@nest-omni/core 4.1.3-25 → 4.1.3-27

package/http-client/utils/sanitize.util.js

@@ -0,0 +1,188 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SanitizeUtil = void 0;
+/**
+ * HTTP 请求数据脱敏工具
+ * 统一处理 headers、body、query string 的敏感信息过滤
+ */
+class SanitizeUtil {
+    /**
+     * 脱敏 headers
+     * @param headers - 原始 headers 对象
+     * @param sensitiveFields - 自定义敏感字段列表
+     * @returns 脱敏后的 headers
+     */
+    static sanitizeHeaders(headers, sensitiveFields = []) {
+        if (!headers)
+            return {};
+        const sanitized = {};
+        const fieldsToSanitize = [
+            ...this.DEFAULT_SENSITIVE_FIELDS,
+            ...sensitiveFields,
+        ];
+        Object.keys(headers).forEach((key) => {
+            if (this.isSensitiveField(key, fieldsToSanitize)) {
+                sanitized[key] = '[FILTERED]';
+            }
+            else {
+                sanitized[key] = String(headers[key]);
+            }
+        });
+        return sanitized;
+    }
+    /**
+     * 脱敏 body
+     * @param body - 原始 body 数据
+     * @param sensitiveFields - 自定义敏感字段列表
+     * @returns 脱敏后的 body
+     */
+    static sanitizeBody(body, sensitiveFields = []) {
+        if (!body)
+            return undefined;
+        if (typeof body === 'string') {
+            try {
+                body = JSON.parse(body);
+            }
+            catch (_a) {
+                // 非 JSON 字符串，不做处理
+                return body.length > 1000 ? body.substring(0, 1000) + '...' : body;
+            }
+        }
+        if (typeof body === 'object') {
+            const sanitized = Object.assign({}, body);
+            const fieldsToSanitize = [
+                ...this.DEFAULT_SENSITIVE_FIELDS,
+                ...sensitiveFields,
+            ];
+            this.sanitizeObject(sanitized, fieldsToSanitize);
+            return sanitized;
+        }
+        return body;
+    }
+    /**
+     * 脱敏 URL 中的 query string
+     * @param url - 原始 URL
+     * @param sensitiveFields - 自定义敏感字段列表
+     * @returns 脱敏后的 URL
+     */
+    static sanitizeQueryString(url, sensitiveFields = []) {
+        if (!url)
+            return url;
+        const queryIndex = url.indexOf('?');
+        if (queryIndex === -1) {
+            return url; // 没有 query string
+        }
+        const baseUrl = url.substring(0, queryIndex);
+        const queryString = url.substring(queryIndex + 1);
+        const params = new URLSearchParams(queryString);
+        const fieldsToSanitize = [
+            ...this.DEFAULT_SENSITIVE_FIELDS,
+            ...sensitiveFields,
+        ];
+        params.forEach((value, key) => {
+            if (this.isSensitiveField(key, fieldsToSanitize)) {
+                params.set(key, '[FILTERED]');
+            }
+        });
+        const sanitizedQuery = params.toString();
+        return sanitizedQuery ? `${baseUrl}?${sanitizedQuery}` : baseUrl;
+    }
+    /**
+     * 脱敏 params 对象
+     * @param params - 原始 params 对象
+     * @param sensitiveFields - 自定义敏感字段列表
+     * @returns 脱敏后的 params
+     */
+    static sanitizeParams(params, sensitiveFields = []) {
+        if (!params)
+            return {};
+        const sanitized = {};
+        const fieldsToSanitize = [
+            ...this.DEFAULT_SENSITIVE_FIELDS,
+            ...sensitiveFields,
+        ];
+        Object.keys(params).forEach((key) => {
+            if (this.isSensitiveField(key, fieldsToSanitize)) {
+                sanitized[key] = '[FILTERED]';
+            }
+            else {
+                sanitized[key] = params[key];
+            }
+        });
+        return sanitized;
+    }
+    /**
+     * 将 body 转换为字符串并脱敏
+     * @param data - 原始数据
+     * @param sensitiveFields - 自定义敏感字段列表
+     * @returns 脱敏后的字符串
+     */
+    static sanitizeBodyAsString(data, sensitiveFields = []) {
+        const sanitized = this.sanitizeBody(data, sensitiveFields);
+        if (!sanitized)
+            return undefined;
+        if (typeof sanitized === 'string') {
+            return sanitized.length > 5000
+                ? sanitized.substring(0, 5000) + '...'
+                : sanitized;
+        }
+        const jsonString = JSON.stringify(sanitized);
+        return jsonString.length > 5000
+            ? jsonString.substring(0, 5000) + '...'
+            : jsonString;
+    }
+    /**
+     * 判断字段是否为敏感字段
+     * @param key - 字段名
+     * @param sensitiveFields - 敏感字段列表
+     * @returns 是否为敏感字段
+     */
+    static isSensitiveField(key, sensitiveFields) {
+        const lowerKey = key.toLowerCase();
+        return sensitiveFields.some((field) => lowerKey.includes(field.toLowerCase()));
+    }
+    /**
+     * 递归脱敏对象中的敏感字段
+     * @param obj - 目标对象
+     * @param sensitiveFields - 敏感字段列表
+     */
+    static sanitizeObject(obj, sensitiveFields) {
+        if (typeof obj !== 'object' || obj === null)
+            return;
+        for (const key in obj) {
+            if (this.isSensitiveField(key, sensitiveFields)) {
+                obj[key] = '[FILTERED]';
+            }
+            else if (typeof obj[key] === 'object') {
+                this.sanitizeObject(obj[key], sensitiveFields);
+            }
+        }
+    }
+}
+exports.SanitizeUtil = SanitizeUtil;
+/**
+ * 默认敏感字段列表
+ */
+SanitizeUtil.DEFAULT_SENSITIVE_FIELDS = [
+    // Headers 相关
+    'authorization',
+    'apikey',
+    'x-api-key',
+    'x-auth-token',
+    'cookie',
+    'set-cookie',
+    // Body/Query 通用字段
+    'password',
+    'secret',
+    'token',
+    'key',
+    'credential',
+    'private',
+    'confidential',
+    'ssn',
+    'creditCard',
+    'accessToken',
+    'refreshToken',
+    'apiKey',
+    'apiSecret',
+];

package/http-client/utils/security-validator.util.d.ts

@@ -75,6 +75,25 @@ export declare class SecurityValidator {
         valid: boolean;
         error?: string;
     };
+    /**
+     * 敏感数据检测
+     * 检查数据中是否包含敏感信息（如密码、token等）
+     * @param data 要检查的数据对象
+     * @param additionalPatterns 额外的敏感数据模式
+     * @returns 检测结果
+     */
+    static detectSensitiveData(data: any, additionalPatterns?: RegExp[]): {
+        hasSensitiveData: boolean;
+        fields: string[];
+    };
+    /**
+     * 获取默认SSRF防护配置
+     */
+    static getDefaultSSRFConfig(): SSRFProtectionConfig;
+    /**
+     * 获取默认URL验证配置
+     */
+    static getDefaultURLConfig(): URLValidationConfig;
     /**
      * 从主机名中提取IP地址
      */
@@ -96,23 +115,4 @@ export declare class SecurityValidator {
      * 验证主机名格式
      */
     private static isValidHostname;
-    /**
-     * 敏感数据检测
-     * 检查数据中是否包含敏感信息（如密码、token等）
-     * @param data 要检查的数据对象
-     * @param additionalPatterns 额外的敏感数据模式
-     * @returns 检测结果
-     */
-    static detectSensitiveData(data: any, additionalPatterns?: RegExp[]): {
-        hasSensitiveData: boolean;
-        fields: string[];
-    };
-    /**
-     * 获取默认SSRF防护配置
-     */
-    static getDefaultSSRFConfig(): SSRFProtectionConfig;
-    /**
-     * 获取默认URL验证配置
-     */
-    static getDefaultURLConfig(): URLValidationConfig;
 }

package/http-client/utils/security-validator.util.js

@@ -143,6 +143,69 @@ class SecurityValidator {
         }
         return { url: sanitizedURL, valid: true };
     }
+    /**
+     * 敏感数据检测
+     * 检查数据中是否包含敏感信息（如密码、token等）
+     * @param data 要检查的数据对象
+     * @param additionalPatterns 额外的敏感数据模式
+     * @returns 检测结果
+     */
+    static detectSensitiveData(data, additionalPatterns = []) {
+        const sensitiveFields = [];
+        // 默认敏感字段名模式
+        const defaultPatterns = [
+            /password/i,
+            /secret/i,
+            /token/i,
+            /api[_-]?key/i,
+            /authorization/i,
+            /credential/i,
+            /private[_-]?key/i,
+            /access[_-]?token/i,
+            /refresh[_-]?token/i,
+            /session[_-]?id/i,
+            /csrf/i,
+            /ssn/i,
+            /credit[_-]?card/i,
+        ];
+        const allPatterns = [...defaultPatterns, ...additionalPatterns];
+        const checkObject = (obj, path = '') => {
+            if (!obj || typeof obj !== 'object') {
+                return;
+            }
+            for (const key in obj) {
+                if (!obj.hasOwnProperty(key)) {
+                    continue;
+                }
+                const currentPath = path ? `${path}.${key}` : key;
+                // 检查键名是否匹配敏感模式
+                if (allPatterns.some((pattern) => pattern.test(key))) {
+                    sensitiveFields.push(currentPath);
+                }
+                // 递归检查嵌套对象
+                if (typeof obj[key] === 'object' && obj[key] !== null) {
+                    checkObject(obj[key], currentPath);
+                }
+            }
+        };
+        checkObject(data);
+        return {
+            hasSensitiveData: sensitiveFields.length > 0,
+            fields: sensitiveFields,
+        };
+    }
+    /**
+     * 获取默认SSRF防护配置
+     */
+    static getDefaultSSRFConfig() {
+        return Object.assign({}, this.defaultSSRFConfig);
+    }
+    /**
+     * 获取默认URL验证配置
+     */
+    static getDefaultURLConfig() {
+        return Object.assign({}, this.defaultURLConfig);
+    }
     /**
      * 从主机名中提取IP地址
      */
@@ -165,7 +228,9 @@ class SecurityValidator {
     static validateIPAddress(ipAddress, config) {
         // 检查是否为本地回环地址
         if (!config.allowLoopback) {
-            if (ipAddress === '127.0.0.1' || ipAddress === '::1' || ipAddress.startsWith('127.')) {
+            if (ipAddress === '127.0.0.1' ||
+                ipAddress === '::1' ||
+                ipAddress.startsWith('127.')) {
                 return {
                     valid: false,
                     error: 'Loopback addresses are not allowed',
@@ -251,69 +316,6 @@ class SecurityValidator {
         const hostnameRegex = /^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$/;
         return hostnameRegex.test(hostname);
     }
-    /**
-     * 敏感数据检测
-     * 检查数据中是否包含敏感信息（如密码、token等）
-     * @param data 要检查的数据对象
-     * @param additionalPatterns 额外的敏感数据模式
-     * @returns 检测结果
-     */
-    static detectSensitiveData(data, additionalPatterns = []) {
-        const sensitiveFields = [];
-        // 默认敏感字段名模式
-        const defaultPatterns = [
-            /password/i,
-            /secret/i,
-            /token/i,
-            /api[_-]?key/i,
-            /authorization/i,
-            /credential/i,
-            /private[_-]?key/i,
-            /access[_-]?token/i,
-            /refresh[_-]?token/i,
-            /session[_-]?id/i,
-            /csrf/i,
-            /ssn/i,
-            /credit[_-]?card/i,
-        ];
-        const allPatterns = [...defaultPatterns, ...additionalPatterns];
-        const checkObject = (obj, path = '') => {
-            if (!obj || typeof obj !== 'object') {
-                return;
-            }
-            for (const key in obj) {
-                if (!obj.hasOwnProperty(key)) {
-                    continue;
-                }
-                const currentPath = path ? `${path}.${key}` : key;
-                // 检查键名是否匹配敏感模式
-                if (allPatterns.some((pattern) => pattern.test(key))) {
-                    sensitiveFields.push(currentPath);
-                }
-                // 递归检查嵌套对象
-                if (typeof obj[key] === 'object' && obj[key] !== null) {
-                    checkObject(obj[key], currentPath);
-                }
-            }
-        };
-        checkObject(data);
-        return {
-            hasSensitiveData: sensitiveFields.length > 0,
-            fields: sensitiveFields,
-        };
-    }
-    /**
-     * 获取默认SSRF防护配置
-     */
-    static getDefaultSSRFConfig() {
-        return Object.assign({}, this.defaultSSRFConfig);
-    }
-    /**
-     * 获取默认URL验证配置
-     */
-    static getDefaultURLConfig() {
-        return Object.assign({}, this.defaultURLConfig);
-    }
 }
 exports.SecurityValidator = SecurityValidator;
 SecurityValidator.logger = new common_1.Logger(SecurityValidator.name);

package/interceptors/http-logging-interceptor.service.d.ts

@@ -0,0 +1,38 @@
+import { NestInterceptor, ExecutionContext, CallHandler } from '@nestjs/common';
+import { Observable } from 'rxjs';
+import { ApiConfigService } from '../shared/services/api-config.service';
+/**
+ * HTTP 日志拦截器
+ * 参考 Tomcat AccessLog 的实现，每个请求只记录一条日志
+ * 在请求完成时同时记录请求和响应的完整信息
+ */
+export declare class HttpLoggingInterceptor implements NestInterceptor {
+    private readonly configService;
+    private readonly logger;
+    constructor(configService: ApiConfigService);
+    intercept(context: ExecutionContext, next: CallHandler): Observable<any>;
+    /**
+     * 生成请求 ID
+     */
+    private generateRequestId;
+    /**
+     * 记录请求和响应（一条日志）
+     */
+    private logRequestResponse;
+    /**
+     * 记录请求和错误（一条日志）
+     */
+    private logRequestError;
+    /**
+     * 清理敏感的 header 信息
+     */
+    private sanitizeHeaders;
+    /**
+     * 清理敏感的 body 信息
+     */
+    private sanitizeBody;
+    /**
+     * 从 headers 提取用户信息
+     */
+    private extractUser;
+}

package/interceptors/http-logging-interceptor.service.js

@@ -0,0 +1,167 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var HttpLoggingInterceptor_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HttpLoggingInterceptor = void 0;
+const common_1 = require("@nestjs/common");
+const operators_1 = require("rxjs/operators");
+const api_config_service_1 = require("../shared/services/api-config.service");
+/**
+ * HTTP 日志拦截器
+ * 参考 Tomcat AccessLog 的实现，每个请求只记录一条日志
+ * 在请求完成时同时记录请求和响应的完整信息
+ */
+let HttpLoggingInterceptor = HttpLoggingInterceptor_1 = class HttpLoggingInterceptor {
+    constructor(configService) {
+        this.configService = configService;
+        this.logger = new common_1.Logger(HttpLoggingInterceptor_1.name);
+    }
+    intercept(context, next) {
+        const ctx = context.switchToHttp();
+        const request = ctx.getRequest();
+        const response = ctx.getResponse();
+        const startTime = Date.now();
+        const { method, url, headers, body } = request;
+        const requestId = String(request.id || headers['x-request-id'] || this.generateRequestId());
+        // 监听响应完成事件，一条日志同时记录请求和响应
+        response.on('finish', () => {
+            const duration = Date.now() - startTime;
+            this.logRequestResponse(requestId, request, response, duration);
+        });
+        return next.handle().pipe((0, operators_1.catchError)((error) => {
+            const duration = Date.now() - startTime;
+            this.logRequestError(requestId, request, error, duration);
+            throw error;
+        }));
+    }
+    /**
+     * 生成请求 ID
+     */
+    generateRequestId() {
+        return `${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
+    }
+    /**
+     * 记录请求和响应（一条日志）
+     */
+    logRequestResponse(requestId, request, response, duration) {
+        const statusCode = response.statusCode;
+        const logData = {
+            requestId,
+            timestamp: new Date().toISOString(),
+            env: this.configService.nodeEnv,
+            appName: this.configService.getString('NAME'),
+            http: {
+                method: request.method,
+                url: request.url,
+                query: request.query,
+                statusCode,
+                duration: `${duration}ms`,
+                req: {
+                    headers: this.sanitizeHeaders(request.headers),
+                    body: this.sanitizeBody(request.body),
+                },
+                res: {
+                    headers: this.sanitizeHeaders(response.getHeaders()),
+                },
+            },
+            user: this.extractUser(request.headers),
+        };
+        const message = `HTTP ${request.method} ${request.url} ${statusCode} (${duration}ms)`;
+        if (statusCode >= 500) {
+            this.logger.error(message, logData);
+        }
+        else if (statusCode >= 400) {
+            this.logger.warn(message, logData);
+        }
+        else {
+            this.logger.log(message, logData);
+        }
+    }
+    /**
+     * 记录请求和错误（一条日志）
+     */
+    logRequestError(requestId, request, error, duration) {
+        const logData = {
+            requestId,
+            timestamp: new Date().toISOString(),
+            env: this.configService.nodeEnv,
+            appName: this.configService.getString('NAME'),
+            http: {
+                method: request.method,
+                url: request.url,
+                query: request.query,
+                statusCode: (error === null || error === void 0 ? void 0 : error.status) || 500,
+                duration: `${duration}ms`,
+                req: {
+                    headers: this.sanitizeHeaders(request.headers),
+                    body: this.sanitizeBody(request.body),
+                },
+            },
+            error: {
+                message: error.message,
+                stack: error.stack,
+                code: error.code,
+            },
+            user: this.extractUser(request.headers),
+        };
+        this.logger.error(`HTTP ${request.method} ${request.url} ${(error === null || error === void 0 ? void 0 : error.status) || 500} (${duration}ms) - ${error.message}`, logData);
+    }
+    /**
+     * 清理敏感的 header 信息
+     */
+    sanitizeHeaders(headers) {
+        if (!headers)
+            return {};
+        const sanitized = Object.assign({}, headers);
+        const sensitiveKeys = ['authorization', 'apikey', 'x-api-key', 'token', 'cookie'];
+        for (const key of Object.keys(sanitized)) {
+            if (sensitiveKeys.includes(key.toLowerCase())) {
+                sanitized[key] = '[REDACTED]';
+            }
+        }
+        return sanitized;
+    }
+    /**
+     * 清理敏感的 body 信息
+     */
+    sanitizeBody(body) {
+        if (!body)
+            return body;
+        // 如果 body 太大，只记录部分信息
+        const bodyStr = JSON.stringify(body);
+        if (bodyStr.length > 1000) {
+            return { _large: `${bodyStr.length} bytes` };
+        }
+        return body;
+    }
+    /**
+     * 从 headers 提取用户信息
+     */
+    extractUser(headers) {
+        const userHeader = headers['user'] || headers['x-user'];
+        if (userHeader) {
+            try {
+                return typeof userHeader === 'string'
+                    ? JSON.parse(userHeader)
+                    : userHeader;
+            }
+            catch (_a) {
+                return userHeader;
+            }
+        }
+        return null;
+    }
+};
+exports.HttpLoggingInterceptor = HttpLoggingInterceptor;
+exports.HttpLoggingInterceptor = HttpLoggingInterceptor = HttpLoggingInterceptor_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [api_config_service_1.ApiConfigService])
+], HttpLoggingInterceptor);

package/interceptors/index.d.ts

@@ -1,2 +1,3 @@
 export * from './language-interceptor.service';
 export * from './translation-interceptor.service';
+export * from './http-logging-interceptor.service';

package/interceptors/index.js

@@ -16,3 +16,4 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./language-interceptor.service"), exports);
 __exportStar(require("./translation-interceptor.service"), exports);
+__exportStar(require("./http-logging-interceptor.service"), exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nest-omni/core",
-  "version": "4.1.3-25",
+  "version": "4.1.3-27",
   "description": "A comprehensive NestJS framework for building enterprise-grade applications with best practices",
   "main": "index.js",
   "types": "index.d.ts",

package/setup/bootstrap.setup.js

@@ -166,7 +166,7 @@ function bootstrapSetup(AppModule, SetupSwagger) {
         const reflector = app.get(core_1.Reflector);
         app.useGlobalFilters(new setup_1.SentryGlobalFilter(), new __1.HttpExceptionFilter(), new __1.QueryFailedFilter(reflector));
         // 全局拦截器
-        app.useGlobalInterceptors(new __1.LanguageInterceptor(), new __1.TranslationInterceptor(), new nestjs_pino_1.LoggerErrorInterceptor());
+        app.useGlobalInterceptors(new __1.HttpLoggingInterceptor(configService), new __1.LanguageInterceptor(), new __1.TranslationInterceptor());
         // 全局管道
         app.useGlobalPipes(new nestjs_i18n_1.I18nValidationPipe({
             whitelist: true,

package/shared/services/api-config.service.js

@@ -214,25 +214,10 @@ let ApiConfigService = ApiConfigService_1 = class ApiConfigService {
                 genReqId: (req) => req.id,
                 transport,
                 level: this.isDev ? 'debug' : 'info',
-                customLogLevel: function (res) {
-                    if (res.statusCode >= 500)
-                        return 'error';
-                    if (res.statusCode >= 400)
-                        return 'warn';
-                    return 'info';
-                },
-                wrapSerializers: true,
-                customProps: (req, res) => {
-                    return {
-                        env: this.nodeEnv,
-                        appName: this.getString('NAME'),
-                        user: req === null || req === void 0 ? void 0 : req.user,
-                        'req.body': req === null || req === void 0 ? void 0 : req.body,
-                        'res.body': res === null || res === void 0 ? void 0 : res.body,
-                    };
-                },
+                // 禁用 pinoHttp 的自动日志，由 HttpLoggingInterceptor 处理
+                autoLogging: false,
                 redact: {
-                    paths: ['req.headers.authorization', 'req.headers.apikey'],
+                    paths: ['req.headers.authorization', 'req.headers.apikey', 'req.headers.cookie'],
                     remove: true,
                 },
             },

package/vault/vault-config.service.js

@@ -172,7 +172,7 @@ let VaultConfigService = VaultConfigService_1 = class VaultConfigService {
             }
             try {
                 const health = yield this.vaultClient.health();
-                return health && !health.sealed;
+                return !!(health && !health.sealed);
             }
             catch (error) {
                 this.logger.error('Vault health check failed', error.message);