nextjs-secure 0.1.1 → 0.2.0

package/dist/index.js

@@ -1,3 +1,5 @@
+import { webcrypto } from 'crypto';
+
 // src/core/errors.ts
 var SecureError = class extends Error {
   /**
@@ -992,10 +994,191 @@ function clearAllRateLimits() {
     defaultStore.clear();
   }
 }
+var encoder = new TextEncoder();
+function randomBytes(length) {
+  const bytes = new Uint8Array(length);
+  webcrypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createSignature(data, secret) {
+  const key = await webcrypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await webcrypto.subtle.sign("HMAC", key, encoder.encode(data));
+  return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function safeCompare(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+async function createToken(secret, length = 32) {
+  const data = randomBytes(length);
+  const sig = await createSignature(data, secret);
+  return `${data}.${sig}`;
+}
+async function verifyToken(token, secret) {
+  if (!token || typeof token !== "string") return false;
+  const parts = token.split(".");
+  if (parts.length !== 2) return false;
+  const [data, sig] = parts;
+  if (!data || !sig) return false;
+  try {
+    const expected = await createSignature(data, secret);
+    return safeCompare(sig, expected);
+  } catch {
+    return false;
+  }
+}
+function tokensMatch(a, b) {
+  if (!a || !b) return false;
+  return safeCompare(a, b);
+}
+
+// src/middleware/csrf/middleware.ts
+var DEFAULT_COOKIE = {
+  name: "__csrf",
+  path: "/",
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  maxAge: 86400
+  // 24h
+};
+var DEFAULT_CONFIG2 = {
+  headerName: "x-csrf-token",
+  fieldName: "_csrf",
+  tokenLength: 32,
+  protectedMethods: ["POST", "PUT", "PATCH", "DELETE"]
+};
+function getSecret(config) {
+  const secret = config.secret || process.env.CSRF_SECRET;
+  if (!secret) {
+    throw new Error(
+      "CSRF secret is required. Set config.secret or CSRF_SECRET env variable."
+    );
+  }
+  return secret;
+}
+function buildCookieString(name, value, opts) {
+  let cookie = `${name}=${value}`;
+  if (opts.path) cookie += `; Path=${opts.path}`;
+  if (opts.domain) cookie += `; Domain=${opts.domain}`;
+  if (opts.maxAge) cookie += `; Max-Age=${opts.maxAge}`;
+  if (opts.httpOnly) cookie += "; HttpOnly";
+  if (opts.secure) cookie += "; Secure";
+  if (opts.sameSite) cookie += `; SameSite=${opts.sameSite}`;
+  return cookie;
+}
+async function extractToken(req, headerName, fieldName) {
+  const headerToken = req.headers.get(headerName);
+  if (headerToken) return headerToken;
+  const contentType = req.headers.get("content-type") || "";
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    try {
+      const cloned = req.clone();
+      const formData = await cloned.formData();
+      const token = formData.get(fieldName);
+      if (typeof token === "string") return token;
+    } catch {
+    }
+  }
+  if (contentType.includes("application/json")) {
+    try {
+      const cloned = req.clone();
+      const body = await cloned.json();
+      if (body && typeof body[fieldName] === "string") {
+        return body[fieldName];
+      }
+    } catch {
+    }
+  }
+  return null;
+}
+function defaultErrorResponse(_req, reason) {
+  return new Response(JSON.stringify({ error: "CSRF validation failed", reason }), {
+    status: 403,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function withCSRF(handler, config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const headerName = config.headerName || DEFAULT_CONFIG2.headerName;
+  const fieldName = config.fieldName || DEFAULT_CONFIG2.fieldName;
+  const protectedMethods = config.protectedMethods || DEFAULT_CONFIG2.protectedMethods;
+  const onError = config.onError || defaultErrorResponse;
+  return async (req) => {
+    const method = req.method.toUpperCase();
+    if (!protectedMethods.includes(method)) {
+      return handler(req);
+    }
+    if (config.skip) {
+      const shouldSkip = await config.skip(req);
+      if (shouldSkip) return handler(req);
+    }
+    const cookieName = cookieOpts.name || "__csrf";
+    const cookieToken = req.cookies.get(cookieName)?.value;
+    if (!cookieToken) {
+      return onError(req, "missing_cookie");
+    }
+    const cookieValid = await verifyToken(cookieToken, secret);
+    if (!cookieValid) {
+      return onError(req, "invalid_cookie");
+    }
+    const requestToken = await extractToken(req, headerName, fieldName);
+    if (!requestToken) {
+      return onError(req, "missing_token");
+    }
+    if (!tokensMatch(cookieToken, requestToken)) {
+      return onError(req, "token_mismatch");
+    }
+    return handler(req);
+  };
+}
+async function generateCSRF(config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const tokenLength = config.tokenLength || DEFAULT_CONFIG2.tokenLength;
+  const cookieName = cookieOpts.name || "__csrf";
+  const token = await createToken(secret, tokenLength);
+  const cookieHeader = buildCookieString(cookieName, token, cookieOpts);
+  return { token, cookieHeader };
+}
+async function validateCSRF(req, config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const headerName = config.headerName || DEFAULT_CONFIG2.headerName;
+  const fieldName = config.fieldName || DEFAULT_CONFIG2.fieldName;
+  const cookieName = cookieOpts.name || "__csrf";
+  const cookieToken = req.cookies.get(cookieName)?.value;
+  if (!cookieToken) {
+    return { valid: false, reason: "missing_cookie" };
+  }
+  const cookieValid = await verifyToken(cookieToken, secret);
+  if (!cookieValid) {
+    return { valid: false, reason: "invalid_cookie" };
+  }
+  const requestToken = await extractToken(req, headerName, fieldName);
+  if (!requestToken) {
+    return { valid: false, reason: "missing_token" };
+  }
+  if (!tokensMatch(cookieToken, requestToken)) {
+    return { valid: false, reason: "token_mismatch" };
+  }
+  return { valid: true };
+}
 
 // src/index.ts
-var VERSION = "0.1.0";
+var VERSION = "0.2.0";
 
-export { AuthenticationError, AuthorizationError, ConfigurationError, CsrfError, MemoryStore, RateLimitError, SecureError, VERSION, ValidationError, anonymizeIp, checkRateLimit, clearAllRateLimits, createMemoryStore, createRateLimiter, formatDuration, getClientIp, getGeoInfo, getGlobalMemoryStore, getRateLimitStatus, isLocalhost, isPrivateIp, isSecureError, isValidIp, normalizeIp, nowInMs, nowInSeconds, parseDuration, resetRateLimit, sleep, toSecureError, withRateLimit };
+export { AuthenticationError, AuthorizationError, ConfigurationError, CsrfError, MemoryStore, RateLimitError, SecureError, VERSION, ValidationError, anonymizeIp, checkRateLimit, clearAllRateLimits, createToken as createCSRFToken, createMemoryStore, createRateLimiter, formatDuration, generateCSRF, getClientIp, getGeoInfo, getGlobalMemoryStore, getRateLimitStatus, isLocalhost, isPrivateIp, isSecureError, isValidIp, normalizeIp, nowInMs, nowInSeconds, parseDuration, resetRateLimit, sleep, toSecureError, tokensMatch, validateCSRF, verifyToken as verifyCSRFToken, withCSRF, withRateLimit };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map