diff --git a/docs/content/1.documentation/1.getting-started/2.configuration.md b/docs/content/1.documentation/1.getting-started/2.configuration.md index 6e376db2..586ef049 100644 --- a/docs/content/1.documentation/1.getting-started/2.configuration.md +++ b/docs/content/1.documentation/1.getting-started/2.configuration.md @@ -98,7 +98,10 @@ security: { }, throwError: true }, - allowedMethodsRestricter: '*', + allowedMethodsRestricter: { + methods: '*', + throwError: true + }, hidePoweredBy: true, basicAuth: false, enabled: true, diff --git a/docs/content/1.documentation/3.middleware/5.allowed-methods-restricter.md b/docs/content/1.documentation/3.middleware/5.allowed-methods-restricter.md index 4f2fa9be..97bee738 100644 --- a/docs/content/1.documentation/3.middleware/5.allowed-methods-restricter.md +++ b/docs/content/1.documentation/3.middleware/5.allowed-methods-restricter.md @@ -23,14 +23,18 @@ export default defineNuxtConfig({ // Global security: { - allowedMethodsRestricter: ['GET'] + allowedMethodsRestricter: { + methods: ['GET'] + } } // Per Route routeRules: { '/my-secret-route': { security: { - allowedMethodsRestricter: ['GET'] + allowedMethodsRestricter: { + methods: ['GET'] + } } } } @@ -46,11 +50,20 @@ Rate limiter accepts following configuration options: ```ts type HTTPMethod = 'GET' | 'POST' | 'DELETE' | 'PATCH' | 'POST' | string; -type AllowedHTTPMethods = HTTPMethod[] | '*' +export type AllowedHTTPMethods = { + methods: HTTPMethod[] | '*'; + throwError?: boolean; +} ``` -### `HTTP Method` +### `methods` - Default: `*` An array of allowed HTTP methods or `'*'` to allow all methods. + +### `throwError` + +- Default: `true` + +Whether to throw Nuxt Error with appriopriate error code and message. If set to false, it will just return the object with the error that you can handle. diff --git a/src/defaultConfig.ts b/src/defaultConfig.ts index 880de57a..bcf921dc 100644 --- a/src/defaultConfig.ts +++ b/src/defaultConfig.ts 
@@ -64,7 +64,10 @@ export const defaultSecurityConfig = (serverlUrl: string): ModuleOptions => ({
 statusCode: 204
 }
 },
- allowedMethodsRestricter: '*',
+ allowedMethodsRestricter: {
+ methods: '*',
+ ...defaultThrowErrorValue
+ },
 hidePoweredBy: true,
 basicAuth: false,
 enabled: true,
diff --git a/src/runtime/server/middleware/allowedMethodsRestricter.ts b/src/runtime/server/middleware/allowedMethodsRestricter.ts
index 0f1c23ad..db6582ba 100644
--- a/src/runtime/server/middleware/allowedMethodsRestricter.ts
+++ b/src/runtime/server/middleware/allowedMethodsRestricter.ts
@@ -4,15 +4,15 @@ import { getRouteRules } from '#imports'
 export default defineEventHandler((event) => {
 const routeRules = getRouteRules(event)
- const allowedMethods: string[] = routeRules.security.allowedMethodsRestricter
- if (routeRules.security.allowedMethodsRestricter !== false) {
- if (!Object.values(allowedMethods).includes(event.node.req.method!)) {
+ const allowedMethodsRestricter = routeRules.security.allowedMethodsRestricter
+ if (allowedMethodsRestricter !== false) {
+ const allowedMethods: string[] = allowedMethodsRestricter.methods
+ if (!allowedMethods.includes(event.node.req.method!)) {
 const methodNotAllowedError = {
 statusCode: 405,
 statusMessage: 'Method not allowed'
 }
- // TODO: fix this as it does not work currently
 if (routeRules.security.allowedMethodsRestricter.throwError === false) {
 return methodNotAllowedError
 }
diff --git a/src/types/middlewares.ts b/src/types/middlewares.ts
index b3b373b1..a290d07d 100644
--- a/src/types/middlewares.ts
+++ b/src/types/middlewares.ts
@@ -53,10 +53,7 @@ export type CorsOptions = {
 };
 }
-export type AllowedHTTPMethods = HTTPMethod[] | '*'
-
-export type MiddlewareConfiguration = {
- value: MIDDLEWARE;
- route: string;
+export type AllowedHTTPMethods = {
+ methods: HTTPMethod[] | '*';
 throwError?: boolean;
 }
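Review bot: In the new `allowedMethods.includes(event.node.req.method!)` check, `methods` can be the string `'*'` (the type allows it and defaultConfig.ts now sets it as the default), and on a string `includes` is a substring test, so `'*'.includes('GET')` is false and every request would take the 405 branch. Unless the handler is skipped for the wildcard somewhere outside this diff, it needs an explicit branch, e.g. `const { methods } = allowedMethodsRestricter` followed by `if (methods !== '*' && !methods.includes(event.node.req.method!)) {`. That also drops the `string[]` annotation, which does not match the declared `HTTPMethod[] | '*'`. The `throwError === false` path is now reachable and returns a plain `{ statusCode: 405, ... }` object, so it is worth confirming the HTTP status sent to the client is really 405 and not a success status carrying that body. The handler body continues past the end of the hunk.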
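Review bot: The previous forms `HTTPMethod[]` and `'*'` are dropped from `AllowedHTTPMethods` with no normalisation visible in this diff, so a config or route rule still written as `allowedMethodsRestricter: ['GET']` would reach the middleware with `.methods` undefined. If nothing outside the diff converts it, `allowedMethods.includes` would throw, and the route would fail with a server error instead of enforcing the method list; this is easy to miss in untyped config files. Either keep accepting the old shape, for example `HTTPMethod[] | '*' | { methods: HTTPMethod[] | '*'; throwError?: boolean }` with one conversion step before use, or call out the break in the release notes. A TSDoc line on `throwError` stating its default (`true`, per the docs change in this commit) would also help readers of the type.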