
next-armored

{"version":3,"sources":["../middlewares/cross-origin-resource-sharing/index.ts","../middlewares/cross-origin-resource-sharing/middleware.ts","../middlewares/cross-origin-resource-sharing/config.ts","../index.ts"],"sourcesContent":["import createCorsMiddleware from './middleware';\nimport type { CorsConfig } from './config';\nimport { DEFAULT_CORS_CONFIG } from './config';\n\nexport default createCorsMiddleware;\n\nexport { DEFAULT_CORS_CONFIG, type CorsConfig, createCorsMiddleware };\n","import { NextResponse, NextFetchEvent, NextRequest } from 'next/server';\nimport type { NextMiddleware } from 'next/server';\nimport type { CorsConfig, Method, Origin } from './config';\nimport { DEFAULT_CORS_CONFIG } from './config';\nimport type { NextMiddlewareResult } from 'next/dist/server/web/types';\n\nconst ACCESS_CONTROL_ALLOW_ORIGIN = 'Access-Control-Allow-Origin';\nconst ACCESS_CONTROL_ALLOW_CREDENTIALS = 'Access-Control-Allow-Credentials';\nconst ACCESS_CONTROL_ALLOW_METHODS = 'Access-Control-Allow-Methods';\nconst ACCESS_CONTROL_ALLOW_HEADERS = 'Access-Control-Allow-Headers';\nconst ACCESS_CONTROL_EXPOSE_HEADERS = 'Access-Control-Expose-Headers';\nconst ACCESS_CONTROL_MAX_AGE = 'Access-Control-Max-Age';\n\ntype NextCorsMiddleware = (request: NextRequest) => NextMiddlewareResult;\n\ninterface Header {\n key: string;\n value: string;\n}\n\n/**\n * @description\n * @param config\n * @returns\n */\nconst createCorsMiddleware = ({\n origins,\n methods = DEFAULT_CORS_CONFIG.methods,\n headers = DEFAULT_CORS_CONFIG.headers,\n allowCredentials = DEFAULT_CORS_CONFIG.allowCredentials,\n exposedHeaders = DEFAULT_CORS_CONFIG.exposedHeaders,\n maxAge = DEFAULT_CORS_CONFIG.maxAge,\n optionsSuccessStatus = DEFAULT_CORS_CONFIG.optionsSuccessStatus,\n preflightContinue = DEFAULT_CORS_CONFIG.preflightContinue,\n}: CorsConfig): NextCorsMiddleware => {\n console.log('createCorsMiddleware');\n // const configWithDefaults = { ...DEFAULT_CORS_CONFIG, ...config };\n // const {\n // origins,\n 
// methods,\n // headers,\n // allowCredentials,\n // exposedHeaders,\n // maxAge,\n // optionsSuccessStatus,\n // preflightContinue,\n // } = configWithDefaults;\n\n const corsOptions = {\n ACCESS_CONTROL_ALLOW_METHODS: methods.join(', '),\n ACCESS_CONTROL_ALLOW_HEADERS: headers.join(', '),\n ACCESS_CONTROL_ALLOW_CREDENTIALS: allowCredentials ? 'true' : 'false',\n ...(exposedHeaders.length > 0\n ? { ACCESS_CONTROL_EXPOSE_HEADERS: exposedHeaders.join(', ') }\n : {}),\n ...(maxAge ? { ACCESS_CONTROL_MAX_AGE: maxAge.toString() } : {}),\n };\n\n function configureMaxAge(maxAge: number): Header {\n return {\n key: ACCESS_CONTROL_MAX_AGE,\n value: maxAge.toString(),\n };\n }\n\n function configureExposedHeaders(exposedHeaders: string[]): Header {\n return {\n key: ACCESS_CONTROL_EXPOSE_HEADERS,\n value: exposedHeaders.join(', '),\n };\n }\n\n function configureAllowCredentials(allowCredentials: boolean): Header {\n return {\n key: ACCESS_CONTROL_ALLOW_CREDENTIALS,\n value: allowCredentials ? 
'true' : 'false',\n };\n }\n\n function configureAllowMethods(methods: Method[]): Header {\n return {\n key: ACCESS_CONTROL_ALLOW_METHODS,\n value: methods.join(', '),\n };\n }\n\n function configureAllowHeaders(headers: string[]): Header {\n return {\n key: ACCESS_CONTROL_ALLOW_HEADERS,\n value: headers.join(', '),\n };\n }\n\n function configureAllowOrigin(origin: string): Header {\n return {\n key: ACCESS_CONTROL_ALLOW_ORIGIN,\n value: origin,\n };\n }\n\n type IsOriginAllowedResult =\n | {\n result: false;\n }\n | {\n result: true;\n origin: string;\n };\n\n function getIsOriginAllowed(\n origin: string,\n allowedOrigins: Origin[],\n ): IsOriginAllowedResult {\n console.log('getIsOriginAllowed', origin, allowedOrigins);\n if (allowedOrigins.length === 0) {\n return { result: false };\n }\n // if contains '*', allow all origins\n if (allowedOrigins.includes('*')) {\n return { result: true, origin };\n }\n // if (allowedOrigins.length === 1) {\n // return { result: allowedOrigins[0] === origin, origin: '' };\n // }\n // allowedOrigins.forEach(allowedOrigin => {\n // if (typeof allowedOrigin === 'string') {\n // if (allowedOrigin === origin) {\n // return { result: true, origin };\n // }\n // } else if (allowedOrigin instanceof RegExp) {\n // if (allowedOrigin.test(origin)) {\n // return { result: true, origin };\n // }\n // }\n // });\n for (const allowedOrigin of allowedOrigins) {\n if (typeof allowedOrigin === 'string' && allowedOrigin === origin) {\n return { result: true, origin };\n }\n if (allowedOrigin instanceof RegExp && allowedOrigin.test(origin)) {\n return { result: true, origin };\n }\n }\n\n return { result: false };\n }\n\n const middleware = (request: NextRequest) => {\n const origin = request.headers.get('origin') ?? 
'';\n const isOriginAllowed = getIsOriginAllowed(origin, origins);\n console.log('isOriginAllowed', isOriginAllowed);\n const optionsHeaders: Header[] = [];\n optionsHeaders.push(configureMaxAge(maxAge));\n optionsHeaders.push(configureExposedHeaders(exposedHeaders as string[]));\n optionsHeaders.push(configureAllowCredentials(allowCredentials));\n optionsHeaders.push(configureAllowMethods(methods as Method[]));\n optionsHeaders.push(configureAllowHeaders(headers as string[]));\n\n if (isOriginAllowed.result) {\n optionsHeaders.push(configureAllowOrigin(isOriginAllowed.origin));\n }\n\n const isPreflight = request.method === 'OPTIONS';\n\n if (isPreflight) {\n // const preflightHeaders = {\n // ...(isOriginAllowed && { 'Access-Control-Allow-Origin': origin }),\n // ...corsOptions,\n // };\n if (preflightContinue) {\n const response = NextResponse.next();\n optionsHeaders.forEach(({ key, value }) => {\n response.headers.set(key, value);\n });\n return response;\n }\n return NextResponse.json(\n {},\n {\n headers: optionsHeaders.map(header => [header.key, header.value]),\n status: optionsSuccessStatus,\n },\n );\n }\n\n const response = NextResponse.next();\n\n // Object.entries(corsOptions).forEach(([key, value]) => {\n // response.headers.set(key, value);\n // });\n optionsHeaders.forEach(({ key, value }) => {\n response.headers.set(key, value);\n });\n\n return response;\n };\n\n return middleware;\n};\n\nexport default createCorsMiddleware;\n","export type Method = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'OPTIONS';\nexport type Origin = string | RegExp;\n\nexport type CorsConfig = {\n origins: Origin[];\n methods?: Method[];\n headers?: string[];\n allowCredentials?: boolean;\n exposedHeaders?: string[];\n maxAge?: number;\n preflightContinue?: boolean;\n optionsSuccessStatus?: number;\n};\n\ntype CorsConfigDefaults = {\n origins: undefined;\n methods: Method[];\n headers: string[];\n allowCredentials: boolean;\n exposedHeaders: string[];\n 
preflightContinue: boolean;\n maxAge: number;\n optionsSuccessStatus: number;\n};\n\n/**\n * @default origins is undefined; you must specify it explicitly so that a '*' wildcard is never applied by accident. With '*' this middleware echoes the request's Origin in Access-Control-Allow-Origin, and allowCredentials defaults to true, so every origin would be allowed to send credentialed requests and read the responses\n * @default methods is ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS']\n * @default headers is ['Content-Type', 'Authorization']\n * @default allowCredentials is true\n * @default preflightContinue is false\n * @default optionsSuccessStatus is 204\n * @default exposedHeaders is []\n * @default maxAge is 5 seconds\n */\nexport const DEFAULT_CORS_CONFIG: CorsConfigDefaults = {\n origins: undefined, // Required -> DO NOT USE * by default\n methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],\n headers: ['Content-Type', 'Authorization'],\n allowCredentials: true,\n preflightContinue: false,\n optionsSuccessStatus: 204,\n exposedHeaders: [],\n maxAge: 5, // 5 seconds is the default value, 86400 seconds is often used\n};\n","import { createCorsMiddleware } from './middlewares/cross-origin-resource-sharing';\n\nexport { createCorsMiddleware
};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,QAAA,wCAAA,CAAA;AAAA,IAAAA,UAAA,uCAAA;MAAA,qBAAA,MAAA;MAAA,sBAAA,MAAA;MAAA,SAAA,MAAA;IAAA,CAAA;AAAA,IAAAC,QAAA,UAAAC,cAAA,qCAAA;ACAA,QAAA,gBAA0D,QAAA,aAAA;ACmCnD,QAAM,sBAA0C;MACrD,SAAS;;MACT,SAAS,CAAC,OAAO,QAAQ,OAAO,UAAU,SAAS,SAAS;MAC5D,SAAS,CAAC,gBAAgB,eAAe;MACzC,kBAAkB;MAClB,mBAAmB;MACnB,sBAAsB;MACtB,gBAAgB,CAAC;MACjB,QAAQ;;IACV;ADtCA,QAAM,8BAA8B;AACpC,QAAM,mCAAmC;AACzC,QAAM,+BAA+B;AACrC,QAAM,+BAA+B;AACrC,QAAM,gCAAgC;AACtC,QAAM,yBAAyB;AAc/B,QAAMC,wBAAuB,CAAC;MAC5B;MACA,UAAU,oBAAoB;MAC9B,UAAU,oBAAoB;MAC9B,mBAAmB,oBAAoB;MACvC,iBAAiB,oBAAoB;MACrC,SAAS,oBAAoB;MAC7B,uBAAuB,oBAAoB;MAC3C,oBAAoB,oBAAoB;IAC1C,MAAsC;AACpC,cAAQ,IAAI,sBAAsB;AAalC,YAAM,cAAc;QAClB,8BAA8B,QAAQ,KAAK,IAAI;QAC/C,8BAA8B,QAAQ,KAAK,IAAI;QAC/C,kCAAkC,mBAAmB,SAAS;QAC9D,GAAI,eAAe,SAAS,IACxB,EAAE,+BAA+B,eAAe,KAAK,IAAI,EAAE,IAC3D,CAAC;QACL,GAAI,SAAS,EAAE,wBAAwB,OAAO,SAAS,EAAE,IAAI,CAAC;MAChE;AAEA,eAAS,gBAAgBC,SAAwB;AAC/C,eAAO;UACL,KAAK;UACL,OAAOA,QAAO,SAAS;QACzB;MACF;AAEA,eAAS,wBAAwBC,iBAAkC;AACjE,eAAO;UACL,KAAK;UACL,OAAOA,gBAAe,KAAK,IAAI;QACjC;MACF;AAEA,eAAS,0BAA0BC,mBAAmC;AACpE,eAAO;UACL,KAAK;UACL,OAAOA,oBAAmB,SAAS;QACrC;MACF;AAEA,eAAS,sBAAsBC,UAA2B;AACxD,eAAO;UACL,KAAK;UACL,OAAOA,SAAQ,KAAK,IAAI;QAC1B;MACF;AAEA,eAAS,sBAAsBC,UAA2B;AACxD,eAAO;UACL,KAAK;UACL,OAAOA,SAAQ,KAAK,IAAI;QAC1B;MACF;AAEA,eAAS,qBAAqB,QAAwB;AACpD,eAAO;UACL,KAAK;UACL,OAAO;QACT;MACF;AAWA,eAAS,mBACP,QACA,gBACuB;AACvB,gBAAQ,IAAI,sBAAsB,QAAQ,cAAc;AACxD,YAAI,eAAe,WAAW,GAAG;AAC/B,iBAAO,EAAE,QAAQ,MAAM;QACzB;AAEA,YAAI,eAAe,SAAS,GAAG,GAAG;AAChC,iBAAO,EAAE,QAAQ,MAAM,OAAO;QAChC;AAeA,mBAAW,iBAAiB,gBAAgB;AAC1C,cAAI,OAAO,kBAAkB,YAAY,kBAAkB,QAAQ;AACjE,mBAAO,EAAE,QAAQ,MAAM,OAAO;UAChC;AACA,cAAI,yBAAyB,UAAU,cAAc,KAAK,MAAM,GAAG;AACjE,mBAAO,EAAE,QAAQ,MAAM,OAAO;UAChC;QACF;AAEA,eAAO,EAAE,QAAQ,MAAM;MACzB;AAEA,YAAM,aAAa,CAAC,YAAyB;AAC3C,cAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ,KAAK;AAChD,cAAM,kBAAkB,mBAAmB,QAAQ,OAAO;AAC1D,gBAAQ,IAAI,mBAAmB,eAAe;AAC9C,cAAM,iBAA2B,CAAC;AAClC,uBAAe,KAAK,gBAAgB,MAAM
,CAAC;AAC3C,uBAAe,KAAK,wBAAwB,cAA0B,CAAC;AACvE,uBAAe,KAAK,0BAA0B,gBAAgB,CAAC;AAC/D,uBAAe,KAAK,sBAAsB,OAAmB,CAAC;AAC9D,uBAAe,KAAK,sBAAsB,OAAmB,CAAC;AAE9D,YAAI,gBAAgB,QAAQ;AAC1B,yBAAe,KAAK,qBAAqB,gBAAgB,MAAM,CAAC;QAClE;AAEA,cAAM,cAAc,QAAQ,WAAW;AAEvC,YAAI,aAAa;AAKf,cAAI,mBAAmB;AACrB,kBAAMC,YAAW,cAAA,aAAa,KAAK;AACnC,2BAAe,QAAQ,CAAC,EAAE,KAAK,MAAM,MAAM;AACzCA,wBAAS,QAAQ,IAAI,KAAK,KAAK;YACjC,CAAC;AACD,mBAAOA;UACT;AACA,iBAAO,cAAA,aAAa;YAClB,CAAC;YACD;cACE,SAAS,eAAe,IAAI,CAAA,WAAU,CAAC,OAAO,KAAK,OAAO,KAAK,CAAC;cAChE,QAAQ;YACV;UACF;QACF;AAEA,cAAM,WAAW,cAAA,aAAa,KAAK;AAKnC,uBAAe,QAAQ,CAAC,EAAE,KAAK,MAAM,MAAM;AACzC,mBAAS,QAAQ,IAAI,KAAK,KAAK;QACjC,CAAC;AAED,eAAO;MACT;AAEA,aAAO;IACT;AAEA,QAAO,qBAAQN;ADpMf,QAAO,wCAAQ;;;;;AGJf;AAAA;AAAA;AAAA;AAAA;AAAA,2CAAqC;","names":["__export","module","__toCommonJS","createCorsMiddleware","maxAge","exposedHeaders","allowCredentials","methods","headers","response"]}