npm - nextjs-secure - Versions diffs - 0.1.1 → 0.3.0 - Mend

nextjs-secure 0.1.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/README.md +243 -0
package/dist/csrf.cjs +187 -10
package/dist/csrf.cjs.map +1 -1
package/dist/csrf.d.cts +71 -22
package/dist/csrf.d.ts +71 -22
package/dist/csrf.js +182 -8
package/dist/csrf.js.map +1 -1
package/dist/headers.cjs +277 -7
package/dist/headers.cjs.map +1 -1
package/dist/headers.d.cts +162 -25
package/dist/headers.d.ts +162 -25
package/dist/headers.js +267 -6
package/dist/headers.js.map +1 -1
package/dist/index.cjs +469 -1
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +6 -3
package/dist/index.d.ts +6 -3
package/dist/index.js +454 -2
package/dist/index.js.map +1 -1
package/dist/{memory-g9zyQPy5.d.cts → memory-Dauy-IH3.d.cts} +1 -1
package/dist/{memory-g9zyQPy5.d.ts → memory-Dauy-IH3.d.ts} +1 -1
package/dist/rate-limit.d.cts +2 -2
package/dist/rate-limit.d.ts +2 -2
package/package.json +1 -1

package/dist/index.cjs CHANGED Viewed

@@ -1,5 +1,7 @@
 'use strict';
+var crypto$1 = require('crypto');
 // src/core/errors.ts
 var SecureError = class extends Error {
   /**
@@ -994,28 +996,489 @@ function clearAllRateLimits() {
     defaultStore.clear();
   }
 }
+var encoder = new TextEncoder();
+function randomBytes(length) {
+  const bytes = new Uint8Array(length);
+  crypto$1.webcrypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createSignature(data, secret) {
+  const key = await crypto$1.webcrypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto$1.webcrypto.subtle.sign("HMAC", key, encoder.encode(data));
+  return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function safeCompare(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+async function createToken(secret, length = 32) {
+  const data = randomBytes(length);
+  const sig = await createSignature(data, secret);
+  return `${data}.${sig}`;
+}
+async function verifyToken(token, secret) {
+  if (!token || typeof token !== "string") return false;
+  const parts = token.split(".");
+  if (parts.length !== 2) return false;
+  const [data, sig] = parts;
+  if (!data || !sig) return false;
+  try {
+    const expected = await createSignature(data, secret);
+    return safeCompare(sig, expected);
+  } catch {
+    return false;
+  }
+}
+function tokensMatch(a, b) {
+  if (!a || !b) return false;
+  return safeCompare(a, b);
+}
+// src/middleware/csrf/middleware.ts
+var DEFAULT_COOKIE = {
+  name: "__csrf",
+  path: "/",
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict",
+  maxAge: 86400
+  // 24h
+};
+var DEFAULT_CONFIG2 = {
+  headerName: "x-csrf-token",
+  fieldName: "_csrf",
+  tokenLength: 32,
+  protectedMethods: ["POST", "PUT", "PATCH", "DELETE"]
+};
+function getSecret(config) {
+  const secret = config.secret || process.env.CSRF_SECRET;
+  if (!secret) {
+    throw new Error(
+      "CSRF secret is required. Set config.secret or CSRF_SECRET env variable."
+    );
+  }
+  return secret;
+}
+function buildCookieString(name, value, opts) {
+  let cookie = `${name}=${value}`;
+  if (opts.path) cookie += `; Path=${opts.path}`;
+  if (opts.domain) cookie += `; Domain=${opts.domain}`;
+  if (opts.maxAge) cookie += `; Max-Age=${opts.maxAge}`;
+  if (opts.httpOnly) cookie += "; HttpOnly";
+  if (opts.secure) cookie += "; Secure";
+  if (opts.sameSite) cookie += `; SameSite=${opts.sameSite}`;
+  return cookie;
+}
+async function extractToken(req, headerName, fieldName) {
+  const headerToken = req.headers.get(headerName);
+  if (headerToken) return headerToken;
+  const contentType = req.headers.get("content-type") || "";
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    try {
+      const cloned = req.clone();
+      const formData = await cloned.formData();
+      const token = formData.get(fieldName);
+      if (typeof token === "string") return token;
+    } catch {
+    }
+  }
+  if (contentType.includes("application/json")) {
+    try {
+      const cloned = req.clone();
+      const body = await cloned.json();
+      if (body && typeof body[fieldName] === "string") {
+        return body[fieldName];
+      }
+    } catch {
+    }
+  }
+  return null;
+}
+function defaultErrorResponse(_req, reason) {
+  return new Response(JSON.stringify({ error: "CSRF validation failed", reason }), {
+    status: 403,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function withCSRF(handler, config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const headerName = config.headerName || DEFAULT_CONFIG2.headerName;
+  const fieldName = config.fieldName || DEFAULT_CONFIG2.fieldName;
+  const protectedMethods = config.protectedMethods || DEFAULT_CONFIG2.protectedMethods;
+  const onError = config.onError || defaultErrorResponse;
+  return async (req) => {
+    const method = req.method.toUpperCase();
+    if (!protectedMethods.includes(method)) {
+      return handler(req);
+    }
+    if (config.skip) {
+      const shouldSkip = await config.skip(req);
+      if (shouldSkip) return handler(req);
+    }
+    const cookieName = cookieOpts.name || "__csrf";
+    const cookieToken = req.cookies.get(cookieName)?.value;
+    if (!cookieToken) {
+      return onError(req, "missing_cookie");
+    }
+    const cookieValid = await verifyToken(cookieToken, secret);
+    if (!cookieValid) {
+      return onError(req, "invalid_cookie");
+    }
+    const requestToken = await extractToken(req, headerName, fieldName);
+    if (!requestToken) {
+      return onError(req, "missing_token");
+    }
+    if (!tokensMatch(cookieToken, requestToken)) {
+      return onError(req, "token_mismatch");
+    }
+    return handler(req);
+  };
+}
+async function generateCSRF(config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const tokenLength = config.tokenLength || DEFAULT_CONFIG2.tokenLength;
+  const cookieName = cookieOpts.name || "__csrf";
+  const token = await createToken(secret, tokenLength);
+  const cookieHeader = buildCookieString(cookieName, token, cookieOpts);
+  return { token, cookieHeader };
+}
+async function validateCSRF(req, config = {}) {
+  const secret = getSecret(config);
+  const cookieOpts = { ...DEFAULT_COOKIE, ...config.cookie };
+  const headerName = config.headerName || DEFAULT_CONFIG2.headerName;
+  const fieldName = config.fieldName || DEFAULT_CONFIG2.fieldName;
+  const cookieName = cookieOpts.name || "__csrf";
+  const cookieToken = req.cookies.get(cookieName)?.value;
+  if (!cookieToken) {
+    return { valid: false, reason: "missing_cookie" };
+  }
+  const cookieValid = await verifyToken(cookieToken, secret);
+  if (!cookieValid) {
+    return { valid: false, reason: "invalid_cookie" };
+  }
+  const requestToken = await extractToken(req, headerName, fieldName);
+  if (!requestToken) {
+    return { valid: false, reason: "missing_token" };
+  }
+  if (!tokensMatch(cookieToken, requestToken)) {
+    return { valid: false, reason: "token_mismatch" };
+  }
+  return { valid: true };
+}
+// src/middleware/headers/builder.ts
+function buildCSP(policy) {
+  const directives = [];
+  const directiveMap = {
+    defaultSrc: "default-src",
+    scriptSrc: "script-src",
+    styleSrc: "style-src",
+    imgSrc: "img-src",
+    fontSrc: "font-src",
+    connectSrc: "connect-src",
+    mediaSrc: "media-src",
+    objectSrc: "object-src",
+    frameSrc: "frame-src",
+    childSrc: "child-src",
+    workerSrc: "worker-src",
+    frameAncestors: "frame-ancestors",
+    formAction: "form-action",
+    baseUri: "base-uri",
+    manifestSrc: "manifest-src",
+    reportUri: "report-uri",
+    reportTo: "report-to"
+  };
+  for (const [key, directive] of Object.entries(directiveMap)) {
+    const value = policy[key];
+    if (value !== void 0 && value !== false) {
+      if (Array.isArray(value)) {
+        directives.push(`${directive} ${value.join(" ")}`);
+      } else if (typeof value === "string") {
+        directives.push(`${directive} ${value}`);
+      }
+    }
+  }
+  if (policy.upgradeInsecureRequests) {
+    directives.push("upgrade-insecure-requests");
+  }
+  if (policy.blockAllMixedContent) {
+    directives.push("block-all-mixed-content");
+  }
+  return directives.join("; ");
+}
+function buildHSTS(config) {
+  let value = `max-age=${config.maxAge}`;
+  if (config.includeSubDomains) {
+    value += "; includeSubDomains";
+  }
+  if (config.preload) {
+    value += "; preload";
+  }
+  return value;
+}
+function buildPermissionsPolicy(policy) {
+  const directives = [];
+  const featureMap = {
+    accelerometer: "accelerometer",
+    ambientLightSensor: "ambient-light-sensor",
+    autoplay: "autoplay",
+    battery: "battery",
+    camera: "camera",
+    displayCapture: "display-capture",
+    documentDomain: "document-domain",
+    encryptedMedia: "encrypted-media",
+    fullscreen: "fullscreen",
+    geolocation: "geolocation",
+    gyroscope: "gyroscope",
+    magnetometer: "magnetometer",
+    microphone: "microphone",
+    midi: "midi",
+    payment: "payment",
+    pictureInPicture: "picture-in-picture",
+    publicKeyCredentialsGet: "publickey-credentials-get",
+    screenWakeLock: "screen-wake-lock",
+    syncXhr: "sync-xhr",
+    usb: "usb",
+    webShare: "web-share",
+    xrSpatialTracking: "xr-spatial-tracking"
+  };
+  for (const [key, feature] of Object.entries(featureMap)) {
+    const origins = policy[key];
+    if (origins !== void 0) {
+      if (origins.length === 0) {
+        directives.push(`${feature}=()`);
+      } else {
+        const formatted = origins.map((o) => o === "self" ? "self" : `"${o}"`).join(" ");
+        directives.push(`${feature}=(${formatted})`);
+      }
+    }
+  }
+  return directives.join(", ");
+}
+var PRESET_STRICT = {
+  contentSecurityPolicy: {
+    defaultSrc: ["'self'"],
+    scriptSrc: ["'self'"],
+    styleSrc: ["'self'"],
+    imgSrc: ["'self'", "data:"],
+    fontSrc: ["'self'"],
+    objectSrc: ["'none'"],
+    frameAncestors: ["'none'"],
+    formAction: ["'self'"],
+    baseUri: ["'self'"],
+    upgradeInsecureRequests: true
+  },
+  strictTransportSecurity: {
+    maxAge: 31536e3,
+    // 1 year
+    includeSubDomains: true,
+    preload: true
+  },
+  xFrameOptions: "DENY",
+  xContentTypeOptions: true,
+  xDnsPrefetchControl: "off",
+  xDownloadOptions: true,
+  xPermittedCrossDomainPolicies: "none",
+  referrerPolicy: "strict-origin-when-cross-origin",
+  crossOriginOpenerPolicy: "same-origin",
+  crossOriginEmbedderPolicy: "require-corp",
+  crossOriginResourcePolicy: "same-origin",
+  permissionsPolicy: {
+    camera: [],
+    microphone: [],
+    geolocation: [],
+    payment: []
+  },
+  originAgentCluster: true
+};
+var PRESET_RELAXED = {
+  contentSecurityPolicy: {
+    defaultSrc: ["'self'"],
+    scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+    styleSrc: ["'self'", "'unsafe-inline'"],
+    imgSrc: ["'self'", "data:", "blob:", "https:"],
+    fontSrc: ["'self'", "https:", "data:"],
+    connectSrc: ["'self'", "https:", "wss:"],
+    frameSrc: ["'self'"]
+  },
+  strictTransportSecurity: {
+    maxAge: 86400,
+    // 1 day
+    includeSubDomains: false
+  },
+  xFrameOptions: "SAMEORIGIN",
+  xContentTypeOptions: true,
+  referrerPolicy: "no-referrer-when-downgrade"
+};
+var PRESET_API = {
+  contentSecurityPolicy: {
+    defaultSrc: ["'none'"],
+    frameAncestors: ["'none'"]
+  },
+  strictTransportSecurity: {
+    maxAge: 31536e3,
+    includeSubDomains: true
+  },
+  xFrameOptions: "DENY",
+  xContentTypeOptions: true,
+  referrerPolicy: "no-referrer",
+  crossOriginResourcePolicy: "same-origin"
+};
+function getPreset(name) {
+  switch (name) {
+    case "strict":
+      return PRESET_STRICT;
+    case "relaxed":
+      return PRESET_RELAXED;
+    case "api":
+      return PRESET_API;
+    default:
+      return PRESET_STRICT;
+  }
+}
+function buildHeaders(config) {
+  const headers = new Headers();
+  if (config.contentSecurityPolicy) {
+    const csp = buildCSP(config.contentSecurityPolicy);
+    if (csp) headers.set("Content-Security-Policy", csp);
+  }
+  if (config.strictTransportSecurity) {
+    headers.set("Strict-Transport-Security", buildHSTS(config.strictTransportSecurity));
+  }
+  if (config.xFrameOptions) {
+    headers.set("X-Frame-Options", config.xFrameOptions);
+  }
+  if (config.xContentTypeOptions) {
+    headers.set("X-Content-Type-Options", "nosniff");
+  }
+  if (config.xDnsPrefetchControl) {
+    headers.set("X-DNS-Prefetch-Control", config.xDnsPrefetchControl);
+  }
+  if (config.xDownloadOptions) {
+    headers.set("X-Download-Options", "noopen");
+  }
+  if (config.xPermittedCrossDomainPolicies) {
+    headers.set("X-Permitted-Cross-Domain-Policies", config.xPermittedCrossDomainPolicies);
+  }
+  if (config.referrerPolicy) {
+    const value = Array.isArray(config.referrerPolicy) ? config.referrerPolicy.join(", ") : config.referrerPolicy;
+    headers.set("Referrer-Policy", value);
+  }
+  if (config.crossOriginOpenerPolicy) {
+    headers.set("Cross-Origin-Opener-Policy", config.crossOriginOpenerPolicy);
+  }
+  if (config.crossOriginEmbedderPolicy) {
+    headers.set("Cross-Origin-Embedder-Policy", config.crossOriginEmbedderPolicy);
+  }
+  if (config.crossOriginResourcePolicy) {
+    headers.set("Cross-Origin-Resource-Policy", config.crossOriginResourcePolicy);
+  }
+  if (config.permissionsPolicy) {
+    const pp = buildPermissionsPolicy(config.permissionsPolicy);
+    if (pp) headers.set("Permissions-Policy", pp);
+  }
+  if (config.originAgentCluster) {
+    headers.set("Origin-Agent-Cluster", "?1");
+  }
+  return headers;
+}
+// src/middleware/headers/middleware.ts
+function mergeConfigs(base, custom) {
+  return {
+    ...base,
+    ...custom,
+    // Deep merge CSP if both exist
+    contentSecurityPolicy: custom.contentSecurityPolicy === false ? false : custom.contentSecurityPolicy ? base.contentSecurityPolicy ? { ...base.contentSecurityPolicy, ...custom.contentSecurityPolicy } : custom.contentSecurityPolicy : base.contentSecurityPolicy,
+    // Deep merge HSTS if both exist
+    strictTransportSecurity: custom.strictTransportSecurity === false ? false : custom.strictTransportSecurity ? base.strictTransportSecurity ? { ...base.strictTransportSecurity, ...custom.strictTransportSecurity } : custom.strictTransportSecurity : base.strictTransportSecurity,
+    // Deep merge Permissions-Policy if both exist
+    permissionsPolicy: custom.permissionsPolicy === false ? false : custom.permissionsPolicy ? base.permissionsPolicy ? { ...base.permissionsPolicy, ...custom.permissionsPolicy } : custom.permissionsPolicy : base.permissionsPolicy
+  };
+}
+function withSecurityHeaders(handler, options = {}) {
+  const { preset, config, override = false } = options;
+  let baseConfig = preset ? getPreset(preset) : PRESET_STRICT;
+  if (config) {
+    baseConfig = mergeConfigs(baseConfig, config);
+  }
+  const securityHeaders = buildHeaders(baseConfig);
+  return async (req) => {
+    const response = await handler(req);
+    const newHeaders = new Headers(response.headers);
+    securityHeaders.forEach((value, key) => {
+      if (override || !newHeaders.has(key)) {
+        newHeaders.set(key, value);
+      }
+    });
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: newHeaders
+    });
+  };
+}
+function createSecurityHeaders(options = {}) {
+  const { preset, config } = options;
+  let baseConfig = preset ? getPreset(preset) : PRESET_STRICT;
+  if (config) {
+    baseConfig = mergeConfigs(baseConfig, config);
+  }
+  return buildHeaders(baseConfig);
+}
+function createSecurityHeadersObject(options = {}) {
+  const headers = createSecurityHeaders(options);
+  const obj = {};
+  headers.forEach((value, key) => {
+    obj[key] = value;
+  });
+  return obj;
+}
 // src/index.ts
-var VERSION = "0.1.0";
+var VERSION = "0.3.0";
 exports.AuthenticationError = AuthenticationError;
 exports.AuthorizationError = AuthorizationError;
 exports.ConfigurationError = ConfigurationError;
 exports.CsrfError = CsrfError;
 exports.MemoryStore = MemoryStore;
+exports.PRESET_API = PRESET_API;
+exports.PRESET_RELAXED = PRESET_RELAXED;
+exports.PRESET_STRICT = PRESET_STRICT;
 exports.RateLimitError = RateLimitError;
 exports.SecureError = SecureError;
 exports.VERSION = VERSION;
 exports.ValidationError = ValidationError;
 exports.anonymizeIp = anonymizeIp;
+exports.buildCSP = buildCSP;
+exports.buildHSTS = buildHSTS;
+exports.buildPermissionsPolicy = buildPermissionsPolicy;
 exports.checkRateLimit = checkRateLimit;
 exports.clearAllRateLimits = clearAllRateLimits;
+exports.createCSRFToken = createToken;
 exports.createMemoryStore = createMemoryStore;
 exports.createRateLimiter = createRateLimiter;
+exports.createSecurityHeaders = createSecurityHeaders;
+exports.createSecurityHeadersObject = createSecurityHeadersObject;
 exports.formatDuration = formatDuration;
+exports.generateCSRF = generateCSRF;
 exports.getClientIp = getClientIp;
 exports.getGeoInfo = getGeoInfo;
 exports.getGlobalMemoryStore = getGlobalMemoryStore;
+exports.getPreset = getPreset;
 exports.getRateLimitStatus = getRateLimitStatus;
 exports.isLocalhost = isLocalhost;
 exports.isPrivateIp = isPrivateIp;
@@ -1028,6 +1491,11 @@ exports.parseDuration = parseDuration;
 exports.resetRateLimit = resetRateLimit;
 exports.sleep = sleep;
 exports.toSecureError = toSecureError;
+exports.tokensMatch = tokensMatch;
+exports.validateCSRF = validateCSRF;
+exports.verifyCSRFToken = verifyToken;
+exports.withCSRF = withCSRF;
 exports.withRateLimit = withRateLimit;
+exports.withSecurityHeaders = withSecurityHeaders;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map