diff --git a/.adonisrc.json b/.adonisrc.json index f7394a4..7facf7c 100755 --- a/.adonisrc.json +++ b/.adonisrc.json @@ -31,7 +31,6 @@ "@adonisjs/view", "@adonisjs/bouncer", "@adonisjs/ally", - "@adonisjs/shield" ], "aceProviders": [ "@adonisjs/repl" diff --git a/config/shield.ts b/config/shield.ts deleted file mode 100644 index 4074832..0000000 --- a/config/shield.ts +++ /dev/null @@ -1,238 +0,0 @@ -/** - * Config source: https://git.io/Jvwvt - * - * Feel free to let us know via PR, if you find something broken in this config - * file. - */ - -import Env from '@ioc:Adonis/Core/Env' -import { ShieldConfig } from '@ioc:Adonis/Addons/Shield' - -/* -|-------------------------------------------------------------------------- -| Content Security Policy -|-------------------------------------------------------------------------- -| -| Content security policy filters out the origins not allowed to execute -| and load resources like scripts, styles and fonts. There are wide -| variety of options to choose from. -*/ -export const csp: ShieldConfig['csp'] = { - /* - |-------------------------------------------------------------------------- - | Enable/disable CSP - |-------------------------------------------------------------------------- - | - | The CSP rules are disabled by default for seamless onboarding. - | - */ - enabled: false, - - /* - |-------------------------------------------------------------------------- - | Directives - |-------------------------------------------------------------------------- - | - | All directives are defined in camelCase and here is the list of - | available directives and their possible values. - | - | https://content-security-policy.com - | - | @example - | directives: { - | defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com'] - | } - | - */ - directives: { - }, - - /* - |-------------------------------------------------------------------------- - | Report only - |-------------------------------------------------------------------------- - | - | Setting `reportOnly=true` will not block the scripts from running and - | instead report them to a URL. - | - */ - reportOnly: false, -} - -/* -|-------------------------------------------------------------------------- -| CSRF Protection -|-------------------------------------------------------------------------- -| -| CSRF Protection adds another layer of security by making sure, actionable -| routes does have a valid token to execute an action. -| -*/ -export const csrf: ShieldConfig['csrf'] = { - /* - |-------------------------------------------------------------------------- - | Enable/Disable CSRF - |-------------------------------------------------------------------------- - */ - enabled: Env.get('NODE_ENV') !== 'testing', - - /* - |-------------------------------------------------------------------------- - | Routes to Ignore - |-------------------------------------------------------------------------- - | - | Define an array of route patterns that you want to ignore from CSRF - | validation. Make sure the route patterns are started with a leading - | slash. Example: - | - | `/foo/bar` - | - | Also you can define a function that is evaluated on every HTTP Request. - | ``` - | exceptRoutes: ({ request }) => request.url().includes('/api') - | ``` - | - */ - exceptRoutes: [], - - /* - |-------------------------------------------------------------------------- - | Enable Sharing Token Via Cookie - |-------------------------------------------------------------------------- - | - | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN` - | cookie that frontend frameworks can read and return back as a - | `X-XSRF-TOKEN` header. - | - | The cookie has `httpOnly` flag set to false, so it is little insecure and - | can be turned off when you are not using a frontend framework making - | AJAX requests. - | - */ - enableXsrfCookie: true, - - /* - |-------------------------------------------------------------------------- - | Methods to Validate - |-------------------------------------------------------------------------- - | - | Define an array of HTTP methods to be validated for a valid CSRF token. - | - */ - methods: ['POST', 'PUT', 'PATCH', 'DELETE'], -} - -/* -|-------------------------------------------------------------------------- -| DNS Prefetching -|-------------------------------------------------------------------------- -| -| DNS prefetching allows browsers to proactively perform domain name -| resolution in background. -| -| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control -| -*/ -export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = { - /* - |-------------------------------------------------------------------------- - | Enable/disable this feature - |-------------------------------------------------------------------------- - */ - enabled: true, - - /* - |-------------------------------------------------------------------------- - | Allow or Dis-Allow Explicitly - |-------------------------------------------------------------------------- - | - | The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However - | the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header. - | - | - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'` - | - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'` - | - */ - allow: true, -} - -/* -|-------------------------------------------------------------------------- -| Iframe Options -|-------------------------------------------------------------------------- -| -| xFrame defines whether or not your website can be embedded inside an -| iframe. Choose from one of the following options. -| -| - DENY -| - SAMEORIGIN -| - ALLOW-FROM http://example.com -| -| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -*/ -export const xFrame: ShieldConfig['xFrame'] = { - enabled: true, - action: 'DENY', -} - -/* -|-------------------------------------------------------------------------- -| Http Strict Transport Security -|-------------------------------------------------------------------------- -| -| A security to ensure that a browser always makes a connection over -| HTTPS. -| -| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -| -*/ -export const hsts: ShieldConfig['hsts'] = { - enabled: true, - /* - |-------------------------------------------------------------------------- - | Max Age - |-------------------------------------------------------------------------- - | - | Control, how long the browser should remember that a site is only to be - | accessed using HTTPS. - | - */ - maxAge: '180 days', - - /* - |-------------------------------------------------------------------------- - | Include Subdomains - |-------------------------------------------------------------------------- - | - | Apply rules on the subdomains as well. - | - */ - includeSubDomains: true, - - /* - |-------------------------------------------------------------------------- - | Preloading - |-------------------------------------------------------------------------- - | - | Google maintains a service to register your domain and it will preload - | the HSTS policy. Learn more https://hstspreload.org/ - | - */ - preload: false, -} - -/* -|-------------------------------------------------------------------------- -| No Sniff -|-------------------------------------------------------------------------- -| -| Browsers have a habit of sniffing content-type of a response. Which means -| files with .txt extension containing Javascript code will be executed as -| Javascript. You can disable this behavior by setting nosniff to false. -| -| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -| -*/ -export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = { - enabled: true, -} diff --git a/package.json b/package.json index 66a1fb6..fcf78be 100755 --- a/package.json +++ b/package.json @@ -28,7 +28,6 @@ "@adonisjs/redis": "^7.0.6", "@adonisjs/repl": "^3.1.4", "@adonisjs/session": "^6.1.1", - "@adonisjs/shield": "^7.0.5", "@adonisjs/view": "^6.0.3", "axios": "^0.21.1", "luxon": "^1.27.0", diff --git a/start/kernel.ts b/start/kernel.ts index 67432f3..2523202 100755 --- a/start/kernel.ts +++ b/start/kernel.ts @@ -22,7 +22,6 @@ import Server from "@ioc:Adonis/Core/Server"; Server.middleware.register([ () => import('@ioc:Adonis/Core/BodyParser'), - () => import('@ioc:Adonis/Addons/Shield'), () => import('App/Middleware/SilentAuth'), ]) diff --git a/tsconfig.json b/tsconfig.json index 09e3384..5c7402e 100755 --- a/tsconfig.json +++ b/tsconfig.json @@ -36,7 +36,6 @@ "@adonisjs/view", "@adonisjs/ally", "@adonisjs/bouncer", - "@adonisjs/shield" ] } } diff --git a/yarn.lock b/yarn.lock index b9e7fa3..609095f 100644 --- a/yarn.lock +++ b/yarn.lock @@ -281,15 +281,6 @@ "@poppinss/utils" "^3.1.5" fs-extra "^10.0.0" -"@adonisjs/shield@^7.0.5": - version "7.0.5" - resolved "https://registry.yarnpkg.com/@adonisjs/shield/-/shield-7.0.5.tgz#7103c1fa8fa0b42883988a12a5caac8371fc548d" - integrity sha512-Gst4PXDMOKBq5VLNrt4p3QK3fHDR4U3CdIJIWyrV+HZtbVXQM+SI8+aIK7WXUpNuaI5y10ux1qzJ2qHHjWLwTQ== - dependencies: - "@poppinss/utils" "^3.1.5" - csrf "^3.1.0" - helmet-csp "^3.4.0" - "@adonisjs/sink@^5.1.5": version "5.1.5" resolved "https://registry.yarnpkg.com/@adonisjs/sink/-/sink-5.1.5.tgz#8a238052d66f06dd9894516eb7270797c6489b2b" @@ -1405,15 +1396,6 @@ cross-spawn@^7.0.3: shebang-command "^2.0.0" which "^2.0.1" -csrf@^3.1.0: - version "3.1.0" - resolved "https://registry.yarnpkg.com/csrf/-/csrf-3.1.0.tgz#ec75e9656d004d674b8ef5ba47b41fbfd6cb9c30" - integrity sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w== - dependencies: - rndm "1.2.0" - tsscmp "1.0.6" - uid-safe "2.1.5" - css-select@^4.1.3: version "4.1.3" resolved "https://registry.yarnpkg.com/css-select/-/css-select-4.1.3.tgz#a70440f70317f2669118ad74ff105e65849c7067" @@ -2193,11 +2175,6 @@ header-case@^2.0.4: capital-case "^1.0.4" tslib "^2.0.3" -helmet-csp@^3.4.0: - version "3.4.0" - resolved "https://registry.yarnpkg.com/helmet-csp/-/helmet-csp-3.4.0.tgz#7fdd0b0274cd90a64664e2ed8e48f9a430037233" - integrity sha512-a+YgzWw6dajqhQfb6ktxil0FsQuWTKzrLSUfy55dxS8fuvl1jidTIMPZ2udN15mjjcpBPgTHNHGF5tyWKYyR8w== - html-minifier@^4.0.0: version "4.0.0" resolved "https://registry.yarnpkg.com/html-minifier/-/html-minifier-4.0.0.tgz#cca9aad8bce1175e02e17a8c33e46d8988889f56" @@ -4105,11 +4082,6 @@ rimraf@^3.0.2: dependencies: glob "^7.1.3" -rndm@1.2.0: - version "1.2.0" - resolved "https://registry.yarnpkg.com/rndm/-/rndm-1.2.0.tgz#f33fe9cfb52bbfd520aa18323bc65db110a1b76c" - integrity sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w= - safe-buffer@5.1.2, safe-buffer@~5.1.0, safe-buffer@~5.1.1: version "5.1.2" resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d" @@ -4640,11 +4612,6 @@ tslib@^2.0.3, tslib@^2.2.0, tslib@^2.3.0: resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.3.1.tgz#e8a335add5ceae51aa261d32a490158ef042ef01" integrity sha512-77EbyPPpMz+FRFRuAFlWMtmgUWGe9UOG2Z25NqCwiIjRhOf5iKGuzSe5P2w1laq+FkRy4p+PCuVkJSGkzTEKVw== -tsscmp@1.0.6: - version "1.0.6" - resolved "https://registry.yarnpkg.com/tsscmp/-/tsscmp-1.0.6.tgz#85b99583ac3589ec4bfef825b5000aa911d605eb" - integrity sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA== - tsse@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/tsse/-/tsse-2.0.0.tgz#757a1357473fecaffb5c70024acd179514779f64"