
nsgm-cli


A CLI tool to run a Next.js / styled-components and GraphQL / MySQL full-stack project

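"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.createCSPMiddleware = exports.securityMiddleware = exports.getCSRFToken = exports.csrfProtection = void 0;
const lusca_1 = __importDefault(require("lusca"));

// Shared lusca configuration: CSRF, Content-Security-Policy and the remaining
// security headers. Consumed by the middlewares exported from this module.
const luscaConfig = {
    // CSRF protection (double-submit: token in the `_csrf` cookie, echoed back in a header).
    csrf: {
        header: "x-csrf-token", // request header the token is read from
        cookie: "_csrf",        // lusca mirrors the token into a cookie of this name
        key: "csrf",            // name under which lusca exposes the token (res.locals)
        // NOTE(review): in lusca the `secret` option is the *session property name* under which
        // the server-side CSRF secret is stored (default "_csrfSecret"), not a signing key — verify
        // against the installed lusca version. Should it ever be used as key material (e.g. via a
        // custom `impl`), this published fallback string must never reach production; deployments
        // should always set CSRF_SECRET.
        secret: process.env.CSRF_SECRET || "your-csrf-secret-change-in-production",
    },
    // Content Security Policy
    csp: {
        policy: {
            "default-src": "'self'",
            // 'unsafe-inline' in script-src allows any injected inline <script> to execute, which
            // removes most of the XSS mitigation a CSP provides. Move to nonces/hashes once the
            // framework's inline scripts can carry them.
            "script-src": "'self' 'unsafe-inline'",
            "style-src": "'self' 'unsafe-inline'",
            "img-src": "'self' data: https:",
            "font-src": "'self' https:",
            "connect-src": "'self'",
        },
    },
    // Other security headers
    xframe: "SAMEORIGIN",
    nosniff: true,
    xssProtection: true, // legacy X-XSS-Protection header; modern browsers ignore it, CSP is the real control
    referrerPolicy: "same-origin",
};

// Built once at module load; the previous implementation constructed a fresh lusca
// middleware closure on every request.
const csrfCheck = lusca_1.default.csrf(luscaConfig.csrf);

// Exact paths and path prefixes that are exempt from the CSRF check.
// "/static" is matched on a path-segment boundary so that unrelated routes such as
// "/static-upload" are not silently exempted. The Next.js prefixes stay plain prefixes
// because its dev-mode endpoints are not all under a "/_next/" or "/__next/" segment
// (e.g. "/__nextjs_..."), and an application route starting with "/_next" is unlikely.
const CSRF_EXEMPT_PATHS = new Set(["/csrf-token"]);
const CSRF_EXEMPT_SEGMENTS = ["/static"];
const CSRF_EXEMPT_PREFIXES = ["/_next", "/__next"];

/**
 * Whether a request path bypasses CSRF protection.
 * @param {string} path - req.path as provided by Express
 * @returns {boolean}
 */
function isCsrfExempt(path) {
    if (CSRF_EXEMPT_PATHS.has(path)) {
        return true;
    }
    if (CSRF_EXEMPT_SEGMENTS.some((seg) => path === seg || path.startsWith(`${seg}/`))) {
        return true;
    }
    return CSRF_EXEMPT_PREFIXES.some((prefix) => path.startsWith(prefix));
}

/**
 * Conditional CSRF middleware.
 * GET requests and exempt paths pass straight through; every other request (including
 * HEAD/OPTIONS) is handed to lusca's CSRF check, which decides per its own safe-method rules.
 * @param {import("express").Request} req
 * @param {import("express").Response} res
 * @param {import("express").NextFunction} next
 */
const csrfProtection = (req, res, next) => {
    if (req.method === "GET" || isCsrfExempt(req.path)) {
        return next();
    }
    return csrfCheck(req, res, next);
};
exports.csrfProtection = csrfProtection;

/**
 * Route handler that returns a CSRF token as JSON ({ csrfToken }).
 * Reuses a token already present in the session; otherwise runs the lusca CSRF middleware
 * once so it mints a token (and sets the `_csrf` cookie) and reports the result.
 * Responds 500 if the session is unavailable or lusca reports an error.
 * @param {import("express").Request} req - requires session middleware (req.session)
 * @param {import("express").Response} res
 */
const getCSRFToken = (req, res) => {
    try {
        const existing = req.session._csrf || req.session[luscaConfig.csrf.key];
        if (existing) {
            res.json({
                csrfToken: existing,
            });
            return;
        }
        csrfCheck(req, res, (err) => {
            // The original callback dropped lusca's error argument and answered 200 with
            // an undefined token; surface it as a 500 instead.
            if (err) {
                console.error("获取 CSRF token 错误:", err);
                res.status(500).json({
                    error: "Failed to generate CSRF token",
                    message: "生成 CSRF 令牌失败",
                });
                return;
            }
            // lusca publishes the minted token under res.locals[key]; the session and
            // req.csrfToken() lookups are kept for compatibility with other CSRF backends.
            const minted = req.session._csrf
                || req.session[luscaConfig.csrf.key]
                || (res.locals && res.locals[luscaConfig.csrf.key])
                || req.csrfToken?.();
            res.json({
                csrfToken: minted,
            });
        });
    } catch (error) {
        console.error("获取 CSRF token 错误:", error);
        res.status(500).json({
            error: "Failed to generate CSRF token",
            message: "生成 CSRF 令牌失败",
        });
    }
};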
exports.getCSRFToken = getCSRFToken; // Lusca 安全中间件配置 exports.securityMiddleware = { // 基本的安全头 basicHeaders: (0, lusca_1.default)({ xframe: luscaConfig.xframe, nosniff: luscaConfig.nosniff, xssProtection: luscaConfig.xssProtection, referrerPolicy: luscaConfig.referrerPolicy, }), }; // CSP 中间件 const createCSPMiddleware = () => { return lusca_1.default.csp(luscaConfig.csp); }; exports.createCSPMiddleware = createCSPMiddleware;