Initial commit

2025-08-25 22:12:02 +02:00 · 2023-11-30 14:15:19 +00:00
commit e4599df811
5457 changed files with 500139 additions and 0 deletions
--- a/node_modules/server/plugins/security/index.js
+++ b/node_modules/server/plugins/security/index.js
@@ -0,0 +1,63 @@
+const modern = require('../../src/modern');
+const csurf = require('csurf');
+const helmet = require('helmet');
+
+module.exports = {
+  name: 'security',
+  options: {
+    csrf: {
+      env: 'SECURITY_CSRF',
+      default: {},
+      type: Object
+    },
+    contentSecurityPolicy: {
+      env: 'SECURITY_CONTENTSECURITYPOLICY'
+    },
+    expectCt: {
+      env: 'SECURITY_EXPECTCT'
+    },
+    dnsPrefetchControl: {
+      env: 'SECURITY_DNSPREFETCHCONTROL'
+    },
+    frameguard: {
+      env: 'SECURITY_FRAMEGUARD'
+    },
+    hidePoweredBy: {
+      env: 'SECURITY_HIDEPOWEREDBY'
+    },
+    hpkp: {
+      env: 'SECURITY_HPKP'
+    },
+    hsts: {
+      env: 'SECURITY_HSTS'
+    },
+    ieNoOpen: {
+      env: 'SECURITY_IENOOPEN'
+    },
+    noCache: {
+      env: 'SECURITY_NOCACHE'
+    },
+    noSniff: {
+      env: 'SECURITY_NOSNIFF'
+    },
+    referrerPolicy: {
+      env: 'SECURITY_REFERRERPOLICY'
+    },
+    xssFilter: {
+      env: 'SECURITY_XSSFILTER'
+    }
+  },
+  before: [
+    ctx => ctx.options.security && ctx.options.security.csrf
+      ? modern(csurf(ctx.options.security.csrf))(ctx)
+      : false,
+    ctx => {
+      // Set the csrf for render(): https://expressjs.com/en/api.html#res.locals
+      if (ctx.req.csrfToken) {
+        ctx.csrf = ctx.req.csrfToken();
+        ctx.res.locals.csrf = ctx.csrf;
+      }
+    },
+    ctx => ctx.options.security ? modern(helmet(ctx.options.security))(ctx) : false
+  ]
+};
--- a/node_modules/server/plugins/security/unit.test.js
+++ b/node_modules/server/plugins/security/unit.test.js
@@ -0,0 +1,16 @@
+const run = require('server/test/run');
+const { get, post } = require('server/router');
+
+describe('static plugin', () => {
+  it('csurf', async () => {
+    return await run({ public: 'test' }, [
+      get('/', ctx => ctx.res.locals.csrf),
+      post('/', () => '世界')
+    ]).alive(async api => {
+      const csrf = (await api.get('/')).body;
+      expect(csrf).toBeDefined();
+      const res = await api.post('/', { body: { _csrf: csrf }});
+      expect(res.statusCode).toBe(200);
+    });
+  });
+});