shokupan 0.15.0 → 0.15.1

package/dist/{index-46Z4ASUY.cjs → index-5vGQaaL5.cjs}

@@ -116,26 +116,58 @@ class BodyParser {
   }
   /**
    * Parsing helper for FormData
+   * Security: Enforces maxBodySize by reading the raw body stream before
+   * handing it to formData(), so the limit cannot be bypassed via a spoofed
+   * Content-Length header.
    */
   static async parseFormData(req, maxBodySize) {
-    const clHeader = req.headers.get("content-length");
-    if (!clHeader) {
-      const err = new Error("Length Required");
-      err.status = 411;
-      throw err;
+    const rawBuffer = await BodyParser.readRawBufferBody(req, maxBodySize);
+    const syntheticReq = new Request("http://localhost", {
+      method: "POST",
+      headers: req.headers,
+      body: rawBuffer.buffer
+    });
+    return syntheticReq.formData();
+  }
+  /**
+   * Reads raw body as Uint8Array with size enforcement (used by parseFormData).
+   */
+  static async readRawBufferBody(req, maxBodySize) {
+    if (typeof req.body === "string") {
+      const enc = new TextEncoder().encode(req.body);
+      if (enc.byteLength > maxBodySize) {
+        const err = new Error("Payload Too Large");
+        err.status = 413;
+        throw err;
+      }
+      return enc;
     }
-    const cl = parseInt(clHeader, 10);
-    if (isNaN(cl)) {
-      const err = new Error("Bad Request");
-      err.status = 400;
-      throw err;
+    const reader = req.body?.getReader();
+    if (!reader) return new Uint8Array(0);
+    const chunks = [];
+    let totalSize = 0;
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        totalSize += value.length;
+        if (totalSize > maxBodySize) {
+          const err = new Error("Payload Too Large");
+          err.status = 413;
+          throw err;
+        }
+        chunks.push(value);
+      }
+    } finally {
+      reader.releaseLock();
     }
-    if (cl > maxBodySize) {
-      const err = new Error("Payload Too Large");
-      err.status = 413;
-      throw err;
+    const result = new Uint8Array(totalSize);
+    let offset = 0;
+    for (const chunk of chunks) {
+      result.set(chunk, offset);
+      offset += chunk.length;
     }
-    return req.formData();
+    return result;
   }
   /**
    * Reads raw body as string with size enforcement
@@ -1383,7 +1415,7 @@ class ShokupanContext {
 }
 function RateLimitMiddleware(options = {}) {
   const windowMs = options.windowMs || 60 * 1e3;
-  const max = options.limit || options.max || 5;
+  const max = options.limit || options.max || 100;
   const message = options.message || "Too many requests, please try again later.";
   const statusCode = options.statusCode || 429;
   const headers = options.headers !== false;
@@ -1412,9 +1444,7 @@ function RateLimitMiddleware(options = {}) {
   const hits = /* @__PURE__ */ new Map();
   const interval = setInterval(() => {
     const now = Date.now();
-    const entries = Array.from(hits.entries());
-    for (let i = 0; i < entries.length; i++) {
-      const [key, record] = entries[i];
+    for (const [key, record] of hits) {
       if (record.resetTime <= now) {
         hits.delete(key);
       }
@@ -5920,29 +5950,29 @@ class Shokupan extends ShokupanRouter {
     try {
       switch (adapterName) {
         case "sqlite": {
-          const { SqliteAdapter } = await Promise.resolve().then(() => require("./sqlite-sfDxgiji.cjs"));
+          const { SqliteAdapter } = await Promise.resolve().then(() => require("./sqlite-DdGPsbUB.cjs"));
           this.datastore = new SqliteAdapter(options);
           break;
         }
         case "level": {
-          const { LevelAdapter } = await Promise.resolve().then(() => require("./level-B0zBSwWA.cjs"));
+          const { LevelAdapter } = await Promise.resolve().then(() => require("./level-dUQVvWkh.cjs"));
           this.datastore = new LevelAdapter(options);
           break;
         }
         case "surrealdb": {
-          const { SurrealAdapter } = await Promise.resolve().then(() => require("./surreal-DiEl_VJL.cjs"));
+          const { SurrealAdapter } = await Promise.resolve().then(() => require("./surreal-p1skSyYf.cjs"));
           const legacyConfig = this.applicationConfig.surreal || {};
           const effectiveOptions = { ...legacyConfig, ...options };
           this.datastore = new SurrealAdapter(effectiveOptions);
           break;
         }
         case "knex": {
-          const { KnexAdapter } = await Promise.resolve().then(() => require("./knex-CIS1IT0Y.cjs"));
+          const { KnexAdapter } = await Promise.resolve().then(() => require("./knex-CDjnrxdn.cjs"));
           this.datastore = new KnexAdapter(options || {});
           break;
         }
         default: {
-          const { SurrealAdapter } = await Promise.resolve().then(() => require("./surreal-DiEl_VJL.cjs"));
+          const { SurrealAdapter } = await Promise.resolve().then(() => require("./surreal-p1skSyYf.cjs"));
           const legacy = this.applicationConfig.surreal;
           this.datastore = new SurrealAdapter(options || legacy || {});
         }
@@ -6897,7 +6927,7 @@ class ApiExplorerPlugin extends ShokupanRouter {
     }
   }
   static getBasePath() {
-    const dir = path$1.dirname(node_url.fileURLToPath(typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("index-46Z4ASUY.cjs", document.baseURI).href));
+    const dir = path$1.dirname(node_url.fileURLToPath(typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("index-5vGQaaL5.cjs", document.baseURI).href));
     if (dir.endsWith("dist")) {
       return dir + "/plugins/application/api-explorer";
     }
@@ -6926,22 +6956,26 @@ class ApiExplorerPlugin extends ShokupanRouter {
     this.get("/style.css", (ctx) => serveFile(ctx, "style.css", "text/css"));
     this.get("/theme.css", (ctx) => serveFile(ctx, "theme.css", "text/css"));
     this.get("/explorer-client.mjs", (ctx) => serveFile(ctx, "explorer-client.mjs", "application/javascript"));
-    this.get("/_source", async (ctx) => {
-      const file = ctx.query["file"];
-      if (!file) return ctx.text("Missing file parameter", 400);
-      const { resolve, normalize, isAbsolute } = await import("node:path");
-      const cwd = process.cwd();
-      const resolvedPath = resolve(cwd, file);
-      if (!resolvedPath.startsWith(cwd)) {
-        return ctx.text("Forbidden: File must be within project root", 403);
-      }
-      try {
-        const content = await promises$1.readFile(resolvedPath, "utf-8");
-        return ctx.text(content);
-      } catch (err) {
-        return ctx.text("File not found", 404);
-      }
-    });
+    const isProduction = process.env.NODE_ENV === "production";
+    const sourceViewEnabled = this.pluginOptions.enableSourceView ?? !isProduction;
+    if (sourceViewEnabled) {
+      this.get("/_source", async (ctx) => {
+        const file = ctx.query["file"];
+        if (!file) return ctx.text("Missing file parameter", 400);
+        const { resolve } = await import("node:path");
+        const cwd = process.cwd();
+        const resolvedPath = resolve(cwd, file);
+        if (!resolvedPath.startsWith(cwd + "/") && resolvedPath !== cwd) {
+          return ctx.text("Forbidden: File must be within project root", 403);
+        }
+        try {
+          const content = await promises$1.readFile(resolvedPath, "utf-8");
+          return ctx.text(content);
+        } catch (err) {
+          return ctx.text("File not found", 404);
+        }
+      });
+    }
     this.get("/openapi.json", async (ctx) => {
       const spec = this.root.openApiSpec ? structuredClone(this.root.openApiSpec) : await (this.root || this).generateApiSpec();
       return ctx.json(stripSourceCode(spec));
@@ -7566,7 +7600,7 @@ class AsyncApiPlugin extends ShokupanRouter {
     this.init();
   }
   static getBasePath() {
-    const dir = path$1.dirname(node_url.fileURLToPath(typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("index-46Z4ASUY.cjs", document.baseURI).href));
+    const dir = path$1.dirname(node_url.fileURLToPath(typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("index-5vGQaaL5.cjs", document.baseURI).href));
     if (dir.endsWith("dist")) {
       return dir + "/plugins/application/asyncapi";
     }
@@ -7822,7 +7856,16 @@ class AuthPlugin extends ShokupanRouter {
       };
     } else if (provider === "apple") {
       if (idToken) {
-        const payload = this.jose.decodeJwt(idToken);
+        const { createRemoteJWKSet, jwtVerify } = this.jose;
+        if (!this._appleJwks) {
+          this._appleJwks = createRemoteJWKSet(
+            new URL("https://appleid.apple.com/auth/keys")
+          );
+        }
+        const { payload } = await jwtVerify(idToken, this._appleJwks, {
+          issuer: "https://appleid.apple.com",
+          audience: this.authConfig.providers.apple?.clientId
+        });
         user = {
           id: payload.sub,
           email: payload["email"],
@@ -8199,7 +8242,7 @@ function Card({ title, contentId }) {
     /* @__PURE__ */ jsxRuntime.jsx("div", { id: contentId })
   ] });
 }
-const require$1 = node_module.createRequire(typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("index-46Z4ASUY.cjs", document.baseURI).href);
+const require$1 = node_module.createRequire(typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("index-5vGQaaL5.cjs", document.baseURI).href);
 const http = require$1("node:http");
 const https = require$1("node:https");
 class FetchInterceptor {
@@ -8803,7 +8846,7 @@ class Dashboard {
   }
   // Get base path for dashboard files - works in both dev (src/) and production (dist/)
   static getBasePath() {
-    const dir = path$1.dirname(node_url.fileURLToPath(typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("index-46Z4ASUY.cjs", document.baseURI).href));
+    const dir = path$1.dirname(node_url.fileURLToPath(typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("index-5vGQaaL5.cjs", document.baseURI).href));
     if (dir.endsWith("dist")) {
       return dir + "/plugins/application/dashboard";
     }
@@ -11306,6 +11349,11 @@ function Cors(options = {}) {
     optionsSuccessStatus: 204
   };
   const opts = { ...defaults2, ...options };
+  if (opts.credentials && opts.origin === "*") {
+    throw new Error(
+      'CORS misconfiguration: `credentials: true` is incompatible with `origin: "*"`. Specify an explicit origin or array of origins instead.'
+    );
+  }
   const corsMiddleware = async function CorsMiddleware(ctx, next) {
     const headers = {};
     const origin = ctx.headers.get("origin");
@@ -11852,6 +11900,9 @@ function Proxy$1(options) {
     if (!["http:", "https:"].includes(url.protocol)) {
       return ctx.text("Invalid protocol in proxied URL", 400);
     }
+    if (!options.allowedHosts?.includes(url.hostname)) {
+      return ctx.text("Proxied hostname not in allowlist", 403);
+    }
     const headers = new Headers(req.headers);
     if (options.changeOrigin) {
       headers.set("host", targetUrl.host);
@@ -11945,7 +11996,9 @@ function handleWSDrain(ws) {
 }
 function SecurityHeaders(options = {}) {
   const securityHeadersMiddleware = async function SecurityHeadersMiddleware(ctx, next) {
-    const set = (k, v) => ctx.response.set(k, v);
+    const response = await next();
+    if (!(response instanceof Response)) return response;
+    const set = (k, v) => response.headers.set(k, v);
     if (options.dnsPrefetchControl !== false) {
       const allow = options.dnsPrefetchControl?.allow;
       set("X-DNS-Prefetch-Control", allow ? "on" : "off");
@@ -11956,7 +12009,7 @@ function SecurityHeaders(options = {}) {
       if (action === "sameorigin") set("X-Frame-Options", "SAMEORIGIN");
       else if (action === "deny") set("X-Frame-Options", "DENY");
     }
-    if (options.hsts !== false) {
+    if (options.hsts !== false && ctx.secure === true) {
       const opt = options.hsts || {};
       const maxAge = opt.maxAge || 15552e3;
       let header = `max-age=${maxAge}`;
@@ -11983,14 +12036,25 @@ function SecurityHeaders(options = {}) {
       if (opt === void 0 || opt === true) {
         set("Content-Security-Policy", "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests");
       } else if (typeof opt === "object") {
-        const optEntries = Object.entries(opt);
-        for (let i = 0; i < optEntries.length; i++) {
-          const [key, val] = optEntries[i];
+        const parts = [];
+        for (const [key, val] of Object.entries(opt)) {
+          if (val === false) continue;
+          const directive = key.replace(/([A-Z])/g, "-$1").toLowerCase();
+          if (val === true) {
+            parts.push(directive);
+          } else {
+            const sources = Array.isArray(val) ? val.join(" ") : String(val);
+            parts.push(`${directive} ${sources}`);
+          }
+        }
+        if (parts.length > 0) {
+          set("Content-Security-Policy", parts.join(";"));
         }
       }
     }
-    if (options.hidePoweredBy !== false) ;
-    const response = await next();
+    if (options.hidePoweredBy !== false) {
+      response.headers.delete("X-Powered-By");
+    }
     return response;
   };
   securityHeadersMiddleware.isBuiltin = true;
@@ -12103,7 +12167,7 @@ function unsign(input, secret) {
   Buffer.from(expectedInput).copy(paddedExpected);
   Buffer.from(input).copy(paddedInput);
   try {
-    const valid = require("crypto").timingSafeEqual(paddedExpected, paddedInput);
+    const valid = crypto.timingSafeEqual(paddedExpected, paddedInput);
     return valid ? tentValue : false;
   } catch {
     return false;
@@ -12122,10 +12186,14 @@ function Session(options) {
     const cookies = ctx.cookies;
     const rawCookie = cookies[name];
     if (rawCookie) {
-      if (rawCookie.substr(0, 2) === "s:") {
-        const val = unsign(rawCookie.slice(2), secrets[0]);
-        if (val) {
-          reqSessionId = val;
+      if (rawCookie.slice(0, 2) === "s:") {
+        const signed = rawCookie.slice(2);
+        for (let i = 0; i < secrets.length; i++) {
+          const val = unsign(signed, secrets[i]);
+          if (val !== false) {
+            reqSessionId = val;
+            break;
+          }
         }
       } else {
         reqSessionId = rawCookie;
@@ -12181,8 +12249,6 @@ function Session(options) {
           });
         });
       };
-      sessObj.undefined = () => {
-      };
       sessObj.reload = () => {
         return new Promise((resolve, reject) => {
           store.get(sessObj.id, (err, sess2) => {
@@ -12425,4 +12491,4 @@ exports.traceMiddleware = traceMiddleware;
 exports.useExpress = useExpress;
 exports.valibot = valibot;
 exports.validate = validate;
-//# sourceMappingURL=index-46Z4ASUY.cjs.map
+//# sourceMappingURL=index-5vGQaaL5.cjs.map