npm - @push.rocks/smartproxy - Versions diffs - 21.1.7 → 22.6.0 - Mend

@push.rocks/smartproxy 21.1.7 → 22.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/ts/proxies/http-proxy/security-manager.ts DELETED Viewed

@@ -1,433 +0,0 @@
-import * as plugins from '../../plugins.js';
-import type { ILogger } from './models/types.js';
-import type { IRouteConfig } from '../smart-proxy/models/route-types.js';
-import type { IRouteContext } from '../../core/models/route-context.js';
-/**
- * Manages security features for the NetworkProxy
- * Implements Phase 5.4: Security features like IP filtering and rate limiting
- */
-export class SecurityManager {
-  // Cache IP filtering results to avoid constant regex matching
-  private ipFilterCache: Map<string, Map<string, boolean>> = new Map();
-  // Store rate limits per route and key
-  private rateLimits: Map<string, Map<string, { count: number, expiry: number }>> = new Map();
-  // Connection tracking by IP
-  private connectionsByIP: Map<string, Set<string>> = new Map();
-  private connectionRateByIP: Map<string, number[]> = new Map();
-  constructor(private logger: ILogger, private routes: IRouteConfig[] = [], private maxConnectionsPerIP: number = 100, private connectionRateLimitPerMinute: number = 300) {
-    // Start periodic cleanup for connection tracking
-    this.startPeriodicIpCleanup();
-  }
-  /**
-   * Update the routes configuration
-   */
-  public setRoutes(routes: IRouteConfig[]): void {
-    this.routes = routes;
-    // Reset caches when routes change
-    this.ipFilterCache.clear();
-  }
-  /**
-   * Check if a client is allowed to access a specific route
-   *
-   * @param route The route to check access for
-   * @param context The route context with client information
-   * @returns True if access is allowed, false otherwise
-   */
-  public isAllowed(route: IRouteConfig, context: IRouteContext): boolean {
-    if (!route.security) {
-      return true; // No security restrictions
-    }
-    // --- IP filtering ---
-    if (!this.isIpAllowed(route, context.clientIp)) {
-      this.logger.debug(`IP ${context.clientIp} is blocked for route ${route.name || route.id || 'unnamed'}`);
-      return false;
-    }
-    // --- Rate limiting ---
-    if (route.security.rateLimit?.enabled && !this.isWithinRateLimit(route, context)) {
-      this.logger.debug(`Rate limit exceeded for route ${route.name || route.id || 'unnamed'}`);
-      return false;
-    }
-    // --- Basic Auth (handled at HTTP level) ---
-    // Basic auth is not checked here as it requires HTTP headers
-    // and is handled in the RequestHandler
-    return true;
-  }
-  /**
-   * Check if an IP is allowed based on route security settings
-   */
-  private isIpAllowed(route: IRouteConfig, clientIp: string): boolean {
-    if (!route.security) {
-      return true; // No security restrictions
-    }
-    const routeId = route.id || route.name || 'unnamed';
-    // Check cache first
-    if (!this.ipFilterCache.has(routeId)) {
-      this.ipFilterCache.set(routeId, new Map());
-    }
-    const routeCache = this.ipFilterCache.get(routeId)!;
-    if (routeCache.has(clientIp)) {
-      return routeCache.get(clientIp)!;
-    }
-    let allowed = true;
-    // Check block list first (deny has priority over allow)
-    if (route.security.ipBlockList && route.security.ipBlockList.length > 0) {
-      if (this.ipMatchesPattern(clientIp, route.security.ipBlockList)) {
-        allowed = false;
-      }
-    }
-    // Then check allow list (overrides block list if specified)
-    if (route.security.ipAllowList && route.security.ipAllowList.length > 0) {
-      // If allow list is specified, IP must match an entry to be allowed
-      allowed = this.ipMatchesPattern(clientIp, route.security.ipAllowList);
-    }
-    // Cache the result
-    routeCache.set(clientIp, allowed);
-    return allowed;
-  }
-  /**
-   * Check if IP matches any pattern in the list
-   */
-  private ipMatchesPattern(ip: string, patterns: string[]): boolean {
-    for (const pattern of patterns) {
-      // CIDR notation
-      if (pattern.includes('/')) {
-        if (this.ipMatchesCidr(ip, pattern)) {
-          return true;
-        }
-      }
-      // Wildcard notation
-      else if (pattern.includes('*')) {
-        const regex = new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
-        if (regex.test(ip)) {
-          return true;
-        }
-      }
-      // Exact match
-      else if (pattern === ip) {
-        return true;
-      }
-    }
-    return false;
-  }
-  /**
-   * Check if IP matches CIDR notation
-   * Very basic implementation - for production use, consider a dedicated IP library
-   */
-  private ipMatchesCidr(ip: string, cidr: string): boolean {
-    try {
-      const [subnet, bits] = cidr.split('/');
-      const mask = parseInt(bits, 10);
-      // Convert IP to numeric format
-      const ipParts = ip.split('.').map(part => parseInt(part, 10));
-      const subnetParts = subnet.split('.').map(part => parseInt(part, 10));
-      // Calculate the numeric IP and subnet
-      const ipNum = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3];
-      const subnetNum = (subnetParts[0] << 24) | (subnetParts[1] << 16) | (subnetParts[2] << 8) | subnetParts[3];
-      // Calculate the mask
-      const maskNum = ~((1 << (32 - mask)) - 1);
-      // Check if IP is in subnet
-      return (ipNum & maskNum) === (subnetNum & maskNum);
-    } catch (e) {
-      this.logger.error(`Invalid CIDR notation: ${cidr}`);
-      return false;
-    }
-  }
-  /**
-   * Check if request is within rate limit
-   */
-  private isWithinRateLimit(route: IRouteConfig, context: IRouteContext): boolean {
-    if (!route.security?.rateLimit?.enabled) {
-      return true;
-    }
-    const rateLimit = route.security.rateLimit;
-    const routeId = route.id || route.name || 'unnamed';
-    // Determine rate limit key (by IP, path, or header)
-    let key = context.clientIp; // Default to IP
-    if (rateLimit.keyBy === 'path' && context.path) {
-      key = `${context.clientIp}:${context.path}`;
-    } else if (rateLimit.keyBy === 'header' && rateLimit.headerName && context.headers) {
-      const headerValue = context.headers[rateLimit.headerName.toLowerCase()];
-      if (headerValue) {
-        key = `${context.clientIp}:${headerValue}`;
-      }
-    }
-    // Get or create rate limit tracking for this route
-    if (!this.rateLimits.has(routeId)) {
-      this.rateLimits.set(routeId, new Map());
-    }
-    const routeLimits = this.rateLimits.get(routeId)!;
-    const now = Date.now();
-    // Get or create rate limit tracking for this key
-    let limit = routeLimits.get(key);
-    if (!limit || limit.expiry < now) {
-      // Create new rate limit or reset expired one
-      limit = {
-        count: 1,
-        expiry: now + (rateLimit.window * 1000)
-      };
-      routeLimits.set(key, limit);
-      return true;
-    }
-    // Increment the counter
-    limit.count++;
-    // Check if rate limit is exceeded
-    return limit.count <= rateLimit.maxRequests;
-  }
-  /**
-   * Clean up expired rate limits
-   * Should be called periodically to prevent memory leaks
-   */
-  public cleanupExpiredRateLimits(): void {
-    const now = Date.now();
-    for (const [routeId, routeLimits] of this.rateLimits.entries()) {
-      let removed = 0;
-      for (const [key, limit] of routeLimits.entries()) {
-        if (limit.expiry < now) {
-          routeLimits.delete(key);
-          removed++;
-        }
-      }
-      if (removed > 0) {
-        this.logger.debug(`Cleaned up ${removed} expired rate limits for route ${routeId}`);
-      }
-    }
-  }
-  /**
-   * Check basic auth credentials
-   *
-   * @param route The route to check auth for
-   * @param username The provided username
-   * @param password The provided password
-   * @returns True if credentials are valid, false otherwise
-   */
-  public checkBasicAuth(route: IRouteConfig, username: string, password: string): boolean {
-    if (!route.security?.basicAuth?.enabled) {
-      return true;
-    }
-    const basicAuth = route.security.basicAuth;
-    // Check credentials against configured users
-    for (const user of basicAuth.users) {
-      if (user.username === username && user.password === password) {
-        return true;
-      }
-    }
-    return false;
-  }
-  /**
-   * Verify a JWT token
-   *
-   * @param route The route to verify the token for
-   * @param token The JWT token to verify
-   * @returns True if the token is valid, false otherwise
-   */
-  public verifyJwtToken(route: IRouteConfig, token: string): boolean {
-    if (!route.security?.jwtAuth?.enabled) {
-      return true;
-    }
-    try {
-      // This is a simplified version - in production you'd use a proper JWT library
-      const jwtAuth = route.security.jwtAuth;
-      // Verify structure
-      const parts = token.split('.');
-      if (parts.length !== 3) {
-        return false;
-      }
-      // Decode payload
-      const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
-      // Check expiration
-      if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
-        return false;
-      }
-      // Check issuer
-      if (jwtAuth.issuer && payload.iss !== jwtAuth.issuer) {
-        return false;
-      }
-      // Check audience
-      if (jwtAuth.audience && payload.aud !== jwtAuth.audience) {
-        return false;
-      }
-      // In a real implementation, you'd also verify the signature
-      // using the secret and algorithm specified in jwtAuth
-      return true;
-    } catch (err) {
-      this.logger.error(`Error verifying JWT: ${err}`);
-      return false;
-    }
-  }
-  /**
-   * Get connections count by IP
-   */
-  public getConnectionCountByIP(ip: string): number {
-    return this.connectionsByIP.get(ip)?.size || 0;
-  }
-  /**
-   * Check and update connection rate for an IP
-   * @returns true if within rate limit, false if exceeding limit
-   */
-  public checkConnectionRate(ip: string): boolean {
-    const now = Date.now();
-    const minute = 60 * 1000;
-    if (!this.connectionRateByIP.has(ip)) {
-      this.connectionRateByIP.set(ip, [now]);
-      return true;
-    }
-    // Get timestamps and filter out entries older than 1 minute
-    const timestamps = this.connectionRateByIP.get(ip)!.filter((time) => now - time < minute);
-    timestamps.push(now);
-    this.connectionRateByIP.set(ip, timestamps);
-    // Check if rate exceeds limit
-    return timestamps.length <= this.connectionRateLimitPerMinute;
-  }
-  /**
-   * Track connection by IP
-   */
-  public trackConnectionByIP(ip: string, connectionId: string): void {
-    if (!this.connectionsByIP.has(ip)) {
-      this.connectionsByIP.set(ip, new Set());
-    }
-    this.connectionsByIP.get(ip)!.add(connectionId);
-  }
-  /**
-   * Remove connection tracking for an IP
-   */
-  public removeConnectionByIP(ip: string, connectionId: string): void {
-    if (this.connectionsByIP.has(ip)) {
-      const connections = this.connectionsByIP.get(ip)!;
-      connections.delete(connectionId);
-      if (connections.size === 0) {
-        this.connectionsByIP.delete(ip);
-      }
-    }
-  }
-  /**
-   * Check if IP should be allowed considering connection rate and max connections
-   * @returns Object with result and reason
-   */
-  public validateIP(ip: string): { allowed: boolean; reason?: string } {
-    // Check connection count limit
-    if (this.getConnectionCountByIP(ip) >= this.maxConnectionsPerIP) {
-      return {
-        allowed: false,
-        reason: `Maximum connections per IP (${this.maxConnectionsPerIP}) exceeded`
-      };
-    }
-    // Check connection rate limit
-    if (!this.checkConnectionRate(ip)) {
-      return {
-        allowed: false,
-        reason: `Connection rate limit (${this.connectionRateLimitPerMinute}/min) exceeded`
-      };
-    }
-    return { allowed: true };
-  }
-  /**
-   * Clears all IP tracking data (for shutdown)
-   */
-  public clearIPTracking(): void {
-    this.connectionsByIP.clear();
-    this.connectionRateByIP.clear();
-  }
-  /**
-   * Start periodic cleanup of IP tracking data
-   */
-  private startPeriodicIpCleanup(): void {
-    // Clean up IP tracking data every minute
-    setInterval(() => {
-      this.performIpCleanup();
-    }, 60000).unref();
-  }
-  /**
-   * Perform cleanup of expired IP data
-   */
-  private performIpCleanup(): void {
-    const now = Date.now();
-    const minute = 60 * 1000;
-    let cleanedRateLimits = 0;
-    let cleanedIPs = 0;
-    // Clean up expired rate limit timestamps
-    for (const [ip, timestamps] of this.connectionRateByIP.entries()) {
-      const validTimestamps = timestamps.filter(time => now - time < minute);
-      if (validTimestamps.length === 0) {
-        this.connectionRateByIP.delete(ip);
-        cleanedRateLimits++;
-      } else if (validTimestamps.length < timestamps.length) {
-        this.connectionRateByIP.set(ip, validTimestamps);
-      }
-    }
-    // Clean up IPs with no active connections
-    for (const [ip, connections] of this.connectionsByIP.entries()) {
-      if (connections.size === 0) {
-        this.connectionsByIP.delete(ip);
-        cleanedIPs++;
-      }
-    }
-    if (cleanedRateLimits > 0 || cleanedIPs > 0) {
-      this.logger.debug(`IP cleanup: removed ${cleanedIPs} IPs and ${cleanedRateLimits} rate limits`);
-    }
-  }
-}