@reldens/server-utils 0.27.0 → 0.29.0

package/README.md

@@ -1,13 +1,13 @@
 # Reldens - Server Utils
 
-A Node.js server toolkit providing secure application server creation, file handling, encryption, and file upload capabilities for production-ready applications.
+A Node.js server toolkit providing secure application server creation, file handling, encryption, and file upload capabilities for production-ready applications with modular security configurations.
 
 [![Reldens - GitHub - Release](https://www.dwdeveloper.com/media/reldens/reldens-mmorpg-platform.png)](https://github.com/damian-pastorini/reldens)
 
 ## Features
 
 ### AppServerFactory
-- Complete Express.js server configuration with security defaults
+- Complete Express.js server configuration with modular security
 - HTTPS/HTTP server creation with SSL certificate management
 - SNI (Server Name Indication) support for multi-domain hosting
 - Virtual host management with domain mapping
@@ -20,8 +20,18 @@ A Node.js server toolkit providing secure application server creation, file hand
 - Trusted proxy configuration
 - Request parsing with size limits and validation
 - Static file serving with security headers
+- Compression middleware with smart filtering
 - Input validation utilities
 
+#### Modular Security Components
+The AppServerFactory now uses specialized security configurers:
+
+- **CorsConfigurer** - Dynamic CORS origin validation with development domain support
+- **DevelopmentModeDetector** - Automatic development environment detection
+- **ProtocolEnforcer** - Protocol redirection with development mode awareness
+- **RateLimitConfigurer** - Global and endpoint-specific rate limiting
+- **SecurityConfigurer** - Helmet integration with CSP management and XSS protection
+
 ### FileHandler
 - Secure file system operations with path validation
 - File and folder creation, copying, and removal
@@ -34,6 +44,8 @@ A Node.js server toolkit providing secure application server creation, file hand
 - Temporary file creation
 - File quarantine functionality for security threats
 - Binary file head reading for type detection
+- Directory walking with callback processing
+- File comparison and relative path calculations
 - Comprehensive error handling with detailed context
 
 ### Encryptor
@@ -77,7 +89,8 @@ let appServerFactory = new AppServerFactory();
 let serverResult = appServerFactory.createAppServer({
     port: 3000,
     useHttps: false,
-    autoListen: true
+    autoListen: true,
+    useCompression: true
 });
 
 if(serverResult){
@@ -183,7 +196,9 @@ let serverResult = appServerFactory.createAppServer({
     useVirtualHosts: true,
     keyPath: '/ssl/default.key',
     certPath: '/ssl/default.crt',
-    port: 443
+    port: 443,
+    enforceProtocol: true,
+    developmentMultiplier: 10
 });
 ```
 
@@ -192,7 +207,7 @@ let serverResult = appServerFactory.createAppServer({
 ```javascript
 let appServerFactory = new AppServerFactory();
 
-// Add development domains
+// Add development domains (automatically detected)
 appServerFactory.addDevelopmentDomain('localhost');
 appServerFactory.addDevelopmentDomain('dev.myapp.local');
 
@@ -200,6 +215,11 @@ let serverResult = appServerFactory.createAppServer({
     port: 3000,
     corsOrigin: ['http://localhost:3000', 'http://dev.myapp.local:3000'],
     developmentMultiplier: 5, // More lenient rate limiting in dev
+    developmentPorts: [3000, 3001, 8080],
+    developmentExternalDomains: {
+        'script-src': ['https://cdn.example.com'],
+        'style-src': ['https://fonts.googleapis.com']
+    }
 });
 ```
 
@@ -222,7 +242,9 @@ let serverResult = appServerFactory.createAppServer({
     globalRateLimit: 100, // requests per window
     windowMs: 60000, // 1 minute
     maxRequests: 30,
-    trustedProxy: '127.0.0.1'
+    trustedProxy: '127.0.0.1',
+    useXssProtection: true,
+    sanitizeOptions: {allowedTags: [], allowedAttributes: {}}
 });
 ```
 
@@ -237,7 +259,6 @@ let serverResult = appServerFactory.createAppServer({
 - `enableServeHome(app, callback)` - Enables homepage serving
 - `serveStatics(app, staticPath)` - Serves static files
 - `serveStaticsPath(app, route, staticPath)` - Serves static files on specific route
-- `validateInput(input, type)` - Validates input against predefined patterns
 - `enableCSP(cspOptions)` - Enables Content Security Policy
 - `listen(port)` - Starts server listening
 - `close()` - Gracefully closes server
@@ -263,6 +284,13 @@ let serverResult = appServerFactory.createAppServer({
 - `generateSecureFilename(originalName)` - Generates cryptographically secure filename
 - `quarantineFile(path, reason)` - Moves file to quarantine folder
 - `createTempFile(prefix, extension)` - Creates a temporary file path
+- `moveFile(from, to)` - Moves file to new location
+- `getFileSize(path)` - Gets file size in bytes
+- `compareFiles(file1, file2)` - Compares file contents
+- `getRelativePath(from, to)` - Calculates relative path
+- `walkDirectory(path, callback)` - Recursively processes directory tree
+- `getDirectorySize(path)` - Calculates total directory size
+- `emptyDirectory(path)` - Removes all contents from directory
 
 ### Encryptor Methods
 
@@ -284,6 +312,7 @@ let serverResult = appServerFactory.createAppServer({
 - `validateFilenameSecurity(filename)` - Validates filename for security
 - `validateFile(file, allowedType, callback)` - Validates a file during upload
 - `validateFileContents(file, allowedType)` - Validates file content after upload
+- `convertToRegex(key)` - Converts MIME type patterns to regex
 
 ## Security Features
 

package/lib/app-server-factory/cors-configurer.js

@@ -17,7 +17,7 @@ class CorsConfigurer
         this.corsMethods = ['GET','POST'];
         this.corsHeaders = ['Content-Type','Authorization'];
         this.developmentCorsOrigins = [];
-        this.developmentPorts = [3000, 8080, 8081];
+        this.developmentPorts = [];
     }
 
     setup(app, config)
@@ -40,12 +40,15 @@ class CorsConfigurer
             allowedHeaders: this.corsHeaders,
             credentials: true
         };
+        if('*' === this.corsOrigin && true === corsOptions.credentials){
+            corsOptions.origin = true;
+        }
         if(this.isDevelopmentMode && 0 < this.developmentCorsOrigins.length){
             corsOptions.origin = (origin, callback) => {
                 if(!origin){
                     return callback(null, true);
                 }
-                if(-1 !== this.developmentCorsOrigins.indexOf(origin)){
+                if(-1 !== this.developmentCorsOrigins.indexOf(this.normalizeHost(origin))){
                     return callback(null, true);
                 }
                 if('*' === this.corsOrigin){
@@ -59,20 +62,32 @@ class CorsConfigurer
 
     extractDevelopmentOrigins(domainMapping)
     {
-        let origins = [];
+        let originsSet = new Set();
         let mappingKeys = Object.keys(domainMapping);
         for(let domain of mappingKeys){
-            origins.push('http://'+domain);
-            origins.push('https://'+domain);
-            if(domain.includes(':')){
+            let normalizedDomain = this.normalizeHost(domain);
+            originsSet.add('http://'+normalizedDomain);
+            originsSet.add('https://'+normalizedDomain);
+            if(-1 !== normalizedDomain.indexOf(':')){
                 continue;
             }
-            for(let port of this.developmentPorts){
-                origins.push('http://'+domain+':'+port);
-                origins.push('https://'+domain+':'+port);
+            if(0 < this.developmentPorts.length){
+                for(let port of this.developmentPorts){
+                    originsSet.add('http://'+normalizedDomain+':'+port);
+                    originsSet.add('https://'+normalizedDomain+':'+port);
+                }
             }
         }
-        return origins;
+        return Array.from(originsSet);
+    }
+
+    normalizeHost(originOrHost)
+    {
+        let normalizedHost = (''+originOrHost).toLowerCase();
+        if('/' === normalizedHost.charAt(normalizedHost.length - 1)){
+            normalizedHost = normalizedHost.substring(0, normalizedHost.length - 1);
+        }
+        return normalizedHost;
     }
 
 }

package/lib/app-server-factory/development-mode-detector.js

@@ -26,6 +26,7 @@ class DevelopmentModeDetector
             'staging.'
         ];
         this.developmentEnvironments = ['development', 'dev', 'test'];
+        this.env = process?.env?.NODE_ENV || 'production';
     }
 
     detect(config = {})
@@ -36,8 +37,7 @@ class DevelopmentModeDetector
         if(config.developmentEnvironments){
             this.developmentEnvironments = config.developmentEnvironments;
         }
-        let env = process.env.NODE_ENV;
-        if(this.developmentEnvironments.includes(env)){
+        if(this.developmentEnvironments.includes(this.env)){
             return true;
         }
         if(config.developmentDomains && 0 < config.developmentDomains.length){
@@ -49,7 +49,7 @@ class DevelopmentModeDetector
         }
         if(config.domains && 0 < config.domains.length){
             for(let domainConfig of config.domains){
-                if(!domainConfig.hostname){
+                if(!domainConfig?.hostname){
                     continue;
                 }
                 if(this.matchesPattern(domainConfig.hostname)){
@@ -62,8 +62,34 @@ class DevelopmentModeDetector
 
     matchesPattern(domain)
     {
-        for(let pattern of this.developmentPatterns){
-            if(domain.includes(pattern)){
+        if(!domain){
+            return false;
+        }
+        let d = (''+domain).toLowerCase();
+        if('localhost' === d){
+            return true;
+        }
+        if('127.0.0.1' === d){
+            return true;
+        }
+        if('::1' === d){
+            return true;
+        }
+        for(let pattern of this.developmentPatterns || []){
+            if(!pattern){
+                continue;
+            }
+            let p = (''+pattern).toLowerCase();
+            if('.' === p.charAt(0) && d.endsWith(p)){
+                return true;
+            }
+            if('.' === p.charAt(p.length - 1) && 0 === d.indexOf(p)){
+                return true;
+            }
+            if(d === p){
+                return true;
+            }
+            if(0 <= d.indexOf(p)){
                 return true;
             }
         }

package/lib/app-server-factory/protocol-enforcer.js

@@ -20,8 +20,8 @@ class ProtocolEnforcer
         this.useHttps = config.useHttps || false;
         this.enforceProtocol = config.enforceProtocol !== false;
         app.use((req, res, next) => {
-            let protocol = req.get('X-Forwarded-Proto') || req.protocol;
-            let host = req.get('host');
+            let protocol = (req.get('X-Forwarded-Proto') || req.protocol || '').toLowerCase();
+            let host = (req.get('host') || '').toLowerCase().trim();
             if(this.isDevelopmentMode){
                 res.removeHeader('Origin-Agent-Cluster');
                 res.removeHeader('Strict-Transport-Security');
@@ -29,12 +29,10 @@ class ProtocolEnforcer
                 res.set('Origin-Agent-Cluster', '?0');
                 if(this.enforceProtocol && host){
                     if(!this.useHttps && 'https' === protocol){
-                        let redirectUrl = 'http://'+host+req.url;
-                        return res.redirect(301, redirectUrl);
+                        return res.redirect(301, 'http://'+host+req.url);
                     }
                     if(this.useHttps && 'http' === protocol){
-                        let redirectUrl = 'https://'+host+req.url;
-                        return res.redirect(301, redirectUrl);
+                        return res.redirect(301, 'https://'+host+req.url);
                     }
                 }
             }

package/lib/app-server-factory/rate-limit-configurer.js

@@ -25,9 +25,9 @@ class RateLimitConfigurer
     {
         this.isDevelopmentMode = config.isDevelopmentMode || false;
         this.globalRateLimit = config.globalRateLimit || 0;
-        this.windowMs = config.windowMs || this.windowMs;
-        this.maxRequests = config.maxRequests || this.maxRequests;
-        this.developmentMultiplier = config.developmentMultiplier || this.developmentMultiplier;
+        this.windowMs = Number(config.windowMs || this.windowMs);
+        this.maxRequests = Number(config.maxRequests || this.maxRequests);
+        this.developmentMultiplier = Number(config.developmentMultiplier || this.developmentMultiplier);
         this.applyKeyGenerator = config.applyKeyGenerator || false;
         this.tooManyRequestsMessage = config.tooManyRequestsMessage || this.tooManyRequestsMessage;
         if(!this.globalRateLimit){
@@ -36,7 +36,7 @@ class RateLimitConfigurer
         let limiterParams = {
             windowMs: this.windowMs,
             limit: this.maxRequests,
-            standardHeaders: true,
+            standardHeaders: 'draft-8',
             legacyHeaders: false,
             message: this.tooManyRequestsMessage
         };
@@ -56,7 +56,7 @@ class RateLimitConfigurer
         let limiterParams = {
             windowMs: this.windowMs,
             limit: this.maxRequests,
-            standardHeaders: true,
+            standardHeaders: 'draft-8',
             legacyHeaders: false
         };
         if(this.isDevelopmentMode){

package/lib/app-server-factory/security-configurer.js

@@ -63,7 +63,10 @@ class SecurityConfigurer
             }
         };
         if(config.developmentExternalDomains){
-            this.addExternalDomainsToCsp(helmetOptions.contentSecurityPolicy.directives, config.developmentExternalDomains);
+            this.addExternalDomainsToCsp(
+                helmetOptions.contentSecurityPolicy.directives,
+                config.developmentExternalDomains
+            );
         }
         return helmetOptions;
     }
@@ -99,7 +102,7 @@ class SecurityConfigurer
             if(!req.body){
                 return next();
             }
-            if('object' === typeof req.body){
+            if('object' === typeof req.body && null !== req.body){
                 this.sanitizeRequestBody(req.body);
             }
             next();
@@ -108,9 +111,24 @@ class SecurityConfigurer
 
     sanitizeRequestBody(body)
     {
-        let bodyKeys = Object.keys(body);
-        for(let i = 0; i < bodyKeys.length; i++){
-            let key = bodyKeys[i];
+        if(Array.isArray(body)){
+            for(let i = 0; i < body.length; i++){
+                if('string' === typeof body[i]){
+                    body[i] = sanitizeHtml(body[i], this.sanitizeOptions);
+                    continue;
+                }
+                if('object' === typeof body[i] && null !== body[i]){
+                    this.sanitizeRequestBody(body[i]);
+                }
+            }
+            return;
+        }
+        if('object' !== typeof body || null === body){
+            return;
+        }
+        let keys = Object.keys(body);
+        for(let i = 0; i < keys.length; i++){
+            let key = keys[i];
             if('string' === typeof body[key]){
                 body[key] = sanitizeHtml(body[key], this.sanitizeOptions);
                 continue;

package/lib/app-server-factory.js

@@ -48,8 +48,8 @@ class AppServerFactory
         this.useXssProtection = true;
         this.globalRateLimit = 0;
         this.corsOrigin = '*';
-        this.corsMethods = ['GET','POST'];
-        this.corsHeaders = ['Content-Type','Authorization'];
+        this.corsMethods = [];
+        this.corsHeaders = [];
         this.tooManyRequestsMessage = 'Too many requests, please try again later.';
         this.error = {};
         this.processErrorResponse = false;
@@ -74,16 +74,9 @@ class AppServerFactory
         this.developmentDomains = [];
         this.domainMapping = {};
         this.enforceProtocol = true;
-        this.developmentPatterns = [
-            'localhost',
-            '127.0.0.1',
-            '.local',
-            '.test',
-            '.dev',
-            '.staging'
-        ];
-        this.developmentEnvironments = ['development', 'dev', 'test'];
-        this.developmentPorts = [3000, 8080, 8081];
+        this.developmentPatterns = [];
+        this.developmentEnvironments = [];
+        this.developmentPorts = [];
         this.developmentMultiplier = 10;
         this.developmentExternalDomains = {};
         this.developmentModeDetector = new DevelopmentModeDetector();
@@ -133,10 +126,10 @@ class AppServerFactory
 
     extractDomainFromHttpUrl(url)
     {
-        if(!url || (!url.startsWith('http://') && !url.startsWith('https://'))){
+        if(!url || !url.startsWith('http://')){
             return false;
         }
-        return url.replace(/^https?:\/\//, '').split(':')[0];
+        return url.replace(/^http:\/\//, '').split(':')[0];
     }
 
     addHttpDomainsAsDevelopment()
@@ -153,12 +146,17 @@ class AppServerFactory
 
     detectDevelopmentMode()
     {
-        this.isDevelopmentMode = this.developmentModeDetector.detect({
-            developmentPatterns: this.developmentPatterns,
-            developmentEnvironments: this.developmentEnvironments,
+        let detectConfig = {
             developmentDomains: this.developmentDomains,
             domains: this.domains
-        });
+        };
+        if(0 < this.developmentPatterns.length){
+            detectConfig['developmentPatterns'] = this.developmentPatterns;
+        }
+        if(0 < this.developmentEnvironments.length){
+            detectConfig['developmentEnvironments'] = this.developmentEnvironments;
+        }
+        this.isDevelopmentMode = this.developmentModeDetector.detect(detectConfig);
     }
 
     setupDevelopmentConfiguration()
@@ -208,15 +206,28 @@ class AppServerFactory
 
     setupCors()
     {
-        this.corsConfigurer.setup(this.app, {
+        let corsConfig = {
             isDevelopmentMode: this.isDevelopmentMode,
             useCors: this.useCors,
-            corsOrigin: this.corsOrigin,
-            corsMethods: this.corsMethods,
-            corsHeaders: this.corsHeaders,
-            domainMapping: this.domainMapping,
-            developmentPorts: this.developmentPorts
-        });
+            corsOrigin: this.corsOrigin
+        };
+        if(0 < this.corsMethods.length){
+            corsConfig['corsMethods'] = this.corsMethods;
+        }
+        if(0 < this.corsHeaders.length){
+            corsConfig['corsHeaders'] = this.corsHeaders;
+        }
+        if(0 < this.developmentPorts.length){
+            corsConfig['developmentPorts'] = this.developmentPorts;
+        }
+        if(
+            'object' === typeof this.domainMapping
+            && null !== this.domainMapping
+            && 0 < Object.keys(this.domainMapping)
+        ){
+            corsConfig['domainMapping'] = this.domainMapping;
+        }
+        this.corsConfigurer.setup(this.app, corsConfig);
     }
 
     setupRateLimiting()
@@ -255,7 +266,7 @@ class AppServerFactory
     setupTrustedProxy()
     {
         if('' !== this.trustedProxy){
-            this.app.enable('trust proxy', this.trustedProxy);
+            this.app.set('trust proxy', this.trustedProxy);
         }
     }
 
@@ -308,12 +319,13 @@ class AppServerFactory
             return false;
         }
         let cleanHostname = hostname.toLowerCase().trim();
+        let hostWithoutPort = cleanHostname.split(':')[0];
         for(let i = 0; i < this.domains.length; i++){
             let domain = this.domains[i];
-            if(domain.hostname === cleanHostname){
+            if(domain.hostname === hostWithoutPort){
                 return domain;
             }
-            if(domain.aliases && domain.aliases.includes(cleanHostname)){
+            if(domain.aliases && domain.aliases.includes(hostWithoutPort)){
                 return domain;
             }
         }
@@ -499,23 +511,6 @@ class AppServerFactory
         return this.securityConfigurer.enableCSP(this.app, cspOptions);
     }
 
-    validateInput(input, type)
-    {
-        if('string' !== typeof input){
-            return false;
-        }
-        let patterns = {
-            email: /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/,
-            username: /^[a-zA-Z0-9_-]{3,30}$/,
-            strongPassword: /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/,
-            alphanumeric: /^[a-zA-Z0-9]+$/,
-            numeric: /^\d+$/,
-            hexColor: /^#([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/,
-            ipv4: /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/
-        };
-        return patterns[type] ? patterns[type].test(input) : false;
-    }
-
 }
 
 module.exports.AppServerFactory = AppServerFactory;

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@reldens/server-utils",
     "scope": "@reldens",
-    "version": "0.27.0",
+    "version": "0.29.0",
     "description": "Reldens - Server Utils",
     "author": "Damian A. Pastorini",
     "license": "MIT",

package/app-server-factory-v2.patch

@@ -1,29 +0,0 @@
---- a/lib/app-server-factory.js
-+++ b/lib/app-server-factory.js
-@@ -141,10 +141,14 @@ class AppServerFactory
-
-     addHttpDomainsAsDevelopment()
-     {
-+        console.log('ENV VARS:', process.env.RELDENS_APP_HOST, process.env.RELDENS_PUBLIC_URL);
-         let hostDomain = this.extractDomainFromHttpUrl(process.env.RELDENS_APP_HOST);
-         let publicDomain = this.extractDomainFromHttpUrl(process.env.RELDENS_PUBLIC_URL);
-+        console.log('EXTRACTED DOMAINS:', hostDomain, publicDomain);
-         if(hostDomain && !this.developmentDomains.includes(hostDomain)){
-             this.developmentDomains.push(hostDomain);
-+            console.log('ADDED HOST DOMAIN:', hostDomain);
-         }
-         if(publicDomain && !this.developmentDomains.includes(publicDomain)){
-             this.developmentDomains.push(publicDomain);
-+            console.log('ADDED PUBLIC DOMAIN:', publicDomain);
-         }
-+        console.log('FINAL DEVELOPMENT DOMAINS:', this.developmentDomains);
-     }
-@@ -154,6 +158,7 @@ class AppServerFactory
-         this.isDevelopmentMode = this.developmentModeDetector.detect({
-             developmentPatterns: this.developmentPatterns,
-             developmentEnvironments: this.developmentEnvironments,
-             developmentDomains: this.developmentDomains,
-             domains: this.domains
-         });
-+        console.log('DEVELOPMENT MODE DETECTED:', this.isDevelopmentMode);
-     }