npm - auto-smart-security - Versions diffs - 1.0.15 → 1.0.16 - Mend

auto-smart-security 1.0.15 → 1.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md CHANGED Viewed

@@ -40,7 +40,11 @@ import { SEND_NOTIFICATION_ERR } from './notify';
 applySecurity(app, {
   mode: 'prod',
   pathWhitelist: ['admin/', 'media', 'oauth2'],
-  rateLimit: { max: 120, windowMs: 60_000 },
+  rateLimit: {
+    default: { max: 100, windowMs: 5000 },
+    trusted: { max: 500, windowMs: 5000 },
+    internal: { max: 2000, windowMs: 5000 },
+  },
   trustProxy: 1
   bot: { enabled: true },
   blacklistTTL: 10 * 60 * 1000,
@@ -61,39 +65,35 @@ UA: ${info.ua ?? 'N/A'}`,
 ```ts
 interface SecurityOptions {
-  /** Skip all security when in dev mode */
+  /** dev → skip security */
   mode?: 'prod' | 'dev';
-  /** Allowed API paths */
+  trust?: TrustOptions;
+  /** express trust proxy setting */
+  trustProxy?: number;
+  /** allow only these paths */
   pathWhitelist: string[];
-  /** Hard-coded blacklist */
+  /** hard blacklist */
   staticBlacklist?: string[];
-  /** Dynamic blacklist TTL (milliseconds) */
+  /** dynamic blacklist ttl (ms) */
   blacklistTTL?: number;
-  /** Custom blacklist store (Redis / Memory) */
+  /** custom blacklist store (Redis / Memory) */
   blacklist?: {
     store?: BlacklistStore;
   };
-  /** Rate limiting */
-  rateLimit?: {
-    windowMs: number;
-    max: number;
-  };
-  /** express trust proxy setting */
-  trustProxy?: number;
+  /** rate limit */
+  rateLimit?: AdaptiveRateLimit;
-  /** Bot detection */
-  bot?: {
-    enabled: boolean;
-    scoreLimit?: number;
-  };
+  /** bot detection */
+  bot?: BotOptions;
-  /** Callback when a request is blocked */
+  /** notify app when blocked */
   onBlock?: (info: BlockInfo) => void;
 }
 ```
@@ -145,7 +145,11 @@ const redis = new Redis({
 applySecurity(app, {
   mode: process.env.NODE_ENV === 'development' ? 'dev' : 'prod',
-  rateLimit: { max: 120, windowMs: 60_000 },
+  rateLimit: {
+      default: { max: 100, windowMs: 5000 },
+      trusted: { max: 500, windowMs: 5000 },
+      internal: { max: 2000, windowMs: 5000 },
+    },
   trustProxy: 1,
   bot: { enabled: true },
   blacklistTTL: 10 * 60 * 1000,
@@ -180,6 +184,29 @@ applySecurity(app, {
 });
 ```
+## Trust Ip/paths/paths
+```ts
+applySecurity(app, {
+  mode: 'prod',
+  trustProxy: 1,
+  trust: {
+    ips: ['113.xxx.xxx.xxx'],
+    origins: ['https://flamingo-fe.skydemo.vn'],
+    paths: ['admin'],
+  },
+  rateLimit: {
+    default: { max: 100, windowMs: 5000 },
+    trusted: { max: 500, windowMs: 5000 },
+    internal: { max: 2000, windowMs: 5000 },
+  },
+  bot: { enabled: true },
+});
+```
 ## 🧠 Best Practices
 - ✔ Whitelist only valid API paths

package/dist/apply-security.js CHANGED Viewed

@@ -7,8 +7,9 @@ exports.applySecurity = applySecurity;
 const helmet_1 = __importDefault(require("helmet"));
 const utils_1 = require("./utils");
 const bot_detector_1 = require("./bot-detector");
-const rate_limiter_1 = require("./rate-limiter");
 const memory_store_1 = require("./blacklist/memory.store");
+const trust_engine_1 = require("./trust-engine");
+const rate_limiter_1 = require("./rate-limiter");
 const STATIC_EXTENSIONS = [
     '.png',
     '.jpg',
@@ -51,19 +52,6 @@ function applySecurity(app, options) {
     const botDetector = options.bot?.enabled === true
         ? new bot_detector_1.BotDetector(options.bot.scoreLimit)
         : null;
-    /** ================= RATE LIMIT ================= */
-    if (options.rateLimit) {
-        app.use((0, rate_limiter_1.createRateLimiter)(options.rateLimit, (req) => {
-            const ip = (0, utils_1.getClientIP)(req);
-            blacklist.block(ip);
-            options.onBlock?.({
-                ip,
-                reason: 'rate-limit',
-                url: req.originalUrl,
-                ua: req.headers?.['user-agent'],
-            });
-        }));
-    }
     /** ================= IMAGES ================= */
     const isStaticAsset = (url) => {
         const path = url.split('?')[0].toLowerCase();
@@ -71,11 +59,16 @@ function applySecurity(app, options) {
     };
     /** ================= MAIN SECURITY ================= */
     app.use(async (req, res, next) => {
+        const ip = (0, utils_1.getClientIP)(req);
+        const url = req.originalUrl;
+        const trustLevel = (0, trust_engine_1.getTrustLevel)(req, ip, options.trust);
+        /** ================= RATE LIMIT ================= */
+        if (options.rateLimit) {
+            app.use((0, rate_limiter_1.createAdaptiveRateLimiter)(options.rateLimit, (req) => (0, utils_1.getClientIP)(req), () => trustLevel, () => blacklist.block(ip)));
+        }
         // pass OPTIONS requests
         if (req.method === 'OPTIONS')
             return next();
-        const ip = (0, utils_1.getClientIP)(req);
-        const url = req.originalUrl;
         if (isStaticAsset(url))
             return next();
         /** 1️⃣ Blacklist */
@@ -83,8 +76,8 @@ function applySecurity(app, options) {
             return res.status(403).send('Access denied');
         }
         /** 2️⃣ Bot detection */
-        if (botDetector?.detect(req)) {
-            await blacklist.block(ip);
+        if (botDetector?.detect(req, trustLevel)) {
+            await blacklist.block(ip, options.blacklistTTL);
             options.onBlock?.({
                 ip,
                 reason: 'bot-detected',

package/dist/bot-detector.d.ts CHANGED Viewed

@@ -3,5 +3,5 @@ export declare class BotDetector {
     private scores;
     private ttl;
     constructor(limit?: number);
-    detect(req: any): boolean;
+    detect(req: any, trustLevel?: number): boolean;
 }

package/dist/bot-detector.js CHANGED Viewed

@@ -8,8 +8,8 @@ class BotDetector {
         this.scores = new Map();
         this.ttl = 60000; // 1 minute
     }
-    detect(req) {
-        if (req.method === 'OPTIONS')
+    detect(req, trustLevel = 0) {
+        if (req.method === 'OPTIONS' || trustLevel >= 5)
             return false;
         let score = 0;
         const ua = (req.headers?.['user-agent'] || '').toLowerCase();

package/dist/rate-limiter.d.ts CHANGED Viewed

@@ -1,4 +1,2 @@
-export declare function createRateLimiter(options: {
-    windowMs: number;
-    max: number;
-}, onLimit: (req: any, res: any) => void): import("express-rate-limit").RateLimitRequestHandler;
+import { AdaptiveRateLimit } from './types';
+export declare function createAdaptiveRateLimiter(options: AdaptiveRateLimit, getKey: (req: any) => string, getLevel: (req: any) => number, onLimit: (req: any) => void): import("express-rate-limit").RateLimitRequestHandler;

package/dist/rate-limiter.js CHANGED Viewed

@@ -3,16 +3,22 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createRateLimiter = createRateLimiter;
+exports.createAdaptiveRateLimiter = createAdaptiveRateLimiter;
 const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
-function createRateLimiter(options, onLimit) {
+function createAdaptiveRateLimiter(options, getKey, getLevel, onLimit) {
     return (0, express_rate_limit_1.default)({
-        windowMs: options.windowMs,
-        max: options.max,
-        standardHeaders: true,
-        legacyHeaders: false,
+        windowMs: options.default.windowMs,
+        max: (req) => {
+            const level = getLevel(req);
+            if (level >= 7 && options.internal)
+                return options.internal.max;
+            if (level >= 4 && options.trusted)
+                return options.trusted.max;
+            return options.default.max;
+        },
+        keyGenerator: getKey,
         handler: (req, res) => {
-            onLimit(req, res);
+            onLimit(req);
             res.status(429).send('Too many requests');
         },
     });

package/dist/trust-engine.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { TrustOptions } from './types';
2	+ export declare function getTrustLevel(req: any, ip: string, trust?: TrustOptions): number;

package/dist/trust-engine.js ADDED Viewed

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getTrustLevel = getTrustLevel;
+function getTrustLevel(req, ip, trust) {
+    let level = 0;
+    if (!trust)
+        return 0;
+    // IP trust
+    if (trust.ips) {
+        if (Array.isArray(trust.ips) ? trust.ips.includes(ip) : trust.ips(ip)) {
+            level += 5;
+        }
+    }
+    // Origin trust
+    if (trust.origins?.length) {
+        const origin = req.headers.origin || '';
+        const referer = req.headers.referer || '';
+        if (trust.origins.some((o) => origin.startsWith(o) || referer.startsWith(o))) {
+            level += 3;
+        }
+    }
+    // Path trust
+    if (trust.paths?.length) {
+        const path = req.originalUrl.split('?')[0].replace(/^\/+/, '');
+        if (trust.paths.some((p) => path.startsWith(p))) {
+            level += 2;
+        }
+    }
+    // Auth header
+    if (req.headers.authorization) {
+        level += 2;
+    }
+    return level;
+}

package/dist/types.d.ts CHANGED Viewed

@@ -7,17 +7,34 @@ export interface BlockInfo {
     ua?: string;
     extra?: any;
 }
-export interface RateLimitOptions {
-    windowMs: number;
-    max: number;
-}
 export interface BotOptions {
     enabled: boolean;
     scoreLimit?: number;
 }
+export interface TrustOptions {
+    ips?: string[] | ((ip: string) => boolean);
+    origins?: string[];
+    paths?: string[];
+    minLevelToBypassBot?: number;
+}
+export interface AdaptiveRateLimit {
+    default: {
+        max: number;
+        windowMs: number;
+    };
+    trusted?: {
+        max: number;
+        windowMs: number;
+    };
+    internal?: {
+        max: number;
+        windowMs: number;
+    };
+}
 export interface SecurityOptions {
     /** dev → skip security */
     mode?: 'prod' | 'dev';
+    trust?: TrustOptions;
     /** express trust proxy setting */
     trustProxy?: number;
     /** allow only these paths */
@@ -31,7 +48,7 @@ export interface SecurityOptions {
         store?: BlacklistStore;
     };
     /** rate limit */
-    rateLimit?: RateLimitOptions;
+    rateLimit?: AdaptiveRateLimit;
     /** bot detection */
     bot?: BotOptions;
     /** notify app when blocked */

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "auto-smart-security",
-  "version": "1.0.15",
+  "version": "1.0.16",
   "description": "Production-ready security middleware for Express / NestJS",
   "author": "Hai Vinh <haivinhinspirit@gmail.com>",
   "main": "dist/index.js",