@revealui/security 0.2.4 → 0.2.5

package/dist/index.js

@@ -1,394 +1,227 @@
-// src/audit.ts
-var AuditSystem = class {
-  storage;
-  filters = [];
-  constructor(storage) {
-    this.storage = storage;
+import {
+  AuditReportGenerator,
+  AuditSystem,
+  AuditTrail,
+  InMemoryAuditStorage,
+  audit,
+  createAuditMiddleware,
+  signAuditEntry,
+  verifyAuditEntry
+} from "./chunk-Q5KAPSST.js";
+
+// src/logger.ts
+var securityLogger = console;
+function configureSecurityLogger(logger) {
+  securityLogger = logger;
+}
+function getSecurityLogger() {
+  return securityLogger;
+}
+
+// src/alerting.ts
+var DEFAULT_THRESHOLDS = {
+  failedLogins: {
+    maxCount: 10,
+    windowMs: 15 * 60 * 1e3,
+    severity: "high",
+    messageTemplate: "Excessive failed logins detected: {count} attempts in 15 minutes"
+  },
+  privilegeEscalation: {
+    maxCount: 1,
+    windowMs: 60 * 60 * 1e3,
+    severity: "critical",
+    messageTemplate: "Privilege escalation detected: role changed to admin"
+  },
+  massDataExport: {
+    maxCount: 100,
+    windowMs: 60 * 60 * 1e3,
+    severity: "high",
+    messageTemplate: "Mass data export detected: {count} exports in 1 hour"
+  },
+  accountLockout: {
+    maxCount: 1,
+    windowMs: 60 * 60 * 1e3,
+    severity: "high",
+    messageTemplate: "Account lockout triggered"
+  },
+  mfaDisabled: {
+    maxCount: 1,
+    windowMs: 60 * 60 * 1e3,
+    severity: "critical",
+    messageTemplate: "MFA disabled on account"
   }
-  /**
-   * Log audit event
-   */
-  async log(event) {
-    const fullEvent = {
-      ...event,
-      id: crypto.randomUUID(),
-      timestamp: (/* @__PURE__ */ new Date()).toISOString()
-    };
-    const shouldLog = this.filters.every((filter) => filter(fullEvent));
-    if (!shouldLog) {
-      return;
+};
+var LogAlertHandler = class {
+  /** Write alert details to the configured security logger. */
+  async handle(alert) {
+    const logger = getSecurityLogger();
+    const prefix = `[SecurityAlert:${alert.type}]`;
+    if (alert.severity === "critical") {
+      logger.error(`${prefix} ${alert.message}`, alert.context);
+    } else {
+      logger.warn(`${prefix} ${alert.message}`, alert.context);
     }
-    await this.storage.write(fullEvent);
-  }
-  /**
-   * Log authentication event
-   */
-  async logAuth(type, actorId, result, metadata) {
-    await this.log({
-      type,
-      severity: result === "failure" ? "medium" : "low",
-      actor: {
-        id: actorId,
-        type: "user"
-      },
-      action: type.replace("auth.", ""),
-      result,
-      metadata
-    });
-  }
-  /**
-   * Log data access event
-   */
-  async logDataAccess(action, actorId, resourceType, resourceId, result, changes) {
-    await this.log({
-      type: `data.${action}`,
-      severity: action === "delete" ? "high" : "medium",
-      actor: {
-        id: actorId,
-        type: "user"
-      },
-      resource: {
-        type: resourceType,
-        id: resourceId
-      },
-      action,
-      result,
-      changes
-    });
-  }
-  /**
-   * Log permission change
-   */
-  async logPermissionChange(action, actorId, targetUserId, permission, result) {
-    await this.log({
-      type: `permission.${action}`,
-      severity: "high",
-      actor: {
-        id: actorId,
-        type: "user"
-      },
-      resource: {
-        type: "user",
-        id: targetUserId
-      },
-      action,
-      result,
-      metadata: {
-        permission
-      }
-    });
-  }
-  /**
-   * Log security event
-   */
-  async logSecurityEvent(type, severity, actorId, message, metadata) {
-    await this.log({
-      type: `security.${type}`,
-      severity,
-      actor: {
-        id: actorId,
-        type: "user"
-      },
-      action: type,
-      result: "failure",
-      message,
-      metadata
-    });
-  }
-  /**
-   * Log GDPR event
-   */
-  async logGDPREvent(type, actorId, result, metadata) {
-    await this.log({
-      type: `gdpr.${type}`,
-      severity: "high",
-      actor: {
-        id: actorId,
-        type: "user"
-      },
-      action: type,
-      result,
-      metadata
-    });
   }
-  /**
-   * Query audit logs
-   */
-  async query(query) {
-    return this.storage.query(query);
-  }
-  /**
-   * Count audit logs
-   */
-  async count(query) {
-    return this.storage.count(query);
+};
+var AuditAlertHandler = class {
+  /** Record the alert in the audit trail with severity 'critical'. */
+  async handle(alert) {
+    try {
+      const { audit: audit2 } = await import("./audit-UF7PIYBU.js");
+      await audit2.logSecurityEvent(
+        "alert",
+        "critical",
+        alert.context.actorId ?? "system",
+        alert.message,
+        { alertType: alert.type, ...alert.context }
+      );
+    } catch {
+    }
   }
+};
+var WebhookAlertHandler = class {
+  url;
+  headers;
   /**
-   * Add filter
+   * Create a webhook alert handler.
+   *
+   * @param url - The webhook endpoint URL
+   * @param headers - Additional HTTP headers (e.g. authorization)
    */
-  addFilter(filter) {
-    this.filters.push(filter);
+  constructor(url, headers = {}) {
+    this.url = url;
+    this.headers = headers;
   }
-  /**
-   * Remove filter
-   */
-  removeFilter(filter) {
-    const index = this.filters.indexOf(filter);
-    if (index > -1) {
-      this.filters.splice(index, 1);
+  /** POST the alert payload to the configured webhook URL. */
+  async handle(alert) {
+    try {
+      await fetch(this.url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          ...this.headers
+        },
+        body: JSON.stringify(alert)
+      });
+    } catch {
+      const logger = getSecurityLogger();
+      logger.error(`[WebhookAlertHandler] Failed to POST alert to ${this.url}`);
     }
   }
 };
-var InMemoryAuditStorage = class {
-  events = [];
-  maxEvents;
-  constructor(maxEvents = 1e4) {
-    this.maxEvents = maxEvents;
-  }
-  async write(event) {
-    this.events.push(event);
-    if (this.events.length > this.maxEvents) {
-      this.events.shift();
-    }
+function mapEventToRule(event) {
+  if (event.type === "auth.failed_login") {
+    return "failedLogins";
   }
-  async query(query) {
-    let results = [...this.events];
-    if (query.types && query.types.length > 0) {
-      results = results.filter((e) => query.types?.includes(e.type));
+  if (event.type === "role.assign") {
+    const newRole = event.changes?.after?.role ?? event.metadata?.role;
+    if (newRole === "admin") {
+      return "privilegeEscalation";
     }
-    if (query.actorId) {
-      results = results.filter((e) => e.actor.id === query.actorId);
-    }
-    if (query.resourceType) {
-      results = results.filter((e) => e.resource?.type === query.resourceType);
-    }
-    if (query.resourceId) {
-      results = results.filter((e) => e.resource?.id === query.resourceId);
-    }
-    if (query.startDate) {
-      const startDate = query.startDate;
-      results = results.filter((e) => new Date(e.timestamp) >= startDate);
-    }
-    if (query.endDate) {
-      const endDate = query.endDate;
-      results = results.filter((e) => new Date(e.timestamp) <= endDate);
-    }
-    if (query.severity && query.severity.length > 0) {
-      results = results.filter((e) => query.severity?.includes(e.severity));
-    }
-    if (query.result && query.result.length > 0) {
-      results = results.filter((e) => query.result?.includes(e.result));
-    }
-    results.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
-    const offset = query.offset || 0;
-    const limit = query.limit || 100;
-    return results.slice(offset, offset + limit);
   }
-  async count(query) {
-    const results = await this.query({ ...query, limit: void 0, offset: void 0 });
-    return results.length;
+  if (event.type === "data.export") {
+    return "massDataExport";
   }
-  /**
-   * Clear all events
-   */
-  clear() {
-    this.events = [];
+  if (event.action === "account_locked") {
+    return "accountLockout";
   }
-  /**
-   * Get all events
-   */
-  getAll() {
-    return [...this.events];
+  if (event.type === "auth.mfa_disabled") {
+    return "mfaDisabled";
   }
-};
-function AuditTrail(type, action, options) {
-  return (_target, _propertyKey, descriptor) => {
-    const originalMethod = descriptor.value;
-    descriptor.value = async function(...args) {
-      const actorId = this.user?.id || "system";
-      const before = options?.captureChanges ? args[0] : void 0;
-      let result = "success";
-      let error;
-      try {
-        const returnValue = await originalMethod.apply(this, args);
-        if (this.audit) {
-          await this.audit.log({
-            type,
-            severity: options?.severity || "medium",
-            actor: {
-              id: actorId,
-              type: "user"
-            },
-            resource: options?.resourceType ? {
-              type: options.resourceType,
-              id: args[0]?.id || "unknown"
-            } : void 0,
-            action,
-            result,
-            changes: options?.captureChanges ? {
-              before,
-              after: returnValue
-            } : void 0
-          });
-        }
-        return returnValue;
-      } catch (err) {
-        result = "failure";
-        error = err;
-        if (this.audit) {
-          await this.audit.log({
-            type,
-            severity: "high",
-            actor: {
-              id: actorId,
-              type: "user"
-            },
-            resource: options?.resourceType ? {
-              type: options.resourceType,
-              id: args[0]?.id || "unknown"
-            } : void 0,
-            action,
-            result,
-            message: error.message
-          });
-        }
-        throw error;
-      }
-    };
-    return descriptor;
-  };
+  return null;
 }
-function createAuditMiddleware(audit2, getUser) {
-  return async (request, next) => {
-    const user = getUser(request);
-    const startTime = Date.now();
-    try {
-      const response = await next();
-      await audit2.log({
-        type: "data.read",
-        severity: "low",
-        actor: {
-          id: user.id,
-          type: "user",
-          ip: user.ip,
-          userAgent: user.userAgent
-        },
-        action: request.method,
-        result: "success",
-        metadata: {
-          path: request.url,
-          duration: Date.now() - startTime,
-          status: response.status
-        }
-      });
-      return response;
-    } catch (error) {
-      await audit2.log({
-        type: "data.read",
-        severity: "medium",
-        actor: {
-          id: user.id,
-          type: "user",
-          ip: user.ip,
-          userAgent: user.userAgent
-        },
-        action: request.method,
-        result: "failure",
-        message: error instanceof Error ? error.message : "Unknown error",
-        metadata: {
-          path: request.url,
-          duration: Date.now() - startTime
-        }
-      });
-      throw error;
-    }
-  };
-}
-var AuditReportGenerator = class {
-  constructor(audit2) {
-    this.audit = audit2;
+function getGroupKey(event, ruleName) {
+  if (ruleName === "failedLogins") {
+    return `${ruleName}:${event.actor.id}`;
   }
+  if (ruleName === "massDataExport") {
+    return ruleName;
+  }
+  return `${ruleName}:${event.actor.id}`;
+}
+var SecurityAlertService = class {
+  config;
+  windows = /* @__PURE__ */ new Map();
   /**
-   * Generate security report
+   * Create a new SecurityAlertService.
+   *
+   * @param config - Alerting configuration with thresholds and handlers
    */
-  async generateSecurityReport(startDate, endDate) {
-    const allEvents = await this.audit.query({
-      startDate,
-      endDate
-    });
-    const securityViolations = allEvents.filter((e) => e.type.startsWith("security.")).length;
-    const failedLogins = allEvents.filter((e) => e.type === "auth.failed_login").length;
-    const permissionChanges = allEvents.filter((e) => e.type.startsWith("permission.")).length;
-    const dataExports = allEvents.filter((e) => e.type === "data.export").length;
-    const criticalEvents = allEvents.filter((e) => e.severity === "critical");
-    return {
-      totalEvents: allEvents.length,
-      securityViolations,
-      failedLogins,
-      permissionChanges,
-      dataExports,
-      criticalEvents
-    };
+  constructor(config) {
+    this.config = config;
   }
   /**
-   * Generate user activity report
+   * Evaluate a single audit event against all threshold rules.
+   * If a threshold is breached, dispatches alerts to all handlers.
+   *
+   * @param event - The audit event to evaluate
+   * @returns The alert that was dispatched, or null if no threshold was breached
    */
-  async generateUserActivityReport(userId, startDate, endDate) {
-    const events = await this.audit.query({
-      actorId: userId,
-      startDate,
-      endDate
-    });
-    const actionsByType = events.reduce(
-      (acc, event) => {
-        acc[event.type] = (acc[event.type] || 0) + 1;
-        return acc;
+  async evaluateEvent(event) {
+    const ruleName = mapEventToRule(event);
+    if (!ruleName) {
+      return null;
+    }
+    const rule = this.config.thresholds[ruleName];
+    if (!rule) {
+      return null;
+    }
+    const groupKey = getGroupKey(event, ruleName);
+    const now = Date.now();
+    const cutoff = now - rule.windowMs;
+    let entry = this.windows.get(groupKey);
+    if (!entry) {
+      entry = { timestamps: [], lastAlertAt: 0 };
+      this.windows.set(groupKey, entry);
+    }
+    entry.timestamps.push(now);
+    entry.timestamps = entry.timestamps.filter((ts) => ts > cutoff);
+    if (entry.timestamps.length < rule.maxCount) {
+      return null;
+    }
+    if (entry.lastAlertAt > cutoff) {
+      return null;
+    }
+    entry.lastAlertAt = now;
+    const message = rule.messageTemplate.includes("{count}") ? rule.messageTemplate.split("{count}").join(String(entry.timestamps.length)) : rule.messageTemplate;
+    const alert = {
+      type: ruleName,
+      severity: rule.severity,
+      message,
+      context: {
+        actorId: event.actor.id,
+        eventType: event.type,
+        count: entry.timestamps.length,
+        windowMs: rule.windowMs
       },
-      {}
-    );
-    const failedActions = events.filter((e) => e.result === "failure").length;
-    return {
-      totalActions: events.length,
-      actionsByType,
-      failedActions,
-      recentActions: events.slice(0, 10)
+      timestamp: new Date(now).toISOString()
     };
+    await this.dispatchAlert(alert);
+    return alert;
   }
   /**
-   * Generate compliance report
+   * Clear all sliding window state. Useful for testing.
    */
-  async generateComplianceReport(startDate, endDate) {
-    const events = await this.audit.query({
-      startDate,
-      endDate
-    });
-    const dataAccesses = events.filter((e) => e.type === "data.read").length;
-    const dataModifications = events.filter(
-      (e) => e.type === "data.update" || e.type === "data.create"
-    ).length;
-    const dataDeletions = events.filter((e) => e.type === "data.delete").length;
-    const gdprRequests = events.filter((e) => e.type.startsWith("gdpr.")).length;
-    const auditTrailComplete = this.checkAuditTrailContinuity(events);
-    return {
-      dataAccesses,
-      dataModifications,
-      dataDeletions,
-      gdprRequests,
-      auditTrailComplete
-    };
+  reset() {
+    this.windows.clear();
   }
   /**
-   * Check audit trail continuity
+   * Dispatch an alert to all configured handlers.
+   * Errors in individual handlers are logged but do not prevent
+   * other handlers from receiving the alert.
    */
-  checkAuditTrailContinuity(events) {
-    if (events.length === 0) return true;
-    const sorted = events.sort(
-      (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
-    );
-    return sorted.length > 0;
+  async dispatchAlert(alert) {
+    const results = this.config.handlers.map(async (handler) => {
+      try {
+        await handler.handle(alert);
+      } catch {
+        const logger = getSecurityLogger();
+        logger.error(`[SecurityAlertService] Handler failed for alert type=${alert.type}`);
+      }
+    });
+    await Promise.all(results);
   }
 };
-var audit = new AuditSystem(new InMemoryAuditStorage());
 
 // src/auth.ts
 import { createHmac, timingSafeEqual } from "crypto";
@@ -1506,17 +1339,6 @@ var TokenGenerator = {
 
 // src/gdpr.ts
 import { createHash, createHmac as createHmac2 } from "crypto";
-
-// src/logger.ts
-var securityLogger = console;
-function configureSecurityLogger(logger) {
-  securityLogger = logger;
-}
-function getSecurityLogger() {
-  return securityLogger;
-}
-
-// src/gdpr.ts
 var ConsentManager = class {
   storage;
   consentVersion = "1.0.0";
@@ -2400,6 +2222,7 @@ function setRateLimitHeaders(response, limit, remaining, reset) {
   response.headers.set("X-RateLimit-Reset", reset.toString());
 }
 export {
+  AuditAlertHandler,
   AuditReportGenerator,
   AuditSystem,
   AuditTrail,
@@ -2409,6 +2232,7 @@ export {
   CommonRoles,
   ConsentManager,
   CookieConsentManager,
+  DEFAULT_THRESHOLDS,
   DataAnonymization,
   DataBreachManager,
   DataDeletionSystem,
@@ -2421,6 +2245,7 @@ export {
   InMemoryBreachStorage,
   InMemoryGDPRStorage,
   KeyRotationManager,
+  LogAlertHandler,
   OAuthClient,
   OAuthProviders,
   PasswordHasher,
@@ -2430,10 +2255,12 @@ export {
   PrivacyPolicyManager,
   RequirePermission,
   RequireRole,
+  SecurityAlertService,
   SecurityHeaders,
   SecurityPresets,
   TokenGenerator,
   TwoFactorAuth,
+  WebhookAlertHandler,
   audit,
   authorization,
   canAccessResource,
@@ -2450,6 +2277,8 @@ export {
   encryption,
   permissionCache,
   privacyPolicyManager,
-  setRateLimitHeaders
+  setRateLimitHeaders,
+  signAuditEntry,
+  verifyAuditEntry
 };
 //# sourceMappingURL=index.js.map