@creator.co/wapi 1.8.3 → 1.8.5

package/src/Server/Router.ts

@@ -1,6 +1,7 @@
 import { Server as HTTPServer } from 'http'
 
 import express from 'express'
+import type { RedisClientType } from 'redis'
 import { z } from 'zod'
 
 import ContainerServer from './lib/ContainerServer.js'
@@ -14,6 +15,46 @@ import Transaction, {
 } from '../BaseEvent/Transaction.js'
 import Utils from '../Util/Utils.js'
 
+/**
+ * Configuration options for rate limiting on a specific route.
+ * @property {number} [windowMs] - Time window in milliseconds for rate limiting (default: 60000 - 1 minute)
+ * @property {number} [limit] - Maximum number of requests allowed per window (default: 60)
+ * @property {string} [message] - Custom error message for rate limit exceeded
+ * @property {'ip' | 'userId' | ((req: express.Request) => string)} [keyGenerator] - Strategy for generating rate limit keys
+ */
+export interface RateLimitConfig {
+  windowMs?: number
+  limit?: number
+  message?: string
+  keyGenerator?: 'ip' | 'userId' | ((req: express.Request) => string)
+  skip?: (req: express.Request) => boolean
+}
+
+/**
+ * Global rate limiting configuration for the router.
+ * @property {boolean} [enabled] - Whether rate limiting is enabled (default: true if config provided)
+ * @property {number} [windowMs] - Time window in milliseconds (default: 60000 - 1 minute)
+ * @property {number} [limit] - Maximum requests per window per key (default: 60)
+ * @property {(req: express.Request) => string} [keyGenerator] - Function to generate rate limit key (default: IP-based)
+ * @property {(req: express.Request, res: express.Response) => void} [handler] - Custom handler for rate limit exceeded
+ * @property {(req: express.Request) => boolean} [skip] - Function to skip rate limiting for certain requests
+ * @property {'memory' | 'redis'} [store] - Storage backend for rate limit data
+ * @property {object} [redis] - Redis configuration when using Redis store
+ */
+export interface GlobalRateLimitConfig {
+  enabled?: boolean
+  windowMs?: number
+  limit?: number
+  keyGenerator?: (req: express.Request) => string
+  handler?: (req: express.Request, res: express.Response) => void
+  skip?: (req: express.Request) => boolean
+  store?: 'memory' | 'redis'
+  redis?: {
+    client: RedisClientType
+    prefix?: string
+  }
+}
+
 /**
  * Represents a route in an API.
  * @template InputType - The type of the input data for the route.
@@ -94,6 +135,13 @@ export interface Route<
       [key: string]: string[] | never[]
     }[]
   }
+
+  /**
+   * Optional rate limiting configuration for this specific route.
+   * Set to `false` to disable global rate limiting for this route.
+   * @type {RateLimitConfig | false}
+   */
+  rateLimit?: RateLimitConfig | false
 }
 
 export type AnyRoute = Route<any | never, any | never, any | never, any | never>
@@ -147,6 +195,12 @@ export type RouterConfig = TransactionConfig & {
    * @type {string | undefined}
    */
   healthCheckRoute?: string
+  /**
+   * Global rate limiting configuration for all routes.
+   * Individual routes can override this with their own rateLimit config.
+   * @type {GlobalRateLimitConfig | undefined}
+   */
+  rateLimit?: GlobalRateLimitConfig
   containerSetupHook?: (server: HTTPServer, app: express.Express) => Promise<void>
 }
 

package/src/Server/lib/container/Proxy.ts

@@ -3,13 +3,15 @@ import { Server as HTTPServer, createServer } from 'http'
 
 import cors from 'cors'
 import express from 'express'
+import { rateLimit } from 'express-rate-limit'
+import { RedisStore } from 'rate-limit-redis'
 
 import Server from './../Server.js'
 import GenericHandler from './GenericHandler.js'
 import HealthHandler from './HealthHandler.js'
 import Globals from '../../../Globals.js'
 import Utils from '../../../Util/Utils.js'
-import { RouterConfig } from '../../Router.js'
+import { GlobalRateLimitConfig, RouterConfig } from '../../Router.js'
 
 /* Get package.json version from Wapi on ESM */
 const { version: appVersion } = JSON.parse(fs.readFileSync('package.json').toString())
@@ -78,6 +80,13 @@ export default class Proxy {
       )
     )
 
+    // Apply global rate limiting if configured
+    if (this.config.rateLimit && this.config.rateLimit.enabled !== false) {
+      console.log('[Proxy] - [RATE-LIMIT] - Global rate limiting enabled')
+      const rateLimitMiddleware = this.createRateLimitMiddleware(this.config.rateLimit)
+      this.app.use(rateLimitMiddleware)
+    }
+
     // //This supposedly fix some 502 codes where nodejs socket would hang during
     // //a request and if behind ALB, it would cause 502 codes. Had experiencied this
     // //and 502 codes reduced dramastically, but still some appearances. Maybe this
@@ -174,4 +183,77 @@ export default class Proxy {
     //load balancer and we just foward everything we have to the function.
     this.app.route(Globals.Listener_HTTP_ProxyRoute).all(GenericHandler(this.serverlessHandler))
   }
+
+  /**
+   * Creates rate limiting middleware based on the provided configuration.
+   * @param {GlobalRateLimitConfig} config - The rate limit configuration
+   * @returns {express.RequestHandler} Express middleware for rate limiting
+   * @private
+   */
+  private createRateLimitMiddleware(config: GlobalRateLimitConfig): express.RequestHandler {
+    const store = this.createRateLimitStore(config)
+
+    return rateLimit({
+      windowMs: config.windowMs || 60000, // Default: 1 minute
+      limit: config.limit || 60, // Default: 60 requests per windowMs
+      standardHeaders: true, // Return rate limit info in `RateLimit-*` headers
+      legacyHeaders: false, // Disable `X-RateLimit-*` headers
+
+      // Key generator - how to identify unique clients
+      keyGenerator:
+        config.keyGenerator ||
+        ((req: express.Request) => {
+          // Use IP address from proxy-aware sources
+          return (
+            (req.ip as string) ||
+            (req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim() ||
+            req.socket.remoteAddress ||
+            'unknown'
+          )
+        }),
+
+      // Custom handler when rate limit is exceeded
+      handler:
+        config.handler ||
+        ((req: express.Request, res: express.Response) => {
+          // Log rate limit violation
+          console.warn('[Proxy] - [RATE-LIMIT] - Limit exceeded', {
+            ip: req.ip,
+            path: req.path,
+            method: req.method,
+            timestamp: new Date().toISOString(),
+          })
+
+          res.status(429).json({
+            error: 'rate_limit_exceeded',
+            message: 'Too many requests. Please try again later.',
+          })
+        }),
+
+      // Skip function - allows bypassing rate limiting for certain requests
+      skip: config.skip,
+
+      // Store - use Redis if configured, otherwise in-memory
+      store: store,
+    })
+  }
+
+  /**
+   * Creates the appropriate store for rate limiting based on configuration.
+   * @param {GlobalRateLimitConfig} config - The rate limit configuration
+   * @returns {RedisStore | undefined} Redis store if configured, undefined for in-memory
+   * @private
+   */
+  private createRateLimitStore(config: GlobalRateLimitConfig): any {
+    if (config.store === 'redis' && config.redis?.client) {
+      console.log('[Proxy] - [RATE-LIMIT] - Using Redis store')
+      return new RedisStore({
+        sendCommand: (...args: string[]) => config.redis!.client.sendCommand(args),
+        prefix: config.redis.prefix || 'wapi:rl:',
+      })
+    }
+
+    console.log('[Proxy] - [RATE-LIMIT] - Using in-memory store')
+    return undefined // express-rate-limit uses MemoryStore by default
+  }
 }

package/src/Util/Utils.ts

@@ -1,6 +1,8 @@
 import child_process from 'child_process'
+import { createHash } from 'crypto'
 
 import { convertToAttr, marshall, unmarshall } from '@aws-sdk/util-dynamodb'
+import stringify from 'json-stringify-safe'
 
 /**
  * Utility class containing various static methods for common operations.
@@ -129,4 +131,14 @@ export default class Utils {
     }
     return item
   }
+
+  /**
+   * helper that hashes values using SHA-256.
+   * @param {unknown} raw - The raw item for conversion.
+   * @returns {string} The hashed string.
+   */
+  public static hashValue(raw: unknown): string {
+    const s = typeof raw === 'string' ? raw : stringify(raw)
+    return createHash('sha256').update(s).digest('hex')
+  }
 }

package/tests/Logger/Logger.test.ts

@@ -63,7 +63,7 @@ function testLogs(isContainer: boolean, provider?: Logger) {
     )
     expect(consoleProxy.log).toHaveBeenNthCalledWith(
       1,
-      expect.stringContaining('] TEST {\n  "password": "**SUPPRESSED_SENSITIVE_DATA** (3 len)"\n}')
+      expect.stringContaining('] TEST {\n  "password": "[MASKED]"\n}')
     )
     // test if object is not mutate
     c_expect(object.password).to.be.equals('123')
@@ -80,7 +80,7 @@ function testLogs(isContainer: boolean, provider?: Logger) {
     expect(consoleProxy.log).toHaveBeenNthCalledWith(1, expect.stringContaining('] TEST'))
     expect(consoleProxy.log).toHaveBeenNthCalledWith(
       1,
-      expect.stringContaining('"password": "**SUPPRESSED_SENSITIVE_DATA** (5 len)"')
+      expect.stringContaining('"password": "[MASKED]"')
     )
   })
 
@@ -93,9 +93,7 @@ function testLogs(isContainer: boolean, provider?: Logger) {
     )
     expect(consoleProxy.log).toHaveBeenNthCalledWith(
       1,
-      expect.stringContaining(
-        '] {\n  "object": {\n    "password": "**SUPPRESSED_SENSITIVE_DATA** (3 len)"\n  }\n}'
-      )
+      expect.stringContaining('] {\n  "object": {\n    "password": "[MASKED]"\n  }\n}')
     )
   })
 
@@ -108,9 +106,7 @@ function testLogs(isContainer: boolean, provider?: Logger) {
     )
     expect(consoleProxy.log).toHaveBeenNthCalledWith(
       1,
-      expect.stringContaining(
-        '] {\n  "object": {\n    "password": "**SUPPRESSED_SENSITIVE_DATA** (3 len)"\n  }\n}'
-      )
+      expect.stringContaining('] {\n  "object": {\n    "password": "[MASKED]"\n  }\n}')
     )
   })
 
@@ -146,12 +142,57 @@ function testLogs(isContainer: boolean, provider?: Logger) {
     )
     expect(consoleProxy.log).toHaveBeenNthCalledWith(
       1,
-      expect.stringContaining(
-        '] TEST2 [\n  {\n    "password": "**SUPPRESSED_SENSITIVE_DATA** (4 len)"\n  }\n]'
-      )
+      expect.stringContaining('] TEST2 [\n  {\n    "password": "[MASKED]"\n  }\n]')
+    )
+  })
+  test(`${type} - ${loggerType} Log - Suppress sensitive info (token)`, async () => {
+    setContainerFlag(isContainer)
+    localProvider.log({ token: 'abc123xyz' })
+    expect(consoleProxy.log).toHaveBeenNthCalledWith(
+      1,
+      expect.stringContaining((isContainer ? `${transactionID} ` : '') + '[INFO] [Logger.test.ts:')
+    )
+    expect(consoleProxy.log).toHaveBeenNthCalledWith(
+      1,
+      expect.stringContaining('"token": "[HASHED:')
+    )
+  })
+
+  test(`${type} - ${loggerType} Log - Suppress sensitive info (key)`, async () => {
+    setContainerFlag(isContainer)
+    localProvider.log({ key: 'secret-key-123' })
+    expect(consoleProxy.log).toHaveBeenNthCalledWith(
+      1,
+      expect.stringContaining((isContainer ? `${transactionID} ` : '') + '[INFO] [Logger.test.ts:')
     )
+    expect(consoleProxy.log).toHaveBeenNthCalledWith(1, expect.stringContaining('"key": "[HASHED:'))
   })
 
+  test(`${type} - ${loggerType} Log - Suppress sensitive info (authorization)`, async () => {
+    setContainerFlag(isContainer)
+    localProvider.log({ authorization: 'Bearer token123' })
+    expect(consoleProxy.log).toHaveBeenNthCalledWith(
+      1,
+      expect.stringContaining((isContainer ? `${transactionID} ` : '') + '[INFO] [Logger.test.ts:')
+    )
+    expect(consoleProxy.log).toHaveBeenNthCalledWith(
+      1,
+      expect.stringContaining('"authorization": "Bearer [HASHED:')
+    )
+  })
+
+  test(`${type} - ${loggerType} Log - Suppress sensitive info (accounts)`, async () => {
+    setContainerFlag(isContainer)
+    localProvider.log({ accounts: 'account-data' })
+    expect(consoleProxy.log).toHaveBeenNthCalledWith(
+      1,
+      expect.stringContaining((isContainer ? `${transactionID} ` : '') + '[INFO] [Logger.test.ts:')
+    )
+    expect(consoleProxy.log).toHaveBeenNthCalledWith(
+      1,
+      expect.stringContaining('"accounts": "**SUPPRESSED_SENSITIVE_DATA** (12 len)"')
+    )
+  })
   test(`${type} - ${loggerType} Log - Circular reference (Error)`, async () => {
     setContainerFlag(isContainer)
     class SelfRefError extends Error {