npm - auto-smart-security - Versions diffs - 1.1.0 → 1.1.2 - Mend

auto-smart-security 1.1.0 → 1.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/apply-security.js +48 -47
package/dist/blacklist/memory.store.js +3 -1
package/dist/blacklist/redis.store.js +1 -0
package/package.json +1 -1

package/dist/apply-security.js CHANGED Viewed

@@ -40,11 +40,6 @@ function applySecurity(app, options) {
         }
         app.set('trust proxy', options.trustProxy);
     }
-    /** ================= HELMET ================= */
-    app.use((0, helmet_1.default)({
-        crossOriginResourcePolicy: false, // 🔥
-        crossOriginOpenerPolicy: false, // disable API
-    }));
     /** ================= BLACKLIST STORE ================= */
     const blacklist = options.blacklist?.store ??
         new memory_store_1.MemoryBlacklistStore(options.staticBlacklist, options.blacklistTTL);
@@ -57,63 +52,69 @@ function applySecurity(app, options) {
         const path = url.split('?')[0].toLowerCase();
         return STATIC_EXTENSIONS.some((ext) => path.endsWith(ext));
     };
+    /** 3️⃣ Path whitelist */
+    const normalizePath = (url) => url.split('?')[0].replace(/^\/+/, '');
+    const isPathAllowed = (url, whitelist) => {
+        const path = normalizePath(url);
+        return whitelist.some((p) => path === p || path.includes(`${p}`));
+    };
+    function recordPathViolation(ip) {
+        const now = Date.now();
+        const entry = pathViolationMap.get(ip);
+        if (!entry || now - entry.ts > PATH_VIOLATION_TTL) {
+            pathViolationMap.set(ip, { count: 1, ts: now });
+            return false; // not block
+        }
+        entry.count++;
+        pathViolationMap.set(ip, entry);
+        return entry.count > PATH_VIOLATION_LIMIT; // block if limit exceeded
+    }
+    if (options.rateLimit) {
+        app.set('trust proxy', options.trustProxy);
+        // Lưu ý: createAdaptiveRateLimiter get IP/Trust
+        app.use((0, rate_limiter_1.createAdaptiveRateLimiter)(options.rateLimit, (req) => (0, utils_1.getClientIP)(req), (req) => (0, trust_engine_1.getTrustLevel)(req, (0, utils_1.getClientIP)(req), options.trust), (ip) => blacklist.block(ip)));
+    }
+    /** ================= HELMET ================= */
+    app.use((0, helmet_1.default)({
+        crossOriginResourcePolicy: false, // 🔥
+        crossOriginOpenerPolicy: false, // disable API
+    }));
     /** ================= MAIN SECURITY ================= */
     app.use(async (req, res, next) => {
         const ip = (0, utils_1.getClientIP)(req);
         const url = req.originalUrl;
-        const trustLevel = (0, trust_engine_1.getTrustLevel)(req, ip, options.trust);
-        /** ================= RATE LIMIT ================= */
-        if (options.rateLimit) {
-            app.use((0, rate_limiter_1.createAdaptiveRateLimiter)(options.rateLimit, (req) => (0, utils_1.getClientIP)(req), () => trustLevel, () => blacklist.block(ip)));
-        }
-        // pass OPTIONS requests
-        if (req.method === 'OPTIONS')
+        if (req.method === 'OPTIONS' || isStaticAsset(url))
             return next();
+        const trustLevel = (0, trust_engine_1.getTrustLevel)(req, ip, options.trust);
+        const isWhitelisted = trustLevel >= 5;
+        const handleBlocking = async (reason) => {
+            options.onBlock?.({ ip, reason, url, ua: req.headers?.['user-agent'] });
+            if (isWhitelisted)
+                return false;
+            res.status(403).send(reason);
+            return true;
+        };
         if (isStaticAsset(url))
             return next();
         /** 1️⃣ Blacklist */
         if (await blacklist.isBlocked(ip)) {
-            return res.status(403).send('Access denied');
+            if (await handleBlocking('blacklist'))
+                return;
         }
         /** 2️⃣ Bot detection */
         if (botDetector?.detect(req, trustLevel)) {
-            await blacklist.block(ip, options.blacklistTTL);
-            options.onBlock?.({
-                ip,
-                reason: 'bot-detected',
-                url,
-                ua: req.headers?.['user-agent'],
-            });
-            return res.status(403).send('Bot detected');
-        }
-        /** 3️⃣ Path whitelist */
-        const normalizePath = (url) => url.split('?')[0].replace(/^\/+/, '');
-        const isPathAllowed = (url, whitelist) => {
-            const path = normalizePath(url);
-            return whitelist.some((p) => path === p || path.includes(`${p}`));
-        };
-        function recordPathViolation(ip) {
-            const now = Date.now();
-            const entry = pathViolationMap.get(ip);
-            if (!entry || now - entry.ts > PATH_VIOLATION_TTL) {
-                pathViolationMap.set(ip, { count: 1, ts: now });
-                return false; // not block
-            }
-            entry.count++;
-            pathViolationMap.set(ip, entry);
-            return entry.count > PATH_VIOLATION_LIMIT; // block if limit exceeded
+            if (!isWhitelisted)
+                await blacklist.block(ip, options.blacklistTTL);
+            if (await handleBlocking('bot-detected'))
+                return;
         }
         if (options.pathWhitelist?.length &&
             !isPathAllowed(url, options.pathWhitelist)) {
-            const shouldBlock = recordPathViolation(ip); // check violation count
-            if (shouldBlock) {
-                await blacklist.block(ip);
-                options.onBlock?.({
-                    ip,
-                    reason: 'path-not-allowed',
-                    url,
-                });
-                return res.status(403).send('Blocked path');
+            if (recordPathViolation(ip)) {
+                if (!isWhitelisted)
+                    await blacklist.block(ip);
+                if (await handleBlocking('path-not-allowed'))
+                    return;
             }
         }
         next();

package/dist/blacklist/memory.store.js CHANGED Viewed

@@ -8,8 +8,10 @@ class MemoryBlacklistStore {
         this.staticList = new Set(staticBlacklist);
     }
     isBlocked(ip) {
-        if (this.staticList.has(ip))
+        if (this.staticList.has(ip)) {
+            console.log(`[DEBUG] IP ${ip} detect block in MEMORY store`);
             return true;
+        }
         const exp = this.dynamic.get(ip);
         if (!exp)
             return false;

package/dist/blacklist/redis.store.js CHANGED Viewed

@@ -22,6 +22,7 @@ class RedisBlacklistStore {
     async block(ip, ttlSeconds) {
         if (!this.redis)
             return;
+        console.log(`[DEBUG] IP ${ip} detect block in REDIS store`);
         const ttl = ttlSeconds ?? this.ttlSeconds;
         await this.redis.set(this.key(ip), '1', 'EX', ttl);
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "auto-smart-security",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "Production-ready security middleware for Express / NestJS",
   "author": "Hai Vinh <haivinhinspirit@gmail.com>",
   "main": "dist/index.js",