@hackthedev/dsync-ipsec 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.gitattributes +2 -0
- package/README.md +2 -0
- package/index.mjs +150 -0
- package/package.json +11 -0
package/.gitattributes
ADDED
package/README.md
ADDED
package/index.mjs
ADDED
|
@@ -0,0 +1,150 @@
|
|
|
1
|
+
import ArrayTools from "@hackthedev/arraytools"
|
|
2
|
+
|
|
3
|
+
export default class dSyncIPSec {
|
|
4
|
+
constructor({
|
|
5
|
+
blockBogon = true,
|
|
6
|
+
blockDatacenter = true,
|
|
7
|
+
blockSatelite = true,
|
|
8
|
+
blockCrawler = true,
|
|
9
|
+
blockProxy = true,
|
|
10
|
+
blockVPN = true,
|
|
11
|
+
blockTor = true,
|
|
12
|
+
blockAbuser = true,
|
|
13
|
+
// some arrays
|
|
14
|
+
whitelistedUrls = [],
|
|
15
|
+
whitelistedIps = [],
|
|
16
|
+
blockedCountryCodes = [],
|
|
17
|
+
whitelistedCompanyDomains = [],
|
|
18
|
+
blacklistedIps = [
|
|
19
|
+
"::1",
|
|
20
|
+
"127.0.0.1",
|
|
21
|
+
"localhost"
|
|
22
|
+
]
|
|
23
|
+
} = {}) {
|
|
24
|
+
|
|
25
|
+
this.blockBogon = blockBogon;
|
|
26
|
+
this.blockDatacenter = blockDatacenter;
|
|
27
|
+
this.blockSatelite = blockSatelite;
|
|
28
|
+
this.blockCrawler = blockCrawler;
|
|
29
|
+
this.blockProxy = blockProxy;
|
|
30
|
+
this.blockVPN = blockVPN;
|
|
31
|
+
this.blockTor = blockTor;
|
|
32
|
+
this.blockAbuser = blockAbuser;
|
|
33
|
+
this.blockedCountryCodes = blockedCountryCodes;
|
|
34
|
+
|
|
35
|
+
this.urlWhitelist = new ArrayTools(whitelistedUrls)
|
|
36
|
+
this.ipWhitelist = new ArrayTools(whitelistedIps)
|
|
37
|
+
this.ipBlacklist = new ArrayTools(blacklistedIps)
|
|
38
|
+
this.companyDomainWhitelist = new ArrayTools(whitelistedCompanyDomains)
|
|
39
|
+
this.blockedCountriesByCode = new ArrayTools(blockedCountryCodes)
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
updateRule({
|
|
43
|
+
blockBogon = null,
|
|
44
|
+
blockDatacenter = null,
|
|
45
|
+
blockSatelite = null,
|
|
46
|
+
blockCrawler = null,
|
|
47
|
+
blockProxy = null,
|
|
48
|
+
blockVPN = null,
|
|
49
|
+
blockTor = null,
|
|
50
|
+
blockAbuser = null,
|
|
51
|
+
}){
|
|
52
|
+
|
|
53
|
+
if(blockBogon !== null) this.blockBogon = blockBogon
|
|
54
|
+
if(blockDatacenter !== null) this.blockDatacenter = blockDatacenter
|
|
55
|
+
if(blockSatelite !== null) this.blockSatelite =blockSatelite
|
|
56
|
+
if(blockCrawler !== null) this.blockCrawler = blockCrawler
|
|
57
|
+
if(blockProxy !== null) this.blockProxy = blockProxy
|
|
58
|
+
if(blockVPN !== null) this.blockVPN = blockVPN
|
|
59
|
+
if(blockTor !== null) this.blockTor = blockTor
|
|
60
|
+
if(blockAbuser !== null) this.blockAbuser = blockAbuser
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
whitelistIP(ip, allowDuplicates = false){
|
|
64
|
+
if(!ip) throw new Error("Unable to whitelist ip as no ip was provided.");
|
|
65
|
+
if(!this.ipWhitelist.matches(ip) && !allowDuplicates) this.ipWhitelist.addEntry(ip);
|
|
66
|
+
if(this.ipBlacklist.matches(ip)) this.ipBlacklist.removeEntry(ip);
|
|
67
|
+
}
|
|
68
|
+
|
|
69
|
+
blacklistIp(ip, allowDuplicates = false){
|
|
70
|
+
if(!ip) throw new Error("Unable to blacklist ip as no ip was provided.");
|
|
71
|
+
if(!this.ipBlacklist.matches(ip) && !allowDuplicates) this.ipBlacklist.addEntry(ip);
|
|
72
|
+
if(this.ipWhitelist.matches(ip)) this.ipWhitelist.removeEntry(ip);
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
isBlacklistedIp(ip){
|
|
76
|
+
if(!ip) throw new Error("Coudlnt check ip blacklist as no ip was provided.")
|
|
77
|
+
return this.ipBlacklist.matches(ip);
|
|
78
|
+
}
|
|
79
|
+
|
|
80
|
+
isWhitelistedIp(ip){
|
|
81
|
+
if(!ip) throw new Error("Coudlnt check ip blacklist as no ip was provided.")
|
|
82
|
+
return this.ipWhitelist.matches(ip);
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
async filterExpressTraffic(app){
|
|
86
|
+
if(!app) throw new Error("Unable to filter express traffic as no express app was provided.");
|
|
87
|
+
|
|
88
|
+
app.use(async (req, res, next) => {
|
|
89
|
+
const ipInfo = await this.lookupIP(this.getClientIp(req));
|
|
90
|
+
if (!ipInfo) return next();
|
|
91
|
+
|
|
92
|
+
// whitelist some urls for functionality
|
|
93
|
+
let reqPath = req.path;
|
|
94
|
+
if(!reqPath) throw new Error("Unable to get request path from req parameter as it wasnt specified or null");
|
|
95
|
+
|
|
96
|
+
// first check for ip blacklist
|
|
97
|
+
if(this.ipBlacklist.matches(ipInfo?.ip)) return res.sendStatus(403);
|
|
98
|
+
|
|
99
|
+
// then we can check for whitelisted urls as these bypass normal checks
|
|
100
|
+
// url whitelist
|
|
101
|
+
if(this.urlWhitelist.matches(reqPath)) return next();
|
|
102
|
+
// let whitelisted ips pass
|
|
103
|
+
if(this.ipWhitelist.matches(ipInfo?.ip)) return next();
|
|
104
|
+
// company domain whitelist
|
|
105
|
+
if(this.companyDomainWhitelist.matches(ipInfo?.company?.domain)) return next();
|
|
106
|
+
|
|
107
|
+
// looking kinda beautiful
|
|
108
|
+
if (ipInfo?.is_bogon && this.blockBogon) return res.sendStatus(403);
|
|
109
|
+
if (ipInfo?.is_datacenter && this.blockDatacenter) return res.sendStatus(403);
|
|
110
|
+
if (ipInfo?.is_satelite && this.blockSatelite) return res.sendStatus(403);
|
|
111
|
+
if (ipInfo?.is_crawler && this.blockCrawler) return res.sendStatus(403);
|
|
112
|
+
if (ipInfo?.is_proxy && this.blockProxy) return res.sendStatus(403);
|
|
113
|
+
if (ipInfo?.is_vpn && this.blockVPN) return res.sendStatus(403);
|
|
114
|
+
if (ipInfo?.is_tor && this.blockTor) return res.sendStatus(403);
|
|
115
|
+
if (ipInfo?.is_abuser && this.blockAbuser) return res.sendStatus(403);
|
|
116
|
+
|
|
117
|
+
if (
|
|
118
|
+
ipInfo.location?.country_code &&
|
|
119
|
+
this.blockedCountriesByCode.matches(ipInfo?.location?.country_code?.toLowerCase())
|
|
120
|
+
) return res.sendStatus(403);
|
|
121
|
+
|
|
122
|
+
// continue
|
|
123
|
+
next();
|
|
124
|
+
});
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
getClientIp(req) {
|
|
128
|
+
if(!req) throw new Error("Unable to get client ip from req parameter as it wasnt specified or null");
|
|
129
|
+
const xf = req.headers["x-forwarded-for"];
|
|
130
|
+
if (xf) return xf.split(",")[0].trim();
|
|
131
|
+
return req.socket?.remoteAddress || req.connection?.remoteAddress;
|
|
132
|
+
}
|
|
133
|
+
|
|
134
|
+
async lookupIP(ip){
|
|
135
|
+
if(!ip) throw new Error("Unable to lookup ip as it wasnt provided.")
|
|
136
|
+
|
|
137
|
+
// if an ip is blacklisted we return with an error "reponse"
|
|
138
|
+
if(this.isBlacklistedIp(ip)) return {error: `IP ${ip} was local.`};
|
|
139
|
+
|
|
140
|
+
// make request to get ip info
|
|
141
|
+
let ipRequest = await fetch(`https://api.ipapi.is/?q=${ip}`);
|
|
142
|
+
if(ipRequest.status === 200){
|
|
143
|
+
let ipData = await ipRequest.json();
|
|
144
|
+
return ipData;
|
|
145
|
+
}
|
|
146
|
+
else{
|
|
147
|
+
return {error: "Failed to fetch IP data"};
|
|
148
|
+
}
|
|
149
|
+
}
|
|
150
|
+
}
|
package/package.json
ADDED
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "@hackthedev/dsync-ipsec",
|
|
3
|
+
"version": "1.0.0",
|
|
4
|
+
"description": "IP Based Security Library against Abuse",
|
|
5
|
+
"license": "ISC",
|
|
6
|
+
"author": "",
|
|
7
|
+
"main": "index.mjs",
|
|
8
|
+
"scripts": {
|
|
9
|
+
"test": "echo \"Error: no test specified\" && exit 1"
|
|
10
|
+
}
|
|
11
|
+
}
|