@liberstudio/cloudflare-list 2.1.9 → 2.2.1

package/README.md

@@ -35,6 +35,7 @@ import { CloudflareAttacksModule } from "@liberstudio/cloudflare-list";
       apiToken: "<api_token>",
       comment: "<comment>",
       logPath: "<logPath>",
+      excludedPaths: "<excludedList>",
     }),
   ],
 })
@@ -52,12 +53,13 @@ import { CloudflareAttacksModule } from "@liberstudio/cloudflare-list";
       imports: [ConfigModule],
       inject: [ConfigService],
       useFactory: (config: ConfigService) => ({
-        apiToken: config.getOrThrow<string>('CLOUDFLARE_API_TOKEN'),
-        accountId: config.getOrThrow<string>('CLOUDFLARE_ACCOUNT_ID'),
-        listId: config.getOrThrow<string>('CLOUDFLARE_LIST_ID'),
-        comment: config.get<string>('CLOUDFLARE_LIST_COMMENT') || 'Blocked',
-        logPath: config.get<string>('CLOUDFLARE_LIST_LOG_PATH') || '/var/log/nestjs-attacks.log',
-      })
+        apiToken: config.getOrThrow<string>("CLOUDFLARE_API_TOKEN"),
+        accountId: config.getOrThrow<string>("CLOUDFLARE_ACCOUNT_ID"),
+        listId: config.getOrThrow<string>("CLOUDFLARE_LIST_ID"),
+        comment: config.get<string>("CLOUDFLARE_LIST_COMMENT") || "Blocked",
+        logPath: config.get<string>("CLOUDFLARE_LIST_LOG_PATH") || "/var/log/nestjs-attacks.log",
+        excludedPaths: ["/api/health", "/api/webhook", /^\/api\/public\/.*/],
+      }),
     }),
   ],
 })
@@ -65,4 +67,5 @@ export class AppModule {}
 ```
 
 ## License
+
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

package/dist/interfaces/cloudflare-attacks.interface.d.ts

@@ -4,6 +4,7 @@ export interface CloudflareAttacksOptions {
     listId: string;
     comment: string;
     logPath: string;
+    excludedPaths?: (string | RegExp)[];
 }
 export interface CloudflareAttacksAsyncOptions {
     imports?: any[];

package/dist/middleware/attack-logger.middleware.d.ts

@@ -15,5 +15,6 @@ export declare class AttackLoggerMiddleware implements NestMiddleware, OnModuleD
     private isThrottled;
     private sanitize;
     private ensureDirectoryExists;
+    private isExcluded;
     onModuleDestroy(): void;
 }

package/dist/middleware/attack-logger.middleware.js

@@ -42,7 +42,7 @@ let AttackLoggerMiddleware = AttackLoggerMiddleware_1 = class AttackLoggerMiddle
     }
     use(req, res, next) {
         res.on("finish", () => {
-            if (res.statusCode === 404) {
+            if (res.statusCode === 404 && !this.isExcluded(req.url)) {
                 this.handleSuspicious(req);
             }
         });
@@ -65,9 +65,11 @@ let AttackLoggerMiddleware = AttackLoggerMiddleware_1 = class AttackLoggerMiddle
                 this.logger.debug("Stream del log degli attacchi svuotato");
             });
         }
-        const cidr = (0, utils_1.toCidr)(ip);
-        if (!cidr)
+        const cidr = (0, utils_1.normalizeIp)(ip);
+        if (!cidr) {
+            this.logger.warn(`IP non valido: ${ip}`);
             return;
+        }
         this.attSrv.updateIpList(cidr).catch((err) => {
             const msg = err instanceof Error ? err.message : "Errore sconosciuto";
             this.logger.error(`Aggiornamento Cloudflare fallito: ${msg}`);
@@ -92,6 +94,10 @@ let AttackLoggerMiddleware = AttackLoggerMiddleware_1 = class AttackLoggerMiddle
             this.logger.log(`Cartella dei log creata: ${dir}`);
         }
     }
+    isExcluded(url) {
+        const excluded = this.options.excludedPaths ?? [];
+        return excluded.some((p) => (p instanceof RegExp ? p.test(url) : url.startsWith(p)));
+    }
     onModuleDestroy() {
         this.stream.end();
         for (const timeout of this.recentIps.values()) {

package/dist/utils/get-client-ip.util.d.ts

@@ -1,3 +1,3 @@
-import { Request } from "express";
+import type { Request } from "express";
 export declare function getClientIp(req: Request): string;
-export declare function toCidr(ip: string): string | null;
+export declare function normalizeIp(ip: string): string | null;

package/dist/utils/get-client-ip.util.js

@@ -1,7 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getClientIp = getClientIp;
-exports.toCidr = toCidr;
+exports.normalizeIp = normalizeIp;
+const net_1 = require("net");
 function getClientIp(req) {
     const cfIp = req.headers["cf-connecting-ip"];
     if (typeof cfIp === "string")
@@ -15,16 +16,39 @@ function getClientIp(req) {
     }
     return req.socket.remoteAddress ?? "unknown";
 }
-function toCidr(ip) {
+function normalizeIp(ip) {
     if (!ip)
         return null;
-    // IPv6
-    if (ip.includes(":")) {
-        return `${ip}/128`;
+    ip = ip.trim();
+    // IPv4-mapped IPv6 → converti in IPv4 puro
+    if (ip.startsWith("::ffff:")) {
+        ip = ip.replace("::ffff:", "");
     }
-    // IPv4
-    if (ip.includes(".")) {
+    const version = (0, net_1.isIP)(ip);
+    if (!version)
+        return null;
+    // Blocca loopback
+    if (ip === "127.0.0.1" || ip === "::1")
+        return null;
+    // Blocca IPv4 privati
+    if (version === 4) {
+        if (ip.startsWith("10.") || ip.startsWith("192.168.") || (ip.startsWith("172.") && isPrivate172(ip))) {
+            return null;
+        }
         return `${ip}/32`;
     }
+    // Blocca IPv6 link-local e unique local
+    if (version === 6) {
+        if (ip.startsWith("fe80:") || // link-local
+            ip.startsWith("fc") || // unique local
+            ip.startsWith("fd")) {
+            return null;
+        }
+        return `${ip}/128`;
+    }
     return null;
 }
+function isPrivate172(ip) {
+    const secondOctet = Number(ip.split('.')[1]);
+    return secondOctet >= 16 && secondOctet <= 31;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@liberstudio/cloudflare-list",
-  "version": "2.1.9",
+  "version": "2.2.1",
   "description": "Modulo NestJS per gestione IP List Cloudflare",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",