veryfront 0.1.749 → 0.1.750
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/esm/deno.js +1 -1
- package/esm/src/config/schemas/config.schema.d.ts +2 -2
- package/esm/src/config/schemas/config.schema.js +1 -1
- package/esm/src/security/csrf/helpers.d.ts.map +1 -1
- package/esm/src/security/csrf/helpers.js +7 -5
- package/esm/src/security/http/csrf/csrf-handler.d.ts +2 -2
- package/esm/src/security/http/csrf/csrf-handler.js +2 -2
- package/esm/src/utils/version-constant.d.ts +1 -1
- package/esm/src/utils/version-constant.js +1 -1
- package/package.json +1 -1
package/esm/deno.js
CHANGED
|
@@ -110,7 +110,7 @@ export declare const getVeryfrontConfigSchema: () => import("../../internal-agen
|
|
|
110
110
|
* Set `true` for defaults, or pass an object to customize.
|
|
111
111
|
*
|
|
112
112
|
* When enabled, POST/PUT/PATCH/DELETE requests must include
|
|
113
|
-
* an `x-csrf-token` header matching the `vf_csrf` cookie.
|
|
113
|
+
* an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
|
|
114
114
|
* The cookie is set automatically on HTML document responses.
|
|
115
115
|
*
|
|
116
116
|
* Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
|
|
@@ -508,7 +508,7 @@ export declare const veryfrontConfigSchema: import("../../internal-agents/schema
|
|
|
508
508
|
* Set `true` for defaults, or pass an object to customize.
|
|
509
509
|
*
|
|
510
510
|
* When enabled, POST/PUT/PATCH/DELETE requests must include
|
|
511
|
-
* an `x-csrf-token` header matching the `vf_csrf` cookie.
|
|
511
|
+
* an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
|
|
512
512
|
* The cookie is set automatically on HTML document responses.
|
|
513
513
|
*
|
|
514
514
|
* Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
|
|
@@ -161,7 +161,7 @@ export const getVeryfrontConfigSchema = defineSchema((v) => v
|
|
|
161
161
|
* Set `true` for defaults, or pass an object to customize.
|
|
162
162
|
*
|
|
163
163
|
* When enabled, POST/PUT/PATCH/DELETE requests must include
|
|
164
|
-
* an `x-csrf-token` header matching the `vf_csrf` cookie.
|
|
164
|
+
* an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
|
|
165
165
|
* The cookie is set automatically on HTML document responses.
|
|
166
166
|
*
|
|
167
167
|
* Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/src/security/csrf/helpers.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/src/security/csrf/helpers.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,UAAU;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yGAAyG;IACzG,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,mFAAmF;IACnF,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wEAAwE;AACxE,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG;IAC7D,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB,CAeA;AAmBD,yDAAyD;AACzD,wBAAgB,YAAY,CAC1B,GAAG,EAAE,OAAO,EACZ,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACrD,OAAO,CAiBT;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,OAAO,EACZ,eAAe,EAAE,OAAO,EACxB,UAAU,CAAC,EAAE,OAAO,GAAG,UAAU,GAChC,IAAI,CA0CN"}
|
|
@@ -11,12 +11,13 @@ import { base64urlEncodeBytes } from "../../utils/base64url.js";
|
|
|
11
11
|
import { parseCookiesFromHeaders } from "../../utils/cookie-utils.js";
|
|
12
12
|
/** Default CSRF token TTL: 24 hours (longer than session action TTL to avoid stale-form 403s). */
|
|
13
13
|
const CSRF_DEFAULT_TTL_SEC = 86_400;
|
|
14
|
+
const DEFAULT_CSRF_COOKIE_NAME = "__Host-vf_csrf";
|
|
14
15
|
/** Generate a CSRF token and return value + Set-Cookie header string */
|
|
15
16
|
export function generateCsrfToken(options) {
|
|
16
|
-
const cookieName = options?.cookieName ??
|
|
17
|
+
const cookieName = options?.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
|
|
17
18
|
const maxAge = options?.ttlSec ?? CSRF_DEFAULT_TTL_SEC;
|
|
18
19
|
const httpOnly = options?.httpOnly ?? true;
|
|
19
|
-
const secure = options?.secure ?? true;
|
|
20
|
+
const secure = cookieName.startsWith("__Host-") ? true : options?.secure ?? true;
|
|
20
21
|
const bytes = new Uint8Array(32);
|
|
21
22
|
dntShim.crypto.getRandomValues(bytes);
|
|
22
23
|
const token = base64urlEncodeBytes(bytes);
|
|
@@ -44,7 +45,7 @@ function timingSafeEqual(a, b) {
|
|
|
44
45
|
}
|
|
45
46
|
/** Validate CSRF token by comparing header and cookie */
|
|
46
47
|
export function validateCsrf(req, options) {
|
|
47
|
-
const cookieName = options?.cookieName ??
|
|
48
|
+
const cookieName = options?.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
|
|
48
49
|
const headerName = options?.headerName ?? "x-csrf-token";
|
|
49
50
|
let cookieToken;
|
|
50
51
|
try {
|
|
@@ -83,7 +84,7 @@ export function applyCsrfCookie(req, responseHeaders, csrfConfig) {
|
|
|
83
84
|
return;
|
|
84
85
|
}
|
|
85
86
|
const config = typeof csrfConfig === "boolean" ? {} : csrfConfig;
|
|
86
|
-
const cookieName = config.cookieName ??
|
|
87
|
+
const cookieName = config.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
|
|
87
88
|
// Skip if cookie already present in request
|
|
88
89
|
let cookies;
|
|
89
90
|
try {
|
|
@@ -96,7 +97,8 @@ export function applyCsrfCookie(req, responseHeaders, csrfConfig) {
|
|
|
96
97
|
if (cookies[cookieName])
|
|
97
98
|
return;
|
|
98
99
|
// Detect HTTPS from request URL or forwarded proto
|
|
99
|
-
const isSecure =
|
|
100
|
+
const isSecure = cookieName.startsWith("__Host-") ||
|
|
101
|
+
req.url.startsWith("https://") ||
|
|
100
102
|
req.headers.get("x-forwarded-proto") === "https";
|
|
101
103
|
const { setCookie } = generateCsrfToken({
|
|
102
104
|
cookieName,
|
|
@@ -10,7 +10,7 @@
|
|
|
10
10
|
* are **not** exempt and require a valid CSRF token. Client-side code that calls
|
|
11
11
|
* Server Actions must:
|
|
12
12
|
*
|
|
13
|
-
* 1. Read the `vf_csrf` cookie (set automatically on HTML responses)
|
|
13
|
+
* 1. Read the `__Host-vf_csrf` cookie (set automatically on HTML responses)
|
|
14
14
|
* 2. Include it as the `x-csrf-token` request header on every POST
|
|
15
15
|
*
|
|
16
16
|
* Example (client-side fetch wrapper):
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
*
|
|
22
22
|
* const res = await fetch("/_veryfront/rsc/action", {
|
|
23
23
|
* method: "POST",
|
|
24
|
-
* headers: { "x-csrf-token": getCookie("vf_csrf") ?? "" },
|
|
24
|
+
* headers: { "x-csrf-token": getCookie("__Host-vf_csrf") ?? "" },
|
|
25
25
|
* body: actionPayload,
|
|
26
26
|
* });
|
|
27
27
|
* ```
|
|
@@ -10,7 +10,7 @@
|
|
|
10
10
|
* are **not** exempt and require a valid CSRF token. Client-side code that calls
|
|
11
11
|
* Server Actions must:
|
|
12
12
|
*
|
|
13
|
-
* 1. Read the `vf_csrf` cookie (set automatically on HTML responses)
|
|
13
|
+
* 1. Read the `__Host-vf_csrf` cookie (set automatically on HTML responses)
|
|
14
14
|
* 2. Include it as the `x-csrf-token` request header on every POST
|
|
15
15
|
*
|
|
16
16
|
* Example (client-side fetch wrapper):
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
*
|
|
22
22
|
* const res = await fetch("/_veryfront/rsc/action", {
|
|
23
23
|
* method: "POST",
|
|
24
|
-
* headers: { "x-csrf-token": getCookie("vf_csrf") ?? "" },
|
|
24
|
+
* headers: { "x-csrf-token": getCookie("__Host-vf_csrf") ?? "" },
|
|
25
25
|
* body: actionPayload,
|
|
26
26
|
* });
|
|
27
27
|
* ```
|