@zintrust/core 0.4.18 → 0.4.20

package/src/security/Xss.js

@@ -2,11 +2,10 @@
  * XSS Sanitizer
  * Recursive, zero-dependency input sanitization utility.
  *
- * This is intentionally conservative:
- * - Strings: strip tags, then escape HTML entities.
+ * This is intentionally conservative for request-body handling:
+ * - Strings: strip markup tags but preserve plain text characters.
  * - Arrays/Objects: sanitize recursively.
  */
-import { XssProtection } from './XssProtection.js';
 const stripTags = (value) => {
     // Remove all HTML tags in linear time (no regex backtracking / ReDoS risk).
     let out = '';
@@ -28,7 +27,7 @@ const stripTags = (value) => {
 };
 const sanitizeRecursive = (input, seen) => {
     if (typeof input === 'string') {
-        return XssProtection.escape(stripTags(input));
+        return stripTags(input);
     }
     if (Array.isArray(input)) {
         if (seen.has(input))

package/src/templates/project/basic/app/Middleware/AuthFailureResponder.ts.tpl

@@ -0,0 +1,10 @@
+import type { MiddlewareFailureResponder } from '@zintrust/core';
+
+export const authFailureResponder: MiddlewareFailureResponder = async (_req, res, context) => {
+  res.setStatus(context.statusCode).json({
+    error: {
+      code: context.reason,
+      message: context.message,
+    },
+  });
+};

package/src/templates/project/basic/config/middleware.ts.tpl

@@ -9,6 +9,12 @@ import type { MiddlewaresType } from '@zintrust/core';
  * 2. Import it below.
  * 3. Register route middleware under `route` or append global middleware under `global`.
  * 4. Use the route key in `routes/*.ts`.
+ * 5. Use `responders` when you only want to reshape built-in failure payloads.
+ *
+ * Built-in middleware keys are overrideable by reusing the same key under `route`.
+ * For example, `route.jwt = MyJwtMiddleware` replaces the framework `jwt` middleware
+ * anywhere that key is used, including shared global slots such as `log`, `error`,
+ * `security`, `rateLimit`, `csrf`, and `sanitizeBody`.
  *
  * For custom route keys, extend the framework type locally in your route file:
  * `type AppMiddlewareKey = MiddlewareKey | 'yourMiddleware';`
@@ -16,6 +22,8 @@ import type { MiddlewaresType } from '@zintrust/core';
 
 // Example custom middleware import:
 // import { AuthMiddleware } from '@app/Middleware/AuthMiddleware';
+// import { authFailureResponder } from '@app/Middleware/AuthFailureResponder';
+// import { JwtAuthOverrideMiddleware } from '@app/Middleware/JwtAuthOverrideMiddleware';
 
 export default {
   skipPaths: Env.get('CSRF_SKIP_PATHS', '')
@@ -37,10 +45,20 @@ export default {
     max: 20,
     message: 'Too many user mutation requests, please try again later.',
   },
+  responders: {
+    // auth: authFailureResponder,
+    // jwt: authFailureResponder,
+    // bulletproof: authFailureResponder,
+    // csrf: authFailureResponder,
+    // rateLimit: authFailureResponder,
+    // error: authFailureResponder,
+  },
   global: [
     // AuthMiddleware,
   ],
   route: {
     // authMiddleware: AuthMiddleware,
+    // Plug-and-play built-in override example:
+    // jwt: JwtAuthOverrideMiddleware,
   },
 } as MiddlewaresType;