nucleus-core-ts 0.9.724 → 0.9.725

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -326,6 +326,23 @@ export function createHttpProxyHandler(config) {
326
326
  headers.delete('x-forwarded-for');
327
327
  headers.delete('x-real-ip');
328
328
  }
329
+ // SECURITY (same trust-boundary rationale as the IP strip above): the proxy is the
330
+ // authority for identity. STRIP every client-supplied identity header so a caller can
331
+ // never forward `x-user-id: <victim>` / `x-user-roles: godmin` / `x-user-claims: …`
332
+ // to a trusting backend. Any legitimate values are re-set below ONLY from a verified
333
+ // source (target.headers config, or injectUserIdFromJwt). Defense-in-depth: the nucleus
334
+ // edge (ElysiaPlugin onRequest) also strips these, but a non-nucleus backend behind this
335
+ // proxy would otherwise be impersonatable.
336
+ for (const h of [
337
+ 'x-user-id',
338
+ 'x-user-role',
339
+ 'x-user-roles',
340
+ 'x-user-claims',
341
+ 'x-user-email',
342
+ 'x-auth-type'
343
+ ]){
344
+ headers.delete(h);
345
+ }
329
346
  if (target.headers) {
330
347
  for (const [key, value] of Object.entries(target.headers)){
331
348
  headers.set(key, value);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nucleus-core-ts",
3
- "version": "0.9.724",
3
+ "version": "0.9.725",
4
4
  "description": "Production-ready, enterprise-grade TypeScript framework for building multi-tenant APIs",
5
5
  "author": "Hidayet Can Özcan <hidayetcan@gmail.com>",
6
6
  "license": "SEE LICENSE IN LICENSE",