@netacea/cloudfront 5.2.54 → 6.0.1

package/dist/index.d.ts

@@ -0,0 +1,508 @@
+import { CloudFrontRequestEvent, CloudFrontResultResponse, CloudFrontRequest, CloudFrontResponseEvent, CloudFrontResponse } from 'aws-lambda';
+
+type KinesisMakeRequest = (args: {
+    headers: Record<string, string>;
+    method: 'POST' | 'GET';
+    host: string;
+    path: string;
+    body?: any;
+}) => Promise<any>;
+interface KinesisIngestWebLog {
+    apiKey: string;
+}
+interface KinesisIngestConfigArgs {
+    kinesisStreamName: string;
+    kinesisAccessKey?: string;
+    kinesisSecretKey?: string;
+    logBatchSize?: number;
+    maxLogAgeSeconds?: number;
+}
+interface KinesisIngestArgs extends KinesisIngestConfigArgs {
+    apiKey: string;
+}
+declare class KinesisIngest {
+    protected readonly kinesisStreamName: string;
+    protected readonly kinesisAccessKey?: string;
+    protected readonly kinesisSecretKey?: string;
+    protected readonly logBatchSize: number;
+    protected readonly maxLogAgeSeconds: number;
+    protected logCache: KinesisIngestWebLog[];
+    private intervalSet;
+    constructor({ kinesisStreamName, kinesisAccessKey, kinesisSecretKey, maxLogAgeSeconds, logBatchSize }: KinesisIngestArgs);
+    putToKinesis<MakeRequest extends KinesisMakeRequest>(makeRequest: MakeRequest): Promise<void>;
+    ingest<LogFormat extends KinesisIngestWebLog, MakeRequest extends KinesisMakeRequest>(log: LogFormat, makeRequest: MakeRequest): Promise<any>;
+}
+
+declare enum NetaceaIngestType {
+    /**
+     * ORIGIN Ingest mode; data to be ingested is set by headers, so it can be forwarded via a seperate mechanism
+     */
+    ORIGIN = "ORIGIN",
+    /**
+     * HTTP Ingest mode, this is the standard implementation
+     */
+    HTTP = "HTTP",
+    /**
+     * Ingest over Kinesis, Netacea will inform you if this is required
+     * and will provide you with kinesis credentials.
+     */
+    KINESIS = "KINESIS",
+    /**
+     * Data to be Ingest via some mechanism native to the host/CDN, e.g. log shipping.
+     */
+    NATIVE = "NATIVE"
+}
+declare enum NetaceaLogVersion {
+    /**
+     * Current style log version
+     */
+    V1 = "V1",
+    /**
+     * V2 Log format, should only be used if Netacea instructs
+     */
+    V2 = "V2"
+}
+declare enum NetaceaMitigationType {
+    /**
+     * Run Netacea with mitigation mode enabled.
+     * This will serve Captcha pages and Forbidden pages when instructed to do so
+     */
+    MITIGATE = "MITIGATE",
+    /**
+     * Run Netacea with Inject mode enabled.
+     * The end-user will only receive a cookie.
+     * The origin server will receive 3-4 headers,
+     *
+     * 'x-netacea-match' indicating what was matched (nothing(0), ua(1), ip(2), etc...)
+     *
+     * 'x-netacea-mitigate' indicating what action would've be taken (nothing (0), block(1), allow(2), etc...)
+     *
+     * 'x-netacea-captcha' indicating what captcha action would've been taken
+     *
+     * 'x-netacea-event-id' event id value that should be injected to the captcha
+     * page if using `@netacea/captchafeedback` module on the origin server
+     */
+    INJECT = "INJECT",
+    /**
+     * Run Netacea with Ingest only mode
+     * No cookies will be set for the end user.
+     * No mitigations will be applied.
+     *
+     * **It's recommended to start in this mode!**
+     */
+    INGEST = "INGEST"
+}
+
+interface MakeRequestArgs {
+    /**
+     * Hostname of the request. For example https://mitigations.netacea.net
+     */
+    host: string;
+    /**
+     * Path for the request, i.e captcha requests will be `/AtaVerifyCaptcha`
+     */
+    path: string;
+    /**
+     * Key value collection of the request headers
+     */
+    headers: Record<string, string>;
+    /**
+     * HTTP Method
+     */
+    method: 'GET' | 'POST' | 'PUT' | 'DELETE';
+    /**
+     * Request body value
+     */
+    body?: string;
+    /**
+     * Request timeout value in ms
+     */
+    timeout?: number;
+}
+interface NetaceaBaseArgs {
+    /**
+     * Netacea APIKey
+     */
+    apiKey: string;
+    /**
+     * Netacea Secret Key
+     */
+    secretKey: string;
+    /**
+     * Google RECaptcha Site Key.
+     * This is used for providing your own captcha values without updating these in the Netacea console.
+     */
+    captchaSiteKey?: string;
+    /**
+     * Google RECaptcha Secret Key.
+     * This is used for providing your own captcha values without updating these in the Netacea console.
+     */
+    captchaSecretKey?: string;
+    /**
+     * Request timeout in ms
+     */
+    timeout?: number;
+    /**
+     * URL of the Netacea ingest service.
+     * DEFAULT: https://ingest.netacea.net
+     */
+    ingestServiceUrl?: string;
+    /**
+     * URL of the Netacea mitigation service.
+     * DEFAULT: https://mitigations.netacea.net
+     */
+    mitigationServiceUrl?: string;
+    /**
+     * Type of mitigation applied, see the `NetaceaMitigationType` ENUM
+     *  - INGEST - Ingest only mode, no mitigations applied
+     *  - MITIGATION - Mitigation mode, active blocking/captcha rules will be applied.
+     *  - INJECT - Inject mode, headers will be sent to your origin server
+     *             indicating what actions Netacea would have taken.
+     * DEFAULT: NetaceaMitigationType.INGEST
+     */
+    mitigationType?: NetaceaMitigationType;
+    /**
+     * Type of ingest, see the `NetaceaIngestType` ENUM
+     *  - HTTP - Ingest via HTTP.
+     *  - KINESIS - Ingest via KINESIS
+     * DEFAULT: NetaceaIngestType.HTTP
+    */
+    ingestType?: NetaceaIngestType;
+    /**
+     * Kinesis ingest definition, see the `KinesisIngestConfigArgs` type.
+     * Only to be provided if ingestType is set to KINESIS.
+     * Netacea will provide you with the details for this stream.
+    */
+    kinesis?: KinesisIngestConfigArgs;
+    /**
+     * Version of ingest, see the `NetaceaLogVersion` ENUM
+     *  - V1 - Standard ingest.
+     *  - V2 - New BETA ingest.
+     * Use NetaceaLogVersion.V1 unless instructed otherwise.
+     * DEFAULT: NetaceaLogVersion.V1
+    */
+    logVersion?: NetaceaLogVersion;
+    /**
+     * Deprecated: alias for netaceaCookieExpirySeconds.
+     * If both are set, netaceaCookieExpirySeconds is prefered.
+     * Seconds for the netacea cookie to be revalidated after.
+     */
+    mitataCookieExpirySeconds?: number;
+    /**
+     * Seconds for the netacea cookie to be revalidated after.
+     */
+    netaceaCookieExpirySeconds?: number;
+    /**
+     * The name of the netacea cookie. Defaults to _mitata.
+     */
+    netaceaCookieName?: string;
+    /**
+     * The name of the netacea captcha cookie. Defaults to _mitatacaptcha.
+     */
+    netaceaCaptchaCookieName?: string;
+}
+interface InjectHeaders {
+    'x-netacea-match': string;
+    'x-netacea-mitigate': string;
+    'x-netacea-captcha': string;
+    'x-netacea-event-id'?: string;
+}
+interface ComposeResultResponse {
+    /**
+     * Body value of the response, should be in text format
+     */
+    body?: string;
+    /**
+     * Response status code
+     */
+    apiCallStatus: number;
+    /**
+     * setCookie values
+     */
+    setCookie: string[];
+    /**
+     * Netacea session status string for ingest
+     */
+    sessionStatus: string;
+    /**
+     * Netacea mitigation string
+     */
+    mitigation: string;
+    /**
+     * Indicates if response should be mitigated or not
+     */
+    mitigated: boolean;
+    /**
+     * Headers to ingest to origin server
+     */
+    injectHeaders?: InjectHeaders;
+}
+interface IngestArgs {
+    /**
+     * Client IP Address
+     */
+    ip: string;
+    /**
+     * Client User-Agent header value
+     */
+    userAgent: string;
+    /**
+     * Response status code
+     * Should be 403 if Netacea mitigated
+     */
+    status: string;
+    /**
+     * Request method
+     */
+    method: string;
+    /**
+     * Request path
+     */
+    path: string;
+    /**
+     * Request protocol
+     */
+    protocol: string | null;
+    /**
+     * Request referer header value
+     */
+    referer: string;
+    /**
+     * Request content-length header, or body size
+     */
+    bytesSent: string | number;
+    /**
+     * Time taken to serve request
+     */
+    requestTime: string | number;
+    /**
+     * Netacea mitata cookie value.
+     * Should be request's cookie value if Netacea was not called.
+     */
+    mitataCookie?: string;
+    /**
+     * Session status from `ComposeResultResponse`
+     */
+    sessionStatus?: string;
+    /**
+     * Type of the integration, for example "Cloudflare" or "Cloudfront"
+     */
+    integrationType?: string;
+    /**
+     * SEMVER string indicating the version of the integration
+     * Example: 1.2.3
+     */
+    integrationVersion?: string;
+    /**
+     * IP values set by a CDN under "x-fowarded-for" header
+     */
+    xForwardedFor?: string;
+    headerFingerprint?: string;
+    cookieFingerprint?: string;
+}
+interface WebLog {
+    Request: string;
+    TimeLocal: string;
+    RealIp: string;
+    UserAgent: string;
+    Status: string;
+    RequestTime: string;
+    BytesSent: string;
+    Referer: string;
+    NetaceaUserIdCookie: string;
+    NetaceaMitigationApplied: string;
+    IntegrationType?: string;
+    IntegrationVersion?: string;
+    XForwardedFor?: string;
+    optional?: Record<string, unknown>;
+}
+interface V2WebLog {
+    '@timestamp': string;
+    bc_type?: string;
+    bytes_sent: number;
+    client: string;
+    domain_name?: string;
+    domain_name_orig?: string;
+    hour: number;
+    integration_type?: string;
+    integration_version?: string;
+    method: string;
+    minute: number;
+    path: string;
+    protocol: string | null;
+    query?: string;
+    referrer?: string;
+    request: string;
+    request_time: number;
+    status: string;
+    user_agent: string;
+    user_id?: string;
+    x_forwarded_for?: string;
+    optional?: Record<string, unknown>;
+}
+interface NetaceaResponseBase {
+    /**
+     * Cookies that should be set back to the user.
+     */
+    setCookie?: string[];
+    /**
+     * Netacea session status string
+     */
+    sessionStatus: string;
+}
+interface MitigateResponse<T = any> extends NetaceaResponseBase {
+    /**
+     * Response value, using Response generic
+     */
+    response?: T;
+}
+interface InjectResponse<T = any> extends MitigateResponse<T> {
+    /**
+     * Headers to be sent to the origin server
+     * X-Netacea-Match
+     * X-Netacea-Mitigate
+     * X-Netacea-Captcha
+     * X-Netacea-Event-ID (Only sent when CAPTCHA is served)
+     */
+    injectHeaders: InjectHeaders | undefined;
+    /**
+     * Response value, using Response generic
+     */
+    response?: T | undefined;
+}
+type NetaceaMitigationResponse<T> = MitigateResponse<T> | InjectResponse<T> | undefined;
+interface FindBestMitigationResponse {
+    sessionStatus: string;
+    mitigation: string;
+    parts: NetaceaParts;
+}
+interface NetaceaParts {
+    match: number;
+    mitigate: number;
+    captcha: number;
+}
+interface APICallResponse {
+    status: number;
+    body?: string;
+}
+interface ProcessMitigateRequestArgs {
+    url: string;
+    method: string;
+    mitata: string | undefined;
+    mitataCaptcha: string | undefined;
+    clientIp: string;
+    userAgent: string;
+    getBodyFn: () => Promise<string>;
+}
+
+interface CloudfrontConstructorArgs extends NetaceaBaseArgs, KinesisIngestArgs {
+    ingestEnabled?: boolean;
+    cookieEncryptionKey?: string;
+    netaceaCaptchaPath?: string;
+    captchaHeader?: CustomHeader;
+    dynamicCaptchaContentType?: boolean;
+    netaceaCookieAttributes?: string;
+    netaceaCaptchaCookieAttributes?: string;
+    /**
+     * The name of the header from which to retrieve the client's IP address.
+     */
+    ipHeaderName?: string;
+}
+interface CustomHeader {
+    name: string;
+    value: string;
+}
+
+interface MakeRequestResponse {
+    status: number;
+    headers: Record<string, string | string[]>;
+    body?: any;
+}
+declare class Cloudfront {
+    static NetaceaCookieHeader: string;
+    static NetaceaTrueUserAgentHeader: string;
+    private readonly cookieEncryptionKey;
+    ingestEnabled: boolean;
+    private readonly netaceaCaptchaPath?;
+    private readonly captchaHeader?;
+    private readonly dynamicCaptchaContentType;
+    private readonly ipHeaderName?;
+    protected mitataCookieExpirySeconds: number;
+    protected apiKey: string;
+    protected secretKey?: string;
+    protected mitigationServiceUrl: string;
+    protected ingestServiceUrl: string;
+    protected readonly timeout: number;
+    protected readonly captchaSiteKey?: string;
+    protected readonly captchaSecretKey?: string;
+    protected readonly ingestType: NetaceaIngestType;
+    protected readonly logVersion: NetaceaLogVersion;
+    protected readonly kinesis?: KinesisIngest;
+    protected readonly mitigationType: NetaceaMitigationType;
+    protected readonly encryptedCookies: string[];
+    protected readonly netaceaCookieName: string;
+    protected readonly netaceaCaptchaCookieName: string;
+    protected readonly netaceaCookieAttributes: string;
+    protected readonly netaceaCaptchaCookieAttributes: string;
+    constructor(options: CloudfrontConstructorArgs);
+    run(cloudfrontEvent: CloudFrontRequestEvent): Promise<{
+        respondWith?: CloudFrontResultResponse;
+    }>;
+    protected makeRequest({ host, path, method, body, headers, timeout }: MakeRequestArgs): Promise<MakeRequestResponse>;
+    protected mitigate(cfRequest: CloudFrontRequest): Promise<MitigateResponse<CloudFrontResultResponse>>;
+    protected inject(request: CloudFrontRequest): Promise<InjectResponse>;
+    ingest(requestOrEvent: CloudFrontRequestEvent | CloudFrontResponseEvent | CloudFrontRequest, response?: CloudFrontResultResponse | CloudFrontResponse | undefined): Promise<any>;
+    addNetaceaCookiesToResponse(cloudfrontEvent: CloudFrontResponseEvent): void;
+    private setInjectHeaders;
+    private getValueFromHeaderOrDefault;
+    private getMitataValueFromHeaderOrDefault;
+    private getRequestResponseFromEvent;
+    private getMitigationResponse;
+    private addNetaceaCookiesToRequest;
+    getCookieHeader(request: CloudFrontRequest): string | null;
+    protected encryptCookieValue(cookieValue: string): Promise<string>;
+    protected decryptCookieValue(encryptedCookieValue: string): Promise<string>;
+    /**
+     * START -- NETACEA BASE METHODS
+     */
+    runMitigation(request: CloudFrontRequest): Promise<NetaceaMitigationResponse<CloudFrontResultResponse>>;
+    /**
+     * Returns the value of the cookie with the given name from a string or list of cookies.
+     * If the cookie name is included in the encryptedCookies class property,
+     * then the cookie value will be decrypted automatically.
+     * The method may operate of either the HTTP Cookie or Set-Cookie headers.
+     * @param cookieName the name of the cookie to find.
+     * @param cookies the full list of cookies, either as a string or an array of strings.
+     * @returns the value of the cookie, if found.
+     */
+    protected readCookie(cookieName: string, cookies: string | string[] | null | undefined): Promise<string | undefined>;
+    protected processMitigateRequest(args: ProcessMitigateRequestArgs & {
+        accept: string;
+        host: string;
+    }): Promise<ComposeResultResponse>;
+    protected isUrlCaptchaPost(url: string, method: string): boolean;
+    protected isUrlCaptchaGet(url: string, method: string): boolean;
+    protected shouldSetCaptchaPass(request: CloudFrontRequest, response: CloudFrontResponse | CloudFrontResultResponse): boolean;
+    private processCaptcha;
+    private makeCaptchaAPICall;
+    private getApiCallResponseFromResponse;
+    protected APIError(response: APICallResponse): Error;
+    protected createMitata(clientIP: string, userId: string | undefined, match: number, mitigate: number, captcha: number, maxAge?: number, expiry?: number | undefined): Promise<string>;
+    protected createMitataCaptcha(headers: Record<string, string | string[]>): Promise<string | undefined>;
+    private buildCookieFromValues;
+    protected callIngest(args: IngestArgs): Promise<void>;
+    protected constructWebLog(args: IngestArgs): WebLog | V2WebLog;
+    private constructV2WebLog;
+    private constructV1WebLog;
+    private makeIngestApiCall;
+    protected processIngest(request: CloudFrontRequest): Promise<NetaceaResponseBase>;
+    protected setIngestOnlyMitataCookie(userId: string | undefined): Promise<NetaceaResponseBase>;
+    protected findBestMitigation(match: number, mitigate: number, captcha: number, isCaptchaPost: boolean): FindBestMitigationResponse;
+    private adjustCaptchaCode;
+    protected check(netaceaCookie: string | undefined, clientIP: string, userAgent: string, accept: string, host: string, captchaCookie?: string): Promise<ComposeResultResponse>;
+    private makeMitigateAPICall;
+    private buildCookieHeader;
+    private composeResult;
+}
+
+export { Cloudfront, type CloudfrontConstructorArgs };

package/dist/index.js

@@ -0,0 +1,2 @@
+"use strict";var e=require("node:crypto"),t=require("node:buffer"),a=require("axios"),i=require("aws4");function s(e){var t=Object.create(null);return e&&Object.keys(e).forEach((function(a){if("default"!==a){var i=Object.getOwnPropertyDescriptor(e,a);Object.defineProperty(t,a,i.get?i:{enumerable:!0,get:function(){return e[a]}})}})),t.default=e,Object.freeze(t)}var o,r,n,c,h=s(require("jose"));!function(e){e.ORIGIN="ORIGIN",e.HTTP="HTTP",e.KINESIS="KINESIS",e.NATIVE="NATIVE"}(o||(o={})),function(e){e.V1="V1",e.V2="V2"}(r||(r={})),function(e){e.MITIGATE="MITIGATE",e.INJECT="INJECT",e.INGEST="INGEST"}(n||(n={})),function(e){e.CAPTCHA_GET="captcha_get",e.CAPTCHA_POST="captcha_post",e.EXPIRED_SESSION="expired_session",e.FORCED_REVALIDATION="forced_revalidation",e.INVALID_SESSION="invalid_session",e.IP_CHANGE="ip_change",e.NO_SESSION="no_session"}(c||(c={}));function u(e,t=0){return isNaN(e)?t:parseInt(e)}const d=3e3;const p="_/@#/",l={none:"",block:"block",captcha:"captcha",allow:"allow",captchaPass:"captchapass"},m={0:l.none,1:l.block,2:l.none,3:l.block,4:l.block},g={1:l.captcha,2:l.captchaPass,3:l.captcha,4:l.allow,5:l.captcha};var y=Object.freeze({__proto__:null,COOKIEDELIMITER:p,bestMitigationCaptchaMap:g,bestMitigationMap:m,captchaMap:{0:"",1:"captcha_serve",2:"captcha_pass",3:"captcha_fail",4:"captcha_cookiepass",5:"captcha_cookiefail"},captchaStatusCodes:{"":0,captchaServe:1,captchaPass:2,captchaFail:3,captchaCookiePass:4,captchaCookieFail:5},matchMap:{0:"",1:"ua_",2:"ip_",3:"visitor_",4:"datacenter_",5:"sev_",6:"organisation_",7:"asn_",8:"country_",9:"combination_"},mitigateMap:{0:"",1:"blocked",2:"allow",3:"hardblocked",4:"block"},mitigationTypes:l,netaceaCookieV3KeyMap:{clientIP:"cip",userId:"uid",gracePeriod:"grp",cookieId:"cid",match:"mat",mitigate:"mit",captcha:"cap",issueTimestamp:"ist",issueReason:"isr"},netaceaCookieV3OptionalKeyMap:{checkAllPostRequests:"fCAPR"},netaceaHeaders:{match:"x-netacea-match",mitigate:"x-netacea-mitigate",captcha:"x-netacea-captcha",mitata:"x-netacea-mitata-value",mitataExpiry:"x-netacea-mitata-expiry",mitataCaptcha:"x-netacea-mitatacaptcha-value",mitataCaptchaExpiry:"x-netacea-mitatacaptcha-expiry",eventId:"x-netacea-event-id"},netaceaSettingsMap:{checkAllPostRequests:"checkAllPostRequests"}});const k="ignored",C="1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ".split(""),f=/^(.*)_\/@#\/(.*)_\/@#\/(.*)_\/@#\/(.*)_\/@#\/((\d)(\d)(\d))$/;function v(e){if(void 0===e)return;const t=e.match(f);if(null!=t){const[,e,a,i,s,o,r,n,c]=t;return{signature:e,expiry:a,userId:i,ipHash:s,mitigationType:o,match:parseInt(r),mitigate:parseInt(n),captcha:parseInt(c)}}}function S(t,a,i,s,o="000"){void 0===a&&(a=function(t=16,a=C){const i=e.randomBytes(t-1);return`c${Array.from(i).map((e=>a[e%a.length])).join("")}`}());const r=[i,a,N(t+"|"+String(i),s),o].join(p);return`${N(r,s)}${p}${r}`}function N(a,i){const s=e.createHmac("sha256",i);return s.update(a),t.Buffer.from(s.digest("hex")).toString("base64")}function I(e,t,a){const i={mitata:void 0,requiresReissue:!1,isExpired:!1,shouldExpire:!1,isSameIP:!1,isPrimaryHashValid:!1,captcha:0,match:0,mitigate:0};if("string"!=typeof e||""===e)return i;const s=v(e);if(void 0!==s){const e=[s.expiry,s.userId,s.ipHash,s.mitigationType].join(p),i=Math.floor(Date.now()/1e3),o=parseInt(s.expiry)<i,r=[1,3,5].includes(s.captcha),n=3===s.mitigate,c=r||n,h=N(t+"|"+s.expiry,a),u=s.ipHash===h;return{mitata:s,requiresReissue:o||!u,isExpired:o,shouldExpire:c,isSameIP:u,isPrimaryHashValid:s.signature===N(e,a),match:s.match,mitigate:s.mitigate,captcha:s.captcha}}return i}function A(e,t){const a=e.split(";").map((e=>e.trim())).filter((e=>e.toLowerCase().startsWith(t.toLowerCase())))[0];return void 0!==a&&a.length>0?a?.replace(`${t}=`,""):void 0}function b(e,t=!1){return"string"!=typeof e&&(e=e.join("; ")),""===e?"":w(e.split(";"),t).join("; ")}function w(e,t=!1){if(t)return w(e.reverse()).reverse();const a=new Set,i=[];for(let t of e){if(t=t.trimStart(),""===t.trim())continue;const e=t.split("=")[0].toUpperCase();a.has(e)||(a.add(e),i.push(t))}return i}var E=Object.freeze({__proto__:null,configureCookiesDomain:function(e,t){let a=e=b(e??"",!0),i=t=b(t??"",!0);if(void 0!==e&&void 0!==t){const s=A(e,"Domain"),o=A(t,"Domain");void 0!==s&&void 0!==o?i=t.replace(o,s):void 0!==s&&void 0===o?i=t+(""!==t?`; Domain=${s}`:`Domain=${s}`):void 0===s&&void 0!==o&&(a=e+(""!==e?`; Domain=${o}`:`Domain=${o}`))}else if(void 0!==e&&void 0===t){const t=A(e,"Domain");void 0!==t&&(i=`Domain=${t}`)}else if(void 0===e&&void 0!==t){const e=A(t,"Domain");void 0!==e&&(a=`Domain=${e}`)}return{cookieAttributes:""!==a?a:void 0,captchaCookieAttributes:""!==i?i:void 0}},extractAndRemoveCookieAttr:function(e,t){const a=A(e,t);if(void 0!==a){return{extractedAttribute:a,cookieAttributes:e.replace(/ /g,"").replace(`${t}=${a}`,"").split(";").filter((e=>e.length>0)).join("; ")}}return{extractedAttribute:void 0,cookieAttributes:e}},extractCookieAttr:A,removeDuplicateAttrs:b});function T(e){const t=b([e.otherAttributes??"",`Max-Age=${e.maxAgeAttribute??86400}`,"Path=/"].join("; "));return`${e.cookieName}=${e.cookieValue}; ${t}`}var K=Object.freeze({__proto__:null,createNetaceaCaptchaSetCookieString:function(e){return T({...e,cookieName:e.cookieName??"_mitatacaptcha"})},createNetaceaSetCookieString:function(e){return T({...e,cookieName:e.cookieName??"_mitata"})},createSetCookieString:T});var x=Object.freeze({__proto__:null,parseSetCookie:function(e){const t=e.indexOf("=");if(t<0)throw new Error("Could not parse the given set-cookie value.");const a=e.slice(0,t),i=e.slice(t+1),s=i.indexOf(";");return{name:a,value:i.slice(0,s),attributes:i.slice(s).trimStart()}}});const R={cookie:{parse:x,attributes:E,netaceaSession:K}};var P={},_={},O={},H={};Object.defineProperty(H,"__esModule",{value:!0}),H.API_VERSION=H.REGION=H.PAYLOAD_TYPE=H.STATE=void 0,H.STATE={ACTIVE:"ACTIVE",UPDATING:"UPDATING",CREATING:"CREATING",DELETING:"DELETING"},H.PAYLOAD_TYPE="string",H.REGION="eu-west-1",H.API_VERSION="2013-12-02",Object.defineProperty(O,"__esModule",{value:!0}),O.signRequest=void 0;const M=i,q=H;function V(e,t){const a=[];for(let i=0;i<e.length;i+=t){const s=e.slice(i,i+t);a.push({Data:Buffer.from(JSON.stringify(s)).toString("base64"),PartitionKey:Date.now().toString()})}return a}O.signRequest=function(e,t,a){const{accessKeyId:i,secretAccessKey:s}=e,o={Records:V(t,a),PartitionKey:Date.now().toString(),StreamName:e.streamName};return M.sign({service:"kinesis",body:JSON.stringify(o),headers:{"Content-Type":"application/x-amz-json-1.1","X-Amz-Target":"Kinesis_20131202.PutRecords"},region:q.REGION},{accessKeyId:i,secretAccessKey:s})},Object.defineProperty(_,"__esModule",{value:!0});const D=O;_.default=class{constructor({kinesisStreamName:e,kinesisAccessKey:t,kinesisSecretKey:a,maxLogAgeSeconds:i,logBatchSize:s}){this.logBatchSize=20,this.maxLogAgeSeconds=10,this.logCache=[],this.intervalSet=!1,this.kinesisStreamName=e,this.kinesisAccessKey=t,this.kinesisSecretKey=a,void 0!==i&&i<this.maxLogAgeSeconds&&i>0&&(this.maxLogAgeSeconds=i),void 0!==s&&(this.logBatchSize=s)}async putToKinesis(e){if(0===this.logCache.length)return;const t=[...this.logCache];this.logCache=[];try{const a=(0,D.signRequest)({streamName:this.kinesisStreamName,accessKeyId:this.kinesisAccessKey,secretAccessKey:this.kinesisSecretKey},t,this.logBatchSize);await e({headers:a.headers,host:`https://${a.hostname}`,method:a.method,path:a.path,body:a.body})}catch(e){this.logCache.push(...t),console.error(e)}}async ingest(e,t){this.logCache.push(e),this.intervalSet||(this.intervalSet=!0,await async function(e){await new Promise((t=>{setTimeout(t,e)}))}(1e3*this.maxLogAgeSeconds),await this.putToKinesis(t),this.intervalSet=!1),this.logCache.length>=this.logBatchSize&&await this.putToKinesis(t)}},Object.defineProperty(P,"__esModule",{value:!0});const F=_;var $=P.default=F.default;async function j(e,t){const a=h.base64url.decode(t),{plaintext:i}=await h.compactDecrypt(e,a,{keyManagementAlgorithms:["dir"],contentEncryptionAlgorithms:["A256GCM"]});return(new TextDecoder).decode(i)}function U(e,t){const{clientIp:a}=e;if(void 0===t||""===t)return a;const i=e.headers[t]?.[0]?.value;return void 0===i||""===i?a:"x-forwarded-for"===t?i.split(/, ?/).pop()??a:i}async function L(e,t,a){const i=t.cookie?.[0].value.split(";"),s=i?.find((t=>t.includes(`${e}=`)))?.trimStart()?.replace(`${e}=`,"");if(void 0!==s){if(void 0!==a)try{return await j(s,a)}catch(e){return}return s}}function G(e){const t={"set-cookie":[]};for(const a of e)t["set-cookie"]?.push({key:"set-cookie",value:a});return t}function B(e,t){const a=e[t];return"string"==typeof a?a:a?.[0]}function X(e,t){const a=B(e,t);if(void 0!==a)return parseInt(a)}function J(e,t,a){"/"!==t[0]&&(t=`/${t}`);const i=t.split("?"),s=i[0],o=i.length>1?`?${i[1]}`:void 0;return{path:s,query:o,request:`${e} ${s}${o??""}${""!==(a??"")?` ${a}`:""}`}}const{extractCookieAttr:z,extractAndRemoveCookieAttr:W,removeDuplicateAttrs:Y}=R.cookie.attributes,Z=R.cookie.parse.parseSetCookie,{configureCookiesDomain:Q}=R.cookie.attributes,{matchMap:ee,mitigationTypes:te,mitigateMap:ae,bestMitigationMap:ie,bestMitigationCaptchaMap:se,captchaMap:oe,netaceaHeaders:re}=y;class ne{static NetaceaCookieHeader="x-netacea-cloudfront-mitata-cookie";static NetaceaTrueUserAgentHeader="x-netacea-true-useragent-header";cookieEncryptionKey;ingestEnabled=!0;netaceaCaptchaPath;captchaHeader;dynamicCaptchaContentType;ipHeaderName;mitataCookieExpirySeconds;apiKey;secretKey;mitigationServiceUrl;ingestServiceUrl;timeout;captchaSiteKey;captchaSecretKey;ingestType;logVersion;kinesis;mitigationType;encryptedCookies=[];netaceaCookieName;netaceaCaptchaCookieName;netaceaCookieAttributes;netaceaCaptchaCookieAttributes;constructor(e){if(e.ingestType=o.KINESIS,void 0===e.kinesis&&(console.warn(['NETACEA :: Please move kinesis params to "kinesis" object in config.',"Backwards compatibility will soon be removed."].join(" ")),e.kinesis={kinesisStreamName:e.kinesisStreamName,kinesisAccessKey:e.kinesisAccessKey,kinesisSecretKey:e.kinesisSecretKey,maxLogAgeSeconds:1}),null===e.apiKey||void 0===e.apiKey)throw new Error("apiKey is a required parameter");var t;this.apiKey=e.apiKey,this.secretKey=e.secretKey,this.mitigationServiceUrl=e.mitigationServiceUrl??"https://mitigations.netacea.net",this.ingestServiceUrl=e.ingestServiceUrl??"https://ingest.netacea.net",this.mitigationType=e.mitigationType??n.INGEST,this.ingestType=e.ingestType??o.HTTP,this.logVersion=e.logVersion??r.V1,this.ingestType===o.KINESIS&&(void 0===e.kinesis?console.warn(`NETACEA WARN: no kinesis args provided, when ingestType is ${this.ingestType}`):this.kinesis=new $({...e.kinesis,apiKey:this.apiKey})),void 0===e.captchaSiteKey&&void 0===e.captchaSecretKey||(this.captchaSiteKey=e.captchaSiteKey,this.captchaSecretKey=e.captchaSecretKey),this.timeout=(t=e.timeout??3e3)<=0?d:t,this.netaceaCookieName=e.netaceaCookieName??"_mitata",this.netaceaCaptchaCookieName=e.netaceaCaptchaCookieName??"_mitatacaptcha",this.netaceaCaptchaPath=e.netaceaCaptchaPath,this.dynamicCaptchaContentType=e.dynamicCaptchaContentType??!1;const a=Q(e.netaceaCookieAttributes??"",e.netaceaCaptchaCookieAttributes??"");var i,s;this.netaceaCookieAttributes=a.cookieAttributes??"",this.netaceaCaptchaCookieAttributes=a.captchaCookieAttributes??"",this.captchaHeader=e.captchaHeader,this.ipHeaderName=e.ipHeaderName?.toLowerCase()?.trim(),this.encryptedCookies=[this.netaceaCookieName,this.netaceaCaptchaCookieName],this.mitataCookieExpirySeconds=(i=this.mitigationType,void 0===(s=e.netaceaCookieExpirySeconds??e.mitataCookieExpirySeconds)?i===n.INGEST?3600:60:s),this.ingestEnabled=e.ingestEnabled??!0,this.cookieEncryptionKey=e.cookieEncryptionKey}async run(e){try{const{request:t}=this.getRequestResponseFromEvent(e),{uri:a,method:i}=t;if(this.isUrlCaptchaGet(a,i)){const a=await async function({request:e,secretKey:t,mitigationCallFn:a,composeResultFn:i,cookieEncryptionKey:s,netaceaCookieName:o,netaceaCaptchaCookieName:r,ipHeaderName:n}){const{querystring:c}=e,h=U(e,n),u=e.headers["user-agent"]?.[0].value??"",d=e.headers.accept?.[0].value??"text/html",p=e.headers.host?.[0].value??"";if(void 0===t)throw new Error("Secret key needs to be defined to make mitigation calls.");const l=c.split("&").find((e=>e.includes("trackingId=")))?.replace("trackingId=",""),{headers:m}=e,g=await L(o,m,s),y=await L(r,m,s),{userId:k}=v(g)??{},C=await async function({userId:e,clientIp:t,userAgent:a,trackingId:i,accept:s,host:o,captchaCookie:r,mitigationCallFn:n,composeResultFn:c}){const h={match:0,mitigate:0,captcha:1},u=await n({userId:e,clientIP:t,userAgent:a,captchaCookie:r,accept:s,host:o,isCaptchaGet:!0,defaultMitataCodes:h,trackingId:i});return c(u.body,u.setCookie,u.status,u.match,u.mitigate,u.captcha,!0)}({userId:k,clientIp:h,userAgent:u,captchaCookie:y,accept:d,host:p,trackingId:l,mitigationCallFn:a,composeResultFn:i});return{headers:G(C.setCookie),status:"403",body:C.body,statusDescription:"Forbidden"}}({request:t,secretKey:this.secretKey,mitigationCallFn:this.makeMitigateAPICall.bind(this),composeResultFn:this.composeResult.bind(this),cookieEncryptionKey:this.cookieEncryptionKey,netaceaCookieName:this.netaceaCookieName,netaceaCaptchaCookieName:this.netaceaCaptchaCookieName,ipHeaderName:this.ipHeaderName});return this.ingest(e,a),{respondWith:a}}const s=await this.runMitigation(t);return this.addNetaceaCookiesToRequest(t,s),t.headers[ne.NetaceaTrueUserAgentHeader]=[{key:ne.NetaceaTrueUserAgentHeader,value:this.getValueFromHeaderOrDefault(t.headers,"user-agent","-")}],{respondWith:s?.response}}catch(e){return console.error("Netacea FailOpen - ",e.message),{}}}async makeRequest({host:e,path:t,method:i,body:s,headers:o,timeout:r}){const n=`${e}${t}`,c=await a.request({url:n,data:s,headers:o,method:i,timeout:r,transformResponse:e=>e});return{headers:c.headers,status:c.status,body:c.data}}async mitigate(e){try{const{netaceaResult:a,request:i}=await this.getMitigationResponse(e);let s;if(a.mitigated){const e={"set-cookie":[]};for(const t of a.setCookie)e["set-cookie"]=e["set-cookie"]??[],e["set-cookie"].push({key:"set-cookie",value:t});"captcha"===a.mitigation&&void 0!==this.captchaHeader&&(e[this.captchaHeader.name]=[{key:this.captchaHeader.name,value:this.captchaHeader.value}]);s={headers:e,...this.isUrlCaptchaPost(i.uri,i.method)?{status:"200",statusDescription:"OK",body:""}:{status:"403",statusDescription:"Forbidden",body:"Forbidden"}};let o=0;if(void 0!==a.body&&a.body.length>0){o=a.body.length;const e=(t=a.body).includes("captchaRelativeURL")&&t.includes("captchaAbsoluteURL");s.status=e?"403":"200",s.statusDescription=e?"Forbidden":"OK",s.body=a.body,s.bodyEncoding="text"}const r={status:s.status,statusDescription:s.statusDescription??"",headers:{"content-length":[{key:"content-length",value:o.toString()}],"set-cookie":a.setCookie.map((e=>({key:"set-cookie",value:e})))}};this.ingest(i,r)}return this.addNetaceaCookiesToRequest(i,a),{response:s,sessionStatus:a.sessionStatus,setCookie:a.setCookie}}catch(e){return console.error("Netacea FailOpen Error: ",e),{sessionStatus:""}}var t}async inject(e){try{const{netaceaResult:t}=await this.getMitigationResponse(e);return{injectHeaders:t.injectHeaders,sessionStatus:t.sessionStatus,setCookie:t.setCookie}}catch(e){return console.error("Netacea FailOpen Error: ",e),{sessionStatus:"",injectHeaders:void 0,setCookie:void 0}}}async ingest(e,t=void 0){let a;if(Object.prototype.hasOwnProperty.call(e,"Records")){const i=this.getRequestResponseFromEvent(e);a=i.request,void 0===t&&(t=i.response)}else a=e;if(!this.ingestEnabled)return;if(null==t)throw new Error("Cloudfront response is required to ingest");const i=this.getMitataValueFromHeaderOrDefault(t.headers,"set-cookie"),s=""!==i?i:this.getMitataValueFromHeaderOrDefault(a.headers,"cookie");let o=await this.readCookie(this.netaceaCookieName,s)??"";if(void 0===o||""===o){const e=this.getMitataValueFromHeaderOrDefault(a.headers,"cookie");o=await this.readCookie(this.netaceaCookieName,e)??""}let r=0,n=0,c=0;const h=v(o);void 0!==h&&(r=h.match,n=h.mitigate,c=h.captcha);const u=this.shouldSetCaptchaPass(a,t),{sessionStatus:d}=this.findBestMitigation(r,n,c,u);await this.callIngest({bytesSent:this.getValueFromHeaderOrDefault(t.headers,"content-length","0"),ip:U(a,this.ipHeaderName),method:a.method,path:a.uri,protocol:null,referer:this.getValueFromHeaderOrDefault(a.headers,"referer"),requestTime:"0",status:t.status,userAgent:this.getValueFromHeaderOrDefault(a.headers,ne.NetaceaTrueUserAgentHeader,this.getValueFromHeaderOrDefault(a.headers,"user-agent")),mitataCookie:o,sessionStatus:d,integrationType:"@netacea/cloudfront".replace("@netacea/",""),integrationVersion:"6.0.1",xForwardedFor:this.getValueFromHeaderOrDefault(a.headers,"x-forwarded-for")})}addNetaceaCookiesToResponse(e){const{response:t,request:a}=this.getRequestResponseFromEvent(e);if(void 0===t)throw new Error("Response required to add cookies to response");const i=a.headers[ne.NetaceaCookieHeader];if(null!=i&&null!=t.headers){let e=!1;if(void 0===t.headers["set-cookie"]?t.headers["set-cookie"]=[]:e=void 0!==t.headers["set-cookie"].find((e=>e.value.includes(this.netaceaCookieName)||e.value.includes(this.netaceaCaptchaCookieName))),!e)for(const e of i)t.headers["set-cookie"].push({key:"set-cookie",value:e.value})}this.setInjectHeaders(e)}setInjectHeaders(e){const{response:t,request:a}=this.getRequestResponseFromEvent(e);if(null!=t?.headers){const e=a.headers["x-netacea-match"],i=a.headers["x-netacea-mitigate"],s=a.headers["x-netacea-captcha"],o=a.headers["x-netacea-event-id"];void 0!==e&&void 0!==i&&void 0!==s&&(t.headers["x-netacea-match"]=e,t.headers["x-netacea-mitigate"]=i,t.headers["x-netacea-captcha"]=this.shouldSetCaptchaPass(a,t)?[{key:"x-netacea-captcha",value:"2"}]:s),void 0!==o&&(t.headers["x-netacea-event-id"]=o)}}getValueFromHeaderOrDefault(e,t,a=""){if(void 0!==e?.[t]){const a=e[t];if(void 0!==a)return a[0].value}return a}getMitataValueFromHeaderOrDefault(e,t,a=""){if(void 0!==e?.[t]){const a=e[t];if(void 0!==a){const e=a.find((e=>e.value.includes(this.netaceaCookieName)));if(void 0!==e)return e.value}}return a}getRequestResponseFromEvent(e){return e.Records[0].cf}async getMitigationResponse(e){const t=this.getMitataValueFromHeaderOrDefault(e.headers,"cookie"),a=await this.readCookie(this.netaceaCookieName,t),i=await this.readCookie(this.netaceaCaptchaCookieName,t),s=U(e,this.ipHeaderName),o=this.getValueFromHeaderOrDefault(e.headers,"user-agent"),r=this.getValueFromHeaderOrDefault(e.headers,"accept","text/html"),n=this.getValueFromHeaderOrDefault(e.headers,"host");return{netaceaResult:await this.processMitigateRequest({getBodyFn:async()=>await Promise.resolve(Buffer.from(e.body?.data??"","base64").toString()),clientIp:s,method:e.method,url:e.uri,userAgent:o,accept:r,host:n,mitata:a,mitataCaptcha:i}),request:e}}addNetaceaCookiesToRequest(e,t){if(void 0===t)return e;if(e.headers[ne.NetaceaCookieHeader]=[],void 0!==t.setCookie)for(const a of t.setCookie){const t=e.headers[ne.NetaceaCookieHeader]??[];t.push({key:ne.NetaceaCookieHeader,value:a}),e.headers[ne.NetaceaCookieHeader]=t}if(this.mitigationType===n.INJECT)for(const[a,i]of Object.entries(t.injectHeaders??{}))e.headers[a]=[{key:a,value:i}];return e}getCookieHeader(e){return this.getMitataValueFromHeaderOrDefault(e.headers,"cookie")}async encryptCookieValue(e){return void 0!==this.cookieEncryptionKey?await async function(e,t){const a=h.base64url.decode(t),i=(new TextEncoder).encode(e);return await new h.CompactEncrypt(i).setProtectedHeader({alg:"dir",enc:"A256GCM"}).encrypt(a)}(e,this.cookieEncryptionKey):e}async decryptCookieValue(e){return void 0!==this.cookieEncryptionKey?await j(e,this.cookieEncryptionKey):e}async runMitigation(e){try{switch(this.mitigationType){case n.MITIGATE:return await this.mitigate(e);case n.INJECT:return await this.inject(e);case n.INGEST:return await this.processIngest(e);default:throw new Error(`Netacea Error: Mitigation type ${this.mitigationType} not recognised`)}}catch(e){return console.error("Netacea FAILOPEN Error:",e),{injectHeaders:{"x-netacea-captcha":"0","x-netacea-match":"0","x-netacea-mitigate":"0"},sessionStatus:""}}}async readCookie(e,t){if(null==t)return;if("string"==typeof t)return await this.readCookie(e,t.split(";"));const a=`${e}=`;for(const i of t){const t=i.split(";")[0].trimStart();if(t.startsWith(a)){const i=t.slice(a.length);if(this.encryptedCookies.includes(e))try{return await this.decryptCookieValue(i)}catch(e){return}return i}}}async processMitigateRequest(e){const t=this.isUrlCaptchaPost(e.url,e.method);return await(t?this.processCaptcha(e.mitata,e.clientIp,e.userAgent,await e.getBodyFn()):this.check(e.mitata,e.clientIp,e.userAgent,e.accept,e.host,e.mitataCaptcha))}isUrlCaptchaPost(e,t){return e.includes("/AtaVerifyCaptcha")&&"post"===t.toLowerCase()}isUrlCaptchaGet(e,t){return e.toLowerCase()===this.netaceaCaptchaPath?.toLowerCase()&&"get"===t.toLowerCase()}shouldSetCaptchaPass(e,t){if(this.isUrlCaptchaPost(e.uri,e.method))return!0;if(void 0===t)return!1;const a=null!=t.headers?t.headers["set-cookie"]:void 0,i=a?.find((e=>e.value.split("=")[0]===this.netaceaCaptchaCookieName)),s=void 0!==i;return this.mitigationType===n.INJECT&&s}async processCaptcha(e,t,a,i){const{status:s,match:o,mitigate:r,captcha:n,body:c,setCookie:h}=await this.makeCaptchaAPICall(e,t,a,i);return this.composeResult(c,h,s,o,r,n,!0)}async makeCaptchaAPICall(e,t,a,i){const s={"X-Netacea-API-Key":this.apiKey,"X-Netacea-Client-IP":t,"user-agent":a,"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8"},o=v(e);void 0!==o&&(s["X-Netacea-UserId"]=o.userId),void 0!==this.captchaSiteKey&&void 0!==this.captchaSecretKey&&(s["X-Netacea-Captcha-Site-Key"]=this.captchaSiteKey,s["X-Netacea-Captcha-Secret-Key"]=this.captchaSecretKey);const r=await this.makeRequest({host:this.mitigationServiceUrl,path:"/AtaVerifyCaptcha",headers:s,method:"POST",body:i,timeout:this.timeout});return await this.getApiCallResponseFromResponse(r,o?.userId,t)}async getApiCallResponseFromResponse(e,t,a,i){if(200!==e.status)throw this.APIError(e);let s=X(e.headers,re.match)??NaN,o=X(e.headers,re.mitigate)??NaN,r=X(e.headers,re.captcha)??NaN;isNaN(s)&&(s=i?.match??0),isNaN(o)&&(o=i?.mitigate??0),isNaN(r)&&(r=i?.captcha??0);let n=X(e.headers,re.mitataExpiry)??NaN;isNaN(n)&&(n=86400);const c=[await this.createMitata(a,t,s,o,r),await this.createMitataCaptcha(e.headers)].filter((e=>void 0!==e)),h=B(e.headers,re.eventId);return{status:e.status,match:s,mitigate:o,captcha:r,setCookie:c,body:e.body,eventId:h,mitataMaxAge:n}}APIError(e){let t="Unknown error";switch(e.status){case 403:t="Invalid credentials";break;case 500:t="Server error";break;case 502:t="Bad Gateway";break;case 503:t="Service Unavailable";break;case 400:t="Invalid request"}return new Error(`Error reaching Netacea API (${t}), status: ${e.status}`)}async createMitata(e,t,a,i,s,o=86400,r=void 0){const n=[1,3,5].includes(s)||3===i?-60:this.mitataCookieExpirySeconds,c=r??Math.floor(Date.now()/1e3)+n;if(void 0===this.secretKey)throw new Error("Cannot build cookie without secret key.");const h=[a,i,s].join(""),u=S(e,t,c,this.secretKey,h);let d,p,l=o;if(""!==this.netaceaCookieAttributes){const{extractedAttribute:e,cookieAttributes:t}=W(this.netaceaCookieAttributes,"Max-Age");l=void 0!==e?Number(e):o;const{extractedAttribute:a,cookieAttributes:i}=W(t,"Path");d=a??"/",p=i??void 0}return await this.buildCookieFromValues(this.netaceaCookieName,u,l,p,d)}async createMitataCaptcha(e){let t=e["set-cookie"]??[];t="string"==typeof t?[t]:t;const a=t.find((e=>e.startsWith("_mitatacaptcha=")));let i,s="86400";if(void 0!==a&&""!==a)try{const e=Z(a);i=e.value,s=z(e.attributes,"Max-Age")??"86400"}catch(e){return}if(""===i||void 0===i)return;const o=Y([this.netaceaCaptchaCookieAttributes,"Path=/",`Max-Age=${s}`]);return i=this.encryptedCookies.includes(this.netaceaCaptchaCookieName)?await this.encryptCookieValue(i):i,`${this.netaceaCaptchaCookieName}=${i}; ${o}`}async buildCookieFromValues(e,t,a,i,s="/"){const o=`${e}=${this.encryptedCookies.includes(e)?await this.encryptCookieValue(t):t}; Max-Age=${a}; Path=${s}`;return void 0!==i&&""!==i?`${o}; ${i}`:o}async callIngest(e){const t=this.constructWebLog(e);if(this.ingestType===o.KINESIS){if(void 0===this.kinesis)return void console.error("Netacea Error: Unable to log as Kinesis has not been defined.");try{await this.kinesis.ingest({...t,apiKey:this.apiKey},this.makeRequest.bind(this))}catch(e){console.error("NETACEA Error: ",e.message)}}else{const e={"X-Netacea-API-Key":this.apiKey,"content-type":"application/json"},a=await this.makeIngestApiCall(e,t);if(200!==a.status)throw this.APIError(a)}}constructWebLog(e){return e.bytesSent=""===e.bytesSent?"0":e.bytesSent,this.logVersion===r.V2?this.constructV2WebLog(e):this.constructV1WebLog(e)}constructV2WebLog({ip:e,userAgent:t,status:a,method:i,path:s,protocol:o,referer:r,bytesSent:n,requestTime:c,mitataCookie:h,sessionStatus:d,integrationType:p,integrationVersion:l,xForwardedFor:m}){const g=new Date,{path:y,query:k,request:C}=J(i,s,o),f=v(h)?.userId;return{status:a,method:i,bytes_sent:u(n),referrer:""===r?void 0:r,request:C,request_time:u(c),integration_type:p,integration_version:l,client:e,user_agent:t,bc_type:""===d?void 0:d,hour:g.getUTCHours(),minute:g.getUTCMinutes(),"@timestamp":g.toISOString().replace("Z","+00:00"),path:y,protocol:o,query:k,user_id:f,x_forwarded_for:m}}constructV1WebLog({ip:e,userAgent:t,status:a,method:i,path:s,protocol:o,referer:r,bytesSent:n,requestTime:c,mitataCookie:h,sessionStatus:u,integrationType:d,integrationVersion:p,xForwardedFor:l}){const m=(new Date).toUTCString(),{request:g}=J(i,s,o);return{Request:g,TimeLocal:m,RealIp:e,UserAgent:t,Status:a,RequestTime:c?.toString(),BytesSent:n?.toString(),Referer:""===r?"-":r,NetaceaUserIdCookie:h??"",NetaceaMitigationApplied:u??"",IntegrationType:d??"",IntegrationVersion:p??"",XForwardedFor:l}}async makeIngestApiCall(e,t){return await this.makeRequest({host:this.ingestServiceUrl,method:"POST",path:"/",headers:e,body:JSON.stringify(t),timeout:this.timeout})}async processIngest(e){if(void 0===this.secretKey)throw new Error("Secret key is required for ingest");const t=this.getCookieHeader(e),a=I(await this.readCookie(this.netaceaCookieName,t),k,this.secretKey);return a.isPrimaryHashValid?a.requiresReissue?await this.setIngestOnlyMitataCookie(a.mitata?.userId):{sessionStatus:"",setCookie:[]}:await this.setIngestOnlyMitataCookie(void 0)}async setIngestOnlyMitataCookie(e){return{sessionStatus:"",setCookie:[await this.createMitata(k,e,0,0,0,86400)]}}findBestMitigation(e,t,a,i){const s="unknown";a=this.adjustCaptchaCode(a,i);let o=ee[e]??s+"_";o+=ae[t]??s;let r=ie[t];if(0!==a){o+=","+(oe[a]??s);const e=se[a];void 0!==e&&(r=e)}return this.mitigationType===n.INJECT&&(r=te.none),{sessionStatus:o,mitigation:r,parts:{match:e,mitigate:t,captcha:a}}}adjustCaptchaCode(e,t){let a=e;return t||(2===e?a=4:3===e&&(a=5)),a}async check(e,t,a,i,s,o){let r,n,c,h,u,d,p;if(void 0===this.secretKey)throw new Error("Secret key is required to mitigate");const l=I(e,t,this.secretKey);if(!l.isPrimaryHashValid||l.requiresReissue){const e=await this.makeMitigateAPICall({userId:l.mitata?.userId,clientIP:t,userAgent:a,captchaCookie:o,accept:i,host:s});r=e.status,n=e.match,c=e.mitigate,h=e.captcha,u=e.body,d=[await this.createMitata(t,l.mitata?.userId,n,c,h,e.mitataMaxAge)],p=e.eventId}else r=-1,n=l.match,c=l.mitigate,h=l.captcha,u=void 0,d=[];return this.composeResult(u,d,r,n,c,h,!1,p)}async makeMitigateAPICall({userId:e,clientIP:t,userAgent:a,captchaCookie:i,accept:s,host:o,isCaptchaGet:r=!1,defaultMitataCodes:n,trackingId:c}){const h={"X-Netacea-API-Key":this.apiKey,"X-Netacea-Client-IP":t,"user-agent":a,cookie:this.buildCookieHeader({_mitatacaptcha:i})};void 0!==e&&(h["X-Netacea-UserId"]=e),void 0!==this.captchaSiteKey&&void 0!==this.captchaSecretKey&&(h["X-Netacea-Captcha-Site-Key"]=this.captchaSiteKey,h["X-Netacea-Captcha-Secret-Key"]=this.captchaSecretKey),this.dynamicCaptchaContentType&&void 0!==this.netaceaCaptchaPath&&(h["X-Netacea-Captcha-Content-Type"]=function(e){const t=e?.toLowerCase()??"text/html",a=t?.includes("text/html")||t?.includes("application/html"),i=t?.includes("application/json");return i&&!a?"application/json":"text/html"}(s));const u="application/json"===h["X-Netacea-Captcha-Content-Type"],d=void 0!==c?`?trackingId=${c}`:"",p=await this.makeRequest({host:this.mitigationServiceUrl,path:r?`/captcha${d}`:"/",headers:h,method:"GET",timeout:this.timeout});return u&&void 0!==this.netaceaCaptchaPath&&(p.body=function(e,t,a){let i;if(void 0===e||""===e)return"";if("string"==typeof e&&(i=JSON.parse(e)),!function(e){if(null==e)return!1;const t=e;return void 0!==t?.captchaSiteKey&&void 0!==t?.trackingId&&void 0!==t?.captchaURL}(i))throw new Error("Body is not a Mitigation Service JSON response!");const s=`${a}?trackingId=${i.trackingId}`,o=`https://${t}${s}`;return JSON.stringify({captchaRelativeURL:s,captchaAbsoluteURL:o})}(p.body,o,this.netaceaCaptchaPath)),await this.getApiCallResponseFromResponse(p,e,t,n)}buildCookieHeader(e){let t="",a="";for(const i in e){const s=e[i];void 0!==s&&(t=`${t}${a}${i}=${s}`,a="; ")}return t}composeResult(e,t,a,i,s,o,r,c){const h=this.findBestMitigation(i,s,o,r),u={body:e,apiCallStatus:a,setCookie:t,sessionStatus:h.sessionStatus,mitigation:h.mitigation,mitigated:[te.block,te.captcha,te.captchaPass].includes(h.mitigation)};if(this.mitigationType===n.INJECT){const e={"x-netacea-match":h.parts.match.toString(),"x-netacea-mitigate":h.parts.mitigate.toString(),"x-netacea-captcha":h.parts.captcha.toString()};void 0!==c&&(e["x-netacea-event-id"]=c),u.injectHeaders=e}return u}}exports.Cloudfront=ne;
+//# sourceMappingURL=index.js.map

package/package.json

@@ -1,9 +1,13 @@
 {
     "name": "@netacea/cloudfront",
-    "version": "5.2.54",
+    "version": "6.0.1",
     "description": "Netacea Cloudfront CDN integration",
-    "main": "dist/src/index.js",
-    "types": "dist/src/index.d.ts",
+    "files": [
+        "dist/index.js",
+        "dist/index.d.ts"
+    ],
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
     "scripts": {
         "prepack": "npx netacea-bundler prepack",
         "postpack": "npx netacea-bundler postpack"
@@ -14,9 +18,10 @@
     },
     "license": "ISC",
     "dependencies": {
-        "@netacea/netaceaintegrationbase": "^2.0.36",
+        "@types/aws-lambda": "^8.10.138",
+        "aws4": "1.11.0",
         "axios": "^0.21.0",
         "jose": "^4.11.2"
     },
-    "gitHead": "6a7870a1569541c04f792429141980159d5beaf6"
+    "gitHead": "e7403c128b50009211ff7af59995e380ac7ef6fc"
 }

package/.vscode/launch.json

@@ -1,21 +0,0 @@
-{
-  "version": "0.2.0",
-  "configurations": [
-    {
-      "type": "node",
-      "request": "launch",
-      "name": "Debug Tests",
-      "program": "${workspaceFolder}/node_modules/.bin/mocha",
-      "args": [
-        "-r",
-        "ts-node/register",
-        "./tests/mocha/*.test.ts"
-      ],
-      "console": "internalConsole",
-      "skipFiles": [
-        "<node_internals>/**",
-        "${workspaceFolder}/node_modules/**"
-      ],
-    }
-  ]
-}

package/.vscode/settings.json

@@ -1,5 +0,0 @@
-{
-  "cSpell.words": [
-    "netaceaintegrationtestrunner"
-  ]
-}