astro 4.5.17 → 4.6.0

package/dist/@types/astro.d.ts

@@ -17,7 +17,7 @@ import type { AstroIntegrationLogger, Logger, LoggerLevel } from '../core/logger
 import type { AstroPreferences } from '../preferences/index.js';
 import type { AstroDevToolbar, DevToolbarCanvas } from '../runtime/client/dev-toolbar/toolbar.js';
 import type { Icon } from '../runtime/client/dev-toolbar/ui-library/icons.js';
-import type { DevToolbarBadge, DevToolbarButton, DevToolbarCard, DevToolbarHighlight, DevToolbarIcon, DevToolbarToggle, DevToolbarTooltip, DevToolbarWindow } from '../runtime/client/dev-toolbar/ui-library/index.js';
+import type { DevToolbarBadge, DevToolbarButton, DevToolbarCard, DevToolbarHighlight, DevToolbarIcon, DevToolbarSelect, DevToolbarToggle, DevToolbarTooltip, DevToolbarWindow } from '../runtime/client/dev-toolbar/ui-library/index.js';
 import type { AstroComponentFactory, AstroComponentInstance } from '../runtime/server/index.js';
 import type { TransitionBeforePreparationEvent, TransitionBeforeSwapEvent } from '../transitions/events.js';
 import type { DeepPartial, OmitIndexSignature, Simplify } from '../type-utils.js';
@@ -1375,6 +1375,7 @@ export interface AstroUserConfig {
          * @description
          *
          * Controls the routing strategy to determine your site URLs. Set this based on your folder/URL path configuration for your default language.
+         *
          */
         routing?: {
             /**
@@ -1393,6 +1394,18 @@ export interface AstroUserConfig {
              * When `true`, all URLs will display a language prefix.
              * URLs will be of the form `example.com/[locale]/content/` for every route, including the default language.
              * Localized folders are used for every language, including the default.
+         *
+           * ```js
+       * export default defineConfig({
+       * 	i18n: {
+       * 		defaultLocale: "en",
+       * 		locales: ["en", "fr", "pt-br", "es"],
+       * 		routing: {
+       * 			prefixDefaultLocale: true,
+       * 		}
+       * 	}
+       * })
+       * ```
              */
             prefixDefaultLocale?: boolean;
             /**
@@ -1433,7 +1446,32 @@ export interface AstroUserConfig {
              * - `"pathname": The strategy is applied to the pathname of the URLs
              */
             strategy?: 'pathname';
-        };
+        } | 
+        /**
+             *
+             * @docs
+             * @name i18n.routing.manual
+           * @kind h4
+             * @type {string}
+             * @version 4.6.0
+             * @description
+             * When this option is enabled, Astro will **disable** its i18n middleware so that you can implement your own custom logic. No other `routing` options (e.g. `prefixDefaultLocale`) may be configured with `routing: "manual"`.
+             *
+             * You will be responsible for writing your own routing logic, or executing Astro's i18n middleware manually alongside your own.
+           *
+             * ```js
+           * export default defineConfig({
+           * 	i18n: {
+           * 		defaultLocale: "en",
+           * 		locales: ["en", "fr", "pt-br", "es"],
+           * 		routing: {
+           * 			prefixDefaultLocale: true,
+           * 		}
+           * 	}
+           * })
+           * ```
+             */
+        'manual';
         /**
          * @name i18n.domains
          * @type {Record<string, string> }
@@ -1468,7 +1506,7 @@ export interface AstroUserConfig {
          * })
          * ```
          *
-         * Both page routes built and URLs returned by the `astro:i18n` helper functions [`getAbsoluteLocaleUrl()`](https://docs.astro.build/en/guides/internationalization/#getabsolutelocaleurl) and [`getAbsoluteLocaleUrlList()`](https://docs.astro.build/en/guides/internationalization/#getabsolutelocaleurllist) will use the options set in `i18n.domains`.
+         * Both page routes built and URLs returned by the `astro:i18n` helper functions [`getAbsoluteLocaleUrl()`](https://docs.astro.build/en/reference/api-reference/#getabsolutelocaleurl) and [`getAbsoluteLocaleUrlList()`](https://docs.astro.build/en/reference/api-reference/#getabsolutelocaleurllist) will use the options set in `i18n.domains`.
          *
          * See the [Internationalization Guide](https://docs.astro.build/en/guides/internationalization/#domains) for more details, including the limitations of this feature.
          */
@@ -1692,6 +1730,60 @@ export interface AstroUserConfig {
          * See the [Internationalization Guide](https://docs.astro.build/en/guides/internationalization/#domains-experimental) for more details, including the limitations of this experimental feature.
          */
         i18nDomains?: boolean;
+        /**
+         * @docs
+         * @name experimental.security
+         * @type {boolean}
+         * @default `false`
+         * @version 4.6.0
+         * @description
+         *
+         * Enables CSRF protection for Astro websites.
+         *
+         * The CSRF protection works only for pages rendered on demand (SSR) using `server` or `hybrid` mode. The pages must opt out of prerendering in `hybrid` mode.
+         *
+         * ```js
+         * // astro.config.mjs
+         * export default defineConfig({
+         *   output: "server",
+         *   experimental: {
+         *     security: {
+         *       csrfProtection: {
+         *         origin: true
+         *       }
+         *     }
+         *   }
+         * })
+         * ```
+         */
+        security?: {
+            /**
+             * @name security.csrfProtection
+             * @type {object}
+             * @default '{}'
+             * @version 4.6.0
+             * @description
+             *
+             * Allows you to enable security measures to prevent CSRF attacks: https://owasp.org/www-community/attacks/csrf
+             */
+            csrfProtection?: {
+                /**
+                 * @name security.csrfProtection.origin
+                 * @type {boolean}
+                 * @default 'false'
+                 * @version 4.6.0
+                 * @description
+                 *
+                 * When enabled, performs a check that the "origin" header, automatically passed by all modern browsers, matches the URL sent by each `Request`.
+                 *
+                 * The "origin" check is executed only for pages rendered on demand, and only for the requests `POST, `PATCH`, `DELETE` and `PUT` with
+                 * the following `content-type` header: 'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'.
+                 *
+                 * If the "origin" header doesn't match the `pathname` of the request, Astro will return a 403 status code and will not render the page.
+                 */
+                origin?: boolean;
+            };
+        };
     };
 }
 /**
@@ -2628,6 +2720,7 @@ declare global {
         'astro-dev-toolbar-button': DevToolbarButton;
         'astro-dev-toolbar-icon': DevToolbarIcon;
         'astro-dev-toolbar-card': DevToolbarCard;
+        'astro-dev-toolbar-select': DevToolbarSelect;
         'astro-dev-overlay': AstroDevToolbar;
         'astro-dev-overlay-window': DevToolbarWindow;
         'astro-dev-overlay-plugin-canvas': DevToolbarCanvas;

package/dist/core/app/index.js

@@ -11,6 +11,7 @@ import { getSetCookiesFromResponse } from "../cookies/index.js";
 import { AstroError, AstroErrorData } from "../errors/index.js";
 import { consoleLogDestination } from "../logger/console.js";
 import { AstroIntegrationLogger, Logger } from "../logger/core.js";
+import { sequence } from "../middleware/index.js";
 import {
   appendForwardSlash,
   collapseDuplicateSlashes,
@@ -23,6 +24,7 @@ import { RenderContext } from "../render-context.js";
 import { createAssetLink } from "../render/ssr-element.js";
 import { ensure404Route } from "../routing/astro-designed-error-pages.js";
 import { matchRoute } from "../routing/match.js";
+import { createOriginCheckMiddleware } from "./middlewares.js";
 import { AppPipeline } from "./pipeline.js";
 import { deserializeManifest } from "./common.js";
 class App {
@@ -58,6 +60,12 @@ class App {
    * @private
    */
   #createPipeline(streaming = false) {
+    if (this.#manifest.checkOrigin) {
+      this.#manifest.middleware = sequence(
+        createOriginCheckMiddleware(),
+        this.#manifest.middleware
+      );
+    }
     return AppPipeline.create({
       logger: this.#logger,
       manifest: this.#manifest,

package/dist/core/app/middlewares.d.ts

@@ -0,0 +1,7 @@
+import type { MiddlewareHandler } from '../../@types/astro.js';
+/**
+ * Returns a middleware function in charge to check the `origin` header.
+ *
+ * @private
+ */
+export declare function createOriginCheckMiddleware(): MiddlewareHandler;

package/dist/core/app/middlewares.js

@@ -0,0 +1,26 @@
+import { defineMiddleware } from "../middleware/index.js";
+const FORM_CONTENT_TYPES = [
+  "application/x-www-form-urlencoded",
+  "multipart/form-data",
+  "text/plain"
+];
+function createOriginCheckMiddleware() {
+  return defineMiddleware((context, next) => {
+    const { request, url } = context;
+    const contentType = request.headers.get("content-type");
+    if (contentType) {
+      if (FORM_CONTENT_TYPES.includes(contentType.toLowerCase())) {
+        const forbidden = (request.method === "POST" || request.method === "PUT" || request.method === "PATCH" || request.method === "DELETE") && request.headers.get("origin") !== url.origin;
+        if (forbidden) {
+          return new Response(`Cross-site ${request.method} form submissions are forbidden`, {
+            status: 403
+          });
+        }
+      }
+    }
+    return next();
+  });
+}
+export {
+  createOriginCheckMiddleware
+};

package/dist/core/app/types.d.ts

@@ -51,9 +51,10 @@ export type SSRManifest = {
     pageMap?: Map<ComponentPath, ImportComponentInstance>;
     i18n: SSRManifestI18n | undefined;
     middleware: MiddlewareHandler;
+    checkOrigin: boolean;
 };
 export type SSRManifestI18n = {
-    fallback?: Record<string, string>;
+    fallback: Record<string, string> | undefined;
     strategy: RoutingStrategies;
     locales: Locales;
     defaultLocale: string;

package/dist/core/base-pipeline.js

@@ -17,9 +17,12 @@ class Pipeline {
     this.middleware = middleware;
     this.routeCache = routeCache;
     this.site = site;
-    this.internalMiddleware = [
-      createI18nMiddleware(i18n, manifest.base, manifest.trailingSlash, manifest.buildFormat)
-    ];
+    this.internalMiddleware = [];
+    if (i18n?.strategy !== "manual") {
+      this.internalMiddleware.push(
+        createI18nMiddleware(i18n, manifest.base, manifest.trailingSlash, manifest.buildFormat)
+      );
+    }
   }
   internalMiddleware;
 }

package/dist/core/build/generate.js

@@ -411,7 +411,7 @@ function createBuildManifest(settings, internals, renderers, middleware) {
   if (settings.config.i18n) {
     i18nManifest = {
       fallback: settings.config.i18n.fallback,
-      strategy: toRoutingStrategy(settings.config.i18n),
+      strategy: toRoutingStrategy(settings.config.i18n.routing, settings.config.i18n.domains),
       defaultLocale: settings.config.i18n.defaultLocale,
       locales: settings.config.i18n.locales,
       domainLookupTable: {}
@@ -433,7 +433,8 @@ function createBuildManifest(settings, internals, renderers, middleware) {
     componentMetadata: internals.componentMetadata,
     i18n: i18nManifest,
     buildFormat: settings.config.build.format,
-    middleware
+    middleware,
+    checkOrigin: settings.config.experimental.security?.csrfProtection?.origin ?? false
   };
 }
 export {

package/dist/core/build/plugins/plugin-manifest.js

@@ -192,7 +192,7 @@ function buildManifest(opts, internals, staticFiles) {
   if (settings.config.i18n) {
     i18nManifest = {
       fallback: settings.config.i18n.fallback,
-      strategy: toRoutingStrategy(settings.config.i18n),
+      strategy: toRoutingStrategy(settings.config.i18n.routing, settings.config.i18n.domains),
       locales: settings.config.i18n.locales,
       defaultLocale: settings.config.i18n.defaultLocale,
       domainLookupTable
@@ -213,7 +213,8 @@ function buildManifest(opts, internals, staticFiles) {
     inlinedScripts: Array.from(internals.inlinedScripts),
     assets: staticFiles.map(prefixAssetPath),
     i18n: i18nManifest,
-    buildFormat: settings.config.build.format
+    buildFormat: settings.config.build.format,
+    checkOrigin: settings.config.experimental.security?.csrfProtection?.origin ?? false
   };
 }
 export {