xypriss 3.1.0 → 3.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/src/middleware/XyPrissMiddlewareAPI.js +3 -2
- package/dist/cjs/src/middleware/XyPrissMiddlewareAPI.js.map +1 -1
- package/dist/cjs/src/middleware/built-in/BuiltInMiddleware.js +16 -23
- package/dist/cjs/src/middleware/built-in/BuiltInMiddleware.js.map +1 -1
- package/dist/cjs/src/middleware/built-in/security/MobileOnlyProtector.js +504 -0
- package/dist/cjs/src/middleware/built-in/security/MobileOnlyProtector.js.map +1 -0
- package/dist/cjs/src/middleware/built-in/security/RequestSignatureProtector.js +20 -4
- package/dist/cjs/src/middleware/built-in/security/RequestSignatureProtector.js.map +1 -1
- package/dist/cjs/src/middleware/security-middleware.js +114 -19
- package/dist/cjs/src/middleware/security-middleware.js.map +1 -1
- package/dist/cjs/src/server/const/default.js +43 -5
- package/dist/cjs/src/server/const/default.js.map +1 -1
- package/dist/esm/src/middleware/XyPrissMiddlewareAPI.js +3 -2
- package/dist/esm/src/middleware/XyPrissMiddlewareAPI.js.map +1 -1
- package/dist/esm/src/middleware/built-in/BuiltInMiddleware.js +16 -23
- package/dist/esm/src/middleware/built-in/BuiltInMiddleware.js.map +1 -1
- package/dist/esm/src/middleware/built-in/security/MobileOnlyProtector.js +502 -0
- package/dist/esm/src/middleware/built-in/security/MobileOnlyProtector.js.map +1 -0
- package/dist/esm/src/middleware/built-in/security/RequestSignatureProtector.js +20 -4
- package/dist/esm/src/middleware/built-in/security/RequestSignatureProtector.js.map +1 -1
- package/dist/esm/src/middleware/security-middleware.js +114 -19
- package/dist/esm/src/middleware/security-middleware.js.map +1 -1
- package/dist/esm/src/server/const/default.js +43 -5
- package/dist/esm/src/server/const/default.js.map +1 -1
- package/dist/index.d.ts +174 -4
- package/package.json +1 -1
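--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1664,6 +1664,51 @@ interface CacheStrategy {
 tags?: string[];
 }
 
+/**
+* Mobile-Only Access Protector
+* Blocks browser requests and allows only mobile app access.
+* Multi-layered detection with strict validation to avoid false positives.
+*
+* @example Enable with defaults:
+* ```typescript
+* mobileOnly: true
+* ```
+*
+* @example Custom configuration:
+* ```typescript
+* mobileOnly: {
+* blockBrowserIndicators: true,
+* allowedPlatforms: ['ios', 'android'],
+* requireMobileHeaders: true,
+* customUserAgentPatterns: [/MyApp/i],
+* errorMessage: "Mobile app access required"
+* }
+* ```
+*/
+
+interface MobileOnlyConfig {
+/** Enable/disable mobile-only protection */
+enable?: boolean;
+/** Block requests with browser indicators */
+blockBrowserIndicators?: boolean;
+/** Allowed mobile platforms */
+allowedPlatforms?: ("ios" | "android" | "react-native" | "expo" | "flutter")[];
+/** Require mobile-specific headers */
+requireMobileHeaders?: boolean;
+/** Custom User-Agent patterns to allow */
+customUserAgentPatterns?: RegExp[];
+/** Debug logging */
+debug?: boolean;
+/** Custom error message */
+errorMessage?: string;
+/** HTTP status code for blocked requests */
+statusCode?: number;
+/** Case-sensitive User-Agent matching */
+caseSensitive?: boolean;
+/** Trim whitespace from User-Agent */
+trimUserAgent?: boolean;
+}
+
 /**
 * Browser-Only Protection Configuration
 *
@@ -1841,6 +1886,22 @@ interface RequestSignatureConfig {
 caseSensitive?: boolean;
 /** Trim whitespace from header value */
 trimValue?: boolean;
+/** Maximum allowed header length to prevent DoS (default: 512) */
+maxHeaderLength?: number;
+/** Rate limiting: max failed attempts before temporary block (default: 5) */
+maxFailedAttempts?: number;
+/** Rate limiting: block duration in milliseconds (default: 15 minutes) */
+blockDuration?: number;
+/** Disable rate limiting entirely (default: false) */
+disableRateLimiting?: boolean;
+/** Scale factor for rate limiting thresholds (default: 1.0) */
+rateLimitScaleFactor?: number;
+/** Minimum secret length requirement (default: 32) */
+minSecretLength?: number;
+/** Enable timing attack protection (default: true) */
+timingSafeComparison?: boolean;
+/** Reject requests with suspicious patterns (default: true) */
+rejectSuspiciousPatterns?: boolean;
 }
 /**
 * Helmet Security Headers Configuration
@@ -2752,6 +2813,67 @@ interface SecurityConfig {
 * ```
 */
 terminalOnly?: boolean | TerminalOnlyConfig;
+/**
+* Mobile-Only Protection Configuration
+*
+* Blocks browser requests while allowing mobile app access.
+* Perfect for APIs that should only be accessed through mobile applications.
+*
+* @example Enable with defaults:
+* ```typescript
+* mobileOnly: true
+* ```
+*
+* @example Custom configuration:
+* ```typescript
+* mobileOnly: {
+* blockBrowserIndicators: true,
+* allowedPlatforms: ['ios', 'android'],
+* requireMobileHeaders: true,
+* customUserAgentPatterns: [/MyApp/i],
+* errorMessage: "Mobile app access required"
+* }
+* ```
+*/
+mobileOnly?: boolean | MobileOnlyConfig;
+/**
+* Device Access Control Configuration
+*
+* Comprehensive device-based access control allowing multiple device types.
+* Enables fine-grained control over which devices can access your API.
+*
+* @example Allow only mobile apps:
+* ```typescript
+* deviceAccess: {
+* mobileOnly: true
+* }
+* ```
+*
+* @example Allow mobile apps and browsers:
+* ```typescript
+* deviceAccess: {
+* mobileOnly: true,
+* browserOnly: true
+* }
+* ```
+*
+* @example Allow all except browsers:
+* ```typescript
+* deviceAccess: {
+* mobileOnly: true,
+* terminalOnly: true,
+* browserOnly: false
+* }
+* ```
+*/
+deviceAccess?: {
+/** Allow only browser requests */
+browserOnly?: boolean | BrowserOnlyConfig;
+/** Allow only terminal/API tool requests */
+terminalOnly?: boolean | TerminalOnlyConfig;
+/** Allow only mobile app requests */
+mobileOnly?: boolean | MobileOnlyConfig;
+};
 /**
 * XyRS - XyPriss Request Signature Configuration
 *
@@ -2993,6 +3115,7 @@ interface CORSConfig {
 *
 * @example
 * ```typescript
+* // String message
 * const rateLimitConfig: RateLimitConfig = {
 * windowMs: 900000, // 15 minutes
 * max: 100, // 100 requests per window
@@ -3000,6 +3123,19 @@ interface CORSConfig {
 * standardHeaders: true,
 * legacyHeaders: false
 * };
+*
+* // Object message (more flexible)
+* const rateLimitConfig: RateLimitConfig = {
+* windowMs: 900000,
+* max: 100,
+* message: {
+* error: 'Rate limit exceeded',
+* message: 'Too many requests, please try again later',
+* retryAfter: 900
+* },
+* standardHeaders: true,
+* legacyHeaders: false
+* };
 * ```
 */
 interface RateLimitConfig$1 {
@@ -3007,8 +3143,13 @@ interface RateLimitConfig$1 {
 windowMs?: number;
 /** Maximum requests per window */
 max?: number;
-/** Message to send when limit is exceeded */
-message?: string
+/** Message to send when limit is exceeded (string or object) */
+message?: string | {
+error?: string;
+message?: string;
+retryAfter?: number;
+[key: string]: any;
+};
 /** Include standard rate limit headers */
 standardHeaders?: boolean;
 /** Include legacy rate limit headers */
@@ -4628,6 +4769,12 @@ declare class SecurityMiddleware {
 slowDown: boolean | SlowDownConfig;
 browserOnly: boolean | BrowserOnlyConfig;
 terminalOnly: boolean | TerminalOnlyConfig;
+mobileOnly: boolean | MobileOnlyConfig;
+deviceAccess?: {
+browserOnly?: boolean | BrowserOnlyConfig;
+terminalOnly?: boolean | TerminalOnlyConfig;
+mobileOnly?: boolean | MobileOnlyConfig;
+};
 requestSignature: boolean | RequestSignatureConfig;
 encryption: Required<SecurityConfig>["encryption"];
 authentication: Required<SecurityConfig>["authentication"];
@@ -4639,6 +4786,7 @@ declare class SecurityMiddleware {
 private csrfMiddleware;
 private browserOnlyMiddleware;
 private terminalOnlyMiddleware;
+private mobileOnlyMiddleware;
 private requestSignatureMiddleware;
 private mongoSanitizeMiddleware;
 private hppMiddleware;
@@ -4652,6 +4800,7 @@ declare class SecurityMiddleware {
 private ldapInjectionDetector;
 private browserOnlyProtector?;
 private terminalOnlyProtector?;
+private mobileOnlyProtector?;
 private logger;
 constructor(config?: SecurityConfig, logger?: Logger);
 /**
@@ -4696,6 +4845,22 @@ declare class SecurityMiddleware {
 * Check if terminal-only protection is enabled
 */
 private isTerminalOnlyEnabled;
+/**
+* Check if mobile-only protection is enabled
+*/
+private isMobileOnlyEnabled;
+/**
+* Validate device access configuration
+*/
+private validateDeviceAccessConfig;
+/**
+* Create combined middleware for browser and mobile access control
+*/
+private createCombinedDeviceMiddleware;
+/**
+* Check if request is from a mobile device (using MobileOnlyProtector logic)
+*/
+private isMobileRequest;
 /**
 * Get security configuration
 */
@@ -5291,7 +5456,7 @@ interface SecurityMiddlewareConfig {
 xssFilter?: boolean;
 };
 cors?: boolean | {
-origin?: string | string[] | boolean;
+origin?: string | RegExp | (string | RegExp)[] | boolean;
 methods?: string | string[];
 allowedHeaders?: string | string[];
 exposedHeaders?: string | string[];
@@ -5303,7 +5468,12 @@ interface SecurityMiddlewareConfig {
 rateLimit?: boolean | {
 windowMs?: number;
 max?: number;
-message?: string
+message?: string | {
+error?: string;
+message?: string;
+retryAfter?: number;
+[key: string]: any;
+};
 standardHeaders?: boolean;
 legacyHeaders?: boolean;
 store?: any;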
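--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "xypriss",
-"version": "3.1
+"version": "3.2.1",
 "description": "XyPriss is a lightweight, TypeScript-first, open-source Node.js web framework crafted for developers seeking a familiar Express-like API without Express dependencies. It features built-in security middleware, a robust routing system, and performance optimizations to build scalable, secure web applications effortlessly. Join our community and contribute on GitHub!",
 "main": "dist/cjs/index.js",
 "module": "dist/esm/index.js",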