@torquedev/ext-security
v0.1.0 (81 downloads)
Security hardening extension for Torque: RBAC gates, rate limiting, CSRF enforcement, and audit logging
Security hardening extension for Torque. Provides RBAC gates, rate limiting, CSRF enforcement (including the fix for the missing-header bypass described under csrfEnforcement), and audit logging, all as composable request handlers.
Installation

```sh
npm install @torquedev/ext-security
```

Handlers
rbacGate

Role-based access control. Reads the permissions block from the bundle manifest and enforces the role list declared for each method.

```js
import { rbacGate } from '@torquedev/ext-security';

const handler = rbacGate.create({ coordinator });

// In your bundle manifest:
// permissions:
//   deleteRecord:
//     roles: [admin, superuser]
```

If the calling user's role is not in the allowed list for the method, the handler throws 403 Forbidden.
rateLimiter

In-memory, per-IP sliding-window rate limiter.

```js
import { rateLimiter } from '@torquedev/ext-security';

const handler = rateLimiter.create({
  windowMs: 60_000,  // 1 minute window (default)
  maxRequests: 100,  // requests per window (default)
});
```

Throws 429 Rate limit exceeded when the limit is breached. Because the counters live in process memory, each process or worker keeps its own window, so the effective limit across a multi-process deployment is a multiple of maxRequests. The key is the client IP as the coordinator reports it; behind a reverse proxy that is only as trustworthy as the proxy's handling of forwarded addresses.
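The following is an added example, not code from @torquedev/ext-security: a per-IP sliding-window limiter with the same windowMs and maxRequests options as rateLimiter, so the windowing behaviour (aging out old hits, computing a retry delay, pruning idle addresses) can be seen in full. The injectable `now` clock, the `prune` method and the `handle` wrapper are assumptions for illustration; the page does not describe the extension's internal data structure.

```javascript
// Added example, not code from @torquedev/ext-security: a per-IP sliding
// window limiter with the same windowMs/maxRequests options as rateLimiter.
// The injectable clock, prune() and handle() are assumptions for the demo;
// the extension's internal data structure is not described on the page.

function createSlidingWindowLimiter({
  windowMs = 60_000,
  maxRequests = 100,
  now = () => Date.now(),
} = {}) {
  // ip -> ascending request timestamps that still fall inside the window
  const hits = new Map();

  // Decide one request. Returns { allowed, remaining, retryAfterMs }.
  function check(ip) {
    const t = now();
    const cutoff = t - windowMs;
    const stamps = hits.get(ip) ?? [];
    // Age out timestamps that have left the window (oldest first).
    while (stamps.length && stamps[0] <= cutoff) stamps.shift();
    if (stamps.length >= maxRequests) {
      hits.set(ip, stamps);
      // The window slides: the client may retry once the oldest hit expires.
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + windowMs - t };
    }
    stamps.push(t);
    hits.set(ip, stamps);
    return { allowed: true, remaining: maxRequests - stamps.length, retryAfterMs: 0 };
  }

  // Drop IPs whose every hit has expired, so idle clients don't pin memory.
  function prune() {
    const cutoff = now() - windowMs;
    for (const [ip, stamps] of hits) {
      if (!stamps.length || stamps[stamps.length - 1] <= cutoff) hits.delete(ip);
    }
  }

  // Handler-shaped wrapper: throws a 429 the way the page describes.
  function handle(req) {
    const result = check(req.ip);
    if (!result.allowed) {
      const err = new Error('Rate limit exceeded');
      err.status = 429;
      err.retryAfterMs = result.retryAfterMs;
      throw err;
    }
    return result;
  }

  return { check, prune, handle, trackedIps: () => hits.size };
}

// Walk-through on a fake clock: 3 requests per 1 s window from one address.
let clock = 0;
const demo = createSlidingWindowLimiter({ windowMs: 1_000, maxRequests: 3, now: () => clock });
for (clock of [0, 100, 200]) console.log(clock, demo.check('203.0.113.7'));
console.log(clock, demo.check('203.0.113.7')); // 4th hit inside the window: blocked
clock = 1_000;
console.log(clock, demo.check('203.0.113.7')); // hit at t=0 has aged out: allowed
```

The per-IP array is trimmed on every check, so memory is bounded by maxRequests per active address; `prune` is what reclaims addresses that stopped sending entirely, and a real deployment would call it on a timer.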
csrfEnforcement

CSRF protection for mutating methods. Fixes the bypass where a mutating request that carried the __torque_csrf session cookie but no x-csrf-token header was silently allowed instead of rejected; such a request now fails with 403 CSRF token missing.

```js
import { csrfEnforcement } from '@torquedev/ext-security';

const handler = csrfEnforcement.create();
```

Decision table:

| Condition | Result |
|-----------|--------|
| GET / HEAD / OPTIONS | Allow (safe methods) |
| Path contains sign_in | Allow (exempt, no session yet) |
| No __torque_csrf cookie | Allow (no session, no CSRF risk) |
| Cookie present, header absent | 403 CSRF token missing |
| Cookie and header mismatch | 403 CSRF token mismatch |
| Cookie and header match | Allow |

Note that the sign_in exemption is a substring match on the path, so any route whose path contains sign_in skips the check entirely.
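The following is an added example, not the extension's own code: a pure decision function that implements the table above row by row, placed beside a reconstruction of the pre-fix shape in which the missing-header case fell through to "allow". The buggy variant is an assumption about the shape of the bug the page describes, not the extension's actual old code; the request objects, the minimal Cookie parser and the constant-time token comparison are likewise illustration choices, and the real handler obtains the request from the coordinator.

```javascript
// Added example, not code from @torquedev/ext-security: a pure decision
// function implementing the csrfEnforcement table, beside a reconstruction
// of the pre-fix shape (assumption: the actual old code is not on the page).
// Requests are plain objects with Node-style lowercased header names.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const CSRF_COOKIE = '__torque_csrf';
const CSRF_HEADER = 'x-csrf-token';

// Minimal Cookie-header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader = '') {
  const jar = {};
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Length check then XOR over every byte, so the mismatch position does not
// leak through timing.
function tokensMatch(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Fixed logic. Each branch is one row of the table, evaluated top to bottom.
// Returns { allow: true, reason } or { allow: false, status: 403, reason }.
function csrfDecision(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allow: true, reason: 'safe method' };
  }
  if (req.path.includes('sign_in')) {
    return { allow: true, reason: 'sign_in exempt' };
  }
  const cookie = parseCookies(req.headers.cookie)[CSRF_COOKIE];
  if (cookie === undefined) {
    return { allow: true, reason: 'no session' };
  }
  const header = req.headers[CSRF_HEADER];
  if (header === undefined) {
    return { allow: false, status: 403, reason: 'CSRF token missing' };
  }
  if (!tokensMatch(cookie, header)) {
    return { allow: false, status: 403, reason: 'CSRF token mismatch' };
  }
  return { allow: true, reason: 'token match' };
}

// Pre-fix shape (reconstructed): only an explicit mismatch was rejected, so a
// request carrying the cookie but no header fell through to "allow".
function csrfDecisionBuggy(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase()) || req.path.includes('sign_in')) {
    return { allow: true, reason: 'exempt' };
  }
  const cookie = parseCookies(req.headers.cookie)[CSRF_COOKIE];
  const header = req.headers[CSRF_HEADER];
  if (cookie !== undefined && header !== undefined && !tokensMatch(cookie, header)) {
    return { allow: false, status: 403, reason: 'CSRF token mismatch' };
  }
  return { allow: true, reason: 'fell through' }; // the bypass
}

// Constructed sample: a cross-site form POST. The browser attaches the
// victim's cookie automatically; the attacking page cannot set the header.
const crossSitePost = {
  method: 'POST',
  path: '/api/deleteRecord',
  headers: { cookie: 'theme=dark; __torque_csrf=k7Qd3p' },
};

// The same request as the legitimate client sends it, header echoing the cookie.
const sameSitePost = {
  ...crossSitePost,
  headers: { ...crossSitePost.headers, 'x-csrf-token': 'k7Qd3p' },
};

console.log('fixed :', csrfDecision(crossSitePost));      // 403 CSRF token missing
console.log('buggy :', csrfDecisionBuggy(crossSitePost)); // allow (the bypass)
console.log('legit :', csrfDecision(sameSitePost));       // allow
```

The cross-site request is exactly the one a forged form produces, so the difference between the two functions on it is the difference between the bypass and the fix; the remaining rows of the table are exercised by varying method, path and cookie on the same object.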
auditLog

Records security-relevant events to a configurable writer.

```js
import { auditLog } from '@torquedev/ext-security';

const handler = auditLog.create({
  writer: (entry) => myLogger.info(entry), // optional; defaults to console.log
});
```

Each log entry contains: timestamp, event, userId, ip, bundle, method, path, details.
License
MIT
