@gravity-ui/expresskit - npm Package Compare versions

Comparing version 1.1.2 to 1.2.0

dist/base-middleware.d.ts

@@ -1,3 +0,3 @@
-import type { AppContext } from '@gravity-ui/nodekit';
+import { type AppContext } from '@gravity-ui/nodekit';
 import type { Express } from 'express';
 export declare function setupBaseMiddleware(ctx: AppContext, expressApp: Express): void;

dist/base-middleware.js

 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.setupBaseMiddleware = void 0;
+const nodekit_1 = require("@gravity-ui/nodekit");
 const uuid_1 = require("uuid");
@@ -21,3 +22,3 @@ const constants_1 = require("./constants");
             });
-            req.ctx.set('requestId', req.id);
+            req.ctx.set(nodekit_1.REQUEST_ID_PARAM_NAME, req.id);
             req.ctx.setTag('http.hostname', req.hostname);
@@ -24,0 +25,0 @@ req.ctx.setTag('http.method', req.method);

dist/expresskit.js

@@ -9,2 +9,3 @@ "use strict";
 const fs_1 = __importDefault(require("fs"));
+const worker_threads_1 = require("worker_threads");
 const express_1 = __importDefault(require("express"));
@@ -36,2 +37,3 @@ const base_middleware_1 = require("./base-middleware");
             cluster_1.default.isPrimary &&
+            worker_threads_1.isMainThread &&
             fs_1.default.existsSync(appSocket)) {
@@ -38,0 +40,0 @@ fs_1.default.unlinkSync(appSocket);

dist/index.d.ts

 export { ExpressKit } from './expresskit';
 export type { AppAuthHandler, AppMiddleware, AppMountDescription, AppMountHandler, AppRouteDescription, AppRouteHandler, AppRouteParams, AppRoutes, Request, Response, AppErrorHandler, NextFunction, } from './types';
 export { AuthPolicy } from './types';
+export * from './csp';

dist/index.js

 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
 Object.defineProperty(exports, "__esModule", { value: true });
@@ -8,1 +22,2 @@ exports.AuthPolicy = exports.ExpressKit = void 0;
 Object.defineProperty(exports, "AuthPolicy", { enumerable: true, get: function () { return types_1.AuthPolicy; } });
+__exportStar(require("./csp"), exports);

dist/router.js

@@ -16,2 +16,3 @@ "use strict";
 const express_1 = require("express");
+const middleware_1 = require("./csp/middleware");
 const types_1 = require("./types");
@@ -72,2 +73,3 @@ function isAllowedMethod(method) {
 function setupRoutes(ctx, expressApp, routes) {
+    const appPresets = (0, middleware_1.getAppPresets)(ctx.config.expressCspPresets);
     Object.entries(routes).forEach(([routeKey, rawRoute]) => {
@@ -81,3 +83,3 @@ const routeKeyParts = routeKey.split(/\s+/);
         const route = typeof rawRoute === 'function' ? { handler: rawRoute } : rawRoute;
-        const { authPolicy: routeAuthPolicy, handler: _h, beforeAuth: _beforeAuth, afterAuth: _afterAuth } = route, restRouteInfo = __rest(route, ["authPolicy", "handler", "beforeAuth", "afterAuth"]);
+        const { authPolicy: routeAuthPolicy, handler: _h, beforeAuth: _beforeAuth, afterAuth: _afterAuth, cspPresets } = route, restRouteInfo = __rest(route, ["authPolicy", "handler", "beforeAuth", "afterAuth", "cspPresets"]);
         const authPolicy = routeAuthPolicy || ctx.config.appAuthPolicy || types_1.AuthPolicy.disabled;
@@ -104,2 +106,13 @@ const handlerName = restRouteInfo.handlerName || route.handler.name || UNNAMED_CONTROLLER;
             routeInfoMiddleware,
+            ...(ctx.config.expressCspEnable
+                ? [
+                    (0, middleware_1.cspMiddleware)({
+                        appPresets,
+                        routPresets: cspPresets,
+                        reportOnly: ctx.config.expressCspReportOnly,
+                        reportTo: ctx.config.expressCspReportTo,
+                        reportUri: ctx.config.expressCspReportUri,
+                    }),
+                ]
+                : []),
             ...(ctx.config.appBeforeAuthMiddleware || []),
@@ -106,0 +119,0 @@ ...(route.beforeAuth || []),

dist/types.d.ts

 import type { AppContext } from '@gravity-ui/nodekit';
 import type bodyParser from 'body-parser';
 import type { ErrorRequestHandler, NextFunction, Request, RequestHandler, Response, Router } from 'express';
+import type { CSPPreset } from './csp';
+import type { getDefaultPresets } from './csp/default-presets';
+import type { CSPMiddlewareParams } from './csp/middleware';
 declare global {
@@ -41,6 +44,10 @@ namespace Express {
         appTelemetryChEnableSelfStats?: boolean;
+        expressCspEnable?: boolean;
+        expressCspPresets?: CSPPreset | ((params: {
+            getDefaultPresets: typeof getDefaultPresets;
+        }) => CSPPreset);
+        expressCspReportOnly?: boolean;
+        expressCspReportTo?: CSPMiddlewareParams['reportTo'];
+        expressCspReportUri?: CSPMiddlewareParams['reportUri'];
     }
-    interface AppContextParams {
-        requestId: string;
-    }
 }
@@ -62,2 +69,6 @@ export declare enum AuthPolicy {
     afterAuth?: AppMiddleware[];
+    cspPresets?: CSPPreset | ((params: {
+        getDefaultPresets: typeof getDefaultPresets;
+        appPresets: CSPPreset;
+    }) => CSPPreset);
 }
@@ -64,0 +75,0 @@ export declare const HTTP_METHODS: readonly ["get", "head", "options", "post", "put", "patch", "delete"];

package.json

 {
   "name": "@gravity-ui/expresskit",
-  "version": "1.1.2",
+  "version": "1.2.0",
   "description": "Express.js wrapper for NodeKit-based apps",
@@ -48,7 +48,9 @@ "main": "dist/index.js",
     "cookie-parser": "1.4.6",
+    "csp-header": "^5.2.1",
     "express": "^4.18.2",
+    "express-csp-header": "^5.2.1",
     "uuid": "^9.0.0"
   },
   "peerDependencies": {
-    "@gravity-ui/nodekit": "^1.0.0"
+    "@gravity-ui/nodekit": "^1.2.1"
   },
@@ -55,0 +57,0 @@ "nano-staged": {

README.md

@@ -29,1 +29,30 @@ # ExpressKit (work in progress)
 More complex examples and documentation are coming.
+
+## CSP
+
+`config.ts`
+
+```typescript
+import type {AppConfig} from '@gravity-ui/nodekit';
+import {csp} from '@gravity-ui/expresskit';
+
+const config: Partial<AppConfig> = {
+    expressCspEnable: true,
+    expressCspPresets: ({getDefaultPresets}) => {
+        return getDefaultPresets({defaultNone: true}).concat([
+            csp.inline(),
+            {csp.directives.REPORT_TO: 'my-report-group'},
+        ]);
+    },
+    expressCspReportTo: [
+        {
+            group: 'my-report-group',
+            max_age: 30 * 60,
+            endpoints: [{ url: 'https://cspreport.com/send'}],
+            include_subdomains: true,
+        }
+    ]
+}
+
+export default config;
+```

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

41726

increased by71.63%

Number of package files

43

increased by152.94%

Lines of code

880

increased by83.72%

Number of lines in readme file

58

increased by100%

Worsened metrics

Dependency count

7

increased by40%

Dependency changes

• + Addedcsp-header@^5.2.1

• + Addedexpress-csp-header@^5.2.1

• + Addedcsp-header@5.2.1(transitive)

• + Addedexpress-csp-header@5.2.1(transitive)

• + Addedpsl@1.8.0(transitive)