f

Author: fengmk2

README.md

@@ -1,28 +1,29 @@
-# egg-security
-
-Security plugin in egg
+# @eggjs/security
 
 [![NPM version][npm-image]][npm-url]
 [![Node.js CI](https://github.com/eggjs/security/actions/workflows/nodejs.yml/badge.svg)](https://github.com/eggjs/security/actions/workflows/nodejs.yml)
 [![Test coverage][codecov-image]][codecov-url]
 [![Known Vulnerabilities][snyk-image]][snyk-url]
 [![npm download][download-image]][download-url]
+[![Node.js Version](https://img.shields.io/node/v/eggjs/security.svg?style=flat)](https://nodejs.org/en/download/)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](https://makeapullrequest.com)
+![CodeRabbit Pull Request Reviews](https://img.shields.io/coderabbit/prs/github/eggjs/security)
 
-[npm-image]: https://img.shields.io/npm/v/egg-security.svg?style=flat-square
-[npm-url]: https://npmjs.org/package/egg-security
+[npm-image]: https://img.shields.io/npm/v/@eggjs/security.svg?style=flat-square
+[npm-url]: https://npmjs.org/package/@eggjs/security
 [codecov-image]: https://codecov.io/gh/eggjs/security/branch/master/graph/badge.svg
 [codecov-url]: https://codecov.io/gh/eggjs/security
-[snyk-image]: https://snyk.io/test/npm/egg-security/badge.svg?style=flat-square
-[snyk-url]: https://snyk.io/test/npm/egg-security
-[download-image]: https://img.shields.io/npm/dm/egg-security.svg?style=flat-square
-[download-url]: https://npmjs.org/package/egg-security
+[snyk-image]: https://snyk.io/test/npm/@eggjs/security/badge.svg?style=flat-square
+[snyk-url]: https://snyk.io/test/npm/@eggjs/security
+[download-image]: https://img.shields.io/npm/dm/@eggjs/security.svg?style=flat-square
+[download-url]: https://npmjs.org/package/@eggjs/security
 
 Egg's default security plugin, generally no need to configure.
 
 ## Install
 
 ```bash
-npm i egg-security
+npm i @eggjs/security
 ```
 
 ## Usage & configuration

README.zh-CN.md

@@ -1,21 +1,24 @@
-# egg-security
-
-egg 内置的安全插件
+# @eggjs/security
 
 [![NPM version][npm-image]][npm-url]
 [![Node.js CI](https://github.com/eggjs/security/actions/workflows/nodejs.yml/badge.svg)](https://github.com/eggjs/security/actions/workflows/nodejs.yml)
 [![Test coverage][codecov-image]][codecov-url]
 [![Known Vulnerabilities][snyk-image]][snyk-url]
 [![npm download][download-image]][download-url]
+[![Node.js Version](https://img.shields.io/node/v/eggjs/security.svg?style=flat)](https://nodejs.org/en/download/)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](https://makeapullrequest.com)
+![CodeRabbit Pull Request Reviews](https://img.shields.io/coderabbit/prs/github/eggjs/security)
 
-[npm-image]: https://img.shields.io/npm/v/egg-security.svg?style=flat-square
-[npm-url]: https://npmjs.org/package/egg-security
+[npm-image]: https://img.shields.io/npm/v/@eggjs/security.svg?style=flat-square
+[npm-url]: https://npmjs.org/package/@eggjs/security
 [codecov-image]: https://codecov.io/gh/eggjs/security/branch/master/graph/badge.svg
 [codecov-url]: https://codecov.io/gh/eggjs/security
-[snyk-image]: https://snyk.io/test/npm/egg-security/badge.svg?style=flat-square
-[snyk-url]: https://snyk.io/test/npm/egg-security
-[download-image]: https://img.shields.io/npm/dm/egg-security.svg?style=flat-square
-[download-url]: https://npmjs.org/package/egg-security
+[snyk-image]: https://snyk.io/test/npm/@eggjs/security/badge.svg?style=flat-square
+[snyk-url]: https://snyk.io/test/npm/@eggjs/security
+[download-image]: https://img.shields.io/npm/dm/@eggjs/security.svg?style=flat-square
+[download-url]: https://npmjs.org/package/@eggjs/security
+
+egg 内置的安全插件
 
 ## 使用方式
 

package.json

@@ -39,26 +39,26 @@
     "@eggjs/core": "^6.2.13",
     "@eggjs/ip": "^2.1.0",
     "csrf": "^3.0.6",
-    "egg-path-matching": "^1.0.0",
+    "egg-path-matching": "^2.1.0",
     "escape-html": "^1.0.3",
     "extend": "^3.0.1",
     "extend2": "^4.0.0",
     "koa-compose": "^4.1.0",
     "matcher": "^4.0.0",
-    "methods": "^1.1.2",
     "nanoid": "^3.3.8",
-    "statuses": "^2.0.1",
-    "type-is": "^1.6.15",
+    "type-is": "^1.6.18",
     "xss": "^1.0.3"
   },
   "devDependencies": {
     "@arethetypeswrong/cli": "^0.17.1",
     "@eggjs/bin": "7",
     "@eggjs/mock": "^6.0.5",
     "@eggjs/tsconfig": "1",
+    "@types/escape-html": "^1.0.4",
     "@types/koa-compose": "^3.2.8",
     "@types/mocha": "10",
     "@types/node": "22",
+    "@types/type-is": "^1.6.7",
     "beautify-benchmark": "^0.2.4",
     "benchmark": "^2.1.4",
     "egg": "^4.0.1",

src/agent.ts

@@ -1,7 +1,7 @@
 import type { ILifecycleBoot, EggCore } from '@eggjs/core';
 import { preprocessConfig } from './lib/utils.js';
 
-export class AgentBoot implements ILifecycleBoot {
+export default class AgentBoot implements ILifecycleBoot {
   private readonly agent;
 
   constructor(agent: EggCore) {

src/app.ts

@@ -2,7 +2,7 @@ import assert from 'node:assert';
 import type { ILifecycleBoot, EggCore } from '@eggjs/core';
 import { preprocessConfig } from './lib/utils.js';
 
-export class AgentBoot implements ILifecycleBoot {
+export default class AgentBoot implements ILifecycleBoot {
   private readonly app;
 
   constructor(app: EggCore) {

src/app/extend/context.ts

@@ -8,7 +8,7 @@ import type {
   HttpClientOptions,
   HttpClientRequestReturn,
 } from '../../lib/extend/safe_curl.js';
-import { SecurityConfig } from '../../types.js';
+import { SecurityConfig, SecurityHelperConfig } from '../../types.js';
 
 const debug = debuglog('@eggjs/security/app/extend/context');
 
@@ -113,10 +113,10 @@ export default class SecurityContext extends Context {
 
   /**
    * ensure csrf secret exists in session or cookie.
-   * @param {Boolean} rotate reset secret even if the secret exists
+   * @param {Boolean} [rotate] reset secret even if the secret exists
    * @public
    */
-  ensureCsrfSecret(rotate: boolean) {
+  ensureCsrfSecret(rotate?: boolean) {
     if (this[CSRF_SECRET] && !rotate) return;
     debug('ensure csrf secret, exists: %s, rotate; %s', this[CSRF_SECRET], rotate);
     const secret = tokens.secretSync();
@@ -154,7 +154,7 @@ export default class SecurityContext extends Context {
     // try order: query, body, header
     const token = findToken(this.request.query, queryName)
       || findToken(this.request.body, bodyName)
-      || (headerName && this.request.get(headerName));
+      || (headerName && this.request.get<string>(headerName));
     debug('get token: %j, secret: %j', token, this[CSRF_SECRET]);
     return token;
   }
@@ -265,11 +265,11 @@ export default class SecurityContext extends Context {
 
 declare module '@eggjs/core' {
   interface Context {
-    get securityOptions(): Partial<SecurityConfig>;
+    get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
     isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
     get nonce(): string;
     get csrf(): string;
-    ensureCsrfSecret(rotate: boolean): void;
+    ensureCsrfSecret(rotate?: boolean): void;
     rotateCsrfSecret(): void;
     assertCsrf(): void;
     safeCurl(url: HttpClientRequestURL, options?: HttpClientOptions): HttpClientRequestReturn;

src/app/extend/helper.js

@@ -0,0 +1,5 @@
+import helpers from '../../lib/helper/index.js';
+
+export default {
+  ...helpers,
+};

src/app/extend/helper.ts

@@ -1,8 +1,11 @@
 import { Response as KoaResponse } from '@eggjs/core';
+import SecurityContext from './context.js';
 
 const unsafeRedirect = KoaResponse.prototype.redirect;
 
 export default class SecurityResponse extends KoaResponse {
+  declare ctx: SecurityContext;
+
   /**
    * This is an unsafe redirection, and we WON'T check if the
    * destination url is safe or not.
@@ -84,5 +87,6 @@ declare module '@eggjs/core' {
   // add Response overrides types
   interface Response {
     unsafeRedirect(url: string, alt?: string): void;
+    redirect(url: string, alt?: string): void;
   }
 }