helmetjs / helmet

Help secure Express apps with various HTTP headers

Home Page: https://helmetjs.github.io/

Make ContentSecurityPolicyDirectiveValueFunction interface accept Request and Response from express

schmkr opened this issue

Currently, the ContentSecurityPolicyDirectiveValueFunction is defined as:

```ts
import { IncomingMessage, ServerResponse } from "http";

interface ContentSecurityPolicyDirectiveValueFunction {
  (req: IncomingMessage, res: ServerResponse): string;
}
```

We have some functions defined for CSP directives that actually rely on the Request and Response interfaces from Express (e.g. using locals on the Response). Would it be possible to type the function as such instead?

```ts
import { Request, Response } from "express";

interface ContentSecurityPolicyDirectiveValueFunction {
  (req: Request, res: Response): string
}
```

Helmet doesn't require Express, so we can't assume that req and res are Express objects.

Would you be able to cast these objects to achieve what you want?

Ah, I see. Since this repo's about line is "Help secure Express apps with various HTTP headers", I figured it has dependencies on Express.

Yes, I managed to succeed with casting the response parameter. Thanks.

That makes sense, and I see why it's a little confusing. Most people use Helmet with Express, but it's possible without it.

I'll think about documentation improvements I can make here.
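The cast discussed in this thread, written out as an added example (not code from the Helmet project or from the posters): a directive function that keeps Helmet's `http`-based signature and casts `res` to reach `locals`, then validates the value at runtime because the cast is unchecked. `ResponseWithLocals`, `scriptSrcNonce`, `directiveFor` and the `cspNonce` key are assumptions; in an Express app the cast target would be `Response` from "express".

```typescript
import type { IncomingMessage, ServerResponse } from "http";

// Signature quoted in the issue: Helmet only promises Node's core types.
interface ContentSecurityPolicyDirectiveValueFunction {
  (req: IncomingMessage, res: ServerResponse): string;
}

// Stand-in for the part of Express's Response used here (assumption), so the
// example runs without Express installed.
type ResponseWithLocals = ServerResponse & { locals?: Record<string, unknown> };

// Base64 or base64url nonce of at least 128 bits (22+ characters).
const NONCE_PATTERN = /^[A-Za-z0-9+/_-]{22,}={0,2}$/;

// Hypothetical directive function: reads a per-request nonce that earlier
// middleware is assumed to have stored in res.locals.cspNonce.
const scriptSrcNonce: ContentSecurityPolicyDirectiveValueFunction = (_req, res) => {
  const nonce = (res as ResponseWithLocals).locals?.cspNonce;
  // The cast is not checked by the compiler, so validate at runtime and fail
  // closed instead of emitting 'nonce-undefined' or a malformed source token.
  if (typeof nonce !== "string" || !NONCE_PATTERN.test(nonce)) {
    throw new Error("CSP nonce missing or malformed on res.locals.cspNonce");
  }
  return `'nonce-${nonce}'`;
};

// Constructed response object for demonstration; not a real ServerResponse.
function fakeResponse(locals?: Record<string, unknown>): ServerResponse {
  return { locals } as unknown as ServerResponse;
}

// Runs the directive function against a constructed request/response pair.
function directiveFor(locals?: Record<string, unknown>): string {
  return scriptSrcNonce({} as IncomingMessage, fakeResponse(locals));
}
```

When Helmet is used without Express, `res.locals` does not exist, which is the case the runtime check turns into an error instead of a broken header.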