npm - nextjs-secure - Versions diffs - 0.7.0 → 0.8.0 - Mend

nextjs-secure 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/index.js CHANGED Viewed

@@ -6582,9 +6582,1638 @@ function getClientIP5(req) {
   return req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || req.headers.get("cf-connecting-ip") || "unknown";
 }
+// src/middleware/api/types.ts
+var API_PROTECTION_PRESETS = {
+  /** Basic: Only timestamp and versioning */
+  basic: {
+    signing: false,
+    replay: false,
+    timestamp: {
+      maxAge: 600,
+      // 10 minutes
+      required: false
+    },
+    versioning: false,
+    idempotency: false
+  },
+  /** Standard: Timestamp, replay prevention, versioning */
+  standard: {
+    signing: false,
+    replay: {
+      ttl: 3e5,
+      // 5 minutes
+      required: true
+    },
+    timestamp: {
+      maxAge: 300,
+      // 5 minutes
+      required: true
+    },
+    versioning: false,
+    idempotency: {
+      required: false
+    }
+  },
+  /** Strict: All protections enabled */
+  strict: {
+    signing: {
+      secret: "",
+      // Must be provided
+      algorithm: "sha256",
+      timestampTolerance: 300
+    },
+    replay: {
+      ttl: 3e5,
+      required: true,
+      minLength: 32
+    },
+    timestamp: {
+      maxAge: 300,
+      required: true,
+      allowFuture: false
+    },
+    versioning: false,
+    idempotency: {
+      required: true,
+      methods: ["POST", "PUT", "PATCH", "DELETE"]
+    }
+  },
+  /** Financial: Maximum security for financial APIs */
+  financial: {
+    signing: {
+      secret: "",
+      // Must be provided
+      algorithm: "sha512",
+      timestampTolerance: 60,
+      // 1 minute
+      components: {
+        method: true,
+        path: true,
+        query: true,
+        body: true,
+        timestamp: true,
+        nonce: true
+      }
+    },
+    replay: {
+      ttl: 864e5,
+      // 24 hours
+      required: true,
+      minLength: 64
+    },
+    timestamp: {
+      maxAge: 60,
+      // 1 minute
+      required: true,
+      allowFuture: false,
+      maxFuture: 10
+    },
+    versioning: false,
+    idempotency: {
+      required: true,
+      ttl: 6048e5,
+      // 7 days
+      methods: ["POST", "PUT", "PATCH", "DELETE"],
+      hashRequestBody: true
+    }
+  }
+};
+// src/middleware/api/signing.ts
+var DEFAULT_SIGNING_OPTIONS = {
+  algorithm: "sha256",
+  encoding: "hex",
+  signatureHeader: "x-signature",
+  timestampHeader: "x-timestamp",
+  nonceHeader: "x-nonce",
+  components: {
+    method: true,
+    path: true,
+    query: true,
+    body: true,
+    headers: [],
+    timestamp: true,
+    nonce: false
+  },
+  timestampTolerance: 300
+  // 5 minutes
+};
+async function createHMAC(data, secret, algorithm = "sha256", encoding = "hex") {
+  const encoder3 = new TextEncoder();
+  const keyData = encoder3.encode(secret);
+  const messageData = encoder3.encode(data);
+  const hashName = {
+    sha1: "SHA-1",
+    sha256: "SHA-256",
+    sha384: "SHA-384",
+    sha512: "SHA-512"
+  }[algorithm];
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "HMAC", hash: hashName },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", key, messageData);
+  return encodeSignature(new Uint8Array(signature), encoding);
+}
+function encodeSignature(bytes, encoding) {
+  switch (encoding) {
+    case "hex":
+      return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+    case "base64":
+      return btoa(String.fromCharCode(...bytes));
+    case "base64url":
+      return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+    default:
+      return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+async function buildCanonicalString(req, components, options = {}) {
+  const parts = [];
+  if (components.method) {
+    parts.push(req.method.toUpperCase());
+  }
+  if (components.path) {
+    const url = new URL(req.url);
+    parts.push(url.pathname);
+  }
+  if (components.query) {
+    const url = new URL(req.url);
+    const params = new URLSearchParams(url.search);
+    const sortedParams = Array.from(params.entries()).sort((a, b) => a[0].localeCompare(b[0])).map(([k, v]) => `${k}=${v}`).join("&");
+    parts.push(sortedParams);
+  }
+  if (components.body) {
+    try {
+      const cloned = req.clone();
+      const body = await cloned.text();
+      if (body) {
+        parts.push(body);
+      }
+    } catch {
+    }
+  }
+  if (components.headers && components.headers.length > 0) {
+    const headerParts = components.headers.map((h) => h.toLowerCase()).sort().map((h) => `${h}:${req.headers.get(h) || ""}`);
+    parts.push(headerParts.join("\n"));
+  }
+  if (components.timestamp) {
+    const timestampHeader = options.timestampHeader || "x-timestamp";
+    const timestamp = req.headers.get(timestampHeader) || "";
+    parts.push(timestamp);
+  }
+  if (components.nonce) {
+    const nonceHeader = options.nonceHeader || "x-nonce";
+    const nonce = req.headers.get(nonceHeader) || "";
+    parts.push(nonce);
+  }
+  return parts.join("\n");
+}
+async function generateSignature(req, options) {
+  const {
+    secret,
+    algorithm = DEFAULT_SIGNING_OPTIONS.algorithm,
+    encoding = DEFAULT_SIGNING_OPTIONS.encoding,
+    components = DEFAULT_SIGNING_OPTIONS.components,
+    timestampHeader = DEFAULT_SIGNING_OPTIONS.timestampHeader,
+    nonceHeader = DEFAULT_SIGNING_OPTIONS.nonceHeader,
+    canonicalBuilder
+  } = options;
+  const canonical = canonicalBuilder ? await canonicalBuilder(req, components) : await buildCanonicalString(req, components, { timestampHeader, nonceHeader });
+  return createHMAC(canonical, secret, algorithm, encoding);
+}
+async function generateSignatureHeaders(method, url, body, options) {
+  const {
+    secret,
+    algorithm = DEFAULT_SIGNING_OPTIONS.algorithm,
+    encoding = DEFAULT_SIGNING_OPTIONS.encoding,
+    components = DEFAULT_SIGNING_OPTIONS.components,
+    signatureHeader = DEFAULT_SIGNING_OPTIONS.signatureHeader,
+    timestampHeader = DEFAULT_SIGNING_OPTIONS.timestampHeader,
+    nonceHeader = DEFAULT_SIGNING_OPTIONS.nonceHeader,
+    includeTimestamp = true,
+    includeNonce = false
+  } = options;
+  const headers = {};
+  const parts = [];
+  if (components.method) {
+    parts.push(method.toUpperCase());
+  }
+  if (components.path) {
+    const parsedUrl = new URL(url);
+    parts.push(parsedUrl.pathname);
+  }
+  if (components.query) {
+    const parsedUrl = new URL(url);
+    const params = new URLSearchParams(parsedUrl.search);
+    const sortedParams = Array.from(params.entries()).sort((a, b) => a[0].localeCompare(b[0])).map(([k, v]) => `${k}=${v}`).join("&");
+    parts.push(sortedParams);
+  }
+  if (components.body && body) {
+    parts.push(body);
+  }
+  if (components.timestamp && includeTimestamp) {
+    const timestamp = Math.floor(Date.now() / 1e3).toString();
+    headers[timestampHeader] = timestamp;
+    parts.push(timestamp);
+  }
+  if (components.nonce && includeNonce) {
+    const nonce = generateNonce();
+    headers[nonceHeader] = nonce;
+    parts.push(nonce);
+  }
+  const canonical = parts.join("\n");
+  const signature = await createHMAC(canonical, secret, algorithm, encoding);
+  headers[signatureHeader] = signature;
+  return headers;
+}
+function generateNonce(length = 32) {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function verifySignature(req, options) {
+  const {
+    secret,
+    algorithm = DEFAULT_SIGNING_OPTIONS.algorithm,
+    encoding = DEFAULT_SIGNING_OPTIONS.encoding,
+    signatureHeader = DEFAULT_SIGNING_OPTIONS.signatureHeader,
+    timestampHeader = DEFAULT_SIGNING_OPTIONS.timestampHeader,
+    nonceHeader = DEFAULT_SIGNING_OPTIONS.nonceHeader,
+    components = DEFAULT_SIGNING_OPTIONS.components,
+    timestampTolerance = DEFAULT_SIGNING_OPTIONS.timestampTolerance,
+    canonicalBuilder
+  } = options;
+  const providedSignature = req.headers.get(signatureHeader);
+  if (!providedSignature) {
+    return {
+      valid: false,
+      reason: "Missing signature header"
+    };
+  }
+  if (components.timestamp) {
+    const timestamp = req.headers.get(timestampHeader);
+    if (!timestamp) {
+      return {
+        valid: false,
+        reason: "Missing timestamp header"
+      };
+    }
+    const timestampNum = parseInt(timestamp, 10);
+    if (isNaN(timestampNum)) {
+      return {
+        valid: false,
+        reason: "Invalid timestamp format"
+      };
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    const age = Math.abs(now - timestampNum);
+    if (age > timestampTolerance) {
+      return {
+        valid: false,
+        reason: `Timestamp too old or too far in future (age: ${age}s, max: ${timestampTolerance}s)`
+      };
+    }
+  }
+  const canonical = canonicalBuilder ? await canonicalBuilder(req, components) : await buildCanonicalString(req, components, { timestampHeader, nonceHeader });
+  const computedSignature = await createHMAC(canonical, secret, algorithm, encoding);
+  const valid = timingSafeEqual(providedSignature, computedSignature);
+  return {
+    valid,
+    reason: valid ? void 0 : "Signature mismatch",
+    computed: computedSignature,
+    provided: providedSignature,
+    canonical
+  };
+}
+function defaultInvalidResponse(reason) {
+  return new Response(
+    JSON.stringify({
+      error: "Unauthorized",
+      message: reason,
+      code: "INVALID_SIGNATURE"
+    }),
+    {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function withRequestSigning(handler, options) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const result = await verifySignature(req, options);
+    if (!result.valid) {
+      const onInvalid = options.onInvalid || defaultInvalidResponse;
+      return onInvalid(result.reason || "Invalid signature");
+    }
+    return handler(req, ctx);
+  };
+}
+// src/middleware/api/replay.ts
+var DEFAULT_REPLAY_OPTIONS = {
+  nonceHeader: "x-nonce",
+  nonceQuery: "",
+  ttl: 3e5,
+  // 5 minutes
+  required: true,
+  minLength: 16,
+  maxLength: 128
+};
+var MemoryNonceStore = class {
+  nonces = /* @__PURE__ */ new Map();
+  maxSize;
+  cleanupInterval = null;
+  constructor(options = {}) {
+    const { maxSize = 1e5, autoCleanup = true, cleanupIntervalMs = 6e4 } = options;
+    this.maxSize = maxSize;
+    if (autoCleanup) {
+      this.cleanupInterval = setInterval(() => {
+        this.cleanup();
+      }, cleanupIntervalMs);
+      if (this.cleanupInterval.unref) {
+        this.cleanupInterval.unref();
+      }
+    }
+  }
+  async exists(nonce) {
+    const entry = this.nonces.get(nonce);
+    if (!entry) {
+      return false;
+    }
+    if (Date.now() > entry.expiresAt) {
+      this.nonces.delete(nonce);
+      return false;
+    }
+    return true;
+  }
+  async set(nonce, ttl) {
+    if (this.nonces.size >= this.maxSize) {
+      this.evictOldest();
+    }
+    const now = Date.now();
+    this.nonces.set(nonce, {
+      timestamp: now,
+      expiresAt: now + ttl
+    });
+  }
+  async cleanup() {
+    const now = Date.now();
+    for (const [nonce, entry] of this.nonces.entries()) {
+      if (now > entry.expiresAt) {
+        this.nonces.delete(nonce);
+      }
+    }
+  }
+  getStats() {
+    let oldestTimestamp;
+    for (const entry of this.nonces.values()) {
+      if (!oldestTimestamp || entry.timestamp < oldestTimestamp) {
+        oldestTimestamp = entry.timestamp;
+      }
+    }
+    return {
+      size: this.nonces.size,
+      oldestTimestamp
+    };
+  }
+  evictOldest() {
+    const toRemove = Math.ceil(this.maxSize * 0.1);
+    const entries = Array.from(this.nonces.entries()).sort((a, b) => a[1].timestamp - b[1].timestamp).slice(0, toRemove);
+    for (const [nonce] of entries) {
+      this.nonces.delete(nonce);
+    }
+  }
+  /**
+   * Clear all nonces
+   */
+  clear() {
+    this.nonces.clear();
+  }
+  /**
+   * Stop auto cleanup
+   */
+  destroy() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+};
+var globalNonceStore = null;
+function getGlobalNonceStore() {
+  if (!globalNonceStore) {
+    globalNonceStore = new MemoryNonceStore();
+  }
+  return globalNonceStore;
+}
+function generateNonce2(length = 32) {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function isValidNonceFormat(nonce, minLength = 16, maxLength = 128) {
+  if (!nonce || typeof nonce !== "string") {
+    return false;
+  }
+  if (nonce.length < minLength || nonce.length > maxLength) {
+    return false;
+  }
+  return /^[a-zA-Z0-9_-]+$/.test(nonce);
+}
+function extractNonce(req, options = {}) {
+  const {
+    nonceHeader = DEFAULT_REPLAY_OPTIONS.nonceHeader,
+    nonceQuery = DEFAULT_REPLAY_OPTIONS.nonceQuery
+  } = options;
+  const headerNonce = req.headers.get(nonceHeader);
+  if (headerNonce) {
+    return headerNonce;
+  }
+  if (nonceQuery) {
+    const url = new URL(req.url);
+    const queryNonce = url.searchParams.get(nonceQuery);
+    if (queryNonce) {
+      return queryNonce;
+    }
+  }
+  return null;
+}
+async function checkReplay(req, options = {}) {
+  const {
+    store = getGlobalNonceStore(),
+    nonceHeader = DEFAULT_REPLAY_OPTIONS.nonceHeader,
+    nonceQuery = DEFAULT_REPLAY_OPTIONS.nonceQuery,
+    ttl = DEFAULT_REPLAY_OPTIONS.ttl,
+    required = DEFAULT_REPLAY_OPTIONS.required,
+    minLength = DEFAULT_REPLAY_OPTIONS.minLength,
+    maxLength = DEFAULT_REPLAY_OPTIONS.maxLength,
+    validate: validate2
+  } = options;
+  const nonce = extractNonce(req, { nonceHeader, nonceQuery });
+  if (!nonce) {
+    if (required) {
+      return {
+        isReplay: false,
+        // Not a replay, but missing
+        nonce: null,
+        reason: "Missing nonce"
+      };
+    }
+    return {
+      isReplay: false
+    };
+  }
+  if (!isValidNonceFormat(nonce, minLength, maxLength)) {
+    return {
+      isReplay: false,
+      nonce,
+      reason: `Invalid nonce format (length must be ${minLength}-${maxLength}, alphanumeric)`
+    };
+  }
+  if (validate2) {
+    const isValid = await validate2(nonce);
+    if (!isValid) {
+      return {
+        isReplay: false,
+        nonce,
+        reason: "Nonce failed custom validation"
+      };
+    }
+  }
+  const exists = await store.exists(nonce);
+  if (exists) {
+    return {
+      isReplay: true,
+      nonce,
+      reason: "Nonce has already been used"
+    };
+  }
+  await store.set(nonce, ttl);
+  return {
+    isReplay: false,
+    nonce
+  };
+}
+function defaultReplayResponse(nonce) {
+  return new Response(
+    JSON.stringify({
+      error: "Forbidden",
+      message: "Request replay detected",
+      code: "REPLAY_DETECTED",
+      nonce
+    }),
+    {
+      status: 403,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function defaultMissingNonceResponse(reason) {
+  return new Response(
+    JSON.stringify({
+      error: "Bad Request",
+      message: reason,
+      code: "INVALID_NONCE"
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function withReplayPrevention(handler, options = {}) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const result = await checkReplay(req, options);
+    if (result.isReplay) {
+      const onReplay = options.onReplay || defaultReplayResponse;
+      return onReplay(result.nonce);
+    }
+    if (result.reason && options.required !== false) {
+      return defaultMissingNonceResponse(result.reason);
+    }
+    return handler(req, ctx);
+  };
+}
+function addNonceHeader(headers = {}, options = {}) {
+  const { headerName = "x-nonce", length = 32 } = options;
+  return {
+    ...headers,
+    [headerName]: generateNonce2(length)
+  };
+}
+// src/middleware/api/timestamp.ts
+var DEFAULT_TIMESTAMP_OPTIONS = {
+  timestampHeader: "x-timestamp",
+  format: "unix",
+  maxAge: 300,
+  // 5 minutes
+  allowFuture: false,
+  maxFuture: 60,
+  // 1 minute
+  required: true
+};
+function parseTimestamp(value, format = "unix") {
+  if (!value || typeof value !== "string") {
+    return null;
+  }
+  try {
+    switch (format) {
+      case "unix": {
+        const num = parseInt(value, 10);
+        if (isNaN(num) || num <= 0) {
+          return null;
+        }
+        return num;
+      }
+      case "unix-ms": {
+        const num = parseInt(value, 10);
+        if (isNaN(num) || num <= 0) {
+          return null;
+        }
+        return Math.floor(num / 1e3);
+      }
+      case "iso8601": {
+        const date = new Date(value);
+        if (isNaN(date.getTime())) {
+          return null;
+        }
+        return Math.floor(date.getTime() / 1e3);
+      }
+      default:
+        return null;
+    }
+  } catch {
+    return null;
+  }
+}
+function formatTimestamp(format = "unix") {
+  const now = Date.now();
+  switch (format) {
+    case "unix":
+      return Math.floor(now / 1e3).toString();
+    case "unix-ms":
+      return now.toString();
+    case "iso8601":
+      return new Date(now).toISOString();
+    default:
+      return Math.floor(now / 1e3).toString();
+  }
+}
+function extractTimestamp(req, options = {}) {
+  const {
+    timestampHeader = DEFAULT_TIMESTAMP_OPTIONS.timestampHeader,
+    timestampQuery
+  } = options;
+  const headerTimestamp = req.headers.get(timestampHeader);
+  if (headerTimestamp) {
+    return headerTimestamp;
+  }
+  if (timestampQuery) {
+    const url = new URL(req.url);
+    const queryTimestamp = url.searchParams.get(timestampQuery);
+    if (queryTimestamp) {
+      return queryTimestamp;
+    }
+  }
+  return null;
+}
+function validateTimestamp(req, options = {}) {
+  const {
+    timestampHeader = DEFAULT_TIMESTAMP_OPTIONS.timestampHeader,
+    timestampQuery,
+    format = DEFAULT_TIMESTAMP_OPTIONS.format,
+    maxAge = DEFAULT_TIMESTAMP_OPTIONS.maxAge,
+    allowFuture = DEFAULT_TIMESTAMP_OPTIONS.allowFuture,
+    maxFuture = DEFAULT_TIMESTAMP_OPTIONS.maxFuture,
+    required = DEFAULT_TIMESTAMP_OPTIONS.required
+  } = options;
+  const timestampStr = extractTimestamp(req, { timestampHeader, timestampQuery });
+  if (!timestampStr) {
+    if (required) {
+      return {
+        valid: false,
+        reason: "Missing timestamp"
+      };
+    }
+    return {
+      valid: true
+    };
+  }
+  const timestamp = parseTimestamp(timestampStr, format);
+  if (timestamp === null) {
+    return {
+      valid: false,
+      reason: `Invalid timestamp format (expected: ${format})`
+    };
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const age = now - timestamp;
+  if (age > maxAge) {
+    return {
+      valid: false,
+      timestamp,
+      age,
+      reason: `Timestamp too old (age: ${age}s, max: ${maxAge}s)`
+    };
+  }
+  if (age < 0) {
+    if (!allowFuture) {
+      return {
+        valid: false,
+        timestamp,
+        age,
+        reason: "Timestamp is in the future"
+      };
+    }
+    const futureAge = Math.abs(age);
+    if (futureAge > maxFuture) {
+      return {
+        valid: false,
+        timestamp,
+        age,
+        reason: `Timestamp too far in future (${futureAge}s, max: ${maxFuture}s)`
+      };
+    }
+  }
+  return {
+    valid: true,
+    timestamp,
+    age
+  };
+}
+function isTimestampValid(timestampStr, options = {}) {
+  const {
+    format = "unix",
+    maxAge = 300,
+    allowFuture = false,
+    maxFuture = 60
+  } = options;
+  const timestamp = parseTimestamp(timestampStr, format);
+  if (timestamp === null) {
+    return false;
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const age = now - timestamp;
+  if (age > maxAge) {
+    return false;
+  }
+  if (age < 0) {
+    if (!allowFuture) {
+      return false;
+    }
+    if (Math.abs(age) > maxFuture) {
+      return false;
+    }
+  }
+  return true;
+}
+function defaultInvalidResponse2(reason) {
+  return new Response(
+    JSON.stringify({
+      error: "Bad Request",
+      message: reason,
+      code: "INVALID_TIMESTAMP"
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function withTimestamp(handler, options = {}) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const result = validateTimestamp(req, options);
+    if (!result.valid) {
+      const onInvalid = options.onInvalid || defaultInvalidResponse2;
+      return onInvalid(result.reason || "Invalid timestamp");
+    }
+    return handler(req, ctx);
+  };
+}
+function addTimestampHeader(headers = {}, options = {}) {
+  const { headerName = "x-timestamp", format = "unix" } = options;
+  return {
+    ...headers,
+    [headerName]: formatTimestamp(format)
+  };
+}
+function getRequestAge(req, options = {}) {
+  const timestampStr = extractTimestamp(req, options);
+  if (!timestampStr) {
+    return null;
+  }
+  const timestamp = parseTimestamp(timestampStr, options.format);
+  if (timestamp === null) {
+    return null;
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  return now - timestamp;
+}
+// src/middleware/api/versioning.ts
+var DEFAULT_VERSIONING_OPTIONS = {
+  source: "header",
+  versionHeader: "x-api-version",
+  versionQuery: "version"};
+function extractFromHeader(req, headerName) {
+  return req.headers.get(headerName);
+}
+function extractFromQuery(req, queryParam) {
+  const url = new URL(req.url);
+  return url.searchParams.get(queryParam);
+}
+function extractFromPath(req, pattern) {
+  if (!pattern) {
+    pattern = /\/v(\d+(?:\.\d+)?)\//;
+  }
+  const url = new URL(req.url);
+  const match = url.pathname.match(pattern);
+  if (match && match[1]) {
+    return match[1];
+  }
+  return null;
+}
+function extractFromAccept(req, pattern) {
+  const accept = req.headers.get("accept");
+  if (!accept) {
+    return null;
+  }
+  if (!pattern) {
+    pattern = /version=(\d+(?:\.\d+)?)/;
+  }
+  const match = accept.match(pattern);
+  if (match && match[1]) {
+    return match[1];
+  }
+  return null;
+}
+function extractVersion(req, options) {
+  const {
+    source = DEFAULT_VERSIONING_OPTIONS.source,
+    versionHeader = DEFAULT_VERSIONING_OPTIONS.versionHeader,
+    versionQuery = DEFAULT_VERSIONING_OPTIONS.versionQuery,
+    pathPattern,
+    acceptPattern,
+    parseVersion
+  } = options;
+  let version = null;
+  let extractedSource = null;
+  switch (source) {
+    case "header":
+      version = extractFromHeader(req, versionHeader);
+      extractedSource = version ? "header" : null;
+      break;
+    case "query":
+      version = extractFromQuery(req, versionQuery);
+      extractedSource = version ? "query" : null;
+      break;
+    case "path":
+      version = extractFromPath(req, pathPattern);
+      extractedSource = version ? "path" : null;
+      break;
+    case "accept":
+      version = extractFromAccept(req, acceptPattern);
+      extractedSource = version ? "accept" : null;
+      break;
+  }
+  if (version && parseVersion) {
+    version = parseVersion(version);
+  }
+  return { version, source: extractedSource };
+}
+function getVersionStatus(version, options) {
+  const { current, supported, deprecated = [], sunset = [] } = options;
+  if (version === current) {
+    return "current";
+  }
+  if (sunset.includes(version)) {
+    return "sunset";
+  }
+  if (deprecated.includes(version)) {
+    return "deprecated";
+  }
+  if (supported.includes(version)) {
+    return "supported";
+  }
+  return null;
+}
+function isVersionSupported(version, options) {
+  const status = getVersionStatus(version, options);
+  return status === "current" || status === "supported" || status === "deprecated";
+}
+function validateVersion(req, options) {
+  const { current, supported, deprecated = [], sunset = [], sunsetDates = {} } = options;
+  const { version, source } = extractVersion(req, options);
+  if (!version) {
+    return {
+      version: current,
+      source: null,
+      status: "current",
+      valid: true
+    };
+  }
+  if (sunset.includes(version)) {
+    const sunsetDate = sunsetDates[version];
+    return {
+      version,
+      source,
+      status: "sunset",
+      valid: false,
+      reason: `API version ${version} has been sunset${sunsetDate ? ` on ${sunsetDate.toISOString()}` : ""}`,
+      sunsetDate
+    };
+  }
+  if (deprecated.includes(version)) {
+    const sunsetDate = sunsetDates[version];
+    return {
+      version,
+      source,
+      status: "deprecated",
+      valid: true,
+      sunsetDate
+    };
+  }
+  if (version === current) {
+    return {
+      version,
+      source,
+      status: "current",
+      valid: true
+    };
+  }
+  if (supported.includes(version)) {
+    return {
+      version,
+      source,
+      status: "supported",
+      valid: true
+    };
+  }
+  return {
+    version,
+    source,
+    status: null,
+    valid: false,
+    reason: `Unsupported API version: ${version}. Supported versions: ${[current, ...supported].join(", ")}`
+  };
+}
+function addDeprecationHeaders(response, version, sunsetDate) {
+  const headers = new Headers(response.headers);
+  headers.set("Deprecation", "true");
+  if (sunsetDate) {
+    headers.set("Sunset", sunsetDate.toUTCString());
+  }
+  headers.set(
+    "Warning",
+    `299 - "API version ${version} is deprecated${sunsetDate ? ` and will be removed on ${sunsetDate.toISOString().split("T")[0]}` : ""}"`
+  );
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers
+  });
+}
+function defaultUnsupportedResponse(version, supportedVersions) {
+  return new Response(
+    JSON.stringify({
+      error: "Bad Request",
+      message: `Unsupported API version: ${version}`,
+      code: "UNSUPPORTED_VERSION",
+      supportedVersions
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function defaultSunsetResponse(version, sunsetDate) {
+  return new Response(
+    JSON.stringify({
+      error: "Gone",
+      message: `API version ${version} is no longer available${sunsetDate ? `. It was sunset on ${sunsetDate.toISOString().split("T")[0]}` : ""}`,
+      code: "VERSION_SUNSET"
+    }),
+    {
+      status: 410,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function withAPIVersion(handler, options) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const result = validateVersion(req, options);
+    if (result.status === "sunset") {
+      return defaultSunsetResponse(result.version, result.sunsetDate);
+    }
+    if (!result.valid) {
+      const onUnsupported = options.onUnsupported || ((v) => defaultUnsupportedResponse(v, [options.current, ...options.supported]));
+      return onUnsupported(result.version);
+    }
+    let response = await handler(req, ctx);
+    if (result.status === "deprecated") {
+      if (options.onDeprecated) {
+        options.onDeprecated(result.version, result.sunsetDate);
+      }
+      if (options.addDeprecationHeaders !== false) {
+        response = addDeprecationHeaders(response, result.version, result.sunsetDate);
+      }
+    }
+    return response;
+  };
+}
+function createVersionRouter(handlers, options) {
+  const versions = Object.keys(handlers);
+  const defaultVersion = options.default || versions[versions.length - 1];
+  return async (req, ctx) => {
+    const { version } = extractVersion(req, {
+      ...options});
+    const targetVersion = version || defaultVersion;
+    const handler = handlers[targetVersion];
+    if (!handler) {
+      return defaultUnsupportedResponse(targetVersion, versions);
+    }
+    return handler(req, ctx);
+  };
+}
+function compareVersions(a, b) {
+  const partsA = a.split(".").map(Number);
+  const partsB = b.split(".").map(Number);
+  const maxLength = Math.max(partsA.length, partsB.length);
+  for (let i = 0; i < maxLength; i++) {
+    const numA = partsA[i] || 0;
+    const numB = partsB[i] || 0;
+    if (numA > numB) return 1;
+    if (numA < numB) return -1;
+  }
+  return 0;
+}
+function normalizeVersion(version) {
+  version = version.replace(/^v/i, "");
+  const parts = version.split(".");
+  while (parts.length < 2) {
+    parts.push("0");
+  }
+  return parts.join(".");
+}
+// src/middleware/api/idempotency.ts
+var DEFAULT_IDEMPOTENCY_OPTIONS = {
+  keyHeader: "idempotency-key",
+  ttl: 864e5,
+  // 24 hours
+  required: false,
+  methods: ["POST", "PUT", "PATCH"],
+  minKeyLength: 16,
+  maxKeyLength: 256,
+  hashRequestBody: true,
+  lockTimeout: 3e4,
+  // 30 seconds
+  waitForLock: true,
+  maxWaitTime: 1e4
+  // 10 seconds
+};
+var MemoryIdempotencyStore = class {
+  cache = /* @__PURE__ */ new Map();
+  processing = /* @__PURE__ */ new Map();
+  maxSize;
+  cleanupInterval = null;
+  constructor(options = {}) {
+    const { maxSize = 1e4, autoCleanup = true, cleanupIntervalMs = 6e4 } = options;
+    this.maxSize = maxSize;
+    if (autoCleanup) {
+      this.cleanupInterval = setInterval(() => {
+        this.cleanup();
+      }, cleanupIntervalMs);
+      if (this.cleanupInterval.unref) {
+        this.cleanupInterval.unref();
+      }
+    }
+  }
+  async get(key) {
+    const entry = this.cache.get(key);
+    if (!entry) {
+      return null;
+    }
+    if (Date.now() > entry.expiresAt) {
+      this.cache.delete(key);
+      return null;
+    }
+    return entry.response;
+  }
+  async set(key, response, ttl) {
+    if (this.cache.size >= this.maxSize) {
+      this.evictOldest();
+    }
+    this.cache.set(key, {
+      response,
+      expiresAt: Date.now() + ttl
+    });
+  }
+  async isProcessing(key) {
+    const entry = this.processing.get(key);
+    if (!entry) {
+      return false;
+    }
+    if (Date.now() > entry.expiresAt) {
+      this.processing.delete(key);
+      return false;
+    }
+    return true;
+  }
+  async startProcessing(key, timeout) {
+    if (await this.isProcessing(key)) {
+      return false;
+    }
+    const now = Date.now();
+    this.processing.set(key, {
+      startedAt: now,
+      expiresAt: now + timeout
+    });
+    return true;
+  }
+  async endProcessing(key) {
+    this.processing.delete(key);
+  }
+  async delete(key) {
+    this.cache.delete(key);
+    this.processing.delete(key);
+  }
+  async cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.cache.entries()) {
+      if (now > entry.expiresAt) {
+        this.cache.delete(key);
+      }
+    }
+    for (const [key, entry] of this.processing.entries()) {
+      if (now > entry.expiresAt) {
+        this.processing.delete(key);
+      }
+    }
+  }
+  getStats() {
+    return {
+      cacheSize: this.cache.size,
+      processingSize: this.processing.size
+    };
+  }
+  evictOldest() {
+    const toRemove = Math.ceil(this.maxSize * 0.1);
+    const entries = Array.from(this.cache.entries()).sort((a, b) => a[1].response.cachedAt - b[1].response.cachedAt).slice(0, toRemove);
+    for (const [key] of entries) {
+      this.cache.delete(key);
+    }
+  }
+  /**
+   * Clear all entries
+   */
+  clear() {
+    this.cache.clear();
+    this.processing.clear();
+  }
+  /**
+   * Stop auto cleanup
+   */
+  destroy() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+};
+var globalIdempotencyStore = null;
+function getGlobalIdempotencyStore() {
+  if (!globalIdempotencyStore) {
+    globalIdempotencyStore = new MemoryIdempotencyStore();
+  }
+  return globalIdempotencyStore;
+}
+function generateIdempotencyKey(length = 32) {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function hashRequestBody(body) {
+  const encoder3 = new TextEncoder();
+  const data = encoder3.encode(body);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function isValidIdempotencyKey(key, minLength = 16, maxLength = 256) {
+  if (!key || typeof key !== "string") {
+    return false;
+  }
+  if (key.length < minLength || key.length > maxLength) {
+    return false;
+  }
+  return /^[a-zA-Z0-9_-]+$/.test(key);
+}
+async function createCacheKey(idempotencyKey, req, hashBody = true) {
+  const parts = [idempotencyKey, req.method, new URL(req.url).pathname];
+  if (hashBody) {
+    try {
+      const cloned = req.clone();
+      const body = await cloned.text();
+      if (body) {
+        const bodyHash = await hashRequestBody(body);
+        parts.push(bodyHash);
+      }
+    } catch {
+    }
+  }
+  return parts.join(":");
+}
+async function checkIdempotency(req, options = {}) {
+  const {
+    store = getGlobalIdempotencyStore(),
+    keyHeader = DEFAULT_IDEMPOTENCY_OPTIONS.keyHeader,
+    required = DEFAULT_IDEMPOTENCY_OPTIONS.required,
+    methods = DEFAULT_IDEMPOTENCY_OPTIONS.methods,
+    minKeyLength = DEFAULT_IDEMPOTENCY_OPTIONS.minKeyLength,
+    maxKeyLength = DEFAULT_IDEMPOTENCY_OPTIONS.maxKeyLength,
+    hashRequestBody: hashBody = DEFAULT_IDEMPOTENCY_OPTIONS.hashRequestBody,
+    validateKey
+  } = options;
+  const method = req.method.toUpperCase();
+  if (!methods.includes(method)) {
+    return {
+      key: null,
+      fromCache: false,
+      isProcessing: false
+    };
+  }
+  const key = req.headers.get(keyHeader);
+  if (!key) {
+    if (required) {
+      return {
+        key: null,
+        fromCache: false,
+        isProcessing: false,
+        reason: "Missing idempotency key"
+      };
+    }
+    return {
+      key: null,
+      fromCache: false,
+      isProcessing: false
+    };
+  }
+  if (!isValidIdempotencyKey(key, minKeyLength, maxKeyLength)) {
+    return {
+      key,
+      fromCache: false,
+      isProcessing: false,
+      reason: `Invalid idempotency key format (length must be ${minKeyLength}-${maxKeyLength}, alphanumeric)`
+    };
+  }
+  if (validateKey) {
+    const isValid = await validateKey(key);
+    if (!isValid) {
+      return {
+        key,
+        fromCache: false,
+        isProcessing: false,
+        reason: "Idempotency key failed custom validation"
+      };
+    }
+  }
+  const cacheKey = await createCacheKey(key, req, hashBody);
+  const cached = await store.get(cacheKey);
+  if (cached) {
+    return {
+      key,
+      fromCache: true,
+      cachedResponse: cached,
+      isProcessing: false
+    };
+  }
+  const isProcessing = await store.isProcessing(cacheKey);
+  return {
+    key,
+    fromCache: false,
+    isProcessing,
+    reason: isProcessing ? "Request is currently being processed" : void 0
+  };
+}
+async function cacheResponse(key, req, response, options = {}) {
+  const {
+    store = getGlobalIdempotencyStore(),
+    ttl = DEFAULT_IDEMPOTENCY_OPTIONS.ttl,
+    hashRequestBody: hashBody = DEFAULT_IDEMPOTENCY_OPTIONS.hashRequestBody
+  } = options;
+  const cacheKey = await createCacheKey(key, req, hashBody);
+  const cloned = response.clone();
+  const body = await cloned.text();
+  const headers = {};
+  response.headers.forEach((value, name) => {
+    headers[name] = value;
+  });
+  const cachedResponse = {
+    status: response.status,
+    headers,
+    body,
+    cachedAt: Date.now()
+  };
+  await store.set(cacheKey, cachedResponse, ttl);
+  await store.endProcessing(cacheKey);
+}
+function createResponseFromCache(cached) {
+  const headers = new Headers(cached.headers);
+  headers.set("x-idempotency-replayed", "true");
+  headers.set("x-idempotency-cached-at", new Date(cached.cachedAt).toISOString());
+  return new Response(cached.body, {
+    status: cached.status,
+    headers
+  });
+}
+function defaultErrorResponse3(reason) {
+  return new Response(
+    JSON.stringify({
+      error: "Bad Request",
+      message: reason,
+      code: "IDEMPOTENCY_ERROR"
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+async function waitForLock(store, cacheKey, maxWaitTime, pollInterval = 100) {
+  const startTime = Date.now();
+  while (Date.now() - startTime < maxWaitTime) {
+    const cached = await store.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const isProcessing = await store.isProcessing(cacheKey);
+    if (!isProcessing) {
+      return null;
+    }
+    await new Promise((resolve) => setTimeout(resolve, pollInterval));
+  }
+  return null;
+}
+function withIdempotency(handler, options = {}) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const {
+      store = getGlobalIdempotencyStore(),
+      methods = DEFAULT_IDEMPOTENCY_OPTIONS.methods,
+      hashRequestBody: hashBody = DEFAULT_IDEMPOTENCY_OPTIONS.hashRequestBody,
+      lockTimeout = DEFAULT_IDEMPOTENCY_OPTIONS.lockTimeout,
+      waitForLock: shouldWait = DEFAULT_IDEMPOTENCY_OPTIONS.waitForLock,
+      maxWaitTime = DEFAULT_IDEMPOTENCY_OPTIONS.maxWaitTime,
+      onError,
+      onCacheHit
+    } = options;
+    const method = req.method.toUpperCase();
+    if (!methods.includes(method)) {
+      return handler(req, ctx);
+    }
+    const result = await checkIdempotency(req, options);
+    if (result.reason && !result.isProcessing) {
+      const errorHandler = onError || defaultErrorResponse3;
+      return errorHandler(result.reason);
+    }
+    if (result.fromCache && result.cachedResponse) {
+      if (onCacheHit) {
+        onCacheHit(result.key, result.cachedResponse);
+      }
+      return createResponseFromCache(result.cachedResponse);
+    }
+    if (!result.key) {
+      return handler(req, ctx);
+    }
+    const cacheKey = await createCacheKey(result.key, req, hashBody);
+    if (result.isProcessing) {
+      if (shouldWait) {
+        const cached = await waitForLock(store, cacheKey, maxWaitTime);
+        if (cached) {
+          if (onCacheHit) {
+            onCacheHit(result.key, cached);
+          }
+          return createResponseFromCache(cached);
+        }
+      }
+      return new Response(
+        JSON.stringify({
+          error: "Conflict",
+          message: "Request with this idempotency key is currently being processed",
+          code: "IDEMPOTENCY_CONFLICT"
+        }),
+        {
+          status: 409,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    const acquired = await store.startProcessing(cacheKey, lockTimeout);
+    if (!acquired) {
+      if (shouldWait) {
+        const cached = await waitForLock(store, cacheKey, maxWaitTime);
+        if (cached) {
+          if (onCacheHit) {
+            onCacheHit(result.key, cached);
+          }
+          return createResponseFromCache(cached);
+        }
+      }
+      return new Response(
+        JSON.stringify({
+          error: "Conflict",
+          message: "Request with this idempotency key is currently being processed",
+          code: "IDEMPOTENCY_CONFLICT"
+        }),
+        {
+          status: 409,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    try {
+      const response = await handler(req, ctx);
+      if (response.status >= 200 && response.status < 300) {
+        await cacheResponse(result.key, req, response, options);
+      } else {
+        await store.endProcessing(cacheKey);
+      }
+      return response;
+    } catch (error) {
+      await store.endProcessing(cacheKey);
+      throw error;
+    }
+  };
+}
+function addIdempotencyHeader(headers = {}, options = {}) {
+  const { headerName = "idempotency-key", key = generateIdempotencyKey() } = options;
+  return {
+    ...headers,
+    [headerName]: key
+  };
+}
+// src/middleware/api/middleware.ts
+async function checkAPIProtection(req, options) {
+  const result = {
+    passed: true
+  };
+  if (options.timestamp !== false) {
+    const timestampResult = validateTimestamp(req, options.timestamp);
+    result.timestamp = timestampResult;
+    if (!timestampResult.valid) {
+      result.passed = false;
+      result.error = {
+        type: "timestamp",
+        message: timestampResult.reason || "Invalid timestamp"
+      };
+      return result;
+    }
+  }
+  if (options.replay !== false) {
+    const replayOpts = options.replay;
+    const replayResult = await checkReplay(req, {
+      ...replayOpts,
+      store: replayOpts.store || getGlobalNonceStore()
+    });
+    result.replay = replayResult;
+    if (replayResult.isReplay) {
+      result.passed = false;
+      result.error = {
+        type: "replay",
+        message: "Request replay detected",
+        details: { nonce: replayResult.nonce }
+      };
+      return result;
+    }
+    if (replayResult.reason && replayOpts.required !== false) {
+      result.passed = false;
+      result.error = {
+        type: "replay",
+        message: replayResult.reason
+      };
+      return result;
+    }
+  }
+  if (options.signing !== false) {
+    const signingOpts = options.signing;
+    const signingResult = await verifySignature(req, signingOpts);
+    result.signing = signingResult;
+    if (!signingResult.valid) {
+      result.passed = false;
+      result.error = {
+        type: "signing",
+        message: signingResult.reason || "Invalid signature"
+      };
+      return result;
+    }
+  }
+  if (options.versioning !== false) {
+    const versioningOpts = options.versioning;
+    const versionResult = validateVersion(req, versioningOpts);
+    result.version = versionResult;
+    if (!versionResult.valid) {
+      result.passed = false;
+      result.error = {
+        type: "versioning",
+        message: versionResult.reason || "Unsupported version",
+        details: { version: versionResult.version }
+      };
+      return result;
+    }
+  }
+  if (options.idempotency !== false) {
+    const idempotencyOpts = options.idempotency;
+    const idempotencyResult = await checkIdempotency(req, {
+      ...idempotencyOpts,
+      store: idempotencyOpts.store || getGlobalIdempotencyStore()
+    });
+    result.idempotency = idempotencyResult;
+    if (idempotencyResult.reason && !idempotencyResult.isProcessing && !idempotencyResult.fromCache) {
+      if (idempotencyOpts.required) {
+        result.passed = false;
+        result.error = {
+          type: "idempotency",
+          message: idempotencyResult.reason,
+          details: { key: idempotencyResult.key }
+        };
+        return result;
+      }
+    }
+  }
+  return result;
+}
+function defaultErrorResponse4(error) {
+  const statusMap = {
+    signing: 401,
+    replay: 403,
+    timestamp: 400,
+    versioning: 400,
+    idempotency: 400
+  };
+  const codeMap = {
+    signing: "INVALID_SIGNATURE",
+    replay: "REPLAY_DETECTED",
+    timestamp: "INVALID_TIMESTAMP",
+    versioning: "UNSUPPORTED_VERSION",
+    idempotency: "IDEMPOTENCY_ERROR"
+  };
+  return new Response(
+    JSON.stringify({
+      error: error.type === "signing" ? "Unauthorized" : error.type === "replay" ? "Forbidden" : "Bad Request",
+      message: error.message,
+      code: codeMap[error.type],
+      ...error.details || {}
+    }),
+    {
+      status: statusMap[error.type],
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function withAPIProtection(handler, options) {
+  return async (req, ctx) => {
+    if (options.skip && await options.skip(req)) {
+      return handler(req, ctx);
+    }
+    const result = await checkAPIProtection(req, options);
+    if (!result.passed && result.error) {
+      const onError = options.onError || defaultErrorResponse4;
+      return onError(result.error);
+    }
+    if (result.idempotency?.fromCache && result.idempotency.cachedResponse) {
+      const idempotencyOpts = options.idempotency;
+      if (idempotencyOpts.onCacheHit) {
+        idempotencyOpts.onCacheHit(result.idempotency.key, result.idempotency.cachedResponse);
+      }
+      return createResponseFromCache(result.idempotency.cachedResponse);
+    }
+    if (result.idempotency?.isProcessing) {
+      return new Response(
+        JSON.stringify({
+          error: "Conflict",
+          message: "Request with this idempotency key is currently being processed",
+          code: "IDEMPOTENCY_CONFLICT"
+        }),
+        {
+          status: 409,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    let response = await handler(req, ctx);
+    if (result.version?.status === "deprecated") {
+      const versioningOpts = options.versioning;
+      if (versioningOpts.addDeprecationHeaders !== false) {
+        response = addDeprecationHeaders(response, result.version.version, result.version.sunsetDate);
+      }
+      if (versioningOpts.onDeprecated) {
+        versioningOpts.onDeprecated(result.version.version, result.version.sunsetDate);
+      }
+    }
+    if (result.idempotency?.key && options.idempotency !== false) {
+      const idempotencyOpts = options.idempotency;
+      if (response.status >= 200 && response.status < 300) {
+        await cacheResponse(result.idempotency.key, req, response, idempotencyOpts);
+      }
+    }
+    return response;
+  };
+}
+function withAPIProtectionPreset(handler, preset, overrides = {}) {
+  const presetConfig = API_PROTECTION_PRESETS[preset];
+  const mergedOptions = {
+    ...presetConfig,
+    ...overrides
+  };
+  if (presetConfig.signing && typeof presetConfig.signing === "object" && overrides.signing && typeof overrides.signing === "object") {
+    mergedOptions.signing = { ...presetConfig.signing, ...overrides.signing };
+  }
+  if (presetConfig.replay && typeof presetConfig.replay === "object" && overrides.replay && typeof overrides.replay === "object") {
+    mergedOptions.replay = { ...presetConfig.replay, ...overrides.replay };
+  }
+  if (presetConfig.timestamp && typeof presetConfig.timestamp === "object" && overrides.timestamp && typeof overrides.timestamp === "object") {
+    mergedOptions.timestamp = { ...presetConfig.timestamp, ...overrides.timestamp };
+  }
+  if (presetConfig.idempotency && typeof presetConfig.idempotency === "object" && overrides.idempotency && typeof overrides.idempotency === "object") {
+    mergedOptions.idempotency = { ...presetConfig.idempotency, ...overrides.idempotency };
+  }
+  return withAPIProtection(handler, mergedOptions);
+}
 // src/index.ts
-var VERSION = "0.7.0";
+var VERSION = "0.8.0";
-export { MemoryStore2 as AuditMemoryStore, AuthenticationError, AuthorizationError, BOT_PROTECTION_PRESETS, CLFFormatter, ConfigurationError, ConsoleStore, CsrfError, DANGEROUS_EXTENSIONS, DEFAULT_ALLOWED_BOTS, DEFAULT_ALLOWED_CATEGORIES, DEFAULT_HONEYPOT_FIELDS, DEFAULT_PII_FIELDS, ExternalStore, JSONFormatter, KNOWN_BOT_PATTERNS, MIME_TYPES, MemoryBehaviorStore, MemoryStore, MultiStore, PRESET_API, PRESET_RELAXED, PRESET_STRICT, RateLimitError, SecureError, SecurityEventTracker, StructuredFormatter, TextFormatter, VERSION, ValidationError, analyzeBehavior, analyzeUserAgent, anonymizeIp, buildCSP, buildHSTS, buildPermissionsPolicy, checkBehavior, checkCaptcha, checkHoneypot, checkRateLimit, clearAllRateLimits, createMemoryStore2 as createAuditMemoryStore, createAuditMiddleware, createBotPattern, createCLFFormatter, createToken as createCSRFToken, createConsoleStore, createDatadogStore, createExternalStore, createJSONFormatter, createMemoryStore, createMultiStore, createRateLimiter, createRedactor, createSecurityHeaders, createSecurityHeadersObject, createSecurityTracker, createStructuredFormatter, createTextFormatter, createValidator, decodeJWT, detectBot, detectFileType, detectSQLInjection, detectXSS, escapeHtml, extractBearerToken, formatDuration, generateCSRF, generateHCaptcha, generateHoneypotCSS, generateHoneypotHTML, generateRecaptchaV2, generateRecaptchaV3, generateTurnstile, getBotsByCategory, getClientIp, getGeoInfo, getGlobalBehaviorStore, getGlobalMemoryStore, getPreset, getRateLimitStatus, hasPathTraversal, hasSQLInjection, isBotAllowed, isFormRequest, isJsonRequest, isLocalhost, isPrivateIp, isSecureError, isSuspiciousUA, isValidIp, mask, normalizeIp, nowInMs, nowInSeconds, parseDuration, redactCreditCard, redactEmail, redactHeaders, redactIP, redactObject, redactPhone, redactQuery, resetRateLimit, sanitize, sanitizeFields, sanitizeFilename, sanitizeObject, sanitizePath, sanitizeSQLInput, sleep, stripHtml, toSecureError, tokensMatch, trackSecurityEvent, validate, validateBody, validateCSRF, validateContentType, validateFile, validateFiles, validatePath, validateQuery, validateRequest, verifyToken as verifyCSRFToken, verifyCaptcha, verifyJWT, withAPIKey, withAuditLog, withAuth, withBehaviorAnalysis, withBehaviorProtection, withBotProtection, withBotProtectionPreset, withCSRF, withCaptcha, withCaptchaProtection, withContentType, withFileValidation, withHoneypot, withHoneypotProtection, withJWT, withOptionalAuth, withRateLimit, withRequestId, withRoles, withSQLProtection, withSanitization, withSecureValidation, withSecurityHeaders, withSession, withTiming, withUserAgentProtection, withValidation, withXSSProtection };
+export { API_PROTECTION_PRESETS, MemoryStore2 as AuditMemoryStore, AuthenticationError, AuthorizationError, BOT_PROTECTION_PRESETS, CLFFormatter, ConfigurationError, ConsoleStore, CsrfError, DANGEROUS_EXTENSIONS, DEFAULT_ALLOWED_BOTS, DEFAULT_ALLOWED_CATEGORIES, DEFAULT_HONEYPOT_FIELDS, DEFAULT_PII_FIELDS, ExternalStore, JSONFormatter, KNOWN_BOT_PATTERNS, MIME_TYPES, MemoryBehaviorStore, MemoryIdempotencyStore, MemoryNonceStore, MemoryStore, MultiStore, PRESET_API, PRESET_RELAXED, PRESET_STRICT, RateLimitError, SecureError, SecurityEventTracker, StructuredFormatter, TextFormatter, VERSION, ValidationError, addDeprecationHeaders, addIdempotencyHeader, addNonceHeader, addTimestampHeader, analyzeBehavior, analyzeUserAgent, anonymizeIp, buildCSP, buildCanonicalString, buildHSTS, buildPermissionsPolicy, cacheResponse, checkAPIProtection, checkBehavior, checkCaptcha, checkHoneypot, checkIdempotency, checkRateLimit, checkReplay, clearAllRateLimits, compareVersions, createMemoryStore2 as createAuditMemoryStore, createAuditMiddleware, createBotPattern, createCLFFormatter, createToken as createCSRFToken, createConsoleStore, createDatadogStore, createExternalStore, createHMAC, createJSONFormatter, createMemoryStore, createMultiStore, createRateLimiter, createRedactor, createResponseFromCache, createSecurityHeaders, createSecurityHeadersObject, createSecurityTracker, createStructuredFormatter, createTextFormatter, createValidator, createVersionRouter, decodeJWT, detectBot, detectFileType, detectSQLInjection, detectXSS, escapeHtml, extractBearerToken, extractVersion, formatDuration, formatTimestamp, generateCSRF, generateHCaptcha, generateHoneypotCSS, generateHoneypotHTML, generateIdempotencyKey, generateNonce2 as generateNonce, generateRecaptchaV2, generateRecaptchaV3, generateSignature, generateSignatureHeaders, generateTurnstile, getBotsByCategory, getClientIp, getGeoInfo, getGlobalBehaviorStore, getGlobalIdempotencyStore, getGlobalMemoryStore, getGlobalNonceStore, getPreset, getRateLimitStatus, getRequestAge, getVersionStatus, hasPathTraversal, hasSQLInjection, hashRequestBody, isBotAllowed, isFormRequest, isJsonRequest, isLocalhost, isPrivateIp, isSecureError, isSuspiciousUA, isTimestampValid, isValidIdempotencyKey, isValidIp, isValidNonceFormat, isVersionSupported, mask, normalizeIp, normalizeVersion, nowInMs, nowInSeconds, parseDuration, parseTimestamp, redactCreditCard, redactEmail, redactHeaders, redactIP, redactObject, redactPhone, redactQuery, resetRateLimit, sanitize, sanitizeFields, sanitizeFilename, sanitizeObject, sanitizePath, sanitizeSQLInput, sleep, stripHtml, timingSafeEqual, toSecureError, tokensMatch, trackSecurityEvent, validate, validateBody, validateCSRF, validateContentType, validateFile, validateFiles, validatePath, validateQuery, validateRequest, validateTimestamp, validateVersion, verifyToken as verifyCSRFToken, verifyCaptcha, verifyJWT, verifySignature, withAPIKey, withAPIProtection, withAPIProtectionPreset, withAPIVersion, withAuditLog, withAuth, withBehaviorAnalysis, withBehaviorProtection, withBotProtection, withBotProtectionPreset, withCSRF, withCaptcha, withCaptchaProtection, withContentType, withFileValidation, withHoneypot, withHoneypotProtection, withIdempotency, withJWT, withOptionalAuth, withRateLimit, withReplayPrevention, withRequestId, withRequestSigning, withRoles, withSQLProtection, withSanitization, withSecureValidation, withSecurityHeaders, withSession, withTimestamp, withTiming, withUserAgentProtection, withValidation, withXSSProtection };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map