@elliemae/microfe-common 2.24.0 → 2.25.1

package/dist/cjs/auditThrottler.js

@@ -0,0 +1,60 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var auditThrottler_exports = {};
+__export(auditThrottler_exports, {
+  AuditThrottler: () => AuditThrottler
+});
+module.exports = __toCommonJS(auditThrottler_exports);
+class AuditThrottler {
+  #logger;
+  #enabled;
+  #throttleMs;
+  #lastAudited = /* @__PURE__ */ new Map();
+  static DEFAULT_THROTTLE_MS = 1e4;
+  constructor(options) {
+    this.#logger = options.logger;
+    this.#enabled = options.enabled ?? true;
+    this.#throttleMs = options.throttleMs ?? AuditThrottler.DEFAULT_THROTTLE_MS;
+  }
+  get enabled() {
+    return this.#enabled;
+  }
+  /**
+   * Log a high-frequency operation. When audit is enabled and the throttle
+   * window allows it the payload is sent at `audit` level; otherwise `debug`.
+   * @param {string} key - dedup key for throttling (e.g. `invoke:loan.getField`)
+   * @param {LogRecord} payload - structured log payload
+   */
+  log(key, payload) {
+    if (!this.#enabled) {
+      this.#logger.debug(payload);
+      return;
+    }
+    if (this.#throttleMs > 0) {
+      const now = performance.now();
+      const last = this.#lastAudited.get(key);
+      if (last !== void 0 && now - last < this.#throttleMs) {
+        this.#logger.debug(payload);
+        return;
+      }
+      this.#lastAudited.set(key, now);
+    }
+    this.#logger.audit(payload);
+  }
+}

package/dist/cjs/index.js

@@ -18,6 +18,7 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var index_exports = {};
 __export(index_exports, {
+  AuditThrottler: () => import_auditThrottler.AuditThrottler,
   Event: () => import_event2.Event,
   MessageType: () => import_messageType.MessageType,
   ProxyEvent: () => import_event.ProxyEvent,
@@ -39,3 +40,4 @@ var import_scriptingObject = require("./scriptingObject.js");
 var import_messageType = require("./messageType.js");
 var import_scriptingObjectManager = require("./scriptingObjectManager.js");
 var import_proxy = require("./proxy.js");
+var import_auditThrottler = require("./auditThrottler.js");

package/dist/cjs/remoting.js

@@ -66,17 +66,21 @@ class Remoting {
    * The set of windows that are allowed to send messages to this window
    */
   #allowedSenders = /* @__PURE__ */ new Map();
+  #disableOriginCheck;
   /**
    * Create a new instance of the Remoting class
    * @param logger pui-diagnostic logger
    * @param correlationId unique id for the current session
+   * @param options optional configuration
    */
-  constructor(logger, correlationId) {
+  constructor(logger, correlationId, options) {
     if (!logger) throw new Error("logger is required");
     if (!correlationId) throw new Error("correlationId is required");
     this.#correlationId = correlationId;
     this.#logger = logger;
+    this.#disableOriginCheck = options?.unsafeAllowAnyGuestOrigin ?? false;
   }
+  #getTargetOrigin = (targetOrigin) => this.#disableOriginCheck ? "*" : targetOrigin;
   // Evaluates the timeouts on any waiting invocations and schedules the next check
   #evaluateTimeouts = () => {
     this.#timeoutMonitorHandle = null;
@@ -259,7 +263,7 @@ class Remoting {
         reject,
         cancelTime: responseTimeoutMs ? Date.now() + responseTimeoutMs : null
       });
-      targetWin.postMessage(msg, targetOrigin);
+      targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
       const { requestId } = msg;
       this.#logger.debug(
         `Posted invocation message of type ${messageType} requestId: ${requestId || ""}`
@@ -306,7 +310,7 @@ class Remoting {
       messageBody,
       onewayMsg: true
     });
-    targetWin.postMessage(msg, targetOrigin);
+    targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
     this.#logger.debug(`Posted one-way message of type "${messageType}"`);
   };
   /**
@@ -328,7 +332,7 @@ class Remoting {
       messageBody: response,
       requestId
     });
-    targetWin.postMessage(msg, targetOrigin);
+    targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
     this.#logger.debug(
       `Response sent to caller for invocation requestId: ${requestId}`
     );
@@ -345,7 +349,7 @@ class Remoting {
       messageBody,
       requestId
     });
-    targetWin.postMessage(msg, targetOrigin);
+    targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
     this.#logger.debug(
       `Exception sent to caller for invocation. requestId: ${requestId}`
     );

package/dist/esm/auditThrottler.js

@@ -0,0 +1,40 @@
+class AuditThrottler {
+  #logger;
+  #enabled;
+  #throttleMs;
+  #lastAudited = /* @__PURE__ */ new Map();
+  static DEFAULT_THROTTLE_MS = 1e4;
+  constructor(options) {
+    this.#logger = options.logger;
+    this.#enabled = options.enabled ?? true;
+    this.#throttleMs = options.throttleMs ?? AuditThrottler.DEFAULT_THROTTLE_MS;
+  }
+  get enabled() {
+    return this.#enabled;
+  }
+  /**
+   * Log a high-frequency operation. When audit is enabled and the throttle
+   * window allows it the payload is sent at `audit` level; otherwise `debug`.
+   * @param {string} key - dedup key for throttling (e.g. `invoke:loan.getField`)
+   * @param {LogRecord} payload - structured log payload
+   */
+  log(key, payload) {
+    if (!this.#enabled) {
+      this.#logger.debug(payload);
+      return;
+    }
+    if (this.#throttleMs > 0) {
+      const now = performance.now();
+      const last = this.#lastAudited.get(key);
+      if (last !== void 0 && now - last < this.#throttleMs) {
+        this.#logger.debug(payload);
+        return;
+      }
+      this.#lastAudited.set(key, now);
+    }
+    this.#logger.audit(payload);
+  }
+}
+export {
+  AuditThrottler
+};

package/dist/esm/index.js

@@ -8,7 +8,9 @@ import {
   SecurityContext
 } from "./scriptingObjectManager.js";
 import { ScriptingObjectProxy, isScriptingObjectProxy } from "./proxy.js";
+import { AuditThrottler } from "./auditThrottler.js";
 export {
+  AuditThrottler,
   Event,
   MessageType,
   ProxyEvent,

package/dist/esm/remoting.js

@@ -42,17 +42,21 @@ class Remoting {
    * The set of windows that are allowed to send messages to this window
    */
   #allowedSenders = /* @__PURE__ */ new Map();
+  #disableOriginCheck;
   /**
    * Create a new instance of the Remoting class
    * @param logger pui-diagnostic logger
    * @param correlationId unique id for the current session
+   * @param options optional configuration
    */
-  constructor(logger, correlationId) {
+  constructor(logger, correlationId, options) {
     if (!logger) throw new Error("logger is required");
     if (!correlationId) throw new Error("correlationId is required");
     this.#correlationId = correlationId;
     this.#logger = logger;
+    this.#disableOriginCheck = options?.unsafeAllowAnyGuestOrigin ?? false;
   }
+  #getTargetOrigin = (targetOrigin) => this.#disableOriginCheck ? "*" : targetOrigin;
   // Evaluates the timeouts on any waiting invocations and schedules the next check
   #evaluateTimeouts = () => {
     this.#timeoutMonitorHandle = null;
@@ -235,7 +239,7 @@ class Remoting {
         reject,
         cancelTime: responseTimeoutMs ? Date.now() + responseTimeoutMs : null
       });
-      targetWin.postMessage(msg, targetOrigin);
+      targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
       const { requestId } = msg;
       this.#logger.debug(
         `Posted invocation message of type ${messageType} requestId: ${requestId || ""}`
@@ -282,7 +286,7 @@ class Remoting {
       messageBody,
       onewayMsg: true
     });
-    targetWin.postMessage(msg, targetOrigin);
+    targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
     this.#logger.debug(`Posted one-way message of type "${messageType}"`);
   };
   /**
@@ -304,7 +308,7 @@ class Remoting {
       messageBody: response,
       requestId
     });
-    targetWin.postMessage(msg, targetOrigin);
+    targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
     this.#logger.debug(
       `Response sent to caller for invocation requestId: ${requestId}`
     );
@@ -321,7 +325,7 @@ class Remoting {
       messageBody,
       requestId
     });
-    targetWin.postMessage(msg, targetOrigin);
+    targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
     this.#logger.debug(
       `Exception sent to caller for invocation. requestId: ${requestId}`
     );

package/dist/types/lib/auditThrottler.d.ts

@@ -0,0 +1,29 @@
+import type { Logger, LogRecord } from '@elliemae/pui-diagnostics';
+export type AuditThrottlerOptions = {
+    logger: Logger;
+    /** When `true`, high-frequency operations are logged at `audit` level. @default true */
+    enabled?: boolean;
+    /** Throttle window (ms). Same operation key is audited at most once per window. @default 10000 */
+    throttleMs?: number;
+};
+/**
+ * Controls whether high-frequency operations are logged at `audit` level
+ * (sent to Splunk) or `debug` level (local only).
+ *
+ * When enabled, a per-key throttle window prevents the same operation from
+ * flooding Splunk. Operations outside the window or with throttling disabled
+ * (`throttleMs === 0`) go straight to `audit`.
+ */
+export declare class AuditThrottler {
+    #private;
+    static readonly DEFAULT_THROTTLE_MS = 10000;
+    constructor(options: AuditThrottlerOptions);
+    get enabled(): boolean;
+    /**
+     * Log a high-frequency operation. When audit is enabled and the throttle
+     * window allows it the payload is sent at `audit` level; otherwise `debug`.
+     * @param {string} key - dedup key for throttling (e.g. `invoke:loan.getField`)
+     * @param {LogRecord} payload - structured log payload
+     */
+    log(key: string, payload: LogRecord): void;
+}

package/dist/types/lib/index.d.ts

@@ -1,5 +1,5 @@
 export { Remoting, sendMessage } from './remoting.js';
-export type { ListenerCallback, ListenerCallbackParams, ListenParam, InvokeParam, RaiseExceptionParam, RespondParam, SendParam, AddSenderParam, } from './remoting.js';
+export type { ListenerCallback, ListenerCallbackParams, ListenParam, InvokeParam, RaiseExceptionParam, RemotingOptions, RespondParam, SendParam, AddSenderParam, } from './remoting.js';
 export type { RemotingEventMessage } from './remotingEventMessage.js';
 export { getEventId, ProxyEvent } from './event.js';
 export type { IScriptingObjectProxyEvent, EventParam, DispatchEventParam, EventOptions, SubscribeParam, UnsubscribeParam, IEventManager, FilterCriteria, FilterOperator, } from './event.js';
@@ -12,3 +12,5 @@ export type { ISSFGuest, ConnectParam } from './guest.js';
 export { ScriptingObjectManager, SecurityContext, } from './scriptingObjectManager.js';
 export type { AddScriptingObjectParams, CallContext, CallerInfo, GetObjectParams, GuestContext, } from './scriptingObjectManager.js';
 export { ScriptingObjectProxy, isScriptingObjectProxy } from './proxy.js';
+export { AuditThrottler } from './auditThrottler.js';
+export type { AuditThrottlerOptions } from './auditThrottler.js';

package/dist/types/lib/remoting.d.ts

@@ -171,14 +171,24 @@ export type AddSenderParam = {
 /**
  * Provides core messaging capabilities for cross-frame interactions in a sandboxed environment.
  */
+export type RemotingOptions = {
+    /**
+     * **UNSAFE**: When true, uses '*' as the targetOrigin for all outbound postMessage calls,
+     * bypassing the browser's origin check on the receiving window. This means any window
+     * can receive messages intended for the guest, potentially exposing sensitive data.
+     * Only enable this if you fully understand the security implications.
+     */
+    unsafeAllowAnyGuestOrigin?: boolean;
+};
 export declare class Remoting {
     #private;
     /**
      * Create a new instance of the Remoting class
      * @param logger pui-diagnostic logger
      * @param correlationId unique id for the current session
+     * @param options optional configuration
      */
-    constructor(logger: Logger, correlationId: string);
+    constructor(logger: Logger, correlationId: string, options?: RemotingOptions);
     /**
      * Adds window and its origin list of allowed senders
      * @param {AddSenderParam} param - The sender to add

package/dist/types/lib/tests/auditThrottler.test.d.ts

@@ -0,0 +1 @@
+export {};