tezx 3.0.14-beta → 3.0.14-beta2

package/cjs/jwt/web.js

@@ -0,0 +1,178 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sign = sign;
+exports.verify = verify;
+function parseExpiry(exp) {
+    const match = exp.match(/^(\d+)([smhd])$/);
+    if (!match)
+        return parseInt(exp, 10);
+    const [, val, unit] = match;
+    const num = parseInt(val, 10);
+    switch (unit) {
+        case "s":
+            return num;
+        case "m":
+            return num * 60;
+        case "h":
+            return num * 3600;
+        case "d":
+            return num * 86400;
+        default:
+            return num;
+    }
+}
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+function uint8ToBase64(u8) {
+    let binary = "";
+    const len = u8.length;
+    for (let i = 0; i < len; i++)
+        binary += String.fromCharCode(u8[i]);
+    return typeof btoa !== "undefined" ? btoa(binary) : fallbackBtoa(binary);
+}
+function base64ToUint8(base64) {
+    const bin = typeof atob !== "undefined" ? atob(base64) : fallbackAtob(base64);
+    const len = bin.length;
+    const u8 = new Uint8Array(len);
+    for (let i = 0; i < len; i++)
+        u8[i] = bin.charCodeAt(i);
+    return u8;
+}
+function base64urlFromUint8(u8) {
+    return uint8ToBase64(u8)
+        .replace(/=/g, "")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_");
+}
+function base64urlEncodeString(str) {
+    return base64urlFromUint8(encoder.encode(str));
+}
+function base64urlDecodeToString(input) {
+    let b64 = input.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = b64.length % 4;
+    if (pad)
+        b64 += "=".repeat(4 - pad);
+    const u8 = base64ToUint8(b64);
+    return decoder.decode(u8);
+}
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let res = 0;
+    for (let i = 0; i < a.length; i++) {
+        res |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return res === 0;
+}
+function mapAlg(alg) {
+    if (alg === "HS256")
+        return { name: "HMAC", hash: "SHA-256" };
+    return { name: "HMAC", hash: "SHA-512" };
+}
+async function importKey(secret, alg) {
+    const keyData = encoder.encode(secret);
+    return crypto.subtle.importKey("raw", keyData, mapAlg(alg), false, [
+        "sign",
+        "verify",
+    ]);
+}
+async function hmacSign(key, data) {
+    const sig = await crypto.subtle.sign("HMAC", key, encoder.encode(data));
+    return new Uint8Array(sig);
+}
+function fallbackBtoa(binaryStr) {
+    let base64 = "";
+    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+    let i = 0;
+    const len = binaryStr.length;
+    while (i < len) {
+        const c1 = binaryStr.charCodeAt(i++) & 0xff;
+        if (i === len) {
+            base64 += chars.charAt(c1 >> 2);
+            base64 += chars.charAt((c1 & 0x3) << 4);
+            base64 += "==";
+            break;
+        }
+        const c2 = binaryStr.charCodeAt(i++);
+        if (i === len) {
+            base64 += chars.charAt(c1 >> 2);
+            base64 += chars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xf0) >> 4));
+            base64 += chars.charAt((c2 & 0xf) << 2);
+            base64 += "=";
+            break;
+        }
+        const c3 = binaryStr.charCodeAt(i++);
+        base64 += chars.charAt(c1 >> 2);
+        base64 += chars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xf0) >> 4));
+        base64 += chars.charAt(((c2 & 0xf) << 2) | ((c3 & 0xc0) >> 6));
+        base64 += chars.charAt(c3 & 0x3f);
+    }
+    return base64;
+}
+function fallbackAtob(b64) {
+    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+    let output = "";
+    let i = 0;
+    b64 = b64.replace(/[^A-Za-z0-9\+\/]/g, "");
+    while (i < b64.length) {
+        const enc1 = chars.indexOf(b64.charAt(i++));
+        const enc2 = chars.indexOf(b64.charAt(i++));
+        const enc3 = chars.indexOf(b64.charAt(i++));
+        const enc4 = chars.indexOf(b64.charAt(i++));
+        const chr1 = (enc1 << 2) | (enc2 >> 4);
+        const chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
+        const chr3 = ((enc3 & 3) << 6) | enc4;
+        output += String.fromCharCode(chr1);
+        if (enc3 !== 64 && enc3 !== -1)
+            output += String.fromCharCode(chr2);
+        if (enc4 !== 64 && enc4 !== -1)
+            output += String.fromCharCode(chr3);
+    }
+    return output;
+}
+async function sign(payload, opts) {
+    const alg = (opts?.algorithm || "HS256");
+    const secret = opts?.secret || globalThis.JWT_SECRET || "tezx_secret";
+    const header = { alg, typ: "JWT" };
+    const now = Math.floor(Date.now() / 1000);
+    const exp = typeof opts?.expiresIn === "string"
+        ? now + parseExpiry(opts.expiresIn)
+        : typeof opts?.expiresIn === "number"
+            ? now + opts.expiresIn
+            : now + 86400;
+    const fullPayload = { ...payload, iat: now, exp };
+    const encodedHeader = base64urlEncodeString(JSON.stringify(header));
+    const encodedPayload = base64urlEncodeString(JSON.stringify(fullPayload));
+    const data = `${encodedHeader}.${encodedPayload}`;
+    const key = await importKey(secret, alg);
+    const sigU8 = await hmacSign(key, data);
+    const signature = base64urlFromUint8(sigU8);
+    return `${data}.${signature}`;
+}
+async function verify(token, secret) {
+    try {
+        const parts = token.split(".");
+        if (parts.length !== 3)
+            return null;
+        const [eh, ep, sig] = parts;
+        const data = `${eh}.${ep}`;
+        const headerJson = base64urlDecodeToString(eh);
+        const header = JSON.parse(headerJson);
+        const alg = header?.alg === "HS512" ? "HS512" : "HS256";
+        const s = secret || globalThis.JWT_SECRET || "tezx_secret";
+        const key = await importKey(s, alg);
+        const expectedSigU8 = await hmacSign(key, data);
+        const expectedSig = base64urlFromUint8(expectedSigU8);
+        if (!constantTimeEqual(expectedSig, sig))
+            return null;
+        const payloadJson = base64urlDecodeToString(ep);
+        const payload = JSON.parse(payloadJson);
+        if (payload.exp && Date.now() / 1000 > payload.exp)
+            return null;
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+exports.default = { sign, verify };

package/cjs/middleware/basic-auth.js

@@ -1,45 +1,40 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.basicAuth = void 0;
-const node_buffer_1 = require("node:buffer");
+const error_js_1 = require("../core/error.js");
+const buffer_js_1 = require("../utils/buffer.js");
 const basicAuth = (options) => {
     const { validate, realm = "Restricted Area", onUnauthorized = (ctx, error) => {
         ctx.setStatus = 401;
-        ctx.setHeader("WWW-Authenticate", `Basic realm="${realm}"`);
+        ctx.headers.set("WWW-Authenticate", `Basic realm="${realm}"`);
         return ctx.json({ error: error?.message || "Unauthorized" });
     }, } = options;
     return async (ctx, next) => {
         const auth = ctx.req.header("authorization");
         if (!auth || !auth.startsWith("Basic ")) {
-            return onUnauthorized(ctx, new Error("Basic authentication required"));
+            return onUnauthorized(ctx, new error_js_1.TezXError("Basic authentication required"));
         }
         const base64 = auth.slice(6).trim();
         if (!base64) {
-            return onUnauthorized(ctx, new Error("Empty credentials"));
+            return onUnauthorized(ctx, new error_js_1.TezXError("Empty credentials"));
         }
         let username, password;
         try {
-            const decoded = node_buffer_1.Buffer.from(base64, "base64").toString("utf-8");
+            const decoded = (0, buffer_js_1.base64Decode)(base64);
             const idx = decoded.indexOf(":");
             if (idx === -1)
-                throw new Error("Missing colon in credentials");
+                throw new error_js_1.TezXError("Missing colon in credentials", 400);
             username = decoded.slice(0, idx);
             password = decoded.slice(idx + 1);
-        }
-        catch (err) {
-            return onUnauthorized(ctx, new Error("Invalid Basic auth format"));
-        }
-        try {
             const valid = await validate(username, password, ctx);
             if (!valid) {
-                return onUnauthorized(ctx, new Error("Invalid username or password"));
+                return onUnauthorized(ctx, new error_js_1.TezXError("Invalid username or password", 403));
             }
             ctx.user = { username };
             await next();
         }
         catch (err) {
-            const error = err instanceof Error ? err : new Error(String(err));
-            return onUnauthorized(ctx, error);
+            return onUnauthorized(ctx, (0, error_js_1.TezXErrorParse)(err));
         }
     };
 };

package/cjs/middleware/bearer-auth.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.bearerAuth = void 0;
+const error_js_1 = require("../core/error.js");
 const bearerAuth = (options) => {
     const { validate, realm = "API", onUnauthorized = (ctx, error) => {
         ctx.setStatus = 401;
@@ -10,23 +11,22 @@ const bearerAuth = (options) => {
     return async (ctx, next) => {
         const auth = ctx.req.header("authorization");
         if (!auth || !auth.startsWith("Bearer ")) {
-            return onUnauthorized(ctx, new Error("Bearer token required"));
+            return onUnauthorized(ctx, new error_js_1.TezXError("Bearer token required"));
         }
         const token = auth.slice(7).trim();
         if (!token) {
-            return onUnauthorized(ctx, new Error("Empty token"));
+            return onUnauthorized(ctx, new error_js_1.TezXError("Empty token"));
         }
         try {
             const valid = await validate(token, ctx);
             if (!valid) {
-                return onUnauthorized(ctx, new Error("Invalid or expired token"));
+                return onUnauthorized(ctx, new error_js_1.TezXError("Invalid or expired token"));
             }
             ctx.token = token;
             await next();
         }
         catch (err) {
-            const error = err instanceof Error ? err : new Error(String(err));
-            return onUnauthorized(ctx, error);
+            return onUnauthorized(ctx, (0, error_js_1.TezXErrorParse)(err));
         }
     };
 };

package/cjs/middleware/cache-control.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cacheControl = void 0;
+const error_js_1 = require("../core/error.js");
+const cacheControl = (opts) => {
+    const { defaultSettings, rules = [], onError = (err, ctx) => {
+        ctx.setStatus = 500;
+        ctx.body = { error: err.message ?? "Cache middleware failed" };
+    }, } = opts;
+    const len = rules.length | 0;
+    return async function cacheControlMiddleware(ctx, next) {
+        const method = ctx.method;
+        if (method !== "GET" && method !== "HEAD") {
+            return await next();
+        }
+        try {
+            await next();
+            let matched;
+            for (let i = 0; i < len; i++) {
+                const rule = rules[i];
+                if (rule.condition(ctx)) {
+                    matched = rule;
+                    break;
+                }
+            }
+            const settings = matched ?? defaultSettings;
+            const maxAge = settings.maxAge;
+            const scope = settings.scope;
+            const vary = settings.vary;
+            const cacheValue = `${scope}, max-age=${maxAge}`;
+            const expiresValue = new Date(Date.now() + maxAge * 1000).toUTCString();
+            const headers = ctx.headers;
+            headers.set("Cache-Control", cacheValue);
+            headers.set("Expires", expiresValue);
+            if (vary && vary.length > 0)
+                headers.set("Vary", vary.join(", "));
+        }
+        catch (err) {
+            return onError((0, error_js_1.TezXErrorParse)(err), ctx);
+        }
+    };
+};
+exports.cacheControl = cacheControl;
+exports.default = exports.cacheControl;

package/cjs/middleware/cors.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.cors = cors;
 exports.default = cors;
 function cors(option = {}) {
-    const { credentials, maxAge, origin, } = option;
+    const { credentials, maxAge, origin } = option;
     let methods = (option.methods || ["GET", "POST", "PUT", "DELETE"]).join(", ");
     let allowedHeaders = (option.allowedHeaders || ["Content-Type", "Authorization"]).join(", ");
     let exposedHeaders = option?.exposedHeaders?.join(", ");

package/cjs/middleware/detect-bot.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectBot = void 0;
+const config_js_1 = require("../core/config.js");
+const rateLimit_js_1 = require("../utils/rateLimit.js");
+const runtime_js_1 = require("../utils/runtime.js");
+const detectBot = (opts = {}) => {
+    const botUAs = opts.botUserAgents || ["bot", "spider", "crawl", "slurp"];
+    let checkBot;
+    if (runtime_js_1.runtime === "bun") {
+        const botRegex = new RegExp(botUAs.join("|"), "i");
+        checkBot = (ua) => botRegex.test(ua);
+    }
+    else {
+        checkBot = (ua) => {
+            for (const b of botUAs)
+                if (ua.includes(b))
+                    return true;
+            return false;
+        };
+    }
+    const maxReq = opts.maxRequests || 30;
+    const winMs = opts.windowMs || 60000;
+    const enableRL = !!opts.enableRateLimiting;
+    const onBot = opts.onBotDetected ??
+        ((ctx, reason) => ctx.status(403).json({ error: `Bot detected: ${reason}` }));
+    let store = opts.storage;
+    if (enableRL && !store)
+        store = (0, rateLimit_js_1.createRateLimitDefaultStorage)();
+    return async (ctx, next) => {
+        const ua = ctx.headers.get("user-agent") || "";
+        if (checkBot(ua)) {
+            return onBot?.(ctx, "User-Agent");
+        }
+        if (await opts?.isBlacklisted?.(ctx)) {
+            return onBot?.(ctx, "Blacklisted IP");
+        }
+        if (enableRL) {
+            const addr = ctx.req.remoteAddress;
+            if (!addr) {
+                config_js_1.GlobalConfig.debugging.warn("[TezX detectBot] Missing remoteAddress. Use `getConnInfo(ctx)` to enable rate limiting.");
+            }
+            else {
+                const key = `${addr.address}:${addr.port || 0}`;
+                const { check, entry } = (0, rateLimit_js_1.isRateLimit)(key, store, maxReq, winMs);
+                if (check && addr.address) {
+                    return onBot?.(ctx, `Rate limit exceeded. Retry after ${Math.ceil((entry.resetTime - Date.now()) / 1000)} seconds.`);
+                }
+            }
+        }
+        if (await opts.customBotDetector?.(ctx)) {
+            return onBot?.(ctx, "Custom Detector");
+        }
+        return await next();
+    };
+};
+exports.detectBot = detectBot;

package/cjs/middleware/i18n.js

@@ -0,0 +1,92 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.i18n = exports.default = void 0;
+const index_js_1 = require("../index.js");
+const i18n = (options) => {
+    const { loadTranslations, defaultCacheDuration = 3600000, detectLanguage, defaultLanguage = "en", translationFunctionKey = "t", formatMessage = (msg, vars = {}) => {
+        if (vars && msg.indexOf("{{") !== -1) {
+            let out = "";
+            let i = 0;
+            while (i < msg.length) {
+                const startVar = msg.indexOf("{{", i);
+                if (startVar === -1) {
+                    out += msg.slice(i);
+                    break;
+                }
+                const endVar = msg.indexOf("}}", startVar + 2);
+                if (endVar === -1) {
+                    out += msg.slice(i);
+                    break;
+                }
+                out += msg.slice(i, startVar);
+                const keyVar = msg.slice(startVar + 2, endVar).trim();
+                out += vars[keyVar] !== undefined ? String(vars[keyVar]) : "";
+                i = endVar + 2;
+            }
+            return out;
+        }
+        return msg;
+    }, isCacheValid = (cached) => cached.expiresAt > Date.now(), cacheTranslations = false, cacheStorage: externalCache = null, } = options;
+    let localCache = null;
+    if (cacheTranslations && !externalCache)
+        localCache = new Map();
+    return async function i18n(ctx, next) {
+        try {
+            const lang = detectLanguage(ctx) ?? defaultLanguage;
+            let translations = undefined;
+            if (cacheTranslations) {
+                if (externalCache) {
+                    const cached = await externalCache.get(lang);
+                    if (cached && isCacheValid(cached, lang))
+                        translations = cached.translations;
+                }
+                else if (localCache?.get(lang)) {
+                    const cached = localCache.get(lang);
+                    if (isCacheValid(cached, lang))
+                        translations = cached.translations;
+                    else
+                        localCache.delete(lang);
+                }
+            }
+            if (!translations) {
+                translations = await loadTranslations(lang);
+                const expiresAt = Date.now() + defaultCacheDuration;
+                if (cacheTranslations) {
+                    if (externalCache) {
+                        await externalCache.set(lang, { translations, expiresAt });
+                    }
+                    else {
+                        localCache?.set(lang, { translations, expiresAt });
+                    }
+                }
+            }
+            ctx[translationFunctionKey] = function translate(key, vars) {
+                let acc = translations;
+                let start = 0;
+                for (let i = 0; i <= key.length; i++) {
+                    const c = key.charCodeAt(i);
+                    if (c === 46 || i === key.length) {
+                        const segment = key.slice(start, i);
+                        if (acc && typeof acc === "object") {
+                            acc = acc[segment];
+                        }
+                        else {
+                            acc = undefined;
+                            break;
+                        }
+                        start = i + 1;
+                    }
+                }
+                let msg = typeof acc === "string" ? acc : key;
+                return formatMessage(msg, vars);
+            };
+            ctx.language = lang;
+            return await next();
+        }
+        catch (error) {
+            throw new index_js_1.TezXError(error?.message ?? "i18n failed", 500, error?.stack);
+        }
+    };
+};
+exports.default = i18n;
+exports.i18n = i18n;

package/cjs/middleware/index.js

@@ -16,10 +16,15 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./basic-auth.js"), exports);
 __exportStar(require("./bearer-auth.js"), exports);
+__exportStar(require("./cache-control.js"), exports);
 __exportStar(require("./cors.js"), exports);
+__exportStar(require("./detect-bot.js"), exports);
+__exportStar(require("./i18n.js"), exports);
 __exportStar(require("./logger.js"), exports);
 __exportStar(require("./pagination.js"), exports);
 __exportStar(require("./powered-by.js"), exports);
+__exportStar(require("./rate-limiter.js"), exports);
 __exportStar(require("./request-id.js"), exports);
 __exportStar(require("./sanitize-headers.js"), exports);
+__exportStar(require("./secure-headers.js"), exports);
 __exportStar(require("./xss-protection.js"), exports);

package/cjs/middleware/logger.js

@@ -1,7 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.logger = logger;
 exports.default = logger;
+exports.logger = logger;
+const error_js_1 = require("../core/error.js");
 const colors_js_1 = require("../utils/colors.js");
 function logger(options = { enabled: true }) {
     return async function logger(ctx, next) {
@@ -19,7 +20,7 @@ function logger(options = { enabled: true }) {
         }
         catch (err) {
             console.error(`${(0, colors_js_1.colorText)("Error:", "red")}`, err.stack);
-            throw new Error(err.stack);
+            throw new error_js_1.TezXError(err.stack);
         }
     };
 }

package/cjs/middleware/rate-limiter.js

@@ -26,7 +26,7 @@ const rateLimiter = (options) => {
         if (check) {
             const retryAfter = Math.ceil((entry.resetTime - Date.now()) / 1000);
             ctx.headers.set("Retry-After", retryAfter.toString());
-            return onError(ctx, retryAfter, new Error(`Rate limit exceeded. Retry after ${retryAfter} seconds.`));
+            return onError(ctx, retryAfter, new error_js_1.TezXError(`Rate limit exceeded. Retry after ${retryAfter} seconds.`));
         }
         ctx.headers.set("X-RateLimit-Limit", maxRequests.toString());
         ctx.headers.set("X-RateLimit-Remaining", (maxRequests - entry.count).toString());

package/cjs/middleware/sanitize-headers.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.sanitizeHeaders = exports.default = void 0;
 const sanitizeHeaders = (options = {}) => {
-    const { whitelist = [], blacklist = [], } = options;
+    const { whitelist = [], blacklist = [] } = options;
     const normalizedWhitelist = whitelist.map((h) => h.toLowerCase());
     const normalizedBlacklist = blacklist.map((h) => h.toLowerCase());
     let lWhite = normalizedWhitelist.length;

package/cjs/middleware/secure-headers copy.js

@@ -0,0 +1,143 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secureHeaders = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const joinSrc = (v) => typeof v === "string" ? v : v.join(" ");
+const buildCSPString = (cspObj) => {
+    const parts = [];
+    for (const key in cspObj) {
+        parts.push(`${key} ${joinSrc(cspObj[key])}`);
+    }
+    return parts.join("; ");
+};
+const defaultPresets = {
+    strict: {
+        preset: "strict",
+        hsts: true,
+        hstsMaxAge: 63072000,
+        frameGuard: "DENY",
+        noSniff: true,
+        xssProtection: true,
+        referrerPolicy: "strict-origin-when-cross-origin",
+        permissionsPolicy: "geolocation=(), microphone=(), camera=(), usb=()",
+        csp: {
+            "default-src": ["'self'"],
+            "script-src": ["'self'"],
+            "style-src": ["'self'", "'unsafe-inline'"],
+            "img-src": ["'self'", "data:", "blob:"],
+            "font-src": ["'self'"],
+            "connect-src": ["'self'"],
+            "object-src": ["'none'"],
+            "frame-ancestors": ["'none'"],
+        },
+        cspReportOnly: false,
+    },
+    balanced: {
+        preset: "balanced",
+        hsts: true,
+        hstsMaxAge: 31536000,
+        frameGuard: "SAMEORIGIN",
+        noSniff: true,
+        xssProtection: true,
+        referrerPolicy: "no-referrer-when-downgrade",
+        permissionsPolicy: "geolocation=(), microphone=()",
+        csp: {
+            "default-src": ["'self'"],
+            "script-src": ["'self'", "https://cdn.jsdelivr.net"],
+            "style-src": [
+                "'self'",
+                "'unsafe-inline'",
+                "https://fonts.googleapis.com",
+            ],
+            "img-src": ["'self'", "data:", "https://images.example.com"],
+            "connect-src": ["'self'", "https://api.example.com"],
+        },
+        cspReportOnly: true,
+    },
+    dev: {
+        preset: "dev",
+        hsts: false,
+        frameGuard: "SAMEORIGIN",
+        noSniff: false,
+        xssProtection: false,
+        referrerPolicy: "no-referrer",
+        permissionsPolicy: "",
+        csp: {
+            "default-src": [
+                "'self'",
+                "'unsafe-inline'",
+                "'unsafe-eval'",
+                "http://localhost:3000",
+            ],
+            "img-src": ["'self'", "data:", "blob:"],
+        },
+        cspReportOnly: true,
+    },
+};
+const setHeader = (ctx, name, value) => {
+    if (typeof ctx.setHeader === "function")
+        ctx.setHeader(name, value);
+    else if (ctx.response?.setHeader)
+        ctx.response.setHeader(name, value);
+    else if (ctx.headersOut)
+        ctx.headersOut[name] = value;
+};
+const secureHeaders = (userOpts = {}) => {
+    const preset = userOpts.preset ?? "balanced";
+    const base = {
+        ...(defaultPresets[preset] || defaultPresets.balanced),
+        ...userOpts,
+    };
+    const hstsHeader = base.hsts
+        ? `max-age=${base.hstsMaxAge || 31536000}; includeSubDomains; preload`
+        : "";
+    const frameHeader = base.frameGuard || "SAMEORIGIN";
+    const noSniffHeader = base.noSniff ? "nosniff" : "";
+    const xssHeader = base.xssProtection ? "1; mode=block" : "0";
+    const referrerHeader = base.referrerPolicy || "no-referrer";
+    const permissionsHeader = base.permissionsPolicy || "";
+    let cspStatic = null;
+    let cspNeedsNonce = !!base.cspUseNonce;
+    if (typeof base.csp === "string")
+        cspStatic = base.csp;
+    else if (base.csp && typeof base.csp === "object")
+        cspStatic = buildCSPString(base.csp);
+    if (base.ultraFastMode)
+        cspNeedsNonce = false;
+    const cspReportOnly = !!base.cspReportOnly;
+    return async (ctx, next) => {
+        try {
+            if (base.hsts)
+                setHeader(ctx, "Strict-Transport-Security", hstsHeader);
+            setHeader(ctx, "X-Frame-Options", frameHeader);
+            setHeader(ctx, "X-Content-Type-Options", noSniffHeader);
+            setHeader(ctx, "X-XSS-Protection", xssHeader);
+            setHeader(ctx, "Referrer-Policy", referrerHeader);
+            if (permissionsHeader)
+                setHeader(ctx, "Permissions-Policy", permissionsHeader);
+            if (cspNeedsNonce) {
+                const nonce = crypto_1.default.randomBytes(12).toString("base64");
+                let cspHeader = cspStatic || `default-src 'self'; script-src 'self' 'nonce-${nonce}'`;
+                if (cspReportOnly)
+                    setHeader(ctx, "Content-Security-Policy-Report-Only", cspHeader);
+                else
+                    setHeader(ctx, "Content-Security-Policy", cspHeader);
+                ctx.cspNonce = nonce;
+            }
+            else if (cspStatic) {
+                if (cspReportOnly)
+                    setHeader(ctx, "Content-Security-Policy-Report-Only", cspStatic);
+                else
+                    setHeader(ctx, "Content-Security-Policy", cspStatic);
+            }
+            return await next();
+        }
+        catch {
+            return await next();
+        }
+    };
+};
+exports.secureHeaders = secureHeaders;