Merge pull request #4 from AegisJSProject/patch/refactor

patch/refactor

Author: shgysk8zer0

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.0.1] - 2025-11-26
+
+### Added
+- Add default CSP using importmap and local package name
+
+### Changed
+- Update modules to have default exports for use as module specifiers
+
 ## [v1.0.0] - 2025-11-24
 
 Initial Release

compression.js

@@ -16,4 +16,4 @@ export function useCompression(format = 'deflate') {
 
 export const useGzip = useCompression('gzip');
 export const useDeflate = useCompression('deflate');
-export default useCompression;
+export default useDeflate;

cors.js

@@ -20,3 +20,5 @@ export function useCORS({ allowCredentials = false } = {}) {
 		}
 	};
 }
+
+export default useCORS();

csp.js

@@ -1,6 +1,31 @@
-export function useCSP(policy = {
-	'default-src': ['\'self\''],
-}) {
+import { readFile } from 'node:fs/promises';
+import { imports } from '@shgysk8zer0/importmap';
+
+const pkg = JSON.parse(await readFile(process.cwd() + '/package.json', { encoding: 'utf8' }));
+
+export const importmap = typeof pkg.module === 'string'
+	? JSON.stringify({
+		imports: {
+			...imports,
+			[pkg.name]: pkg.module,
+			[`${pkg.name}/`]: './',
+		}
+	})
+	: JSON.stringify({
+		imports: {
+			...imports,
+			[`${pkg.name}/`]: './',
+		}
+	});
+
+const sri = async (input) => await Promise.resolve(input)
+	.then(json => new TextEncoder().encode(json))
+	.then(bytes => crypto.subtle.digest('SHA-384', bytes))
+	.then(hash => 'sha384-' + new Uint8Array(hash).toBase64());
+
+export const integrity = await sri(importmap);
+
+export function useCSP(policy = { 'default-src': ['\'self\''] }) {
 	const policyStr = Object.entries(policy).map(([name, values]) => {
 		return `${name} ${Array.isArray(values) ? values.join(' ') : values}`;
 	}).join('; ');
@@ -11,3 +36,29 @@ export function useCSP(policy = {
 		}
 	};
 }
+
+const DEFAULT_SRC = ['\'self\''];
+const SCRIPT_SRC = ['\'self\'', 'https://unpkg.com/@shgysk8zer0/', 'https://unpkg.com/@kernvalley/', 'https://unpkg.com/@aegisjsproject/', `'${integrity}'`];
+const STYLE_SRC = ['\'self\'', 'https://unpkg.com/@agisjsproject/', 'blob:'];
+const IMAGE_SRC = ['\'self\'', 'https://i.imgur.com/', 'https://secure.gravatar.com/avatar/', 'blob:', 'data:'];
+const MEDIA_SRC = ['\'self\'', 'blob:'];
+const CONNECT_SRC = ['\'self\''];
+const FONT_SRC = ['\'self\''];
+const FRAME_SRC = ['\'self\'', 'https://www.youtube-nocookie.com'];
+const TRUSTED_TYPES = ['aegis-sanitizer#html'];
+
+export const useDefaultCSP = ({ ...rest } = {}) => useCSP({
+	'default-src': DEFAULT_SRC,
+	'script-src': SCRIPT_SRC,
+	'style-src': STYLE_SRC,
+	'img-src': IMAGE_SRC,
+	'media-src': MEDIA_SRC,
+	'font-src': FONT_SRC,
+	'frame-src': FRAME_SRC,
+	'connect-src': CONNECT_SRC,
+	'trusted-types': TRUSTED_TYPES,
+	'require-trusted-types-for': '\'script\'',
+	...rest
+});
+
+export default useDefaultCSP;

geo.js

@@ -1,12 +1,12 @@
 const ENDPOINT = 'https://api.ipgeolocation.io/ipgeo';
-const ENV_NAME = 'IPGEOLOCATION';
+const ENV_NAME = 'IPGEOLOCATION_KEY';
 const cache = new Map();
 let warned = false;
 
 /**
  * Adds a `geo` object containing geoip data to the request context object.
  *
- * @param {string} [apiKey=process.env.IPGEOLOCATION] The API key for `api.ipgeolocation.io`, defaulting to one provided by an environment variable.
+ * @param {string} [apiKey=process.env.IPGEOLOCATION_KEY] The API key for `api.ipgeolocation.io`, defaulting to one provided by an environment variable.
  * @returns {Function} The middleware context modifying callback.
  */
 export function useGeo(apiKey = process.env[ENV_NAME]) {
@@ -65,3 +65,5 @@ export function useGeo(apiKey = process.env[ENV_NAME]) {
 		}
 	};
 }
+
+export default typeof process.env[ENV_NAME] === 'string' ? useGeo(process.env[ENV_NAME]) : () => null;

http.config.js

@@ -1,9 +1,5 @@
 import { useRateLimit } from './rate-limit.js';
-import { useCSP } from './csp.js';
-import { useCORS } from './cors.js';
 import { checkCacheItem, setCacheItem } from './cache.js';
-import { useGeo } from './geo.js';
-import { useCompression } from './compression.js';
 import { imports } from '@shgysk8zer0/importmap';
 
 const visits = new Map();
@@ -21,21 +17,15 @@ export default {
 			console.log(`${req.url} visit count: ${visits.get(req.url)}`);
 		},
 		useRateLimit({ timeout: 60_000, maxRequests: 100 }),
-		useGeo(process.env.IPGEOLOCATION_KEY),
-		'./req-id.js',
+		'@aegisjsproject/http-utils/geo.js',
+		'@aegisjsproject/http-utils/request-id.js',
 		checkCacheItem,
 	],
 	responsePostprocessors: [
-		useCompression('deflate'),
+		'@aegisjsproject/http-utils/compression.js',
 		setCacheItem,
-		useCORS({ allowCredentials: true }),
-		useCSP({
-			'default-src': '\'none\'',
-			'script-src': ['\'self\'', 'https://unpkg.com/@shgysk8zer0/', 'https://unpkg.com/@shgysk8zer0/'],
-			'img-src': '\'self\'',
-			'media-src': '\'self\'',
-			'connect-src': ['\'self\'', 'http://localhost:*/'],
-		}),
+		'@aegisjsproject/http-utils/cors.js',
+		'@aegisjsproject/http-utils/csp.js',
 		(response, { request }) => {
 			if (request.destination === 'document') {
 				response.headers.append('Link', `<${imports['@shgysk8zer0/polyfills']}>; rel="preload"; as="script"; fetchpriority="high"; crossorigin="anonymous"; referrerpolicy="no-referrer"`);

logger.js

@@ -1 +1,2 @@
 export const logger = reqOrResp => console.log(reqOrResp);
+export default logger;