@tracehound/fastify 1.3.0 → 1.4.1

package/README.md

@@ -13,17 +13,18 @@ npm install @tracehound/fastify @tracehound/core
 ```ts
 import fastify from 'fastify'
 import { tracehoundPlugin } from '@tracehound/fastify'
-import { createAgent, createQuarantine, createRateLimiter } from '@tracehound/core'
+import { createTracehound } from '@tracehound/core'
 
 const app = fastify()
 
-// Create Tracehound components
-const quarantine = createQuarantine({ maxCount: 10000, maxBytes: 100_000_000 })
-const rateLimiter = createRateLimiter({ windowMs: 60_000, maxRequests: 100 })
-const agent = createAgent({ quarantine, rateLimiter })
+// Create Tracehound instance
+const th = createTracehound({
+  quarantine: { maxCount: 10000, maxBytes: 100_000_000 },
+  rateLimit: { windowMs: 60_000, maxRequests: 100 },
+})
 
 // Register plugin
-app.register(tracehoundPlugin, { agent })
+app.register(tracehoundPlugin, { agent: th.agent })
 
 app.get('/', async (req, reply) => {
   return { message: 'Protected by Tracehound' }
@@ -34,11 +35,12 @@ app.listen({ port: 3000 })
 
 ## Options
 
-| Option         | Type                           | Required | Description               |
-| -------------- | ------------------------------ | -------- | ------------------------- |
-| `agent`        | `IAgent`                       | Yes      | Tracehound Agent instance |
-| `extractScent` | `(req) => Scent`               | No       | Custom scent extraction   |
-| `onIntercept`  | `(result, req, reply) => void` | No       | Custom response handler   |
+| Option                    | Type                           | Required | Description                                        |
+| ------------------------- | ------------------------------ | -------- | -------------------------------------------------- |
+| `agent`                   | `IAgent`                       | Yes      | Tracehound Agent instance                          |
+| `emitSignatureInResponse` | `boolean`                      | No       | If true, returns signature in 403 (default: false) |
+| `extractScent`            | `(req) => Scent`               | No       | Custom scent extraction                            |
+| `onIntercept`             | `(result, req, reply) => void` | No       | Custom response handler                            |
 
 ## Response Codes
 

package/dist/index.d.ts

@@ -14,9 +14,14 @@ export interface TracehoundPluginOptions {
      * Required - must be created via createAgent() from @tracehound/core.
      */
     agent: IAgent;
+    /**
+     * If true, includes the Tracehound `signature` in the HTTP 403 Forbidden body
+     * for quarantined requests. This is false by default to prevent correlation attacks.
+     */
+    emitSignatureInResponse?: boolean;
     /**
      * Custom scent extraction function.
-     * Default extracts IP, path, method, and headers.
+     * Default extracts IP, path, method, and headers safely.
      */
     extractScent?: (req: FastifyRequest) => Scent;
     /**
@@ -32,12 +37,12 @@ export interface TracehoundPluginOptions {
  * ```ts
  * import fastify from 'fastify'
  * import { tracehoundPlugin } from '@tracehound/fastify'
- * import { createAgent } from '@tracehound/core'
+ * import { createTracehound } from '@tracehound/core'
  *
  * const app = fastify()
- * const agent = createAgent({ ... })
+ * const th = createTracehound({ }) // options here
  *
- * app.register(tracehoundPlugin, { agent })
+ * app.register(tracehoundPlugin, { agent: th.agent })
  * ```
  */
 export declare const tracehoundPlugin: FastifyPluginCallback<TracehoundPluginOptions>;

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAoB,KAAK,MAAM,EAAE,KAAK,eAAe,EAAE,KAAK,KAAK,EAAE,MAAM,kBAAkB,CAAA;AAClG,OAAO,KAAK,EAAE,qBAAqB,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAElF;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAA;IAEb;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,cAAc,KAAK,KAAK,CAAA;IAE7C;;;OAGG;IACH,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,EAAE,cAAc,EAAE,KAAK,EAAE,YAAY,KAAK,IAAI,CAAA;CAC1F;AAsED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,gBAAgB,EAAE,qBAAqB,CAAC,uBAAuB,CAqB3E,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,YAAY,gDAAmB,CAAA;AAG5C,eAAe,gBAAgB,CAAA;AAG/B,YAAY,EAAE,eAAe,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAoB,KAAK,MAAM,EAAE,KAAK,eAAe,EAAE,KAAK,KAAK,EAAE,MAAM,kBAAkB,CAAA;AAClG,OAAO,KAAK,EAAE,qBAAqB,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAElF;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAA;IAEb;;;OAGG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAA;IAEjC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,cAAc,KAAK,KAAK,CAAA;IAE7C;;;OAGG;IACH,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,EAAE,cAAc,EAAE,KAAK,EAAE,YAAY,KAAK,IAAI,CAAA;CAC1F;AAoFD;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,gBAAgB,EAAE,qBAAqB,CAAC,uBAAuB,CAgC3E,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,YAAY,gDAAmB,CAAA;AAG5C,eAAe,gBAAgB,CAAA;AAG/B,YAAY,EAAE,eAAe,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAA"}

package/dist/index.js

@@ -4,6 +4,20 @@
  * Fastify plugin for Tracehound security buffer.
  */
 import { generateSecureId } from '@tracehound/core';
+/**
+ * Defensive clone for safely copying deeply nested or cyclical external payloads
+ * without crashing the process.
+ */
+function safeClone(obj) {
+    if (obj === undefined)
+        return undefined;
+    try {
+        return JSON.parse(JSON.stringify(obj));
+    }
+    catch {
+        return undefined; // Unsafe to clone or cyclical, omit silently
+    }
+}
 /**
  * Default scent extraction from Fastify request.
  */
@@ -16,19 +30,19 @@ function defaultExtractScent(req) {
         payload: {
             method: req.method,
             path: req.url,
-            query: JSON.parse(JSON.stringify(req.query)),
+            query: safeClone(req.query) ?? {},
             headers: {
                 'user-agent': req.headers['user-agent'] || '',
                 'content-type': req.headers['content-type'] || '',
             },
-            body: req.body ? JSON.parse(JSON.stringify(req.body)) : undefined,
+            body: safeClone(req.body),
         },
     };
 }
 /**
  * Default intercept result handler.
  */
-function defaultOnIntercept(result, _req, reply) {
+function defaultOnIntercept(result, _req, reply, options) {
     switch (result.status) {
         case 'rate_limited':
             reply
@@ -48,7 +62,7 @@ function defaultOnIntercept(result, _req, reply) {
         case 'quarantined':
             reply.status(403).send({
                 error: 'Forbidden',
-                signature: result.handle.signature,
+                ...(options?.emitSignatureInResponse ? { signature: result.handle.signature } : {}),
             });
             break;
         case 'error':
@@ -68,16 +82,16 @@ function defaultOnIntercept(result, _req, reply) {
  * ```ts
  * import fastify from 'fastify'
  * import { tracehoundPlugin } from '@tracehound/fastify'
- * import { createAgent } from '@tracehound/core'
+ * import { createTracehound } from '@tracehound/core'
  *
  * const app = fastify()
- * const agent = createAgent({ ... })
+ * const th = createTracehound({ }) // options here
  *
- * app.register(tracehoundPlugin, { agent })
+ * app.register(tracehoundPlugin, { agent: th.agent })
  * ```
  */
 export const tracehoundPlugin = (fastify, options, done) => {
-    const { agent, extractScent = defaultExtractScent, onIntercept = defaultOnIntercept } = options;
+    const { agent, extractScent = defaultExtractScent, onIntercept } = options;
     fastify.addHook('onRequest', (req, reply, hookDone) => {
         const scent = extractScent(req);
         const result = agent.intercept(scent);
@@ -85,7 +99,14 @@ export const tracehoundPlugin = (fastify, options, done) => {
             hookDone();
             return;
         }
-        onIntercept(result, req, reply);
+        if (onIntercept) {
+            onIntercept(result, req, reply);
+        }
+        else {
+            defaultOnIntercept(result, req, reply, options.emitSignatureInResponse !== undefined
+                ? { emitSignatureInResponse: options.emitSignatureInResponse }
+                : {});
+        }
         // Don't call hookDone() - response is already sent
     });
     done();

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,gBAAgB,EAAiD,MAAM,kBAAkB,CAAA;AA0BlG;;GAEG;AACH,SAAS,mBAAmB,CAAC,GAAmB;IAC9C,MAAM,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,SAAS,CAAA;IAE9B,OAAO;QACL,EAAE,EAAE,gBAAgB,EAAE;QACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,MAAM,EAAE,EAAE;QACV,OAAO,EAAE;YACP,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,IAAI,EAAE,GAAG,CAAC,GAAG;YACb,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAC5C,OAAO,EAAE;gBACP,YAAY,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE;gBAC7C,cAAc,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE;aAClD;YACD,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;SAClE;KACF,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CACzB,MAAuB,EACvB,IAAoB,EACpB,KAAmB;IAEnB,QAAQ,MAAM,CAAC,MAAM,EAAE,CAAC;QACtB,KAAK,cAAc;YACjB,KAAK;iBACF,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC;iBAClE,MAAM,CAAC,GAAG,CAAC;iBACX,IAAI,CAAC;gBACJ,KAAK,EAAE,mBAAmB;gBAC1B,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAA;YACJ,MAAK;QAEP,KAAK,mBAAmB;YACtB,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACrB,KAAK,EAAE,mBAAmB;gBAC1B,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC,CAAA;YACF,MAAK;QAEP,KAAK,aAAa;YAChB,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACrB,KAAK,EAAE,WAAW;gBAClB,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS;aACnC,CAAC,CAAA;YACF,MAAK;QAEP,KAAK,OAAO;YACV,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACrB,KAAK,EAAE,uBAAuB;aAC/B,CAAC,CAAA;YACF,MAAK;QAEP;YACE,yCAAyC;YACzC,MAAK;IACT,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAmD,CAC9E,OAAO,EACP,OAAO,EACP,IAAI,EACJ,EAAE;IACF,MAAM,EAAE,KAAK,EAAE,YAAY,GAAG,mBAAmB,EAAE,WAAW,GAAG,kBAAkB,EAAE,GAAG,OAAO,CAAA;IAE/F,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;QACpD,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAA;QAC/B,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAErC,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC7D,QAAQ,EAAE,CAAA;YACV,OAAM;QACR,CAAC;QAED,WAAW,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QAC/B,mDAAmD;IACrD,CAAC,CAAC,CAAA;IAEF,IAAI,EAAE,CAAA;AACR,CAAC,CAAA;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,gBAAgB,CAAA;AAE5C,0CAA0C;AAC1C,eAAe,gBAAgB,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,gBAAgB,EAAiD,MAAM,kBAAkB,CAAA;AAgClG;;;GAGG;AACH,SAAS,SAAS,CAAC,GAAQ;IACzB,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAA;IACvC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAA;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAA,CAAC,6CAA6C;IAChE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,GAAmB;IAC9C,MAAM,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,SAAS,CAAA;IAE9B,OAAO;QACL,EAAE,EAAE,gBAAgB,EAAE;QACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,MAAM,EAAE,EAAE;QACV,OAAO,EAAE;YACP,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,IAAI,EAAE,GAAG,CAAC,GAAG;YACb,KAAK,EAAE,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE;YACjC,OAAO,EAAE;gBACP,YAAY,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE;gBAC7C,cAAc,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE;aAClD;YACD,IAAI,EAAE,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;SAC1B;KACF,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CACzB,MAAuB,EACvB,IAAoB,EACpB,KAAmB,EACnB,OAAkE;IAElE,QAAQ,MAAM,CAAC,MAAM,EAAE,CAAC;QACtB,KAAK,cAAc;YACjB,KAAK;iBACF,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC;iBAClE,MAAM,CAAC,GAAG,CAAC;iBACX,IAAI,CAAC;gBACJ,KAAK,EAAE,mBAAmB;gBAC1B,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAA;YACJ,MAAK;QAEP,KAAK,mBAAmB;YACtB,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACrB,KAAK,EAAE,mBAAmB;gBAC1B,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC,CAAA;YACF,MAAK;QAEP,KAAK,aAAa;YAChB,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACrB,KAAK,EAAE,WAAW;gBAClB,GAAG,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpF,CAAC,CAAA;YACF,MAAK;QAEP,KAAK,OAAO;YACV,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACrB,KAAK,EAAE,uBAAuB;aAC/B,CAAC,CAAA;YACF,MAAK;QAEP;YACE,yCAAyC;YACzC,MAAK;IACT,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAmD,CAC9E,OAAO,EACP,OAAO,EACP,IAAI,EACJ,EAAE;IACF,MAAM,EAAE,KAAK,EAAE,YAAY,GAAG,mBAAmB,EAAE,WAAW,EAAE,GAAG,OAAO,CAAA;IAE1E,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;QACpD,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAA;QAC/B,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAErC,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC7D,QAAQ,EAAE,CAAA;YACV,OAAM;QACR,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QACjC,CAAC;aAAM,CAAC;YACN,kBAAkB,CAChB,MAAM,EACN,GAAG,EACH,KAAK,EACL,OAAO,CAAC,uBAAuB,KAAK,SAAS;gBAC3C,CAAC,CAAC,EAAE,uBAAuB,EAAE,OAAO,CAAC,uBAAuB,EAAE;gBAC9D,CAAC,CAAC,EAAE,CACP,CAAA;QACH,CAAC;QACD,mDAAmD;IACrD,CAAC,CAAC,CAAA;IAEF,IAAI,EAAE,CAAA;AACR,CAAC,CAAA;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,gBAAgB,CAAA;AAE5C,0CAA0C;AAC1C,eAAe,gBAAgB,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tracehound/fastify",
-  "version": "1.3.0",
+  "version": "1.4.1",
   "description": "Fastify plugin for Tracehound security buffer",
   "license": "Apache-2.0",
   "author": "Erdem Arslan <me@erdem.work>",
@@ -32,7 +32,7 @@
     "dist"
   ],
   "dependencies": {
-    "@tracehound/core": "1.3.0"
+    "@tracehound/core": "1.4.3"
   },
   "devDependencies": {
     "@types/node": "^20.0.0",