chanjs 2.1.1 → 2.3.0

package/utils/error-handler.js

@@ -0,0 +1,115 @@
+/**
+ * 数据库错误处理工具
+ * 提供数据库错误解析和错误响应生成功能
+ */
+
+export const DB_ERROR = {
+  ECONNREFUSED: 6001,
+  ER_ACCESS_DENIED_ERROR: 6002,
+  ER_ROW_IS_REFERENCED_2: 6003,
+  ER_BAD_FIELD_ERROR: 6004,
+  ER_DUP_ENTRY: 6005,
+  ER_NO_SUCH_TABLE: 6006,
+  ETIMEOUT: 6007,
+  ER_TABLE_EXISTS_ERROR: 4003,
+};
+
+export const ERROR_MESSAGES = {
+  6001: "数据库连接失败",
+  6002: "数据库访问被拒绝",
+  6003: "存在关联数据，操作失败",
+  6004: "数据库字段错误",
+  6005: "数据重复，违反唯一性约束",
+  6006: "目标表不存在",
+  6007: "数据库操作超时",
+  6008: "数据库语法错误，请检查查询语句",
+  6009: "数据库连接已关闭，请重试",
+  4003: "资源已存在",
+  5001: "系统内部错误",
+};
+
+/**
+ * 解析数据库错误
+ * @param {Error} error - 数据库错误对象
+ * @returns {Object} 包含 code、msg 和 statusCode 的对象
+ * @description
+ * 根据数据库错误代码映射为业务状态码
+ * 返回对应的错误消息和 HTTP 状态码
+ * @example
+ * const errorInfo = parseDatabaseError({ code: 'ER_DUP_ENTRY' });
+ * console.log(errorInfo); // { code: 6005, msg: '数据重复...', statusCode: 500 }
+ */
+export function parseDatabaseError(error) {
+  const errorCode = error?.code && DB_ERROR[error.code]
+    ? DB_ERROR[error.code]
+    : error?.message?.includes("syntax") || error?.message?.includes("SQL")
+      ? 6008
+      : error?.message?.includes("Connection closed")
+        ? 6009
+        : error?.message?.includes("permission")
+          ? 3003
+          : 5001;
+
+  return {
+    code: errorCode,
+    msg: ERROR_MESSAGES[errorCode] || error?.message || "服务器内部错误",
+    statusCode: errorCode >= 6000 ? 500 : errorCode >= 4000 ? 400 : 500,
+  };
+}
+
+/**
+ * 生成 404 响应
+ * @param {Object} req - Express 请求对象
+ * @returns {Object} 404 响应对象
+ * @description
+ * 返回标准的接口不存在响应
+ * 包含请求的路径和方法
+ * @example
+ * const response = notFoundResponse(req);
+ */
+export function notFoundResponse(req) {
+  return {
+    success: false,
+    msg: "接口不存在",
+    code: 404,
+    data: { path: req.path, method: req.method },
+  };
+}
+
+/**
+ * 生成错误响应
+ * @param {Error} err - 错误对象
+ * @param {Object} req - Express 请求对象
+ * @returns {Object} 错误响应对象
+ * @description
+ * 根据错误类型生成相应的错误响应
+ * 开发环境下包含详细的错误信息
+ * @example
+ * const response = errorResponse(error, req);
+ */
+export function errorResponse(err, req) {
+  const errorInfo = parseDatabaseError(err);
+  
+  console.error(`[Error Handler] ${errorInfo.msg} - ${err?.message}`, {
+    code: errorInfo.code,
+    path: req?.path,
+    method: req?.method,
+    sql: err?.sql,
+    sqlMessage: err?.sqlMessage,
+    stack: err?.stack,
+  });
+  
+  return {
+    success: false,
+    msg: errorInfo.msg,
+    code: errorInfo.code,
+    data: process.env.NODE_ENV === "development"
+      ? {
+          message: err?.message,
+          sql: err?.sql,
+          sqlMessage: err?.sqlMessage,
+          stack: err?.stack,
+        }
+      : {},
+  };
+}

package/utils/error.js

@@ -0,0 +1,81 @@
+/**
+ * 错误处理和日志工具
+ * 提供错误码定义和错误日志记录功能
+ */
+
+export const CODE = {
+  SUCCESS: { code: 200, message: "操作成功" },
+  FAIL: { code: 201, message: "操作失败" },
+  ERROR: { code: 500, message: "服务器错误" },
+  UNAUTHORIZED: { code: 401, message: "未授权" },
+  FORBIDDEN: { code: 403, message: "禁止访问" },
+  NOT_FOUND: { code: 404, message: "资源不存在" },
+  VALIDATION: { code: 400, message: "参数校验失败" },
+  CONFIG: { code: 500, message: "配置错误" },
+};
+
+/**
+ * 记录错误日志
+ * @private
+ * @param {string} type - 错误类型
+ * @param {string} message - 错误消息
+ * @param {Object} [extra={}] - 额外信息
+ * @description
+ * 将错误信息格式化为 JSON 并输出到控制台
+ * 包含时间戳、错误类型和消息
+ */
+function logError(type, message, extra = {}) {
+  const timestamp = new Date().toISOString();
+  console.error(JSON.stringify({
+    timestamp,
+    type,
+    message,
+    ...extra,
+  }));
+}
+
+/**
+ * 创建错误对象
+ * @private
+ * @param {string} message - 错误消息
+ * @param {number} [statusCode=500] - HTTP 状态码
+ * @param {string} [code="ERROR"] - 错误代码
+ * @returns {Object} 错误对象
+ */
+function createError(message, statusCode = 500, code = "ERROR") {
+  logError(code, message, { statusCode });
+  return {
+    isError: true,
+    message,
+    statusCode,
+    code,
+  };
+}
+
+/**
+ * 生成配置错误
+ * @param {string} message - 错误消息
+ * @returns {Object} 配置错误对象
+ * @description
+ * 生成配置类型错误并记录日志
+ * @example
+ * const error = configError('数据库配置缺失');
+ */
+export function configError(message) {
+  logError("CONFIG_ERROR", message);
+  return createError(message, CODE.CONFIG.code, "CONFIG_ERROR");
+}
+
+/**
+ * 生成认证错误
+ * @param {string} [message=CODE.UNAUTHORIZED.message] - 错误消息
+ * @returns {Object} 认证错误对象
+ * @description
+ * 生成认证类型错误并记录日志
+ * @example
+ * const error = authError('Token已过期');
+ */
+export function authError(message = CODE.UNAUTHORIZED.message) {
+  logError("AUTH_ERROR", message);
+  return createError(message, CODE.UNAUTHORIZED.code, "AUTH_ERROR");
+}

package/utils/index.js

@@ -0,0 +1,6 @@
+export { success, fail, error } from "./response.js";
+export { parseDatabaseError, notFoundResponse, errorResponse } from "./error-handler.js";
+export { configError, authError } from "./error.js";
+export { checkKeywords, isIgnored } from "./checker.js";
+export { filterXSS } from "./xss-filter.js";
+export { createRateLimitMiddleware } from "./rate-limit.js";

package/utils/keywords.js

@@ -0,0 +1,126 @@
+/**
+ * 安全关键词规则定义
+ * 定义各类恶意攻击的关键词检测规则
+ */
+
+export const KEYWORD_RULES = {
+  /**
+   * 整词匹配规则（需完整匹配）
+   */
+  wholeWord: [
+    "netcat", "nc", "php-cgi", "process", "require",
+    "child_process", "execSync", "mainModule"
+  ],
+  /**
+   * 敏感文件扩展名
+   */
+  extensions: [
+    ".php", ".asp", ".aspx", ".jsp", ".jspx", ".do", ".action", ".cgi",
+    ".py", ".pl", ".cfm", ".jhtml", ".shtml"
+  ],
+  /**
+   * 敏感目录名称
+   */
+  directories: [
+    "/administrator", "/wp-admin", "phpMyAdmin", "cgi-bin",
+    "setup", "staging", "internal", "debug", "metadata", "secret"
+  ],
+  /**
+   * SQL 注入关键词
+   */
+  sqlInjection: [
+    "sleep(", "benchmark(", "concat(", "extractvalue(", "updatexml(", "version(",
+    "union select", "union all", "select @@", "drop ", "alter ", "truncate ",
+    "(select", "information_schema", "load_file(", "into outfile", "into dumpfile"
+  ],
+  /**
+   * 命令注入关键词
+   */
+  commandInjection: [
+    "cmd=", "system(", "exec(", "shell_exec(", "passthru(",
+    "eval(", "assert(", "preg_replace", "bash -i", "rm -rf",
+    "wget ", "curl ", "chmod ", "base64_decode", "phpinfo()"
+  ],
+  /**
+   * 路径遍历关键词
+   */
+  pathTraversal: [
+    "../", "..\\", "/etc/passwd", "/etc/shadow", "/etc/hosts",
+    "/etc/", "/var/www/", "/app/", "/root/", "__dirname", "__filename"
+  ],
+  /**
+   * XSS 攻击关键词
+   */
+  xss: [
+    "<script", "javascript:", "onerror=", "onload=", "onclick=",
+    "alert(", "document.cookie", "document.write"
+  ],
+  /**
+   * 编码绕过关键词
+   */
+  encoding: [
+    "0x7e", "UNION%20SELECT", "%27OR%27", "{{", "}}", "${", "1+1"
+  ],
+  /**
+   * 敏感标识符
+   */
+  sensitiveIdentifiers: [
+    "wp-", "smtp", "redirect", "configs", ".well-known/",
+    "fs.readFile", "fs.existsSync", "process.env", "process.argv"
+  ],
+};
+
+/**
+ * 关键词正则表达式缓存
+ * 将关键词规则编译为正则表达式以提高检测性能
+ */
+export let keywordRegexCache = (() => {
+  const regexSpecialChars = /[.*+?^${}()|[\]\\]/g;
+  const cache = {};
+
+  for (const [category, keywords] of Object.entries(KEYWORD_RULES)) {
+    if (!Array.isArray(keywords)) continue;
+
+    cache[category] = keywords.map((keyword) => {
+      const escaped = keyword.replace(regexSpecialChars, "\\$&").replace(/ /g, "\\s");
+      return {
+        keyword,
+        regex: new RegExp(
+          category === 'wholeWord' ? `\\b${escaped}\\b` : escaped,
+          "i"
+        ),
+      };
+    });
+  }
+
+  return cache;
+})();
+
+/**
+ * 更新关键词缓存
+ * @param {Object} newRules - 新的关键词规则
+ * @description
+ * 允许动态添加或更新关键词检测规则
+ * @example
+ * updateKeywordCache({
+ *   customKeywords: ['malicious', 'attack']
+ * });
+ */
+export function updateKeywordCache(newRules = {}) {
+  const regexSpecialChars = /[.*+?^${}()|[\]\\]/g;
+
+  for (const [category, keywords] of Object.entries(newRules)) {
+    if (!Array.isArray(keywords)) continue;
+
+    keywordRegexCache[category] = keywords.map((keyword) => {
+      const escaped = keyword.replace(regexSpecialChars, "\\$&").replace(/ /g, "\\s");
+      return {
+        keyword,
+        regex: new RegExp(
+          category === 'wholeWord' ? `\\b${escaped}\\b` : escaped,
+          "i"
+        ),
+      };
+    });
+  }
+}

package/utils/rate-limit.js

@@ -0,0 +1,116 @@
+import { isIgnored } from "./checker.js";
+import { getIp } from "../helper/ip.js";
+
+/**
+ * 访问频率限制工具
+ * 提供基于 IP 和 Cookie 的访问限流功能
+ */
+
+const COOKIE_NAME = `${process.env.APP_NAME || 'app'}_ratelimit`;
+
+/**
+ * 解析时间窗口参数
+ * @private
+ * @param {number|string} time - 时间值
+ * @returns {number} 毫秒数
+ * @description
+ * 支持以下格式：
+ * - 数字：直接作为毫秒数
+ * - 数字+s：秒
+ * - 数字+m：分钟
+ * - 数字+h：小时
+ * - 数字+d：天
+ */
+function parseWindowMs(time) {
+  if (typeof time === 'number') return time;
+  if (typeof time !== 'string') return 60 * 60 * 1000;
+
+  const match = time.match(/^(\d+)([smhd])$/);
+  if (!match) return 60 * 60 * 1000;
+
+  const value = parseInt(match[1], 10);
+  const unit = match[2];
+
+  const multipliers = {
+    's': 1000,
+    'm': 60 * 1000,
+    'h': 60 * 60 * 1000,
+    'd': 24 * 60 * 60 * 1000,
+  };
+
+  return value * (multipliers[unit] || 1000);
+}
+
+/**
+ * 创建限流中间件
+ * @param {Object} rateLimitConfig - 限流配置
+ * @param {number|string} rateLimitConfig.windowMs - 时间窗口
+ * @param {number} rateLimitConfig.max - 最大请求次数
+ * @param {Array<string>} [rateLimitConfig.ignorePaths] - 忽略的路径数组
+ * @returns {Function} Express 中间件函数
+ * @description
+ * 基于客户端 IP 实现滑动窗口限流算法
+ * 使用 Cookie 存储限流状态，避免内存泄漏
+ * @example
+ * const rateLimiter = createRateLimitMiddleware({
+ *   windowMs: '1m',
+ *   max: 60,
+ *   ignorePaths: ['/health']
+ * });
+ */
+export function createRateLimitMiddleware(rateLimitConfig) {
+  const config = {
+    ...rateLimitConfig,
+    windowMs: parseWindowMs(rateLimitConfig?.windowMs),
+  };
+
+  return (req, res, next) => {
+    try {
+      if (isIgnored(req.path, config.ignorePaths)) {
+        return next();
+      }
+
+      const now = Date.now();
+      const ip = getIp(req);
+      const cookieValue = req.cookies && req.cookies[COOKIE_NAME];
+      let currentData = null;
+
+      if (cookieValue) {
+        try {
+          currentData = JSON.parse(cookieValue);
+          if (currentData && currentData.ip !== ip) {
+            currentData = null;
+          }
+        } catch (e) {
+          currentData = null;
+        }
+      }
+
+      let newData;
+      if (!currentData || now > currentData.resetTime) {
+        newData = { count: 1, resetTime: now + config.windowMs, ip };
+      } else if (currentData.count >= config.max) {
+        console.error(`[WAF 限流拦截] 路径:${req.path} 计数:${currentData.count}/${config.max} IP:${ip}`);
+        return res.status(429).json({
+          code: 429,
+          success: false,
+          msg: '请求过于频繁，请稍后重试',
+          retryAfter: Math.ceil((currentData.resetTime - now) / 1000),
+        });
+      } else {
+        newData = { count: currentData.count + 1, resetTime: currentData.resetTime, ip };
+      }
+
+      res.cookie(COOKIE_NAME, JSON.stringify(newData), {
+        httpOnly: true,
+        maxAge: config.windowMs,
+        sameSite: 'strict',
+      });
+
+      next();
+    } catch (error) {
+      console.error(`[WAF 限流异常] 路径:${req.path} 错误:${error.message}`);
+      next();
+    }
+  };
+}

package/utils/response.js

@@ -1,64 +1,103 @@
-import { CODE, DB_ERROR } from "../config/code.js";
-
-/**
- * @description 获取数据库错误码
- * @param {*} error
- * @returns {Number} 默认错误码
- */
-const getDefaultErrorCode = (error) => {
-  if (error.message.includes("syntax") || error.message.includes("SQL")) {
-    return 6008;
-  } else if (error.message.includes("Connection closed")) {
-    return 6009;
-  } else if (error.message.includes("permission")) {
-    return 3003;
-  }
-  return 5001;
-};
-
-/**
- * @description 数据库错误响应处理函数
- * @param {*} err
- * @returns {Object} 错误响应对象
- */
-export const error = (err) => {
-  console.error("DB Error:", err);
-  const errorCode = DB_ERROR[err.code] || getDefaultErrorCode(err);
-  return {
-    success: false,
-    msg: CODE[errorCode], // 从CODE对象获取错误消息
-    code: errorCode,
-    data: {
-      sql: err.sql,
-      sqlMessage: err.sqlMessage,
-    },
-  };
-};
-
-/**
- * @description 错误响应处理函数
- * @param {*} msg
- * @param {*} data
- * @returns {Object} 失败响应对象
- */
-export const fail = (msg = CODE[201], data = {}) => {
-  return {
-    success: false,
-    msg,
-    code: 201, // 使用通用失败码
-    data,
-  };
-};
-
-/**
- * @description 成功响应处理函数
- * @param {*} data
- * @param {*} msg
- * @returns {Object} 成功响应对象
- */
-export const success = (data = {}, msg = CODE[200]) => ({
-  success: true,
-  msg,
-  code: 200, // 使用标准成功码
-  data,
-});
+import { CODE, DB_ERROR } from "../config/code.js";
+
+/**
+ * 响应工具函数
+ * 提供统一的响应格式和错误处理
+ */
+
+/**
+ * 获取默认错误代码
+ * @private
+ * @param {Error} error - 错误对象
+ * @returns {number} 错误代码
+ */
+const getDefaultErrorCode = (error) => {
+  if (!error?.message) return 5001;
+  if (error.message.includes("syntax") || error.message.includes("SQL")) {
+    return 6008;
+  } else if (error.message.includes("Connection closed")) {
+    return 6009;
+  } else if (error.message.includes("permission")) {
+    return 3003;
+  }
+  return 5001;
+};
+
+/**
+ * 生成错误响应
+ * @param {Object} options - 响应选项
+ * @param {Error} options.err - 错误对象
+ * @param {Object} [options.data={}] - 响应数据
+ * @param {number} [options.code=500] - 错误代码
+ * @returns {Object} 错误响应对象
+ * @description
+ * 根据错误类型生成标准错误响应
+ * 开发环境下包含数据库错误详情
+ * @example
+ * const response = error({ err: databaseError });
+ */
+export const error = ({ err, data = {}, code = 500 } = {}) => {
+  if (err) {
+    console.error("[DB Error]", err?.message || err);
+    const errorCode = err?.code && DB_ERROR[err.code] ? DB_ERROR[err.code] : getDefaultErrorCode(err);
+    const msg = CODE[errorCode] || "操作失败";
+
+    return {
+      success: false,
+      msg,
+      code: errorCode,
+      data: process.env.NODE_ENV === 'development' ? {
+        sql: err?.sql,
+        sqlMessage: err?.sqlMessage,
+        message: err?.message,
+      } : {},
+    };
+  }
+  
+  const msg = CODE[code] || "操作失败";
+  return {
+    success: false,
+    msg,
+    code,
+    data,
+  };
+};
+
+/**
+ * 生成失败响应
+ * @param {Object} options - 响应选项
+ * @param {string} [options.msg="操作失败"] - 错误消息
+ * @param {Object} [options.data={}] - 响应数据
+ * @param {number} [options.code=201] - 错误代码
+ * @returns {Object} 失败响应对象
+ * @description
+ * 生成标准失败响应
+ * @example
+ * const response = fail({ msg: '用户不存在', code: 404 });
+ */
+export const fail = ({ msg = "操作失败", data = {}, code = 201 } = {}) => {
+  return {
+    success: false,
+    msg,
+    code,
+    data,
+  };
+};
+
+/**
+ * 生成成功响应
+ * @param {Object} options - 响应选项
+ * @param {Object} [options.data={}] - 响应数据
+ * @param {string} [options.msg="操作成功"] - 成功消息
+ * @returns {Object} 成功响应对象
+ * @description
+ * 生成标准成功响应
+ * @example
+ * const response = success({ data: { id: 1, name: '张三' } });
+ */
+export const success = ({ data = {}, msg = "操作成功" } = {}) => ({
+  success: true,
+  msg,
+  code: 200,
+  data,
+});

package/utils/xss-filter.js

@@ -0,0 +1,42 @@
+import xss from 'xss';
+
+/**
+ * XSS 过滤工具
+ * 提供跨站脚本攻击过滤功能
+ */
+
+/**
+ * 过滤 XSS 攻击代码
+ * @param {*} data - 要过滤的数据，可以是字符串、数组或对象
+ * @returns {*} 过滤后的数据
+ * @description
+ * 递归过滤数据中的所有字符串值
+ * 使用 xss 库清除危险的 HTML 和 JavaScript 代码
+ * 支持字符串、数组和对象的递归处理
+ * @example
+ * const clean = filterXSS({
+ *   name: '<script>alert(1)</script>',
+ *   items: ['<img src=x onerror=alert(1)>']
+ * });
+ */
+export function filterXSS(data) {
+  if (typeof data === 'string') {
+    return xss(data);
+  }
+
+  if (Array.isArray(data)) {
+    return data.map(item => filterXSS(item));
+  }
+
+  if (data && typeof data === 'object') {
+    const result = {};
+    for (const key in data) {
+      if (Object.prototype.hasOwnProperty.call(data, key)) {
+        result[key] = filterXSS(data[key]);
+      }
+    }
+    return result;
+  }
+
+  return data;
+}

package/core/controller.js

@@ -1,33 +0,0 @@
-
-import {formatTime} from "../helper/time.js";
-
-export default class Controller {
-  constructor() {}
-
-  success(data){
-    return {
-      success: true,
-      msg: "操作成功",
-      code: 200,
-      data,
-    };
-  }
-
-  fail(data, code = 201) {
-    return {
-      success: false,
-      msg: "操作失败",
-      code,
-      data,
-    };
-  }
-
-  err(data = {}, code = 500) {
-    return {
-      success: false,
-      msg: "系统异常",
-      code,
-      data,
-    };
-  }
-}

package/core/index.js

@@ -1,3 +0,0 @@
-import Controller from "./controller.js";
-import Service from "./service.js";
-export {Controller, Service};