npm - nyte - Versions diffs - 1.2.1 → 1.2.3 - Mend

nyte 1.2.1 → 1.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/client/entry.client.js +4 -2
package/package.json +6 -1
package/src/client/entry.client.tsx +9 -5
package/dist/security.selftest.d.ts +0 -1
package/dist/security.selftest.js +0 -170
package/src/security.selftest.ts +0 -192

package/dist/client/entry.client.js CHANGED Viewed

@@ -280,9 +280,11 @@ function DevIndicator({ hasBuildError = false, onClickBuildError, }) {
       }
       .nyte-dev-badge {
         /* AQUI ESTÁ O QUE SEGURA ELE NA TELA: */
-        position: fixed;
+        position: sticky;
         bottom: 20px;
-        right: 20px;
+        /* float e margens para forçar a direita no modo sticky */
+        float: right;
+        margin-right: 20px;
         z-index: 999999;
         display: flex;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nyte",
-  "version": "1.2.1",
+  "version": "1.2.3",
   "description": "Nyte.js is a high-level framework for building web applications with ease and speed. It provides a robust set of tools and features to streamline development and enhance productivity.",
   "types": "dist/index.d.ts",
   "author": "itsmuzin",
@@ -29,6 +29,11 @@
       "import": "./dist/index.js",
       "require": "./dist/index.js"
     },
+    "./console": {
+      "types": "./dist/api/console.d.ts",
+      "import": "./dist/api/console.js",
+      "require": "./dist/api/console.js"
+    },
     "./react": {
       "types": "./dist/client/client.d.ts",
       "import": "./dist/client/client.js",

package/src/client/entry.client.tsx CHANGED Viewed

@@ -261,10 +261,12 @@ function App({ componentMap, routes, initialComponentPath, initialParams, layout
 export function DevIndicator({
-    hasBuildError = false,
-    onClickBuildError,
-}: {
+                                 hasBuildError = false,
+                                 onClickBuildError,
+                             }: {
     hasBuildError?: boolean;
     onClickBuildError?: () => void;
 }) {
@@ -314,9 +316,11 @@ export function DevIndicator({
       }
       .nyte-dev-badge {
         /* AQUI ESTÁ O QUE SEGURA ELE NA TELA: */
-        position: fixed;
+        position: sticky;
         bottom: 20px;
-        right: 20px;
+        /* float e margens para forçar a direita no modo sticky */
+        float: right;
+        margin-right: 20px;
         z-index: 999999;
         display: flex;

package/dist/security.selftest.d.ts DELETED Viewed

	@@ -1 +0,0 @@
1	- export {};

package/dist/security.selftest.js DELETED Viewed

@@ -1,170 +0,0 @@
-"use strict";
-/*
- * Lightweight security self-tests (no external test runner required).
- *
- * These tests validate that:
- * - Static serving does NOT allow path traversal outside its base dirs.
- * - HTTP->HTTPS redirect does NOT trust hostile Host headers.
- *
- * Run (from repo root):
- *   node packages/nytejs/dist/security.selftest.js
- */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const fs_1 = __importDefault(require("fs"));
-const path_1 = __importDefault(require("path"));
-const http_1 = __importDefault(require("http"));
-const helpers_1 = require("./helpers");
-function assert(condition, message) {
-    if (!condition)
-        throw new Error(message);
-}
-async function httpRequest(opts) {
-    return new Promise((resolve, reject) => {
-        const req = http_1.default.request(opts, (res) => {
-            let data = '';
-            res.setEncoding('utf8');
-            res.on('data', (c) => (data += c));
-            res.on('end', () => resolve({ status: res.statusCode || 0, headers: res.headers, body: data }));
-        });
-        req.on('error', reject);
-        if (opts.body)
-            req.write(opts.body);
-        req.end();
-    });
-}
-function randomPort() {
-    // Avoid privileged ports. Not cryptographic; just for tests.
-    return 20000 + Math.floor(Math.random() * 20000);
-}
-// --- Redirect host poisoning: test a pure builder (no TLS required) ---
-function buildHttpsRedirectLocation(params) {
-    const rawHost = String(params.requestHostHeader || '').trim();
-    let hostToUse = String(params.configuredHostname || params.fallbackHostname || '').trim();
-    if (!hostToUse) {
-        const hostWithoutPort = rawHost.split(':')[0];
-        const isValidHost = /^[a-zA-Z0-9.-]+$/.test(hostWithoutPort) && !hostWithoutPort.includes('..');
-        hostToUse = isValidHost ? hostWithoutPort : 'localhost';
-    }
-    let redirectUrl = `https://${hostToUse}`;
-    if (params.httpsPort !== 443)
-        redirectUrl += `:${params.httpsPort}`;
-    redirectUrl += params.requestUrl || '/';
-    return redirectUrl;
-}
-async function withTempProject(fn) {
-    const base = path_1.default.join(process.cwd(), '.nyte-security-selftest');
-    fs_1.default.mkdirSync(base, { recursive: true });
-    const projectDir = fs_1.default.mkdtempSync(path_1.default.join(base, 'proj-'));
-    // minimal folder structure
-    fs_1.default.mkdirSync(path_1.default.join(projectDir, 'src', 'web', 'routes'), { recursive: true });
-    fs_1.default.mkdirSync(path_1.default.join(projectDir, 'src', 'backend', 'routes'), { recursive: true });
-    fs_1.default.mkdirSync(path_1.default.join(projectDir, 'public'), { recursive: true });
-    // Basic route so app.prepare() succeeds (route loader expects files)
-    const routeFile = path_1.default.join(projectDir, 'src', 'web', 'routes', 'index.tsx');
-    fs_1.default.writeFileSync(routeFile, `export default function Index(){ return null; }\nexport const component = Index;\n`, 'utf8');
-    // A secret file OUTSIDE public/.nyte to test traversal attempts
-    fs_1.default.writeFileSync(path_1.default.join(projectDir, 'SECRET.txt'), 'TOP_SECRET', 'utf8');
-    try {
-        return await fn(projectDir);
-    }
-    finally {
-        try {
-            fs_1.default.rmSync(projectDir, { recursive: true, force: true });
-        }
-        catch {
-            // ignore cleanup issues
-        }
-    }
-}
-async function testStaticPathTraversal() {
-    await withTempProject(async (projectDir) => {
-        const port = randomPort();
-        const server = await (0, helpers_1.app)({ dir: projectDir, dev: true, port, hostname: '127.0.0.1' }).init();
-        try {
-            // Try to escape public dir
-            const res1 = await httpRequest({
-                hostname: '127.0.0.1',
-                port,
-                method: 'GET',
-                path: '/../SECRET.txt'
-            });
-            assert(res1.status !== 200, `Expected traversal from public to be blocked, got 200 with body: ${res1.body}`);
-            assert(!res1.body.includes('TOP_SECRET'), 'Traversal leaked secret content');
-            // Try to escape .nyte via /_nyte/
-            const res2 = await httpRequest({
-                hostname: '127.0.0.1',
-                port,
-                method: 'GET',
-                path: '/_nyte/../SECRET.txt'
-            });
-            assert(res2.status !== 200, `Expected traversal from /_nyte to be blocked, got 200 with body: ${res2.body}`);
-            assert(!res2.body.includes('TOP_SECRET'), 'Traversal via /_nyte leaked secret content');
-            // Encoded traversal
-            const res3 = await httpRequest({
-                hostname: '127.0.0.1',
-                port,
-                method: 'GET',
-                path: '/_nyte/%2e%2e/SECRET.txt'
-            });
-            assert(res3.status !== 200, `Expected encoded traversal to be blocked, got 200 with body: ${res3.body}`);
-            assert(!res3.body.includes('TOP_SECRET'), 'Encoded traversal leaked secret content');
-        }
-        finally {
-            await new Promise((resolve) => server.close(() => resolve()));
-        }
-    });
-}
-async function testHttpsRedirectHostPoisoning() {
-    // configuredHostname should win over hostile Host header
-    const loc1 = buildHttpsRedirectLocation({
-        configuredHostname: 'example.com',
-        fallbackHostname: '0.0.0.0',
-        httpsPort: 8443,
-        requestHostHeader: 'evil.com',
-        requestUrl: '/login?x=1'
-    });
-    assert(loc1.startsWith('https://example.com:8443/'), `Expected configured hostname, got ${loc1}`);
-    assert(!loc1.includes('evil.com'), `Redirect trusted hostile Host header. Location=${loc1}`);
-    // without configured host, a valid host header is accepted
-    const loc2 = buildHttpsRedirectLocation({
-        httpsPort: 443,
-        requestHostHeader: 'good.example',
-        requestUrl: '/'
-    });
-    assert(loc2 === 'https://good.example/', `Expected host header to be used, got ${loc2}`);
-    // invalid host header should be rejected
-    const loc3 = buildHttpsRedirectLocation({
-        httpsPort: 443,
-        requestHostHeader: 'evil.com\r\nX-Evil: 1',
-        requestUrl: '/'
-    });
-    assert(loc3 === 'https://localhost/', `Expected invalid host to fallback to localhost, got ${loc3}`);
-}
-async function main() {
-    const results = [];
-    async function run(name, fn) {
-        try {
-            await fn();
-            results.push({ name, ok: true });
-        }
-        catch (e) {
-            results.push({ name, ok: false, error: e?.message || String(e) });
-        }
-    }
-    await run('static path traversal', testStaticPathTraversal);
-    await run('https redirect host poisoning', testHttpsRedirectHostPoisoning);
-    const failed = results.filter(r => !r.ok);
-    for (const r of results) {
-        // eslint-disable-next-line no-console
-        console.log(`${r.ok ? 'PASS' : 'FAIL'} - ${r.name}${r.ok ? '' : `: ${r.error}`}`);
-    }
-    if (failed.length) {
-        process.exitCode = 1;
-    }
-}
-// Only run when executed directly
-// eslint-disable-next-line @typescript-eslint/no-floating-promises
-main();

package/src/security.selftest.ts DELETED Viewed

@@ -1,192 +0,0 @@
-/*
- * Lightweight security self-tests (no external test runner required).
- *
- * These tests validate that:
- * - Static serving does NOT allow path traversal outside its base dirs.
- * - HTTP->HTTPS redirect does NOT trust hostile Host headers.
- *
- * Run (from repo root):
- *   node packages/nytejs/dist/security.selftest.js
- */
-import fs from 'fs';
-import path from 'path';
-import http from 'http';
-import { app } from './helpers';
-function assert(condition: any, message: string): void {
-    if (!condition) throw new Error(message);
-}
-async function httpRequest(opts: http.RequestOptions & { body?: string }): Promise<{ status: number; headers: http.IncomingHttpHeaders; body: string }> {
-    return new Promise((resolve, reject) => {
-        const req = http.request(opts, (res) => {
-            let data = '';
-            res.setEncoding('utf8');
-            res.on('data', (c) => (data += c));
-            res.on('end', () => resolve({ status: res.statusCode || 0, headers: res.headers, body: data }));
-        });
-        req.on('error', reject);
-        if (opts.body) req.write(opts.body);
-        req.end();
-    });
-}
-function randomPort(): number {
-    // Avoid privileged ports. Not cryptographic; just for tests.
-    return 20000 + Math.floor(Math.random() * 20000);
-}
-// --- Redirect host poisoning: test a pure builder (no TLS required) ---
-function buildHttpsRedirectLocation(params: {
-    configuredHostname?: string;
-    fallbackHostname?: string;
-    httpsPort: number;
-    requestHostHeader?: string;
-    requestUrl?: string;
-}): string {
-    const rawHost = String(params.requestHostHeader || '').trim();
-    let hostToUse = String(params.configuredHostname || params.fallbackHostname || '').trim();
-    if (!hostToUse) {
-        const hostWithoutPort = rawHost.split(':')[0];
-        const isValidHost = /^[a-zA-Z0-9.-]+$/.test(hostWithoutPort) && !hostWithoutPort.includes('..');
-        hostToUse = isValidHost ? hostWithoutPort : 'localhost';
-    }
-    let redirectUrl = `https://${hostToUse}`;
-    if (params.httpsPort !== 443) redirectUrl += `:${params.httpsPort}`;
-    redirectUrl += params.requestUrl || '/';
-    return redirectUrl;
-}
-async function withTempProject<T>(fn: (projectDir: string) => Promise<T>): Promise<T> {
-    const base = path.join(process.cwd(), '.nyte-security-selftest');
-    fs.mkdirSync(base, { recursive: true });
-    const projectDir = fs.mkdtempSync(path.join(base, 'proj-'));
-    // minimal folder structure
-    fs.mkdirSync(path.join(projectDir, 'src', 'web', 'routes'), { recursive: true });
-    fs.mkdirSync(path.join(projectDir, 'src', 'backend', 'routes'), { recursive: true });
-    fs.mkdirSync(path.join(projectDir, 'public'), { recursive: true });
-    // Basic route so app.prepare() succeeds (route loader expects files)
-    const routeFile = path.join(projectDir, 'src', 'web', 'routes', 'index.tsx');
-    fs.writeFileSync(
-        routeFile,
-        `export default function Index(){ return null; }\nexport const component = Index;\n`,
-        'utf8'
-    );
-    // A secret file OUTSIDE public/.nyte to test traversal attempts
-    fs.writeFileSync(path.join(projectDir, 'SECRET.txt'), 'TOP_SECRET', 'utf8');
-    try {
-        return await fn(projectDir);
-    } finally {
-        try {
-            fs.rmSync(projectDir, { recursive: true, force: true });
-        } catch {
-            // ignore cleanup issues
-        }
-    }
-}
-async function testStaticPathTraversal(): Promise<void> {
-    await withTempProject(async (projectDir) => {
-        const port = randomPort();
-        const server = await app({ dir: projectDir, dev: true, port, hostname: '127.0.0.1' }).init();
-        try {
-            // Try to escape public dir
-            const res1 = await httpRequest({
-                hostname: '127.0.0.1',
-                port,
-                method: 'GET',
-                path: '/../SECRET.txt'
-            });
-            assert(res1.status !== 200, `Expected traversal from public to be blocked, got 200 with body: ${res1.body}`);
-            assert(!res1.body.includes('TOP_SECRET'), 'Traversal leaked secret content');
-            // Try to escape .nyte via /_nyte/
-            const res2 = await httpRequest({
-                hostname: '127.0.0.1',
-                port,
-                method: 'GET',
-                path: '/_nyte/../SECRET.txt'
-            });
-            assert(res2.status !== 200, `Expected traversal from /_nyte to be blocked, got 200 with body: ${res2.body}`);
-            assert(!res2.body.includes('TOP_SECRET'), 'Traversal via /_nyte leaked secret content');
-            // Encoded traversal
-            const res3 = await httpRequest({
-                hostname: '127.0.0.1',
-                port,
-                method: 'GET',
-                path: '/_nyte/%2e%2e/SECRET.txt'
-            });
-            assert(res3.status !== 200, `Expected encoded traversal to be blocked, got 200 with body: ${res3.body}`);
-            assert(!res3.body.includes('TOP_SECRET'), 'Encoded traversal leaked secret content');
-        } finally {
-            await new Promise<void>((resolve) => (server as any).close(() => resolve()));
-        }
-    });
-}
-async function testHttpsRedirectHostPoisoning(): Promise<void> {
-    // configuredHostname should win over hostile Host header
-    const loc1 = buildHttpsRedirectLocation({
-        configuredHostname: 'example.com',
-        fallbackHostname: '0.0.0.0',
-        httpsPort: 8443,
-        requestHostHeader: 'evil.com',
-        requestUrl: '/login?x=1'
-    });
-    assert(loc1.startsWith('https://example.com:8443/'), `Expected configured hostname, got ${loc1}`);
-    assert(!loc1.includes('evil.com'), `Redirect trusted hostile Host header. Location=${loc1}`);
-    // without configured host, a valid host header is accepted
-    const loc2 = buildHttpsRedirectLocation({
-        httpsPort: 443,
-        requestHostHeader: 'good.example',
-        requestUrl: '/'
-    });
-    assert(loc2 === 'https://good.example/', `Expected host header to be used, got ${loc2}`);
-    // invalid host header should be rejected
-    const loc3 = buildHttpsRedirectLocation({
-        httpsPort: 443,
-        requestHostHeader: 'evil.com\r\nX-Evil: 1',
-        requestUrl: '/'
-    });
-    assert(loc3 === 'https://localhost/', `Expected invalid host to fallback to localhost, got ${loc3}`);
-}
-async function main(): Promise<void> {
-    const results: Array<{ name: string; ok: boolean; error?: string }> = [];
-    async function run(name: string, fn: () => Promise<void>) {
-        try {
-            await fn();
-            results.push({ name, ok: true });
-        } catch (e: any) {
-            results.push({ name, ok: false, error: e?.message || String(e) });
-        }
-    }
-    await run('static path traversal', testStaticPathTraversal);
-    await run('https redirect host poisoning', testHttpsRedirectHostPoisoning);
-    const failed = results.filter(r => !r.ok);
-    for (const r of results) {
-        // eslint-disable-next-line no-console
-        console.log(`${r.ok ? 'PASS' : 'FAIL'} - ${r.name}${r.ok ? '' : `: ${r.error}`}`);
-    }
-    if (failed.length) {
-        process.exitCode = 1;
-    }
-}
-// Only run when executed directly
-// eslint-disable-next-line @typescript-eslint/no-floating-promises
-main();