@onebots/core 0.5.0 → 1.0.4

package/lib/middleware/security-audit.js

@@ -0,0 +1,223 @@
+/**
+ * 安全审计日志中间件
+ * 记录所有安全相关事件
+ */
+import { createLogger } from '../logger.js';
+import * as fs from 'fs';
+import * as path from 'path';
+class SecurityAuditLogger {
+    logger = createLogger('SecurityAudit');
+    auditLogFile;
+    writeStream;
+    constructor(auditLogDir) {
+        // 确保目录存在
+        if (!fs.existsSync(auditLogDir)) {
+            fs.mkdirSync(auditLogDir, { recursive: true });
+        }
+        // 使用日期作为日志文件名
+        const today = new Date().toISOString().split('T')[0];
+        this.auditLogFile = path.join(auditLogDir, `security-audit-${today}.log`);
+        // 创建写入流
+        this.writeStream = fs.createWriteStream(this.auditLogFile, { flags: 'a', encoding: 'utf-8' });
+    }
+    /**
+     * 记录安全事件
+     */
+    log(event) {
+        const logEntry = JSON.stringify(event) + '\n';
+        // 写入文件
+        if (this.writeStream) {
+            this.writeStream.write(logEntry);
+        }
+        // 根据事件类型选择日志级别
+        const logData = {
+            type: event.type,
+            ip: event.ip,
+            path: event.path,
+            method: event.method,
+            ...event.details,
+        };
+        switch (event.type) {
+            case 'auth_failure':
+            case 'invalid_token':
+            case 'suspicious_request':
+                this.logger.warn('Security event', logData);
+                break;
+            case 'rate_limit':
+                this.logger.warn('Rate limit triggered', logData);
+                break;
+            case 'auth_success':
+                this.logger.debug('Security event', logData);
+                break;
+            default:
+                this.logger.info('Security event', logData);
+        }
+    }
+    /**
+     * 关闭写入流
+     */
+    close() {
+        if (this.writeStream) {
+            this.writeStream.end();
+            this.writeStream = undefined;
+        }
+    }
+}
+let auditLogger = null;
+/**
+ * 初始化安全审计日志
+ */
+export function initSecurityAudit(auditLogDir) {
+    auditLogger = new SecurityAuditLogger(auditLogDir);
+}
+/**
+ * 安全审计中间件
+ */
+export function securityAudit() {
+    return async (ctx, next) => {
+        if (!auditLogger) {
+            return next();
+        }
+        const startTime = Date.now();
+        const ip = ctx.ip || ctx.request.ip || 'unknown';
+        const userAgent = ctx.get('user-agent');
+        try {
+            await next();
+            const duration = Date.now() - startTime;
+            // 记录认证成功
+            if (ctx.status === 200 && ctx.path.includes('/api/')) {
+                auditLogger.log({
+                    timestamp: Date.now(),
+                    type: 'auth_success',
+                    ip,
+                    path: ctx.path,
+                    method: ctx.method,
+                    userAgent,
+                    details: {
+                        status: ctx.status,
+                        duration,
+                    },
+                });
+            }
+            // 记录错误
+            if (ctx.status >= 400) {
+                auditLogger.log({
+                    timestamp: Date.now(),
+                    type: 'error',
+                    ip,
+                    path: ctx.path,
+                    method: ctx.method,
+                    userAgent,
+                    details: {
+                        status: ctx.status,
+                        error: (ctx.body && typeof ctx.body === 'object' && 'error' in ctx.body)
+                            ? String(ctx.body.error)
+                            : ctx.message || 'Unknown error',
+                        duration,
+                    },
+                });
+            }
+        }
+        catch (error) {
+            // 记录异常
+            const err = error instanceof Error ? error : new Error(String(error));
+            auditLogger.log({
+                timestamp: Date.now(),
+                type: 'error',
+                ip,
+                path: ctx.path,
+                method: ctx.method,
+                userAgent,
+                details: {
+                    error: err.message,
+                    stack: err.stack,
+                },
+            });
+            throw err;
+        }
+    };
+}
+/**
+ * 记录认证失败
+ */
+export function logAuthFailure(ctx, reason) {
+    if (!auditLogger)
+        return;
+    auditLogger.log({
+        timestamp: Date.now(),
+        type: 'auth_failure',
+        ip: ctx.ip || ctx.request.ip || 'unknown',
+        path: ctx.path,
+        method: ctx.method,
+        userAgent: ctx.get('user-agent'),
+        details: {
+            reason,
+        },
+    });
+}
+/**
+ * 记录无效令牌
+ */
+export function logInvalidToken(ctx, token) {
+    if (!auditLogger)
+        return;
+    auditLogger.log({
+        timestamp: Date.now(),
+        type: 'invalid_token',
+        ip: ctx.ip || ctx.request.ip || 'unknown',
+        path: ctx.path,
+        method: ctx.method,
+        userAgent: ctx.get('user-agent'),
+        details: {
+            tokenPrefix: token ? token.substring(0, 10) + '...' : 'missing',
+        },
+    });
+}
+/**
+ * 记录可疑请求
+ */
+export function logSuspiciousRequest(ctx, reason, details) {
+    if (!auditLogger)
+        return;
+    auditLogger.log({
+        timestamp: Date.now(),
+        type: 'suspicious_request',
+        ip: ctx.ip || ctx.request.ip || 'unknown',
+        path: ctx.path,
+        method: ctx.method,
+        userAgent: ctx.get('user-agent'),
+        details: {
+            reason,
+            ...details,
+        },
+    });
+}
+/**
+ * 记录速率限制触发
+ */
+export function logRateLimit(ctx, key, count, max) {
+    if (!auditLogger)
+        return;
+    auditLogger.log({
+        timestamp: Date.now(),
+        type: 'rate_limit',
+        ip: ctx.ip || ctx.request.ip || 'unknown',
+        path: ctx.path,
+        method: ctx.method,
+        userAgent: ctx.get('user-agent'),
+        details: {
+            key,
+            count,
+            max,
+        },
+    });
+}
+/**
+ * 关闭审计日志
+ */
+export function closeSecurityAudit() {
+    if (auditLogger) {
+        auditLogger.close();
+        auditLogger = null;
+    }
+}

package/lib/middleware/token-manager.d.ts

@@ -0,0 +1,73 @@
+/**
+ * 令牌管理器
+ * 支持令牌过期、刷新、轮换等功能
+ */
+export interface TokenInfo {
+    token: string;
+    expiresAt?: number;
+    refreshToken?: string;
+    refreshExpiresAt?: number;
+    metadata?: Record<string, any>;
+}
+export interface TokenManagerOptions {
+    /** 默认令牌过期时间（毫秒） */
+    defaultExpiration?: number;
+    /** 刷新令牌过期时间（毫秒） */
+    refreshExpiration?: number;
+    /** 是否自动刷新 */
+    autoRefresh?: boolean;
+    /** 刷新阈值（在过期前多久刷新，毫秒） */
+    refreshThreshold?: number;
+}
+/**
+ * 令牌管理器
+ */
+export declare class TokenManager {
+    private tokens;
+    private options;
+    constructor(options?: TokenManagerOptions);
+    /**
+     * 生成新令牌
+     */
+    generateToken(metadata?: Record<string, any>): TokenInfo;
+    /**
+     * 验证令牌
+     */
+    validateToken(token: string): {
+        valid: boolean;
+        expired?: boolean;
+        info?: TokenInfo;
+    };
+    /**
+     * 刷新令牌
+     */
+    refreshToken(refreshToken: string): TokenInfo | null;
+    /**
+     * 撤销令牌
+     */
+    revokeToken(token: string): boolean;
+    /**
+     * 获取令牌信息
+     */
+    getTokenInfo(token: string): TokenInfo | undefined;
+    /**
+     * 清理过期令牌
+     */
+    cleanup(): number;
+    /**
+     * 获取统计信息
+     */
+    getStats(): {
+        total: number;
+        active: number;
+        expired: number;
+    };
+}
+/**
+ * 初始化全局令牌管理器
+ */
+export declare function initTokenManager(options?: TokenManagerOptions): TokenManager;
+/**
+ * 获取全局令牌管理器
+ */
+export declare function getTokenManager(): TokenManager | null;

package/lib/middleware/token-manager.js

@@ -0,0 +1,186 @@
+/**
+ * 令牌管理器
+ * 支持令牌过期、刷新、轮换等功能
+ */
+import { createLogger } from '../logger.js';
+import crypto from 'crypto';
+const logger = createLogger('TokenManager');
+/**
+ * 令牌管理器
+ */
+export class TokenManager {
+    tokens = new Map();
+    options;
+    constructor(options = {}) {
+        this.options = {
+            defaultExpiration: options.defaultExpiration || 3600000, // 默认 1 小时
+            refreshExpiration: options.refreshExpiration || 86400000 * 7, // 默认 7 天
+            autoRefresh: options.autoRefresh ?? false,
+            refreshThreshold: options.refreshThreshold || 300000, // 默认 5 分钟
+        };
+    }
+    /**
+     * 生成新令牌
+     */
+    generateToken(metadata) {
+        const token = crypto.randomBytes(32).toString('hex');
+        const refreshToken = crypto.randomBytes(32).toString('hex');
+        const now = Date.now();
+        const tokenInfo = {
+            token,
+            expiresAt: now + this.options.defaultExpiration,
+            refreshToken,
+            refreshExpiresAt: now + this.options.refreshExpiration,
+            metadata,
+        };
+        this.tokens.set(token, tokenInfo);
+        // 如果设置了刷新令牌，也存储
+        if (refreshToken) {
+            this.tokens.set(`refresh:${refreshToken}`, tokenInfo);
+        }
+        logger.debug('Token generated', {
+            tokenPrefix: token.substring(0, 10) + '...',
+            expiresAt: new Date(tokenInfo.expiresAt).toISOString(),
+        });
+        return tokenInfo;
+    }
+    /**
+     * 验证令牌
+     */
+    validateToken(token) {
+        const info = this.tokens.get(token);
+        if (!info) {
+            return { valid: false };
+        }
+        // 检查是否过期
+        if (info.expiresAt && Date.now() > info.expiresAt) {
+            // 清理过期令牌
+            this.tokens.delete(token);
+            if (info.refreshToken) {
+                this.tokens.delete(`refresh:${info.refreshToken}`);
+            }
+            return { valid: false, expired: true };
+        }
+        // 检查是否需要刷新
+        if (this.options.autoRefresh && info.expiresAt) {
+            const timeUntilExpiry = info.expiresAt - Date.now();
+            if (timeUntilExpiry < this.options.refreshThreshold) {
+                logger.debug('Token needs refresh', {
+                    tokenPrefix: token.substring(0, 10) + '...',
+                    timeUntilExpiry,
+                });
+            }
+        }
+        return { valid: true, info };
+    }
+    /**
+     * 刷新令牌
+     */
+    refreshToken(refreshToken) {
+        const key = `refresh:${refreshToken}`;
+        const info = this.tokens.get(key);
+        if (!info) {
+            return null;
+        }
+        // 检查刷新令牌是否过期
+        if (info.refreshExpiresAt && Date.now() > info.refreshExpiresAt) {
+            this.tokens.delete(key);
+            if (info.token) {
+                this.tokens.delete(info.token);
+            }
+            return null;
+        }
+        // 生成新令牌
+        const newToken = this.generateToken(info.metadata);
+        // 删除旧令牌
+        this.tokens.delete(info.token);
+        this.tokens.delete(key);
+        logger.info('Token refreshed', {
+            oldTokenPrefix: info.token.substring(0, 10) + '...',
+            newTokenPrefix: newToken.token.substring(0, 10) + '...',
+        });
+        return newToken;
+    }
+    /**
+     * 撤销令牌
+     */
+    revokeToken(token) {
+        const info = this.tokens.get(token);
+        if (!info) {
+            return false;
+        }
+        this.tokens.delete(token);
+        if (info.refreshToken) {
+            this.tokens.delete(`refresh:${info.refreshToken}`);
+        }
+        logger.info('Token revoked', {
+            tokenPrefix: token.substring(0, 10) + '...',
+        });
+        return true;
+    }
+    /**
+     * 获取令牌信息
+     */
+    getTokenInfo(token) {
+        return this.tokens.get(token);
+    }
+    /**
+     * 清理过期令牌
+     */
+    cleanup() {
+        const now = Date.now();
+        let cleaned = 0;
+        for (const [key, info] of this.tokens.entries()) {
+            const expired = (info.expiresAt && now > info.expiresAt) ||
+                (info.refreshExpiresAt && now > info.refreshExpiresAt);
+            if (expired) {
+                this.tokens.delete(key);
+                cleaned++;
+            }
+        }
+        if (cleaned > 0) {
+            logger.debug(`Cleaned up ${cleaned} expired tokens`);
+        }
+        return cleaned;
+    }
+    /**
+     * 获取统计信息
+     */
+    getStats() {
+        const now = Date.now();
+        let active = 0;
+        let expired = 0;
+        for (const info of this.tokens.values()) {
+            if (info.expiresAt && now > info.expiresAt) {
+                expired++;
+            }
+            else {
+                active++;
+            }
+        }
+        return {
+            total: this.tokens.size,
+            active,
+            expired,
+        };
+    }
+}
+// 全局令牌管理器实例（可选）
+let globalTokenManager = null;
+/**
+ * 初始化全局令牌管理器
+ */
+export function initTokenManager(options) {
+    globalTokenManager = new TokenManager(options);
+    // 定期清理过期令牌（每 5 分钟）
+    setInterval(() => {
+        globalTokenManager?.cleanup();
+    }, 5 * 60 * 1000);
+    return globalTokenManager;
+}
+/**
+ * 获取全局令牌管理器
+ */
+export function getTokenManager() {
+    return globalTokenManager;
+}

package/lib/middleware/token-validator.d.ts

@@ -0,0 +1,42 @@
+/**
+ * 访问令牌验证中间件
+ * 支持多种令牌格式和验证方式
+ */
+import type { Context, Next } from 'koa';
+interface TokenConfig {
+    /** 令牌名称（用于从 header 或 query 中获取） */
+    tokenName?: string;
+    /** 是否从 Authorization header 获取 */
+    fromHeader?: boolean;
+    /** 是否从 query 参数获取 */
+    fromQuery?: boolean;
+    /** 验证函数 */
+    validator?: (token: string, ctx: Context) => boolean | Promise<boolean>;
+    /** 是否必需 */
+    required?: boolean;
+    /** 自定义错误消息 */
+    errorMessage?: string;
+}
+/**
+ * 创建令牌验证中间件
+ */
+export declare function createTokenValidator(config?: TokenConfig): (ctx: Context, next: Next) => Promise<any>;
+/**
+ * 创建基于配置的令牌验证器
+ * 从配置中读取 access_token 列表进行验证
+ */
+export declare function createConfigTokenValidator(expectedTokens: string[]): (ctx: Context, next: Next) => Promise<any>;
+/**
+ * HMAC 签名验证
+ */
+export declare function createHMACValidator(secret: string, algorithm?: string): (ctx: Context, next: Next) => Promise<void>;
+/**
+ * 创建带令牌管理的验证器
+ * 支持令牌过期检查和自动刷新
+ */
+export declare function createManagedTokenValidator(tokenManager: import('./token-manager.js').TokenManager, config?: TokenConfig): (ctx: Context, next: Next) => Promise<any>;
+/**
+ * 组合多个验证器
+ */
+export declare function combineValidators(...validators: Array<(ctx: Context, next: Next) => Promise<void>>): (ctx: Context, next: Next) => Promise<void>;
+export {};