nucleus-core-ts 0.9.726 → 0.9.727

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -328,23 +328,15 @@ export function createHttpProxyHandler(config) {
328
328
  headers.delete('x-forwarded-for');
329
329
  headers.delete('x-real-ip');
330
330
  }
331
- // SECURITY (same trust-boundary rationale as the IP strip above): the proxy is the
332
- // authority for identity. STRIP every client-supplied identity header so a caller can
333
- // never forward `x-user-id: <victim>` / `x-user-roles: godmin` / `x-user-claims: …`
334
- // to a trusting backend. Any legitimate values are re-set below ONLY from a verified
335
- // source (target.headers config, or injectUserIdFromJwt). Defense-in-depth: the nucleus
336
- // edge (ElysiaPlugin onRequest) also strips these, but a non-nucleus backend behind this
337
- // proxy would otherwise be impersonatable.
338
- for (const h of [
339
- 'x-user-id',
340
- 'x-user-role',
341
- 'x-user-roles',
342
- 'x-user-claims',
343
- 'x-user-email',
344
- 'x-auth-type'
345
- ]){
346
- headers.delete(h);
347
- }
331
+ // NOTE: this proxy deliberately does NOT strip inbound x-user-* identity headers. A
332
+ // legitimate TRUSTED upstream (e.g. the Vorion portal server.ts) VERIFIES the session and
333
+ // sets x-user-id / x-user-role / x-user-roles / x-user-claims from the verified cookie
334
+ // BEFORE handing the request to this handler stripping them here would drop the caller's
335
+ // roles/claims and break the backend. Anti-spoofing therefore belongs at the entry edge
336
+ // that first sees the client (server.ts strips+re-sets from verified cookies; the nucleus
337
+ // ElysiaPlugin onRequest strips+re-derives from the verified JWT). Only x-user-id is
338
+ // re-set below when injectUserIdFromJwt is configured (an explicit opt-in for a bare
339
+ // backend); the other identity headers pass through from the trusted upstream unchanged.
348
340
  if (target.headers) {
349
341
  for (const [key, value] of Object.entries(target.headers)){
350
342
  headers.set(key, value);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nucleus-core-ts",
3
- "version": "0.9.726",
3
+ "version": "0.9.727",
4
4
  "description": "Production-ready, enterprise-grade TypeScript framework for building multi-tenant APIs",
5
5
  "author": "Hidayet Can Özcan <hidayetcan@gmail.com>",
6
6
  "license": "SEE LICENSE IN LICENSE",