veryfront 0.1.749 → 0.1.750

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/esm/deno.js CHANGED
@@ -1,6 +1,6 @@
1
1
  export default {
2
2
  "name": "veryfront",
3
- "version": "0.1.749",
3
+ "version": "0.1.750",
4
4
  "license": "Apache-2.0",
5
5
  "nodeModulesDir": "auto",
6
6
  "minimumDependencyAge": "P2D",
@@ -110,7 +110,7 @@ export declare const getVeryfrontConfigSchema: () => import("../../internal-agen
110
110
  * Set `true` for defaults, or pass an object to customize.
111
111
  *
112
112
  * When enabled, POST/PUT/PATCH/DELETE requests must include
113
- * an `x-csrf-token` header matching the `vf_csrf` cookie.
113
+ * an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
114
114
  * The cookie is set automatically on HTML document responses.
115
115
  *
116
116
  * Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
@@ -508,7 +508,7 @@ export declare const veryfrontConfigSchema: import("../../internal-agents/schema
508
508
  * Set `true` for defaults, or pass an object to customize.
509
509
  *
510
510
  * When enabled, POST/PUT/PATCH/DELETE requests must include
511
- * an `x-csrf-token` header matching the `vf_csrf` cookie.
511
+ * an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
512
512
  * The cookie is set automatically on HTML document responses.
513
513
  *
514
514
  * Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
@@ -161,7 +161,7 @@ export const getVeryfrontConfigSchema = defineSchema((v) => v
161
161
  * Set `true` for defaults, or pass an object to customize.
162
162
  *
163
163
  * When enabled, POST/PUT/PATCH/DELETE requests must include
164
- * an `x-csrf-token` header matching the `vf_csrf` cookie.
164
+ * an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
165
165
  * The cookie is set automatically on HTML document responses.
166
166
  *
167
167
  * Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
@@ -1 +1 @@
1
- {"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/src/security/csrf/helpers.ts"],"names":[],"mappings":"AAiBA,MAAM,WAAW,UAAU;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yGAAyG;IACzG,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,mFAAmF;IACnF,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wEAAwE;AACxE,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG;IAC7D,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB,CAeA;AAmBD,yDAAyD;AACzD,wBAAgB,YAAY,CAC1B,GAAG,EAAE,OAAO,EACZ,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACrD,OAAO,CAiBT;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,OAAO,EACZ,eAAe,EAAE,OAAO,EACxB,UAAU,CAAC,EAAE,OAAO,GAAG,UAAU,GAChC,IAAI,CAyCN"}
1
+ {"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/src/security/csrf/helpers.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,UAAU;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yGAAyG;IACzG,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,mFAAmF;IACnF,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wEAAwE;AACxE,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG;IAC7D,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB,CAeA;AAmBD,yDAAyD;AACzD,wBAAgB,YAAY,CAC1B,GAAG,EAAE,OAAO,EACZ,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACrD,OAAO,CAiBT;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,OAAO,EACZ,eAAe,EAAE,OAAO,EACxB,UAAU,CAAC,EAAE,OAAO,GAAG,UAAU,GAChC,IAAI,CA0CN"}
@@ -11,12 +11,13 @@ import { base64urlEncodeBytes } from "../../utils/base64url.js";
11
11
  import { parseCookiesFromHeaders } from "../../utils/cookie-utils.js";
12
12
  /** Default CSRF token TTL: 24 hours (longer than session action TTL to avoid stale-form 403s). */
13
13
  const CSRF_DEFAULT_TTL_SEC = 86_400;
14
+ const DEFAULT_CSRF_COOKIE_NAME = "__Host-vf_csrf";
14
15
  /** Generate a CSRF token and return value + Set-Cookie header string */
15
16
  export function generateCsrfToken(options) {
16
- const cookieName = options?.cookieName ?? "vf_csrf";
17
+ const cookieName = options?.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
17
18
  const maxAge = options?.ttlSec ?? CSRF_DEFAULT_TTL_SEC;
18
19
  const httpOnly = options?.httpOnly ?? true;
19
- const secure = options?.secure ?? true;
20
+ const secure = cookieName.startsWith("__Host-") ? true : options?.secure ?? true;
20
21
  const bytes = new Uint8Array(32);
21
22
  dntShim.crypto.getRandomValues(bytes);
22
23
  const token = base64urlEncodeBytes(bytes);
@@ -44,7 +45,7 @@ function timingSafeEqual(a, b) {
44
45
  }
45
46
  /** Validate CSRF token by comparing header and cookie */
46
47
  export function validateCsrf(req, options) {
47
- const cookieName = options?.cookieName ?? "vf_csrf";
48
+ const cookieName = options?.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
48
49
  const headerName = options?.headerName ?? "x-csrf-token";
49
50
  let cookieToken;
50
51
  try {
@@ -83,7 +84,7 @@ export function applyCsrfCookie(req, responseHeaders, csrfConfig) {
83
84
  return;
84
85
  }
85
86
  const config = typeof csrfConfig === "boolean" ? {} : csrfConfig;
86
- const cookieName = config.cookieName ?? "vf_csrf";
87
+ const cookieName = config.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
87
88
  // Skip if cookie already present in request
88
89
  let cookies;
89
90
  try {
@@ -96,7 +97,8 @@ export function applyCsrfCookie(req, responseHeaders, csrfConfig) {
96
97
  if (cookies[cookieName])
97
98
  return;
98
99
  // Detect HTTPS from request URL or forwarded proto
99
- const isSecure = req.url.startsWith("https://") ||
100
+ const isSecure = cookieName.startsWith("__Host-") ||
101
+ req.url.startsWith("https://") ||
100
102
  req.headers.get("x-forwarded-proto") === "https";
101
103
  const { setCookie } = generateCsrfToken({
102
104
  cookieName,
@@ -10,7 +10,7 @@
10
10
  * are **not** exempt and require a valid CSRF token. Client-side code that calls
11
11
  * Server Actions must:
12
12
  *
13
- * 1. Read the `vf_csrf` cookie (set automatically on HTML responses)
13
+ * 1. Read the `__Host-vf_csrf` cookie (set automatically on HTML responses)
14
14
  * 2. Include it as the `x-csrf-token` request header on every POST
15
15
  *
16
16
  * Example (client-side fetch wrapper):
@@ -21,7 +21,7 @@
21
21
  *
22
22
  * const res = await fetch("/_veryfront/rsc/action", {
23
23
  * method: "POST",
24
- * headers: { "x-csrf-token": getCookie("vf_csrf") ?? "" },
24
+ * headers: { "x-csrf-token": getCookie("__Host-vf_csrf") ?? "" },
25
25
  * body: actionPayload,
26
26
  * });
27
27
  * ```
@@ -10,7 +10,7 @@
10
10
  * are **not** exempt and require a valid CSRF token. Client-side code that calls
11
11
  * Server Actions must:
12
12
  *
13
- * 1. Read the `vf_csrf` cookie (set automatically on HTML responses)
13
+ * 1. Read the `__Host-vf_csrf` cookie (set automatically on HTML responses)
14
14
  * 2. Include it as the `x-csrf-token` request header on every POST
15
15
  *
16
16
  * Example (client-side fetch wrapper):
@@ -21,7 +21,7 @@
21
21
  *
22
22
  * const res = await fetch("/_veryfront/rsc/action", {
23
23
  * method: "POST",
24
- * headers: { "x-csrf-token": getCookie("vf_csrf") ?? "" },
24
+ * headers: { "x-csrf-token": getCookie("__Host-vf_csrf") ?? "" },
25
25
  * body: actionPayload,
26
26
  * });
27
27
  * ```
@@ -1,3 +1,3 @@
1
1
  /** Shared version value. */
2
- export declare const VERSION = "0.1.749";
2
+ export declare const VERSION = "0.1.750";
3
3
  //# sourceMappingURL=version-constant.d.ts.map
@@ -1,4 +1,4 @@
1
1
  // Keep in sync with deno.json version.
2
2
  // scripts/release.ts updates this constant during releases.
3
3
  /** Shared version value. */
4
- export const VERSION = "0.1.749";
4
+ export const VERSION = "0.1.750";
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "veryfront",
3
- "version": "0.1.749",
3
+ "version": "0.1.750",
4
4
  "description": "The simplest way to build AI-powered apps",
5
5
  "keywords": [
6
6
  "react",