@zintrust/core 0.1.18 → 0.1.20

package/src/middleware/AuthMiddleware.d.ts

@@ -0,0 +1,10 @@
+import type { Middleware } from './MiddlewareStack';
+export interface AuthOptions {
+    headerName?: string;
+    message?: string;
+}
+export declare const AuthMiddleware: Readonly<{
+    create(options?: AuthOptions): Middleware;
+}>;
+export default AuthMiddleware;
+//# sourceMappingURL=AuthMiddleware.d.ts.map

package/src/middleware/AuthMiddleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/AuthMiddleware.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,eAAO,MAAM,cAAc;qBACT,WAAW,GAAQ,UAAU;EAgB7C,CAAC;AAEH,eAAe,cAAc,CAAC"}

package/src/middleware/AuthMiddleware.js

@@ -0,0 +1,16 @@
+export const AuthMiddleware = Object.freeze({
+    create(options = {}) {
+        const headerName = (options.headerName ?? 'authorization').toLowerCase();
+        const message = options.message ?? 'Unauthorized';
+        return async (req, res, next) => {
+            const header = req.getHeader(headerName);
+            const value = Array.isArray(header) ? header[0] : header;
+            if (typeof value !== 'string' || value.trim() === '') {
+                res.setStatus(401).json({ error: message });
+                return;
+            }
+            await next();
+        };
+    },
+});
+export default AuthMiddleware;

package/src/middleware/CsrfMiddleware.d.ts

@@ -3,12 +3,22 @@
  * Protects against Cross-Site Request Forgery attacks
  * Uses CsrfTokenManager for token generation and validation
  */
-import { Middleware } from './MiddlewareStack';
+import type { Middleware } from './MiddlewareStack';
 export interface CsrfOptions {
     cookieName?: string;
     headerName?: string;
     bodyKey?: string;
     ignoreMethods?: string[];
+    /**
+     * Optional path patterns to bypass CSRF entirely.
+     *
+     * Supports simple glob-style matching where `*` matches any characters.
+     * Examples:
+     * - `/api/*`
+     * - `/webhooks/*`
+     * - `/api/v1/auth/login`
+     */
+    skipPaths?: string[];
 }
 export declare const CsrfMiddleware: Readonly<{
     /**

package/src/middleware/CsrfMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"CsrfMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/CsrfMiddleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAIzD,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B;AASD,eAAO,MAAM,cAAc;IACzB;;OAEG;qBACa,WAAW,GAAQ,UAAU;EA4D7C,CAAC"}
+{"version":3,"file":"CsrfMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/CsrfMiddleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAI9D,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;;;OAQG;IACH,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AASD,eAAO,MAAM,cAAc;IACzB;;OAEG;qBACa,WAAW,GAAQ,UAAU;EAiE7C,CAAC"}

package/src/middleware/CsrfMiddleware.js

@@ -30,6 +30,10 @@ export const CsrfMiddleware = Object.freeze({
             cleanupTimer.unref();
         }
         return async (req, res, next) => {
+            if (shouldSkipCsrfForRequest(req, config)) {
+                await next();
+                return;
+            }
             const cookieHeader = req.getHeader('cookie');
             const cookies = parseCookies(typeof cookieHeader === 'string' ? cookieHeader : '');
             // Guarantee a session id exists and a session cookie is set if missing.
@@ -64,6 +68,35 @@ export const CsrfMiddleware = Object.freeze({
         };
     },
 });
+function shouldSkipCsrfForRequest(req, config) {
+    const patterns = config.skipPaths;
+    if (patterns === undefined || patterns.length === 0)
+        return false;
+    const path = req.getPath();
+    for (const pattern of patterns) {
+        const trimmed = pattern.trim();
+        if (trimmed === '')
+            continue;
+        if (pathMatchesPattern(path, trimmed))
+            return true;
+    }
+    return false;
+}
+function pathMatchesPattern(path, pattern) {
+    if (pattern === '*')
+        return true;
+    if (pattern === path)
+        return true;
+    // Fast path: treat trailing "/*" as a prefix match.
+    if (pattern.endsWith('/*')) {
+        const prefix = pattern.slice(0, -1); // keep the trailing '/'
+        return path.startsWith(prefix);
+    }
+    // Generic glob-to-regex conversion where '*' matches any characters.
+    const escaped = pattern.replaceAll(/[.+?^${}()|[\]\\]/g, String.raw `\$&`);
+    const regex = new RegExp(`^${escaped.replaceAll('*', '.*')}$`);
+    return regex.test(path);
+}
 function appendSetCookie(res, cookie) {
     const existing = res.getHeader('Set-Cookie');
     if (existing === undefined) {

package/src/middleware/JwtAuthMiddleware.d.ts

@@ -0,0 +1,11 @@
+import type { Middleware } from './MiddlewareStack';
+import type { JwtAlgorithm } from '../security/JwtManager';
+export interface JwtAuthOptions {
+    algorithm?: JwtAlgorithm;
+    secret?: string;
+}
+export declare const JwtAuthMiddleware: Readonly<{
+    create(options?: JwtAuthOptions): Middleware;
+}>;
+export default JwtAuthMiddleware;
+//# sourceMappingURL=JwtAuthMiddleware.d.ts.map

package/src/middleware/JwtAuthMiddleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"JwtAuthMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/JwtAuthMiddleware.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAe,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAItE,MAAM,WAAW,cAAc;IAC7B,SAAS,CAAC,EAAE,YAAY,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AA2BD,eAAO,MAAM,iBAAiB;qBACZ,cAAc,GAAQ,UAAU;EAwDhD,CAAC;AAEH,eAAe,iBAAiB,CAAC"}

package/src/middleware/JwtAuthMiddleware.js

@@ -0,0 +1,73 @@
+import { securityConfig } from '../config/security.js';
+import { RequestContext } from '../http/RequestContext.js';
+import { JwtManager } from '../security/JwtManager.js';
+import { TokenRevocation } from '../security/TokenRevocation.js';
+const getHeaderValue = (value) => {
+    if (Array.isArray(value))
+        return typeof value[0] === 'string' ? value[0] : '';
+    return typeof value === 'string' ? value : '';
+};
+const getBearerToken = (authorizationHeader) => {
+    const trimmed = authorizationHeader.trim();
+    if (trimmed === '')
+        return null;
+    const [scheme, token] = trimmed.split(' ');
+    if (scheme !== 'Bearer')
+        return null;
+    if (typeof token !== 'string' || token.trim() === '')
+        return null;
+    return token;
+};
+const getOptionalStringOrNumberClaim = (payload, key) => {
+    const value = payload[key];
+    if (typeof value === 'string')
+        return value;
+    if (typeof value === 'number')
+        return String(value);
+    return undefined;
+};
+export const JwtAuthMiddleware = Object.freeze({
+    create(options = {}) {
+        const algorithm = options.algorithm ?? securityConfig.jwt.algorithm;
+        const secret = options.secret ?? securityConfig.jwt.secret;
+        const jwt = JwtManager.create();
+        if (algorithm === 'HS256' || algorithm === 'HS512') {
+            jwt.setHmacSecret(secret);
+        }
+        return async (req, res, next) => {
+            const authorizationHeader = getHeaderValue(req.getHeader('authorization'));
+            if (authorizationHeader === '') {
+                res.setStatus(401).json({ error: 'Missing authorization header' });
+                return;
+            }
+            const token = getBearerToken(authorizationHeader);
+            if (token === null) {
+                res.setStatus(401).json({ error: 'Invalid authorization header format' });
+                return;
+            }
+            if (TokenRevocation.isRevoked(token)) {
+                res.setStatus(401).json({ error: 'Invalid or expired token' });
+                return;
+            }
+            try {
+                const payload = jwt.verify(token, algorithm);
+                req.user = payload;
+                // Standardize request-scoped context fields.
+                if (typeof payload.sub === 'string' && payload.sub.trim() !== '') {
+                    RequestContext.setUserId(req, payload.sub);
+                }
+                // Optional: if a tenant claim exists, attach it. (Apps may use a different claim name.)
+                const tenantId = getOptionalStringOrNumberClaim(payload, 'tenantId') ??
+                    getOptionalStringOrNumberClaim(payload, 'tenant_id');
+                if (tenantId !== undefined && tenantId.trim() !== '') {
+                    RequestContext.setTenantId(req, tenantId);
+                }
+                await next();
+            }
+            catch {
+                res.setStatus(401).json({ error: 'Invalid or expired token' });
+            }
+        };
+    },
+});
+export default JwtAuthMiddleware;

package/src/middleware/LoggingMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"LoggingMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/LoggingMiddleware.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AASD,eAAO,MAAM,iBAAiB;qBACZ,cAAc,GAAQ,UAAU;EA0BhD,CAAC;AAEH,eAAe,iBAAiB,CAAC"}
+{"version":3,"file":"LoggingMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/LoggingMiddleware.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AASD,eAAO,MAAM,iBAAiB;qBACZ,cAAc,GAAQ,UAAU;EAiChD,CAAC;AAEH,eAAe,iBAAiB,CAAC"}

package/src/middleware/LoggingMiddleware.js

@@ -20,15 +20,20 @@ export const LoggingMiddleware = Object.freeze({
             const start = Date.now();
             const method = req.getMethod();
             const path = req.getPath();
-            const requestId = RequestContext.get(req)?.requestId ?? req.context['requestId'];
-            Logger.info(`[${requestId}] ↓ ${method} ${path}`);
+            const ctx = RequestContext.get(req);
+            const requestId = ctx?.requestId ?? req.context['requestId'];
+            const traceId = ctx?.traceId;
+            const prefix = typeof traceId === 'string' && traceId.trim() !== ''
+                ? `[${requestId} trace=${traceId}]`
+                : `[${requestId}]`;
+            Logger.info(`${prefix} ↓ ${method} ${path}`);
             try {
                 await next();
             }
             finally {
                 const durationMs = Date.now() - start;
                 const status = getStatusSafe(res);
-                Logger.info(`[${requestId}] ↑ ${method} ${path} ${status} ${durationMs}ms`);
+                Logger.info(`${prefix} ↑ ${method} ${path} ${status} ${durationMs}ms`);
             }
         };
     },

package/src/middleware/MiddlewareStack.d.ts

@@ -1,5 +1,5 @@
-import { IRequest } from '../http/Request';
-import { IResponse } from '../http/Response';
+import type { IRequest } from '../http/Request';
+import type { IResponse } from '../http/Response';
 /**
  * Middleware Stack
  * Manages middleware execution pipeline

package/src/middleware/MiddlewareStack.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"MiddlewareStack.d.ts","sourceRoot":"","sources":["../../../src/middleware/MiddlewareStack.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C;;;GAGG;AAEH,MAAM,MAAM,UAAU,GAAG,CACvB,GAAG,EAAE,QAAQ,EACb,GAAG,EAAE,SAAS,EACd,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KACtB,OAAO,CAAC,IAAI,CAAC,CAAC;AAEnB,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,IAAI,CAAC;IAClD,OAAO,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,GAAG,UAAU,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/F,cAAc,IAAI,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,UAAU,CAAA;KAAE,CAAC,CAAC;CAChE;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe;IAC1B;;OAEG;cACO,gBAAgB;EAsC1B,CAAC;AAEH,eAAe,eAAe,CAAC"}
+{"version":3,"file":"MiddlewareStack.d.ts","sourceRoot":"","sources":["../../../src/middleware/MiddlewareStack.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEhD;;;GAGG;AAEH,MAAM,MAAM,UAAU,GAAG,CACvB,GAAG,EAAE,QAAQ,EACb,GAAG,EAAE,SAAS,EACd,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,KACtB,OAAO,CAAC,IAAI,CAAC,CAAC;AAEnB,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,IAAI,CAAC;IAClD,OAAO,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,GAAG,UAAU,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/F,cAAc,IAAI,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,UAAU,CAAA;KAAE,CAAC,CAAC;CAChE;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe;IAC1B;;OAEG;cACO,gBAAgB;EAsC1B,CAAC;AAEH,eAAe,eAAe,CAAC"}

package/src/middleware/RateLimiter.d.ts

@@ -3,8 +3,8 @@
  * Token bucket implementation for request rate limiting
  * Zero-dependency implementation
  */
-import { IRequest } from '../http/Request';
-import { Middleware } from './MiddlewareStack';
+import type { IRequest } from '../http/Request';
+import type { Middleware } from './MiddlewareStack';
 export interface RateLimitOptions {
     windowMs: number;
     max: number;

package/src/middleware/RateLimiter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"RateLimiter.d.ts","sourceRoot":"","sources":["../../../src/middleware/RateLimiter.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAEzC,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAEzD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,KAAK,MAAM,CAAC;IAEzC;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,kBAAkB,CAAC;CAC5B;AAED,MAAM,MAAM,kBAAkB,GAAG,QAAQ,GAAG,OAAO,GAAG,IAAI,GAAG,IAAI,CAAC;AAyIlE,eAAO,MAAM,WAAW;IACtB;;;OAGG;uBACgB;QAAE,KAAK,CAAC,EAAE,kBAAkB,CAAA;KAAE,GAAG,IAAI;IAKxD;;;;OAIG;iBACgB,MAAM,eAAe,MAAM,gBAAgB,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAYvF;;OAEG;yBACwB,MAAM,eAAe,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQzE;;;OAGG;cACa,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQxC;;OAEG;eACc,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKvC;;OAEG;qBACa,gBAAgB,GAAqB,UAAU;EAgF/D,CAAC"}
+{"version":3,"file":"RateLimiter.d.ts","sourceRoot":"","sources":["../../../src/middleware/RateLimiter.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAE9C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,KAAK,MAAM,CAAC;IAEzC;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,kBAAkB,CAAC;CAC5B;AAED,MAAM,MAAM,kBAAkB,GAAG,QAAQ,GAAG,OAAO,GAAG,IAAI,GAAG,IAAI,CAAC;AAqKlE,eAAO,MAAM,WAAW;IACtB;;;OAGG;uBACgB;QAAE,KAAK,CAAC,EAAE,kBAAkB,CAAA;KAAE,GAAG,IAAI;IAKxD;;;;OAIG;iBACgB,MAAM,eAAe,MAAM,gBAAgB,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAYvF;;OAEG;yBACwB,MAAM,eAAe,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQzE;;;OAGG;cACa,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQxC;;OAEG;eACc,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKvC;;OAEG;qBACa,gBAAgB,GAAqB,UAAU;EAgF/D,CAAC"}

package/src/middleware/RateLimiter.js

@@ -101,6 +101,25 @@ const consume = async (params) => {
         allowed: nextCount <= params.max,
     };
 };
+const resolveRemoteAddress = (candidate) => {
+    if (candidate === null || candidate === undefined)
+        return undefined;
+    if (typeof candidate !== 'object')
+        return undefined;
+    const record = candidate;
+    const ip = record['remoteAddress'];
+    return typeof ip === 'string' && ip.length > 0 ? ip : undefined;
+};
+const resolveRemoteAddressFromRaw = (raw) => {
+    if (raw === null || raw === undefined)
+        return undefined;
+    if (typeof raw !== 'object')
+        return undefined;
+    const rawRecord = raw;
+    return (resolveRemoteAddress(rawRecord['socket']) ??
+        resolveRemoteAddress(rawRecord['connection']) ??
+        resolveRemoteAddress(raw));
+};
 const DEFAULT_OPTIONS = {
     windowMs: 60 * 1000, // 1 minute
     max: 100, // 100 requests per minute
@@ -108,7 +127,13 @@ const DEFAULT_OPTIONS = {
     statusCode: 429,
     headers: true,
     keyGenerator: (req) => {
-        return (req.getHeader('x-forwarded-for') ?? req.getRaw().socket.remoteAddress ?? 'unknown');
+        const forwardedFor = req.getHeader('x-forwarded-for');
+        const forwardedForIp = typeof forwardedFor === 'string' && forwardedFor.length > 0
+            ? forwardedFor.split(',')[0]?.trim()
+            : undefined;
+        const raw = req.getRaw();
+        const rawIp = resolveRemoteAddressFromRaw(raw);
+        return forwardedForIp ?? rawIp ?? 'unknown';
     },
 };
 export const RateLimiter = Object.freeze({

package/src/middleware/SanitizeBodyMiddleware.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Sanitize Body Middleware
+ * Applies recursive XSS sanitization (tag stripping + entity escaping) to JSON request bodies.
+ *
+ * This is a defense-in-depth layer that normalizes untrusted input early.
+ */
+import type { Middleware } from './MiddlewareStack';
+export declare const SanitizeBodyMiddleware: Readonly<{
+    create(): Middleware;
+}>;
+export default SanitizeBodyMiddleware;
+//# sourceMappingURL=SanitizeBodyMiddleware.d.ts.map

package/src/middleware/SanitizeBodyMiddleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SanitizeBodyMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/SanitizeBodyMiddleware.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAG9D,eAAO,MAAM,sBAAsB;cACvB,UAAU;EAyBpB,CAAC;AAEH,eAAe,sBAAsB,CAAC"}

package/src/middleware/SanitizeBodyMiddleware.js

@@ -0,0 +1,31 @@
+/**
+ * Sanitize Body Middleware
+ * Applies recursive XSS sanitization (tag stripping + entity escaping) to JSON request bodies.
+ *
+ * This is a defense-in-depth layer that normalizes untrusted input early.
+ */
+import { Xss } from '../security/Xss.js';
+export const SanitizeBodyMiddleware = Object.freeze({
+    create() {
+        return async (req, _res, next) => {
+            const method = req.getMethod();
+            if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS' || method === 'DELETE') {
+                await next();
+                return;
+            }
+            if (req.isJson() === false) {
+                await next();
+                return;
+            }
+            const rawBody = req.getBody();
+            if (rawBody === undefined || rawBody === null) {
+                await next();
+                return;
+            }
+            const sanitized = Xss.sanitize(rawBody);
+            req.setBody(sanitized);
+            await next();
+        };
+    },
+});
+export default SanitizeBodyMiddleware;

package/src/middleware/SecurityMiddleware.d.ts

@@ -3,7 +3,7 @@
  * Implements standard security headers and CORS protection
  * Zero-dependency implementation replacing helmet/cors
  */
-import { Middleware } from './MiddlewareStack';
+import type { Middleware } from './MiddlewareStack';
 export interface SecurityOptions {
     hsts?: {
         maxAge?: number;

package/src/middleware/SecurityMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/SecurityMiddleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAEzD,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,EAAE;QACL,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC;IACF,UAAU,CAAC,EAAE;QACX,MAAM,CAAC,EAAE,MAAM,GAAG,YAAY,CAAC;KAChC,CAAC;IACF,IAAI,CAAC,EAAE;QACL,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,GAAG,CAAC,EAAE;QACJ,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;KACvC,CAAC;CACH;AA+FD,eAAO,MAAM,kBAAkB;IAC7B;;OAEG;qBACa,eAAe,GAAQ,UAAU;EAgBjD,CAAC"}
+{"version":3,"file":"SecurityMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/SecurityMiddleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,EAAE;QACL,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC;IACF,UAAU,CAAC,EAAE;QACX,MAAM,CAAC,EAAE,MAAM,GAAG,YAAY,CAAC;KAChC,CAAC;IACF,IAAI,CAAC,EAAE;QACL,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,GAAG,CAAC,EAAE;QACJ,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;KACvC,CAAC;CACH;AA+FD,eAAO,MAAM,kBAAkB;IAC7B;;OAEG;qBACa,eAAe,GAAQ,UAAU;EAgBjD,CAAC"}

package/src/middleware/SessionMiddleware.d.ts

@@ -1,4 +1,4 @@
-import { Middleware } from './MiddlewareStack';
+import type { Middleware } from './MiddlewareStack';
 import { type SessionManagerOptions } from '../session/SessionManager';
 export type SessionOptions = SessionManagerOptions;
 export declare const SessionMiddleware: Readonly<{

package/src/middleware/SessionMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SessionMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/SessionMiddleware.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EAAkB,KAAK,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAErF,MAAM,MAAM,cAAc,GAAG,qBAAqB,CAAC;AAEnD,eAAO,MAAM,iBAAiB;qBACZ,cAAc,GAAQ,UAAU;EAehD,CAAC;AAEH,eAAe,iBAAiB,CAAC"}
+{"version":3,"file":"SessionMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/SessionMiddleware.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAkB,KAAK,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAErF,MAAM,MAAM,cAAc,GAAG,qBAAqB,CAAC;AAEnD,eAAO,MAAM,iBAAiB;qBACZ,cAAc,GAAQ,UAAU;EAehD,CAAC;AAEH,eAAe,iBAAiB,CAAC"}

package/src/middleware/ValidationMiddleware.d.ts

@@ -0,0 +1,25 @@
+import type { Middleware } from './MiddlewareStack';
+import type { ISchema, TypedSchema } from '../validation/Validator';
+type FieldSanitizers = Readonly<Record<string, (value: unknown) => unknown>>;
+export declare const ValidationMiddleware: Readonly<{
+    create(schema: ISchema): Middleware;
+    createBody<TSchema extends TypedSchema<unknown>>(schema: TSchema): Middleware;
+    createBodyWithSanitization<TSchema extends TypedSchema<unknown>>(schema: TSchema, sanitizers?: FieldSanitizers): Middleware;
+    createQuery<TSchema extends TypedSchema<unknown>>(schema: TSchema): Middleware;
+    createParams<TSchema extends TypedSchema<unknown>>(schema: TSchema): Middleware;
+    /**
+     * Create body validation middleware with bulletproof sanitization error handling.
+     * Automatically converts SanitizerError to 422 validation response.
+     * Recommended for authentication, user management, and financial operations.
+     *
+     * Use this when controllers apply Sanitizer methods with bulletproof=true (default).
+     * The middleware will catch SanitizerError and convert to proper validation error response.
+     *
+     * @param schema - Validation schema
+     * @param sanitizers - Optional field sanitizers to apply before validation
+     * @returns Middleware with bulletproof error handling
+     */
+    createBodyWithBulletproofSanitization<TSchema extends TypedSchema<unknown>>(schema: TSchema, sanitizers?: FieldSanitizers): Middleware;
+}>;
+export {};
+//# sourceMappingURL=ValidationMiddleware.d.ts.map

package/src/middleware/ValidationMiddleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ValidationMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/ValidationMiddleware.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAE9D,OAAO,KAAK,EAAe,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAW/E,KAAK,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC;AAqG7E,eAAO,MAAM,oBAAoB;mBAChB,OAAO,GAAG,UAAU;eAwBxB,OAAO,SAAS,WAAW,CAAC,OAAO,CAAC,UAAU,OAAO,GAAG,UAAU;+BA0BlD,OAAO,SAAS,WAAW,CAAC,OAAO,CAAC,UACrD,OAAO,eACF,eAAe,GAC3B,UAAU;gBA6BD,OAAO,SAAS,WAAW,CAAC,OAAO,CAAC,UAAU,OAAO,GAAG,UAAU;iBAejE,OAAO,SAAS,WAAW,CAAC,OAAO,CAAC,UAAU,OAAO,GAAG,UAAU;IAe/E;;;;;;;;;;;OAWG;0CACmC,OAAO,SAAS,WAAW,CAAC,OAAO,CAAC,UAChE,OAAO,eACF,eAAe,GAC3B,UAAU;EAqCb,CAAC"}