UNPKG

@voilajsx/appkit

Version:

Minimal and framework agnostic Node.js toolkit designed for AI agentic backend development

github.com/voilajsx/appkit

voilajsx/appkit

138 lines 5.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
/** * Core security class with CSRF, rate limiting, sanitization, and encryption * @module @voilajsx/appkit/security * @file src/security/security.ts * * @llm-rule WHEN: Building apps that need security protection (CSRF, rate limiting, input sanitization, encryption) * @llm-rule AVOID: Using directly - always get instance via securityClass.get() * @llm-rule NOTE: Provides enterprise-grade security with CSRF tokens, rate limiting, XSS prevention, and AES-256-GCM encryption */ import type { SecurityConfig } from './defaults.js'; export interface ExpressRequest { method: string; session?: any; body?: any; headers?: Record<string, string | string[] | undefined>; query?: any; ip?: string; connection?: { remoteAddress?: string; }; csrfToken?: () => string; [key: string]: any; } export interface ExpressResponse { setHeader?: (name: string, value: string | number) => void; [key: string]: any; } export interface ExpressNextFunction { (error?: any): void; } export type ExpressMiddleware = (req: ExpressRequest, res: ExpressResponse, next: ExpressNextFunction) => void; export interface CSRFOptions { secret?: string; tokenField?: string; headerField?: string; expiryMinutes?: number; } export interface RateLimitOptions { maxRequests?: number; windowMs?: number; message?: string; keyGenerator?: (req: ExpressRequest) => string; } export interface InputOptions { maxLength?: number; trim?: boolean; removeXSS?: boolean; } export interface HTMLOptions { allowedTags?: string[]; stripAllTags?: boolean; } /** * Security class with enterprise-grade protection functionality */ export declare class SecurityClass { config: SecurityConfig; private requestStore; private cleanupInitialized; constructor(config: SecurityConfig); /** * Creates CSRF protection middleware for forms and AJAX requests * @llm-rule WHEN: Protecting forms and state-changing requests from CSRF attacks * @llm-rule AVOID: Using without session middleware - CSRF requires sessions for token storage * @llm-rule NOTE: Automatically validates tokens on POST/PUT/DELETE/PATCH requests, adds req.csrfToken() method */ forms(options?: CSRFOptions): ExpressMiddleware; /** * Creates rate limiting middleware with configurable limits and windows * @llm-rule WHEN: Protecting endpoints from abuse and brute force attacks * @llm-rule AVOID: Using same limits for all endpoints - auth should have stricter limits than API * @llm-rule NOTE: Uses in-memory storage with automatic cleanup, sets standard rate limit headers */ requests(maxRequests?: number, windowMs?: number, options?: RateLimitOptions): ExpressMiddleware; /** * Cleans text input with XSS prevention and length limiting * @llm-rule WHEN: Processing any user text input before storage or display * @llm-rule AVOID: Storing raw user input - always clean to prevent XSS attacks * @llm-rule NOTE: Removes dangerous patterns like <script>, javascript:, event handlers */ input(text: any, options?: InputOptions): string; /** * Cleans HTML content allowing only specified safe tags * @llm-rule WHEN: Processing user HTML content like rich text editor input * @llm-rule AVOID: Allowing all HTML tags - only whitelist safe formatting tags * @llm-rule NOTE: Removes script, iframe, object tags and dangerous attributes like onclick */ html(html: any, options?: HTMLOptions): string; /** * Escapes HTML special characters for safe display in HTML content * @llm-rule WHEN: Displaying user text content in HTML without allowing any HTML tags * @llm-rule AVOID: Direct interpolation of user content in HTML - always escape first * @llm-rule NOTE: Converts &, <, >, quotes to HTML entities for safe display */ escape(text: any): string; /** * Encrypts sensitive data using AES-256-GCM with authentication * @llm-rule WHEN: Storing sensitive data like SSNs, credit cards, personal info * @llm-rule AVOID: Storing sensitive data in plain text - always encrypt before database storage * @llm-rule NOTE: Uses random IV per encryption, includes authentication tag to prevent tampering */ encrypt(data: string | Buffer, key?: string | Buffer, associatedData?: Buffer): string; /** * Decrypts previously encrypted data with authentication verification * @llm-rule WHEN: Retrieving sensitive data that was encrypted with encrypt() method * @llm-rule AVOID: Using with data not encrypted by this module - will fail authentication * @llm-rule NOTE: Automatically verifies authentication tag to detect tampering */ decrypt(encryptedData: string, key?: string | Buffer, associatedData?: Buffer): string; /** * Generates a cryptographically secure 256-bit encryption key * @llm-rule WHEN: Setting up encryption for the first time or rotating keys * @llm-rule AVOID: Using weak or predictable keys - always use this method for key generation * @llm-rule NOTE: Returns 64-character hex string suitable for VOILA_SECURITY_ENCRYPTION_KEY */ generateKey(): string; /** * Generates a cryptographically secure CSRF token */ private generateCSRFToken; /** * Verifies CSRF token using timing-safe comparison */ private verifyCSRFToken; /** * Gets unique identifier for the client */ private getClientKey; /** * Initializes cleanup interval for memory management */ private initializeCleanup; /** * Validates encryption key format and length */ private validateEncryptionKey; } //# sourceMappingURL=security.d.ts.map