npm - nextjs-secure - Versions diffs - 0.1.1 → 0.2.0 - Mend

nextjs-secure 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md +128 -0
package/dist/csrf.cjs +187 -10
package/dist/csrf.cjs.map +1 -1
package/dist/csrf.d.cts +71 -22
package/dist/csrf.d.ts +71 -22
package/dist/csrf.js +182 -8
package/dist/csrf.js.map +1 -1
package/dist/index.cjs +190 -1
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +5 -3
package/dist/index.d.ts +5 -3
package/dist/index.js +185 -2
package/dist/index.js.map +1 -1
package/dist/{memory-g9zyQPy5.d.cts → memory-Dauy-IH3.d.cts} +1 -1
package/dist/{memory-g9zyQPy5.d.ts → memory-Dauy-IH3.d.ts} +1 -1
package/dist/rate-limit.d.cts +2 -2
package/dist/rate-limit.d.ts +2 -2
package/package.json +1 -1

package/dist/csrf.js CHANGED Viewed

@@ -1,14 +1,188 @@
-// src/middleware/csrf/index.ts
-function withCsrf() {
-  throw new Error("CSRF middleware coming soon in v0.2.0");
+import { webcrypto } from 'crypto';
+// src/middleware/csrf/token.ts
+var encoder = new TextEncoder();
+function randomBytes(length) {
+  const bytes = new Uint8Array(length);
+  webcrypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createSignature(data, secret) {
+  const key = await webcrypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await webcrypto.subtle.sign("HMAC", key, encoder.encode(data));
+  return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function safeCompare(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+async function createToken(secret, length = 32) {
+  const data = randomBytes(length);
+  const sig = await createSignature(data, secret);
+  return `${data}.${sig}`;
+}
+async function verifyToken(token, secret) {
+  if (!token || typeof token !== "string") return false;
+  const parts = token.split(".");
+  if (parts.length !== 2) return false;
+  const [data, sig] = parts;
+  if (!data || !sig) return false;
+  try {
+    const expected = await createSignature(data, secret);
+    return safeCompare(sig, expected);
+  } catch {
+    return false;
+  }
+}
+function tokensMatch(a, b) {
+  if (!a || !b) return false;
+  return safeCompare(a, b);
+}
+// src/middleware/csrf/middleware.ts
+var DEFAULT_COOKIE = {
+  name: "__csrf",
+  path: "/",
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  maxAge: 86400
+  // 24h
+};
+var DEFAULT_CONFIG = {
+  headerName: "x-csrf-token",
+  fieldName: "_csrf",
+  tokenLength: 32,
+  protectedMethods: ["POST", "PUT", "PATCH", "DELETE"]
+};
+function getSecret(config) {
+  const secret = config.secret || process.env.CSRF_SECRET;
+  if (!secret) {
+    throw new Error(
+      "CSRF secret is required. Set config.secret or CSRF_SECRET env variable."
+    );
+  }
+  return secret;
+}
+function buildCookieString(name, value, opts) {
+  let cookie = `${name}=${value}`;
+  if (opts.path) cookie += `; Path=${opts.path}`;
+  if (opts.domain) cookie += `; Domain=${opts.domain}`;
+  if (opts.maxAge) cookie += `; Max-Age=${opts.maxAge}`;
+  if (opts.httpOnly) cookie += "; HttpOnly";
+  if (opts.secure) cookie += "; Secure";
+  if (opts.sameSite) cookie += `; SameSite=${opts.sameSite}`;
+  return cookie;
+}
+async function extractToken(req, headerName, fieldName) {
+  const headerToken = req.headers.get(headerName);
+  if (headerToken) return headerToken;
+  const contentType = req.headers.get("content-type") || "";
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    try {
+      const cloned = req.clone();
+      const formData = await cloned.formData();
+      const token = formData.get(fieldName);
+      if (typeof token === "string") return token;
+    } catch {
+    }
+  }
+  if (contentType.includes("application/json")) {
+    try {
+      const cloned = req.clone();
+      const body = await cloned.json();
+      if (body && typeof body[fieldName] === "string") {
+        return body[fieldName];
+      }
+    } catch {
+    }
+  }
+  return null;
+}
+function defaultErrorResponse(_req, reason) {
+  return new Response(JSON.stringify({ error: "CSRF validation failed", reason }), {
+    status: 403,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function withCSRF(handler, config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const headerName = config.headerName || DEFAULT_CONFIG.headerName;
+  const fieldName = config.fieldName || DEFAULT_CONFIG.fieldName;
+  const protectedMethods = config.protectedMethods || DEFAULT_CONFIG.protectedMethods;
+  const onError = config.onError || defaultErrorResponse;
+  return async (req) => {
+    const method = req.method.toUpperCase();
+    if (!protectedMethods.includes(method)) {
+      return handler(req);
+    }
+    if (config.skip) {
+      const shouldSkip = await config.skip(req);
+      if (shouldSkip) return handler(req);
+    }
+    const cookieName = cookieOpts.name || "__csrf";
+    const cookieToken = req.cookies.get(cookieName)?.value;
+    if (!cookieToken) {
+      return onError(req, "missing_cookie");
+    }
+    const cookieValid = await verifyToken(cookieToken, secret);
+    if (!cookieValid) {
+      return onError(req, "invalid_cookie");
+    }
+    const requestToken = await extractToken(req, headerName, fieldName);
+    if (!requestToken) {
+      return onError(req, "missing_token");
+    }
+    if (!tokensMatch(cookieToken, requestToken)) {
+      return onError(req, "token_mismatch");
+    }
+    return handler(req);
+  };
 }
-function generateCsrfToken() {
-  throw new Error("CSRF middleware coming soon in v0.2.0");
+async function generateCSRF(config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const tokenLength = config.tokenLength || DEFAULT_CONFIG.tokenLength;
+  const cookieName = cookieOpts.name || "__csrf";
+  const token = await createToken(secret, tokenLength);
+  const cookieHeader = buildCookieString(cookieName, token, cookieOpts);
+  return { token, cookieHeader };
 }
-function validateCsrfToken() {
-  throw new Error("CSRF middleware coming soon in v0.2.0");
+async function validateCSRF(req, config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const headerName = config.headerName || DEFAULT_CONFIG.headerName;
+  const fieldName = config.fieldName || DEFAULT_CONFIG.fieldName;
+  const cookieName = cookieOpts.name || "__csrf";
+  const cookieToken = req.cookies.get(cookieName)?.value;
+  if (!cookieToken) {
+    return { valid: false, reason: "missing_cookie" };
+  }
+  const cookieValid = await verifyToken(cookieToken, secret);
+  if (!cookieValid) {
+    return { valid: false, reason: "invalid_cookie" };
+  }
+  const requestToken = await extractToken(req, headerName, fieldName);
+  if (!requestToken) {
+    return { valid: false, reason: "missing_token" };
+  }
+  if (!tokensMatch(cookieToken, requestToken)) {
+    return { valid: false, reason: "token_mismatch" };
+  }
+  return { valid: true };
 }
-export { generateCsrfToken, validateCsrfToken, withCsrf };
+export { createToken, generateCSRF, tokensMatch, validateCSRF, verifyToken, withCSRF };
 //# sourceMappingURL=csrf.js.map
 //# sourceMappingURL=csrf.js.map

package/dist/csrf.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/middleware/csrf/index.ts"],"names":[],"mappings":";AAuBO,SAAS,QAAA,GAAW;AACzB,EAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AACzD;AAEO,SAAS,iBAAA,GAAoB;AAClC,EAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AACzD;AAEO,SAAS,iBAAA,GAAoB;AAClC,EAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AACzD","file":"csrf.js","sourcesContent":["/*\n CSRF Protection Middleware (Coming Soon)\n \n @example\n * ```typescript\n * import { withCsrf, generateCsrfToken } from 'next-secure/csrf'\n \n // Generate token\n * export async function GET() {\n * const token = await generateCsrfToken()\n * return Response.json({ csrfToken: token })\n * }\n \n // Validate token\n * export const POST = withCsrf(async (req) => {\n * return Response.json({ ok: true })\n * })\n * ```\n \n @packageDocumentation\n */\n\n// Placeholder for CSRF middleware\nexport function withCsrf() {\n throw new Error('CSRF middleware coming soon in v0.2.0')\n}\n\nexport function generateCsrfToken() {\n throw new Error('CSRF middleware coming soon in v0.2.0')\n}\n\nexport function validateCsrfToken() {\n throw new Error('CSRF middleware coming soon in v0.2.0')\n}\n"]}
1	+ {"version":3,"sources":["../src/middleware/csrf/token.ts","../src/middleware/csrf/middleware.ts"],"names":[],"mappings":";;;AAEA,IAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAKzB,SAAS,YAAY,MAAA,EAAwB;AAClD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,SAAA,CAAU,gBAAgB,KAAK,CAAA;AAC/B,EAAA,OAAO,MAAM,IAAA,CAAK,KAAK,CAAA,CACpB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,QAAA,CAAS,EAAE,EAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAC1C,KAAK,EAAE,CAAA;AACZ;AAKA,eAAe,eAAA,CAAgB,MAAc,MAAA,EAAiC;AAC5E,EAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,MAAA,CAAO,SAAA;AAAA,IACjC,KAAA;AAAA,IACA,OAAA,CAAQ,OAAO,MAAM,CAAA;AAAA,IACrB,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAU;AAAA,IAChC,KAAA;AAAA,IACA,CAAC,MAAM;AAAA,GACT;AAEA,EAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,MAAA,CAAO,IAAA,CAAK,QAAQ,GAAA,EAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAC,CAAA;AACzE,EAAA,OAAO,KAAA,CAAM,KAAK,IAAI,UAAA,CAAW,GAAG,CAAC,CAAA,CAClC,IAAI,CAAC,CAAA,KAAM,EAAE,QAAA,CAAS,EAAE,EAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAC1C,KAAK,EAAE,CAAA;AACZ;AAKA,SAAS,WAAA,CAAY,GAAW,CAAA,EAAoB;AAClD,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAElC,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AACjC,IAAA,MAAA,IAAU,EAAE,UAAA,CAAW,CAAC,CAAA,GAAI,CAAA,CAAE,WAAW,CAAC,CAAA;AAAA,EAC5C;AACA,EAAA,OAAO,MAAA,KAAW,CAAA;AACpB;AAKA,eAAsB,WAAA,CACpB,MAAA,EACA,MAAA,GAAiB,EAAA,EACA;AACjB,EAAA,MAAM,IAAA,GAAO,YAAY,MAAM,CAAA;AAC/B,EAAA,MAAM,GAAA,GAAM,MAAM,eAAA,CAAgB,IAAA,EAAM,MAAM,CAAA;AAC9C,EAAA,OAAO,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA;AACvB;AAKA,eAAsB,WAAA,CACpB,OACA,MAAA,EACkB;AAClB,EAAA,IAAI,CAAC,KAAA,IAAS,OAAO,KAAA,KAAU,UAAU,OAAO,KAAA;AAEhD,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAC7B,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AAE/B,EAAA,MAAM,CAAC,IAAA,EAAM,GAAG,CAAA,GAAI,KAAA;AACpB,EAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,GAAA,EAAK,OAAO,KAAA;AAE1B,EAAA,IAAI;AACF,IAAA,MAAM,QAAA,GAAW,MAAM,eAAA,CAAgB,IAAA,EAAM,MAAM,CAAA;AACnD,IAAA,OAAO,WAAA,CAAY,KAAK,QAAQ,CAAA;AAAA,EAClC,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAKO,SAAS,WAAA,CAAY,GAAW,CAAA,EAAoB;AACzD,EAAA,IAAI,CAAC,CAAA,IAAK,CAAC,CAAA,EAAG,OAAO,KAAA;AACrB,EAAA,OAAO,WAAA,CAAY,GAAG,CAAC,CAAA;AACzB;;;ACjFA,IAAM,cAAA,GAAoC;AAAA,EACxC,IAAA,EAAM,QAAA;AAAA,EACN,IAAA,EAAM,GAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,EACjC,QAAA,EAAU,QAAA;AAAA,EACV,MAAA,EAAQ;AAAA;AACV,CAAA;AAEA,IAAM,cAAA,GAAiE;AAAA,EAErE,UAAA,EAAY,cAAA;AAAA,EACZ,SAAA,EAAW,OAAA;AAAA,EAEX,WAAA,EAAa,EAAA;AAAA,EACb,gBAAA,EAAkB,CAAC,MAAA,EAAQ,KAAA,EAAO,SAAS,QAAQ;AACrD,CAAA;AAEA,SAAS,UAAU,MAAA,EAA4B;AAC7C,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,WAAA;AAC5C,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACA,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,iBAAA,CAAkB,IAAA,EAAc,KAAA,EAAe,IAAA,EAAiC;AACvF,EAAA,IAAI,MAAA,GAAS,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,KAAK,CAAA,CAAA;AAE7B,EAAA,IAAI,IAAA,CAAK,IAAA,EAAM,MAAA,IAAU,CAAA,OAAA,EAAU,KAAK,IAAI,CAAA,CAAA;AAC5C,EAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,MAAA,IAAU,CAAA,SAAA,EAAY,KAAK,MAAM,CAAA,CAAA;AAClD,EAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,MAAA,IAAU,CAAA,UAAA,EAAa,KAAK,MAAM,CAAA,CAAA;AACnD,EAAA,IAAI,IAAA,CAAK,UAAU,MAAA,IAAU,YAAA;AAC7B,EAAA,IAAI,IAAA,CAAK,QAAQ,MAAA,IAAU,UAAA;AAC3B,EAAA,IAAI,IAAA,CAAK,QAAA,EAAU,MAAA,IAAU,CAAA,WAAA,EAAc,KAAK,QAAQ,CAAA,CAAA;AAExD,EAAA,OAAO,MAAA;AACT;AAKA,eAAe,YAAA,CACb,GAAA,EACA,UAAA,EACA,SAAA,EACwB;AAExB,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAC9C,EAAA,IAAI,aAAa,OAAO,WAAA;AAGxB,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,IAAK,EAAA;AAEvD,EAAA,IAAI,WAAA,CAAY,QAAA,CAAS,mCAAmC,CAAA,EAAG;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,IAAI,KAAA,EAAM;AACzB,MAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,QAAA,EAAS;AACvC,MAAA,MAAM,KAAA,GAAQ,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AACpC,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAAA,IACxC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAEA,EAAA,IAAI,WAAA,CAAY,QAAA,CAAS,kBAAkB,CAAA,EAAG;AAC5C,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,IAAI,KAAA,EAAM;AACzB,MAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,IAAA,EAAK;AAC/B,MAAA,IAAI,IAAA,IAAQ,OAAO,IAAA,CAAK,SAAS,MAAM,QAAA,EAAU;AAC/C,QAAA,OAAO,KAAK,SAAS,CAAA;AAAA,MACvB;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,oBAAA,CAAqB,MAAmB,MAAA,EAA0B;AACzE,EAAA,OAAO,IAAI,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,wBAAA,EAA0B,MAAA,EAAQ,CAAA,EAAG;AAAA,IAC/E,MAAA,EAAQ,GAAA;AAAA,IACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA;AAAmB,GAC/C,CAAA;AACH;AAUO,SAAS,QAAA,CAAS,OAAA,EAAuB,MAAA,GAAqB,EAAC,EAAiB;AACrF,EAAA,MAAM,MAAA,GAAS,UAAU,MAAM,CAAA;AAC/B,EAAA,MAAM,aAAa,EAAE,GAAG,cAAA,EAAgB,GAAG,OAAO,MAAA,EAAO;AACzD,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,UAAA,IAAc,cAAA,CAAe,UAAA;AACvD,EAAA,MAAM,SAAA,GAAY,MAAA,CAAO,SAAA,IAAa,cAAA,CAAe,SAAA;AACrD,EAAA,MAAM,gBAAA,GAAmB,MAAA,CAAO,gBAAA,IAAoB,cAAA,CAAe,gBAAA;AACnE,EAAA,MAAM,OAAA,GAAU,OAAO,OAAA,IAAW,oBAAA;AAElC,EAAA,OAAO,OAAO,GAAA,KAAwC;AACpD,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,CAAO,WAAA,EAAY;AAGtC,IAAA,IAAI,CAAC,gBAAA,CAAiB,QAAA,CAAS,MAAM,CAAA,EAAG;AACtC,MAAA,OAAO,QAAQ,GAAG,CAAA;AAAA,IACpB;AAGA,IAAA,IAAI,OAAO,IAAA,EAAM;AACf,MAAA,MAAM,UAAA,GAAa,MAAM,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA;AACxC,MAAA,IAAI,UAAA,EAAY,OAAO,OAAA,CAAQ,GAAG,CAAA;AAAA,IACpC;AAEA,IAAA,MAAM,UAAA,GAAa,WAAW,IAAA,IAAQ,QAAA;AACtC,IAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,KAAA;AAGjD,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO,OAAA,CAAQ,KAAK,gBAAgB,CAAA;AAAA,IACtC;AAGA,IAAA,MAAM,WAAA,GAAc,MAAM,WAAA,CAAY,WAAA,EAAa,MAAM,CAAA;AACzD,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO,OAAA,CAAQ,KAAK,gBAAgB,CAAA;AAAA,IACtC;AAGA,IAAA,MAAM,YAAA,GAAe,MAAM,YAAA,CAAa,GAAA,EAAK,YAAY,SAAS,CAAA;AAClE,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,OAAO,OAAA,CAAQ,KAAK,eAAe,CAAA;AAAA,IACrC;AAGA,IAAA,IAAI,CAAC,WAAA,CAAY,WAAA,EAAa,YAAY,CAAA,EAAG;AAC3C,MAAA,OAAO,OAAA,CAAQ,KAAK,gBAAgB,CAAA;AAAA,IACtC;AAEA,IAAA,OAAO,QAAQ,GAAG,CAAA;AAAA,EACpB,CAAA;AACF;AAMA,eAAsB,YAAA,CAAa,MAAA,GAAqB,EAAC,EAGtD;AACD,EAAA,MAAM,MAAA,GAAS,UAAU,MAAM,CAAA;AAC/B,EAAA,MAAM,aAAa,EAAE,GAAG,cAAA,EAAgB,GAAG,OAAO,MAAA,EAAO;AACzD,EAAA,MAAM,WAAA,GAAc,MAAA,CAAO,WAAA,IAAe,cAAA,CAAe,WAAA;AACzD,EAAA,MAAM,UAAA,GAAa,WAAW,IAAA,IAAQ,QAAA;AAEtC,EAAA,MAAM,KAAA,GAAQ,MAAM,WAAA,CAAY,MAAA,EAAQ,WAAW,CAAA;AACnD,EAAA,MAAM,YAAA,GAAe,iBAAA,CAAkB,UAAA,EAAY,KAAA,EAAO,UAAU,CAAA;AAEpE,EAAA,OAAO,EAAE,OAAO,YAAA,EAAa;AAC/B;AAMA,eAAsB,YAAA,CACpB,GAAA,EACA,MAAA,GAAqB,EAAC,EACwB;AAC9C,EAAA,MAAM,MAAA,GAAS,UAAU,MAAM,CAAA;AAC/B,EAAA,MAAM,aAAa,EAAE,GAAG,cAAA,EAAgB,GAAG,OAAO,MAAA,EAAO;AACzD,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,UAAA,IAAc,cAAA,CAAe,UAAA;AACvD,EAAA,MAAM,SAAA,GAAY,MAAA,CAAO,SAAA,IAAa,cAAA,CAAe,SAAA;AACrD,EAAA,MAAM,UAAA,GAAa,WAAW,IAAA,IAAQ,QAAA;AAEtC,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,KAAA;AACjD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,gBAAA,EAAiB;AAAA,EAClD;AAEA,EAAA,MAAM,WAAA,GAAc,MAAM,WAAA,CAAY,WAAA,EAAa,MAAM,CAAA;AACzD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,gBAAA,EAAiB;AAAA,EAClD;AAEA,EAAA,MAAM,YAAA,GAAe,MAAM,YAAA,CAAa,GAAA,EAAK,YAAY,SAAS,CAAA;AAClE,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,eAAA,EAAgB;AAAA,EACjD;AAEA,EAAA,IAAI,CAAC,WAAA,CAAY,WAAA,EAAa,YAAY,CAAA,EAAG;AAC3C,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,gBAAA,EAAiB;AAAA,EAClD;AAEA,EAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AACvB","file":"csrf.js","sourcesContent":["import { webcrypto } from 'node:crypto'\n\nconst encoder = new TextEncoder()\n\n/*\n Generate random bytes as hex string\n /\nexport function randomBytes(length: number): string {\n const bytes = new Uint8Array(length)\n webcrypto.getRandomValues(bytes)\n return Array.from(bytes)\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('')\n}\n\n/\n Create HMAC signature\n /\nasync function createSignature(data: string, secret: string): Promise<string> {\n const key = await webcrypto.subtle.importKey(\n 'raw',\n encoder.encode(secret),\n { name: 'HMAC', hash: 'SHA-256' },\n false,\n ['sign']\n )\n\n const sig = await webcrypto.subtle.sign('HMAC', key, encoder.encode(data))\n return Array.from(new Uint8Array(sig))\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('')\n}\n\n/\n Constant-time string comparison to prevent timing attacks\n /\nfunction safeCompare(a: string, b: string): boolean {\n if (a.length !== b.length) return false\n\n let result = 0\n for (let i = 0; i < a.length; i++) {\n result \|= a.charCodeAt(i) ^ b.charCodeAt(i)\n }\n return result === 0\n}\n\n/\n Create a signed CSRF token\n /\nexport async function createToken(\n secret: string,\n length: number = 32\n): Promise<string> {\n const data = randomBytes(length)\n const sig = await createSignature(data, secret)\n return `${data}.${sig}`\n}\n\n/\n Verify a signed CSRF token\n /\nexport async function verifyToken(\n token: string,\n secret: string\n): Promise<boolean> {\n if (!token \|\| typeof token !== 'string') return false\n\n const parts = token.split('.')\n if (parts.length !== 2) return false\n\n const [data, sig] = parts\n if (!data \|\| !sig) return false\n\n try {\n const expected = await createSignature(data, secret)\n return safeCompare(sig, expected)\n } catch {\n return false\n }\n}\n\n/\n Compare two tokens (constant-time)\n /\nexport function tokensMatch(a: string, b: string): boolean {\n if (!a \|\| !b) return false\n return safeCompare(a, b)\n}\n","import type { NextRequest } from 'next/server'\nimport type { CSRFConfig, CSRFCookieOptions } from './types'\nimport { createToken, verifyToken, tokensMatch } from './token'\n\ntype RouteHandler = (req: NextRequest) => Response \| Promise<Response>\n\nconst DEFAULT_COOKIE: CSRFCookieOptions = {\n name: '__csrf',\n path: '/',\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'strict',\n maxAge: 86400, // 24h\n}\n\nconst DEFAULT_CONFIG: Required<Omit<CSRFConfig, 'skip' \| 'onError'>> = {\n cookie: DEFAULT_COOKIE,\n headerName: 'x-csrf-token',\n fieldName: '_csrf',\n secret: '',\n tokenLength: 32,\n protectedMethods: ['POST', 'PUT', 'PATCH', 'DELETE'],\n}\n\nfunction getSecret(config: CSRFConfig): string {\n const secret = config.secret \|\| process.env.CSRF_SECRET\n if (!secret) {\n throw new Error(\n 'CSRF secret is required. Set config.secret or CSRF_SECRET env variable.'\n )\n }\n return secret\n}\n\nfunction buildCookieString(name: string, value: string, opts: CSRFCookieOptions): string {\n let cookie = `${name}=${value}`\n\n if (opts.path) cookie += `; Path=${opts.path}`\n if (opts.domain) cookie += `; Domain=${opts.domain}`\n if (opts.maxAge) cookie += `; Max-Age=${opts.maxAge}`\n if (opts.httpOnly) cookie += '; HttpOnly'\n if (opts.secure) cookie += '; Secure'\n if (opts.sameSite) cookie += `; SameSite=${opts.sameSite}`\n\n return cookie\n}\n\n/\n Extract token from request (header or body)\n /\nasync function extractToken(\n req: NextRequest,\n headerName: string,\n fieldName: string\n): Promise<string \| null> {\n // check header first\n const headerToken = req.headers.get(headerName)\n if (headerToken) return headerToken\n\n // try to get from form data\n const contentType = req.headers.get('content-type') \|\| ''\n\n if (contentType.includes('application/x-www-form-urlencoded')) {\n try {\n const cloned = req.clone()\n const formData = await cloned.formData()\n const token = formData.get(fieldName)\n if (typeof token === 'string') return token\n } catch {\n // ignore parse errors\n }\n }\n\n if (contentType.includes('application/json')) {\n try {\n const cloned = req.clone()\n const body = await cloned.json()\n if (body && typeof body[fieldName] === 'string') {\n return body[fieldName]\n }\n } catch {\n // ignore parse errors\n }\n }\n\n return null\n}\n\nfunction defaultErrorResponse(_req: NextRequest, reason: string): Response {\n return new Response(JSON.stringify({ error: 'CSRF validation failed', reason }), {\n status: 403,\n headers: { 'Content-Type': 'application/json' },\n })\n}\n\n/\n CSRF protection middleware\n \n Uses double submit cookie pattern:\n * 1. Server sets a signed token in a cookie\n * 2. Client sends the same token in header/body\n * 3. Server compares both values\n /\nexport function withCSRF(handler: RouteHandler, config: CSRFConfig = {}): RouteHandler {\n const secret = getSecret(config)\n const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie }\n const headerName = config.headerName \|\| DEFAULT_CONFIG.headerName\n const fieldName = config.fieldName \|\| DEFAULT_CONFIG.fieldName\n const protectedMethods = config.protectedMethods \|\| DEFAULT_CONFIG.protectedMethods\n const onError = config.onError \|\| defaultErrorResponse\n\n return async (req: NextRequest): Promise<Response> => {\n const method = req.method.toUpperCase()\n\n // skip unprotected methods\n if (!protectedMethods.includes(method)) {\n return handler(req)\n }\n\n // custom skip logic\n if (config.skip) {\n const shouldSkip = await config.skip(req)\n if (shouldSkip) return handler(req)\n }\n\n const cookieName = cookieOpts.name \|\| '__csrf'\n const cookieToken = req.cookies.get(cookieName)?.value\n\n // no cookie = first request, reject\n if (!cookieToken) {\n return onError(req, 'missing_cookie')\n }\n\n // verify cookie token is valid (signed by us)\n const cookieValid = await verifyToken(cookieToken, secret)\n if (!cookieValid) {\n return onError(req, 'invalid_cookie')\n }\n\n // get token from request\n const requestToken = await extractToken(req, headerName, fieldName)\n if (!requestToken) {\n return onError(req, 'missing_token')\n }\n\n // compare tokens\n if (!tokensMatch(cookieToken, requestToken)) {\n return onError(req, 'token_mismatch')\n }\n\n return handler(req)\n }\n}\n\n/\n Generate a new CSRF token and cookie header\n * Use this in GET routes to set the initial token\n /\nexport async function generateCSRF(config: CSRFConfig = {}): Promise<{\n token: string\n cookieHeader: string\n}> {\n const secret = getSecret(config)\n const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie }\n const tokenLength = config.tokenLength \|\| DEFAULT_CONFIG.tokenLength\n const cookieName = cookieOpts.name \|\| '__csrf'\n\n const token = await createToken(secret, tokenLength)\n const cookieHeader = buildCookieString(cookieName, token, cookieOpts)\n\n return { token, cookieHeader }\n}\n\n/\n Validate a CSRF token without middleware\n * Useful for custom validation flows\n */\nexport async function validateCSRF(\n req: NextRequest,\n config: CSRFConfig = {}\n): Promise<{ valid: boolean; reason?: string }> {\n const secret = getSecret(config)\n const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie }\n const headerName = config.headerName \|\| DEFAULT_CONFIG.headerName\n const fieldName = config.fieldName \|\| DEFAULT_CONFIG.fieldName\n const cookieName = cookieOpts.name \|\| '__csrf'\n\n const cookieToken = req.cookies.get(cookieName)?.value\n if (!cookieToken) {\n return { valid: false, reason: 'missing_cookie' }\n }\n\n const cookieValid = await verifyToken(cookieToken, secret)\n if (!cookieValid) {\n return { valid: false, reason: 'invalid_cookie' }\n }\n\n const requestToken = await extractToken(req, headerName, fieldName)\n if (!requestToken) {\n return { valid: false, reason: 'missing_token' }\n }\n\n if (!tokensMatch(cookieToken, requestToken)) {\n return { valid: false, reason: 'token_mismatch' }\n }\n\n return { valid: true }\n}\n"]}

package/dist/index.cjs CHANGED Viewed

@@ -1,5 +1,7 @@
 'use strict';
+var crypto$1 = require('crypto');
 // src/core/errors.ts
 var SecureError = class extends Error {
   /**
@@ -994,9 +996,190 @@ function clearAllRateLimits() {
     defaultStore.clear();
   }
 }
+var encoder = new TextEncoder();
+function randomBytes(length) {
+  const bytes = new Uint8Array(length);
+  crypto$1.webcrypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createSignature(data, secret) {
+  const key = await crypto$1.webcrypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto$1.webcrypto.subtle.sign("HMAC", key, encoder.encode(data));
+  return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function safeCompare(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+async function createToken(secret, length = 32) {
+  const data = randomBytes(length);
+  const sig = await createSignature(data, secret);
+  return `${data}.${sig}`;
+}
+async function verifyToken(token, secret) {
+  if (!token || typeof token !== "string") return false;
+  const parts = token.split(".");
+  if (parts.length !== 2) return false;
+  const [data, sig] = parts;
+  if (!data || !sig) return false;
+  try {
+    const expected = await createSignature(data, secret);
+    return safeCompare(sig, expected);
+  } catch {
+    return false;
+  }
+}
+function tokensMatch(a, b) {
+  if (!a || !b) return false;
+  return safeCompare(a, b);
+}
+// src/middleware/csrf/middleware.ts
+var DEFAULT_COOKIE = {
+  name: "__csrf",
+  path: "/",
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  maxAge: 86400
+  // 24h
+};
+var DEFAULT_CONFIG2 = {
+  headerName: "x-csrf-token",
+  fieldName: "_csrf",
+  tokenLength: 32,
+  protectedMethods: ["POST", "PUT", "PATCH", "DELETE"]
+};
+function getSecret(config) {
+  const secret = config.secret || process.env.CSRF_SECRET;
+  if (!secret) {
+    throw new Error(
+      "CSRF secret is required. Set config.secret or CSRF_SECRET env variable."
+    );
+  }
+  return secret;
+}
+function buildCookieString(name, value, opts) {
+  let cookie = `${name}=${value}`;
+  if (opts.path) cookie += `; Path=${opts.path}`;
+  if (opts.domain) cookie += `; Domain=${opts.domain}`;
+  if (opts.maxAge) cookie += `; Max-Age=${opts.maxAge}`;
+  if (opts.httpOnly) cookie += "; HttpOnly";
+  if (opts.secure) cookie += "; Secure";
+  if (opts.sameSite) cookie += `; SameSite=${opts.sameSite}`;
+  return cookie;
+}
+async function extractToken(req, headerName, fieldName) {
+  const headerToken = req.headers.get(headerName);
+  if (headerToken) return headerToken;
+  const contentType = req.headers.get("content-type") || "";
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    try {
+      const cloned = req.clone();
+      const formData = await cloned.formData();
+      const token = formData.get(fieldName);
+      if (typeof token === "string") return token;
+    } catch {
+    }
+  }
+  if (contentType.includes("application/json")) {
+    try {
+      const cloned = req.clone();
+      const body = await cloned.json();
+      if (body && typeof body[fieldName] === "string") {
+        return body[fieldName];
+      }
+    } catch {
+    }
+  }
+  return null;
+}
+function defaultErrorResponse(_req, reason) {
+  return new Response(JSON.stringify({ error: "CSRF validation failed", reason }), {
+    status: 403,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function withCSRF(handler, config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const headerName = config.headerName || DEFAULT_CONFIG2.headerName;
+  const fieldName = config.fieldName || DEFAULT_CONFIG2.fieldName;
+  const protectedMethods = config.protectedMethods || DEFAULT_CONFIG2.protectedMethods;
+  const onError = config.onError || defaultErrorResponse;
+  return async (req) => {
+    const method = req.method.toUpperCase();
+    if (!protectedMethods.includes(method)) {
+      return handler(req);
+    }
+    if (config.skip) {
+      const shouldSkip = await config.skip(req);
+      if (shouldSkip) return handler(req);
+    }
+    const cookieName = cookieOpts.name || "__csrf";
+    const cookieToken = req.cookies.get(cookieName)?.value;
+    if (!cookieToken) {
+      return onError(req, "missing_cookie");
+    }
+    const cookieValid = await verifyToken(cookieToken, secret);
+    if (!cookieValid) {
+      return onError(req, "invalid_cookie");
+    }
+    const requestToken = await extractToken(req, headerName, fieldName);
+    if (!requestToken) {
+      return onError(req, "missing_token");
+    }
+    if (!tokensMatch(cookieToken, requestToken)) {
+      return onError(req, "token_mismatch");
+    }
+    return handler(req);
+  };
+}
+async function generateCSRF(config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const tokenLength = config.tokenLength || DEFAULT_CONFIG2.tokenLength;
+  const cookieName = cookieOpts.name || "__csrf";
+  const token = await createToken(secret, tokenLength);
+  const cookieHeader = buildCookieString(cookieName, token, cookieOpts);
+  return { token, cookieHeader };
+}
+async function validateCSRF(req, config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const headerName = config.headerName || DEFAULT_CONFIG2.headerName;
+  const fieldName = config.fieldName || DEFAULT_CONFIG2.fieldName;
+  const cookieName = cookieOpts.name || "__csrf";
+  const cookieToken = req.cookies.get(cookieName)?.value;
+  if (!cookieToken) {
+    return { valid: false, reason: "missing_cookie" };
+  }
+  const cookieValid = await verifyToken(cookieToken, secret);
+  if (!cookieValid) {
+    return { valid: false, reason: "invalid_cookie" };
+  }
+  const requestToken = await extractToken(req, headerName, fieldName);
+  if (!requestToken) {
+    return { valid: false, reason: "missing_token" };
+  }
+  if (!tokensMatch(cookieToken, requestToken)) {
+    return { valid: false, reason: "token_mismatch" };
+  }
+  return { valid: true };
+}
 // src/index.ts
-var VERSION = "0.1.0";
+var VERSION = "0.2.0";
 exports.AuthenticationError = AuthenticationError;
 exports.AuthorizationError = AuthorizationError;
@@ -1010,9 +1193,11 @@ exports.ValidationError = ValidationError;
 exports.anonymizeIp = anonymizeIp;
 exports.checkRateLimit = checkRateLimit;
 exports.clearAllRateLimits = clearAllRateLimits;
+exports.createCSRFToken = createToken;
 exports.createMemoryStore = createMemoryStore;
 exports.createRateLimiter = createRateLimiter;
 exports.formatDuration = formatDuration;
+exports.generateCSRF = generateCSRF;
 exports.getClientIp = getClientIp;
 exports.getGeoInfo = getGeoInfo;
 exports.getGlobalMemoryStore = getGlobalMemoryStore;
@@ -1028,6 +1213,10 @@ exports.parseDuration = parseDuration;
 exports.resetRateLimit = resetRateLimit;
 exports.sleep = sleep;
 exports.toSecureError = toSecureError;
+exports.tokensMatch = tokensMatch;
+exports.validateCSRF = validateCSRF;
+exports.verifyCSRFToken = verifyToken;
+exports.withCSRF = withCSRF;
 exports.withRateLimit = withRateLimit;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map