nsgm-cli 2.1.9 → 2.1.11

package/lib/index.js

@@ -5,6 +5,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.startExpress = void 0;
+// 加载环境变量
+require('dotenv').config();
 // 仅在开发环境中禁用TLS证书验证
 if (process.env.NODE_ENV === 'development') {
     process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
@@ -23,6 +25,8 @@ const config_1 = __importDefault(require("next/config"));
 const generate_1 = require("./generate");
 const lodash_1 = __importDefault(require("lodash"));
 const cors_1 = __importDefault(require("cors"));
+const express_session_1 = __importDefault(require("express-session"));
+const csrf_1 = require("./server/csrf");
 const { resolve } = path_1.default;
 const curFolder = process.cwd();
 const processArgvs = (0, args_1.getProcessArgvs)(2);
@@ -90,19 +94,48 @@ const startExpress = (options, callback) => {
             // 不要因为数据库连接失败就退出，允许应用继续运行
         }
         const server = (0, express_1.default)();
+        // 配置 session（CSRF 保护需要）
+        server.use((0, express_session_1.default)({
+            secret: process.env.SESSION_SECRET || 'nsgm-default-secret-key-change-in-production',
+            resave: false,
+            saveUninitialized: true, // 改为 true，确保 session 被创建
+            name: 'sessionId', // 明确指定 session cookie 名称
+            cookie: {
+                secure: false, // 开发环境总是使用 false，生产环境再考虑 HTTPS
+                httpOnly: true,
+                maxAge: 24 * 60 * 60 * 1000, // 24小时
+                sameSite: 'lax', // 设置 SameSite 策略
+                domain: undefined // 不设置 domain，使用默认
+            }
+        }));
+        // 初始化 CSRF token - 移除全局初始化，让每个端点自己处理
+        // server.use(setupCSRFToken)
         server.use(body_parser_1.default.urlencoded({
             extended: false
         }));
         // 支持跨域，nsgm export 之后前后分离
-        server.use((0, cors_1.default)());
+        server.use((0, cors_1.default)({
+            credentials: true, // 允许发送 cookies
+            origin: process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:3000']
+        }));
         server.use(body_parser_1.default.json());
+        // 添加基本安全中间件
+        server.use(csrf_1.securityMiddleware.basicHeaders);
+        if (process.env.NODE_ENV === 'production') {
+            server.use((0, csrf_1.createCSPMiddleware)()); // 内容安全策略
+        }
+        // 添加 CSRF 保护中间件（在解析 body 之后）
+        server.use(csrf_1.csrfProtection);
         server.use((0, express_fileupload_1.default)());
         server.use('/static', express_1.default.static(path_1.default.join(__dirname, 'public')));
         server.use('/graphql', (0, graphql_1.default)(command));
         const nextConfig = (0, config_1.default)();
         const { publicRuntimeConfig } = nextConfig;
         const { host, port, prefix } = publicRuntimeConfig;
+        // 提供 CSRF token 的端点
+        server.get('/csrf-token', csrf_1.getCSRFToken);
         if (prefix !== '') {
+            server.get(`${prefix}/csrf-token`, csrf_1.getCSRFToken);
             server.use(`${prefix}/static`, express_1.default.static(path_1.default.join(__dirname, 'public')));
             server.use(`${prefix}/graphql`, (0, graphql_1.default)(command));
         }

package/lib/server/csrf.d.ts

@@ -0,0 +1,17 @@
+import { Request, Response, NextFunction } from 'express';
+declare module 'express-session' {
+    interface SessionData {
+        _csrf?: string;
+    }
+}
+declare module 'express-serve-static-core' {
+    interface Request {
+        csrfToken?: () => string;
+    }
+}
+export declare const csrfProtection: (req: Request, res: Response, next: NextFunction) => unknown;
+export declare const getCSRFToken: (req: Request, res: Response) => void;
+export declare const securityMiddleware: {
+    basicHeaders: import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
+};
+export declare const createCSPMiddleware: () => import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;

package/lib/server/csrf.js

@@ -0,0 +1,99 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCSPMiddleware = exports.securityMiddleware = exports.getCSRFToken = exports.csrfProtection = void 0;
+const lusca_1 = __importDefault(require("lusca"));
+// Lusca CSRF 配置
+const luscaConfig = {
+    // CSRF 保护 - 修正配置格式
+    csrf: {
+        header: 'x-csrf-token', // 从 header 中读取 token
+        cookie: '_csrf', // cookie 名称
+        key: 'csrf', // session key
+        secret: process.env.CSRF_SECRET || 'your-csrf-secret-change-in-production'
+    },
+    // 内容安全策略
+    csp: {
+        policy: {
+            'default-src': "'self'",
+            'script-src': "'self' 'unsafe-inline'",
+            'style-src': "'self' 'unsafe-inline'",
+            'img-src': "'self' data: https:",
+            'font-src': "'self' https:",
+            'connect-src': "'self'"
+        }
+    },
+    // 其他安全设置
+    xframe: 'SAMEORIGIN',
+    nosniff: true,
+    xssProtection: true,
+    referrerPolicy: 'same-origin'
+};
+// 条件性 CSRF 保护中间件
+const csrfProtection = (req, res, next) => {
+    // console.log('CSRF 中间件 - 路径:', req.path, '方法:', req.method)
+    // 跳过 GET 请求和某些不需要 CSRF 保护的路径
+    if (req.method === 'GET' ||
+        req.path.startsWith('/static') ||
+        req.path === '/csrf-token' ||
+        req.path.startsWith('/_next') || // Next.js 内部资源
+        req.path.startsWith('/__next') // Next.js 开发模式内部端点
+    ) {
+        // console.log('CSRF 中间件 - 跳过保护')
+        return next();
+    }
+    // 对其他请求应用 Lusca CSRF 保护
+    // console.log('CSRF 中间件 - 应用 Lusca 保护')
+    return lusca_1.default.csrf(luscaConfig.csrf)(req, res, next);
+};
+exports.csrfProtection = csrfProtection;
+// 获取 CSRF token 的路由处理器
+const getCSRFToken = (req, res) => {
+    try {
+        // 尝试从 session 中获取已有的 token
+        const csrfToken = req.session._csrf || req.session[luscaConfig.csrf.key];
+        if (!csrfToken) {
+            // 如果没有 token，先生成一个
+            lusca_1.default.csrf(luscaConfig.csrf)(req, res, () => {
+                const newToken = req.session._csrf || req.session[luscaConfig.csrf.key] || req.csrfToken?.();
+                // console.log('生成新的 CSRF token:', newToken)
+                // console.log('Token 生成时的 Session ID:', req.sessionID)
+                res.json({
+                    csrfToken: newToken
+                });
+            });
+        }
+        else {
+            // console.log('返回现有 CSRF token:', csrfToken)
+            // console.log('Token 生成时的 Session ID:', req.sessionID)
+            res.json({
+                csrfToken: csrfToken
+            });
+        }
+    }
+    catch (error) {
+        console.error('获取 CSRF token 错误:', error);
+        res.status(500).json({
+            error: 'Failed to generate CSRF token',
+            message: '生成 CSRF 令牌失败'
+        });
+    }
+};
+exports.getCSRFToken = getCSRFToken;
+// Lusca 安全中间件配置
+exports.securityMiddleware = {
+    // 基本的安全头
+    basicHeaders: (0, lusca_1.default)({
+        xframe: luscaConfig.xframe,
+        nosniff: luscaConfig.nosniff,
+        xssProtection: luscaConfig.xssProtection,
+        referrerPolicy: luscaConfig.referrerPolicy
+    })
+};
+// CSP 中间件
+const createCSPMiddleware = () => {
+    return lusca_1.default.csp(luscaConfig.csp);
+};
+exports.createCSPMiddleware = createCSPMiddleware;