@netacea/netaceaintegrationbase 2.0.18 → 2.0.20

package/dist/index.cjs

@@ -0,0 +1,562 @@
+'use strict';
+
+var crypto = require('crypto');
+var buffer = require('buffer');
+
+exports.NetaceaIngestType = void 0;
+(function (NetaceaIngestType) {
+    /**
+     * ORIGIN Ingest mode; data to be ingested is set by headers, so it can be forwarded via a seperate mechanism
+     */
+    NetaceaIngestType["ORIGIN"] = "ORIGIN";
+    /**
+     * HTTP Ingest mode, this is the standard implementation
+     */
+    NetaceaIngestType["HTTP"] = "HTTP";
+    /**
+     * Ingest over Kinesis, Netacea will inform you if this is required
+     * and will provide you with kinesis credentials.
+     */
+    NetaceaIngestType["KINESIS"] = "KINESIS";
+    /**
+     * Data to be Ingest via some mechanism native to the host/CDN, e.g. log shipping.
+     */
+    NetaceaIngestType["NATIVE"] = "NATIVE";
+})(exports.NetaceaIngestType || (exports.NetaceaIngestType = {}));
+exports.NetaceaLogVersion = void 0;
+(function (NetaceaLogVersion) {
+    /**
+     * Current style log version
+     */
+    NetaceaLogVersion["V1"] = "V1";
+    /**
+     * V2 Log format, should only be used if Netacea instructs
+     */
+    NetaceaLogVersion["V2"] = "V2";
+})(exports.NetaceaLogVersion || (exports.NetaceaLogVersion = {}));
+exports.NetaceaMitigationType = void 0;
+(function (NetaceaMitigationType) {
+    /**
+     * Run Netacea with mitigation mode enabled.
+     * This will serve Captcha pages and Forbidden pages when instructed to do so
+     */
+    NetaceaMitigationType["MITIGATE"] = "MITIGATE";
+    /**
+     * Run Netacea with Inject mode enabled.
+     * The end-user will only receive a cookie.
+     * The origin server will receive 3-4 headers,
+     *
+     * 'x-netacea-match' indicating what was matched (nothing(0), ua(1), ip(2), etc...)
+     *
+     * 'x-netacea-mitigate' indicating what action would've be taken (nothing (0), block(1), allow(2), etc...)
+     *
+     * 'x-netacea-captcha' indicating what captcha action would've been taken
+     *
+     * 'x-netacea-event-id' event id value that should be injected to the captcha
+     * page if using `@netacea/captchafeedback` module on the origin server
+     */
+    NetaceaMitigationType["INJECT"] = "INJECT";
+    /**
+     * Run Netacea with Ingest only mode
+     * No cookies will be set for the end user.
+     * No mitigations will be applied.
+     *
+     * **It's recommended to start in this mode!**
+     */
+    NetaceaMitigationType["INGEST"] = "INGEST";
+})(exports.NetaceaMitigationType || (exports.NetaceaMitigationType = {}));
+exports.NetaceaCookieV3IssueReason = void 0;
+(function (NetaceaCookieV3IssueReason) {
+    NetaceaCookieV3IssueReason["CAPTCHA_GET"] = "captcha_get";
+    NetaceaCookieV3IssueReason["CAPTCHA_POST"] = "captcha_post";
+    NetaceaCookieV3IssueReason["EXPIRED_SESSION"] = "expired_session";
+    NetaceaCookieV3IssueReason["FORCED_REVALIDATION"] = "forced_revalidation";
+    NetaceaCookieV3IssueReason["INVALID_SESSION"] = "invalid_session";
+    NetaceaCookieV3IssueReason["IP_CHANGE"] = "ip_change";
+    NetaceaCookieV3IssueReason["NO_SESSION"] = "no_session";
+})(exports.NetaceaCookieV3IssueReason || (exports.NetaceaCookieV3IssueReason = {}));
+
+const ONE_HOUR_IN_SECONDS = 60 * 60;
+function correctTimeout(timeout) {
+    return timeout <= 0 ? defaultTimeout : timeout;
+}
+function safeParseInt(value, defaultValue = 0) {
+    if (isNaN(value)) {
+        return defaultValue;
+    }
+    return parseInt(value);
+}
+const defaultTimeout = 3000;
+function configureMitataExpiry(mitigationType, expirySeconds) {
+    if (expirySeconds === undefined) {
+        return mitigationType === exports.NetaceaMitigationType.INGEST ? ONE_HOUR_IN_SECONDS : 60;
+    }
+    return expirySeconds;
+}
+
+const COOKIEDELIMITER = '_/@#/';
+const mitigationTypes = {
+    none: '',
+    block: 'block',
+    captcha: 'captcha',
+    allow: 'allow',
+    captchaPass: 'captchapass'
+};
+const netaceaHeaders = {
+    match: 'x-netacea-match',
+    mitigate: 'x-netacea-mitigate',
+    captcha: 'x-netacea-captcha',
+    mitata: 'x-netacea-mitata-value',
+    mitataExpiry: 'x-netacea-mitata-expiry',
+    mitataCaptcha: 'x-netacea-mitatacaptcha-value',
+    mitataCaptchaExpiry: 'x-netacea-mitatacaptcha-expiry',
+    eventId: 'x-netacea-event-id'
+};
+const matchMap = {
+    0: '',
+    1: 'ua_',
+    2: 'ip_',
+    3: 'visitor_',
+    4: 'datacenter_',
+    5: 'sev_',
+    6: 'organisation_',
+    7: 'asn_',
+    8: 'country_',
+    9: 'combination_'
+};
+const mitigateMap = {
+    0: '',
+    1: 'blocked',
+    2: 'allow',
+    3: 'hardblocked',
+    4: 'block'
+};
+const captchaMap = {
+    0: '',
+    1: 'captcha_serve',
+    2: 'captcha_pass',
+    3: 'captcha_fail',
+    4: 'captcha_cookiepass',
+    5: 'captcha_cookiefail'
+};
+const captchaStatusCodes = {
+    '': 0,
+    'captchaServe': 1,
+    'captchaPass': 2,
+    'captchaFail': 3,
+    'captchaCookiePass': 4,
+    'captchaCookieFail': 5
+};
+const bestMitigationMap = {
+    0: mitigationTypes.none,
+    1: mitigationTypes.block,
+    2: mitigationTypes.none,
+    3: mitigationTypes.block,
+    4: mitigationTypes.block
+};
+const bestMitigationCaptchaMap = {
+    1: mitigationTypes.captcha,
+    2: mitigationTypes.captchaPass,
+    3: mitigationTypes.captcha,
+    4: mitigationTypes.allow,
+    5: mitigationTypes.captcha
+};
+const netaceaCookieV3KeyMap = {
+    clientIP: 'cip',
+    userId: 'uid',
+    gracePeriod: 'grp',
+    cookieId: 'cid',
+    match: 'mat',
+    mitigate: 'mit',
+    captcha: 'cap',
+    issueTimestamp: 'ist',
+    issueReason: 'isr'
+};
+const netaceaCookieV3OptionalKeyMap = {
+    checkAllPostRequests: 'fCAPR'
+};
+const netaceaSettingsMap = {
+    checkAllPostRequests: 'checkAllPostRequests'
+};
+
+var dictionary = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    COOKIEDELIMITER: COOKIEDELIMITER,
+    bestMitigationCaptchaMap: bestMitigationCaptchaMap,
+    bestMitigationMap: bestMitigationMap,
+    captchaMap: captchaMap,
+    captchaStatusCodes: captchaStatusCodes,
+    matchMap: matchMap,
+    mitigateMap: mitigateMap,
+    mitigationTypes: mitigationTypes,
+    netaceaCookieV3KeyMap: netaceaCookieV3KeyMap,
+    netaceaCookieV3OptionalKeyMap: netaceaCookieV3OptionalKeyMap,
+    netaceaHeaders: netaceaHeaders,
+    netaceaSettingsMap: netaceaSettingsMap
+});
+
+// Using clientIP has no advantage when setting cookies in Ingest Only mode.
+// We therefore use a dummy value in place of the IP.
+// This brings its own advantage in that if the integration is switched
+// from INGEST to MITIGATE, then the INGEST cookie will be treated as expired
+// & a new MITIGATE cookie will be set
+const ingestIgnoredIpValue = 'ignored';
+const BASE_62_CHARSET = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'.split('');
+const mitataCookieRegExp = /^(.*)_\/@#\/(.*)_\/@#\/(.*)_\/@#\/(.*)_\/@#\/((\d)(\d)(\d))$/;
+function matchMitataCookie(netaceaCookie) {
+    if (netaceaCookie === undefined) {
+        return undefined;
+    }
+    const matches = netaceaCookie.match(mitataCookieRegExp);
+    if (matches !== null && matches !== undefined) {
+        const [, signature, expiry, userId, ipHash, mitigationType, match, mitigate, captcha] = matches;
+        return {
+            signature,
+            expiry,
+            userId,
+            ipHash,
+            mitigationType,
+            match: parseInt(match),
+            mitigate: parseInt(mitigate),
+            captcha: parseInt(captcha)
+        };
+    }
+    return undefined;
+}
+function generateId(length = 16, charset = BASE_62_CHARSET) {
+    const randomBytesBuffer = crypto.randomBytes(length - 1);
+    const randomString = Array.from(randomBytesBuffer)
+        .map(byte => charset[byte % charset.length])
+        .join('');
+    return `c${randomString}`;
+}
+function createMitataCookie(clientIP, userId, expiryTime, saltKey, mitCode = '000') {
+    if (userId === undefined) {
+        userId = generateId();
+    }
+    const ipHash = hexSha256(clientIP + '|' + String(expiryTime), saltKey);
+    const originCookieValue = [
+        expiryTime,
+        userId,
+        ipHash,
+        mitCode
+    ].join(COOKIEDELIMITER);
+    const value = hexSha256(originCookieValue, saltKey);
+    const cookieValue = `${value}${COOKIEDELIMITER}${originCookieValue}`;
+    return cookieValue;
+}
+function hexSha256(value, saltKey) {
+    const hash = crypto.createHmac('sha256', saltKey);
+    hash.update(value);
+    return buffer.Buffer.from(hash.digest('hex')).toString('base64');
+}
+const warmupCookie = {
+    // eslint-disable-next-line max-len
+    cookie: 'MzBkZDEwYjc0ZmIyMzQ4YmY0OTlhNTkyNjY0MDRjMjhjNmQ5Y2RlYjVkYzVkMDQyZmEzODU4MDBiN2MwNTk1OQ==_/@#/1653044256_/@#/UUID_/@#/NjEyOWIzY2JiMjE5NjcwMThlYjg5NDYzY2YyMDZlYjE0ZDg2NTRjYmMxODg5Y2I4Y2U2NGFjZDAxOTdhMGFmNA==_/@#/000',
+    secretKey: 'EXAMPLE_SECRET_KEY',
+    clientIP: '192.168.0.1'
+};
+function checkMitataCookie(netaceaCookie, clientIP, secretKey) {
+    const defaultInvalidResponse = {
+        mitata: undefined,
+        requiresReissue: false,
+        isExpired: false,
+        shouldExpire: false,
+        isSameIP: false,
+        isPrimaryHashValid: false,
+        captcha: 0,
+        match: 0,
+        mitigate: 0
+    };
+    if (typeof netaceaCookie !== 'string' || netaceaCookie === '') {
+        return defaultInvalidResponse;
+    }
+    const mitata = matchMitataCookie(netaceaCookie);
+    if (mitata !== undefined) {
+        // Check cookie signature
+        const mitSvcStringValue = [
+            mitata.expiry, mitata.userId, mitata.ipHash, mitata.mitigationType
+        ].join(COOKIEDELIMITER);
+        const currentUnixTime = Math.floor(Date.now() / 1000);
+        const isExpired = parseInt(mitata.expiry) < currentUnixTime;
+        // serve, fail, cookiefail
+        const isCaptchaServe = [1, 3, 5].includes(mitata.captcha);
+        const isHardBlocked = mitata.mitigate === 3;
+        const shouldExpire = isCaptchaServe || isHardBlocked;
+        const currentIPHash = hexSha256(clientIP + '|' + mitata.expiry, secretKey);
+        const isSameIP = mitata.ipHash === currentIPHash;
+        const valid = mitata.signature === hexSha256(mitSvcStringValue, secretKey);
+        return {
+            mitata,
+            requiresReissue: isExpired || !isSameIP,
+            isExpired,
+            shouldExpire,
+            isSameIP,
+            isPrimaryHashValid: valid,
+            match: mitata.match,
+            mitigate: mitata.mitigate,
+            captcha: mitata.captcha
+        };
+    }
+    return defaultInvalidResponse;
+}
+
+function createNetaceaCookieV3(cookieParams) {
+    const paramEntries = Object.entries(cookieParams);
+    const cookieParts = paramEntries
+        .filter(([_, v]) => v !== undefined)
+        .map(([key, value]) => {
+        if (key in netaceaCookieV3OptionalKeyMap) {
+            return `${netaceaCookieV3OptionalKeyMap[key]}=${encodeURIComponent(value)}`;
+        }
+        return `${netaceaCookieV3KeyMap[key]}=${encodeURIComponent(value)}`;
+    });
+    return cookieParts.join('&');
+}
+function cookieIsNetaceaV3Format(cookie) {
+    if (cookie === undefined) {
+        return false;
+    }
+    return cookie.split('&')
+        .map(part => part.split('=')[0]) // E.g. 'cip' in cip=1.2.3.4
+        .filter(key => !Object.values(netaceaCookieV3OptionalKeyMap).includes(key)) // Filter out optional keys
+        .every(key => Object.values(netaceaCookieV3KeyMap).includes(key));
+}
+function objectIsNetaceaCookieV3(obj) {
+    if (typeof obj !== 'object' || obj === null) {
+        return false;
+    }
+    for (const key of Object.keys(netaceaCookieV3KeyMap)) {
+        if (!(key in obj)) {
+            return false;
+        }
+        if (obj[key] === undefined) {
+            return false;
+        }
+    }
+    return true;
+}
+function checkNetaceaCookieV3(netaceaCookie, clientIP) {
+    if (netaceaCookie === undefined || netaceaCookie === '') {
+        return defaultInvalidResponse();
+    }
+    const netaceaCookieV3 = matchNetaceaCookieV3(netaceaCookie);
+    if (netaceaCookieV3 !== undefined) {
+        const currentUnixTime = Math.floor(Date.now() / 1000);
+        const expiryTimestamp = netaceaCookieV3.issueTimestamp + netaceaCookieV3.gracePeriod;
+        const isExpired = expiryTimestamp < currentUnixTime;
+        const isSameIP = clientIP === netaceaCookieV3.clientIP;
+        // serve, fail, cookiefail
+        const isCaptchaServe = [1, 3, 5].includes(netaceaCookieV3.captcha);
+        const isHardBlocked = netaceaCookieV3.mitigate === 3;
+        const shouldExpire = isCaptchaServe || isHardBlocked;
+        return {
+            mitata: netaceaCookieV3,
+            requiresReissue: isExpired || !isSameIP,
+            isExpired,
+            shouldExpire,
+            isSameIP,
+            isPrimaryHashValid: true,
+            match: netaceaCookieV3.match,
+            mitigate: netaceaCookieV3.mitigate,
+            captcha: netaceaCookieV3.captcha,
+            issueReason: netaceaCookieV3.issueReason
+        };
+    }
+    return defaultInvalidResponse();
+}
+function matchNetaceaCookieV3(netaceaCookie) {
+    if (netaceaCookie === undefined || netaceaCookie === '') {
+        return undefined;
+    }
+    const cookieParts = netaceaCookie.split('&');
+    const cookieParams = {
+        clientIP: '',
+        userId: '',
+        cookieId: '',
+        gracePeriod: 0,
+        match: 0,
+        mitigate: 0,
+        captcha: 0,
+        issueTimestamp: 0,
+        issueReason: '',
+        checkAllPostRequests: undefined
+    };
+    for (const part of cookieParts) {
+        const [key, rawValue] = part.split('=');
+        const value = decodeURIComponent(rawValue);
+        let fullKey = Object.keys(netaceaCookieV3KeyMap).find(k => netaceaCookieV3KeyMap[k] === key);
+        if (fullKey === undefined) {
+            fullKey = Object.keys(netaceaCookieV3OptionalKeyMap).find(k => netaceaCookieV3OptionalKeyMap[k] === key);
+        }
+        let parsedValue = value === '' ? undefined : Number(value);
+        if (parsedValue !== undefined && isNaN(parsedValue)) {
+            parsedValue = value;
+        }
+        cookieParams[fullKey] = parsedValue;
+    }
+    return cookieParams;
+}
+function defaultInvalidResponse() {
+    return {
+        mitata: undefined,
+        requiresReissue: false,
+        isExpired: false,
+        shouldExpire: false,
+        isSameIP: false,
+        isPrimaryHashValid: false,
+        captcha: 0,
+        match: 0,
+        mitigate: 0,
+        issueReason: exports.NetaceaCookieV3IssueReason.NO_SESSION
+    };
+}
+
+// eslint-disable-next-line complexity
+function configureCookiesDomain(cookieAttr, captchaCookieAttr) {
+    cookieAttr = removeDuplicateAttrs(cookieAttr ?? '', true);
+    captchaCookieAttr = removeDuplicateAttrs(captchaCookieAttr ?? '', true);
+    let finalCookieAttr = cookieAttr;
+    let finalCaptchaCookieAttr = captchaCookieAttr;
+    if (cookieAttr !== undefined && captchaCookieAttr !== undefined) {
+        const domain = extractCookieAttr(cookieAttr, 'Domain');
+        const captchaDomain = extractCookieAttr(captchaCookieAttr, 'Domain');
+        if (domain !== undefined && captchaDomain !== undefined) {
+            finalCaptchaCookieAttr = captchaCookieAttr.replace(captchaDomain, domain);
+        }
+        else if (domain !== undefined && captchaDomain === undefined) {
+            // eslint-disable-next-line max-len
+            finalCaptchaCookieAttr = captchaCookieAttr + (captchaCookieAttr !== '' ? `; Domain=${domain}` : `Domain=${domain}`);
+        }
+        else if (domain === undefined && captchaDomain !== undefined) {
+            finalCookieAttr = cookieAttr + (cookieAttr !== '' ? `; Domain=${captchaDomain}` : `Domain=${captchaDomain}`);
+        }
+    }
+    else if (cookieAttr !== undefined && captchaCookieAttr === undefined) {
+        const domain = extractCookieAttr(cookieAttr, 'Domain');
+        if (domain !== undefined) {
+            finalCaptchaCookieAttr = `Domain=${domain}`;
+        }
+    }
+    else if (cookieAttr === undefined && captchaCookieAttr !== undefined) {
+        const captchaDomain = extractCookieAttr(captchaCookieAttr, 'Domain');
+        if (captchaDomain !== undefined) {
+            finalCookieAttr = `Domain=${captchaDomain}`;
+        }
+    }
+    return {
+        cookieAttributes: finalCookieAttr !== '' ? finalCookieAttr : undefined,
+        captchaCookieAttributes: finalCaptchaCookieAttr !== '' ? finalCaptchaCookieAttr : undefined
+    };
+}
+function extractAndRemoveCookieAttr(attributes, attribute) {
+    const attrValue = extractCookieAttr(attributes, attribute);
+    if (attrValue !== undefined) {
+        const attributesList = attributes
+            .replace(/ /g, '')
+            .replace(`${attribute}=${attrValue}`, '')
+            .split(';')
+            .filter(z => z.length > 0);
+        return {
+            extractedAttribute: attrValue,
+            cookieAttributes: attributesList.join('; ')
+        };
+    }
+    return {
+        extractedAttribute: undefined,
+        cookieAttributes: attributes
+    };
+}
+function extractCookieAttr(attributes, attribute) {
+    const extractedAttr = attributes
+        .split(';')
+        .map(attr => attr.trim())
+        .filter(attr => attr.toLowerCase().startsWith(attribute.toLowerCase()))[0];
+    return (extractedAttr !== undefined && extractedAttr.length > 0)
+        ? extractedAttr?.replace(`${attribute}=`, '')
+        : undefined;
+}
+function removeDuplicateAttrs(attributes, keepLast = false) {
+    if (attributes === '') {
+        return '';
+    }
+    const capitalizeAttrName = (attr) => attr.charAt(0).toUpperCase() + attr.slice(1);
+    return attributes
+        .replace(/ /g, '')
+        .split(';')
+        .map(capitalizeAttrName)
+        .filter(s => s.trim() !== '')
+        .filter((attr, i, attrs) => {
+        const getAttrName = (attr) => attr.split('=')[0];
+        const attrName = getAttrName(attr);
+        const attrNames = attrs.map(getAttrName);
+        if (keepLast) {
+            return i === attrNames.lastIndexOf(attrName);
+        }
+        return i === attrNames.indexOf(attrName);
+    })
+        .join('; ');
+}
+
+var cookieAttributes = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    configureCookiesDomain: configureCookiesDomain,
+    extractAndRemoveCookieAttr: extractAndRemoveCookieAttr,
+    extractCookieAttr: extractCookieAttr,
+    removeDuplicateAttrs: removeDuplicateAttrs
+});
+
+function createSetCookieString(args) {
+    // prefer attributes set in otherAttributes (customer configured)
+    const attributes = removeDuplicateAttrs([
+        args.otherAttributes ?? '',
+        `Max-Age=${args.maxAgeAttribute ?? 86400}`,
+        'Path=/'
+    ].join('; '));
+    return `${args.cookieName}=${args.cookieValue}; ${attributes}`;
+}
+function createNetaceaSetCookieString(args) {
+    return createSetCookieString({
+        ...args,
+        cookieName: args.cookieName ?? '_mitata'
+    });
+}
+function createNetaceaCaptchaSetCookieString(args) {
+    return createSetCookieString({
+        ...args,
+        cookieName: args.cookieName ?? '_mitatacaptcha'
+    });
+}
+
+var netaceaSessionCookie = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    createNetaceaCaptchaSetCookieString: createNetaceaCaptchaSetCookieString,
+    createNetaceaSetCookieString: createNetaceaSetCookieString,
+    createSetCookieString: createSetCookieString
+});
+
+const lib = {
+    cookie: {
+        attributes: cookieAttributes,
+        netaceaSession: netaceaSessionCookie
+    }
+};
+
+exports.checkMitataCookie = checkMitataCookie;
+exports.checkNetaceaCookieV3 = checkNetaceaCookieV3;
+exports.configureMitataExpiry = configureMitataExpiry;
+exports.cookieIsNetaceaV3Format = cookieIsNetaceaV3Format;
+exports.correctTimeout = correctTimeout;
+exports.createMitataCookie = createMitataCookie;
+exports.createNetaceaCookieV3 = createNetaceaCookieV3;
+exports.defaultInvalidResponse = defaultInvalidResponse;
+exports.dictionary = dictionary;
+exports.generateId = generateId;
+exports.hexSha256 = hexSha256;
+exports.ingestIgnoredIpValue = ingestIgnoredIpValue;
+exports.lib = lib;
+exports.matchMitataCookie = matchMitataCookie;
+exports.matchNetaceaCookieV3 = matchNetaceaCookieV3;
+exports.objectIsNetaceaCookieV3 = objectIsNetaceaCookieV3;
+exports.safeParseInt = safeParseInt;
+exports.warmupCookie = warmupCookie;