npm - @anomira/node-sdk - Versions diffs - 0.1.3 → 0.1.5 - Mend

@anomira/node-sdk 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.js CHANGED Viewed

@@ -195,18 +195,124 @@ async function checkGeoVelocity(userId, ip, tsMs, lookupUrl) {
 // src/sensitive.ts
 var PATTERNS = [
+  // ── Cryptographic keys and certificates ───────────────────────────────────
   {
-    // "password: abc123", "pwd=secret", or standalone "password123"
-    type: "password",
-    label: "Password / Secret",
-    regex: /\bpassword\w*|\b(?:passwd|pwd|pass|secret|credentials?)\s*[:=]\s*\S+/i
+    type: "private_key",
+    label: "Private Key",
+    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/
   },
   {
-    // Nigerian BVN / NIN — exactly 11 digits, not a phone number (phones start with 0)
-    type: "bvn",
-    label: "BVN / NIN",
-    regex: /\b[1-9]\d{10}\b/
+    type: "certificate",
+    label: "Certificate / Public Key",
+    regex: /-----BEGIN CERTIFICATE-----/
+  },
+  // ── Cloud provider credentials ────────────────────────────────────────────
+  {
+    // AWS access key ID — highly specific, almost no false positives
+    type: "aws_key",
+    label: "AWS Access Key",
+    regex: /\bAKIA[0-9A-Z]{16}\b/
+  },
+  {
+    // AWS secret access key — 40-char base64 string after keyword
+    type: "aws_secret",
+    label: "AWS Secret Key",
+    regex: /\b(?:aws[_-]?secret|AWS_SECRET_ACCESS_KEY)\s*[:=]\s*[A-Za-z0-9+/]{40}\b/i
+  },
+  {
+    // Google API key
+    type: "google_key",
+    label: "Google API Key",
+    regex: /\bAIza[0-9A-Za-z\-_]{35}\b/
+  },
+  {
+    // Google OAuth client secret
+    type: "google_oauth",
+    label: "Google OAuth Secret",
+    regex: /\bGOCSP[A-Za-z0-9\-_]{28}\b/
+  },
+  {
+    // Firebase server key
+    type: "firebase_key",
+    label: "Firebase Server Key",
+    regex: /\bAAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}\b/
   },
+  {
+    // Azure storage/connection string
+    type: "azure_key",
+    label: "Azure Key",
+    regex: /\bDefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[A-Za-z0-9+/=]{88}/
+  },
+  // ── Source control & CI tokens ────────────────────────────────────────────
+  {
+    // GitHub personal access tokens (classic and fine-grained)
+    type: "github_token",
+    label: "GitHub Token",
+    regex: /\b(?:ghp|gho|ghu|ghs|ghr|github_pat)_[A-Za-z0-9_]{36,255}\b/
+  },
+  {
+    // GitLab personal/project/group tokens
+    type: "gitlab_token",
+    label: "GitLab Token",
+    regex: /\bglpat-[A-Za-z0-9\-_]{20}\b/
+  },
+  {
+    // NPM access tokens
+    type: "npm_token",
+    label: "NPM Token",
+    regex: /\bnpm_[A-Za-z0-9]{36}\b/
+  },
+  // ── Payment providers ─────────────────────────────────────────────────────
+  {
+    // Stripe — secret, restricted, webhook keys
+    type: "stripe_key",
+    label: "Stripe Key",
+    regex: /\b(?:sk|rk|whsec)_(?:live|test)_[A-Za-z0-9]{24,}\b/
+  },
+  {
+    // Paystack secret/public keys
+    type: "paystack_key",
+    label: "Paystack Key",
+    regex: /\b(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{40,}\b/
+  },
+  {
+    // Card PANs: Visa (4), Mastercard (51-55), Amex (34/37), Discover (6011/65)
+    type: "card_pan",
+    label: "Card PAN",
+    regex: /\b(?:4[0-9]{15}|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/
+  },
+  // ── Communication & messaging ─────────────────────────────────────────────
+  {
+    // Slack bot/user/app tokens
+    type: "slack_token",
+    label: "Slack Token",
+    regex: /\bxox[baprs]-[0-9A-Za-z]{10,48}\b/
+  },
+  {
+    // Slack webhook URL
+    type: "slack_webhook",
+    label: "Slack Webhook URL",
+    regex: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/
+  },
+  {
+    // Twilio account SID and auth token
+    type: "twilio",
+    label: "Twilio Credential",
+    regex: /\bAC[a-z0-9]{32}\b|\bSK[a-z0-9]{32}\b/
+  },
+  {
+    // SendGrid / Brevo / Mailgun API keys
+    type: "email_provider_key",
+    label: "Email Provider API Key",
+    regex: /\bSG\.[A-Za-z0-9._-]{66}\b|\bkey-[0-9a-zA-Z]{32}\b/
+  },
+  // ── Database connection strings with embedded credentials ─────────────────
+  {
+    type: "db_connection",
+    label: "Database Connection String",
+    regex: /(?:postgresql|postgres|mysql|mongodb(?:\+srv)?|redis|amqp(?:s)?):\/\/[^:]+:[^@\s]{3,}@/i
+  },
+  // ── Auth tokens ───────────────────────────────────────────────────────────
   {
     // JWT — three base64url segments separated by dots
     type: "jwt",
@@ -214,36 +320,49 @@ var PATTERNS = [
     regex: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/
   },
   {
-    // API keys: sk_live_*, pk_live_*, or key/token/bearer label with long value
+    // Generic API key / token assigned to a keyword (must have 20+ char value)
     type: "api_key",
     label: "API Key / Token",
-    regex: /\b(?:sk|pk|rk)[-_](?:live|test|prod|secret)[-_][A-Za-z0-9]{16,}|\b(?:token|bearer|access_token|api_key)\s*[:=]\s*[A-Za-z0-9_./-]{20,}/i
+    regex: /\b(?:api[_-]?key|access[_-]?token|auth[_-]?token|bearer|client[_-]?secret)\s*[:=]\s*["']?[A-Za-z0-9_.\/+\-]{20,}["']?/i
   },
+  // ── Password fields ───────────────────────────────────────────────────────
   {
-    // Card PANs: Visa (4), Mastercard (51-55), Amex (34/37), Discover (6011/65)
-    type: "card_pan",
-    label: "Card PAN",
-    regex: /\b(?:4[0-9]{15}|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/
+    // Password/secret keyword immediately followed by a non-placeholder value
+    // Avoids false positives on "password: ${PASSWORD}" or "password: xxxx"
+    type: "password",
+    label: "Password / Secret",
+    regex: /\b(?:password|passwd|pwd|pass|secret|credentials?)\s*[:=]\s*["']?(?!\$\{)[^\s"'$]{6,}["']?/i
+  },
+  // ── Nigeria-specific PII ──────────────────────────────────────────────────
+  {
+    // BVN / NIN: 11 digits, first digit 1-9 (not a phone starting with 0)
+    // Require a non-digit boundary on both sides to reduce false positives
+    type: "bvn",
+    label: "BVN / NIN",
+    regex: /(?<!\d)[1-9]\d{10}(?!\d)/
   },
   {
     // Nigerian phone numbers: 080x, 081x, 070x, 090x, 091x — or with +234 prefix
     type: "ng_phone",
-    label: "Phone Number",
+    label: "Nigerian Phone Number",
     regex: /\b(?:\+?234|0)(?:7[0-9]|8[0-1]|9[0-1])\d{8}\b/
   },
+  // ── PII in credential context ─────────────────────────────────────────────
   {
-    // Email address appearing alongside other content — possible credential combo
-    // e.g. "john@test.com password123"
+    // Email only flagged when adjacent to a password/credential keyword
+    // Prevents false positives on normal email references in code
     type: "email_credential",
-    label: "Email in Log",
-    regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/
+    label: "Email + Password Combo",
+    regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\s+(?:password|passwd|pwd|secret|pass)\s*[:=]?\s*\S+/i
   }
 ];
 function scanForLeaks(message) {
+  const seen = /* @__PURE__ */ new Set();
   const found = [];
   for (const p of PATTERNS) {
     p.regex.lastIndex = 0;
-    if (p.regex.test(message)) {
+    if (p.regex.test(message) && !seen.has(p.type)) {
+      seen.add(p.type);
       found.push({ type: p.type, label: p.label });
     }
   }
@@ -293,6 +412,8 @@ var SentinelClient = class {
     this.logFlushTimer = null;
     this.blocklistTimer = null;
     this.firewallTimer = null;
+    /** True when credentials are missing — all operations become no-ops. */
+    this.disabled = false;
     /** In-process cache of blocked IPs — refreshed every 60 s from the ingest server. */
     this.blockedIpCache = /* @__PURE__ */ new Set();
     /** In-process cache of firewall rules with pre-compiled regex — refreshed every 60 s. */
@@ -301,8 +422,28 @@ var SentinelClient = class {
     this._origLog = console.log.bind(console);
     this._origWarn = console.warn.bind(console);
     this._origError = console.error.bind(console);
-    if (!config.apiKey) throw new Error("[SentinelAPI] apiKey is required");
-    if (!config.appId) throw new Error("[SentinelAPI] appId is required");
+    if (!config.apiKey || !config.appId) {
+      const missing = [!config.apiKey && "apiKey", !config.appId && "appId"].filter(Boolean).join(", ");
+      console.warn(`[Anomira] SDK disabled \u2014 missing config: ${missing}. Set SENTINEL_API_KEY and SENTINEL_APP_ID to enable monitoring.`);
+      this.disabled = true;
+      this.config = {
+        apiKey: "",
+        appId: "",
+        ingestUrl: DEFAULT_INGEST_URL,
+        geoLookupUrl: "",
+        maxBatchSize: DEFAULT_BATCH_SIZE,
+        flushIntervalMs: DEFAULT_FLUSH_MS,
+        maxRetries: DEFAULT_MAX_RETRIES,
+        debug: false,
+        captureConsole: false,
+        service: "app",
+        getUserId: defaultGetUserId,
+        getIp: defaultGetIp,
+        detect: { bruteForce: true, rateAbuse: true, pathTraversal: true, xss: true, scanDetection: true, geoVelocity: true }
+      };
+      this.buffer = new EventBuffer({ appId: "", apiKey: "", ingestUrl: DEFAULT_INGEST_URL, maxBatchSize: 0, flushIntervalMs: 999999999, maxRetries: 0, debug: false });
+      return;
+    }
     this.config = {
       apiKey: config.apiKey,
       appId: config.appId,
@@ -521,6 +662,7 @@ var SentinelClient = class {
    */
   /** Returns true if the IP is in the current blocked list. Synchronous — no network call. */
   isBlocked(ip) {
+    if (this.disabled) return false;
     return this.blockedIpCache.has(ip);
   }
   /** Evaluate firewall rules against a request. Returns the matched rule or null. Synchronous. */
@@ -528,6 +670,7 @@ var SentinelClient = class {
     return this.#matchFirewallRule(req);
   }
   track(eventName, data) {
+    if (this.disabled) return;
     const event = {
       name: eventName,
       ts: Date.now(),
@@ -550,6 +693,7 @@ var SentinelClient = class {
    * ```
    */
   async trackLogin(data) {
+    if (this.disabled) return;
     const tsMs = Date.now();
     this.track(EventName.LOGIN_SUCCESS, { ...data, meta: { ...data.meta } });
     if (!this.config.detect.geoVelocity) return;
@@ -589,6 +733,7 @@ var SentinelClient = class {
    * ```
    */
   trackPhoneAuth(data) {
+    if (this.disabled) return;
     this.track(EventName.PHONE_AUTH, {
       ip: data.ip,
       userId: data.userId,
@@ -605,6 +750,7 @@ var SentinelClient = class {
    * ```
    */
   log(level, message, meta) {
+    if (this.disabled) return;
     const { service, ...rest } = meta ?? {};
     const leaks = scanForLeaks(message);
     if (leaks.length > 0) {
@@ -626,6 +772,7 @@ var SentinelClient = class {
    * Useful before a graceful shutdown outside of the process lifecycle hooks.
    */
   async flush() {
+    if (this.disabled) return;
     await Promise.all([this.buffer.flush(), this.#flushLogs()]);
   }
   /**