@bugspotter/sdk 0.3.1 → 1.1.0

package/dist/capture/console.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ConsoleCapture = exports.SDK_LOG_PREFIX = void 0;
 const base_capture_1 = require("./base-capture");
-const circular_buffer_1 = require("../core/circular-buffer");
+const common_1 = require("@bugspotter/common");
 const CONSOLE_METHODS = [
     'log',
     'warn',
@@ -21,7 +21,7 @@ class ConsoleCapture extends base_capture_1.BaseCapture {
         super(options);
         this.originalMethods = new Map();
         const maxLogs = (_a = options.maxLogs) !== null && _a !== void 0 ? _a : 100;
-        this.buffer = new circular_buffer_1.CircularBuffer(maxLogs);
+        this.buffer = new common_1.CircularBuffer(maxLogs);
         this.captureStackTrace = (_b = options.captureStackTrace) !== null && _b !== void 0 ? _b : true;
         this.interceptConsole((_c = options.levels) !== null && _c !== void 0 ? _c : CONSOLE_METHODS);
     }

package/dist/capture/network.js

@@ -2,14 +2,14 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.NetworkCapture = void 0;
 const base_capture_1 = require("./base-capture");
-const circular_buffer_1 = require("../core/circular-buffer");
+const common_1 = require("@bugspotter/common");
 class NetworkCapture extends base_capture_1.BaseCapture {
     constructor(options = {}) {
         var _a;
         super(options);
         this.isIntercepting = false;
         const maxRequests = (_a = options.maxRequests) !== null && _a !== void 0 ? _a : 50;
-        this.buffer = new circular_buffer_1.CircularBuffer(maxRequests);
+        this.buffer = new common_1.CircularBuffer(maxRequests);
         this.filterUrls = options.filterUrls;
         this.originalFetch = window.fetch;
         this.originalXHR = {

package/dist/core/offline-queue.d.ts

@@ -32,12 +32,20 @@ export declare class OfflineQueue {
     constructor(config: OfflineConfig, logger?: Logger, storage?: StorageAdapter);
     /**
      * Queue a request for offline retry
+     * SECURITY: Strips sensitive authentication headers before storage
      */
     enqueue(endpoint: string, body: BodyInit, headers: Record<string, string>): void;
     /**
      * Process offline queue
+     * @deprecated Use processWithAuth() instead to properly handle authentication
      */
     process(retryableStatusCodes: number[]): Promise<void>;
+    /**
+     * Process offline queue with authentication headers
+     * @param retryableStatusCodes - HTTP status codes that should be retried
+     * @param authHeaders - Authentication headers to merge with stored headers
+     */
+    processWithAuth(retryableStatusCodes: number[], authHeaders: Record<string, string>): Promise<void>;
     /**
      * Clear offline queue
      */
@@ -46,6 +54,11 @@ export declare class OfflineQueue {
      * Get queue size
      */
     size(): number;
+    /**
+     * Strip sensitive authentication headers before storing in localStorage
+     * SECURITY: Prevents API keys and tokens from being stored in plain text
+     */
+    private stripSensitiveHeaders;
     /**
      * Serialize body to string format
      */

package/dist/core/offline-queue.js

@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.OfflineQueue = exports.LocalStorageAdapter = void 0;
 exports.clearOfflineQueue = clearOfflineQueue;
 const logger_1 = require("../utils/logger");
+const url_helpers_1 = require("../utils/url-helpers");
 /**
  * LocalStorage implementation of StorageAdapter
  */
@@ -51,6 +52,18 @@ const DEFAULT_OFFLINE_CONFIG = {
     enabled: false,
     maxQueueSize: 10,
 };
+/**
+ * Set of sensitive header names that should be stripped before localStorage storage
+ * SECURITY: Using Set for O(1) lookup performance
+ */
+const SENSITIVE_HEADERS = new Set([
+    'authorization',
+    'x-api-key',
+    'x-auth-token',
+    'x-access-token',
+    'cookie',
+    'set-cookie',
+]);
 // ============================================================================
 // OFFLINE QUEUE CLASS
 // ============================================================================
@@ -63,6 +76,7 @@ class OfflineQueue {
     }
     /**
      * Queue a request for offline retry
+     * SECURITY: Strips sensitive authentication headers before storage
      */
     enqueue(endpoint, body, headers) {
         try {
@@ -76,7 +90,9 @@ class OfflineQueue {
                 this.logger.warn(`Offline queue is full (${this.config.maxQueueSize}), removing oldest request`);
                 queue.shift();
             }
-            queue.push(this.createQueuedRequest(endpoint, serializedBody, headers));
+            // SECURITY: Strip sensitive headers before storing in localStorage
+            const sanitizedHeaders = this.stripSensitiveHeaders(headers);
+            queue.push(this.createQueuedRequest(endpoint, serializedBody, sanitizedHeaders));
             this.saveQueue(queue);
             this.logger.log(`Request queued for offline retry (queue size: ${queue.length})`);
         }
@@ -86,14 +102,24 @@ class OfflineQueue {
     }
     /**
      * Process offline queue
+     * @deprecated Use processWithAuth() instead to properly handle authentication
      */
     async process(retryableStatusCodes) {
+        return this.processWithAuth(retryableStatusCodes, {});
+    }
+    /**
+     * Process offline queue with authentication headers
+     * @param retryableStatusCodes - HTTP status codes that should be retried
+     * @param authHeaders - Authentication headers to merge with stored headers
+     */
+    async processWithAuth(retryableStatusCodes, authHeaders) {
         const queue = this.getQueue();
         if (queue.length === 0) {
             return;
         }
         this.logger.log(`Processing offline queue (${queue.length} requests)`);
         const successfulIds = [];
+        const rejectedIds = [];
         const failedRequests = [];
         for (const request of queue) {
             // Check if request has exceeded max retry attempts
@@ -109,10 +135,20 @@ class OfflineQueue {
                 continue;
             }
             try {
+                // SECURITY: Verify endpoint is secure (HTTPS) before sending
+                // This prevents downgrade attacks and ensures data confidentiality
+                if (!(0, url_helpers_1.isSecureEndpoint)(request.endpoint)) {
+                    this.logger.error(`Refusing to send offline request to insecure endpoint: ${request.endpoint}`);
+                    rejectedIds.push(request.id);
+                    // Don't retry insecure requests
+                    continue;
+                }
+                // Merge auth headers with stored headers (auth headers take precedence)
+                const headers = Object.assign(Object.assign({}, request.headers), authHeaders);
                 // Attempt to send
                 const response = await fetch(request.endpoint, {
                     method: 'POST',
-                    headers: request.headers,
+                    headers,
                     body: request.body,
                 });
                 if (response.ok) {
@@ -139,8 +175,10 @@ class OfflineQueue {
         }
         // Update queue (remove successful and expired, keep failed)
         this.saveQueue(failedRequests);
-        if (successfulIds.length > 0 || failedRequests.length < queue.length) {
-            this.logger.log(`Offline queue processed: ${successfulIds.length} successful, ${failedRequests.length} remaining`);
+        if (successfulIds.length > 0 ||
+            rejectedIds.length > 0 ||
+            failedRequests.length < queue.length) {
+            this.logger.log(`Offline queue processed: ${successfulIds.length} successful, ${rejectedIds.length} rejected (insecure), ${failedRequests.length} remaining`);
         }
     }
     /**
@@ -163,6 +201,13 @@ class OfflineQueue {
     // ============================================================================
     // PRIVATE METHODS
     // ============================================================================
+    /**
+     * Strip sensitive authentication headers before storing in localStorage
+     * SECURITY: Prevents API keys and tokens from being stored in plain text
+     */
+    stripSensitiveHeaders(headers) {
+        return Object.fromEntries(Object.entries(headers).filter(([key]) => !SENSITIVE_HEADERS.has(key.toLowerCase())));
+    }
     /**
      * Serialize body to string format
      */

package/dist/core/transport.js

@@ -9,6 +9,7 @@ exports.getAuthHeaders = getAuthHeaders;
 exports.submitWithAuth = submitWithAuth;
 const logger_1 = require("../utils/logger");
 const offline_queue_1 = require("./offline-queue");
+const url_helpers_1 = require("../utils/url-helpers");
 // ============================================================================
 // CONSTANTS
 // ============================================================================
@@ -109,8 +110,8 @@ class RetryHandler {
     calculateDelay(attempt, response) {
         var _a, _b;
         // Check for Retry-After header
-        if ((_b = (_a = response === null || response === void 0 ? void 0 : response.headers) === null || _a === void 0 ? void 0 : _a.has) === null || _b === void 0 ? void 0 : _b.call(_a, 'Retry-After')) {
-            const retryAfter = response.headers.get('Retry-After');
+        const retryAfter = (_b = (_a = response === null || response === void 0 ? void 0 : response.headers) === null || _a === void 0 ? void 0 : _a.get) === null || _b === void 0 ? void 0 : _b.call(_a, 'Retry-After');
+        if (retryAfter) {
             const retryAfterSeconds = parseInt(retryAfter, 10);
             if (!isNaN(retryAfterSeconds)) {
                 return Math.min(retryAfterSeconds * 1000, this.config.maxDelay);
@@ -131,26 +132,30 @@ class RetryHandler {
 /**
  * Process offline queue in background
  */
-async function processQueueInBackground(offlineConfig, retryConfig, logger) {
+async function processQueueInBackground(offlineConfig, retryConfig, auth, logger) {
     if (!offlineConfig.enabled) {
         return;
     }
     const queue = new offline_queue_1.OfflineQueue(offlineConfig, logger);
-    queue.process(retryConfig.retryOn).catch((error) => {
+    const authHeaders = generateAuthHeaders(auth);
+    queue
+        .processWithAuth(retryConfig.retryOn, authHeaders)
+        .catch((error) => {
         logger.warn('Failed to process offline queue:', error);
     });
 }
 /**
  * Handle offline failure by queueing request
+ * SECURITY: Does not pass auth headers to queue - they will be regenerated when processing
  */
-async function handleOfflineFailure(error, endpoint, body, contentHeaders, auth, offlineConfig, logger) {
+async function handleOfflineFailure(error, endpoint, body, contentHeaders, _auth, offlineConfig, logger) {
     if (!offlineConfig.enabled || !isNetworkError(error)) {
         return;
     }
     logger.warn('Network error detected, queueing request for offline retry');
     const queue = new offline_queue_1.OfflineQueue(offlineConfig, logger);
-    const authHeaders = generateAuthHeaders(auth);
-    await queue.enqueue(endpoint, body, Object.assign(Object.assign({}, contentHeaders), authHeaders));
+    // SECURITY: Only pass content headers, not auth headers - auth will be regenerated when processing
+    await queue.enqueue(endpoint, body, contentHeaders);
 }
 // ============================================================================
 // PUBLIC API
@@ -176,8 +181,12 @@ async function submitWithAuth(endpoint, body, contentHeaders = {}, options) {
     const logger = options.logger || (0, logger_1.getLogger)();
     const retryConfig = Object.assign(Object.assign({}, DEFAULT_RETRY_CONFIG), options.retry);
     const offlineConfig = Object.assign(Object.assign({}, DEFAULT_OFFLINE_CONFIG), options.offline);
+    // Security: Enforce HTTPS
+    if (!(0, url_helpers_1.isSecureEndpoint)(endpoint)) {
+        throw new url_helpers_1.InsecureEndpointError(endpoint);
+    }
     // Process offline queue on each request (run in background without awaiting)
-    processQueueInBackground(offlineConfig, retryConfig, logger);
+    processQueueInBackground(offlineConfig, retryConfig, options.auth, logger);
     try {
         // Send with retry logic
         const response = await sendWithRetry(endpoint, body, contentHeaders, options.auth, retryConfig, logger);
@@ -196,6 +205,9 @@ async function submitWithAuth(endpoint, body, contentHeaders = {}, options) {
  * Make HTTP request with auth headers
  */
 async function makeRequest(endpoint, body, contentHeaders, auth) {
+    if (!(0, url_helpers_1.isSecureEndpoint)(endpoint)) {
+        throw new url_helpers_1.InsecureEndpointError(endpoint);
+    }
     const authHeaders = generateAuthHeaders(auth);
     const headers = Object.assign(Object.assign({}, contentHeaders), authHeaders);
     return fetch(endpoint, {

package/dist/index.d.ts

@@ -167,3 +167,4 @@ export { DEFAULT_REPLAY_DURATION_SECONDS, MAX_RECOMMENDED_REPLAY_DURATION_SECOND
  * ```
  */
 export declare function sanitize(text: string): string;
+export default BugSpotter;