miqro 7.3.3 → 7.3.4

@@ -18,13 +18,15 @@ export default {
18
18
  const cookieToken = args.req.cookies[ADMIN_EDITOR_AUTH_COOKIE];
19
19
  //console.log("\n\nqueryToken[%s] cookieToken[%s] KEY[%s]\n\n", queryToken, cookieToken, KEY);
20
20
  if (queryToken) {
21
- if (typeof queryToken === "string" && timingSafeEqual(Buffer.from(queryToken), Buffer.from(KEY))) {
21
+ const queryBuf = Buffer.from(String(queryToken));
22
+ const keyBuf = Buffer.from(KEY);
23
+ if (typeof queryToken === "string" && queryBuf.length === keyBuf.length && timingSafeEqual(queryBuf, keyBuf)) {
22
24
  args.res.setCookie(ADMIN_EDITOR_AUTH_COOKIE, KEY, {
23
- expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 31 * 12 * 500),
25
+ expires: new Date(Date.now() + 1000 * 60 * 60 * 24),
24
26
  httpOnly: true,
25
- //secure: true,
27
+ //secure: args.req.secure,
28
+ sameSite: "strict",
26
29
  path: "/",
27
- //sameSite: "strict"
28
30
  });
29
31
  args.req.searchParams.delete(ADMIN_EDITOR_AUTH_QUERY);
30
32
  const queryString = args.req.searchParams.toString();
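Review bot: The cookie set after a successful token match still carries the raw `KEY` as its value and is sent without the `Secure` attribute, because `//secure: args.req.secure,` stays commented out; on any plain-HTTP hop the admin secret itself is exposed, and shortening `expires` to one day limits the cookie, not the secret. Enable the attribute (`secure: args.req.secure,` if the request object really exposes that property, otherwise `secure: true` behind TLS) and consider issuing a random session identifier rather than `KEY`. The added length comparison does avoid the `timingSafeEqual` throw on buffers of different length, at the cost of revealing the key length through timing, which is usually acceptable. The same code appears in the `package/build/lib.cjs` hunk at `@@ -14133` and in `package/editor/auth.ts`; the enclosing function starts and ends outside this hunk.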
@@ -59,6 +59,7 @@ export async function esBuild(options, logger) {
59
59
  else {
60
60
  exec(esBuildCMD, {
61
61
  maxBuffer: 1024 * 1000 * 2000,
62
+ timeout: 60000,
62
63
  cwd: dirname(options.entryPoints[0])
63
64
  }, (err, stdout, _stderr) => {
64
65
  if (err) {
@@ -80,20 +80,38 @@ export function setupExitHandlers(app) {
80
80
  }
81
81
  process.exit(EXIT_CODES.ABNORMAL_UNCONTROLLED);
82
82
  });
83
- process.on("SIGTERM", function () {
83
+ process.on("SIGTERM", async function () {
84
84
  app.logger?.info('SIGTERM received');
85
+ if (app.server) {
86
+ await Promise.race([
87
+ app.stop(),
88
+ new Promise(r => setTimeout(r, 5000))
89
+ ]);
90
+ }
85
91
  process.exit(EXIT_CODES.ABNORMAL_UNCONTROLLED);
86
92
  });
87
- process.on('SIGHUP', function () {
93
+ process.on('SIGHUP', async function () {
88
94
  app.logger?.info('SIGHUP received');
95
+ if (app.server) {
96
+ await Promise.race([
97
+ app.stop(),
98
+ new Promise(r => setTimeout(r, 5000))
99
+ ]);
100
+ }
89
101
  process.exit(EXIT_CODES.ABNORMAL_UNCONTROLLED);
90
102
  });
91
103
  /*process.on('SIGKILL', function () {
92
104
  server.logger.info('SIGKILL received');
93
105
  process.exit(EXIT_CODES.ABNORMAL_UNCONTROLLED);
94
106
  });*/
95
- process.on('SIGINT', function () {
107
+ process.on('SIGINT', async function () {
96
108
  app.logger?.info('SIGINT received');
109
+ if (app.server) {
110
+ await Promise.race([
111
+ app.stop(),
112
+ new Promise(r => setTimeout(r, 5000))
113
+ ]);
114
+ }
97
115
  process.exit(EXIT_CODES.ABNORMAL_UNCONTROLLED);
98
116
  });
99
117
  }
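Review bot: A rejection from `app.stop()` in the new async SIGTERM, SIGHUP and SIGINT handlers makes `Promise.race` reject, so the `process.exit(...)` line after the `await` is never reached in that handler and the shutdown outcome depends on whatever unhandled-rejection handling is installed elsewhere. Wrapping the wait in `try`/`finally` guarantees the exit, and the three identical bodies can share one helper as sketched below (assuming `app.logger` exposes `error` the way the request logger does). The handlers also still exit with `EXIT_CODES.ABNORMAL_UNCONTROLLED` after a clean stop, which may deserve its own code. The same change is bundled in `package/build/lib.cjs` at `@@ -14407`; `setupExitHandlers` begins outside this hunk.

```javascript
// … unchanged: earlier handlers in setupExitHandlers …
const stopAndExit = async (signal) => {
  app.logger?.info(`${signal} received`);
  try {
    if (app.server) {
      await Promise.race([
        app.stop(),
        new Promise((r) => setTimeout(r, 5000)),
      ]);
    }
  } catch (e) {
    app.logger?.error(e);
  } finally {
    process.exit(EXIT_CODES.ABNORMAL_UNCONTROLLED);
  }
};
process.on("SIGTERM", () => stopAndExit("SIGTERM"));
process.on("SIGHUP", () => stopAndExit("SIGHUP"));
process.on("SIGINT", () => stopAndExit("SIGINT"));
```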
@@ -28,6 +28,7 @@ export interface MiqroOptions extends ImportJSXFileOptions {
28
28
  https?: boolean;
29
29
  httpRedirect?: number;
30
30
  noMinify?: boolean;
31
+ allowedRedirectHosts?: string[];
31
32
  }
32
33
  export interface InflateOptions {
33
34
  inflateDir?: string;
@@ -383,7 +383,12 @@ export class Miqro {
383
383
  if (this.options?.httpRedirect) {
384
384
  this.httpsRedirectServer = new App();
385
385
  this.httpsRedirectServer.use(async (req, res) => {
386
- const hostname = req.headers.host.split(":").length > 1 ? req.headers.host.split(":")[0] : req.headers.host;
386
+ const hostname = req.headers.host?.split(":")[0] ?? "";
387
+ const allowed = this.options?.allowedRedirectHosts;
388
+ if (allowed && !allowed.includes(hostname)) {
389
+ res.writeHead(400).end("Invalid Host header");
390
+ return;
391
+ }
387
392
  return await res.redirect('https://' + hostname + ":" + this.options.port + req.url);
388
393
  });
389
394
  }
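Review bot: With `allowedRedirectHosts` unset, which is the default because the option is optional, the client-supplied `Host` header still flows straight into the redirect target, so the new check only protects deployments that opt in. A missing header now yields the empty string and a redirect to `https://:<port>...` instead of an error, and `split(":")[0]` truncates bracketed IPv6 literals. Consider rejecting an empty hostname regardless of the list, `if (!hostname || (allowed && !allowed.includes(hostname))) {`, comparing case-insensitively, and documenting on the option that leaving it unset accepts any host. The same lines are bundled in `package/build/lib.cjs` at `@@ -17706`; the surrounding method starts outside the hunk.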
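--- a/package/build/lib.cjs
+++ b/package/build/lib.cjs
@@ -720,7 +720,7 @@ function ReadBuffer(options) {
  req.removeListener("end", endListener);
  try {
  const concatBuffers = Buffer.concat(buffers);
- const responseBuffer = req.headers["content-encoding"] === "gzip" ? (0, import_zlib.gunzipSync)(concatBuffers) : concatBuffers;
+ const responseBuffer = req.headers["content-encoding"] === "gzip" ? (0, import_zlib.gunzipSync)(concatBuffers, { maxOutputLength: limit }) : concatBuffers;
  req.logger.trace("ctx.buffer %o", responseBuffer);
  req.buffer = responseBuffer;
  resolve24();
@@ -2897,32 +2897,42 @@ var init_websocket = __esm({
  req.logger.debug("upgrading connection");
  socket.write(createUpgradeHeaders(acceptKey, extraHeaders));
  socket.on("data", async (data) => {
- const frame = parseFrame(data, this.options.maxFrameSize);
- if (frame === PING) {
- try {
- socket.write(Buffer.from([138, 0]));
- } catch (e) {
- req.logger.error(e);
- }
- } else if (frame !== null) {
- if (!this.options.onMessage) {
- socket.end();
- socket.destroy();
+ try {
+ const frame = parseFrame(data, this.options.maxFrameSize);
+ if (frame === PING) {
+ try {
+ socket.write(Buffer.from([138, 0]));
+ } catch (e) {
+ req.logger.error(e);
+ }
+ } else if (frame !== null) {
+ if (!this.options.onMessage) {
+ socket.end();
+ socket.destroy();
+ } else {
+ try {
+ await this.options.onMessage(client, frame);
+ } catch (e) {
+ req.logger.error(e);
+ }
+ }
  } else {
  try {
- await this.options.onMessage(client, frame);
+ socket.write(Buffer.from([136, 0]));
  } catch (e) {
  req.logger.error(e);
  }
+ socket.end();
+ socket.destroy();
  }
- } else {
+ } catch (e) {
  try {
- socket.write(Buffer.from([136, 0]));
- } catch (e) {
- req.logger.error(e);
+ req.logger?.error(e);
+ socket.end();
+ socket.destroy();
+ } catch (e2) {
+ console.error(e2);
  }
- socket.end();
- socket.destroy();
  }
  });
  socket.on("error", async (error2) => {
@@ -9446,6 +9456,7 @@ async function esBuild2(options, logger) {
  } else {
  (0, import_node_child_process.exec)(esBuildCMD, {
  maxBuffer: 1024 * 1e3 * 2e3,
+ timeout: 6e4,
  cwd: (0, import_node_path5.dirname)(options.entryPoints[0])
  }, (err, stdout, _stderr) => {
  if (err) {
@@ -9891,7 +9902,7 @@ function sqlite3ExecutorPrepare(args) {
  const where = getWhereStatement(q);
  const returing = q._returning.length === 0 ? "*" : q._returning.join(",");
  const whereSQL = where.sql !== "" ? ` WHERE ${where.sql}` : "";
- const sql = `DELETE FROM "${q._table}"${whereSQL}${getOrderBy(q._orderBy)}${getLimit(q._limitBy, q._offsetBy)} RETURNING ${returing}`;
+ const sql = `DELETE FROM ${renderTable(q._table)}${whereSQL}${getOrderBy(q._orderBy)}${getLimit(q._limitBy, q._offsetBy)} RETURNING ${returing}`;
  return {
  sql,
  values: where.values
@@ -9904,7 +9915,7 @@ function sqlite3ExecutorPrepare(args) {
  }
  case "create-table": {
  const q = args;
- const sql = `CREATE TABLE${q._ignoreDuplicate ? " IF NOT EXISTS" : ""} "${q._table}"${getCreateTableColumns(q._definition)}`;
+ const sql = `CREATE TABLE${q._ignoreDuplicate ? " IF NOT EXISTS" : ""} ${renderTable(q._table)}${getCreateTableColumns(q._definition)}`;
  return sql;
  }
  case "drop-database": {
@@ -9914,7 +9925,7 @@ function sqlite3ExecutorPrepare(args) {
  }
  case "drop-table": {
  const q = args;
- const sql = `DROP TABLE${q._ignoreDuplicate ? " IF EXISTS" : ""} "${q._table}"`;
+ const sql = `DROP TABLE${q._ignoreDuplicate ? " IF EXISTS" : ""} ${renderTable(q._table)}`;
  return sql;
  }
  case "alter-table": {
@@ -9933,17 +9944,17 @@ function sqlite3ExecutorPrepare(args) {
  throw new Error("unsupported alter action add without definition");
  }
  alters.push({
- sql: `ALTER TABLE "${q._table}" ADD COLUMN ${getCreateTableColumn(l._column, l._definition, [])}`
+ sql: `ALTER TABLE ${renderTable(q._table)} ADD COLUMN ${getCreateTableColumn(l._column, l._definition, [])}`
  });
  break;
  case "drop":
  alters.push({
- sql: `ALTER TABLE "${q._table}" DROP COLUMN "${l._column}"`
+ sql: `ALTER TABLE ${renderTable(q._table)} DROP COLUMN "${l._column}"`
  });
  break;
  case "rename":
  alters.push({
- sql: `ALTER TABLE "${q._table}" RENAME COLUMN "${l._column}" TO "${l._newName}"`
+ sql: `ALTER TABLE ${renderTable(q._table)} RENAME COLUMN "${l._column}" TO "${l._newName}"`
  });
  break;
  default:
@@ -9956,7 +9967,7 @@ function sqlite3ExecutorPrepare(args) {
  const q = args;
  const rows = getInsertValues(q._columns, q._values);
  const returing = q._returning.length === 0 ? "*" : q._returning.join(",");
- const sql = `INSERT${q._ignoreDuplicate ? " OR IGNORE" : ""} INTO "${q._table}"${getInsertColumns(q._columns)}${rows.sql} RETURNING ${returing}`;
+ const sql = `INSERT${q._ignoreDuplicate ? " OR IGNORE" : ""} INTO ${renderTable(q._table)}${getInsertColumns(q._columns)}${rows.sql} RETURNING ${returing}`;
  return [{
  sql,
  values: rows.values
@@ -9994,7 +10005,7 @@ function sqlite3ExecutorPrepare(args) {
  const where = getWhereStatement(q);
  const whereSQL = where.sql !== "" ? ` WHERE ${where.sql}` : "";
  const setSQL = ` SET ${q._sets.map((set) => `${renderColumn(set.column)}=?`)}`;
- const sql = `UPDATE "${q._table}"${setSQL}${whereSQL}${getOrderBy(q._orderBy)}${getLimit(q._limitBy, q._offsetBy)} RETURNING ${returing}`;
+ const sql = `UPDATE ${renderTable(q._table)}${setSQL}${whereSQL}${getOrderBy(q._orderBy)}${getLimit(q._limitBy, q._offsetBy)} RETURNING ${returing}`;
  return [{
  sql,
  values: q._sets.map((set) => set.value).concat(where.values)
@@ -10159,7 +10170,7 @@ function getCreateTableColumns(definition) {
  function getCreateTableColumn(columnName, def, primaryKeyColumns) {
  const primaryKey = primaryKeyColumns.length === 1 && columnName === primaryKeyColumns[0] ? " PRIMARY KEY" : "";
  const notNull = `${def.allowNull == false ? " NOT NULL" : ""}`;
- const defaultValue = `${def.defaultValue !== void 0 ? ` DEFAULT '${def.defaultValue}'` : ""}`;
+ const defaultValue = def.defaultValue !== void 0 ? ` DEFAULT '${String(def.defaultValue).replace(/'/g, "''")}'` : "";
  const autoIncrement = `${def.autoIncrement !== void 0 && def.autoIncrement === true ? ` AUTOINCREMENT` : ""}`;
  switch (def.type) {
  case "datetime":
@@ -10204,8 +10215,21 @@ function getOrderBy(orderBy, wrapper = '"') {
  function getLimit(limit, offsetBy) {
  return `${limit !== void 0 ? ` LIMIT ${limit}` : ""}${offsetBy ? ` OFFSET ${offsetBy}` : ""}`;
  }
+ var IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
  function renderColumn(column, wrapper = '"') {
- return `${column.split(".").map((c) => `${wrapper}${c}${wrapper}`).join(".")}`;
+ const parts = column.split(".");
+ for (const p of parts) {
+ if (!IDENT_RE.test(p)) {
+ throw new Error(`invalid identifier: ${p}`);
+ }
+ }
+ return parts.map((c) => `${wrapper}${c}${wrapper}`).join(".");
+ }
+ function renderTable(name, wrapper = '"') {
+ if (!IDENT_RE.test(name)) {
+ throw new Error(`invalid table name: ${name}`);
+ }
+ return `${wrapper}${name}${wrapper}`;
  }
  function mergePrepareArgs(to, merge, concatOperator = " AND ") {
  return (merge instanceof Array ? merge : [merge]).reduce((current, value) => {
@@ -10412,6 +10436,9 @@ async function postgresExecutor(config) {
  connectionString: databaseOptions.connectionString
  // "postgresql://postgres:password@localhost:5432/db"
  });
+ driver.on("error", (err) => {
+ console.error("pg client error:", err);
+ });
  await driver.connect();
  return {
  disconnect: async function postgresExecutorDisconnect() {
@@ -10423,14 +10450,14 @@ async function postgresExecutor(config) {
  switch (args._type) {
  case "create-table": {
  const q = args;
- const sql = `CREATE TABLE${q._ignoreDuplicate ? " IF NOT EXISTS" : ""} "${q._table}"${getCreateTableColumns2(q._definition)}`;
+ const sql = `CREATE TABLE${q._ignoreDuplicate ? " IF NOT EXISTS" : ""} ${renderTable(q._table)}${getCreateTableColumns2(q._definition)}`;
  return sql;
  }
  case "insert": {
  const q = args;
  const rows = getInsertValues(q._columns, q._values);
  const returing = q._returning.length === 0 ? "*" : q._returning.join(",");
- const sql = `INSERT INTO "${q._table}"${getInsertColumns(q._columns)}${rows.sql} ${q._ignoreDuplicate ? "ON CONFLICT DO NOTHING " : ""}RETURNING ${returing}`;
+ const sql = `INSERT INTO ${renderTable(q._table)}${getInsertColumns(q._columns)}${rows.sql} ${q._ignoreDuplicate ? "ON CONFLICT DO NOTHING " : ""}RETURNING ${returing}`;
  return {
  sql,
  values: rows.values
@@ -10441,7 +10468,7 @@ async function postgresExecutor(config) {
  let alters = [];
  if (q._renameTable) {
  alters.push({
- sql: `ALTER TABLE "${q._table}" RENAME TO "?"`,
+ sql: `ALTER TABLE ${renderTable(q._table)} RENAME TO "?"`,
  values: [q._renameTable]
  });
  }
@@ -10452,17 +10479,17 @@ async function postgresExecutor(config) {
  throw new Error("unsupported alter action add without definition");
  }
  alters.push({
- sql: `ALTER TABLE "${q._table}" ADD COLUMN ${getCreateTableColumn2(l._column, l._definition, [])}`
+ sql: `ALTER TABLE ${renderTable(q._table)} ADD COLUMN ${getCreateTableColumn2(l._column, l._definition, [])}`
  });
  break;
  case "drop":
  alters.push({
- sql: `ALTER TABLE "${q._table}" DROP COLUMN "${l._column}"`
+ sql: `ALTER TABLE ${renderTable(q._table)} DROP COLUMN "${l._column}"`
  });
  break;
  case "rename":
  alters.push({
- sql: `ALTER TABLE "${q._table}" RENAME COLUMN "${l._column}" TO "${l._newName}"`
+ sql: `ALTER TABLE ${renderTable(q._table)} RENAME COLUMN "${l._column}" TO "${l._newName}"`
  });
  break;
  default:
@@ -10498,7 +10525,7 @@ function getCreateTableColumns2(definition) {
  function getCreateTableColumn2(columnName, def, primaryKeyColumns) {
  const primaryKey = primaryKeyColumns.length === 1 && columnName === primaryKeyColumns[0] ? " PRIMARY KEY" : "";
  const notNull = `${def.allowNull == false ? " NOT NULL" : ""}`;
- const defaultValue = `${def.defaultValue !== void 0 ? ` DEFAULT '${def.defaultValue}'` : ""}`;
+ const defaultValue = def.defaultValue !== void 0 ? ` DEFAULT '${String(def.defaultValue).replace(/'/g, "''")}'` : "";
  if (def.autoIncrement) {
  return `"${columnName}" BIGSERIAL${primaryKey}`;
  }
@@ -10793,10 +10820,16 @@ var Where = class _Where {
  return this;
  }
  limit(limit) {
+ if (typeof limit !== "number" || !Number.isInteger(limit) || limit < 0) {
+ throw new Error("limit must be a non-negative integer");
+ }
  this._limitBy = limit;
  return this;
  }
  offset(offset) {
+ if (typeof offset !== "number" || !Number.isInteger(offset) || offset < 0) {
+ throw new Error("offset must be a non-negative integer");
+ }
  this._offsetBy = offset;
  return this;
  }
@@ -14133,13 +14166,15 @@ var auth_default = {
  const queryToken = args.req.query[ADMIN_EDITOR_AUTH_QUERY];
  const cookieToken = args.req.cookies[ADMIN_EDITOR_AUTH_COOKIE];
  if (queryToken) {
- if (typeof queryToken === "string" && (0, import_node_crypto5.timingSafeEqual)(Buffer.from(queryToken), Buffer.from(KEY))) {
+ const queryBuf = Buffer.from(String(queryToken));
+ const keyBuf = Buffer.from(KEY);
+ if (typeof queryToken === "string" && queryBuf.length === keyBuf.length && (0, import_node_crypto5.timingSafeEqual)(queryBuf, keyBuf)) {
  args.res.setCookie(ADMIN_EDITOR_AUTH_COOKIE, KEY, {
- expires: new Date(Date.now() + 1e3 * 60 * 60 * 24 * 31 * 12 * 500),
+ expires: new Date(Date.now() + 1e3 * 60 * 60 * 24),
  httpOnly: true,
- //secure: true,
+ //secure: args.req.secure,
+ sameSite: "strict",
  path: "/"
- //sameSite: "strict"
  });
  args.req.searchParams.delete(ADMIN_EDITOR_AUTH_QUERY);
  const queryString = args.req.searchParams.toString();
@@ -14407,16 +14442,34 @@ function setupExitHandlers(app) {
  }
  process.exit(EXIT_CODES.ABNORMAL_UNCONTROLLED);
  });
- process.on("SIGTERM", function() {
+ process.on("SIGTERM", async function() {
  app.logger?.info("SIGTERM received");
+ if (app.server) {
+ await Promise.race([
+ app.stop(),
+ new Promise((r) => setTimeout(r, 5e3))
+ ]);
+ }
  process.exit(EXIT_CODES.ABNORMAL_UNCONTROLLED);
  });
- process.on("SIGHUP", function() {
+ process.on("SIGHUP", async function() {
  app.logger?.info("SIGHUP received");
+ if (app.server) {
+ await Promise.race([
+ app.stop(),
+ new Promise((r) => setTimeout(r, 5e3))
+ ]);
+ }
  process.exit(EXIT_CODES.ABNORMAL_UNCONTROLLED);
  });
- process.on("SIGINT", function() {
+ process.on("SIGINT", async function() {
  app.logger?.info("SIGINT received");
+ if (app.server) {
+ await Promise.race([
+ app.stop(),
+ new Promise((r) => setTimeout(r, 5e3))
+ ]);
+ }
  process.exit(EXIT_CODES.ABNORMAL_UNCONTROLLED);
  });
  }
@@ -17706,7 +17759,12 @@ var Miqro = class _Miqro {
  if (this.options?.httpRedirect) {
  this.httpsRedirectServer = new App();
  this.httpsRedirectServer.use(async (req, res) => {
- const hostname = req.headers.host.split(":").length > 1 ? req.headers.host.split(":")[0] : req.headers.host;
+ const hostname = req.headers.host?.split(":")[0] ?? "";
+ const allowed2 = this.options?.allowedRedirectHosts;
+ if (allowed2 && !allowed2.includes(hostname)) {
+ res.writeHead(400).end("Invalid Host header");
+ return;
+ }
  return await res.redirect("https://" + hostname + ":" + this.options.port + req.url);
  });
  }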
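Review bot: Identifier validation now covers table names and `renderColumn` inputs, but the ALTER TABLE branches of both executors still emit `"${l._column}"` and `"${l._newName}"` without any check, and `q._returning.join(",")` goes into `RETURNING` as it is. Routing those column names through the same validation, e.g. `DROP COLUMN ${renderColumn(l._column)}` and `RENAME COLUMN ${renderColumn(l._column)} TO ${renderColumn(l._newName)}`, would close the gap in the hunks at `@@ -9933` and `@@ -10452`. In the postgres rename-table branch at `@@ -10441`, `RENAME TO "?"` places the placeholder inside a quoted identifier, where it is presumably not treated as a bound parameter; that text predates this change but sits on the edited line. Since this file is bundled output, the edits belong in the upstream query package source rather than here.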
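--- a/package/editor/auth.ts
+++ b/package/editor/auth.ts
@@ -28,14 +28,15 @@ export default {
  //console.log("\n\nqueryToken[%s] cookieToken[%s] KEY[%s]\n\n", queryToken, cookieToken, KEY);
 
  if (queryToken) {
- if (typeof queryToken === "string" && timingSafeEqual(Buffer.from(queryToken), Buffer.from(KEY))) {
+ const queryBuf = Buffer.from(String(queryToken));
+ const keyBuf = Buffer.from(KEY);
+ if (typeof queryToken === "string" && queryBuf.length === keyBuf.length && timingSafeEqual(queryBuf, keyBuf)) {
  args.res.setCookie(ADMIN_EDITOR_AUTH_COOKIE, KEY, {
- expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 31 * 12 * 500),
+ expires: new Date(Date.now() + 1000 * 60 * 60 * 24),
  httpOnly: true,
-
- //secure: true,
+ //secure: args.req.secure,
+ sameSite: "strict",
  path: "/",
- //sameSite: "strict"
  });
  args.req.searchParams.delete(ADMIN_EDITOR_AUTH_QUERY);
  const queryString = args.req.searchParams.toString();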
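--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "miqro",
- "version": "7.3.3",
+ "version": "7.3.4",
  "description": "",
  "type": "module",
  "main": "build/esm/src/lib.js",
@@ -41,12 +41,12 @@
  },
  "dependencies": {
  "postject": "1.0.0-alpha.6",
- "@miqro/core": "^5.1.1",
+ "@miqro/core": "^5.1.2",
  "@miqro/jsx": "^1.0.2",
  "@miqro/jsx-dom": "^1.0.6",
  "@miqro/jsx-node": "^1.0.9",
  "@miqro/parser": "^2.0.6",
- "@miqro/query": "^0.0.8",
+ "@miqro/query": "^0.0.9",
  "@miqro/runner": "^2.0.3",
  "@miqro/test": "^0.2.10",
  "@miqro/test-http": "^0.1.4",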