veryfront 0.1.749 → 0.1.751
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/esm/deno.js +1 -1
- package/esm/src/config/schemas/config.schema.d.ts +2 -2
- package/esm/src/config/schemas/config.schema.js +1 -1
- package/esm/src/modules/react-loader/ssr-module-loader/ssr-cache-manager.d.ts.map +1 -1
- package/esm/src/modules/react-loader/ssr-module-loader/ssr-cache-manager.js +10 -7
- package/esm/src/security/csrf/helpers.d.ts.map +1 -1
- package/esm/src/security/csrf/helpers.js +7 -5
- package/esm/src/security/http/csrf/csrf-handler.d.ts +2 -2
- package/esm/src/security/http/csrf/csrf-handler.js +2 -2
- package/esm/src/utils/version-constant.d.ts +1 -1
- package/esm/src/utils/version-constant.js +1 -1
- package/package.json +1 -1
package/esm/deno.js
CHANGED
|
@@ -110,7 +110,7 @@ export declare const getVeryfrontConfigSchema: () => import("../../internal-agen
|
|
|
110
110
|
* Set `true` for defaults, or pass an object to customize.
|
|
111
111
|
*
|
|
112
112
|
* When enabled, POST/PUT/PATCH/DELETE requests must include
|
|
113
|
-
* an `x-csrf-token` header matching the `vf_csrf` cookie.
|
|
113
|
+
* an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
|
|
114
114
|
* The cookie is set automatically on HTML document responses.
|
|
115
115
|
*
|
|
116
116
|
* Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
|
|
@@ -508,7 +508,7 @@ export declare const veryfrontConfigSchema: import("../../internal-agents/schema
|
|
|
508
508
|
* Set `true` for defaults, or pass an object to customize.
|
|
509
509
|
*
|
|
510
510
|
* When enabled, POST/PUT/PATCH/DELETE requests must include
|
|
511
|
-
* an `x-csrf-token` header matching the `vf_csrf` cookie.
|
|
511
|
+
* an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
|
|
512
512
|
* The cookie is set automatically on HTML document responses.
|
|
513
513
|
*
|
|
514
514
|
* Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
|
|
@@ -161,7 +161,7 @@ export const getVeryfrontConfigSchema = defineSchema((v) => v
|
|
|
161
161
|
* Set `true` for defaults, or pass an object to customize.
|
|
162
162
|
*
|
|
163
163
|
* When enabled, POST/PUT/PATCH/DELETE requests must include
|
|
164
|
-
* an `x-csrf-token` header matching the `vf_csrf` cookie.
|
|
164
|
+
* an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
|
|
165
165
|
* The cookie is set automatically on HTML document responses.
|
|
166
166
|
*
|
|
167
167
|
* Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ssr-cache-manager.d.ts","sourceRoot":"","sources":["../../../../../src/src/modules/react-loader/ssr-module-loader/ssr-cache-manager.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAYlE,OAAO,KAAK,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAW3E;;;;;;;GAOG;AACH,qBAAa,eAAe;IAId,OAAO,CAAC,OAAO;IAH3B,OAAO,CAAC,EAAE,CAAsB;IAChC,OAAO,CAAC,gBAAgB,CAAqB;gBAEzB,OAAO,EAAE,sBAAsB;IAEnD,4DAA4D;IAC5D,aAAa,IAAI,MAAM;IAUvB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;IAkB/B,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBlD,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK1E,yBAAyB,IAAI,OAAO;IAoB9B,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,GAAG,aAAa,EACtC,OAAO,EAAE;QAAE,eAAe,EAAE,OAAO,CAAC;QAAC,qBAAqB,EAAE,OAAO,CAAA;KAAE,GACpE,OAAO,CAAC,OAAO,CAAC;IAgCb,wBAAwB,CAC5B,WAAW,EAAE,gBAAgB,EAC7B,eAAe,EAAE,MAAM,EACvB,gBAAgB,EAAE,MAAM,EACxB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC;IAuBnB,4BAA4B,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,gBAAgB,GAAG,IAAI;IAOnF,oCAAoC,CAClC,eAAe,EAAE,MAAM,EACvB,gBAAgB,EAAE,MAAM,EACxB,UAAU,CAAC,EAAE,gBAAgB,GAC5B,IAAI;IAQP,wDAAwD;IACxD,KAAK,IAAI,UAAU,CAAC,OAAO,gBAAgB,CAAC;IAI5C,OAAO,CAAC,4BAA4B;YAItB,qBAAqB;YAsBrB,oBAAoB;
|
|
1
|
+
{"version":3,"file":"ssr-cache-manager.d.ts","sourceRoot":"","sources":["../../../../../src/src/modules/react-loader/ssr-module-loader/ssr-cache-manager.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAYlE,OAAO,KAAK,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAW3E;;;;;;;GAOG;AACH,qBAAa,eAAe;IAId,OAAO,CAAC,OAAO;IAH3B,OAAO,CAAC,EAAE,CAAsB;IAChC,OAAO,CAAC,gBAAgB,CAAqB;gBAEzB,OAAO,EAAE,sBAAsB;IAEnD,4DAA4D;IAC5D,aAAa,IAAI,MAAM;IAUvB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;IAkB/B,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBlD,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK1E,yBAAyB,IAAI,OAAO;IAoB9B,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,GAAG,aAAa,EACtC,OAAO,EAAE;QAAE,eAAe,EAAE,OAAO,CAAC;QAAC,qBAAqB,EAAE,OAAO,CAAA;KAAE,GACpE,OAAO,CAAC,OAAO,CAAC;IAgCb,wBAAwB,CAC5B,WAAW,EAAE,gBAAgB,EAC7B,eAAe,EAAE,MAAM,EACvB,gBAAgB,EAAE,MAAM,EACxB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC;IAuBnB,4BAA4B,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,gBAAgB,GAAG,IAAI;IAOnF,oCAAoC,CAClC,eAAe,EAAE,MAAM,EACvB,gBAAgB,EAAE,MAAM,EACxB,UAAU,CAAC,EAAE,gBAAgB,GAC5B,IAAI;IAQP,wDAAwD;IACxD,KAAK,IAAI,UAAU,CAAC,OAAO,gBAAgB,CAAC;IAI5C,OAAO,CAAC,4BAA4B;YAItB,qBAAqB;YAsBrB,oBAAoB;YAuDpB,YAAY;CA2B3B"}
|
|
@@ -178,12 +178,13 @@ export class SSRCacheManager {
|
|
|
178
178
|
}
|
|
179
179
|
async hasMissingLocalPaths(code, filePath) {
|
|
180
180
|
const allPaths = await extractAllFilePathsRecursive(code);
|
|
181
|
-
let
|
|
182
|
-
for (
|
|
181
|
+
let firstMissingPathIndex = -1;
|
|
182
|
+
for (let index = 0; index < allPaths.length; index++) {
|
|
183
|
+
const path = allPaths[index];
|
|
183
184
|
try {
|
|
184
185
|
const stat = await this.fs.stat(path);
|
|
185
186
|
if (!stat.isFile) {
|
|
186
|
-
|
|
187
|
+
firstMissingPathIndex = index;
|
|
187
188
|
break;
|
|
188
189
|
}
|
|
189
190
|
}
|
|
@@ -193,12 +194,13 @@ export class SSRCacheManager {
|
|
|
193
194
|
missingPath: path.slice(-60),
|
|
194
195
|
error,
|
|
195
196
|
});
|
|
196
|
-
|
|
197
|
+
firstMissingPathIndex = index;
|
|
197
198
|
break;
|
|
198
199
|
}
|
|
199
200
|
}
|
|
200
|
-
if (
|
|
201
|
-
|
|
201
|
+
if (firstMissingPathIndex === -1)
|
|
202
|
+
return false;
|
|
203
|
+
if (this.options.projectId &&
|
|
202
204
|
this.options.contentSourceId) {
|
|
203
205
|
const recovered = await ensureMdxModuleDependencies(code, {
|
|
204
206
|
projectId: this.options.projectId,
|
|
@@ -212,7 +214,8 @@ export class SSRCacheManager {
|
|
|
212
214
|
});
|
|
213
215
|
}
|
|
214
216
|
}
|
|
215
|
-
for (
|
|
217
|
+
for (let index = firstMissingPathIndex; index < allPaths.length; index++) {
|
|
218
|
+
const path = allPaths[index];
|
|
216
219
|
try {
|
|
217
220
|
const stat = await this.fs.stat(path);
|
|
218
221
|
if (!stat.isFile)
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/src/security/csrf/helpers.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/src/security/csrf/helpers.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,UAAU;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yGAAyG;IACzG,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,mFAAmF;IACnF,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wEAAwE;AACxE,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG;IAC7D,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB,CAeA;AAmBD,yDAAyD;AACzD,wBAAgB,YAAY,CAC1B,GAAG,EAAE,OAAO,EACZ,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACrD,OAAO,CAiBT;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,OAAO,EACZ,eAAe,EAAE,OAAO,EACxB,UAAU,CAAC,EAAE,OAAO,GAAG,UAAU,GAChC,IAAI,CA0CN"}
|
|
@@ -11,12 +11,13 @@ import { base64urlEncodeBytes } from "../../utils/base64url.js";
|
|
|
11
11
|
import { parseCookiesFromHeaders } from "../../utils/cookie-utils.js";
|
|
12
12
|
/** Default CSRF token TTL: 24 hours (longer than session action TTL to avoid stale-form 403s). */
|
|
13
13
|
const CSRF_DEFAULT_TTL_SEC = 86_400;
|
|
14
|
+
const DEFAULT_CSRF_COOKIE_NAME = "__Host-vf_csrf";
|
|
14
15
|
/** Generate a CSRF token and return value + Set-Cookie header string */
|
|
15
16
|
export function generateCsrfToken(options) {
|
|
16
|
-
const cookieName = options?.cookieName ??
|
|
17
|
+
const cookieName = options?.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
|
|
17
18
|
const maxAge = options?.ttlSec ?? CSRF_DEFAULT_TTL_SEC;
|
|
18
19
|
const httpOnly = options?.httpOnly ?? true;
|
|
19
|
-
const secure = options?.secure ?? true;
|
|
20
|
+
const secure = cookieName.startsWith("__Host-") ? true : options?.secure ?? true;
|
|
20
21
|
const bytes = new Uint8Array(32);
|
|
21
22
|
dntShim.crypto.getRandomValues(bytes);
|
|
22
23
|
const token = base64urlEncodeBytes(bytes);
|
|
@@ -44,7 +45,7 @@ function timingSafeEqual(a, b) {
|
|
|
44
45
|
}
|
|
45
46
|
/** Validate CSRF token by comparing header and cookie */
|
|
46
47
|
export function validateCsrf(req, options) {
|
|
47
|
-
const cookieName = options?.cookieName ??
|
|
48
|
+
const cookieName = options?.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
|
|
48
49
|
const headerName = options?.headerName ?? "x-csrf-token";
|
|
49
50
|
let cookieToken;
|
|
50
51
|
try {
|
|
@@ -83,7 +84,7 @@ export function applyCsrfCookie(req, responseHeaders, csrfConfig) {
|
|
|
83
84
|
return;
|
|
84
85
|
}
|
|
85
86
|
const config = typeof csrfConfig === "boolean" ? {} : csrfConfig;
|
|
86
|
-
const cookieName = config.cookieName ??
|
|
87
|
+
const cookieName = config.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
|
|
87
88
|
// Skip if cookie already present in request
|
|
88
89
|
let cookies;
|
|
89
90
|
try {
|
|
@@ -96,7 +97,8 @@ export function applyCsrfCookie(req, responseHeaders, csrfConfig) {
|
|
|
96
97
|
if (cookies[cookieName])
|
|
97
98
|
return;
|
|
98
99
|
// Detect HTTPS from request URL or forwarded proto
|
|
99
|
-
const isSecure =
|
|
100
|
+
const isSecure = cookieName.startsWith("__Host-") ||
|
|
101
|
+
req.url.startsWith("https://") ||
|
|
100
102
|
req.headers.get("x-forwarded-proto") === "https";
|
|
101
103
|
const { setCookie } = generateCsrfToken({
|
|
102
104
|
cookieName,
|
|
@@ -10,7 +10,7 @@
|
|
|
10
10
|
* are **not** exempt and require a valid CSRF token. Client-side code that calls
|
|
11
11
|
* Server Actions must:
|
|
12
12
|
*
|
|
13
|
-
* 1. Read the `vf_csrf` cookie (set automatically on HTML responses)
|
|
13
|
+
* 1. Read the `__Host-vf_csrf` cookie (set automatically on HTML responses)
|
|
14
14
|
* 2. Include it as the `x-csrf-token` request header on every POST
|
|
15
15
|
*
|
|
16
16
|
* Example (client-side fetch wrapper):
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
*
|
|
22
22
|
* const res = await fetch("/_veryfront/rsc/action", {
|
|
23
23
|
* method: "POST",
|
|
24
|
-
* headers: { "x-csrf-token": getCookie("vf_csrf") ?? "" },
|
|
24
|
+
* headers: { "x-csrf-token": getCookie("__Host-vf_csrf") ?? "" },
|
|
25
25
|
* body: actionPayload,
|
|
26
26
|
* });
|
|
27
27
|
* ```
|
|
@@ -10,7 +10,7 @@
|
|
|
10
10
|
* are **not** exempt and require a valid CSRF token. Client-side code that calls
|
|
11
11
|
* Server Actions must:
|
|
12
12
|
*
|
|
13
|
-
* 1. Read the `vf_csrf` cookie (set automatically on HTML responses)
|
|
13
|
+
* 1. Read the `__Host-vf_csrf` cookie (set automatically on HTML responses)
|
|
14
14
|
* 2. Include it as the `x-csrf-token` request header on every POST
|
|
15
15
|
*
|
|
16
16
|
* Example (client-side fetch wrapper):
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
*
|
|
22
22
|
* const res = await fetch("/_veryfront/rsc/action", {
|
|
23
23
|
* method: "POST",
|
|
24
|
-
* headers: { "x-csrf-token": getCookie("vf_csrf") ?? "" },
|
|
24
|
+
* headers: { "x-csrf-token": getCookie("__Host-vf_csrf") ?? "" },
|
|
25
25
|
* body: actionPayload,
|
|
26
26
|
* });
|
|
27
27
|
* ```
|