lean-claudient-daemon 0.1.0

package/src/middleware/securityHeaders.ts

@@ -0,0 +1,305 @@
+/**
+ * Security Headers Middleware
+ * Adds security-related HTTP headers to all responses
+ */
+
+import { Request, Response, NextFunction } from 'express';
+
+/**
+ * Security headers configuration
+ */
+export interface SecurityHeadersConfig {
+  // Strict Transport Security (HSTS)
+  hstsMaxAge?: number; // seconds, default 31536000 (1 year)
+  hstsIncludeSubdomains?: boolean;
+  hstsPreload?: boolean;
+
+  // Content Security Policy (CSP)
+  cspDirectives?: Record<string, string>;
+
+  // X-Content-Type-Options
+  noSniff?: boolean;
+
+  // X-Frame-Options
+  frameOptions?: 'DENY' | 'SAMEORIGIN' | 'ALLOW-FROM';
+
+  // X-XSS-Protection
+  xssProtection?: boolean;
+
+  // Referrer-Policy
+  referrerPolicy?: string;
+
+  // Permissions-Policy (Feature-Policy)
+  permissionsPolicy?: Record<string, string>;
+}
+
+/**
+ * Default security headers configuration
+ */
+const DEFAULT_CONFIG: SecurityHeadersConfig = {
+  hstsMaxAge: 31536000, // 1 year
+  hstsIncludeSubdomains: true,
+  hstsPreload: true,
+  noSniff: true,
+  frameOptions: 'DENY',
+  xssProtection: true,
+  referrerPolicy: 'strict-origin-when-cross-origin',
+  cspDirectives: {
+    'default-src': "'none'",
+    'script-src': "'self'",
+    'style-src': "'self'",
+    'img-src': "'self'",
+    'font-src': "'self'",
+    'connect-src': "'self'",
+    'frame-ancestors': "'none'",
+    'base-uri': "'self'",
+    'form-action': "'self'",
+  },
+};
+
+/**
+ * Create security headers middleware
+ */
+export function securityHeaders(config: SecurityHeadersConfig = {}) {
+  const finalConfig = { ...DEFAULT_CONFIG, ...config };
+
+  return (req: Request, res: Response, next: NextFunction) => {
+    // Strict-Transport-Security (HSTS)
+    if (finalConfig.hstsMaxAge !== undefined) {
+      let hstsValue = `max-age=${finalConfig.hstsMaxAge}`;
+      if (finalConfig.hstsIncludeSubdomains) {
+        hstsValue += '; includeSubDomains';
+      }
+      if (finalConfig.hstsPreload) {
+        hstsValue += '; preload';
+      }
+      res.setHeader('Strict-Transport-Security', hstsValue);
+    }
+
+    // X-Content-Type-Options
+    if (finalConfig.noSniff !== false) {
+      res.setHeader('X-Content-Type-Options', 'nosniff');
+    }
+
+    // X-Frame-Options
+    if (finalConfig.frameOptions) {
+      res.setHeader('X-Frame-Options', finalConfig.frameOptions);
+    }
+
+    // X-XSS-Protection
+    if (finalConfig.xssProtection !== false) {
+      res.setHeader('X-XSS-Protection', '1; mode=block');
+    }
+
+    // Referrer-Policy
+    if (finalConfig.referrerPolicy) {
+      res.setHeader('Referrer-Policy', finalConfig.referrerPolicy);
+    }
+
+    // Content-Security-Policy (CSP)
+    if (finalConfig.cspDirectives) {
+      const cspValue = Object.entries(finalConfig.cspDirectives)
+        .map(([key, value]) => `${key} ${value}`)
+        .join('; ');
+      res.setHeader('Content-Security-Policy', cspValue);
+    }
+
+    // Permissions-Policy
+    if (finalConfig.permissionsPolicy) {
+      const ppValue = Object.entries(finalConfig.permissionsPolicy)
+        .map(([key, value]) => `${key}=(${value})`)
+        .join(', ');
+      res.setHeader('Permissions-Policy', ppValue);
+    }
+
+    // Additional security headers
+    res.setHeader('X-Powered-By', 'Lean Claudient');
+    res.setHeader('Server', 'Lean Claudient Daemon');
+
+    next();
+  };
+}
+
+/**
+ * Middleware for API endpoints (stricter CSP)
+ */
+export function securityHeadersAPI(config: SecurityHeadersConfig = {}) {
+  const apiConfig: SecurityHeadersConfig = {
+    ...DEFAULT_CONFIG,
+    cspDirectives: {
+      'default-src': "'none'",
+      'script-src': "'none'",
+      'style-src': "'none'",
+      'img-src': "'none'",
+      'font-src': "'none'",
+      'connect-src': "'none'",
+      'frame-ancestors': "'none'",
+      'base-uri': "'self'",
+      'form-action': "'none'",
+    },
+    ...config,
+  };
+
+  return securityHeaders(apiConfig);
+}
+
+/**
+ * Remove potentially dangerous headers
+ */
+export function removeDangerousHeaders(req: Request, res: Response, next: NextFunction) {
+  // Remove headers that might leak information
+  const dangerous = ['X-Powered-By', 'Server', 'X-AspNet-Version', 'X-Runtime-Version'];
+
+  for (const header of dangerous) {
+    res.removeHeader(header);
+  }
+
+  // Disable caching for sensitive data
+  if (req.path.includes('/api/')) {
+    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0');
+    res.setHeader('Pragma', 'no-cache');
+    res.setHeader('Expires', '0');
+  }
+
+  next();
+}
+
+/**
+ * Validate request headers
+ */
+export function validateRequestHeaders(req: Request, res: Response, next: NextFunction) {
+  const dangerousPatterns = [
+    /javascript:/i,
+    /on\w+=/i, // onclick, onload, etc
+    /eval\(/i,
+  ];
+
+  // Check headers for suspicious content
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (typeof value !== 'string') continue;
+
+    for (const pattern of dangerousPatterns) {
+      if (pattern.test(value)) {
+        return res.status(400).json({
+          error: 'Invalid request header',
+          code: 'INVALID_HEADER',
+          details: {
+            header: key,
+            message: 'Header contains suspicious content',
+          },
+        });
+      }
+    }
+  }
+
+  next();
+}
+
+/**
+ * Enforce HTTPS redirect for non-local environments
+ */
+export function enforceHTTPS(req: Request, res: Response, next: NextFunction) {
+  // Skip for localhost and internal IPs
+  if (
+    req.hostname === 'localhost' ||
+    req.hostname === '127.0.0.1' ||
+    req.ip === '::1' ||
+    req.ip?.startsWith('127.') ||
+    req.ip?.startsWith('192.168.') ||
+    req.ip?.startsWith('10.')
+  ) {
+    return next();
+  }
+
+  // Check if connection is secure
+  const isSecure = req.secure || req.get('X-Forwarded-Proto') === 'https';
+
+  if (!isSecure) {
+    return res.redirect(301, `https://${req.get('Host')}${req.url}`);
+  }
+
+  next();
+}
+
+/**
+ * Add Content Security Policy meta tag (for responses with HTML)
+ */
+export function cspMetaTag(config: SecurityHeadersConfig = {}) {
+  const finalConfig = { ...DEFAULT_CONFIG, ...config };
+
+  return (req: Request, res: Response, next: NextFunction) => {
+    // Store CSP config on response for template use
+    if (finalConfig.cspDirectives) {
+      const cspValue = Object.entries(finalConfig.cspDirectives)
+        .map(([key, value]) => `${key} ${value}`)
+        .join('; ');
+      (res as any).locals = { cspMetaTag: cspValue };
+    }
+
+    next();
+  };
+}
+
+/**
+ * Prevent information disclosure
+ */
+export function preventInformationDisclosure(req: Request, res: Response, next: NextFunction) {
+  const originalJson = res.json;
+
+  res.json = function (body: any) {
+    // Remove stack traces from error responses in production
+    if (process.env.NODE_ENV === 'production') {
+      if (body && typeof body === 'object') {
+        delete body.stack;
+        delete body.stackTrace;
+        delete body.internal;
+      }
+    }
+
+    return originalJson.call(this, body);
+  };
+
+  next();
+}
+
+/**
+ * Create all security headers middleware stack
+ */
+export function createSecurityStack(config: SecurityHeadersConfig = {}) {
+  return [
+    validateRequestHeaders,
+    removeDangerousHeaders,
+    preventInformationDisclosure,
+    securityHeaders(config),
+  ];
+}
+
+/**
+ * Strict security headers for admin endpoints
+ */
+export const strictSecurityHeaders = securityHeaders({
+  hstsMaxAge: 31536000,
+  frameOptions: 'DENY',
+  cspDirectives: {
+    'default-src': "'none'",
+    'script-src': "'self'",
+    'style-src': "'self'",
+    'img-src': "'self'",
+    'font-src': "'self'",
+    'connect-src': "'self'",
+    'frame-ancestors': "'none'",
+    'base-uri': "'self'",
+    'form-action': "'self'",
+  },
+});
+
+/**
+ * Relaxed security headers for public APIs (JSON only)
+ */
+export const apiSecurityHeaders = securityHeaders({
+  cspDirectives: {
+    'default-src': "'none'",
+    'frame-ancestors': "'none'",
+    'base-uri': "'self'",
+  },
+});

package/src/middleware/validation.ts

@@ -0,0 +1,222 @@
+/**
+ * Input Validation Middleware
+ * Express middleware for validating request bodies and parameters
+ */
+
+import { Request, Response, NextFunction } from 'express';
+import { z } from 'zod';
+
+/**
+ * Validation error response
+ */
+interface ValidationError {
+  field: string;
+  message: string;
+}
+
+/**
+ * Create validation middleware for a given schema
+ */
+export function createValidationMiddleware<T>(schema: z.ZodSchema<T>) {
+  return (req: Request, res: Response, next: NextFunction) => {
+    try {
+      const validated = schema.parse(req.body);
+      (req as any).validatedBody = validated;
+      next();
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        const errors: ValidationError[] = error.errors.map((e) => ({
+          field: e.path.join('.'),
+          message: e.message,
+        }));
+
+        return res.status(400).json({
+          error: 'Validation failed',
+          code: 'VALIDATION_ERROR',
+          details: errors,
+        });
+      }
+
+      return res.status(400).json({
+        error: 'Invalid request',
+        code: 'INVALID_REQUEST',
+      });
+    }
+  };
+}
+
+/**
+ * Validate request body
+ */
+export function validateRequestBody<T>(
+  data: unknown,
+  schema: z.ZodSchema<T>
+): { valid: true; data: T } | { valid: false; errors: ValidationError[] } {
+  try {
+    const parsed = schema.parse(data);
+    return { valid: true, data: parsed };
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      const errors: ValidationError[] = error.errors.map((e) => ({
+        field: e.path.join('.'),
+        message: e.message,
+      }));
+      return { valid: false, errors };
+    }
+    return {
+      valid: false,
+      errors: [{ field: 'unknown', message: 'Validation failed' }],
+    };
+  }
+}
+
+/**
+ * Validate UUID in path parameter
+ */
+export function validatePathUUID(
+  req: Request,
+  res: Response,
+  next: NextFunction,
+  id: string,
+  paramName: string = 'id'
+) {
+  const uuidPattern =
+    /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+
+  if (!uuidPattern.test(id)) {
+    return res.status(400).json({
+      error: 'Invalid UUID format',
+      code: 'INVALID_UUID',
+      details: {
+        field: paramName,
+        message: 'Must be a valid UUID (36 characters with hyphens)',
+      },
+    });
+  }
+
+  next();
+}
+
+/**
+ * Middleware to validate UUID parameter 'id'
+ */
+export function validateIdParam(req: Request, res: Response, next: NextFunction) {
+  const { id } = req.params;
+  if (!id) {
+    return res.status(400).json({
+      error: 'Missing id parameter',
+      code: 'MISSING_PARAM',
+    });
+  }
+  validatePathUUID(req, res, next, id, 'id');
+}
+
+/**
+ * Middleware to validate UUID parameter 'sessionId'
+ */
+export function validateSessionIdParam(req: Request, res: Response, next: NextFunction) {
+  const { sessionId } = req.params;
+  if (!sessionId) {
+    return res.status(400).json({
+      error: 'Missing sessionId parameter',
+      code: 'MISSING_PARAM',
+    });
+  }
+  validatePathUUID(req, res, next, sessionId, 'sessionId');
+}
+
+/**
+ * Middleware to ensure Content-Type is application/json
+ */
+export function validateContentType(req: Request, res: Response, next: NextFunction) {
+  if (req.method === 'POST' || req.method === 'PUT' || req.method === 'PATCH') {
+    const contentType = req.get('Content-Type');
+    if (!contentType || !contentType.includes('application/json')) {
+      return res.status(415).json({
+        error: 'Unsupported Media Type',
+        code: 'UNSUPPORTED_MEDIA_TYPE',
+        details: {
+          message: 'Content-Type must be application/json',
+        },
+      });
+    }
+  }
+  next();
+}
+
+/**
+ * Middleware to limit request body size
+ */
+export function validateRequestSize(maxSize = '1mb') {
+  return (req: Request, res: Response, next: NextFunction) => {
+    if (!req.get('Content-Length')) {
+      return next();
+    }
+
+    const sizeBytes = parseSize(maxSize);
+    const contentLength = parseInt(req.get('Content-Length') || '0', 10);
+
+    if (contentLength > sizeBytes) {
+      return res.status(413).json({
+        error: 'Payload Too Large',
+        code: 'PAYLOAD_TOO_LARGE',
+        details: {
+          maxSize,
+          received: `${(contentLength / 1024).toFixed(2)}kb`,
+        },
+      });
+    }
+
+    next();
+  };
+}
+
+/**
+ * Parse size string to bytes
+ */
+function parseSize(size: string): number {
+  const units: Record<string, number> = {
+    b: 1,
+    kb: 1024,
+    mb: 1024 * 1024,
+    gb: 1024 * 1024 * 1024,
+  };
+
+  const match = size.toLowerCase().match(/^(\d+(?:\.\d+)?)\s*(kb|mb|gb|b)?$/);
+  if (!match) return 1024 * 1024; // default 1mb
+
+  const [, number, unit = 'b'] = match;
+  return Math.floor(parseFloat(number) * (units[unit] || 1));
+}
+
+/**
+ * Validate query parameters
+ */
+export function validateQueryParams(
+  data: unknown,
+  allowedKeys: string[]
+): { valid: true; data: Record<string, any> } | { valid: false; errors: ValidationError[] } {
+  if (typeof data !== 'object' || data === null) {
+    return { valid: false, errors: [{ field: 'query', message: 'Invalid query parameters' }] };
+  }
+
+  const errors: ValidationError[] = [];
+  const validated: Record<string, any> = {};
+
+  for (const [key, value] of Object.entries(data)) {
+    if (!allowedKeys.includes(key)) {
+      errors.push({
+        field: key,
+        message: `Unknown parameter: ${key}`,
+      });
+    } else {
+      validated[key] = value;
+    }
+  }
+
+  if (errors.length > 0) {
+    return { valid: false, errors };
+  }
+
+  return { valid: true, data: validated };
+}