UNPKG

hono

Version:

Web framework built on Web Standards

hono.dev

honojs/hono

59 lines (58 loc) 2.16 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
"use strict"; var __defProp = Object.defineProperty; var __getOwnPropDesc = Object.getOwnPropertyDescriptor; var __getOwnPropNames = Object.getOwnPropertyNames; var __hasOwnProp = Object.prototype.hasOwnProperty; var __export = (target, all) => { for (var name in all) __defProp(target, name, { get: all[name], enumerable: true }); }; var __copyProps = (to, from, except, desc) => { if (from && typeof from === "object" || typeof from === "function") { for (let key of __getOwnPropNames(from)) if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable }); } return to; }; var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod); var csrf_exports = {}; __export(csrf_exports, { csrf: () => csrf }); module.exports = __toCommonJS(csrf_exports); var import_http_exception = require("../../http-exception"); const isSafeMethodRe = /^(GET|HEAD)$/; const isRequestedByFormElementRe = /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i; const csrf = (options) => { const handler = ((optsOrigin) => { if (!optsOrigin) { return (origin, c) => origin === new URL(c.req.url).origin; } else if (typeof optsOrigin === "string") { return (origin) => origin === optsOrigin; } else if (typeof optsOrigin === "function") { return optsOrigin; } else { return (origin) => optsOrigin.includes(origin); } })(options?.origin); const isAllowedOrigin = (origin, c) => { if (origin === void 0) { return false; } return handler(origin, c); }; return async function csrf2(c, next) { if (!isSafeMethodRe.test(c.req.method) && isRequestedByFormElementRe.test(c.req.header("content-type") || "") && !isAllowedOrigin(c.req.header("origin"), c)) { const res = new Response("Forbidden", { status: 403 }); throw new import_http_exception.HTTPException(403, { res }); } await next(); }; }; // Annotate the CommonJS export names for ESM import in node: 0 && (module.exports = { csrf });