[PASO 2.11] Security module + PII masking#35
Merged
Conversation
Define PiiFieldType, PiiMaskingMode, CsrfConfig, and SecurityConfig as the foundational type contracts for the security module (CSRF protection, input sanitization, and PII masking).
Implement 5 masking functions (maskNif, maskCard, maskPhone, maskEmail, maskIban) with 35 unit tests covering standard inputs, edge cases, and null/undefined handling.
Standalone pipe mapping PiiFieldType to masking functions via Record lookup. Handles null/undefined/empty. 8 unit tests.
Attribute directive that displays masked PII and supports toggle between masked/unmasked states. Emits visibility events via ffPiiMaskToggled output. 11 unit tests.
Three sanitization utilities: sanitizeHtml (removes dangerous tags/attributes/URIs), escapeXss (HTML entity encoding), stripTags (all tags removed). 32 tests with real XSS vectors.
SecurityService manages CSRF tokens (cookie or manual) and module config via signal. csrfInterceptor adds CSRF header on mutation requests only, with pass-through for disabled config or missing token. 18 unit tests.
…xport from core - Create provideSecurity(config?) with SECURITY_CONFIG token - Create security/index.ts barrel exporting full public API - Re-export security module from packages/core/src/index.ts - Build OK, 620/620 tests passing
Add security module: provideSecurity(), SecurityService, csrfInterceptor, PII masking (5 types), FfPiiMaskPipe, FfPiiMaskDirective, HTML sanitization. Build OK, 620/620 tests pass.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
@fireflyframework/core(v0.12.0)maskNif,maskCard,maskPhone,maskEmail,maskIban) +FfPiiMaskPipe+FfPiiMaskDirectivewith toggle show/hidesanitizeHtml(),escapeXss(),stripTags()— regex-based, no DOM dependencySecurityService(signal-based, SSR-safe) +csrfInterceptor(mutation-only)provideSecurity(config?)following standard DI patternPiiFieldType,PiiMaskingMode,CsrfConfig,SecurityConfigCommits (8)
Stats
Test plan
pnpm nx build corepassespnpm nx test core— 620/620 tests pass