npm - nextjs-secure - Versions diffs - 0.1.1 → 0.3.0 - Mend

nextjs-secure 0.1.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/README.md +243 -0
package/dist/csrf.cjs +187 -10
package/dist/csrf.cjs.map +1 -1
package/dist/csrf.d.cts +71 -22
package/dist/csrf.d.ts +71 -22
package/dist/csrf.js +182 -8
package/dist/csrf.js.map +1 -1
package/dist/headers.cjs +277 -7
package/dist/headers.cjs.map +1 -1
package/dist/headers.d.cts +162 -25
package/dist/headers.d.ts +162 -25
package/dist/headers.js +267 -6
package/dist/headers.js.map +1 -1
package/dist/index.cjs +469 -1
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +6 -3
package/dist/index.d.ts +6 -3
package/dist/index.js +454 -2
package/dist/index.js.map +1 -1
package/dist/{memory-g9zyQPy5.d.cts → memory-Dauy-IH3.d.cts} +1 -1
package/dist/{memory-g9zyQPy5.d.ts → memory-Dauy-IH3.d.ts} +1 -1
package/dist/rate-limit.d.cts +2 -2
package/dist/rate-limit.d.ts +2 -2
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -47,6 +47,15 @@ pnpm add nextjs-secure
   - [Storage Backends](#storage-backends)
   - [Custom Identifiers](#custom-identifiers)
   - [Response Customization](#response-customization)
+- [CSRF Protection](#csrf-protection)
+  - [Basic Setup](#basic-setup)
+  - [Client-Side Usage](#client-side-usage)
+  - [Configuration](#configuration-1)
+  - [Manual Validation](#manual-validation)
+- [Security Headers](#security-headers)
+  - [Quick Start](#quick-start-1)
+  - [Presets](#presets)
+  - [Custom Configuration](#custom-configuration)
 - [Utilities](#utilities)
 - [API Reference](#api-reference)
 - [Examples](#examples)
@@ -387,6 +396,240 @@ export async function GET(request: NextRequest) {
 }
 ```
+## CSRF Protection
+Protect your forms against Cross-Site Request Forgery attacks using the double submit cookie pattern.
+### Basic Setup
+```typescript
+// app/api/csrf/route.ts - Token endpoint
+import { generateCSRF } from 'nextjs-secure/csrf'
+export async function GET() {
+  const { token, cookieHeader } = await generateCSRF()
+  return Response.json(
+    { csrfToken: token },
+    { headers: { 'Set-Cookie': cookieHeader } }
+  )
+}
+```
+```typescript
+// app/api/submit/route.ts - Protected endpoint
+import { withCSRF } from 'nextjs-secure/csrf'
+export const POST = withCSRF(async (req) => {
+  const data = await req.json()
+  // Safe to process - CSRF validated
+  return Response.json({ success: true })
+})
+```
+### Client-Side Usage
+```typescript
+// Fetch token on page load
+const { csrfToken } = await fetch('/api/csrf').then(r => r.json())
+// Include in form submissions
+fetch('/api/submit', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json',
+    'x-csrf-token': csrfToken  // Token in header
+  },
+  body: JSON.stringify({ data: '...' })
+})
+```
+Or include in form body:
+```typescript
+fetch('/api/submit', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({
+    _csrf: csrfToken,  // Token in body
+    data: '...'
+  })
+})
+```
+### Configuration
+```typescript
+import { withCSRF } from 'nextjs-secure/csrf'
+export const POST = withCSRF(handler, {
+  // Cookie settings
+  cookie: {
+    name: '__csrf',        // Cookie name
+    httpOnly: true,        // Not accessible via JS
+    secure: true,          // HTTPS only
+    sameSite: 'strict',    // Strict same-site policy
+    maxAge: 86400          // 24 hours
+  },
+  // Where to look for token
+  headerName: 'x-csrf-token',  // Header name
+  fieldName: '_csrf',          // Body field name
+  // Token settings
+  secret: process.env.CSRF_SECRET,  // Signing secret
+  tokenLength: 32,                   // Token size in bytes
+  // Protected methods (default: POST, PUT, PATCH, DELETE)
+  protectedMethods: ['POST', 'PUT', 'PATCH', 'DELETE'],
+  // Skip protection conditionally
+  skip: (req) => req.headers.get('x-api-key') === 'trusted',
+  // Custom error response
+  onError: (req, reason) => {
+    return new Response(`CSRF failed: ${reason}`, { status: 403 })
+  }
+})
+```
+### Manual Validation
+```typescript
+import { validateCSRF } from 'nextjs-secure/csrf'
+export async function POST(req) {
+  const result = await validateCSRF(req)
+  if (!result.valid) {
+    console.log('CSRF failed:', result.reason)
+    // reason: 'missing_cookie' | 'invalid_cookie' | 'missing_token' | 'token_mismatch'
+    return Response.json({ error: result.reason }, { status: 403 })
+  }
+  // Continue processing
+}
+```
+### Environment Variable
+Set `CSRF_SECRET` in your environment:
+```env
+CSRF_SECRET=your-secret-key-min-32-chars-recommended
+```
+## Security Headers
+Add security headers to your responses with pre-configured presets or custom configuration.
+### Quick Start
+```typescript
+import { withSecurityHeaders } from 'nextjs-secure/headers'
+// Use strict preset (default)
+export const GET = withSecurityHeaders(async (req) => {
+  return Response.json({ data: 'protected' })
+})
+```
+### Presets
+Three presets available: `strict`, `relaxed`, `api`
+```typescript
+// Strict: Maximum security (default)
+export const GET = withSecurityHeaders(handler, { preset: 'strict' })
+// Relaxed: Development-friendly, allows inline scripts
+export const GET = withSecurityHeaders(handler, { preset: 'relaxed' })
+// API: Optimized for JSON APIs
+export const GET = withSecurityHeaders(handler, { preset: 'api' })
+```
+### Custom Configuration
+```typescript
+import { withSecurityHeaders } from 'nextjs-secure/headers'
+export const GET = withSecurityHeaders(handler, {
+  config: {
+    // Content-Security-Policy
+    contentSecurityPolicy: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", 'data:', 'https:'],
+    },
+    // Strict-Transport-Security
+    strictTransportSecurity: {
+      maxAge: 31536000,
+      includeSubDomains: true,
+      preload: true,
+    },
+    // Other headers
+    xFrameOptions: 'DENY',           // or 'SAMEORIGIN'
+    xContentTypeOptions: true,        // X-Content-Type-Options: nosniff
+    referrerPolicy: 'strict-origin-when-cross-origin',
+    // Cross-Origin headers
+    crossOriginOpenerPolicy: 'same-origin',
+    crossOriginEmbedderPolicy: 'require-corp',
+    crossOriginResourcePolicy: 'same-origin',
+    // Permissions-Policy (disable features)
+    permissionsPolicy: {
+      camera: [],
+      microphone: [],
+      geolocation: [],
+    },
+  }
+})
+```
+### Disable Specific Headers
+```typescript
+export const GET = withSecurityHeaders(handler, {
+  config: {
+    contentSecurityPolicy: false,  // Disable CSP
+    xFrameOptions: false,          // Disable X-Frame-Options
+  }
+})
+```
+### Manual Header Creation
+```typescript
+import { createSecurityHeaders } from 'nextjs-secure/headers'
+export async function GET() {
+  const headers = createSecurityHeaders({ preset: 'api' })
+  return new Response(JSON.stringify({ ok: true }), {
+    headers,
+  })
+}
+```
+### Available Headers
+| Header | Description |
+|--------|-------------|
+| Content-Security-Policy | Controls resources the page can load |
+| Strict-Transport-Security | Forces HTTPS connections |
+| X-Frame-Options | Prevents clickjacking |
+| X-Content-Type-Options | Prevents MIME sniffing |
+| Referrer-Policy | Controls referrer information |
+| Permissions-Policy | Disables browser features |
+| Cross-Origin-Opener-Policy | Isolates browsing context |
+| Cross-Origin-Embedder-Policy | Controls embedding |
+| Cross-Origin-Resource-Policy | Controls resource sharing |
 ## Utilities
 ### Duration Parsing

package/dist/csrf.cjs CHANGED Viewed

@@ -1,18 +1,195 @@
 'use strict';
-// src/middleware/csrf/index.ts
-function withCsrf() {
-  throw new Error("CSRF middleware coming soon in v0.2.0");
+var crypto = require('crypto');
+// src/middleware/csrf/token.ts
+var encoder = new TextEncoder();
+function randomBytes(length) {
+  const bytes = new Uint8Array(length);
+  crypto.webcrypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createSignature(data, secret) {
+  const key = await crypto.webcrypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto.webcrypto.subtle.sign("HMAC", key, encoder.encode(data));
+  return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function safeCompare(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+async function createToken(secret, length = 32) {
+  const data = randomBytes(length);
+  const sig = await createSignature(data, secret);
+  return `${data}.${sig}`;
+}
+async function verifyToken(token, secret) {
+  if (!token || typeof token !== "string") return false;
+  const parts = token.split(".");
+  if (parts.length !== 2) return false;
+  const [data, sig] = parts;
+  if (!data || !sig) return false;
+  try {
+    const expected = await createSignature(data, secret);
+    return safeCompare(sig, expected);
+  } catch {
+    return false;
+  }
+}
+function tokensMatch(a, b) {
+  if (!a || !b) return false;
+  return safeCompare(a, b);
+}
+// src/middleware/csrf/middleware.ts
+var DEFAULT_COOKIE = {
+  name: "__csrf",
+  path: "/",
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  maxAge: 86400
+  // 24h
+};
+var DEFAULT_CONFIG = {
+  headerName: "x-csrf-token",
+  fieldName: "_csrf",
+  tokenLength: 32,
+  protectedMethods: ["POST", "PUT", "PATCH", "DELETE"]
+};
+function getSecret(config) {
+  const secret = config.secret || process.env.CSRF_SECRET;
+  if (!secret) {
+    throw new Error(
+      "CSRF secret is required. Set config.secret or CSRF_SECRET env variable."
+    );
+  }
+  return secret;
+}
+function buildCookieString(name, value, opts) {
+  let cookie = `${name}=${value}`;
+  if (opts.path) cookie += `; Path=${opts.path}`;
+  if (opts.domain) cookie += `; Domain=${opts.domain}`;
+  if (opts.maxAge) cookie += `; Max-Age=${opts.maxAge}`;
+  if (opts.httpOnly) cookie += "; HttpOnly";
+  if (opts.secure) cookie += "; Secure";
+  if (opts.sameSite) cookie += `; SameSite=${opts.sameSite}`;
+  return cookie;
+}
+async function extractToken(req, headerName, fieldName) {
+  const headerToken = req.headers.get(headerName);
+  if (headerToken) return headerToken;
+  const contentType = req.headers.get("content-type") || "";
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    try {
+      const cloned = req.clone();
+      const formData = await cloned.formData();
+      const token = formData.get(fieldName);
+      if (typeof token === "string") return token;
+    } catch {
+    }
+  }
+  if (contentType.includes("application/json")) {
+    try {
+      const cloned = req.clone();
+      const body = await cloned.json();
+      if (body && typeof body[fieldName] === "string") {
+        return body[fieldName];
+      }
+    } catch {
+    }
+  }
+  return null;
+}
+function defaultErrorResponse(_req, reason) {
+  return new Response(JSON.stringify({ error: "CSRF validation failed", reason }), {
+    status: 403,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function withCSRF(handler, config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const headerName = config.headerName || DEFAULT_CONFIG.headerName;
+  const fieldName = config.fieldName || DEFAULT_CONFIG.fieldName;
+  const protectedMethods = config.protectedMethods || DEFAULT_CONFIG.protectedMethods;
+  const onError = config.onError || defaultErrorResponse;
+  return async (req) => {
+    const method = req.method.toUpperCase();
+    if (!protectedMethods.includes(method)) {
+      return handler(req);
+    }
+    if (config.skip) {
+      const shouldSkip = await config.skip(req);
+      if (shouldSkip) return handler(req);
+    }
+    const cookieName = cookieOpts.name || "__csrf";
+    const cookieToken = req.cookies.get(cookieName)?.value;
+    if (!cookieToken) {
+      return onError(req, "missing_cookie");
+    }
+    const cookieValid = await verifyToken(cookieToken, secret);
+    if (!cookieValid) {
+      return onError(req, "invalid_cookie");
+    }
+    const requestToken = await extractToken(req, headerName, fieldName);
+    if (!requestToken) {
+      return onError(req, "missing_token");
+    }
+    if (!tokensMatch(cookieToken, requestToken)) {
+      return onError(req, "token_mismatch");
+    }
+    return handler(req);
+  };
 }
-function generateCsrfToken() {
-  throw new Error("CSRF middleware coming soon in v0.2.0");
+async function generateCSRF(config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const tokenLength = config.tokenLength || DEFAULT_CONFIG.tokenLength;
+  const cookieName = cookieOpts.name || "__csrf";
+  const token = await createToken(secret, tokenLength);
+  const cookieHeader = buildCookieString(cookieName, token, cookieOpts);
+  return { token, cookieHeader };
 }
-function validateCsrfToken() {
-  throw new Error("CSRF middleware coming soon in v0.2.0");
+async function validateCSRF(req, config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const headerName = config.headerName || DEFAULT_CONFIG.headerName;
+  const fieldName = config.fieldName || DEFAULT_CONFIG.fieldName;
+  const cookieName = cookieOpts.name || "__csrf";
+  const cookieToken = req.cookies.get(cookieName)?.value;
+  if (!cookieToken) {
+    return { valid: false, reason: "missing_cookie" };
+  }
+  const cookieValid = await verifyToken(cookieToken, secret);
+  if (!cookieValid) {
+    return { valid: false, reason: "invalid_cookie" };
+  }
+  const requestToken = await extractToken(req, headerName, fieldName);
+  if (!requestToken) {
+    return { valid: false, reason: "missing_token" };
+  }
+  if (!tokensMatch(cookieToken, requestToken)) {
+    return { valid: false, reason: "token_mismatch" };
+  }
+  return { valid: true };
 }
-exports.generateCsrfToken = generateCsrfToken;
-exports.validateCsrfToken = validateCsrfToken;
-exports.withCsrf = withCsrf;
+exports.createToken = createToken;
+exports.generateCSRF = generateCSRF;
+exports.tokensMatch = tokensMatch;
+exports.validateCSRF = validateCSRF;
+exports.verifyToken = verifyToken;
+exports.withCSRF = withCSRF;
 //# sourceMappingURL=csrf.cjs.map
 //# sourceMappingURL=csrf.cjs.map

package/dist/csrf.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/middleware/csrf/index.ts"],"names":[],"mappings":";;;AAuBO,SAAS,QAAA,GAAW;AACzB,EAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AACzD;AAEO,SAAS,iBAAA,GAAoB;AAClC,EAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AACzD;AAEO,SAAS,iBAAA,GAAoB;AAClC,EAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AACzD","file":"csrf.cjs","sourcesContent":["/*\n CSRF Protection Middleware (Coming Soon)\n \n @example\n * ```typescript\n * import { withCsrf, generateCsrfToken } from 'next-secure/csrf'\n \n // Generate token\n * export async function GET() {\n * const token = await generateCsrfToken()\n * return Response.json({ csrfToken: token })\n * }\n \n // Validate token\n * export const POST = withCsrf(async (req) => {\n * return Response.json({ ok: true })\n * })\n * ```\n \n @packageDocumentation\n */\n\n// Placeholder for CSRF middleware\nexport function withCsrf() {\n throw new Error('CSRF middleware coming soon in v0.2.0')\n}\n\nexport function generateCsrfToken() {\n throw new Error('CSRF middleware coming soon in v0.2.0')\n}\n\nexport function validateCsrfToken() {\n throw new Error('CSRF middleware coming soon in v0.2.0')\n}\n"]}
1	+ {"version":3,"sources":["../src/middleware/csrf/token.ts","../src/middleware/csrf/middleware.ts"],"names":["webcrypto"],"mappings":";;;;;AAEA,IAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAKzB,SAAS,YAAY,MAAA,EAAwB;AAClD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAAA,gBAAA,CAAU,gBAAgB,KAAK,CAAA;AAC/B,EAAA,OAAO,MAAM,IAAA,CAAK,KAAK,CAAA,CACpB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,QAAA,CAAS,EAAE,EAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAC1C,KAAK,EAAE,CAAA;AACZ;AAKA,eAAe,eAAA,CAAgB,MAAc,MAAA,EAAiC;AAC5E,EAAA,MAAM,GAAA,GAAM,MAAMA,gBAAA,CAAU,MAAA,CAAO,SAAA;AAAA,IACjC,KAAA;AAAA,IACA,OAAA,CAAQ,OAAO,MAAM,CAAA;AAAA,IACrB,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAU;AAAA,IAChC,KAAA;AAAA,IACA,CAAC,MAAM;AAAA,GACT;AAEA,EAAA,MAAM,GAAA,GAAM,MAAMA,gBAAA,CAAU,MAAA,CAAO,IAAA,CAAK,QAAQ,GAAA,EAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAC,CAAA;AACzE,EAAA,OAAO,KAAA,CAAM,KAAK,IAAI,UAAA,CAAW,GAAG,CAAC,CAAA,CAClC,IAAI,CAAC,CAAA,KAAM,EAAE,QAAA,CAAS,EAAE,EAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAC1C,KAAK,EAAE,CAAA;AACZ;AAKA,SAAS,WAAA,CAAY,GAAW,CAAA,EAAoB;AAClD,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAElC,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AACjC,IAAA,MAAA,IAAU,EAAE,UAAA,CAAW,CAAC,CAAA,GAAI,CAAA,CAAE,WAAW,CAAC,CAAA;AAAA,EAC5C;AACA,EAAA,OAAO,MAAA,KAAW,CAAA;AACpB;AAKA,eAAsB,WAAA,CACpB,MAAA,EACA,MAAA,GAAiB,EAAA,EACA;AACjB,EAAA,MAAM,IAAA,GAAO,YAAY,MAAM,CAAA;AAC/B,EAAA,MAAM,GAAA,GAAM,MAAM,eAAA,CAAgB,IAAA,EAAM,MAAM,CAAA;AAC9C,EAAA,OAAO,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA;AACvB;AAKA,eAAsB,WAAA,CACpB,OACA,MAAA,EACkB;AAClB,EAAA,IAAI,CAAC,KAAA,IAAS,OAAO,KAAA,KAAU,UAAU,OAAO,KAAA;AAEhD,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAC7B,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AAE/B,EAAA,MAAM,CAAC,IAAA,EAAM,GAAG,CAAA,GAAI,KAAA;AACpB,EAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,GAAA,EAAK,OAAO,KAAA;AAE1B,EAAA,IAAI;AACF,IAAA,MAAM,QAAA,GAAW,MAAM,eAAA,CAAgB,IAAA,EAAM,MAAM,CAAA;AACnD,IAAA,OAAO,WAAA,CAAY,KAAK,QAAQ,CAAA;AAAA,EAClC,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAKO,SAAS,WAAA,CAAY,GAAW,CAAA,EAAoB;AACzD,EAAA,IAAI,CAAC,CAAA,IAAK,CAAC,CAAA,EAAG,OAAO,KAAA;AACrB,EAAA,OAAO,WAAA,CAAY,GAAG,CAAC,CAAA;AACzB;;;ACjFA,IAAM,cAAA,GAAoC;AAAA,EACxC,IAAA,EAAM,QAAA;AAAA,EACN,IAAA,EAAM,GAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,EACjC,QAAA,EAAU,QAAA;AAAA,EACV,MAAA,EAAQ;AAAA;AACV,CAAA;AAEA,IAAM,cAAA,GAAiE;AAAA,EAErE,UAAA,EAAY,cAAA;AAAA,EACZ,SAAA,EAAW,OAAA;AAAA,EAEX,WAAA,EAAa,EAAA;AAAA,EACb,gBAAA,EAAkB,CAAC,MAAA,EAAQ,KAAA,EAAO,SAAS,QAAQ;AACrD,CAAA;AAEA,SAAS,UAAU,MAAA,EAA4B;AAC7C,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,WAAA;AAC5C,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACA,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,iBAAA,CAAkB,IAAA,EAAc,KAAA,EAAe,IAAA,EAAiC;AACvF,EAAA,IAAI,MAAA,GAAS,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,KAAK,CAAA,CAAA;AAE7B,EAAA,IAAI,IAAA,CAAK,IAAA,EAAM,MAAA,IAAU,CAAA,OAAA,EAAU,KAAK,IAAI,CAAA,CAAA;AAC5C,EAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,MAAA,IAAU,CAAA,SAAA,EAAY,KAAK,MAAM,CAAA,CAAA;AAClD,EAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,MAAA,IAAU,CAAA,UAAA,EAAa,KAAK,MAAM,CAAA,CAAA;AACnD,EAAA,IAAI,IAAA,CAAK,UAAU,MAAA,IAAU,YAAA;AAC7B,EAAA,IAAI,IAAA,CAAK,QAAQ,MAAA,IAAU,UAAA;AAC3B,EAAA,IAAI,IAAA,CAAK,QAAA,EAAU,MAAA,IAAU,CAAA,WAAA,EAAc,KAAK,QAAQ,CAAA,CAAA;AAExD,EAAA,OAAO,MAAA;AACT;AAKA,eAAe,YAAA,CACb,GAAA,EACA,UAAA,EACA,SAAA,EACwB;AAExB,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAC9C,EAAA,IAAI,aAAa,OAAO,WAAA;AAGxB,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,IAAK,EAAA;AAEvD,EAAA,IAAI,WAAA,CAAY,QAAA,CAAS,mCAAmC,CAAA,EAAG;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,IAAI,KAAA,EAAM;AACzB,MAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,QAAA,EAAS;AACvC,MAAA,MAAM,KAAA,GAAQ,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AACpC,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAAA,IACxC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAEA,EAAA,IAAI,WAAA,CAAY,QAAA,CAAS,kBAAkB,CAAA,EAAG;AAC5C,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,IAAI,KAAA,EAAM;AACzB,MAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,IAAA,EAAK;AAC/B,MAAA,IAAI,IAAA,IAAQ,OAAO,IAAA,CAAK,SAAS,MAAM,QAAA,EAAU;AAC/C,QAAA,OAAO,KAAK,SAAS,CAAA;AAAA,MACvB;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,oBAAA,CAAqB,MAAmB,MAAA,EAA0B;AACzE,EAAA,OAAO,IAAI,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,wBAAA,EAA0B,MAAA,EAAQ,CAAA,EAAG;AAAA,IAC/E,MAAA,EAAQ,GAAA;AAAA,IACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA;AAAmB,GAC/C,CAAA;AACH;AAUO,SAAS,QAAA,CAAS,OAAA,EAAuB,MAAA,GAAqB,EAAC,EAAiB;AACrF,EAAA,MAAM,MAAA,GAAS,UAAU,MAAM,CAAA;AAC/B,EAAA,MAAM,aAAa,EAAE,GAAG,cAAA,EAAgB,GAAG,OAAO,MAAA,EAAO;AACzD,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,UAAA,IAAc,cAAA,CAAe,UAAA;AACvD,EAAA,MAAM,SAAA,GAAY,MAAA,CAAO,SAAA,IAAa,cAAA,CAAe,SAAA;AACrD,EAAA,MAAM,gBAAA,GAAmB,MAAA,CAAO,gBAAA,IAAoB,cAAA,CAAe,gBAAA;AACnE,EAAA,MAAM,OAAA,GAAU,OAAO,OAAA,IAAW,oBAAA;AAElC,EAAA,OAAO,OAAO,GAAA,KAAwC;AACpD,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,CAAO,WAAA,EAAY;AAGtC,IAAA,IAAI,CAAC,gBAAA,CAAiB,QAAA,CAAS,MAAM,CAAA,EAAG;AACtC,MAAA,OAAO,QAAQ,GAAG,CAAA;AAAA,IACpB;AAGA,IAAA,IAAI,OAAO,IAAA,EAAM;AACf,MAAA,MAAM,UAAA,GAAa,MAAM,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA;AACxC,MAAA,IAAI,UAAA,EAAY,OAAO,OAAA,CAAQ,GAAG,CAAA;AAAA,IACpC;AAEA,IAAA,MAAM,UAAA,GAAa,WAAW,IAAA,IAAQ,QAAA;AACtC,IAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,KAAA;AAGjD,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO,OAAA,CAAQ,KAAK,gBAAgB,CAAA;AAAA,IACtC;AAGA,IAAA,MAAM,WAAA,GAAc,MAAM,WAAA,CAAY,WAAA,EAAa,MAAM,CAAA;AACzD,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO,OAAA,CAAQ,KAAK,gBAAgB,CAAA;AAAA,IACtC;AAGA,IAAA,MAAM,YAAA,GAAe,MAAM,YAAA,CAAa,GAAA,EAAK,YAAY,SAAS,CAAA;AAClE,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,OAAO,OAAA,CAAQ,KAAK,eAAe,CAAA;AAAA,IACrC;AAGA,IAAA,IAAI,CAAC,WAAA,CAAY,WAAA,EAAa,YAAY,CAAA,EAAG;AAC3C,MAAA,OAAO,OAAA,CAAQ,KAAK,gBAAgB,CAAA;AAAA,IACtC;AAEA,IAAA,OAAO,QAAQ,GAAG,CAAA;AAAA,EACpB,CAAA;AACF;AAMA,eAAsB,YAAA,CAAa,MAAA,GAAqB,EAAC,EAGtD;AACD,EAAA,MAAM,MAAA,GAAS,UAAU,MAAM,CAAA;AAC/B,EAAA,MAAM,aAAa,EAAE,GAAG,cAAA,EAAgB,GAAG,OAAO,MAAA,EAAO;AACzD,EAAA,MAAM,WAAA,GAAc,MAAA,CAAO,WAAA,IAAe,cAAA,CAAe,WAAA;AACzD,EAAA,MAAM,UAAA,GAAa,WAAW,IAAA,IAAQ,QAAA;AAEtC,EAAA,MAAM,KAAA,GAAQ,MAAM,WAAA,CAAY,MAAA,EAAQ,WAAW,CAAA;AACnD,EAAA,MAAM,YAAA,GAAe,iBAAA,CAAkB,UAAA,EAAY,KAAA,EAAO,UAAU,CAAA;AAEpE,EAAA,OAAO,EAAE,OAAO,YAAA,EAAa;AAC/B;AAMA,eAAsB,YAAA,CACpB,GAAA,EACA,MAAA,GAAqB,EAAC,EACwB;AAC9C,EAAA,MAAM,MAAA,GAAS,UAAU,MAAM,CAAA;AAC/B,EAAA,MAAM,aAAa,EAAE,GAAG,cAAA,EAAgB,GAAG,OAAO,MAAA,EAAO;AACzD,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,UAAA,IAAc,cAAA,CAAe,UAAA;AACvD,EAAA,MAAM,SAAA,GAAY,MAAA,CAAO,SAAA,IAAa,cAAA,CAAe,SAAA;AACrD,EAAA,MAAM,UAAA,GAAa,WAAW,IAAA,IAAQ,QAAA;AAEtC,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA,EAAG,KAAA;AACjD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,gBAAA,EAAiB;AAAA,EAClD;AAEA,EAAA,MAAM,WAAA,GAAc,MAAM,WAAA,CAAY,WAAA,EAAa,MAAM,CAAA;AACzD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,gBAAA,EAAiB;AAAA,EAClD;AAEA,EAAA,MAAM,YAAA,GAAe,MAAM,YAAA,CAAa,GAAA,EAAK,YAAY,SAAS,CAAA;AAClE,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,eAAA,EAAgB;AAAA,EACjD;AAEA,EAAA,IAAI,CAAC,WAAA,CAAY,WAAA,EAAa,YAAY,CAAA,EAAG;AAC3C,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,gBAAA,EAAiB;AAAA,EAClD;AAEA,EAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AACvB","file":"csrf.cjs","sourcesContent":["import { webcrypto } from 'node:crypto'\n\nconst encoder = new TextEncoder()\n\n/*\n Generate random bytes as hex string\n /\nexport function randomBytes(length: number): string {\n const bytes = new Uint8Array(length)\n webcrypto.getRandomValues(bytes)\n return Array.from(bytes)\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('')\n}\n\n/\n Create HMAC signature\n /\nasync function createSignature(data: string, secret: string): Promise<string> {\n const key = await webcrypto.subtle.importKey(\n 'raw',\n encoder.encode(secret),\n { name: 'HMAC', hash: 'SHA-256' },\n false,\n ['sign']\n )\n\n const sig = await webcrypto.subtle.sign('HMAC', key, encoder.encode(data))\n return Array.from(new Uint8Array(sig))\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('')\n}\n\n/\n Constant-time string comparison to prevent timing attacks\n /\nfunction safeCompare(a: string, b: string): boolean {\n if (a.length !== b.length) return false\n\n let result = 0\n for (let i = 0; i < a.length; i++) {\n result \|= a.charCodeAt(i) ^ b.charCodeAt(i)\n }\n return result === 0\n}\n\n/\n Create a signed CSRF token\n /\nexport async function createToken(\n secret: string,\n length: number = 32\n): Promise<string> {\n const data = randomBytes(length)\n const sig = await createSignature(data, secret)\n return `${data}.${sig}`\n}\n\n/\n Verify a signed CSRF token\n /\nexport async function verifyToken(\n token: string,\n secret: string\n): Promise<boolean> {\n if (!token \|\| typeof token !== 'string') return false\n\n const parts = token.split('.')\n if (parts.length !== 2) return false\n\n const [data, sig] = parts\n if (!data \|\| !sig) return false\n\n try {\n const expected = await createSignature(data, secret)\n return safeCompare(sig, expected)\n } catch {\n return false\n }\n}\n\n/\n Compare two tokens (constant-time)\n /\nexport function tokensMatch(a: string, b: string): boolean {\n if (!a \|\| !b) return false\n return safeCompare(a, b)\n}\n","import type { NextRequest } from 'next/server'\nimport type { CSRFConfig, CSRFCookieOptions } from './types'\nimport { createToken, verifyToken, tokensMatch } from './token'\n\ntype RouteHandler = (req: NextRequest) => Response \| Promise<Response>\n\nconst DEFAULT_COOKIE: CSRFCookieOptions = {\n name: '__csrf',\n path: '/',\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'strict',\n maxAge: 86400, // 24h\n}\n\nconst DEFAULT_CONFIG: Required<Omit<CSRFConfig, 'skip' \| 'onError'>> = {\n cookie: DEFAULT_COOKIE,\n headerName: 'x-csrf-token',\n fieldName: '_csrf',\n secret: '',\n tokenLength: 32,\n protectedMethods: ['POST', 'PUT', 'PATCH', 'DELETE'],\n}\n\nfunction getSecret(config: CSRFConfig): string {\n const secret = config.secret \|\| process.env.CSRF_SECRET\n if (!secret) {\n throw new Error(\n 'CSRF secret is required. Set config.secret or CSRF_SECRET env variable.'\n )\n }\n return secret\n}\n\nfunction buildCookieString(name: string, value: string, opts: CSRFCookieOptions): string {\n let cookie = `${name}=${value}`\n\n if (opts.path) cookie += `; Path=${opts.path}`\n if (opts.domain) cookie += `; Domain=${opts.domain}`\n if (opts.maxAge) cookie += `; Max-Age=${opts.maxAge}`\n if (opts.httpOnly) cookie += '; HttpOnly'\n if (opts.secure) cookie += '; Secure'\n if (opts.sameSite) cookie += `; SameSite=${opts.sameSite}`\n\n return cookie\n}\n\n/\n Extract token from request (header or body)\n /\nasync function extractToken(\n req: NextRequest,\n headerName: string,\n fieldName: string\n): Promise<string \| null> {\n // check header first\n const headerToken = req.headers.get(headerName)\n if (headerToken) return headerToken\n\n // try to get from form data\n const contentType = req.headers.get('content-type') \|\| ''\n\n if (contentType.includes('application/x-www-form-urlencoded')) {\n try {\n const cloned = req.clone()\n const formData = await cloned.formData()\n const token = formData.get(fieldName)\n if (typeof token === 'string') return token\n } catch {\n // ignore parse errors\n }\n }\n\n if (contentType.includes('application/json')) {\n try {\n const cloned = req.clone()\n const body = await cloned.json()\n if (body && typeof body[fieldName] === 'string') {\n return body[fieldName]\n }\n } catch {\n // ignore parse errors\n }\n }\n\n return null\n}\n\nfunction defaultErrorResponse(_req: NextRequest, reason: string): Response {\n return new Response(JSON.stringify({ error: 'CSRF validation failed', reason }), {\n status: 403,\n headers: { 'Content-Type': 'application/json' },\n })\n}\n\n/\n CSRF protection middleware\n \n Uses double submit cookie pattern:\n * 1. Server sets a signed token in a cookie\n * 2. Client sends the same token in header/body\n * 3. Server compares both values\n /\nexport function withCSRF(handler: RouteHandler, config: CSRFConfig = {}): RouteHandler {\n const secret = getSecret(config)\n const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie }\n const headerName = config.headerName \|\| DEFAULT_CONFIG.headerName\n const fieldName = config.fieldName \|\| DEFAULT_CONFIG.fieldName\n const protectedMethods = config.protectedMethods \|\| DEFAULT_CONFIG.protectedMethods\n const onError = config.onError \|\| defaultErrorResponse\n\n return async (req: NextRequest): Promise<Response> => {\n const method = req.method.toUpperCase()\n\n // skip unprotected methods\n if (!protectedMethods.includes(method)) {\n return handler(req)\n }\n\n // custom skip logic\n if (config.skip) {\n const shouldSkip = await config.skip(req)\n if (shouldSkip) return handler(req)\n }\n\n const cookieName = cookieOpts.name \|\| '__csrf'\n const cookieToken = req.cookies.get(cookieName)?.value\n\n // no cookie = first request, reject\n if (!cookieToken) {\n return onError(req, 'missing_cookie')\n }\n\n // verify cookie token is valid (signed by us)\n const cookieValid = await verifyToken(cookieToken, secret)\n if (!cookieValid) {\n return onError(req, 'invalid_cookie')\n }\n\n // get token from request\n const requestToken = await extractToken(req, headerName, fieldName)\n if (!requestToken) {\n return onError(req, 'missing_token')\n }\n\n // compare tokens\n if (!tokensMatch(cookieToken, requestToken)) {\n return onError(req, 'token_mismatch')\n }\n\n return handler(req)\n }\n}\n\n/\n Generate a new CSRF token and cookie header\n * Use this in GET routes to set the initial token\n /\nexport async function generateCSRF(config: CSRFConfig = {}): Promise<{\n token: string\n cookieHeader: string\n}> {\n const secret = getSecret(config)\n const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie }\n const tokenLength = config.tokenLength \|\| DEFAULT_CONFIG.tokenLength\n const cookieName = cookieOpts.name \|\| '__csrf'\n\n const token = await createToken(secret, tokenLength)\n const cookieHeader = buildCookieString(cookieName, token, cookieOpts)\n\n return { token, cookieHeader }\n}\n\n/\n Validate a CSRF token without middleware\n * Useful for custom validation flows\n */\nexport async function validateCSRF(\n req: NextRequest,\n config: CSRFConfig = {}\n): Promise<{ valid: boolean; reason?: string }> {\n const secret = getSecret(config)\n const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie }\n const headerName = config.headerName \|\| DEFAULT_CONFIG.headerName\n const fieldName = config.fieldName \|\| DEFAULT_CONFIG.fieldName\n const cookieName = cookieOpts.name \|\| '__csrf'\n\n const cookieToken = req.cookies.get(cookieName)?.value\n if (!cookieToken) {\n return { valid: false, reason: 'missing_cookie' }\n }\n\n const cookieValid = await verifyToken(cookieToken, secret)\n if (!cookieValid) {\n return { valid: false, reason: 'invalid_cookie' }\n }\n\n const requestToken = await extractToken(req, headerName, fieldName)\n if (!requestToken) {\n return { valid: false, reason: 'missing_token' }\n }\n\n if (!tokensMatch(cookieToken, requestToken)) {\n return { valid: false, reason: 'token_mismatch' }\n }\n\n return { valid: true }\n}\n"]}

package/dist/csrf.d.cts CHANGED Viewed

@@ -1,26 +1,75 @@
+import { NextRequest } from 'next/server';
+interface CSRFCookieOptions {
+    name?: string;
+    path?: string;
+    domain?: string;
+    secure?: boolean;
+    httpOnly?: boolean;
+    sameSite?: 'strict' | 'lax' | 'none';
+    maxAge?: number;
+}
+interface CSRFConfig {
+    /** Cookie settings */
+    cookie?: CSRFCookieOptions;
+    /** Header name to check for token (default: x-csrf-token) */
+    headerName?: string;
+    /** Form field name (default: _csrf) */
+    fieldName?: string;
+    /** Secret for signing tokens */
+    secret?: string;
+    /** Token length in bytes (default: 32) */
+    tokenLength?: number;
+    /** Methods to protect (default: POST, PUT, PATCH, DELETE) */
+    protectedMethods?: string[];
+    /** Skip CSRF check for specific requests */
+    skip?: (req: NextRequest) => boolean | Promise<boolean>;
+    /** Called when CSRF validation fails */
+    onError?: (req: NextRequest, reason: string) => Response | Promise<Response>;
+}
+interface CSRFToken {
+    value: string;
+    cookie: string;
+}
+type RouteHandler = (req: NextRequest) => Response | Promise<Response>;
 /**
- * CSRF Protection Middleware (Coming Soon)
- *
- * @example
- * ```typescript
- * import { withCsrf, generateCsrfToken } from 'next-secure/csrf'
- *
- * // Generate token
- * export async function GET() {
- *   const token = await generateCsrfToken()
- *   return Response.json({ csrfToken: token })
- * }
+ * CSRF protection middleware
  *
- * // Validate token
- * export const POST = withCsrf(async (req) => {
- *   return Response.json({ ok: true })
- * })
- * ```
- *
- * @packageDocumentation
+ * Uses double submit cookie pattern:
+ * 1. Server sets a signed token in a cookie
+ * 2. Client sends the same token in header/body
+ * 3. Server compares both values
+ */
+declare function withCSRF(handler: RouteHandler, config?: CSRFConfig): RouteHandler;
+/**
+ * Generate a new CSRF token and cookie header
+ * Use this in GET routes to set the initial token
+ */
+declare function generateCSRF(config?: CSRFConfig): Promise<{
+    token: string;
+    cookieHeader: string;
+}>;
+/**
+ * Validate a CSRF token without middleware
+ * Useful for custom validation flows
+ */
+declare function validateCSRF(req: NextRequest, config?: CSRFConfig): Promise<{
+    valid: boolean;
+    reason?: string;
+}>;
+/**
+ * Create a signed CSRF token
+ */
+declare function createToken(secret: string, length?: number): Promise<string>;
+/**
+ * Verify a signed CSRF token
+ */
+declare function verifyToken(token: string, secret: string): Promise<boolean>;
+/**
+ * Compare two tokens (constant-time)
  */
-declare function withCsrf(): void;
-declare function generateCsrfToken(): void;
-declare function validateCsrfToken(): void;
+declare function tokensMatch(a: string, b: string): boolean;
-export { generateCsrfToken, validateCsrfToken, withCsrf };
+export { type CSRFConfig, type CSRFCookieOptions, type CSRFToken, createToken, generateCSRF, tokensMatch, validateCSRF, verifyToken, withCSRF };