code >= 500
+    ? chalk.red(code)
+    : code >= 400
+    ? chalk.yellow(code)
+    : code >= 300
+    ? chalk.cyan(code)
+    : code >= 200
+    ? chalk.green(code)
+    : code;
+};
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = (_, { strapi }) => {
+  return async (ctx, next) => {
+    const start = Date.now();
+    await next();
+    const delta = Math.ceil(Date.now() - start);
+    strapi.log.http(`${ctx.method} ${ctx.url} (${delta} ms) ${codeToColor(ctx.status)}`);
+  };
+};

package/lib/middlewares/powered-by.js ADDED Viewed

@@ -0,0 +1,20 @@
+'use strict';
+const { defaultsDeep } = require('lodash/fp');
+const defaults = {
+  poweredBy: 'Strapi <strapi.io>',
+};
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = config => {
+  const { poweredBy } = defaultsDeep(defaults, config);
+  return async (ctx, next) => {
+    await next();
+    ctx.set('X-Powered-By', poweredBy);
+  };
+};

package/lib/middlewares/public/index.js CHANGED Viewed

@@ -1,98 +1,93 @@
 'use strict';
-/**
- * Module dependencies
- */
-// Node.js core.
 const fs = require('fs');
 const path = require('path');
 const stream = require('stream');
 const _ = require('lodash');
+const { defaultsDeep } = require('lodash/fp');
 const koaStatic = require('koa-static');
 const utils = require('../../utils');
 const serveStatic = require('./serve-static');
+const defaults = {
+  maxAge: 60000,
+  defaultIndex: true,
+};
 /**
- * Public assets hook
+ * @type {import('../').MiddlewareFactory}
  */
+module.exports = (config, { strapi }) => {
+  const { defaultIndex, maxAge } = defaultsDeep(defaults, config);
-module.exports = strapi => {
-  return {
-    /**
-     * Initialize the hook
-     */
-    async initialize() {
-      const { defaultIndex, maxAge, path: publicPath } = strapi.config.middleware.settings.public;
-      const staticDir = path.resolve(strapi.dir, publicPath || strapi.config.paths.static);
-      if (defaultIndex === true) {
-        const index = fs.readFileSync(path.join(__dirname, 'index.html'), 'utf8');
+  if (defaultIndex === true) {
+    const index = fs.readFileSync(path.join(__dirname, 'index.html'), 'utf8');
-        const serveIndexPage = async (ctx, next) => {
-          // defer rendering of strapi index page
-          await next();
-          if (ctx.body != null || ctx.status !== 404) return;
+    const serveIndexPage = async (ctx, next) => {
+      // defer rendering of strapi index page
+      await next();
-          ctx.url = 'index.html';
-          const isInitialized = await utils.isInitialized(strapi);
-          const data = {
-            serverTime: new Date().toUTCString(),
-            isInitialized,
-            ..._.pick(strapi, [
-              'config.info.version',
-              'config.info.name',
-              'config.admin.url',
-              'config.server.url',
-              'config.environment',
-              'config.serveAdminPanel',
-            ]),
-          };
-          const content = _.template(index)(data);
-          const body = stream.Readable({
-            read() {
-              this.push(Buffer.from(content));
-              this.push(null);
-            },
-          });
-          // Serve static.
-          ctx.type = 'html';
-          ctx.body = body;
-        };
+      if (ctx.body != null || ctx.status !== 404) return;
-        strapi.router.get('/', serveIndexPage);
-        strapi.router.get('/index.html', serveIndexPage);
-        strapi.router.get(
-          '/assets/images/(.*)',
-          serveStatic(path.resolve(__dirname, 'assets/images'), { maxage: maxAge, defer: true })
-        );
-      }
+      ctx.url = 'index.html';
+      const isInitialized = await utils.isInitialized(strapi);
+      const data = {
+        serverTime: new Date().toUTCString(),
+        isInitialized,
+        ..._.pick(strapi, [
+          'config.info.version',
+          'config.info.name',
+          'config.admin.url',
+          'config.server.url',
+          'config.environment',
+          'config.serveAdminPanel',
+        ]),
+      };
+      const content = _.template(index)(data);
+      const body = stream.Readable({
+        read() {
+          this.push(Buffer.from(content));
+          this.push(null);
+        },
+      });
+      // Serve static.
+      ctx.type = 'html';
+      ctx.body = body;
+    };
-      // serve files in public folder unless a sub router renders something else
-      strapi.router.get(
-        '/(.*)',
-        koaStatic(staticDir, {
+    strapi.server.routes([
+      {
+        method: 'GET',
+        path: '/',
+        handler: serveIndexPage,
+        config: { auth: false },
+      },
+      {
+        method: 'GET',
+        path: '/index.html',
+        handler: serveIndexPage,
+        config: { auth: false },
+      },
+      {
+        method: 'GET',
+        path: '/assets/images/(.*)',
+        handler: serveStatic(path.resolve(__dirname, 'assets/images'), {
           maxage: maxAge,
           defer: true,
-        })
-      );
-      if (!strapi.config.serveAdminPanel) return;
-      const buildDir = path.resolve(strapi.dir, 'build');
-      const serveAdmin = ctx => {
-        ctx.type = 'html';
-        ctx.body = fs.createReadStream(path.join(buildDir + '/index.html'));
-      };
-      strapi.router.get(
-        `${strapi.config.admin.path}/*`,
-        serveStatic(buildDir, { maxage: maxAge, defer: false, index: 'index.html' })
-      );
+        }),
+        config: { auth: false },
+      },
+      {
+        method: 'GET',
+        path: '/(.*)',
+        handler: koaStatic(strapi.dirs.public, {
+          maxage: maxAge,
+          defer: true,
+        }),
+        config: { auth: false },
+      },
+    ]);
+  }
-      strapi.router.get(`${strapi.config.admin.path}`, serveAdmin);
-      strapi.router.get(`${strapi.config.admin.path}/*`, serveAdmin);
-    },
-  };
+  return null;
 };

package/lib/middlewares/query.js ADDED Viewed

@@ -0,0 +1,46 @@
+'use strict';
+const { defaultsDeep } = require('lodash/fp');
+const qs = require('qs');
+const defaults = {
+  strictNullHandling: true,
+  arrayLimit: 100,
+  depth: 20,
+};
+/**
+ * Body parser hook
+ */
+const addQsParser = (app, settings) => {
+  Object.defineProperty(app.request, 'query', {
+    configurable: false,
+    enumerable: true,
+    /*
+     * Get parsed query-string.
+     */
+    get() {
+      const qstr = this.querystring;
+      const cache = (this._querycache = this._querycache || {});
+      return cache[qstr] || (cache[qstr] = qs.parse(qstr, settings));
+    },
+    /*
+     * Set query-string as an object.
+     */
+    set(obj) {
+      this.querystring = qs.stringify(obj);
+    },
+  });
+  return app;
+};
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = (config, { strapi }) => {
+  addQsParser(strapi.server.app, defaultsDeep(defaults, config));
+  return null;
+};

package/lib/middlewares/response-time.js ADDED Viewed

@@ -0,0 +1,15 @@
+'use strict';
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = () => {
+  return async (ctx, next) => {
+    const start = Date.now();
+    await next();
+    const delta = Math.ceil(Date.now() - start);
+    ctx.set('X-Response-Time', delta + 'ms');
+  };
+};

package/lib/middlewares/responses.js ADDED Viewed

@@ -0,0 +1,19 @@
+'use strict';
+const { prop, isFunction } = require('lodash/fp');
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = (config = {}) => {
+  return async (ctx, next) => {
+    await next();
+    const status = ctx.status;
+    const handler = prop(`handlers.${status}`, config);
+    if (isFunction(handler)) {
+      await handler(ctx);
+    }
+  };
+};

package/lib/middlewares/security.js ADDED Viewed

@@ -0,0 +1,51 @@
+'use strict';
+const { defaultsDeep, merge } = require('lodash/fp');
+const helmet = require('koa-helmet');
+const defaults = {
+  crossOriginEmbedderPolicy: false,
+  crossOriginOpenerPolicy: false,
+  crossOriginResourcePolicy: false,
+  originAgentCluster: false,
+  contentSecurityPolicy: {
+    useDefaults: true,
+    directives: {
+      'connect-src': ["'self'", 'https:'],
+      'img-src': ["'self'", 'data:', 'blob:'],
+      'media-src': ["'self'", 'data:', 'blob:'],
+      upgradeInsecureRequests: null,
+    },
+  },
+  xssFilter: false,
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true,
+  },
+  frameguard: {
+    action: 'sameorigin',
+  },
+};
+/**
+ * @type {import('./').MiddlewareFactory}
+ */
+module.exports = config => (ctx, next) => {
+  let helmetConfig = defaultsDeep(defaults, config);
+  if (
+    ctx.method === 'GET' &&
+    ['/graphql', '/documentation'].some(str => ctx.path.startsWith(str))
+  ) {
+    helmetConfig = merge(helmetConfig, {
+      contentSecurityPolicy: {
+        directives: {
+          'script-src': ["'self'", "'unsafe-inline'", 'cdn.jsdelivr.net'],
+          'img-src': ["'self'", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],
+        },
+      },
+    });
+  }
+  return helmet(helmetConfig)(ctx, next);
+};