npm - aip-master-node-sumit - Versions diffs - 1.0.9 → 1.0.11 - Mend

aip-master-node-sumit 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +14 -7
package/package.json +1 -1

package/index.js CHANGED Viewed

@@ -10,7 +10,7 @@ const getSafeMasterUrl = (url) => {
     return clean;
 };
-// 🛡️ THE FIX: Bulletproof Native Cookie Parser (Handles JWT padding '=')
+// 🛡️ Bulletproof Native Cookie Parser (Handles JWT padding '=')
 const parseRawCookies = (cookieHeader) => {
     if (!cookieHeader) return {};
@@ -82,14 +82,21 @@ const aipGuard = (options = { requireLogin: true }) => {
             return res.status(413).json({ error: "AIP Infrastructure Shield: Payload Too Large." });
         }
-        // 🛡️ THE FIX: Smart Cookie Extraction & Removed Vulnerable Query Tokens
-        const cookies = req.cookies || parseRawCookies(req.headers.cookie);
-        let token = cookies.aip_session;
+        // ==========================================
+        // 🛡️ THE FIX: Strict Header Priority (Bearer overrides Cookies)
+        // ==========================================
+        let token = null;
-        if (!token && req.headers.authorization && req.headers.authorization.startsWith('Bearer ')) {
+        // 1. Check Explicit Headers FIRST
+        if (req.headers.authorization && req.headers.authorization.startsWith('Bearer ')) {
             token = req.headers.authorization.split(' ')[1];
-        } else if (!token && req.headers['x-aip-token']) {
+        } else if (req.headers['x-aip-token']) {
             token = req.headers['x-aip-token'];
+        }
+        // 2. Fallback to browser cookies ONLY if no explicit headers exist
+        else {
+            const cookies = req.cookies || parseRawCookies(req.headers.cookie);
+            token = cookies.aip_session;
         }
         // ==========================================
@@ -110,7 +117,7 @@ const aipGuard = (options = { requireLogin: true }) => {
                 req.user = authRes.data.user;
-                // 🛡️ THE FIX: Native Node.js Fallback for Set-Cookie (Framework Agnostic)
+                // 🛡️ Native Node.js Fallback for Set-Cookie (Framework Agnostic)
                 const isProd = process.env.NODE_ENV === 'production';
                 if (typeof res.cookie === 'function') {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "aip-master-node-sumit",
-  "version": "1.0.9",
+  "version": "1.0.11",
   "description": "Enterprise-grade WAF and IAM security middleware for Node.js.",
   "main": "index.js",
   "scripts": {