npm - aip-master-node-sumit - Versions diffs - 1.0.0 → 1.0.2 - Mend

aip-master-node-sumit 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +47 -41
package/package.json +1 -1

package/index.js CHANGED Viewed

@@ -1,27 +1,31 @@
 const axios = require('axios');
-// 🛡️ THE FIX: Allow clients to define the URL, or default to your live production API
 const AIP_MASTER_API = process.env.AIP_MASTER_URL || 'http://localhost:8080/api/v1';
 const API_KEY = process.env.AIP_MASTER_API_KEY;
-// Startup Ping Verification (Only runs if they provided an API key)
+// 🛡️ The Heartbeat System.
+// This continuously pings the Go Server every 5 minutes
+// to keep the dashboard "Live" without needing to restart the Express server!
 if (API_KEY) {
-    axios.post(`${AIP_MASTER_API}/iam/ping`, { module: 'middleware' }, {
-        headers: { 'Authorization': `Bearer ${API_KEY}` }
-    }).catch(() => {});
+    const sendHeartbeat = async () => {
+        try {
+            await axios.post(`${AIP_MASTER_API}/iam/ping`, { module: 'middleware' }, {
+                headers: { 'Authorization': `Bearer ${API_KEY}` },
+                timeout: 5000 // Prevent hanging if master is slow
+            });
+        } catch (err) {
+            // Silently fail so the client's app doesn't crash if Master API is updating
+        }
+    };
+    sendHeartbeat(); // Fire immediately on server startup
+    setInterval(sendHeartbeat, 5 * 60 * 1000); // Fire every 5 minutes forever
 }
-/**
- * Universal Security Guard (God-Mode)
- * @param {Object} options - { requireLogin: boolean }
- */
 const aipGuard = (options = { requireLogin: true }) => {
     return async (req, res, next) => {
-        // 🛡️ LAYER 1: INFRASTRUCTURE SHIELD (Anti-DDoS & Header Hacks)
-        const MAX_PAYLOAD_BYTES = 2 * 1024 * 1024; // 2MB Upload Limit
-        // Block advanced Chunked Encoding bypass attacks
+        // LAYER 1: INFRASTRUCTURE SHIELD
+        const MAX_PAYLOAD_BYTES = 2 * 1024 * 1024;
         if (req.headers['transfer-encoding'] && req.headers['transfer-encoding'].includes('chunked')) {
             return res.status(411).send("AIP Infrastructure Shield: Chunked encoding rejected.");
         }
@@ -30,53 +34,55 @@ const aipGuard = (options = { requireLogin: true }) => {
             return res.status(413).send("AIP Infrastructure Shield: Payload Too Large.");
         }
-        // Inject Secure Anti-Hacker Headers into the browser
         res.setHeader('X-Frame-Options', 'DENY');
         res.setHeader('X-Content-Type-Options', 'nosniff');
         res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
         res.setHeader('Access-Control-Allow-Origin', process.env.AIP_ALLOWED_ORIGIN || '*');
-        // 🛡️ LAYER 2: IDENTITY CHECK & RBAC AUTO-DISCOVERY
-        if (options.requireLogin) {
-            const token = req.query.token || (req.cookies && req.cookies.aip_session);
-            if (!token) return res.redirect('/login');
+        // Robust Token Extraction (Checks query, cookies, and Authorization headers)
+        let token = req.query.token || (req.cookies && req.cookies.aip_session);
+        if (!token && req.headers.authorization && req.headers.authorization.startsWith('Bearer ')) {
+            token = req.headers.authorization.split(' ')[1];
+        } else if (!token && req.headers['x-aip-token']) {
+            token = req.headers['x-aip-token'];
+        }
+        // LAYER 2: IDENTITY CHECK & RBAC
+        if (options.requireLogin) {
+            if (!token) return res.status(401).send("Unauthorized: Missing AIP Session Token");
             try {
-                // The Scout: Automatically grabs the route and sends it to AIP Master for RBAC Scanning
                 const currentAction = req.method + " " + (req.baseUrl + req.path);
                 const authRes = await axios.post(`${AIP_MASTER_API}/iam/verify-session`,
-                    {
-                        session_token: token,
-                        action: currentAction
-                    },
-                    {
-                        headers: { 'Authorization': `Bearer ${API_KEY}` }
-                    }
+                    { session_token: token, action: currentAction },
+                    { headers: { 'Authorization': `Bearer ${API_KEY}` } }
                 );
                 req.user = authRes.data.user;
-                res.cookie('aip_session', token, { httpOnly: true, secure: true });
+                const isProd = process.env.NODE_ENV === 'production';
+                res.cookie('aip_session', token, { httpOnly: true, secure: isProd });
             } catch (error) {
-                if (res.clearCookie) res.clearCookie('aip_session');
+                const status = error.response?.status || 500;
                 const errMsg = error.response?.data?.error || "AIP Identity Blocked: Invalid Token.";
-                return res.status(403).send(errMsg);
+                // 🛡️ CRITICAL FIX: Only clear the session cookie if the token is actually dead (401).
+                // If it is an RBAC block (403), we just deny the action but keep them logged in!
+                if (status === 401 && res.clearCookie) {
+                    res.clearCookie('aip_session');
+                }
+                return res.status(status === 401 ? 401 : 403).send(errMsg);
             }
         }
-        // 🛡️ LAYER 3: WAF THREAT SCAN & SMART IP EXTRACTION
+        // LAYER 3: WAF THREAT SCAN
         try {
             const payloadData = JSON.stringify({
-                body: req.body,
-                query: req.query
+                body: req.body || {},
+                query: req.query || {}
             });
-            // Smart IP Resolver: Protects clients hosted on Vercel, Heroku, or AWS
             const forwardedFor = req.headers['x-forwarded-for'];
             let clientIp = req.ip || (req.connection && req.connection.remoteAddress) || "0.0.0.0";
             if (forwardedFor) {
-                // Handle both string and array formats safely
                 clientIp = Array.isArray(forwardedFor)
                     ? forwardedFor[0].trim()
                     : forwardedFor.split(',')[0].trim();
@@ -89,9 +95,10 @@ const aipGuard = (options = { requireLogin: true }) => {
                 url: req.originalUrl,
                 payload: payloadData,
                 origin: req.headers.origin || "",
-                user_agent: req.headers['user-agent'] || ""
+                user_agent: req.headers['user-agent'] || "",
+                session_token: token || "" // Explicitly forwarding the token to the Master WAF
             });
             if (wafRes.data.action === "block") {
                 return res.status(403).send(`AIP Firewall Blocked Request: ${wafRes.data.reason}`);
             }
@@ -101,7 +108,6 @@ const aipGuard = (options = { requireLogin: true }) => {
             return res.status(500).send("Security verification failed.");
         }
-        // Passed all 3 Layers perfectly!
         next();
     };
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "aip-master-node-sumit",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Enterprise-grade WAF and IAM security middleware for Node.js.",
   "main": "index.js",
   "scripts": {