@hadi_ali/warden 1.0.0

package/app/db_connection/queries.js

@@ -0,0 +1,61 @@
+async function upsertReputation(db, { ip_hash, score, path, action, reason }) {
+  if (!db || typeof db.query !== 'function') return null;
+
+  const query = `
+    WITH upserted AS (
+      INSERT INTO warden_reputation (ip_hash, score, last_seen)
+      VALUES ($1, $2, NOW())
+      ON CONFLICT (ip_hash)
+      DO UPDATE SET
+        score = GREATEST(0, LEAST(100,
+          FLOOR(
+            warden_reputation.score
+            * POWER(
+              0.95,
+              EXTRACT(EPOCH FROM (
+                NOW() - COALESCE(warden_reputation.last_seen, NOW())
+              )) / 3600.0
+            )
+          ) + EXCLUDED.score
+        )),
+        last_seen = NOW()
+      RETURNING score
+    )
+    INSERT INTO warden_requests (ip_hash, timestamp, path, score_delta, action, reason)
+    VALUES ($1, NOW(), $3, $2, $4, $5)
+    RETURNING
+      (SELECT score FROM upserted) AS new_score;
+  `;
+
+  const result = await db.query(query, [ip_hash, score, path, action, reason]);
+  return result.rows[0];
+}
+
+async function upsertSession(db, session_hash, score) {
+  if (!db || typeof db.query !== 'function') return null;
+
+  const query = `
+    INSERT INTO warden_sessions (session_hash, score, last_seen)
+    VALUES ($1, $2, NOW())
+    ON CONFLICT (session_hash)
+    DO UPDATE SET
+      score = GREATEST(0, LEAST(100,
+        FLOOR(
+          warden_sessions.score
+          * POWER(
+            0.95,
+            EXTRACT(EPOCH FROM (
+              NOW() - COALESCE(warden_sessions.last_seen, NOW())
+            )) / 3600.0
+          )
+        ) + EXCLUDED.score
+      )),
+      last_seen = NOW()
+    RETURNING score AS new_score
+  `;
+
+  const result = await db.query(query, [session_hash, score]);
+  return result.rows[0];
+}
+
+module.exports = { upsertReputation, upsertSession };

package/app/demo/server.js

@@ -0,0 +1,56 @@
+const express = require('express');
+const { pool } = require('../db_connection/db');
+const { createClient } = require('redis');
+const { warden } = require('../middleware/warden');
+const { syncVerifiedBots } = require('../verified-bots/sync');
+const { reloadRanges } = require('../verified-bots/matcher');
+
+// Example/demo server wiring up Warden with PostgreSQL + Redis.
+// Run with: CONNECTION_STRING=postgres://... node node_modules/warden/app/demo/server.js
+async function main() {
+  const app = express();
+  app.set('trust proxy', 1);
+
+  let redis = null;
+  try {
+    redis = createClient({ url: process.env.REDIS_URL || 'redis://localhost:6379' });
+    redis.on('error', (err) => console.error('[Redis]', err.message));
+    await redis.connect();
+  } catch (err) {
+    console.warn('[Redis] not available, falling back to in-memory store');
+    redis = null;
+  }
+
+  app.use(warden({
+    db: pool,
+    redis,
+    allowlist: [],
+    failopen: true,
+    scorethreshold: 30,
+  }));
+
+  app.get('/', (req, res) => {
+    res.json({ message: 'hello' });
+  });
+
+  try {
+    const success = await syncVerifiedBots();
+    if (success) reloadRanges();
+    setInterval(async () => {
+      const refreshed = await syncVerifiedBots();
+      if (refreshed) reloadRanges();
+    }, 24 * 60 * 60 * 1000).unref();
+  } catch (err) {
+    console.warn('[verified-bots sync] skipped:', err.message);
+  }
+
+  const port = process.env.PORT || 3000;
+  app.listen(port, () => {
+    console.log(`Server running on port ${port}`);
+  });
+}
+
+main().catch((err) => {
+  console.error('Fatal startup error:', err);
+  process.exit(1);
+});

package/app/getClientIP.js

@@ -0,0 +1,51 @@
+function pickFirst(list) {
+  if (!list) return null;
+  const parts = String(list).split(',');
+  for (const part of parts) {
+    const trimmed = part.trim();
+    if (trimmed) return trimmed;
+  }
+  return null;
+}
+
+/**
+ * Resolve the client IP for a request.
+ *
+ * Security: by default we trust ONLY req.ip, which Express populates
+ * from req.socket.remoteAddress unless app.set('trust proxy', N) is configured.
+ * Manually parsing X-Forwarded-For / X-Real-IP / CF-Connecting-IP would let
+ * attackers spoof IPs (e.g. "X-Forwarded-For: 8.8.8.8" via Postman) and
+ * bypass rate limits or get legitimate services banned.
+ *
+ * Pass trustHeaders: true ONLY if you've already configured
+ * app.set('trust proxy', N) with a specific hop count. Warden will not
+ * validate that configuration for you.
+ */
+function getClientIP(req, { trustHeaders = false } = {}) {
+  if (!req) return null;
+
+  if (trustHeaders) {
+    const headers = req.headers || {};
+
+    const xff = pickFirst(headers['x-forwarded-for']);
+    if (xff) return xff;
+
+    const xri = pickFirst(headers['x-real-ip']);
+    if (xri) return xri;
+
+    const cf = pickFirst(headers['cf-connecting-ip']);
+    if (cf) return cf;
+  }
+
+  if (typeof req.ip === 'string' && req.ip.trim()) {
+    return req.ip.trim();
+  }
+
+  if (req.socket && typeof req.socket.remoteAddress === 'string') {
+    return req.socket.remoteAddress.trim();
+  }
+
+  return null;
+}
+
+module.exports = { getClientIP };

package/app/hashIP.js

@@ -0,0 +1,7 @@
+const crypto = require('crypto');
+
+function hashIP(ip) {
+    return crypto.createHash('sha256').update(ip).digest('hex');
+}
+
+module.exports = { hashIP };

package/app/honeypot.js

@@ -0,0 +1,29 @@
+function checkHoneypot(req) {
+  const honeypots = [
+    'wp-admin', 'wp-login.php', 'wp-config.php',
+    'phpmyadmin', 'pma',
+    'shell.php', 'cmd.php', 'exec.php', 'backdoor', 'webshell',
+    'phpinfo', 'phpinfo.php',
+    'env', 'git', 'htaccess', '.env', '.git', '.htaccess',
+    'config.php', 'web.config',
+  ];
+
+  const path = req.path.toLowerCase().replace(/\/+$/, '');
+
+  for (const honeypot of honeypots) {
+    if (path === `/${honeypot}` || path === honeypot) {
+      return 30;
+    }
+  }
+
+  const pathSegments = path.split('/').filter(Boolean);
+  for (const segment of pathSegments) {
+    if (honeypots.includes(segment)) {
+      return 30;
+    }
+  }
+
+  return 0;
+}
+
+module.exports = { checkHoneypot };

package/app/middleware/warden.js

@@ -0,0 +1,276 @@
+const { computeScore } = require('../scoring/computeScore');
+const { checkAllowlist } = require('../allowlist');
+const { checkHoneypot } = require('../honeypot');
+const { upsertReputation, upsertSession  } = require('../db_connection/queries');
+const { getLimit, isRateLimited, DEFAULTS } = require('../ratelimit');
+const { log } = require('../Loger');
+const { trackFailure } = require('../bruteforce');
+const crypto = require('crypto');
+const { computeSessionScore } = require('../scoring/computeSessionScore');
+const { isVerifiedBot } = require('../verified-bots/matcher');
+const { store } = require('../store');
+const verifiedBotsSync = require('../verified-bots/sync');
+
+function logInternalError(message, err, meta = {}) {
+  const details = {
+    ...meta,
+    error: err instanceof Error ? err.message : String(err),
+  };
+
+  if (err instanceof Error && err.stack) {
+    details.stack = err.stack;
+  }
+
+  console.error(`[warden] ${message}:`, details);
+}
+
+function safeCall(hookName, fn, ...args) {
+  if (typeof hookName === 'function') {
+    args = [fn, ...args];
+    fn = hookName;
+    hookName = 'anonymous';
+  }
+
+  if (typeof fn !== 'function') return;
+
+  try {
+    const result = fn(...args);
+    if (result && typeof result.then === 'function') {
+      return result.catch((err) => {
+        logInternalError(`hook "${hookName}" failed`, err);
+      });
+    }
+
+    return result;
+  } catch (err) {
+    logInternalError(`hook "${hookName}" failed`, err);
+  }
+}
+
+function getSafeTier(score, limits) {
+  const tier = getLimit(score, limits) || getLimit(score, DEFAULTS) || DEFAULTS.clean;
+
+  if (
+    !tier ||
+    !Number.isFinite(tier.requests) ||
+    !Number.isFinite(tier.windowSeconds) ||
+    tier.requests <= 0 ||
+    tier.windowSeconds <= 0
+  ) {
+    return DEFAULTS.clean;
+  }
+
+  return tier;
+}
+
+async function withFallback(taskName, task, fallbackValue, meta = {}) {
+  try {
+    return await task();
+  } catch (err) {
+    logInternalError(taskName, err, meta);
+    return fallbackValue;
+  }
+}
+
+function setHeaderSafe(res, name, value) {
+  if (!res || res.headersSent) return;
+  if (typeof res.set === 'function') {
+    res.set(name, value);
+    return;
+  }
+
+  if (typeof res.setHeader === 'function') {
+    res.setHeader(name, value);
+  }
+}
+
+function replySafe(res, statusCode, body) {
+  if (!res || res.headersSent) return;
+
+  if (typeof res.status === 'function') {
+    res.status(statusCode);
+  } else {
+    res.statusCode = statusCode;
+  }
+
+  if (typeof res.json === 'function') {
+    return res.json(body);
+  }
+
+  if (typeof res.send === 'function') {
+    return res.send(body);
+  }
+
+  if (typeof res.end === 'function') {
+    const payload = typeof body === 'string' ? body : JSON.stringify(body);
+    return res.end(payload);
+  }
+}
+
+function warden({
+  db = null,
+  redis = null,
+  allowlist = [],
+  failopen = true,
+  scorethreshold = 30,
+  limits = {},
+  onBlock = null,
+  knownSubdomains = [],
+  onSuspicious = null,
+  onRateLimit = null,
+  suspiciousThreshold = 30,
+  trustHeaders = false,
+  getSessionId = null,
+} = {}) {
+  const BRUTETHRESHOLD=7
+  const mergedLimits = {
+    clean:      { ...DEFAULTS.clean,      ...(limits.clean      || {}) },
+    suspicious: { ...DEFAULTS.suspicious, ...(limits.suspicious || {}) },
+    hostile:    { ...DEFAULTS.hostile,    ...(limits.hostile     || {}) },
+  };
+
+  if (redis && typeof redis === 'object' && typeof store.useRedis === 'function') {
+    store.useRedis(redis);
+  }
+
+  if (redis && typeof redis.set === 'function') {
+    verifiedBotsSync.setExternalStore(redis);
+  } else if (db && typeof db.query === 'function') {
+    verifiedBotsSync.setExternalStore(db);
+  }
+
+  return async function(req, res, next) {
+    const reqId = crypto.randomUUID();
+    const start = Date.now();
+    const path = req?.path || req?.originalUrl || req?.url || 'unknown';
+
+    try {
+      if (checkAllowlist(req, allowlist)) return next();
+
+      const computed = computeScore(req, knownSubdomains, { trustHeaders }) || {};
+      const ip_hash = typeof computed.ip_hash === 'string' && computed.ip_hash ? computed.ip_hash : 'unknown';
+      const score = Number.isFinite(computed.score) ? computed.score : 0;
+      const raw_ip = computed.raw_ip;
+
+      if (raw_ip && isVerifiedBot(raw_ip)) return next();
+      const honeypotScore = checkHoneypot(req);
+      const totalScore = score + honeypotScore;
+      const action = totalScore >= scorethreshold ? 'blocked' : 'allowed';
+      const reason = honeypotScore > 0 ? 'honeypot' : 'score';
+
+      if (typeof res?.on === 'function') {
+        res.on('finish', () => {
+          (async () => {
+            try {
+              if (![400, 401, 404].includes(res.statusCode)) return;
+              if (res.statusCode === 404) {
+      const isStaticAsset = /\.(png|jpg|jpeg|gif|ico|css|js|woff|woff2|ttf|svg|map)$/i.test(path);
+      if (isStaticAsset) return; // Let it go, it's just a broken webpage
+    }
+
+              const count = await withFallback(
+                'post-response brute-force tracking failed',
+                () => trackFailure(ip_hash),
+                0,
+                { reqId, ip_hash, path }
+              );
+
+              if (count < BRUTETHRESHOLD) return;
+
+              await withFallback(
+                'post-response brute-force persistence failed',
+                () => upsertReputation(db, {
+                  ip_hash,
+                  score: 100,
+                  path,
+                  action: 'blocked',
+                  reason: 'bruteforce'
+                }),
+                null,
+                { reqId, ip_hash, path }
+              );
+            } catch (err) {
+              logInternalError('post-response handler crashed', err, { reqId, ip_hash, path });
+            }
+          })();
+        });
+      }
+
+      const session_hash = getSessionId ? computeSessionScore(req, getSessionId) : null;
+
+      const shouldPersistScore = totalScore > 0;
+      const [reputationResult, sessionResult] = await Promise.all([
+        shouldPersistScore
+          ? withFallback(
+              'reputation persistence failed',
+              () => upsertReputation(db, {
+                ip_hash,
+                score: totalScore,
+                path,
+                action,
+                reason,
+              }),
+              null,
+              { reqId, ip_hash, path }
+            )
+          : Promise.resolve(null),
+        shouldPersistScore && session_hash
+          ? withFallback(
+              'session persistence failed',
+              () => upsertSession(db, session_hash, totalScore),
+              null,
+              { reqId, ip_hash, path, session_hash }
+            )
+          : Promise.resolve(null)
+      ]);
+  
+      const new_score = Number.isFinite(reputationResult?.new_score)
+        ? reputationResult.new_score
+        : Math.max(0, totalScore);
+      const session_new_score = Number.isFinite(sessionResult?.new_score)
+        ? sessionResult.new_score
+        : null;
+      const finalScore = session_new_score !== null
+        ? Math.max(new_score, session_new_score)
+        : new_score;
+      const tier = getSafeTier(finalScore, mergedLimits);
+      const rateLimitKey = `rl:${ip_hash}:${tier.windowSeconds}:${tier.requests}`;
+      const window_requests = await withFallback(
+        'rate limit store increment failed',
+        () => store.increment(rateLimitKey, tier.windowSeconds),
+        0,
+        { reqId, ip_hash, path, rateLimitKey }
+      );
+      setHeaderSafe(res, 'X-RateLimit-Limit', tier.requests);
+      setHeaderSafe(res, 'X-RateLimit-Remaining', Math.max(0, tier.requests - window_requests));
+      setHeaderSafe(res, 'X-RateLimit-Reset', Math.floor(Date.now() / 1000) + tier.windowSeconds);
+
+      if (isRateLimited(finalScore, window_requests, mergedLimits)) {
+        setHeaderSafe(res, 'Retry-After', tier.windowSeconds);
+        log({ reqId, ip_hash, score: finalScore, raw_score: totalScore, action: 'blocked', reason: 'rate_limit', path, duration_ms: Date.now() - start });
+        safeCall('onRateLimit', onRateLimit, ip_hash, finalScore, req);
+        return replySafe(res, 429, { error: 'Too many requests' });
+      }
+
+      if (finalScore >= scorethreshold) {
+        log({ reqId, ip_hash, score: finalScore, raw_score: totalScore, action: 'blocked', reason, path, duration_ms: Date.now() - start });
+        safeCall('onBlock', onBlock, ip_hash, finalScore, reason, req);
+        return replySafe(res, 403, { error: 'forbidden' });
+      }
+
+      log({ reqId, ip_hash, score: finalScore, raw_score: totalScore, action: 'allowed', reason, path, duration_ms: Date.now() - start });
+      if (finalScore > suspiciousThreshold) {
+        safeCall('onSuspicious', onSuspicious, ip_hash, finalScore, req);
+      }
+      return next();
+
+    } catch (err) {
+      logInternalError('middleware execution failed', err, { reqId, path });
+      if (failopen === true) return next();
+      if (res?.headersSent && typeof next === 'function') return next(err);
+      return replySafe(res, 500, { error: 'internal server error' });
+    }
+  };
+}
+
+module.exports = { warden, safeCall, logInternalError, replySafe, setHeaderSafe, getSafeTier };

package/app/normalizeIP.js

@@ -0,0 +1,18 @@
+const { Address6 } = require('ip-address');
+const net = require('net');
+
+function normalizeIP(input) {
+  if (!input) return null;
+
+  const ipVersion = net.isIP(input);
+  if (ipVersion === 4) {
+    return input;
+  } else if (ipVersion === 6) {
+    const addr = new Address6(input);
+    const sections = addr.canonicalForm().split(':');
+    return sections.slice(0, 4).join(':') + '::/64';
+  }
+  return null;
+}
+
+module.exports = { normalizeIP };

package/app/ratelimit.js

@@ -0,0 +1,17 @@
+
+ const DEFAULTS = {
+  clean:      { requests: 60, windowSeconds: 60 },
+  suspicious: { requests: 20, windowSeconds: 60 },
+  hostile:    { requests: 5,  windowSeconds: 30 }
+};
+
+function getLimit(score, limits=DEFAULTS) {
+  if (score > 60) return limits.hostile;
+  if (score > 30) return limits.suspicious;
+  return limits.clean;
+}
+
+function isRateLimited(score, windowRequests, customLimits = {}) {
+  return windowRequests > getLimit(score, customLimits).requests;
+}
+module.exports={getLimit,isRateLimited,DEFAULTS}

package/app/scoring/SubDomainScore.js

@@ -0,0 +1,90 @@
+function scoreSubdomain(req, knownSubdomains = []) {
+  const host = (req.headers?.host || req.hostname || '').toLowerCase();
+  if (!host || !host.includes('.')) return 0;
+
+  const cleanHost = host.split(':')[0];
+  const parts = cleanHost.split('.');
+  if (parts.length < 3) return 0;
+
+  const subdomains = parts.slice(0, -2);
+  const whitelist = new Set(knownSubdomains.map(s => s.toLowerCase()));
+
+  // 60 points — no legitimate user hits these, pure recon/attack surface
+  const highSensitive = new Set([
+    // admin panels
+    'admin', 'administrator', 'panel', 'control', 'manage', 'manager',
+    'phpmyadmin', 'pma', 'adminer', 'myadmin', 'dbadmin', 'sqladmin',
+    'cpanel', 'whm', 'plesk', 'directadmin', 'virtualmin', 'webmin',
+    // remote access
+    'ssh', 'rdp', 'vnc', 'telnet', 'bastion', 'console', 'remote', 'access',
+    // secrets
+    'vault', 'secrets', 'cred', 'credentials', 'password', 'passwords',
+    // backups
+    'backup', 'bak', 'old', 'restore', 'archive',
+    // debug
+    'phpinfo', 'debug', 'debugger', 'devmode',
+    // database admin
+    'dba',
+    // shell
+    'shell', 'cmd', 'exec',
+    // internal
+    'intranet', 'internal', 'inside', 'private', 'secret', 'confidential',
+    'corp', 'corporate',
+    // vpn/tunnel
+    'vpn', 'tunnel', 'gateway',
+  ]);
+
+  // 15 points — common but signals reconnaissance
+  const medSensitive = new Set([
+    // dev environments
+    'dev', 'development', 'staging', 'stage', 'test', 'testing',
+    'beta', 'alpha', 'demo', 'uat', 'qa', 'sandbox', 'mock',
+    'preprod', 'pre-prod', 'preview',
+    // versioning
+    'v1', 'v2', 'v3', 'v4', 'version',
+    // apis
+    'api', 'graphql', 'gql', 'rest', 'soap', 'rpc',
+    'swagger', 'openapi', 'api-docs', 'playground',
+    // ci/cd
+    'jenkins', 'ci', 'cd', 'build', 'deploy', 'release', 'pipeline',
+    'travis', 'circleci', 'github', 'gitlab', 'bitbucket', 'git', 'svn',
+    // monitoring
+    'grafana', 'prometheus', 'kibana', 'monitor', 'monitoring',
+    'nagios', 'zabbix', 'datadog', 'newrelic', 'splunk',
+    'logs', 'log', 'logging', 'trace', 'tracing', 'metrics',
+    'jaeger', 'zipkin', 'otel',
+    // databases
+    'db', 'database', 'sql', 'mysql', 'postgres', 'postgresql',
+    'mongo', 'mongodb', 'redis', 'cassandra', 'oracle', 'elastic',
+    // auth
+    'auth', 'sso', 'oauth', 'saml', 'ldap', 'login', 'signin',
+    // infra
+    'k8s', 'kubernetes', 'kube', 'docker', 'rancher', 'portainer',
+    'consul', 'nomad',
+    // mail
+    'mail', 'email', 'webmail', 'smtp',
+    // docs
+    'wiki', 'docs', 'confluence', 'jira',
+    // misc
+    'status', 'health', 'ping', 'probe',
+    'ws', 'socket', 'realtime',
+  ]);
+
+  let score = 0;
+
+  for (const sub of subdomains) {
+    if (whitelist.has(sub)) continue;
+    if (highSensitive.has(sub)) {
+      score += 60;
+      continue;
+    }
+    if (medSensitive.has(sub)) {
+      score += 15;
+      continue;
+    }
+  }
+
+  return Math.min(score, 100);
+}
+
+module.exports = { scoreSubdomain };

package/app/scoring/computeScore.js

@@ -0,0 +1,28 @@
+const { getClientIP } = require('../getClientIP');
+const { hashIP } = require('../hashIP');
+const { normalizeIP } = require('../normalizeIP');
+const { scoreFromHeaders } = require('./scoreFromHeaders');
+const {scoreSubdomain}=require('./SubDomainScore')
+function computeScore(req, knownSubdomains, options = {}) {
+  const ip = getClientIP(req, options);
+  const normalip = normalizeIP(ip);
+
+  if (!normalip) {
+    return {
+      ip_hash: 'unknown',
+      score: 60,
+      raw_ip: null
+    };
+  }
+
+  const haship = hashIP(normalip);
+  const headerScore = scoreFromHeaders(req);
+const scoreSub = scoreSubdomain(req,knownSubdomains)
+  return {
+    ip_hash: haship,
+    score: headerScore+scoreSub,
+    raw_ip: normalip
+  };
+}
+
+module.exports = { computeScore };

package/app/scoring/computeSessionScore.js

@@ -0,0 +1,52 @@
+const crypto = require('crypto');
+
+function hashSession(session) {
+  return crypto.createHash('sha256').update(String(session)).digest('hex');
+}
+
+function extractBearerToken(req) {
+  const auth = req.headers?.authorization 
+  if (!auth) return null;
+  const parts = String(auth).split(' ');
+  if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {
+    return parts[1];
+  }
+  return null;
+}
+
+function extractCookie(req, name) {
+  if (req.cookies && req.cookies[name]) {
+    return req.cookies[name];
+  }
+  if (req.headers?.cookie) {
+    const match = req.headers.cookie.match(
+      new RegExp(`(?:^|;\\s*)${name}=([^;]+)`)
+    );
+    if (match) return match[1];
+  }
+  return null;
+}
+
+function getDefaultSessionId(req) {
+  // 1. Try connect.sid cookie first
+  const sid = extractCookie(req, 'connect.sid');
+  if (sid) return sid;
+
+  // 2. Try Authorization bearer second
+  const bearer = extractBearerToken(req);
+  if (bearer) return bearer;
+
+  return null;
+}
+
+function computeSessionScore(req, getSessionId) {
+  const sessionId = typeof getSessionId === 'function'
+    ? getSessionId(req)
+    : getDefaultSessionId(req);
+
+  if (!sessionId) return null;
+
+  return hashSession(sessionId);
+}
+
+module.exports = { computeSessionScore, hashSession };