@cosmstack/blackshield
Version:
A developer-first security toolkit for React/Next.js applications
104 lines (97 loc) • 3.69 kB
text/typescript
import { z } from 'zod';
import { NextRequest, NextResponse } from 'next/server';
interface SecureUser {
id: string;
email?: string;
roles?: string[];
permissions?: string[];
metadata?: Record<string, unknown>;
}
interface ServerInputValidation<T = unknown> {
data: T;
errors: Record<string, string[]>;
isValid: boolean;
}
interface CsrfToken {
token: string;
expiresAt: number;
}
interface CsrfConfig {
tokenHeader?: string;
tokenCookie?: string;
tokenExpiry?: number;
}
declare function validateServerInput<T>(schema: z.ZodSchema<T>, input: unknown): ServerInputValidation<T>;
declare function createServerValidator<T>(schema: z.ZodSchema<T>): (input: unknown) => ServerInputValidation<T>;
declare const commonSchemas: {
email: z.ZodString;
password: z.ZodString;
id: z.ZodString;
slug: z.ZodString;
url: z.ZodString;
safeString: z.ZodString;
};
interface SecureCookieOptions {
maxAge?: number;
httpOnly?: boolean;
secure?: boolean;
sameSite?: 'strict' | 'lax' | 'none';
path?: string;
}
declare function createSignedCookie(name: string, value: unknown, options?: SecureCookieOptions): Promise<void>;
declare function readSecureCookie<T = unknown>(name: string): Promise<T | null>;
declare function deleteSecureCookie(name: string): Promise<void>;
/**
* Generate a new CSRF token
*/
declare function generateCsrfToken(config?: Partial<CsrfConfig>): Promise<CsrfToken>;
/**
* Verify a CSRF token
*/
declare function verifyCsrfToken(token: string): Promise<boolean>;
/**
* Set CSRF token in cookie
*/
declare function setCsrfTokenCookie(config?: Partial<CsrfConfig>): Promise<string>;
/**
* Validate CSRF token from request
*/
declare function validateCsrfToken(req: NextRequest, config?: Partial<CsrfConfig>): Promise<boolean>;
/**
* CSRF middleware for API routes
*/
declare function csrfMiddleware(config?: Partial<CsrfConfig>): (req: NextRequest) => Promise<Response | null>;
interface ProtectOptions {
/** Require authentication */
requireAuth?: boolean;
/** Required user roles */
roles?: string[];
/** Required permissions */
permissions?: string[];
/** CSRF protection configuration */
csrf?: boolean | Partial<CsrfConfig>;
/** Rate limiting configuration */
rateLimit?: {
/** Maximum requests per window */
max: number;
/** Time window in seconds */
windowSeconds: number;
/** Custom key generator */
keyGenerator?: (req: NextRequest) => string;
};
/** Input validation schema */
schemaValidation?: z.ZodSchema;
/** Custom authorization function */
customAuth?: (user: SecureUser | null, req: NextRequest) => boolean | Promise<boolean>;
}
interface ProtectedContext {
user: SecureUser | null;
validatedInput?: unknown;
}
type ProtectedHandler<T = unknown> = (req: NextRequest, context: ProtectedContext, params?: T) => Promise<NextResponse> | NextResponse;
declare function protect<T = unknown>(handler: ProtectedHandler<T>, options?: ProtectOptions): (req: NextRequest, params?: T) => Promise<NextResponse>;
declare function protectServerAction<T extends unknown[], R>(action: (...args: T) => Promise<R>, options?: Omit<ProtectOptions, 'rateLimit'>): (...args: T) => Promise<R | {
error: string;
status: number;
}>;
export { type ProtectOptions, type SecureCookieOptions, type ServerInputValidation, commonSchemas, createServerValidator, createSignedCookie, csrfMiddleware, deleteSecureCookie, generateCsrfToken, protect, protectServerAction, readSecureCookie, setCsrfTokenCookie, validateCsrfToken, validateServerInput, verifyCsrfToken };