npm - @rsdk/db - Versions diffs - 5.11.0-next.1 → 5.11.0-next.10 - Mend

@rsdk/db 5.11.0-next.1 → 5.11.0-next.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -6,3 +6,4 @@ export { TransactionRunner } from './transactional.runner';
 export { Propagation } from './propagation.enum';
 export { HEALTH_CHECK_QUERY } from './constants';
 export { getSecureContextOptions } from './tls';
+export { SslModeEnum } from './ssl-mode.enum';

package/dist/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getSecureContextOptions = exports.HEALTH_CHECK_QUERY = exports.Propagation = exports.TransactionRunner = exports.IncompatibleIsolationLevels = exports.CallOutOfContextWithMandatory = exports.NeverRunningInTransaction = exports.BaseContext = exports.ContextStorage = void 0;
+exports.SslModeEnum = exports.getSecureContextOptions = exports.HEALTH_CHECK_QUERY = exports.Propagation = exports.TransactionRunner = exports.IncompatibleIsolationLevels = exports.CallOutOfContextWithMandatory = exports.NeverRunningInTransaction = exports.BaseContext = exports.ContextStorage = void 0;
 var context_storage_1 = require("./context.storage");
 Object.defineProperty(exports, "ContextStorage", { enumerable: true, get: function () { return context_storage_1.ContextStorage; } });
 var context_base_1 = require("./context.base");
@@ -17,4 +17,6 @@ var constants_1 = require("./constants");
 Object.defineProperty(exports, "HEALTH_CHECK_QUERY", { enumerable: true, get: function () { return constants_1.HEALTH_CHECK_QUERY; } });
 var tls_1 = require("./tls");
 Object.defineProperty(exports, "getSecureContextOptions", { enumerable: true, get: function () { return tls_1.getSecureContextOptions; } });
+var ssl_mode_enum_1 = require("./ssl-mode.enum");
+Object.defineProperty(exports, "SslModeEnum", { enumerable: true, get: function () { return ssl_mode_enum_1.SslModeEnum; } });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,qDAAmD;AAA1C,iHAAA,cAAc,OAAA;AACvB,+CAA6C;AAApC,2GAAA,WAAW,OAAA;AAEpB,2CAIsB;AAHpB,uHAAA,yBAAyB,OAAA;AACzB,2HAAA,6BAA6B,OAAA;AAC7B,yHAAA,2BAA2B,OAAA;AAE7B,+DAA2D;AAAlD,yHAAA,iBAAiB,OAAA;AAC1B,uDAAiD;AAAxC,+GAAA,WAAW,OAAA;AACpB,yCAAiD;AAAxC,+GAAA,kBAAkB,OAAA;AAC3B,6BAAgD;AAAvC,8GAAA,uBAAuB,OAAA"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,qDAAmD;AAA1C,iHAAA,cAAc,OAAA;AACvB,+CAA6C;AAApC,2GAAA,WAAW,OAAA;AAEpB,2CAIsB;AAHpB,uHAAA,yBAAyB,OAAA;AACzB,2HAAA,6BAA6B,OAAA;AAC7B,yHAAA,2BAA2B,OAAA;AAE7B,+DAA2D;AAAlD,yHAAA,iBAAiB,OAAA;AAC1B,uDAAiD;AAAxC,+GAAA,WAAW,OAAA;AACpB,yCAAiD;AAAxC,+GAAA,kBAAkB,OAAA;AAC3B,6BAAgD;AAAvC,8GAAA,uBAAuB,OAAA;AAChC,iDAA8C;AAArC,4GAAA,WAAW,OAAA"}

package/dist/ssl-mode.enum.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+export declare enum SslModeEnum {
+    DISABLE = "disable",
+    ALLOW = "allow",
+    PREFER = "prefer",
+    REQUIRE = "require",
+    VERIFY_CA = "verify-ca",
+    VERIFY_FULL = "verify-full"
+}

package/dist/ssl-mode.enum.js ADDED Viewed

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SslModeEnum = void 0;
+var SslModeEnum;
+(function (SslModeEnum) {
+    SslModeEnum["DISABLE"] = "disable";
+    SslModeEnum["ALLOW"] = "allow";
+    SslModeEnum["PREFER"] = "prefer";
+    SslModeEnum["REQUIRE"] = "require";
+    SslModeEnum["VERIFY_CA"] = "verify-ca";
+    SslModeEnum["VERIFY_FULL"] = "verify-full";
+})(SslModeEnum || (exports.SslModeEnum = SslModeEnum = {}));
+//# sourceMappingURL=ssl-mode.enum.js.map

package/dist/ssl-mode.enum.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"ssl-mode.enum.js","sourceRoot":"","sources":["../src/ssl-mode.enum.ts"],"names":[],"mappings":";;;AAAA,IAAY,WAOX;AAPD,WAAY,WAAW;IACrB,kCAAmB,CAAA;IACnB,8BAAe,CAAA;IACf,gCAAiB,CAAA;IACjB,kCAAmB,CAAA;IACnB,sCAAuB,CAAA;IACvB,0CAA2B,CAAA;AAC7B,CAAC,EAPW,WAAW,2BAAX,WAAW,QAOtB"}

package/dist/tls.d.ts CHANGED Viewed

@@ -1,5 +1,7 @@
 import type { SecureContextOptions } from 'node:tls';
+import type { SslModeEnum } from './ssl-mode.enum';
 export interface SecureConfig {
+    sslMode: SslModeEnum;
     allowSelfSignedCert?: boolean | undefined;
     tlsCa?: string | undefined;
     tlsCert?: string | undefined;
@@ -7,4 +9,5 @@ export interface SecureConfig {
 }
 export declare const getSecureContextOptions: (config: SecureConfig) => (Pick<SecureContextOptions, "ca" | "cert" | "key"> & {
     rejectUnauthorized: boolean;
+    checkServerIdentity?: (host: string, cert: any) => Error | undefined;
 }) | false;

package/dist/tls.js CHANGED Viewed

@@ -5,12 +5,12 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getSecureContextOptions = void 0;
 const node_fs_1 = __importDefault(require("node:fs"));
-const getSecureContextOptions = (config) => typeof config.allowSelfSignedCert === 'boolean' ||
-    config.tlsCa ||
-    config.tlsKey ||
-    config.tlsCert
-    ? {
-        rejectUnauthorized: !config.allowSelfSignedCert,
+const getSecureContextOptions = (config) => {
+    // disable - SSL полностью отключен
+    if (config.sslMode === 'disable') {
+        return false;
+    }
+    const tlsOptions = {
         ...(config.tlsCa && {
             ca: readFileIfExistsSync(config.tlsCa) ?? config.tlsCa,
         }),
@@ -20,8 +20,38 @@ const getSecureContextOptions = (config) => typeof config.allowSelfSignedCert ==
         ...(config.tlsCert && {
             cert: readFileIfExistsSync(config.tlsCert) ?? config.tlsCert,
         }),
+    };
+    // allow, prefer, require - SSL используется, но сертификат сервера не проверяется
+    // allow/prefer - в теории позволяют fallback на незащищенное соединение,
+    //   но в Node.js это контролируется сервером БД, а не клиентом
+    // require - требует SSL, но не проверяет валидность сертификата
+    // Все три режима защищают от пассивного прослушивания, но не от MITM атак
+    if (config.sslMode === 'allow' ||
+        config.sslMode === 'prefer' ||
+        config.sslMode === 'require') {
+        return {
+            rejectUnauthorized: false,
+            ...tlsOptions,
+        };
+    }
+    // verify-ca - проверяется, что сертификат сервера подписан доверенным CA,
+    // но hostname не проверяется. Защищает от MITM с самоподписанными сертификатами
+    if (config.sslMode === 'verify-ca') {
+        return {
+            rejectUnauthorized: !config.allowSelfSignedCert,
+            // Отключаем проверку hostname (принимаем любой hostname если CA валидный)
+            // eslint-disable-next-line unicorn/no-useless-undefined
+            checkServerIdentity: () => undefined,
+            ...tlsOptions,
+        };
     }
-    : false;
+    // verify-full - полная проверка сертификата включая hostname
+    // Самый безопасный режим, защищает от всех видов MITM атак
+    return {
+        rejectUnauthorized: !config.allowSelfSignedCert,
+        ...tlsOptions,
+    };
+};
 exports.getSecureContextOptions = getSecureContextOptions;
 const readFileIfExistsSync = (path) => node_fs_1.default.existsSync(path) ? node_fs_1.default.readFileSync(path) : undefined;
 //# sourceMappingURL=tls.js.map

package/dist/tls.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tls.js","sourceRoot":"","sources":["../src/tls.ts"],"names":[],"mappings":";;;;;;AAAA,sDAAyB;~~AAUlB~~,MAAM,uBAAuB,GAAG,CACrC,MAAoB,~~EAKZ~~,EAAE,~~CACV~~,~~OAAO~~,MAAM,CAAC,~~mBAAmB~~,KAAK,SAAS~~;IAC/C~~,~~MAAM~~,CAAC~~,KAAK~~;~~IACZ~~,~~MAAM~~,~~CAAC~~,~~MAAM;IACb,MAAM,~~CAAC~~,OAAO~~;~~IACZ~~,CAAC~~,CAAC~~;~~QACE~~,~~kBAAkB,EAAE,CAAC,~~MAAM,~~CAAC~~,~~mBAAmB~~;~~QAC/C~~,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI;YAClB,EAAE,EAAE,oBAAoB,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,KAAK;SACvD,CAAC;QACF,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI;YACnB,GAAG,EAAE,oBAAoB,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM;SAC1D,CAAC;QACF,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI;YACpB,IAAI,EAAE,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO;SAC7D,CAAC;KACH;~~IACH~~,CAAC,CAAC,KAAK,CAAC;~~AAvBC~~,QAAA,uBAAuB,~~2BAuBxB~~;~~AAEZ~~,MAAM,oBAAoB,GAAG,CAAC,IAAY,EAAsB,EAAE,CAChE,iBAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,iBAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC"}
1	+ {"version":3,"file":"tls.js","sourceRoot":"","sources":["../src/tls.ts"],"names":[],"mappings":";;;;;;AAAA,sDAAyB;AAalB,MAAM,uBAAuB,GAAG,CACrC,MAAoB,EAMZ,EAAE;IACV,mCAAmC;IACnC,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,UAAU,GAAG;QACjB,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI;YAClB,EAAE,EAAE,oBAAoB,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,KAAK;SACvD,CAAC;QACF,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI;YACnB,GAAG,EAAE,oBAAoB,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM;SAC1D,CAAC;QACF,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI;YACpB,IAAI,EAAE,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO;SAC7D,CAAC;KACH,CAAC;IAEF,kFAAkF;IAClF,yEAAyE;IACzE,+DAA+D;IAC/D,gEAAgE;IAChE,0EAA0E;IAC1E,IACE,MAAM,CAAC,OAAO,KAAK,OAAO;QAC1B,MAAM,CAAC,OAAO,KAAK,QAAQ;QAC3B,MAAM,CAAC,OAAO,KAAK,SAAS,EAC5B,CAAC;QACD,OAAO;YACL,kBAAkB,EAAE,KAAK;YACzB,GAAG,UAAU;SACd,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,gFAAgF;IAChF,IAAI,MAAM,CAAC,OAAO,KAAK,WAAW,EAAE,CAAC;QACnC,OAAO;YACL,kBAAkB,EAAE,CAAC,MAAM,CAAC,mBAAmB;YAE/C,0EAA0E;YAC1E,wDAAwD;YACxD,mBAAmB,EAAE,GAAG,EAAE,CAAC,SAAS;YACpC,GAAG,UAAU;SACd,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,2DAA2D;IAC3D,OAAO;QACL,kBAAkB,EAAE,CAAC,MAAM,CAAC,mBAAmB;QAC/C,GAAG,UAAU;KACd,CAAC;AACJ,CAAC,CAAC;AA5DW,QAAA,uBAAuB,2BA4DlC;AACF,MAAM,oBAAoB,GAAG,CAAC,IAAY,EAAsB,EAAE,CAChE,iBAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,iBAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rsdk/db",
-  "version": "5.11.0-next.1",
+  "version": "5.11.0-next.10",
   "description": "Common functionality and interfaces for relational database plugins",
   "main": "dist/index.js",
   "publishConfig": {
@@ -18,5 +18,5 @@
     "@rsdk/decorators": "*",
     "reflect-metadata": "^0.1.12 || ^0.2.0"
   },
-  "gitHead": "5702cb032179ff5c8319c4b7e85b99af7e90245e"
+  "gitHead": "de767781fa92c9a3db87d8aa982aa682cb6375b6"
 }

package/src/index.ts CHANGED Viewed

@@ -10,3 +10,4 @@ export { TransactionRunner } from './transactional.runner';
 export { Propagation } from './propagation.enum';
 export { HEALTH_CHECK_QUERY } from './constants';
 export { getSecureContextOptions } from './tls';
+export { SslModeEnum } from './ssl-mode.enum';

package/src/ssl-mode.enum.ts ADDED Viewed

@@ -0,0 +1,8 @@
+export enum SslModeEnum {
+  DISABLE = 'disable',
+  ALLOW = 'allow',
+  PREFER = 'prefer',
+  REQUIRE = 'require',
+  VERIFY_CA = 'verify-ca',
+  VERIFY_FULL = 'verify-full',
+}

package/src/tls.ts CHANGED Viewed

@@ -1,7 +1,10 @@
 import fs from 'node:fs';
 import type { SecureContextOptions } from 'node:tls';
+import type { SslModeEnum } from './ssl-mode.enum';
 export interface SecureConfig {
+  sslMode: SslModeEnum;
   allowSelfSignedCert?: boolean | undefined;
   tlsCa?: string | undefined;
   tlsCert?: string | undefined;
@@ -13,25 +16,61 @@ export const getSecureContextOptions = (
 ):
   | (Pick<SecureContextOptions, 'ca' | 'cert' | 'key'> & {
       rejectUnauthorized: boolean;
+      checkServerIdentity?: (host: string, cert: any) => Error | undefined;
     })
-  | false =>
-  typeof config.allowSelfSignedCert === 'boolean' ||
-  config.tlsCa ||
-  config.tlsKey ||
-  config.tlsCert
-    ? {
-        rejectUnauthorized: !config.allowSelfSignedCert,
-        ...(config.tlsCa && {
-          ca: readFileIfExistsSync(config.tlsCa) ?? config.tlsCa,
-        }),
-        ...(config.tlsKey && {
-          key: readFileIfExistsSync(config.tlsKey) ?? config.tlsKey,
-        }),
-        ...(config.tlsCert && {
-          cert: readFileIfExistsSync(config.tlsCert) ?? config.tlsCert,
-        }),
-      }
-    : false;
+  | false => {
+  // disable - SSL полностью отключен
+  if (config.sslMode === 'disable') {
+    return false;
+  }
+  const tlsOptions = {
+    ...(config.tlsCa && {
+      ca: readFileIfExistsSync(config.tlsCa) ?? config.tlsCa,
+    }),
+    ...(config.tlsKey && {
+      key: readFileIfExistsSync(config.tlsKey) ?? config.tlsKey,
+    }),
+    ...(config.tlsCert && {
+      cert: readFileIfExistsSync(config.tlsCert) ?? config.tlsCert,
+    }),
+  };
+  // allow, prefer, require - SSL используется, но сертификат сервера не проверяется
+  // allow/prefer - в теории позволяют fallback на незащищенное соединение,
+  //   но в Node.js это контролируется сервером БД, а не клиентом
+  // require - требует SSL, но не проверяет валидность сертификата
+  // Все три режима защищают от пассивного прослушивания, но не от MITM атак
+  if (
+    config.sslMode === 'allow' ||
+    config.sslMode === 'prefer' ||
+    config.sslMode === 'require'
+  ) {
+    return {
+      rejectUnauthorized: false,
+      ...tlsOptions,
+    };
+  }
+  // verify-ca - проверяется, что сертификат сервера подписан доверенным CA,
+  // но hostname не проверяется. Защищает от MITM с самоподписанными сертификатами
+  if (config.sslMode === 'verify-ca') {
+    return {
+      rejectUnauthorized: !config.allowSelfSignedCert,
+      // Отключаем проверку hostname (принимаем любой hostname если CA валидный)
+      // eslint-disable-next-line unicorn/no-useless-undefined
+      checkServerIdentity: () => undefined,
+      ...tlsOptions,
+    };
+  }
+  // verify-full - полная проверка сертификата включая hostname
+  // Самый безопасный режим, защищает от всех видов MITM атак
+  return {
+    rejectUnauthorized: !config.allowSelfSignedCert,
+    ...tlsOptions,
+  };
+};
 const readFileIfExistsSync = (path: string): Buffer | undefined =>
   fs.existsSync(path) ? fs.readFileSync(path) : undefined;