hono 4.10.1 → 4.10.3

package/dist/adapter/aws-lambda/handler.js

@@ -282,7 +282,7 @@ var isProxyEventV2 = (event) => {
   return Object.hasOwn(event, "rawPath");
 };
 var defaultIsContentTypeBinary = (contentType) => {
-  return !/^(text\/(plain|html|css|javascript|csv).*|application\/(.*json|.*xml).*|image\/svg\+xml.*)$/.test(
+  return !/^text\/(?:plain|html|css|javascript|csv)|(?:\/|\+)(?:json|xml)\s*(?:;|$)/.test(
     contentType
   );
 };

package/dist/cjs/adapter/aws-lambda/handler.js

@@ -312,7 +312,7 @@ const isProxyEventV2 = (event) => {
   return Object.hasOwn(event, "rawPath");
 };
 const defaultIsContentTypeBinary = (contentType) => {
-  return !/^(text\/(plain|html|css|javascript|csv).*|application\/(.*json|.*xml).*|image\/svg\+xml.*)$/.test(
+  return !/^text\/(?:plain|html|css|javascript|csv)|(?:\/|\+)(?:json|xml)\s*(?:;|$)/.test(
     contentType
   );
 };

package/dist/cjs/middleware/cors/index.js

@@ -62,14 +62,6 @@ const cors = (options) => {
     if (allowOrigin) {
       set("Access-Control-Allow-Origin", allowOrigin);
     }
-    if (opts.origin !== "*") {
-      const existingVary = c.req.header("Vary");
-      if (existingVary) {
-        set("Vary", existingVary);
-      } else {
-        set("Vary", "Origin");
-      }
-    }
     if (opts.credentials) {
       set("Access-Control-Allow-Credentials", "true");
     }
@@ -77,6 +69,9 @@ const cors = (options) => {
       set("Access-Control-Expose-Headers", opts.exposeHeaders.join(","));
     }
     if (c.req.method === "OPTIONS") {
+      if (opts.origin !== "*") {
+        set("Vary", "Origin");
+      }
       if (opts.maxAge != null) {
         set("Access-Control-Max-Age", opts.maxAge.toString());
       }
@@ -104,6 +99,9 @@ const cors = (options) => {
       });
     }
     await next();
+    if (opts.origin !== "*") {
+      c.header("Vary", "Origin", { append: true });
+    }
   };
 };
 // Annotate the CommonJS export names for ESM import in node:

package/dist/cjs/middleware/request-id/request-id.js

@@ -28,7 +28,7 @@ const requestId = ({
 } = {}) => {
   return async function requestId2(c, next) {
     let reqId = headerName ? c.req.header(headerName) : void 0;
-    if (!reqId || reqId.length > limitLength || /[^\w\-]/.test(reqId)) {
+    if (!reqId || reqId.length > limitLength || /[^\w\-=]/.test(reqId)) {
       reqId = generator(c);
     }
     c.set("requestId", reqId);

package/dist/cjs/utils/jwt/jwt.js

@@ -56,14 +56,14 @@ const sign = async (payload, privateKey, alg = "HS256") => {
   return `${partialToken}.${signature}`;
 };
 const verify = async (token, publicKey, algOrOptions) => {
-  const optsIn = typeof algOrOptions === "string" ? { alg: algOrOptions } : algOrOptions || {};
-  const opts = {
-    alg: optsIn.alg ?? "HS256",
-    iss: optsIn.iss,
-    nbf: optsIn.nbf ?? true,
-    exp: optsIn.exp ?? true,
-    iat: optsIn.iat ?? true
-  };
+  const {
+    alg = "HS256",
+    iss,
+    nbf = true,
+    exp = true,
+    iat = true,
+    aud
+  } = typeof algOrOptions === "string" ? { alg: algOrOptions } : algOrOptions || {};
   const tokenParts = token.split(".");
   if (tokenParts.length !== 3) {
     throw new import_types.JwtTokenInvalid(token);
@@ -73,30 +73,42 @@ const verify = async (token, publicKey, algOrOptions) => {
     throw new import_types.JwtHeaderInvalid(header);
   }
   const now = Date.now() / 1e3 | 0;
-  if (opts.nbf && payload.nbf && payload.nbf > now) {
+  if (nbf && payload.nbf && payload.nbf > now) {
     throw new import_types.JwtTokenNotBefore(token);
   }
-  if (opts.exp && payload.exp && payload.exp <= now) {
+  if (exp && payload.exp && payload.exp <= now) {
     throw new import_types.JwtTokenExpired(token);
   }
-  if (opts.iat && payload.iat && now < payload.iat) {
+  if (iat && payload.iat && now < payload.iat) {
     throw new import_types.JwtTokenIssuedAt(now, payload.iat);
   }
-  if (opts.iss) {
+  if (iss) {
     if (!payload.iss) {
-      throw new import_types.JwtTokenIssuer(opts.iss, null);
+      throw new import_types.JwtTokenIssuer(iss, null);
     }
-    if (typeof opts.iss === "string" && payload.iss !== opts.iss) {
-      throw new import_types.JwtTokenIssuer(opts.iss, payload.iss);
+    if (typeof iss === "string" && payload.iss !== iss) {
+      throw new import_types.JwtTokenIssuer(iss, payload.iss);
     }
-    if (opts.iss instanceof RegExp && !opts.iss.test(payload.iss)) {
-      throw new import_types.JwtTokenIssuer(opts.iss, payload.iss);
+    if (iss instanceof RegExp && !iss.test(payload.iss)) {
+      throw new import_types.JwtTokenIssuer(iss, payload.iss);
+    }
+  }
+  if (aud) {
+    if (!payload.aud) {
+      throw new import_types.JwtPayloadRequiresAud(payload);
+    }
+    const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
+    const matched = audiences.some(
+      (payloadAud) => aud instanceof RegExp ? aud.test(payloadAud) : typeof aud === "string" ? payloadAud === aud : Array.isArray(aud) && aud.includes(payloadAud)
+    );
+    if (!matched) {
+      throw new import_types.JwtTokenAudience(aud, payload.aud);
     }
   }
   const headerPayload = token.substring(0, token.lastIndexOf("."));
   const verified = await (0, import_jws.verifying)(
     publicKey,
-    opts.alg,
+    alg,
     (0, import_encode.decodeBase64Url)(tokenParts[2]),
     import_utf8.utf8Encoder.encode(headerPayload)
   );

package/dist/cjs/utils/jwt/types.js

@@ -22,6 +22,8 @@ __export(types_exports, {
   JwtAlgorithmNotImplemented: () => JwtAlgorithmNotImplemented,
   JwtHeaderInvalid: () => JwtHeaderInvalid,
   JwtHeaderRequiresKid: () => JwtHeaderRequiresKid,
+  JwtPayloadRequiresAud: () => JwtPayloadRequiresAud,
+  JwtTokenAudience: () => JwtTokenAudience,
   JwtTokenExpired: () => JwtTokenExpired,
   JwtTokenInvalid: () => JwtTokenInvalid,
   JwtTokenIssuedAt: () => JwtTokenIssuedAt,
@@ -86,6 +88,20 @@ class JwtTokenSignatureMismatched extends Error {
     this.name = "JwtTokenSignatureMismatched";
   }
 }
+class JwtPayloadRequiresAud extends Error {
+  constructor(payload) {
+    super(`required "aud" in jwt payload: ${JSON.stringify(payload)}`);
+    this.name = "JwtPayloadRequiresAud";
+  }
+}
+class JwtTokenAudience extends Error {
+  constructor(expected, aud) {
+    super(
+      `expected audience "${Array.isArray(expected) ? expected.join(", ") : expected}", got "${aud}"`
+    );
+    this.name = "JwtTokenAudience";
+  }
+}
 var CryptoKeyUsage = /* @__PURE__ */ ((CryptoKeyUsage2) => {
   CryptoKeyUsage2["Encrypt"] = "encrypt";
   CryptoKeyUsage2["Decrypt"] = "decrypt";
@@ -103,6 +119,8 @@ var CryptoKeyUsage = /* @__PURE__ */ ((CryptoKeyUsage2) => {
   JwtAlgorithmNotImplemented,
   JwtHeaderInvalid,
   JwtHeaderRequiresKid,
+  JwtPayloadRequiresAud,
+  JwtTokenAudience,
   JwtTokenExpired,
   JwtTokenInvalid,
   JwtTokenIssuedAt,

package/dist/middleware/cors/index.js

@@ -40,14 +40,6 @@ var cors = (options) => {
     if (allowOrigin) {
       set("Access-Control-Allow-Origin", allowOrigin);
     }
-    if (opts.origin !== "*") {
-      const existingVary = c.req.header("Vary");
-      if (existingVary) {
-        set("Vary", existingVary);
-      } else {
-        set("Vary", "Origin");
-      }
-    }
     if (opts.credentials) {
       set("Access-Control-Allow-Credentials", "true");
     }
@@ -55,6 +47,9 @@ var cors = (options) => {
       set("Access-Control-Expose-Headers", opts.exposeHeaders.join(","));
     }
     if (c.req.method === "OPTIONS") {
+      if (opts.origin !== "*") {
+        set("Vary", "Origin");
+      }
       if (opts.maxAge != null) {
         set("Access-Control-Max-Age", opts.maxAge.toString());
       }
@@ -82,6 +77,9 @@ var cors = (options) => {
       });
     }
     await next();
+    if (opts.origin !== "*") {
+      c.header("Vary", "Origin", { append: true });
+    }
   };
 };
 export {

package/dist/middleware/request-id/request-id.js

@@ -6,7 +6,7 @@ var requestId = ({
 } = {}) => {
   return async function requestId2(c, next) {
     let reqId = headerName ? c.req.header(headerName) : void 0;
-    if (!reqId || reqId.length > limitLength || /[^\w\-]/.test(reqId)) {
+    if (!reqId || reqId.length > limitLength || /[^\w\-=]/.test(reqId)) {
       reqId = generator(c);
     }
     c.set("requestId", reqId);

package/dist/types/utils/jwt/jwt.d.ts

@@ -22,6 +22,8 @@ export type VerifyOptions = {
     exp?: boolean;
     /** Verify the `iat` claim (default: `true`) */
     iat?: boolean;
+    /** Acceptable audience(s) for the token */
+    aud?: string | string[] | RegExp;
 };
 export type VerifyOptionsWithAlg = {
     /** The algorithm used for decoding the token */

package/dist/types/utils/jwt/types.d.ts

@@ -29,6 +29,12 @@ export declare class JwtHeaderRequiresKid extends Error {
 export declare class JwtTokenSignatureMismatched extends Error {
     constructor(token: string);
 }
+export declare class JwtPayloadRequiresAud extends Error {
+    constructor(payload: object);
+}
+export declare class JwtTokenAudience extends Error {
+    constructor(expected: string | string[] | RegExp, aud: string | string[]);
+}
 export declare enum CryptoKeyUsage {
     Encrypt = "encrypt",
     Decrypt = "decrypt",
@@ -60,5 +66,9 @@ export type JWTPayload = {
      * The token is checked to ensure it has been issued by a trusted issuer.
      */
     iss?: string;
+    /**
+     * The token is checked to ensure it is intended for a specific audience.
+     */
+    aud?: string | string[];
 };
 export type { HonoJsonWebKey } from './jws';

package/dist/utils/jwt/jwt.js

@@ -5,6 +5,8 @@ import { signing, verifying } from "./jws.js";
 import {
   JwtHeaderInvalid,
   JwtHeaderRequiresKid,
+  JwtPayloadRequiresAud,
+  JwtTokenAudience,
   JwtTokenExpired,
   JwtTokenInvalid,
   JwtTokenIssuedAt,
@@ -38,14 +40,14 @@ var sign = async (payload, privateKey, alg = "HS256") => {
   return `${partialToken}.${signature}`;
 };
 var verify = async (token, publicKey, algOrOptions) => {
-  const optsIn = typeof algOrOptions === "string" ? { alg: algOrOptions } : algOrOptions || {};
-  const opts = {
-    alg: optsIn.alg ?? "HS256",
-    iss: optsIn.iss,
-    nbf: optsIn.nbf ?? true,
-    exp: optsIn.exp ?? true,
-    iat: optsIn.iat ?? true
-  };
+  const {
+    alg = "HS256",
+    iss,
+    nbf = true,
+    exp = true,
+    iat = true,
+    aud
+  } = typeof algOrOptions === "string" ? { alg: algOrOptions } : algOrOptions || {};
   const tokenParts = token.split(".");
   if (tokenParts.length !== 3) {
     throw new JwtTokenInvalid(token);
@@ -55,30 +57,42 @@ var verify = async (token, publicKey, algOrOptions) => {
     throw new JwtHeaderInvalid(header);
   }
   const now = Date.now() / 1e3 | 0;
-  if (opts.nbf && payload.nbf && payload.nbf > now) {
+  if (nbf && payload.nbf && payload.nbf > now) {
     throw new JwtTokenNotBefore(token);
   }
-  if (opts.exp && payload.exp && payload.exp <= now) {
+  if (exp && payload.exp && payload.exp <= now) {
     throw new JwtTokenExpired(token);
   }
-  if (opts.iat && payload.iat && now < payload.iat) {
+  if (iat && payload.iat && now < payload.iat) {
     throw new JwtTokenIssuedAt(now, payload.iat);
   }
-  if (opts.iss) {
+  if (iss) {
     if (!payload.iss) {
-      throw new JwtTokenIssuer(opts.iss, null);
+      throw new JwtTokenIssuer(iss, null);
     }
-    if (typeof opts.iss === "string" && payload.iss !== opts.iss) {
-      throw new JwtTokenIssuer(opts.iss, payload.iss);
+    if (typeof iss === "string" && payload.iss !== iss) {
+      throw new JwtTokenIssuer(iss, payload.iss);
     }
-    if (opts.iss instanceof RegExp && !opts.iss.test(payload.iss)) {
-      throw new JwtTokenIssuer(opts.iss, payload.iss);
+    if (iss instanceof RegExp && !iss.test(payload.iss)) {
+      throw new JwtTokenIssuer(iss, payload.iss);
+    }
+  }
+  if (aud) {
+    if (!payload.aud) {
+      throw new JwtPayloadRequiresAud(payload);
+    }
+    const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
+    const matched = audiences.some(
+      (payloadAud) => aud instanceof RegExp ? aud.test(payloadAud) : typeof aud === "string" ? payloadAud === aud : Array.isArray(aud) && aud.includes(payloadAud)
+    );
+    if (!matched) {
+      throw new JwtTokenAudience(aud, payload.aud);
     }
   }
   const headerPayload = token.substring(0, token.lastIndexOf("."));
   const verified = await verifying(
     publicKey,
-    opts.alg,
+    alg,
     decodeBase64Url(tokenParts[2]),
     utf8Encoder.encode(headerPayload)
   );

package/dist/utils/jwt/types.js

@@ -55,6 +55,20 @@ var JwtTokenSignatureMismatched = class extends Error {
     this.name = "JwtTokenSignatureMismatched";
   }
 };
+var JwtPayloadRequiresAud = class extends Error {
+  constructor(payload) {
+    super(`required "aud" in jwt payload: ${JSON.stringify(payload)}`);
+    this.name = "JwtPayloadRequiresAud";
+  }
+};
+var JwtTokenAudience = class extends Error {
+  constructor(expected, aud) {
+    super(
+      `expected audience "${Array.isArray(expected) ? expected.join(", ") : expected}", got "${aud}"`
+    );
+    this.name = "JwtTokenAudience";
+  }
+};
 var CryptoKeyUsage = /* @__PURE__ */ ((CryptoKeyUsage2) => {
   CryptoKeyUsage2["Encrypt"] = "encrypt";
   CryptoKeyUsage2["Decrypt"] = "decrypt";
@@ -71,6 +85,8 @@ export {
   JwtAlgorithmNotImplemented,
   JwtHeaderInvalid,
   JwtHeaderRequiresKid,
+  JwtPayloadRequiresAud,
+  JwtTokenAudience,
   JwtTokenExpired,
   JwtTokenInvalid,
   JwtTokenIssuedAt,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hono",
-  "version": "4.10.1",
+  "version": "4.10.3",
   "description": "Web framework built on Web Standards",
   "main": "dist/cjs/index.js",
   "type": "module",