@abtnode/core 1.16.38 → 1.16.39-beta-20250209-032436-5ceca2cb

package/lib/blocklet/migration-dist/migration.cjs

@@ -537,6 +537,7 @@ module.exports = Object.freeze({
   WELLKNOWN_PATH_PREFIX: '/.well-known',
   WELLKNOWN_ACME_CHALLENGE_PREFIX: '/.well-known/acme-challenge',
   WELLKNOWN_DID_RESOLVER_PREFIX: '/.well-known/did.json', // server wellknown endpoint
+  WELLKNOWN_BLACKLIST_PREFIX: '/.well-known/blacklist',
   WELLKNOWN_PING_PREFIX: '/.well-known/ping',
   WELLKNOWN_ANALYTICS_PREFIX: '/.well-known/analytics',
   WELLKNOWN_SERVICE_PATH_PREFIX: '/.well-known/service',
@@ -747,6 +748,10 @@ module.exports = Object.freeze({
     PUSH: 'push',
     WEBHOOK: 'webhook',
   },
+
+  BLACKLIST_SCOPE: {
+    ROUTER: 'router',
+  },
 });
 
 
@@ -38649,7 +38654,7 @@ module.exports = require("zlib");
 /***/ ((module) => {
 
 "use strict";
-module.exports = /*#__PURE__*/JSON.parse('{"name":"@abtnode/core","publishConfig":{"access":"public"},"version":"1.16.37","description":"","main":"lib/index.js","files":["lib"],"scripts":{"lint":"eslint tests lib --ignore-pattern \'tests/assets/*\'","lint:fix":"eslint --fix tests lib","test":"node tools/jest.js","coverage":"npm run test -- --coverage"},"keywords":[],"author":"wangshijun <wangshijun2010@gmail.com> (http://github.com/wangshijun)","license":"Apache-2.0","dependencies":{"@abtnode/analytics":"1.16.37","@abtnode/auth":"1.16.37","@abtnode/certificate-manager":"1.16.37","@abtnode/constant":"1.16.37","@abtnode/cron":"1.16.37","@abtnode/docker-utils":"1.16.37","@abtnode/logger":"1.16.37","@abtnode/models":"1.16.37","@abtnode/queue":"1.16.37","@abtnode/rbac":"1.16.37","@abtnode/router-provider":"1.16.37","@abtnode/static-server":"1.16.37","@abtnode/timemachine":"1.16.37","@abtnode/util":"1.16.37","@arcblock/did":"1.19.9","@arcblock/did-auth":"1.19.9","@arcblock/did-ext":"^1.19.9","@arcblock/did-motif":"^1.1.13","@arcblock/did-util":"1.19.9","@arcblock/event-hub":"1.19.9","@arcblock/jwt":"^1.19.9","@arcblock/pm2-events":"^0.0.5","@arcblock/validator":"^1.19.9","@arcblock/vc":"1.19.9","@blocklet/constant":"1.16.37","@blocklet/did-space-js":"^1.0.9","@blocklet/env":"1.16.37","@blocklet/meta":"1.16.37","@blocklet/resolver":"1.16.37","@blocklet/sdk":"1.16.37","@blocklet/store":"1.16.37","@fidm/x509":"^1.2.1","@ocap/mcrypto":"1.19.9","@ocap/util":"1.19.9","@ocap/wallet":"1.19.9","@slack/webhook":"^5.0.4","archiver":"^7.0.1","axios":"^1.7.9","axon":"^2.0.3","chalk":"^4.1.2","cross-spawn":"^7.0.3","deep-diff":"^1.0.2","detect-port":"^1.5.1","envfile":"^7.1.0","escape-string-regexp":"^4.0.0","fast-glob":"^3.3.2","filesize":"^10.1.1","flat":"^5.0.2","fs-extra":"^11.2.0","get-port":"^5.1.1","hasha":"^5.2.2","is-base64":"^1.1.0","is-cidr":"4","is-ip":"3","is-url":"^1.2.4","joi":"17.12.2","joi-extension-semver":"^5.0.0","js-yaml":"^4.1.0","kill-port":"^2.0.1","lodash":"^4.17.21","lru-cache":"^11.0.2","node-stream-zip":"^1.15.0","p-all":"^3.0.0","p-limit":"^3.1.0","p-map":"^4.0.0","p-retry":"^4.6.2","read-last-lines":"^1.8.0","semver":"^7.6.3","sequelize":"^6.35.0","shelljs":"^0.8.5","ssri":"^8.0.1","stream-throttle":"^0.1.3","stream-to-promise":"^3.0.0","systeminformation":"^5.23.3","tail":"^2.2.4","tar":"^6.1.11","transliteration":"^2.3.5","ua-parser-js":"^1.0.2","ufo":"^1.5.3","uuid":"^9.0.1","valid-url":"^1.0.9","which":"^2.0.2","xbytes":"^1.8.0"},"devDependencies":{"expand-tilde":"^2.0.2","express":"^4.18.2","jest":"^29.7.0","unzipper":"^0.10.11"},"gitHead":"e5764f753181ed6a7c615cd4fc6682aacf0cb7cd"}');
+module.exports = /*#__PURE__*/JSON.parse('{"name":"@abtnode/core","publishConfig":{"access":"public"},"version":"1.16.38","description":"","main":"lib/index.js","files":["lib"],"scripts":{"lint":"eslint tests lib --ignore-pattern \'tests/assets/*\'","lint:fix":"eslint --fix tests lib","test":"node tools/jest.js","coverage":"npm run test -- --coverage"},"keywords":[],"author":"wangshijun <wangshijun2010@gmail.com> (http://github.com/wangshijun)","license":"Apache-2.0","dependencies":{"@abtnode/analytics":"1.16.38","@abtnode/auth":"1.16.38","@abtnode/certificate-manager":"1.16.38","@abtnode/constant":"1.16.38","@abtnode/cron":"1.16.38","@abtnode/docker-utils":"1.16.38","@abtnode/logger":"1.16.38","@abtnode/models":"1.16.38","@abtnode/queue":"1.16.38","@abtnode/rbac":"1.16.38","@abtnode/router-provider":"1.16.38","@abtnode/static-server":"1.16.38","@abtnode/timemachine":"1.16.38","@abtnode/util":"1.16.38","@arcblock/did":"1.19.9","@arcblock/did-auth":"1.19.9","@arcblock/did-ext":"^1.19.9","@arcblock/did-motif":"^1.1.13","@arcblock/did-util":"1.19.9","@arcblock/event-hub":"1.19.9","@arcblock/jwt":"^1.19.9","@arcblock/pm2-events":"^0.0.5","@arcblock/validator":"^1.19.9","@arcblock/vc":"1.19.9","@blocklet/constant":"1.16.38","@blocklet/did-space-js":"^1.0.9","@blocklet/env":"1.16.38","@blocklet/meta":"1.16.38","@blocklet/resolver":"1.16.38","@blocklet/sdk":"1.16.38","@blocklet/store":"1.16.38","@fidm/x509":"^1.2.1","@ocap/mcrypto":"1.19.9","@ocap/util":"1.19.9","@ocap/wallet":"1.19.9","@slack/webhook":"^5.0.4","archiver":"^7.0.1","axios":"^1.7.9","axon":"^2.0.3","chalk":"^4.1.2","cross-spawn":"^7.0.3","deep-diff":"^1.0.2","detect-port":"^1.5.1","envfile":"^7.1.0","escape-string-regexp":"^4.0.0","fast-glob":"^3.3.2","filesize":"^10.1.1","flat":"^5.0.2","rate-limiter-flexible":"^5.0.5","fs-extra":"^11.2.0","get-port":"^5.1.1","hasha":"^5.2.2","is-base64":"^1.1.0","is-cidr":"4","is-ip":"3","is-url":"^1.2.4","joi":"17.12.2","joi-extension-semver":"^5.0.0","js-yaml":"^4.1.0","kill-port":"^2.0.1","lodash":"^4.17.21","lru-cache":"^11.0.2","node-stream-zip":"^1.15.0","p-all":"^3.0.0","p-limit":"^3.1.0","p-map":"^4.0.0","p-retry":"^4.6.2","read-last-lines":"^1.8.0","semver":"^7.6.3","sequelize":"^6.35.0","shelljs":"^0.8.5","ssri":"^8.0.1","stream-throttle":"^0.1.3","stream-to-promise":"^3.0.0","systeminformation":"^5.23.3","tail":"^2.2.4","tar":"^6.1.11","transliteration":"^2.3.5","ua-parser-js":"^1.0.2","ufo":"^1.5.3","uuid":"^9.0.1","valid-url":"^1.0.9","which":"^2.0.2","xbytes":"^1.8.0"},"devDependencies":{"expand-tilde":"^2.0.2","express":"^4.18.2","jest":"^29.7.0","unzipper":"^0.10.11"},"gitHead":"e5764f753181ed6a7c615cd4fc6682aacf0cb7cd"}');
 
 /***/ }),
 

package/lib/index.js

@@ -42,6 +42,7 @@ const getMetaFromUrl = require('./util/get-meta-from-url');
 const getDynamicComponents = require('./util/get-dynamic-components');
 const SecurityAPI = require('./blocklet/security');
 const dockerRestartAllContainers = require('./util/docker/docker-restart-all-containers');
+const RouterBlocker = require('./router/security/blocker');
 
 /**
  * @typedef {{} & import('./api/team')}} TNode
@@ -275,6 +276,7 @@ function ABTNode(options) {
     deleteRoutingRule,
     addDomainAlias,
     deleteDomainAlias,
+    getGatewayBlacklist,
   } = getRouterHelpers({
     dataDirs,
     routingSnapshot,
@@ -590,6 +592,7 @@ function ABTNode(options) {
     addDomainAlias,
     deleteDomainAlias,
     isDidDomain: routerManager.isDidDomain.bind(routerManager),
+    getGatewayBlacklist,
 
     getRoutingProviders: () => listProviders(dataDirs.router),
     checkDomains: domainStatus.checkDomainsStatus.bind(domainStatus),
@@ -704,6 +707,7 @@ function ABTNode(options) {
         LogRotator.getCron(),
         ...getStateCrons(states),
         ...nodeAPI.getCrons(),
+        ...RouterBlocker.getSecurityCrons(),
       ].filter((x) => options.daemon || (options.service && get(x, 'options.runInService'))),
       onError: (error, name) => {
         states.notification.create({

package/lib/router/helper.js

@@ -9,7 +9,9 @@ const isUrl = require('is-url');
 const get = require('lodash/get');
 const cloneDeep = require('lodash/cloneDeep');
 const groupBy = require('lodash/groupBy');
+const uniq = require('lodash/uniq');
 const isEqual = require('lodash/isEqual');
+const countBy = require('lodash/countBy');
 const { joinURL } = require('ufo');
 const {
   replaceSlotToIp,
@@ -47,6 +49,7 @@ const {
   LOG_RETAIN_IN_DAYS,
   EVENTS,
   DEFAULT_IP_DOMAIN,
+  WELLKNOWN_BLACKLIST_PREFIX,
 } = require('@abtnode/constant');
 const {
   BLOCKLET_DYNAMIC_PATH_PREFIX,
@@ -75,7 +78,10 @@ const { getFromCache: getAccessibleExternalNodeIp } = require('../util/get-acces
 
 const Router = require('./index');
 const states = require('../states');
-const monitor = require('../util/monitor');
+const monitor = require('./monitor');
+const scanner = require('./security/scanner');
+const blocker = require('./security/blocker');
+const { createLimiter } = require('./security/limiter');
 const {
   getBlockletDomainGroupName,
   getDidFromDomainGroupName,
@@ -840,6 +846,12 @@ module.exports = function getRouterHelpers({
         to: proxyTarget,
       };
 
+      const blacklistWellknownRule = {
+        isProtected: true,
+        from: { pathPrefix: WELLKNOWN_BLACKLIST_PREFIX },
+        to: proxyTarget,
+      };
+
       const acmeChallengeWellknownRule = {
         isProtected: true,
         from: { pathPrefix: WELLKNOWN_ACME_CHALLENGE_PREFIX },
@@ -849,9 +861,10 @@ module.exports = function getRouterHelpers({
       if (site) {
         const didResolverRuleUpdateRes = await upsertSiteRule({ site, rule: didResolverWellknownRule }, context);
         const acmeRuleUpdateRes = await upsertSiteRule({ site, rule: acmeChallengeWellknownRule }, context);
+        const blacklistUpdateRes = await upsertSiteRule({ site, rule: blacklistWellknownRule }, context);
         const pingRuleRes = await upsertSiteRule({ site, rule: pingWellknownRule }, context);
         const analyticsRuleRes = await upsertSiteRule({ site, rule: analyticsWellknownRule }, context);
-        return didResolverRuleUpdateRes || acmeRuleUpdateRes || pingRuleRes || analyticsRuleRes;
+        return didResolverRuleUpdateRes || acmeRuleUpdateRes || blacklistUpdateRes || pingRuleRes || analyticsRuleRes;
       }
 
       await routerManager.addRoutingSite(
@@ -860,7 +873,13 @@ module.exports = function getRouterHelpers({
             domain: DOMAIN_FOR_INTERNAL_SITE,
             port: await getWellknownSitePort(),
             name: NAME_FOR_WELLKNOWN_SITE,
-            rules: [didResolverWellknownRule, acmeChallengeWellknownRule, pingWellknownRule, analyticsWellknownRule],
+            rules: [
+              didResolverWellknownRule,
+              acmeChallengeWellknownRule,
+              blacklistWellknownRule,
+              pingWellknownRule,
+              analyticsWellknownRule,
+            ],
             isProtected: true,
           },
           skipCheckDynamicBlacklist: true,
@@ -1302,6 +1321,81 @@ module.exports = function getRouterHelpers({
   }
 
   const providers = {}; // we need to keep reference for different router instances
+
+  const startAccessLogWatcher = (info) => {
+    const providerName = get(info, 'routing.provider', null);
+    if (!providerName || !providers[providerName]) {
+      return;
+    }
+
+    if (daemon && process.env.ABT_NODE_MONITOR_GATEWAY_5XX === '1') {
+      monitor.stopLogWatcher();
+      const logs = providers[providerName].getLogFilesForToday();
+      monitor.startLogWatcher(logs.access, (logEntries) => {
+        notification.create({
+          title: 'Server 5xx Alert',
+          description: `5xx request detected: ${JSON.stringify(logEntries.slice(0, 1), null, 2)}`,
+          entityType: 'server',
+          severity: 'error',
+          sticky: true,
+        });
+      });
+    }
+  };
+
+  const startErrorLogWatcher = async (info, shouldScheduleReload = false) => {
+    const providerName = get(info, 'routing.provider', null);
+    if (!providerName || !providers[providerName]) {
+      return;
+    }
+
+    if (daemon && info.routing.blockPolicy?.autoBlocking?.enabled && providers[providerName].supportsModSecurity()) {
+      scanner.stopLogWatcher();
+      const logs = providers[providerName].getLogFilesForToday();
+      const limiter = createLimiter(info.routing.blockPolicy.autoBlocking);
+      scanner.startLogWatcher(logs.error, async (logEntries) => {
+        const blocked = [];
+        const grouped = countBy(logEntries, 'ip');
+        for (const [ip, count] of Object.entries(grouped)) {
+          // eslint-disable-next-line no-await-in-loop
+          const timeout = await limiter.check(ip, count);
+          if (timeout > 0) {
+            blocked.push(timeout);
+          }
+        }
+
+        logger.debug('router error detected', { logEntries, grouped, blocked, timestamp: dayjs().unix() });
+
+        if (blocked.length) {
+          providers[providerName].throttledReload();
+          // Reload 1 second after block expiration
+          uniq(blocked).forEach((timeout) => {
+            setTimeout(() => {
+              logger.info('router reload on block expire', { timeout, timestamp: dayjs().unix() });
+              providers[providerName].throttledReload();
+            }, timeout + 1000);
+          });
+        }
+      });
+    }
+
+    // Schedule router reload for active blacklist
+    if (daemon && shouldScheduleReload) {
+      const blacklist = await blocker.getActiveBlacklist(false);
+      if (blacklist.length) {
+        logger.info('schedule router reload for active blacklist', blacklist);
+        const now = dayjs().unix();
+        blacklist.forEach((x) => {
+          const timeout = x.expiresAt - now + 1;
+          setTimeout(() => {
+            logger.info('router reload on block expire', { ip: x.key });
+            providers[providerName].throttledReload();
+          }, timeout * 1000);
+        });
+      }
+    }
+  };
+
   const handleRouting = async (nodeInfo) => {
     const now = Date.now();
     logger.info('start handle routing');
@@ -1315,6 +1409,8 @@ module.exports = function getRouterHelpers({
       throw new Error(`${providerName} pre-check failed, ${checkResult.error}`);
     }
 
+    const shouldScheduleReload = !providers[providerName];
+
     if (providers[providerName]) {
       await providers[providerName].reload();
     } else {
@@ -1364,19 +1460,8 @@ module.exports = function getRouterHelpers({
       await providers[providerName].start();
     }
 
-    if (daemon && process.env.ABT_NODE_MONITOR_GATEWAY_5XX === '1') {
-      monitor.stopLogWatcher();
-      const logs = providers[providerName].getLogFilesForToday();
-      monitor.startLogWatcher(logs.access, (logEntries) => {
-        notification.create({
-          title: 'Server 5xx Alert',
-          description: `5xx request detected: ${JSON.stringify(logEntries.slice(0, 1), null, 2)}`,
-          entityType: 'server',
-          severity: 'error',
-          sticky: true,
-        });
-      });
-    }
+    await startAccessLogWatcher(nodeInfo);
+    await startErrorLogWatcher(nodeInfo, shouldScheduleReload);
 
     logger.info('done handle routing', { cost: Date.now() - now });
   };
@@ -1386,20 +1471,9 @@ module.exports = function getRouterHelpers({
     const providerName = get(info, 'routing.provider', null);
 
     if (providerName && providers[providerName] && typeof providers[providerName].rotateLogs === 'function') {
-      monitor.stopLogWatcher();
       await providers[providerName].rotateLogs({ retain: LOG_RETAIN_IN_DAYS });
-      if (daemon && process.env.ABT_NODE_MONITOR_GATEWAY_5XX === '1') {
-        const logs = providers[providerName].getLogFilesForToday();
-        monitor.startLogWatcher(logs.access, (logEntries) => {
-          notification.create({
-            title: 'Server 5xx Alert',
-            description: `5xx request detected: ${JSON.stringify(logEntries.slice(0, 1), null, 2)}`,
-            entityType: 'server',
-            severity: 'error',
-            sticky: true,
-          });
-        });
-      }
+      await startAccessLogWatcher(info);
+      await startErrorLogWatcher(info);
     }
   };
 
@@ -1692,6 +1766,21 @@ module.exports = function getRouterHelpers({
   // @ts-ignore
   const gatewayBlacklistRefreshInterval = +process.env.ABT_NODE_BLACKLIST_REFRESH_INTERVAL || 2;
 
+  const getGatewayBlacklist = async (type = 'both') => {
+    const info = await nodeState.read();
+    const blockPolicy = info.routing.blockPolicy || { enabled: false, blacklist: [] };
+    const blacklist = await expandBlacklist(blockPolicy.blacklist);
+    const blockedIps = await blocker.getActiveBlacklist();
+    if (type === 'both') {
+      return uniq([...blacklist, ...blockedIps]);
+    }
+    if (type === 'dynamic') {
+      return uniq([...blockedIps]);
+    }
+
+    return uniq([...blacklist]);
+  };
+
   return {
     ensureDashboardRouting,
     ensureBlockletRouting,
@@ -1748,6 +1837,7 @@ module.exports = function getRouterHelpers({
     addDomainAlias,
     deleteDomainAlias,
     isGatewayCacheEnabled,
+    getGatewayBlacklist,
   };
 };
 

package/lib/router/index.js

@@ -1,4 +1,6 @@
 const get = require('lodash/get');
+const uniq = require('lodash/uniq');
+const throttle = require('lodash/throttle');
 const pick = require('lodash/pick');
 const isEqual = require('lodash/isEqual');
 const cloneDeep = require('lodash/cloneDeep');
@@ -17,6 +19,7 @@ const logger = require('@abtnode/logger')('@abtnode/core:router');
 
 const { isGatewayCacheEnabled, isBlockletSite } = require('../util');
 const { expandBlacklist } = require('../util/router');
+const { getActiveBlacklist } = require('./security/blocker');
 const IP = require('../util/ip');
 
 const isServiceFeDevelopment = process.env.ABT_NODE_SERVICE_FE_PORT;
@@ -101,6 +104,9 @@ class Router {
     this.provider = provider;
     this.getRoutingParams = getRoutingParams;
     this.routingTable = [];
+
+    this.throttledReload = throttle(() => this.reload(), 5000, { leading: true, trailing: true });
+    this.throttledRestart = throttle(() => this.restart(), 5000, { leading: true, trailing: true });
   }
 
   async updateRoutingTable() {
@@ -128,6 +134,12 @@ class Router {
       if (result?.internal) {
         blockPolicy.blacklist = blockPolicy.blacklist.filter((x) => x !== result.internal);
       }
+
+      // Append blocked ips from database
+      const blockedIps = await getActiveBlacklist();
+      logger.info('router auto blocked ips', blockedIps);
+
+      blockPolicy.blacklist = uniq([...blockPolicy.blacklist, ...blockedIps]);
     }
 
     const proxyPolicy = nodeInfo.routing.proxyPolicy || {
@@ -141,7 +153,7 @@ class Router {
       enabled: false,
       mode: 'DetectionOnly',
       inboundAnomalyScoreThreshold: 10,
-      outboundAnomalyScoreThreshold: 4,
+      outboundAnomalyScoreThreshold: 10,
     };
 
     await this.provider.update({
@@ -212,6 +224,10 @@ class Router {
   clearCache(group) {
     return this.provider.clearCache(group);
   }
+
+  supportsModSecurity() {
+    return !!this.provider.capabilities?.modsecurity;
+  }
 }
 
 Router.formatSites = (sites = []) => {

package/lib/router/monitor.js

@@ -0,0 +1,55 @@
+const { createLogWatcher } = require('./watcher');
+
+// Function to parse the log entry and extract relevant information
+function parseLogEntry(line, check = true) {
+  const regex =
+    /^(\S+) - (\S+) \[([^\]]+)\] (\S+) "([^"]+)" "([^"]+)" (\d{3}) (\d+) "(.*?)" "(.*?)" "(.*?)" rt="(\S+)" uid="(.+?)" uos="(.+?)" uct="(\S+)" uht="(\S+)" urt="(\S+)"/;
+  const match = line.match(regex);
+  if (match) {
+    const logEntry = {
+      ip: match[1],
+      remoteUser: match[2],
+      timeIso8601: match[3],
+      requestId: match[4],
+      host: match[5],
+      request: match[6],
+      status: parseInt(match[7], 10),
+      bodyBytesSent: parseInt(match[8], 10),
+      referer: match[9],
+      userAgent: match[10],
+      forwardedFor: match[11],
+      requestTime: parseFloat(match[12]),
+      connectedDid: match[13],
+      connectedWalletOs: match[14],
+      upstreamConnectTime: parseFloat(match[15]),
+      upstreamHeaderTime: parseFloat(match[16]),
+      upstreamResponseTime: parseFloat(match[17]),
+    };
+
+    if (!check) {
+      return logEntry;
+    }
+
+    if (
+      logEntry.status >= 500 &&
+      logEntry.status !== 503 &&
+      logEntry.status <= 599 &&
+      logEntry.request.includes('/.well-known/did.json') === false &&
+      logEntry.request.includes('/websocket?token=') === false &&
+      logEntry.request.includes('/.well-known/service/health') === false
+    ) {
+      console.warn(`5xx request detected: ${logEntry.host}`, line);
+      return logEntry;
+    }
+  }
+
+  return null;
+}
+
+const logWatcher = createLogWatcher(parseLogEntry);
+
+module.exports = {
+  parseLogEntry,
+  startLogWatcher: logWatcher.start,
+  stopLogWatcher: logWatcher.stop,
+};

package/lib/router/security/blocker.js

@@ -0,0 +1,27 @@
+const { BLACKLIST_SCOPE } = require('@abtnode/constant');
+const logger = require('@abtnode/logger')('@abtnode/core:router:security:blocker');
+
+const states = require('../../states');
+
+async function cleanupExpiredBlacklist() {
+  const result = await states.blacklist.removeExpiredByScope(BLACKLIST_SCOPE.ROUTER);
+  logger.info('Cleanup router blacklists', { result });
+}
+
+async function getActiveBlacklist(justIp = true) {
+  const result = await states.blacklist.findActiveByScope(BLACKLIST_SCOPE.ROUTER);
+  return justIp ? result.map((item) => item.key) : result;
+}
+
+module.exports = {
+  getActiveBlacklist,
+  cleanupExpiredBlacklist,
+  getSecurityCrons: () => [
+    {
+      name: 'cleanup-router-blacklist',
+      time: '0 0 * * * *', // refresh blocking list every hour
+      fn: cleanupExpiredBlacklist,
+      options: { runOnInit: process.env.ABT_NODE_JOB_NAME === 'cleanup-router-blacklist' },
+    },
+  ],
+};

package/lib/router/security/limiter.js

@@ -0,0 +1,54 @@
+// FIXME: use a crash safe store for the limiter
+const dayjs = require('@abtnode/util/lib/dayjs');
+const { BLACKLIST_SCOPE } = require('@abtnode/constant');
+const { RateLimiterMemory } = require('rate-limiter-flexible');
+
+const logger = require('@abtnode/logger')('@abtnode/core:router:security:limiter');
+
+const states = require('../../states');
+
+/**
+ * Create a rate limiter for suspicious requests.
+ * https://github.com/animir/node-rate-limiter-flexible/wiki/Options
+ *
+ * @param {{
+ *   windowSize: number;
+ *   windowQuota: number;
+ *   blockDuration: number;
+ * }} options
+ * @returns {{ check: (ip: string, points?: number) => Promise<number> }}
+ */
+function createLimiter(options) {
+  const limiter = new RateLimiterMemory({
+    points: options.windowQuota,
+    duration: options.windowSize,
+    blockDuration: options.blockDuration,
+  });
+
+  logger.info('Rate limiter created', { options });
+
+  const check = async (ip, points = 1) => {
+    try {
+      const result = await limiter.consume(ip, points);
+      logger.debug('Rate limit not exceeded', { ip, result });
+    } catch (err) {
+      logger.info('Rate limit has exceeded', { ip, err });
+      const expiresAt = dayjs().add(err.msBeforeNext, 'ms').unix();
+      const added = await states.blacklist.addItem(BLACKLIST_SCOPE.ROUTER, ip, expiresAt);
+      if (added) {
+        logger.info('User IP blocked', { ip, expiresAt });
+        return err.msBeforeNext;
+      }
+    }
+
+    return 0;
+  };
+
+  return {
+    check,
+  };
+}
+
+module.exports = {
+  createLimiter,
+};

package/lib/router/security/scanner.js

@@ -0,0 +1,46 @@
+const { createLogWatcher } = require('../watcher');
+
+// Function to parse the log entry and extract relevant information
+function parseLogEntry(line) {
+  // Quick check before regex
+  if (!line.includes('ModSecurity:')) {
+    return null;
+  }
+
+  const pattern =
+    /^(\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2}).*\[error\].*\[client (\d+\.\d+\.\d+\.\d+)\].*ModSecurity:.*\[id "(\d+)"\].*\[unique_id "([^"]+)"\]/;
+
+  const match = line.match(pattern);
+  if (match) {
+    const logEntry = {
+      type: 'modsecurity',
+      timestamp: match[1],
+      ip: match[2],
+      ruleId: match[3],
+      requestId: match[4],
+    };
+
+    // Ignore old log entries
+    if (process.env.NODE_ENV === 'test') {
+      return logEntry;
+    }
+
+    const now = Date.now();
+    const timestamp = new Date(match[1]).getTime();
+    if (now - timestamp > 1000) {
+      return null;
+    }
+
+    return logEntry;
+  }
+
+  return null;
+}
+
+const logWatcher = createLogWatcher(parseLogEntry);
+
+module.exports = {
+  parseLogEntry,
+  startLogWatcher: logWatcher.start,
+  stopLogWatcher: logWatcher.stop,
+};

package/lib/router/watcher.js

@@ -0,0 +1,135 @@
+/* eslint-disable no-await-in-loop */
+const fs = require('fs');
+
+const THROTTLE_DELAY = 1000; // 1 second throttle
+
+async function readLogFile(filePath, startPosition = 0) {
+  let fd = null;
+  try {
+    if (!fs.existsSync(filePath)) {
+      return { lines: [], fileSize: 0 };
+    }
+
+    const realPath = await fs.promises.realpath(filePath);
+    fd = await fs.promises.open(realPath, 'r');
+    const stats = await fd.stat();
+    const fileSize = stats.size;
+
+    if (startPosition < 0) {
+      // eslint-disable-next-line no-param-reassign
+      startPosition = Math.max(0, fileSize + startPosition);
+    }
+
+    if (startPosition >= fileSize) {
+      return { lines: [], fileSize };
+    }
+
+    const readSize = fileSize - startPosition;
+    if (readSize <= 0) {
+      return { lines: [], fileSize };
+    }
+
+    const buffer = Buffer.alloc(readSize);
+    const { bytesRead } = await fd.read(buffer, 0, readSize, startPosition);
+    const content = buffer.slice(0, bytesRead).toString();
+
+    const lines = content
+      .split('\n')
+      .map((line) => line.trim())
+      .filter(Boolean);
+
+    return { lines, fileSize };
+  } finally {
+    if (fd) {
+      await fd.close();
+    }
+  }
+}
+
+// A generic log watcher that can be used for different log formats
+function createLogWatcher(parseLogEntry, throttleDelay = THROTTLE_DELAY) {
+  let watcher;
+  process.on('SIGINT', () => {
+    watcher?.close();
+  });
+
+  process.on('SIGTERM', () => {
+    watcher?.close();
+  });
+
+  function start(logFilePath, onLogEntry, initialBufferSize = 1024) {
+    if (!fs.existsSync(logFilePath)) {
+      console.error(`Log file ${logFilePath} does not exist`);
+      return;
+    }
+
+    console.warn(`Start watching ${logFilePath}...`);
+
+    let isProcessing = false;
+    let isFirstRun = true;
+    let timeoutId = null;
+    let lastProcessedPosition = 0;
+
+    async function processLogChanges() {
+      isProcessing = true;
+      try {
+        const { lines, fileSize } = await readLogFile(
+          logFilePath,
+          isFirstRun ? -initialBufferSize : lastProcessedPosition
+        );
+        const entries = [];
+
+        for (const line of lines) {
+          const logEntry = parseLogEntry(line);
+          if (logEntry) {
+            entries.push(logEntry);
+          }
+        }
+
+        if (entries.length > 0) {
+          onLogEntry(entries);
+        }
+
+        lastProcessedPosition = fileSize;
+        isFirstRun = false;
+      } catch (error) {
+        console.error(`Error reading log file ${logFilePath}`, error);
+      } finally {
+        isProcessing = false;
+      }
+    }
+
+    watcher = fs.watch(logFilePath, { persistent: true }, async (eventType, filename) => {
+      if (!filename || eventType !== 'change') return;
+
+      // Clear any pending timeout
+      if (timeoutId) {
+        clearTimeout(timeoutId);
+      }
+
+      // If already processing, schedule for later
+      if (isProcessing) {
+        timeoutId = setTimeout(() => {
+          processLogChanges();
+        }, throttleDelay);
+        return;
+      }
+
+      await processLogChanges();
+    });
+  }
+
+  function stop() {
+    watcher?.close();
+  }
+
+  return {
+    start,
+    stop,
+  };
+}
+
+module.exports = {
+  createLogWatcher,
+  readLogFile,
+};

package/lib/states/audit-log.js

@@ -5,6 +5,7 @@ const get = require('lodash/get');
 const uniq = require('lodash/uniq');
 const isEqual = require('lodash/isEqual');
 const { joinURL } = require('ufo');
+const { Op } = require('sequelize');
 const { getDisplayName } = require('@blocklet/meta/lib/util');
 const { BLOCKLET_SITE_GROUP_SUFFIX, NODE_SERVICES, WHO_CAN_ACCESS } = require('@abtnode/constant');
 const logger = require('@abtnode/logger')('@abtnode/core:states:audit-log');
@@ -706,12 +707,37 @@ class AuditLogState extends BaseState {
 
         fixActor(user);
 
+        const content = (await getLogContent(action, args, context, result, info, node)).trim();
+        const actor = pick(user.actual || user, ['did', 'fullName', 'role']);
+
+        const teamDid = user.blockletDid || args.teamDid || get(args, 'did.0');
+        const userDid = user.did || args.userDid || get(args, 'user.did') || args.ownerDid;
+        if (teamDid && userDid && teamDid !== userDid) {
+          try {
+            const fullUser = await node.getUser({
+              teamDid,
+              user: { did: userDid },
+              options: {
+                enableConnectedAccount: true,
+              },
+            });
+            actor.avatar = fullUser?.avatar || '';
+            if (!actor.fullName) {
+              actor.fullName = fullUser?.fullName || '';
+            }
+          } catch (err) {
+            logger.error('get user info error', err);
+          }
+        } else {
+          actor.avatar = '';
+        }
+
         const data = await this.insert({
           scope: getScope(args) || info.did, // server or blocklet did
           action,
           category: await getLogCategory(action),
-          content: (await getLogContent(action, args, context, result, info, node)).trim(),
-          actor: pick(user.actual || user, ['did', 'fullName', 'role']),
+          content: content.slice(0, 10 * 1000),
+          actor,
           extra: args,
           env: pick(uaInfo, ['browser', 'os', 'device']),
           ip,
@@ -727,13 +753,21 @@ class AuditLogState extends BaseState {
     });
   }
 
-  findPaginated({ scope, category, paging } = {}) {
-    const conditions = {};
+  findPaginated({ scope, category, actionOrContent, paging } = {}) {
+    const conditions = {
+      where: {},
+    };
     if (scope) {
-      conditions.scope = scope;
+      conditions.where.scope = scope;
     }
     if (category) {
-      conditions.category = category;
+      conditions.where.category = category;
+    }
+    if (actionOrContent) {
+      conditions.where[Op.or] = [
+        { action: { [Op.like]: `%${actionOrContent}%` } },
+        { content: { [Op.like]: `%${actionOrContent}%` } },
+      ];
     }
 
     return super.paginate(conditions, { createdAt: -1 }, { pageSize: 20, ...paging });

package/lib/states/blacklist.js

@@ -0,0 +1,46 @@
+const { Op } = require('sequelize');
+const dayjs = require('@abtnode/util/lib/dayjs');
+const logger = require('@abtnode/logger')('@abtnode/core:state:blacklist');
+
+const BaseState = require('./base');
+
+/**
+ * This db is used to save blacklist data.
+ * @extends BaseState<import('@abtnode/models').BlacklistState>
+ */
+class BlacklistState extends BaseState {
+  findActiveByScope(scope) {
+    const now = dayjs().unix();
+    return this.find({ where: { scope, expiresAt: { [Op.gt]: now } } });
+  }
+
+  removeExpiredByScope(scope) {
+    const now = dayjs().unix();
+    return this.remove({ where: { scope, expiresAt: { [Op.lte]: now } } });
+  }
+
+  async addItem(scope, key, expiresAt) {
+    const now = dayjs().unix();
+    if (expiresAt < now) {
+      return false;
+    }
+
+    const exist = await this.findOne({ where: { scope, key } });
+    if (exist) {
+      if (exist.expiresAt >= now) {
+        logger.debug('reuse existing item', { exist, scope, key, expiresAt });
+        return false;
+      }
+
+      // if the item is expired, remove it
+      logger.debug('remove expired item on add', { exist });
+      await this.remove({ where: { scope, key } });
+    }
+
+    logger.debug('add new item', { scope, key, expiresAt });
+    await this.insert({ scope, key, expiresAt });
+    return true;
+  }
+}
+
+module.exports = BlacklistState;

package/lib/states/index.js

@@ -17,6 +17,7 @@ const JobState = require('./job');
 const BackupState = require('./backup');
 const TrafficInsightState = require('./traffic-insight');
 const RuntimeInsightState = require('./runtime-insight');
+const BlacklistState = require('./blacklist');
 
 const { getDbFilePath } = require('../util');
 
@@ -44,6 +45,7 @@ const init = (dataDirs, config = {}) => {
   const backupState = new BackupState(models.Backup, config);
   const trafficInsight = new TrafficInsightState(models.TrafficInsight, config);
   const runtimeInsight = new RuntimeInsightState(models.RuntimeInsight, { ...config, maxPageSize: 8640 });
+  const blacklistState = new BlacklistState(models.Blacklist, config);
 
   return {
     node: nodeState,
@@ -61,6 +63,7 @@ const init = (dataDirs, config = {}) => {
     backup: backupState,
     trafficInsight,
     runtimeInsight,
+    blacklist: blacklistState,
   };
 };
 /**
@@ -72,6 +75,7 @@ const init = (dataDirs, config = {}) => {
  *  notificationReceiver: import('./notification-receiver'),
  *  job: import('./job'),
  *  node: import('./node'),
+ *  blacklist: import('./blacklist'),
  *  [key: string]: any
  * }}
  */

package/lib/validators/node.js

@@ -106,6 +106,19 @@ const updateGatewaySchema = Joi.object({
       .optional()
       .max(256)
       .default([]),
+    autoBlocking: Joi.object({
+      enabled: Joi.boolean().optional().default(false),
+      windowSize: Joi.number().integer().min(1).default(1), // in seconds
+      windowQuota: Joi.number().integer().min(2).default(5), // number of requests
+      statusCodes: Joi.array().items(Joi.number().integer().min(100).max(599)).default([403]), // status codes to check
+      blockDuration: Joi.number().integer().min(60).default(3600), // in seconds
+    }).default({
+      enabled: false,
+      windowSize: 1,
+      windowQuota: 5,
+      statusCodes: [403],
+      blockDuration: 3600,
+    }),
   }),
   proxyPolicy: Joi.object({
     enabled: Joi.boolean().optional().default(false),

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.38",
+  "version": "1.16.39-beta-20250209-032436-5ceca2cb",
   "description": "",
   "main": "lib/index.js",
   "files": [
@@ -19,20 +19,20 @@
   "author": "wangshijun <wangshijun2010@gmail.com> (http://github.com/wangshijun)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/analytics": "1.16.38",
-    "@abtnode/auth": "1.16.38",
-    "@abtnode/certificate-manager": "1.16.38",
-    "@abtnode/constant": "1.16.38",
-    "@abtnode/cron": "1.16.38",
-    "@abtnode/docker-utils": "1.16.38",
-    "@abtnode/logger": "1.16.38",
-    "@abtnode/models": "1.16.38",
-    "@abtnode/queue": "1.16.38",
-    "@abtnode/rbac": "1.16.38",
-    "@abtnode/router-provider": "1.16.38",
-    "@abtnode/static-server": "1.16.38",
-    "@abtnode/timemachine": "1.16.38",
-    "@abtnode/util": "1.16.38",
+    "@abtnode/analytics": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/auth": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/certificate-manager": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/constant": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/cron": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/docker-utils": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/logger": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/models": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/queue": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/rbac": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/router-provider": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/static-server": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/timemachine": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@abtnode/util": "1.16.39-beta-20250209-032436-5ceca2cb",
     "@arcblock/did": "1.19.9",
     "@arcblock/did-auth": "1.19.9",
     "@arcblock/did-ext": "^1.19.9",
@@ -43,13 +43,13 @@
     "@arcblock/pm2-events": "^0.0.5",
     "@arcblock/validator": "^1.19.9",
     "@arcblock/vc": "1.19.9",
-    "@blocklet/constant": "1.16.38",
+    "@blocklet/constant": "1.16.39-beta-20250209-032436-5ceca2cb",
     "@blocklet/did-space-js": "^1.0.9",
-    "@blocklet/env": "1.16.38",
-    "@blocklet/meta": "1.16.38",
-    "@blocklet/resolver": "1.16.38",
-    "@blocklet/sdk": "1.16.38",
-    "@blocklet/store": "1.16.38",
+    "@blocklet/env": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@blocklet/meta": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@blocklet/resolver": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@blocklet/sdk": "1.16.39-beta-20250209-032436-5ceca2cb",
+    "@blocklet/store": "1.16.39-beta-20250209-032436-5ceca2cb",
     "@fidm/x509": "^1.2.1",
     "@ocap/mcrypto": "1.19.9",
     "@ocap/util": "1.19.9",
@@ -85,6 +85,7 @@
     "p-limit": "^3.1.0",
     "p-map": "^4.0.0",
     "p-retry": "^4.6.2",
+    "rate-limiter-flexible": "^5.0.5",
     "read-last-lines": "^1.8.0",
     "semver": "^7.6.3",
     "sequelize": "^6.35.0",
@@ -109,5 +110,5 @@
     "jest": "^29.7.0",
     "unzipper": "^0.10.11"
   },
-  "gitHead": "c75b3026d0e3fa45ccc2af00e2a85962bf5d17af"
+  "gitHead": "949581a46cec2ebfb656a42632ca550ed3b0ba70"
 }

package/lib/util/monitor.js

@@ -1,167 +0,0 @@
-/* eslint-disable no-await-in-loop */
-const fs = require('fs');
-
-const THROTTLE_DELAY = 1000; // 1 second throttle
-
-// Function to parse the log entry and extract relevant information
-function parseLogEntry(line) {
-  const regex =
-    /^(\S+) - (\S+) \[([^\]]+)\] (\S+) "([^"]+)" "([^"]+)" (\d{3}) (\d+) "(.*?)" "(.*?)" "(.*?)" rt="(\S+)" uid="(.+?)" uos="(.+?)" uct="(\S+)" uht="(\S+)" urt="(\S+)"/;
-  const match = line.match(regex);
-  if (match) {
-    return {
-      ip: match[1],
-      remoteUser: match[2],
-      timeIso8601: match[3],
-      requestId: match[4],
-      host: match[5],
-      request: match[6],
-      status: parseInt(match[7], 10),
-      bodyBytesSent: parseInt(match[8], 10),
-      referer: match[9],
-      userAgent: match[10],
-      forwardedFor: match[11],
-      requestTime: parseFloat(match[12]),
-      connectedDid: match[13],
-      connectedWalletOs: match[14],
-      upstreamConnectTime: parseFloat(match[15]),
-      upstreamHeaderTime: parseFloat(match[16]),
-      upstreamResponseTime: parseFloat(match[17]),
-    };
-  }
-  return null;
-}
-
-async function readLogFile(filePath, startPosition = 0) {
-  let fd = null;
-  try {
-    if (!fs.existsSync(filePath)) {
-      return { lines: [], fileSize: 0 };
-    }
-
-    const realPath = await fs.promises.realpath(filePath);
-    fd = await fs.promises.open(realPath, 'r');
-    const stats = await fd.stat();
-    const fileSize = stats.size;
-
-    if (startPosition < 0) {
-      // eslint-disable-next-line no-param-reassign
-      startPosition = Math.max(0, fileSize + startPosition);
-    }
-
-    if (startPosition >= fileSize) {
-      return { lines: [], fileSize };
-    }
-
-    const readSize = fileSize - startPosition;
-    if (readSize <= 0) {
-      return { lines: [], fileSize };
-    }
-
-    const buffer = Buffer.alloc(readSize);
-    const { bytesRead } = await fd.read(buffer, 0, readSize, startPosition);
-    const content = buffer.slice(0, bytesRead).toString();
-
-    const lines = content
-      .split('\n')
-      .map((line) => line.trim())
-      .filter(Boolean);
-
-    return { lines, fileSize };
-  } finally {
-    if (fd) {
-      await fd.close();
-    }
-  }
-}
-
-let watcher;
-process.on('SIGINT', () => {
-  watcher?.close();
-});
-
-process.on('SIGTERM', () => {
-  watcher?.close();
-});
-
-function startLogWatcher(logFilePath, onLogEntry, initialBufferSize = 10240) {
-  if (!fs.existsSync(logFilePath)) {
-    console.error(`Log file ${logFilePath} does not exist`);
-    return;
-  }
-
-  console.warn(`Start watching ${logFilePath} for 5xx requests...`);
-
-  let isProcessing = false;
-  let isFirstRun = true;
-  let timeoutId = null;
-  let lastProcessedPosition = 0;
-
-  async function processLogChanges() {
-    isProcessing = true;
-    try {
-      const { lines, fileSize } = await readLogFile(
-        logFilePath,
-        isFirstRun ? -initialBufferSize : lastProcessedPosition
-      );
-      const entries = [];
-
-      for (const line of lines) {
-        const logEntry = parseLogEntry(line);
-        if (
-          logEntry &&
-          logEntry.status >= 500 &&
-          logEntry.status !== 503 &&
-          logEntry.status <= 599 &&
-          logEntry.request.includes('/.well-known/did.json') === false &&
-          logEntry.request.includes('/websocket?token=') === false &&
-          logEntry.request.includes('/.well-known/service/health') === false
-        ) {
-          console.warn(`5xx request detected: ${logEntry.host}`, line);
-          entries.push(logEntry);
-        }
-      }
-
-      if (entries.length > 0) {
-        onLogEntry(entries);
-      }
-
-      lastProcessedPosition = fileSize;
-      isFirstRun = false;
-    } catch (error) {
-      console.error(`Error reading log file ${logFilePath}`, error);
-    } finally {
-      isProcessing = false;
-    }
-  }
-
-  watcher = fs.watch(logFilePath, { persistent: true }, async (eventType, filename) => {
-    if (!filename || eventType !== 'change') return;
-
-    // Clear any pending timeout
-    if (timeoutId) {
-      clearTimeout(timeoutId);
-    }
-
-    // If already processing, schedule for later
-    if (isProcessing) {
-      timeoutId = setTimeout(() => {
-        processLogChanges();
-      }, THROTTLE_DELAY);
-      return;
-    }
-
-    await processLogChanges();
-  });
-}
-
-function stopLogWatcher() {
-  watcher?.close();
-}
-
-module.exports = {
-  parseLogEntry,
-  readLogFile,
-  startLogWatcher,
-  stopLogWatcher,
-};