@taujs/server 0.3.6 → 0.3.7

package/dist/{SSRServer-DPZped7n.d.ts → SSRServer-CbXIDaoA.d.ts}

@@ -1,18 +1,7 @@
 import { ServerResponse } from 'node:http';
-import { FastifyRequest, FastifyReply, HookHandlerDoneFunction, FastifyPluginAsync, FastifyPluginCallback } from 'fastify';
+import { FastifyPluginAsync, FastifyPluginCallback } from 'fastify';
 import { PluginOption } from 'vite';
-
-type CSPDirectives = Record<string, string[]>;
-interface CSPOptions {
-    directives?: CSPDirectives;
-    exposeNonce?: (req: FastifyRequest, nonce: string) => void;
-    generateCSP?: (directives: CSPDirectives, nonce: string) => string;
-}
-declare const defaultGenerateCSP: (directives: CSPDirectives, nonce: string) => string;
-declare const generateNonce: () => string;
-declare const createCSPHook: (options?: CSPOptions) => (req: FastifyRequest, reply: FastifyReply, done: HookHandlerDoneFunction) => void;
-declare const getRequestNonce: (req: FastifyRequest) => string | undefined;
-declare const applyCSP: (security: SSRServerOptions["security"], reply: FastifyReply) => string | undefined;
+import { CSPDirectives } from './security/csp.js';
 
 declare const TEMPLATE: {
     readonly defaultEntryClient: "entry-client";
@@ -66,7 +55,7 @@ type SSRServerOptions = {
     security?: {
         csp?: {
             directives?: CSPDirectives;
-            generateCSP?: (directives: CSPDirectives, nonce: string) => string;
+            generateCSP?: (directives: CSPDirectives, cspNonce: string) => string;
         };
     };
     registerStaticAssets?: false | {
@@ -101,7 +90,7 @@ type RenderSSR = (initialDataResolved: Record<string, unknown>, location: string
     headContent: string;
     appHtml: string;
 }>;
-type RenderStream = (serverResponse: ServerResponse, callbacks: RenderCallbacks, initialDataPromise: Promise<Record<string, unknown>>, location: string, bootstrapModules?: string, meta?: Record<string, unknown>) => void;
+type RenderStream = (serverResponse: ServerResponse, callbacks: RenderCallbacks, initialDataPromise: Promise<Record<string, unknown>>, location: string, bootstrapModules?: string, meta?: Record<string, unknown>, cspNonce?: string) => void;
 type RenderModule = {
     renderSSR: RenderSSR;
     renderStream: RenderStream;
@@ -150,4 +139,4 @@ interface InitialRouteParams extends Record<string, unknown> {
 type RouteParams = InitialRouteParams & Record<string, unknown>;
 type RoutePathsAndAttributes<Params = {}> = Omit<Route<Params>, 'element'>;
 
-export { type BaseMiddleware as B, type Config as C, type DataResult as D, type GenericPlugin as G, type InitialRouteParams as I, type ManifestEntry as M, type NamedService as N, type ProcessedConfig as P, type Route as R, SSRServer as S, TEMPLATE as T, type RouteParams as a, type RouteAttributes as b, createMaps as c, type SSRServerOptions as d, type ServiceMethod as e, type ServiceRegistry as f, type RenderCallbacks as g, type SSRManifest as h, type Manifest as i, type RenderSSR as j, type RenderStream as k, type RenderModule as l, type ServiceCall as m, type DataHandler as n, type RoutePathsAndAttributes as o, processConfigs as p, type CSPDirectives as q, type CSPOptions as r, defaultGenerateCSP as s, generateNonce as t, createCSPHook as u, getRequestNonce as v, applyCSP as w };
+export { type BaseMiddleware as B, type Config as C, type DataResult as D, type GenericPlugin as G, type InitialRouteParams as I, type ManifestEntry as M, type NamedService as N, type ProcessedConfig as P, type Route as R, SSRServer as S, TEMPLATE as T, type RouteParams as a, type RouteAttributes as b, createMaps as c, type SSRServerOptions as d, type ServiceMethod as e, type ServiceRegistry as f, type RenderCallbacks as g, type SSRManifest as h, type Manifest as i, type RenderSSR as j, type RenderStream as k, type RenderModule as l, type ServiceCall as m, type DataHandler as n, type RoutePathsAndAttributes as o, processConfigs as p };

package/dist/build.d.ts

@@ -1,8 +1,9 @@
 import { AppConfig } from './config.js';
 import 'vite';
-import './SSRServer-DPZped7n.js';
+import './SSRServer-CbXIDaoA.js';
 import 'node:http';
 import 'fastify';
+import './security/csp.js';
 
 /**
  * taujs [ τjs ] Orchestration System

package/dist/build.js

@@ -193,7 +193,7 @@ import { build } from "vite";
 import { nodePolyfills } from "vite-plugin-node-polyfills";
 
 // src/SSRServer.ts
-var import_fastify_plugin = __toESM(require_plugin(), 1);
+var import_fastify_plugin2 = __toESM(require_plugin(), 1);
 var import_picocolors = __toESM(require_picocolors(), 1);
 import { readFile } from "fs/promises";
 import path2 from "path";
@@ -266,6 +266,7 @@ function createAuthHook(routes, isDebug) {
 }
 
 // src/security/csp.ts
+var import_fastify_plugin = __toESM(require_plugin(), 1);
 import crypto from "crypto";
 
 // src/utils/Utils.ts
@@ -421,28 +422,22 @@ var defaultGenerateCSP = (directives, nonce) => {
   return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
 };
 var generateNonce = () => crypto.randomBytes(16).toString("base64");
-var createCSPHook = (options = {}) => (req, reply, done) => {
-  const nonce = generateNonce();
-  const directives = options.directives ?? DEV_CSP_DIRECTIVES;
-  const generate = options.generateCSP ?? defaultGenerateCSP;
-  const cspHeader = generate(directives, nonce);
-  reply.header("Content-Security-Policy", cspHeader);
-  if (typeof options.exposeNonce === "function") {
-    options.exposeNonce(req, nonce);
-  } else {
-    req.nonce = nonce;
+var cspPlugin = (0, import_fastify_plugin.default)(
+  async (fastify, opts) => {
+    fastify.addHook("onRequest", (req, reply, done) => {
+      const nonce = generateNonce();
+      req.cspNonce = nonce;
+      const directives = opts.directives ?? DEV_CSP_DIRECTIVES;
+      const generate = opts.generateCSP ?? defaultGenerateCSP;
+      const cspHeader = generate(directives, nonce);
+      reply.header("Content-Security-Policy", cspHeader);
+      done();
+    });
+  },
+  {
+    name: "taujs-csp-plugin"
   }
-  done();
-};
-var applyCSP = (security, reply) => {
-  const nonce = generateNonce();
-  const directives = security?.csp?.directives ?? DEV_CSP_DIRECTIVES;
-  const generate = security?.csp?.generateCSP ?? defaultGenerateCSP;
-  const header = generate(directives, nonce);
-  reply.header("Content-Security-Policy", header);
-  reply.request.nonce = nonce;
-  return nonce;
-};
+);
 
 // src/security/verifyMiddleware.ts
 var isAuthRequired = (r) => r.attr?.middleware?.auth?.required === true;
@@ -489,7 +484,7 @@ var processConfigs = (configs, baseClientRoot, templateDefaults) => {
     };
   });
 };
-var SSRServer = (0, import_fastify_plugin.default)(
+var SSRServer = (0, import_fastify_plugin2.default)(
   async (app, opts) => {
     const logger = createLogger(opts.isDebug ?? false);
     const { alias, configs, routes, serviceRegistry, isDebug, clientRoot: baseClientRoot } = opts;
@@ -548,13 +543,10 @@ var SSRServer = (0, import_fastify_plugin.default)(
         ...options ?? {}
       });
     }
-    app.addHook(
-      "onRequest",
-      createCSPHook({
-        directives: opts.security?.csp?.directives,
-        generateCSP: opts.security?.csp?.generateCSP
-      })
-    );
+    app.register(cspPlugin, {
+      directives: opts.security?.csp?.directives,
+      generateCSP: opts.security?.csp?.generateCSP
+    });
     app.addHook("onRequest", createAuthHook(routes));
     if (isDevelopment) {
       const { createServer } = await import("vite");
@@ -613,7 +605,7 @@ var SSRServer = (0, import_fastify_plugin.default)(
         if (/\.\w+$/.test(req.raw.url ?? "")) return reply.callNotFound();
         const url = req.url ? new URL(req.url, `http://${req.headers.host}`).pathname : "/";
         const matchedRoute = matchRoute(url, routes);
-        const nonce = applyCSP(opts.security, reply);
+        const cspNonce = req.cspNonce;
         if (!matchedRoute) {
           reply.callNotFound();
           return;
@@ -655,18 +647,23 @@ var SSRServer = (0, import_fastify_plugin.default)(
         if (renderType === RENDERTYPE.ssr) {
           const { renderSSR } = renderModule;
           const initialDataResolved = await initialDataPromise;
-          const initialDataScript = `<script nonce="${nonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`;
+          const initialDataScript = `<script nonce="${cspNonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`;
           const { headContent, appHtml } = await renderSSR(initialDataResolved, req.url, attr?.meta);
           let aggregateHeadContent = headContent;
           if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
           if (manifest && cssLink) aggregateHeadContent += cssLink;
           const shouldHydrate = attr?.hydrate !== false;
-          const bootstrapScriptTag = shouldHydrate ? `<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script>` : "";
+          const bootstrapScriptTag = shouldHydrate ? `<script nonce="${cspNonce}" type="module" src="${bootstrapModule}" defer></script>` : "";
           const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}${bootstrapScriptTag}`);
           return reply.status(200).header("Content-Type", "text/html").send(fullHtml);
         } else {
           const { renderStream } = renderModule;
-          reply.raw.writeHead(200, { "Content-Type": "text/html" });
+          const cspNonce2 = req.cspNonce;
+          const cspHeader = reply.getHeader("Content-Security-Policy");
+          reply.raw.writeHead(200, {
+            "Content-Security-Policy": cspHeader,
+            "Content-Type": "text/html"
+          });
           renderStream(
             reply.raw,
             {
@@ -677,7 +674,9 @@ var SSRServer = (0, import_fastify_plugin.default)(
                 reply.raw.write(`${beforeHead}${aggregateHeadContent}${afterHead}`);
               },
               onFinish: async (initialDataResolved) => {
-                reply.raw.write(`<script nonce="${nonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`);
+                reply.raw.write(
+                  `<script nonce="${cspNonce2}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`
+                );
                 reply.raw.write(afterBody);
                 reply.raw.end();
               },
@@ -689,7 +688,8 @@ var SSRServer = (0, import_fastify_plugin.default)(
             initialDataPromise,
             req.url,
             bootstrapModule,
-            attr?.meta
+            attr?.meta,
+            cspNonce2
           );
         }
       } catch (error) {
@@ -704,13 +704,14 @@ var SSRServer = (0, import_fastify_plugin.default)(
         const defaultConfig = processedConfigs[0];
         if (!defaultConfig) throw new Error("No default configuration found.");
         const { clientRoot } = defaultConfig;
-        const nonce = applyCSP(opts.security, reply);
+        const cspNonce = req.cspNonce;
         let template = ensureNonNull(templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
         const cssLink = cssLinks.get(clientRoot);
         const bootstrapModule = bootstrapModules.get(clientRoot);
         template = template.replace(SSRTAG.ssrHead, "").replace(SSRTAG.ssrHtml, "");
         if (!isDevelopment && cssLink) template = template.replace("</head>", `${cssLink}</head>`);
-        if (bootstrapModule) template = template.replace("</body>", `<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script></body>`);
+        if (bootstrapModule)
+          template = template.replace("</body>", `<script nonce="${cspNonce}" type="module" src="${bootstrapModule}" defer></script></body>`);
         reply.status(200).type("text/html").send(template);
       } catch (error) {
         console.error("Failed to serve clientHtmlTemplate:", error);

package/dist/config.d.ts

@@ -1,7 +1,8 @@
 import { PluginOption } from 'vite';
-import { R as Route, a as RouteParams, b as RouteAttributes } from './SSRServer-DPZped7n.js';
+import { R as Route, a as RouteParams, b as RouteAttributes } from './SSRServer-CbXIDaoA.js';
 import 'node:http';
 import 'fastify';
+import './security/csp.js';
 
 /**
  * taujs [ τjs ] Orchestration System

package/dist/index.d.ts

@@ -1,11 +1,12 @@
 import { FastifyReply } from 'fastify';
-export { B as BaseMiddleware, C as Config, n as DataHandler, D as DataResult, G as GenericPlugin, I as InitialRouteParams, i as Manifest, M as ManifestEntry, N as NamedService, P as ProcessedConfig, g as RenderCallbacks, l as RenderModule, j as RenderSSR, k as RenderStream, R as Route, b as RouteAttributes, a as RouteParams, o as RoutePathsAndAttributes, h as SSRManifest, S as SSRServer, d as SSRServerOptions, m as ServiceCall, e as ServiceMethod, f as ServiceRegistry, T as TEMPLATE, c as createMaps, p as processConfigs } from './SSRServer-DPZped7n.js';
+export { B as BaseMiddleware, C as Config, n as DataHandler, D as DataResult, G as GenericPlugin, I as InitialRouteParams, i as Manifest, M as ManifestEntry, N as NamedService, P as ProcessedConfig, g as RenderCallbacks, l as RenderModule, j as RenderSSR, k as RenderStream, R as Route, b as RouteAttributes, a as RouteParams, o as RoutePathsAndAttributes, h as SSRManifest, S as SSRServer, d as SSRServerOptions, m as ServiceCall, e as ServiceMethod, f as ServiceRegistry, T as TEMPLATE, c as createMaps, p as processConfigs } from './SSRServer-CbXIDaoA.js';
 import 'node:http';
 import 'vite';
+import './security/csp.js';
 
 declare module 'fastify' {
   interface FastifyRequest {
-    nonce?: string;
+    cspNonce?: string;
   }
   interface FastifyInstance {
     /**

package/dist/index.js

@@ -191,7 +191,7 @@ var require_picocolors = __commonJS({
 import "fastify";
 
 // src/SSRServer.ts
-var import_fastify_plugin = __toESM(require_plugin(), 1);
+var import_fastify_plugin2 = __toESM(require_plugin(), 1);
 var import_picocolors = __toESM(require_picocolors(), 1);
 import { readFile } from "fs/promises";
 import path2 from "path";
@@ -264,6 +264,7 @@ function createAuthHook(routes, isDebug) {
 }
 
 // src/security/csp.ts
+var import_fastify_plugin = __toESM(require_plugin(), 1);
 import crypto from "crypto";
 
 // src/utils/Utils.ts
@@ -419,28 +420,22 @@ var defaultGenerateCSP = (directives, nonce) => {
   return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
 };
 var generateNonce = () => crypto.randomBytes(16).toString("base64");
-var createCSPHook = (options = {}) => (req, reply, done) => {
-  const nonce = generateNonce();
-  const directives = options.directives ?? DEV_CSP_DIRECTIVES;
-  const generate = options.generateCSP ?? defaultGenerateCSP;
-  const cspHeader = generate(directives, nonce);
-  reply.header("Content-Security-Policy", cspHeader);
-  if (typeof options.exposeNonce === "function") {
-    options.exposeNonce(req, nonce);
-  } else {
-    req.nonce = nonce;
+var cspPlugin = (0, import_fastify_plugin.default)(
+  async (fastify, opts) => {
+    fastify.addHook("onRequest", (req, reply, done) => {
+      const nonce = generateNonce();
+      req.cspNonce = nonce;
+      const directives = opts.directives ?? DEV_CSP_DIRECTIVES;
+      const generate = opts.generateCSP ?? defaultGenerateCSP;
+      const cspHeader = generate(directives, nonce);
+      reply.header("Content-Security-Policy", cspHeader);
+      done();
+    });
+  },
+  {
+    name: "taujs-csp-plugin"
   }
-  done();
-};
-var applyCSP = (security, reply) => {
-  const nonce = generateNonce();
-  const directives = security?.csp?.directives ?? DEV_CSP_DIRECTIVES;
-  const generate = security?.csp?.generateCSP ?? defaultGenerateCSP;
-  const header = generate(directives, nonce);
-  reply.header("Content-Security-Policy", header);
-  reply.request.nonce = nonce;
-  return nonce;
-};
+);
 
 // src/security/verifyMiddleware.ts
 var isAuthRequired = (r) => r.attr?.middleware?.auth?.required === true;
@@ -487,7 +482,7 @@ var processConfigs = (configs, baseClientRoot, templateDefaults) => {
     };
   });
 };
-var SSRServer = (0, import_fastify_plugin.default)(
+var SSRServer = (0, import_fastify_plugin2.default)(
   async (app, opts) => {
     const logger = createLogger(opts.isDebug ?? false);
     const { alias, configs, routes, serviceRegistry, isDebug, clientRoot: baseClientRoot } = opts;
@@ -546,13 +541,10 @@ var SSRServer = (0, import_fastify_plugin.default)(
         ...options ?? {}
       });
     }
-    app.addHook(
-      "onRequest",
-      createCSPHook({
-        directives: opts.security?.csp?.directives,
-        generateCSP: opts.security?.csp?.generateCSP
-      })
-    );
+    app.register(cspPlugin, {
+      directives: opts.security?.csp?.directives,
+      generateCSP: opts.security?.csp?.generateCSP
+    });
     app.addHook("onRequest", createAuthHook(routes));
     if (isDevelopment) {
       const { createServer } = await import("vite");
@@ -611,7 +603,7 @@ var SSRServer = (0, import_fastify_plugin.default)(
         if (/\.\w+$/.test(req.raw.url ?? "")) return reply.callNotFound();
         const url = req.url ? new URL(req.url, `http://${req.headers.host}`).pathname : "/";
         const matchedRoute = matchRoute(url, routes);
-        const nonce = applyCSP(opts.security, reply);
+        const cspNonce = req.cspNonce;
         if (!matchedRoute) {
           reply.callNotFound();
           return;
@@ -653,18 +645,23 @@ var SSRServer = (0, import_fastify_plugin.default)(
         if (renderType === RENDERTYPE.ssr) {
           const { renderSSR } = renderModule;
           const initialDataResolved = await initialDataPromise;
-          const initialDataScript = `<script nonce="${nonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`;
+          const initialDataScript = `<script nonce="${cspNonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`;
           const { headContent, appHtml } = await renderSSR(initialDataResolved, req.url, attr?.meta);
           let aggregateHeadContent = headContent;
           if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
           if (manifest && cssLink) aggregateHeadContent += cssLink;
           const shouldHydrate = attr?.hydrate !== false;
-          const bootstrapScriptTag = shouldHydrate ? `<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script>` : "";
+          const bootstrapScriptTag = shouldHydrate ? `<script nonce="${cspNonce}" type="module" src="${bootstrapModule}" defer></script>` : "";
           const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}${bootstrapScriptTag}`);
           return reply.status(200).header("Content-Type", "text/html").send(fullHtml);
         } else {
           const { renderStream } = renderModule;
-          reply.raw.writeHead(200, { "Content-Type": "text/html" });
+          const cspNonce2 = req.cspNonce;
+          const cspHeader = reply.getHeader("Content-Security-Policy");
+          reply.raw.writeHead(200, {
+            "Content-Security-Policy": cspHeader,
+            "Content-Type": "text/html"
+          });
           renderStream(
             reply.raw,
             {
@@ -675,7 +672,9 @@ var SSRServer = (0, import_fastify_plugin.default)(
                 reply.raw.write(`${beforeHead}${aggregateHeadContent}${afterHead}`);
               },
               onFinish: async (initialDataResolved) => {
-                reply.raw.write(`<script nonce="${nonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`);
+                reply.raw.write(
+                  `<script nonce="${cspNonce2}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`
+                );
                 reply.raw.write(afterBody);
                 reply.raw.end();
               },
@@ -687,7 +686,8 @@ var SSRServer = (0, import_fastify_plugin.default)(
             initialDataPromise,
             req.url,
             bootstrapModule,
-            attr?.meta
+            attr?.meta,
+            cspNonce2
           );
         }
       } catch (error) {
@@ -702,13 +702,14 @@ var SSRServer = (0, import_fastify_plugin.default)(
         const defaultConfig = processedConfigs[0];
         if (!defaultConfig) throw new Error("No default configuration found.");
         const { clientRoot } = defaultConfig;
-        const nonce = applyCSP(opts.security, reply);
+        const cspNonce = req.cspNonce;
         let template = ensureNonNull(templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
         const cssLink = cssLinks.get(clientRoot);
         const bootstrapModule = bootstrapModules.get(clientRoot);
         template = template.replace(SSRTAG.ssrHead, "").replace(SSRTAG.ssrHtml, "");
         if (!isDevelopment && cssLink) template = template.replace("</head>", `${cssLink}</head>`);
-        if (bootstrapModule) template = template.replace("</body>", `<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script></body>`);
+        if (bootstrapModule)
+          template = template.replace("</body>", `<script nonce="${cspNonce}" type="module" src="${bootstrapModule}" defer></script></body>`);
         reply.status(200).type("text/html").send(template);
       } catch (error) {
         console.error("Failed to serve clientHtmlTemplate:", error);

package/dist/security/csp.d.ts

@@ -1,4 +1,12 @@
-import 'fastify';
-export { q as CSPDirectives, r as CSPOptions, w as applyCSP, u as createCSPHook, s as defaultGenerateCSP, t as generateNonce, v as getRequestNonce } from '../SSRServer-DPZped7n.js';
-import 'node:http';
-import 'vite';
+import { FastifyPluginAsync } from 'fastify';
+
+interface CSPPluginOptions {
+    directives?: CSPDirectives;
+    generateCSP?: (directives: CSPDirectives, nonce: string) => string;
+}
+type CSPDirectives = Record<string, string[]>;
+declare const defaultGenerateCSP: (directives: CSPDirectives, nonce: string) => string;
+declare const generateNonce: () => string;
+declare const cspPlugin: FastifyPluginAsync<CSPPluginOptions>;
+
+export { type CSPDirectives, type CSPPluginOptions, cspPlugin, defaultGenerateCSP, generateNonce };

package/dist/security/csp.js

@@ -1,4 +1,121 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// node_modules/fastify-plugin/lib/getPluginName.js
+var require_getPluginName = __commonJS({
+  "node_modules/fastify-plugin/lib/getPluginName.js"(exports, module) {
+    "use strict";
+    var fpStackTracePattern = /at\s{1}(?:.*\.)?plugin\s{1}.*\n\s*(.*)/;
+    var fileNamePattern = /(\w*(\.\w*)*)\..*/;
+    module.exports = function getPluginName(fn) {
+      if (fn.name.length > 0) return fn.name;
+      const stackTraceLimit = Error.stackTraceLimit;
+      Error.stackTraceLimit = 10;
+      try {
+        throw new Error("anonymous function");
+      } catch (e) {
+        Error.stackTraceLimit = stackTraceLimit;
+        return extractPluginName(e.stack);
+      }
+    };
+    function extractPluginName(stack) {
+      const m = stack.match(fpStackTracePattern);
+      return m ? m[1].split(/[/\\]/).slice(-1)[0].match(fileNamePattern)[1] : "anonymous";
+    }
+    module.exports.extractPluginName = extractPluginName;
+  }
+});
+
+// node_modules/fastify-plugin/lib/toCamelCase.js
+var require_toCamelCase = __commonJS({
+  "node_modules/fastify-plugin/lib/toCamelCase.js"(exports, module) {
+    "use strict";
+    module.exports = function toCamelCase(name) {
+      if (name[0] === "@") {
+        name = name.slice(1).replace("/", "-");
+      }
+      return name.replace(/-(.)/g, function(match2, g1) {
+        return g1.toUpperCase();
+      });
+    };
+  }
+});
+
+// node_modules/fastify-plugin/plugin.js
+var require_plugin = __commonJS({
+  "node_modules/fastify-plugin/plugin.js"(exports, module) {
+    "use strict";
+    var getPluginName = require_getPluginName();
+    var toCamelCase = require_toCamelCase();
+    var count = 0;
+    function plugin(fn, options = {}) {
+      let autoName = false;
+      if (fn.default !== void 0) {
+        fn = fn.default;
+      }
+      if (typeof fn !== "function") {
+        throw new TypeError(
+          `fastify-plugin expects a function, instead got a '${typeof fn}'`
+        );
+      }
+      if (typeof options === "string") {
+        options = {
+          fastify: options
+        };
+      }
+      if (typeof options !== "object" || Array.isArray(options) || options === null) {
+        throw new TypeError("The options object should be an object");
+      }
+      if (options.fastify !== void 0 && typeof options.fastify !== "string") {
+        throw new TypeError(`fastify-plugin expects a version string, instead got '${typeof options.fastify}'`);
+      }
+      if (!options.name) {
+        autoName = true;
+        options.name = getPluginName(fn) + "-auto-" + count++;
+      }
+      fn[Symbol.for("skip-override")] = options.encapsulate !== true;
+      fn[Symbol.for("fastify.display-name")] = options.name;
+      fn[Symbol.for("plugin-meta")] = options;
+      if (!fn.default) {
+        fn.default = fn;
+      }
+      const camelCase = toCamelCase(options.name);
+      if (!autoName && !fn[camelCase]) {
+        fn[camelCase] = fn;
+      }
+      return fn;
+    }
+    module.exports = plugin;
+    module.exports.default = plugin;
+    module.exports.fastifyPlugin = plugin;
+  }
+});
+
 // src/security/csp.ts
+var import_fastify_plugin = __toESM(require_plugin(), 1);
 import crypto from "crypto";
 
 // src/constants.ts
@@ -35,33 +152,24 @@ var defaultGenerateCSP = (directives, nonce) => {
   return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
 };
 var generateNonce = () => crypto.randomBytes(16).toString("base64");
-var createCSPHook = (options = {}) => (req, reply, done) => {
-  const nonce = generateNonce();
-  const directives = options.directives ?? DEV_CSP_DIRECTIVES;
-  const generate = options.generateCSP ?? defaultGenerateCSP;
-  const cspHeader = generate(directives, nonce);
-  reply.header("Content-Security-Policy", cspHeader);
-  if (typeof options.exposeNonce === "function") {
-    options.exposeNonce(req, nonce);
-  } else {
-    req.nonce = nonce;
+var cspPlugin = (0, import_fastify_plugin.default)(
+  async (fastify, opts) => {
+    fastify.addHook("onRequest", (req, reply, done) => {
+      const nonce = generateNonce();
+      req.cspNonce = nonce;
+      const directives = opts.directives ?? DEV_CSP_DIRECTIVES;
+      const generate = opts.generateCSP ?? defaultGenerateCSP;
+      const cspHeader = generate(directives, nonce);
+      reply.header("Content-Security-Policy", cspHeader);
+      done();
+    });
+  },
+  {
+    name: "taujs-csp-plugin"
   }
-  done();
-};
-var getRequestNonce = (req) => req.nonce;
-var applyCSP = (security, reply) => {
-  const nonce = generateNonce();
-  const directives = security?.csp?.directives ?? DEV_CSP_DIRECTIVES;
-  const generate = security?.csp?.generateCSP ?? defaultGenerateCSP;
-  const header = generate(directives, nonce);
-  reply.header("Content-Security-Policy", header);
-  reply.request.nonce = nonce;
-  return nonce;
-};
+);
 export {
-  applyCSP,
-  createCSPHook,
+  cspPlugin,
   defaultGenerateCSP,
-  generateNonce,
-  getRequestNonce
+  generateNonce
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@taujs/server",
-  "version": "0.3.6",
+  "version": "0.3.7",
   "description": "taujs [ τjs ]",
   "author": "John Smith | Aoede <taujs@aoede.uk.net> (https://www.aoede.uk.net)",
   "license": "MIT",