Merge pull request #39 from Baroshem/feat/allowed-methods

feat: add allowedMethodsRestricter
nuxt-modules · Oct 29, 2022 · c7c975c · c7c975c · vercel · Oct 29, 2022
2 parents 1a076ab + c7d5120
commit c7c975c
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -22,6 +22,7 @@
 - Rate Limiter
 - XSS Validator for both GET and POST requests
 - CORS Handler similar to popular Express.js middleware
+- Allowed HTTP Methods Restricter
 - TypeScript support
 
 [📖 &nbsp;Read the documentation](https://nuxt-security.vercel.app)

diff --git a/docs/content/1.getting-started/2.configuration.md b/docs/content/1.getting-started/2.configuration.md
@@ -28,6 +28,7 @@ export interface ModuleOptions {
   rateLimiter: MiddlewareConfiguration<RateLimiter> | boolean;
   xssValidator: MiddlewareConfiguration<XssValidator> | boolean;
   corsHandler: MiddlewareConfiguration<CorsOptions> | boolean;
+  allowedMethodsRestricter: MiddlewareConfiguration<AllowedHTTPMethods> | boolean;
   hidePoweredBy: boolean;
 }
 ```
@@ -125,6 +126,10 @@ security: {
     },
     route: '',
   },
+  allowedMethodsRestricter: {
+    value: '*',
+    route: '',
+  },
   hidePoweredBy: true,
 }
 ```

diff --git a/docs/content/1.index.md b/docs/content/1.index.md
@@ -31,6 +31,7 @@ Security Module for Nuxt based on OWASP Top 10 and Helmet
     - Rate Limiter
     - XSS Validator for both GET and POST requests
     - CORS Handler similar to popular Express.js middleware
+    - Allowed HTTP Methods Restricter
     - TypeScript support
   ::
 ::
diff --git a/docs/content/2.middlewares/6.allowed-methods-restricter.md b/docs/content/2.middlewares/6.allowed-methods-restricter.md
@@ -0,0 +1,32 @@
+---
+title: Allowed Methods Restricter
+description: ''
+---
+
+This middleware works by default for `*` HTTP Methods and will throw an `405 Method Not Allowed` error when the there will be a request sent with an HTTP Method that is not allowed.
+
+It will help you solve [this](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#restrict-http-methods) security problem.
+
+```ts
+export type HTTPMethod = 'GET' | 'POST' | 'DELETE' | 'PATCH' | 'POST' | string;
+
+export type AllowedHTTPMethods = HTTPMethod[] | '*'
+```
+
+To write a custom logic for this middleware follow this pattern:
+
+```javascript
+// nuxt.config.js
+
+{
+  modules: [
+    "nuxt-security",
+  ],
+  security: {
+    allowedMethodsRestricter: {
+      value: ['POST'],
+      route: '/my-custom-route'
+    }
+  }
+}
+```
diff --git a/src/defaultConfig.ts b/src/defaultConfig.ts
@@ -92,5 +92,9 @@ export const defaultSecurityConfig: ModuleOptions = {
     },
     ...defaultMiddlewareRoute,
   },
+  allowedMethodsRestricter: {
+    value: '*',
+    ...defaultMiddlewareRoute,
+  },
   hidePoweredBy: true,
 };
diff --git a/src/module.ts b/src/module.ts
@@ -2,7 +2,7 @@ import { resolve } from 'path'
 import { fileURLToPath } from 'url'
 import { defineNuxtModule, addServerHandler } from '@nuxt/kit'
 import defu from 'defu'
-import { MiddlewareConfiguration, ModuleOptions, RateLimiter, RequestSizeLimiter, SecurityHeaders, XssValidator } from './types'
+import { AllowedHTTPMethods, MiddlewareConfiguration, ModuleOptions, RateLimiter, RequestSizeLimiter, SecurityHeaders, XssValidator } from './types'
 import { defaultSecurityConfig } from './defaultConfig'
 import { SECURITY_HEADER_NAMES } from './headers'
 import { Nuxt, NuxtOptions, RuntimeConfig } from '@nuxt/schema'
@@ -71,5 +71,11 @@ export default defineNuxtModule<ModuleOptions>({
     if (corsHandlerConfig) {
       addServerHandler({ route: (corsHandlerConfig as MiddlewareConfiguration<CorsOptions>).route, handler: resolve(runtimeDir, 'server/middleware/corsHandler') })
     }
+
+    // Register allowedMethodsRestricter middleware with that will by default allow all methods
+    const allowedMethodsRestricterConfig = nuxt.options.security.allowedMethodsRestricter as MiddlewareConfiguration<AllowedHTTPMethods>
+    if (allowedMethodsRestricterConfig && allowedMethodsRestricterConfig.value !== '*') {
+      addServerHandler({ route: allowedMethodsRestricterConfig.route, handler: resolve(runtimeDir, 'server/middleware/allowedMethodsRestricter') })
+    }
   }
 })
diff --git a/src/runtime/server/middleware/allowedMethodsRestricter.ts b/src/runtime/server/middleware/allowedMethodsRestricter.ts
@@ -0,0 +1,11 @@
+import { defineEventHandler, createError } from 'h3'
+import { useRuntimeConfig } from '#imports'
+
+const securityConfig = useRuntimeConfig().security
+
+export default defineEventHandler((event) => {
+  const allowedMethods: string[] = securityConfig.allowedMethodsRestricter.value
+  if (!allowedMethods.includes(event.req.method!!)) {
+    throw createError({ statusCode: 405, statusMessage: 'Method not allowed' })
+  }
+})
diff --git a/src/types.ts b/src/types.ts
@@ -18,6 +18,10 @@ export type XssValidator = {
   css: Record<string, any> | boolean;
 } | {};
 
+export type HTTPMethod = 'GET' | 'POST' | 'DELETE' | 'PATCH' | 'POST' | string;
+
+export type AllowedHTTPMethods = HTTPMethod[] | '*'
+
 export type MiddlewareConfiguration<MIDDLEWARE> = {
   value: MIDDLEWARE;
   route: string;
@@ -45,5 +49,6 @@ export interface ModuleOptions {
   rateLimiter: MiddlewareConfiguration<RateLimiter> | boolean;
   xssValidator: MiddlewareConfiguration<XssValidator> | boolean;
   corsHandler: MiddlewareConfiguration<CorsOptions> | boolean;
+  allowedMethodsRestricter: MiddlewareConfiguration<AllowedHTTPMethods> | boolean;
   hidePoweredBy: boolean;
 }