nucleus-core-ts 0.9.724 → 0.9.725
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -326,6 +326,23 @@ export function createHttpProxyHandler(config) {
|
|
|
326
326
|
headers.delete('x-forwarded-for');
|
|
327
327
|
headers.delete('x-real-ip');
|
|
328
328
|
}
|
|
329
|
+
// SECURITY (same trust-boundary rationale as the IP strip above): the proxy is the
|
|
330
|
+
// authority for identity. STRIP every client-supplied identity header so a caller can
|
|
331
|
+
// never forward `x-user-id: <victim>` / `x-user-roles: godmin` / `x-user-claims: …`
|
|
332
|
+
// to a trusting backend. Any legitimate values are re-set below ONLY from a verified
|
|
333
|
+
// source (target.headers config, or injectUserIdFromJwt). Defense-in-depth: the nucleus
|
|
334
|
+
// edge (ElysiaPlugin onRequest) also strips these, but a non-nucleus backend behind this
|
|
335
|
+
// proxy would otherwise be impersonatable.
|
|
336
|
+
for (const h of [
|
|
337
|
+
'x-user-id',
|
|
338
|
+
'x-user-role',
|
|
339
|
+
'x-user-roles',
|
|
340
|
+
'x-user-claims',
|
|
341
|
+
'x-user-email',
|
|
342
|
+
'x-auth-type'
|
|
343
|
+
]){
|
|
344
|
+
headers.delete(h);
|
|
345
|
+
}
|
|
329
346
|
if (target.headers) {
|
|
330
347
|
for (const [key, value] of Object.entries(target.headers)){
|
|
331
348
|
headers.set(key, value);
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "nucleus-core-ts",
|
|
3
|
-
"version": "0.9.
|
|
3
|
+
"version": "0.9.725",
|
|
4
4
|
"description": "Production-ready, enterprise-grade TypeScript framework for building multi-tenant APIs",
|
|
5
5
|
"author": "Hidayet Can Özcan <hidayetcan@gmail.com>",
|
|
6
6
|
"license": "SEE LICENSE IN LICENSE",
|