xypriss 9.10.23 → 9.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/README.md +42 -37
  2. package/dist/cjs/src/middleware/built-in/BuiltInMiddleware.js +5 -4
  3. package/dist/cjs/src/middleware/built-in/BuiltInMiddleware.js.map +1 -1
  4. package/dist/cjs/src/middleware/security-middleware.js +98 -80
  5. package/dist/cjs/src/middleware/security-middleware.js.map +1 -1
  6. package/dist/cjs/src/server/components/static/XStatic.js +51 -13
  7. package/dist/cjs/src/server/components/static/XStatic.js.map +1 -1
  8. package/dist/cjs/src/server/const/default.js +15 -6
  9. package/dist/cjs/src/server/const/default.js.map +1 -1
  10. package/dist/cjs/src/server/const/internalFlags.js +8 -4
  11. package/dist/cjs/src/server/const/internalFlags.js.map +1 -1
  12. package/dist/cjs/src/server/core/ResponseEnhancer.js +1 -1
  13. package/dist/cjs/src/server/core/ResponseEnhancer.js.map +1 -1
  14. package/dist/cjs/src/server/core/SendFileHandler.js +5 -1
  15. package/dist/cjs/src/server/core/SendFileHandler.js.map +1 -1
  16. package/dist/cjs/src/server/core/XHSCBridge/cmd/buildPerformanceArgs.js +13 -10
  17. package/dist/cjs/src/server/core/XHSCBridge/cmd/buildPerformanceArgs.js.map +1 -1
  18. package/dist/cjs/src/server/core/XHSCBridge/cmd/buildWorkerPoolArgs.js +20 -10
  19. package/dist/cjs/src/server/core/XHSCBridge/cmd/buildWorkerPoolArgs.js.map +1 -1
  20. package/dist/cjs/src/server/core/XHSCProtocol.js +12 -4
  21. package/dist/cjs/src/server/core/XHSCProtocol.js.map +1 -1
  22. package/dist/cjs/src/server/middleware/MiddlewareManager.js +25 -11
  23. package/dist/cjs/src/server/middleware/MiddlewareManager.js.map +1 -1
  24. package/dist/cjs/src/utils/Send.js +20 -1
  25. package/dist/cjs/src/utils/Send.js.map +1 -1
  26. package/dist/cjs/src/xhsc/cluster/XHSCWorker.js +99 -37
  27. package/dist/cjs/src/xhsc/cluster/XHSCWorker.js.map +1 -1
  28. package/dist/cjs/src/xhsc/cluster/xbp.js +210 -0
  29. package/dist/cjs/src/xhsc/cluster/xbp.js.map +1 -0
  30. package/dist/esm/src/middleware/built-in/BuiltInMiddleware.js +5 -4
  31. package/dist/esm/src/middleware/built-in/BuiltInMiddleware.js.map +1 -1
  32. package/dist/esm/src/middleware/security-middleware.js +98 -80
  33. package/dist/esm/src/middleware/security-middleware.js.map +1 -1
  34. package/dist/esm/src/server/components/static/XStatic.js +51 -13
  35. package/dist/esm/src/server/components/static/XStatic.js.map +1 -1
  36. package/dist/esm/src/server/const/default.js +15 -6
  37. package/dist/esm/src/server/const/default.js.map +1 -1
  38. package/dist/esm/src/server/const/internalFlags.js +8 -4
  39. package/dist/esm/src/server/const/internalFlags.js.map +1 -1
  40. package/dist/esm/src/server/core/ResponseEnhancer.js +1 -1
  41. package/dist/esm/src/server/core/ResponseEnhancer.js.map +1 -1
  42. package/dist/esm/src/server/core/SendFileHandler.js +5 -1
  43. package/dist/esm/src/server/core/SendFileHandler.js.map +1 -1
  44. package/dist/esm/src/server/core/XHSCBridge/cmd/buildPerformanceArgs.js +13 -10
  45. package/dist/esm/src/server/core/XHSCBridge/cmd/buildPerformanceArgs.js.map +1 -1
  46. package/dist/esm/src/server/core/XHSCBridge/cmd/buildWorkerPoolArgs.js +20 -10
  47. package/dist/esm/src/server/core/XHSCBridge/cmd/buildWorkerPoolArgs.js.map +1 -1
  48. package/dist/esm/src/server/core/XHSCProtocol.js +12 -4
  49. package/dist/esm/src/server/core/XHSCProtocol.js.map +1 -1
  50. package/dist/esm/src/server/middleware/MiddlewareManager.js +25 -11
  51. package/dist/esm/src/server/middleware/MiddlewareManager.js.map +1 -1
  52. package/dist/esm/src/utils/Send.js +20 -1
  53. package/dist/esm/src/utils/Send.js.map +1 -1
  54. package/dist/esm/src/xhsc/cluster/XHSCWorker.js +99 -37
  55. package/dist/esm/src/xhsc/cluster/XHSCWorker.js.map +1 -1
  56. package/dist/esm/src/xhsc/cluster/xbp.js +207 -0
  57. package/dist/esm/src/xhsc/cluster/xbp.js.map +1 -0
  58. package/dist/index.d.ts +42 -185
  59. package/package.json +43 -40
package/README.md CHANGED
@@ -11,7 +11,7 @@ _Stop Coding Backends. Start Deploying Fortresses._
11
11
  [![License: Nehonix OSL (NOSL) v2.0](https://img.shields.io/badge/License-Nehonix%20OSL%20%28NOSL%29%20v2.0-blue.svg)](https://dll.nehonix.com/licenses/NOSL/v2)
12
12
  [![Powered by Nehonix](https://img.shields.io/badge/Powered%20by-Nehonix-blue?style=flat&logo=data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjQiIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTTEyIDJMMTMuMDkgOC4yNkwyMCA5TDEzLjA5IDE1Ljc0TDEyIDIyTDEwLjkxIDE1Ljc0TDQgOUwxMC45MSA4LjI2TDEyIDJaIiBmaWxsPSJ3aGl0ZSIvPgo8L3N2Zz4K)](https://nehonix.com)
13
13
 
14
- [Quick Start](https://xypriss.nehonix.com/docs/QUICK_START) • [Documentation](https://xypriss.nehonix.com/docs/) • [Examples](https://xypriss.nehonix.com/docs/EXAMPLES) • [API Reference](https://xypriss.nehonix.com/docs/api-reference)
14
+ [Quick Start](https://xypriss.nehonix.com/docs/quick-start) • [Documentation](https://xypriss.nehonix.com/docs/) • [Examples](https://xypriss.nehonix.com/docs/EXAMPLES) • [API Reference](https://xypriss.nehonix.com/docs/api-reference)
15
15
 
16
16
  </div>
17
17
 
@@ -21,7 +21,7 @@ _Stop Coding Backends. Start Deploying Fortresses._
21
21
  [**XyPriss**](https://xypriss.nehonix.com) is an **Enterprise-Grade Hybrid Web Framework** that combines the raw performance of compiled native binaries with the productivity and flexibility of **TypeScript**. It is designed for teams that require both operational speed and developer velocity, without compromise.
22
22
 
23
23
  > [!NOTE]
24
- > **Security Briefing:** XyPriss enforces a "Secure by Default" architecture. Core variables are protected by a native **[Environment Security Shield](./docs/ENVIRONMENT_SHIELD.md)** that blocks direct `process.env` access to prevent leakage. This is complemented by a built-in, zero-dependency storage system (**XEMS**), high-speed Go-powered networking (**XHSC**), and a **Zero-Trust Plugin Security** layer.
24
+ > **Security Briefing:** XyPriss enforces a "Secure by Default" architecture. Core variables are protected by a native **[Environment Security Shield](https://xypriss.nehonix.com/docs/security/environment-shield)** that blocks direct `process.env` access to prevent leakage. This is complemented by a built-in, zero-dependency storage system (**XEMS**), high-speed Go-powered networking (**XHSC**), and a **Zero-Trust Plugin Security** layer.
25
25
 
26
26
  ### Cross-Platform Foundation
27
27
 
@@ -44,7 +44,7 @@ The framework operates on a layered architecture:
44
44
 
45
45
  1. **XHSC (Native Engine):** Handles the HTTP/S stack, advanced radix routing, filesystem I/O, process monitoring, and real-time hardware telemetry. It acts as the high-speed gateway for all incoming traffic and system operations.
46
46
  2. **Node.js Runtime:** Provides the enterprise-ready application layer where developers define business logic, security middleware, and data processing pipelines using TypeScript.
47
- 3. **XFPM (XyPriss Fast Package Manager):** A high-performance, Go-powered package manager optimized for the XyPriss ecosystem. Provides ultra-fast dependency resolution, extraction, and caching. [Learn more about XFPM](https://github.com/Nehonix-Team/XFMP).
47
+ 3. **XFPM (XyPriss Fast Package Manager):** A high-performance, Go-powered package manager optimized for the XyPriss ecosystem. Provides ultra-fast dependency resolution, extraction, and caching. [Learn more about XFPM](https://xypriss.nehonix.com/docs/xfpm).
48
48
 
49
49
  This separation allows each layer to operate in its optimal domain: compiled native code for performance-critical paths, TypeScript for rapid application development.
50
50
 
@@ -62,16 +62,17 @@ This separation allows each layer to operate in its optimal domain: compiled nat
62
62
  - **Environment Security Shield** — Military-grade protection for sensitive variables. Direct `process.env` access is masked via a native Proxy to prevent accidental leakage, forcing the use of secure, typed APIs.
63
63
  - **Built-in DotEnv Loader** — Zero-dependency, ultra-fast `.env` parser with automatic support for `.env`, `.env.local`.
64
64
  - **Extensible Plugin System** — Permission-based plugin architecture with lifecycle hooks and strict security controls (sandboxed restricted instances).
65
+ - **XInS (XyPriss Intelligent Scaling)** — Native Auto-Scaling engine powered by AIMD congestion control. Dynamically adjusts Node.js concurrency based on real-time event loop latency to prevent starvation and ensure zero-downtime stability under extreme load (5000+ concurrent connections). [Read the XInS Guide](https://xypriss.nehonix.com/docs/XInS.md).
65
66
  - **Application Immutability** — Global protection against runtime hijacking. The `App` instance is locked via Proxy after creation to prevent unauthorized property mutations or deletions.
66
- - **Native Production Integration** — Built for automated deployments and SSL management via [XyNginC](https://github.com/Nehonix-Team/xynginc).
67
- - **Multi-Server Support (XMS)** — Run multiple server instances with isolated configurations from a single process. Features a **Global Merge Rule** where root options are automatically inherited by all server instances. [Learn more](docs/config/multi-server.md).
67
+ - **Native Production Integration** — Built for automated deployments and SSL management via [XyNginC](https://xypriss.nehonix.com/docs/plugins/official/xynginc).
68
+ - **Multi-Server Support (XMS)** — Run multiple server instances with isolated configurations from a single process. Features a **Global Merge Rule** where root options are automatically inherited by all server instances. [Learn more](https://xypriss.nehonix.com/docs/config/multi-server).
68
69
  - **Advanced Response Control** — Granular control over unknown routes, status codes, and custom response payloads. [Behavioral Guide](docs/config/notfound-vs-responsecontrol.md).
69
70
 
70
71
  ---
71
72
 
72
73
  We strongly recommend using the **XyPriss CLI (`xfpm`)** for the fastest and most reliable developer experience.
73
74
 
74
- Refer to the [**Installation Guide**](https://xypriss.nehonix.com/docs/installation?q=install%20xfpm&kw=This%20document%20provides%20step-by-step%20in) for detailed platform-specific instructions.
75
+ Refer to the [**Installation Guide**](https://xypriss.nehonix.com/docs/installation) for detailed platform-specific instructions.
75
76
 
76
77
  ### Quick Install (Unix)
77
78
 
@@ -153,7 +154,7 @@ app.version("v1", (v1) => {
153
154
  app.start();
154
155
  ```
155
156
 
156
- **[Complete Quick Start Guide](https://xypriss.nehonix.com/docs/QUICK_START)**
157
+ **[Complete Quick Start Guide](https://xypriss.nehonix.com/docs/quick-start)**
157
158
 
158
159
  ---
159
160
 
@@ -161,39 +162,38 @@ app.start();
161
162
 
162
163
  ### Getting Started
163
164
 
164
- - [Quick Start Guide](https://xypriss.nehonix.com/docs/QUICK_START) - Installation and basic setup
165
+ - [Quick Start Guide](https://xypriss.nehonix.com/docs/quick-start) - Installation and basic setup
165
166
  - [XFPM Guide](https://xypriss.nehonix.com/docs/xfpm) - Using the XyPriss Fast Package Manager
166
- - [Examples](https://xypriss.nehonix.com/docs/EXAMPLES) - Practical code examples
167
- - [Features Overview](https://xypriss.nehonix.com/docs/FEATURES_OVERVIEW) - Comprehensive feature list
168
- - [Router Engine V2](./docs/routing/README.md) - Rich modular routing
169
- - [Advanced Routing & XyGuard API](./docs/routing/ADVANCED_ROUTING.md) - Declarative guards and modularity
170
- - [XStatic Native Serving](./docs/core/XSTATIC.md) - Zero-Copy static file delegation
171
- - [Native Binary Streaming](./docs/core/response-sendfile.md) - res.sendFile() technical guide
167
+ - [Features Overview](https://xypriss.nehonix.com/docs) - Comprehensive feature list
168
+ - [XyPriss Router](https://xypriss.nehonix.com/docs/routing) - Rich modular routing
169
+ - [Advanced Routing & XyGuard API](https://xypriss.nehonix.com/docs/routing/groups-versioning) - Declarative guards and modularity
170
+ - [XStatic Native Serving](https://xypriss.nehonix.com/docs/server/static-files#xstatic-high-performance-delegation) - Zero-Copy static file delegation
171
+ - [Native Binary Streaming](https://xypriss.nehonix.com/docs/server/send-file) - res.sendFile() technical guide
172
172
 
173
173
  ### Security
174
174
 
175
- - [Security Overview](./docs/security/SECURITY.md) - Security features and best practices
176
- - [**XEMS — Modular Technical Suite**](./docs/security/xems/README.md) - Deep dive into sidecar architecture, encryption, and configuration
177
- - [**XEMS — Basic Tutorial**](./docs/XEMS_TUTORIAL.md) - High-level introduction to sessions and OTP flows
175
+ - [Security Overview](https://xypriss.nehonix.com/docs/security/overview) - Security features and best practices
176
+ - [**XEMS — Modular Technical Suite**](https://xypriss.nehonix.com/docs/security/xems) - Deep dive into sidecar architecture, encryption, and configuration
177
+ - [**XEMS — Basic Tutorial**](https://xypriss.nehonix.com/docs/security/xems/tutorial) - High-level introduction to sessions and OTP flows
178
178
  - [Route-Based Security](./docs/security/ROUTE_BASED_SECURITY.md) - Per-route security policies
179
- - [Request Signature Auth](./docs/security/request-signature-auth.md) - API key authentication
179
+ - [Request Signature Auth](https://xypriss.nehonix.com/docs/security/signatures) - API key authentication
180
180
  - [CORS Configuration](./docs/security/advanced-cors-regexp.md) - Advanced CORS with RegExp patterns
181
-
181
+
182
182
  ### Plugin System
183
183
 
184
- - [Plugin Development Guide](./docs/plugins/PLUGIN_SYSTEM_GUIDE.md) - Recommended: Comprehensive guide to the modular architecture.
185
- - [Plugin API Reference](./docs/plugins/plugins.md) - Detailed interface and hook reference.
186
- - [Plugin Permissions](./docs/plugins/PLUGIN_PERMISSIONS.md) - Security and permissions (Capability-Based).
187
- - [Built-in Plugins](./docs/plugins/BUILTIN_PLUGINS.md) - Official XEMS, Route Optimization, and Maintenance plugins.
188
- - [Console Intercept Hook](./docs/CONSOLE_INTERCEPT_HOOK.md) - Console monitoring.
184
+ - [Plugin Development Guide](https://xypriss.nehonix.com/docs/plugins) - Recommended: Comprehensive guide to the modular architecture.
185
+ - [Plugin API Reference](https://xypriss.nehonix.com/docs/plugins/api-reference) - Detailed interface and hook reference.
186
+ - [Plugin Permissions](https://xypriss.nehonix.com/docs/plugins/permissions) - Security and permissions (Capability-Based).
187
+ - [Built-in Plugins](https://xypriss.nehonix.com/docs/plugins/built-in) - Official XEMS, Route Optimization, and Maintenance plugins.
188
+ - [Console Intercept Hook](https://xypriss.nehonix.com/docs/plugins/api-reference/logging-ops#console-intercept) - Console monitoring.
189
189
 
190
190
  ### Request Logging
191
191
 
192
192
  > [!NOTE]
193
193
  > **`morgan` is not recommended in XyPriss applications.**
194
- > While morgan will not break your application, it is not the right fit for the XyPriss security model. To get the best out of the framework with accurate request tracing, IP anonymization, and full compliance with the Zero-Trust architecture, use **[Xyphra](https://github.com/Nehonix-Team/xyphra)** instead.
194
+ > While morgan will not break your application, it is not the right fit for the XyPriss security model. To get the best out of the framework with accurate request tracing, IP anonymization, and full compliance with the Zero-Trust architecture, use **[Xyphra](https://xypriss.nehonix.com/docs/plugins/official/xyphra)** instead.
195
195
 
196
- The official logging solution for XyPriss is **[Xyphra](https://github.com/Nehonix-Team/xyphra)** — a native plugin built for the XHSC engine. It integrates seamlessly into the plugin system, respects the Zero-Trust security model, and provides IP anonymization, header redaction, and structured output.
196
+ The official logging solution for XyPriss is **[Xyphra](https://xypriss.nehonix.com/docs/plugins/official/xyphra)** — a native plugin built for the XHSC engine. It integrates seamlessly into the plugin system, respects the Zero-Trust security model, and provides IP anonymization, header redaction, and structured output.
197
197
 
198
198
  ```typescript
199
199
  import { createServer } from "xypriss";
@@ -211,13 +211,17 @@ const app = createServer({
211
211
  });
212
212
  ```
213
213
 
214
+ ### Response Utilities
215
+
216
+ - [**Send — Structured HTTP Response Helper**](./docs/utils/SEND.md) - Unified JSON response API covering all 2xx, 3xx, 4xx, and 5xx status codes with a consistent response body contract.
217
+
214
218
  ### Advanced Topics
215
219
 
216
- - [XJson API](./docs/XJSON_API.md) - Advanced JSON serialization
217
- - [Clustering](./docs/bun-clustering.md) - Multi-worker scaling
218
- - [Performance Tuning](./docs/cluster-performance-tuning.md) - Optimization strategies
220
+ - [XJson API](https://xypriss.nehonix.com/docs/features/xjson?h=#xypriss-json-xjson-api) - Advanced JSON serialization
221
+ - [Clustering](https://xypriss.nehonix.com/docs/cluster) - Multi-worker scaling
222
+ - [Performance Tuning](https://xypriss.nehonix.com/docs/cluster) - Optimization strategies
219
223
 
220
- **[View All Documentation](./docs/)**
224
+ **[View All Documentation](https://xypriss.nehonix.com/docs)**
221
225
 
222
226
  ---
223
227
 
@@ -251,11 +255,11 @@ const app = createServer({
251
255
  });
252
256
  ```
253
257
 
254
- **[Read the Honeypot Tarpit documentation for detailed internal logic and capabilities →](./docs/security/HONEYPOT_TARPIT.md)**
258
+ **[Read the Honeypot Tarpit documentation for detailed internal logic and capabilities →](https://xypriss.nehonix.com/docs/security/honeypot)**
255
259
 
256
260
  ### XEMS — Encrypted Memory Store
257
261
 
258
- [XEMS](https://github.com/Nehonix-Team/XyPriss-XEMS) is the built-in session security layer. Unlike cookie-based JWT, XEMS stores all session data **server-side inside a native Go sidecar process**, encrypted with AES-256-GCM. The client only ever holds a random opaque token.
262
+ [XEMS](https://xypriss.nehonix.com/docs/security/xems/configuration) is the built-in session security layer. Unlike cookie-based JWT, XEMS stores all session data **server-side inside a native Go sidecar process**, encrypted with AES-256-GCM. The client only ever holds a random opaque token.
259
263
 
260
264
  ```typescript
261
265
  import { createServer, xems } from "xypriss";
@@ -285,7 +289,7 @@ app.get("/profile", (req, res) => {
285
289
  });
286
290
  ```
287
291
 
288
- **[Full XEMS Technical Guide →](./docs/security/xems/README.md)** | **[Tutorial →](./docs/XEMS_TUTORIAL.md)**
292
+ **[Full XEMS Technical Guide →](https://xypriss.nehonix.com/docs/security/xems)** | **[Tutorial →](https://xypriss.nehonix.com/docs/security/xems/tutorial)**
289
293
 
290
294
  ### Application Immutability
291
295
 
@@ -302,7 +306,7 @@ To prevent runtime hijacking and ensure system-wide stability, XyPriss implement
302
306
  - **Deep Audit Engine**: The XHSC core performs a mandatory, high-performance security audit upon engine startup, verifying every plugin against pinned author keys.
303
307
  - **Author Key Pinning**: Trusted authors are pinned within the project configuration (`xypriss.config.jsonc`), preventing unauthorized plugin execution or "Evil Upgrades."
304
308
 
305
- **[Read the Plugin Signature Specification for detailed security mechanics →](./docs/plugins/PLUGIN_SIGNATURE_SPEC.md)**
309
+ **[Read the Plugin Signature Specification for detailed security mechanics →](https://xypriss.nehonix.com/docs/plugins/system-guide)**
306
310
 
307
311
  ### Plugin Permissions
308
312
 
@@ -311,7 +315,7 @@ XyPriss uses a Capability-Based Security Model for plugins. Each plugin operates
311
315
  - **Zero-Trust Configs**: By default, plugins cannot access `server.app.configs`. Accessing this property will return `undefined`.
312
316
  - **Explicit Permissions**: Privileged access to the full server configuration must be explicitly granted via the `XHS.PERM.SECURITY.CONFIGS` permission.
313
317
 
314
- **[Learn more about Plugin Permissions →](./docs/plugins/PLUGIN_PERMISSIONS.md)**
318
+ **[Learn more about Plugin Permissions →](https://xypriss.nehonix.com/docs/plugins/permissions)**
315
319
 
316
320
  ### Environment Security Shield
317
321
 
@@ -344,7 +348,7 @@ For project configuration, use the `XYPRISS_` prefix to bypass the shield for in
344
348
  - `XYPRISS_HOST`
345
349
  - `XYPRISS_REDIS_URL`
346
350
 
347
- **[Learn more about Environment Security →](./docs/ENVIRONMENT_SHIELD.md)**
351
+ **[Learn more about Environment Security →](https://xypriss.nehonix.com/docs/system/environment)**
348
352
 
349
353
  ### Security Disclosure Policy
350
354
 
@@ -363,6 +367,7 @@ We are committed to:
363
367
  - Crediting researchers who responsibly disclose vulnerabilities
364
368
 
365
369
  Your assistance in maintaining the security of XyPriss is greatly appreciated.
370
+ **[Learn more →](https://xypriss.nehonix.com/docs/contributing#disclosure-policy)**
366
371
 
367
372
  ### Multi-Server Security Isolation
368
373
 
@@ -395,7 +400,7 @@ XyPriss is an open-source project that welcomes contributions from the community
395
400
  - Ensure all tests pass before submitting
396
401
  - Write clear commit messages
397
402
 
398
- **[Read the Complete Contributing Guide](./CONTRIBUTING.md)**
403
+ **[Read the Complete Contributing Guide](https://xypriss.nehonix.com/docs/contributing)**
399
404
 
400
405
  ---
401
406
 
@@ -279,10 +279,7 @@ class BuiltInMiddleware {
279
279
  /**
280
280
  * CSRF protection middleware using csrf-csrf library
281
281
  */
282
- static csrf(options = {
283
- getSecret: () => "e6ac40fffc5e9399eab10f5b84fcba2c923e7f74a73b76b56c11b722671eea5e",
284
- getSessionIdentifier: (req) => req.session.id,
285
- }) {
282
+ static csrf(options = {}) {
286
283
  const defaultOptions = {
287
284
  cookieName: "__Host-psifi.x-csrf-token",
288
285
  cookieOptions: {
@@ -298,6 +295,10 @@ class BuiltInMiddleware {
298
295
  req.body?._csrf ||
299
296
  req.query?._csrf);
300
297
  },
298
+ getSecret: () => {
299
+ throw new Error("[XyPriss] CSRF protection requires a secret.");
300
+ },
301
+ getSessionIdentifier: (req) => req.session?.id || "anonymous",
301
302
  };
302
303
  const config = mergeWithDefaults.mergeWithDefaults(defaultOptions, options);
303
304
  const { doubleCsrfProtection } = csrfCsrf.doubleCsrf(config);
@@ -1 +1 @@
1
- {"version":3,"file":"BuiltInMiddleware.js","sources":["../../../../../src/middleware/built-in/BuiltInMiddleware.ts"],"sourcesContent":[null],"names":["mergeWithDefaults","cors","shouldCompress","Logger","doubleCsrf","hpp","BrowserOnlyProtector","TerminalOnlyProtector","MobileOnlyProtector","RequestSignatureProtector"],"mappings":";;;;;;;;;;;;;;;AAAA;;;AAGG;MA4BU,iBAAiB,CAAA;AAC1B;;AAEG;AACH,IAAA,OAAO,MAAM,CAAC,OAAA,GAAwC,EAAE,EAAA;AACpD,QAAA,MAAM,cAAc,GAAiC;AACjD,YAAA,qBAAqB,EAAE;AACnB,gBAAA,UAAU,EAAE;oBACR,UAAU,EAAE,CAAC,QAAQ,CAAC;oBACtB,SAAS,EAAE,CAAC,QAAQ,CAAC;AACrB,oBAAA,QAAQ,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;AACvC,oBAAA,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC;oBAC3B,OAAO,EAAE,CAAC,QAAQ,CAAC;AACtB,iBAAA;AACJ,aAAA;AACD,YAAA,yBAAyB,EAAE,IAAI;AAC/B,YAAA,uBAAuB,EAAE,IAAI;AAC7B,YAAA,yBAAyB,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE;AACpD,YAAA,kBAAkB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;AACpC,YAAA,UAAU,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;AAC9B,YAAA,aAAa,EAAE,IAAI;AACnB,YAAA,IAAI,EAAE;AACF,gBAAA,MAAM,EAAE,QAAQ;AAChB,gBAAA,iBAAiB,EAAE,IAAI;AACvB,gBAAA,OAAO,EAAE,KAAK;AACjB,aAAA;AACD,YAAA,QAAQ,EAAE,IAAI;AACd,YAAA,OAAO,EAAE,IAAI;AACb,YAAA,kBAAkB,EAAE,IAAI;AACxB,YAAA,4BAA4B,EAAE,KAAK;AACnC,YAAA,cAAc,EAAE,EAAE,MAAM,EAAE,iCAAiC,EAAE;AAC7D,YAAA,SAAS,EAAE,IAAI;SAClB;;AAGD,QAAA,IAAI,YAAY,GAAQ,EAAE,GAAG,cAAc,EAAE;;AAG7C,QAAA,IAAI,OAAO,CAAC,qBAAqB,KAAK,SAAS,EAAE;AAC7C,YAAA,IAAI,OAAO,CAAC,qBAAqB,KAAK,KAAK,EAAE;;AAEzC,gBAAA,YAAY,CAAC,qBAAqB,GAAG,KAAK;YAC9C;AAAO,iBAAA,IACH,OAAO,OAAO,CAAC,qBAAqB,KAAK,QAAQ;AACjD,gBAAA,OAAO,CAAC,qBAAqB,KAAK,IAAI,EACxC;gBACE,YAAY,CAAC,qBAAqB,GAAG;oBACjC,GAAI,cAAc,CAAC,qBAA6B;oBAChD,GAAG,OAAO,CAAC,qBAAqB;iBACnC;;AAGD,gBAAA,IAAI,OAAO,CAAC,qBAAqB,CAAC,UAAU,EAAE;;oBAE1C,MAAM,wBAAwB,GAAQ,EAAE;AACxC,oBAAA,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CACrC,OAAO,CAAC,qBAAqB,CAAC,UAAU,CAC3C,EAAE;;wBAEC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,MAAM,KAChD,MAAM,CAAC,WAAW,EAAE,CACvB;AACD,wBAAA,wBAAwB,CAAC,QAAQ,CAAC,GAAG,KAAK;oBAC9C;AAEA,oBAAA,YAAY,CAAC,qBAAqB,CAAC,UAAU,GAAG;;wBAE5C,GAAI,cAAc,CAAC;AACf,8BAAE,UAAU;;AAEhB,wBAAA,GAAG,wBAAwB;qBAC9B;gBACL;YACJ;QACJ;;QAGA,MAAM,EAAE,qBAAqB,EAAE,GAAG,YAAY,EAAE,GAAG,OAAO;QAC1D,YAAY,GAAG,EAAE,GAAG,YAAY,EAAE,GAAG,YAAY,EAAE;AAEnD,QAAA,OAAO,MAAM,CAAC,YAAmB,CAAC;IACtC;AAEA;;;;;;;;;;AAUG;AACH,IAAA,OAAO,IAAI,CAAC,OAAA,GAAsC,EAAE,EAAA;AAChD,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,MAAM,EAAE,IAAI;AACZ,YAAA,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC;;;AAG1D,YAAA,WAAW,EAAE,KAAK;YAClB,MAAM,EAAE,KAAK;SAChB;;;;;;;QAQD,MAAM,MAAM,GAAQA,mCAAiB,CAAC,cAAc,EAAE,OAAc,CAAC;;;;;;QAOrE,MAAM,kBAAkB,GACpB,OAAO,IAAI,IAAI,IAAI,QAAQ,IAAK,OAAkB;QACtD,IAAI,MAAM,CAAC,WAAW,KAAK,IAAI,IAAI,CAAC,kBAAkB,EAAE;YACpD,MAAM,CAAC,MAAM,GAAG,CACZ,aAAiC,EACjC,QAA+D,KAC/D;AACA,gBAAA,QAAQ,CAAC,IAAI,EAAE,aAAa,IAAI,KAAK,CAAC;AAC1C,YAAA,CAAC;QACL;;;;AAMA,QAAA,MAAM,iBAAiB,GAAG,CAAC,KAAU,KAAwB;AACzD,YAAA,IAAI,CAAC,KAAK;AAAE,gBAAA,OAAO,SAAS;;YAG5B,IAAI,OAAO,KAAK,KAAK,QAAQ;AAAE,gBAAA,OAAO,KAAK;;AAG3C,YAAA,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;AACtB,gBAAA,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;YAC3B;;AAGA,YAAA,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;gBAC3B,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;AACxC,gBAAA,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;YACjC;AAEA,YAAA,OAAO,SAAS;AACpB,QAAA,CAAC;;AAGD,QAAA,IAAI,MAAM,CAAC,OAAO,EAAE;YAChB,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,OAAO,CAAC;YACpD,IAAI,UAAU,EAAE;AACZ,gBAAA,MAAM,CAAC,OAAO,GAAG,UAAU;YAC/B;QACJ;;AAGA,QAAA,IAAI,MAAM,CAAC,cAAc,EAAE;YACvB,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,cAAc,CAAC;YAC3D,IAAI,UAAU,EAAE;AACZ,gBAAA,MAAM,CAAC,cAAc,GAAG,UAAU;YACtC;QACJ;;AAGA,QAAA,IAAI,MAAM,CAAC,cAAc,EAAE;YACvB,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,cAAc,CAAC;YAC3D,IAAI,UAAU,EAAE;AACZ,gBAAA,MAAM,CAAC,cAAc,GAAG,UAAU;YACtC;QACJ;;QAGA,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE;YAC9B,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CACrC,CAAC,MAAW,KACR,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,YAAY,MAAM,CAC7D;AAED,YAAA,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE;gBACzB,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,4BAA4B,CAAC,YAAY,CAAC;YACnE;QACJ;AAEA,QAAA,OAAOC,uBAAI,CAAC,MAAM,CAAC;IACvB;AAEA;;AAEG;IACK,OAAO,4BAA4B,CAAC,OAA4B,EAAA;AAOpE,QAAA,OAAO,CACH,MAA0B,EAC1B,QAA+D,KAC/D;AACA,YAAA,IAAI;;gBAEA,IAAI,CAAC,MAAM,EAAE;AACT,oBAAA,OAAO,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;gBAChC;;AAGA,gBAAA,KAAK,MAAM,OAAO,IAAI,OAAO,EAAE;AAC3B,oBAAA,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;;wBAE7B,IAAI,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;;AAE3C,4BAAA,OAAO,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;wBACjC;oBACJ;AAAO,yBAAA,IAAI,OAAO,YAAY,MAAM,EAAE;;AAElC,wBAAA,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;AACtB,4BAAA,OAAO,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;wBACjC;oBACJ;gBACJ;;AAGA,gBAAA,OAAO,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;YAChC;YAAE,OAAO,KAAK,EAAE;;AAEZ,gBAAA,OAAO,QAAQ,CAAC,KAAc,EAAE,KAAK,CAAC;YAC1C;AACJ,QAAA,CAAC;IACL;AAEA;;AAEG;AACK,IAAA,OAAO,mBAAmB,CAC9B,MAAc,EACd,OAAe,EAAA;;AAGf,QAAA,IAAI,OAAO,KAAK,MAAM,EAAE;AACpB,YAAA,OAAO,IAAI;QACf;;AAGA,QAAA,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;;YAEvB,MAAM,YAAY,GAAG;AAChB,iBAAA,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC;AACrC,iBAAA,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAE1B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAA,CAAA,EAAI,YAAY,CAAA,CAAA,CAAG,CAAC;AAC7C,YAAA,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;QAC7B;AAEA,QAAA,OAAO,KAAK;IAChB;AAEA;;;AAGG;AACH;;AAEG;AACH,IAAA,OAAO,SAAS,CAAC,OAAA,GAAe,EAAE,EAAA;;;;AAI9B,QAAA,OAAO,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,KAAI;;;AAGrC,YAAA,IAAI,EAAE;AACV,QAAA,CAAC;IACL;AAEA;;AAEG;AACH,IAAA,OAAO,WAAW,CAAC,OAAA,GAAe,EAAE,EAAA;AAChC,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,KAAK,EAAE,CAAC;YACR,SAAS,EAAE,IAAI;YACf,MAAM,EACF,OAAO,CAAC,MAAM;AACd,iBAAC,CAAC,GAAQ,EAAE,GAAQ,KAAI;;AAEpB,oBAAA,IAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE;AACjC,wBAAA,OAAO,KAAK;oBAChB;;AAEA,oBAAA,OAAOC,0BAAc,CAAC,GAAG,EAAE,GAAG,CAAC;AACnC,gBAAA,CAAC,CAAC;SACT;QAED,MAAM,MAAM,GAAQF,mCAAiB,CAAC,cAAc,EAAE,OAAc,CAAC;;AAGrE,QAAA,MAAM,aAAa,GACf,OAAO,WAAW,KAAK;AACnB,cAAE;AACF,cAAG,WAAmB,CAAC,OAAO;AAEtC,QAAA,IAAI,OAAO,aAAa,KAAK,UAAU,EAAE;AACrC,YAAA,MAAM,MAAM,GAAGG,aAAM,CAAC,WAAW,EAAE;AACnC,YAAA,MAAM,CAAC,KAAK,CACR,YAAY,EACZ,6DAA6D,CAChE;YACD,OAAO,CAAC,IAAS,EAAE,IAAS,EAAE,IAAS,KAAK,IAAI,EAAE;QACtD;AAEA,QAAA,OAAO,aAAa,CAAC,MAAM,CAAC;IAChC;AAEA;;AAEG;IACH,OAAO,IAAI,CACP,OAAA,GAA4C;AACxC,QAAA,SAAS,EAAE,MACP,kEAAkE;QACtE,oBAAoB,EAAE,CAAC,GAAQ,KAAK,GAAG,CAAC,OAAO,CAAC,EAAE;AACrD,KAAA,EAAA;AAED,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,UAAU,EAAE,2BAA2B;AACvC,YAAA,aAAa,EAAE;AACX,gBAAA,QAAQ,EAAE,IAAI;AACd,gBAAA,QAAQ,EAAE,QAAQ;AAClB,gBAAA,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;gBAC7C,MAAM,EAAE,OAAO;AAClB,aAAA;AACD,YAAA,IAAI,EAAE,EAAE;AACR,YAAA,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;AAC1C,YAAA,mBAAmB,EAAE,CAAC,GAAQ,KAAI;AAC9B,gBAAA,QACI,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;oBAC3B,GAAG,CAAC,IAAI,EAAE,KAAK;AACf,oBAAA,GAAG,CAAC,KAAK,EAAE,KAAK;YAExB,CAAC;SACJ;QAED,MAAM,MAAM,GAAQH,mCAAiB,CAAC,cAAc,EAAE,OAAc,CAAC;QAErE,MAAM,EAAE,oBAAoB,EAAE,GAAGI,mBAAU,CAAC,MAAa,CAAC;;AAG1D,QAAA,OAAO,oBAAoB;IAC/B;AAEA;;AAEG;AACH,IAAA,OAAO,GAAG,CAAC,OAAA,GAAqC,EAAE,EAAA;AAC9C,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,CAAC;SACpC;QAED,MAAM,MAAM,GAAQJ,mCAAiB,CAAC,cAAc,EAAE,OAAc,CAAC;AACrE,QAAA,OAAOK,qBAAG,CAAC,MAAM,CAAC;IACtB;AAEA;;AAEG;AACH,IAAA,OAAO,GAAG,CAAC,OAAA,GAAe,EAAE,EAAA;AACxB,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,SAAS,EAAE;AACP,gBAAA,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;AACpB,gBAAA,CAAC,EAAE,EAAE;AACL,gBAAA,CAAC,EAAE,EAAE;AACL,gBAAA,MAAM,EAAE,EAAE;AACV,gBAAA,EAAE,EAAE,EAAE;AACT,aAAA;SACJ;QAED,MAAM,MAAM,GAAQL,mCAAiB,CAAC,cAAc,EAAE,OAAc,CAAC;AAErE,QAAA,OAAO,CAAC,GAAQ,EAAE,IAAS,EAAE,IAAS,KAAI;;AAEtC,YAAA,IAAI,GAAG,CAAC,IAAI,EAAE;AACV,gBAAA,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC;YACpD;;AAGA,YAAA,IAAI,GAAG,CAAC,KAAK,EAAE;AACX,gBAAA,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC;YACtD;AAEA,YAAA,IAAI,EAAE;AACV,QAAA,CAAC;IACL;;IAGA,OAAO,MAAM,CAAC,QAAc,EAAA;AACxB,QAAA,MAAM,IAAI,KAAK,CACX,sHAAsH,CACzH;IACL;AAEA;;AAEG;AACH,IAAA,OAAO,WAAW,CAAC,OAAA,GAAe,EAAE,EAAA;;QAEhC,OAAO,IAAIM,yCAAoB,CAAC,OAAc,CAAC,CAAC,aAAa,EAAE;IACnE;AAEA;;AAEG;AACH,IAAA,OAAO,YAAY,CAAC,OAAA,GAAe,EAAE,EAAA;;QAEjC,OAAO,IAAIC,2CAAqB,CAAC,OAAc,CAAC,CAAC,aAAa,EAAE;IACpE;AAEA;;AAEG;AACH,IAAA,OAAO,UAAU,CAAC,OAAA,GAAe,EAAE,EAAA;;QAE/B,OAAO,IAAIC,uCAAmB,CAAC,OAAc,CAAC,CAAC,UAAU,EAAE;IAC/D;AAEA;;AAEG;IACH,OAAO,gBAAgB,CAAC,OAA+B,EAAA;AACnD,QAAA,MAAM,SAAS,GAAG,IAAIC,mDAAyB,CAAC,OAAc,CAAC;AAC/D,QAAA,OAAO,SAAS,CAAC,aAAa,EAAE;IACpC;AAEA;;AAEG;AACH,IAAA,OAAO,QAAQ,CAAC,OAAA,GAAmC,EAAE,EAAA;QACjD,OAAO;YACH,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YACnC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YAC7B,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,WAAW,CAAC;YAClD,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YAC7B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,gBAAgB,CAAC;SACpE;IACL;;AAGQ,IAAA,OAAO,cAAc,CAAC,GAAQ,EAAE,MAAW,EAAA;AAC/C,QAAA,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE;AACzB,YAAA,OAAO,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC;QAC3B;AAAO,aAAA,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;AAC3B,YAAA,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC/D;AAAO,aAAA,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE;YACvC,MAAM,SAAS,GAAQ,EAAE;AACzB,YAAA,KAAK,MAAM,GAAG,IAAI,GAAG,EAAE;AACnB,gBAAA,IAAI,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE;AACzB,oBAAA,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;gBAC1D;YACJ;AACA,YAAA,OAAO,SAAS;QACpB;AACA,QAAA,OAAO,GAAG;IACd;AACH;;;;"}
1
+ {"version":3,"file":"BuiltInMiddleware.js","sources":["../../../../../src/middleware/built-in/BuiltInMiddleware.ts"],"sourcesContent":[null],"names":["mergeWithDefaults","cors","shouldCompress","Logger","doubleCsrf","hpp","BrowserOnlyProtector","TerminalOnlyProtector","MobileOnlyProtector","RequestSignatureProtector"],"mappings":";;;;;;;;;;;;;;;AAAA;;;AAGG;MA4BU,iBAAiB,CAAA;AAC1B;;AAEG;AACH,IAAA,OAAO,MAAM,CAAC,OAAA,GAAwC,EAAE,EAAA;AACpD,QAAA,MAAM,cAAc,GAAiC;AACjD,YAAA,qBAAqB,EAAE;AACnB,gBAAA,UAAU,EAAE;oBACR,UAAU,EAAE,CAAC,QAAQ,CAAC;oBACtB,SAAS,EAAE,CAAC,QAAQ,CAAC;AACrB,oBAAA,QAAQ,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;AACvC,oBAAA,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC;oBAC3B,OAAO,EAAE,CAAC,QAAQ,CAAC;AACtB,iBAAA;AACJ,aAAA;AACD,YAAA,yBAAyB,EAAE,IAAI;AAC/B,YAAA,uBAAuB,EAAE,IAAI;AAC7B,YAAA,yBAAyB,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE;AACpD,YAAA,kBAAkB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;AACpC,YAAA,UAAU,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;AAC9B,YAAA,aAAa,EAAE,IAAI;AACnB,YAAA,IAAI,EAAE;AACF,gBAAA,MAAM,EAAE,QAAQ;AAChB,gBAAA,iBAAiB,EAAE,IAAI;AACvB,gBAAA,OAAO,EAAE,KAAK;AACjB,aAAA;AACD,YAAA,QAAQ,EAAE,IAAI;AACd,YAAA,OAAO,EAAE,IAAI;AACb,YAAA,kBAAkB,EAAE,IAAI;AACxB,YAAA,4BAA4B,EAAE,KAAK;AACnC,YAAA,cAAc,EAAE,EAAE,MAAM,EAAE,iCAAiC,EAAE;AAC7D,YAAA,SAAS,EAAE,IAAI;SAClB;;AAGD,QAAA,IAAI,YAAY,GAAQ,EAAE,GAAG,cAAc,EAAE;;AAG7C,QAAA,IAAI,OAAO,CAAC,qBAAqB,KAAK,SAAS,EAAE;AAC7C,YAAA,IAAI,OAAO,CAAC,qBAAqB,KAAK,KAAK,EAAE;;AAEzC,gBAAA,YAAY,CAAC,qBAAqB,GAAG,KAAK;YAC9C;AAAO,iBAAA,IACH,OAAO,OAAO,CAAC,qBAAqB,KAAK,QAAQ;AACjD,gBAAA,OAAO,CAAC,qBAAqB,KAAK,IAAI,EACxC;gBACE,YAAY,CAAC,qBAAqB,GAAG;oBACjC,GAAI,cAAc,CAAC,qBAA6B;oBAChD,GAAG,OAAO,CAAC,qBAAqB;iBACnC;;AAGD,gBAAA,IAAI,OAAO,CAAC,qBAAqB,CAAC,UAAU,EAAE;;oBAE1C,MAAM,wBAAwB,GAAQ,EAAE;AACxC,oBAAA,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CACrC,OAAO,CAAC,qBAAqB,CAAC,UAAU,CAC3C,EAAE;;wBAEC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,MAAM,KAChD,MAAM,CAAC,WAAW,EAAE,CACvB;AACD,wBAAA,wBAAwB,CAAC,QAAQ,CAAC,GAAG,KAAK;oBAC9C;AAEA,oBAAA,YAAY,CAAC,qBAAqB,CAAC,UAAU,GAAG;;wBAE5C,GAAI,cAAc,CAAC;AACf,8BAAE,UAAU;;AAEhB,wBAAA,GAAG,wBAAwB;qBAC9B;gBACL;YACJ;QACJ;;QAGA,MAAM,EAAE,qBAAqB,EAAE,GAAG,YAAY,EAAE,GAAG,OAAO;QAC1D,YAAY,GAAG,EAAE,GAAG,YAAY,EAAE,GAAG,YAAY,EAAE;AAEnD,QAAA,OAAO,MAAM,CAAC,YAAmB,CAAC;IACtC;AAEA;;;;;;;;;;AAUG;AACH,IAAA,OAAO,IAAI,CAAC,OAAA,GAAsC,EAAE,EAAA;AAChD,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,MAAM,EAAE,IAAI;AACZ,YAAA,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC;;;AAG1D,YAAA,WAAW,EAAE,KAAK;YAClB,MAAM,EAAE,KAAK;SAChB;;;;;;;QAQD,MAAM,MAAM,GAAQA,mCAAiB,CAAC,cAAc,EAAE,OAAc,CAAC;;;;;;QAOrE,MAAM,kBAAkB,GACpB,OAAO,IAAI,IAAI,IAAI,QAAQ,IAAK,OAAkB;QACtD,IAAI,MAAM,CAAC,WAAW,KAAK,IAAI,IAAI,CAAC,kBAAkB,EAAE;YACpD,MAAM,CAAC,MAAM,GAAG,CACZ,aAAiC,EACjC,QAA+D,KAC/D;AACA,gBAAA,QAAQ,CAAC,IAAI,EAAE,aAAa,IAAI,KAAK,CAAC;AAC1C,YAAA,CAAC;QACL;;;;AAMA,QAAA,MAAM,iBAAiB,GAAG,CAAC,KAAU,KAAwB;AACzD,YAAA,IAAI,CAAC,KAAK;AAAE,gBAAA,OAAO,SAAS;;YAG5B,IAAI,OAAO,KAAK,KAAK,QAAQ;AAAE,gBAAA,OAAO,KAAK;;AAG3C,YAAA,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;AACtB,gBAAA,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;YAC3B;;AAGA,YAAA,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;gBAC3B,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;AACxC,gBAAA,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;YACjC;AAEA,YAAA,OAAO,SAAS;AACpB,QAAA,CAAC;;AAGD,QAAA,IAAI,MAAM,CAAC,OAAO,EAAE;YAChB,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,OAAO,CAAC;YACpD,IAAI,UAAU,EAAE;AACZ,gBAAA,MAAM,CAAC,OAAO,GAAG,UAAU;YAC/B;QACJ;;AAGA,QAAA,IAAI,MAAM,CAAC,cAAc,EAAE;YACvB,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,cAAc,CAAC;YAC3D,IAAI,UAAU,EAAE;AACZ,gBAAA,MAAM,CAAC,cAAc,GAAG,UAAU;YACtC;QACJ;;AAGA,QAAA,IAAI,MAAM,CAAC,cAAc,EAAE;YACvB,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,cAAc,CAAC;YAC3D,IAAI,UAAU,EAAE;AACZ,gBAAA,MAAM,CAAC,cAAc,GAAG,UAAU;YACtC;QACJ;;QAGA,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE;YAC9B,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CACrC,CAAC,MAAW,KACR,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,YAAY,MAAM,CAC7D;AAED,YAAA,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE;gBACzB,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,4BAA4B,CAAC,YAAY,CAAC;YACnE;QACJ;AAEA,QAAA,OAAOC,uBAAI,CAAC,MAAM,CAAC;IACvB;AAEA;;AAEG;IACK,OAAO,4BAA4B,CAAC,OAA4B,EAAA;AAOpE,QAAA,OAAO,CACH,MAA0B,EAC1B,QAA+D,KAC/D;AACA,YAAA,IAAI;;gBAEA,IAAI,CAAC,MAAM,EAAE;AACT,oBAAA,OAAO,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;gBAChC;;AAGA,gBAAA,KAAK,MAAM,OAAO,IAAI,OAAO,EAAE;AAC3B,oBAAA,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;;wBAE7B,IAAI,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;;AAE3C,4BAAA,OAAO,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;wBACjC;oBACJ;AAAO,yBAAA,IAAI,OAAO,YAAY,MAAM,EAAE;;AAElC,wBAAA,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;AACtB,4BAAA,OAAO,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;wBACjC;oBACJ;gBACJ;;AAGA,gBAAA,OAAO,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;YAChC;YAAE,OAAO,KAAK,EAAE;;AAEZ,gBAAA,OAAO,QAAQ,CAAC,KAAc,EAAE,KAAK,CAAC;YAC1C;AACJ,QAAA,CAAC;IACL;AAEA;;AAEG;AACK,IAAA,OAAO,mBAAmB,CAC9B,MAAc,EACd,OAAe,EAAA;;AAGf,QAAA,IAAI,OAAO,KAAK,MAAM,EAAE;AACpB,YAAA,OAAO,IAAI;QACf;;AAGA,QAAA,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;;YAEvB,MAAM,YAAY,GAAG;AAChB,iBAAA,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC;AACrC,iBAAA,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAE1B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAA,CAAA,EAAI,YAAY,CAAA,CAAA,CAAG,CAAC;AAC7C,YAAA,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;QAC7B;AAEA,QAAA,OAAO,KAAK;IAChB;AAEA;;;AAGG;AACH;;AAEG;AACH,IAAA,OAAO,SAAS,CAAC,OAAA,GAAe,EAAE,EAAA;;;;AAI9B,QAAA,OAAO,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,KAAI;;;AAGrC,YAAA,IAAI,EAAE;AACV,QAAA,CAAC;IACL;AAEA;;AAEG;AACH,IAAA,OAAO,WAAW,CAAC,OAAA,GAAe,EAAE,EAAA;AAChC,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,KAAK,EAAE,CAAC;YACR,SAAS,EAAE,IAAI;YACf,MAAM,EACF,OAAO,CAAC,MAAM;AACd,iBAAC,CAAC,GAAQ,EAAE,GAAQ,KAAI;;AAEpB,oBAAA,IAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE;AACjC,wBAAA,OAAO,KAAK;oBAChB;;AAEA,oBAAA,OAAOC,0BAAc,CAAC,GAAG,EAAE,GAAG,CAAC;AACnC,gBAAA,CAAC,CAAC;SACT;QAED,MAAM,MAAM,GAAQF,mCAAiB,CAAC,cAAc,EAAE,OAAc,CAAC;;AAGrE,QAAA,MAAM,aAAa,GACf,OAAO,WAAW,KAAK;AACnB,cAAE;AACF,cAAG,WAAmB,CAAC,OAAO;AAEtC,QAAA,IAAI,OAAO,aAAa,KAAK,UAAU,EAAE;AACrC,YAAA,MAAM,MAAM,GAAGG,aAAM,CAAC,WAAW,EAAE;AACnC,YAAA,MAAM,CAAC,KAAK,CACR,YAAY,EACZ,6DAA6D,CAChE;YACD,OAAO,CAAC,IAAS,EAAE,IAAS,EAAE,IAAS,KAAK,IAAI,EAAE;QACtD;AAEA,QAAA,OAAO,aAAa,CAAC,MAAM,CAAC;IAChC;AAEA;;AAEG;AACH,IAAA,OAAO,IAAI,CAAC,OAAA,GAAe,EAAE,EAAA;AACzB,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,UAAU,EAAE,2BAA2B;AACvC,YAAA,aAAa,EAAE;AACX,gBAAA,QAAQ,EAAE,IAAI;AACd,gBAAA,QAAQ,EAAE,QAAQ;AAClB,gBAAA,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;gBAC7C,MAAM,EAAE,OAAO;AAClB,aAAA;AACD,YAAA,IAAI,EAAE,EAAE;AACR,YAAA,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;AAC1C,YAAA,mBAAmB,EAAE,CAAC,GAAQ,KAAI;AAC9B,gBAAA,QACI,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;oBAC3B,GAAG,CAAC,IAAI,EAAE,KAAK;AACf,oBAAA,GAAG,CAAC,KAAK,EAAE,KAAK;YAExB,CAAC;YACD,SAAS,EAAE,MAAK;AACZ,gBAAA,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC;YACnE,CAAC;AACD,YAAA,oBAAoB,EAAE,CAAC,GAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,EAAE,IAAI,WAAW;SACrE;QAED,MAAM,MAAM,GAAQH,mCAAiB,CAAC,cAAc,EAAE,OAAc,CAAC;QAErE,MAAM,EAAE,oBAAoB,EAAE,GAAGI,mBAAU,CAAC,MAAa,CAAC;;AAG1D,QAAA,OAAO,oBAAoB;IAC/B;AAEA;;AAEG;AACH,IAAA,OAAO,GAAG,CAAC,OAAA,GAAqC,EAAE,EAAA;AAC9C,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,CAAC;SACpC;QAED,MAAM,MAAM,GAAQJ,mCAAiB,CAAC,cAAc,EAAE,OAAc,CAAC;AACrE,QAAA,OAAOK,qBAAG,CAAC,MAAM,CAAC;IACtB;AAEA;;AAEG;AACH,IAAA,OAAO,GAAG,CAAC,OAAA,GAAe,EAAE,EAAA;AACxB,QAAA,MAAM,cAAc,GAAG;AACnB,YAAA,SAAS,EAAE;AACP,gBAAA,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;AACpB,gBAAA,CAAC,EAAE,EAAE;AACL,gBAAA,CAAC,EAAE,EAAE;AACL,gBAAA,MAAM,EAAE,EAAE;AACV,gBAAA,EAAE,EAAE,EAAE;AACT,aAAA;SACJ;QAED,MAAM,MAAM,GAAQL,mCAAiB,CAAC,cAAc,EAAE,OAAc,CAAC;AAErE,QAAA,OAAO,CAAC,GAAQ,EAAE,IAAS,EAAE,IAAS,KAAI;;AAEtC,YAAA,IAAI,GAAG,CAAC,IAAI,EAAE;AACV,gBAAA,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC;YACpD;;AAGA,YAAA,IAAI,GAAG,CAAC,KAAK,EAAE;AACX,gBAAA,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC;YACtD;AAEA,YAAA,IAAI,EAAE;AACV,QAAA,CAAC;IACL;;IAGA,OAAO,MAAM,CAAC,QAAc,EAAA;AACxB,QAAA,MAAM,IAAI,KAAK,CACX,sHAAsH,CACzH;IACL;AAEA;;AAEG;AACH,IAAA,OAAO,WAAW,CAAC,OAAA,GAAe,EAAE,EAAA;;QAEhC,OAAO,IAAIM,yCAAoB,CAAC,OAAc,CAAC,CAAC,aAAa,EAAE;IACnE;AAEA;;AAEG;AACH,IAAA,OAAO,YAAY,CAAC,OAAA,GAAe,EAAE,EAAA;;QAEjC,OAAO,IAAIC,2CAAqB,CAAC,OAAc,CAAC,CAAC,aAAa,EAAE;IACpE;AAEA;;AAEG;AACH,IAAA,OAAO,UAAU,CAAC,OAAA,GAAe,EAAE,EAAA;;QAE/B,OAAO,IAAIC,uCAAmB,CAAC,OAAc,CAAC,CAAC,UAAU,EAAE;IAC/D;AAEA;;AAEG;IACH,OAAO,gBAAgB,CAAC,OAA+B,EAAA;AACnD,QAAA,MAAM,SAAS,GAAG,IAAIC,mDAAyB,CAAC,OAAc,CAAC;AAC/D,QAAA,OAAO,SAAS,CAAC,aAAa,EAAE;IACpC;AAEA;;AAEG;AACH,IAAA,OAAO,QAAQ,CAAC,OAAA,GAAmC,EAAE,EAAA;QACjD,OAAO;YACH,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YACnC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YAC7B,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,WAAW,CAAC;YAClD,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YAC7B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,gBAAgB,CAAC;SACpE;IACL;;AAGQ,IAAA,OAAO,cAAc,CAAC,GAAQ,EAAE,MAAW,EAAA;AAC/C,QAAA,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE;AACzB,YAAA,OAAO,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC;QAC3B;AAAO,aAAA,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;AAC3B,YAAA,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC/D;AAAO,aAAA,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE;YACvC,MAAM,SAAS,GAAQ,EAAE;AACzB,YAAA,KAAK,MAAM,GAAG,IAAI,GAAG,EAAE;AACnB,gBAAA,IAAI,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE;AACzB,oBAAA,SAAS,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;gBAC1D;YACJ;AACA,YAAA,OAAO,SAAS;QACpB;AACA,QAAA,OAAO,GAAG;IACd;AACH;;;;"}
@@ -1,6 +1,5 @@
1
1
  'use strict';
2
2
 
3
- var xyprissSecurity = require('xypriss-security');
4
3
  var SQLInjectionDetector = require('./built-in/security/SQLInjectionDetector.js');
5
4
  var PathTraversalDetector = require('./built-in/security/PathTraversalDetector.js');
6
5
  var CommandInjectionDetector = require('./built-in/security/CommandInjectionDetector.js');
@@ -9,6 +8,7 @@ var LDAPInjectionDetector = require('./built-in/security/LDAPInjectionDetector.j
9
8
  var Logger = require('../shared/logger/Logger.js');
10
9
  var BuiltInMiddleware = require('./built-in/BuiltInMiddleware.js');
11
10
  var xss = require('xss');
11
+ var getSysApi = require('../plugins/const/getSysApi.js');
12
12
 
13
13
  /**
14
14
  * XyPriss Security Middleware
@@ -33,7 +33,11 @@ class SecurityMiddleware {
33
33
  this.level = config.level || "enhanced";
34
34
  this._ignore = config._ignore || [];
35
35
  this._ignoreAll = config._ignoreAll || [];
36
- this.csrf = config.csrf !== false ? config.csrf || true : false;
36
+ // console.log("config.csrf: ", config.csrf);
37
+ this.csrf =
38
+ typeof config.csrf === "boolean"
39
+ ? config.csrf
40
+ : (config.csrf ?? { enabled: true, secret: "" });
37
41
  this.helmet = config.helmet !== false ? config.helmet || true : false;
38
42
  this.xss = config.xss !== false ? config.xss || true : false;
39
43
  this.sqlInjection =
@@ -85,28 +89,6 @@ class SecurityMiddleware {
85
89
  keySize: 32,
86
90
  ...config.encryption,
87
91
  };
88
- this.authentication = {
89
- jwt: {
90
- secret: config.authentication?.jwt?.secret ||
91
- xyprissSecurity.Random.generateSecureToken(32).toString("hex"),
92
- expiresIn: config.authentication?.jwt?.expiresIn || "1h",
93
- algorithm: config.authentication?.jwt?.algorithm || "HS256",
94
- },
95
- session: {
96
- secret: config.authentication?.session?.secret ||
97
- xyprissSecurity.Random.generateSecureToken(32).toString("hex"),
98
- name: config.authentication?.session?.name ||
99
- "xypriss.nehonix.sid",
100
- cookie: {
101
- maxAge: 24 * 60 * 60 * 1000, // 24 hours
102
- secure: true,
103
- httpOnly: true,
104
- sameSite: "strict",
105
- ...config.authentication?.session?.cookie,
106
- },
107
- },
108
- ...config.authentication,
109
- };
110
92
  // Store route configuration
111
93
  this.routeConfig = config.routeConfig;
112
94
  // Initialize security detectors
@@ -283,16 +265,22 @@ class SecurityMiddleware {
283
265
  // CSRF protection using BuiltInMiddleware
284
266
  if (this.csrf) {
285
267
  this.logger.debug("security", "Initializing CSRF protection");
286
- const csrfConfig = typeof this.csrf === "object" ? this.csrf : {};
268
+ const csrfConfig = typeof this.csrf === "object" ? this.csrf : { secret: "" };
269
+ // Secret must be provided directly in the csrf config
270
+ const secret = csrfConfig.secret;
271
+ if (!secret) {
272
+ throw new Error("[XyPriss Security] CSRF protection is enabled but no secret was provided. Set 'security.csrf.secret' in your server config.");
273
+ }
287
274
  this.csrfMiddleware = BuiltInMiddleware.BuiltInMiddleware.csrf({
288
- getSecret: (req) => this.authentication.session?.secret ||
289
- "ac934dfcffc9e037b6921b6d4e874e788bfba7c5f48d17332ef92c9c67450000",
290
- getSessionIdentifier: (req) => req.session?.id,
275
+ getSecret: () => secret,
276
+ getSessionIdentifier: (req) => req.session?.id ||
277
+ req.headers["x-session-id"] ||
278
+ "anonymous",
291
279
  cookieName: csrfConfig.cookieName || "__Host-csrf-token",
292
280
  cookieOptions: {
293
281
  httpOnly: true,
294
282
  sameSite: "strict",
295
- secure: process.env.NODE_ENV === "production",
283
+ secure: getSysApi.getSysApi().__env__.isProduction(),
296
284
  maxAge: 24 * 60 * 60 * 1000, // 24 hours
297
285
  ...(csrfConfig.cookieOptions || {}),
298
286
  },
@@ -444,6 +432,7 @@ class SecurityMiddleware {
444
432
  const middleware = stack[index++];
445
433
  try {
446
434
  // Set a timeout to detect if middleware doesn't call next()
435
+ //@ts-ignore - NodeJS.Timeout
447
436
  let timeoutId = null;
448
437
  let middlewareCompleted = false;
449
438
  const middlewareNext = (err) => {
@@ -453,6 +442,21 @@ class SecurityMiddleware {
453
442
  if (timeoutId) {
454
443
  clearTimeout(timeoutId);
455
444
  }
445
+ // Intercept HTTP/CSRF errors passed via next(err)
446
+ if (err &&
447
+ (err.statusCode ||
448
+ err.status ||
449
+ err.code === "EBADCSRFTOKEN")) {
450
+ const statusCode = err.statusCode || err.status || 403;
451
+ this.logger.debug("security", `Security middleware rejected request (${statusCode}): ${err.message}`);
452
+ if (!res.headersSent) {
453
+ res.status(statusCode).json({
454
+ error: err.message || "Forbidden",
455
+ code: err.code || "SECURITY_BLOCKED",
456
+ });
457
+ }
458
+ return;
459
+ }
456
460
  this.logger.debug("security", `Middleware ${currentIndex + 1} completed`);
457
461
  next(err);
458
462
  };
@@ -475,6 +479,20 @@ class SecurityMiddleware {
475
479
  middleware(req, res, middlewareNext);
476
480
  }
477
481
  catch (error) {
482
+ // CSRF and other HTTP errors: respond directly instead of crashing
483
+ if (error?.statusCode ||
484
+ error?.status ||
485
+ error?.code === "EBADCSRFTOKEN") {
486
+ const statusCode = error.statusCode || error.status || 403;
487
+ this.logger.debug("security", `Security middleware rejected request (${statusCode}): ${error.message}`);
488
+ if (!res.headersSent) {
489
+ res.status(statusCode).json({
490
+ error: error.message || "Forbidden",
491
+ code: error.code || "SECURITY_BLOCKED",
492
+ });
493
+ }
494
+ return;
495
+ }
478
496
  this.logger.debug("security", `Exception in middleware at index ${currentIndex}:`, error);
479
497
  finalNext(error);
480
498
  }
@@ -751,56 +769,57 @@ class SecurityMiddleware {
751
769
  }
752
770
  return null;
753
771
  }
754
- /**
755
- * Check if browser-only protection is enabled
756
- */
757
- isBrowserOnlyEnabled() {
758
- if (this.browserOnly === true)
759
- return true;
760
- if (typeof this.browserOnly === "object" && this.browserOnly !== null) {
761
- return this.browserOnly.enable !== false; // Default to true when config provided
762
- }
763
- return false;
764
- }
765
- /**
766
- * Check if terminal-only protection is enabled
767
- */
768
- isTerminalOnlyEnabled() {
769
- if (this.terminalOnly === true)
770
- return true;
771
- if (typeof this.terminalOnly === "object" &&
772
- this.terminalOnly !== null) {
773
- return this.terminalOnly.enable !== false; // Default to true when config provided
774
- }
775
- return false;
776
- }
777
- /**
778
- * Check if mobile-only protection is enabled
779
- */
780
- isMobileOnlyEnabled() {
781
- if (this.mobileOnly === true)
782
- return true;
783
- if (typeof this.mobileOnly === "object" && this.mobileOnly !== null) {
784
- return this.mobileOnly.enable !== false; // Check enable property, default to true when config provided
785
- }
786
- return false;
787
- }
788
- /**
789
- * Validate device access configuration
790
- */
791
- validateDeviceAccessConfig() {
792
- // Check enabled device access controls
793
- const browserEnabled = this.isBrowserOnlyEnabled();
794
- const terminalEnabled = this.isTerminalOnlyEnabled();
795
- const mobileEnabled = this.isMobileOnlyEnabled();
796
- // Terminal-only cannot be combined with browser-only or mobile-only
797
- if (terminalEnabled && (browserEnabled || mobileEnabled)) {
798
- throw new Error("Security configuration error: terminalOnly cannot be enabled simultaneously with browserOnly or mobileOnly. " +
799
- "Choose terminalOnly alone, or browserOnly and/or mobileOnly.");
800
- }
801
- // Browser-only and mobile-only can be enabled together (they will be applied based on request characteristics)
802
- // No other restrictions needed
803
- }
772
+ // /**
773
+ // * Check if browser-only protection is enabled
774
+ // */
775
+ // private isBrowserOnlyEnabled(): boolean {
776
+ // if (this.browserOnly === true) return true;
777
+ // if (typeof this.browserOnly === "object" && this.browserOnly !== null) {
778
+ // return this.browserOnly.enable !== false; // Default to true when config provided
779
+ // }
780
+ // return false;
781
+ // }
782
+ // /**
783
+ // * Check if terminal-only protection is enabled
784
+ // */
785
+ // private isTerminalOnlyEnabled(): boolean {
786
+ // if (this.terminalOnly === true) return true;
787
+ // if (
788
+ // typeof this.terminalOnly === "object" &&
789
+ // this.terminalOnly !== null
790
+ // ) {
791
+ // return this.terminalOnly.enable !== false; // Default to true when config provided
792
+ // }
793
+ // return false;
794
+ // }
795
+ // /**
796
+ // * Check if mobile-only protection is enabled
797
+ // */
798
+ // private isMobileOnlyEnabled(): boolean {
799
+ // if (this.mobileOnly === true) return true;
800
+ // if (typeof this.mobileOnly === "object" && this.mobileOnly !== null) {
801
+ // return this.mobileOnly.enable !== false; // Check enable property, default to true when config provided
802
+ // }
803
+ // return false;
804
+ // }
805
+ // /**
806
+ // * Validate device access configuration
807
+ // */
808
+ // private validateDeviceAccessConfig(): void {
809
+ // // Check enabled device access controls
810
+ // const browserEnabled = this.isBrowserOnlyEnabled();
811
+ // const terminalEnabled = this.isTerminalOnlyEnabled();
812
+ // const mobileEnabled = this.isMobileOnlyEnabled();
813
+ // // Terminal-only cannot be combined with browser-only or mobile-only
814
+ // if (terminalEnabled && (browserEnabled || mobileEnabled)) {
815
+ // throw new Error(
816
+ // "Security configuration error: terminalOnly cannot be enabled simultaneously with browserOnly or mobileOnly. " +
817
+ // "Choose terminalOnly alone, or browserOnly and/or mobileOnly.",
818
+ // );
819
+ // }
820
+ // // Browser-only and mobile-only can be enabled together (they will be applied based on request characteristics)
821
+ // // No other restrictions needed
822
+ // }
804
823
  /**
805
824
  * Get security configuration
806
825
  */
@@ -826,7 +845,6 @@ class SecurityMiddleware {
826
845
  mongoSanitize: this.mongoSanitize,
827
846
  slowDown: this.slowDown,
828
847
  encryption: this.encryption,
829
- authentication: this.authentication,
830
848
  routeConfig: this.routeConfig,
831
849
  _ignore: this._ignore,
832
850
  _ignoreAll: this._ignoreAll,