create-phoenixjs 0.1.0

package/template/framework/security/InputSanitizerMiddleware.ts

@@ -0,0 +1,134 @@
+/**
+ * PhoenixJS - Input Sanitizer Middleware
+ * 
+ * Sanitizes request input to prevent XSS and other injection attacks.
+ */
+
+import type { Middleware, NextFunction } from '@framework/middleware/Middleware';
+import type { FrameworkRequest } from '@framework/http/Request';
+import type { SanitizerConfig } from '@/config/security';
+
+export class InputSanitizerMiddleware implements Middleware {
+	constructor(private config: SanitizerConfig) { }
+
+	async handle(request: FrameworkRequest, next: NextFunction): Promise<Response> {
+		// Skip if sanitization is disabled
+		if (!this.config.enabled) {
+			return next(request);
+		}
+
+		// Sanitize the request input
+		// Note: We sanitize the parsed body when it's accessed
+		// The sanitization happens at the framework level
+
+		return next(request);
+	}
+
+	/**
+	 * Sanitize a value (string, object, or array)
+	 */
+	sanitize(value: unknown, fieldPath: string = ''): unknown {
+		// Skip if field is in skip list
+		if (this.shouldSkipField(fieldPath)) {
+			return value;
+		}
+
+		if (typeof value === 'string') {
+			return this.sanitizeString(value);
+		}
+
+		if (Array.isArray(value)) {
+			return value.map((item, index) => this.sanitize(item, `${fieldPath}[${index}]`));
+		}
+
+		if (value !== null && typeof value === 'object') {
+			const sanitized: Record<string, unknown> = {};
+			for (const [key, val] of Object.entries(value as Record<string, unknown>)) {
+				const newPath = fieldPath ? `${fieldPath}.${key}` : key;
+				sanitized[key] = this.sanitize(val, newPath);
+			}
+			return sanitized;
+		}
+
+		return value;
+	}
+
+	/**
+	 * Sanitize a string value
+	 */
+	private sanitizeString(value: string): string {
+		let result = value;
+
+		// Trim whitespace
+		if (this.config.trim) {
+			result = result.trim();
+		}
+
+		// Strip HTML tags
+		if (this.config.stripTags) {
+			result = this.stripHtmlTags(result);
+		}
+
+		// Escape HTML entities
+		if (this.config.escapeHtml) {
+			result = this.escapeHtmlEntities(result);
+		}
+
+		return result;
+	}
+
+	/**
+	 * Strip HTML tags from a string
+	 */
+	private stripHtmlTags(value: string): string {
+		// Remove script and style tags completely (with content)
+		let result = value.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
+		result = result.replace(/<style\b[^<]*(?:(?!<\/style>)<[^<]*)*<\/style>/gi, '');
+
+		// Remove all other HTML tags (but keep content)
+		result = result.replace(/<[^>]*>/g, '');
+
+		return result;
+	}
+
+	/**
+	 * Escape HTML entities
+	 */
+	private escapeHtmlEntities(value: string): string {
+		const entities: Record<string, string> = {
+			'&': '&amp;',
+			'<': '&lt;',
+			'>': '&gt;',
+			'"': '&quot;',
+			"'": '&#x27;',
+			'/': '&#x2F;',
+			'`': '&#x60;',
+			'=': '&#x3D;',
+		};
+
+		return value.replace(/[&<>"'`=/]/g, (char) => entities[char] || char);
+	}
+
+	/**
+	 * Check if a field should be skipped
+	 */
+	private shouldSkipField(fieldPath: string): boolean {
+		const fieldName = fieldPath.split('.').pop() || fieldPath;
+		return this.config.skipFields.includes(fieldName);
+	}
+}
+
+/**
+ * Create an Input Sanitizer middleware instance with the given config
+ */
+export function sanitizer(config: Partial<SanitizerConfig> = {}): InputSanitizerMiddleware {
+	const defaultConfig: SanitizerConfig = {
+		enabled: true,
+		stripTags: true,
+		escapeHtml: true,
+		trim: true,
+		skipFields: ['password', 'html', 'content'],
+	};
+
+	return new InputSanitizerMiddleware({ ...defaultConfig, ...config });
+}

package/template/framework/security/RateLimiterMiddleware.ts

@@ -0,0 +1,189 @@
+/**
+ * PhoenixJS - Rate Limiter Middleware
+ * 
+ * Provides rate limiting to protect against abuse.
+ */
+
+import type { Middleware, NextFunction } from '@framework/middleware/Middleware';
+import type { FrameworkRequest } from '@framework/http/Request';
+import type { RateLimitConfig } from '@/config/security';
+import { FrameworkResponse } from '@framework/http/Response';
+
+interface RateLimitEntry {
+	count: number;
+	resetTime: number;
+}
+
+export class RateLimiterMiddleware implements Middleware {
+	private store: Map<string, RateLimitEntry> = new Map();
+	private cleanupInterval: ReturnType<typeof setInterval> | null = null;
+
+	constructor(private config: RateLimitConfig) {
+		// Start cleanup interval to prevent memory leaks
+		this.startCleanup();
+	}
+
+	async handle(request: FrameworkRequest, next: NextFunction): Promise<Response> {
+		// Check if rate limiting is enabled
+		if (!this.config.enabled) {
+			return next(request);
+		}
+
+		// Check if this request should be skipped
+		if (this.config.skip && this.config.skip(request.getOriginal())) {
+			return next(request);
+		}
+
+		// Get the rate limit key (default: IP address)
+		const key = this.getKey(request);
+
+		// Get or create rate limit entry
+		const entry = this.getEntry(key);
+
+		// Check if rate limit exceeded
+		if (entry.count >= this.config.max) {
+			const retryAfter = Math.ceil((entry.resetTime - Date.now()) / 1000);
+			return this.createRateLimitResponse(entry, retryAfter);
+		}
+
+		// Increment count
+		entry.count++;
+		this.store.set(key, entry);
+
+		// Process the request
+		const response = await next(request);
+
+		// Add rate limit headers
+		return this.addRateLimitHeaders(response, entry);
+	}
+
+	/**
+	 * Get the rate limit key for a request
+	 */
+	private getKey(request: FrameworkRequest): string {
+		if (this.config.keyGenerator) {
+			return this.config.keyGenerator(request.getOriginal());
+		}
+		// Default: use IP address (with fallback for unknown)
+		return request.ip() || 'unknown';
+	}
+
+	/**
+	 * Get or create a rate limit entry
+	 */
+	private getEntry(key: string): RateLimitEntry {
+		const now = Date.now();
+		let entry = this.store.get(key);
+
+		// If no entry or window expired, create new one
+		if (!entry || now >= entry.resetTime) {
+			entry = {
+				count: 0,
+				resetTime: now + this.config.windowMs,
+			};
+			this.store.set(key, entry);
+		}
+
+		return entry;
+	}
+
+	/**
+	 * Create a rate limit exceeded response
+	 */
+	private createRateLimitResponse(entry: RateLimitEntry, retryAfter: number): Response {
+		const headers: Record<string, string> = {
+			'Content-Type': 'application/json',
+			'Retry-After': retryAfter.toString(),
+			'X-RateLimit-Limit': this.config.max.toString(),
+			'X-RateLimit-Remaining': '0',
+			'X-RateLimit-Reset': Math.ceil(entry.resetTime / 1000).toString(),
+		};
+
+		return new Response(
+			JSON.stringify({
+				error: true,
+				message: this.config.message,
+			}),
+			{
+				status: 429,
+				headers,
+			}
+		);
+	}
+
+	/**
+	 * Add rate limit headers to a response
+	 */
+	private addRateLimitHeaders(response: Response, entry: RateLimitEntry): Response {
+		const headers = new Headers(response.headers);
+		const remaining = Math.max(0, this.config.max - entry.count);
+
+		headers.set('X-RateLimit-Limit', this.config.max.toString());
+		headers.set('X-RateLimit-Remaining', remaining.toString());
+		headers.set('X-RateLimit-Reset', Math.ceil(entry.resetTime / 1000).toString());
+
+		return new Response(response.body, {
+			status: response.status,
+			statusText: response.statusText,
+			headers,
+		});
+	}
+
+	/**
+	 * Start cleanup interval to remove expired entries
+	 */
+	private startCleanup(): void {
+		// Clean up every minute
+		this.cleanupInterval = setInterval(() => {
+			const now = Date.now();
+			for (const [key, entry] of this.store.entries()) {
+				if (now >= entry.resetTime) {
+					this.store.delete(key);
+				}
+			}
+		}, 60000);
+
+		// Allow the process to exit even if the interval is running
+		if (this.cleanupInterval.unref) {
+			this.cleanupInterval.unref();
+		}
+	}
+
+	/**
+	 * Stop the cleanup interval (for testing)
+	 */
+	stopCleanup(): void {
+		if (this.cleanupInterval) {
+			clearInterval(this.cleanupInterval);
+			this.cleanupInterval = null;
+		}
+	}
+
+	/**
+	 * Clear all rate limit entries (for testing)
+	 */
+	clear(): void {
+		this.store.clear();
+	}
+
+	/**
+	 * Get current stats (for testing/debugging)
+	 */
+	getStats(): { totalKeys: number } {
+		return { totalKeys: this.store.size };
+	}
+}
+
+/**
+ * Create a Rate Limiter middleware instance with the given config
+ */
+export function rateLimit(config: Partial<RateLimitConfig> = {}): RateLimiterMiddleware {
+	const defaultConfig: RateLimitConfig = {
+		enabled: true,
+		windowMs: 60000, // 1 minute
+		max: 100,
+		message: 'Too many requests, please try again later.',
+	};
+
+	return new RateLimiterMiddleware({ ...defaultConfig, ...config });
+}

package/template/framework/security/SecurityManager.ts

@@ -0,0 +1,128 @@
+/**
+ * PhoenixJS - Security Manager
+ * 
+ * Central manager for all security features.
+ * Provides factory methods for security middleware.
+ */
+
+import type { Application } from '@framework/core/Application';
+import type { SecurityConfig } from '@/config/security';
+import { CorsMiddleware, cors } from '@framework/security/CorsMiddleware';
+import { HelmetMiddleware, helmet } from '@framework/security/HelmetMiddleware';
+import { RateLimiterMiddleware, rateLimit } from '@framework/security/RateLimiterMiddleware';
+import { InputSanitizerMiddleware, sanitizer } from '@framework/security/InputSanitizerMiddleware';
+import { CsrfMiddleware, csrf } from '@framework/security/CsrfMiddleware';
+import type { MiddlewareHandler } from '@framework/middleware/Middleware';
+
+export class SecurityManager {
+	private corsMiddleware: CorsMiddleware | null = null;
+	private helmetMiddleware: HelmetMiddleware | null = null;
+	private rateLimiterMiddleware: RateLimiterMiddleware | null = null;
+	private sanitizerMiddleware: InputSanitizerMiddleware | null = null;
+	private csrfMiddleware: CsrfMiddleware | null = null;
+
+	constructor(
+		private app: Application,
+		private config?: SecurityConfig
+	) { }
+
+	/**
+	 * Get CORS middleware
+	 */
+	getCorsMiddleware(): CorsMiddleware {
+		if (!this.corsMiddleware) {
+			this.corsMiddleware = cors(this.config?.cors);
+		}
+		return this.corsMiddleware;
+	}
+
+	/**
+	 * Get Helmet middleware
+	 */
+	getHelmetMiddleware(): HelmetMiddleware {
+		if (!this.helmetMiddleware) {
+			this.helmetMiddleware = helmet(this.config?.helmet);
+		}
+		return this.helmetMiddleware;
+	}
+
+	/**
+	 * Get Rate Limiter middleware
+	 */
+	getRateLimiterMiddleware(): RateLimiterMiddleware {
+		if (!this.rateLimiterMiddleware) {
+			this.rateLimiterMiddleware = rateLimit(this.config?.rateLimit);
+		}
+		return this.rateLimiterMiddleware;
+	}
+
+	/**
+	 * Get Input Sanitizer middleware
+	 */
+	getSanitizerMiddleware(): InputSanitizerMiddleware {
+		if (!this.sanitizerMiddleware) {
+			this.sanitizerMiddleware = sanitizer(this.config?.sanitizer);
+		}
+		return this.sanitizerMiddleware;
+	}
+
+	/**
+	 * Get CSRF middleware
+	 */
+	getCsrfMiddleware(): CsrfMiddleware {
+		if (!this.csrfMiddleware) {
+			this.csrfMiddleware = csrf(this.config?.csrf);
+		}
+		return this.csrfMiddleware;
+	}
+
+	/**
+	 * Get all enabled security middleware as an array
+	 */
+	getSecurityMiddleware(): MiddlewareHandler[] {
+		const middleware: MiddlewareHandler[] = [];
+
+		// Always add CORS (handles OPTIONS requests)
+		middleware.push(this.getCorsMiddleware());
+
+		// Add Helmet for security headers
+		middleware.push(this.getHelmetMiddleware());
+
+		// Add rate limiting if enabled
+		if (this.config?.rateLimit?.enabled !== false) {
+			middleware.push(this.getRateLimiterMiddleware());
+		}
+
+		// Add CSRF if enabled
+		if (this.config?.csrf?.enabled) {
+			middleware.push(this.getCsrfMiddleware());
+		}
+
+		return middleware;
+	}
+
+	/**
+	 * Configure security from a config object
+	 */
+	configure(config: Partial<SecurityConfig>): this {
+		this.config = { ...this.config, ...config } as SecurityConfig;
+
+		// Reset cached middleware so they get recreated with new config
+		this.corsMiddleware = null;
+		this.helmetMiddleware = null;
+		this.rateLimiterMiddleware = null;
+		this.sanitizerMiddleware = null;
+		this.csrfMiddleware = null;
+
+		return this;
+	}
+
+	/**
+	 * Stop any background tasks (for cleanup)
+	 */
+	shutdown(): void {
+		if (this.rateLimiterMiddleware) {
+			this.rateLimiterMiddleware.stopCleanup();
+		}
+	}
+}