npm - fastify-txstate - Versions diffs - 3.0.4 → 3.0.5 - Mend

fastify-txstate 3.0.4 → 3.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/lib/index.js CHANGED Viewed

@@ -10,11 +10,13 @@ const http_1 = __importDefault(require("http"));
 const http_status_codes_1 = require("http-status-codes");
 class Server {
     constructor(config = {}) {
-        var _a, _b, _c;
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j;
         this.https = false;
         this.errorHandlers = [];
         this.shuttingDown = false;
+        this.validOrigins = {};
         this.validOriginHosts = {};
+        this.validOriginSuffixes = new Set();
         try {
             const key = fs_1.default.readFileSync('/securekeys/private.key');
             const cert = fs_1.default.readFileSync('/securekeys/cert.pem');
@@ -42,18 +44,41 @@ class Server {
             config.trustProxy = true;
         this.app = (0, fastify_1.fastify)(config);
         if (!config.skipOriginCheck && !process.env.SKIP_ORIGIN_CHECK) {
-            this.setValidOriginHosts([...((_a = config.validOriginHosts) !== null && _a !== void 0 ? _a : []), ...((_c = (_b = process.env.VALID_ORIGIN_HOSTS) === null || _b === void 0 ? void 0 : _b.split(',')) !== null && _c !== void 0 ? _c : [])]);
+            this.setValidOrigins([...((_a = config.validOrigins) !== null && _a !== void 0 ? _a : []), ...((_c = (_b = process.env.VALID_ORIGINS) === null || _b === void 0 ? void 0 : _b.split(',')) !== null && _c !== void 0 ? _c : [])]);
+            this.setValidOriginHosts([...((_d = config.validOriginHosts) !== null && _d !== void 0 ? _d : []), ...((_f = (_e = process.env.VALID_ORIGIN_HOSTS) === null || _e === void 0 ? void 0 : _e.split(',')) !== null && _f !== void 0 ? _f : [])]);
+            this.setValidOriginSuffixes([...((_g = config.validOriginSuffixes) !== null && _g !== void 0 ? _g : []), ...((_j = (_h = process.env.VALID_ORIGIN_SUFFIXES) === null || _h === void 0 ? void 0 : _h.split(',')) !== null && _j !== void 0 ? _j : [])]);
             this.app.addHook('preHandler', async (req, res) => {
+                var _a;
                 if (!req.headers.origin)
                     return;
-                const parsedOrigin = new URL(req.headers.origin);
-                if (req.hostname.replace(/:\d+$/, '') !== parsedOrigin.hostname && !this.validOriginHosts[parsedOrigin.hostname]) {
+                let passed = this.validOrigins[req.headers.origin];
+                if (!passed) {
+                    const parsedOrigin = new URL(req.headers.origin);
+                    if (req.hostname.replace(/:\d+$/, '') === parsedOrigin.hostname)
+                        passed = true;
+                    if (this.validOriginHosts[parsedOrigin.hostname])
+                        passed = true;
+                    if (!passed && this.validOriginSuffixes.size > 0) {
+                        const originParts = parsedOrigin.hostname.split('.');
+                        for (let i = 0; i < originParts.length; i++) {
+                            const suffix = originParts.slice(i).join('.');
+                            if (this.validOriginSuffixes.has(suffix))
+                                passed = true;
+                        }
+                    }
+                    if (!passed && ((_a = config.checkOrigin) === null || _a === void 0 ? void 0 : _a.call(config, req)))
+                        passed = true;
+                }
+                if (!passed) {
                     await res.status(403).send('Origin check failed. Suspected XSRF attack.');
                     return res;
                 }
-                void res.header('Access-Control-Allow-Origin', req.headers.origin);
-                if (req.headers['access-control-request-headers'])
-                    void res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
+                else {
+                    void res.header('Access-Control-Allow-Origin', req.headers.origin);
+                    void res.header('Access-Control-Max-Age', '600'); // ask browser to skip pre-flights for 10 minutes after a yes
+                    if (req.headers['access-control-request-headers'])
+                        void res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
+                }
             });
             this.app.options('*', async (req, res) => {
                 await res.send();
@@ -133,8 +158,16 @@ class Server {
     setHealthy() {
         this.healthMessage = undefined;
     }
+    setValidOrigins(origins) {
+        this.validOrigins = origins.reduce((validOrigins, origin) => ({ ...validOrigins, [origin]: true }), {});
+    }
     setValidOriginHosts(hosts) {
-        this.validOriginHosts = hosts.reduce((validOrigins, origin) => ({ ...validOrigins, [origin]: true }), {});
+        this.validOriginHosts = hosts.reduce((validHosts, host) => ({ ...validHosts, [host]: true }), {});
+    }
+    setValidOriginSuffixes(suffixes) {
+        this.validOriginSuffixes.clear();
+        for (const s of suffixes)
+            this.validOriginSuffixes.add(s);
     }
     async close(softSeconds) {
         var _a;

package/lib-esm/index.d.ts CHANGED Viewed

@@ -4,8 +4,11 @@ import http2 from 'http2';
 declare type ErrorHandler = (error: Error, req: FastifyRequest, res: FastifyReply) => Promise<void>;
 export interface FastifyTxStateOptions extends Partial<FastifyServerOptions> {
     https?: http2.SecureServerOptions;
+    validOrigins?: string[];
     validOriginHosts?: string[];
+    validOriginSuffixes?: string[];
     skipOriginCheck?: boolean;
+    checkOrigin?: (req: FastifyRequest) => boolean;
 }
 export default class Server {
     protected https: boolean;
@@ -13,7 +16,9 @@ export default class Server {
     protected healthMessage?: string;
     protected shuttingDown: boolean;
     protected sigHandler: (signal: any) => void;
+    protected validOrigins: Record<string, boolean>;
     protected validOriginHosts: Record<string, boolean>;
+    protected validOriginSuffixes: Set<string>;
     app: FastifyInstance;
     constructor(config?: FastifyTxStateOptions & {
         http2?: true;
@@ -22,7 +27,9 @@ export default class Server {
     addErrorHandler(handler: ErrorHandler): void;
     setUnhealthy(message: string): void;
     setHealthy(): void;
+    setValidOrigins(origins: string[]): void;
     setValidOriginHosts(hosts: string[]): void;
+    setValidOriginSuffixes(suffixes: string[]): void;
     close(softSeconds?: number): Promise<void>;
 }
 export declare class HttpError extends Error {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "fastify-txstate",
-  "version": "3.0.4",
+  "version": "3.0.5",
   "description": "A small wrapper for fastify providing a set of common conventions & utility functions we use.",
   "exports": {
     "types": "./lib-esm/index.d.ts",