nextjs-cms 0.5.9 → 0.5.11

package/dist/auth/csrf.js

@@ -1,76 +1,76 @@
-/**
- * Creates a cookie with the value 'token|hash',
- * where 'token' is the CSRF token and 'hash' is a hash made of the token and
- * the secret, and the two values are joined by a pipe '|'. By storing the
- * value and the hash of the value (with the secret used as a salt) we can
- * verify the cookie was set by the server and not by a malicious attacker.
- *
- * For more details, see the following OWASP links:
- * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
- * https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
- */
-export async function createCSRFToken(cookieValue) {
-    /**
-     * If there is a CSRF token cookie, we verify it
-     */
-    if (cookieValue) {
-        /**
-         * Split the cookie value into the token and the hash
-         */
-        const [csrfToken, csrfTokenHash] = cookieValue.split('|');
-        if (csrfToken && csrfTokenHash) {
-            /**
-             * Create a hash of the CSRF token and the secret
-             */
-            const expectedCsrfTokenHash = await createHash(`${csrfToken}${process.env.CSRF_TOKEN_SECRET}`);
-            /**
-             * If hash matches then we trust the CSRF token value
-             */
-            if (csrfTokenHash === expectedCsrfTokenHash) {
-                return { csrfToken };
-            }
-        }
-    }
-    /**
-     * If this line is reached, then the CSRF token is not verified and we need to create a new one
-     */
-    const csrfToken = randomString(32);
-    const csrfTokenHash = await createHash(`${csrfToken}${process.env.CSRF_TOKEN_SECRET}`);
-    const cookie = `${csrfToken}|${csrfTokenHash}`;
-    /**
-     * Return the cookie and the CSRF token value
-     */
-    return { cookie, csrfToken };
-}
-/**
- * This function is used to validate the CSRF token in POST, PUT, DELETE requests (or any request that changes data)
- * @param cookieValue
- * @param bodyValue
- */
-export async function validateCSRFToken({ cookieValue, bodyValue }) {
-    if (cookieValue) {
-        const [csrfToken, csrfTokenHash] = cookieValue.split('|');
-        const expectedCsrfTokenHash = await createHash(`${csrfToken}${process.env.CSRF_TOKEN_SECRET}`);
-        if (csrfTokenHash === expectedCsrfTokenHash) {
-            // If hash matches then we trust the CSRF token value
-            // If this is a POST request and the CSRF Token in the POST request matches
-            // the cookie we have already verified is the one we have set, then the token is verified!
-            return csrfToken === bodyValue;
-        }
-    }
-    return false;
-}
-export function randomString(size) {
-    const i2hex = (i) => ('0' + i.toString(16)).slice(-2);
-    const r = (a, i) => a + i2hex(i);
-    const bytes = crypto.getRandomValues(new Uint8Array(size));
-    return Array.from(bytes).reduce(r, '');
-}
-export async function createHash(message) {
-    const data = new TextEncoder().encode(message);
-    const hash = await crypto.subtle.digest('SHA-256', data);
-    return Array.from(new Uint8Array(hash))
-        .map((b) => b.toString(16).padStart(2, '0'))
-        .join('')
-        .toString();
-}
+/**
+ * Creates a cookie with the value 'token|hash',
+ * where 'token' is the CSRF token and 'hash' is a hash made of the token and
+ * the secret, and the two values are joined by a pipe '|'. By storing the
+ * value and the hash of the value (with the secret used as a salt) we can
+ * verify the cookie was set by the server and not by a malicious attacker.
+ *
+ * For more details, see the following OWASP links:
+ * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
+ * https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
+ */
+export async function createCSRFToken(cookieValue) {
+    /**
+     * If there is a CSRF token cookie, we verify it
+     */
+    if (cookieValue) {
+        /**
+         * Split the cookie value into the token and the hash
+         */
+        const [csrfToken, csrfTokenHash] = cookieValue.split('|');
+        if (csrfToken && csrfTokenHash) {
+            /**
+             * Create a hash of the CSRF token and the secret
+             */
+            const expectedCsrfTokenHash = await createHash(`${csrfToken}${process.env.CSRF_TOKEN_SECRET}`);
+            /**
+             * If hash matches then we trust the CSRF token value
+             */
+            if (csrfTokenHash === expectedCsrfTokenHash) {
+                return { csrfToken };
+            }
+        }
+    }
+    /**
+     * If this line is reached, then the CSRF token is not verified and we need to create a new one
+     */
+    const csrfToken = randomString(32);
+    const csrfTokenHash = await createHash(`${csrfToken}${process.env.CSRF_TOKEN_SECRET}`);
+    const cookie = `${csrfToken}|${csrfTokenHash}`;
+    /**
+     * Return the cookie and the CSRF token value
+     */
+    return { cookie, csrfToken };
+}
+/**
+ * This function is used to validate the CSRF token in POST, PUT, DELETE requests (or any request that changes data)
+ * @param cookieValue
+ * @param bodyValue
+ */
+export async function validateCSRFToken({ cookieValue, bodyValue }) {
+    if (cookieValue) {
+        const [csrfToken, csrfTokenHash] = cookieValue.split('|');
+        const expectedCsrfTokenHash = await createHash(`${csrfToken}${process.env.CSRF_TOKEN_SECRET}`);
+        if (csrfTokenHash === expectedCsrfTokenHash) {
+            // If hash matches then we trust the CSRF token value
+            // If this is a POST request and the CSRF Token in the POST request matches
+            // the cookie we have already verified is the one we have set, then the token is verified!
+            return csrfToken === bodyValue;
+        }
+    }
+    return false;
+}
+export function randomString(size) {
+    const i2hex = (i) => ('0' + i.toString(16)).slice(-2);
+    const r = (a, i) => a + i2hex(i);
+    const bytes = crypto.getRandomValues(new Uint8Array(size));
+    return Array.from(bytes).reduce(r, '');
+}
+export async function createHash(message) {
+    const data = new TextEncoder().encode(message);
+    const hash = await crypto.subtle.digest('SHA-256', data);
+    return Array.from(new Uint8Array(hash))
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('')
+        .toString();
+}

package/dist/auth/hooks/index.d.ts

@@ -1,4 +1,4 @@
-import useAxiosPrivate from "./useAxiosPrivate.js";
-import useRefreshToken from "./useRefreshToken.js";
-export { useAxiosPrivate, useRefreshToken };
+import useAxiosPrivate from './useAxiosPrivate.js';
+import useRefreshToken from './useRefreshToken.js';
+export { useAxiosPrivate, useRefreshToken };
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/hooks/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,eAAe,MAAM,mBAAmB,CAAA;AAC/C,OAAO,eAAe,MAAM,mBAAmB,CAAA;AAE/C,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,eAAe,MAAM,sBAAsB,CAAA;AAClD,OAAO,eAAe,MAAM,sBAAsB,CAAA;AAElD,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,CAAA"}

package/dist/auth/hooks/index.js

@@ -1,3 +1,3 @@
-import useAxiosPrivate from "./useAxiosPrivate.js";
-import useRefreshToken from "./useRefreshToken.js";
-export { useAxiosPrivate, useRefreshToken };
+import useAxiosPrivate from './useAxiosPrivate.js';
+import useRefreshToken from './useRefreshToken.js';
+export { useAxiosPrivate, useRefreshToken };

package/dist/auth/hooks/useAxiosPrivate.d.ts

@@ -1,5 +1,5 @@
-declare const useAxiosPrivate: (options?: {
-    refreshTokenOn?: 401 | 404;
-}) => import("axios").AxiosInstance;
-export default useAxiosPrivate;
+declare const useAxiosPrivate: (options?: {
+    refreshTokenOn?: 401 | 404;
+}) => import("axios").AxiosInstance;
+export default useAxiosPrivate;
 //# sourceMappingURL=useAxiosPrivate.d.ts.map

package/dist/auth/hooks/useAxiosPrivate.js

@@ -1,74 +1,74 @@
-import { axiosPrivate } from "../axios/axiosInstance.js";
-import { useEffect } from 'react';
-import useRefreshToken from "./useRefreshToken.js";
-import axios from 'axios';
-import { getCsrfToken } from "../react.js";
-const useAxiosPrivate = (options) => {
-    const refresh = useRefreshToken();
-    const { refreshTokenOn = 401 } = options || {};
-    useEffect(() => {
-        /**
-         * Add a request interceptor
-         */
-        const requestIntercept = axiosPrivate.interceptors.request.use(
-        /**
-         * Do something before request is sent
-         * @param config The request config object
-         */
-        async (config) => {
-            if (config.method && ['post', 'put', 'delete'].includes(config.method.toLowerCase())) {
-                /**
-                 * If the request is a POST, PUT, or DELETE request, the XSRF-TOKEN header is added to the request.
-                 */
-                config.headers['x-csrf-token'] = await getCsrfToken();
-            }
-            /**
-             * Return the config object
-             */
-            return config;
-        }, (error) => Promise.reject(error));
-        /**
-         * This is the response interceptor
-         */
-        const responseIntercept = axiosPrivate.interceptors.response.use((response) => response, // Do nothing if the request is successful,
-        async (error) => {
-            // If the access token has expired, refresh it and retry the request
-            const prevRequest = error?.config; // The request that caused the error (the one that returned 401) is saved in the error object
-            if (error?.response?.status === refreshTokenOn && !prevRequest?.sent) {
-                // If the error is 401 and the request hasn't been sent before
-                prevRequest.sent = true; // Prevent infinite loops
-                const refreshStatus = await refresh(); // Refresh the access token cookie
-                if (refreshStatus === false)
-                    return Promise.reject(error); // If the refresh failed, reject the promise
-                // NOTICE: This is needed to send the request as multipart form data,
-                //  because resending the request with axios resets the Content-Type to application/json for some reason
-                // Use transformRequest to set Content-Type and include boundary for multipart form data
-                prevRequest.headers['Content-Type'] = 'multipart/form-data';
-                prevRequest.transformRequest = [
-                    (data, headers) => {
-                        // If the request data is FormData, set the boundary
-                        if (data instanceof FormData) {
-                            // @ts-ignore
-                            headers['Content-Type'] += `; boundary=${data._boundary}`;
-                        }
-                        return data;
-                    },
-                    ...axios.defaults.transformRequest, // Keep the default transformRequest functions
-                ];
-                return axiosPrivate(prevRequest); // The request that returned 401 is retried with the new access token
-            }
-            return Promise.reject(error);
-        });
-        // Remove the interceptors when the component unmounts
-        // This is needed to prevent memory leaks
-        return () => {
-            // Eject the interceptors
-            axiosPrivate.interceptors.request.eject(requestIntercept);
-            axiosPrivate.interceptors.response.eject(responseIntercept);
-        };
-    }, [
-    /*auth, refresh*/
-    ]);
-    return axiosPrivate;
-};
-export default useAxiosPrivate;
+import { axiosPrivate } from '../axios/axiosInstance.js';
+import { useEffect } from 'react';
+import useRefreshToken from './useRefreshToken.js';
+import axios from 'axios';
+import { getCsrfToken } from '../react.js';
+const useAxiosPrivate = (options) => {
+    const refresh = useRefreshToken();
+    const { refreshTokenOn = 401 } = options || {};
+    useEffect(() => {
+        /**
+         * Add a request interceptor
+         */
+        const requestIntercept = axiosPrivate.interceptors.request.use(
+        /**
+         * Do something before request is sent
+         * @param config The request config object
+         */
+        async (config) => {
+            if (config.method && ['post', 'put', 'delete'].includes(config.method.toLowerCase())) {
+                /**
+                 * If the request is a POST, PUT, or DELETE request, the XSRF-TOKEN header is added to the request.
+                 */
+                config.headers['x-csrf-token'] = await getCsrfToken();
+            }
+            /**
+             * Return the config object
+             */
+            return config;
+        }, (error) => Promise.reject(error));
+        /**
+         * This is the response interceptor
+         */
+        const responseIntercept = axiosPrivate.interceptors.response.use((response) => response, // Do nothing if the request is successful,
+        async (error) => {
+            // If the access token has expired, refresh it and retry the request
+            const prevRequest = error?.config; // The request that caused the error (the one that returned 401) is saved in the error object
+            if (error?.response?.status === refreshTokenOn && !prevRequest?.sent) {
+                // If the error is 401 and the request hasn't been sent before
+                prevRequest.sent = true; // Prevent infinite loops
+                const refreshStatus = await refresh(); // Refresh the access token cookie
+                if (refreshStatus === false)
+                    return Promise.reject(error); // If the refresh failed, reject the promise
+                // NOTICE: This is needed to send the request as multipart form data,
+                //  because resending the request with axios resets the Content-Type to application/json for some reason
+                // Use transformRequest to set Content-Type and include boundary for multipart form data
+                prevRequest.headers['Content-Type'] = 'multipart/form-data';
+                prevRequest.transformRequest = [
+                    (data, headers) => {
+                        // If the request data is FormData, set the boundary
+                        if (data instanceof FormData) {
+                            // @ts-ignore
+                            headers['Content-Type'] += `; boundary=${data._boundary}`;
+                        }
+                        return data;
+                    },
+                    ...axios.defaults.transformRequest, // Keep the default transformRequest functions
+                ];
+                return axiosPrivate(prevRequest); // The request that returned 401 is retried with the new access token
+            }
+            return Promise.reject(error);
+        });
+        // Remove the interceptors when the component unmounts
+        // This is needed to prevent memory leaks
+        return () => {
+            // Eject the interceptors
+            axiosPrivate.interceptors.request.eject(requestIntercept);
+            axiosPrivate.interceptors.response.eject(responseIntercept);
+        };
+    }, [
+    /*auth, refresh*/
+    ]);
+    return axiosPrivate;
+};
+export default useAxiosPrivate;

package/dist/auth/hooks/useRefreshToken.d.ts

@@ -1,7 +1,7 @@
-/**
- * This hook is used to refresh the access token when it expires.
- * It is used in the useAxiosPrivate hook to refresh the access token when a request returns a 401 error.
- */
-declare const useRefreshToken: () => () => Promise<unknown>;
-export default useRefreshToken;
+/**
+ * This hook is used to refresh the access token when it expires.
+ * It is used in the useAxiosPrivate hook to refresh the access token when a request returns a 401 error.
+ */
+declare const useRefreshToken: () => () => Promise<unknown>;
+export default useRefreshToken;
 //# sourceMappingURL=useRefreshToken.d.ts.map

package/dist/auth/hooks/useRefreshToken.js

@@ -1,79 +1,79 @@
-import { logout, refreshSession } from "../react.js";
-/**
- * This hook is used to refresh the access token when it expires.
- * It is used in the useAxiosPrivate hook to refresh the access token when a request returns a 401 error.
- */
-const useRefreshToken = () => {
-    let isRefreshing = false; // Is a refresh request being sent?
-    let failedQueue = []; // An array of requests that failed because of 401
-    const processQueue = (error, token = null) => {
-        failedQueue.forEach((prom) => {
-            if (error) {
-                prom.reject(error);
-            }
-            else {
-                prom.resolve(token);
-            }
-        });
-        failedQueue = [];
-    };
-    const refresh = async () => {
-        try {
-            const response = await fetch('/api/auth/refresh');
-            const data = await response.json();
-            /**
-             * The refresh request is done
-             */
-            isRefreshing = false;
-            if (response.status !== 200) {
-                /**
-                 * If the refresh token is invalid, we log out the user
-                 */
-                await logout({
-                    /**
-                     * No need to delete the cookies, because they are both invalid.
-                     */
-                    deleteCookies: false,
-                });
-                return false;
-            }
-            else {
-                /**
-                 * update the session
-                 */
-                await refreshSession();
-            }
-            /**
-             * Process the failed requests
-             */
-            processQueue(null, data?.accessToken);
-            return true;
-        }
-        catch (error) {
-            /**
-             * If the refresh token is invalid, we log out the user
-             */
-            await logout({
-                /**
-                 * No need to delete the cookies, because they are both invalid.
-                 */
-                deleteCookies: false,
-            });
-            return false;
-        }
-    };
-    // TODO: Apply this inside useAxiosPrivate.tsx to prevent even the 401 errors from happening
-    // Let's use semaphores to prevent multiple refreshes at the same time
-    return async () => {
-        if (isRefreshing) {
-            // If a refresh request is being sent, we return a promise
-            // that will be resolved when the refresh request is done
-            return new Promise((resolve, reject) => {
-                failedQueue.push({ resolve, reject });
-            });
-        }
-        isRefreshing = true; // A refresh request is being sent
-        return await refresh(); // Send the refresh request and return the new access token
-    };
-};
-export default useRefreshToken;
+import { logout, refreshSession } from '../react.js';
+/**
+ * This hook is used to refresh the access token when it expires.
+ * It is used in the useAxiosPrivate hook to refresh the access token when a request returns a 401 error.
+ */
+const useRefreshToken = () => {
+    let isRefreshing = false; // Is a refresh request being sent?
+    let failedQueue = []; // An array of requests that failed because of 401
+    const processQueue = (error, token = null) => {
+        failedQueue.forEach((prom) => {
+            if (error) {
+                prom.reject(error);
+            }
+            else {
+                prom.resolve(token);
+            }
+        });
+        failedQueue = [];
+    };
+    const refresh = async () => {
+        try {
+            const response = await fetch('/api/auth/refresh');
+            const data = await response.json();
+            /**
+             * The refresh request is done
+             */
+            isRefreshing = false;
+            if (response.status !== 200) {
+                /**
+                 * If the refresh token is invalid, we log out the user
+                 */
+                await logout({
+                    /**
+                     * No need to delete the cookies, because they are both invalid.
+                     */
+                    deleteCookies: false,
+                });
+                return false;
+            }
+            else {
+                /**
+                 * update the session
+                 */
+                await refreshSession();
+            }
+            /**
+             * Process the failed requests
+             */
+            processQueue(null, data?.accessToken);
+            return true;
+        }
+        catch (error) {
+            /**
+             * If the refresh token is invalid, we log out the user
+             */
+            await logout({
+                /**
+                 * No need to delete the cookies, because they are both invalid.
+                 */
+                deleteCookies: false,
+            });
+            return false;
+        }
+    };
+    // TODO: Apply this inside useAxiosPrivate.tsx to prevent even the 401 errors from happening
+    // Let's use semaphores to prevent multiple refreshes at the same time
+    return async () => {
+        if (isRefreshing) {
+            // If a refresh request is being sent, we return a promise
+            // that will be resolved when the refresh request is done
+            return new Promise((resolve, reject) => {
+                failedQueue.push({ resolve, reject });
+            });
+        }
+        isRefreshing = true; // A refresh request is being sent
+        return await refresh(); // Send the refresh request and return the new access token
+    };
+};
+export default useRefreshToken;

package/dist/auth/index.d.ts

@@ -1,23 +1,23 @@
-export interface Session {
-    user: User;
-}
-export interface User {
-    id: string;
-    name: string;
-    locale?: string | null;
-    email?: string | null;
-    image?: string | null;
-}
-/**
- * Internal function to get the auth session
- */
-declare function __auth__internal(): Promise<Session | null>;
-/**
- * Cache the auth session to avoid unnecessary requests per a single server request.
- */
-declare const auth: typeof __auth__internal;
-/**
- * Export the auth function
- */
-export default auth;
+export interface Session {
+    user: User;
+}
+export interface User {
+    id: string;
+    name: string;
+    locale?: string | null;
+    email?: string | null;
+    image?: string | null;
+}
+/**
+ * Internal function to get the auth session
+ */
+declare function __auth__internal(): Promise<Session | null>;
+/**
+ * Cache the auth session to avoid unnecessary requests per a single server request.
+ */
+declare const auth: typeof __auth__internal;
+/**
+ * Export the auth function
+ */
+export default auth;
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/index.js

@@ -1,44 +1,44 @@
-import { decodeJWT } from "./jwt.js";
-import { cookies } from 'next/headers';
-import { cache } from 'react';
-/**
- * Get the authenticated user from the access token
- * @param accessToken
- */
-const getAuthedUser = (accessToken) => {
-    if (!accessToken)
-        return null;
-    try {
-        return decodeJWT(accessToken);
-    }
-    catch (err) {
-        return null;
-    }
-};
-/**
- * Internal function to get the auth session
- */
-async function __auth__internal() {
-    const cookieJar = await cookies();
-    const jwt = getAuthedUser(cookieJar.get('access_token')?.value);
-    if (jwt) {
-        return {
-            user: {
-                id: jwt.id,
-                name: jwt.sub,
-                locale: jwt.locale,
-            },
-        };
-    }
-    else {
-        return null;
-    }
-}
-/**
- * Cache the auth session to avoid unnecessary requests per a single server request.
- */
-const auth = cache(__auth__internal);
-/**
- * Export the auth function
- */
-export default auth;
+import { decodeJWT } from './jwt.js';
+import { cookies } from 'next/headers';
+import { cache } from 'react';
+/**
+ * Get the authenticated user from the access token
+ * @param accessToken
+ */
+const getAuthedUser = (accessToken) => {
+    if (!accessToken)
+        return null;
+    try {
+        return decodeJWT(accessToken);
+    }
+    catch (err) {
+        return null;
+    }
+};
+/**
+ * Internal function to get the auth session
+ */
+async function __auth__internal() {
+    const cookieJar = await cookies();
+    const jwt = getAuthedUser(cookieJar.get('access_token')?.value);
+    if (jwt) {
+        return {
+            user: {
+                id: jwt.id,
+                name: jwt.sub,
+                locale: jwt.locale,
+            },
+        };
+    }
+    else {
+        return null;
+    }
+}
+/**
+ * Cache the auth session to avoid unnecessary requests per a single server request.
+ */
+const auth = cache(__auth__internal);
+/**
+ * Export the auth function
+ */
+export default auth;